Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
---|---|---|---|---|---|---|---|---|---|
upstream | KASAN: use-after-free Read in bpf_skb_change_proto bpf net | 1 | 2358d | 2357d | 8/28 | fixed on 2018/07/09 18:05 |
syzbot |
sign-in | mailing list | source | docs |
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=2816 sclass=netlink_route_socket pig=13425 comm=syz-executor.1 ================================================================== BUG: KASAN: use-after-free in bpf_skb_proto_xlat net/core/filter.c:2151 [inline] BUG: KASAN: use-after-free in ____bpf_skb_change_proto net/core/filter.c:2189 [inline] BUG: KASAN: use-after-free in bpf_skb_change_proto+0xdbc/0x10f0 net/core/filter.c:2164 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=2816 sclass=netlink_route_socket pig=13425 comm=syz-executor.1 Read of size 2 at addr ffff88808c4058c0 by task syz-executor.3/13429 CPU: 0 PID: 13429 Comm: syz-executor.3 Not tainted 4.14.141 #37 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x138/0x197 lib/dump_stack.c:53 print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252 kasan_report_error mm/kasan/report.c:351 [inline] kasan_report mm/kasan/report.c:409 [inline] kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393 __asan_report_load2_noabort+0x14/0x20 mm/kasan/report.c:428 bpf_skb_proto_xlat net/core/filter.c:2151 [inline] ____bpf_skb_change_proto net/core/filter.c:2189 [inline] bpf_skb_change_proto+0xdbc/0x10f0 net/core/filter.c:2164 bpf_prog_4b4d9be662d00a7e+0x526/0x1000 Allocated by task 10286: save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59 save_stack+0x45/0xd0 mm/kasan/kasan.c:447 set_track mm/kasan/kasan.c:459 [inline] kasan_kmalloc mm/kasan/kasan.c:551 [inline] kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:529 kasan_slab_alloc+0xf/0x20 mm/kasan/kasan.c:489 kmem_cache_alloc+0x12e/0x780 mm/slab.c:3552 skb_clone+0x129/0x320 net/core/skbuff.c:1282 dev_queue_xmit_nit+0x2d8/0x940 net/core/dev.c:1943 xmit_one net/core/dev.c:3005 [inline] dev_hard_start_xmit+0xa7/0x8b0 net/core/dev.c:3025 sch_direct_xmit+0x27a/0x550 net/sched/sch_generic.c:186 __dev_xmit_skb net/core/dev.c:3218 [inline] __dev_queue_xmit+0x1b6e/0x25e0 net/core/dev.c:3493 dev_queue_xmit+0x18/0x20 net/core/dev.c:3558 neigh_hh_output include/net/neighbour.h:490 [inline] neigh_output include/net/neighbour.h:498 [inline] ip_finish_output2+0xddc/0x14a0 net/ipv4/ip_output.c:229 ip_finish_output+0x56d/0xc60 net/ipv4/ip_output.c:317 NF_HOOK_COND include/linux/netfilter.h:239 [inline] ip_mc_output+0x24a/0xd40 net/ipv4/ip_output.c:390 dst_output include/net/dst.h:462 [inline] ip_local_out+0x97/0x170 net/ipv4/ip_output.c:124 ip_send_skb+0x3e/0xc0 net/ipv4/ip_output.c:1418 udp_send_skb+0x53f/0xb90 net/ipv4/udp.c:833 udp_sendmsg+0x16df/0x1da0 net/ipv4/udp.c:1057 inet_sendmsg+0x122/0x500 net/ipv4/af_inet.c:762 sock_sendmsg_nosec net/socket.c:646 [inline] sock_sendmsg+0xce/0x110 net/socket.c:656 ___sys_sendmsg+0x349/0x840 net/socket.c:2062 __sys_sendmmsg+0x152/0x3a0 net/socket.c:2152 SYSC_sendmmsg net/socket.c:2183 [inline] SyS_sendmmsg+0x35/0x60 net/socket.c:2178 do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x42/0xb7 Freed by task 10283: save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59 save_stack+0x45/0xd0 mm/kasan/kasan.c:447 set_track mm/kasan/kasan.c:459 [inline] kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524 __cache_free mm/slab.c:3496 [inline] kmem_cache_free+0x83/0x2b0 mm/slab.c:3758 kfree_skbmem net/core/skbuff.c:586 [inline] kfree_skbmem+0xac/0x120 net/core/skbuff.c:580 __kfree_skb net/core/skbuff.c:646 [inline] kfree_skb+0xbd/0x340 net/core/skbuff.c:663 skb_queue_purge+0x19/0x40 net/core/skbuff.c:2855 packet_release+0x871/0xb50 net/packet/af_packet.c:3089 __sock_release+0xce/0x2b0 net/socket.c:602 sock_close+0x1b/0x30 net/socket.c:1139 __fput+0x275/0x7a0 fs/file_table.c:210 ____fput+0x16/0x20 fs/file_table.c:244 task_work_run+0x114/0x190 kernel/task_work.c:113 tracehook_notify_resume include/linux/tracehook.h:191 [inline] exit_to_usermode_loop+0x1da/0x220 arch/x86/entry/common.c:164 prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline] syscall_return_slowpath arch/x86/entry/common.c:270 [inline] do_syscall_64+0x4bc/0x640 arch/x86/entry/common.c:297 entry_SYSCALL_64_after_hwframe+0x42/0xb7 The buggy address belongs to the object at ffff88808c4058c0 which belongs to the cache skbuff_head_cache of size 232 The buggy address is located 0 bytes inside of 232-byte region [ffff88808c4058c0, ffff88808c4059a8) The buggy address belongs to the page: page:ffffea0002310140 count:1 mapcount:0 mapping:ffff88808c405000 index:0xffff88808c4058c0 flags: 0x1fffc0000000100(slab) raw: 01fffc0000000100 ffff88808c405000 ffff88808c4058c0 0000000100000007 raw: ffffea0002421920 ffffea0002a6aba0 ffff8880a9e1aa80 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88808c405780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88808c405800: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc >ffff88808c405880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ^ ffff88808c405900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88808c405980: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc ==================================================================
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
---|---|---|---|---|---|---|---|---|---|---|---|---|
2019/09/02 10:53 | linux-4.14.y | 01fd1694b93c | db7c31ca | .config | console log | report | ci2-linux-4-14 | |||||
2019/08/09 21:17 | linux-4.14.y | 3ffe1e79c174 | aff9e255 | .config | console log | report | ci2-linux-4-14 |