syzbot

KASAN: use-after-free Read in free_netdev

Status: upstream: reported C repro on 2020/03/07 10:14
Reported-by: syzbot+aeb990c485fd48663c5a@syzkaller.appspotmail.com
First crash: 1056d, last: 9d17h

Fix bisection: failed (bisect log)
similar bugs (6):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-5-10 KASAN: use-after-free Read in free_netdev C error 2 191d 223d 2/2 upstream: reported C repro on 2022/06/18 00:20
upstream KASAN: use-after-free Read in free_netdev (2) C done done 1715 422d 1056d 22/24 fixed on 2022/03/08 16:11
android-54 KASAN: use-after-free Read in free_netdev C 427 156d 1056d 0/2 upstream: reported C repro on 2020/03/06 20:14
upstream KASAN: use-after-free Read in free_netdev (3) C inconclusive 130 64d 219d 23/24 upstream: reported C repro on 2022/06/22 01:01
upstream KASAN: use-after-free Read in free_netdev C 42 1903d 1927d 3/24 fixed on 2017/11/28 03:36
upstream general protection fault in free_netdev (2) 1 583d 583d 0/24 auto-closed as invalid on 2021/09/20 23:14

Sample crash report:
IPVS: ftp: loaded support on port[0] = 21
netlink: 20 bytes leftover after parsing attributes in process `syz-executor326'.
==================================================================
BUG: KASAN: use-after-free in free_netdev+0x3a7/0x410 net/core/dev.c:9249
Read of size 8 at addr ffff8880b2644f20 by task syz-executor326/8136

CPU: 0 PID: 8136 Comm: syz-executor326 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
 kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
 kasan_report mm/kasan/report.c:412 [inline]
 __asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433
 free_netdev+0x3a7/0x410 net/core/dev.c:9249
 netdev_run_todo+0x89b/0xab0 net/core/dev.c:9002
 rtnl_unlock net/core/rtnetlink.c:117 [inline]
 rtnetlink_rcv_msg+0x460/0xb80 net/core/rtnetlink.c:4783
 netlink_rcv_skb+0x160/0x440 net/netlink/af_netlink.c:2463
 netlink_unicast_kernel net/netlink/af_netlink.c:1325 [inline]
 netlink_unicast+0x4d5/0x690 net/netlink/af_netlink.c:1351
 netlink_sendmsg+0x6c3/0xc50 net/netlink/af_netlink.c:1917
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg+0xc3/0x120 net/socket.c:661
 ___sys_sendmsg+0x7bb/0x8e0 net/socket.c:2227
 __sys_sendmsg net/socket.c:2265 [inline]
 __do_sys_sendmsg net/socket.c:2274 [inline]
 __se_sys_sendmsg net/socket.c:2272 [inline]
 __x64_sys_sendmsg+0x132/0x220 net/socket.c:2272
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f1f5be06dd9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f1f5bdb8308 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f1f5be90428 RCX: 00007f1f5be06dd9
RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000004
RBP: 00007f1f5be90420 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f1f5be9042c
R13: 00007f1f5be5d174 R14: 74656e2f7665642f R15: 0000000000022000

Allocated by task 8136:
 __do_kmalloc mm/slab.c:3727 [inline]
 __kmalloc+0x15a/0x3c0 mm/slab.c:3736
 kmalloc include/linux/slab.h:520 [inline]
 sk_prot_alloc+0x1e2/0x2d0 net/core/sock.c:1483
 sk_alloc+0x36/0xec0 net/core/sock.c:1537
 tun_chr_open+0x7b/0x560 drivers/net/tun.c:3286
 misc_open+0x372/0x4a0 drivers/char/misc.c:141
 chrdev_open+0x266/0x770 fs/char_dev.c:423
 do_dentry_open+0x4aa/0x1160 fs/open.c:796
 do_last fs/namei.c:3421 [inline]
 path_openat+0x793/0x2df0 fs/namei.c:3537
 do_filp_open+0x18c/0x3f0 fs/namei.c:3567
 do_sys_open+0x3b3/0x520 fs/open.c:1085
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 8141:
 __cache_free mm/slab.c:3503 [inline]
 kfree+0xcc/0x210 mm/slab.c:3822
 sk_prot_free net/core/sock.c:1520 [inline]
 __sk_destruct+0x684/0x8a0 net/core/sock.c:1602
 sk_destruct net/core/sock.c:1617 [inline]
 __sk_free+0x165/0x3b0 net/core/sock.c:1628
 sk_free+0x3b/0x50 net/core/sock.c:1639
 sock_put include/net/sock.h:1713 [inline]
 __tun_detach+0xccb/0x1320 drivers/net/tun.c:750
 tun_detach drivers/net/tun.c:762 [inline]
 tun_chr_close+0x10e/0x180 drivers/net/tun.c:3323
 __fput+0x2ce/0x890 fs/file_table.c:278
 task_work_run+0x148/0x1c0 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:193 [inline]
 exit_to_usermode_loop+0x251/0x2a0 arch/x86/entry/common.c:167
 prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
 do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8880b2644880
 which belongs to the cache kmalloc-4096 of size 4096
The buggy address is located 1696 bytes inside of
 4096-byte region [ffff8880b2644880, ffff8880b2645880)
The buggy address belongs to the page:
page:ffffea0002c99100 count:1 mapcount:0 mapping:ffff88813bff0dc0 index:0x0 compound_mapcount: 0
flags: 0xfff00000008100(slab|head)
raw: 00fff00000008100 ffffea0002559d08 ffffea0002c5b008 ffff88813bff0dc0
raw: 0000000000000000 ffff8880b2644880 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880b2644e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880b2644e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880b2644f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                               ^
 ffff8880b2644f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880b2645000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (142):
| Manager | Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Title |
| ci2-linux-4-19 | 2022/06/19 16:04 | linux-4.19.y | 3f8a27f9e27b | 8f633d84 | .config | console log | report | syz | C | | | KASAN: use-after-free Read in free_netdev |
| ci2-linux-4-19 | 2020/08/16 00:33 | linux-4.19.y | c14d30dc9987 | 5ce13532 | .config | console log | report | syz | C | | | |
| ci2-linux-4-19 | 2020/03/12 12:46 | linux-4.19.y | 569209711609 | d850e9d0 | .config | console log | report | syz | C | | | |
| ci2-linux-4-19 | 2020/03/12 08:44 | linux-4.19.y | 569209711609 | d850e9d0 | .config | console log | report | syz | C | | | |
| ci2-linux-4-19 | 2020/03/08 10:51 | linux-4.19.y | 7472c4028e23 | 2e9971bb | .config | console log | report | syz | C | | | |
| ci2-linux-4-19 | 2020/07/04 13:48 | linux-4.19.y | 399849e4654e | 4f739670 | .config | console log | report | syz | | | | |
| ci2-linux-4-19 | 2020/04/14 08:34 | linux-4.19.y | 6dd0e32665e5 | 7c54686a | .config | console log | report | syz | | | | |
| ci2-linux-4-19 | 2020/03/15 13:55 | linux-4.19.y | 569209711609 | 749688d2 | .config | console log | report | syz | | | | |
| ci2-linux-4-19 | 2020/03/14 03:26 | linux-4.19.y | 569209711609 | 749688d2 | .config | console log | report | syz | | | | |
| ci2-linux-4-19 | 2020/03/13 16:20 | linux-4.19.y | 569209711609 | fd69032d | .config | console log | report | syz | | | | |
| ci2-linux-4-19 | 2020/03/12 18:35 | linux-4.19.y | 569209711609 | d850e9d0 | .config | console log | report | syz | | | | |
| ci2-linux-4-19 | 2020/03/11 22:26 | linux-4.19.y | 569209711609 | e103bc9e | .config | console log | report | syz | | | | |
| ci2-linux-4-19 | 2020/03/11 01:17 | linux-4.19.y | 7472c4028e23 | 35f53e45 | .config | console log | report | syz | | | | |
| ci2-linux-4-19 | 2020/03/10 11:58 | linux-4.19.y | 7472c4028e23 | 35f53e45 | .config | console log | report | syz | | | | |
| ci2-linux-4-19 | 2020/03/09 21:18 | linux-4.19.y | 7472c4028e23 | 35f53e45 | .config | console log | report | syz | | | | |
| ci2-linux-4-19 | 2020/03/09 04:10 | linux-4.19.y | 7472c4028e23 | 2e9971bb | .config | console log | report | syz | | | | |
| ci2-linux-4-19 | 2020/03/07 18:22 | linux-4.19.y | 7472c4028e23 | 2e9971bb | .config | console log | report | syz | | | | |
| ci2-linux-4-19 | 2020/03/07 17:06 | linux-4.19.y | 7472c4028e23 | 2e9971bb | .config | console log | report | syz | | | | |
| ci2-linux-4-19 | 2020/03/07 11:31 | linux-4.19.y | 7472c4028e23 | 2e9971bb | .config | console log | report | syz | | | | |
| ci2-linux-4-19 | 2023/01/17 19:31 | linux-4.19.y | 3f8a27f9e27b | 42660d9e | .config | console log | report | | | info | [disk image] [vmlinux] | KASAN: use-after-free Read in free_netdev |
| ci2-linux-4-19 | 2023/01/14 13:43 | linux-4.19.y | 3f8a27f9e27b | a63719e7 | .config | console log | report | | | info | [disk image] [vmlinux] | KASAN: use-after-free Read in free_netdev |
| ci2-linux-4-19 | 2022/12/19 22:03 | linux-4.19.y | 3f8a27f9e27b | c52b2efb | .config | console log | report | | | info | [disk image] [vmlinux] | KASAN: use-after-free Read in free_netdev |
| ci2-linux-4-19 | 2022/11/07 13:08 | linux-4.19.y | 3f8a27f9e27b | a779b11a | .config | console log | report | | | info | [disk image] [vmlinux] | KASAN: use-after-free Read in free_netdev |
| ci2-linux-4-19 | 2022/09/05 08:06 | linux-4.19.y | 3f8a27f9e27b | 28811d0a | .config | console log | report | | | info | [disk image] [vmlinux] | KASAN: use-after-free Read in free_netdev |
| ci2-linux-4-19 | 2022/07/06 17:27 | linux-4.19.y | 3f8a27f9e27b | bff65f44 | .config | console log | report | | | info | | KASAN: use-after-free Read in free_netdev |
| ci2-linux-4-19 | 2022/07/03 19:59 | linux-4.19.y | 3f8a27f9e27b | 1434eec0 | .config | console log | report | | | info | | KASAN: use-after-free Read in free_netdev |
| ci2-linux-4-19 | 2020/09/14 01:23 | linux-4.19.y | a87f96283793 | 2d3cdd63 | .config | console log | report | | | | | |
| ci2-linux-4-19 | 2020/09/09 09:33 | linux-4.19.y | c37da90efff5 | 0ea7a887 | .config | console log | report | | | | | |
| ci2-linux-4-19 | 2020/09/08 09:45 | linux-4.19.y | c37da90efff5 | abf9ba4f | .config | console log | report | | | | | |
| ci2-linux-4-19 | 2020/09/07 18:22 | linux-4.19.y | c37da90efff5 | abf9ba4f | .config | console log | report | | | | | |
| ci2-linux-4-19 | 2020/09/07 04:08 | linux-4.19.y | c37da90efff5 | abf9ba4f | .config | console log | report | | | | | |
| ci2-linux-4-19 | 2020/09/03 09:56 | linux-4.19.y | f6d5cb9e2c06 | abf9ba4f | .config | console log | report | | | | | |
| ci2-linux-4-19 | 2020/09/03 07:03 | linux-4.19.y | f6d5cb9e2c06 | abf9ba4f | .config | console log | report | | | | | |
| ci2-linux-4-19 | 2020/09/02 19:01 | linux-4.19.y | f6d5cb9e2c06 | abf9ba4f | .config | console log | report | | | | | |
| ci2-linux-4-19 | 2020/09/01 18:00 | linux-4.19.y | f6d5cb9e2c06 | d5a3ae1f | .config | console log | report | | | | | |
| ci2-linux-4-19 | 2020/09/01 15:33 | linux-4.19.y | f6d5cb9e2c06 | d5a3ae1f | .config | console log | report | | | | | |
| ci2-linux-4-19 | 2020/09/01 02:34 | linux-4.19.y | f6d5cb9e2c06 | d5a3ae1f | .config | console log | report | | | | | |
| ci2-linux-4-19 | 2020/08/31 23:21 | linux-4.19.y | f6d5cb9e2c06 | d5a3ae1f | .config | console log | report | | | | | |
| ci2-linux-4-19 | 2020/08/31 06:54 | linux-4.19.y | f6d5cb9e2c06 | d5a3ae1f | .config | console log | report | | | | | |
| ci2-linux-4-19 | 2020/08/28 13:00 | linux-4.19.y | f6d5cb9e2c06 | 816e0689 | .config | console log | report | | | | | |
| ci2-linux-4-19 | 2020/08/21 06:53 | linux-4.19.y | a834132bd465 | 1d75fe45 | .config | console log | report | | | | | |
| ci2-linux-4-19 | 2020/08/19 03:26 | linux-4.19.y | c14d30dc9987 | e1c29030 | .config | console log | report | | | | | |
| ci2-linux-4-19 | 2020/08/18 11:04 | linux-4.19.y | c14d30dc9987 | 5ce13532 | .config | console log | report | | | | | |
| ci2-linux-4-19 | 2020/08/17 21:07 | linux-4.19.y | c14d30dc9987 | 5ce13532 | .config | console log | report | | | | | |
| ci2-linux-4-19 | 2020/08/16 21:47 | linux-4.19.y | c14d30dc9987 | 5ce13532 | .config | console log | report | | | | | |
| ci2-linux-4-19 | 2020/08/16 07:44 | linux-4.19.y | c14d30dc9987 | 5ce13532 | .config | console log | report | | | | | |
| ci2-linux-4-19 | 2020/08/15 23:06 | linux-4.19.y | c14d30dc9987 | 5ce13532 | .config | console log | report | | | | | |
| ci2-linux-4-19 | 2020/08/12 23:59 | linux-4.19.y | c14d30dc9987 | bc15f7db | .config | console log | report | | | | | |
| ci2-linux-4-19 | 2020/08/12 11:42 | linux-4.19.y | c14d30dc9987 | 0d7bd2e0 | .config | console log | report | | | | | |
| ci2-linux-4-19 | 2020/08/05 19:52 | linux-4.19.y | c076c79e03c6 | b7129355 | .config | console log | report | | | | | |
| ci2-linux-4-19 | 2020/08/03 22:20 | linux-4.19.y | 13af6c74b14a | 96dd3623 | .config | console log | report | | | | | |
| ci2-linux-4-19 | 2020/07/27 19:00 | linux-4.19.y | 20b3a3dfdf6c | cb93dc6a | .config | console log | report | | | | | |
| ci2-linux-4-19 | 2020/07/23 23:27 | linux-4.19.y | 20b3a3dfdf6c | 70c104a1 | .config | console log | report | | | | | |
| ci2-linux-4-19 | 2020/07/21 09:54 | linux-4.19.y | 17a87580a885 | d88894e6 | .config | console log | report | | | | | |
| ci2-linux-4-19 | 2020/07/20 10:22 | linux-4.19.y | 17a87580a885 | 8caeeeb7 | .config | console log | report | | | | | |
| ci2-linux-4-19 | 2020/07/13 20:17 | linux-4.19.y | dce0f88600e4 | ce4c95b3 | .config | console log | report | | | | | |
| ci2-linux-4-19 | 2020/07/12 01:28 | linux-4.19.y | dce0f88600e4 | 7ba05d2d | .config | console log | report | | | | | |
| ci2-linux-4-19 | 2020/07/08 06:52 | linux-4.19.y | 399849e4654e | 5962a2dc | .config | console log | report | | | | | |
| ci2-linux-4-19 | 2020/07/05 01:17 | linux-4.19.y | 399849e4654e | 24d7f505 | .config | console log | report | | | | | |
| ci2-linux-4-19 | 2020/07/02 23:58 | linux-4.19.y | 399849e4654e | f30c14bf | .config | console log | report | | | | | |
| ci2-linux-4-19 | 2020/06/21 09:14 | linux-4.19.y | 3fc898571b97 | c655ec77 | .config | console log | report | | | | | |
| ci2-linux-4-19 | 2020/06/20 22:05 | linux-4.19.y | 3fc898571b97 | c655ec77 | .config | console log | report | | | | | |
| ci2-linux-4-19 | 2020/06/17 07:07 | linux-4.19.y | 3fc898571b97 | b9f3810b | .config | console log | report | | | | | |
| ci2-linux-4-19 | 2020/03/07 10:13 | linux-4.19.y | 7472c4028e23 | 2e9971bb | .config | console log | report | | | | | |
* Struck through repros no longer work on HEAD.