syzbot


KMSAN: use-after-free in kmem_cache_free

Status: auto-closed as invalid on 2020/02/19 16:36
Subsystems: net
First crash: 1660d, last: 1615d

Sample crash report:
=====================================================
BUG: KMSAN: use-after-free in do_slab_free mm/slub.c:3024 [inline]
BUG: KMSAN: use-after-free in slab_free mm/slub.c:3047 [inline]
BUG: KMSAN: use-after-free in kmem_cache_free+0x3df/0x2b70 mm/slub.c:3062
CPU: 0 PID: 13799 Comm: kworker/0:9 Not tainted 5.4.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events rt6_probe_deferred
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x191/0x1f0 lib/dump_stack.c:113
 kmsan_report+0x128/0x220 mm/kmsan/kmsan_report.c:108
 __msan_warning+0x73/0xe0 mm/kmsan/kmsan_instr.c:245
 do_slab_free mm/slub.c:3024 [inline]
 slab_free mm/slub.c:3047 [inline]
 kmem_cache_free+0x3df/0x2b70 mm/slub.c:3062
 kfree_skbmem net/core/skbuff.c:644 [inline]
 __kfree_skb net/core/skbuff.c:680 [inline]
 kfree_skb+0x473/0x4c0 net/core/skbuff.c:697
 packet_rcv+0xcfd/0x2110 net/packet/af_packet.c:2148
 dev_queue_xmit_nit+0x1125/0x1200 net/core/dev.c:2077
 xmit_one net/core/dev.c:3276 [inline]
 dev_hard_start_xmit+0x21e/0xab0 net/core/dev.c:3296
 __dev_queue_xmit+0x35b6/0x4200 net/core/dev.c:3873
 dev_queue_xmit+0x4b/0x60 net/core/dev.c:3906
 neigh_resolve_output+0xab7/0xb50 net/core/neighbour.c:1490
 neigh_output include/net/neighbour.h:511 [inline]
 ip6_finish_output2+0x2129/0x2670 net/ipv6/ip6_output.c:116
 __ip6_finish_output+0x83d/0x8f0 net/ipv6/ip6_output.c:142
 ip6_finish_output+0x2db/0x420 net/ipv6/ip6_output.c:152
 NF_HOOK_COND include/linux/netfilter.h:294 [inline]
 ip6_output+0x5d3/0x720 net/ipv6/ip6_output.c:175
 dst_output include/net/dst.h:436 [inline]
 NF_HOOK include/linux/netfilter.h:305 [inline]
 ndisc_send_skb+0x1083/0x15e0 net/ipv6/ndisc.c:505
 ndisc_send_ns+0xda8/0xe10 net/ipv6/ndisc.c:647
 rt6_probe_deferred+0x13c/0x240 net/ipv6/route.c:615
 process_one_work+0x1572/0x1ef0 kernel/workqueue.c:2269
 worker_thread+0x111b/0x2460 kernel/workqueue.c:2415
 kthread+0x4b5/0x4f0 kernel/kthread.c:256
 ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:355

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:151 [inline]
 kmsan_internal_chain_origin+0xbd/0x180 mm/kmsan/kmsan.c:319
 __msan_chain_origin+0x6b/0xd0 mm/kmsan/kmsan_instr.c:179
 ___slab_alloc+0x1dbc/0x1fb0 mm/slub.c:2636
 __slab_alloc mm/slub.c:2689 [inline]
 slab_alloc_node mm/slub.c:2763 [inline]
 slab_alloc mm/slub.c:2808 [inline]
 kmem_cache_alloc+0xadf/0xd20 mm/slub.c:2813
 skb_clone+0x326/0x5d0 net/core/skbuff.c:1448
 dev_queue_xmit_nit+0x539/0x1200 net/core/dev.c:2045
 xmit_one net/core/dev.c:3276 [inline]
 dev_hard_start_xmit+0x21e/0xab0 net/core/dev.c:3296
 __dev_queue_xmit+0x35b6/0x4200 net/core/dev.c:3873
 dev_queue_xmit+0x4b/0x60 net/core/dev.c:3906
 neigh_resolve_output+0xab7/0xb50 net/core/neighbour.c:1490
 neigh_output include/net/neighbour.h:511 [inline]
 ip6_finish_output2+0x2129/0x2670 net/ipv6/ip6_output.c:116
 __ip6_finish_output+0x83d/0x8f0 net/ipv6/ip6_output.c:142
 ip6_finish_output+0x2db/0x420 net/ipv6/ip6_output.c:152
 NF_HOOK_COND include/linux/netfilter.h:294 [inline]
 ip6_output+0x5d3/0x720 net/ipv6/ip6_output.c:175
 dst_output include/net/dst.h:436 [inline]
 NF_HOOK include/linux/netfilter.h:305 [inline]
 ndisc_send_skb+0x1083/0x15e0 net/ipv6/ndisc.c:505
 ndisc_send_ns+0xda8/0xe10 net/ipv6/ndisc.c:647
 rt6_probe_deferred+0x13c/0x240 net/ipv6/route.c:615
 process_one_work+0x1572/0x1ef0 kernel/workqueue.c:2269
 worker_thread+0x111b/0x2460 kernel/workqueue.c:2415
 kthread+0x4b5/0x4f0 kernel/kthread.c:256
 ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:355

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:151 [inline]
 kmsan_internal_poison_shadow+0x60/0x120 mm/kmsan/kmsan.c:134
 kmsan_slab_free+0x8d/0xf0 mm/kmsan/kmsan_hooks.c:109
 slab_free_freelist_hook mm/slub.c:1473 [inline]
 slab_free mm/slub.c:3046 [inline]
 kmem_cache_free_bulk+0x3ad9/0x3f10 mm/slub.c:3171
 __kfree_skb_flush+0xb0/0x100 net/core/skbuff.c:862
 net_rx_action+0x1a5e/0x1aa0 net/core/dev.c:6483
 __do_softirq+0x4a1/0x83a kernel/softirq.c:293
 do_softirq_own_stack+0x49/0x80 arch/x86/entry/entry_64.S:1093
 do_softirq kernel/softirq.c:338 [inline]
 __local_bh_enable_ip+0x184/0x1d0 kernel/softirq.c:190
 local_bh_enable+0x36/0x40 include/linux/bottom_half.h:32
 update_defense_level+0xcc7/0xd10 net/netfilter/ipvs/ip_vs_ctl.c:211
 defense_work_handler+0x42/0x120 net/netfilter/ipvs/ip_vs_ctl.c:225
 process_one_work+0x1572/0x1ef0 kernel/workqueue.c:2269
 worker_thread+0x111b/0x2460 kernel/workqueue.c:2415
 kthread+0x4b5/0x4f0 kernel/kthread.c:256
 ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:355
=====================================================

Crashes (44):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2019/11/21 16:31 https://github.com/google/kmsan.git master 287021d5afde 8098ea0f .config console log report ci-upstream-kmsan-gce
2019/11/21 00:52 https://github.com/google/kmsan.git master 3db92f3b3586 8098ea0f .config console log report ci-upstream-kmsan-gce
2019/11/19 23:59 https://github.com/google/kmsan.git master 9c6a71628ab9 5bc70212 .config console log report ci-upstream-kmsan-gce
2019/11/18 21:56 https://github.com/google/kmsan.git master 9c6a71628ab9 1daed50a .config console log report ci-upstream-kmsan-gce
2019/11/18 04:09 https://github.com/google/kmsan.git master 9c6a71628ab9 d5696d51 .config console log report ci-upstream-kmsan-gce
2019/11/15 18:47 https://github.com/google/kmsan.git master 9c6a71628ab9 cdac920b .config console log report ci-upstream-kmsan-gce
2019/11/13 18:27 https://github.com/google/kmsan.git master 9c6a71628ab9 048f2d49 .config console log report ci-upstream-kmsan-gce
2019/11/12 18:25 https://github.com/google/kmsan.git master e741088f2efa 048f2d49 .config console log report ci-upstream-kmsan-gce
2019/11/12 13:03 https://github.com/google/kmsan.git master e741088f2efa 048f2d49 .config console log report ci-upstream-kmsan-gce
2019/11/12 07:12 https://github.com/google/kmsan.git master e741088f2efa 048f2d49 .config console log report ci-upstream-kmsan-gce
2019/11/11 22:25 https://github.com/google/kmsan.git master e741088f2efa 048f2d49 .config console log report ci-upstream-kmsan-gce
2019/11/11 18:28 https://github.com/google/kmsan.git master e741088f2efa 048f2d49 .config console log report ci-upstream-kmsan-gce
2019/11/10 19:02 https://github.com/google/kmsan.git master e741088f2efa dc438b91 .config console log report ci-upstream-kmsan-gce
2019/11/09 07:45 https://github.com/google/kmsan.git master e741088f2efa dc438b91 .config console log report ci-upstream-kmsan-gce
2019/11/05 23:03 https://github.com/google/kmsan.git master c235b34ba03a 0f3ec414 .config console log report ci-upstream-kmsan-gce
2019/11/05 20:56 https://github.com/google/kmsan.git master c235b34ba03a 0f3ec414 .config console log report ci-upstream-kmsan-gce
2019/11/03 19:20 https://github.com/google/kmsan.git master 6f88939b3fa3 c9610487 .config console log report ci-upstream-kmsan-gce
2019/11/03 18:36 https://github.com/google/kmsan.git master 6f88939b3fa3 c9610487 .config console log report ci-upstream-kmsan-gce
2019/11/03 14:29 https://github.com/google/kmsan.git master 6f88939b3fa3 c9610487 .config console log report ci-upstream-kmsan-gce
2019/11/03 14:24 https://github.com/google/kmsan.git master 6f88939b3fa3 c9610487 .config console log report ci-upstream-kmsan-gce
2019/10/31 05:28 https://github.com/google/kmsan.git master 6f88939b3fa3 a41ca8fa .config console log report ci-upstream-kmsan-gce
2019/10/30 15:45 https://github.com/google/kmsan.git master 6f88939b3fa3 5ea87a66 .config console log report ci-upstream-kmsan-gce
2019/10/30 13:30 https://github.com/google/kmsan.git master 6f88939b3fa3 5ea87a66 .config console log report ci-upstream-kmsan-gce
2019/10/29 18:25 https://github.com/google/kmsan.git master 96c6c3194b1b 5ea87a66 .config console log report ci-upstream-kmsan-gce
2019/10/28 00:31 https://github.com/google/kmsan.git master d86c15562d02 25bb509e .config console log report ci-upstream-kmsan-gce
2019/10/27 22:10 https://github.com/google/kmsan.git master d86c15562d02 25bb509e .config console log report ci-upstream-kmsan-gce
2019/10/26 23:09 https://github.com/google/kmsan.git master d86c15562d02 25bb509e .config console log report ci-upstream-kmsan-gce
2019/10/26 06:58 https://github.com/google/kmsan.git master d86c15562d02 413926c5 .config console log report ci-upstream-kmsan-gce
2019/10/25 19:21 https://github.com/google/kmsan.git master d86c15562d02 c2e837da .config console log report ci-upstream-kmsan-gce
2019/10/25 17:38 https://github.com/google/kmsan.git master d86c15562d02 c2e837da .config console log report ci-upstream-kmsan-gce
2019/10/25 05:52 https://github.com/google/kmsan.git master d86c15562d02 d01bb02a .config console log report ci-upstream-kmsan-gce
2019/10/24 06:42 https://github.com/google/kmsan.git master ba606e9df216 b602d64b .config console log report ci-upstream-kmsan-gce
2019/10/21 22:42 https://github.com/google/kmsan.git master 3c8ca70889aa b24d2b8a .config console log report ci-upstream-kmsan-gce
2019/10/20 15:20 https://github.com/google/kmsan.git master 3c8ca70889aa 8c88c9c1 .config console log report ci-upstream-kmsan-gce
2019/10/18 07:35 https://github.com/google/kmsan.git master 3c8ca70889aa 8c88c9c1 .config console log report ci-upstream-kmsan-gce
2019/10/18 07:30 https://github.com/google/kmsan.git master 3c8ca70889aa 8c88c9c1 .config console log report ci-upstream-kmsan-gce
2019/10/17 23:19 https://github.com/google/kmsan.git master 3c8ca70889aa 8c88c9c1 .config console log report ci-upstream-kmsan-gce
2019/10/12 21:14 https://github.com/google/kmsan.git master fa1690255288 426631dd .config console log report ci-upstream-kmsan-gce
2019/10/11 20:57 https://github.com/google/kmsan.git master dde8031634c3 426631dd .config console log report ci-upstream-kmsan-gce
2019/10/10 06:35 https://github.com/google/kmsan.git master dc327ecad3b0 c4b9981b .config console log report ci-upstream-kmsan-gce
2019/10/09 13:21 https://github.com/google/kmsan.git master eff1487c45ce 312c6a5a .config console log report ci-upstream-kmsan-gce
2019/10/09 08:24 https://github.com/google/kmsan.git master cebb918b7474 b1ebbfef .config console log report ci-upstream-kmsan-gce
2019/10/08 17:46 https://github.com/google/kmsan.git master cebb918b7474 b1ebbfef .config console log report ci-upstream-kmsan-gce
2019/10/08 13:23 https://github.com/google/kmsan.git master cebb918b7474 28ac6e64 .config console log report ci-upstream-kmsan-gce