syzbot

KASAN: slab-use-after-free Read in do_csum

Status: closed as invalid on 2023/12/13 09:50
Subsystems: arm
First crash: 251d, last: 251d
Similar bugs (3)
Kernel   | Title                                                               | Repro | Cause bisect | Fix bisect | Count | Last  | Reported | Patched | Status
upstream | KASAN: slab-out-of-bounds Read in do_csum [net]                     | C     |              |            | 160   | 258d  | 299d     | 23/27   | fixed on 2023/10/12 12:48
upstream | BUG: unable to handle kernel paging request in do_csum (3) [kernel] | C     | error        | error      | 31    | 1036d | 1293d    | 0/27    | closed as invalid on 2022/01/07 18:56
upstream | KASAN: use-after-free Read in do_csum [net]                         | C     |              |            | 72    | 382d  | 548d     | 22/27   | fixed on 2023/06/08 14:41

Sample crash report:
==================================================================
BUG: KASAN: slab-use-after-free in do_csum+0x11c/0x18c arch/arm64/lib/csum.c:66
Read at addr fcff0000343da240 by task syz-executor.0/7145
Pointer tag: [fc], memory tag: [f8]

CPU: 1 PID: 7145 Comm: syz-executor.0 Not tainted 6.6.0-rc5-syzkaller-00243-g727fb8376504 #0
Hardware name: linux,dummy-virt (DT)
Call trace:
 dump_backtrace+0x94/0xec arch/arm64/kernel/stacktrace.c:233
 show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:240
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x48/0x60 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:364 [inline]
 print_report+0x108/0x618 mm/kasan/report.c:475
 kasan_report+0x88/0xac mm/kasan/report.c:588
 report_tag_fault arch/arm64/mm/fault.c:334 [inline]
 do_tag_recovery arch/arm64/mm/fault.c:346 [inline]
 __do_kernel_fault+0x17c/0x1e8 arch/arm64/mm/fault.c:393
 do_bad_area arch/arm64/mm/fault.c:493 [inline]
 do_tag_check_fault+0x78/0x8c arch/arm64/mm/fault.c:770
 do_mem_abort+0x44/0x94 arch/arm64/mm/fault.c:846
 el1_abort+0x40/0x60 arch/arm64/kernel/entry-common.c:398
 el1h_64_sync_handler+0xd8/0xe4 arch/arm64/kernel/entry-common.c:458
 el1h_64_sync+0x64/0x68 arch/arm64/kernel/entry.S:590
 do_csum+0x11c/0x18c arch/arm64/lib/csum.c:66
 gso_make_checksum include/net/gso.h:74 [inline]
 __skb_udp_tunnel_segment net/ipv4/udp_offload.c:140 [inline]
 skb_udp_tunnel_segment+0x34c/0x5a8 net/ipv4/udp_offload.c:182
 udp6_ufo_fragment+0x25c/0x2e0 net/ipv6/udp_offload.c:35
 ipv6_gso_segment+0x120/0x55c net/ipv6/ip6_offload.c:120
 skb_mac_gso_segment+0xb8/0x178 net/core/gso.c:53
 __skb_gso_segment+0x64/0x14c net/core/gso.c:124
 skb_gso_segment include/net/gso.h:83 [inline]
 ip6_finish_output_gso_slowpath_drop net/ipv6/ip6_output.c:153 [inline]
 __ip6_finish_output net/ipv6/ip6_output.c:189 [inline]
 ip6_finish_output+0x2d8/0x354 net/ipv6/ip6_output.c:207
 NF_HOOK_COND include/linux/netfilter.h:293 [inline]
 ip6_output+0x74/0x1cc net/ipv6/ip6_output.c:228
 dst_output include/net/dst.h:458 [inline]
 ip6_local_out+0x48/0x5c net/ipv6/output_core.c:155
 ip6tunnel_xmit include/net/ip6_tunnel.h:161 [inline]
 udp_tunnel6_xmit_skb+0x16c/0x350 net/ipv6/ip6_udp_tunnel.c:109
 geneve6_xmit_skb drivers/net/geneve.c:1071 [inline]
 geneve_xmit+0x7f8/0xf3c drivers/net/geneve.c:1100
 __netdev_start_xmit include/linux/netdevice.h:4889 [inline]
 netdev_start_xmit include/linux/netdevice.h:4903 [inline]
 xmit_one net/core/dev.c:3548 [inline]
 dev_hard_start_xmit+0x8c/0x10c net/core/dev.c:3564
 __dev_queue_xmit+0x1c0/0xe48 net/core/dev.c:4344
 dev_queue_xmit include/linux/netdevice.h:3082 [inline]
 packet_xmit+0xcc/0x144 net/packet/af_packet.c:276
 packet_snd net/packet/af_packet.c:3087 [inline]
 packet_sendmsg+0x828/0x1530 net/packet/af_packet.c:3119
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg+0x54/0x60 net/socket.c:745
 __sys_sendto+0x10c/0x164 net/socket.c:2194
 __do_sys_sendto net/socket.c:2206 [inline]
 __se_sys_sendto net/socket.c:2202 [inline]
 __arm64_sys_sendto+0x28/0x38 net/socket.c:2202
 __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
 invoke_syscall+0x48/0x114 arch/arm64/kernel/syscall.c:51
 el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:136
 do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:155
 el0_svc+0x40/0x114 arch/arm64/kernel/entry-common.c:678
 el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:696
 el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:595

Allocated by task 3090:
 kasan_save_stack+0x3c/0x64 mm/kasan/common.c:45
 save_stack_info+0x38/0x118 mm/kasan/tags.c:104
 kasan_save_alloc_info+0x14/0x20 mm/kasan/tags.c:138
 __kasan_slab_alloc+0x94/0xcc mm/kasan/common.c:328
 kasan_slab_alloc include/linux/kasan.h:188 [inline]
 slab_post_alloc_hook mm/slab.h:762 [inline]
 slab_alloc_node mm/slub.c:3478 [inline]
 kmem_cache_alloc_node+0x150/0x2b8 mm/slub.c:3523
 kmalloc_reserve+0xc4/0x128 net/core/skbuff.c:559
 __alloc_skb+0x8c/0x19c net/core/skbuff.c:650
 alloc_skb_fclone include/linux/skbuff.h:1336 [inline]
 tcp_stream_alloc_skb+0x2c/0x140 net/ipv4/tcp.c:869
 tcp_sendmsg_locked+0x428/0xbe4 net/ipv4/tcp.c:1150
 tcp_sendmsg+0x38/0x60 net/ipv4/tcp.c:1336
 inet_sendmsg+0x44/0x70 net/ipv4/af_inet.c:840
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg+0x54/0x60 net/socket.c:745
 sock_write_iter+0x98/0xf8 net/socket.c:1158
 call_write_iter include/linux/fs.h:1956 [inline]
 new_sync_write fs/read_write.c:491 [inline]
 vfs_write+0x298/0x300 fs/read_write.c:584
 ksys_write+0xe8/0x104 fs/read_write.c:637
 __do_sys_write fs/read_write.c:649 [inline]
 __se_sys_write fs/read_write.c:646 [inline]
 __arm64_sys_write+0x1c/0x28 fs/read_write.c:646
 __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
 invoke_syscall+0x48/0x114 arch/arm64/kernel/syscall.c:51
 el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:136
 do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:155
 el0_svc+0x40/0x114 arch/arm64/kernel/entry-common.c:678
 el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:696
 el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:595

Freed by task 3106:
 kasan_save_stack+0x3c/0x64 mm/kasan/common.c:45
 save_stack_info+0x38/0x118 mm/kasan/tags.c:104
 kasan_save_free_info+0x18/0x24 mm/kasan/tags.c:143
 ____kasan_slab_free.constprop.0+0x180/0x1c8 mm/kasan/common.c:236
 __kasan_slab_free+0x10/0x1c mm/kasan/common.c:244
 kasan_slab_free include/linux/kasan.h:164 [inline]
 slab_free_hook mm/slub.c:1800 [inline]
 slab_free_freelist_hook+0xac/0x1c4 mm/slub.c:1826
 slab_free mm/slub.c:3809 [inline]
 kmem_cache_free+0x18c/0x314 mm/slub.c:3831
 skb_kfree_head net/core/skbuff.c:943 [inline]
 skb_kfree_head net/core/skbuff.c:940 [inline]
 skb_free_head+0xa4/0xb4 net/core/skbuff.c:957
 skb_release_data+0x154/0x1f8 net/core/skbuff.c:987
 skb_release_all net/core/skbuff.c:1053 [inline]
 __kfree_skb+0x30/0x48 net/core/skbuff.c:1067
 tcp_wmem_free_skb include/net/tcp.h:300 [inline]
 tcp_rtx_queue_unlink_and_free include/net/tcp.h:1975 [inline]
 tcp_clean_rtx_queue net/ipv4/tcp_input.c:3351 [inline]
 tcp_ack+0x710/0x1280 net/ipv4/tcp_input.c:3907
 tcp_rcv_established+0x348/0x750 net/ipv4/tcp_input.c:5962
 tcp_v4_do_rcv+0x1dc/0x300 net/ipv4/tcp_ipv4.c:1728
 tcp_v4_rcv+0xbc8/0xc38 net/ipv4/tcp_ipv4.c:2150
 ip_protocol_deliver_rcu+0x38/0x1d4 net/ipv4/ip_input.c:205
 ip_local_deliver_finish+0x7c/0xe8 net/ipv4/ip_input.c:233
 NF_HOOK include/linux/netfilter.h:304 [inline]
 NF_HOOK include/linux/netfilter.h:298 [inline]
 ip_local_deliver+0x118/0x124 net/ipv4/ip_input.c:254
 dst_input include/net/dst.h:468 [inline]
 ip_sublist_rcv_finish+0x68/0x8c net/ipv4/ip_input.c:580
 ip_list_rcv_finish net/ipv4/ip_input.c:631 [inline]
 ip_sublist_rcv+0x190/0x21c net/ipv4/ip_input.c:639
 ip_list_rcv+0x128/0x1c8 net/ipv4/ip_input.c:674
 __netif_receive_skb_list_ptype net/core/dev.c:5570 [inline]
 __netif_receive_skb_list_core+0x14c/0x264 net/core/dev.c:5618
 __netif_receive_skb_list net/core/dev.c:5670 [inline]
 netif_receive_skb_list_internal+0x208/0x310 net/core/dev.c:5761
 gro_normal_list include/net/gro.h:439 [inline]
 gro_normal_list include/net/gro.h:435 [inline]
 napi_complete_done+0x68/0x1c0 net/core/dev.c:6101
 virtqueue_napi_complete drivers/net/virtio_net.c:440 [inline]
 virtnet_poll+0x358/0x554 drivers/net/virtio_net.c:2155
 __napi_poll+0x38/0x18c net/core/dev.c:6531
 napi_poll net/core/dev.c:6598 [inline]
 net_rx_action+0x30c/0x384 net/core/dev.c:6731
 __do_softirq+0x10c/0x284 kernel/softirq.c:553

The buggy address belongs to the object at ffff0000343da240
 which belongs to the cache skbuff_small_head of size 576
The buggy address is located 0 bytes inside of
 576-byte region [ffff0000343da240, ffff0000343da480)

The buggy address belongs to the physical page:
page:00000000b0a98dd0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x743da
head:00000000b0a98dd0 order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0
ksm flags: 0x1ffc00000000840(slab|head|node=0|zone=0|lastcpupid=0x7ff|kasantag=0x0)
page_type: 0xffffffff()
raw: 01ffc00000000840 f4ff000002c3bd00 fffffc0000f6e500 0000000000000003
raw: 0000000000000000 00000000000e000e 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000343da000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff0000343da100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff0000343da200: fc fc fc fc f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                               ^
 ffff0000343da300: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffff0000343da400: f8 f8 f8 f8 f8 f8 f8 f8 f0 f0 f0 f0 f0 f0 f0 f0
==================================================================

Crashes (1):
Time:       2023/10/15 00:07
Kernel:     upstream
Commit:     727fb8376504
Syzkaller:  f757a323
Config:     .config
Log:        console log
Report:     report
Syz repro:
C repro:
VM info:    info
Assets:     disk image (non-bootable), vmlinux, kernel image
Manager:    ci-qemu2-arm64-mte
Title:      KASAN: slab-use-after-free Read in do_csum