syzbot


KASAN: use-after-free Read in ila_nf_input

Status: auto-closed as invalid on 2020/01/27 14:15
Reported-by: syzbot+03a25358f4cba0bc4cb6@syzkaller.appspotmail.com
First crash: 1473d, last: 1216d

Sample crash report:
bridge0: received packet on veth0_to_bridge with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:1b, vlan:0)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
==================================================================
BUG: KASAN: use-after-free in rht_key_hashfn include/linux/rhashtable.h:143 [inline]
BUG: KASAN: use-after-free in __rhashtable_lookup include/linux/rhashtable.h:492 [inline]
BUG: KASAN: use-after-free in rhashtable_lookup include/linux/rhashtable.h:534 [inline]
BUG: KASAN: use-after-free in rhashtable_lookup_fast include/linux/rhashtable.h:560 [inline]
BUG: KASAN: use-after-free in ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:133 [inline]
BUG: KASAN: use-after-free in ila_xlat_addr net/ipv6/ila/ila_xlat.c:658 [inline]
BUG: KASAN: use-after-free in ila_nf_input+0xcd7/0xe00 net/ipv6/ila/ila_xlat.c:191
Read of size 4 at addr ffff88805d2d12cc by task ksoftirqd/0/9

CPU: 0 PID: 9 Comm: ksoftirqd/0 Not tainted 5.0.0+ #6
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
 kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/generic_report.c:134
 rht_key_hashfn include/linux/rhashtable.h:143 [inline]
 __rhashtable_lookup include/linux/rhashtable.h:492 [inline]
 rhashtable_lookup include/linux/rhashtable.h:534 [inline]
 rhashtable_lookup_fast include/linux/rhashtable.h:560 [inline]
 ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:133 [inline]
 ila_xlat_addr net/ipv6/ila/ila_xlat.c:658 [inline]
 ila_nf_input+0xcd7/0xe00 net/ipv6/ila/ila_xlat.c:191
 nf_hook_entry_hookfn include/linux/netfilter.h:119 [inline]
 nf_hook_slow+0xbf/0x1f0 net/netfilter/core.c:511
 nf_hook include/linux/netfilter.h:244 [inline]
 NF_HOOK include/linux/netfilter.h:287 [inline]
 ipv6_rcv+0x25d/0x420 net/ipv6/ip6_input.c:272
 __netif_receive_skb_one_core+0x115/0x1a0 net/core/dev.c:4973
 __netif_receive_skb+0x2c/0x1c0 net/core/dev.c:5083
 process_backlog+0x206/0x750 net/core/dev.c:5923
 napi_poll net/core/dev.c:6346 [inline]
 net_rx_action+0x4fa/0x1070 net/core/dev.c:6412
 __do_softirq+0x266/0x95a kernel/softirq.c:292
 run_ksoftirqd kernel/softirq.c:654 [inline]
 run_ksoftirqd+0x8e/0x110 kernel/softirq.c:646
 smpboot_thread_fn+0x6ab/0xa10 kernel/smpboot.c:164
 kthread+0x357/0x430 kernel/kthread.c:246
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352

Allocated by task 7632:
 save_stack+0x45/0xd0 mm/kasan/common.c:73
 set_track mm/kasan/common.c:85 [inline]
 __kasan_kmalloc mm/kasan/common.c:495 [inline]
 __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:468
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:509
 __do_kmalloc_node mm/slab.c:3678 [inline]
 __kmalloc_node+0x4e/0x70 mm/slab.c:3685
 kmalloc_node include/linux/slab.h:588 [inline]
 kvmalloc_node+0xbd/0x100 mm/util.c:416
 kvmalloc include/linux/mm.h:604 [inline]
 kvzalloc include/linux/mm.h:612 [inline]
 bucket_table_alloc+0x3f/0x450 lib/rhashtable.c:176
 rhashtable_init+0x489/0x8a0 lib/rhashtable.c:1065
 ila_xlat_init_net+0x1df/0x2f0 net/ipv6/ila/ila_xlat.c:623
 ila_init_net+0x16/0x20 net/ipv6/ila/ila_main.c:63
 ops_init+0xb6/0x410 net/core/net_namespace.c:129
 setup_net+0x2c5/0x730 net/core/net_namespace.c:314
 copy_net_ns+0x1d9/0x340 net/core/net_namespace.c:437
 create_new_namespaces+0x400/0x7b0 kernel/nsproxy.c:107
 unshare_nsproxy_namespaces+0xc2/0x200 kernel/nsproxy.c:206
 ksys_unshare+0x440/0x980 kernel/fork.c:2550
 __do_sys_unshare kernel/fork.c:2618 [inline]
 __se_sys_unshare kernel/fork.c:2616 [inline]
 __x64_sys_unshare+0x31/0x40 kernel/fork.c:2616
 do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 8191:
 save_stack+0x45/0xd0 mm/kasan/common.c:73
 set_track mm/kasan/common.c:85 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:457
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:465
 __cache_free mm/slab.c:3494 [inline]
 kfree+0xcf/0x230 mm/slab.c:3811
 kvfree+0x61/0x70 mm/util.c:445
 bucket_table_free+0x93/0x180 lib/rhashtable.c:108
 rhashtable_free_and_destroy+0x155/0x8f0 lib/rhashtable.c:1163
 ila_xlat_exit_net+0x1a4/0x360 net/ipv6/ila/ila_xlat.c:632
 ila_exit_net+0x16/0x20 net/ipv6/ila/ila_main.c:75
 ops_exit_list.isra.0+0xb0/0x160 net/core/net_namespace.c:153
 cleanup_net+0x3fb/0x960 net/core/net_namespace.c:551
 process_one_work+0x98e/0x1790 kernel/workqueue.c:2173
 worker_thread+0x98/0xe40 kernel/workqueue.c:2319
 kthread+0x357/0x430 kernel/kthread.c:246
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352

The buggy address belongs to the object at ffff88805d2d12c0
 which belongs to the cache kmalloc-32k of size 32768
The buggy address is located 12 bytes inside of
 32768-byte region [ffff88805d2d12c0, ffff88805d2d92c0)
The buggy address belongs to the page:
page:ffffea000174b400 count:1 mapcount:0 mapping:ffff88812c3f2380 index:0x0 compound_mapcount: 0
flags: 0x1fffc0000010200(slab|head)
raw: 01fffc0000010200 ffffea0001746408 ffffea000173d408 ffff88812c3f2380
raw: 0000000000000000 ffff88805d2d12c0 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88805d2d1180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88805d2d1200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88805d2d1280: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                              ^
 ffff88805d2d1300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88805d2d1380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (43):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Title
ci-upstream-kasan-gce-root 2019/03/05 17:31 upstream cd2a3bf02625 bb91cf81 .config console log report
ci-upstream-bpf-kasan-gce 2019/09/25 12:25 bpf 733ef7f056a5 e38a6630 .config console log report
ci-upstream-bpf-kasan-gce 2019/06/07 14:06 bpf 4aeba328019a ce9107d0 .config console log report
ci-upstream-bpf-kasan-gce 2019/04/13 10:28 bpf ad40ddd4cef4 c402d8f1 .config console log report
ci-upstream-net-this-kasan-gce 2019/04/09 21:16 net e063f4598249 995065ff .config console log report
ci-upstream-net-this-kasan-gce 2019/04/09 16:32 net e063f4598249 995065ff .config console log report
ci-upstream-net-this-kasan-gce 2019/03/27 16:41 net 8c838f53e149 4e668495 .config console log report
ci-upstream-net-this-kasan-gce 2019/03/26 22:12 net d29f5aa0bc0c 55684ce1 .config console log report
ci-upstream-net-this-kasan-gce 2019/03/22 12:15 net 33872d79f5d1 dce6e62f .config console log report
ci-upstream-net-this-kasan-gce 2019/03/22 01:56 net 33872d79f5d1 dce6e62f .config console log report
ci-upstream-net-this-kasan-gce 2019/03/17 13:20 net 517ccc2aa50d ba18afea .config console log report
ci-upstream-net-this-kasan-gce 2019/03/14 16:37 net 9417d81f4f8a d09a902e .config console log report
ci-upstream-net-this-kasan-gce 2019/03/12 20:42 net a3b1933d34d5 a71bfb62 .config console log report
ci-upstream-net-this-kasan-gce 2019/03/12 05:56 net 41af8b3a097c 12365b99 .config console log report
ci-upstream-net-this-kasan-gce 2019/03/10 00:11 net 1f5d861f7fef 12365b99 .config console log report
ci-upstream-net-this-kasan-gce 2019/03/06 12:28 net 4177c5d94264 05cf83bf .config console log report
ci-upstream-net-this-kasan-gce 2019/02/27 19:18 net bfd07f3dd4f1 083cfd0e .config console log report
ci-upstream-net-this-kasan-gce 2019/02/14 23:00 net 8d6ea932856c 76dd003f .config console log report
ci-upstream-net-this-kasan-gce 2019/02/03 18:28 net c14f07c6211c c198d5dd .config console log report
ci-upstream-net-this-kasan-gce 2019/01/31 15:38 net 3aa9179b2dfe 0e8ea0a3 .config console log report
ci-upstream-bpf-next-kasan-gce 2019/09/29 14:14 bpf-next b41dae061bbd c1ad5441 .config console log report
ci-upstream-net-kasan-gce 2019/08/11 18:17 net-next 2cc2743d8fee acb51638 .config console log report
ci-upstream-bpf-next-kasan-gce 2019/07/23 04:23 bpf-next 192f0f8e9db7 55e0c077 .config console log report
ci-upstream-bpf-next-kasan-gce 2019/04/30 03:59 bpf-next 9076c49bdca2 b617407b .config console log report
ci-upstream-net-kasan-gce 2019/04/02 07:32 net-next f5d547676ca0 a9ca43d4 .config console log report
ci-upstream-net-kasan-gce 2019/04/01 19:43 net-next f5d547676ca0 a9ca43d4 .config console log report
ci-upstream-net-kasan-gce 2019/03/26 16:24 net-next 68cc2999f692 55684ce1 .config console log report
ci-upstream-net-kasan-gce 2019/03/17 13:39 net-next 3b319ee220a8 ba18afea .config console log report
ci-upstream-net-kasan-gce 2019/03/16 09:33 net-next 3b319ee220a8 bab43553 .config console log report
ci-upstream-net-kasan-gce 2019/03/14 03:22 net-next d9862cfbe209 2881fc25 .config console log report
ci-upstream-net-kasan-gce 2019/03/12 22:41 net-next d9862cfbe209 a71bfb62 .config console log report
ci-upstream-net-kasan-gce 2019/03/09 02:26 net-next d9862cfbe209 12365b99 .config console log report
ci-upstream-net-kasan-gce 2019/03/08 21:12 net-next d9862cfbe209 12365b99 .config console log report
ci-upstream-net-kasan-gce 2019/03/08 14:06 net-next d9862cfbe209 12365b99 .config console log report
ci-upstream-net-kasan-gce 2019/03/08 07:27 net-next d9862cfbe209 4b69c3cb .config console log report
ci-upstream-net-kasan-gce 2019/03/07 23:48 net-next d9862cfbe209 4b69c3cb .config console log report
ci-upstream-net-kasan-gce 2019/03/06 06:11 net-next d9862cfbe209 16559f86 .config console log report
ci-upstream-net-kasan-gce 2019/03/04 06:01 net-next 41bc0ddb80e0 1c0e457a .config console log report
ci-upstream-net-kasan-gce 2019/03/01 08:11 net-next be9cefe796f3 8a4b3a6b .config console log report
ci-upstream-net-kasan-gce 2019/02/17 09:05 net-next f2281c245d60 f42dee6d .config console log report
ci-upstream-net-kasan-gce 2019/02/16 16:58 net-next bb015f2216fe f42dee6d .config console log report
ci-upstream-net-kasan-gce 2019/02/03 00:26 net-next a68a8481353a c198d5dd .config console log report
ci-upstream-bpf-next-kasan-gce 2019/01/15 13:34 bpf-next b71acb0e3721 ebacf5cb .config console log report
* Struck through repros no longer work on HEAD.