syzbot


KASAN: use-after-free Read in sk_dst_check

Status: auto-closed as invalid on 2019/12/26 08:18
Reported-by: syzbot+d0bed8f8385504681d9e@syzkaller.appspotmail.com
First crash: 2252d, last: 1914d
Similar bugs (1)
Kernel      Title                                       Repro  Cause bisect  Fix bisect  Count  Last   Reported  Patched  Status
android-44  KASAN: use-after-free Read in sk_dst_check  -      -             -           15     1875d  2050d     0/2      auto-closed as invalid on 2020/02/03 18:21

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:248 [inline]
BUG: KASAN: use-after-free in atomic_read arch/x86/include/asm/atomic.h:26 [inline]
BUG: KASAN: use-after-free in __atomic_add_unless arch/x86/include/asm/atomic.h:240 [inline]
BUG: KASAN: use-after-free in atomic_add_unless include/linux/atomic.h:506 [inline]
BUG: KASAN: use-after-free in sk_dst_get include/net/sock.h:1706 [inline]
BUG: KASAN: use-after-free in sk_dst_check+0x347/0x380 net/core/sock.c:513
Read of size 4 at addr ffff8801508cf940 by task syz-executor.5/22647

CPU: 0 PID: 22647 Comm: syz-executor.5 Not tainted 4.9.186+ #10
 ffff8801bab4f6c8 ffffffff81b5a0b1 0000000000000000 ffffea00054233c0
 ffff8801508cf940 0000000000000004 ffffffff822c2d07 ffff8801bab4f700
 ffffffff8150ab68 0000000000000000 ffff8801508cf940 ffff8801508cf940
Call Trace:
 [<00000000a8481923>] __dump_stack lib/dump_stack.c:15 [inline]
 [<00000000a8481923>] dump_stack+0xc1/0x120 lib/dump_stack.c:51
 [<00000000e406efd1>] print_address_description+0x6f/0x23a mm/kasan/report.c:256
 [<00000000c853f188>] kasan_report_error mm/kasan/report.c:355 [inline]
 [<00000000c853f188>] kasan_report mm/kasan/report.c:413 [inline]
 [<00000000c853f188>] kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:397
 [<00000000cb91697d>] __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:433
 [<000000003d49af4b>] __read_once_size include/linux/compiler.h:248 [inline]
 [<000000003d49af4b>] atomic_read arch/x86/include/asm/atomic.h:26 [inline]
 [<000000003d49af4b>] __atomic_add_unless arch/x86/include/asm/atomic.h:240 [inline]
 [<000000003d49af4b>] atomic_add_unless include/linux/atomic.h:506 [inline]
 [<000000003d49af4b>] sk_dst_get include/net/sock.h:1706 [inline]
 [<000000003d49af4b>] sk_dst_check+0x347/0x380 net/core/sock.c:513
 [<00000000632da59e>] udp_sendmsg+0x10a6/0x1c60 net/ipv4/udp.c:1014
 [<00000000472dba77>] inet_sendmsg+0x202/0x4d0 net/ipv4/af_inet.c:766
 [<0000000007bd0712>] sock_sendmsg_nosec net/socket.c:649 [inline]
 [<0000000007bd0712>] sock_sendmsg+0xbe/0x110 net/socket.c:659
 [<000000005a6bb9e4>] ___sys_sendmsg+0x387/0x8b0 net/socket.c:1983
 [<000000006ecdfae9>] __sys_sendmmsg+0x164/0x3d0 net/socket.c:2073
 [<00000000f3c3b04d>] SYSC_sendmmsg net/socket.c:2104 [inline]
 [<00000000f3c3b04d>] SyS_sendmmsg+0x35/0x60 net/socket.c:2099
 [<00000000710b1ed3>] do_syscall_64+0x1ad/0x5c0 arch/x86/entry/common.c:288
 [<0000000000d83e65>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb

Allocated by task 22652:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack mm/kasan/kasan.c:512 [inline]
 set_track mm/kasan/kasan.c:524 [inline]
 kasan_kmalloc.part.0+0x62/0xf0 mm/kasan/kasan.c:616
 kasan_kmalloc+0xb7/0xd0 mm/kasan/kasan.c:601
 kasan_slab_alloc+0xf/0x20 mm/kasan/kasan.c:554
 slab_post_alloc_hook mm/slab.h:417 [inline]
 slab_alloc_node mm/slub.c:2715 [inline]
 slab_alloc mm/slub.c:2723 [inline]
 kmem_cache_alloc+0xd5/0x2b0 mm/slub.c:2728
 dst_alloc+0xf3/0x1b0 net/core/dst.c:210
 ipv4_blackhole_route+0x30/0x720 net/ipv4/route.c:2442
 make_blackhole net/xfrm/xfrm_policy.c:2214 [inline]
 xfrm_lookup_route net/xfrm/xfrm_policy.c:2387 [inline]
 xfrm_lookup_route+0xf4/0x140 net/xfrm/xfrm_policy.c:2378
 ip_route_output_flow+0x93/0xa0 net/ipv4/route.c:2483
 udp_sendmsg+0x1494/0x1c60 net/ipv4/udp.c:1029
 inet_sendmsg+0x202/0x4d0 net/ipv4/af_inet.c:766
 sock_sendmsg_nosec net/socket.c:649 [inline]
 sock_sendmsg+0xbe/0x110 net/socket.c:659
 ___sys_sendmsg+0x387/0x8b0 net/socket.c:1983
 __sys_sendmmsg+0x164/0x3d0 net/socket.c:2073
 SYSC_sendmmsg net/socket.c:2104 [inline]
 SyS_sendmmsg+0x35/0x60 net/socket.c:2099
 do_syscall_64+0x1ad/0x5c0 arch/x86/entry/common.c:288
 entry_SYSCALL_64_after_swapgs+0x5d/0xdb

Freed by task 16542:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack mm/kasan/kasan.c:512 [inline]
 set_track mm/kasan/kasan.c:524 [inline]
 kasan_slab_free+0xb0/0x190 mm/kasan/kasan.c:589
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kmem_cache_free+0xbe/0x310 mm/slub.c:2980
 dst_destroy+0x275/0x350 net/core/dst.c:270
 dst_gc_task+0x1b2/0x520 net/core/dst.c:89
 process_one_work+0x88b/0x1600 kernel/workqueue.c:2114
 worker_thread+0x5df/0x11d0 kernel/workqueue.c:2251
 kthread+0x278/0x310 kernel/kthread.c:211
 ret_from_fork+0x5c/0x70 arch/x86/entry/entry_64.S:375

The buggy address belongs to the object at ffff8801508cf8c0
 which belongs to the cache ip_dst_cache of size 216
The buggy address is located 128 bytes inside of
 216-byte region [ffff8801508cf8c0, ffff8801508cf998)
The buggy address belongs to the page:
page:ffffea00054233c0 count:1 mapcount:0 mapping:          (null) index:0x0
flags: 0x4000000000000200(slab)
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801508cf800: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc
 ffff8801508cf880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8801508cf900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                           ^
 ffff8801508cf980: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8801508cfa00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

Crashes (28):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2019/07/25 17:24 https://android.googlesource.com/kernel/common android-4.9 3244efed0310 732bc5a0 .config console log report ci-android-49-kasan-gce-root
2019/07/22 18:47 https://android.googlesource.com/kernel/common android-4.9 cd46375d4f59 b3c615f5 .config console log report ci-android-49-kasan-gce-root
2019/07/03 00:29 https://android.googlesource.com/kernel/common android-4.9 ab758e1039d6 55565fa0 .config console log report ci-android-49-kasan-gce-root
2019/07/02 14:08 https://android.googlesource.com/kernel/common android-4.9 ab758e1039d6 55565fa0 .config console log report ci-android-49-kasan-gce-root
2019/06/09 05:43 https://android.googlesource.com/kernel/common android-4.9 83ae225d5ce3 0159583c .config console log report ci-android-49-kasan-gce-root
2019/06/06 11:08 https://android.googlesource.com/kernel/common android-4.9 3434ddb20bf1 a547defc .config console log report ci-android-49-kasan-gce-root
2019/01/14 14:56 https://android.googlesource.com/kernel/common android-4.9 c7b283dd04b1 95485883 .config console log report ci-android-49-kasan-gce-root
2019/01/13 17:08 https://android.googlesource.com/kernel/common android-4.9 c7b283dd04b1 c3f3344c .config console log report ci-android-49-kasan-gce-root
2019/01/10 12:24 https://android.googlesource.com/kernel/common android-4.9 ed0b11d22809 db9b6579 .config console log report ci-android-49-kasan-gce-root
2018/12/29 10:54 https://android.googlesource.com/kernel/common android-4.9 a2f9236e8131 a40793d7 .config console log report ci-android-49-kasan-gce-root
2018/12/28 23:17 https://android.googlesource.com/kernel/common android-4.9 a2f9236e8131 e33ad0f1 .config console log report ci-android-49-kasan-gce-root
2018/11/27 19:28 https://android.googlesource.com/kernel/common android-4.9 8fe428403e30 4b6d14f2 .config console log report ci-android-49-kasan-gce-root
2018/10/13 00:50 https://android.googlesource.com/kernel/common android-4.9 38f2b4a8c277 caf12900 .config console log report ci-android-49-kasan-gce-root
2018/09/24 06:48 https://android.googlesource.com/kernel/common android-4.9 1c57ba4f543b 28d9ac76 .config console log report ci-android-49-kasan-gce-root
2019/08/28 08:17 https://android.googlesource.com/kernel/common android-4.9 8fe428403e30 fd37b39e .config console log report ci-android-49-kasan-gce-386
2019/08/24 08:46 https://android.googlesource.com/kernel/common android-4.9 8fe428403e30 78ded196 .config console log report ci-android-49-kasan-gce-386
2019/08/17 08:33 https://android.googlesource.com/kernel/common android-4.9 8fe428403e30 8fd428a1 .config console log report ci-android-49-kasan-gce-386
2019/06/17 16:23 https://android.googlesource.com/kernel/common android-4.9 8fe428403e30 442206d7 .config console log report ci-android-49-kasan-gce-386
2019/06/11 22:31 https://android.googlesource.com/kernel/common android-4.9 8fe428403e30 ea2f4006 .config console log report ci-android-49-kasan-gce-386
2019/06/08 00:16 https://android.googlesource.com/kernel/common android-4.9 8fe428403e30 ce9107d0 .config console log report ci-android-49-kasan-gce-386
2019/05/25 10:17 https://android.googlesource.com/kernel/common android-4.9 8fe428403e30 85c57315 .config console log report ci-android-49-kasan-gce-386
2019/04/06 00:39 https://android.googlesource.com/kernel/common android-4.9 8fe428403e30 fa763482 .config console log report ci-android-49-kasan-gce-386
2019/03/23 19:39 https://android.googlesource.com/kernel/common android-4.9 8fe428403e30 a2cef203 .config console log report ci-android-49-kasan-gce-386
2019/03/23 15:16 https://android.googlesource.com/kernel/common android-4.9 8fe428403e30 a2cef203 .config console log report ci-android-49-kasan-gce-386
2019/03/20 01:21 https://android.googlesource.com/kernel/common android-4.9 8fe428403e30 2458c1c6 .config console log report ci-android-49-kasan-gce-386
2019/03/06 20:16 https://android.googlesource.com/kernel/common android-4.9 8fe428403e30 05cf83bf .config console log report ci-android-49-kasan-gce-386
2019/01/03 00:29 https://android.googlesource.com/kernel/common android-4.9 8fe428403e30 06a2b89f .config console log report ci-android-49-kasan-gce-386
2018/12/21 21:58 https://android.googlesource.com/kernel/common android-4.9 8fe428403e30 588075e6 .config console log report ci-android-49-kasan-gce-386
* Struck through repros no longer work on HEAD.