syzbot


KASAN: use-after-free Read in refcount_sub_and_test

Status: auto-closed as invalid on 2019/02/22 10:29
Subsystems: net
Reported-by: syzbot+8c17db54fd0c0a2ee849@syzkaller.appspotmail.com
First crash: 2093d, last: 2090d
Discussions (1)
Title Replies (including bot) Last reply
KASAN: use-after-free Read in refcount_sub_and_test 1 (2) 2018/07/31 11:50

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in atomic_read include/asm-generic/atomic-instrumented.h:21 [inline]
BUG: KASAN: use-after-free in refcount_sub_and_test+0x9a/0x350 lib/refcount.c:179
Read of size 4 at addr ffff8801d7900e44 by task syz-executor5/23861

CPU: 1 PID: 23861 Comm: syz-executor5 Not tainted 4.18.0-rc7+ #173
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 check_memory_region_inline mm/kasan/kasan.c:260 [inline]
 check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
 kasan_check_read+0x11/0x20 mm/kasan/kasan.c:272
 atomic_read include/asm-generic/atomic-instrumented.h:21 [inline]
 refcount_sub_and_test+0x9a/0x350 lib/refcount.c:179
 refcount_dec_and_test+0x1a/0x20 lib/refcount.c:212
 fib6_metrics_release+0x4f/0x90 net/ipv6/ip6_fib.c:178
 fib6_drop_pcpu_from net/ipv6/ip6_fib.c:899 [inline]
 fib6_purge_rt+0x5ec/0x7f0 net/ipv6/ip6_fib.c:934
 fib6_del_route net/ipv6/ip6_fib.c:1784 [inline]
 fib6_del+0xc11/0x1310 net/ipv6/ip6_fib.c:1815
 __ip6_del_rt+0xa2/0x140 net/ipv6/route.c:3190
 ip6_route_del+0xfe4/0x14e0 net/ipv6/route.c:3328
 ipv6_route_ioctl+0x616/0x760 net/ipv6/route.c:3681
 inet6_ioctl+0x100/0x1f0 net/ipv6/af_inet6.c:546
 sock_do_ioctl+0xe4/0x3e0 net/socket.c:970
 sock_ioctl+0x30d/0x680 net/socket.c:1094
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:500 [inline]
 do_vfs_ioctl+0x1de/0x1720 fs/ioctl.c:684
 ksys_ioctl+0xa9/0xd0 fs/ioctl.c:701
 __do_sys_ioctl fs/ioctl.c:708 [inline]
 __se_sys_ioctl fs/ioctl.c:706 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:706
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x456a09
Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 
RSP: 002b:00007fc3845bbc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fc3845bc6d4 RCX: 0000000000456a09
RDX: 0000000020000040 RSI: 000000000000890c RDI: 0000000000000014
RBP: 00000000009300a0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000004d0be0 R14: 00000000004c66e3 R15: 0000000000000000

Allocated by task 23217:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
 kmem_cache_alloc_trace+0x152/0x780 mm/slab.c:3620
 kmalloc include/linux/slab.h:513 [inline]
 kzalloc include/linux/slab.h:707 [inline]
 fib6_metric_set+0x163/0x2c0 net/ipv6/ip6_fib.c:645
 fib6_add_rt2node+0xe36/0x27f0 net/ipv6/ip6_fib.c:1000
 fib6_add+0xaae/0x14d0 net/ipv6/ip6_fib.c:1308
 __ip6_ins_rt+0x54/0x80 net/ipv6/route.c:1163
 ip6_route_add+0x6d/0xc0 net/ipv6/route.c:3171
 addrconf_prefix_route.isra.48+0x51d/0x720 net/ipv6/addrconf.c:2347
 inet6_addr_modify net/ipv6/addrconf.c:4627 [inline]
 inet6_rtm_newaddr+0x112e/0x1b50 net/ipv6/addrconf.c:4743
 rtnetlink_rcv_msg+0x46e/0xc30 net/core/rtnetlink.c:4665
 netlink_rcv_skb+0x172/0x440 net/netlink/af_netlink.c:2453
 rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:4683
 netlink_unicast_kernel net/netlink/af_netlink.c:1315 [inline]
 netlink_unicast+0x5a0/0x760 net/netlink/af_netlink.c:1341
 netlink_sendmsg+0xa18/0xfd0 net/netlink/af_netlink.c:1906
 sock_sendmsg_nosec net/socket.c:642 [inline]
 sock_sendmsg+0xd5/0x120 net/socket.c:652
 ___sys_sendmsg+0x7fd/0x930 net/socket.c:2126
 __sys_sendmsg+0x11d/0x290 net/socket.c:2164
 __do_sys_sendmsg net/socket.c:2173 [inline]
 __se_sys_sendmsg net/socket.c:2171 [inline]
 __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2171
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 23861:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3498 [inline]
 kfree+0xd9/0x260 mm/slab.c:3813
 fib6_metrics_release+0x77/0x90 net/ipv6/ip6_fib.c:179
 fib6_drop_pcpu_from net/ipv6/ip6_fib.c:899 [inline]
 fib6_purge_rt+0x5ec/0x7f0 net/ipv6/ip6_fib.c:934
 fib6_del_route net/ipv6/ip6_fib.c:1784 [inline]
 fib6_del+0xc11/0x1310 net/ipv6/ip6_fib.c:1815
 __ip6_del_rt+0xa2/0x140 net/ipv6/route.c:3190
 ip6_route_del+0xfe4/0x14e0 net/ipv6/route.c:3328
 ipv6_route_ioctl+0x616/0x760 net/ipv6/route.c:3681
 inet6_ioctl+0x100/0x1f0 net/ipv6/af_inet6.c:546
 sock_do_ioctl+0xe4/0x3e0 net/socket.c:970
 sock_ioctl+0x30d/0x680 net/socket.c:1094
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:500 [inline]
 do_vfs_ioctl+0x1de/0x1720 fs/ioctl.c:684
 ksys_ioctl+0xa9/0xd0 fs/ioctl.c:701
 __do_sys_ioctl fs/ioctl.c:708 [inline]
 __se_sys_ioctl fs/ioctl.c:706 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:706
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8801d7900e00
 which belongs to the cache kmalloc-96 of size 96
The buggy address is located 68 bytes inside of
 96-byte region [ffff8801d7900e00, ffff8801d7900e60)
The buggy address belongs to the page:
page:ffffea00075e4000 count:1 mapcount:0 mapping:ffff8801dac004c0 index:0xffff8801d7900b00
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffffea0006c72388 ffffea0006e28b88 ffff8801dac004c0
raw: ffff8801d7900b00 ffff8801d7900000 000000010000001d 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801d7900d00: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
 ffff8801d7900d80: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
>ffff8801d7900e00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
                                           ^
 ffff8801d7900e80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
 ffff8801d7900f00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
==================================================================

Crashes (131):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2018/08/02 18:34 upstream 6b4703768268 0a7cf4ec .config console log report ci-upstream-kasan-gce
2018/08/02 16:45 upstream 6b4703768268 0a7cf4ec .config console log report ci-upstream-kasan-gce-root
2018/08/02 15:06 upstream 6b4703768268 0a7cf4ec .config console log report ci-upstream-kasan-gce
2018/08/02 14:02 upstream 6b4703768268 0a7cf4ec .config console log report ci-upstream-kasan-gce
2018/08/02 12:59 upstream 6b4703768268 0a7cf4ec .config console log report ci-upstream-kasan-gce
2018/08/02 09:41 upstream 6b4703768268 0a7cf4ec .config console log report ci-upstream-kasan-gce
2018/08/02 08:04 upstream 6b4703768268 0a7cf4ec .config console log report ci-upstream-kasan-gce
2018/08/02 07:03 upstream 44960f2a7b63 0a7cf4ec .config console log report ci-upstream-kasan-gce
2018/08/02 06:03 upstream 44960f2a7b63 0a7cf4ec .config console log report ci-upstream-kasan-gce
2018/08/02 04:47 upstream 44960f2a7b63 0a7cf4ec .config console log report ci-upstream-kasan-gce
2018/08/02 04:39 upstream 44960f2a7b63 0a7cf4ec .config console log report ci-upstream-kasan-gce
2018/08/02 03:35 upstream 44960f2a7b63 0a7cf4ec .config console log report ci-upstream-kasan-gce
2018/08/02 02:28 upstream 44960f2a7b63 0a7cf4ec .config console log report ci-upstream-kasan-gce
2018/08/02 01:24 upstream 44960f2a7b63 0a7cf4ec .config console log report ci-upstream-kasan-gce
2018/08/02 00:08 upstream 44960f2a7b63 0a7cf4ec .config console log report ci-upstream-kasan-gce
2018/08/01 15:37 upstream c1d61e7fe376 1477993e .config console log report ci-upstream-kasan-gce
2018/08/01 13:55 upstream c1d61e7fe376 1477993e .config console log report ci-upstream-kasan-gce
2018/08/01 10:40 upstream c1d61e7fe376 1477993e .config console log report ci-upstream-kasan-gce
2018/08/01 07:15 upstream c1d61e7fe376 1477993e .config console log report ci-upstream-kasan-gce
2018/08/01 04:47 upstream c1d61e7fe376 1477993e .config console log report ci-upstream-kasan-gce
2018/08/01 04:28 upstream c1d61e7fe376 1477993e .config console log report ci-upstream-kasan-gce
2018/08/01 04:04 upstream c1d61e7fe376 1477993e .config console log report ci-upstream-kasan-gce
2018/08/01 03:58 upstream c1d61e7fe376 1477993e .config console log report ci-upstream-kasan-gce
2018/08/01 03:51 upstream c1d61e7fe376 1477993e .config console log report ci-upstream-kasan-gce
2018/08/01 03:33 upstream c1d61e7fe376 1477993e .config console log report ci-upstream-kasan-gce
2018/08/01 02:41 upstream c1d61e7fe376 1477993e .config console log report ci-upstream-kasan-gce
2018/08/01 02:28 upstream c1d61e7fe376 1477993e .config console log report ci-upstream-kasan-gce
2018/08/01 02:26 upstream c1d61e7fe376 1477993e .config console log report ci-upstream-kasan-gce
2018/07/31 19:21 upstream c1d61e7fe376 1477993e .config console log report ci-upstream-kasan-gce-root
2018/08/02 11:45 upstream 6b4703768268 0a7cf4ec .config console log report ci-upstream-kasan-gce-386
2018/08/01 06:08 upstream c1d61e7fe376 1477993e .config console log report ci-upstream-kasan-gce-386
2018/08/01 22:58 net-old a94c689e6c9e 0a7cf4ec .config console log report ci-upstream-net-this-kasan-gce
2018/08/01 22:05 net-old a94c689e6c9e 0a7cf4ec .config console log report ci-upstream-net-this-kasan-gce
2018/08/01 20:37 net-old a94c689e6c9e 0a7cf4ec .config console log report ci-upstream-net-this-kasan-gce
2018/08/01 17:40 net-old cb5c65688673 1477993e .config console log report ci-upstream-net-this-kasan-gce
2018/08/01 16:39 net-old cb5c65688673 1477993e .config console log report ci-upstream-net-this-kasan-gce
2018/08/01 13:46 net-old cb5c65688673 1477993e .config console log report ci-upstream-net-this-kasan-gce
2018/08/01 12:27 net-old cb5c65688673 1477993e .config console log report ci-upstream-net-this-kasan-gce
2018/08/01 08:58 net-old cb5c65688673 1477993e .config console log report ci-upstream-net-this-kasan-gce
2018/08/01 05:03 net-old 6751e7c66cb8 1477993e .config console log report ci-upstream-net-this-kasan-gce
2018/08/01 04:44 net-old 6751e7c66cb8 1477993e .config console log report ci-upstream-net-this-kasan-gce
2018/08/01 03:48 net-old 6751e7c66cb8 1477993e .config console log report ci-upstream-net-this-kasan-gce
2018/08/01 03:20 net-old 6751e7c66cb8 1477993e .config console log report ci-upstream-net-this-kasan-gce
2018/07/31 06:14 net-old 61f4b23769f0 1a381291 .config console log report ci-upstream-net-this-kasan-gce