syzbot


KASAN: use-after-free Write in tcp_cdg_cwnd_event

Status: auto-closed as invalid on 2022/05/18 11:54
Subsystems: net
First crash: 875d, last: 792d
Similar bugs (1)
  Kernel:    upstream
  Title:     KASAN: use-after-free Write in tcp_cdg_cwnd_event (2)   [subsystem: net]
  Repro:     none   Cause bisect: none   Fix bisect: none
  Count: 1   Last: 667d   Reported: 667d   Patched: 0/26
  Status:    auto-closed as invalid on 2022/09/20 12:00

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in memset include/linux/fortify-string.h:209 [inline]
BUG: KASAN: use-after-free in tcp_cdg_cwnd_event+0x189/0x300 net/ipv4/tcp_cdg.c:355
Write of size 64 at addr ffff88804a934900 by task kworker/1:10/9742

CPU: 1 PID: 9742 Comm: kworker/1:10 Not tainted 5.16.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events mptcp_worker
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0x8d/0x320 mm/kasan/report.c:247
 __kasan_report mm/kasan/report.c:433 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:450
 check_region_inline mm/kasan/generic.c:183 [inline]
 kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
 memset+0x20/0x40 mm/kasan/shadow.c:44
 memset include/linux/fortify-string.h:209 [inline]
 tcp_cdg_cwnd_event+0x189/0x300 net/ipv4/tcp_cdg.c:355
 tcp_ca_event include/net/tcp.h:1156 [inline]
 tcp_cwnd_restart+0x108/0x4a0 net/ipv4/tcp_output.c:147
 tcp_slow_start_after_idle_check include/net/tcp.h:1405 [inline]
 tcp_skb_entail+0x5c2/0x710 net/ipv4/tcp.c:666
 __mptcp_alloc_tx_skb net/mptcp/protocol.c:1197 [inline]
 mptcp_alloc_tx_skb net/mptcp/protocol.c:1214 [inline]
 mptcp_sendmsg_frag+0x5ca/0x2190 net/mptcp/protocol.c:1279
 __mptcp_push_pending+0x232/0x720 net/mptcp/protocol.c:1545
 mptcp_release_cb+0xfe/0x200 net/mptcp/protocol.c:2975
 release_sock+0xb4/0x1b0 net/core/sock.c:3312
 mptcp_worker+0x51e/0xc20 net/mptcp/protocol.c:2443
 process_one_work+0x9b2/0x1690 kernel/workqueue.c:2298
 worker_thread+0x658/0x11f0 kernel/workqueue.c:2445
 kthread+0x405/0x4f0 kernel/kthread.c:327
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
 </TASK>

Allocated by task 25784:
 kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 ____kasan_kmalloc mm/kasan/common.c:513 [inline]
 ____kasan_kmalloc mm/kasan/common.c:472 [inline]
 __kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:522
 kmalloc_array include/linux/slab.h:630 [inline]
 kcalloc include/linux/slab.h:661 [inline]
 tcp_cdg_init+0x10d/0x170 net/ipv4/tcp_cdg.c:380
 tcp_init_congestion_control+0xab/0x550 net/ipv4/tcp_cong.c:183
 tcp_reinit_congestion_control net/ipv4/tcp_cong.c:207 [inline]
 tcp_set_congestion_control+0x96c/0xaa0 net/ipv4/tcp_cong.c:381
 do_tcp_setsockopt net/ipv4/tcp.c:3401 [inline]
 tcp_setsockopt+0x620/0x2520 net/ipv4/tcp.c:3688
 mptcp_setsockopt+0x914/0x2050 net/mptcp/sockopt.c:735
 __sys_setsockopt+0x2db/0x610 net/socket.c:2176
 __do_sys_setsockopt net/socket.c:2187 [inline]
 __se_sys_setsockopt net/socket.c:2184 [inline]
 __x64_sys_setsockopt+0xba/0x150 net/socket.c:2184
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 8:
 kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38
 kasan_set_track+0x21/0x30 mm/kasan/common.c:46
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
 ____kasan_slab_free mm/kasan/common.c:366 [inline]
 ____kasan_slab_free mm/kasan/common.c:328 [inline]
 __kasan_slab_free+0xff/0x130 mm/kasan/common.c:374
 kasan_slab_free include/linux/kasan.h:235 [inline]
 slab_free_hook mm/slub.c:1723 [inline]
 slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1749
 slab_free mm/slub.c:3513 [inline]
 kfree+0xf6/0x560 mm/slub.c:4561
 tcp_cleanup_congestion_control+0x70/0x120 net/ipv4/tcp_cong.c:216
 tcp_v4_destroy_sock+0xe2/0x760 net/ipv4/tcp_ipv4.c:2260
 tcp_v6_destroy_sock+0x11/0x20 net/ipv6/tcp_ipv6.c:1971
 inet_csk_destroy_sock+0x196/0x440 net/ipv4/inet_connection_sock.c:1010
 tcp_done+0x23b/0x340 net/ipv4/tcp.c:4452
 tcp_reset+0x16f/0x4a0 net/ipv4/tcp_input.c:4312
 tcp_validate_incoming+0xfc1/0x1c40 net/ipv4/tcp_input.c:5720
 tcp_rcv_established+0x5af/0x2130 net/ipv4/tcp_input.c:5932
 tcp_v6_do_rcv+0x461/0x1320 net/ipv6/tcp_ipv6.c:1522
 tcp_v6_rcv+0x23be/0x2d10 net/ipv6/tcp_ipv6.c:1766
 ip6_protocol_deliver_rcu+0x2e9/0x1cc0 net/ipv6/ip6_input.c:422
 ip6_input_finish+0x62/0x170 net/ipv6/ip6_input.c:463
 NF_HOOK include/linux/netfilter.h:307 [inline]
 NF_HOOK include/linux/netfilter.h:301 [inline]
 ip6_input+0x9c/0xd0 net/ipv6/ip6_input.c:472
 dst_input include/net/dst.h:460 [inline]
 ip6_rcv_finish+0x1ca/0x300 net/ipv6/ip6_input.c:76
 ip_sabotage_in net/bridge/br_netfilter_hooks.c:873 [inline]
 ip_sabotage_in+0x1fa/0x260 net/bridge/br_netfilter_hooks.c:864
 nf_hook_entry_hookfn include/linux/netfilter.h:142 [inline]
 nf_hook_slow+0xc5/0x1e0 net/netfilter/core.c:619
 nf_hook.constprop.0+0x3ac/0x650 include/linux/netfilter.h:262
 NF_HOOK include/linux/netfilter.h:305 [inline]
 ipv6_rcv+0x9e/0x3b0 net/ipv6/ip6_input.c:297
 __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5343
 __netif_receive_skb+0x24/0x1b0 net/core/dev.c:5457
 netif_receive_skb_internal net/core/dev.c:5543 [inline]
 netif_receive_skb+0x13e/0x8e0 net/core/dev.c:5602
 NF_HOOK include/linux/netfilter.h:307 [inline]
 NF_HOOK include/linux/netfilter.h:301 [inline]
 br_pass_frame_up+0x2d2/0x3e0 net/bridge/br_input.c:61
 br_handle_frame_finish+0x694/0x1850 net/bridge/br_input.c:174
 br_nf_hook_thresh+0x2a5/0x360 net/bridge/br_netfilter_hooks.c:1025
 br_nf_pre_routing_finish_ipv6+0x684/0xe00 net/bridge/br_netfilter_ipv6.c:206
 NF_HOOK include/linux/netfilter.h:307 [inline]
 br_nf_pre_routing_ipv6+0x42c/0x7b0 net/bridge/br_netfilter_ipv6.c:236
 br_nf_pre_routing+0x1477/0x1ec0 net/bridge/br_netfilter_hooks.c:505
 nf_hook_entry_hookfn include/linux/netfilter.h:142 [inline]
 nf_hook_bridge_pre net/bridge/br_input.c:230 [inline]
 br_handle_frame+0x8f8/0x1180 net/bridge/br_input.c:370
 __netif_receive_skb_core+0x9e1/0x3770 net/core/dev.c:5237
 __netif_receive_skb_one_core+0xae/0x180 net/core/dev.c:5341
 __netif_receive_skb+0x24/0x1b0 net/core/dev.c:5457
 process_backlog+0x2a5/0x6c0 net/core/dev.c:5789
 __napi_poll+0xaf/0x440 net/core/dev.c:6357
 napi_poll net/core/dev.c:6424 [inline]
 net_rx_action+0x801/0xb40 net/core/dev.c:6511
 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558

The buggy address belongs to the object at ffff88804a934900
 which belongs to the cache kmalloc-64 of size 64
The buggy address is located 0 bytes inside of
 64-byte region [ffff88804a934900, ffff88804a934940)
The buggy address belongs to the page:
page:ffffea00012a4d00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88804a934a00 pfn:0x4a934
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffffea000123f888 ffffea00010cd8c8 ffff888010c41640
raw: ffff88804a934a00 000000000020001e 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 25001, ts 372471882560, free_ts 372200334362
 prep_new_page mm/page_alloc.c:2418 [inline]
 get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4149
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5369
 alloc_pages+0x1a7/0x300 mm/mempolicy.c:2191
 alloc_slab_page mm/slub.c:1793 [inline]
 allocate_slab mm/slub.c:1930 [inline]
 new_slab+0x32d/0x4a0 mm/slub.c:1993
 ___slab_alloc+0x918/0xfe0 mm/slub.c:3022
 __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3109
 slab_alloc_node mm/slub.c:3200 [inline]
 slab_alloc mm/slub.c:3242 [inline]
 __kmalloc_track_caller+0x2e7/0x320 mm/slub.c:4925
 __do_krealloc mm/slab_common.c:1200 [inline]
 krealloc+0x87/0xf0 mm/slab_common.c:1233
 push_jmp_history kernel/bpf/verifier.c:2267 [inline]
 is_state_visited kernel/bpf/verifier.c:11000 [inline]
 do_check kernel/bpf/verifier.c:11140 [inline]
 do_check_common+0x33c9/0xc8e0 kernel/bpf/verifier.c:13416
 do_check_main kernel/bpf/verifier.c:13479 [inline]
 bpf_check+0x7389/0xbef0 kernel/bpf/verifier.c:14046
 bpf_prog_load+0xf4c/0x21e0 kernel/bpf/syscall.c:2343
 __sys_bpf+0x674/0x5980 kernel/bpf/syscall.c:4633
 __do_sys_bpf kernel/bpf/syscall.c:4737 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:4735 [inline]
 __x64_sys_bpf+0x75/0xb0 kernel/bpf/syscall.c:4735
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1338 [inline]
 free_pcp_prepare+0x374/0x870 mm/page_alloc.c:1389
 free_unref_page_prepare mm/page_alloc.c:3309 [inline]
 free_unref_page+0x19/0x690 mm/page_alloc.c:3388
 qlink_free mm/kasan/quarantine.c:146 [inline]
 qlist_free_all+0x5a/0xc0 mm/kasan/quarantine.c:165
 kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:272
 ____kasan_kmalloc mm/kasan/common.c:479 [inline]
 __kasan_krealloc+0x131/0x170 mm/kasan/common.c:581
 kasan_krealloc include/linux/kasan.h:289 [inline]
 __do_krealloc mm/slab_common.c:1196 [inline]
 krealloc+0x54/0xf0 mm/slab_common.c:1233
 push_jmp_history kernel/bpf/verifier.c:2267 [inline]
 is_state_visited kernel/bpf/verifier.c:11000 [inline]
 do_check kernel/bpf/verifier.c:11140 [inline]
 do_check_common+0x33c9/0xc8e0 kernel/bpf/verifier.c:13416
 do_check_main kernel/bpf/verifier.c:13479 [inline]
 bpf_check+0x7389/0xbef0 kernel/bpf/verifier.c:14046
 bpf_prog_load+0xf4c/0x21e0 kernel/bpf/syscall.c:2343
 __sys_bpf+0x674/0x5980 kernel/bpf/syscall.c:4633
 __do_sys_bpf kernel/bpf/syscall.c:4737 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:4735 [inline]
 __x64_sys_bpf+0x75/0xb0 kernel/bpf/syscall.c:4735
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Memory state around the buggy address:
 ffff88804a934800: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff88804a934880: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff88804a934900: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
                   ^
 ffff88804a934980: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff88804a934a00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==================================================================
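Reading the three stacks together gives the whole story the page supports: the 64-byte object is the per-socket CDG gradient window that tcp_cdg_init allocates with kcalloc, here reached through setsockopt(TCP_CONGESTION) on an MPTCP socket (mptcp_setsockopt -> tcp_setsockopt -> tcp_set_congestion_control); it is freed in softirq context when an incoming RST on the IPv6 subflow tears the socket down (tcp_reset -> tcp_done -> inet_csk_destroy_sock -> tcp_v6_destroy_sock -> tcp_v4_destroy_sock -> tcp_cleanup_congestion_control -> kfree); and it is written afterwards by mptcp_worker, which still pushes pending data through that subflow and ends up in tcp_cwnd_restart -> tcp_ca_event -> tcp_cdg_cwnd_event, whose memset covers all 64 bytes from offset 0 of the freed kmalloc-64 slot. The shadow row confirms it: fa/fb under the whole access means every granule is freed slab memory, fc after it is the redzone. Whatever next lands in that slot would be zeroed by the stale write. Note that both crashes on this page came without a syz or C reproducer and syzbot closed the bug automatically, so nothing here identifies a fix.

The checks above are mechanical, so here is an added triage helper (example code for this page, not syzbot tooling or kernel code) that parses a generic-KASAN slab report, strips the KASAN/allocator plumbing frames to find the real fault, allocation and free sites, and decodes the shadow bytes covering the access. SAMPLE is a constructed, trimmed copy of the report above; the shadow-byte legend (0xfa, 0xfb, 0xfc) follows the generic-KASAN values in mm/kasan/kasan.h of the 5.16-era kernel that produced it, and PLUMBING is my own list of frame prefixes to skip.

```python
"""Triage a generic-KASAN slab use-after-free report.  Added example for this page, not
syzbot tooling or kernel code: SAMPLE is a constructed, trimmed copy of the report above
and the shadow legend uses generic-KASAN values from mm/kasan/kasan.h (5.16 era)."""
import re

GRANULE, ROW = 8, 128   # bytes per shadow byte; bytes covered by one "Memory state" row
FREED = (0xfa, 0xfb)    # both mean "freed slab object"; 0xfa additionally holds the free track
SHADOW_LEGEND = {0x00: "addressable", 0xfa: "freed slab object (free-track metadata)",
                 0xfb: "freed slab object", 0xfc: "slab redzone", 0xff: "freed page"}
# KASAN/allocator plumbing that sits above the frame a triager actually cares about (my list).
PLUMBING = ("kasan", "dump_stack", "print_address", "check_region", "memset", "memcpy",
            "memmove", "set_alloc_info", "kmalloc", "kcalloc", "kzalloc", "slab_", "kfree")
FRAME_RE = re.compile(r"^\s+(\S+?)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?\s+(\S+:\d+)(\s+\[inline\])?\s*$")
ACCESS_RE = re.compile(r"^(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)")
SHADOW_RE = re.compile(r"^>?\s*([0-9a-f]{16}): ((?:[0-9a-f]{2}\s?){16})")

SAMPLE = """\
BUG: KASAN: use-after-free in tcp_cdg_cwnd_event+0x189/0x300 net/ipv4/tcp_cdg.c:355
Write of size 64 at addr ffff88804a934900 by task kworker/1:10/9742
Call Trace:
 <TASK>
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:450
 memset+0x20/0x40 mm/kasan/shadow.c:44
 tcp_cdg_cwnd_event+0x189/0x300 net/ipv4/tcp_cdg.c:355
 mptcp_worker+0x51e/0xc20 net/mptcp/protocol.c:2443

Allocated by task 25784:
 kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38
 kcalloc include/linux/slab.h:661 [inline]
 tcp_cdg_init+0x10d/0x170 net/ipv4/tcp_cdg.c:380
 __x64_sys_setsockopt+0xba/0x150 net/socket.c:2184

Freed by task 8:
 kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38
 kfree+0xf6/0x560 mm/slub.c:4561
 tcp_cleanup_congestion_control+0x70/0x120 net/ipv4/tcp_cong.c:216
 tcp_reset+0x16f/0x4a0 net/ipv4/tcp_input.c:4312

The buggy address belongs to the object at ffff88804a934900
 which belongs to the cache kmalloc-64 of size 64
Memory state around the buggy address:
>ffff88804a934900: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
                   ^
"""


def parse_kasan_report(text):
    """Extract the access, the three stacks, the object bounds and the shadow rows."""
    r, section = {"bug": "", "fault": [], "alloc": [], "free": [], "shadow": {}, "obj_size": 0}, None
    for line in text.splitlines():
        if m := re.match(r"^BUG: KASAN: (\S+) in ", line):
            r["bug"] = r["bug"] or m.group(1)
        elif m := ACCESS_RE.match(line):
            r.update(access=m.group(1), size=int(m.group(2)), addr=int(m.group(3), 16), task=m.group(4))
        elif line.startswith("Call Trace:"):
            section = r["fault"]
        elif m := re.match(r"^(Allocated|Freed) by task (\S+):", line):
            key = "alloc" if m.group(1) == "Allocated" else "free"
            r[key + "_task"], section = m.group(2), r[key]
        elif m := re.match(r"^The buggy address belongs to the object at ([0-9a-f]+)", line):
            r["obj_start"] = int(m.group(1), 16)
        elif m := re.match(r"^\s+which belongs to the cache (\S+) of size (\d+)", line):
            r["cache"], r["obj_size"] = m.group(1), int(m.group(2))
        elif m := SHADOW_RE.match(line):
            r["shadow"][int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
        elif not line.strip():
            section = None          # a blank line closes a stack section
        elif section is not None and (m := FRAME_RE.match(line)):
            section.append((m.group(1), m.group(2)))    # (function, file:line)
    return r


def first_real_frame(frames):
    """First frame below the KASAN/allocator plumbing: the code that touched the object."""
    return next(((f, loc) for f, loc in frames if not f.lstrip("_").startswith(PLUMBING)), None)


def shadow_for_access(r):
    """Shadow byte for each 8-byte granule of [addr, addr+size); None if that row was not dumped."""
    out = []
    for a in range(r["addr"], r["addr"] + r["size"], GRANULE):
        row = r["shadow"].get(a & ~(ROW - 1))
        out.append(None if row is None else row[(a % ROW) // GRANULE])
    return out


def summarize(r):
    shadow, start = shadow_for_access(r), r.get("obj_start", 0)
    return {
        "bug": f'{r["bug"]} {r["access"].lower()} of {r["size"]} bytes from {r.get("cache")}',
        "offset_in_object": r["addr"] - start,
        "access_within_object": start <= r["addr"] and r["addr"] + r["size"] <= start + r["obj_size"],
        "whole_access_in_freed_memory": bool(shadow) and all(b in FREED for b in shadow),
        "shadow": [SHADOW_LEGEND.get(b, "not dumped" if b is None else f"0x{b:02x}") for b in shadow],
        "fault_site": first_real_frame(r["fault"]), "fault_task": r["task"],
        "alloc_site": first_real_frame(r["alloc"]), "alloc_task": r.get("alloc_task"),
        "free_site": first_real_frame(r["free"]), "free_task": r.get("free_task"),
    }
```

Calling summarize(parse_kasan_report(SAMPLE)) yields the triage facts for this report: fault site tcp_cdg_cwnd_event at net/ipv4/tcp_cdg.c:355 in the kworker, allocation at tcp_cdg_init (task 25784), free at tcp_cleanup_congestion_control (task 8), offset 0 inside a kmalloc-64 object, and all eight shadow granules under the 64-byte write marked freed. The plumbing list is deliberately prefix-based so that inlined wrappers such as ____kasan_kmalloc or slab_free_freelist_hook are skipped without a per-kernel-version table; extend it when a report's top frame is another allocator helper.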

Crashes (2):
  2021/11/26 18:02  kernel: net-next-old  commit: 35bf8c86eeb8  syzkaller: 63eeac02
      manager: ci-upstream-net-kasan-gce
      artifacts: .config, console log, report, VM info  (no syz repro, no C repro)
      title: KASAN: use-after-free Write in tcp_cdg_cwnd_event
  2022/02/17 11:49  kernel: linux-next  commit: ef6b35306dd8  syzkaller: 2bea8a27
      manager: ci-upstream-linux-next-kasan-gce-root
      artifacts: .config, console log, report, VM info  (no syz repro, no C repro)
      title: KASAN: use-after-free Write in tcp_cdg_cwnd_event