KASAN: slab-out-of-bounds Read in ipvlan_queue

Kernel	Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
linux-4.14	KASAN: slab-out-of-bounds Read in ipvlan_queue_xmit	C		error	1	601d	601d	0/1	upstream: reported C repro on 2022/08/30 13:48
upstream	KASAN: slab-out-of-bounds Read in ipvlan_queue_xmit net	C	error	error	8	786d	1263d	22/26	fixed on 2023/02/24 13:50
upstream	Internal error in ipvlan_queue_xmit net				3	169d	201d	0/26	auto-obsoleted due to no activity on 2024/02/04 03:58
upstream	KMSAN: uninit-value in ipvlan_queue_xmit net	C			2	602d	1184d	22/26	fixed on 2023/02/24 13:50
upstream	KMSAN: uninit-value in ipvlan_queue_xmit (2) net	C			2	44d	5d00h	0/26	upstream: reported C repro on 2024/04/18 07:05
linux-4.19	KASAN: use-after-free Read in ipvlan_queue_xmit (2)	C		error	2	601d	1070d	0/1	upstream: reported C repro on 2021/05/18 15:37
upstream	KASAN: use-after-free Read in ipvlan_queue_xmit (3) net	C	error	error	8	627d	1225d	22/26	fixed on 2023/02/24 13:51

linux-4.14

KASAN: slab-out-of-bounds Read in ipvlan_queue_xmit

error

601d

0/1

upstream: reported C repro on 2022/08/30 13:48

upstream

KASAN: slab-out-of-bounds Read in ipvlan_queue_xmit net

error

786d

1263d

22/26

fixed on 2023/02/24 13:50

upstream

Internal error in ipvlan_queue_xmit net

169d

201d

0/26

auto-obsoleted due to no activity on 2024/02/04 03:58

upstream

KMSAN: uninit-value in ipvlan_queue_xmit net

602d

1184d

22/26

fixed on 2023/02/24 13:50

upstream

KMSAN: uninit-value in ipvlan_queue_xmit (2) net

44d

5d00h

0/26

upstream: reported C repro on 2024/04/18 07:05

linux-4.19

KASAN: use-after-free Read in ipvlan_queue_xmit (2)

error

601d

1070d

0/1

upstream: reported C repro on 2021/05/18 15:37

upstream

KASAN: use-after-free Read in ipvlan_queue_xmit (3) net

error

627d

1225d

22/26

fixed on 2023/02/24 13:51


Created	Duration	User	Repo	Result
2021/11/07 19:49	12m	bisect fix	linux-4.19.y	error job log (0)
2021/10/08 19:20	28m	bisect fix	linux-4.19.y	job log (0) log
2021/09/08 18:04	27m	bisect fix	linux-4.19.y	job log (0) log
2021/07/23 01:42	25m	bisect fix	linux-4.19.y	job log (0) log
2021/06/22 18:37	23m	bisect fix	linux-4.19.y	job log (0) log
2021/05/23 12:03	28m	bisect fix	linux-4.19.y	job log (0) log
2021/04/23 10:17	22m	bisect fix	linux-4.19.y	job log (0) log
2021/03/24 09:55	22m	bisect fix	linux-4.19.y	job log (0) log
2021/02/22 05:58	23m	bisect fix	linux-4.19.y	job log (0) log
2021/02/18 15:23	19m	bisect fix	linux-4.19.y	error job log (0)
2021/02/12 04:56	0m	bisect fix	linux-4.19.y	error job log (0)
2021/01/13 04:33	22m	bisect fix	linux-4.19.y	job log (0) log

wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready ================================================================== BUG: KASAN: slab-out-of-bounds in ether_addr_equal include/linux/etherdevice.h:321 [inline] BUG: KASAN: slab-out-of-bounds in ipvlan_xmit_mode_l2 drivers/net/ipvlan/ipvlan_core.c:605 [inline] BUG: KASAN: slab-out-of-bounds in ipvlan_queue_xmit+0x9d2/0x18e0 drivers/net/ipvlan/ipvlan_core.c:651 Read of size 4 at addr ffff8880aaf6d4ff by task syz-executor370/8107 CPU: 1 PID: 8107 Comm: syz-executor370 Not tainted 4.19.163-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1fc/0x2fe lib/dump_stack.c:118 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256 kasan_report_error.cold+0x8a/0x1c7 mm/kasan/report.c:354 kasan_report mm/kasan/report.c:412 [inline] __asan_report_load4_noabort+0x88/0x90 mm/kasan/report.c:432 ether_addr_equal include/linux/etherdevice.h:321 [inline] ipvlan_xmit_mode_l2 drivers/net/ipvlan/ipvlan_core.c:605 [inline] ipvlan_queue_xmit+0x9d2/0x18e0 drivers/net/ipvlan/ipvlan_core.c:651 ipvlan_start_xmit+0x4f/0x190 drivers/net/ipvlan/ipvlan_main.c:290 __netdev_start_xmit include/linux/netdevice.h:4333 [inline] netdev_start_xmit include/linux/netdevice.h:4347 [inline] dev_direct_xmit+0x3f9/0x6d0 net/core/dev.c:3905 packet_snd net/packet/af_packet.c:2988 [inline] packet_sendmsg+0x2474/0x6aff net/packet/af_packet.c:3013 sock_sendmsg_nosec net/socket.c:622 [inline] sock_sendmsg+0xc3/0x120 net/socket.c:632 sock_write_iter+0x287/0x3c0 net/socket.c:901 call_write_iter include/linux/fs.h:1821 [inline] aio_write+0x37f/0x5c0 fs/aio.c:1574 __io_submit_one fs/aio.c:1858 [inline] io_submit_one+0xecd/0x20c0 fs/aio.c:1909 __do_sys_io_submit fs/aio.c:1953 [inline] __se_sys_io_submit+0x11b/0x4a0 fs/aio.c:1924 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x443ea9 Code: e8 5c 0b 03 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 8b 0d fc ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007ffdb3402108 EFLAGS: 00000246 ORIG_RAX: 00000000000000d1 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000443ea9 RDX: 0000000020000080 RSI: 0000000000000001 RDI: 00007fc68ccd8000 RBP: 00316e616c767069 R08: 0000001e00000140 R09: 0000001e00000140 R10: 0000001e00000140 R11: 0000000000000246 R12: 0000000000000003 R13: 0000000000000000 R14: 0000000000000040 R15: 0000000000000004 Allocated by task 1: kmem_cache_alloc+0x122/0x370 mm/slab.c:3559 kmem_cache_zalloc include/linux/slab.h:699 [inline] __alloc_file+0x21/0x330 fs/file_table.c:100 alloc_empty_file+0x6d/0x170 fs/file_table.c:150 path_openat+0xe9/0x2df0 fs/namei.c:3526 do_filp_open+0x18c/0x3f0 fs/namei.c:3567 do_sys_open+0x3b3/0x520 fs/open.c:1085 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 9: __cache_free mm/slab.c:3503 [inline] kmem_cache_free+0x7f/0x260 mm/slab.c:3765 __rcu_reclaim kernel/rcu/rcu.h:236 [inline] rcu_do_batch kernel/rcu/tree.c:2584 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:2897 [inline] __rcu_process_callbacks kernel/rcu/tree.c:2864 [inline] rcu_process_callbacks+0x8ff/0x18b0 kernel/rcu/tree.c:2881 __do_softirq+0x26c/0x9a0 kernel/softirq.c:292 The buggy address belongs to the object at ffff8880aaf6d300 which belongs to the cache filp of size 456 The buggy address is located 55 bytes to the right of 456-byte region [ffff8880aaf6d300, ffff8880aaf6d4c8) The buggy address belongs to the page: page:ffffea0002abdb40 count:1 mapcount:0 mapping:ffff88823b846200 index:0x0 flags: 0xfff00000000100(slab) raw: 00fff00000000100 ffffea0002acc108 ffffea0002aba008 ffff88823b846200 raw: 0000000000000000 ffff8880aaf6d080 0000000100000006 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880aaf6d380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880aaf6d400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8880aaf6d480: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc ^ ffff8880aaf6d500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8880aaf6d580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================

Crashes (4):
Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Assets (help?)	Manager	Title
2020/12/14 04:33	linux-4.19.y	13d2ce42de8c	8f160dd5	.config	console log	report	syz	C			ci2-linux-4-19
2020/11/30 08:35	linux-4.19.y	0c88e405c97e	a0092f9d	.config	console log	report	syz	C			ci2-linux-4-19
2023/02/08 09:12	linux-4.19.y	3f8a27f9e27b	15c3d445	.config	console log	report			info	[disk image] [vmlinux]	ci2-linux-4-19	KASAN: slab-out-of-bounds Read in ipvlan_queue_xmit
2021/08/09 18:04	linux-4.19.y	5c66974a6304	6972b106	.config	console log	report			info		ci2-linux-4-19	KASAN: slab-out-of-bounds Read in ipvlan_queue_xmit

Crashes (4):

Assets (help?)