syzbot |
sign-in | mailing list | source | docs |
| 🐞 Open [979] ≡ Subsystems 🐞 Fixed [5216] 🐞 Invalid [12474] ⬇ Missing Backports [82] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes | 💬 Send us feedback |
================================================================== BUG: KASAN: use-after-free in fib6_drop_pcpu_from net/ipv6/ip6_fib.c:925 [inline] BUG: KASAN: use-after-free in fib6_purge_rt+0x1b3/0x5e0 net/ipv6/ip6_fib.c:937 Write of size 8 at addr ffff8880a7b36a0b by task kworker/u4:0/6525 CPU: 1 PID: 6525 Comm: kworker/u4:0 Not tainted 5.2.0-rc1+ #25 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: netns cleanup_net Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x172/0x1f0 lib/dump_stack.c:113 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:188 __kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317 kasan_report+0x12/0x20 mm/kasan/common.c:614 check_memory_region_inline mm/kasan/generic.c:185 [inline] check_memory_region+0x123/0x190 mm/kasan/generic.c:191 kasan_check_write+0x14/0x20 mm/kasan/common.c:100 fib6_drop_pcpu_from net/ipv6/ip6_fib.c:925 [inline] fib6_purge_rt+0x1b3/0x5e0 net/ipv6/ip6_fib.c:937 fib6_del_route net/ipv6/ip6_fib.c:1812 [inline] fib6_del+0xac2/0x10a0 net/ipv6/ip6_fib.c:1843 fib6_clean_node+0x3a5/0x590 net/ipv6/ip6_fib.c:2005 fib6_walk_continue+0x4a9/0x8e0 net/ipv6/ip6_fib.c:1927 fib6_walk+0x9d/0x100 net/ipv6/ip6_fib.c:1975 fib6_clean_tree+0xe0/0x120 net/ipv6/ip6_fib.c:2054 __fib6_clean_all+0x118/0x2a0 net/ipv6/ip6_fib.c:2070 fib6_clean_all+0x2b/0x40 net/ipv6/ip6_fib.c:2081 rt6_sync_down_dev+0x134/0x150 net/ipv6/route.c:4169 rt6_disable_ip+0x27/0x5f0 net/ipv6/route.c:4174 addrconf_ifdown+0xa2/0x1220 net/ipv6/addrconf.c:3709 addrconf_notify+0x5db/0x2270 net/ipv6/addrconf.c:3634 notifier_call_chain+0xc2/0x230 kernel/notifier.c:95 __raw_notifier_call_chain kernel/notifier.c:396 [inline] raw_notifier_call_chain+0x2e/0x40 kernel/notifier.c:403 call_netdevice_notifiers_info+0x3f/0x90 net/core/dev.c:1753 call_netdevice_notifiers_extack net/core/dev.c:1765 [inline] call_netdevice_notifiers net/core/dev.c:1779 [inline] dev_close_many+0x33f/0x6f0 net/core/dev.c:1522 rollback_registered_many+0x43b/0xfc0 net/core/dev.c:8193 unregister_netdevice_many.part.0+0x1b/0x1f0 net/core/dev.c:9324 unregister_netdevice_many+0x3b/0x50 net/core/dev.c:9323 ip6_tnl_exit_batch_net+0x50c/0x6f0 net/ipv6/ip6_tunnel.c:2274 ops_exit_list.isra.0+0xfc/0x150 net/core/net_namespace.c:157 cleanup_net+0x3fb/0x960 net/core/net_namespace.c:553 process_one_work+0x989/0x1790 kernel/workqueue.c:2269 worker_thread+0x98/0xe40 kernel/workqueue.c:2415 kthread+0x354/0x420 kernel/kthread.c:255 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 Allocated by task 12213: save_stack+0x23/0x90 mm/kasan/common.c:71 set_track mm/kasan/common.c:79 [inline] __kasan_kmalloc mm/kasan/common.c:489 [inline] __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:462 kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:497 slab_post_alloc_hook mm/slab.h:437 [inline] slab_alloc mm/slab.c:3326 [inline] kmem_cache_alloc+0x11a/0x6f0 mm/slab.c:3488 dst_alloc+0x10e/0x200 net/core/dst.c:93 ip6_dst_alloc+0x34/0xa0 net/ipv6/route.c:356 icmp6_dst_alloc+0x1a9/0x660 net/ipv6/route.c:2734 ndisc_send_skb+0xfc1/0x14a0 net/ipv6/ndisc.c:488 ndisc_send_ns+0x3a9/0x850 net/ipv6/ndisc.c:650 ndisc_solicit+0x2ed/0x470 net/ipv6/ndisc.c:742 neigh_probe+0xc6/0x110 net/core/neighbour.c:1014 __neigh_event_send+0x3a4/0x16a0 net/core/neighbour.c:1172 neigh_event_send include/net/neighbour.h:445 [inline] neigh_resolve_output+0x5cf/0x970 net/core/neighbour.c:1474 neigh_output include/net/neighbour.h:511 [inline] ip6_finish_output2+0x1034/0x2550 net/ipv6/ip6_output.c:120 ip6_finish_output+0x56d/0xc20 net/ipv6/ip6_output.c:154 NF_HOOK_COND include/linux/netfilter.h:294 [inline] ip6_output+0x235/0x7f0 net/ipv6/ip6_output.c:171 dst_output include/net/dst.h:433 [inline] NF_HOOK include/linux/netfilter.h:305 [inline] NF_HOOK include/linux/netfilter.h:299 [inline] ip6_xmit+0xe35/0x20b0 net/ipv6/ip6_output.c:275 tcp_v6_send_response+0xe53/0x1f80 net/ipv6/tcp_ipv6.c:906 tcp_v6_send_reset+0x77a/0xf90 net/ipv6/tcp_ipv6.c:984 tcp_v6_rcv+0x1e8f/0x3570 net/ipv6/tcp_ipv6.c:1596 ip6_protocol_deliver_rcu+0x2fe/0x16c0 net/ipv6/ip6_input.c:401 ip6_input_finish+0x84/0x170 net/ipv6/ip6_input.c:442 NF_HOOK include/linux/netfilter.h:305 [inline] NF_HOOK include/linux/netfilter.h:299 [inline] ip6_input+0xe4/0x3f0 net/ipv6/ip6_input.c:451 dst_input include/net/dst.h:439 [inline] ip6_rcv_finish+0x1de/0x310 net/ipv6/ip6_input.c:80 NF_HOOK include/linux/netfilter.h:305 [inline] NF_HOOK include/linux/netfilter.h:299 [inline] ipv6_rcv+0x10e/0x420 net/ipv6/ip6_input.c:276 __netif_receive_skb_one_core+0x113/0x1a0 net/core/dev.c:4990 __netif_receive_skb+0x2c/0x1d0 net/core/dev.c:5104 netif_receive_skb_internal+0x117/0x5c0 net/core/dev.c:5207 napi_frags_finish net/core/dev.c:5774 [inline] napi_gro_frags+0xada/0xd10 net/core/dev.c:5848 tun_get_user+0x2f3c/0x3ff0 drivers/net/tun.c:1991 tun_chr_write_iter+0xbd/0x156 drivers/net/tun.c:2037 call_write_iter include/linux/fs.h:1872 [inline] do_iter_readv_writev+0x5f8/0x8f0 fs/read_write.c:693 do_iter_write fs/read_write.c:970 [inline] do_iter_write+0x184/0x610 fs/read_write.c:951 vfs_writev+0x1b3/0x2f0 fs/read_write.c:1015 do_writev+0x15b/0x330 fs/read_write.c:1058 __do_sys_writev fs/read_write.c:1131 [inline] __se_sys_writev fs/read_write.c:1128 [inline] __x64_sys_writev+0x75/0xb0 fs/read_write.c:1128 do_syscall_64+0xfd/0x680 arch/x86/entry/common.c:301 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 12213: save_stack+0x23/0x90 mm/kasan/common.c:71 set_track mm/kasan/common.c:79 [inline] __kasan_slab_free+0x102/0x150 mm/kasan/common.c:451 kasan_slab_free+0xe/0x10 mm/kasan/common.c:459 __cache_free mm/slab.c:3432 [inline] kmem_cache_free+0x86/0x260 mm/slab.c:3698 dst_destroy+0x29e/0x3c0 net/core/dst.c:129 dst_destroy_rcu+0x16/0x19 net/core/dst.c:142 __rcu_reclaim kernel/rcu/rcu.h:222 [inline] rcu_do_batch kernel/rcu/tree.c:2092 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:2310 [inline] rcu_core+0xba5/0x1500 kernel/rcu/tree.c:2291 __do_softirq+0x25c/0x94c kernel/softirq.c:293 The buggy address belongs to the object at ffff8880a7b36a00 which belongs to the cache ip6_dst_cache of size 224 The buggy address is located 11 bytes inside of 224-byte region [ffff8880a7b36a00, ffff8880a7b36ae0) The buggy address belongs to the page: page:ffffea00029ecd80 refcount:1 mapcount:0 mapping:ffff88809b4f03c0 index:0xffff8880a7b363c0 flags: 0x1fffc0000000200(slab) raw: 01fffc0000000200 ffffea0002410b48 ffff88809b143d38 ffff88809b4f03c0 raw: ffff8880a7b363c0 ffff8880a7b36000 000000010000000b 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880a7b36900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8880a7b36980: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc >ffff8880a7b36a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880a7b36a80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ffff8880a7b36b00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ==================================================================
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2019/05/24 11:11 | net-old | b5730061d105 | 0dadcd9d | .config | console log | report | ci-upstream-net-this-kasan-gce | |||||
| 2019/05/17 02:30 | net-next-old | 35c99ffa20ed | 7fb690f3 | .config | console log | report | ci-upstream-net-kasan-gce |