KASAN: slab-out-of-bounds Read in icmp_sk_exit

Status: auto-closed as invalid on 2019/10/25 08:46
Subsystems: net
Reported-by: syzbot+b22156514878ba5fbf01@syzkaller.appspotmail.com
First crash: 1907d, last: 1789d

Sample crash report:
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
==================================================================
BUG: KASAN: slab-out-of-bounds in inet_ctl_sock_destroy include/net/inet_common.h:56 [inline]
BUG: KASAN: slab-out-of-bounds in icmp_sk_exit+0x1ce/0x1f0 net/ipv4/icmp.c:1188
Read of size 8 at addr ffff888091d2bc0c by task kworker/u4:7/8055

CPU: 0 PID: 8055 Comm: kworker/u4:7 Not tainted 5.0.0+ #5
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
8021q: adding VLAN 0 to HW filter on device batadv0
 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
 kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135
 inet_ctl_sock_destroy include/net/inet_common.h:56 [inline]
 icmp_sk_exit+0x1ce/0x1f0 net/ipv4/icmp.c:1188
 ops_exit_list.isra.0+0xb0/0x160 net/core/net_namespace.c:153
 cleanup_net+0x3fb/0x960 net/core/net_namespace.c:551
 process_one_work+0x98e/0x1790 kernel/workqueue.c:2173
 worker_thread+0x98/0xe40 kernel/workqueue.c:2319
 kthread+0x357/0x430 kernel/kthread.c:246
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352

Allocated by task 26580:
 save_stack+0x45/0xd0 mm/kasan/common.c:73
 set_track mm/kasan/common.c:85 [inline]
 __kasan_kmalloc mm/kasan/common.c:495 [inline]
 __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:468
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:509
 __do_kmalloc mm/slab.c:3716 [inline]
 __kmalloc_track_caller+0x158/0x740 mm/slab.c:3731
 kmemdup+0x27/0x60 mm/util.c:111
 kmemdup include/linux/string.h:425 [inline]
 __devinet_sysctl_register+0xa5/0x2c0 net/ipv4/devinet.c:2472
 devinet_sysctl_register net/ipv4/devinet.c:2524 [inline]
 devinet_sysctl_register+0x167/0x220 net/ipv4/devinet.c:2514
 inetdev_init+0x22e/0x470 net/ipv4/devinet.c:274
 inetdev_event+0xe0e/0x1200 net/ipv4/devinet.c:1480
 notifier_call_chain+0xc7/0x240 kernel/notifier.c:93
 __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 raw_notifier_call_chain+0x2e/0x40 kernel/notifier.c:401
 call_netdevice_notifiers_info+0x3f/0x90 net/core/dev.c:1739
 call_netdevice_notifiers_extack net/core/dev.c:1751 [inline]
 call_netdevice_notifiers net/core/dev.c:1765 [inline]
 register_netdevice+0xa50/0xff0 net/core/dev.c:8658
 veth_newlink+0x44a/0x990 drivers/net/veth.c:1271
 __rtnl_newlink+0x107b/0x16c0 net/core/rtnetlink.c:3182
 rtnl_newlink+0x69/0xa0 net/core/rtnetlink.c:3240
 rtnetlink_rcv_msg+0x465/0xb00 net/core/rtnetlink.c:5130
 netlink_rcv_skb+0x17a/0x460 net/netlink/af_netlink.c:2477
 rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5148
 netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
 netlink_unicast+0x536/0x720 net/netlink/af_netlink.c:1336
 netlink_sendmsg+0x8ae/0xd70 net/netlink/af_netlink.c:1917
 sock_sendmsg_nosec net/socket.c:622 [inline]
 sock_sendmsg+0xdd/0x130 net/socket.c:632
 __sys_sendto+0x262/0x380 net/socket.c:1787
 __do_sys_sendto net/socket.c:1799 [inline]
 __se_sys_sendto net/socket.c:1795 [inline]
 __x64_sys_sendto+0xe1/0x1a0 net/socket.c:1795
 do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff888091d2a1c0
 which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 2636 bytes to the right of
 4096-byte region [ffff888091d2a1c0, ffff888091d2b1c0)
The buggy address belongs to the page:
page:ffffea0002474a80 count:1 mapcount:0 mapping:ffff88812c3f0dc0 index:0x0 compound_mapcount: 0
flags: 0x1fffc0000010200(slab|head)
raw: 01fffc0000010200 ffffea00014a3008 ffffea00015cee88 ffff88812c3f0dc0
raw: 0000000000000000 ffff888091d2a1c0 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888091d2bb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888091d2bb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888091d2bc00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                      ^
 ffff888091d2bc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888091d2bd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
------------[ cut here ]------------
IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
downgrading a read lock
WARNING: CPU: 1 PID: 5514 at kernel/locking/lockdep.c:3553 __lock_downgrade kernel/locking/lockdep.c:3553 [inline]
WARNING: CPU: 1 PID: 5514 at kernel/locking/lockdep.c:3553 lock_downgrade+0x478/0x810 kernel/locking/lockdep.c:3816
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready

Crashes (4):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2019/03/04 21:26 upstream 736706bee329 7c693b52 .config console log report ci-upstream-kasan-gce-smack-root
2019/06/02 13:17 net-next-old c1e9e01d4233 53c81ea5 .config console log report ci-upstream-net-kasan-gce
2019/02/26 16:39 net-next-old c14f7e1efcbf a36ecd98 .config console log report ci-upstream-net-kasan-gce
2019/02/04 11:59 net-next-old cc7335786f72 d672172c .config console log report ci-upstream-net-kasan-gce