syzbot


KASAN: use-after-free Read in __fib6_clean_all

Status: fixed on 2023/02/24 13:50
Subsystems: net
[Documentation on labels]
Fix commit: 5daadc86f27e net: tun: Fix use-after-free in tun_detach()
First crash: 792d, last: 539d

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in __fib6_clean_all+0x296/0x2a0 net/ipv6/ip6_fib.c:2255
Read of size 8 at addr ffff8880758fd000 by task syz-executor.5/5521

CPU: 0 PID: 5521 Comm: syz-executor.5 Not tainted 6.0.0-rc7-syzkaller-00132-g987a926c1d8a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:317 [inline]
 print_report.cold+0x2ba/0x719 mm/kasan/report.c:433
 kasan_report+0xb1/0x1e0 mm/kasan/report.c:495
 __fib6_clean_all+0x296/0x2a0 net/ipv6/ip6_fib.c:2255
 rt6_sync_down_dev net/ipv6/route.c:4894 [inline]
 rt6_disable_ip+0x8a1/0xaa0 net/ipv6/route.c:4899
 addrconf_ifdown.isra.0+0x11a/0x1830 net/ipv6/addrconf.c:3750
 addrconf_notify+0xeb/0x1c10 net/ipv6/addrconf.c:3673
 notifier_call_chain+0xb5/0x200 kernel/notifier.c:87
 call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1945
 call_netdevice_notifiers_extack net/core/dev.c:1983 [inline]
 call_netdevice_notifiers net/core/dev.c:1997 [inline]
 netdev_wait_allrefs_any net/core/dev.c:10250 [inline]
 netdev_run_todo+0xbc2/0x1100 net/core/dev.c:10364
 tun_detach drivers/net/tun.c:704 [inline]
 tun_chr_close+0xe0/0x180 drivers/net/tun.c:3458
 __fput+0x277/0x9d0 fs/file_table.c:320
 task_work_run+0xdd/0x1a0 kernel/task_work.c:177
 exit_task_work include/linux/task_work.h:38 [inline]
 do_exit+0xad5/0x29b0 kernel/exit.c:795
 do_group_exit+0xd2/0x2f0 kernel/exit.c:925
 get_signal+0x238c/0x2610 kernel/signal.c:2857
 arch_do_signal_or_restart+0x82/0x2300 arch/x86/kernel/signal.c:869
 exit_to_user_mode_loop kernel/entry/common.c:166 [inline]
 exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:201
 __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
 syscall_exit_to_user_mode+0x19/0x50 kernel/entry/common.c:294
 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f4d5a6af2d1
Code: Unable to access opcode bytes at RIP 0x7f4d5a6af2a7.
RSP: 002b:00007f4d5b8590b0 EFLAGS: 00000293 ORIG_RAX: 00000000000000e6
RAX: fffffffffffffdfc RBX: 00007f4d5a7ac050 RCX: 00007f4d5a6af2d1
RDX: 00007f4d5b8590f0 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 00007f4d5a6e5580 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
R13: 00007ffcd5461a6f R14: 00007f4d5b859300 R15: 0000000000022000
 </TASK>

Allocated by task 3644:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:437 [inline]
 ____kasan_kmalloc mm/kasan/common.c:516 [inline]
 ____kasan_kmalloc mm/kasan/common.c:475 [inline]
 __kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:525
 kmalloc include/linux/slab.h:600 [inline]
 kzalloc include/linux/slab.h:733 [inline]
 fib6_net_init net/ipv6/ip6_fib.c:2376 [inline]
 fib6_net_init+0x1d7/0xa20 net/ipv6/ip6_fib.c:2351
 ops_init+0xaf/0x470 net/core/net_namespace.c:134
 setup_net+0x5d1/0xc50 net/core/net_namespace.c:325
 copy_net_ns+0x318/0x760 net/core/net_namespace.c:471
 create_new_namespaces+0x3f6/0xb20 kernel/nsproxy.c:110
 unshare_nsproxy_namespaces+0xc1/0x1f0 kernel/nsproxy.c:226
 ksys_unshare+0x445/0x920 kernel/fork.c:3181
 __do_sys_unshare kernel/fork.c:3252 [inline]
 __se_sys_unshare kernel/fork.c:3250 [inline]
 __x64_sys_unshare+0x2d/0x40 kernel/fork.c:3250
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 42:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track+0x21/0x30 mm/kasan/common.c:45
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
 ____kasan_slab_free mm/kasan/common.c:367 [inline]
 ____kasan_slab_free+0x166/0x1c0 mm/kasan/common.c:329
 kasan_slab_free include/linux/kasan.h:200 [inline]
 slab_free_hook mm/slub.c:1759 [inline]
 slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1785
 slab_free mm/slub.c:3539 [inline]
 kfree+0xe2/0x580 mm/slub.c:4567
 fib6_net_exit+0x1c9/0x280 net/ipv6/ip6_fib.c:2438
 ops_exit_list+0xb0/0x170 net/core/net_namespace.c:162
 cleanup_net+0x4ea/0xb00 net/core/net_namespace.c:594
 process_one_work+0x991/0x1610 kernel/workqueue.c:2289
 worker_thread+0x665/0x1080 kernel/workqueue.c:2436
 kthread+0x2e4/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306

The buggy address belongs to the object at ffff8880758fd000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 0 bytes inside of
 2048-byte region [ffff8880758fd000, ffff8880758fd800)

The buggy address belongs to the physical page:
page:ffffea0001d63e00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x758f8
head:ffffea0001d63e00 order:3 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 0000000000000000 dead000000000122 ffff888011842000
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 3646, tgid 3646 (syz-executor.4), ts 192471625445, free_ts 192469894304
 prep_new_page mm/page_alloc.c:2532 [inline]
 get_page_from_freelist+0x109b/0x2ce0 mm/page_alloc.c:4283
 __alloc_pages+0x1c7/0x510 mm/page_alloc.c:5549
 alloc_pages+0x1a6/0x270 mm/mempolicy.c:2270
 alloc_slab_page mm/slub.c:1829 [inline]
 allocate_slab+0x27e/0x3d0 mm/slub.c:1974
 new_slab mm/slub.c:2034 [inline]
 ___slab_alloc+0x7f1/0xe10 mm/slub.c:3036
 __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3123
 slab_alloc_node mm/slub.c:3214 [inline]
 __kmalloc_node+0x2e2/0x380 mm/slub.c:4473
 kmalloc_node include/linux/slab.h:623 [inline]
 kvmalloc_node+0x3e/0x190 mm/util.c:613
 kvmalloc include/linux/slab.h:750 [inline]
 kvmalloc_array include/linux/slab.h:768 [inline]
 kvcalloc include/linux/slab.h:773 [inline]
 ip_set_net_init+0x1b7/0x420 net/netfilter/ipset/ip_set_core.c:2324
 ops_init+0xaf/0x470 net/core/net_namespace.c:134
 setup_net+0x5d1/0xc50 net/core/net_namespace.c:325
 copy_net_ns+0x318/0x760 net/core/net_namespace.c:471
 create_new_namespaces+0x3f6/0xb20 kernel/nsproxy.c:110
 unshare_nsproxy_namespaces+0xc1/0x1f0 kernel/nsproxy.c:226
 ksys_unshare+0x445/0x920 kernel/fork.c:3181
 __do_sys_unshare kernel/fork.c:3252 [inline]
 __se_sys_unshare kernel/fork.c:3250 [inline]
 __x64_sys_unshare+0x2d/0x40 kernel/fork.c:3250
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1449 [inline]
 free_pcp_prepare+0x5e4/0xd20 mm/page_alloc.c:1499
 free_unref_page_prepare mm/page_alloc.c:3380 [inline]
 free_unref_page+0x19/0x4d0 mm/page_alloc.c:3476
 __unfreeze_partials+0x17c/0x1a0 mm/slub.c:2553
 qlink_free mm/kasan/quarantine.c:168 [inline]
 qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:187
 kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:294
 __kasan_slab_alloc+0xa2/0xc0 mm/kasan/common.c:447
 kasan_slab_alloc include/linux/kasan.h:224 [inline]
 slab_post_alloc_hook mm/slab.h:727 [inline]
 slab_alloc_node mm/slub.c:3248 [inline]
 slab_alloc mm/slub.c:3256 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3263 [inline]
 kmem_cache_alloc+0x267/0x3b0 mm/slub.c:3273
 kmem_cache_zalloc include/linux/slab.h:723 [inline]
 __proc_create+0x2b3/0x8b0 fs/proc/generic.c:426
 _proc_mkdir fs/proc/generic.c:490 [inline]
 proc_mkdir_data fs/proc/generic.c:507 [inline]
 proc_mkdir+0x7d/0x170 fs/proc/generic.c:521
 create_cache_proc_entries net/sunrpc/cache.c:1683 [inline]
 cache_register_net+0x190/0x580 net/sunrpc/cache.c:1726
 nfsd_export_init+0x198/0x470 fs/nfsd/export.c:1341
 nfsd_init_net+0x10c/0x430 fs/nfsd/nfsctl.c:1476
 ops_init+0xaf/0x470 net/core/net_namespace.c:134
 setup_net+0x5d1/0xc50 net/core/net_namespace.c:325
 copy_net_ns+0x318/0x760 net/core/net_namespace.c:471
 create_new_namespaces+0x3f6/0xb20 kernel/nsproxy.c:110

Memory state around the buggy address:
 ffff8880758fcf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880758fcf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880758fd000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff8880758fd080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880758fd100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (30):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2022/09/30 08:26 upstream 987a926c1d8a 1d385642 .config console log report info ci-upstream-kasan-gce-root KASAN: use-after-free Read in __fib6_clean_all
2022/09/29 04:43 upstream c3e0e1e23c70 e2556bc3 .config console log report info ci-upstream-kasan-gce-smack-root KASAN: use-after-free Read in __fib6_clean_all
2022/09/26 08:26 upstream f76349cf4145 d59ba983 .config console log report info ci-upstream-kasan-gce-smack-root KASAN: use-after-free Read in __fib6_clean_all
2022/08/10 16:08 upstream 200e340f2196 a6201f11 .config console log report info ci-upstream-kasan-gce-smack-root KASAN: use-after-free Read in __fib6_clean_all
2022/07/29 08:22 upstream 33ea1340bafe fb95c74d .config console log report info ci-upstream-kasan-gce-root KASAN: use-after-free Read in __fib6_clean_all
2022/07/07 21:09 upstream e8a4e1c1bb69 bff65f44 .config console log report info ci-upstream-kasan-gce-smack-root KASAN: use-after-free Read in __fib6_clean_all
2022/06/16 23:26 upstream 48a23ec6ff2b 1719ee24 .config console log report info ci-upstream-kasan-gce-smack-root KASAN: use-after-free Read in __fib6_clean_all
2022/05/26 00:50 upstream 7e062cda7d90 3037caa9 .config console log report info ci-upstream-kasan-gce-smack-root KASAN: use-after-free Read in __fib6_clean_all
2022/05/21 19:02 upstream 6c3f5bec9b40 7268fa62 .config console log report info ci-qemu-upstream KASAN: use-after-free Read in __fib6_clean_all
2022/05/21 03:06 upstream 3d7285a335ed bd37ad7e .config console log report info ci-upstream-kasan-gce-selinux-root KASAN: use-after-free Read in __fib6_clean_all
2022/05/17 02:40 upstream 42226c989789 744a39e2 .config console log report info ci-upstream-kasan-gce-selinux-root KASAN: use-after-free Read in __fib6_clean_all
2022/11/07 20:49 upstream f0c4d9fc9cc9 a779b11a .config console log report info ci-qemu-upstream-386 KASAN: use-after-free Read in __fib6_clean_all
2022/11/11 08:40 net-old 4bbf3422df78 3ead01ad .config console log report info ci-upstream-net-this-kasan-gce KASAN: use-after-free Read in __fib6_clean_all
2022/08/31 17:33 net-old 4a4ce82212ef 51e54e30 .config console log report info ci-upstream-net-this-kasan-gce KASAN: use-after-free Read in __fib6_clean_all
2022/07/11 15:24 net-old e45955766b43 da3d6955 .config console log report info ci-upstream-net-this-kasan-gce KASAN: use-after-free Read in __fib6_clean_all
2022/07/03 03:43 net-old d28b25a62a47 1434eec0 .config console log report info ci-upstream-net-this-kasan-gce KASAN: use-after-free Read in __fib6_clean_all
2022/07/02 07:11 net-old 8dfeee9dc52c 1434eec0 .config console log report info ci-upstream-net-this-kasan-gce KASAN: use-after-free Read in __fib6_clean_all
2022/06/30 20:09 net-old 0a18d802d65c 1434eec0 .config console log report info ci-upstream-net-this-kasan-gce KASAN: use-after-free Read in __fib6_clean_all
2022/06/21 02:47 net-old 69135c572d1f 0fc5c330 .config console log report info ci-upstream-net-this-kasan-gce KASAN: use-after-free Read in __fib6_clean_all
2022/06/17 23:16 net-old b4a028c4d031 cb58b3b2 .config console log report info ci-upstream-net-this-kasan-gce KASAN: use-after-free Read in __fib6_clean_all
2022/06/15 03:39 net-old d7dd6eccfbc9 127d1faf .config console log report info ci-upstream-net-this-kasan-gce KASAN: use-after-free Read in __fib6_clean_all
2022/05/21 06:47 net-old eb4c07889647 7268fa62 .config console log report info ci-upstream-net-this-kasan-gce KASAN: use-after-free Read in __fib6_clean_all
2022/05/20 17:52 net-old 9b80ccda233f bd37ad7e .config console log report info ci-upstream-net-this-kasan-gce KASAN: use-after-free Read in __fib6_clean_all
2022/11/26 13:40 net-next-old a6e3d86ece0b 74a66371 .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in __fib6_clean_all
2022/10/18 01:14 net-next-old 0326074ff465 754863b4 .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in __fib6_clean_all
2022/09/10 00:13 net-next-old 169ccf0e4082 356d8217 .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in __fib6_clean_all
2022/09/03 02:44 net-next-old c3f760ef1287 49e94a20 .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in __fib6_clean_all
2022/08/31 17:41 net-next-old 146ecbac1d32 51e54e30 .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in __fib6_clean_all
2022/05/15 11:08 net-next-old d9713088158b 744a39e2 .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in __fib6_clean_all
2022/03/18 07:55 net-next-old d96657dc9238 e2d91b1d .config console log report info ci-upstream-net-kasan-gce KASAN: use-after-free Read in __fib6_clean_all
* Struck through repros no longer work on HEAD.