syzbot |
sign-in | mailing list | source | docs |
| 🐞 Open [993] ≡ Subsystems 🐞 Fixed [5244] 🐞 Invalid [12515] ⬇ Missing Backports [83] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes | 💬 Send us feedback |
================================================================== BUG: KASAN: use-after-free in __fib6_clean_all+0x296/0x2a0 net/ipv6/ip6_fib.c:2255 Read of size 8 at addr ffff8880758fd000 by task syz-executor.5/5521 CPU: 0 PID: 5521 Comm: syz-executor.5 Not tainted 6.0.0-rc7-syzkaller-00132-g987a926c1d8a #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:317 [inline] print_report.cold+0x2ba/0x719 mm/kasan/report.c:433 kasan_report+0xb1/0x1e0 mm/kasan/report.c:495 __fib6_clean_all+0x296/0x2a0 net/ipv6/ip6_fib.c:2255 rt6_sync_down_dev net/ipv6/route.c:4894 [inline] rt6_disable_ip+0x8a1/0xaa0 net/ipv6/route.c:4899 addrconf_ifdown.isra.0+0x11a/0x1830 net/ipv6/addrconf.c:3750 addrconf_notify+0xeb/0x1c10 net/ipv6/addrconf.c:3673 notifier_call_chain+0xb5/0x200 kernel/notifier.c:87 call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1945 call_netdevice_notifiers_extack net/core/dev.c:1983 [inline] call_netdevice_notifiers net/core/dev.c:1997 [inline] netdev_wait_allrefs_any net/core/dev.c:10250 [inline] netdev_run_todo+0xbc2/0x1100 net/core/dev.c:10364 tun_detach drivers/net/tun.c:704 [inline] tun_chr_close+0xe0/0x180 drivers/net/tun.c:3458 __fput+0x277/0x9d0 fs/file_table.c:320 task_work_run+0xdd/0x1a0 kernel/task_work.c:177 exit_task_work include/linux/task_work.h:38 [inline] do_exit+0xad5/0x29b0 kernel/exit.c:795 do_group_exit+0xd2/0x2f0 kernel/exit.c:925 get_signal+0x238c/0x2610 kernel/signal.c:2857 arch_do_signal_or_restart+0x82/0x2300 arch/x86/kernel/signal.c:869 exit_to_user_mode_loop kernel/entry/common.c:166 [inline] exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:201 __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline] syscall_exit_to_user_mode+0x19/0x50 kernel/entry/common.c:294 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7f4d5a6af2d1 Code: Unable to access opcode bytes at RIP 0x7f4d5a6af2a7. RSP: 002b:00007f4d5b8590b0 EFLAGS: 00000293 ORIG_RAX: 00000000000000e6 RAX: fffffffffffffdfc RBX: 00007f4d5a7ac050 RCX: 00007f4d5a6af2d1 RDX: 00007f4d5b8590f0 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 00007f4d5a6e5580 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000 R13: 00007ffcd5461a6f R14: 00007f4d5b859300 R15: 0000000000022000 </TASK> Allocated by task 3644: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:45 [inline] set_alloc_info mm/kasan/common.c:437 [inline] ____kasan_kmalloc mm/kasan/common.c:516 [inline] ____kasan_kmalloc mm/kasan/common.c:475 [inline] __kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:525 kmalloc include/linux/slab.h:600 [inline] kzalloc include/linux/slab.h:733 [inline] fib6_net_init net/ipv6/ip6_fib.c:2376 [inline] fib6_net_init+0x1d7/0xa20 net/ipv6/ip6_fib.c:2351 ops_init+0xaf/0x470 net/core/net_namespace.c:134 setup_net+0x5d1/0xc50 net/core/net_namespace.c:325 copy_net_ns+0x318/0x760 net/core/net_namespace.c:471 create_new_namespaces+0x3f6/0xb20 kernel/nsproxy.c:110 unshare_nsproxy_namespaces+0xc1/0x1f0 kernel/nsproxy.c:226 ksys_unshare+0x445/0x920 kernel/fork.c:3181 __do_sys_unshare kernel/fork.c:3252 [inline] __se_sys_unshare kernel/fork.c:3250 [inline] __x64_sys_unshare+0x2d/0x40 kernel/fork.c:3250 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Freed by task 42: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 kasan_set_track+0x21/0x30 mm/kasan/common.c:45 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370 ____kasan_slab_free mm/kasan/common.c:367 [inline] ____kasan_slab_free+0x166/0x1c0 mm/kasan/common.c:329 kasan_slab_free include/linux/kasan.h:200 [inline] slab_free_hook mm/slub.c:1759 [inline] slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1785 slab_free mm/slub.c:3539 [inline] kfree+0xe2/0x580 mm/slub.c:4567 fib6_net_exit+0x1c9/0x280 net/ipv6/ip6_fib.c:2438 ops_exit_list+0xb0/0x170 net/core/net_namespace.c:162 cleanup_net+0x4ea/0xb00 net/core/net_namespace.c:594 process_one_work+0x991/0x1610 kernel/workqueue.c:2289 worker_thread+0x665/0x1080 kernel/workqueue.c:2436 kthread+0x2e4/0x3a0 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306 The buggy address belongs to the object at ffff8880758fd000 which belongs to the cache kmalloc-2k of size 2048 The buggy address is located 0 bytes inside of 2048-byte region [ffff8880758fd000, ffff8880758fd800) The buggy address belongs to the physical page: page:ffffea0001d63e00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x758f8 head:ffffea0001d63e00 order:3 compound_mapcount:0 compound_pincount:0 flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000010200 0000000000000000 dead000000000122 ffff888011842000 raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 3646, tgid 3646 (syz-executor.4), ts 192471625445, free_ts 192469894304 prep_new_page mm/page_alloc.c:2532 [inline] get_page_from_freelist+0x109b/0x2ce0 mm/page_alloc.c:4283 __alloc_pages+0x1c7/0x510 mm/page_alloc.c:5549 alloc_pages+0x1a6/0x270 mm/mempolicy.c:2270 alloc_slab_page mm/slub.c:1829 [inline] allocate_slab+0x27e/0x3d0 mm/slub.c:1974 new_slab mm/slub.c:2034 [inline] ___slab_alloc+0x7f1/0xe10 mm/slub.c:3036 __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3123 slab_alloc_node mm/slub.c:3214 [inline] __kmalloc_node+0x2e2/0x380 mm/slub.c:4473 kmalloc_node include/linux/slab.h:623 [inline] kvmalloc_node+0x3e/0x190 mm/util.c:613 kvmalloc include/linux/slab.h:750 [inline] kvmalloc_array include/linux/slab.h:768 [inline] kvcalloc include/linux/slab.h:773 [inline] ip_set_net_init+0x1b7/0x420 net/netfilter/ipset/ip_set_core.c:2324 ops_init+0xaf/0x470 net/core/net_namespace.c:134 setup_net+0x5d1/0xc50 net/core/net_namespace.c:325 copy_net_ns+0x318/0x760 net/core/net_namespace.c:471 create_new_namespaces+0x3f6/0xb20 kernel/nsproxy.c:110 unshare_nsproxy_namespaces+0xc1/0x1f0 kernel/nsproxy.c:226 ksys_unshare+0x445/0x920 kernel/fork.c:3181 __do_sys_unshare kernel/fork.c:3252 [inline] __se_sys_unshare kernel/fork.c:3250 [inline] __x64_sys_unshare+0x2d/0x40 kernel/fork.c:3250 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1449 [inline] free_pcp_prepare+0x5e4/0xd20 mm/page_alloc.c:1499 free_unref_page_prepare mm/page_alloc.c:3380 [inline] free_unref_page+0x19/0x4d0 mm/page_alloc.c:3476 __unfreeze_partials+0x17c/0x1a0 mm/slub.c:2553 qlink_free mm/kasan/quarantine.c:168 [inline] qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:187 kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:294 __kasan_slab_alloc+0xa2/0xc0 mm/kasan/common.c:447 kasan_slab_alloc include/linux/kasan.h:224 [inline] slab_post_alloc_hook mm/slab.h:727 [inline] slab_alloc_node mm/slub.c:3248 [inline] slab_alloc mm/slub.c:3256 [inline] __kmem_cache_alloc_lru mm/slub.c:3263 [inline] kmem_cache_alloc+0x267/0x3b0 mm/slub.c:3273 kmem_cache_zalloc include/linux/slab.h:723 [inline] __proc_create+0x2b3/0x8b0 fs/proc/generic.c:426 _proc_mkdir fs/proc/generic.c:490 [inline] proc_mkdir_data fs/proc/generic.c:507 [inline] proc_mkdir+0x7d/0x170 fs/proc/generic.c:521 create_cache_proc_entries net/sunrpc/cache.c:1683 [inline] cache_register_net+0x190/0x580 net/sunrpc/cache.c:1726 nfsd_export_init+0x198/0x470 fs/nfsd/export.c:1341 nfsd_init_net+0x10c/0x430 fs/nfsd/nfsctl.c:1476 ops_init+0xaf/0x470 net/core/net_namespace.c:134 setup_net+0x5d1/0xc50 net/core/net_namespace.c:325 copy_net_ns+0x318/0x760 net/core/net_namespace.c:471 create_new_namespaces+0x3f6/0xb20 kernel/nsproxy.c:110 Memory state around the buggy address: ffff8880758fcf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8880758fcf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8880758fd000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880758fd080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880758fd100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2022/09/30 08:26 | upstream | 987a926c1d8a | 1d385642 | .config | console log | report | info | ci-upstream-kasan-gce-root | KASAN: use-after-free Read in __fib6_clean_all | |||
| 2022/09/29 04:43 | upstream | c3e0e1e23c70 | e2556bc3 | .config | console log | report | info | ci-upstream-kasan-gce-smack-root | KASAN: use-after-free Read in __fib6_clean_all | |||
| 2022/09/26 08:26 | upstream | f76349cf4145 | d59ba983 | .config | console log | report | info | ci-upstream-kasan-gce-smack-root | KASAN: use-after-free Read in __fib6_clean_all | |||
| 2022/08/10 16:08 | upstream | 200e340f2196 | a6201f11 | .config | console log | report | info | ci-upstream-kasan-gce-smack-root | KASAN: use-after-free Read in __fib6_clean_all | |||
| 2022/07/29 08:22 | upstream | 33ea1340bafe | fb95c74d | .config | console log | report | info | ci-upstream-kasan-gce-root | KASAN: use-after-free Read in __fib6_clean_all | |||
| 2022/07/07 21:09 | upstream | e8a4e1c1bb69 | bff65f44 | .config | console log | report | info | ci-upstream-kasan-gce-smack-root | KASAN: use-after-free Read in __fib6_clean_all | |||
| 2022/06/16 23:26 | upstream | 48a23ec6ff2b | 1719ee24 | .config | console log | report | info | ci-upstream-kasan-gce-smack-root | KASAN: use-after-free Read in __fib6_clean_all | |||
| 2022/05/26 00:50 | upstream | 7e062cda7d90 | 3037caa9 | .config | console log | report | info | ci-upstream-kasan-gce-smack-root | KASAN: use-after-free Read in __fib6_clean_all | |||
| 2022/05/21 19:02 | upstream | 6c3f5bec9b40 | 7268fa62 | .config | console log | report | info | ci-qemu-upstream | KASAN: use-after-free Read in __fib6_clean_all | |||
| 2022/05/21 03:06 | upstream | 3d7285a335ed | bd37ad7e | .config | console log | report | info | ci-upstream-kasan-gce-selinux-root | KASAN: use-after-free Read in __fib6_clean_all | |||
| 2022/05/17 02:40 | upstream | 42226c989789 | 744a39e2 | .config | console log | report | info | ci-upstream-kasan-gce-selinux-root | KASAN: use-after-free Read in __fib6_clean_all | |||
| 2022/11/07 20:49 | upstream | f0c4d9fc9cc9 | a779b11a | .config | console log | report | info | ci-qemu-upstream-386 | KASAN: use-after-free Read in __fib6_clean_all | |||
| 2022/11/11 08:40 | net-old | 4bbf3422df78 | 3ead01ad | .config | console log | report | info | ci-upstream-net-this-kasan-gce | KASAN: use-after-free Read in __fib6_clean_all | |||
| 2022/08/31 17:33 | net-old | 4a4ce82212ef | 51e54e30 | .config | console log | report | info | ci-upstream-net-this-kasan-gce | KASAN: use-after-free Read in __fib6_clean_all | |||
| 2022/07/11 15:24 | net-old | e45955766b43 | da3d6955 | .config | console log | report | info | ci-upstream-net-this-kasan-gce | KASAN: use-after-free Read in __fib6_clean_all | |||
| 2022/07/03 03:43 | net-old | d28b25a62a47 | 1434eec0 | .config | console log | report | info | ci-upstream-net-this-kasan-gce | KASAN: use-after-free Read in __fib6_clean_all | |||
| 2022/07/02 07:11 | net-old | 8dfeee9dc52c | 1434eec0 | .config | console log | report | info | ci-upstream-net-this-kasan-gce | KASAN: use-after-free Read in __fib6_clean_all | |||
| 2022/06/30 20:09 | net-old | 0a18d802d65c | 1434eec0 | .config | console log | report | info | ci-upstream-net-this-kasan-gce | KASAN: use-after-free Read in __fib6_clean_all | |||
| 2022/06/21 02:47 | net-old | 69135c572d1f | 0fc5c330 | .config | console log | report | info | ci-upstream-net-this-kasan-gce | KASAN: use-after-free Read in __fib6_clean_all | |||
| 2022/06/17 23:16 | net-old | b4a028c4d031 | cb58b3b2 | .config | console log | report | info | ci-upstream-net-this-kasan-gce | KASAN: use-after-free Read in __fib6_clean_all | |||
| 2022/06/15 03:39 | net-old | d7dd6eccfbc9 | 127d1faf | .config | console log | report | info | ci-upstream-net-this-kasan-gce | KASAN: use-after-free Read in __fib6_clean_all | |||
| 2022/05/21 06:47 | net-old | eb4c07889647 | 7268fa62 | .config | console log | report | info | ci-upstream-net-this-kasan-gce | KASAN: use-after-free Read in __fib6_clean_all | |||
| 2022/05/20 17:52 | net-old | 9b80ccda233f | bd37ad7e | .config | console log | report | info | ci-upstream-net-this-kasan-gce | KASAN: use-after-free Read in __fib6_clean_all | |||
| 2022/11/26 13:40 | net-next-old | a6e3d86ece0b | 74a66371 | .config | console log | report | info | ci-upstream-net-kasan-gce | KASAN: use-after-free Read in __fib6_clean_all | |||
| 2022/10/18 01:14 | net-next-old | 0326074ff465 | 754863b4 | .config | console log | report | info | ci-upstream-net-kasan-gce | KASAN: use-after-free Read in __fib6_clean_all | |||
| 2022/09/10 00:13 | net-next-old | 169ccf0e4082 | 356d8217 | .config | console log | report | info | ci-upstream-net-kasan-gce | KASAN: use-after-free Read in __fib6_clean_all | |||
| 2022/09/03 02:44 | net-next-old | c3f760ef1287 | 49e94a20 | .config | console log | report | info | ci-upstream-net-kasan-gce | KASAN: use-after-free Read in __fib6_clean_all | |||
| 2022/08/31 17:41 | net-next-old | 146ecbac1d32 | 51e54e30 | .config | console log | report | info | ci-upstream-net-kasan-gce | KASAN: use-after-free Read in __fib6_clean_all | |||
| 2022/05/15 11:08 | net-next-old | d9713088158b | 744a39e2 | .config | console log | report | info | ci-upstream-net-kasan-gce | KASAN: use-after-free Read in __fib6_clean_all | |||
| 2022/03/18 07:55 | net-next-old | d96657dc9238 | e2d91b1d | .config | console log | report | info | ci-upstream-net-kasan-gce | KASAN: use-after-free Read in __fib6_clean_all |