syzbot


KASAN: use-after-free Read in inet_twsk_hashdance

Status: auto-closed as invalid on 2020/11/27 12:26
Subsystems: net
First crash: 1336d, last: 1336d

Sample crash report:
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
==================================================================
BUG: KASAN: use-after-free in hlist_add_head include/linux/list.h:872 [inline]
BUG: KASAN: use-after-free in inet_twsk_add_bind_node net/ipv4/inet_timewait_sock.c:93 [inline]
BUG: KASAN: use-after-free in inet_twsk_hashdance+0x5b7/0x6b0 net/ipv4/inet_timewait_sock.c:118
Read of size 8 at addr ffff888000111ac0 by task kworker/u4:6/3479

CPU: 1 PID: 3479 Comm: kworker/u4:6 Not tainted 5.9.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: krdsd rds_tcp_accept_worker
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x18f/0x20d lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xae/0x497 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
 hlist_add_head include/linux/list.h:872 [inline]
 inet_twsk_add_bind_node net/ipv4/inet_timewait_sock.c:93 [inline]
 inet_twsk_hashdance+0x5b7/0x6b0 net/ipv4/inet_timewait_sock.c:118
 tcp_time_wait+0x6a0/0xcd0 net/ipv4/tcp_minisocks.c:329
 tcp_fin+0x422/0x940 net/ipv4/tcp_input.c:4215
 tcp_data_queue+0x28bb/0x49d0 net/ipv4/tcp_input.c:4873
 tcp_rcv_state_process+0xd62/0x4add net/ipv4/tcp_input.c:6443
 tcp_v6_do_rcv+0x7ad/0x1290 net/ipv6/tcp_ipv6.c:1474
 tcp_v6_rcv+0x2fb1/0x3480 net/ipv6/tcp_ipv6.c:1682
 ip6_protocol_deliver_rcu+0x2e8/0x1660 net/ipv6/ip6_input.c:433
 ip6_input_finish+0x7f/0x160 net/ipv6/ip6_input.c:474
 NF_HOOK include/linux/netfilter.h:301 [inline]
 NF_HOOK include/linux/netfilter.h:295 [inline]
 ip6_input+0x9c/0xd0 net/ipv6/ip6_input.c:483
 dst_input include/net/dst.h:449 [inline]
 ip6_rcv_finish net/ipv6/ip6_input.c:76 [inline]
 NF_HOOK include/linux/netfilter.h:301 [inline]
 NF_HOOK include/linux/netfilter.h:295 [inline]
 ipv6_rcv+0x28e/0x3c0 net/ipv6/ip6_input.c:307
 __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5286
 __netif_receive_skb+0x27/0x1c0 net/core/dev.c:5400
 process_backlog+0x28d/0x7f0 net/core/dev.c:6242
 napi_poll net/core/dev.c:6687 [inline]
 net_rx_action+0x4a1/0xe80 net/core/dev.c:6757
 __do_softirq+0x2de/0xa24 kernel/softirq.c:298
 asm_call_on_stack+0xf/0x20 arch/x86/entry/entry_64.S:706
 </IRQ>
 __run_on_irqstack arch/x86/include/asm/irq_stack.h:22 [inline]
 run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:48 [inline]
 do_softirq_own_stack+0x9d/0xd0 arch/x86/kernel/irq_64.c:77
 do_softirq kernel/softirq.c:343 [inline]
 do_softirq+0x17b/0x1e0 kernel/softirq.c:330
 __local_bh_enable_ip+0x14d/0x190 kernel/softirq.c:195
 local_bh_enable include/linux/bottom_half.h:32 [inline]
 rcu_read_unlock_bh include/linux/rcupdate.h:723 [inline]
 ip6_finish_output2+0x91d/0x17b0 net/ipv6/ip6_output.c:118
 __ip6_finish_output net/ipv6/ip6_output.c:143 [inline]
 __ip6_finish_output+0x447/0xab0 net/ipv6/ip6_output.c:128
 ip6_finish_output+0x34/0x1f0 net/ipv6/ip6_output.c:153
 NF_HOOK_COND include/linux/netfilter.h:290 [inline]
 ip6_output+0x1db/0x520 net/ipv6/ip6_output.c:176
 dst_output include/net/dst.h:443 [inline]
 NF_HOOK include/linux/netfilter.h:301 [inline]
 NF_HOOK include/linux/netfilter.h:295 [inline]
 ip6_xmit+0x1258/0x1e80 net/ipv6/ip6_output.c:280
 inet6_csk_xmit+0x339/0x610 net/ipv6/inet6_connection_sock.c:135
 __tcp_transmit_skb+0x1884/0x3690 net/ipv4/tcp_output.c:1246
 tcp_transmit_skb net/ipv4/tcp_output.c:1264 [inline]
 tcp_write_xmit+0xebf/0x5c70 net/ipv4/tcp_output.c:2527
 __tcp_push_pending_frames+0xaa/0x330 net/ipv4/tcp_output.c:2705
 tcp_send_fin+0x117/0xbb0 net/ipv4/tcp_output.c:3262
 tcp_shutdown net/ipv4/tcp.c:2388 [inline]
 tcp_shutdown+0xcf/0xf0 net/ipv4/tcp.c:2373
 inet_shutdown+0x1a8/0x3a0 net/ipv4/af_inet.c:889
 rds_tcp_accept_one+0x5e0/0xbe0 net/rds/tcp_listen.c:214
 rds_tcp_accept_worker+0x50/0x80 net/rds/tcp.c:515
 process_one_work+0x94c/0x1670 kernel/workqueue.c:2269
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2415
 kthread+0x3b5/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

Allocated by task 14811:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:461
 slab_post_alloc_hook mm/slab.h:518 [inline]
 slab_alloc mm/slab.c:3312 [inline]
 kmem_cache_alloc+0x138/0x3a0 mm/slab.c:3482
 inet_bind_bucket_create+0x2b/0x270 net/ipv4/inet_hashtables.c:67
 inet_csk_get_port+0x380/0x1690 net/ipv4/inet_connection_sock.c:382
 __inet6_bind+0x5de/0x1a00 net/ipv6/af_inet6.c:406
 inet6_bind+0xf0/0x159 net/ipv6/af_inet6.c:458
 rds_tcp_conn_path_connect+0x399/0x880 net/rds/tcp_connect.c:144
 rds_connect_worker+0x1a5/0x2c0 net/rds/threads.c:176
 process_one_work+0x94c/0x1670 kernel/workqueue.c:2269
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2415
 kthread+0x3b5/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

Freed by task 3479:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_set_track+0x1c/0x30 mm/kasan/common.c:56
 kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:355
 __kasan_slab_free+0xd8/0x120 mm/kasan/common.c:422
 __cache_free mm/slab.c:3418 [inline]
 kmem_cache_free.part.0+0x67/0x1f0 mm/slab.c:3693
 inet_bind_bucket_destroy net/ipv4/inet_hashtables.c:88 [inline]
 inet_bind_bucket_destroy+0xdf/0x120 net/ipv4/inet_hashtables.c:84
 inet_twsk_bind_unhash+0x121/0x1b0 net/ipv4/inet_timewait_sock.c:39
 inet_twsk_kill+0x21d/0x470 net/ipv4/inet_timewait_sock.c:59
 inet_twsk_deschedule_put+0x41/0x50 net/ipv4/inet_timewait_sock.c:215
 __inet6_check_established+0xbd8/0xe70 net/ipv6/inet6_hashtables.c:304
 __inet_hash_connect+0x28a/0xfb0 net/ipv4/inet_hashtables.c:690
 tcp_v6_connect+0x1176/0x1dd0 net/ipv6/tcp_ipv6.c:311
 __inet_stream_connect+0x817/0xe30 net/ipv4/af_inet.c:661
 inet_stream_connect+0x53/0xa0 net/ipv4/af_inet.c:725
 rds_tcp_conn_path_connect+0x61c/0x880 net/rds/tcp_connect.c:172
 rds_connect_worker+0x1a5/0x2c0 net/rds/threads.c:176
 process_one_work+0x94c/0x1670 kernel/workqueue.c:2269
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2415
 kthread+0x3b5/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

The buggy address belongs to the object at ffff888000111a80
 which belongs to the cache tcp_bind_bucket of size 72
The buggy address is located 64 bytes inside of
 72-byte region [ffff888000111a80, ffff888000111ac8)
The buggy address belongs to the page:
page:00000000c1a14cc3 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x111
flags: 0x7ffe0000000200(slab)
raw: 007ffe0000000200 ffffea00008e5fc8 ffffea0002502708 ffff8880a4708f00
raw: 0000000000000000 ffff888000111000 0000000100000020 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888000111980: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
 ffff888000111a00: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
>ffff888000111a80: fa fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
                                           ^
 ffff888000111b00: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
 ffff888000111b80: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
==================================================================

Crashes (1):
Time: 2020/08/29 12:22
Kernel: upstream
Commit: 4d41ead6ead9
Syzkaller: d5a3ae1f
Config: .config
Log: console log
Report: report
Syz repro: none
C repro: none
VM info: none
Assets: none
Manager: ci-upstream-kasan-gce
Title: none