syzbot


KASAN: use-after-free Read in xfrm6_tunnel_destroy

Status: auto-closed as invalid on 2019/07/02 12:36
Reported-by: syzbot+dbce44c619d57e2afa91@syzkaller.appspotmail.com
First crash: 2046d, last: 1933d
Similar bugs (4)
Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status
android-44 | KASAN: use-after-free Read in xfrm6_tunnel_destroy (2) | | | | 1 | 1683d | 1683d | 0/2 | auto-closed as invalid on 2020/01/08 12:52
android-414 | KASAN: use-after-free Read in xfrm6_tunnel_destroy | C | | | 34461 | 1598d | 1836d | 0/1 | public: reported C repro on 2019/04/10 15:44
linux-4.14 | KASAN: use-after-free Read in xfrm6_tunnel_destroy | C | error | | 1692 | 807d | 1834d | 0/1 | upstream: reported C repro on 2019/04/12 04:12
android-49 | KASAN: use-after-free Read in xfrm6_tunnel_destroy | C | | | 36181 | 1598d | 1834d | 0/3 | public: reported C repro on 2019/04/12 00:00

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in xfrm6_tunnel_free_spi net/ipv6/xfrm6_tunnel.c:205 [inline]
BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x557/0x600 net/ipv6/xfrm6_tunnel.c:300
Read of size 8 at addr ffff8801d5c9a8f8 by task kworker/1:2/23916

CPU: 1 PID: 23916 Comm: kworker/1:2 Not tainted 4.4.169+ #2
Workqueue: events xfrm_state_gc_task
 0000000000000000 90f9f17ca0de363f ffff8800984d7a48 ffffffff81aab9c1
 0000000000000000 ffffea0007572600 ffff8801d5c9a8f8 0000000000000008
 ffff8801d5c9a100 ffff8800984d7a80 ffffffff8148fc0d 0000000000000000
Call Trace:
 [<ffffffff81aab9c1>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81aab9c1>] dump_stack+0xc1/0x120 lib/dump_stack.c:51
 [<ffffffff8148fc0d>] print_address_description+0x6f/0x21b mm/kasan/report.c:252
 [<ffffffff8148fe45>] kasan_report_error mm/kasan/report.c:351 [inline]
 [<ffffffff8148fe45>] kasan_report mm/kasan/report.c:408 [inline]
 [<ffffffff8148fe45>] kasan_report.cold+0x8c/0x2be mm/kasan/report.c:393
 [<ffffffff814849f4>] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:429
 [<ffffffff8267ab77>] xfrm6_tunnel_free_spi net/ipv6/xfrm6_tunnel.c:205 [inline]
 [<ffffffff8267ab77>] xfrm6_tunnel_destroy+0x557/0x600 net/ipv6/xfrm6_tunnel.c:300
 [<ffffffff8255992a>] xfrm_state_gc_destroy net/xfrm/xfrm_state.c:349 [inline]
 [<ffffffff8255992a>] xfrm_state_gc_task+0x3aa/0x510 net/xfrm/xfrm_state.c:368
 [<ffffffff81122a35>] process_one_work+0x825/0x1720 kernel/workqueue.c:2064
 [<ffffffff81123e14>] worker_thread+0x4e4/0xf50 kernel/workqueue.c:2196
 [<ffffffff811340d3>] kthread+0x273/0x310 kernel/kthread.c:211
 [<ffffffff827157c5>] ret_from_fork+0x55/0x80 arch/x86/entry/entry_64.S:537

Allocated by task 2139:
 [<ffffffff8102e3c6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63
 [<ffffffff81483a42>] save_stack mm/kasan/kasan.c:512 [inline]
 [<ffffffff81483a42>] set_track mm/kasan/kasan.c:524 [inline]
 [<ffffffff81483a42>] kasan_kmalloc.part.0+0x62/0xf0 mm/kasan/kasan.c:616
 [<ffffffff81483cb7>] kasan_kmalloc+0xb7/0xd0 mm/kasan/kasan.c:601
 [<ffffffff81480041>] __kmalloc+0x141/0x330 mm/slub.c:3613
 [<ffffffff82213fb1>] kmalloc include/linux/slab.h:481 [inline]
 [<ffffffff82213fb1>] kzalloc include/linux/slab.h:620 [inline]
 [<ffffffff82213fb1>] ops_init+0xf1/0x3a0 net/core/net_namespace.c:99
 [<ffffffff82216094>] setup_net+0x1b4/0x4e0 net/core/net_namespace.c:289
 [<ffffffff82217d75>] copy_net_ns+0xd5/0x250 net/core/net_namespace.c:388
 [<ffffffff811368a0>] create_new_namespaces+0x2f0/0x670 kernel/nsproxy.c:95
 [<ffffffff8113718b>] unshare_nsproxy_namespaces+0xab/0x1e0 kernel/nsproxy.c:190
 [<ffffffff810d28f2>] SYSC_unshare kernel/fork.c:2083 [inline]
 [<ffffffff810d28f2>] SyS_unshare+0x302/0x6f0 kernel/fork.c:2033
 [<ffffffff827153a1>] entry_SYSCALL_64_fastpath+0x1e/0x9a

Freed by task 60:
 [<ffffffff8102e3c6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63
 [<ffffffff81484340>] save_stack mm/kasan/kasan.c:512 [inline]
 [<ffffffff81484340>] set_track mm/kasan/kasan.c:524 [inline]
 [<ffffffff81484340>] kasan_slab_free+0xb0/0x190 mm/kasan/kasan.c:589
 [<ffffffff81481764>] slab_free_hook mm/slub.c:1383 [inline]
 [<ffffffff81481764>] slab_free_freelist_hook mm/slub.c:1405 [inline]
 [<ffffffff81481764>] slab_free mm/slub.c:2859 [inline]
 [<ffffffff81481764>] kfree+0xf4/0x310 mm/slub.c:3749
 [<ffffffff8221587f>] ops_free net/core/net_namespace.c:124 [inline]
 [<ffffffff8221587f>] ops_free_list.part.0+0x1ff/0x330 net/core/net_namespace.c:146
 [<ffffffff822178b4>] ops_free_list net/core/net_namespace.c:144 [inline]
 [<ffffffff822178b4>] cleanup_net+0x474/0x860 net/core/net_namespace.c:456
 [<ffffffff81122a35>] process_one_work+0x825/0x1720 kernel/workqueue.c:2064
 [<ffffffff81123e14>] worker_thread+0x4e4/0xf50 kernel/workqueue.c:2196
 [<ffffffff811340d3>] kthread+0x273/0x310 kernel/kthread.c:211
 [<ffffffff827157c5>] ret_from_fork+0x55/0x80 arch/x86/entry/entry_64.S:537

The buggy address belongs to the object at ffff8801d5c9a100
 which belongs to the cache kmalloc-8192 of size 8192
The buggy address is located 2040 bytes inside of
 8192-byte region [ffff8801d5c9a100, ffff8801d5c9c100)
The buggy address belongs to the page:
audit: type=1400 audit(1546518951.062:716): avc:  denied  { sigchld } for  pid=2127 comm="syz-executor5" scontext=system_u:object_r:unlabeled_t:s0 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=process permissive=0
audit: type=1400 audit(1546518951.062:717): avc:  denied  { sigchld } for  pid=2127 comm="syz-executor5" scontext=system_u:object_r:unlabeled_t:s0 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=process permissive=0
BUG: unable to handle kernel NULL pointer dereference at 00000000000000c4
IP: [<ffffffff81484c11>] qlink_to_object mm/kasan/quarantine.c:136 [inline]
IP: [<ffffffff81484c11>] qlink_free mm/kasan/quarantine.c:141 [inline]
IP: [<ffffffff81484c11>] qlist_free_all+0x31/0xc0 mm/kasan/quarantine.c:166
PGD 1d6c5f067 PUD 1d94ef067 PMD 0 
Oops: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 0 PID: 1923 Comm: rsyslogd Not tainted 4.4.169+ #2
task: ffff8801d6c00000 task.stack: ffff8800b8d70000
RIP: 0010:[<ffffffff81484c11>]  [<ffffffff81484c11>] qlink_to_object mm/kasan/quarantine.c:136 [inline]
RIP: 0010:[<ffffffff81484c11>]  [<ffffffff81484c11>] qlink_free mm/kasan/quarantine.c:141 [inline]
RIP: 0010:[<ffffffff81484c11>]  [<ffffffff81484c11>] qlist_free_all+0x31/0xc0 mm/kasan/quarantine.c:166
RSP: 0018:ffff8800b8d77a78  EFLAGS: 00010246
RAX: ffffea00000a2440 RBX: 0000000000000000 RCX: ffffea00000a245f
RDX: 0000000000000000 RSI: ffffffff82891c20 RDI: 0000000000000000
RBP: ffff8800b8d77aa0 R08: 0000000000000001 R09: ffffffff81484c11
R10: ffffea00025fa380 R11: 0000000000000000 R12: ffff8800b8d77ab8
R13: 0000000080000000 R14: ffffea0000000000 R15: ffffffff82891c20
FS:  00007f521162e700(0000) GS:ffff8801db600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000000c4 CR3: 00000001d70d0000 CR4: 00000000001606b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
 0000000000000000 0000000000000001 ffff8800b8d77ab8 ffff8800b73ccd80
 ffff8801da401140 ffff8800b8d77ae8 ffffffff814850af ffffffff81484fb5
 ffff8801d2371480 ffff88009bd1f260 00000000001000c0 9f61d5e46f1f5d07
Call Trace:
 [<ffffffff814850af>] quarantine_reduce+0x18f/0x1d0 mm/kasan/quarantine.c:259
 [<ffffffff81483ca0>] kasan_kmalloc+0xa0/0xd0 mm/kasan/kasan.c:601
 [<ffffffff8148427f>] kasan_slab_alloc+0xf/0x20 mm/kasan/kasan.c:554
 [<ffffffff8147fc80>] slab_post_alloc_hook mm/slub.c:1349 [inline]
 [<ffffffff8147fc80>] slab_alloc_node mm/slub.c:2615 [inline]
 [<ffffffff8147fc80>] slab_alloc mm/slub.c:2623 [inline]
 [<ffffffff8147fc80>] kmem_cache_alloc_trace+0xe0/0x2d0 mm/slub.c:2640
 [<ffffffff8121edec>] kmalloc include/linux/slab.h:476 [inline]
 [<ffffffff8121edec>] syslog_print kernel/printk/printk.c:1153 [inline]
 [<ffffffff8121edec>] do_syslog kernel/printk/printk.c:1336 [inline]
 [<ffffffff8121edec>] do_syslog+0x5bc/0xaf0 kernel/printk/printk.c:1306
 [<ffffffff81607be4>] kmsg_read+0x74/0xa0 fs/proc/kmsg.c:39
 [<ffffffff815dfd2d>] proc_reg_read+0xfd/0x180 fs/proc/inode.c:202
 [<ffffffff81495f26>] __vfs_read+0x116/0x3c0 fs/read_write.c:432
 [<ffffffff81497c34>] vfs_read+0x134/0x360 fs/read_write.c:454
 [<ffffffff8149a45c>] SYSC_read fs/read_write.c:569 [inline]
 [<ffffffff8149a45c>] SyS_read+0xdc/0x1c0 fs/read_write.c:562
 [<ffffffff827153a1>] entry_SYSCALL_64_fastpath+0x1e/0x9a
Code: 41 56 41 55 41 54 53 48 89 f3 48 8b 37 48 85 f6 0f 84 8d 00 00 00 49 89 fc 41 bd 00 00 00 80 49 be 00 00 00 00 00 ea ff ff eb 21 <48> 63 97 c4 00 00 00 4c 8b 3e 48 29 d6 48 c7 c2 11 4c 48 81 e8 
RIP  [<ffffffff81484c11>] virt_to_head_page include/linux/mm.h:521 [inline]
RIP  [<ffffffff81484c11>] qlink_to_cache mm/kasan/quarantine.c:127 [inline]
RIP  [<ffffffff81484c11>] qlist_free_all+0x31/0xc0 mm/kasan/quarantine.c:163
 RSP <ffff8800b8d77a78>
CR2: 00000000000000c4
------------[ cut here ]------------
WARNING: CPU: 0 PID: 2127 at lib/list_debug.c:23 __list_add_valid+0x86/0x120 lib/list_debug.c:23()
list_add corruption. next->prev should be prev (ffff8801db71f238), but was ffffffff8142a736. (next=ffff8800984c8088).

Crashes (4):
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title
2019/01/03 12:36 | https://android.googlesource.com/kernel/common android-4.4 | d08574b6f0ae | 66fcd29b | .config | console log | report | | | | | ci-android-44-kasan-gce |
2018/10/22 14:42 | https://android.googlesource.com/kernel/common android-4.4 | c82807c7dd9f | ecb386fe | .config | console log | report | | | | | ci-android-44-kasan-gce |
2018/10/11 00:16 | https://android.googlesource.com/kernel/common android-4.4 | a94efb1c27c4 | 5f818b4b | .config | console log | report | | | | | ci-android-44-kasan-gce |
2018/09/12 09:36 | https://android.googlesource.com/kernel/common android-4.4 | b3f777efd917 | 3c88136c | .config | console log | report | | | | | ci-android-44-kasan-gce-386 |