syzbot
KASAN: slab-out-of-bounds Read in ip6_tnl_parse_tlv_enc_lim
Status: upstream: reported C repro on 2018/09/17 21:23
Reported-by: syzbot+68dce7caebd8543121de@syzkaller.appspotmail.com
First crash: 1351d, last: 1023d

Cause bisection: introduced by (bisect log):
commit a10b5c564741cd3b6708f085a1fa892b63c2063d
Author: Byungchul Park <byungchul.park@lge.com>
Date: Mon Aug 14 07:00:51 2017 +0000

  locking/lockdep: Add a comment about crossrelease_hist_end() in lockdep_sys_exit()

Crash: WARNING in bpf_jit_free (log)
Repro: C syz .config

Fix bisection: fixed by (bisect log):
commit 30471d4b20335d9bd9ae9b2382a1e1e97d18d86d
Author: Leon Romanovsky <leonro@mellanox.com>
Date: Sun Feb 3 12:55:50 2019 +0000

  RDMA/core: Share driver structure size with core

similar bugs (1):
Kernel       Title                                                        Repro  Cause bisect  Fix bisect  Count  Last   Reported  Patched  Status
android-414  KASAN: slab-out-of-bounds Read in ip6_tnl_parse_tlv_enc_lim                                   4      1308d  1140d     0/1      auto-closed as invalid on 2019/04/28 00:03

Sample crash report:
IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
8021q: adding VLAN 0 to HW filter on device team0
==================================================================
BUG: KASAN: slab-out-of-bounds in ip6_tnl_parse_tlv_enc_lim+0x5df/0x660 net/ipv6/ip6_tunnel.c:417
Read of size 1 at addr ffff8801c9cf3a47 by task syz-executor052/5645

CPU: 1 PID: 5645 Comm: syz-executor052 Not tainted 4.19.0+ #97
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x244/0x39d lib/dump_stack.c:113
 print_address_description.cold.7+0x9/0x1ff mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.8+0x242/0x309 mm/kasan/report.c:412
 __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
 ip6_tnl_parse_tlv_enc_lim+0x5df/0x660 net/ipv6/ip6_tunnel.c:417
 ip6ip6_tnl_xmit net/ipv6/ip6_tunnel.c:1348 [inline]
 ip6_tnl_start_xmit+0x49f/0x25a0 net/ipv6/ip6_tunnel.c:1412
 __netdev_start_xmit include/linux/netdevice.h:4336 [inline]
 netdev_start_xmit include/linux/netdevice.h:4345 [inline]
 xmit_one net/core/dev.c:3252 [inline]
 dev_hard_start_xmit+0x295/0xc90 net/core/dev.c:3268
 __dev_queue_xmit+0x2f71/0x3ad0 net/core/dev.c:3838
 dev_queue_xmit+0x17/0x20 net/core/dev.c:3871
 __bpf_tx_skb net/core/filter.c:2017 [inline]
 __bpf_redirect_common net/core/filter.c:2055 [inline]
 __bpf_redirect+0x5cf/0xb20 net/core/filter.c:2062
 ____bpf_clone_redirect net/core/filter.c:2095 [inline]
 bpf_clone_redirect+0x2f6/0x490 net/core/filter.c:2067
 bpf_prog_759a992c578a3894+0xcba/0x1000

Allocated by task 5645:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553
 __do_kmalloc_node mm/slab.c:3684 [inline]
 __kmalloc_node_track_caller+0x50/0x70 mm/slab.c:3698
 __kmalloc_reserve.isra.40+0x41/0xe0 net/core/skbuff.c:137
 pskb_expand_head+0x230/0x10f0 net/core/skbuff.c:1460
 skb_ensure_writable+0x3dd/0x640 net/core/skbuff.c:5071
 __bpf_try_make_writable net/core/filter.c:1638 [inline]
 bpf_try_make_writable net/core/filter.c:1644 [inline]
 bpf_try_make_head_writable net/core/filter.c:1652 [inline]
 ____bpf_clone_redirect net/core/filter.c:2089 [inline]
 bpf_clone_redirect+0x14a/0x490 net/core/filter.c:2067
 bpf_prog_759a992c578a3894+0xcba/0x1000

Freed by task 4267:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3498 [inline]
 kfree+0xcf/0x230 mm/slab.c:3817
 load_elf_binary+0x25b4/0x5620 fs/binfmt_elf.c:1118
 search_binary_handler+0x17d/0x570 fs/exec.c:1653
 exec_binprm fs/exec.c:1695 [inline]
 __do_execve_file.isra.33+0x1661/0x25d0 fs/exec.c:1819
 do_execveat_common fs/exec.c:1866 [inline]
 do_execve fs/exec.c:1883 [inline]
 __do_sys_execve fs/exec.c:1964 [inline]
 __se_sys_execve fs/exec.c:1959 [inline]
 __x64_sys_execve+0x8f/0xc0 fs/exec.c:1959
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8801c9cf3840
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 7 bytes to the right of
 512-byte region [ffff8801c9cf3840, ffff8801c9cf3a40)
The buggy address belongs to the page:
page:ffffea0007273cc0 count:1 mapcount:0 mapping:ffff8801da800940 index:0x0
flags: 0x2fffc0000000200(slab)
raw: 02fffc0000000200 ffffea0007273b48 ffffea0007264388 ffff8801da800940
raw: 0000000000000000 ffff8801c9cf30c0 0000000100000006 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801c9cf3900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801c9cf3980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8801c9cf3a00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
                                           ^
 ffff8801c9cf3a80: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
 ffff8801c9cf3b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

Crashes (189):
Manager                               Time              Kernel      Commit        Syzkaller Config   Log  Report  Syz repro  C repro  VM info  Title
ci-upstream-kasan-gce-smack-root      2018/11/04 21:31  upstream    71e56028173b  8bd6bd63  .config  log  report  syz        C
ci-upstream-kasan-gce-selinux-root    2018/11/03 00:05  upstream    8adcc59974b8  8bd6bd63  .config  log  report  syz        C
ci-upstream-kasan-gce-root            2018/09/16 01:53  upstream    3a5af36b6d0e  a343a400  .config  log  report  syz        C
ci-upstream-kasan-gce-smack-root      2018/09/15 20:56  upstream    3a5af36b6d0e  a343a400  .config  log  report  syz        C
ci-upstream-net-this-kasan-gce        2018/10/31 22:17  net         d48051c5b837  89781090  .config  log  report  syz        C
ci-upstream-bpf-kasan-gce             2018/10/31 22:17  bpf         27b31e68bc9f  89781090  .config  log  report  syz        C
ci-upstream-net-this-kasan-gce        2018/09/15 10:05  net         34043d250f51  a343a400  .config  log  report  syz        C
ci-upstream-bpf-kasan-gce             2018/09/15 09:46  bpf         4c3d795cb012  a343a400  .config  log  report  syz        C
ci-upstream-net-kasan-gce             2018/11/01 01:59  net-next    4b42745211af  1f38e9ae  .config  log  report  syz        C
ci-upstream-bpf-next-kasan-gce        2018/10/31 21:53  bpf-next    44adbac8f721  89781090  .config  log  report  syz        C
ci-upstream-bpf-next-kasan-gce        2018/09/15 10:05  bpf-next    70e88c758a6b  a343a400  .config  log  report  syz        C
ci-upstream-net-kasan-gce             2018/09/15 10:05  net-next    ee4fccbee7d3  a343a400  .config  log  report  syz        C
ci-upstream-linux-next-kasan-gce-root 2018/11/03 04:21  linux-next  25e9471b6a27  8bd6bd63  .config  log  report  syz        C
ci-upstream-linux-next-kasan-gce-root 2018/09/15 10:03  linux-next  f8dcd0279214  a343a400  .config  log  report  syz        C
ci-upstream-kasan-gce-smack-root      2018/11/11 18:55  upstream    e255aee5b66c  7b5f8621  .config  log  report
ci-upstream-kasan-gce-smack-root      2018/11/11 00:54  upstream    ab6e1f378f54  f3c4e618  .config  log  report
ci-upstream-kasan-gce-root            2018/10/30 15:36  upstream    11743c56785c  8dbb755a  .config  log  report
ci-upstream-kasan-gce-selinux-root    2018/10/11 21:44  upstream    0778a9f2dd92  ba6ddb43  .config  log  report
ci-upstream-bpf-kasan-gce             2018/11/19 21:15  bpf         569a933b03f3  adf636a8  .config  log  report
ci-upstream-bpf-kasan-gce             2018/11/18 08:47  bpf         569a933b03f3  adf636a8  .config  log  report
ci-upstream-bpf-kasan-gce             2018/11/17 09:35  bpf         569a933b03f3  b08ee62a  .config  log  report
ci-upstream-bpf-kasan-gce             2018/11/16 07:17  bpf         da85d8bfd151  f5e275d1  .config  log  report
ci-upstream-bpf-kasan-gce             2018/11/16 01:30  bpf         da85d8bfd151  3a41052e  .config  log  report
ci-upstream-bpf-kasan-gce             2018/11/15 22:04  bpf         da85d8bfd151  3a41052e  .config  log  report
ci-upstream-bpf-kasan-gce             2018/11/13 17:07  bpf         da85d8bfd151  5f5f6d14  .config  log  report
ci-upstream-bpf-kasan-gce             2018/11/13 12:07  bpf         da85d8bfd151  5f5f6d14  .config  log  report
ci-upstream-bpf-kasan-gce             2018/11/13 03:34  bpf         da85d8bfd151  74dbb806  .config  log  report
ci-upstream-bpf-kasan-gce             2018/11/12 04:26  bpf         da85d8bfd151  7b5f8621  .config  log  report
ci-upstream-bpf-kasan-gce             2018/11/11 17:30  bpf         da85d8bfd151  7b5f8621  .config  log  report
ci-upstream-bpf-kasan-gce             2018/11/11 03:09  bpf         da85d8bfd151  f3c4e618  .config  log  report
ci-upstream-bpf-kasan-gce             2018/11/10 22:47  bpf         da85d8bfd151  f3c4e618  .config  log  report
ci-upstream-bpf-kasan-gce             2018/11/10 20:09  bpf         da85d8bfd151  f3c4e618  .config  log  report
ci-upstream-bpf-kasan-gce             2018/11/10 09:43  bpf         da85d8bfd151  f9815aaf  .config  log  report
ci-upstream-bpf-kasan-gce             2018/11/10 02:46  bpf         da85d8bfd151  f9815aaf  .config  log  report
ci-upstream-bpf-kasan-gce             2018/11/09 21:02  bpf         da85d8bfd151  f9815aaf  .config  log  report
ci-upstream-bpf-kasan-gce             2018/11/09 12:25  bpf         f98e46a251d0  8fd01d3a  .config  log  report
ci-upstream-bpf-kasan-gce             2018/11/09 10:22  bpf         f98e46a251d0  8fd01d3a  .config  log  report
ci-upstream-bpf-kasan-gce             2018/11/09 07:37  bpf         ea53abfab960  8fd01d3a  .config  log  report
ci-upstream-bpf-kasan-gce             2018/11/07 23:05  bpf         ea53abfab960  e85d2a61  .config  log  report
ci-upstream-bpf-kasan-gce             2018/09/15 08:40  bpf         4c3d795cb012  a343a400  .config  log  report
ci-upstream-bpf-next-kasan-gce        2018/11/25 15:32  bpf-next    197c2dac74e4  3d3ec907  .config  log  report
ci-upstream-bpf-next-kasan-gce        2018/11/21 14:23  bpf-next    f6161a8f3036  5d9a3924  .config  log  report
ci-upstream-bpf-next-kasan-gce        2018/11/20 22:16  bpf-next    740baecd811f  9aca6b52  .config  log  report
ci-upstream-bpf-next-kasan-gce        2018/11/20 20:17  bpf-next    740baecd811f  9aca6b52  .config  log  report
ci-upstream-bpf-next-kasan-gce        2018/11/20 18:24  bpf-next    bbe5d311be66  9aca6b52  .config  log  report
ci-upstream-bpf-next-kasan-gce        2018/11/20 06:30  bpf-next    bbe5d311be66  9bc2a903  .config  log  report
ci-upstream-bpf-next-kasan-gce        2018/11/18 00:18  bpf-next    592ee43faf86  adf636a8  .config  log  report
ci-upstream-bpf-next-kasan-gce        2018/11/17 16:34  bpf-next    592ee43faf86  b08ee62a  .config  log  report
ci-upstream-bpf-next-kasan-gce        2018/11/17 13:23  bpf-next    5c86d2125b58  b08ee62a  .config  log  report
ci-upstream-bpf-next-kasan-gce        2018/11/16 08:26  bpf-next    407be8d03e20  f5e275d1  .config  log  report
ci-upstream-bpf-next-kasan-gce        2018/11/15 20:27  bpf-next    407be8d03e20  3a41052e  .config  log  report
ci-upstream-bpf-next-kasan-gce        2018/11/13 13:59  bpf-next    407be8d03e20  5f5f6d14  .config  log  report
ci-upstream-bpf-next-kasan-gce        2018/11/12 05:57  bpf-next    407be8d03e20  7b5f8621  .config  log  report
ci-upstream-bpf-next-kasan-gce        2018/11/11 09:59  bpf-next    407be8d03e20  f3c4e618  .config  log  report
ci-upstream-bpf-next-kasan-gce        2018/11/09 22:35  bpf-next    c8123ead13a5  f9815aaf  .config  log  report
ci-upstream-bpf-next-kasan-gce        2018/11/09 18:24  bpf-next    185067a86a78  8fd01d3a  .config  log  report
ci-upstream-bpf-next-kasan-gce        2018/11/09 05:38  bpf-next    bce6a14996f9  8fd01d3a  .config  log  report
ci-upstream-bpf-next-kasan-gce        2018/11/07 01:21  bpf-next    5e1abdc3fe56  8bd6bd63  .config  log  report
ci-upstream-bpf-next-kasan-gce        2018/11/06 18:45  bpf-next    44adbac8f721  8bd6bd63  .config  log  report
ci-upstream-bpf-next-kasan-gce        2018/11/04 19:27  bpf-next    44adbac8f721  8bd6bd63  .config  log  report