KASAN: slab-out-of-bounds Write in setup_udp_tunnel

Kernel	Title	Repro	Fix bisect	Count	Last	Reported	Patched	Status
linux-4.19	KASAN: slab-out-of-bounds Write in setup_udp_tunnel_sock	C	done	1	1416d	1416d	1/1	fixed on 2020/02/22 11:44
linux-4.14	KASAN: slab-out-of-bounds Write in setup_udp_tunnel_sock	C	done	1	1415d	1415d	1/1	fixed on 2020/02/23 20:58
upstream	KASAN: slab-out-of-bounds Write in setup_udp_tunnel_sock net	C		4	2104d	2104d	4/25	fixed on 2018/03/23 18:14
upstream	KASAN: slab-out-of-bounds Write in setup_udp_tunnel_sock (3) net			1	1289d	1289d	17/25	fixed on 2020/07/17 17:58

================================================================== BUG: KASAN: slab-out-of-bounds in setup_udp_tunnel_sock+0x43d/0x520 net/ipv4/udp_tunnel.c:78 Write of size 1 at addr ffff8880a4952590 by task syz-executor502/10686 CPU: 1 PID: 10686 Comm: syz-executor502 Not tainted 5.5.0-rc7-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x197/0x210 lib/dump_stack.c:118 print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374 __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506 kasan_report+0x12/0x20 mm/kasan/common.c:639 __asan_report_store1_noabort+0x17/0x20 mm/kasan/generic_report.c:137 setup_udp_tunnel_sock+0x43d/0x520 net/ipv4/udp_tunnel.c:78 gtp_encap_enable_socket+0x338/0x420 drivers/net/gtp.c:827 gtp_encap_enable drivers/net/gtp.c:845 [inline] gtp_newlink+0x95/0xc60 drivers/net/gtp.c:666 __rtnl_newlink+0x109e/0x1790 net/core/rtnetlink.c:3305 rtnl_newlink+0x69/0xa0 net/core/rtnetlink.c:3363 rtnetlink_rcv_msg+0x45e/0xaf0 net/core/rtnetlink.c:5424 netlink_rcv_skb+0x177/0x450 net/netlink/af_netlink.c:2477 rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5442 netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline] netlink_unicast+0x58c/0x7d0 net/netlink/af_netlink.c:1328 netlink_sendmsg+0x91c/0xea0 net/netlink/af_netlink.c:1917 sock_sendmsg_nosec net/socket.c:639 [inline] sock_sendmsg+0xd7/0x130 net/socket.c:659 ____sys_sendmsg+0x753/0x880 net/socket.c:2330 ___sys_sendmsg+0x100/0x170 net/socket.c:2384 __sys_sendmsg+0x105/0x1d0 net/socket.c:2417 __do_sys_sendmsg net/socket.c:2426 [inline] __se_sys_sendmsg net/socket.c:2424 [inline] __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2424 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x4402b9 Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007ffc780292f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004402b9 RDX: 0000000000000000 RSI: 0000000020000100 RDI: 0000000000000003 RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401b40 R13: 0000000000401bd0 R14: 0000000000000000 R15: 0000000000000000 Allocated by task 10686: save_stack+0x23/0x90 mm/kasan/common.c:72 set_track mm/kasan/common.c:80 [inline] __kasan_kmalloc mm/kasan/common.c:513 [inline] __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:486 kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:521 slab_post_alloc_hook mm/slab.h:584 [inline] slab_alloc mm/slab.c:3320 [inline] kmem_cache_alloc+0x121/0x710 mm/slab.c:3484 sk_prot_alloc+0x67/0x310 net/core/sock.c:1597 sk_alloc+0x39/0xfd0 net/core/sock.c:1657 inet_create net/ipv4/af_inet.c:321 [inline] inet_create+0x363/0xdf0 net/ipv4/af_inet.c:247 __sock_create+0x3ce/0x730 net/socket.c:1420 sock_create net/socket.c:1471 [inline] __sys_socket+0x103/0x220 net/socket.c:1513 __do_sys_socket net/socket.c:1522 [inline] __se_sys_socket net/socket.c:1520 [inline] __x64_sys_socket+0x73/0xb0 net/socket.c:1520 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 0: (stack is not available) The buggy address belongs to the object at ffff8880a4952040 which belongs to the cache RAW of size 1360 The buggy address is located 0 bytes to the right of 1360-byte region [ffff8880a4952040, ffff8880a4952590) The buggy address belongs to the page: page:ffffea0002925480 refcount:1 mapcount:0 mapping:ffff88821a8abe00 index:0x0 compound_mapcount: 0 raw: 00fffe0000010200 ffff8880a4d7a348 ffff8880a4d7a348 ffff88821a8abe00 raw: 0000000000000000 ffff8880a4952040 0000000100000005 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880a4952480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8880a4952500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff8880a4952580: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff8880a4952600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8880a4952680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ==================================================================

Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	Manager
2020/01/23 03:09	upstream	dbab40bdb42c	3334d684	.config	console log	report	syz	C	ci-upstream-kasan-gce-selinux-root
2020/01/22 20:40	upstream	d96d875ef5dd	8eda0b95	.config	console log	report	syz	C	ci-upstream-kasan-gce-root
2020/01/21 20:15	upstream	d96d875ef5dd	8eda0b95	.config	console log	report	syz	C	ci-upstream-kasan-gce-smack-root
2020/01/21 18:35	upstream	d96d875ef5dd	8eda0b95	.config	console log	report	syz	C	ci-upstream-kasan-gce
2020/01/21 04:15	net-old	7008ee121089	d2557fb5	.config	console log	report	syz	C	ci-upstream-net-this-kasan-gce
2020/01/21 03:32	net-next-old	b3f7e3f23a76	d2557fb5	.config	console log	report	syz	C	ci-upstream-net-kasan-gce
2020/01/21 14:12	upstream	d96d875ef5dd	8eda0b95	.config	console log	report	syz		ci-upstream-kasan-gce-386
2020/01/21 03:00	net-next-old	b3f7e3f23a76	d2557fb5	.config	console log	report			ci-upstream-net-kasan-gce