syzbot

 sign-in | mailing list | source | docs
🐞 Open [1651]
Subsystems
🐞 Fixed [6000]
🐞 Invalid [14793]
Missing Backports [135]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
Total Repo Heatmap Subsystems Heatmap
💬 Send us feedback

KASAN: use-after-free Write in __skb_try_recv_from_queue

Status: auto-closed as invalid on 2020/12/06 11:21
Subsystems: net
[Documentation on labels]
First crash: 1603d, last: 1603d

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in __skb_unlink include/linux/skbuff.h:2066 [inline]
BUG: KASAN: use-after-free in __skb_try_recv_from_queue+0x767/0x820 net/core/datagram.c:199
Write of size 8 at addr ffff888000022008 by task systemd-journal/3896

CPU: 0 PID: 3896 Comm: systemd-journal Not tainted 5.9.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x198/0x1fd lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xae/0x497 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
 __skb_unlink include/linux/skbuff.h:2066 [inline]
 __skb_try_recv_from_queue+0x767/0x820 net/core/datagram.c:199
 __skb_try_recv_datagram+0x153/0x3d0 net/core/datagram.c:265
 __skb_recv_datagram+0x1a1/0x220 net/core/datagram.c:297
 skb_recv_datagram+0xa7/0xe0 net/core/datagram.c:317
 netlink_recvmsg+0xe3/0xee0 net/netlink/af_netlink.c:1942
 sock_recvmsg_nosec net/socket.c:885 [inline]
 sock_recvmsg net/socket.c:903 [inline]
 sock_recvmsg net/socket.c:899 [inline]
 ____sys_recvmsg+0x2c4/0x640 net/socket.c:2576
 ___sys_recvmsg+0x127/0x200 net/socket.c:2618
 __sys_recvmsg+0xe2/0x1a0 net/socket.c:2652
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f3b836f5dc7
Code: 89 01 b8 ff ff ff ff eb d8 66 2e 0f 1f 84 00 00 00 00 00 8b 05 0a b6 20 00 85 c0 75 2e 48 63 ff 48 63 d2 b8 2f 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 8b 15 b1 71 20 00 f7 d8 64 89 02 48
RSP: 002b:00007ffd896aff08 EFLAGS: 00000246 ORIG_RAX: 000000000000002f
RAX: ffffffffffffffda RBX: 00007ffd896b0480 RCX: 00007f3b836f5dc7
RDX: 0000000040000040 RSI: 00007ffd896aff60 RDI: 0000000000000003
RBP: 00007ffd896aff60 R08: 0000000000000008 R09: 000055891fa466b8
R10: 000055891fa46680 R11: 0000000000000246 R12: 0000000000000001
R13: 0000000000000003 R14: 000055891dfde958 R15: 0005aeb7553342b5

Allocated by task 3896:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:461
 slab_post_alloc_hook mm/slab.h:518 [inline]
 slab_alloc mm/slab.c:3312 [inline]
 kmem_cache_alloc+0x13a/0x3a0 mm/slab.c:3482
 prepare_creds+0x39/0x6c0 kernel/cred.c:258
 access_override_creds fs/open.c:353 [inline]
 do_faccessat+0x3d7/0x820 fs/open.c:417
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 3896:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_set_track+0x1c/0x30 mm/kasan/common.c:56
 kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:355
 __kasan_slab_free+0xd8/0x120 mm/kasan/common.c:422
 __cache_free mm/slab.c:3418 [inline]
 kmem_cache_free.part.0+0x74/0x1e0 mm/slab.c:3693
 __put_cred+0x1de/0x250 kernel/cred.c:148
 put_cred include/linux/cred.h:287 [inline]
 put_cred include/linux/cred.h:280 [inline]
 revert_creds+0x1a8/0x1f0 kernel/cred.c:598
 do_faccessat+0x2ca/0x820 fs/open.c:464
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

The buggy address belongs to the object at ffff888000022000
 which belongs to the cache cred_jar of size 184
The buggy address is located 8 bytes inside of
 184-byte region [ffff888000022000, ffff8880000220b8)
The buggy address belongs to the page:
page:00000000de652c9c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x22
flags: 0x7ffe0000000200(slab)
raw: 007ffe0000000200 ffffea0000033048 ffffea0001066508 ffff8880aa06f900
raw: 0000000000000000 ffff888000022000 0000000100000010 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888000021f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888000021f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888000022000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff888000022080: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
 ffff888000022100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/09/07 11:15 upstream f4d51dffc6c0 abf9ba4f .config console log report ci-upstream-kasan-gce-root
* Struck through repros no longer work on HEAD.