syzbot


WARNING: kmalloc bug in xfrm_add_sa

Status: fixed on 2018/03/23 18:14
Subsystems: net
Reported-by: syzbot+0ab777c27d2bb7588f73@syzkaller.appspotmail.com
Fix commit: d97ca5d714a5 xfrm_user: uncoditionally validate esn replay attribute struct
First crash: 2240d, last: 2197d
Discussions (10)
Title Replies (including bot) Last reply
[PATCH 3.16 000/410] 3.16.57-rc1 review 426 (426) 2018/11/12 17:42
[PATCH 3.2 000/153] 3.2.102-rc1 review 155 (155) 2018/05/30 22:14
[PATCH 4.4 00/72] 4.4.127-stable review 83 (83) 2018/05/17 08:56
[PATCH 4.9 000/102] 4.9.93-stable review 111 (111) 2018/04/12 16:56
[PATCH 3.18 00/93] 3.18.103-stable review 102 (102) 2018/04/09 08:13
[PATCH 4.15 00/72] 4.15.16-stable review 78 (78) 2018/04/07 06:10
[PATCH 4.14 00/67] 4.14.33-stable review 71 (71) 2018/04/06 22:10
[PATCH 3/9] xfrm_user: uncoditionally validate esn replay attribute struct 1 (1) 2018/03/13 07:09
[PATCH ipsec] xfrm_user: uncoditionally validate esn replay attribute struct 2 (2) 2018/02/14 11:46
WARNING: kmalloc bug in xfrm_add_sa 0 (1) 2018/02/12 12:59

Sample crash report:
audit: type=1400 audit(1518094627.868:7): avc:  denied  { map } for  pid=4171 comm="syzkaller731818" path="/root/syzkaller731818472" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
WARNING: CPU: 1 PID: 4172 at mm/slab_common.c:1012 kmalloc_slab+0x5d/0x70 mm/slab_common.c:1012
Kernel panic - not syncing: panic_on_warn set ...

CPU: 1 PID: 4172 Comm: syzkaller731818 Not tainted 4.15.0+ #302
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 panic+0x1e4/0x41c kernel/panic.c:183
 __warn+0x1dc/0x200 kernel/panic.c:547
 report_bug+0x211/0x2d0 lib/bug.c:184
 fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:178
 fixup_bug arch/x86/kernel/traps.c:247 [inline]
 do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:296
 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
 invalid_op+0x22/0x40 arch/x86/entry/entry_64.S:988
RIP: 0010:kmalloc_slab+0x5d/0x70 mm/slab_common.c:1012
RSP: 0018:ffff8801bb7af2f0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 00000000fffff5bc RCX: ffffffff84c14688
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000fffff5bc
RBP: ffff8801bb7af2f0 R08: 0000000000000000 R09: 1ffff100376f5e21
R10: ffff8801bb7af040 R11: 0000000000000001 R12: 00000000fffff5bc
R13: ffff8801bb7af598 R14: 00000000014080c0 R15: ffff8801c8224dc0
 __do_kmalloc mm/slab.c:3700 [inline]
 __kmalloc+0x25/0x760 mm/slab.c:3714
 kmalloc include/linux/slab.h:517 [inline]
 kzalloc include/linux/slab.h:701 [inline]
 xfrm_alloc_replay_state_esn net/xfrm/xfrm_user.c:442 [inline]
 xfrm_state_construct net/xfrm/xfrm_user.c:601 [inline]
 xfrm_add_sa+0x1b15/0x3440 net/xfrm/xfrm_user.c:647
 xfrm_user_rcv_msg+0x41c/0x860 net/xfrm/xfrm_user.c:2595
 netlink_rcv_skb+0x14b/0x380 net/netlink/af_netlink.c:2442
 xfrm_netlink_rcv+0x6f/0x90 net/xfrm/xfrm_user.c:2603
 netlink_unicast_kernel net/netlink/af_netlink.c:1308 [inline]
 netlink_unicast+0x4c4/0x6b0 net/netlink/af_netlink.c:1334
 netlink_sendmsg+0xa4a/0xe60 net/netlink/af_netlink.c:1897
 sock_sendmsg_nosec net/socket.c:630 [inline]
 sock_sendmsg+0xca/0x110 net/socket.c:640
 ___sys_sendmsg+0x767/0x8b0 net/socket.c:2046
 __sys_sendmsg+0xe5/0x210 net/socket.c:2080
 SYSC_sendmsg net/socket.c:2091 [inline]
 SyS_sendmsg+0x2d/0x50 net/socket.c:2087
 do_syscall_64+0x282/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x26/0x9b
RIP: 0033:0x445a09
RSP: 002b:00007ff29bc19da8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000006dac24 RCX: 0000000000445a09
RDX: 0000000000000000 RSI: 000000002014f000 RDI: 0000000000000003
RBP: 00000000006dac20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0073746174735f68
R13: 7361682f6376612f R14: 78756e696c65732f R15: 0000000000000004
Dumping ftrace buffer:
   (ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..

Crashes (109):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2018/02/08 12:59 upstream 581e400ff935 9fb5ec43 .config console log report syz C ci-upstream-kasan-gce
2018/03/23 13:10 net-next-old 6686c459e144 2e9d9054 .config console log report syz ci-upstream-net-kasan-gce
2018/03/12 02:01 net-next-old f44b1886a5f8 36d1c454 .config console log report syz ci-upstream-net-kasan-gce
2018/03/21 13:18 upstream 3215b9d57a2c f63eeee9 .config console log report ci-upstream-kasan-gce
2018/03/14 20:24 upstream 3032f8c504d2 08dacaa0 .config console log report ci-upstream-kasan-gce
2018/03/13 06:00 upstream fc6eabbbf8ef f505ca4b .config console log report ci-upstream-kasan-gce
2018/03/11 21:12 upstream abeb75218aeb 36d1c454 .config console log report ci-upstream-kasan-gce
2018/02/08 12:40 upstream 581e400ff935 9fb5ec43 .config console log report ci-upstream-kasan-gce
2018/03/23 05:28 net-next-old 6686c459e144 2e9d9054 .config console log report ci-upstream-net-kasan-gce
2018/03/23 01:14 net-next-old aa65f6365405 2e9d9054 .config console log report ci-upstream-net-kasan-gce
2018/03/22 23:04 net-next-old aa65f6365405 2e9d9054 .config console log report ci-upstream-net-kasan-gce
2018/03/22 09:35 net-next-old 454bfe97837a 95c88d7a .config console log report ci-upstream-net-kasan-gce
2018/03/22 06:51 net-next-old 454bfe97837a 95c88d7a .config console log report ci-upstream-net-kasan-gce
2018/03/22 03:48 net-next-old 454bfe97837a 95c88d7a .config console log report ci-upstream-net-kasan-gce
2018/03/21 14:39 net-next-old 0466080c751e f63eeee9 .config console log report ci-upstream-net-kasan-gce
2018/03/21 10:29 net-next-old 0466080c751e 113a43ff .config console log report ci-upstream-net-kasan-gce
2018/03/21 09:14 net-next-old 0466080c751e 113a43ff .config console log report ci-upstream-net-kasan-gce
2018/03/21 03:48 net-next-old 0466080c751e 113a43ff .config console log report ci-upstream-net-kasan-gce
2018/03/21 00:49 net-next-old 0466080c751e 113a43ff .config console log report ci-upstream-net-kasan-gce
2018/03/20 16:10 net-next-old c846d8da5640 72c33b66 .config console log report ci-upstream-net-kasan-gce
2018/03/20 05:37 net-next-old c314c7ba4038 7e7d7ed2 .config console log report ci-upstream-net-kasan-gce
2018/03/19 14:21 net-next-old e3c72f3d37e4 7e7d7ed2 .config console log report ci-upstream-net-kasan-gce
2018/03/19 11:54 net-next-old e3c72f3d37e4 7e7d7ed2 .config console log report ci-upstream-net-kasan-gce
2018/03/19 10:11 net-next-old e3c72f3d37e4 08dacaa0 .config console log report ci-upstream-net-kasan-gce
2018/03/19 07:56 net-next-old e3c72f3d37e4 08dacaa0 .config console log report ci-upstream-net-kasan-gce
2018/03/19 05:42 net-next-old e3c72f3d37e4 08dacaa0 .config console log report ci-upstream-net-kasan-gce
2018/03/19 03:55 net-next-old e3c72f3d37e4 08dacaa0 .config console log report ci-upstream-net-kasan-gce
2018/03/18 01:11 net-next-old d7cb44496a9b 08dacaa0 .config console log report ci-upstream-net-kasan-gce
2018/03/17 23:55 net-next-old d7cb44496a9b 08dacaa0 .config console log report ci-upstream-net-kasan-gce
2018/03/17 19:50 net-next-old 53794570049d 08dacaa0 .config console log report ci-upstream-net-kasan-gce
2018/03/17 15:31 net-next-old 53794570049d 08dacaa0 .config console log report ci-upstream-net-kasan-gce
2018/03/17 13:55 net-next-old 53794570049d 08dacaa0 .config console log report ci-upstream-net-kasan-gce
2018/03/17 08:48 net-next-old 53794570049d 08dacaa0 .config console log report ci-upstream-net-kasan-gce
2018/03/17 04:27 net-next-old 53794570049d 08dacaa0 .config console log report ci-upstream-net-kasan-gce
2018/03/17 01:05 net-next-old 53794570049d 08dacaa0 .config console log report ci-upstream-net-kasan-gce
2018/03/16 10:06 net-next-old 0aee4c259849 08dacaa0 .config console log report ci-upstream-net-kasan-gce
2018/03/16 03:41 net-next-old 80d9f3a0fdb8 08dacaa0 .config console log report ci-upstream-net-kasan-gce
2018/03/16 01:51 net-next-old 80d9f3a0fdb8 08dacaa0 .config console log report ci-upstream-net-kasan-gce
2018/03/15 23:26 net-next-old 80d9f3a0fdb8 08dacaa0 .config console log report ci-upstream-net-kasan-gce
2018/03/15 20:05 net-next-old 80d9f3a0fdb8 08dacaa0 .config console log report ci-upstream-net-kasan-gce
2018/03/15 18:00 net-next-old c292566a7779 08dacaa0 .config console log report ci-upstream-net-kasan-gce
2018/03/15 13:38 net-next-old c292566a7779 08dacaa0 .config console log report ci-upstream-net-kasan-gce
2018/03/15 11:24 net-next-old c292566a7779 08dacaa0 .config console log report ci-upstream-net-kasan-gce
2018/03/15 06:48 net-next-old c292566a7779 08dacaa0 .config console log report ci-upstream-net-kasan-gce
2018/03/15 01:55 net-next-old c292566a7779 08dacaa0 .config console log report ci-upstream-net-kasan-gce
2018/03/15 00:09 net-next-old a870a02cc963 08dacaa0 .config console log report ci-upstream-net-kasan-gce
2018/03/14 10:18 net-next-old be9fc0971a5c 08dacaa0 .config console log report ci-upstream-net-kasan-gce
2018/03/13 15:25 net-next-old 9ba32046fc2d 08dacaa0 .config console log report ci-upstream-net-kasan-gce
2018/03/13 13:49 net-next-old 9ba32046fc2d 08dacaa0 .config console log report ci-upstream-net-kasan-gce
2018/03/13 08:54 net-next-old 9ba32046fc2d f505ca4b .config console log report ci-upstream-net-kasan-gce
2018/03/12 14:22 net-next-old 8b4c6ed2ed0e f505ca4b .config console log report ci-upstream-net-kasan-gce
2018/03/12 10:20 net-next-old 8b4c6ed2ed0e f505ca4b .config console log report ci-upstream-net-kasan-gce