syzbot


KASAN: use-after-free Read in tc_chain_fill_node

Status: upstream: reported C repro on 2019/10/07 22:26
Reported-by: syzbot+5f229e48cccc804062c0@syzkaller.appspotmail.com
Fix commits:
 cd25f1099284 net: core: netlink: add helper refcount dec and lock function
 da1d324088c4 net: sched: add helper function to take reference to Qdisc
 f602ed9f8574 net: sched: extend Qdisc with rcu
 92833e8b5db6 net: sched: rename qdisc_destroy() to qdisc_put()
 ae214e04b95f net: sched: use Qdisc rcu API instead of relying on rtnl lock
Patched on: [], missing on: [ci2-linux-4-19]
First crash: 1045d, last: 9h32m

Sample crash report:
audit: type=1400 audit(1572250958.120:36): avc:  denied  { map } for  pid=7660 comm="syz-executor726" path="/root/syz-executor726039997" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
hrtimer: interrupt took 46364 ns
syz-executor726 (7662) used greatest stack depth: 21888 bytes left
==================================================================
BUG: KASAN: use-after-free in tc_chain_fill_node+0x891/0x8b0 net/sched/cls_api.c:1733
Read of size 8 at addr ffff88807b45ec80 by task syz-executor726/7767

CPU: 0 PID: 7767 Comm: syz-executor726 Not tainted 4.19.80 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report mm/kasan/report.c:412 [inline]
 kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:396
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 tc_chain_fill_node+0x891/0x8b0 net/sched/cls_api.c:1733
 tc_chain_notify+0x102/0x200 net/sched/cls_api.c:1771
 __tcf_chain_put+0x380/0x500 net/sched/cls_api.c:330
 tcf_chain_put net/sched/cls_api.c:340 [inline]
 tc_ctl_chain+0xbca/0xff0 net/sched/cls_api.c:1932
 rtnetlink_rcv_msg+0x463/0xb00 net/core/rtnetlink.c:4747
 netlink_rcv_skb+0x17d/0x460 net/netlink/af_netlink.c:2454
 rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:4765
 netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
 netlink_unicast+0x537/0x720 net/netlink/af_netlink.c:1343
 netlink_sendmsg+0x8ae/0xd70 net/netlink/af_netlink.c:1908
 sock_sendmsg_nosec net/socket.c:622 [inline]
 sock_sendmsg+0xd7/0x130 net/socket.c:632
 ___sys_sendmsg+0x803/0x920 net/socket.c:2115
 __sys_sendmsg+0x105/0x1d0 net/socket.c:2153
 __do_sys_sendmsg net/socket.c:2162 [inline]
 __se_sys_sendmsg net/socket.c:2160 [inline]
 __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2160
 do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x446e19
Code: e8 5c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 0b 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f6cd9300d98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000006dbc98 RCX: 0000000000446e19
RDX: 0000000000000000 RSI: 0000000020000300 RDI: 000000000000000b
RBP: 00000000006dbc90 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc9c
R13: 0000000000000000 R14: 0000000000000000 R15: 0507002400000048

Allocated by task 7758:
 save_stack+0x45/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc mm/kasan/kasan.c:553 [inline]
 kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:531
 __do_kmalloc_node mm/slab.c:3689 [inline]
 __kmalloc_node+0x51/0x80 mm/slab.c:3696
 kmalloc_node include/linux/slab.h:557 [inline]
 kzalloc_node include/linux/slab.h:720 [inline]
 qdisc_alloc+0xbb/0xa60 net/sched/sch_generic.c:824
 qdisc_create+0xec/0x1230 net/sched/sch_api.c:1113
 tc_modify_qdisc+0xab0/0x1bdc net/sched/sch_api.c:1554
 rtnetlink_rcv_msg+0x463/0xb00 net/core/rtnetlink.c:4747
 netlink_rcv_skb+0x17d/0x460 net/netlink/af_netlink.c:2454
 rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:4765
 netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
 netlink_unicast+0x537/0x720 net/netlink/af_netlink.c:1343
 netlink_sendmsg+0x8ae/0xd70 net/netlink/af_netlink.c:1908
 sock_sendmsg_nosec net/socket.c:622 [inline]
 sock_sendmsg+0xd7/0x130 net/socket.c:632
 ___sys_sendmsg+0x803/0x920 net/socket.c:2115
 __sys_sendmsg+0x105/0x1d0 net/socket.c:2153
 __do_sys_sendmsg net/socket.c:2162 [inline]
 __se_sys_sendmsg net/socket.c:2160 [inline]
 __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2160
 do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 7761:
 save_stack+0x45/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3503 [inline]
 kfree+0xcf/0x220 mm/slab.c:3822
 qdisc_free+0x89/0x100 net/sched/sch_generic.c:945
 qdisc_destroy+0x4cf/0x690 net/sched/sch_generic.c:985
 notify_and_destroy+0xa2/0xb0 net/sched/sch_api.c:924
 qdisc_graft+0x4f3/0x1030 net/sched/sch_api.c:991
 tc_modify_qdisc+0xcae/0x1bdc net/sched/sch_api.c:1582
 rtnetlink_rcv_msg+0x463/0xb00 net/core/rtnetlink.c:4747
 netlink_rcv_skb+0x17d/0x460 net/netlink/af_netlink.c:2454
 rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:4765
 netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
 netlink_unicast+0x537/0x720 net/netlink/af_netlink.c:1343
 netlink_sendmsg+0x8ae/0xd70 net/netlink/af_netlink.c:1908
 sock_sendmsg_nosec net/socket.c:622 [inline]
 sock_sendmsg+0xd7/0x130 net/socket.c:632
 ___sys_sendmsg+0x803/0x920 net/socket.c:2115
 __sys_sendmsg+0x105/0x1d0 net/socket.c:2153
 __do_sys_sendmsg net/socket.c:2162 [inline]
 __se_sys_sendmsg net/socket.c:2160 [inline]
 __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2160
 do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff88807b45ec40
 which belongs to the cache kmalloc-4096 of size 4096
The buggy address is located 64 bytes inside of
 4096-byte region [ffff88807b45ec40, ffff88807b45fc40)
The buggy address belongs to the page:
page:ffffea0001ed1780 count:1 mapcount:0 mapping:ffff88812c3f0dc0 index:0x0 compound_mapcount: 0
flags: 0x1fffc0000008100(slab|head)
raw: 01fffc0000008100 ffffea000272c488 ffffea0001ed1008 ffff88812c3f0dc0
raw: 0000000000000000 ffff88807b45ec40 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88807b45eb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88807b45ec00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff88807b45ec80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff88807b45ed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88807b45ed80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (913):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci2-linux-4-19 2019/10/28 08:25 linux-4.19.y c3038e718a19 25bb509e .config log report syz C
ci2-linux-4-19 2019/10/22 08:00 linux-4.19.y c3038e718a19 c59a7cd8 .config log report syz C
ci2-linux-4-19 2019/10/13 15:44 linux-4.19.y dafd634415a7 2f661ec4 .config log report syz C
ci2-linux-4-19 2022/08/18 05:23 linux-4.19.y 3f8a27f9e27b a9409d47 .config log report info KASAN: use-after-free Read in tc_chain_fill_node
ci2-linux-4-19 2022/08/14 17:30 linux-4.19.y 3f8a27f9e27b 8dfcaa3d .config log report info KASAN: use-after-free Read in tc_chain_fill_node
ci2-linux-4-19 2022/08/14 11:16 linux-4.19.y 3f8a27f9e27b 8dfcaa3d .config log report info KASAN: use-after-free Read in tc_chain_fill_node
ci2-linux-4-19 2022/08/14 06:32 linux-4.19.y 3f8a27f9e27b 8dfcaa3d .config log report info KASAN: use-after-free Read in tc_chain_fill_node
ci2-linux-4-19 2022/08/07 11:13 linux-4.19.y 3f8a27f9e27b 88e3a122 .config log report info KASAN: use-after-free Read in tc_chain_fill_node
ci2-linux-4-19 2022/08/07 05:57 linux-4.19.y 3f8a27f9e27b 88e3a122 .config log report info KASAN: use-after-free Read in tc_chain_fill_node
ci2-linux-4-19 2022/08/05 13:30 linux-4.19.y 3f8a27f9e27b a65a7ce9 .config log report info KASAN: use-after-free Read in tc_chain_fill_node
ci2-linux-4-19 2022/08/05 03:55 linux-4.19.y 3f8a27f9e27b 1c9013ac .config log report info KASAN: use-after-free Read in tc_chain_fill_node
ci2-linux-4-19 2022/08/05 01:09 linux-4.19.y 3f8a27f9e27b 1c9013ac .config log report info KASAN: use-after-free Read in tc_chain_fill_node
ci2-linux-4-19 2022/08/01 19:32 linux-4.19.y 3f8a27f9e27b fef302b1 .config log report info KASAN: use-after-free Read in tc_chain_fill_node
ci2-linux-4-19 2022/08/01 01:23 linux-4.19.y 3f8a27f9e27b fef302b1 .config log report info KASAN: use-after-free Read in tc_chain_fill_node
ci2-linux-4-19 2022/07/28 05:27 linux-4.19.y 3f8a27f9e27b fb95c74d .config log report info KASAN: use-after-free Read in tc_chain_fill_node
ci2-linux-4-19 2022/07/26 07:44 linux-4.19.y 3f8a27f9e27b 34795c51 .config log report info KASAN: use-after-free Read in tc_chain_fill_node
ci2-linux-4-19 2022/07/21 17:44 linux-4.19.y 3f8a27f9e27b 6e67af9d .config log report info KASAN: use-after-free Read in tc_chain_fill_node
ci2-linux-4-19 2022/07/19 16:46 linux-4.19.y 3f8a27f9e27b 72a3cc0c .config log report info KASAN: use-after-free Read in tc_chain_fill_node
ci2-linux-4-19 2022/07/19 07:04 linux-4.19.y 3f8a27f9e27b ff988920 .config log report info KASAN: use-after-free Read in tc_chain_fill_node
ci2-linux-4-19 2022/07/15 21:42 linux-4.19.y 3f8a27f9e27b 5d921b08 .config log report info KASAN: use-after-free Read in tc_chain_fill_node
ci2-linux-4-19 2022/07/15 15:21 linux-4.19.y 3f8a27f9e27b 5d921b08 .config log report info KASAN: use-after-free Read in tc_chain_fill_node
ci2-linux-4-19 2022/07/14 01:06 linux-4.19.y 3f8a27f9e27b 5d921b08 .config log report info KASAN: use-after-free Read in tc_chain_fill_node
ci2-linux-4-19 2022/07/11 19:12 linux-4.19.y 3f8a27f9e27b f3f217ff .config log report info KASAN: use-after-free Read in tc_chain_fill_node
ci2-linux-4-19 2022/07/10 04:45 linux-4.19.y 3f8a27f9e27b b5765a15 .config log report info KASAN: use-after-free Read in tc_chain_fill_node
ci2-linux-4-19 2022/07/08 00:37 linux-4.19.y 3f8a27f9e27b bff65f44 .config log report info KASAN: use-after-free Read in tc_chain_fill_node
ci2-linux-4-19 2022/07/03 22:21 linux-4.19.y 3f8a27f9e27b 1434eec0 .config log report info KASAN: use-after-free Read in tc_chain_fill_node
ci2-linux-4-19 2022/07/03 16:31 linux-4.19.y 3f8a27f9e27b 1434eec0 .config log report info KASAN: use-after-free Read in tc_chain_fill_node
ci2-linux-4-19 2022/07/03 11:10 linux-4.19.y 3f8a27f9e27b 1434eec0 .config log report info KASAN: use-after-free Read in tc_chain_fill_node
ci2-linux-4-19 2022/07/02 14:31 linux-4.19.y 3f8a27f9e27b 1434eec0 .config log report info KASAN: use-after-free Read in tc_chain_fill_node
ci2-linux-4-19 2022/07/02 12:59 linux-4.19.y 3f8a27f9e27b 1434eec0 .config log report info KASAN: use-after-free Read in tc_chain_fill_node
ci2-linux-4-19 2022/06/30 06:38 linux-4.19.y 3f8a27f9e27b 1434eec0 .config log report info KASAN: use-after-free Read in tc_chain_fill_node
ci2-linux-4-19 2022/06/27 05:56 linux-4.19.y 3f8a27f9e27b a371c43c .config log report info KASAN: use-after-free Read in tc_chain_fill_node
ci2-linux-4-19 2022/06/26 23:33 linux-4.19.y 3f8a27f9e27b a371c43c .config log report info KASAN: use-after-free Read in tc_chain_fill_node
ci2-linux-4-19 2022/06/26 12:42 linux-4.19.y 3f8a27f9e27b a371c43c .config log report info KASAN: use-after-free Read in tc_chain_fill_node
ci2-linux-4-19 2022/06/26 07:03 linux-4.19.y 3f8a27f9e27b a371c43c .config log report info KASAN: use-after-free Read in tc_chain_fill_node
ci2-linux-4-19 2022/06/25 17:07 linux-4.19.y 3f8a27f9e27b a371c43c .config log report info KASAN: use-after-free Read in tc_chain_fill_node
ci2-linux-4-19 2022/06/25 08:21 linux-4.19.y 3f8a27f9e27b a371c43c .config log report info KASAN: use-after-free Read in tc_chain_fill_node
ci2-linux-4-19 2022/06/25 04:09 linux-4.19.y 3f8a27f9e27b a371c43c .config log report info KASAN: use-after-free Read in tc_chain_fill_node
ci2-linux-4-19 2022/06/24 20:17 linux-4.19.y 3f8a27f9e27b a371c43c .config log report info KASAN: use-after-free Read in tc_chain_fill_node
ci2-linux-4-19 2022/06/24 01:29 linux-4.19.y 3f8a27f9e27b 912f5df7 .config log report info KASAN: use-after-free Read in tc_chain_fill_node
ci2-linux-4-19 2022/06/23 20:15 linux-4.19.y 3f8a27f9e27b 912f5df7 .config log report info KASAN: use-after-free Read in tc_chain_fill_node
ci2-linux-4-19 2022/06/22 00:28 linux-4.19.y 3f8a27f9e27b 0fc5c330 .config log report info KASAN: use-after-free Read in tc_chain_fill_node
ci2-linux-4-19 2022/06/21 21:49 linux-4.19.y 3f8a27f9e27b 0fc5c330 .config log report info KASAN: use-after-free Read in tc_chain_fill_node
ci2-linux-4-19 2022/06/18 07:27 linux-4.19.y 3f8a27f9e27b 8f633d84 .config log report info KASAN: use-after-free Read in tc_chain_fill_node
ci2-linux-4-19 2022/06/18 03:01 linux-4.19.y 3f8a27f9e27b 8f633d84 .config log report info KASAN: use-after-free Read in tc_chain_fill_node
ci2-linux-4-19 2022/06/17 03:02 linux-4.19.y 3f8a27f9e27b 1719ee24 .config log report info KASAN: use-after-free Read in tc_chain_fill_node
ci2-linux-4-19 2022/06/16 21:37 linux-4.19.y 3f8a27f9e27b 1719ee24 .config log report info KASAN: use-after-free Read in tc_chain_fill_node
ci2-linux-4-19 2021/01/12 12:56 linux-4.19.y 610bdbf6a174 2c1f2513 .config log report info
ci2-linux-4-19 2019/10/07 21:25 linux-4.19.y 58fce2064530 28ac6e64 .config log report