syzbot


KASAN: use-after-free Read in tc_chain_fill_node

Status: upstream: reported C repro on 2019/10/07 22:26
Reported-by: syzbot+5f229e48cccc804062c0@syzkaller.appspotmail.com
Fix commits:
 cd25f1099284 net: core: netlink: add helper refcount dec and lock function
 da1d324088c4 net: sched: add helper function to take reference to Qdisc
 f602ed9f8574 net: sched: extend Qdisc with rcu
 92833e8b5db6 net: sched: rename qdisc_destroy() to qdisc_put()
 ae214e04b95f net: sched: use Qdisc rcu API instead of relying on rtnl lock
Patched on: [], missing on: [ci2-linux-4-19]
First crash: 1660d, last: 416d
Discussions (1)
Title Replies (including bot) Last reply
[PATCH 4.19 00/74] 4.19.221-rc1 review 87 (87) 2021/12/15 17:54

Sample crash report:
netlink: 1096 bytes leftover after parsing attributes in process `syz-executor106'.
netlink: 1096 bytes leftover after parsing attributes in process `syz-executor106'.
netlink: 1096 bytes leftover after parsing attributes in process `syz-executor106'.
==================================================================
BUG: KASAN: use-after-free in qdisc_dev include/net/sch_generic.h:472 [inline]
BUG: KASAN: use-after-free in tc_chain_fill_node+0x7f5/0x860 net/sched/cls_api.c:1733
Read of size 8 at addr ffff8880aac4fb80 by task syz-executor106/8116

CPU: 0 PID: 8116 Comm: syz-executor106 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
 kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
 kasan_report mm/kasan/report.c:412 [inline]
 __asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433
 qdisc_dev include/net/sch_generic.h:472 [inline]
 tc_chain_fill_node+0x7f5/0x860 net/sched/cls_api.c:1733
 tc_chain_notify+0x100/0x1f0 net/sched/cls_api.c:1771
 __tcf_chain_put+0xe5/0x4b0 net/sched/cls_api.c:330
 tcf_chain_put net/sched/cls_api.c:340 [inline]
 tc_new_tfilter+0x729/0x16c0 net/sched/cls_api.c:1338
 rtnetlink_rcv_msg+0x453/0xb80 net/core/rtnetlink.c:4782
 netlink_rcv_skb+0x160/0x440 net/netlink/af_netlink.c:2463
 netlink_unicast_kernel net/netlink/af_netlink.c:1325 [inline]
 netlink_unicast+0x4d5/0x690 net/netlink/af_netlink.c:1351
 netlink_sendmsg+0x6c3/0xc50 net/netlink/af_netlink.c:1917
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg+0xc3/0x120 net/socket.c:661
 ___sys_sendmsg+0x7bb/0x8e0 net/socket.c:2227
 __sys_sendmsg net/socket.c:2265 [inline]
 __do_sys_sendmsg net/socket.c:2274 [inline]
 __se_sys_sendmsg net/socket.c:2272 [inline]
 __x64_sys_sendmsg+0x132/0x220 net/socket.c:2272
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f4122cbebf9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f4122c70318 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f4122d46428 RCX: 00007f4122cbebf9
RDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000000000005
RBP: 00007f4122d46420 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4122d14074
R13: 00007ffcc82f853f R14: 00007f4122c70400 R15: 0000000000022000

Allocated by task 8105:
 __do_kmalloc_node mm/slab.c:3689 [inline]
 __kmalloc_node+0x4c/0x70 mm/slab.c:3696
 kmalloc_node include/linux/slab.h:557 [inline]
 kzalloc_node include/linux/slab.h:720 [inline]
 qdisc_alloc+0xb2/0xa40 net/sched/sch_generic.c:837
 qdisc_create+0xdc/0x1130 net/sched/sch_api.c:1114
 tc_modify_qdisc+0x50d/0x1a80 net/sched/sch_api.c:1572
 rtnetlink_rcv_msg+0x453/0xb80 net/core/rtnetlink.c:4782
 netlink_rcv_skb+0x160/0x440 net/netlink/af_netlink.c:2463
 netlink_unicast_kernel net/netlink/af_netlink.c:1325 [inline]
 netlink_unicast+0x4d5/0x690 net/netlink/af_netlink.c:1351
 netlink_sendmsg+0x6c3/0xc50 net/netlink/af_netlink.c:1917
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg+0xc3/0x120 net/socket.c:661
 ___sys_sendmsg+0x7bb/0x8e0 net/socket.c:2227
 __sys_sendmsg net/socket.c:2265 [inline]
 __do_sys_sendmsg net/socket.c:2274 [inline]
 __se_sys_sendmsg net/socket.c:2272 [inline]
 __x64_sys_sendmsg+0x132/0x220 net/socket.c:2272
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 8111:
 __cache_free mm/slab.c:3503 [inline]
 kfree+0xcc/0x210 mm/slab.c:3822
 qdisc_free net/sched/sch_generic.c:958 [inline]
 qdisc_destroy+0x501/0x790 net/sched/sch_generic.c:998
 notify_and_destroy net/sched/sch_api.c:925 [inline]
 qdisc_graft+0xb61/0x1130 net/sched/sch_api.c:983
 tc_modify_qdisc+0xd3d/0x1a80 net/sched/sch_api.c:1583
 rtnetlink_rcv_msg+0x453/0xb80 net/core/rtnetlink.c:4782
 netlink_rcv_skb+0x160/0x440 net/netlink/af_netlink.c:2463
 netlink_unicast_kernel net/netlink/af_netlink.c:1325 [inline]
 netlink_unicast+0x4d5/0x690 net/netlink/af_netlink.c:1351
 netlink_sendmsg+0x6c3/0xc50 net/netlink/af_netlink.c:1917
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg+0xc3/0x120 net/socket.c:661
 ___sys_sendmsg+0x7bb/0x8e0 net/socket.c:2227
 __sys_sendmsg net/socket.c:2265 [inline]
 __do_sys_sendmsg net/socket.c:2274 [inline]
 __se_sys_sendmsg net/socket.c:2272 [inline]
 __x64_sys_sendmsg+0x132/0x220 net/socket.c:2272
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8880aac4fb40
 which belongs to the cache kmalloc-1024 of size 1024
The buggy address is located 64 bytes inside of
 1024-byte region [ffff8880aac4fb40, ffff8880aac4ff40)
The buggy address belongs to the page:
page:ffffea0002ab1380 count:1 mapcount:0 mapping:ffff88813bff0ac0 index:0x0 compound_mapcount: 0
flags: 0xfff00000008100(slab|head)
raw: 00fff00000008100 ffffea0002c57d88 ffffea0002cf8488 ffff88813bff0ac0
raw: 0000000000000000 ffff8880aac4e040 0000000100000007 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880aac4fa80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8880aac4fb00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8880aac4fb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff8880aac4fc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880aac4fc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (1031):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2022/12/26 05:26 linux-4.19.y 3f8a27f9e27b 9da18ae8 .config console log report syz C [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tc_chain_fill_node
2022/12/18 19:23 linux-4.19.y 3f8a27f9e27b 05494336 .config console log report syz C [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tc_chain_fill_node
2019/10/28 08:25 linux-4.19.y c3038e718a19 25bb509e .config console log report syz C ci2-linux-4-19
2019/10/22 08:00 linux-4.19.y c3038e718a19 c59a7cd8 .config console log report syz C ci2-linux-4-19
2019/10/13 15:44 linux-4.19.y dafd634415a7 2f661ec4 .config console log report syz C ci2-linux-4-19
2023/03/05 07:59 linux-4.19.y 3f8a27f9e27b f8902b57 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tc_chain_fill_node
2023/03/04 19:06 linux-4.19.y 3f8a27f9e27b f8902b57 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tc_chain_fill_node
2023/03/01 07:05 linux-4.19.y 3f8a27f9e27b 95aee97a .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tc_chain_fill_node
2023/02/24 16:59 linux-4.19.y 3f8a27f9e27b ee50e71c .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tc_chain_fill_node
2023/02/23 05:57 linux-4.19.y 3f8a27f9e27b 9f1e2cb3 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tc_chain_fill_node
2023/02/21 22:50 linux-4.19.y 3f8a27f9e27b 42a4d508 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tc_chain_fill_node
2023/02/21 18:01 linux-4.19.y 3f8a27f9e27b f949448d .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tc_chain_fill_node
2023/02/17 19:17 linux-4.19.y 3f8a27f9e27b cf8c2d39 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tc_chain_fill_node
2023/02/06 22:16 linux-4.19.y 3f8a27f9e27b 0a9c11b6 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tc_chain_fill_node
2023/02/06 11:49 linux-4.19.y 3f8a27f9e27b be607b78 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tc_chain_fill_node
2023/02/05 14:51 linux-4.19.y 3f8a27f9e27b be607b78 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tc_chain_fill_node
2023/02/05 14:41 linux-4.19.y 3f8a27f9e27b be607b78 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tc_chain_fill_node
2023/02/04 20:08 linux-4.19.y 3f8a27f9e27b be607b78 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tc_chain_fill_node
2023/02/04 12:59 linux-4.19.y 3f8a27f9e27b 1b2f701a .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tc_chain_fill_node
2023/02/03 08:35 linux-4.19.y 3f8a27f9e27b 33fc5c09 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tc_chain_fill_node
2023/02/01 06:08 linux-4.19.y 3f8a27f9e27b b68fb8d6 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tc_chain_fill_node
2023/01/29 22:01 linux-4.19.y 3f8a27f9e27b 9dfcf09c .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tc_chain_fill_node
2023/01/25 01:16 linux-4.19.y 3f8a27f9e27b 9dfcf09c .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tc_chain_fill_node
2023/01/24 13:10 linux-4.19.y 3f8a27f9e27b 9dfcf09c .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tc_chain_fill_node
2023/01/23 06:40 linux-4.19.y 3f8a27f9e27b cc0f9968 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tc_chain_fill_node
2023/01/22 10:29 linux-4.19.y 3f8a27f9e27b cc0f9968 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tc_chain_fill_node
2023/01/20 16:28 linux-4.19.y 3f8a27f9e27b dd15ff29 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tc_chain_fill_node
2023/01/19 11:40 linux-4.19.y 3f8a27f9e27b 66fca3ae .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tc_chain_fill_node
2023/01/19 01:59 linux-4.19.y 3f8a27f9e27b 4620c2d9 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tc_chain_fill_node
2023/01/16 01:41 linux-4.19.y 3f8a27f9e27b a63719e7 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tc_chain_fill_node
2023/01/14 13:52 linux-4.19.y 3f8a27f9e27b a63719e7 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tc_chain_fill_node
2023/01/13 20:16 linux-4.19.y 3f8a27f9e27b 529798b0 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tc_chain_fill_node
2023/01/11 19:54 linux-4.19.y 3f8a27f9e27b 96166539 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tc_chain_fill_node
2023/01/10 12:20 linux-4.19.y 3f8a27f9e27b 48bc529a .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tc_chain_fill_node
2023/01/08 02:09 linux-4.19.y 3f8a27f9e27b 1dac8c7a .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tc_chain_fill_node
2023/01/06 05:17 linux-4.19.y 3f8a27f9e27b 1dac8c7a .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tc_chain_fill_node
2023/01/04 03:25 linux-4.19.y 3f8a27f9e27b f0036e18 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tc_chain_fill_node
2022/12/31 21:43 linux-4.19.y 3f8a27f9e27b ab32d508 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tc_chain_fill_node
2022/12/29 05:13 linux-4.19.y 3f8a27f9e27b 44712fbc .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tc_chain_fill_node
2022/12/24 09:47 linux-4.19.y 3f8a27f9e27b 9da18ae8 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tc_chain_fill_node
2022/12/11 15:58 linux-4.19.y 3f8a27f9e27b 67be1ae7 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tc_chain_fill_node
2022/12/09 13:13 linux-4.19.y 3f8a27f9e27b 1034e5fa .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tc_chain_fill_node
2022/12/02 15:33 linux-4.19.y 3f8a27f9e27b e080de16 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tc_chain_fill_node
2022/12/02 02:41 linux-4.19.y 3f8a27f9e27b e080de16 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tc_chain_fill_node
2022/11/25 16:22 linux-4.19.y 3f8a27f9e27b 74a66371 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tc_chain_fill_node
2022/11/19 16:01 linux-4.19.y 3f8a27f9e27b 5bb70014 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tc_chain_fill_node
2022/11/14 07:34 linux-4.19.y 3f8a27f9e27b 7ba4d859 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tc_chain_fill_node
2021/01/12 12:56 linux-4.19.y 610bdbf6a174 2c1f2513 .config console log report info ci2-linux-4-19
2019/10/07 21:25 linux-4.19.y 58fce2064530 28ac6e64 .config console log report ci2-linux-4-19
* Struck through repros no longer work on HEAD.