syzbot

 sign-in | mailing list | source | docs
🐞 Open [1556]
Subsystems
🐞 Fixed [6198]
🐞 Invalid [15554]
Missing Backports [179]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
Total Repo Heatmap Subsystems Heatmap
💬 Send us feedback

KASAN: use-after-free Read in nexthop_flush_dev

Status: closed as invalid on 2023/03/21 22:54
Subsystems: net
[Documentation on labels]
First crash: 1093d, last: 883d

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in nexthop_flush_dev+0x20b/0x230 net/ipv4/nexthop.c:2382
Read of size 8 at addr ffff88806429c058 by task syz-executor.3/3701

CPU: 3 PID: 3701 Comm: syz-executor.3 Not tainted 6.0.0-rc6-syzkaller-00281-g1707c39ae309 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:317 [inline]
 print_report.cold+0x2ba/0x6e9 mm/kasan/report.c:433
 kasan_report+0xb1/0x1e0 mm/kasan/report.c:495
 nexthop_flush_dev+0x20b/0x230 net/ipv4/nexthop.c:2382
 nh_netdev_event+0x2c6/0x370 net/ipv4/nexthop.c:3575
 notifier_call_chain+0xb5/0x200 kernel/notifier.c:87
 call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1945
 call_netdevice_notifiers_extack net/core/dev.c:1983 [inline]
 call_netdevice_notifiers net/core/dev.c:1997 [inline]
 netdev_wait_allrefs_any net/core/dev.c:10250 [inline]
 netdev_run_todo+0xbc2/0x1100 net/core/dev.c:10364
 tun_detach drivers/net/tun.c:704 [inline]
 tun_chr_close+0xe0/0x180 drivers/net/tun.c:3455
 __fput+0x277/0x9d0 fs/file_table.c:320
 task_work_run+0xdd/0x1a0 kernel/task_work.c:177
 exit_task_work include/linux/task_work.h:38 [inline]
 do_exit+0xad5/0x29b0 kernel/exit.c:795
 do_group_exit+0xd2/0x2f0 kernel/exit.c:925
 __do_sys_exit_group kernel/exit.c:936 [inline]
 __se_sys_exit_group kernel/exit.c:934 [inline]
 __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:934
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fc21128a669
Code: Unable to access opcode bytes at RIP 0x7fc21128a63f.
RSP: 002b:00007ffd1fe05928 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007ffd1fe05ad0 RCX: 00007fc21128a669
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000043
RBP: 0000000000000000 R08: 0000000000000025 R09: 00007ffd1fe05ad0
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fc2112e5531
R13: 000000000000001c R14: 0000000000000007 R15: 00007ffd1fe05b10
 </TASK>

Allocated by task 3701:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:437 [inline]
 ____kasan_kmalloc mm/kasan/common.c:516 [inline]
 ____kasan_kmalloc mm/kasan/common.c:475 [inline]
 __kasan_kmalloc+0xa6/0xd0 mm/kasan/common.c:525
 kasan_kmalloc include/linux/kasan.h:234 [inline]
 kmem_cache_alloc_trace+0x25a/0x460 mm/slab.c:3559
 kmalloc include/linux/slab.h:600 [inline]
 kzalloc include/linux/slab.h:733 [inline]
 nexthop_net_init+0x71/0x140 net/ipv4/nexthop.c:3754
 ops_init+0xaf/0x470 net/core/net_namespace.c:135
 setup_net+0x5d1/0xc50 net/core/net_namespace.c:326
 copy_net_ns+0x318/0x760 net/core/net_namespace.c:472
 create_new_namespaces+0x3f6/0xb20 kernel/nsproxy.c:110
 unshare_nsproxy_namespaces+0xc1/0x1f0 kernel/nsproxy.c:226
 ksys_unshare+0x445/0x920 kernel/fork.c:3181
 __do_sys_unshare kernel/fork.c:3252 [inline]
 __se_sys_unshare kernel/fork.c:3250 [inline]
 __x64_sys_unshare+0x2d/0x40 kernel/fork.c:3250
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 24280:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track+0x21/0x30 mm/kasan/common.c:45
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
 ____kasan_slab_free mm/kasan/common.c:367 [inline]
 ____kasan_slab_free+0x13d/0x1a0 mm/kasan/common.c:329
 kasan_slab_free include/linux/kasan.h:200 [inline]
 __cache_free mm/slab.c:3418 [inline]
 kfree+0x173/0x390 mm/slab.c:3786
 nexthop_net_exit_batch+0x245/0x2d0 net/ipv4/nexthop.c:3744
 ops_exit_list+0x125/0x170 net/core/net_namespace.c:168
 cleanup_net+0x4ea/0xb00 net/core/net_namespace.c:595
 process_one_work+0x991/0x1610 kernel/workqueue.c:2289
 worker_thread+0x665/0x1080 kernel/workqueue.c:2436
 kthread+0x2e4/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306

The buggy address belongs to the object at ffff88806429c000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 88 bytes inside of
 2048-byte region [ffff88806429c000, ffff88806429c800)

The buggy address belongs to the physical page:
page:ffffea000190a700 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x6429c
flags: 0x4fff00000000200(slab|node=1|zone=1|lastcpupid=0x7ff)
raw: 04fff00000000200 ffffea000190a6c8 ffffea000190a808 ffff888011840800
raw: 0000000000000000 ffff88806429c000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x40cc0(GFP_KERNEL|__GFP_COMP), pid 3701, tgid 3701 (syz-executor.3), ts 104167151097, free_ts 0
 prep_new_page mm/page_alloc.c:2532 [inline]
 get_page_from_freelist+0x109b/0x2ce0 mm/page_alloc.c:4283
 __alloc_pages+0x1c7/0x510 mm/page_alloc.c:5515
 __alloc_pages_node include/linux/gfp.h:243 [inline]
 kmem_getpages mm/slab.c:1363 [inline]
 cache_grow_begin+0x75/0x360 mm/slab.c:2569
 fallback_alloc+0x1e2/0x2d0 mm/slab.c:3112
 __do_cache_alloc mm/slab.c:3253 [inline]
 slab_alloc mm/slab.c:3287 [inline]
 kmem_cache_alloc_trace+0x306/0x460 mm/slab.c:3557
 kmalloc include/linux/slab.h:600 [inline]
 kzalloc include/linux/slab.h:733 [inline]
 nexthop_net_init+0x71/0x140 net/ipv4/nexthop.c:3754
 ops_init+0xaf/0x470 net/core/net_namespace.c:135
 setup_net+0x5d1/0xc50 net/core/net_namespace.c:326
 copy_net_ns+0x318/0x760 net/core/net_namespace.c:472
 create_new_namespaces+0x3f6/0xb20 kernel/nsproxy.c:110
 unshare_nsproxy_namespaces+0xc1/0x1f0 kernel/nsproxy.c:226
 ksys_unshare+0x445/0x920 kernel/fork.c:3181
 __do_sys_unshare kernel/fork.c:3252 [inline]
 __se_sys_unshare kernel/fork.c:3250 [inline]
 __x64_sys_unshare+0x2d/0x40 kernel/fork.c:3250
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
page_owner free stack trace missing

Memory state around the buggy address:
 ffff88806429bf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88806429bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88806429c000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                    ^
 ffff88806429c080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88806429c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (13):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2022/09/23 19:30 upstream 1707c39ae309 0042f2b4 .config console log report info ci-qemu-upstream KASAN: use-after-free Read in nexthop_flush_dev
2022/09/15 07:39 upstream 3245cb65fd91 dd9a85ff .config console log report info ci-qemu-upstream KASAN: use-after-free Read in nexthop_flush_dev
2022/09/02 03:42 upstream 42e66b1cc3a0 a805568e .config console log report info ci-upstream-kasan-gce-root KASAN: use-after-free Read in nexthop_flush_dev
2022/07/19 16:55 upstream 4a57a8400075 72a3cc0c .config console log report info ci-qemu-upstream KASAN: use-after-free Read in nexthop_flush_dev
2022/09/11 09:59 upstream b96fbd602d35 356d8217 .config console log report info ci-qemu-upstream-386 KASAN: use-after-free Read in nexthop_flush_dev
2022/07/25 18:05 upstream 4a57a8400075 664c519c .config console log report info ci-qemu-upstream-386 KASAN: use-after-free Read in nexthop_flush_dev
2022/11/18 05:58 net-old 58e0be1ef611 4ba8ab94 .config console log report info ci-upstream-net-this-kasan-gce KASAN: use-after-free Read in nexthop_flush_dev
2022/06/28 18:39 net-old ab84db251c04 496a8536 .config console log report info ci-upstream-net-this-kasan-gce KASAN: use-after-free Read in nexthop_flush_dev
2022/06/24 01:27 net-old 12378a5a75e3 912f5df7 .config console log report info ci-upstream-net-this-kasan-gce KASAN: use-after-free Read in nexthop_flush_dev
2022/06/20 06:55 net-old 9926de7315be 8f633d84 .config console log report info ci-upstream-net-this-kasan-gce KASAN: use-after-free Read in nexthop_flush_dev
2022/06/01 12:10 net-old 0a375c822497 3666edfe .config console log report info ci-upstream-net-this-kasan-gce KASAN: use-after-free Read in nexthop_flush_dev
2022/05/29 22:54 net-old 90343f573252 a46af346 .config console log report info ci-upstream-net-this-kasan-gce KASAN: use-after-free Read in nexthop_flush_dev
2022/04/22 08:24 linux-next f1244c81da13 2738b391 .config console log report info ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in nexthop_flush_dev
* Struck through repros no longer work on HEAD.