syzbot
```
==================================================================
BUG: KASAN: use-after-free in skb_end_pointer include/linux/skbuff.h:1419 [inline]
BUG: KASAN: use-after-free in kcm_sendpage+0x1458/0x1640 net/kcm/kcmsock.c:785
Read of size 8 at addr ffff888032e04d48 by task syz-executor.0/21948

CPU: 1 PID: 21948 Comm: syz-executor.0 Not tainted 5.13.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x141/0x1d7 lib/dump_stack.c:120
 print_address_description.constprop.0.cold+0x5b/0x2c6 mm/kasan/report.c:233
 __kasan_report mm/kasan/report.c:419 [inline]
 kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:436
 skb_end_pointer include/linux/skbuff.h:1419 [inline]
 kcm_sendpage+0x1458/0x1640 net/kcm/kcmsock.c:785
 kernel_sendpage.part.0+0x1ab/0x350 net/socket.c:3631
 kernel_sendpage net/socket.c:3628 [inline]
 sock_sendpage+0xe5/0x140 net/socket.c:947
 pipe_to_sendpage+0x2ad/0x380 fs/splice.c:364
 splice_from_pipe_feed fs/splice.c:418 [inline]
 __splice_from_pipe+0x43e/0x8a0 fs/splice.c:562
 splice_from_pipe fs/splice.c:597 [inline]
 generic_splice_sendpage+0xd4/0x140 fs/splice.c:746
 do_splice_from fs/splice.c:767 [inline]
 direct_splice_actor+0x110/0x180 fs/splice.c:936
 splice_direct_to_actor+0x34b/0x8c0 fs/splice.c:891
 do_splice_direct+0x1b3/0x280 fs/splice.c:979
 do_sendfile+0x9f0/0x1110 fs/read_write.c:1260
 __do_sys_sendfile64 fs/read_write.c:1325 [inline]
 __se_sys_sendfile64 fs/read_write.c:1311 [inline]
 __x64_sys_sendfile64+0x1cc/0x210 fs/read_write.c:1311
 do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4665d9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007feef1134188 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665d9
RDX: 0000000000000000 RSI: 0000000000000007 RDI: 0000000000000005
RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000001ffe00 R11: 0000000000000246 R12: 000000000056bf80
R13: 00007ffeb7d8925f R14: 00007feef1134300 R15: 0000000000022000

Allocated by task 21948:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:428 [inline]
 __kasan_slab_alloc+0x81/0xa0 mm/kasan/common.c:461
 kasan_slab_alloc include/linux/kasan.h:236 [inline]
 slab_post_alloc_hook mm/slab.h:524 [inline]
 slab_alloc_node mm/slab.c:3261 [inline]
 kmem_cache_alloc_node+0x333/0x590 mm/slab.c:3599
 __alloc_skb+0x20b/0x340 net/core/skbuff.c:413
 alloc_skb include/linux/skbuff.h:1107 [inline]
 kcm_sendpage+0x3db/0x1640 net/kcm/kcmsock.c:796
 kernel_sendpage.part.0+0x1ab/0x350 net/socket.c:3631
 kernel_sendpage net/socket.c:3628 [inline]
 sock_sendpage+0xe5/0x140 net/socket.c:947
 pipe_to_sendpage+0x2ad/0x380 fs/splice.c:364
 splice_from_pipe_feed fs/splice.c:418 [inline]
 __splice_from_pipe+0x43e/0x8a0 fs/splice.c:562
 splice_from_pipe fs/splice.c:597 [inline]
 generic_splice_sendpage+0xd4/0x140 fs/splice.c:746
 do_splice_from fs/splice.c:767 [inline]
 direct_splice_actor+0x110/0x180 fs/splice.c:936
 splice_direct_to_actor+0x34b/0x8c0 fs/splice.c:891
 do_splice_direct+0x1b3/0x280 fs/splice.c:979
 do_sendfile+0x9f0/0x1110 fs/read_write.c:1260
 __do_sys_sendfile64 fs/read_write.c:1325 [inline]
 __se_sys_sendfile64 fs/read_write.c:1311 [inline]
 __x64_sys_sendfile64+0x1cc/0x210 fs/read_write.c:1311
 do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 21951:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track+0x1c/0x30 mm/kasan/common.c:46
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:357
 ____kasan_slab_free mm/kasan/common.c:360 [inline]
 ____kasan_slab_free mm/kasan/common.c:325 [inline]
 __kasan_slab_free+0xcd/0x100 mm/kasan/common.c:368
 kasan_slab_free include/linux/kasan.h:212 [inline]
 __cache_free mm/slab.c:3445 [inline]
 kmem_cache_free+0x6b/0x200 mm/slab.c:3740
 kfree_skbmem+0xef/0x1b0 net/core/skbuff.c:684
 __kfree_skb net/core/skbuff.c:741 [inline]
 kfree_skb net/core/skbuff.c:758 [inline]
 kfree_skb+0x140/0x3f0 net/core/skbuff.c:752
 kfree_skb_list+0x3f/0x60 net/core/skbuff.c:767
 kcm_sendmsg+0xe65/0x2240 net/kcm/kcmsock.c:1070
 sock_sendmsg_nosec net/socket.c:654 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:674
 sock_write_iter+0x289/0x3c0 net/socket.c:1001
 call_write_iter include/linux/fs.h:2114 [inline]
 new_sync_write+0x426/0x650 fs/read_write.c:518
 vfs_write+0x796/0xa30 fs/read_write.c:605
 ksys_write+0x1ee/0x250 fs/read_write.c:658
 do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff888032e04c80
 which belongs to the cache skbuff_head_cache of size 232
The buggy address is located 200 bytes inside of
 232-byte region [ffff888032e04c80, ffff888032e04d68)
The buggy address belongs to the page:
page:ffffea0000cb8100 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888032e048c0 pfn:0x32e04
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffffea0000ab0e48 ffffea0000c45888 ffff88814014f900
raw: ffff888032e048c0 ffff888032e04000 000000010000000b 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x242220(__GFP_HIGH|__GFP_ATOMIC|__GFP_NOWARN|__GFP_COMP|__GFP_THISNODE), pid 8431, ts 146204128089, free_ts 146049230459
 prep_new_page mm/page_alloc.c:2358 [inline]
 get_page_from_freelist+0x1033/0x2b60 mm/page_alloc.c:3994
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5200
 __alloc_pages_node include/linux/gfp.h:549 [inline]
 kmem_getpages mm/slab.c:1377 [inline]
 cache_grow_begin+0x75/0x460 mm/slab.c:2593
 cache_alloc_refill+0x27f/0x380 mm/slab.c:2965
 ____cache_alloc mm/slab.c:3048 [inline]
 ____cache_alloc mm/slab.c:3031 [inline]
 __do_cache_alloc mm/slab.c:3275 [inline]
 slab_alloc mm/slab.c:3316 [inline]
 kmem_cache_alloc+0x46a/0x530 mm/slab.c:3507
 __build_skb+0x21/0x60 net/core/skbuff.c:239
 build_skb+0x1c/0x190 net/core/skbuff.c:256
 page_to_skb+0x635/0xc40 drivers/net/virtio_net.c:420
 receive_mergeable drivers/net/virtio_net.c:1014 [inline]
 receive_buf+0x2b6e/0x6210 drivers/net/virtio_net.c:1124
 virtnet_receive drivers/net/virtio_net.c:1416 [inline]
 virtnet_poll+0x568/0x10b0 drivers/net/virtio_net.c:1521
 __napi_poll+0xaf/0x440 net/core/dev.c:6985
 napi_poll net/core/dev.c:7052 [inline]
 net_rx_action+0x801/0xb40 net/core/dev.c:7139
 __do_softirq+0x29b/0x9f6 kernel/softirq.c:559
 invoke_softirq kernel/softirq.c:433 [inline]
 __irq_exit_rcu+0x136/0x200 kernel/softirq.c:637
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:649
 common_interrupt+0x51/0xd0 arch/x86/kernel/irq.c:240
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1298 [inline]
 free_pcp_prepare+0x223/0x300 mm/page_alloc.c:1342
 free_unref_page_prepare mm/page_alloc.c:3250 [inline]
 free_unref_page+0x12/0x1d0 mm/page_alloc.c:3298
 slab_destroy mm/slab.c:1627 [inline]
 slabs_destroy+0x89/0xc0 mm/slab.c:1647
 cache_flusharray mm/slab.c:3418 [inline]
 ___cache_free+0x58b/0x7a0 mm/slab.c:3480
 qlink_free mm/kasan/quarantine.c:146 [inline]
 qlist_free_all+0x4e/0x110 mm/kasan/quarantine.c:165
 kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:272
 __kasan_slab_alloc+0x8b/0xa0 mm/kasan/common.c:438
 kasan_slab_alloc include/linux/kasan.h:236 [inline]
 slab_post_alloc_hook mm/slab.h:524 [inline]
 slab_alloc_node mm/slab.c:3261 [inline]
 kmem_cache_alloc_node+0x333/0x590 mm/slab.c:3599
 __alloc_skb+0x20b/0x340 net/core/skbuff.c:413
 alloc_skb_fclone include/linux/skbuff.h:1157 [inline]
 sk_stream_alloc_skb+0x109/0xc30 net/ipv4/tcp.c:887
 tcp_sendmsg_locked+0xc00/0x2e40 net/ipv4/tcp.c:1309
 tcp_sendmsg+0x2b/0x40 net/ipv4/tcp.c:1458
 inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:821
 sock_sendmsg_nosec net/socket.c:654 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:674
 sock_write_iter+0x289/0x3c0 net/socket.c:1001
 call_write_iter include/linux/fs.h:2114 [inline]
 new_sync_write+0x426/0x650 fs/read_write.c:518

Memory state around the buggy address:
 ffff888032e04c00: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
 ffff888032e04c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888032e04d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
                                              ^
 ffff888032e04d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
 ffff888032e04e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
```
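The following is an added triage helper, not code from syzbot or from the kernel, that parses a KASAN slab report of the shape shown above and reduces it to the facts a triager compares between reports: the access kind and size, the allocating and freeing task, the offset of the access inside the slab object, and the first frame of each stack that lies outside generic allocator and skb helper files. The sample input is a constructed, trimmed copy of the report above; the list of source files treated as "generic" when choosing a frame to blame is an assumption of this example and not something KASAN or syzbot defines.

```python
# Added triage helper for KASAN slab reports like the one above. Example
# code, not part of syzbot or the kernel; it exists so that many reports
# can be bucketed and compared without reading every stack by hand.
import re

# Constructed sample: the report above with each stack trimmed to the
# frames needed for the demonstration.
SAMPLE_REPORT = """\
==================================================================
BUG: KASAN: use-after-free in skb_end_pointer include/linux/skbuff.h:1419 [inline]
BUG: KASAN: use-after-free in kcm_sendpage+0x1458/0x1640 net/kcm/kcmsock.c:785
Read of size 8 at addr ffff888032e04d48 by task syz-executor.0/21948
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:436
 skb_end_pointer include/linux/skbuff.h:1419 [inline]
 kcm_sendpage+0x1458/0x1640 net/kcm/kcmsock.c:785
 __x64_sys_sendfile64+0x1cc/0x210 fs/read_write.c:1311

Allocated by task 21948:
 kmem_cache_alloc_node+0x333/0x590 mm/slab.c:3599
 __alloc_skb+0x20b/0x340 net/core/skbuff.c:413
 kcm_sendpage+0x3db/0x1640 net/kcm/kcmsock.c:796

Freed by task 21951:
 kmem_cache_free+0x6b/0x200 mm/slab.c:3740
 kfree_skb_list+0x3f/0x60 net/core/skbuff.c:767
 kcm_sendmsg+0xe65/0x2240 net/kcm/kcmsock.c:1070

The buggy address belongs to the object at ffff888032e04c80
 which belongs to the cache skbuff_head_cache of size 232
==================================================================
"""

OFF = r"(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?"  # optional "+0x1458/0x1640" suffix
BUG_RE = re.compile(r"^BUG: KASAN: (?P<kind>[\w-]+) in ")
ACCESS_RE = re.compile(r"^(?P<op>Read|Write) of size (?P<size>\d+) at addr "
                       r"(?P<addr>[0-9a-f]+) by task \S+/(?P<pid>\d+)")
SECTION_RE = re.compile(r"^(?P<what>Allocated|Freed) by task (?P<pid>\d+):")
OBJECT_RE = re.compile(r"object at (?P<base>[0-9a-f]+)")
CACHE_RE = re.compile(r"cache (?P<cache>\S+) of size (?P<size>\d+)")
FRAME_RE = re.compile(r"^\s+(?P<func>\S+?)" + OFF + r" (?P<loc>\S+)")

# Assumed list of files that only record that a slab/skb was allocated,
# freed or reported and carry no blame; extend it for other subsystems.
GENERIC_FILES = ("lib/dump_stack.c", "mm/", "include/linux/kasan",
                 "net/core/skbuff.c", "include/linux/skbuff.h")

def blame_frame(frames):
    """First frame whose source file is outside the generic helpers."""
    for func, loc in frames:
        if not loc.startswith(GENERIC_FILES):
            return (func, loc)
    return frames[0] if frames else None

def parse_report(text):
    """Collect the header fields and the three stacks of one KASAN report."""
    r = {"stacks": {}}
    section = None  # "access", "allocated" or "freed" while inside a stack
    for line in text.splitlines():
        if not line.strip():
            section = None  # a blank line always ends a stack
        elif (m := BUG_RE.match(line)):
            r["kind"] = m["kind"]
        elif (m := ACCESS_RE.match(line)):
            r["access"] = (m["op"], int(m["size"]))
            r["addr"], r["access_pid"] = int(m["addr"], 16), int(m["pid"])
        elif line.startswith("Call Trace:"):
            section, r["stacks"]["access"] = "access", []
        elif (m := SECTION_RE.match(line)):
            section = m["what"].lower()
            r[section + "_pid"], r["stacks"][section] = int(m["pid"]), []
        elif (m := OBJECT_RE.search(line)):
            r["object_base"] = int(m["base"], 16)
        elif (m := CACHE_RE.search(line)):
            r["cache"], r["object_size"] = m["cache"], int(m["size"])
        elif section and (m := FRAME_RE.match(line)):
            r["stacks"][section].append((m["func"], m["loc"]))
    return r

def summarize(text):
    """Reduce a report to the facts a triager compares between reports."""
    r = parse_report(text)
    s = {"kind": r.get("kind"), "access": r.get("access"),
         "cache": r.get("cache"), "object_size": r.get("object_size"),
         "alloc_pid": r.get("allocated_pid"), "free_pid": r.get("freed_pid"),
         "access_site": blame_frame(r["stacks"].get("access", [])),
         "alloc_site": blame_frame(r["stacks"].get("allocated", [])),
         "free_site": blame_frame(r["stacks"].get("freed", []))}
    if "addr" in r and "object_base" in r:
        s["offset"] = r["addr"] - r["object_base"]
        # Inside the object: a dangling pointer to the freed object itself;
        # outside it: the access spilled into a redzone or a neighbour.
        s["inside_object"] = 0 <= s["offset"] < r.get("object_size", 0)
    # Allocation and free by different tasks points at a race on shared
    # state between two syscalls rather than a single-path logic error.
    s["cross_task"] = (None not in (s["alloc_pid"], s["free_pid"])
                       and s["alloc_pid"] != s["free_pid"])
    if s["access"] and s["access_site"]:  # same shape as syzbot's bug title
        s["title"] = "KASAN: %s %s in %s" % (s["kind"], s["access"][0],
                                            s["access_site"][0])
    return s
```

Run on the report above it yields an 8-byte read at offset 200 inside the 232-byte skbuff_head_cache object, allocation in kcm_sendpage (net/kcm/kcmsock.c:796) by task 21948, free in kcm_sendmsg (net/kcm/kcmsock.c:1070) by task 21951, and the same title syzbot assigned to the bug; the differing task IDs are the first thing to note when deciding whether to look for a locking problem between the two send paths.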
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title
---|---|---|---|---|---|---|---|---|---|---|---|---
2021/06/06 01:41 | upstream | 9d32fa5d74b1 | 500c2339 | .config | console log | report | | | info | | ci-upstream-kasan-gce-selinux-root | KASAN: use-after-free Read in kcm_sendpage
2021/06/09 05:19 | net-next-old | 5552571c657d | 5c2fe346 | .config | console log | report | | | info | | ci-upstream-net-kasan-gce | KASAN: use-after-free Read in kcm_sendpage