syzbot


KASAN: slab-out-of-bounds Read in fq_pie_qdisc_enqueue

Status: fixed on 2021/11/10 00:50
Subsystems: net
[Documentation on labels]
Fix commit: e70f7a11876a net/sched: fq_pie: fix OOB access in the traffic path
First crash: 1036d, last: 1036d

Sample crash report:
==================================================================
BUG: KASAN: slab-out-of-bounds in fq_pie_qdisc_enqueue+0x147c/0x17a0 net/sched/sch_fq_pie.c:155
Read of size 4 at addr ffff88808b5bc044 by task syz-executor.3/16008

CPU: 1 PID: 16008 Comm: syz-executor.3 Not tainted 5.13.0-rc2-next-20210518-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x13e/0x1d6 lib/dump_stack.c:129
 print_address_description.constprop.0.cold+0x6c/0x309 mm/kasan/report.c:233
 __kasan_report mm/kasan/report.c:419 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:436
 fq_pie_qdisc_enqueue+0x147c/0x17a0 net/sched/sch_fq_pie.c:155
 __dev_xmit_skb net/core/dev.c:3899 [inline]
 __dev_queue_xmit+0x1845/0x3150 net/core/dev.c:4214
 neigh_resolve_output net/core/neighbour.c:1495 [inline]
 neigh_resolve_output+0x50e/0x820 net/core/neighbour.c:1475
 neigh_output include/net/neighbour.h:510 [inline]
 ip6_finish_output2+0x686/0x1700 net/ipv6/ip6_output.c:117
 __ip6_finish_output net/ipv6/ip6_output.c:182 [inline]
 __ip6_finish_output+0x4c1/0xe10 net/ipv6/ip6_output.c:161
 ip6_finish_output+0x32/0x200 net/ipv6/ip6_output.c:192
 NF_HOOK_COND include/linux/netfilter.h:290 [inline]
 ip6_output+0x1e4/0x530 net/ipv6/ip6_output.c:215
 dst_output include/net/dst.h:448 [inline]
 ip6_local_out+0xaf/0x1a0 net/ipv6/output_core.c:179
 ip6_send_skb+0xb7/0x340 net/ipv6/ip6_output.c:1904
 ip6_push_pending_frames+0xdd/0x100 net/ipv6/ip6_output.c:1924
 icmpv6_push_pending_frames+0x294/0x470 net/ipv6/icmp.c:310
 icmp6_send+0x1b0d/0x2310 net/ipv6/icmp.c:626
 __icmpv6_send include/linux/icmpv6.h:28 [inline]
 icmpv6_send include/linux/icmpv6.h:49 [inline]
 ip6_pkt_drop+0x30b/0x7a0 net/ipv6/route.c:4393
 dst_input include/net/dst.h:458 [inline]
 ip6_rcv_finish net/ipv6/ip6_input.c:76 [inline]
 NF_HOOK include/linux/netfilter.h:301 [inline]
 NF_HOOK include/linux/netfilter.h:295 [inline]
 ipv6_rcv+0x28c/0x3c0 net/ipv6/ip6_input.c:297
 __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5459
 __netif_receive_skb+0x24/0x1b0 net/core/dev.c:5573
 netif_receive_skb_internal net/core/dev.c:5678 [inline]
 netif_receive_skb+0x13e/0x8e0 net/core/dev.c:5737
 tun_rx_batched.isra.0+0x460/0x720 drivers/net/tun.c:1460
 tun_get_user+0x2458/0x36c0 drivers/net/tun.c:1907
 tun_chr_write_iter+0xe1/0x1f0 drivers/net/tun.c:1937
 call_write_iter include/linux/fs.h:2114 [inline]
 new_sync_write+0x426/0x650 fs/read_write.c:518
 vfs_write+0x75a/0xa40 fs/read_write.c:605
 ksys_write+0x12d/0x250 fs/read_write.c:658
 do_syscall_64+0x31/0xb0 arch/x86/entry/common.c:47
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4192bf
Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 99 fd ff ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 cc fd ff ff 48
RSP: 002b:00007f08c7595150 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004192bf
RDX: 000000000000003e RSI: 0000000020000000 RDI: 00000000000000f0
RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 000000000056bf80
R13: 00007ffcea91a07f R14: 00007f08c7595300 R15: 0000000000022000

The buggy address belongs to the page:
page:ffffea00022d6800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8b5a0
head:ffffea00022d6800 order:5 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010000(head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010000 dead000000000100 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 5, migratetype Unmovable, gfp_mask 0x52dc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_ZERO), pid 13008, ts 312573420274, free_ts 309887471077
 prep_new_page mm/page_alloc.c:2377 [inline]
 get_page_from_freelist+0x125c/0x2ed0 mm/page_alloc.c:4038
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5239
 __alloc_pages_node include/linux/gfp.h:549 [inline]
 alloc_pages_node include/linux/gfp.h:563 [inline]
 kmalloc_large_node+0x62/0x130 mm/slub.c:4130
 __kmalloc_node+0x300/0x380 mm/slub.c:4146
 kmalloc_node include/linux/slab.h:613 [inline]
 kvmalloc_node+0xb4/0xf0 mm/util.c:587
 kvmalloc include/linux/mm.h:808 [inline]
 kvmalloc_array include/linux/mm.h:826 [inline]
 kvcalloc include/linux/mm.h:831 [inline]
 fq_pie_init+0x584/0x8e0 net/sched/sch_fq_pie.c:417
 qdisc_create+0x475/0x1320 net/sched/sch_api.c:1247
 tc_modify_qdisc+0x4c8/0x1a60 net/sched/sch_api.c:1663
 rtnetlink_rcv_msg+0x413/0xb80 net/core/rtnetlink.c:5550
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2502
 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338
 netlink_sendmsg+0x84c/0xd90 net/netlink/af_netlink.c:1927
 sock_sendmsg_nosec net/socket.c:654 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:674
 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2404
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1305 [inline]
 __free_pages_ok+0x4cb/0xf30 mm/page_alloc.c:1586
 unfreeze_partials+0x17c/0x1d0 mm/slub.c:2416
 put_cpu_partial+0x13d/0x230 mm/slub.c:2452
 qlink_free mm/kasan/quarantine.c:146 [inline]
 qlist_free_all+0x5a/0xc0 mm/kasan/quarantine.c:165
 kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:272
 __kasan_slab_alloc+0x8e/0xa0 mm/kasan/common.c:441
 kasan_slab_alloc include/linux/kasan.h:236 [inline]
 slab_post_alloc_hook mm/slab.h:512 [inline]
 slab_alloc_node mm/slub.c:2954 [inline]
 kmem_cache_alloc_node+0x266/0x3e0 mm/slub.c:2990
 __alloc_skb+0x20b/0x340 net/core/skbuff.c:413
 alloc_skb include/linux/skbuff.h:1107 [inline]
 nlmsg_new include/net/netlink.h:953 [inline]
 inet6_netconf_notify_devconf+0xa0/0x1e0 net/ipv6/addrconf.c:574
 __addrconf_sysctl_unregister net/ipv6/addrconf.c:6998 [inline]
 addrconf_sysctl_unregister+0x131/0x1c0 net/ipv6/addrconf.c:7022
 addrconf_ifdown.isra.0+0xf8f/0x15b0 net/ipv6/addrconf.c:3849
 addrconf_notify+0x606/0x2400 net/ipv6/addrconf.c:3631
 notifier_call_chain+0xb5/0x200 kernel/notifier.c:83
 call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:2121
 call_netdevice_notifiers_extack net/core/dev.c:2133 [inline]
 call_netdevice_notifiers net/core/dev.c:2147 [inline]
 unregister_netdevice_many+0x951/0x1790 net/core/dev.c:11032
 default_device_exit_batch+0x2fa/0x3c0 net/core/dev.c:11562

Memory state around the buggy address:
 ffff88808b5bbf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88808b5bbf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88808b5bc000: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
                                           ^
 ffff88808b5bc080: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
 ffff88808b5bc100: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
==================================================================

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2021/06/23 06:44 linux-next a1f92694393a aba2b2fb .config console log report info ci-upstream-linux-next-kasan-gce-root KASAN: slab-out-of-bounds Read in fq_pie_qdisc_enqueue
* Struck through repros no longer work on HEAD.