syzbot
```
==================================================================
BUG: KASAN: use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline]
BUG: KASAN: use-after-free in __rhashtable_lookup.constprop.0+0x426/0x550 include/linux/rhashtable.h:604
Read of size 4 at addr ffff8880299c0008 by task kworker/3:1/55

CPU: 3 UID: 0 PID: 55 Comm: kworker/3:1 Not tainted 6.12.0-rc1-syzkaller-00125-g0c559323bbaa #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: events_long defense_work_handler
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:488
 kasan_report+0xd9/0x110 mm/kasan/report.c:601
 rht_key_hashfn include/linux/rhashtable.h:159 [inline]
 __rhashtable_lookup.constprop.0+0x426/0x550 include/linux/rhashtable.h:604
 rhashtable_lookup include/linux/rhashtable.h:646 [inline]
 rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline]
 ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:132 [inline]
 ila_xlat_addr net/ipv6/ila/ila_xlat.c:657 [inline]
 ila_nf_input+0x1ee/0x620 net/ipv6/ila/ila_xlat.c:190
 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
 nf_hook_slow+0xbb/0x200 net/netfilter/core.c:626
 nf_hook.constprop.0+0x42e/0x750 include/linux/netfilter.h:269
 NF_HOOK include/linux/netfilter.h:312 [inline]
 ipv6_rcv+0xa4/0x680 net/ipv6/ip6_input.c:309
 __netif_receive_skb_one_core+0x12e/0x1e0 net/core/dev.c:5666
 __netif_receive_skb+0x1d/0x160 net/core/dev.c:5779
 process_backlog+0x443/0x15f0 net/core/dev.c:6111
 __napi_poll.constprop.0+0xb7/0x550 net/core/dev.c:6775
 napi_poll net/core/dev.c:6844 [inline]
 net_rx_action+0xa92/0x1010 net/core/dev.c:6966
 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554
 do_softirq kernel/softirq.c:455 [inline]
 do_softirq+0xb2/0xf0 kernel/softirq.c:442
 </IRQ>
 <TASK>
 __local_bh_enable_ip+0x100/0x120 kernel/softirq.c:382
 local_bh_enable include/linux/bottom_half.h:33 [inline]
 update_defense_level+0x5ce/0xf50 net/netfilter/ipvs/ip_vs_ctl.c:210
 defense_work_handler+0x26/0xd0 net/netfilter/ipvs/ip_vs_ctl.c:235
 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
 process_scheduled_works kernel/workqueue.c:3310 [inline]
 worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff8880299c2000 pfn:0x299c0
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea00012b4c08 ffff88806a944fb0 0000000000000000
raw: ffff8880299c2000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52dc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_ZERO), pid 9119, tgid 9119 (syz-executor), ts 268581262044, free_ts 332814819528
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457
 __alloc_pages_noprof+0x223/0x25c0 mm/page_alloc.c:4733
 __alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
 alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
 ___kmalloc_large_node+0x84/0x1b0 mm/slub.c:4210
 __kmalloc_large_node_noprof+0x1c/0x70 mm/slub.c:4237
 __do_kmalloc_node mm/slub.c:4253 [inline]
 __kmalloc_node_noprof.cold+0x5/0x5f mm/slub.c:4271
 __kvmalloc_node_noprof+0x6f/0x1a0 mm/util.c:658
 bucket_table_alloc.isra.0+0x86/0x460 lib/rhashtable.c:186
 rhashtable_init_noprof+0x41a/0x7e0 lib/rhashtable.c:1071
 ila_xlat_init_net+0xb5/0x110 net/ipv6/ila/ila_xlat.c:613
 ops_init+0x1df/0x5f0 net/core/net_namespace.c:139
 setup_net+0x21f/0x860 net/core/net_namespace.c:356
 copy_net_ns+0x2b4/0x6b0 net/core/net_namespace.c:494
 create_new_namespaces+0x3ea/0xad0 kernel/nsproxy.c:110
 unshare_nsproxy_namespaces+0xc0/0x1f0 kernel/nsproxy.c:228
 ksys_unshare+0x419/0x970 kernel/fork.c:3315
page last free pid 89 tgid 89 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638
 __folio_put+0x30d/0x3d0 mm/swap.c:126
 kvfree+0x47/0x50 mm/util.c:701
 rhashtable_free_and_destroy+0x16c/0x990 lib/rhashtable.c:1169
 ila_xlat_exit_net+0x59/0xa0 net/ipv6/ila/ila_xlat.c:635
 ops_exit_list+0xb0/0x180 net/core/net_namespace.c:173
 cleanup_net+0x5b7/0xb40 net/core/net_namespace.c:626
 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
 process_scheduled_works kernel/workqueue.c:3310 [inline]
 worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Memory state around the buggy address:
 ffff8880299bff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880299bff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880299c0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                      ^
 ffff8880299c0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8880299c0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
```
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title |
---|---|---|---|---|---|---|---|---|---|---|---|---|
2024/10/04 21:56 | upstream | 0c559323bbaa | d7906eff | .config | console log | report | | | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream | KASAN: use-after-free Read in ila_nf_input |
2024/09/18 04:03 | bpf | b831f83e40a2 | c673ca06 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-bpf-kasan-gce | KASAN: use-after-free Read in ila_nf_input |
2024/10/02 00:55 | net-next | 44badc908f2c | ea2b66a6 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-net-kasan-gce | KASAN: use-after-free Read in ila_nf_input |
2024/09/09 02:38 | bpf-next | 8a3f14bb1e94 | 9750182a | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-bpf-next-kasan-gce | KASAN: use-after-free Read in ila_nf_input |
2024/08/31 15:47 | bpf-next | 2ad6d23f465a | 1eda0d14 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-bpf-next-kasan-gce | KASAN: use-after-free Read in ila_nf_input |
2024/10/18 19:36 | upstream | 4d939780b705 | 0270e729 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-qemu-gce-upstream-auto | KASAN: slab-use-after-free Read in ila_nf_input |
2024/10/15 14:07 | upstream | eca631b8fe80 | eddfb4c9 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-qemu-gce-upstream-auto | KASAN: slab-use-after-free Read in ila_nf_input |
2024/10/14 22:36 | upstream | eca631b8fe80 | b01b6661 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-qemu-gce-upstream-auto | KASAN: slab-use-after-free Read in ila_nf_input |
2024/10/11 07:55 | upstream | 1d227fcc7222 | cd942402 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-qemu-gce-upstream-auto | KASAN: slab-use-after-free Read in ila_nf_input |
2024/10/04 10:02 | upstream | 3840cbe24cf0 | d7906eff | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-qemu-gce-upstream-auto | KASAN: slab-use-after-free Read in ila_nf_input |
2024/10/03 06:22 | upstream | f23aa4c0761a | a4c7fd36 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-qemu-gce-upstream-auto | KASAN: slab-use-after-free Read in ila_nf_input |
2024/09/18 18:16 | bpf | b831f83e40a2 | c673ca06 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-bpf-kasan-gce | KASAN: slab-use-after-free Read in ila_nf_input |
2024/09/04 19:35 | bpf | b408473ea01b | 9d47f20a | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-bpf-kasan-gce | KASAN: slab-use-after-free Read in ila_nf_input |
2024/09/16 02:02 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | 5f5673607153 | 08d8a733 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-gce-arm64 | KASAN: slab-use-after-free Read in ila_nf_input |