syzbot

 sign-in | mailing list | source | docs
🐞 Open [1226]
Subsystems
🐞 Fixed [5632]
🐞 Invalid [13666]
Missing Backports [100]
Kernel Health Bugs/Month Bug Lifetimes Fuzzing Crashes
Total Repo Heatmap Subsystems Heatmap
💬 Send us feedback

KASAN: use-after-free Read in ila_nf_input (2)

Status: internal: reported on 2024/08/31 15:47
Subsystems: net
[Documentation on labels]
Fix commit: 031ae72825ce ila: call nf_unregister_net_hooks() sooner
Patched on: [ci-qemu-gce-upstream-auto ci-qemu-upstream ci-qemu-upstream-386 ci-qemu2-arm32 ci-qemu2-arm64 ci-qemu2-arm64-compat ci-qemu2-arm64-mte ci-snapshot-upstream-root ci-upstream-gce-arm64 ci-upstream-gce-leak ci-upstream-kasan-badwrites-root ci-upstream-kasan-gce ci-upstream-kasan-gce-386 ci-upstream-kasan-gce-root ci-upstream-kasan-gce-selinux-root ci-upstream-kasan-gce-smack-root ci-upstream-kmsan-gce-386-root ci-upstream-kmsan-gce-root ci-upstream-linux-next-kasan-gce-root ci-upstream-net-kasan-gce ci-upstream-net-this-kasan-gce ci2-upstream-fs ci2-upstream-kcsan-gce ci2-upstream-usb], missing on: [ci-qemu-native-arm64-kvm ci-qemu2-riscv64 ci-upstream-bpf-kasan-gce ci-upstream-bpf-next-kasan-gce]
First crash: 16d, last: 17h12m
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Read in ila_nf_input net 43 1814d 2071d 0/28 auto-closed as invalid on 2020/01/27 14:15

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline]
BUG: KASAN: use-after-free in __rhashtable_lookup include/linux/rhashtable.h:604 [inline]
BUG: KASAN: use-after-free in rhashtable_lookup include/linux/rhashtable.h:646 [inline]
BUG: KASAN: use-after-free in rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672
Read of size 4 at addr ffff88807b878008 by task ksoftirqd/1/24

CPU: 1 UID: 0 PID: 24 Comm: ksoftirqd/1 Not tainted 6.11.0-rc4-syzkaller-00280-g8a3f14bb1e94 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:93 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 rht_key_hashfn include/linux/rhashtable.h:159 [inline]
 __rhashtable_lookup include/linux/rhashtable.h:604 [inline]
 rhashtable_lookup include/linux/rhashtable.h:646 [inline]
 rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672
 ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:132 [inline]
 ila_xlat_addr net/ipv6/ila/ila_xlat.c:652 [inline]
 ila_nf_input+0x1fe/0x3c0 net/ipv6/ila/ila_xlat.c:190
 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
 nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626
 nf_hook include/linux/netfilter.h:269 [inline]
 NF_HOOK+0x29e/0x450 include/linux/netfilter.h:312
 __netif_receive_skb_one_core net/core/dev.c:5661 [inline]
 __netif_receive_skb+0x1ea/0x650 net/core/dev.c:5775
 process_backlog+0x662/0x15b0 net/core/dev.c:6108
 __napi_poll+0xcb/0x490 net/core/dev.c:6772
 napi_poll net/core/dev.c:6841 [inline]
 net_rx_action+0x89b/0x1240 net/core/dev.c:6963
 handle_softirqs+0x2c4/0x970 kernel/softirq.c:554
 run_ksoftirqd+0xca/0x130 kernel/softirq.c:928
 smpboot_thread_fn+0x544/0xa30 kernel/smpboot.c:164
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7b878
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xfdffffff(slab)
raw: 00fff00000000040 ffff88801ac42140 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000040004 00000001fdffffff 0000000000000000
head: 00fff00000000040 ffff88801ac42140 dead000000000122 0000000000000000
head: 0000000000000000 0000000000040004 00000001fdffffff 0000000000000000
head: 00fff00000000003 ffffea0001ee1e01 ffffffffffffffff 0000000000000000
head: ffff888000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x152820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL), pid 9619, tgid 9619 (syz-executor), ts 368695396472, free_ts 368573768142
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1493
 prep_new_page mm/page_alloc.c:1501 [inline]
 get_page_from_freelist+0x2e4c/0x2f10 mm/page_alloc.c:3439
 __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4695
 __alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
 alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
 alloc_slab_page+0x5f/0x120 mm/slub.c:2321
 allocate_slab+0x5a/0x2f0 mm/slub.c:2484
 new_slab mm/slub.c:2537 [inline]
 ___slab_alloc+0xcd1/0x14b0 mm/slub.c:3723
 __slab_alloc+0x58/0xa0 mm/slub.c:3813
 __slab_alloc_node mm/slub.c:3866 [inline]
 slab_alloc_node mm/slub.c:4025 [inline]
 __do_kmalloc_node mm/slub.c:4157 [inline]
 __kmalloc_noprof+0x25a/0x400 mm/slub.c:4170
 __dev_alloc_name net/core/dev.c:1114 [inline]
 dev_prep_valid_name+0x3c2/0xa40 net/core/dev.c:1163
 dev_get_valid_name net/core/dev.c:1197 [inline]
 register_netdevice+0x542/0x1b00 net/core/dev.c:10360
 nsim_init_netdevsim drivers/net/netdevsim/netdev.c:690 [inline]
 nsim_create+0x647/0x890 drivers/net/netdevsim/netdev.c:750
 __nsim_dev_port_add+0x6c0/0xae0 drivers/net/netdevsim/dev.c:1390
 nsim_dev_port_add_all+0x33/0xf0 drivers/net/netdevsim/dev.c:1446
 nsim_drv_probe+0x85f/0xb80 drivers/net/netdevsim/dev.c:1604
 really_probe+0x2b8/0xad0 drivers/base/dd.c:657
 __driver_probe_device+0x1a2/0x390 drivers/base/dd.c:799
page last free pid 3029 tgid 3029 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1094 [inline]
 free_unref_page+0xd22/0xea0 mm/page_alloc.c:2612
 __folio_put+0x2c8/0x440 mm/swap.c:128
 folio_put include/linux/mm.h:1486 [inline]
 free_large_kmalloc+0x105/0x1c0 mm/slub.c:4565
 kfree+0x1c4/0x360 mm/slub.c:4588
 rhashtable_free_and_destroy+0x7c6/0x920 lib/rhashtable.c:1169
 ila_xlat_exit_net+0x55/0x110 net/ipv6/ila/ila_xlat.c:626
 ops_exit_list net/core/net_namespace.c:173 [inline]
 cleanup_net+0x802/0xcc0 net/core/net_namespace.c:640
 process_one_work kernel/workqueue.c:3231 [inline]
 process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312
 worker_thread+0x86d/0xd40 kernel/workqueue.c:3390
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Memory state around the buggy address:
 ffff88807b877f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88807b877f80: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
>ffff88807b878000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff88807b878080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88807b878100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (4):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2024/09/09 02:38 bpf-next 8a3f14bb1e94 9750182a .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-bpf-next-kasan-gce KASAN: use-after-free Read in ila_nf_input
2024/08/31 15:47 bpf-next 2ad6d23f465a 1eda0d14 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-bpf-next-kasan-gce KASAN: use-after-free Read in ila_nf_input
2024/09/04 19:35 bpf b408473ea01b 9d47f20a .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-bpf-kasan-gce KASAN: slab-use-after-free Read in ila_nf_input
2024/09/16 02:02 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 5f5673607153 08d8a733 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: slab-use-after-free Read in ila_nf_input
* Struck through repros no longer work on HEAD.