syzbot

KASAN: use-after-free Read in ila_nf_input (2)

Status: fixed on 2024/10/22 15:46
Subsystems: net
Fix commit: 031ae72825ce ila: call nf_unregister_net_hooks() sooner
First crash: 95d, last: 46d
Similar bugs (2)

| Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|
| upstream | KASAN: use-after-free Read in ila_nf_input (subsystem: net) | | | | 43 | 1893d | 2150d | 0/28 | auto-closed as invalid on 2020/01/27 14:15 |
| linux-5.15 | KASAN: use-after-free Read in ila_nf_input | | | | 1 | 44d | 44d | 0/3 | upstream: reported on 2024/10/20 21:26 |

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline]
BUG: KASAN: use-after-free in __rhashtable_lookup.constprop.0+0x426/0x550 include/linux/rhashtable.h:604
Read of size 4 at addr ffff8880299c0008 by task kworker/3:1/55

CPU: 3 UID: 0 PID: 55 Comm: kworker/3:1 Not tainted 6.12.0-rc1-syzkaller-00125-g0c559323bbaa #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: events_long defense_work_handler
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:488
 kasan_report+0xd9/0x110 mm/kasan/report.c:601
 rht_key_hashfn include/linux/rhashtable.h:159 [inline]
 __rhashtable_lookup.constprop.0+0x426/0x550 include/linux/rhashtable.h:604
 rhashtable_lookup include/linux/rhashtable.h:646 [inline]
 rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline]
 ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:132 [inline]
 ila_xlat_addr net/ipv6/ila/ila_xlat.c:657 [inline]
 ila_nf_input+0x1ee/0x620 net/ipv6/ila/ila_xlat.c:190
 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
 nf_hook_slow+0xbb/0x200 net/netfilter/core.c:626
 nf_hook.constprop.0+0x42e/0x750 include/linux/netfilter.h:269
 NF_HOOK include/linux/netfilter.h:312 [inline]
 ipv6_rcv+0xa4/0x680 net/ipv6/ip6_input.c:309
 __netif_receive_skb_one_core+0x12e/0x1e0 net/core/dev.c:5666
 __netif_receive_skb+0x1d/0x160 net/core/dev.c:5779
 process_backlog+0x443/0x15f0 net/core/dev.c:6111
 __napi_poll.constprop.0+0xb7/0x550 net/core/dev.c:6775
 napi_poll net/core/dev.c:6844 [inline]
 net_rx_action+0xa92/0x1010 net/core/dev.c:6966
 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554
 do_softirq kernel/softirq.c:455 [inline]
 do_softirq+0xb2/0xf0 kernel/softirq.c:442
 </IRQ>
 <TASK>
 __local_bh_enable_ip+0x100/0x120 kernel/softirq.c:382
 local_bh_enable include/linux/bottom_half.h:33 [inline]
 update_defense_level+0x5ce/0xf50 net/netfilter/ipvs/ip_vs_ctl.c:210
 defense_work_handler+0x26/0xd0 net/netfilter/ipvs/ip_vs_ctl.c:235
 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
 process_scheduled_works kernel/workqueue.c:3310 [inline]
 worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff8880299c2000 pfn:0x299c0
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea00012b4c08 ffff88806a944fb0 0000000000000000
raw: ffff8880299c2000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52dc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_ZERO), pid 9119, tgid 9119 (syz-executor), ts 268581262044, free_ts 332814819528
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457
 __alloc_pages_noprof+0x223/0x25c0 mm/page_alloc.c:4733
 __alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
 alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
 ___kmalloc_large_node+0x84/0x1b0 mm/slub.c:4210
 __kmalloc_large_node_noprof+0x1c/0x70 mm/slub.c:4237
 __do_kmalloc_node mm/slub.c:4253 [inline]
 __kmalloc_node_noprof.cold+0x5/0x5f mm/slub.c:4271
 __kvmalloc_node_noprof+0x6f/0x1a0 mm/util.c:658
 bucket_table_alloc.isra.0+0x86/0x460 lib/rhashtable.c:186
 rhashtable_init_noprof+0x41a/0x7e0 lib/rhashtable.c:1071
 ila_xlat_init_net+0xb5/0x110 net/ipv6/ila/ila_xlat.c:613
 ops_init+0x1df/0x5f0 net/core/net_namespace.c:139
 setup_net+0x21f/0x860 net/core/net_namespace.c:356
 copy_net_ns+0x2b4/0x6b0 net/core/net_namespace.c:494
 create_new_namespaces+0x3ea/0xad0 kernel/nsproxy.c:110
 unshare_nsproxy_namespaces+0xc0/0x1f0 kernel/nsproxy.c:228
 ksys_unshare+0x419/0x970 kernel/fork.c:3315
page last free pid 89 tgid 89 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638
 __folio_put+0x30d/0x3d0 mm/swap.c:126
 kvfree+0x47/0x50 mm/util.c:701
 rhashtable_free_and_destroy+0x16c/0x990 lib/rhashtable.c:1169
 ila_xlat_exit_net+0x59/0xa0 net/ipv6/ila/ila_xlat.c:635
 ops_exit_list+0xb0/0x180 net/core/net_namespace.c:173
 cleanup_net+0x5b7/0xb40 net/core/net_namespace.c:626
 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
 process_scheduled_works kernel/workqueue.c:3310 [inline]
 worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Memory state around the buggy address:
 ffff8880299bff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880299bff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880299c0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                      ^
 ffff8880299c0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8880299c0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (14):
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2024/10/04 21:56 | upstream | 0c559323bbaa | d7906eff | .config | console log | report | | | info | disk image (non-bootable), vmlinux, kernel image | ci-qemu-upstream | KASAN: use-after-free Read in ila_nf_input |
| 2024/09/18 04:03 | bpf | b831f83e40a2 | c673ca06 | .config | console log | report | | | info | disk image, vmlinux, kernel image | ci-upstream-bpf-kasan-gce | KASAN: use-after-free Read in ila_nf_input |
| 2024/10/02 00:55 | net-next | 44badc908f2c | ea2b66a6 | .config | console log | report | | | info | disk image, vmlinux, kernel image | ci-upstream-net-kasan-gce | KASAN: use-after-free Read in ila_nf_input |
| 2024/09/09 02:38 | bpf-next | 8a3f14bb1e94 | 9750182a | .config | console log | report | | | info | disk image, vmlinux, kernel image | ci-upstream-bpf-next-kasan-gce | KASAN: use-after-free Read in ila_nf_input |
| 2024/08/31 15:47 | bpf-next | 2ad6d23f465a | 1eda0d14 | .config | console log | report | | | info | disk image, vmlinux, kernel image | ci-upstream-bpf-next-kasan-gce | KASAN: use-after-free Read in ila_nf_input |
| 2024/10/18 19:36 | upstream | 4d939780b705 | 0270e729 | .config | console log | report | | | info | disk image, vmlinux, kernel image | ci-qemu-gce-upstream-auto | KASAN: slab-use-after-free Read in ila_nf_input |
| 2024/10/15 14:07 | upstream | eca631b8fe80 | eddfb4c9 | .config | console log | report | | | info | disk image, vmlinux, kernel image | ci-qemu-gce-upstream-auto | KASAN: slab-use-after-free Read in ila_nf_input |
| 2024/10/14 22:36 | upstream | eca631b8fe80 | b01b6661 | .config | console log | report | | | info | disk image, vmlinux, kernel image | ci-qemu-gce-upstream-auto | KASAN: slab-use-after-free Read in ila_nf_input |
| 2024/10/11 07:55 | upstream | 1d227fcc7222 | cd942402 | .config | console log | report | | | info | disk image, vmlinux, kernel image | ci-qemu-gce-upstream-auto | KASAN: slab-use-after-free Read in ila_nf_input |
| 2024/10/04 10:02 | upstream | 3840cbe24cf0 | d7906eff | .config | console log | report | | | info | disk image, vmlinux, kernel image | ci-qemu-gce-upstream-auto | KASAN: slab-use-after-free Read in ila_nf_input |
| 2024/10/03 06:22 | upstream | f23aa4c0761a | a4c7fd36 | .config | console log | report | | | info | disk image, vmlinux, kernel image | ci-qemu-gce-upstream-auto | KASAN: slab-use-after-free Read in ila_nf_input |
| 2024/09/18 18:16 | bpf | b831f83e40a2 | c673ca06 | .config | console log | report | | | info | disk image, vmlinux, kernel image | ci-upstream-bpf-kasan-gce | KASAN: slab-use-after-free Read in ila_nf_input |
| 2024/09/04 19:35 | bpf | b408473ea01b | 9d47f20a | .config | console log | report | | | info | disk image, vmlinux, kernel image | ci-upstream-bpf-kasan-gce | KASAN: slab-use-after-free Read in ila_nf_input |
| 2024/09/16 02:02 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | 5f5673607153 | 08d8a733 | .config | console log | report | | | info | disk image, vmlinux, kernel image | ci-upstream-gce-arm64 | KASAN: slab-use-after-free Read in ila_nf_input |