KASAN: use-after-free Read in free_netdev
14 views
Skip to first unread message
syzbot
Mar 6, 2020, 3:14:14 PM3/6/20
to syzkaller-a...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: 017d67e9 ANDROID: CC_FLAGS_CFI add -fno-sanitize-blacklist
git tree: android-5.4
console output: https://syzkaller.appspot.com/x/log.txt?x=132a7145e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=3f89e7b19e996a7b
dashboard link: https://syzkaller.appspot.com/bug?extid=04649b68561aae62c5ff
compiler: Android (6032204 based on r370808) clang version 10.0.1 (https://android.googlesource.com/toolchain/llvm-project 6e765c10313d15c02ab29977a82938f66742c3a9)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+04649b...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in free_netdev+0x186/0x300 net/core/dev.c:9582
Read of size 8 at addr ffff8881c92b84f0 by task syz-executor.3/12731
CPU: 0 PID: 12731 Comm: syz-executor.3 Not tainted 5.4.24-syzkaller-00161-g017d67e9a8b3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1b0/0x228 lib/dump_stack.c:118
print_address_description+0x96/0x5d0 mm/kasan/report.c:374
__kasan_report+0x14b/0x1c0 mm/kasan/report.c:506
kasan_report+0x26/0x50 mm/kasan/common.c:634
__asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
free_netdev+0x186/0x300 net/core/dev.c:9582
netdev_run_todo+0xbc4/0xe00 net/core/dev.c:9333
rtnl_unlock net/core/rtnetlink.c:112 [inline]
rtnetlink_rcv_msg+0x963/0xc20 net/core/rtnetlink.c:5255
netlink_rcv_skb+0x1f0/0x460 net/netlink/af_netlink.c:2478
rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:5272
netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
netlink_unicast+0x87c/0xa20 net/netlink/af_netlink.c:1329
netlink_sendmsg+0x9a7/0xd40 net/netlink/af_netlink.c:1918
sock_sendmsg_nosec net/socket.c:638 [inline]
sock_sendmsg net/socket.c:658 [inline]
____sys_sendmsg+0x56f/0x860 net/socket.c:2298
___sys_sendmsg net/socket.c:2352 [inline]
__sys_sendmsg+0x26a/0x350 net/socket.c:2398
__do_sys_sendmsg net/socket.c:2407 [inline]
__se_sys_sendmsg net/socket.c:2405 [inline]
__x64_sys_sendmsg+0x7f/0x90 net/socket.c:2405
do_syscall_64+0xc0/0x100 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45c479
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ff27a152c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007ff27a1536d4 RCX: 000000000045c479
RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000005
RBP: 000000000076bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000007
R13: 00000000000009f9 R14: 00000000004cc71a R15: 0000000000000002
Allocated by task 12731:
save_stack mm/kasan/common.c:69 [inline]
set_track mm/kasan/common.c:77 [inline]
__kasan_kmalloc+0x117/0x1b0 mm/kasan/common.c:510
kasan_kmalloc+0x9/0x10 mm/kasan/common.c:524
__kmalloc+0x102/0x310 mm/slub.c:3802
kmalloc include/linux/slab.h:561 [inline]
sk_prot_alloc+0x11c/0x2f0 net/core/sock.c:1605
sk_alloc+0x35/0x300 net/core/sock.c:1659
tun_chr_open+0x7b/0x4a0 drivers/net/tun.c:3416
misc_open+0x3ea/0x440 drivers/char/misc.c:141
chrdev_open+0x60a/0x670 fs/char_dev.c:414
do_dentry_open+0x8f7/0x1070 fs/open.c:809
vfs_open+0x73/0x80 fs/open.c:926
do_last fs/namei.c:3528 [inline]
path_openat+0x1681/0x42d0 fs/namei.c:3646
do_filp_open+0x1f7/0x430 fs/namei.c:3676
do_sys_open+0x36f/0x7a0 fs/open.c:1109
__do_sys_openat fs/open.c:1136 [inline]
__se_sys_openat fs/open.c:1130 [inline]
__x64_sys_openat+0xa2/0xb0 fs/open.c:1130
do_syscall_64+0xc0/0x100 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Freed by task 12728:
save_stack mm/kasan/common.c:69 [inline]
set_track mm/kasan/common.c:77 [inline]
kasan_set_free_info mm/kasan/common.c:332 [inline]
__kasan_slab_free+0x168/0x220 mm/kasan/common.c:471
kasan_slab_free+0xe/0x10 mm/kasan/common.c:480
slab_free_hook mm/slub.c:1424 [inline]
slab_free_freelist_hook mm/slub.c:1457 [inline]
slab_free mm/slub.c:3004 [inline]
kfree+0x170/0x6d0 mm/slub.c:3956
sk_prot_free net/core/sock.c:1642 [inline]
__sk_destruct+0x45f/0x4e0 net/core/sock.c:1726
sk_destruct net/core/sock.c:1741 [inline]
__sk_free+0x35d/0x430 net/core/sock.c:1752
sk_free+0x45/0x50 net/core/sock.c:1763
sock_put include/net/sock.h:1735 [inline]
__tun_detach+0x15d0/0x1a40 drivers/net/tun.c:728
tun_detach drivers/net/tun.c:740 [inline]
tun_chr_close+0xb8/0xd0 drivers/net/tun.c:3452
__fput+0x295/0x710 fs/file_table.c:280
____fput+0x15/0x20 fs/file_table.c:313
task_work_run+0x176/0x1a0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
exit_to_usermode_loop arch/x86/entry/common.c:163 [inline]
prepare_exit_to_usermode+0x2d8/0x370 arch/x86/entry/common.c:194
syscall_return_slowpath+0x6f/0x500 arch/x86/entry/common.c:274
do_syscall_64+0xe8/0x100 arch/x86/entry/common.c:300
entry_SYSCALL_64_after_hwframe+0x44/0xa9
The buggy address belongs to the object at ffff8881c92b8000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1264 bytes inside of
2048-byte region [ffff8881c92b8000, ffff8881c92b8800)
The buggy address belongs to the page:
page:ffffea000724ae00 refcount:1 mapcount:0 mapping:ffff8881da802800 index:0x0 compound_mapcount: 0
flags: 0x8000000000010200(slab|head)
raw: 8000000000010200 ffffea00072ff600 0000000200000002 ffff8881da802800
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8881c92b8380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881c92b8400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881c92b8480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881c92b8500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881c92b8580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following crash on:
HEAD commit: 017d67e9 ANDROID: CC_FLAGS_CFI add -fno-sanitize-blacklist
git tree: android-5.4
console output: https://syzkaller.appspot.com/x/log.txt?x=132a7145e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=3f89e7b19e996a7b
dashboard link: https://syzkaller.appspot.com/bug?extid=04649b68561aae62c5ff
compiler: Android (6032204 based on r370808) clang version 10.0.1 (https://android.googlesource.com/toolchain/llvm-project 6e765c10313d15c02ab29977a82938f66742c3a9)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+04649b...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in free_netdev+0x186/0x300 net/core/dev.c:9582
Read of size 8 at addr ffff8881c92b84f0 by task syz-executor.3/12731
CPU: 0 PID: 12731 Comm: syz-executor.3 Not tainted 5.4.24-syzkaller-00161-g017d67e9a8b3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1b0/0x228 lib/dump_stack.c:118
print_address_description+0x96/0x5d0 mm/kasan/report.c:374
__kasan_report+0x14b/0x1c0 mm/kasan/report.c:506
kasan_report+0x26/0x50 mm/kasan/common.c:634
__asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
free_netdev+0x186/0x300 net/core/dev.c:9582
netdev_run_todo+0xbc4/0xe00 net/core/dev.c:9333
rtnl_unlock net/core/rtnetlink.c:112 [inline]
rtnetlink_rcv_msg+0x963/0xc20 net/core/rtnetlink.c:5255
netlink_rcv_skb+0x1f0/0x460 net/netlink/af_netlink.c:2478
rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:5272
netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
netlink_unicast+0x87c/0xa20 net/netlink/af_netlink.c:1329
netlink_sendmsg+0x9a7/0xd40 net/netlink/af_netlink.c:1918
sock_sendmsg_nosec net/socket.c:638 [inline]
sock_sendmsg net/socket.c:658 [inline]
____sys_sendmsg+0x56f/0x860 net/socket.c:2298
___sys_sendmsg net/socket.c:2352 [inline]
__sys_sendmsg+0x26a/0x350 net/socket.c:2398
__do_sys_sendmsg net/socket.c:2407 [inline]
__se_sys_sendmsg net/socket.c:2405 [inline]
__x64_sys_sendmsg+0x7f/0x90 net/socket.c:2405
do_syscall_64+0xc0/0x100 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45c479
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ff27a152c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007ff27a1536d4 RCX: 000000000045c479
RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000005
RBP: 000000000076bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000007
R13: 00000000000009f9 R14: 00000000004cc71a R15: 0000000000000002
Allocated by task 12731:
save_stack mm/kasan/common.c:69 [inline]
set_track mm/kasan/common.c:77 [inline]
__kasan_kmalloc+0x117/0x1b0 mm/kasan/common.c:510
kasan_kmalloc+0x9/0x10 mm/kasan/common.c:524
__kmalloc+0x102/0x310 mm/slub.c:3802
kmalloc include/linux/slab.h:561 [inline]
sk_prot_alloc+0x11c/0x2f0 net/core/sock.c:1605
sk_alloc+0x35/0x300 net/core/sock.c:1659
tun_chr_open+0x7b/0x4a0 drivers/net/tun.c:3416
misc_open+0x3ea/0x440 drivers/char/misc.c:141
chrdev_open+0x60a/0x670 fs/char_dev.c:414
do_dentry_open+0x8f7/0x1070 fs/open.c:809
vfs_open+0x73/0x80 fs/open.c:926
do_last fs/namei.c:3528 [inline]
path_openat+0x1681/0x42d0 fs/namei.c:3646
do_filp_open+0x1f7/0x430 fs/namei.c:3676
do_sys_open+0x36f/0x7a0 fs/open.c:1109
__do_sys_openat fs/open.c:1136 [inline]
__se_sys_openat fs/open.c:1130 [inline]
__x64_sys_openat+0xa2/0xb0 fs/open.c:1130
do_syscall_64+0xc0/0x100 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Freed by task 12728:
save_stack mm/kasan/common.c:69 [inline]
set_track mm/kasan/common.c:77 [inline]
kasan_set_free_info mm/kasan/common.c:332 [inline]
__kasan_slab_free+0x168/0x220 mm/kasan/common.c:471
kasan_slab_free+0xe/0x10 mm/kasan/common.c:480
slab_free_hook mm/slub.c:1424 [inline]
slab_free_freelist_hook mm/slub.c:1457 [inline]
slab_free mm/slub.c:3004 [inline]
kfree+0x170/0x6d0 mm/slub.c:3956
sk_prot_free net/core/sock.c:1642 [inline]
__sk_destruct+0x45f/0x4e0 net/core/sock.c:1726
sk_destruct net/core/sock.c:1741 [inline]
__sk_free+0x35d/0x430 net/core/sock.c:1752
sk_free+0x45/0x50 net/core/sock.c:1763
sock_put include/net/sock.h:1735 [inline]
__tun_detach+0x15d0/0x1a40 drivers/net/tun.c:728
tun_detach drivers/net/tun.c:740 [inline]
tun_chr_close+0xb8/0xd0 drivers/net/tun.c:3452
__fput+0x295/0x710 fs/file_table.c:280
____fput+0x15/0x20 fs/file_table.c:313
task_work_run+0x176/0x1a0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
exit_to_usermode_loop arch/x86/entry/common.c:163 [inline]
prepare_exit_to_usermode+0x2d8/0x370 arch/x86/entry/common.c:194
syscall_return_slowpath+0x6f/0x500 arch/x86/entry/common.c:274
do_syscall_64+0xe8/0x100 arch/x86/entry/common.c:300
entry_SYSCALL_64_after_hwframe+0x44/0xa9
The buggy address belongs to the object at ffff8881c92b8000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1264 bytes inside of
2048-byte region [ffff8881c92b8000, ffff8881c92b8800)
The buggy address belongs to the page:
page:ffffea000724ae00 refcount:1 mapcount:0 mapping:ffff8881da802800 index:0x0 compound_mapcount: 0
flags: 0x8000000000010200(slab|head)
raw: 8000000000010200 ffffea00072ff600 0000000200000002 ffff8881da802800
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8881c92b8380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881c92b8400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881c92b8480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881c92b8500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881c92b8580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Mar 6, 2020, 3:38:13 PM3/6/20
to syzkaller-a...@googlegroups.com
syzbot has found a reproducer for the following crash on:
HEAD commit: 017d67e9 ANDROID: CC_FLAGS_CFI add -fno-sanitize-blacklist
git tree: android-5.4
console output: https://syzkaller.appspot.com/x/log.txt?x=17884f31e00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+04649b...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in free_netdev+0x186/0x300 net/core/dev.c:9582
Read of size 8 at addr ffff8881d4ec74f0 by task syz-executor.0/4543
CPU: 0 PID: 4543 Comm: syz-executor.0 Not tainted 5.4.24-syzkaller-00161-g017d67e9a8b3 #0
RSP: 002b:00007f9e32fcbc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f9e32fcc6d4 RCX: 000000000045c479
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000009f9 R14: 00000000004cc71a R15: 000000000076bfcc
Allocated by task 4532:
The buggy address belongs to the object at ffff8881d4ec7000
flags: 0x8000000000010200(slab|head)
raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881da802800
ffff8881d4ec7400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881d4ec7480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881d4ec7500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881d4ec7580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
HEAD commit: 017d67e9 ANDROID: CC_FLAGS_CFI add -fno-sanitize-blacklist
git tree: android-5.4
kernel config: https://syzkaller.appspot.com/x/.config?x=3f89e7b19e996a7b
dashboard link: https://syzkaller.appspot.com/bug?extid=04649b68561aae62c5ff
compiler: Android (6032204 based on r370808) clang version 10.0.1 (https://android.googlesource.com/toolchain/llvm-project 6e765c10313d15c02ab29977a82938f66742c3a9)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1384481de00000
dashboard link: https://syzkaller.appspot.com/bug?extid=04649b68561aae62c5ff
compiler: Android (6032204 based on r370808) clang version 10.0.1 (https://android.googlesource.com/toolchain/llvm-project 6e765c10313d15c02ab29977a82938f66742c3a9)
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+04649b...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in free_netdev+0x186/0x300 net/core/dev.c:9582
CPU: 0 PID: 4543 Comm: syz-executor.0 Not tainted 5.4.24-syzkaller-00161-g017d67e9a8b3 #0
RAX: ffffffffffffffda RBX: 00007f9e32fcc6d4 RCX: 000000000045c479
RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000005
RBP: 000000000076bfc0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000009f9 R14: 00000000004cc71a R15: 000000000076bfcc
Allocated by task 4532:
save_stack mm/kasan/common.c:69 [inline]
set_track mm/kasan/common.c:77 [inline]
__kasan_kmalloc+0x117/0x1b0 mm/kasan/common.c:510
kasan_kmalloc+0x9/0x10 mm/kasan/common.c:524
__kmalloc+0x102/0x310 mm/slub.c:3802
kmalloc include/linux/slab.h:561 [inline]
sk_prot_alloc+0x11c/0x2f0 net/core/sock.c:1605
sk_alloc+0x35/0x300 net/core/sock.c:1659
tun_chr_open+0x7b/0x4a0 drivers/net/tun.c:3416
misc_open+0x3ea/0x440 drivers/char/misc.c:141
chrdev_open+0x60a/0x670 fs/char_dev.c:414
do_dentry_open+0x8f7/0x1070 fs/open.c:809
vfs_open+0x73/0x80 fs/open.c:926
do_last fs/namei.c:3528 [inline]
path_openat+0x1681/0x42d0 fs/namei.c:3646
do_filp_open+0x1f7/0x430 fs/namei.c:3676
do_sys_open+0x36f/0x7a0 fs/open.c:1109
__do_sys_openat fs/open.c:1136 [inline]
__se_sys_openat fs/open.c:1130 [inline]
__x64_sys_openat+0xa2/0xb0 fs/open.c:1130
do_syscall_64+0xc0/0x100 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Freed by task 4531:
set_track mm/kasan/common.c:77 [inline]
__kasan_kmalloc+0x117/0x1b0 mm/kasan/common.c:510
kasan_kmalloc+0x9/0x10 mm/kasan/common.c:524
__kmalloc+0x102/0x310 mm/slub.c:3802
kmalloc include/linux/slab.h:561 [inline]
sk_prot_alloc+0x11c/0x2f0 net/core/sock.c:1605
sk_alloc+0x35/0x300 net/core/sock.c:1659
tun_chr_open+0x7b/0x4a0 drivers/net/tun.c:3416
misc_open+0x3ea/0x440 drivers/char/misc.c:141
chrdev_open+0x60a/0x670 fs/char_dev.c:414
do_dentry_open+0x8f7/0x1070 fs/open.c:809
vfs_open+0x73/0x80 fs/open.c:926
do_last fs/namei.c:3528 [inline]
path_openat+0x1681/0x42d0 fs/namei.c:3646
do_filp_open+0x1f7/0x430 fs/namei.c:3676
do_sys_open+0x36f/0x7a0 fs/open.c:1109
__do_sys_openat fs/open.c:1136 [inline]
__se_sys_openat fs/open.c:1130 [inline]
__x64_sys_openat+0xa2/0xb0 fs/open.c:1130
do_syscall_64+0xc0/0x100 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x44/0xa9
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1264 bytes inside of
2048-byte region [ffff8881d4ec7000, ffff8881d4ec7800)
The buggy address is located 1264 bytes inside of
The buggy address belongs to the page:
page:ffffea000753b000 refcount:1 mapcount:0 mapping:ffff8881da802800 index:0x0 compound_mapcount: 0
flags: 0x8000000000010200(slab|head)
raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881da802800
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8881d4ec7380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8881d4ec7400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881d4ec7480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881d4ec7500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881d4ec7580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
syzbot
Mar 7, 2020, 7:30:14 AM3/7/20
to syzkaller-a...@googlegroups.com
syzbot has found a reproducer for the following crash on:
HEAD commit: 3334f0da FROMGIT: driver core: Reevaluate dev->links.need_..
git tree: android-5.4
console output: https://syzkaller.appspot.com/x/log.txt?x=17c6b731e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=2425845ca84241a0
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=101a5181e00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+04649b...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in free_netdev+0x186/0x300 net/core/dev.c:9582
Read of size 8 at addr ffff8881cdaf54f0 by task syz-executor878/2020
CPU: 1 PID: 2020 Comm: syz-executor878 Not tainted 5.4.24-syzkaller-00181-g3334f0da669e #0
RIP: 0033:0x4483b9
Code: e8 ac e7 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 4b 06 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f11fb1cbd98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000006e3a28 RCX: 00000000004483b9
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006e3a2c
R13: 0000003065736f72 R14: 0000000000000000 R15: 0000000000000000
Allocated by task 2020:
The buggy address belongs to the object at ffff8881cdaf5000
flags: 0x8000000000010200(slab|head)
raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881da802800
ffff8881cdaf5400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881cdaf5480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881cdaf5500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881cdaf5580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
HEAD commit: 3334f0da FROMGIT: driver core: Reevaluate dev->links.need_..
git tree: android-5.4
console output: https://syzkaller.appspot.com/x/log.txt?x=17c6b731e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=2425845ca84241a0
dashboard link: https://syzkaller.appspot.com/bug?extid=04649b68561aae62c5ff
compiler: Android (6032204 based on r370808) clang version 10.0.1 (https://android.googlesource.com/toolchain/llvm-project 6e765c10313d15c02ab29977a82938f66742c3a9)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17aeee2de00000
compiler: Android (6032204 based on r370808) clang version 10.0.1 (https://android.googlesource.com/toolchain/llvm-project 6e765c10313d15c02ab29977a82938f66742c3a9)
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=101a5181e00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+04649b...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in free_netdev+0x186/0x300 net/core/dev.c:9582
CPU: 1 PID: 2020 Comm: syz-executor878 Not tainted 5.4.24-syzkaller-00181-g3334f0da669e #0
Code: e8 ac e7 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 4b 06 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f11fb1cbd98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000006e3a28 RCX: 00000000004483b9
RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000005
RBP: 00000000006e3a20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006e3a2c
R13: 0000003065736f72 R14: 0000000000000000 R15: 0000000000000000
Allocated by task 2020:
save_stack mm/kasan/common.c:69 [inline]
set_track mm/kasan/common.c:77 [inline]
__kasan_kmalloc+0x117/0x1b0 mm/kasan/common.c:510
kasan_kmalloc+0x9/0x10 mm/kasan/common.c:524
__kmalloc+0x102/0x310 mm/slub.c:3802
kmalloc include/linux/slab.h:561 [inline]
sk_prot_alloc+0x11c/0x2f0 net/core/sock.c:1605
sk_alloc+0x35/0x300 net/core/sock.c:1659
tun_chr_open+0x7b/0x4a0 drivers/net/tun.c:3416
misc_open+0x3ea/0x440 drivers/char/misc.c:141
chrdev_open+0x60a/0x670 fs/char_dev.c:414
do_dentry_open+0x8f7/0x1070 fs/open.c:809
vfs_open+0x73/0x80 fs/open.c:926
do_last fs/namei.c:3528 [inline]
path_openat+0x1681/0x42d0 fs/namei.c:3646
do_filp_open+0x1f7/0x430 fs/namei.c:3676
do_sys_open+0x36f/0x7a0 fs/open.c:1109
__do_sys_openat fs/open.c:1136 [inline]
__se_sys_openat fs/open.c:1130 [inline]
__x64_sys_openat+0xa2/0xb0 fs/open.c:1130
do_syscall_64+0xc0/0x100 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Freed by task 2019:
set_track mm/kasan/common.c:77 [inline]
__kasan_kmalloc+0x117/0x1b0 mm/kasan/common.c:510
kasan_kmalloc+0x9/0x10 mm/kasan/common.c:524
__kmalloc+0x102/0x310 mm/slub.c:3802
kmalloc include/linux/slab.h:561 [inline]
sk_prot_alloc+0x11c/0x2f0 net/core/sock.c:1605
sk_alloc+0x35/0x300 net/core/sock.c:1659
tun_chr_open+0x7b/0x4a0 drivers/net/tun.c:3416
misc_open+0x3ea/0x440 drivers/char/misc.c:141
chrdev_open+0x60a/0x670 fs/char_dev.c:414
do_dentry_open+0x8f7/0x1070 fs/open.c:809
vfs_open+0x73/0x80 fs/open.c:926
do_last fs/namei.c:3528 [inline]
path_openat+0x1681/0x42d0 fs/namei.c:3646
do_filp_open+0x1f7/0x430 fs/namei.c:3676
do_sys_open+0x36f/0x7a0 fs/open.c:1109
__do_sys_openat fs/open.c:1136 [inline]
__se_sys_openat fs/open.c:1130 [inline]
__x64_sys_openat+0xa2/0xb0 fs/open.c:1130
do_syscall_64+0xc0/0x100 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x44/0xa9
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1264 bytes inside of
2048-byte region [ffff8881cdaf5000, ffff8881cdaf5800)
The buggy address is located 1264 bytes inside of
The buggy address belongs to the page:
page:ffffea000736bc00 refcount:1 mapcount:0 mapping:ffff8881da802800 index:0x0 compound_mapcount: 0
flags: 0x8000000000010200(slab|head)
raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881da802800
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8881cdaf5380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8881cdaf5400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881cdaf5480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881cdaf5500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881cdaf5580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
syzbot
Apr 23, 2023, 10:54:29 PM4/23/23
to syzkaller-a...@googlegroups.com
Auto-closing this bug as obsolete.
No recent activity, existing reproducers are no longer triggering the issue.
No recent activity, existing reproducers are no longer triggering the issue.
Reply all
Reply to author
Forward
0 new messages