WARNING: stack going in the wrong direction? ip=page_fault


syzbot

Apr 10, 2019, 12:14:11 PM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 23bc5181 ANDROID: cuttlefish_defconfig: Enable CONFIG_CRYP..
git tree: android-4.14
console output: https://syzkaller.appspot.com/x/log.txt?x=15b66215400000
kernel config: https://syzkaller.appspot.com/x/.config?x=5a6074c89b6ea274
dashboard link: https://syzkaller.appspot.com/bug?extid=db491e41911848f5508d
compiler: gcc (GCC) 8.0.1 20180413 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+db491e...@syzkaller.appspotmail.com

WARNING: stack going in the wrong direction? ip=page_fault+0x42/0x50
audit: type=1400 audit(1544190462.666:545): avc: denied { search } for
pid=31861 comm="syz-executor4" name="/" dev="sysfs" ino=1
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=system_u:object_r:netcontrol_device_t:s0 tclass=dir permissive=1
audit: type=1400 audit(1544190462.666:546): avc: denied { map } for
pid=31861 comm="syz-executor4" path="/sys/kernel/debug/kcov" dev="debugfs"
ino=4999 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
==================================================================
BUG: KASAN: use-after-free in xfrm6_tunnel_free_spi
net/ipv6/xfrm6_tunnel.c:205 [inline]
BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x5a4/0x650
net/ipv6/xfrm6_tunnel.c:300
Read of size 8 at addr ffff8881d2a628f8 by task kworker/0:5/1134

CPU: 0 PID: 1134 Comm: kworker/0:5 Not tainted 4.14.86+ #17
Workqueue: events xfrm_state_gc_task
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0xb9/0x11b lib/dump_stack.c:53
print_address_description+0x60/0x22b mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report.cold.6+0x11b/0x2dd mm/kasan/report.c:409
xfrm6_tunnel_free_spi net/ipv6/xfrm6_tunnel.c:205 [inline]
xfrm6_tunnel_destroy+0x5a4/0x650 net/ipv6/xfrm6_tunnel.c:300
xfrm_state_gc_destroy net/xfrm/xfrm_state.c:449 [inline]
xfrm_state_gc_task+0x3d6/0x550 net/xfrm/xfrm_state.c:470
process_one_work+0x86e/0x1670 kernel/workqueue.c:2114
worker_thread+0xdc/0x1000 kernel/workqueue.c:2248
kthread+0x348/0x420 kernel/kthread.c:232
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:402

Allocated by task 1847:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc.part.1+0x4f/0xd0 mm/kasan/kasan.c:551
__kmalloc+0x153/0x340 mm/slub.c:3760
kmalloc include/linux/slab.h:493 [inline]
kzalloc include/linux/slab.h:661 [inline]
ops_init+0xec/0x3e0 net/core/net_namespace.c:108
setup_net+0x22b/0x510 net/core/net_namespace.c:294
copy_net_ns+0x193/0x430 net/core/net_namespace.c:418
create_new_namespaces+0x4f0/0x750 kernel/nsproxy.c:107
unshare_nsproxy_namespaces+0x9f/0x1d0 kernel/nsproxy.c:206
SYSC_unshare kernel/fork.c:2377 [inline]
SyS_unshare+0x314/0x6b0 kernel/fork.c:2327
do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7

Freed by task 18081:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0xac/0x190 mm/kasan/kasan.c:524
slab_free_hook mm/slub.c:1389 [inline]
slab_free_freelist_hook mm/slub.c:1410 [inline]
slab_free mm/slub.c:2966 [inline]
kfree+0xf5/0x310 mm/slub.c:3897
ops_free net/core/net_namespace.c:132 [inline]
ops_free_list.part.4+0x22a/0x350 net/core/net_namespace.c:154
ops_free_list net/core/net_namespace.c:152 [inline]
cleanup_net+0x481/0x880 net/core/net_namespace.c:487
process_one_work+0x86e/0x1670 kernel/workqueue.c:2114
worker_thread+0xdc/0x1000 kernel/workqueue.c:2248
kthread+0x348/0x420 kernel/kthread.c:232
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:402

The buggy address belongs to the object at ffff8881d2a62100
which belongs to the cache kmalloc-8192 of size 8192
The buggy address is located 2040 bytes inside of
8192-byte region [ffff8881d2a62100, ffff8881d2a64100)
The buggy address belongs to the page:
page:ffffea00074a9800 count:1 mapcount:0 mapping: (null) index:0x0
compound_mapcount: 0
flags: 0x4000000000008100(slab|head)
raw: 4000000000008100 0000000000000000 0000000000000000 0000000100030003
raw: 0000000000000000 0000000100000001 ffff8881da802400 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8881d2a62780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881d2a62800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff8881d2a62880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881d2a62900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881d2a62980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Jun 5, 2019, 9:48:04 AM
to syzkaller-a...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.