Hello,
syzbot found the following crash on:
HEAD commit: 8fe42840 Merge 4.9.141 into android-4.9
git tree: android-4.9
console output:
https://syzkaller.appspot.com/x/log.txt?x=14f9de77600000
kernel config:
https://syzkaller.appspot.com/x/.config?x=22a5ba9f73b6da1d
dashboard link:
https://syzkaller.appspot.com/bug?extid=b37bf8c6f9f9a98f8a4f
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by:
syzbot+b37bf8...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in ifname_compare_aligned
include/linux/netfilter/x_tables.h:369 [inline]
BUG: KASAN: use-after-free in ip6_packet_match
net/ipv6/netfilter/ip6_tables.c:89 [inline]
BUG: KASAN: use-after-free in ip6t_do_table+0x14e2/0x17e0
net/ipv6/netfilter/ip6_tables.c:333
Read of size 8 at addr ffff88018dee4000 by task syz-executor.0/21852
CPU: 0 PID: 21852 Comm: syz-executor.0 Not tainted 4.9.141+ #1
ffff88018f75f080 ffffffff81b42e79 ffffea000637b900 ffff88018dee4000
0000000000000000 ffff88018dee4000 dffffc0000000000 ffff88018f75f0b8
ffffffff815009b8 ffff88018dee4000 0000000000000008 0000000000000000
Call Trace:
[<ffffffff81b42e79>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81b42e79>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
[<ffffffff815009b8>] print_address_description+0x6c/0x234
mm/kasan/report.c:256
[<ffffffff81500dc2>] kasan_report_error mm/kasan/report.c:355 [inline]
[<ffffffff81500dc2>] kasan_report.cold.6+0x242/0x2fe mm/kasan/report.c:412
[<ffffffff814f3074>] __asan_report_load8_noabort+0x14/0x20
mm/kasan/report.c:433
[<ffffffff8277f202>] ifname_compare_aligned
include/linux/netfilter/x_tables.h:369 [inline]
[<ffffffff8277f202>] ip6_packet_match net/ipv6/netfilter/ip6_tables.c:89
[inline]
[<ffffffff8277f202>] ip6t_do_table+0x14e2/0x17e0
net/ipv6/netfilter/ip6_tables.c:333
[<ffffffff82787695>] ip6table_filter_hook+0x65/0x80
net/ipv6/netfilter/ip6table_filter.c:41
[<ffffffff823ddae6>] nf_iterate+0x126/0x310 net/netfilter/core.c:324
[<ffffffff823ddde4>] nf_hook_slow+0x114/0x1e0 net/netfilter/core.c:355
[<ffffffff827bcbe4>] nf_hook_thresh include/linux/netfilter.h:191 [inline]
[<ffffffff827bcbe4>] nf_hook include/linux/netfilter.h:203 [inline]
[<ffffffff827bcbe4>] __ip6_local_out+0x484/0x620 net/ipv6/output_core.c:164
[<ffffffff827bcda9>] ip6_local_out+0x29/0x180 net/ipv6/output_core.c:174
[<ffffffff826a4891>] ip6_send_skb+0xa1/0x340 net/ipv6/ip6_output.c:1751
[<ffffffff82706689>] udp_v6_send_skb+0x429/0xe70 net/ipv6/udp.c:974
[<ffffffff827072fd>] udp_v6_push_pending_frames+0x22d/0x340
net/ipv6/udp.c:1007
[<ffffffff827092b1>] udpv6_sendmsg+0x1dc1/0x2430 net/ipv6/udp.c:1273
[<ffffffff825952f3>] inet_sendmsg+0x203/0x4d0 net/ipv4/af_inet.c:770
[<ffffffff822a063b>] sock_sendmsg_nosec net/socket.c:648 [inline]
[<ffffffff822a063b>] sock_sendmsg+0xbb/0x110 net/socket.c:658
[<ffffffff822a209a>] ___sys_sendmsg+0x47a/0x840 net/socket.c:1982
[<ffffffff822a55a1>] __sys_sendmmsg+0x161/0x3d0 net/socket.c:2072
[<ffffffff822a5845>] SYSC_sendmmsg net/socket.c:2103 [inline]
[<ffffffff822a5845>] SyS_sendmmsg+0x35/0x60 net/socket.c:2098
[<ffffffff810056ef>] do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285
[<ffffffff82817893>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
The buggy address belongs to the page:
page:ffffea000637b900 count:0 mapcount:-127 mapping: (null)
index:0x0
flags: 0x4000000000000000()
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88018dee3f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88018dee3f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ffff88018dee4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88018dee4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88018dee4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
---
This bug is generated by a bot. It may contain errors.
See
https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at
syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.