KASAN: slab-out-of-bounds Read in ip6_tnl_xmit2


syzbot

Apr 11, 2019, 4:44:27 AM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 23eaecc3 UPSTREAM: tracing: always define trace_{irq,preem..
git tree: android-4.4
console output: https://syzkaller.appspot.com/x/log.txt?x=144ff95b800000
kernel config: https://syzkaller.appspot.com/x/.config?x=3cb56364f4ef7a8f
dashboard link: https://syzkaller.appspot.com/bug?extid=01400f5fc51cf4747bec
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1152f5c7800000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=115b3407800000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+01400f...@syzkaller.appspotmail.com

IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
==================================================================
BUG: KASAN: slab-out-of-bounds in ip6_tnl_xmit2+0x2043/0x20d0
net/ipv6/ip6_tunnel.c:987
Read of size 16 at addr ffff8801d8c9e6b0 by task syz-executor247/3706

CPU: 0 PID: 3706 Comm: syz-executor247 Not tainted 4.4.129-g23eaecc #27
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
0000000000000000 5725feeea7834f35 ffff8801ce697000 ffffffff81e0dc8d
ffffea0007632700 ffff8801d8c9e6b0 0000000000000000 ffff8801d8c9e6b8
ffff8801cdebc400 ffff8801ce697038 ffffffff8151535c ffff8801d8c9e6b0
Call Trace:
[<ffffffff81e0dc8d>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81e0dc8d>] dump_stack+0xc1/0x124 lib/dump_stack.c:51
[<ffffffff8151535c>] print_address_description+0x6c/0x216
mm/kasan/report.c:252
[<ffffffff8151567b>] kasan_report_error mm/kasan/report.c:351 [inline]
[<ffffffff8151567b>] kasan_report.cold.7+0x175/0x2f7 mm/kasan/report.c:408
[<ffffffff814f924f>] __asan_report_load_n_noabort+0xf/0x20
mm/kasan/report.c:439
[<ffffffff83543fb3>] ip6_tnl_xmit2+0x2043/0x20d0 net/ipv6/ip6_tunnel.c:987
[<ffffffff83544950>] ip4ip6_tnl_xmit net/ipv6/ip6_tunnel.c:1129 [inline]
[<ffffffff83544950>] ip6_tnl_xmit+0x910/0xc60 net/ipv6/ip6_tunnel.c:1203
[<ffffffff82f87831>] __netdev_start_xmit include/linux/netdevice.h:3743
[inline]
[<ffffffff82f87831>] netdev_start_xmit include/linux/netdevice.h:3752
[inline]
[<ffffffff82f87831>] xmit_one net/core/dev.c:2759 [inline]
[<ffffffff82f87831>] dev_hard_start_xmit+0x7b1/0x11c0 net/core/dev.c:2775
[<ffffffff82f89bc0>] __dev_queue_xmit+0x16c0/0x1c80 net/core/dev.c:3207
[<ffffffff82f8a197>] dev_queue_xmit+0x17/0x20 net/core/dev.c:3241
[<ffffffff82f9b995>] neigh_direct_output+0x15/0x20
net/core/neighbour.c:1358
[<ffffffff83213b5b>] dst_neigh_output include/net/dst.h:461 [inline]
[<ffffffff83213b5b>] ip_finish_output2+0x6ab/0x1110
net/ipv4/ip_output.c:213
[<ffffffff83215f4b>] ip_do_fragment+0x198b/0x2150 net/ipv4/ip_output.c:633
[<ffffffff83216853>] ip_fragment.constprop.50+0x143/0x200
net/ipv4/ip_output.c:503
[<ffffffff83216fd4>] ip_finish_output+0x6c4/0xbc0 net/ipv4/ip_output.c:286
[<ffffffff8321a103>] NF_HOOK_COND include/linux/netfilter.h:240 [inline]
[<ffffffff8321a103>] ip_mc_output+0x233/0x980 net/ipv4/ip_output.c:347
[<ffffffff832179ab>] dst_output include/net/dst.h:498 [inline]
[<ffffffff832179ab>] ip_local_out+0x9b/0x180 net/ipv4/ip_output.c:119
[<ffffffff8321d64c>] ip_send_skb+0x3c/0xc0 net/ipv4/ip_output.c:1450
[<ffffffff832c5a13>] udp_send_skb+0x5c3/0xc60 net/ipv4/udp.c:842
[<ffffffff832ce5ce>] udp_sendmsg+0x16ce/0x1bb0 net/ipv4/udp.c:1070
[<ffffffff832fe123>] inet_sendmsg+0x203/0x4d0 net/ipv4/af_inet.c:755
[<ffffffff82f1c41c>] sock_sendmsg_nosec net/socket.c:625 [inline]
[<ffffffff82f1c41c>] sock_sendmsg+0xcc/0x110 net/socket.c:635
[<ffffffff82f1d0fc>] SYSC_sendto+0x21c/0x370 net/socket.c:1665
[<ffffffff82f1f780>] SyS_sendto+0x40/0x50 net/socket.c:1633
[<ffffffff838bf0e5>] entry_SYSCALL_64_fastpath+0x22/0x9e

Allocated by task 3706:
[<ffffffff810341d6>] save_stack_trace+0x26/0x50
arch/x86/kernel/stacktrace.c:63
[<ffffffff814f8223>] save_stack+0x43/0xd0 mm/kasan/kasan.c:512
[<ffffffff814f8507>] set_track mm/kasan/kasan.c:524 [inline]
[<ffffffff814f8507>] kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:616
[<ffffffff814f4c24>] __kmalloc+0x124/0x310 mm/slub.c:3613
[<ffffffff82fac6b6>] kmalloc include/linux/slab.h:481 [inline]
[<ffffffff82fac6b6>] kzalloc include/linux/slab.h:620 [inline]
[<ffffffff82fac6b6>] neigh_alloc net/core/neighbour.c:285 [inline]
[<ffffffff82fac6b6>] __neigh_create+0x1d6/0x1b20 net/core/neighbour.c:457
[<ffffffff831ecc3d>] neigh_create include/net/neighbour.h:313 [inline]
[<ffffffff831ecc3d>] ipv4_neigh_lookup+0x4dd/0x700 net/ipv4/route.c:464
[<ffffffff83542583>] dst_neigh_lookup include/net/dst.h:466 [inline]
[<ffffffff83542583>] ip6_tnl_xmit2+0x613/0x20d0 net/ipv6/ip6_tunnel.c:982
[<ffffffff83544950>] ip4ip6_tnl_xmit net/ipv6/ip6_tunnel.c:1129 [inline]
[<ffffffff83544950>] ip6_tnl_xmit+0x910/0xc60 net/ipv6/ip6_tunnel.c:1203
[<ffffffff82f87831>] __netdev_start_xmit include/linux/netdevice.h:3743
[inline]
[<ffffffff82f87831>] netdev_start_xmit include/linux/netdevice.h:3752
[inline]
[<ffffffff82f87831>] xmit_one net/core/dev.c:2759 [inline]
[<ffffffff82f87831>] dev_hard_start_xmit+0x7b1/0x11c0 net/core/dev.c:2775
[<ffffffff82f89bc0>] __dev_queue_xmit+0x16c0/0x1c80 net/core/dev.c:3207
[<ffffffff82f8a197>] dev_queue_xmit+0x17/0x20 net/core/dev.c:3241
[<ffffffff82f9b995>] neigh_direct_output+0x15/0x20
net/core/neighbour.c:1358
[<ffffffff83213b5b>] dst_neigh_output include/net/dst.h:461 [inline]
[<ffffffff83213b5b>] ip_finish_output2+0x6ab/0x1110
net/ipv4/ip_output.c:213
[<ffffffff83215f4b>] ip_do_fragment+0x198b/0x2150 net/ipv4/ip_output.c:633
[<ffffffff83216853>] ip_fragment.constprop.50+0x143/0x200
net/ipv4/ip_output.c:503
[<ffffffff83216fd4>] ip_finish_output+0x6c4/0xbc0 net/ipv4/ip_output.c:286
[<ffffffff8321a103>] NF_HOOK_COND include/linux/netfilter.h:240 [inline]
[<ffffffff8321a103>] ip_mc_output+0x233/0x980 net/ipv4/ip_output.c:347
[<ffffffff832179ab>] dst_output include/net/dst.h:498 [inline]
[<ffffffff832179ab>] ip_local_out+0x9b/0x180 net/ipv4/ip_output.c:119
[<ffffffff8321d64c>] ip_send_skb+0x3c/0xc0 net/ipv4/ip_output.c:1450
[<ffffffff832c5a13>] udp_send_skb+0x5c3/0xc60 net/ipv4/udp.c:842
[<ffffffff832ce5ce>] udp_sendmsg+0x16ce/0x1bb0 net/ipv4/udp.c:1070
[<ffffffff832fe123>] inet_sendmsg+0x203/0x4d0 net/ipv4/af_inet.c:755
[<ffffffff82f1c41c>] sock_sendmsg_nosec net/socket.c:625 [inline]
[<ffffffff82f1c41c>] sock_sendmsg+0xcc/0x110 net/socket.c:635
[<ffffffff82f1d0fc>] SYSC_sendto+0x21c/0x370 net/socket.c:1665
[<ffffffff82f1f780>] SyS_sendto+0x40/0x50 net/socket.c:1633
[<ffffffff838bf0e5>] entry_SYSCALL_64_fastpath+0x22/0x9e

Freed by task 2371:
[<ffffffff810341d6>] save_stack_trace+0x26/0x50
arch/x86/kernel/stacktrace.c:63
[<ffffffff814f8223>] save_stack+0x43/0xd0 mm/kasan/kasan.c:512
[<ffffffff814f8b52>] set_track mm/kasan/kasan.c:524 [inline]
[<ffffffff814f8b52>] kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:589
[<ffffffff814f6054>] slab_free_hook mm/slub.c:1383 [inline]
[<ffffffff814f6054>] slab_free_freelist_hook mm/slub.c:1405 [inline]
[<ffffffff814f6054>] slab_free mm/slub.c:2859 [inline]
[<ffffffff814f6054>] kfree+0xf4/0x310 mm/slub.c:3749
[<ffffffff81537c60>] free_pipe_info+0x210/0x2c0 fs/pipe.c:654
[<ffffffff81537dc8>] put_pipe_info+0xb8/0xe0 fs/pipe.c:548
[<ffffffff81537f9f>] pipe_release+0x1af/0x250 fs/pipe.c:569
[<ffffffff81522745>] __fput+0x235/0x6f0 fs/file_table.c:208
[<ffffffff81522c85>] ____fput+0x15/0x20 fs/file_table.c:244
[<ffffffff8118bb8f>] task_work_run+0x10f/0x190 kernel/task_work.c:115
[<ffffffff8100362d>] tracehook_notify_resume include/linux/tracehook.h:191
[inline]
[<ffffffff8100362d>] exit_to_usermode_loop+0x13d/0x160
arch/x86/entry/common.c:252
[<ffffffff81006535>] prepare_exit_to_usermode arch/x86/entry/common.c:283
[inline]
[<ffffffff81006535>] syscall_return_slowpath+0x1b5/0x1f0
arch/x86/entry/common.c:348
[<ffffffff838bf275>] int_ret_from_sys_call+0x25/0xa3

The buggy address belongs to the object at ffff8801d8c9e400
which belongs to the cache kmalloc-1024 of size 1024
The buggy address is located 688 bytes inside of
1024-byte region [ffff8801d8c9e400, ffff8801d8c9e800)
The buggy address belongs to the page:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.4.129-g23eaecc #27
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
task: ffff8801d9a41800 task.stack: ffff8801d9a50000
RIP: 0010:[<ffffffff81e6f347>] [<ffffffff81e6f347>] lookup_object
lib/debugobjects.c:120 [inline]
RIP: 0010:[<ffffffff81e6f347>] [<ffffffff81e6f347>]
debug_object_activate+0x1b7/0x480 lib/debugobjects.c:405
RSP: 0018:ffff8801db307bb0 EFLAGS: 00010802
RAX: dffffc0000000000 RBX: 8000000000004080 RCX: ffffffff85a3b128
RDX: 1000000000000813 RSI: ffff8801d9a42108 RDI: 8000000000004098
RBP: ffff8801db307c68 R08: 0000000000000096 R09: 0000000000000001
R10: 0000000000000001 R11: ffff8801d9a41800 R12: 1ffff1003b660f78
R13: ffff8800bafc0f78 R14: 0000000000000004 R15: ffffffff8448fc40
FS: 0000000000000000(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fa50d0771b0 CR3: 00000001d1916000 CR4: 00000000001606f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
ffff8801d9a41800 ffffffff85a3b128 0000000041b58ab3 ffffffff84208c0f
ffffffff81e6f190 ffff8801d9a420d8 0000000000000000 0000000000000000
0000000000000005 ffff8800bafc0f78 ffffffff8448fc40 ffffffff85390520
Call Trace:
<IRQ>
[<ffffffff8117bec8>] debug_work_activate kernel/workqueue.c:499 [inline]
[<ffffffff8117bec8>] __queue_work+0x48/0xea0 kernel/workqueue.c:1354
[<ffffffff8117cd88>] delayed_work_timer_fn+0x68/0x90
kernel/workqueue.c:1472
[<ffffffff8129085c>] call_timer_fn+0x18c/0x870 kernel/time/timer.c:1185
[<ffffffff8129145d>] __run_timers kernel/time/timer.c:1257 [inline]
[<ffffffff8129145d>] run_timer_softirq+0x51d/0xb90 kernel/time/timer.c:1444
[<ffffffff838c25ac>] __do_softirq+0x22c/0xa1a kernel/softirq.c:273
[<ffffffff8113f75d>] invoke_softirq kernel/softirq.c:350 [inline]
[<ffffffff8113f75d>] irq_exit+0x10d/0x140 kernel/softirq.c:391
[<ffffffff838c1d11>] exiting_irq arch/x86/include/asm/apic.h:653 [inline]
[<ffffffff838c1d11>] smp_apic_timer_interrupt+0x81/0xa0
arch/x86/kernel/apic/apic.c:926
[<ffffffff838c0c50>] apic_timer_interrupt+0xa0/0xb0
arch/x86/entry/entry_64.S:741
<EOI>
[<ffffffff81025da5>] arch_safe_halt arch/x86/include/asm/paravirt.h:117
[inline]
[<ffffffff81025da5>] default_idle+0x55/0x3c0 arch/x86/kernel/process.c:290
[<ffffffff810272f0>] arch_cpu_idle+0x10/0x20 arch/x86/kernel/process.c:281
[<ffffffff8121b9e7>] default_idle_call+0x57/0x70 kernel/sched/idle.c:93
[<ffffffff8121c18f>] cpuidle_idle_call kernel/sched/idle.c:157 [inline]
[<ffffffff8121c18f>] cpu_idle_loop kernel/sched/idle.c:253 [inline]
[<ffffffff8121c18f>] cpu_startup_entry+0x6af/0x780 kernel/sched/idle.c:301
[<ffffffff810aa174>] start_secondary+0x324/0x400
arch/x86/kernel/smpboot.c:242
Code: 8c 02 00 00 48 8b 1b 41 be 01 00 00 00 48 85 db 74 46 48 b8 00 00 00
00 00 fc ff df 48 8d 7b 18 41 83 c6 01 48 89 fa 48 c1 ea 03 <80> 3c 02 00
0f 85 e6 01 00 00 4c 3b 6b 18 0f 84 9e 00 00 00 48
RIP [<ffffffff81e6f347>] lookup_object lib/debugobjects.c:120 [inline]
RIP [<ffffffff81e6f347>] debug_object_activate+0x1b7/0x480
lib/debugobjects.c:405
RSP <ffff8801db307bb0>
---[ end trace cdcd355bd3db684a ]---


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches

Alessio Balsini

Aug 19, 2020, 10:59:24 AM
to syzkaller-android-bugs
#syz test: https://github.com/balsini/linux.git 01400f5fc51cf4747bec

syzbot

Aug 19, 2020, 10:59:27 AM
to 'Alessio Balsini' via syzkaller-android-bugs, syzkaller-a...@googlegroups.com
> #syz test: https://github.com/balsini/linux.git 01400f5fc51cf4747bec

I see the command but can't find the corresponding bug.
Please resend the email to syzbo...@syzkaller.appspotmail.com address
that is the sender of the bug report (also present in the Reported-by tag).

Alessio Balsini

Aug 19, 2020, 11:07:35 AM
to syzbot, 'Alessio Balsini' via syzkaller-android-bugs