Hello,
syzbot found the following crash on:
HEAD commit: 8fe42840 Merge 4.9.141 into android-4.9
git tree: android-4.9
console output:
https://syzkaller.appspot.com/x/log.txt?x=1596b79f600000
kernel config:
https://syzkaller.appspot.com/x/.config?x=22a5ba9f73b6da1d
dashboard link:
https://syzkaller.appspot.com/bug?extid=3c8c89608d9c4c766724
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
userspace arch: i386
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by:
syzbot+3c8c89...@syzkaller.appspotmail.com
audit: type=1400 audit(1570997862.945:119): avc: denied { execute } for
pid=10083 comm="syz-executor.1" path="pipe:[35456]" dev="pipefs" ino=35456
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=fifo_file
permissive=1
==================================================================
BUG: KASAN: use-after-free in __ip6_append_data.isra.3+0x3397/0x3460
net/ipv6/ip6_output.c:1375
Read of size 8 at addr ffff8801c90040f0 by task syz-executor.3/10085
CPU: 0 PID: 10085 Comm: syz-executor.3 Not tainted 4.9.141+ #23
ffff8801a9f3f288 ffffffff81b42e79 ffffea0007240100 ffff8801c90040f0
0000000000000000 ffff8801c90040f0 0000000000000008 ffff8801a9f3f2c0
ffffffff815009b8 ffff8801c90040f0 0000000000000008 0000000000000000
Call Trace:
[<ffffffff81b42e79>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81b42e79>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
[<ffffffff815009b8>] print_address_description+0x6c/0x234
mm/kasan/report.c:256
[<ffffffff81500dc2>] kasan_report_error mm/kasan/report.c:355 [inline]
[<ffffffff81500dc2>] kasan_report.cold.6+0x242/0x2fe mm/kasan/report.c:412
[<ffffffff814f3074>] __asan_report_load8_noabort+0x14/0x20
mm/kasan/report.c:433
[<ffffffff82699877>] __ip6_append_data.isra.3+0x3397/0x3460
net/ipv6/ip6_output.c:1375
[<ffffffff826a4ea1>] ip6_make_skb+0x291/0x480 net/ipv6/ip6_output.c:1831
[<ffffffff82709379>] udpv6_sendmsg+0x1e89/0x2430 net/ipv6/udp.c:1240
[<ffffffff825952f3>] inet_sendmsg+0x203/0x4d0 net/ipv4/af_inet.c:770
[<ffffffff822a063b>] sock_sendmsg_nosec net/socket.c:648 [inline]
[<ffffffff822a063b>] sock_sendmsg+0xbb/0x110 net/socket.c:658
[<ffffffff822a209a>] ___sys_sendmsg+0x47a/0x840 net/socket.c:1982
[<ffffffff822a567c>] __sys_sendmmsg+0x23c/0x3d0 net/socket.c:2065
[<ffffffff82390192>] C_SYSC_sendmmsg net/compat.c:742 [inline]
[<ffffffff82390192>] compat_SyS_sendmmsg+0x32/0x40 net/compat.c:739
[<ffffffff81006311>] do_syscall_32_irqs_on arch/x86/entry/common.c:328
[inline]
[<ffffffff81006311>] do_fast_syscall_32+0x2f1/0xa10
arch/x86/entry/common.c:390
[<ffffffff82818de0>] entry_SYSENTER_compat+0x90/0xa2
arch/x86/entry/entry_64_compat.S:137
The buggy address belongs to the page:
page:ffffea0007240100 count:0 mapcount:-127 mapping: (null)
index:0x0
flags: 0x4000000000000000()
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8801c9003f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8801c9004000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> ffff8801c9004080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff8801c9004100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8801c9004180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
---
This bug is generated by a bot. It may contain errors.
See
https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at
syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.