KASAN: use-after-free Read in sk_dst_check


syzbot

Apr 14, 2019, 4:51:37 AM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: b3e9e81e Merge 4.4.172 into android-4.4
git tree: android-4.4
console output: https://syzkaller.appspot.com/x/log.txt?x=12072497400000
kernel config: https://syzkaller.appspot.com/x/.config?x=9d33f51998ee531f
dashboard link: https://syzkaller.appspot.com/bug?extid=8196f47024b3274dd9be
compiler: gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+8196f4...@syzkaller.appspotmail.com

audit: type=1400 audit(1548943040.417:586): avc: denied { create } for
pid=26329 comm="syz-executor2"
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tclass=netlink_generic_socket permissive=0
==================================================================
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:218
[inline]
BUG: KASAN: use-after-free in atomic_read arch/x86/include/asm/atomic.h:26
[inline]
BUG: KASAN: use-after-free in __atomic_add_unless
arch/x86/include/asm/atomic.h:211 [inline]
BUG: KASAN: use-after-free in atomic_add_unless include/linux/atomic.h:437
[inline]
BUG: KASAN: use-after-free in sk_dst_get include/net/sock.h:1745 [inline]
BUG: KASAN: use-after-free in sk_dst_check+0x347/0x380 net/core/sock.c:546
Read of size 4 at addr ffff8800a3a90940 by task syz-executor0/26321

CPU: 1 PID: 26321 Comm: syz-executor0 Not tainted 4.4.172+ #13
0000000000000000 64269e74bef24720 ffff8801bf4bf718 ffffffff81aacde1
0000000000000000 ffffea00028ea400 ffff8800a3a90940 0000000000000004
0000000000000000 ffff8801bf4bf750 ffffffff8148fedd 0000000000000000
Call Trace:
[<ffffffff81aacde1>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81aacde1>] dump_stack+0xc1/0x120 lib/dump_stack.c:51
[<ffffffff8148fedd>] print_address_description+0x6f/0x21b
mm/kasan/report.c:252
[<ffffffff81490115>] kasan_report_error mm/kasan/report.c:351 [inline]
[<ffffffff81490115>] kasan_report mm/kasan/report.c:408 [inline]
[<ffffffff81490115>] kasan_report.cold+0x8c/0x2be mm/kasan/report.c:393
[<ffffffff81484ca4>] __asan_report_load4_noabort+0x14/0x20
mm/kasan/report.c:428
[<ffffffff821e1907>] __read_once_size include/linux/compiler.h:218 [inline]
[<ffffffff821e1907>] atomic_read arch/x86/include/asm/atomic.h:26 [inline]
[<ffffffff821e1907>] __atomic_add_unless arch/x86/include/asm/atomic.h:211
[inline]
[<ffffffff821e1907>] atomic_add_unless include/linux/atomic.h:437 [inline]
[<ffffffff821e1907>] sk_dst_get include/net/sock.h:1745 [inline]
[<ffffffff821e1907>] sk_dst_check+0x347/0x380 net/core/sock.c:546
[<ffffffff8247f6bf>] udp_sendmsg+0x114f/0x1c60 net/ipv4/udp.c:1019
[<ffffffff824a8e12>] inet_sendmsg+0x202/0x4d0 net/ipv4/af_inet.c:755
[<ffffffff821d7eae>] sock_sendmsg_nosec net/socket.c:638 [inline]
[<ffffffff821d7eae>] sock_sendmsg+0xbe/0x110 net/socket.c:648
[<ffffffff821d9989>] ___sys_sendmsg+0x369/0x890 net/socket.c:1975
[<ffffffff821dce00>] __sys_sendmmsg+0x130/0x2e0 net/socket.c:2060
[<ffffffff821dcfe5>] SYSC_sendmmsg net/socket.c:2090 [inline]
[<ffffffff821dcfe5>] SyS_sendmmsg+0x35/0x60 net/socket.c:2085
[<ffffffff82718621>] entry_SYSCALL_64_fastpath+0x1e/0x9a

Allocated by task 26321:
[<ffffffff8102e3c6>] save_stack_trace+0x26/0x50
arch/x86/kernel/stacktrace.c:63
[<ffffffff81483d12>] save_stack mm/kasan/kasan.c:512 [inline]
[<ffffffff81483d12>] set_track mm/kasan/kasan.c:524 [inline]
[<ffffffff81483d12>] kasan_kmalloc.part.0+0x62/0xf0 mm/kasan/kasan.c:616
[<ffffffff81483f87>] kasan_kmalloc+0xb7/0xd0 mm/kasan/kasan.c:601
[<ffffffff8148454f>] kasan_slab_alloc+0xf/0x20 mm/kasan/kasan.c:554
[<ffffffff8147fc8c>] slab_post_alloc_hook mm/slub.c:1349 [inline]
[<ffffffff8147fc8c>] slab_alloc_node mm/slub.c:2615 [inline]
[<ffffffff8147fc8c>] slab_alloc mm/slub.c:2623 [inline]
[<ffffffff8147fc8c>] kmem_cache_alloc+0xdc/0x2c0 mm/slub.c:2628
[<ffffffff82257da3>] dst_alloc+0xf3/0x1b0 net/core/dst.c:210
[<ffffffff823b0d30>] ipv4_blackhole_route+0x30/0x720 net/ipv4/route.c:2396
[<ffffffff82551a14>] make_blackhole net/xfrm/xfrm_policy.c:2161 [inline]
[<ffffffff82551a14>] xfrm_lookup_route net/xfrm/xfrm_policy.c:2331 [inline]
[<ffffffff82551a14>] xfrm_lookup_route+0xf4/0x140
net/xfrm/xfrm_policy.c:2322
[<ffffffff823a5493>] ip_route_output_flow+0x93/0xa0 net/ipv4/route.c:2437
[<ffffffff8247faa7>] udp_sendmsg+0x1537/0x1c60 net/ipv4/udp.c:1040
[<ffffffff824a8e12>] inet_sendmsg+0x202/0x4d0 net/ipv4/af_inet.c:755
[<ffffffff821d7eae>] sock_sendmsg_nosec net/socket.c:638 [inline]
[<ffffffff821d7eae>] sock_sendmsg+0xbe/0x110 net/socket.c:648
[<ffffffff821d9989>] ___sys_sendmsg+0x369/0x890 net/socket.c:1975
[<ffffffff821dce00>] __sys_sendmmsg+0x130/0x2e0 net/socket.c:2060
[<ffffffff821dcfe5>] SYSC_sendmmsg net/socket.c:2090 [inline]
[<ffffffff821dcfe5>] SyS_sendmmsg+0x35/0x60 net/socket.c:2085
[<ffffffff82718621>] entry_SYSCALL_64_fastpath+0x1e/0x9a

Freed by task 14698:
[<ffffffff8102e3c6>] save_stack_trace+0x26/0x50
arch/x86/kernel/stacktrace.c:63
[<ffffffff81484610>] save_stack mm/kasan/kasan.c:512 [inline]
[<ffffffff81484610>] set_track mm/kasan/kasan.c:524 [inline]
[<ffffffff81484610>] kasan_slab_free+0xb0/0x190 mm/kasan/kasan.c:589
[<ffffffff8148136e>] slab_free_hook mm/slub.c:1383 [inline]
[<ffffffff8148136e>] slab_free_freelist_hook mm/slub.c:1405 [inline]
[<ffffffff8148136e>] slab_free mm/slub.c:2859 [inline]
[<ffffffff8148136e>] kmem_cache_free+0xbe/0x350 mm/slub.c:2881
[<ffffffff822568ff>] dst_destroy+0x26f/0x330 net/core/dst.c:270
[<ffffffff82256b7e>] dst_gc_task+0x1be/0x530 net/core/dst.c:89
[<ffffffff81122a15>] process_one_work+0x825/0x1720 kernel/workqueue.c:2064
[<ffffffff81123df4>] worker_thread+0x4e4/0xf50 kernel/workqueue.c:2196
[<ffffffff811340b3>] kthread+0x273/0x310 kernel/kthread.c:211
[<ffffffff82718a45>] ret_from_fork+0x55/0x80 arch/x86/entry/entry_64.S:537

The buggy address belongs to the object at ffff8800a3a908c0
which belongs to the cache ip_dst_cache of size 208
The buggy address is located 128 bytes inside of
208-byte region [ffff8800a3a908c0, ffff8800a3a90990)
The buggy address belongs to the page:
audit: type=1400 audit(1548943041.347:587): avc: denied { sigchld } for
pid=2120 comm="syz-executor2" scontext=system_u:object_r:unlabeled_t:s0
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=process
permissive=0
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
[  655.260073] ------------[ cut here ]------------
WARNING: CPU: 0 PID: 2120 at kernel/sched/core.c:7941
__might_sleep+0x138/0x1a0 kernel/sched/core.c:7941()
do not call blocking ops when !TASK_RUNNING; state=1 set at
[<ffffffff810de4e5>] do_wait+0x265/0xa00 kernel/exit.c:1503


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Apr 14, 2019, 5:30:12 AM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 1c57ba4f FROMLIST: ANDROID: binder: Add BINDER_GET_NODE_IN..
git tree: android-4.9
console output: https://syzkaller.appspot.com/x/log.txt?x=17eab83a400000
kernel config: https://syzkaller.appspot.com/x/.config?x=ce644b18d115ba72
dashboard link: https://syzkaller.appspot.com/bug?extid=d0bed8f8385504681d9e
compiler: gcc (GCC) 8.0.1 20180413 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+d0bed8...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:243
[inline]
BUG: KASAN: use-after-free in atomic_read arch/x86/include/asm/atomic.h:26
[inline]
BUG: KASAN: use-after-free in __atomic_add_unless
arch/x86/include/asm/atomic.h:240 [inline]
BUG: KASAN: use-after-free in atomic_add_unless include/linux/atomic.h:506
[inline]
BUG: KASAN: use-after-free in sk_dst_get include/net/sock.h:1696 [inline]
BUG: KASAN: use-after-free in sk_dst_check+0x372/0x3a0 net/core/sock.c:513
Read of size 4 at addr ffff8801a6616e40 by task syz-executor4/1722

CPU: 1 PID: 1722 Comm: syz-executor4 Not tainted 4.9.128+ #41
ffff8801adce7690 ffffffff81af2469 ffffea0006998580 ffff8801a6616e40
0000000000000000 ffff8801a6616e40 ffff8801a6616e40 ffff8801adce76c8
ffffffff814e13cb ffff8801a6616e40 0000000000000004 0000000000000000
Call Trace:
[<ffffffff81af2469>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81af2469>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
[<ffffffff814e13cb>] print_address_description+0x6c/0x234
mm/kasan/report.c:256
[<ffffffff814e17d5>] kasan_report_error mm/kasan/report.c:355 [inline]
[<ffffffff814e17d5>] kasan_report.cold.6+0x242/0x2fe mm/kasan/report.c:412
[<ffffffff814d3bf4>] __asan_report_load4_noabort+0x14/0x20
mm/kasan/report.c:432
[<ffffffff8222ea22>] __read_once_size include/linux/compiler.h:243 [inline]
[<ffffffff8222ea22>] atomic_read arch/x86/include/asm/atomic.h:26 [inline]
[<ffffffff8222ea22>] __atomic_add_unless arch/x86/include/asm/atomic.h:240
[inline]
[<ffffffff8222ea22>] atomic_add_unless include/linux/atomic.h:506 [inline]
[<ffffffff8222ea22>] sk_dst_get include/net/sock.h:1696 [inline]
[<ffffffff8222ea22>] sk_dst_check+0x372/0x3a0 net/core/sock.c:513
[<ffffffff824e923a>] udp_sendmsg+0x107a/0x1c50 net/ipv4/udp.c:1010
[<ffffffff82512b43>] inet_sendmsg+0x203/0x4d0 net/ipv4/af_inet.c:770
[<ffffffff8222530b>] sock_sendmsg_nosec net/socket.c:648 [inline]
[<ffffffff8222530b>] sock_sendmsg+0xbb/0x110 net/socket.c:658
[<ffffffff82226d4a>] ___sys_sendmsg+0x47a/0x840 net/socket.c:1982
[<ffffffff8222a251>] __sys_sendmmsg+0x161/0x3d0 net/socket.c:2072
[<ffffffff8222a4f5>] SYSC_sendmmsg net/socket.c:2103 [inline]
[<ffffffff8222a4f5>] SyS_sendmmsg+0x35/0x60 net/socket.c:2098
[<ffffffff8100554f>] do_syscall_64+0x19f/0x480 arch/x86/entry/common.c:282
[<ffffffff8278df13>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb

Allocated by task 1722:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
save_stack mm/kasan/kasan.c:505 [inline]
set_track mm/kasan/kasan.c:517 [inline]
kasan_kmalloc.part.1+0x62/0xf0 mm/kasan/kasan.c:609
kasan_kmalloc+0xaf/0xc0 mm/kasan/kasan.c:594
kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:547
slab_post_alloc_hook mm/slab.h:417 [inline]
slab_alloc_node mm/slub.c:2715 [inline]
slab_alloc mm/slub.c:2723 [inline]
kmem_cache_alloc+0xd5/0x2b0 mm/slub.c:2728
dst_alloc+0xb5/0x1a0 net/core/dst.c:210
ipv4_blackhole_route+0x30/0x700 net/ipv4/route.c:2407
make_blackhole net/xfrm/xfrm_policy.c:2186 [inline]
xfrm_lookup_route+0xf5/0x140 net/xfrm/xfrm_policy.c:2356
ip_route_output_flow+0x90/0xa0 net/ipv4/route.c:2448
udp_sendmsg+0x13cd/0x1c50 net/ipv4/udp.c:1025
inet_sendmsg+0x203/0x4d0 net/ipv4/af_inet.c:770
sock_sendmsg_nosec net/socket.c:648 [inline]
sock_sendmsg+0xbb/0x110 net/socket.c:658
___sys_sendmsg+0x47a/0x840 net/socket.c:1982
__sys_sendmmsg+0x161/0x3d0 net/socket.c:2072
SYSC_sendmmsg net/socket.c:2103 [inline]
SyS_sendmmsg+0x35/0x60 net/socket.c:2098
do_syscall_64+0x19f/0x480 arch/x86/entry/common.c:282
entry_SYSCALL_64_after_swapgs+0x5d/0xdb

Freed by task 1682:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
save_stack mm/kasan/kasan.c:505 [inline]
set_track mm/kasan/kasan.c:517 [inline]
kasan_slab_free+0xac/0x190 mm/kasan/kasan.c:582
slab_free_hook mm/slub.c:1355 [inline]
slab_free_freelist_hook mm/slub.c:1377 [inline]
slab_free mm/slub.c:2958 [inline]
kmem_cache_free+0xbe/0x310 mm/slub.c:2980
dst_destroy+0x277/0x350 net/core/dst.c:270
dst_gc_task+0x1a9/0x510 net/core/dst.c:89
process_one_work+0x791/0x1470 kernel/workqueue.c:2092
worker_thread+0xd6/0x10a0 kernel/workqueue.c:2226
kthread+0x26d/0x300 kernel/kthread.c:211
ret_from_fork+0x5c/0x70 arch/x86/entry/entry_64.S:373

The buggy address belongs to the object at ffff8801a6616dc0
which belongs to the cache ip_dst_cache of size 216
The buggy address is located 128 bytes inside of
216-byte region [ffff8801a6616dc0, ffff8801a6616e98)
The buggy address belongs to the page:
page:ffffea0006998580 count:1 mapcount:0 mapping: (null) index:0x0
flags: 0x4000000000000080(slab)
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8801a6616d00: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
ffff8801a6616d80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
> ffff8801a6616e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8801a6616e80: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8801a6616f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
audit_printk_skb: 6 callbacks suppressed
audit: type=1400 audit(2000000680.373:1590): avc: denied { create } for
pid=1763 comm="syz-executor0"
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tclass=netlink_generic_socket permissive=0
audit: type=1400 audit(2000000680.443:1591): avc: denied { create } for
pid=1757 comm="syz-executor0"
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tclass=netlink_generic_socket permissive=0


syzbot

Dec 26, 2019, 3:18:06 AM
to syzkaller-a...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.

syzbot

Feb 3, 2020, 1:21:06 PM
to syzkaller-a...@googlegroups.com