Hello,
syzbot found the following crash on:
HEAD commit: b3e9e81e Merge 4.4.172 into android-4.4
git tree: android-4.4
console output: https://syzkaller.appspot.com/x/log.txt?x=12072497400000
kernel config: https://syzkaller.appspot.com/x/.config?x=9d33f51998ee531f
dashboard link: https://syzkaller.appspot.com/bug?extid=8196f47024b3274dd9be
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+8196f4...@syzkaller.appspotmail.com
audit: type=1400 audit(1548943040.417:586): avc: denied { create } for pid=26329 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=0
==================================================================
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:218 [inline]
BUG: KASAN: use-after-free in atomic_read arch/x86/include/asm/atomic.h:26 [inline]
BUG: KASAN: use-after-free in __atomic_add_unless arch/x86/include/asm/atomic.h:211 [inline]
BUG: KASAN: use-after-free in atomic_add_unless include/linux/atomic.h:437 [inline]
BUG: KASAN: use-after-free in sk_dst_get include/net/sock.h:1745 [inline]
BUG: KASAN: use-after-free in sk_dst_check+0x347/0x380 net/core/sock.c:546
Read of size 4 at addr ffff8800a3a90940 by task syz-executor0/26321
CPU: 1 PID: 26321 Comm: syz-executor0 Not tainted 4.4.172+ #13
0000000000000000 64269e74bef24720 ffff8801bf4bf718 ffffffff81aacde1
0000000000000000 ffffea00028ea400 ffff8800a3a90940 0000000000000004
0000000000000000 ffff8801bf4bf750 ffffffff8148fedd 0000000000000000
Call Trace:
[<ffffffff81aacde1>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81aacde1>] dump_stack+0xc1/0x120 lib/dump_stack.c:51
[<ffffffff8148fedd>] print_address_description+0x6f/0x21b mm/kasan/report.c:252
[<ffffffff81490115>] kasan_report_error mm/kasan/report.c:351 [inline]
[<ffffffff81490115>] kasan_report mm/kasan/report.c:408 [inline]
[<ffffffff81490115>] kasan_report.cold+0x8c/0x2be mm/kasan/report.c:393
[<ffffffff81484ca4>] __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:428
[<ffffffff821e1907>] __read_once_size include/linux/compiler.h:218 [inline]
[<ffffffff821e1907>] atomic_read arch/x86/include/asm/atomic.h:26 [inline]
[<ffffffff821e1907>] __atomic_add_unless arch/x86/include/asm/atomic.h:211 [inline]
[<ffffffff821e1907>] atomic_add_unless include/linux/atomic.h:437 [inline]
[<ffffffff821e1907>] sk_dst_get include/net/sock.h:1745 [inline]
[<ffffffff821e1907>] sk_dst_check+0x347/0x380 net/core/sock.c:546
[<ffffffff8247f6bf>] udp_sendmsg+0x114f/0x1c60 net/ipv4/udp.c:1019
[<ffffffff824a8e12>] inet_sendmsg+0x202/0x4d0 net/ipv4/af_inet.c:755
[<ffffffff821d7eae>] sock_sendmsg_nosec net/socket.c:638 [inline]
[<ffffffff821d7eae>] sock_sendmsg+0xbe/0x110 net/socket.c:648
[<ffffffff821d9989>] ___sys_sendmsg+0x369/0x890 net/socket.c:1975
[<ffffffff821dce00>] __sys_sendmmsg+0x130/0x2e0 net/socket.c:2060
[<ffffffff821dcfe5>] SYSC_sendmmsg net/socket.c:2090 [inline]
[<ffffffff821dcfe5>] SyS_sendmmsg+0x35/0x60 net/socket.c:2085
[<ffffffff82718621>] entry_SYSCALL_64_fastpath+0x1e/0x9a
Allocated by task 26321:
[<ffffffff8102e3c6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63
[<ffffffff81483d12>] save_stack mm/kasan/kasan.c:512 [inline]
[<ffffffff81483d12>] set_track mm/kasan/kasan.c:524 [inline]
[<ffffffff81483d12>] kasan_kmalloc.part.0+0x62/0xf0 mm/kasan/kasan.c:616
[<ffffffff81483f87>] kasan_kmalloc+0xb7/0xd0 mm/kasan/kasan.c:601
[<ffffffff8148454f>] kasan_slab_alloc+0xf/0x20 mm/kasan/kasan.c:554
[<ffffffff8147fc8c>] slab_post_alloc_hook mm/slub.c:1349 [inline]
[<ffffffff8147fc8c>] slab_alloc_node mm/slub.c:2615 [inline]
[<ffffffff8147fc8c>] slab_alloc mm/slub.c:2623 [inline]
[<ffffffff8147fc8c>] kmem_cache_alloc+0xdc/0x2c0 mm/slub.c:2628
[<ffffffff82257da3>] dst_alloc+0xf3/0x1b0 net/core/dst.c:210
[<ffffffff823b0d30>] ipv4_blackhole_route+0x30/0x720 net/ipv4/route.c:2396
[<ffffffff82551a14>] make_blackhole net/xfrm/xfrm_policy.c:2161 [inline]
[<ffffffff82551a14>] xfrm_lookup_route net/xfrm/xfrm_policy.c:2331 [inline]
[<ffffffff82551a14>] xfrm_lookup_route+0xf4/0x140 net/xfrm/xfrm_policy.c:2322
[<ffffffff823a5493>] ip_route_output_flow+0x93/0xa0 net/ipv4/route.c:2437
[<ffffffff8247faa7>] udp_sendmsg+0x1537/0x1c60 net/ipv4/udp.c:1040
[<ffffffff824a8e12>] inet_sendmsg+0x202/0x4d0 net/ipv4/af_inet.c:755
[<ffffffff821d7eae>] sock_sendmsg_nosec net/socket.c:638 [inline]
[<ffffffff821d7eae>] sock_sendmsg+0xbe/0x110 net/socket.c:648
[<ffffffff821d9989>] ___sys_sendmsg+0x369/0x890 net/socket.c:1975
[<ffffffff821dce00>] __sys_sendmmsg+0x130/0x2e0 net/socket.c:2060
[<ffffffff821dcfe5>] SYSC_sendmmsg net/socket.c:2090 [inline]
[<ffffffff821dcfe5>] SyS_sendmmsg+0x35/0x60 net/socket.c:2085
[<ffffffff82718621>] entry_SYSCALL_64_fastpath+0x1e/0x9a
Freed by task 14698:
[<ffffffff8102e3c6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63
[<ffffffff81484610>] save_stack mm/kasan/kasan.c:512 [inline]
[<ffffffff81484610>] set_track mm/kasan/kasan.c:524 [inline]
[<ffffffff81484610>] kasan_slab_free+0xb0/0x190 mm/kasan/kasan.c:589
[<ffffffff8148136e>] slab_free_hook mm/slub.c:1383 [inline]
[<ffffffff8148136e>] slab_free_freelist_hook mm/slub.c:1405 [inline]
[<ffffffff8148136e>] slab_free mm/slub.c:2859 [inline]
[<ffffffff8148136e>] kmem_cache_free+0xbe/0x350 mm/slub.c:2881
[<ffffffff822568ff>] dst_destroy+0x26f/0x330 net/core/dst.c:270
[<ffffffff82256b7e>] dst_gc_task+0x1be/0x530 net/core/dst.c:89
[<ffffffff81122a15>] process_one_work+0x825/0x1720 kernel/workqueue.c:2064
[<ffffffff81123df4>] worker_thread+0x4e4/0xf50 kernel/workqueue.c:2196
[<ffffffff811340b3>] kthread+0x273/0x310 kernel/kthread.c:211
[<ffffffff82718a45>] ret_from_fork+0x55/0x80 arch/x86/entry/entry_64.S:537
The buggy address belongs to the object at ffff8800a3a908c0
which belongs to the cache ip_dst_cache of size 208
The buggy address is located 128 bytes inside of
208-byte region [ffff8800a3a908c0, ffff8800a3a90990)
The buggy address belongs to the page:
audit: type=1400 audit(1548943041.347:587): avc: denied { sigchld } for pid=2120 comm="syz-executor2" scontext=system_u:object_r:unlabeled_t:s0 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=process permissive=0
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access[  655.260073] ------------[ cut here ]------------
WARNING: CPU: 0 PID: 2120 at kernel/sched/core.c:7941 __might_sleep+0x138/0x1a0 kernel/sched/core.c:7941()
do not call blocking ops when !TASK_RUNNING; state=1 set at [<ffffffff810de4e5>] do_wait+0x265/0xa00 kernel/exit.c:1503
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See: https://goo.gl/tpsmEJ#status for how to communicate with syzbot.