Hello,
syzbot found the following crash on:
HEAD commit:    62872f95 Merge 4.4.174 into android-4.4
git tree:       android-4.4
console output: https://syzkaller.appspot.com/x/log.txt?x=1465923fa00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=47bc4dd423780c4a
dashboard link: https://syzkaller.appspot.com/bug?extid=6b469aae9f85278c2851
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
userspace arch: i386
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+6b469a...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in ifname_compare_aligned include/linux/netfilter/x_tables.h:362 [inline]
BUG: KASAN: use-after-free in ip6_packet_match net/ipv6/netfilter/ip6_tables.c:124 [inline]
BUG: KASAN: use-after-free in ip6t_do_table+0x1545/0x1860 net/ipv6/netfilter/ip6_tables.c:382
Read of size 8 at addr ffff8801d9640000 by task syz-executor.4/2414
CPU: 1 PID: 2414 Comm: syz-executor.4 Not tainted 4.4.174+ #17
0000000000000000 d94eccd5a6d74833 ffff8800b279f128 ffffffff81aad1a1
0000000000000000 ffffea0007659000 ffff8801d9640000 0000000000000008
dffffc0000000000 ffff8800b279f160 ffffffff81490120 0000000000000000
Call Trace:
[<ffffffff81aad1a1>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81aad1a1>] dump_stack+0xc1/0x120 lib/dump_stack.c:51
[<ffffffff81490120>] print_address_description+0x6f/0x21b mm/kasan/report.c:252
[<ffffffff81490358>] kasan_report_error mm/kasan/report.c:351 [inline]
[<ffffffff81490358>] kasan_report mm/kasan/report.c:408 [inline]
[<ffffffff81490358>] kasan_report.cold+0x8c/0x2be mm/kasan/report.c:393
[<ffffffff81484ed4>] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:429
[<ffffffff82685b15>] ifname_compare_aligned include/linux/netfilter/x_tables.h:362 [inline]
[<ffffffff82685b15>] ip6_packet_match net/ipv6/netfilter/ip6_tables.c:124 [inline]
[<ffffffff82685b15>] ip6t_do_table+0x1545/0x1860 net/ipv6/netfilter/ip6_tables.c:382
[<ffffffff8268e316>] ip6t_mangle_out net/ipv6/netfilter/ip6table_mangle.c:60 [inline]
[<ffffffff8268e316>] ip6table_mangle_hook+0x2d6/0x710 net/ipv6/netfilter/ip6table_mangle.c:82
[<ffffffff822f84a6>] nf_iterate+0x186/0x220 net/netfilter/core.c:274
[<ffffffff822f86f6>] nf_hook_slow+0x1b6/0x340 net/netfilter/core.c:306
[<ffffffff826bf429>] nf_hook_thresh include/linux/netfilter.h:187 [inline]
[<ffffffff826bf429>] nf_hook include/linux/netfilter.h:197 [inline]
[<ffffffff826bf429>] __ip6_local_out+0x309/0x4b0 net/ipv6/output_core.c:157
[<ffffffff826bf5f9>] ip6_local_out+0x29/0x180 net/ipv6/output_core.c:167
[<ffffffff825b28c2>] ip6_send_skb+0xa2/0x340 net/ipv6/ip6_output.c:1725
[<ffffffff82611618>] udp_v6_send_skb+0x438/0xe90 net/ipv6/udp.c:1066
[<ffffffff826142ed>] udpv6_sendmsg+0x1e3d/0x24f0 net/ipv6/udp.c:1330
[<ffffffff824a8b42>] inet_sendmsg+0x202/0x4d0 net/ipv4/af_inet.c:755
[<ffffffff821d838e>] sock_sendmsg_nosec net/socket.c:638 [inline]
[<ffffffff821d838e>] sock_sendmsg+0xbe/0x110 net/socket.c:648
[<ffffffff821d9e69>] ___sys_sendmsg+0x369/0x890 net/socket.c:1975
[<ffffffff821dd386>] __sys_sendmmsg+0x1d6/0x2e0 net/socket.c:2053
[<ffffffff822ace22>] C_SYSC_sendmmsg net/compat.c:731 [inline]
[<ffffffff822ace22>] compat_SyS_sendmmsg+0x32/0x40 net/compat.c:728
[<ffffffff8100603d>] do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline]
[<ffffffff8100603d>] do_fast_syscall_32+0x32d/0xa90 arch/x86/entry/common.c:397
[<ffffffff8271a350>] sysenter_flags_fixed+0xd/0x1a
The buggy address belongs to the page:
page:ffffea0007659000 count:0 mapcount:-127 mapping: (null) index:0x0
flags: 0x4000000000000000()
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8801d963ff00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8801d963ff80: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
> ffff8801d9640000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff8801d9640080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8801d9640100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.