KASAN: use-after-free Read in xfrm6_tunnel_destroy


syzbot

Apr 10, 2019, 11:44:06 AM4/10/19
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 47350a9f ANDROID: x86_64_cuttlefish_defconfig: Enable lz4 ..
git tree: android-4.14
console output: https://syzkaller.appspot.com/x/log.txt?x=10c1460a400000
kernel config: https://syzkaller.appspot.com/x/.config?x=10d236078f3378a3
dashboard link: https://syzkaller.appspot.com/bug?extid=3a9fa82e5fb13514eb32
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12e4115a400000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12b87892400000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+3a9fa8...@syzkaller.appspotmail.com

random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
==================================================================
BUG: KASAN: use-after-free in xfrm6_tunnel_free_spi
net/ipv6/xfrm6_tunnel.c:205 [inline]
BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x5a4/0x650
net/ipv6/xfrm6_tunnel.c:300
Read of size 8 at addr ffff8801d29ba8f8 by task kworker/0:1/22

CPU: 0 PID: 22 Comm: kworker/0:1 Not tainted 4.14.67+ #1
Workqueue: events xfrm_state_gc_task
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0xb9/0x11b lib/dump_stack.c:53
print_address_description+0x60/0x22b mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report.cold.6+0x11b/0x2dd mm/kasan/report.c:409
xfrm6_tunnel_free_spi net/ipv6/xfrm6_tunnel.c:205 [inline]
xfrm6_tunnel_destroy+0x5a4/0x650 net/ipv6/xfrm6_tunnel.c:300
xfrm_state_gc_destroy net/xfrm/xfrm_state.c:449 [inline]
xfrm_state_gc_task+0x3d6/0x550 net/xfrm/xfrm_state.c:470
process_one_work+0x86e/0x15c0 kernel/workqueue.c:2114
worker_thread+0xdc/0x1000 kernel/workqueue.c:2248
kthread+0x348/0x420 kernel/kthread.c:232
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:402

Allocated by task 1992:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc.part.1+0x4f/0xd0 mm/kasan/kasan.c:551
__kmalloc+0x153/0x340 mm/slub.c:3760
kmalloc include/linux/slab.h:493 [inline]
kzalloc include/linux/slab.h:661 [inline]
ops_init+0xec/0x3e0 net/core/net_namespace.c:108
setup_net+0x22b/0x510 net/core/net_namespace.c:294
copy_net_ns+0x193/0x430 net/core/net_namespace.c:418
create_new_namespaces+0x4f0/0x750 kernel/nsproxy.c:107
unshare_nsproxy_namespaces+0x9f/0x1d0 kernel/nsproxy.c:206
SYSC_unshare kernel/fork.c:2375 [inline]
SyS_unshare+0x314/0x6b0 kernel/fork.c:2325
do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7

Freed by task 65:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0xac/0x190 mm/kasan/kasan.c:524
slab_free_hook mm/slub.c:1389 [inline]
slab_free_freelist_hook mm/slub.c:1410 [inline]
slab_free mm/slub.c:2966 [inline]
kfree+0xf5/0x310 mm/slub.c:3897
ops_free net/core/net_namespace.c:132 [inline]
ops_free_list.part.4+0x22a/0x350 net/core/net_namespace.c:154
ops_free_list net/core/net_namespace.c:152 [inline]
cleanup_net+0x481/0x880 net/core/net_namespace.c:487
process_one_work+0x86e/0x15c0 kernel/workqueue.c:2114
worker_thread+0xdc/0x1000 kernel/workqueue.c:2248
kthread+0x348/0x420 kernel/kthread.c:232
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:402

The buggy address belongs to the object at ffff8801d29ba100
which belongs to the cache kmalloc-8192 of size 8192
The buggy address is located 2040 bytes inside of
8192-byte region [ffff8801d29ba100, ffff8801d29bc100)
The buggy address belongs to the page:
page:ffffea00074a6e00 count:1 mapcount:0 mapping: (null) index:0x0
compound_mapcount: 0
flags: 0x4000000000008100(slab|head)
raw: 4000000000008100 0000000000000000 0000000000000000 0000000100030003
raw: dead000000000100 dead000000000200 ffff8801da802400 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8801d29ba780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8801d29ba800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff8801d29ba880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8801d29ba900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8801d29ba980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches

syzbot

Apr 11, 2019, 8:00:33 PM4/11/19
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 8956c50b Merge commit '3ccf9ee7df56' into android-4.9
git tree: android-4.9
console output: https://syzkaller.appspot.com/x/log.txt?x=124e46b4400000
kernel config: https://syzkaller.appspot.com/x/.config?x=f2dbd0c9dd968786
dashboard link: https://syzkaller.appspot.com/bug?extid=49a4d7b80aef69caed04
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1509bab4400000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=141f7652400000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+49a4d7...@syzkaller.appspotmail.com

IPVS: Creating netns size=2536 id=5
IPVS: Creating netns size=2536 id=6
IPVS: Creating netns size=2536 id=7
IPVS: Creating netns size=2536 id=8
==================================================================
BUG: KASAN: use-after-free in xfrm6_tunnel_free_spi
net/ipv6/xfrm6_tunnel.c:205 [inline]
BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x5b2/0x680
net/ipv6/xfrm6_tunnel.c:300
Read of size 8 at addr ffff8801bf6649f8 by task kworker/0:4/3852

CPU: 0 PID: 3852 Comm: kworker/0:4 Not tainted 4.9.113-g8956c50 #15
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: events xfrm_state_gc_task
ffff8801c2c5faa8 ffffffff81eb32a9 ffffea0006fd9800 ffff8801bf6649f8
0000000000000000 ffff8801bf6649f8 ffff8801be56e984 ffff8801c2c5fae0
ffffffff81567bd9 ffff8801bf6649f8 0000000000000008 0000000000000000
Call Trace:
[<ffffffff81eb32a9>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81eb32a9>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
[<ffffffff81567bd9>] print_address_description+0x6c/0x234
mm/kasan/report.c:256
[<ffffffff81567fe3>] kasan_report_error mm/kasan/report.c:355 [inline]
[<ffffffff81567fe3>] kasan_report.cold.6+0x242/0x2fe mm/kasan/report.c:412
[<ffffffff8153bc34>] __asan_report_load8_noabort+0x14/0x20
mm/kasan/report.c:433
[<ffffffff8364eff2>] xfrm6_tunnel_free_spi net/ipv6/xfrm6_tunnel.c:205
[inline]
[<ffffffff8364eff2>] xfrm6_tunnel_destroy+0x5b2/0x680
net/ipv6/xfrm6_tunnel.c:300
[<ffffffff83504bdd>] xfrm_state_gc_destroy net/xfrm/xfrm_state.c:368
[inline]
[<ffffffff83504bdd>] xfrm_state_gc_task+0x3ad/0x510
net/xfrm/xfrm_state.c:388
[<ffffffff8118d181>] process_one_work+0x7e1/0x1500 kernel/workqueue.c:2092
[<ffffffff8118df76>] worker_thread+0xd6/0x10a0 kernel/workqueue.c:2226
[<ffffffff8119d0ad>] kthread+0x26d/0x300 kernel/kthread.c:211
[<ffffffff839fa35c>] ret_from_fork+0x5c/0x70 arch/x86/entry/entry_64.S:373

Allocated by task 3809:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
save_stack+0x43/0xd0 mm/kasan/kasan.c:505
set_track mm/kasan/kasan.c:517 [inline]
kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:609
__kmalloc+0x11d/0x300 mm/slub.c:3741
kmalloc include/linux/slab.h:495 [inline]
kzalloc include/linux/slab.h:636 [inline]
ops_init+0xeb/0x380 net/core/net_namespace.c:101
setup_net+0x1b9/0x3f0 net/core/net_namespace.c:291
copy_net_ns+0x189/0x290 net/core/net_namespace.c:408
create_new_namespaces+0x51c/0x730 kernel/nsproxy.c:106
unshare_nsproxy_namespaces+0xa5/0x1d0 kernel/nsproxy.c:205
SYSC_unshare kernel/fork.c:2251 [inline]
SyS_unshare+0x319/0x710 kernel/fork.c:2201
do_syscall_64+0x1a6/0x490 arch/x86/entry/common.c:282
entry_SYSCALL_64_after_swapgs+0x5d/0xdb

Freed by task 6:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
save_stack+0x43/0xd0 mm/kasan/kasan.c:505
set_track mm/kasan/kasan.c:517 [inline]
kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:582
slab_free_hook mm/slub.c:1355 [inline]
slab_free_freelist_hook mm/slub.c:1377 [inline]
slab_free mm/slub.c:2958 [inline]
kfree+0xfb/0x310 mm/slub.c:3878
ops_free net/core/net_namespace.c:126 [inline]
ops_free_list.part.10+0x1ff/0x330 net/core/net_namespace.c:148
ops_free_list net/core/net_namespace.c:146 [inline]
cleanup_net+0x3bf/0x630 net/core/net_namespace.c:477
process_one_work+0x7e1/0x1500 kernel/workqueue.c:2092
worker_thread+0xd6/0x10a0 kernel/workqueue.c:2226
kthread+0x26d/0x300 kernel/kthread.c:211
ret_from_fork+0x5c/0x70 arch/x86/entry/entry_64.S:373

The buggy address belongs to the object at ffff8801bf664200
which belongs to the cache kmalloc-8192 of size 8192
The buggy address is located 2040 bytes inside of
8192-byte region [ffff8801bf664200, ffff8801bf666200)
The buggy address belongs to the page:
page:ffffea0006fd9800 count:1 mapcount:0 mapping: (null) index:0x0
compound_mapcount: 0
flags: 0x8000000000004080(slab|head)
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8801bf664880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8801bf664900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff8801bf664980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8801bf664a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8801bf664a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

syzbot

Apr 14, 2019, 4:51:40 AM4/14/19
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: d08574b6 ANDROID: cuttlefish_defconfig: Enable VIRTIO_INPUT
git tree: android-4.4
console output: https://syzkaller.appspot.com/x/log.txt?x=11250807400000
kernel config: https://syzkaller.appspot.com/x/.config?x=39bc4256ec37590
dashboard link: https://syzkaller.appspot.com/bug?extid=dbce44c619d57e2afa91
compiler: gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+dbce44...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in xfrm6_tunnel_free_spi
net/ipv6/xfrm6_tunnel.c:205 [inline]
BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x557/0x600
net/ipv6/xfrm6_tunnel.c:300
Read of size 8 at addr ffff8801d5c9a8f8 by task kworker/1:2/23916

CPU: 1 PID: 23916 Comm: kworker/1:2 Not tainted 4.4.169+ #2
Workqueue: events xfrm_state_gc_task
0000000000000000 90f9f17ca0de363f ffff8800984d7a48 ffffffff81aab9c1
0000000000000000 ffffea0007572600 ffff8801d5c9a8f8 0000000000000008
ffff8801d5c9a100 ffff8800984d7a80 ffffffff8148fc0d 0000000000000000
Call Trace:
[<ffffffff81aab9c1>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81aab9c1>] dump_stack+0xc1/0x120 lib/dump_stack.c:51
[<ffffffff8148fc0d>] print_address_description+0x6f/0x21b
mm/kasan/report.c:252
[<ffffffff8148fe45>] kasan_report_error mm/kasan/report.c:351 [inline]
[<ffffffff8148fe45>] kasan_report mm/kasan/report.c:408 [inline]
[<ffffffff8148fe45>] kasan_report.cold+0x8c/0x2be mm/kasan/report.c:393
[<ffffffff814849f4>] __asan_report_load8_noabort+0x14/0x20
mm/kasan/report.c:429
[<ffffffff8267ab77>] xfrm6_tunnel_free_spi net/ipv6/xfrm6_tunnel.c:205
[inline]
[<ffffffff8267ab77>] xfrm6_tunnel_destroy+0x557/0x600
net/ipv6/xfrm6_tunnel.c:300
[<ffffffff8255992a>] xfrm_state_gc_destroy net/xfrm/xfrm_state.c:349
[inline]
[<ffffffff8255992a>] xfrm_state_gc_task+0x3aa/0x510
net/xfrm/xfrm_state.c:368
[<ffffffff81122a35>] process_one_work+0x825/0x1720 kernel/workqueue.c:2064
[<ffffffff81123e14>] worker_thread+0x4e4/0xf50 kernel/workqueue.c:2196
[<ffffffff811340d3>] kthread+0x273/0x310 kernel/kthread.c:211
[<ffffffff827157c5>] ret_from_fork+0x55/0x80 arch/x86/entry/entry_64.S:537

Allocated by task 2139:
[<ffffffff8102e3c6>] save_stack_trace+0x26/0x50
arch/x86/kernel/stacktrace.c:63
[<ffffffff81483a42>] save_stack mm/kasan/kasan.c:512 [inline]
[<ffffffff81483a42>] set_track mm/kasan/kasan.c:524 [inline]
[<ffffffff81483a42>] kasan_kmalloc.part.0+0x62/0xf0 mm/kasan/kasan.c:616
[<ffffffff81483cb7>] kasan_kmalloc+0xb7/0xd0 mm/kasan/kasan.c:601
[<ffffffff81480041>] __kmalloc+0x141/0x330 mm/slub.c:3613
[<ffffffff82213fb1>] kmalloc include/linux/slab.h:481 [inline]
[<ffffffff82213fb1>] kzalloc include/linux/slab.h:620 [inline]
[<ffffffff82213fb1>] ops_init+0xf1/0x3a0 net/core/net_namespace.c:99
[<ffffffff82216094>] setup_net+0x1b4/0x4e0 net/core/net_namespace.c:289
[<ffffffff82217d75>] copy_net_ns+0xd5/0x250 net/core/net_namespace.c:388
[<ffffffff811368a0>] create_new_namespaces+0x2f0/0x670 kernel/nsproxy.c:95
[<ffffffff8113718b>] unshare_nsproxy_namespaces+0xab/0x1e0
kernel/nsproxy.c:190
[<ffffffff810d28f2>] SYSC_unshare kernel/fork.c:2083 [inline]
[<ffffffff810d28f2>] SyS_unshare+0x302/0x6f0 kernel/fork.c:2033
[<ffffffff827153a1>] entry_SYSCALL_64_fastpath+0x1e/0x9a

Freed by task 60:
[<ffffffff8102e3c6>] save_stack_trace+0x26/0x50
arch/x86/kernel/stacktrace.c:63
[<ffffffff81484340>] save_stack mm/kasan/kasan.c:512 [inline]
[<ffffffff81484340>] set_track mm/kasan/kasan.c:524 [inline]
[<ffffffff81484340>] kasan_slab_free+0xb0/0x190 mm/kasan/kasan.c:589
[<ffffffff81481764>] slab_free_hook mm/slub.c:1383 [inline]
[<ffffffff81481764>] slab_free_freelist_hook mm/slub.c:1405 [inline]
[<ffffffff81481764>] slab_free mm/slub.c:2859 [inline]
[<ffffffff81481764>] kfree+0xf4/0x310 mm/slub.c:3749
[<ffffffff8221587f>] ops_free net/core/net_namespace.c:124 [inline]
[<ffffffff8221587f>] ops_free_list.part.0+0x1ff/0x330
net/core/net_namespace.c:146
[<ffffffff822178b4>] ops_free_list net/core/net_namespace.c:144 [inline]
[<ffffffff822178b4>] cleanup_net+0x474/0x860 net/core/net_namespace.c:456
[<ffffffff81122a35>] process_one_work+0x825/0x1720 kernel/workqueue.c:2064
[<ffffffff81123e14>] worker_thread+0x4e4/0xf50 kernel/workqueue.c:2196
[<ffffffff811340d3>] kthread+0x273/0x310 kernel/kthread.c:211
[<ffffffff827157c5>] ret_from_fork+0x55/0x80 arch/x86/entry/entry_64.S:537

The buggy address belongs to the object at ffff8801d5c9a100
which belongs to the cache kmalloc-8192 of size 8192
The buggy address is located 2040 bytes inside of
8192-byte region [ffff8801d5c9a100, ffff8801d5c9c100)
The buggy address belongs to the page:
audit: type=1400 audit(1546518951.062:716): avc: denied { sigchld } for
pid=2127 comm="syz-executor5" scontext=system_u:object_r:unlabeled_t:s0
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=process
permissive=0
audit: type=1400 audit(1546518951.062:717): avc: denied { sigchld } for
pid=2127 comm="syz-executor5" scontext=system_u:object_r:unlabeled_t:s0
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=process
permissive=0
BUG: unable to handle kernel NULL pointer dereference at 00000000000000c4
IP: [<ffffffff81484c11>] qlink_to_object mm/kasan/quarantine.c:136 [inline]
IP: [<ffffffff81484c11>] qlink_free mm/kasan/quarantine.c:141 [inline]
IP: [<ffffffff81484c11>] qlist_free_all+0x31/0xc0 mm/kasan/quarantine.c:166
PGD 1d6c5f067 PUD 1d94ef067 PMD 0
Oops: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 0 PID: 1923 Comm: rsyslogd Not tainted 4.4.169+ #2
task: ffff8801d6c00000 task.stack: ffff8800b8d70000
RIP: 0010:[<ffffffff81484c11>] [<ffffffff81484c11>] qlink_to_object
mm/kasan/quarantine.c:136 [inline]
RIP: 0010:[<ffffffff81484c11>] [<ffffffff81484c11>] qlink_free
mm/kasan/quarantine.c:141 [inline]
RIP: 0010:[<ffffffff81484c11>] [<ffffffff81484c11>]
qlist_free_all+0x31/0xc0 mm/kasan/quarantine.c:166
RSP: 0018:ffff8800b8d77a78 EFLAGS: 00010246
RAX: ffffea00000a2440 RBX: 0000000000000000 RCX: ffffea00000a245f
RDX: 0000000000000000 RSI: ffffffff82891c20 RDI: 0000000000000000
RBP: ffff8800b8d77aa0 R08: 0000000000000001 R09: ffffffff81484c11
R10: ffffea00025fa380 R11: 0000000000000000 R12: ffff8800b8d77ab8
R13: 0000000080000000 R14: ffffea0000000000 R15: ffffffff82891c20
FS: 00007f521162e700(0000) GS:ffff8801db600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000000c4 CR3: 00000001d70d0000 CR4: 00000000001606b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
0000000000000000 0000000000000001 ffff8800b8d77ab8 ffff8800b73ccd80
ffff8801da401140 ffff8800b8d77ae8 ffffffff814850af ffffffff81484fb5
ffff8801d2371480 ffff88009bd1f260 00000000001000c0 9f61d5e46f1f5d07
Call Trace:
[<ffffffff814850af>] quarantine_reduce+0x18f/0x1d0
mm/kasan/quarantine.c:259
[<ffffffff81483ca0>] kasan_kmalloc+0xa0/0xd0 mm/kasan/kasan.c:601
[<ffffffff8148427f>] kasan_slab_alloc+0xf/0x20 mm/kasan/kasan.c:554
[<ffffffff8147fc80>] slab_post_alloc_hook mm/slub.c:1349 [inline]
[<ffffffff8147fc80>] slab_alloc_node mm/slub.c:2615 [inline]
[<ffffffff8147fc80>] slab_alloc mm/slub.c:2623 [inline]
[<ffffffff8147fc80>] kmem_cache_alloc_trace+0xe0/0x2d0 mm/slub.c:2640
[<ffffffff8121edec>] kmalloc include/linux/slab.h:476 [inline]
[<ffffffff8121edec>] syslog_print kernel/printk/printk.c:1153 [inline]
[<ffffffff8121edec>] do_syslog kernel/printk/printk.c:1336 [inline]
[<ffffffff8121edec>] do_syslog+0x5bc/0xaf0 kernel/printk/printk.c:1306
[<ffffffff81607be4>] kmsg_read+0x74/0xa0 fs/proc/kmsg.c:39
[<ffffffff815dfd2d>] proc_reg_read+0xfd/0x180 fs/proc/inode.c:202
[<ffffffff81495f26>] __vfs_read+0x116/0x3c0 fs/read_write.c:432
[<ffffffff81497c34>] vfs_read+0x134/0x360 fs/read_write.c:454
[<ffffffff8149a45c>] SYSC_read fs/read_write.c:569 [inline]
[<ffffffff8149a45c>] SyS_read+0xdc/0x1c0 fs/read_write.c:562
[<ffffffff827153a1>] entry_SYSCALL_64_fastpath+0x1e/0x9a
Code: 41 56 41 55 41 54 53 48 89 f3 48 8b 37 48 85 f6 0f 84 8d 00 00 00 49
89 fc 41 bd 00 00 00 80 49 be 00 00 00 00 00 ea ff ff eb 21 <48> 63 97 c4
00 00 00 4c 8b 3e 48 29 d6 48 c7 c2 11 4c 48 81 e8
RIP [<ffffffff81484c11>] virt_to_head_page include/linux/mm.h:521 [inline]
RIP [<ffffffff81484c11>] qlink_to_cache mm/kasan/quarantine.c:127 [inline]
RIP [<ffffffff81484c11>] qlist_free_all+0x31/0xc0 mm/kasan/quarantine.c:163
RSP <ffff8800b8d77a78>
CR2: 00000000000000c4
------------[ cut here ]------------
WARNING: CPU: 0 PID: 2127 at lib/list_debug.c:23
__list_add_valid+0x86/0x120 lib/list_debug.c:23()
list_add corruption. next->prev should be prev (ffff8801db71f238), but was
ffffffff8142a736. (next=ffff8800984c8088).

syzbot

Jul 2, 2019, 8:36:04 AM7/2/19
to syzkaller-a...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.