Hello,
syzbot found the following crash on:
HEAD commit: 1321d422 cfi: print target address on failure
git tree: android-4.9
console output: https://syzkaller.appspot.com/x/log.txt?x=135af5c7800000
kernel config: https://syzkaller.appspot.com/x/.config?x=1e52aa51291e98a6
dashboard link: https://syzkaller.appspot.com/bug?extid=ecd9b80965b940128f2a
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16058fbb800000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=147eb837800000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+ecd9b8...@syzkaller.appspotmail.com
IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
==================================================================
BUG: KASAN: use-after-free in qdisc_pkt_len_init net/core/dev.c:3085 [inline]
BUG: KASAN: use-after-free in __dev_queue_xmit+0x18fc/0x2080 net/core/dev.c:3395
Read of size 2 at addr ffff8801c7affc42 by task syz-executor200/3730
CPU: 1 PID: 3730 Comm: syz-executor200 Not tainted 4.9.97-g1321d42 #13
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
ffff8801be8ef500 ffffffff81eb0b69 ffffea00071ebf80 ffff8801c7affc42
0000000000000000 ffff8801c7affc42 ffff8801d7d7c850 ffff8801be8ef538
ffffffff8156540b ffff8801c7affc42 0000000000000002 0000000000000000
Call Trace:
[<ffffffff81eb0b69>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81eb0b69>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
[<ffffffff8156540b>] print_address_description+0x6c/0x234 mm/kasan/report.c:256
[<ffffffff81565815>] kasan_report_error mm/kasan/report.c:355 [inline]
[<ffffffff81565815>] kasan_report.cold.6+0x242/0x2fe mm/kasan/report.c:412
[<ffffffff81539454>] __asan_report_load2_noabort+0x14/0x20 mm/kasan/report.c:431
[<ffffffff83087b8c>] qdisc_pkt_len_init net/core/dev.c:3085 [inline]
[<ffffffff83087b8c>] __dev_queue_xmit+0x18fc/0x2080 net/core/dev.c:3395
[<ffffffff83088327>] dev_queue_xmit+0x17/0x20 net/core/dev.c:3484
[<ffffffff8368d85f>] packet_snd net/packet/af_packet.c:2960 [inline]
[<ffffffff8368d85f>] packet_sendmsg+0x1eff/0x4470 net/packet/af_packet.c:2985
[<ffffffff83012fcc>] sock_sendmsg_nosec net/socket.c:635 [inline]
[<ffffffff83012fcc>] sock_sendmsg+0xcc/0x110 net/socket.c:645
[<ffffffff830147ea>] ___sys_sendmsg+0x47a/0x840 net/socket.c:1969
[<ffffffff83016d41>] __sys_sendmmsg+0x161/0x3d0 net/socket.c:2059
[<ffffffff83016fe5>] SYSC_sendmmsg net/socket.c:2090 [inline]
[<ffffffff83016fe5>] SyS_sendmmsg+0x35/0x60 net/socket.c:2085
[<ffffffff81006316>] do_syscall_64+0x1a6/0x490 arch/x86/entry/common.c:282
[<ffffffff839f4653>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
Allocated by task 3730:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
save_stack+0x43/0xd0 mm/kasan/kasan.c:505
set_track mm/kasan/kasan.c:517 [inline]
kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:609
kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:547
slab_post_alloc_hook mm/slab.h:417 [inline]
slab_alloc_node mm/slub.c:2715 [inline]
slab_alloc mm/slub.c:2723 [inline]
__kmalloc_track_caller+0xdc/0x2b0 mm/slub.c:4232
__kmalloc_reserve.isra.37+0x33/0xc0 net/core/skbuff.c:138
__alloc_skb+0x11a/0x600 net/core/skbuff.c:231
alloc_skb include/linux/skbuff.h:919 [inline]
alloc_skb_with_frags+0xaf/0x520 net/core/skbuff.c:4678
sock_alloc_send_pskb+0x5a9/0x750 net/core/sock.c:1893
packet_alloc_skb net/packet/af_packet.c:2817 [inline]
packet_snd net/packet/af_packet.c:2908 [inline]
packet_sendmsg+0x1581/0x4470 net/packet/af_packet.c:2985
sock_sendmsg_nosec net/socket.c:635 [inline]
sock_sendmsg+0xcc/0x110 net/socket.c:645
___sys_sendmsg+0x47a/0x840 net/socket.c:1969
__sys_sendmmsg+0x161/0x3d0 net/socket.c:2059
SYSC_sendmmsg net/socket.c:2090 [inline]
SyS_sendmmsg+0x35/0x60 net/socket.c:2085
do_syscall_64+0x1a6/0x490 arch/x86/entry/common.c:282
entry_SYSCALL_64_after_swapgs+0x5d/0xdb
Freed by task 3730:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
save_stack+0x43/0xd0 mm/kasan/kasan.c:505
set_track mm/kasan/kasan.c:517 [inline]
kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:582
slab_free_hook mm/slub.c:1355 [inline]
slab_free_freelist_hook mm/slub.c:1377 [inline]
slab_free mm/slub.c:2958 [inline]
kfree+0xfb/0x310 mm/slub.c:3878
skb_free_head+0x8b/0xb0 net/core/skbuff.c:580
skb_release_data+0x329/0x400 net/core/skbuff.c:611
skb_release_all+0x4a/0x60 net/core/skbuff.c:670
__kfree_skb+0x15/0x20 net/core/skbuff.c:684
kfree_skb+0xcc/0x340 net/core/skbuff.c:705
__skb_complete_tx_timestamp+0x2ba/0x3a0 net/core/skbuff.c:3823
__skb_tstamp_tx+0x19a/0x4b0 net/core/skbuff.c:3895
__dev_queue_xmit+0x130f/0x2080 net/core/dev.c:3386
dev_queue_xmit+0x17/0x20 net/core/dev.c:3484
packet_snd net/packet/af_packet.c:2960 [inline]
packet_sendmsg+0x1eff/0x4470 net/packet/af_packet.c:2985
sock_sendmsg_nosec net/socket.c:635 [inline]
sock_sendmsg+0xcc/0x110 net/socket.c:645
___sys_sendmsg+0x47a/0x840 net/socket.c:1969
__sys_sendmmsg+0x161/0x3d0 net/socket.c:2059
SYSC_sendmmsg net/socket.c:2090 [inline]
SyS_sendmmsg+0x35/0x60 net/socket.c:2085
do_syscall_64+0x1a6/0x490 arch/x86/entry/common.c:282
entry_SYSCALL_64_after_swapgs+0x5d/0xdb
The buggy address belongs to the object at ffff8801c7affb80
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 194 bytes inside of
512-byte region [ffff8801c7affb80, ffff8801c7affd80)
The buggy address belongs to the page:
page:ffffea00071ebf80 count:1 mapcount:0 mapping: (null) index:0x0
compound_mapcount: 0
flags: 0x8000000000004080(slab|head)
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8801c7affb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8801c7affb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff8801c7affc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8801c7affc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8801c7affd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This bug is generated by a bot. It may contain errors.
See
https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at
syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches