Hello,
syzbot found the following crash on:
HEAD commit:    fab7352c Merge upstream-f2fs-stable-linux-4.14.y into andr..
git tree:       android-4.14
console output: https://syzkaller.appspot.com/x/log.txt?x=116ff8a0c00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=9ed317eef2eaa25
dashboard link: https://syzkaller.appspot.com/bug?extid=aafa720f6b294e50ab2f
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=13882040c00000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1207179f400000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+aafa72...@syzkaller.appspotmail.com
random: sshd: uninitialized urandom read (32 bytes read)
audit: type=1400 audit(1547326786.866:7): avc: denied { map } for pid=1776 comm="syz-executor149" path="/root/syz-executor149230062" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
==================================================================
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:183 [inline]
BUG: KASAN: use-after-free in nf_hook include/linux/netfilter.h:198 [inline]
BUG: KASAN: use-after-free in NF_HOOK include/linux/netfilter.h:248 [inline]
BUG: KASAN: use-after-free in ip_local_deliver+0x43d/0x450 net/ipv4/ip_input.c:257
Read of size 8 at addr ffff8881ccd84150 by task syz-executor149/1779
CPU: 0 PID: 1779 Comm: syz-executor149 Not tainted 4.14.92+ #5
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0xb9/0x10e lib/dump_stack.c:53
print_address_description+0x60/0x226 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0x88/0x2a5 mm/kasan/report.c:393
Allocated by task 1779:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc.part.0+0x4f/0xd0 mm/kasan/kasan.c:551
slab_post_alloc_hook mm/slab.h:442 [inline]
slab_alloc_node mm/slub.c:2723 [inline]
slab_alloc mm/slub.c:2731 [inline]
kmem_cache_alloc+0xd2/0x2d0 mm/slub.c:2736
__build_skb+0x2e/0x2d0 net/core/skbuff.c:281
build_skb+0x1a/0x1f0 net/core/skbuff.c:312
tun_build_skb drivers/net/tun.c:1354 [inline]
tun_get_user+0x248b/0x3790 drivers/net/tun.c:1467
tun_chr_write_iter+0xcf/0x180 drivers/net/tun.c:1596
call_write_iter include/linux/fs.h:1784 [inline]
do_iter_readv_writev+0x379/0x580 fs/read_write.c:678
do_iter_write fs/read_write.c:957 [inline]
do_iter_write+0x152/0x550 fs/read_write.c:938
vfs_writev+0x146/0x2d0 fs/read_write.c:1002
do_writev+0xc9/0x240 fs/read_write.c:1037
do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289
Freed by task 1779:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0xb0/0x190 mm/kasan/kasan.c:524
slab_free_hook mm/slub.c:1389 [inline]
slab_free_freelist_hook mm/slub.c:1410 [inline]
slab_free mm/slub.c:2966 [inline]
kmem_cache_free+0xc4/0x330 mm/slub.c:2988
kfree_skbmem net/core/skbuff.c:582 [inline]
kfree_skbmem+0xa0/0x100 net/core/skbuff.c:576
__kfree_skb net/core/skbuff.c:642 [inline]
kfree_skb+0xcd/0x350 net/core/skbuff.c:659
ip_frag_queue net/ipv4/ip_fragment.c:507 [inline]
ip_defrag+0x5f4/0x3b50 net/ipv4/ip_fragment.c:699
ip_local_deliver+0x165/0x450 net/ipv4/ip_input.c:253
dst_input include/net/dst.h:465 [inline]
ip_rcv_finish+0x5c9/0x1490 net/ipv4/ip_input.c:397
NF_HOOK include/linux/netfilter.h:250 [inline]
ip_rcv+0x9e2/0xf7a net/ipv4/ip_input.c:493
__netif_receive_skb_core+0x1364/0x2c60 net/core/dev.c:4477
__netif_receive_skb+0x55/0x1f0 net/core/dev.c:4515
netif_receive_skb_internal+0xec/0x5c0 net/core/dev.c:4588
tun_rx_batched.isra.0+0x45d/0x730 drivers/net/tun.c:1218
tun_get_user+0xd95/0x3790 drivers/net/tun.c:1570
tun_chr_write_iter+0xcf/0x180 drivers/net/tun.c:1596
call_write_iter include/linux/fs.h:1784 [inline]
do_iter_readv_writev+0x379/0x580 fs/read_write.c:678
do_iter_write fs/read_write.c:957 [inline]
do_iter_write+0x152/0x550 fs/read_write.c:938
vfs_writev+0x146/0x2d0 fs/read_write.c:1002
do_writev+0xc9/0x240 fs/read_write.c:1037
do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289
The buggy address belongs to the object at ffff8881ccd84140
which belongs to the cache skbuff_head_cache of size 224
The buggy address is located 16 bytes inside of
224-byte region [ffff8881ccd84140, ffff8881ccd84220)
The buggy address belongs to the page:
page:ffffea0007336100 count:1 mapcount:0 mapping: (null) index:0xffff8881ccd84dc0
flags: 0x4000000000000100(slab)
raw: 4000000000000100 0000000000000000 ffff8881ccd84dc0 00000001800c0009
raw: ffffea0007338400 0000000500000005 ffff8881dab58200 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
 ffff8881ccd84000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881ccd84080: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
>ffff8881ccd84100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                                 ^
 ffff8881ccd84180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881ccd84200: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
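Added example, not part of the syzbot report or of the kernel: a small Python decoder for the "Memory state" block that closes a KASAN report. It parses the "Read of size ... at addr ..." line, the object range and the shadow rows (the sample input is copied from the report above and labelled as such), looks up the shadow byte covering the faulting address, checks every 8-byte granule the access touches, and re-creates the ">" row and "^" marker line the kernel prints. The shadow-byte values are the ones defined in the kernel's mm/kasan/kasan.h; the function names and the dictionary layout are this example's own.

```python
import re

# Generic KASAN on x86-64: one shadow byte describes 8 bytes of kernel memory,
# and each "Memory state" row in a report lists 16 shadow bytes (128 bytes).
SHADOW_SCALE = 8
SHADOW_BYTES_PER_ROW = 16

# Shadow byte values as defined in the kernel's mm/kasan/kasan.h.
SHADOW_VALUES = {
    0xf1: "stack left redzone (KASAN_STACK_LEFT)",
    0xf2: "stack mid redzone (KASAN_STACK_MID)",
    0xf3: "stack right redzone (KASAN_STACK_RIGHT)",
    0xf4: "stack partial redzone (KASAN_STACK_PARTIAL)",
    0xf8: "out-of-scope stack variable (KASAN_USE_AFTER_SCOPE)",
    0xfa: "global variable redzone (KASAN_GLOBAL_REDZONE)",
    0xfb: "freed slab object (KASAN_KMALLOC_FREE)",
    0xfc: "slab object redzone (KASAN_KMALLOC_REDZONE)",
    0xfe: "kmalloc_large redzone (KASAN_PAGE_REDZONE)",
    0xff: "freed page (KASAN_FREE_PAGE)",
}

# Constructed sample: the relevant lines copied from the report above.
SAMPLE_REPORT = """\
Read of size 8 at addr ffff8881ccd84150 by task syz-executor149/1779
The buggy address belongs to the object at ffff8881ccd84140
 which belongs to the cache skbuff_head_cache of size 224
The buggy address is located 16 bytes inside of
 224-byte region [ffff8881ccd84140, ffff8881ccd84220)
Memory state around the buggy address:
 ffff8881ccd84000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881ccd84080: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
>ffff8881ccd84100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                                 ^
 ffff8881ccd84180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881ccd84200: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
"""


def shadow_meaning(value: int) -> str:
    """Human-readable meaning of one shadow byte."""
    if value == 0:
        return "addressable"
    if 1 <= value <= 7:
        return f"partially addressable (first {value} of {SHADOW_SCALE} bytes valid)"
    return SHADOW_VALUES.get(value, f"unknown shadow value {value:#04x}")


def parse_memory_state(report: str) -> dict:
    """Map each row base address in the 'Memory state' block to its shadow bytes."""
    block = report.split("Memory state around the buggy address:", 1)[1]
    row_re = re.compile(
        r"^[ \t]*>?[ \t]*([0-9a-f]{16}):((?:[ \t]+[0-9a-f]{2}){1,16})[ \t]*$", re.M)
    return {int(m.group(1), 16): [int(b, 16) for b in m.group(2).split()]
            for m in row_re.finditer(block)}


def shadow_byte_at(rows: dict, addr: int) -> int:
    """Shadow byte covering one kernel address, taken from the parsed rows."""
    row_base = addr - addr % (SHADOW_SCALE * SHADOW_BYTES_PER_ROW)
    return rows[row_base][(addr - row_base) // SHADOW_SCALE]


def locate_access(report: str) -> dict:
    """Cross-check the reported access against the shadow dump and the object bounds."""
    acc = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]{16})", report)
    kind, size, addr = acc.group(1), int(acc.group(2)), int(acc.group(3), 16)
    obj = re.search(r"(\d+)-byte region \[([0-9a-f]{16}), ([0-9a-f]{16})\)", report)
    obj_size, obj_start, obj_end = int(obj.group(1)), int(obj.group(2), 16), int(obj.group(3), 16)
    rows = parse_memory_state(report)
    # An access may straddle 8-byte granules; check every granule it touches.
    granules = sorted({a - a % SHADOW_SCALE for a in range(addr, addr + size)})
    values = [shadow_byte_at(rows, g) for g in granules]
    return {
        "kind": kind,
        "size": size,
        "addr": addr,
        "granule_values": values,
        "meaning": shadow_meaning(values[0]),
        "object_size": obj_size,
        "offset_in_object": addr - obj_start,
        "inside_object": obj_start <= addr < obj_end,
    }


def render_row(report: str) -> tuple:
    """Re-create the '>' row and the '^' marker line as the kernel prints them."""
    addr = int(re.search(r"at addr ([0-9a-f]{16})", report).group(1), 16)
    rows = parse_memory_state(report)
    row_base = addr - addr % (SHADOW_SCALE * SHADOW_BYTES_PER_ROW)
    prefix = f">{row_base:016x}: "
    row = prefix + " ".join(f"{b:02x}" for b in rows[row_base])
    # Each shadow byte occupies three columns ("fb "); the caret sits under its first digit.
    col = len(prefix) + 3 * ((addr - row_base) // SHADOW_SCALE)
    return row, " " * col + "^"


if __name__ == "__main__":
    info = locate_access(SAMPLE_REPORT)
    print(f"{info['kind']} of {info['size']} bytes at {info['addr']:#x}: {info['meaning']}")
    print(f"offset {info['offset_in_object']} in a {info['object_size']}-byte object")
    print("\n".join(render_row(SAMPLE_REPORT)))
```

For this report the decoder lands on shadow byte 0xfb (KASAN_KMALLOC_FREE) at offset 16 of the 224-byte skbuff_head_cache object, which is consistent with the "Freed by" stack above: the skb was released under ip_defrag and then read again by the NF_HOOK in ip_local_deliver. Pointing the same functions at a different report only requires replacing SAMPLE_REPORT with the report text.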