Hello,
syzbot found the following crash on:
HEAD commit: 12cd844a Linux 4.14.173
git tree: linux-4.14.y
console output:
https://syzkaller.appspot.com/x/log.txt?x=154f961de00000
kernel config:
https://syzkaller.appspot.com/x/.config?x=8a9d0602a0f7791e
dashboard link:
https://syzkaller.appspot.com/bug?extid=bdd9cefe13c3d2122c7e
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro:
https://syzkaller.appspot.com/x/repro.syz?x=13b1b973e00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by:
syzbot+bdd9ce...@syzkaller.appspotmail.com
IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
batman_adv: batadv0: Interface activated: batadv_slave_1
IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
==================================================================
BUG: KASAN: use-after-free in tcindex_set_parms+0x1521/0x16a0 net/sched/cls_tcindex.c:473
Write of size 16 at addr ffff8880a84e0b80 by task syz-executor.0/7569
CPU: 1 PID: 7569 Comm: syz-executor.0 Not tainted 4.14.173-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x13e/0x194 lib/dump_stack.c:58
print_address_description.cold+0x7c/0x1e2 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2ae mm/kasan/report.c:393
tcindex_set_parms+0x1521/0x16a0 net/sched/cls_tcindex.c:473
tcindex_change+0x1b5/0x270 net/sched/cls_tcindex.c:534
tc_ctl_tfilter+0xf13/0x18e6 net/sched/cls_api.c:738
rtnetlink_rcv_msg+0x3be/0xb10 net/core/rtnetlink.c:4315
netlink_rcv_skb+0x127/0x370 net/netlink/af_netlink.c:2433
netlink_unicast_kernel net/netlink/af_netlink.c:1287 [inline]
netlink_unicast+0x437/0x620 net/netlink/af_netlink.c:1313
netlink_sendmsg+0x733/0xbe0 net/netlink/af_netlink.c:1878
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xc5/0x100 net/socket.c:656
___sys_sendmsg+0x70a/0x840 net/socket.c:2062
__sys_sendmsg+0xa3/0x120 net/socket.c:2096
SYSC_sendmsg net/socket.c:2107 [inline]
SyS_sendmsg+0x27/0x40 net/socket.c:2103
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x45c849
RSP: 002b:00007f29c6decc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f29c6ded6d4 RCX: 000000000045c849
RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
RBP: 000000000076bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000009f9 R14: 00000000004ccb11 R15: 000000000076bf0c
Allocated by task 6042:
save_stack+0x32/0xa0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kasan_kmalloc+0xbf/0xe0 mm/kasan/kasan.c:529
kmem_cache_alloc_trace+0x14d/0x7b0 mm/slab.c:3618
kmalloc include/linux/slab.h:488 [inline]
load_elf_binary+0xc9/0x46b0 fs/binfmt_elf.c:703
search_binary_handler fs/exec.c:1638 [inline]
search_binary_handler+0x139/0x6c0 fs/exec.c:1616
exec_binprm fs/exec.c:1680 [inline]
do_execveat_common.isra.0+0xf32/0x1c70 fs/exec.c:1802
do_execve fs/exec.c:1847 [inline]
SYSC_execve fs/exec.c:1928 [inline]
SyS_execve+0x34/0x40 fs/exec.c:1923
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
Freed by task 6042:
save_stack+0x32/0xa0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kfree+0xcb/0x260 mm/slab.c:3815
load_elf_binary+0x4cf/0x46b0 fs/binfmt_elf.c:1164
search_binary_handler fs/exec.c:1638 [inline]
search_binary_handler+0x139/0x6c0 fs/exec.c:1616
exec_binprm fs/exec.c:1680 [inline]
do_execveat_common.isra.0+0xf32/0x1c70 fs/exec.c:1802
do_execve fs/exec.c:1847 [inline]
SYSC_execve fs/exec.c:1928 [inline]
SyS_execve+0x34/0x40 fs/exec.c:1923
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
The buggy address belongs to the object at ffff8880a84e0b40
which belongs to the cache kmalloc-128 of size 128
The buggy address is located 64 bytes inside of
128-byte region [ffff8880a84e0b40, ffff8880a84e0bc0)
The buggy address belongs to the page:
page:ffffea0002a13800 count:1 mapcount:0 mapping:ffff8880a84e0000 index:0x0
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffff8880a84e0000 0000000000000000 0000000100000015
raw: ffffea0002a37de0 ffffea0002a1f920 ffff88812fe56640 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880a84e0a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
ffff8880a84e0b00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8880a84e0b80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
^
ffff8880a84e0c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880a84e0c80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
==================================================================
---
This bug is generated by a bot. It may contain errors.
See
https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at
syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches