KASAN: use-after-free Write in tcindex_set_parms

[syzbot]

Hello,

syzbot found the following crash on:

HEAD commit: 12cd844a Linux 4.14.173
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=154f961de00000
kernel config: https://syzkaller.appspot.com/x/.config?x=8a9d0602a0f7791e
dashboard link: https://syzkaller.appspot.com/bug?extid=bdd9cefe13c3d2122c7e
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13b1b973e00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+bdd9ce...@syzkaller.appspotmail.com

IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
batman_adv: batadv0: Interface activated: batadv_slave_1
IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
==================================================================
BUG: KASAN: use-after-free in tcindex_set_parms+0x1521/0x16a0 net/sched/cls_tcindex.c:473
Write of size 16 at addr ffff8880a84e0b80 by task syz-executor.0/7569

CPU: 1 PID: 7569 Comm: syz-executor.0 Not tainted 4.14.173-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x13e/0x194 lib/dump_stack.c:58
print_address_description.cold+0x7c/0x1e2 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2ae mm/kasan/report.c:393
tcindex_set_parms+0x1521/0x16a0 net/sched/cls_tcindex.c:473
tcindex_change+0x1b5/0x270 net/sched/cls_tcindex.c:534
tc_ctl_tfilter+0xf13/0x18e6 net/sched/cls_api.c:738
rtnetlink_rcv_msg+0x3be/0xb10 net/core/rtnetlink.c:4315
netlink_rcv_skb+0x127/0x370 net/netlink/af_netlink.c:2433
netlink_unicast_kernel net/netlink/af_netlink.c:1287 [inline]
netlink_unicast+0x437/0x620 net/netlink/af_netlink.c:1313
netlink_sendmsg+0x733/0xbe0 net/netlink/af_netlink.c:1878
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xc5/0x100 net/socket.c:656
___sys_sendmsg+0x70a/0x840 net/socket.c:2062
__sys_sendmsg+0xa3/0x120 net/socket.c:2096
SYSC_sendmsg net/socket.c:2107 [inline]
SyS_sendmsg+0x27/0x40 net/socket.c:2103
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x45c849
RSP: 002b:00007f29c6decc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f29c6ded6d4 RCX: 000000000045c849
RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
RBP: 000000000076bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000009f9 R14: 00000000004ccb11 R15: 000000000076bf0c

Allocated by task 6042:
save_stack+0x32/0xa0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kasan_kmalloc+0xbf/0xe0 mm/kasan/kasan.c:529
kmem_cache_alloc_trace+0x14d/0x7b0 mm/slab.c:3618
kmalloc include/linux/slab.h:488 [inline]
load_elf_binary+0xc9/0x46b0 fs/binfmt_elf.c:703
search_binary_handler fs/exec.c:1638 [inline]
search_binary_handler+0x139/0x6c0 fs/exec.c:1616
exec_binprm fs/exec.c:1680 [inline]
do_execveat_common.isra.0+0xf32/0x1c70 fs/exec.c:1802
do_execve fs/exec.c:1847 [inline]
SYSC_execve fs/exec.c:1928 [inline]
SyS_execve+0x34/0x40 fs/exec.c:1923
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7

Freed by task 6042:
save_stack+0x32/0xa0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kfree+0xcb/0x260 mm/slab.c:3815
load_elf_binary+0x4cf/0x46b0 fs/binfmt_elf.c:1164
search_binary_handler fs/exec.c:1638 [inline]
search_binary_handler+0x139/0x6c0 fs/exec.c:1616
exec_binprm fs/exec.c:1680 [inline]
do_execveat_common.isra.0+0xf32/0x1c70 fs/exec.c:1802
do_execve fs/exec.c:1847 [inline]
SYSC_execve fs/exec.c:1928 [inline]
SyS_execve+0x34/0x40 fs/exec.c:1923
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7

The buggy address belongs to the object at ffff8880a84e0b40
which belongs to the cache kmalloc-128 of size 128
The buggy address is located 64 bytes inside of
128-byte region [ffff8880a84e0b40, ffff8880a84e0bc0)
The buggy address belongs to the page:
page:ffffea0002a13800 count:1 mapcount:0 mapping:ffff8880a84e0000 index:0x0
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffff8880a84e0000 0000000000000000 0000000100000015
raw: ffffea0002a37de0 ffffea0002a1f920 ffff88812fe56640 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8880a84e0a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
ffff8880a84e0b00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8880a84e0b80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
^
ffff8880a84e0c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880a84e0c80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches

[syzbot]

syzbot has found a reproducer for the following crash on:

HEAD commit: 12cd844a Linux 4.14.173
git tree: linux-4.14.y

console output: https://syzkaller.appspot.com/x/log.txt?x=1348a61de00000

kernel config: https://syzkaller.appspot.com/x/.config?x=8a9d0602a0f7791e
dashboard link: https://syzkaller.appspot.com/bug?extid=bdd9cefe13c3d2122c7e
compiler: gcc (GCC) 9.0.0 20181231 (experimental)

syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1122cbe3e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16bbaeb1e00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+bdd9ce...@syzkaller.appspotmail.com

audit: type=1400 audit(1584544978.913:36): avc: denied { map } for pid=7340 comm="syz-executor874" path="/root/syz-executor874015636" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
IPVS: ftp: loaded support on port[0] = 21

==================================================================
BUG: KASAN: use-after-free in tcindex_set_parms+0x1521/0x16a0 net/sched/cls_tcindex.c:473

Write of size 16 at addr ffff88809ba21400 by task syz-executor874/7345

CPU: 1 PID: 7345 Comm: syz-executor874 Not tainted 4.14.173-syzkaller #0

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x13e/0x194 lib/dump_stack.c:58
print_address_description.cold+0x7c/0x1e2 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2ae mm/kasan/report.c:393
tcindex_set_parms+0x1521/0x16a0 net/sched/cls_tcindex.c:473
tcindex_change+0x1b5/0x270 net/sched/cls_tcindex.c:534
tc_ctl_tfilter+0xf13/0x18e6 net/sched/cls_api.c:738
rtnetlink_rcv_msg+0x3be/0xb10 net/core/rtnetlink.c:4315
netlink_rcv_skb+0x127/0x370 net/netlink/af_netlink.c:2433
netlink_unicast_kernel net/netlink/af_netlink.c:1287 [inline]
netlink_unicast+0x437/0x620 net/netlink/af_netlink.c:1313
netlink_sendmsg+0x733/0xbe0 net/netlink/af_netlink.c:1878
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xc5/0x100 net/socket.c:656
___sys_sendmsg+0x70a/0x840 net/socket.c:2062
__sys_sendmsg+0xa3/0x120 net/socket.c:2096
SYSC_sendmsg net/socket.c:2107 [inline]
SyS_sendmsg+0x27/0x40 net/socket.c:2103
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7

RIP: 0033:0x4416f9
RSP: 002b:00007ffcd14bceb8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000004416f9

RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003

RBP: 00007ffcd14bcec0 R08: 0000000100000000 R09: 0000000100000000
R10: 0000000100000000 R11: 0000000000000246 R12: 000000000000c075
R13: 0000000000402650 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 1:

save_stack+0x32/0xa0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kasan_kmalloc+0xbf/0xe0 mm/kasan/kasan.c:529
kmem_cache_alloc_trace+0x14d/0x7b0 mm/slab.c:3618
kmalloc include/linux/slab.h:488 [inline]

kzalloc include/linux/slab.h:661 [inline]
call_usermodehelper_setup+0x6f/0x2e0 kernel/umh.c:374
kobject_uevent_env+0xa79/0xc50 lib/kobject_uevent.c:525
device_add+0xa02/0x1400 drivers/base/core.c:1916
device_create_groups_vargs+0x1dc/0x250 drivers/base/core.c:2513
device_create_with_groups+0xd4/0x100 drivers/base/core.c:2632
misc_register+0x3b1/0x5b0 drivers/char/misc.c:219
init_binder_device drivers/android/binder.c:5561 [inline]
binder_init+0x2bb/0x4e1 drivers/android/binder.c:5630
do_one_initcall+0x88/0x202 init/main.c:824
do_initcall_level init/main.c:890 [inline]
do_initcalls init/main.c:898 [inline]
do_basic_setup init/main.c:916 [inline]
kernel_init_freeable+0x465/0x526 init/main.c:1073
kernel_init+0xd/0x15b init/main.c:998
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404

Freed by task 3318:

save_stack+0x32/0xa0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kfree+0xcb/0x260 mm/slab.c:3815

call_usermodehelper_freeinfo kernel/umh.c:43 [inline]
umh_complete kernel/umh.c:57 [inline]
umh_complete+0x6d/0x80 kernel/umh.c:46
call_usermodehelper_exec_async+0x413/0x4c0 kernel/umh.c:110
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404

The buggy address belongs to the object at ffff88809ba213c0

which belongs to the cache kmalloc-128 of size 128
The buggy address is located 64 bytes inside of

128-byte region [ffff88809ba213c0, ffff88809ba21440)

The buggy address belongs to the page:

page:ffffea00026e8840 count:1 mapcount:0 mapping:ffff88809ba21000 index:0x0
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffff88809ba21000 0000000000000000 0000000100000015
raw: ffffea00026b6960 ffffea00026e8be0 ffff88812fe56640 0000000000000000

page dumped because: kasan: bad access detected

Memory state around the buggy address:

ffff88809ba21300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
ffff88809ba21380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff88809ba21400: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
^
ffff88809ba21480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88809ba21500: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
==================================================================

[syzbot]

syzbot suspects this bug was fixed by commit:

commit 9f8b6c44be178c2498a00b270872a6e30e7c8266
Author: Cong Wang <xiyou.w...@gmail.com>
Date: Thu Mar 12 05:42:28 2020 +0000

net_sched: keep alloc_hash updated after hash allocation

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=149f9a5fe00000
start commit: 12cd844a Linux 4.14.173
git tree: linux-4.14.y

kernel config: https://syzkaller.appspot.com/x/.config?x=8a9d0602a0f7791e
dashboard link: https://syzkaller.appspot.com/bug?extid=bdd9cefe13c3d2122c7e

syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12b68745e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12e2a68de00000

If the result looks correct, please mark the bug fixed by replying with:

#syz fix: net_sched: keep alloc_hash updated after hash allocation

For information about bisection process see: https://goo.gl/tpsmEJ#bisection