KASAN: use-after-free Read in macvlan_broadcast
13 views
Skip to first unread message
syzbot
Jan 6, 2020, 8:50:11 AM1/6/20
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: 84f5ad46 Linux 4.14.162
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=13093751e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=67bcc84091a71c98
dashboard link: https://syzkaller.appspot.com/bug?extid=f0d66963aa2425f578ce
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+f0d669...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in __get_unaligned_cpu32
include/linux/unaligned/packed_struct.h:19 [inline]
BUG: KASAN: use-after-free in mc_hash drivers/net/macvlan.c:255 [inline]
BUG: KASAN: use-after-free in macvlan_broadcast+0x4b9/0x5c0
drivers/net/macvlan.c:281
Read of size 4 at addr ffff8880a9729541 by task syz-executor.0/18180
CPU: 1 PID: 18180 Comm: syz-executor.0 Not tainted 4.14.162-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x142/0x197 lib/dump_stack.c:58
print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
__asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:440
__get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline]
mc_hash drivers/net/macvlan.c:255 [inline]
macvlan_broadcast+0x4b9/0x5c0 drivers/net/macvlan.c:281
macvlan_queue_xmit drivers/net/macvlan.c:522 [inline]
macvlan_start_xmit+0x56b/0x72d drivers/net/macvlan.c:565
__netdev_start_xmit include/linux/netdevice.h:4038 [inline]
netdev_start_xmit include/linux/netdevice.h:4047 [inline]
packet_direct_xmit+0x431/0x640 net/packet/af_packet.c:269
packet_snd net/packet/af_packet.c:2994 [inline]
packet_sendmsg+0x1dd4/0x5a60 net/packet/af_packet.c:3019
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xce/0x110 net/socket.c:656
SYSC_sendto+0x206/0x310 net/socket.c:1763
SyS_sendto+0x40/0x50 net/socket.c:1731
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x45af49
RSP: 002b:00007f3fdd519c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 000000000045af49
RDX: 000000000000000e RSI: 0000000020000080 RDI: 0000000000000003
RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f3fdd51a6d4
R13: 00000000004ca8a7 R14: 00000000004e3ac0 R15: 00000000ffffffff
Allocated by task 3643:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:529
kmem_cache_alloc_trace+0x152/0x790 mm/slab.c:3618
kmalloc include/linux/slab.h:488 [inline]
kzalloc include/linux/slab.h:661 [inline]
kernfs_iop_get_link fs/kernfs/symlink.c:127 [inline]
kernfs_iop_get_link+0x6a/0x650 fs/kernfs/symlink.c:118
generic_readlink fs/namei.c:4727 [inline]
vfs_readlink+0x1ac/0x410 fs/namei.c:4762
SYSC_readlinkat fs/stat.c:406 [inline]
SyS_readlinkat fs/stat.c:382 [inline]
SYSC_readlink fs/stat.c:421 [inline]
SyS_readlink+0x218/0x290 fs/stat.c:418
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
Freed by task 3643:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kfree+0xcc/0x270 mm/slab.c:3815
kfree_link+0x16/0x20 fs/libfs.c:1070
do_delayed_call include/linux/delayed_call.h:28 [inline]
generic_readlink fs/namei.c:4732 [inline]
vfs_readlink+0x129/0x410 fs/namei.c:4762
SYSC_readlinkat fs/stat.c:406 [inline]
SyS_readlinkat fs/stat.c:382 [inline]
SYSC_readlink fs/stat.c:421 [inline]
SyS_readlink+0x218/0x290 fs/stat.c:418
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
The buggy address belongs to the object at ffff8880a9728600
which belongs to the cache kmalloc-4096 of size 4096
The buggy address is located 3905 bytes inside of
4096-byte region [ffff8880a9728600, ffff8880a9729600)
The buggy address belongs to the page:
page:ffffea0002a5ca00 count:1 mapcount:0 mapping:ffff8880a9728600 index:0x0
compound_mapcount: 0
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffff8880a9728600 0000000000000000 0000000100000001
raw: ffffea0002667f20 ffffea00023bfaa0 ffff8880aa800dc0 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880a9729400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880a9729480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff8880a9729500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880a9729580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880a9729600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following crash on:
HEAD commit: 84f5ad46 Linux 4.14.162
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=13093751e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=67bcc84091a71c98
dashboard link: https://syzkaller.appspot.com/bug?extid=f0d66963aa2425f578ce
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+f0d669...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in __get_unaligned_cpu32
include/linux/unaligned/packed_struct.h:19 [inline]
BUG: KASAN: use-after-free in mc_hash drivers/net/macvlan.c:255 [inline]
BUG: KASAN: use-after-free in macvlan_broadcast+0x4b9/0x5c0
drivers/net/macvlan.c:281
Read of size 4 at addr ffff8880a9729541 by task syz-executor.0/18180
CPU: 1 PID: 18180 Comm: syz-executor.0 Not tainted 4.14.162-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x142/0x197 lib/dump_stack.c:58
print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
__asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:440
__get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline]
mc_hash drivers/net/macvlan.c:255 [inline]
macvlan_broadcast+0x4b9/0x5c0 drivers/net/macvlan.c:281
macvlan_queue_xmit drivers/net/macvlan.c:522 [inline]
macvlan_start_xmit+0x56b/0x72d drivers/net/macvlan.c:565
__netdev_start_xmit include/linux/netdevice.h:4038 [inline]
netdev_start_xmit include/linux/netdevice.h:4047 [inline]
packet_direct_xmit+0x431/0x640 net/packet/af_packet.c:269
packet_snd net/packet/af_packet.c:2994 [inline]
packet_sendmsg+0x1dd4/0x5a60 net/packet/af_packet.c:3019
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xce/0x110 net/socket.c:656
SYSC_sendto+0x206/0x310 net/socket.c:1763
SyS_sendto+0x40/0x50 net/socket.c:1731
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x45af49
RSP: 002b:00007f3fdd519c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 000000000045af49
RDX: 000000000000000e RSI: 0000000020000080 RDI: 0000000000000003
RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f3fdd51a6d4
R13: 00000000004ca8a7 R14: 00000000004e3ac0 R15: 00000000ffffffff
Allocated by task 3643:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:529
kmem_cache_alloc_trace+0x152/0x790 mm/slab.c:3618
kmalloc include/linux/slab.h:488 [inline]
kzalloc include/linux/slab.h:661 [inline]
kernfs_iop_get_link fs/kernfs/symlink.c:127 [inline]
kernfs_iop_get_link+0x6a/0x650 fs/kernfs/symlink.c:118
generic_readlink fs/namei.c:4727 [inline]
vfs_readlink+0x1ac/0x410 fs/namei.c:4762
SYSC_readlinkat fs/stat.c:406 [inline]
SyS_readlinkat fs/stat.c:382 [inline]
SYSC_readlink fs/stat.c:421 [inline]
SyS_readlink+0x218/0x290 fs/stat.c:418
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
Freed by task 3643:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kfree+0xcc/0x270 mm/slab.c:3815
kfree_link+0x16/0x20 fs/libfs.c:1070
do_delayed_call include/linux/delayed_call.h:28 [inline]
generic_readlink fs/namei.c:4732 [inline]
vfs_readlink+0x129/0x410 fs/namei.c:4762
SYSC_readlinkat fs/stat.c:406 [inline]
SyS_readlinkat fs/stat.c:382 [inline]
SYSC_readlink fs/stat.c:421 [inline]
SyS_readlink+0x218/0x290 fs/stat.c:418
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
The buggy address belongs to the object at ffff8880a9728600
which belongs to the cache kmalloc-4096 of size 4096
The buggy address is located 3905 bytes inside of
4096-byte region [ffff8880a9728600, ffff8880a9729600)
The buggy address belongs to the page:
page:ffffea0002a5ca00 count:1 mapcount:0 mapping:ffff8880a9728600 index:0x0
compound_mapcount: 0
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffff8880a9728600 0000000000000000 0000000100000001
raw: ffffea0002667f20 ffffea00023bfaa0 ffff8880aa800dc0 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880a9729400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880a9729480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff8880a9729500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880a9729580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880a9729600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Jan 6, 2020, 8:53:10 AM1/6/20
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: 3d40d711 Linux 4.19.93
syzbot found the following crash on:
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1049ba56e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=f02ca1f135b0c3c5
dashboard link: https://syzkaller.appspot.com/bug?extid=b95be9194cee45eb2a01
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+b95be9...@syzkaller.appspotmail.com
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
==================================================================
BUG: KASAN: use-after-free in __get_unaligned_cpu32
include/linux/unaligned/packed_struct.h:19 [inline]
BUG: KASAN: use-after-free in mc_hash drivers/net/macvlan.c:255 [inline]
drivers/net/macvlan.c:281
Read of size 4 at addr ffff88808ecfb081 by task syz-executor.4/31257
CPU: 1 PID: 31257 Comm: syz-executor.4 Not tainted 4.19.93-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
Google 01/01/2011
Call Trace:
dump_stack+0x197/0x210 lib/dump_stack.c:118
print_address_description.cold+0x7c/0x20d mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report mm/kasan/report.c:412 [inline]
kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:396
__asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:443
__get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline]
mc_hash drivers/net/macvlan.c:255 [inline]
macvlan_broadcast+0x57c/0x660 drivers/net/macvlan.c:281
mc_hash drivers/net/macvlan.c:255 [inline]
macvlan_queue_xmit drivers/net/macvlan.c:524 [inline]
macvlan_start_xmit+0x408/0x785 drivers/net/macvlan.c:563
__netdev_start_xmit include/linux/netdevice.h:4308 [inline]
netdev_start_xmit include/linux/netdevice.h:4317 [inline]
dev_direct_xmit+0x34d/0x650 net/core/dev.c:3909
packet_direct_xmit+0xf9/0x170 net/packet/af_packet.c:246
packet_snd net/packet/af_packet.c:2958 [inline]
packet_sendmsg+0x3bb2/0x6440 net/packet/af_packet.c:2983
sock_sendmsg_nosec net/socket.c:622 [inline]
sock_sendmsg+0xd7/0x130 net/socket.c:632
__sys_sendto+0x262/0x380 net/socket.c:1787
__do_sys_sendto net/socket.c:1799 [inline]
__se_sys_sendto net/socket.c:1795 [inline]
__x64_sys_sendto+0xe1/0x1a0 net/socket.c:1795
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45af49
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f99531ffc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 000000000045af49
RDX: 000000000000000e RSI: 0000000020000080 RDI: 0000000000000003
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
RDX: 000000000000000e RSI: 0000000020000080 RDI: 0000000000000003
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f99532006d4
R13: 00000000004ca8a7 R14: 00000000004e3ac0 R15: 00000000ffffffff
The buggy address belongs to the page:
page:ffffea00023b3ec0 count:0 mapcount:-128 mapping:0000000000000000
index:0x0
flags: 0xfffe0000000000()
raw: 00fffe0000000000 ffffea0002823908 ffffea00022a3848 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffff7f 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88808ecfaf80: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
Memory state around the buggy address:
ffff88808ecfb000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
kobject: 'loop1' (00000000edf1c11f): kobject_uevent_env
> ffff88808ecfb080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88808ecfb100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88808ecfb180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
syzbot
Jan 6, 2020, 9:19:11 AM1/6/20
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following crash on:
HEAD commit: 3d40d711 Linux 4.19.93
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=11806ec6e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10e23e3ee00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+b95be9...@syzkaller.appspotmail.com
IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
protocol 88fb is buggy, dev hsr_slave_0
protocol 88fb is buggy, dev hsr_slave_1
CPU: 0 PID: 7939 Comm: syz-executor633 Not tainted 4.19.93-syzkaller #0
RIP: 0033:0x442bd9
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7
RSP: 002b:00007ffc2ad49008 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000442bd9
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000404150 R14: 0000000000000000 R15: 0000000000000000
The buggy address belongs to the page:
page:ffffea00022e92c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0xfffe0000000000()
raw: 00fffe0000000000 0000000000000000 ffffffff022e0101 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
ffff88808ba4af80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> ffff88808ba4b000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88808ba4b080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88808ba4b100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
HEAD commit: 3d40d711 Linux 4.19.93
git tree: linux-4.19.y
kernel config: https://syzkaller.appspot.com/x/.config?x=f02ca1f135b0c3c5
dashboard link: https://syzkaller.appspot.com/bug?extid=b95be9194cee45eb2a01
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11893751e00000
dashboard link: https://syzkaller.appspot.com/bug?extid=b95be9194cee45eb2a01
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10e23e3ee00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+b95be9...@syzkaller.appspotmail.com
IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
protocol 88fb is buggy, dev hsr_slave_0
protocol 88fb is buggy, dev hsr_slave_1
==================================================================
BUG: KASAN: use-after-free in __get_unaligned_cpu32
include/linux/unaligned/packed_struct.h:19 [inline]
BUG: KASAN: use-after-free in mc_hash drivers/net/macvlan.c:255 [inline]
BUG: KASAN: use-after-free in macvlan_broadcast+0x57c/0x660
drivers/net/macvlan.c:281
Read of size 4 at addr ffff88808ba4b041 by task syz-executor633/7939
BUG: KASAN: use-after-free in __get_unaligned_cpu32
include/linux/unaligned/packed_struct.h:19 [inline]
BUG: KASAN: use-after-free in mc_hash drivers/net/macvlan.c:255 [inline]
BUG: KASAN: use-after-free in macvlan_broadcast+0x57c/0x660
drivers/net/macvlan.c:281
CPU: 0 PID: 7939 Comm: syz-executor633 Not tainted 4.19.93-syzkaller #0
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 5b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffc2ad49008 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000442bd9
RDX: 000000000000000e RSI: 0000000020000080 RDI: 0000000000000003
RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000404150 R14: 0000000000000000 R15: 0000000000000000
The buggy address belongs to the page:
flags: 0xfffe0000000000()
raw: 00fffe0000000000 0000000000000000 ffffffff022e0101 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88808ba4af00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
Memory state around the buggy address:
ffff88808ba4af80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> ffff88808ba4b000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88808ba4b080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88808ba4b100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
syzbot
Jan 7, 2020, 12:40:09 PM1/7/20
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following crash on:
HEAD commit: 84f5ad46 Linux 4.14.162
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=17ed0876e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14bae949e00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+f0d669...@syzkaller.appspotmail.com
device veth0_vlan entered promiscuous mode
device veth1_vlan entered promiscuous mode
CPU: 1 PID: 7101 Comm: syz-executor575 Not tainted 4.14.162-syzkaller #0
RIP: 0033:0x442329
RSP: 002b:00007fff4e3d11e8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000442329
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00000000004038c0 R14: 0000000000000000 R15: 0000000000000000
Allocated by task 6450:
kmem_cache_alloc+0x12e/0x780 mm/slab.c:3552
getname_flags fs/namei.c:138 [inline]
getname_flags+0xcb/0x580 fs/namei.c:128
user_path_at_empty+0x2f/0x50 fs/namei.c:2630
user_path_at include/linux/namei.h:57 [inline]
vfs_statx+0xcd/0x160 fs/stat.c:185
vfs_stat include/linux/fs.h:3060 [inline]
SYSC_newstat+0x95/0x100 fs/stat.c:337
SyS_newstat+0x1e/0x30 fs/stat.c:333
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
Freed by task 6450:
putname+0xdb/0x120 fs/namei.c:259
filename_lookup+0x23a/0x380 fs/namei.c:2385
user_path_at_empty+0x43/0x50 fs/namei.c:2630
user_path_at include/linux/namei.h:57 [inline]
vfs_statx+0xcd/0x160 fs/stat.c:185
vfs_stat include/linux/fs.h:3060 [inline]
SYSC_newstat+0x95/0x100 fs/stat.c:337
SyS_newstat+0x1e/0x30 fs/stat.c:333
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
The buggy address belongs to the object at ffff88808cf16a40
which belongs to the cache names_cache of size 4096
The buggy address is located 2817 bytes inside of
4096-byte region [ffff88808cf16a40, ffff88808cf17a40)
raw: ffffea0001ff6520 ffffea00020af8a0 ffff8880aa9e9cc0 0000000000000000
ffff88808cf17480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff88808cf17500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88808cf17580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88808cf17600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
HEAD commit: 84f5ad46 Linux 4.14.162
git tree: linux-4.14.y
kernel config: https://syzkaller.appspot.com/x/.config?x=67bcc84091a71c98
dashboard link: https://syzkaller.appspot.com/bug?extid=f0d66963aa2425f578ce
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11dd7459e00000
dashboard link: https://syzkaller.appspot.com/bug?extid=f0d66963aa2425f578ce
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14bae949e00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+f0d669...@syzkaller.appspotmail.com
device veth1_vlan entered promiscuous mode
IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
==================================================================
BUG: KASAN: use-after-free in __get_unaligned_cpu32
include/linux/unaligned/packed_struct.h:19 [inline]
BUG: KASAN: use-after-free in mc_hash drivers/net/macvlan.c:255 [inline]
BUG: KASAN: use-after-free in macvlan_broadcast+0x4b9/0x5c0
drivers/net/macvlan.c:281
Read of size 4 at addr ffff88808cf17541 by task syz-executor575/7101
BUG: KASAN: use-after-free in __get_unaligned_cpu32
include/linux/unaligned/packed_struct.h:19 [inline]
BUG: KASAN: use-after-free in mc_hash drivers/net/macvlan.c:255 [inline]
BUG: KASAN: use-after-free in macvlan_broadcast+0x4b9/0x5c0
drivers/net/macvlan.c:281
CPU: 1 PID: 7101 Comm: syz-executor575 Not tainted 4.14.162-syzkaller #0
RSP: 002b:00007fff4e3d11e8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000442329
RDX: 000000000000000e RSI: 0000000020000080 RDI: 0000000000000003
RBP: 00007fff4e3d1210 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00000000004038c0 R14: 0000000000000000 R15: 0000000000000000
Allocated by task 6450:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:529
kasan_slab_alloc+0xf/0x20 mm/kasan/kasan.c:489
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:529
kmem_cache_alloc+0x12e/0x780 mm/slab.c:3552
getname_flags fs/namei.c:138 [inline]
getname_flags+0xcb/0x580 fs/namei.c:128
user_path_at_empty+0x2f/0x50 fs/namei.c:2630
user_path_at include/linux/namei.h:57 [inline]
vfs_statx+0xcd/0x160 fs/stat.c:185
vfs_stat include/linux/fs.h:3060 [inline]
SYSC_newstat+0x95/0x100 fs/stat.c:337
SyS_newstat+0x1e/0x30 fs/stat.c:333
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
Freed by task 6450:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kmem_cache_free+0x83/0x2b0 mm/slab.c:3758
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
putname+0xdb/0x120 fs/namei.c:259
filename_lookup+0x23a/0x380 fs/namei.c:2385
user_path_at_empty+0x43/0x50 fs/namei.c:2630
user_path_at include/linux/namei.h:57 [inline]
vfs_statx+0xcd/0x160 fs/stat.c:185
vfs_stat include/linux/fs.h:3060 [inline]
SYSC_newstat+0x95/0x100 fs/stat.c:337
SyS_newstat+0x1e/0x30 fs/stat.c:333
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
The buggy address belongs to the object at ffff88808cf16a40
which belongs to the cache names_cache of size 4096
The buggy address is located 2817 bytes inside of
4096-byte region [ffff88808cf16a40, ffff88808cf17a40)
The buggy address belongs to the page:
page:ffffea000233c580 count:1 mapcount:0 mapping:ffff88808cf16a40 index:0x0
compound_mapcount: 0
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffff88808cf16a40 0000000000000000 0000000100000001
flags: 0xfffe0000008100(slab|head)
raw: ffffea0001ff6520 ffffea00020af8a0 ffff8880aa9e9cc0 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88808cf17400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Memory state around the buggy address:
ffff88808cf17480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff88808cf17500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88808cf17580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88808cf17600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
syzbot
Feb 8, 2020, 12:09:02 PM2/8/20
to syzkaller...@googlegroups.com
syzbot suspects this bug was fixed by commit:
commit 5f3274c53ae7049755b29ec0c351f145cb68270c
Author: Eric Dumazet <edum...@google.com>
Date: Mon Jan 6 20:30:48 2020 +0000
macvlan: do not assume mac_header is set in macvlan_broadcast()
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=155fb829e00000
start commit: 3d40d711 Linux 4.19.93
git tree: linux-4.19.y
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10e58eb9e00000
If the result looks correct, please mark the bug fixed by replying with:
#syz fix: macvlan: do not assume mac_header is set in macvlan_broadcast()
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
commit 5f3274c53ae7049755b29ec0c351f145cb68270c
Author: Eric Dumazet <edum...@google.com>
Date: Mon Jan 6 20:30:48 2020 +0000
macvlan: do not assume mac_header is set in macvlan_broadcast()
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=155fb829e00000
start commit: 3d40d711 Linux 4.19.93
git tree: linux-4.19.y
kernel config: https://syzkaller.appspot.com/x/.config?x=f02ca1f135b0c3c5
dashboard link: https://syzkaller.appspot.com/bug?extid=b95be9194cee45eb2a01
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15635ec6e00000
dashboard link: https://syzkaller.appspot.com/bug?extid=b95be9194cee45eb2a01
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10e58eb9e00000
If the result looks correct, please mark the bug fixed by replying with:
#syz fix: macvlan: do not assume mac_header is set in macvlan_broadcast()
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot
Feb 8, 2020, 3:21:05 PM2/8/20
to syzkaller...@googlegroups.com
syzbot suspects this bug was fixed by commit:
commit 4a953272f2d2db63bba97137b64b3f1770634e00
Author: Eric Dumazet <edum...@google.com>
Date: Mon Jan 6 20:30:48 2020 +0000
macvlan: do not assume mac_header is set in macvlan_broadcast()
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1533720de00000
Date: Mon Jan 6 20:30:48 2020 +0000
macvlan: do not assume mac_header is set in macvlan_broadcast()
start commit: 84f5ad46 Linux 4.14.162
git tree: linux-4.14.y
kernel config: https://syzkaller.appspot.com/x/.config?x=67bcc84091a71c98
dashboard link: https://syzkaller.appspot.com/bug?extid=f0d66963aa2425f578ce
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=108162aee00000
dashboard link: https://syzkaller.appspot.com/bug?extid=f0d66963aa2425f578ce
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15ef2459e00000
Reply all
Reply to author
Forward
0 new messages