KASAN: slab-out-of-bounds Read in tcf_exts_destroy
20 views
Skip to first unread message
syzbot
Oct 16, 2019, 10:15:08 PM10/16/19
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: dafd6344 Linux 4.19.79
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=14a55fe7600000
kernel config: https://syzkaller.appspot.com/x/.config?x=af1dc11a1b49548a
dashboard link: https://syzkaller.appspot.com/bug?extid=8c1bbc0a9622aa45bcf6
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1480a76f600000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12445c87600000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+8c1bbc...@syzkaller.appspotmail.com
netlink: 'syz-executor929': attribute type 2 has an invalid length.
protocol 88fb is buggy, dev hsr_slave_0
protocol 88fb is buggy, dev hsr_slave_1
netlink: 'syz-executor929': attribute type 2 has an invalid length.
==================================================================
BUG: KASAN: slab-out-of-bounds in tcf_exts_destroy+0xb3/0xd0
net/sched/cls_api.c:2041
Read of size 8 at addr ffff8880a4549790 by task syz-executor929/7634
CPU: 0 PID: 7634 Comm: syz-executor929 Not tainted 4.19.79 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x172/0x1f0 lib/dump_stack.c:113
print_address_description.cold+0x7c/0x20d mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report mm/kasan/report.c:412 [inline]
kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:396
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
tcf_exts_destroy+0xb3/0xd0 net/sched/cls_api.c:2041
tcindex_free_perfect_hash.isra.0+0xb3/0x150 net/sched/cls_tcindex.c:270
tcindex_set_parms+0x10e7/0x1e20 net/sched/cls_tcindex.c:484
protocol 88fb is buggy, dev hsr_slave_0
protocol 88fb is buggy, dev hsr_slave_1
tcindex_change+0x22d/0x315 net/sched/cls_tcindex.c:518
tc_new_tfilter+0xc54/0x1790 net/sched/cls_api.c:1320
rtnetlink_rcv_msg+0x463/0xb00 net/core/rtnetlink.c:4747
protocol 88fb is buggy, dev hsr_slave_0
netlink_rcv_skb+0x17d/0x460 net/netlink/af_netlink.c:2454
protocol 88fb is buggy, dev hsr_slave_1
rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:4765
netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
netlink_unicast+0x537/0x720 net/netlink/af_netlink.c:1343
netlink_sendmsg+0x8ae/0xd70 net/netlink/af_netlink.c:1908
sock_sendmsg_nosec net/socket.c:622 [inline]
sock_sendmsg+0xd7/0x130 net/socket.c:632
___sys_sendmsg+0x3e2/0x920 net/socket.c:2115
__sys_sendmmsg+0x1bf/0x4e0 net/socket.c:2210
__do_sys_sendmmsg net/socket.c:2239 [inline]
__se_sys_sendmmsg net/socket.c:2236 [inline]
__x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2236
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x443299
Code: e8 9c 07 03 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 3b 0a fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffde91bb8a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000443299
RDX: 0000000000000332 RSI: 0000000020000140 RDI: 0000000000000008
RBP: 000000000000000c R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0030766461746162
R13: 00000000004041f0 R14: 0000000000000000 R15: 0000000000000000
Allocated by task 7634:
save_stack+0x45/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc mm/kasan/kasan.c:553 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:531
__do_kmalloc mm/slab.c:3727 [inline]
__kmalloc+0x15d/0x750 mm/slab.c:3736
kmalloc_array include/linux/slab.h:637 [inline]
kcalloc include/linux/slab.h:648 [inline]
tcindex_alloc_perfect_hash+0x5b/0x350 net/sched/cls_tcindex.c:278
tcindex_set_parms+0x44e/0x1e20 net/sched/cls_tcindex.c:339
tcindex_change+0x22d/0x315 net/sched/cls_tcindex.c:518
tc_new_tfilter+0xc54/0x1790 net/sched/cls_api.c:1320
rtnetlink_rcv_msg+0x463/0xb00 net/core/rtnetlink.c:4747
netlink_rcv_skb+0x17d/0x460 net/netlink/af_netlink.c:2454
rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:4765
netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
netlink_unicast+0x537/0x720 net/netlink/af_netlink.c:1343
netlink_sendmsg+0x8ae/0xd70 net/netlink/af_netlink.c:1908
sock_sendmsg_nosec net/socket.c:622 [inline]
sock_sendmsg+0xd7/0x130 net/socket.c:632
___sys_sendmsg+0x3e2/0x920 net/socket.c:2115
__sys_sendmmsg+0x1bf/0x4e0 net/socket.c:2210
__do_sys_sendmmsg net/socket.c:2239 [inline]
__se_sys_sendmmsg net/socket.c:2236 [inline]
__x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2236
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 2232:
save_stack+0x45/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
__cache_free mm/slab.c:3503 [inline]
kfree+0xcf/0x220 mm/slab.c:3822
call_usermodehelper_freeinfo kernel/umh.c:45 [inline]
umh_complete kernel/umh.c:59 [inline]
umh_complete+0x8d/0xa0 kernel/umh.c:48
call_usermodehelper_exec_async+0x560/0x640 kernel/umh.c:117
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
The buggy address belongs to the object at ffff8880a4549700
which belongs to the cache kmalloc-192 of size 192
The buggy address is located 144 bytes inside of
192-byte region [ffff8880a4549700, ffff8880a45497c0)
The buggy address belongs to the page:
page:ffffea0002915240 count:1 mapcount:0 mapping:ffff88812c3f0040 index:0x0
flags: 0x1fffc0000000100(slab)
raw: 01fffc0000000100 ffffea00028faa88 ffffea00028f1f88 ffff88812c3f0040
raw: 0000000000000000 ffff8880a4549000 0000000100000010 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880a4549680: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff8880a4549700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffff8880a4549780: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff8880a4549800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8880a4549880: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following crash on:
HEAD commit: dafd6344 Linux 4.19.79
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=14a55fe7600000
kernel config: https://syzkaller.appspot.com/x/.config?x=af1dc11a1b49548a
dashboard link: https://syzkaller.appspot.com/bug?extid=8c1bbc0a9622aa45bcf6
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1480a76f600000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12445c87600000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+8c1bbc...@syzkaller.appspotmail.com
netlink: 'syz-executor929': attribute type 2 has an invalid length.
protocol 88fb is buggy, dev hsr_slave_0
protocol 88fb is buggy, dev hsr_slave_1
netlink: 'syz-executor929': attribute type 2 has an invalid length.
==================================================================
BUG: KASAN: slab-out-of-bounds in tcf_exts_destroy+0xb3/0xd0
net/sched/cls_api.c:2041
Read of size 8 at addr ffff8880a4549790 by task syz-executor929/7634
CPU: 0 PID: 7634 Comm: syz-executor929 Not tainted 4.19.79 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x172/0x1f0 lib/dump_stack.c:113
print_address_description.cold+0x7c/0x20d mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report mm/kasan/report.c:412 [inline]
kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:396
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
tcf_exts_destroy+0xb3/0xd0 net/sched/cls_api.c:2041
tcindex_free_perfect_hash.isra.0+0xb3/0x150 net/sched/cls_tcindex.c:270
tcindex_set_parms+0x10e7/0x1e20 net/sched/cls_tcindex.c:484
protocol 88fb is buggy, dev hsr_slave_0
protocol 88fb is buggy, dev hsr_slave_1
tcindex_change+0x22d/0x315 net/sched/cls_tcindex.c:518
tc_new_tfilter+0xc54/0x1790 net/sched/cls_api.c:1320
rtnetlink_rcv_msg+0x463/0xb00 net/core/rtnetlink.c:4747
protocol 88fb is buggy, dev hsr_slave_0
netlink_rcv_skb+0x17d/0x460 net/netlink/af_netlink.c:2454
protocol 88fb is buggy, dev hsr_slave_1
rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:4765
netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
netlink_unicast+0x537/0x720 net/netlink/af_netlink.c:1343
netlink_sendmsg+0x8ae/0xd70 net/netlink/af_netlink.c:1908
sock_sendmsg_nosec net/socket.c:622 [inline]
sock_sendmsg+0xd7/0x130 net/socket.c:632
___sys_sendmsg+0x3e2/0x920 net/socket.c:2115
__sys_sendmmsg+0x1bf/0x4e0 net/socket.c:2210
__do_sys_sendmmsg net/socket.c:2239 [inline]
__se_sys_sendmmsg net/socket.c:2236 [inline]
__x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2236
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x443299
Code: e8 9c 07 03 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 3b 0a fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffde91bb8a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000443299
RDX: 0000000000000332 RSI: 0000000020000140 RDI: 0000000000000008
RBP: 000000000000000c R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0030766461746162
R13: 00000000004041f0 R14: 0000000000000000 R15: 0000000000000000
Allocated by task 7634:
save_stack+0x45/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc mm/kasan/kasan.c:553 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:531
__do_kmalloc mm/slab.c:3727 [inline]
__kmalloc+0x15d/0x750 mm/slab.c:3736
kmalloc_array include/linux/slab.h:637 [inline]
kcalloc include/linux/slab.h:648 [inline]
tcindex_alloc_perfect_hash+0x5b/0x350 net/sched/cls_tcindex.c:278
tcindex_set_parms+0x44e/0x1e20 net/sched/cls_tcindex.c:339
tcindex_change+0x22d/0x315 net/sched/cls_tcindex.c:518
tc_new_tfilter+0xc54/0x1790 net/sched/cls_api.c:1320
rtnetlink_rcv_msg+0x463/0xb00 net/core/rtnetlink.c:4747
netlink_rcv_skb+0x17d/0x460 net/netlink/af_netlink.c:2454
rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:4765
netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
netlink_unicast+0x537/0x720 net/netlink/af_netlink.c:1343
netlink_sendmsg+0x8ae/0xd70 net/netlink/af_netlink.c:1908
sock_sendmsg_nosec net/socket.c:622 [inline]
sock_sendmsg+0xd7/0x130 net/socket.c:632
___sys_sendmsg+0x3e2/0x920 net/socket.c:2115
__sys_sendmmsg+0x1bf/0x4e0 net/socket.c:2210
__do_sys_sendmmsg net/socket.c:2239 [inline]
__se_sys_sendmmsg net/socket.c:2236 [inline]
__x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2236
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 2232:
save_stack+0x45/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
__cache_free mm/slab.c:3503 [inline]
kfree+0xcf/0x220 mm/slab.c:3822
call_usermodehelper_freeinfo kernel/umh.c:45 [inline]
umh_complete kernel/umh.c:59 [inline]
umh_complete+0x8d/0xa0 kernel/umh.c:48
call_usermodehelper_exec_async+0x560/0x640 kernel/umh.c:117
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
The buggy address belongs to the object at ffff8880a4549700
which belongs to the cache kmalloc-192 of size 192
The buggy address is located 144 bytes inside of
192-byte region [ffff8880a4549700, ffff8880a45497c0)
The buggy address belongs to the page:
page:ffffea0002915240 count:1 mapcount:0 mapping:ffff88812c3f0040 index:0x0
flags: 0x1fffc0000000100(slab)
raw: 01fffc0000000100 ffffea00028faa88 ffffea00028f1f88 ffff88812c3f0040
raw: 0000000000000000 ffff8880a4549000 0000000100000010 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880a4549680: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff8880a4549700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffff8880a4549780: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff8880a4549800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8880a4549880: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot
Oct 21, 2019, 3:23:11 AM10/21/19
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: b98aebd2 Linux 4.14.150
syzbot found the following crash on:
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=165def08e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=c52c93b368dac5a7
dashboard link: https://syzkaller.appspot.com/bug?extid=ce5af60a6faa9cb4d112
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=170e87cf600000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1568b937600000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
8021q: adding VLAN 0 to HW filter on device batadv0
protocol 88fb is buggy, dev hsr_slave_0
protocol 88fb is buggy, dev hsr_slave_1
==================================================================
protocol 88fb is buggy, dev hsr_slave_1
BUG: KASAN: slab-out-of-bounds in tcf_exts_to_list
include/net/pkt_cls.h:150 [inline]
BUG: KASAN: slab-out-of-bounds in tcf_exts_destroy+0x2a3/0x320
net/sched/cls_api.c:897
Read of size 4 at addr ffff888096b8eeb4 by task syz-executor514/6959
CPU: 0 PID: 6959 Comm: syz-executor514 Not tainted 4.14.150 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
Google 01/01/2011
Call Trace:
dump_stack+0x138/0x197 lib/dump_stack.c:53
print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
__asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:429
tcf_exts_to_list include/net/pkt_cls.h:150 [inline]
tcf_exts_destroy+0x2a3/0x320 net/sched/cls_api.c:897
tcindex_free_perfect_hash.isra.0+0x9f/0x120 net/sched/cls_tcindex.c:291
tcindex_set_parms+0xece/0x1aa0 net/sched/cls_tcindex.c:502
tcindex_change+0x1cf/0x28d net/sched/cls_tcindex.c:535
tc_ctl_tfilter+0xff1/0x1aba net/sched/cls_api.c:738
rtnetlink_rcv_msg+0x3eb/0xb70 net/core/rtnetlink.c:4285
netlink_rcv_skb+0x14f/0x3c0 net/netlink/af_netlink.c:2432
rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:4297
netlink_unicast_kernel net/netlink/af_netlink.c:1286 [inline]
netlink_unicast+0x45d/0x640 net/netlink/af_netlink.c:1312
netlink_sendmsg+0x7c4/0xc60 net/netlink/af_netlink.c:1877
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xce/0x110 net/socket.c:656
___sys_sendmsg+0x349/0x840 net/socket.c:2062
__sys_sendmmsg+0x152/0x3a0 net/socket.c:2152
SYSC_sendmmsg net/socket.c:2183 [inline]
SyS_sendmmsg+0x35/0x60 net/socket.c:2178
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x443299
RSP: 002b:00007ffde338f1e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000443299
RDX: 0000000000000332 RSI: 0000000020000140 RDI: 0000000000000008
RBP: 000000000000000c R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0030766461746162
R13: 00000000004041f0 R14: 0000000000000000 R15: 0000000000000000
Allocated by task 6959:
RDX: 0000000000000332 RSI: 0000000020000140 RDI: 0000000000000008
RBP: 000000000000000c R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0030766461746162
R13: 00000000004041f0 R14: 0000000000000000 R15: 0000000000000000
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:529
__do_kmalloc mm/slab.c:3720 [inline]
__kmalloc+0x15d/0x7a0 mm/slab.c:3729
kmalloc_array include/linux/slab.h:607 [inline]
kcalloc include/linux/slab.h:618 [inline]
tcindex_alloc_perfect_hash+0x54/0x300 net/sched/cls_tcindex.c:299
tcindex_set_parms+0x3de/0x1aa0 net/sched/cls_tcindex.c:357
tcindex_change+0x1cf/0x28d net/sched/cls_tcindex.c:535
tc_ctl_tfilter+0xff1/0x1aba net/sched/cls_api.c:738
rtnetlink_rcv_msg+0x3eb/0xb70 net/core/rtnetlink.c:4285
netlink_rcv_skb+0x14f/0x3c0 net/netlink/af_netlink.c:2432
rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:4297
netlink_unicast_kernel net/netlink/af_netlink.c:1286 [inline]
netlink_unicast+0x45d/0x640 net/netlink/af_netlink.c:1312
netlink_sendmsg+0x7c4/0xc60 net/netlink/af_netlink.c:1877
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xce/0x110 net/socket.c:656
___sys_sendmsg+0x349/0x840 net/socket.c:2062
__sys_sendmmsg+0x152/0x3a0 net/socket.c:2152
SYSC_sendmmsg net/socket.c:2183 [inline]
SyS_sendmmsg+0x35/0x60 net/socket.c:2178
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
Freed by task 0:
(stack is not available)
The buggy address belongs to the object at ffff888096b8ee40
which belongs to the cache kmalloc-128 of size 128
The buggy address is located 116 bytes inside of
128-byte region [ffff888096b8ee40, ffff888096b8eec0)
The buggy address belongs to the page:
page:ffffea00025ae380 count:1 mapcount:0 mapping:ffff888096b8e000 index:0x0
flags: 0x1fffc0000000100(slab)
raw: 01fffc0000000100 ffff888096b8e000 0000000000000000 0000000100000015
raw: ffffea0001ffa9e0 ffff8880aa801548 ffff8880aa800640 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888096b8ed80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
Memory state around the buggy address:
ffff888096b8ee00: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
> ffff888096b8ee80: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
^
ffff888096b8ef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888096b8ef80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
protocol 88fb is buggy, dev hsr_slave_0
protocol 88fb is buggy, dev hsr_slave_1
protocol 88fb is buggy, dev hsr_slave_1
syzbot
Mar 11, 2020, 6:51:03 PM3/11/20
to syzkaller...@googlegroups.com
syzbot suspects this bug was fixed by commit:
commit 478c4b2ffd44e5186c7e22ae7c38a86a5b9cfde5
Author: Cong Wang <xiyou.w...@gmail.com>
Date: Mon Feb 3 05:14:35 2020 +0000
net_sched: fix an OOB access in cls_tcindex
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=117cdcb1e00000
start commit: dafd6344 Linux 4.19.79
git tree: linux-4.19.y
#syz fix: net_sched: fix an OOB access in cls_tcindex
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
commit 478c4b2ffd44e5186c7e22ae7c38a86a5b9cfde5
Author: Cong Wang <xiyou.w...@gmail.com>
Date: Mon Feb 3 05:14:35 2020 +0000
net_sched: fix an OOB access in cls_tcindex
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=117cdcb1e00000
start commit: dafd6344 Linux 4.19.79
git tree: linux-4.19.y
kernel config: https://syzkaller.appspot.com/x/.config?x=af1dc11a1b49548a
dashboard link: https://syzkaller.appspot.com/bug?extid=8c1bbc0a9622aa45bcf6
dashboard link: https://syzkaller.appspot.com/bug?extid=8c1bbc0a9622aa45bcf6
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1480a76f600000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12445c87600000
If the result looks correct, please mark the bug fixed by replying with:
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12445c87600000
#syz fix: net_sched: fix an OOB access in cls_tcindex
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot
Mar 12, 2020, 7:34:08 AM3/12/20
to syzkaller...@googlegroups.com
syzbot suspects this bug was fixed by commit:
commit 6cb448ee493c8a514c9afa0c346f3f5b3227de85
Author: Cong Wang <xiyou.w...@gmail.com>
Date: Mon Feb 3 05:14:35 2020 +0000
net_sched: fix an OOB access in cls_tcindex
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=10bc5591e00000
Date: Mon Feb 3 05:14:35 2020 +0000
net_sched: fix an OOB access in cls_tcindex
start commit: b98aebd2 Linux 4.14.150
git tree: linux-4.14.y
kernel config: https://syzkaller.appspot.com/x/.config?x=c52c93b368dac5a7
dashboard link: https://syzkaller.appspot.com/bug?extid=ce5af60a6faa9cb4d112
dashboard link: https://syzkaller.appspot.com/bug?extid=ce5af60a6faa9cb4d112
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=170e87cf600000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1568b937600000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1568b937600000
Reply all
Reply to author
Forward
0 new messages