KASAN: use-after-free Read in radix_tree_next_chunk

[syzbot]

Hello,

syzbot found the following crash on:

HEAD commit: 84f5ad46 Linux 4.14.162
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=100fc149e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=67bcc84091a71c98
dashboard link: https://syzkaller.appspot.com/bug?extid=9ccb176dd94d3d649175
compiler: gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+9ccb17...@syzkaller.appspotmail.com

nla_parse: 7 callbacks suppressed
netlink: 20 bytes leftover after parsing attributes in process
`syz-executor.5'.
==================================================================
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:183
[inline]
BUG: KASAN: use-after-free in radix_tree_load_root lib/radix-tree.c:602
[inline]
BUG: KASAN: use-after-free in radix_tree_next_chunk+0x953/0x9a0
lib/radix-tree.c:1736
Read of size 8 at addr ffff888068a3f288 by task syz-executor.5/31113

CPU: 0 PID: 31113 Comm: syz-executor.5 Not tainted 4.14.162-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x142/0x197 lib/dump_stack.c:58
print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430
__read_once_size include/linux/compiler.h:183 [inline]
radix_tree_load_root lib/radix-tree.c:602 [inline]
radix_tree_next_chunk+0x953/0x9a0 lib/radix-tree.c:1736
radix_tree_iter_lookup include/linux/radix-tree.h:440 [inline]
ida_remove+0xaa/0x230 lib/idr.c:377
ida_simple_remove+0x39/0x60 lib/idr.c:503
ipvlan_link_new+0x515/0xfe0 drivers/net/ipvlan/ipvlan_main.c:633
rtnl_newlink+0xecb/0x1700 net/core/rtnetlink.c:2719
rtnetlink_rcv_msg+0x3da/0xb70 net/core/rtnetlink.c:4306
netlink_rcv_skb+0x14f/0x3c0 net/netlink/af_netlink.c:2432
rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:4318
netlink_unicast_kernel net/netlink/af_netlink.c:1286 [inline]
netlink_unicast+0x44d/0x650 net/netlink/af_netlink.c:1312
netlink_sendmsg+0x7c4/0xc60 net/netlink/af_netlink.c:1877
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xce/0x110 net/socket.c:656
___sys_sendmsg+0x70a/0x840 net/socket.c:2062
__sys_sendmsg+0xb9/0x140 net/socket.c:2096
SYSC_sendmsg net/socket.c:2107 [inline]
SyS_sendmsg+0x2d/0x50 net/socket.c:2103
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x45af49
RSP: 002b:00007f37ec369c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045af49
RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000004
RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f37ec36a6d4
R13: 00000000004ca811 R14: 00000000004e39b8 R15: 00000000ffffffff

Allocated by task 31113:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:529
kmem_cache_alloc_trace+0x152/0x790 mm/slab.c:3618
kmalloc include/linux/slab.h:488 [inline]
kzalloc include/linux/slab.h:661 [inline]
ipvlan_port_create drivers/net/ipvlan/ipvlan_main.c:140 [inline]
ipvlan_link_new+0x657/0xfe0 drivers/net/ipvlan/ipvlan_main.c:562
rtnl_newlink+0xecb/0x1700 net/core/rtnetlink.c:2719
rtnetlink_rcv_msg+0x3da/0xb70 net/core/rtnetlink.c:4306
netlink_rcv_skb+0x14f/0x3c0 net/netlink/af_netlink.c:2432
rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:4318
netlink_unicast_kernel net/netlink/af_netlink.c:1286 [inline]
netlink_unicast+0x44d/0x650 net/netlink/af_netlink.c:1312
netlink_sendmsg+0x7c4/0xc60 net/netlink/af_netlink.c:1877
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xce/0x110 net/socket.c:656
___sys_sendmsg+0x70a/0x840 net/socket.c:2062
__sys_sendmsg+0xb9/0x140 net/socket.c:2096
SYSC_sendmsg net/socket.c:2107 [inline]
SyS_sendmsg+0x2d/0x50 net/socket.c:2103
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7

Freed by task 31113:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kfree+0xcc/0x270 mm/slab.c:3815
ipvlan_port_destroy+0x285/0x400 drivers/net/ipvlan/ipvlan_main.c:187
ipvlan_uninit+0xc1/0xf0 drivers/net/ipvlan/ipvlan_main.c:233
register_netdevice+0x79b/0xca0 net/core/dev.c:7719
ipvlan_link_new+0x49f/0xfe0 drivers/net/ipvlan/ipvlan_main.c:611
rtnl_newlink+0xecb/0x1700 net/core/rtnetlink.c:2719
rtnetlink_rcv_msg+0x3da/0xb70 net/core/rtnetlink.c:4306
netlink_rcv_skb+0x14f/0x3c0 net/netlink/af_netlink.c:2432
rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:4318
netlink_unicast_kernel net/netlink/af_netlink.c:1286 [inline]
netlink_unicast+0x44d/0x650 net/netlink/af_netlink.c:1312
netlink_sendmsg+0x7c4/0xc60 net/netlink/af_netlink.c:1877
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xce/0x110 net/socket.c:656
___sys_sendmsg+0x70a/0x840 net/socket.c:2062
__sys_sendmsg+0xb9/0x140 net/socket.c:2096
SYSC_sendmsg net/socket.c:2107 [inline]
SyS_sendmsg+0x2d/0x50 net/socket.c:2103
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7

The buggy address belongs to the object at ffff888068a3e9c0
which belongs to the cache kmalloc-4096 of size 4096
The buggy address is located 2248 bytes inside of
4096-byte region [ffff888068a3e9c0, ffff888068a3f9c0)
The buggy address belongs to the page:
page:ffffea0001a28f80 count:1 mapcount:0 mapping:ffff888068a3e9c0 index:0x0
compound_mapcount: 0
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffff888068a3e9c0 0000000000000000 0000000100000001
raw: ffffea00014e59a0 ffff8880aa801a48 ffff8880aa800dc0 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff888068a3f180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888068a3f200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff888068a3f280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888068a3f300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888068a3f380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

[syzbot]

syzbot has found a reproducer for the following crash on:

HEAD commit: 84f5ad46 Linux 4.14.162
git tree: linux-4.14.y

console output: https://syzkaller.appspot.com/x/log.txt?x=11923e3ee00000

kernel config: https://syzkaller.appspot.com/x/.config?x=67bcc84091a71c98
dashboard link: https://syzkaller.appspot.com/bug?extid=9ccb176dd94d3d649175
compiler: gcc (GCC) 9.0.0 20181231 (experimental)

syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10fef49ee00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13f38115e00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+9ccb17...@syzkaller.appspotmail.com

audit: type=1400 audit(1578326945.404:36): avc: denied { map } for
pid=7198 comm="syz-executor245" path="/root/syz-executor245898594"
dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1

netlink: 20 bytes leftover after parsing attributes in process

`syz-executor245'.

==================================================================
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:183
[inline]
BUG: KASAN: use-after-free in radix_tree_load_root lib/radix-tree.c:602
[inline]
BUG: KASAN: use-after-free in radix_tree_next_chunk+0x953/0x9a0
lib/radix-tree.c:1736

Read of size 8 at addr ffff8880991ee988 by task syz-executor245/7198

CPU: 1 PID: 7198 Comm: syz-executor245 Not tainted 4.14.162-syzkaller #0

RIP: 0033:0x440609
RSP: 002b:00007ffe8cec3d88 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440609

RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000004

RBP: 00000000006ca018 R08: 0000000000000004 R09: 00000000004002c8
R10: 0000000000006e61 R11: 0000000000000246 R12: 0000000000401e90
R13: 0000000000401f20 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 7198:

Freed by task 7198:

The buggy address belongs to the object at ffff8880991ee0c0

which belongs to the cache kmalloc-4096 of size 4096
The buggy address is located 2248 bytes inside of

4096-byte region [ffff8880991ee0c0, ffff8880991ef0c0)

The buggy address belongs to the page:

page:ffffea0002647b80 count:1 mapcount:0 mapping:ffff8880991ee0c0 index:0x0

compound_mapcount: 0
flags: 0xfffe0000008100(slab|head)

raw: 00fffe0000008100 ffff8880991ee0c0 0000000000000000 0000000100000001
raw: ffffea00020dfd20 ffffea0002092ca0 ffff8880aa800dc0 0000000000000000

page dumped because: kasan: bad access detected

Memory state around the buggy address:

ffff8880991ee880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880991ee900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff8880991ee980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880991eea00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880991eea80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================