KASAN: use-after-free Read in qfq_search_class
11 views
Skip to first unread message
syzbot
Feb 23, 2020, 9:13:13 AM2/23/20
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: 4fccc250 Linux 4.19.105
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1305e265e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=d603c1cf5fa8b03d
dashboard link: https://syzkaller.appspot.com/bug?extid=be654aa177a9b51f83b9
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+be654a...@syzkaller.appspotmail.com
RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000008
RBP: 000000000076bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000009
R13: 00000000000009fa R14: 00000000004cc6eb R15: 0000000000000005
==================================================================
BUG: KASAN: use-after-free in qdisc_class_find include/net/sch_generic.h:528 [inline]
BUG: KASAN: use-after-free in qfq_find_class net/sched/sch_qfq.c:214 [inline]
BUG: KASAN: use-after-free in qfq_search_class+0x16e/0x1a0 net/sched/sch_qfq.c:565
Read of size 4 at addr ffff888091263a80 by task syz-executor.0/23301
CPU: 1 PID: 23301 Comm: syz-executor.0 Not tainted 4.19.105-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x197/0x210 lib/dump_stack.c:118
print_address_description.cold+0x7c/0x20d mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report mm/kasan/report.c:412 [inline]
kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:396
__asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:432
qdisc_class_find include/net/sch_generic.h:528 [inline]
qfq_find_class net/sched/sch_qfq.c:214 [inline]
qfq_search_class+0x16e/0x1a0 net/sched/sch_qfq.c:565
tc_ctl_tclass+0x73b/0xc60 net/sched/sch_api.c:1956
rtnetlink_rcv_msg+0x463/0xb00 net/core/rtnetlink.c:4777
netlink_rcv_skb+0x17d/0x460 net/netlink/af_netlink.c:2454
rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:4795
netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
netlink_unicast+0x53a/0x730 net/netlink/af_netlink.c:1343
netlink_sendmsg+0x8ae/0xd70 net/netlink/af_netlink.c:1908
sock_sendmsg_nosec net/socket.c:622 [inline]
sock_sendmsg+0xd7/0x130 net/socket.c:632
___sys_sendmsg+0x803/0x920 net/socket.c:2115
__sys_sendmsg+0x105/0x1d0 net/socket.c:2153
__do_sys_sendmsg net/socket.c:2162 [inline]
__se_sys_sendmsg net/socket.c:2160 [inline]
__x64_sys_sendmsg+0x78/0xb0 net/socket.c:2160
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45c429
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f68b34e9c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f68b34ea6d4 RCX: 000000000045c429
RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
RBP: 000000000076c060 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000009fa R14: 00000000004cc6eb R15: 000000000076c06c
Allocated by task 23297:
save_stack+0x45/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc mm/kasan/kasan.c:553 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:531
kmem_cache_alloc_trace+0x152/0x760 mm/slab.c:3625
kmalloc include/linux/slab.h:515 [inline]
kzalloc include/linux/slab.h:709 [inline]
qfq_change_class+0x7e1/0x15ce net/sched/sch_qfq.c:476
tc_ctl_tclass+0x4f8/0xc60 net/sched/sch_api.c:1992
rtnetlink_rcv_msg+0x463/0xb00 net/core/rtnetlink.c:4777
netlink_rcv_skb+0x17d/0x460 net/netlink/af_netlink.c:2454
rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:4795
netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
netlink_unicast+0x53a/0x730 net/netlink/af_netlink.c:1343
netlink_sendmsg+0x8ae/0xd70 net/netlink/af_netlink.c:1908
sock_sendmsg_nosec net/socket.c:622 [inline]
sock_sendmsg+0xd7/0x130 net/socket.c:632
___sys_sendmsg+0x803/0x920 net/socket.c:2115
__sys_sendmsg+0x105/0x1d0 net/socket.c:2153
__do_sys_sendmsg net/socket.c:2162 [inline]
__se_sys_sendmsg net/socket.c:2160 [inline]
__x64_sys_sendmsg+0x78/0xb0 net/socket.c:2160
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 23297:
save_stack+0x45/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
__cache_free mm/slab.c:3503 [inline]
kfree+0xcf/0x220 mm/slab.c:3822
qfq_change_class+0xff7/0x15ce net/sched/sch_qfq.c:530
tc_ctl_tclass+0x4f8/0xc60 net/sched/sch_api.c:1992
rtnetlink_rcv_msg+0x463/0xb00 net/core/rtnetlink.c:4777
netlink_rcv_skb+0x17d/0x460 net/netlink/af_netlink.c:2454
rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:4795
netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
netlink_unicast+0x53a/0x730 net/netlink/af_netlink.c:1343
netlink_sendmsg+0x8ae/0xd70 net/netlink/af_netlink.c:1908
sock_sendmsg_nosec net/socket.c:622 [inline]
sock_sendmsg+0xd7/0x130 net/socket.c:632
___sys_sendmsg+0x803/0x920 net/socket.c:2115
__sys_sendmsg+0x105/0x1d0 net/socket.c:2153
__do_sys_sendmsg net/socket.c:2162 [inline]
__se_sys_sendmsg net/socket.c:2160 [inline]
__x64_sys_sendmsg+0x78/0xb0 net/socket.c:2160
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff888091263a80
which belongs to the cache kmalloc-128 of size 128
The buggy address is located 0 bytes inside of
128-byte region [ffff888091263a80, ffff888091263b00)
The buggy address belongs to the page:
page:ffffea00024498c0 count:1 mapcount:0 mapping:ffff88812c31c640 index:0x0
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffffea0002a63048 ffffea00025a3388 ffff88812c31c640
raw: 0000000000000000 ffff888091263000 0000000100000015 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888091263980: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
ffff888091263a00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff888091263a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888091263b00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
ffff888091263b80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following crash on:
HEAD commit: 4fccc250 Linux 4.19.105
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1305e265e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=d603c1cf5fa8b03d
dashboard link: https://syzkaller.appspot.com/bug?extid=be654aa177a9b51f83b9
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+be654a...@syzkaller.appspotmail.com
RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000008
RBP: 000000000076bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000009
R13: 00000000000009fa R14: 00000000004cc6eb R15: 0000000000000005
==================================================================
BUG: KASAN: use-after-free in qdisc_class_find include/net/sch_generic.h:528 [inline]
BUG: KASAN: use-after-free in qfq_find_class net/sched/sch_qfq.c:214 [inline]
BUG: KASAN: use-after-free in qfq_search_class+0x16e/0x1a0 net/sched/sch_qfq.c:565
Read of size 4 at addr ffff888091263a80 by task syz-executor.0/23301
CPU: 1 PID: 23301 Comm: syz-executor.0 Not tainted 4.19.105-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x197/0x210 lib/dump_stack.c:118
print_address_description.cold+0x7c/0x20d mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report mm/kasan/report.c:412 [inline]
kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:396
__asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:432
qdisc_class_find include/net/sch_generic.h:528 [inline]
qfq_find_class net/sched/sch_qfq.c:214 [inline]
qfq_search_class+0x16e/0x1a0 net/sched/sch_qfq.c:565
tc_ctl_tclass+0x73b/0xc60 net/sched/sch_api.c:1956
rtnetlink_rcv_msg+0x463/0xb00 net/core/rtnetlink.c:4777
netlink_rcv_skb+0x17d/0x460 net/netlink/af_netlink.c:2454
rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:4795
netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
netlink_unicast+0x53a/0x730 net/netlink/af_netlink.c:1343
netlink_sendmsg+0x8ae/0xd70 net/netlink/af_netlink.c:1908
sock_sendmsg_nosec net/socket.c:622 [inline]
sock_sendmsg+0xd7/0x130 net/socket.c:632
___sys_sendmsg+0x803/0x920 net/socket.c:2115
__sys_sendmsg+0x105/0x1d0 net/socket.c:2153
__do_sys_sendmsg net/socket.c:2162 [inline]
__se_sys_sendmsg net/socket.c:2160 [inline]
__x64_sys_sendmsg+0x78/0xb0 net/socket.c:2160
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45c429
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f68b34e9c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f68b34ea6d4 RCX: 000000000045c429
RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
RBP: 000000000076c060 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000009fa R14: 00000000004cc6eb R15: 000000000076c06c
Allocated by task 23297:
save_stack+0x45/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc mm/kasan/kasan.c:553 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:531
kmem_cache_alloc_trace+0x152/0x760 mm/slab.c:3625
kmalloc include/linux/slab.h:515 [inline]
kzalloc include/linux/slab.h:709 [inline]
qfq_change_class+0x7e1/0x15ce net/sched/sch_qfq.c:476
tc_ctl_tclass+0x4f8/0xc60 net/sched/sch_api.c:1992
rtnetlink_rcv_msg+0x463/0xb00 net/core/rtnetlink.c:4777
netlink_rcv_skb+0x17d/0x460 net/netlink/af_netlink.c:2454
rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:4795
netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
netlink_unicast+0x53a/0x730 net/netlink/af_netlink.c:1343
netlink_sendmsg+0x8ae/0xd70 net/netlink/af_netlink.c:1908
sock_sendmsg_nosec net/socket.c:622 [inline]
sock_sendmsg+0xd7/0x130 net/socket.c:632
___sys_sendmsg+0x803/0x920 net/socket.c:2115
__sys_sendmsg+0x105/0x1d0 net/socket.c:2153
__do_sys_sendmsg net/socket.c:2162 [inline]
__se_sys_sendmsg net/socket.c:2160 [inline]
__x64_sys_sendmsg+0x78/0xb0 net/socket.c:2160
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 23297:
save_stack+0x45/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
__cache_free mm/slab.c:3503 [inline]
kfree+0xcf/0x220 mm/slab.c:3822
qfq_change_class+0xff7/0x15ce net/sched/sch_qfq.c:530
tc_ctl_tclass+0x4f8/0xc60 net/sched/sch_api.c:1992
rtnetlink_rcv_msg+0x463/0xb00 net/core/rtnetlink.c:4777
netlink_rcv_skb+0x17d/0x460 net/netlink/af_netlink.c:2454
rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:4795
netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
netlink_unicast+0x53a/0x730 net/netlink/af_netlink.c:1343
netlink_sendmsg+0x8ae/0xd70 net/netlink/af_netlink.c:1908
sock_sendmsg_nosec net/socket.c:622 [inline]
sock_sendmsg+0xd7/0x130 net/socket.c:632
___sys_sendmsg+0x803/0x920 net/socket.c:2115
__sys_sendmsg+0x105/0x1d0 net/socket.c:2153
__do_sys_sendmsg net/socket.c:2162 [inline]
__se_sys_sendmsg net/socket.c:2160 [inline]
__x64_sys_sendmsg+0x78/0xb0 net/socket.c:2160
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff888091263a80
which belongs to the cache kmalloc-128 of size 128
The buggy address is located 0 bytes inside of
128-byte region [ffff888091263a80, ffff888091263b00)
The buggy address belongs to the page:
page:ffffea00024498c0 count:1 mapcount:0 mapping:ffff88812c31c640 index:0x0
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffffea0002a63048 ffffea00025a3388 ffff88812c31c640
raw: 0000000000000000 ffff888091263000 0000000100000015 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888091263980: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
ffff888091263a00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff888091263a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888091263b00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
ffff888091263b80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Feb 23, 2020, 10:35:11 AM2/23/20
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following crash on:
HEAD commit: 4fccc250 Linux 4.19.105
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=14adc3e9e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13e2cc81e00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+be654a...@syzkaller.appspotmail.com
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fcd9605dd80
R13: 0000000000000009 R14: 0000000000000000 R15: 0507002400000074
netlink: 24 bytes leftover after parsing attributes in process `syz-executor372'.
CPU: 0 PID: 11117 Comm: syz-executor372 Not tainted 4.19.105-syzkaller #0
RIP: 0033:0x4471f9
Code: e8 0c bb 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 07 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fcd9603cd78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000006dcc78 RCX: 00000000004471f9
RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 000000000000000f
RBP: 00000000006dcc70 R08: 0000000000000001 R09: 0000000000000036
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fcd9603cd80
R13: 0000000000000010 R14: 0000000000000000 R15: 0507002400000074
Allocated by task 11102:
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffffea0002a1bbc8 ffffea00026c0f48 ffff88812c31c640
raw: 0000000000000000 ffff8880a0f21000 0000000100000015 0000000000000000
ffff8880a0f21a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880a0f21b00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
^
ffff8880a0f21b80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff8880a0f21c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
==================================================================
HEAD commit: 4fccc250 Linux 4.19.105
git tree: linux-4.19.y
kernel config: https://syzkaller.appspot.com/x/.config?x=d603c1cf5fa8b03d
dashboard link: https://syzkaller.appspot.com/bug?extid=be654aa177a9b51f83b9
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1725e265e00000
dashboard link: https://syzkaller.appspot.com/bug?extid=be654aa177a9b51f83b9
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13e2cc81e00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+be654a...@syzkaller.appspotmail.com
R13: 0000000000000009 R14: 0000000000000000 R15: 0507002400000074
netlink: 24 bytes leftover after parsing attributes in process `syz-executor372'.
==================================================================
BUG: KASAN: use-after-free in qdisc_class_find include/net/sch_generic.h:528 [inline]
BUG: KASAN: use-after-free in qfq_find_class net/sched/sch_qfq.c:214 [inline]
BUG: KASAN: use-after-free in qfq_search_class+0x16e/0x1a0 net/sched/sch_qfq.c:565
Read of size 4 at addr ffff8880a0f21b40 by task syz-executor372/11117
BUG: KASAN: use-after-free in qdisc_class_find include/net/sch_generic.h:528 [inline]
BUG: KASAN: use-after-free in qfq_find_class net/sched/sch_qfq.c:214 [inline]
BUG: KASAN: use-after-free in qfq_search_class+0x16e/0x1a0 net/sched/sch_qfq.c:565
CPU: 0 PID: 11117 Comm: syz-executor372 Not tainted 4.19.105-syzkaller #0
Code: e8 0c bb 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 07 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fcd9603cd78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000006dcc78 RCX: 00000000004471f9
RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 000000000000000f
RBP: 00000000006dcc70 R08: 0000000000000001 R09: 0000000000000036
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fcd9603cd80
R13: 0000000000000010 R14: 0000000000000000 R15: 0507002400000074
Allocated by task 11102:
save_stack+0x45/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc mm/kasan/kasan.c:553 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:531
kmem_cache_alloc_trace+0x152/0x760 mm/slab.c:3625
kmalloc include/linux/slab.h:515 [inline]
kzalloc include/linux/slab.h:709 [inline]
qfq_change_class+0x7e1/0x15ce net/sched/sch_qfq.c:476
tc_ctl_tclass+0x4f8/0xc60 net/sched/sch_api.c:1992
rtnetlink_rcv_msg+0x463/0xb00 net/core/rtnetlink.c:4777
netlink_rcv_skb+0x17d/0x460 net/netlink/af_netlink.c:2454
rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:4795
netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
netlink_unicast+0x53a/0x730 net/netlink/af_netlink.c:1343
netlink_sendmsg+0x8ae/0xd70 net/netlink/af_netlink.c:1908
sock_sendmsg_nosec net/socket.c:622 [inline]
sock_sendmsg+0xd7/0x130 net/socket.c:632
___sys_sendmsg+0x803/0x920 net/socket.c:2115
__sys_sendmsg+0x105/0x1d0 net/socket.c:2153
__do_sys_sendmsg net/socket.c:2162 [inline]
__se_sys_sendmsg net/socket.c:2160 [inline]
__x64_sys_sendmsg+0x78/0xb0 net/socket.c:2160
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 11102:
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc mm/kasan/kasan.c:553 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:531
kmem_cache_alloc_trace+0x152/0x760 mm/slab.c:3625
kmalloc include/linux/slab.h:515 [inline]
kzalloc include/linux/slab.h:709 [inline]
qfq_change_class+0x7e1/0x15ce net/sched/sch_qfq.c:476
tc_ctl_tclass+0x4f8/0xc60 net/sched/sch_api.c:1992
rtnetlink_rcv_msg+0x463/0xb00 net/core/rtnetlink.c:4777
netlink_rcv_skb+0x17d/0x460 net/netlink/af_netlink.c:2454
rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:4795
netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
netlink_unicast+0x53a/0x730 net/netlink/af_netlink.c:1343
netlink_sendmsg+0x8ae/0xd70 net/netlink/af_netlink.c:1908
sock_sendmsg_nosec net/socket.c:622 [inline]
sock_sendmsg+0xd7/0x130 net/socket.c:632
___sys_sendmsg+0x803/0x920 net/socket.c:2115
__sys_sendmsg+0x105/0x1d0 net/socket.c:2153
__do_sys_sendmsg net/socket.c:2162 [inline]
__se_sys_sendmsg net/socket.c:2160 [inline]
__x64_sys_sendmsg+0x78/0xb0 net/socket.c:2160
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
save_stack+0x45/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
__cache_free mm/slab.c:3503 [inline]
kfree+0xcf/0x220 mm/slab.c:3822
qfq_change_class+0xff7/0x15ce net/sched/sch_qfq.c:530
tc_ctl_tclass+0x4f8/0xc60 net/sched/sch_api.c:1992
rtnetlink_rcv_msg+0x463/0xb00 net/core/rtnetlink.c:4777
netlink_rcv_skb+0x17d/0x460 net/netlink/af_netlink.c:2454
rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:4795
netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
netlink_unicast+0x53a/0x730 net/netlink/af_netlink.c:1343
netlink_sendmsg+0x8ae/0xd70 net/netlink/af_netlink.c:1908
sock_sendmsg_nosec net/socket.c:622 [inline]
sock_sendmsg+0xd7/0x130 net/socket.c:632
___sys_sendmsg+0x803/0x920 net/socket.c:2115
__sys_sendmsg+0x105/0x1d0 net/socket.c:2153
__do_sys_sendmsg net/socket.c:2162 [inline]
__se_sys_sendmsg net/socket.c:2160 [inline]
__x64_sys_sendmsg+0x78/0xb0 net/socket.c:2160
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff8880a0f21b40
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
__cache_free mm/slab.c:3503 [inline]
kfree+0xcf/0x220 mm/slab.c:3822
qfq_change_class+0xff7/0x15ce net/sched/sch_qfq.c:530
tc_ctl_tclass+0x4f8/0xc60 net/sched/sch_api.c:1992
rtnetlink_rcv_msg+0x463/0xb00 net/core/rtnetlink.c:4777
netlink_rcv_skb+0x17d/0x460 net/netlink/af_netlink.c:2454
rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:4795
netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
netlink_unicast+0x53a/0x730 net/netlink/af_netlink.c:1343
netlink_sendmsg+0x8ae/0xd70 net/netlink/af_netlink.c:1908
sock_sendmsg_nosec net/socket.c:622 [inline]
sock_sendmsg+0xd7/0x130 net/socket.c:632
___sys_sendmsg+0x803/0x920 net/socket.c:2115
__sys_sendmsg+0x105/0x1d0 net/socket.c:2153
__do_sys_sendmsg net/socket.c:2162 [inline]
__se_sys_sendmsg net/socket.c:2160 [inline]
__x64_sys_sendmsg+0x78/0xb0 net/socket.c:2160
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
which belongs to the cache kmalloc-128 of size 128
The buggy address is located 0 bytes inside of
128-byte region [ffff8880a0f21b40, ffff8880a0f21bc0)
The buggy address is located 0 bytes inside of
The buggy address belongs to the page:
page:ffffea000283c840 count:1 mapcount:0 mapping:ffff88812c31c640 index:0x0
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffffea0002a1bbc8 ffffea00026c0f48 ffff88812c31c640
raw: 0000000000000000 ffff8880a0f21000 0000000100000015 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880a0f21a00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
Memory state around the buggy address:
ffff8880a0f21a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880a0f21b00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
^
ffff8880a0f21b80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff8880a0f21c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
==================================================================
syzbot
Jul 23, 2021, 10:55:09 PM7/23/21
to syzkaller...@googlegroups.com
syzbot suspects this issue was fixed by commit:
commit 98fd088c325429327fc5ddb0b12c6a203ebf7f30
Author: Eric Dumazet <edum...@google.com>
Date: Mon Jun 21 17:54:49 2021 +0000
pkt_sched: sch_qfq: fix qfq_change_class() error path
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1465d5ca300000
start commit: 4fccc2503536 Linux 4.19.105
git tree: linux-4.19.y
#syz fix: pkt_sched: sch_qfq: fix qfq_change_class() error path
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
commit 98fd088c325429327fc5ddb0b12c6a203ebf7f30
Author: Eric Dumazet <edum...@google.com>
Date: Mon Jun 21 17:54:49 2021 +0000
pkt_sched: sch_qfq: fix qfq_change_class() error path
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1465d5ca300000
start commit: 4fccc2503536 Linux 4.19.105
git tree: linux-4.19.y
kernel config: https://syzkaller.appspot.com/x/.config?x=d603c1cf5fa8b03d
dashboard link: https://syzkaller.appspot.com/bug?extid=be654aa177a9b51f83b9
dashboard link: https://syzkaller.appspot.com/bug?extid=be654aa177a9b51f83b9
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1725e265e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13e2cc81e00000
If the result looks correct, please mark the issue as fixed by replying with:
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13e2cc81e00000
#syz fix: pkt_sched: sch_qfq: fix qfq_change_class() error path
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
Reply all
Reply to author
Forward
0 new messages