Hello,
syzkaller hit the following crash on
4147d50978df60f34d444c647dde9e5b34a4315e
git://
git.cmpxchg.org/linux-mmots.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.
Unfortunately, I don't have any reproducer for this bug yet.
CC: [
da...@davemloft.net kuz...@ms2.inr.ac.ru linux-...@vger.kernel.org
net...@vger.kernel.org yosh...@linux-ipv6.org]
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by:
syzbot+439922...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for
details.
If you forward the report, please keep this part and the footer.
==================================================================
BUG: KASAN: use-after-free in fib6_ifdown+0x6ce/0x750 net/ipv6/route.c:3574
Read of size 8 at addr ffff8801d497a7c0 by task kworker/u4:0/5
CPU: 0 PID: 5 Comm: kworker/u4:0 Not tainted 4.15.0-rc7-mm1+ #53
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: netns cleanup_net
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
print_address_description+0x73/0x250 mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report+0x23b/0x360 mm/kasan/report.c:412
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
fib6_ifdown+0x6ce/0x750 net/ipv6/route.c:3574
fib6_clean_node+0x389/0x580 net/ipv6/ip6_fib.c:1916
fib6_walk_continue+0x46c/0x8a0 net/ipv6/ip6_fib.c:1842
fib6_walk+0x91/0xf0 net/ipv6/ip6_fib.c:1890
fib6_clean_tree+0x1e6/0x340 net/ipv6/ip6_fib.c:1967
__fib6_clean_all+0x1f4/0x3a0 net/ipv6/ip6_fib.c:1983
fib6_clean_all+0x27/0x30 net/ipv6/ip6_fib.c:1994
rt6_sync_down_dev net/ipv6/route.c:3611 [inline]
rt6_disable_ip+0xfd/0x700 net/ipv6/route.c:3616
addrconf_ifdown+0x14b/0x14f0 net/ipv6/addrconf.c:3595
addrconf_notify+0x5f8/0x2310 net/ipv6/addrconf.c:3519
notifier_call_chain+0x136/0x2c0 kernel/notifier.c:93
__raw_notifier_call_chain kernel/notifier.c:394 [inline]
raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401
call_netdevice_notifiers_info+0x32/0x70 net/core/dev.c:1708
call_netdevice_notifiers net/core/dev.c:1726 [inline]
netdev_wait_allrefs+0x229/0x410 net/core/dev.c:7999
netdev_run_todo+0x478/0xae0 net/core/dev.c:8090
rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:108
sit_exit_batch_net+0x4ce/0x720 net/ipv6/sit.c:1873
ops_exit_list.isra.6+0x100/0x150 net/core/net_namespace.c:145
cleanup_net+0x5c7/0xb50 net/core/net_namespace.c:484
process_one_work+0xbbf/0x1af0 kernel/workqueue.c:2112
worker_thread+0x223/0x1990 kernel/workqueue.c:2246
kthread+0x33c/0x400 kernel/kthread.c:238
ret_from_fork+0x4b/0x60 arch/x86/entry/entry_64.S:547
Allocated by task 8280:
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:552
kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:489
kmem_cache_alloc+0x12e/0x760 mm/slab.c:3541
dst_alloc+0x11f/0x1a0 net/core/dst.c:104
__ip6_dst_alloc+0x35/0x90 net/ipv6/route.c:361
ip6_dst_alloc+0x29/0xb0 net/ipv6/route.c:376
ip6_route_info_create+0x4ff/0x2dd0 net/ipv6/route.c:2548
ip6_route_add+0xa2/0x190 net/ipv6/route.c:2788
ipv6_route_ioctl+0x4db/0x6b0 net/ipv6/route.c:3308
inet6_ioctl+0xef/0x1e0 net/ipv6/af_inet6.c:520
sock_do_ioctl+0x65/0xb0 net/socket.c:956
sock_ioctl+0x2c2/0x440 net/socket.c:1053
vfs_ioctl fs/ioctl.c:46 [inline]
do_vfs_ioctl+0x1b1/0x1520 fs/ioctl.c:686
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
entry_SYSCALL_64_fastpath+0x29/0xa0
Freed by task 3503:
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
__kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:520
kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:527
__cache_free mm/slab.c:3485 [inline]
kmem_cache_free+0x86/0x2b0 mm/slab.c:3743
dst_destroy+0x257/0x370 net/core/dst.c:140
dst_destroy_rcu+0x16/0x20 net/core/dst.c:153
__rcu_reclaim kernel/rcu/rcu.h:172 [inline]
rcu_do_batch kernel/rcu/tree.c:2675 [inline]
invoke_rcu_callbacks kernel/rcu/tree.c:2934 [inline]
__rcu_process_callbacks kernel/rcu/tree.c:2901 [inline]
rcu_process_callbacks+0xd6c/0x17f0 kernel/rcu/tree.c:2918
__do_softirq+0x2d7/0xb85 kernel/softirq.c:285
The buggy address belongs to the object at ffff8801d497a7c0
which belongs to the cache ip6_dst_cache of size 320
The buggy address is located 0 bytes inside of
320-byte region [ffff8801d497a7c0, ffff8801d497a900)
The buggy address belongs to the page:
page:ffffea0007525e80 count:1 mapcount:0 mapping:ffff8801d497a040 index:0x0
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffff8801d497a040 0000000000000000 000000010000000a
raw: ffffea00070e78e0 ffffea0006abf420 ffff8801d3383900 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8801d497a680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8801d497a700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff8801d497a780: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
^
ffff8801d497a800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8801d497a880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This bug is generated by a dumb bot. It may contain errors.
See
https://goo.gl/tpsmEJ for details.
Direct all questions to
syzk...@googlegroups.com.
syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is
merged
into any tree, please reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line in the email body.
To upstream this report, please reply with:
#syz upstream