KASAN: invalid-free in dccp_feat_val_destructor


syzbot

Mar 31, 2018, 4:47:13 PM3/31/18
to syzkaller-upst...@googlegroups.com
Hello,

syzbot hit the following crash on net-next commit
c0b6edef0bf0e33c12eaf80c676ff09def011518 (Thu Mar 29 19:58:10 2018 +0000)
tc-testing: Add newline when writing test case files
syzbot dashboard link:
https://syzkaller.appspot.com/bug?extid=385a3d094baf660978ec

Unfortunately, I don't have any reproducer for this crash yet.
Raw console output:
https://syzkaller.appspot.com/x/log.txt?id=5074895700492288
Kernel config:
https://syzkaller.appspot.com/x/.config?id=3327544840960562528
compiler: gcc (GCC) 7.1.1 20170620
CC: [da...@davemloft.net dc...@vger.kernel.org ger...@erg.abdn.ac.uk
linux-...@vger.kernel.org net...@vger.kernel.org]

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+385a3d...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for
details.
If you forward the report, please keep this part and the footer.

device lo left promiscuous mode
device lo entered promiscuous mode
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
IPVS: set_ctl: invalid protocol: 98 0.0.0.6:20000 lc
==================================================================
BUG: KASAN: double-free or invalid-free in
dccp_feat_val_destructor+0xd2/0xf0 net/dccp/feat.c:388

CPU: 1 PID: 20208 Comm: syz-executor3 Not tainted 4.16.0-rc6+ #288
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x24d lib/dump_stack.c:53
print_address_description+0x73/0x250 mm/kasan/report.c:256
kasan_report_invalid_free+0x55/0x80 mm/kasan/report.c:336
__kasan_slab_free+0x145/0x170 mm/kasan/kasan.c:500
kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:527
__cache_free mm/slab.c:3485 [inline]
kfree+0xd9/0x260 mm/slab.c:3800
dccp_feat_val_destructor+0xd2/0xf0 net/dccp/feat.c:388
dccp_feat_entry_destructor.part.5+0x40/0x60 net/dccp/feat.c:417
dccp_feat_entry_destructor net/dccp/feat.c:416 [inline]
dccp_feat_list_purge+0xc2/0x1e0 net/dccp/feat.c:549
dccp_destroy_sock+0x2f4/0x3f0 net/dccp/proto.c:239
inet_csk_destroy_sock+0x166/0x3f0 net/ipv4/inet_connection_sock.c:831
dccp_close+0x854/0xc20 net/dccp/proto.c:1089
inet_release+0xed/0x1c0 net/ipv4/af_inet.c:427
sock_release+0x8d/0x1e0 net/socket.c:594
sock_close+0x16/0x20 net/socket.c:1149
__fput+0x327/0x7e0 fs/file_table.c:209
____fput+0x15/0x20 fs/file_table.c:243
task_work_run+0x199/0x270 kernel/task_work.c:113
exit_task_work include/linux/task_work.h:22 [inline]
do_exit+0x9bb/0x1ad0 kernel/exit.c:865
do_group_exit+0x149/0x400 kernel/exit.c:968
get_signal+0x73a/0x16d0 kernel/signal.c:2469
do_signal+0x90/0x1e90 arch/x86/kernel/signal.c:809
exit_to_usermode_loop+0x258/0x2f0 arch/x86/entry/common.c:162
prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
syscall_return_slowpath arch/x86/entry/common.c:265 [inline]
do_syscall_64+0x6ec/0x940 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x454e79
RSP: 002b:00007fd1ac4eace8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 000000000072bf80 RCX: 0000000000454e79
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000072bf80
RBP: 000000000072bf80 R08: 0000000000000000 R09: 000000000072bf58
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000a3e81f R14: 00007fd1ac4eb9c0 R15: 0000000000000001

Allocated by task 4395:
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:552
__do_kmalloc_node mm/slab.c:3669 [inline]
__kmalloc_node+0x47/0x70 mm/slab.c:3676
kmalloc_node include/linux/slab.h:554 [inline]
__vmalloc_area_node mm/vmalloc.c:1686 [inline]
__vmalloc_node_range+0x1a1/0x650 mm/vmalloc.c:1759
__vmalloc_node mm/vmalloc.c:1804 [inline]
__vmalloc_node_flags mm/vmalloc.c:1818 [inline]
vzalloc+0x45/0x50 mm/vmalloc.c:1857
alloc_counters.isra.11+0x9a/0x7d0 net/ipv4/netfilter/ip_tables.c:801
copy_entries_to_user net/ipv4/netfilter/ip_tables.c:823 [inline]
get_entries net/ipv4/netfilter/ip_tables.c:1025 [inline]
do_ipt_get_ctl+0x63b/0xac0 net/ipv4/netfilter/ip_tables.c:1701
nf_sockopt net/netfilter/nf_sockopt.c:104 [inline]
nf_getsockopt+0x6a/0xc0 net/netfilter/nf_sockopt.c:122
ip_getsockopt+0x152/0x200 net/ipv4/ip_sockglue.c:1564
tcp_getsockopt+0x82/0xd0 net/ipv4/tcp.c:3338
sock_common_getsockopt+0x95/0xd0 net/core/sock.c:2998
SYSC_getsockopt net/socket.c:1881 [inline]
SyS_getsockopt+0x178/0x340 net/socket.c:1863
do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x42/0xb7

Freed by task 4395:
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
__kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:520
kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:527
__cache_free mm/slab.c:3485 [inline]
kfree+0xd9/0x260 mm/slab.c:3800
kvfree+0x36/0x60 mm/util.c:438
__vunmap+0x2ac/0x380 mm/vmalloc.c:1542
vfree+0x50/0xe0 mm/vmalloc.c:1606
copy_entries_to_user net/ipv4/netfilter/ip_tables.c:868 [inline]
get_entries net/ipv4/netfilter/ip_tables.c:1025 [inline]
do_ipt_get_ctl+0x7f5/0xac0 net/ipv4/netfilter/ip_tables.c:1701
nf_sockopt net/netfilter/nf_sockopt.c:104 [inline]
nf_getsockopt+0x6a/0xc0 net/netfilter/nf_sockopt.c:122
ip_getsockopt+0x152/0x200 net/ipv4/ip_sockglue.c:1564
tcp_getsockopt+0x82/0xd0 net/ipv4/tcp.c:3338
sock_common_getsockopt+0x95/0xd0 net/core/sock.c:2998
SYSC_getsockopt net/socket.c:1881 [inline]
SyS_getsockopt+0x178/0x340 net/socket.c:1863
do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x42/0xb7

The buggy address belongs to the object at ffff8801d788ec80
which belongs to the cache kmalloc-32 of size 32
The buggy address is located 0 bytes inside of
32-byte region [ffff8801d788ec80, ffff8801d788eca0)
The buggy address belongs to the page:
page:ffffea00075e2380 count:1 mapcount:0 mapping:ffff8801d788e000
index:0xffff8801d788efc1
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffff8801d788e000 ffff8801d788efc1 0000000100000030
raw: ffffea000740bd60 ffffea0006f4fd60 ffff8801dac001c0 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8801d788eb80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
ffff8801d788ec00: fb fb fb fb fc fc fc fc 00 fc fc fc fc fc fc fc
> ffff8801d788ec80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
^
ffff8801d788ed00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
ffff8801d788ed80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
==================================================================


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is
merged
into any tree, please reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line in the email body.
To upstream this report, please reply with:
#syz upstream


Dmitry Vyukov

Apr 10, 2018, 11:17:12 AM4/10/18
to syzbot, 'Dmitry Vyukov' via syzkaller-upstream-moderation
Let's assume this is fixed by "vlan: Fix vlan insertion for packets
without ethernet header", which caused a splash of random crashes.

#syz invalid