KASAN: use-after-free Read in rt6_mtu_change_route


syzbot

Jan 11, 2018, 7:58:05 PM
to syzkaller-upst...@googlegroups.com
Hello,

syzkaller hit the following crash on
4147d50978df60f34d444c647dde9e5b34a4315e
git://git.cmpxchg.org/linux-mmots.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.
Unfortunately, I don't have any reproducer for this bug yet.
CC: [da...@davemloft.net kuz...@ms2.inr.ac.ru linux-...@vger.kernel.org net...@vger.kernel.org yosh...@linux-ipv6.org]

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+95829b...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.

APIC base relocation is unsupported by KVM
==================================================================
BUG: KASAN: use-after-free in rt6_mtu_change_route+0x8ea/0x8f0 net/ipv6/route.c:3655
Read of size 8 at addr ffff8801c083dcc0 by task syz-executor6/26096

CPU: 1 PID: 26096 Comm: syz-executor6 Not tainted 4.15.0-rc7-mm1+ #53
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
print_address_description+0x73/0x250 mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report+0x23b/0x360 mm/kasan/report.c:412
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
rt6_mtu_change_route+0x8ea/0x8f0 net/ipv6/route.c:3655
fib6_clean_node+0x389/0x580 net/ipv6/ip6_fib.c:1916
fib6_walk_continue+0x46c/0x8a0 net/ipv6/ip6_fib.c:1842
fib6_walk+0x91/0xf0 net/ipv6/ip6_fib.c:1890
fib6_clean_tree+0x1e6/0x340 net/ipv6/ip6_fib.c:1967
__fib6_clean_all+0x1f4/0x3a0 net/ipv6/ip6_fib.c:1983
fib6_clean_all+0x27/0x30 net/ipv6/ip6_fib.c:1994
rt6_mtu_change+0xde/0x140 net/ipv6/route.c:3677
addrconf_notify+0x664/0x2310 net/ipv6/addrconf.c:3394
notifier_call_chain+0x136/0x2c0 kernel/notifier.c:93
__raw_notifier_call_chain kernel/notifier.c:394 [inline]
raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401
call_netdevice_notifiers_info+0x32/0x70 net/core/dev.c:1708
call_netdevice_notifiers net/core/dev.c:1726 [inline]
dev_set_mtu+0x3c5/0x720 net/core/dev.c:7025
dev_ifsioc+0x73c/0x9b0 net/core/dev_ioctl.c:264
dev_ioctl+0x2d7/0xfb0 net/core/dev_ioctl.c:566
sock_do_ioctl+0x94/0xb0 net/socket.c:963
sock_ioctl+0x2c2/0x440 net/socket.c:1053
vfs_ioctl fs/ioctl.c:46 [inline]
do_vfs_ioctl+0x1b1/0x1520 fs/ioctl.c:686
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
entry_SYSCALL_64_fastpath+0x29/0xa0
RIP: 0033:0x452ac9
RSP: 002b:00007fc3c6979c58 EFLAGS: 00000212 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 000000000071bea0 RCX: 0000000000452ac9
RDX: 0000000020b08fd8 RSI: 0000000000008922 RDI: 0000000000000013
RBP: 0000000000000338 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006f2de0
R13: 00000000ffffffff R14: 00007fc3c697a6d4 R15: 0000000000000000

Allocated by task 20171:
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:552
kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:489
kmem_cache_alloc+0x12e/0x760 mm/slab.c:3541
dst_alloc+0x11f/0x1a0 net/core/dst.c:104
__ip6_dst_alloc+0x35/0x90 net/ipv6/route.c:361
ip6_dst_alloc+0x29/0xb0 net/ipv6/route.c:376
ip6_route_info_create+0x4ff/0x2dd0 net/ipv6/route.c:2548
ip6_route_add+0xa2/0x190 net/ipv6/route.c:2788
ipv6_route_ioctl+0x4db/0x6b0 net/ipv6/route.c:3308
inet6_ioctl+0xef/0x1e0 net/ipv6/af_inet6.c:520
sock_do_ioctl+0x65/0xb0 net/socket.c:956
sock_ioctl+0x2c2/0x440 net/socket.c:1053
vfs_ioctl fs/ioctl.c:46 [inline]
do_vfs_ioctl+0x1b1/0x1520 fs/ioctl.c:686
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
entry_SYSCALL_64_fastpath+0x29/0xa0

Freed by task 26089:
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
__kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:520
kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:527
__cache_free mm/slab.c:3485 [inline]
kmem_cache_free+0x86/0x2b0 mm/slab.c:3743
dst_destroy+0x257/0x370 net/core/dst.c:140
dst_destroy_rcu+0x16/0x20 net/core/dst.c:153
__rcu_reclaim kernel/rcu/rcu.h:172 [inline]
rcu_do_batch kernel/rcu/tree.c:2675 [inline]
invoke_rcu_callbacks kernel/rcu/tree.c:2934 [inline]
__rcu_process_callbacks kernel/rcu/tree.c:2901 [inline]
rcu_process_callbacks+0xd6c/0x17f0 kernel/rcu/tree.c:2918
__do_softirq+0x2d7/0xb85 kernel/softirq.c:285

The buggy address belongs to the object at ffff8801c083dcc0
which belongs to the cache ip6_dst_cache of size 320
The buggy address is located 0 bytes inside of
320-byte region [ffff8801c083dcc0, ffff8801c083de00)
The buggy address belongs to the page:
page:ffffea0007020f40 count:1 mapcount:0 mapping:ffff8801c083d0c0 index:0x0
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffff8801c083d0c0 0000000000000000 000000010000000a
raw: ffffea0007647560 ffffea000760dce0 ffff8801d3320d80 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801c083db80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801c083dc00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8801c083dc80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                           ^
 ffff8801c083dd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801c083dd80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is merged into any tree, please reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug report.
Note: all commands must start from beginning of the line in the email body.
To upstream this report, please reply with:
#syz upstream
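Reading the "Memory state around the buggy address" shadow dump by hand is error-prone, so here is a small decoder for it. This is an example added for this page; it is not part of the syzbot report, of syzkaller, or of the kernel tree. It parses the shadow lines copied from the report above, looks up the shadow byte for the faulting address, classifies the access the way KASAN's report header does, and recovers the extent of the freed object from the run of 0xfb granules. The poison legend follows generic KASAN's constants in mm/kasan/kasan.h (0xfb = freed kmalloc object, 0xfc = kmalloc redzone); the 8-byte granule is the x86-64 KASAN_SHADOW_SCALE_SHIFT = 3 layout, and the function names and the REDZONES grouping are this example's own assumptions. The recovered 320-byte extent [ffff8801c083dcc0, ffff8801c083de00) should, and does, match the ip6_dst_cache object the report names, which is the cross-check to do before trusting the allocation and free stacks.

```python
"""Decode the "Memory state around the buggy address" block of a KASAN report.
Generic KASAN keeps one shadow byte per 8-byte granule and prints 16 shadow
bytes per line, so each printed line covers 128 bytes of kernel memory."""
import re

GRANULE = 8  # bytes described by one shadow byte (x86-64 generic KASAN)

# Poison legend from mm/kasan/kasan.h; 0x01..0x07 = only first N bytes accessible.
POISON = {
    0x00: "accessible", 0xfa: "global redzone",
    0xfb: "freed heap object (kfree/kmem_cache_free)", 0xfc: "kmalloc redzone",
    0xfe: "page redzone", 0xff: "freed page", 0xf8: "use-after-scope",
    0xf1: "stack left redzone", 0xf2: "stack mid redzone",
    0xf3: "stack right redzone", 0xf4: "stack partial redzone",
}
REDZONES = {0xfa, 0xfc, 0xfe, 0xf1, 0xf2, 0xf3, 0xf4}  # grouping is this example's own

# One dump line: optional '>' marker, 16-hex-digit address, 16 shadow bytes.
_LINE = re.compile(r"^\s*>?\s*([0-9a-f]{16}):((?:\s+[0-9a-f]{2}){16})\s*$")

# Shadow lines copied from the report above; '>' and '^' mark the flagged granule.
REPORT = """\
Memory state around the buggy address:
 ffff8801c083db80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801c083dc00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8801c083dc80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                           ^
 ffff8801c083dd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801c083dd80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""
FAULT_ADDR = 0xffff8801c083dcc0  # "Read of size 8 at addr ..." in the report
FAULT_SIZE = 8


def granule(addr):
    return addr & ~(GRANULE - 1)


def parse_memory_state(text):
    """Return {granule_base_address: shadow_value} for every shadow byte printed."""
    shadow = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # header, the '^' marker line, '===' rules, etc.
        base = int(m.group(1), 16)
        for i, tok in enumerate(m.group(2).split()):
            shadow[base + i * GRANULE] = int(tok, 16)
    return shadow


def describe(value):
    if 1 <= value <= 7:
        return "partially accessible (first %d bytes valid)" % value
    return POISON.get(value, "unknown poison 0x%02x" % value)


def shadow_at(shadow, addr):
    """Shadow value of the granule containing addr, or None if not in the dump."""
    return shadow.get(granule(addr))


def classify_access(shadow, addr, size):
    """Classify a size-byte access at addr: every touched granule must be accessible."""
    last = granule(addr + size - 1)
    for g in range(granule(addr), last + GRANULE, GRANULE):
        v = shadow.get(g)
        if v is None:
            return "granule 0x%x not in dump" % g
        if v == 0:
            continue
        if 1 <= v <= 7:
            # Partial granule: only fine if the access ends inside the valid prefix.
            if g == last and addr + size - g <= v:
                continue
            return "out-of-bounds"
        if v == 0xfb:
            return "use-after-free"
        if v in REDZONES:
            return "out-of-bounds"
        return describe(v)
    return "valid"


def freed_extent(shadow, addr):
    """[start, end) of the contiguous freed (0xfb) granules around addr, else None."""
    g = granule(addr)
    if shadow.get(g) != 0xfb:
        return None
    start, end = g, g + GRANULE
    while shadow.get(start - GRANULE) == 0xfb:
        start -= GRANULE
    while shadow.get(end) == 0xfb:
        end += GRANULE
    return start, end


if __name__ == "__main__":
    shadow = parse_memory_state(REPORT)
    v = shadow_at(shadow, FAULT_ADDR)
    print("shadow byte 0x%02x: %s" % (v, describe(v)))
    print("access:", classify_access(shadow, FAULT_ADDR, FAULT_SIZE))
    start, end = freed_extent(shadow, FAULT_ADDR)
    print("freed object: [0x%x, 0x%x) = %d bytes" % (start, end, end - start))
```

Run as a script it reports the flagged granule as a freed heap object, the 8-byte read as a use-after-free, and a 320-byte freed extent starting exactly at the faulting address, i.e. "0 bytes inside" the object as the report says. The same functions can be pointed at any generic-KASAN dump; software tag-based KASAN on arm64 prints tag bytes instead of these poison values and needs a different legend.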

Dmitry Vyukov

Jan 12, 2018, 12:22:33 AM
to syzbot, 'Dmitry Vyukov' via syzkaller-upstream-moderation
#syz fix: ipv6: remove null_entry before adding default route