KASAN: use-after-free Read in __netif_receive_skb_core
7 views
Skip to first unread message
syzbot
Nov 1, 2017, 2:14:27 PM11/1/17
to syzkaller-upst...@googlegroups.com
Hello,
syzkaller hit the following crash on
720bbe532b7c8f5613b48dea627fc58ed9ace707
git://git.cmpxchg.org/linux-mmots.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.
C reproducer is attached
syzkaller reproducer is attached. See https://goo.gl/kgGztJ
for information about syzkaller reproducers
CC: [jaso...@redhat.com linux-...@vger.kernel.org m...@redhat.com
net...@vger.kernel.org virtual...@lists.linux-foundation.org]
==================================================================
BUG: KASAN: use-after-free in deliver_ptype_list_skb net/core/dev.c:1871
[inline]
BUG: KASAN: use-after-free in __netif_receive_skb_core+0x2be3/0x33d0
net/core/dev.c:4406
Read of size 2 at addr ffff8801c5649500 by task syzkaller476907/7838
CPU: 0 PID: 7838 Comm: syzkaller476907 Not tainted 4.13.0-mm1+ #7
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:16 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:52
print_address_description+0x73/0x250 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report+0x24e/0x340 mm/kasan/report.c:409
__asan_report_load2_noabort+0x14/0x20 mm/kasan/report.c:428
deliver_ptype_list_skb net/core/dev.c:1871 [inline]
__netif_receive_skb_core+0x2be3/0x33d0 net/core/dev.c:4406
__netif_receive_skb+0x2c/0x1b0 net/core/dev.c:4461
netif_receive_skb_internal+0x10b/0x670 net/core/dev.c:4534
napi_skb_finish net/core/dev.c:4895 [inline]
napi_gro_receive+0x3d0/0x500 net/core/dev.c:4926
receive_buf+0xcc5/0x51f0 drivers/net/virtio_net.c:841
virtnet_receive drivers/net/virtio_net.c:1087 [inline]
virtnet_poll+0x304/0xad0 drivers/net/virtio_net.c:1168
napi_poll net/core/dev.c:5537 [inline]
net_rx_action+0x792/0x1910 net/core/dev.c:5603
__do_softirq+0x2bb/0xbd0 kernel/softirq.c:284
invoke_softirq kernel/softirq.c:364 [inline]
irq_exit+0x1d3/0x210 kernel/softirq.c:405
exiting_irq arch/x86/include/asm/apic.h:638 [inline]
do_IRQ+0xf6/0x190 arch/x86/kernel/irq.c:253
common_interrupt+0x9d/0x9d arch/x86/entry/entry_64.S:598
</IRQ>
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:777
[inline]
RIP: 0010:lock_is_held_type+0x18b/0x210 kernel/locking/lockdep.c:4042
RSP: 0018:ffff8801c54ef650 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff6e
RAX: dffffc0000000000 RBX: 0000000000000282 RCX: 0000000000000000
RDX: 1ffffffff0b592fd RSI: ffffffff85b38180 RDI: 0000000000000282
RBP: ffff8801c54ef670 R08: ffff8801c54eeda8 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801c52ee5c0
R13: 0000000000000000 R14: 00000000000011c9 R15: dffffc0000000000
lock_is_held include/linux/lockdep.h:436 [inline]
___might_sleep+0x39b/0x470 kernel/sched/core.c:5980
clear_huge_page+0x3e1/0x750 mm/memory.c:4553
__do_huge_pmd_anonymous_page mm/huge_memory.c:570 [inline]
do_huge_pmd_anonymous_page+0x59c/0x1b00 mm/huge_memory.c:728
create_huge_pmd mm/memory.c:3802 [inline]
__handle_mm_fault+0x1827/0x39c0 mm/memory.c:4005
handle_mm_fault+0x334/0x8d0 mm/memory.c:4071
__do_page_fault+0x4f6/0xb60 arch/x86/mm/fault.c:1445
do_page_fault+0xee/0x720 arch/x86/mm/fault.c:1520
page_fault+0x22/0x30 arch/x86/entry/entry_64.S:1066
RIP: 0033:0x400db4
RSP: 002b:00007f824b0f2dd0 EFLAGS: 00010202
RAX: 00007f824b0f3700 RBX: 0000000000000000 RCX: 0000000000402784
RDX: 2eece99104bcbcf1 RSI: 0000000000000000 RDI: 0000000000000006
RBP: 0000000000000000 R08: 00007f824b0f3700 R09: 00007f824b0f3700
R10: 00007f824b0f39d0 R11: 0000000000000202 R12: 0000000000000000
R13: 00007ffd27a088ef R14: 00007f824b0f39c0 R15: 0000000000000000
Allocated by task 7777:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
kmem_cache_alloc_trace+0x136/0x750 mm/slab.c:3627
kmalloc include/linux/slab.h:493 [inline]
kzalloc include/linux/slab.h:666 [inline]
fanout_add+0xa50/0x1190 net/packet/af_packet.c:1733
packet_setsockopt+0xfdc/0x1e80 net/packet/af_packet.c:3795
SYSC_setsockopt net/socket.c:1852 [inline]
SyS_setsockopt+0x189/0x360 net/socket.c:1831
entry_SYSCALL_64_fastpath+0x1f/0xbe
Freed by task 7728:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3503 [inline]
kfree+0xca/0x250 mm/slab.c:3820
packet_release+0xa8f/0xd70 net/packet/af_packet.c:3033
sock_release+0x8d/0x1e0 net/socket.c:597
sock_close+0x16/0x20 net/socket.c:1126
__fput+0x333/0x7f0 fs/file_table.c:210
____fput+0x15/0x20 fs/file_table.c:244
task_work_run+0x199/0x270 kernel/task_work.c:112
exit_task_work include/linux/task_work.h:21 [inline]
do_exit+0xa52/0x1b40 kernel/exit.c:865
do_group_exit+0x149/0x400 kernel/exit.c:968
SYSC_exit_group kernel/exit.c:979 [inline]
SyS_exit_group+0x1d/0x20 kernel/exit.c:977
entry_SYSCALL_64_fastpath+0x1f/0xbe
The buggy address belongs to the object at ffff8801c5648c80
which belongs to the cache kmalloc-4096 of size 4096
The buggy address is located 2176 bytes inside of
---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.
Please credit me with: Reported-by: syzbot <syzk...@googlegroups.com>
syzbot will keep track of this bug report.
Once a fix for this bug is committed, please reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line.
To upstream this report, please reply with:
#syz upstream
syzkaller hit the following crash on
720bbe532b7c8f5613b48dea627fc58ed9ace707
git://git.cmpxchg.org/linux-mmots.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.
C reproducer is attached
syzkaller reproducer is attached. See https://goo.gl/kgGztJ
for information about syzkaller reproducers
CC: [jaso...@redhat.com linux-...@vger.kernel.org m...@redhat.com
net...@vger.kernel.org virtual...@lists.linux-foundation.org]
==================================================================
BUG: KASAN: use-after-free in deliver_ptype_list_skb net/core/dev.c:1871
[inline]
BUG: KASAN: use-after-free in __netif_receive_skb_core+0x2be3/0x33d0
net/core/dev.c:4406
Read of size 2 at addr ffff8801c5649500 by task syzkaller476907/7838
CPU: 0 PID: 7838 Comm: syzkaller476907 Not tainted 4.13.0-mm1+ #7
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:16 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:52
print_address_description+0x73/0x250 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report+0x24e/0x340 mm/kasan/report.c:409
__asan_report_load2_noabort+0x14/0x20 mm/kasan/report.c:428
deliver_ptype_list_skb net/core/dev.c:1871 [inline]
__netif_receive_skb_core+0x2be3/0x33d0 net/core/dev.c:4406
__netif_receive_skb+0x2c/0x1b0 net/core/dev.c:4461
netif_receive_skb_internal+0x10b/0x670 net/core/dev.c:4534
napi_skb_finish net/core/dev.c:4895 [inline]
napi_gro_receive+0x3d0/0x500 net/core/dev.c:4926
receive_buf+0xcc5/0x51f0 drivers/net/virtio_net.c:841
virtnet_receive drivers/net/virtio_net.c:1087 [inline]
virtnet_poll+0x304/0xad0 drivers/net/virtio_net.c:1168
napi_poll net/core/dev.c:5537 [inline]
net_rx_action+0x792/0x1910 net/core/dev.c:5603
__do_softirq+0x2bb/0xbd0 kernel/softirq.c:284
invoke_softirq kernel/softirq.c:364 [inline]
irq_exit+0x1d3/0x210 kernel/softirq.c:405
exiting_irq arch/x86/include/asm/apic.h:638 [inline]
do_IRQ+0xf6/0x190 arch/x86/kernel/irq.c:253
common_interrupt+0x9d/0x9d arch/x86/entry/entry_64.S:598
</IRQ>
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:777
[inline]
RIP: 0010:lock_is_held_type+0x18b/0x210 kernel/locking/lockdep.c:4042
RSP: 0018:ffff8801c54ef650 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff6e
RAX: dffffc0000000000 RBX: 0000000000000282 RCX: 0000000000000000
RDX: 1ffffffff0b592fd RSI: ffffffff85b38180 RDI: 0000000000000282
RBP: ffff8801c54ef670 R08: ffff8801c54eeda8 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801c52ee5c0
R13: 0000000000000000 R14: 00000000000011c9 R15: dffffc0000000000
lock_is_held include/linux/lockdep.h:436 [inline]
___might_sleep+0x39b/0x470 kernel/sched/core.c:5980
clear_huge_page+0x3e1/0x750 mm/memory.c:4553
__do_huge_pmd_anonymous_page mm/huge_memory.c:570 [inline]
do_huge_pmd_anonymous_page+0x59c/0x1b00 mm/huge_memory.c:728
create_huge_pmd mm/memory.c:3802 [inline]
__handle_mm_fault+0x1827/0x39c0 mm/memory.c:4005
handle_mm_fault+0x334/0x8d0 mm/memory.c:4071
__do_page_fault+0x4f6/0xb60 arch/x86/mm/fault.c:1445
do_page_fault+0xee/0x720 arch/x86/mm/fault.c:1520
page_fault+0x22/0x30 arch/x86/entry/entry_64.S:1066
RIP: 0033:0x400db4
RSP: 002b:00007f824b0f2dd0 EFLAGS: 00010202
RAX: 00007f824b0f3700 RBX: 0000000000000000 RCX: 0000000000402784
RDX: 2eece99104bcbcf1 RSI: 0000000000000000 RDI: 0000000000000006
RBP: 0000000000000000 R08: 00007f824b0f3700 R09: 00007f824b0f3700
R10: 00007f824b0f39d0 R11: 0000000000000202 R12: 0000000000000000
R13: 00007ffd27a088ef R14: 00007f824b0f39c0 R15: 0000000000000000
Allocated by task 7777:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
kmem_cache_alloc_trace+0x136/0x750 mm/slab.c:3627
kmalloc include/linux/slab.h:493 [inline]
kzalloc include/linux/slab.h:666 [inline]
fanout_add+0xa50/0x1190 net/packet/af_packet.c:1733
packet_setsockopt+0xfdc/0x1e80 net/packet/af_packet.c:3795
SYSC_setsockopt net/socket.c:1852 [inline]
SyS_setsockopt+0x189/0x360 net/socket.c:1831
entry_SYSCALL_64_fastpath+0x1f/0xbe
Freed by task 7728:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3503 [inline]
kfree+0xca/0x250 mm/slab.c:3820
packet_release+0xa8f/0xd70 net/packet/af_packet.c:3033
sock_release+0x8d/0x1e0 net/socket.c:597
sock_close+0x16/0x20 net/socket.c:1126
__fput+0x333/0x7f0 fs/file_table.c:210
____fput+0x15/0x20 fs/file_table.c:244
task_work_run+0x199/0x270 kernel/task_work.c:112
exit_task_work include/linux/task_work.h:21 [inline]
do_exit+0xa52/0x1b40 kernel/exit.c:865
do_group_exit+0x149/0x400 kernel/exit.c:968
SYSC_exit_group kernel/exit.c:979 [inline]
SyS_exit_group+0x1d/0x20 kernel/exit.c:977
entry_SYSCALL_64_fastpath+0x1f/0xbe
The buggy address belongs to the object at ffff8801c5648c80
which belongs to the cache kmalloc-4096 of size 4096
The buggy address is located 2176 bytes inside of
---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.
Please credit me with: Reported-by: syzbot <syzk...@googlegroups.com>
syzbot will keep track of this bug report.
Once a fix for this bug is committed, please reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line.
To upstream this report, please reply with:
#syz upstream
Dmitry Vyukov
Nov 1, 2017, 3:36:47 PM11/1/17
to syzbot, 'Dmitry Vyukov' via syzkaller-upstream-moderation
last happened Sep 24, repro does not work, seems to be fixed by something:
#syz invalid
On Wed, Nov 1, 2017 at 9:14 PM, syzbot
<bot+419bf7d71cf1114404...@syzkaller.appspotmail.com>
wrote:
> --
> You received this message because you are subscribed to the Google Groups
> "syzkaller-upstream-moderation" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to syzkaller-upstream-m...@googlegroups.com.
> To post to this group, send email to
> syzkaller-upst...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/syzkaller-upstream-moderation/001a1143b51c8497cb055cefd7ba%40google.com.
> For more options, visit https://groups.google.com/d/optout.
#syz invalid
On Wed, Nov 1, 2017 at 9:14 PM, syzbot
<bot+419bf7d71cf1114404...@syzkaller.appspotmail.com>
wrote:
> You received this message because you are subscribed to the Google Groups
> "syzkaller-upstream-moderation" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to syzkaller-upstream-m...@googlegroups.com.
> To post to this group, send email to
> syzkaller-upst...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/syzkaller-upstream-moderation/001a1143b51c8497cb055cefd7ba%40google.com.
> For more options, visit https://groups.google.com/d/optout.
Reply all
Reply to author
Forward
0 new messages