[Android 5.10] KASAN: use-after-free Read in macsec_get_iflink (2)
5 views
Skip to first unread message
syzbot
Nov 2, 2024, 12:17:22 PM11/2/24
to syzkaller-a...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: e5e5644ea27f Revert "udf: Avoid excessive partition lengths"
git tree: android13-5.10-lts
console output: https://syzkaller.appspot.com/x/log.txt?x=1013cb40580000
kernel config: https://syzkaller.appspot.com/x/.config?x=4b4a7b8638c3099
dashboard link: https://syzkaller.appspot.com/bug?extid=2de3ad92b239326eb338
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=172d755f980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10ad755f980000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/0a4309df0fe8/disk-e5e5644e.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/e5a70844d43b/vmlinux-e5e5644e.xz
kernel image: https://storage.googleapis.com/syzbot-assets/985df9651f99/bzImage-e5e5644e.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/e6303d52706f/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2de3ad...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in macsec_get_iflink+0x70/0x80 drivers/net/macsec.c:3654
Read of size 4 at addr ffff88812303c100 by task kworker/u4:0/7
CPU: 1 PID: 7 Comm: kworker/u4:0 Not tainted 5.10.226-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: events_unbound linkwatch_event
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack_lvl+0x1e2/0x24b lib/dump_stack.c:118
print_address_description+0x81/0x3b0 mm/kasan/report.c:248
__kasan_report mm/kasan/report.c:435 [inline]
kasan_report+0x179/0x1c0 mm/kasan/report.c:452
__asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:308
macsec_get_iflink+0x70/0x80 drivers/net/macsec.c:3654
dev_get_iflink+0x6f/0xc0 net/core/dev.c:824
default_operstate net/core/link_watch.c:41 [inline]
rfc2863_policy+0x127/0x2b0 net/core/link_watch.c:53
linkwatch_do_dev+0x3c/0x140 net/core/link_watch.c:160
__linkwatch_run_queue+0x4ca/0x7f0 net/core/link_watch.c:213
linkwatch_event+0x4c/0x60 net/core/link_watch.c:252
process_one_work+0x6dc/0xbd0 kernel/workqueue.c:2301
worker_thread+0xaea/0x1510 kernel/workqueue.c:2447
kthread+0x34b/0x3d0 kernel/kthread.c:313
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
Allocated by task 290:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track mm/kasan/common.c:45 [inline]
set_alloc_info mm/kasan/common.c:430 [inline]
____kasan_kmalloc+0xdb/0x110 mm/kasan/common.c:509
__kasan_kmalloc+0x9/0x10 mm/kasan/common.c:518
kasan_kmalloc include/linux/kasan.h:254 [inline]
__kmalloc+0x1aa/0x330 mm/slub.c:4033
__kmalloc_node include/linux/slab.h:418 [inline]
kmalloc_node include/linux/slab.h:575 [inline]
kvmalloc_node+0x82/0x130 mm/util.c:612
kvmalloc include/linux/mm.h:822 [inline]
kvzalloc include/linux/mm.h:830 [inline]
alloc_netdev_mqs+0x8e/0xcd0 net/core/dev.c:10507
rtnl_create_link+0x240/0x950 net/core/rtnetlink.c:3192
veth_newlink+0x287/0xb50 drivers/net/veth.c:1344
__rtnl_newlink net/core/rtnetlink.c:3479 [inline]
rtnl_newlink+0x1516/0x2000 net/core/rtnetlink.c:3527
rtnetlink_rcv_msg+0x955/0xc50 net/core/rtnetlink.c:5607
netlink_rcv_skb+0x1cf/0x410 net/netlink/af_netlink.c:2499
rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:5625
netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline]
netlink_unicast+0x8df/0xac0 net/netlink/af_netlink.c:1348
netlink_sendmsg+0xa46/0xd00 net/netlink/af_netlink.c:1916
sock_sendmsg_nosec net/socket.c:652 [inline]
__sock_sendmsg net/socket.c:664 [inline]
__sys_sendto+0x545/0x700 net/socket.c:2006
__do_sys_sendto net/socket.c:2018 [inline]
__se_sys_sendto net/socket.c:2014 [inline]
__x64_sys_sendto+0xe5/0x100 net/socket.c:2014
do_syscall_64+0x34/0x70
entry_SYSCALL_64_after_hwframe+0x61/0xcb
Freed by task 310:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track+0x4b/0x70 mm/kasan/common.c:45
kasan_set_free_info+0x23/0x40 mm/kasan/generic.c:370
____kasan_slab_free+0x121/0x160 mm/kasan/common.c:362
__kasan_slab_free+0x11/0x20 mm/kasan/common.c:370
kasan_slab_free include/linux/kasan.h:220 [inline]
slab_free_hook mm/slub.c:1595 [inline]
slab_free_freelist_hook+0xc0/0x190 mm/slub.c:1621
slab_free mm/slub.c:3203 [inline]
kfree+0xc3/0x270 mm/slub.c:4191
kvfree+0x35/0x40 mm/util.c:647
netdev_freemem+0x3f/0x60 net/core/dev.c:10461
netdev_release+0x7f/0xb0 net/core/net-sysfs.c:1886
device_release+0x95/0x1c0
kobject_cleanup lib/kobject.c:713 [inline]
kobject_release lib/kobject.c:744 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x178/0x260 lib/kobject.c:761
netdev_run_todo+0xc26/0xdc0 net/core/dev.c:10332
rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:112
default_device_exit_batch+0x38f/0x3f0 net/core/dev.c:11268
ops_exit_list net/core/net_namespace.c:190 [inline]
cleanup_net+0x6e9/0xcb0 net/core/net_namespace.c:609
process_one_work+0x6dc/0xbd0 kernel/workqueue.c:2301
worker_thread+0xaea/0x1510 kernel/workqueue.c:2447
kthread+0x34b/0x3d0 kernel/kthread.c:313
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
The buggy address belongs to the object at ffff88812303c000
which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 256 bytes inside of
4096-byte region [ffff88812303c000, ffff88812303d000)
The buggy address belongs to the page:
page:ffffea00048c0e00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x123038
head:ffffea00048c0e00 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x4000000000010200(slab|head)
raw: 4000000000010200 dead000000000100 dead000000000122 ffff888100042c00
raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd60c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_RETRY_MAYFAIL|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 290, ts 21376089922, free_ts 0
set_page_owner include/linux/page_owner.h:35 [inline]
post_alloc_hook mm/page_alloc.c:2456 [inline]
prep_new_page+0x166/0x180 mm/page_alloc.c:2462
get_page_from_freelist+0x2d8c/0x2f30 mm/page_alloc.c:4254
__alloc_pages_nodemask+0x435/0xaf0 mm/page_alloc.c:5348
allocate_slab mm/slub.c:1808 [inline]
new_slab+0x80/0x400 mm/slub.c:1869
new_slab_objects mm/slub.c:2627 [inline]
___slab_alloc+0x302/0x4b0 mm/slub.c:2791
__slab_alloc+0x63/0xa0 mm/slub.c:2831
slab_alloc_node mm/slub.c:2913 [inline]
slab_alloc mm/slub.c:2955 [inline]
__kmalloc+0x204/0x330 mm/slub.c:4029
__kmalloc_node include/linux/slab.h:418 [inline]
kmalloc_node include/linux/slab.h:575 [inline]
kvmalloc_node+0x82/0x130 mm/util.c:612
kvmalloc include/linux/mm.h:822 [inline]
kvzalloc include/linux/mm.h:830 [inline]
alloc_netdev_mqs+0x8e/0xcd0 net/core/dev.c:10507
rtnl_create_link+0x240/0x950 net/core/rtnetlink.c:3192
veth_newlink+0x287/0xb50 drivers/net/veth.c:1344
__rtnl_newlink net/core/rtnetlink.c:3479 [inline]
rtnl_newlink+0x1516/0x2000 net/core/rtnetlink.c:3527
rtnetlink_rcv_msg+0x955/0xc50 net/core/rtnetlink.c:5607
netlink_rcv_skb+0x1cf/0x410 net/netlink/af_netlink.c:2499
rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:5625
netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline]
netlink_unicast+0x8df/0xac0 net/netlink/af_netlink.c:1348
page_owner free stack trace missing
Memory state around the buggy address:
ffff88812303c000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88812303c080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88812303c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88812303c180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88812303c200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: e5e5644ea27f Revert "udf: Avoid excessive partition lengths"
git tree: android13-5.10-lts
console output: https://syzkaller.appspot.com/x/log.txt?x=1013cb40580000
kernel config: https://syzkaller.appspot.com/x/.config?x=4b4a7b8638c3099
dashboard link: https://syzkaller.appspot.com/bug?extid=2de3ad92b239326eb338
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=172d755f980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10ad755f980000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/0a4309df0fe8/disk-e5e5644e.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/e5a70844d43b/vmlinux-e5e5644e.xz
kernel image: https://storage.googleapis.com/syzbot-assets/985df9651f99/bzImage-e5e5644e.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/e6303d52706f/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2de3ad...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in macsec_get_iflink+0x70/0x80 drivers/net/macsec.c:3654
Read of size 4 at addr ffff88812303c100 by task kworker/u4:0/7
CPU: 1 PID: 7 Comm: kworker/u4:0 Not tainted 5.10.226-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: events_unbound linkwatch_event
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack_lvl+0x1e2/0x24b lib/dump_stack.c:118
print_address_description+0x81/0x3b0 mm/kasan/report.c:248
__kasan_report mm/kasan/report.c:435 [inline]
kasan_report+0x179/0x1c0 mm/kasan/report.c:452
__asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:308
macsec_get_iflink+0x70/0x80 drivers/net/macsec.c:3654
dev_get_iflink+0x6f/0xc0 net/core/dev.c:824
default_operstate net/core/link_watch.c:41 [inline]
rfc2863_policy+0x127/0x2b0 net/core/link_watch.c:53
linkwatch_do_dev+0x3c/0x140 net/core/link_watch.c:160
__linkwatch_run_queue+0x4ca/0x7f0 net/core/link_watch.c:213
linkwatch_event+0x4c/0x60 net/core/link_watch.c:252
process_one_work+0x6dc/0xbd0 kernel/workqueue.c:2301
worker_thread+0xaea/0x1510 kernel/workqueue.c:2447
kthread+0x34b/0x3d0 kernel/kthread.c:313
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
Allocated by task 290:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track mm/kasan/common.c:45 [inline]
set_alloc_info mm/kasan/common.c:430 [inline]
____kasan_kmalloc+0xdb/0x110 mm/kasan/common.c:509
__kasan_kmalloc+0x9/0x10 mm/kasan/common.c:518
kasan_kmalloc include/linux/kasan.h:254 [inline]
__kmalloc+0x1aa/0x330 mm/slub.c:4033
__kmalloc_node include/linux/slab.h:418 [inline]
kmalloc_node include/linux/slab.h:575 [inline]
kvmalloc_node+0x82/0x130 mm/util.c:612
kvmalloc include/linux/mm.h:822 [inline]
kvzalloc include/linux/mm.h:830 [inline]
alloc_netdev_mqs+0x8e/0xcd0 net/core/dev.c:10507
rtnl_create_link+0x240/0x950 net/core/rtnetlink.c:3192
veth_newlink+0x287/0xb50 drivers/net/veth.c:1344
__rtnl_newlink net/core/rtnetlink.c:3479 [inline]
rtnl_newlink+0x1516/0x2000 net/core/rtnetlink.c:3527
rtnetlink_rcv_msg+0x955/0xc50 net/core/rtnetlink.c:5607
netlink_rcv_skb+0x1cf/0x410 net/netlink/af_netlink.c:2499
rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:5625
netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline]
netlink_unicast+0x8df/0xac0 net/netlink/af_netlink.c:1348
netlink_sendmsg+0xa46/0xd00 net/netlink/af_netlink.c:1916
sock_sendmsg_nosec net/socket.c:652 [inline]
__sock_sendmsg net/socket.c:664 [inline]
__sys_sendto+0x545/0x700 net/socket.c:2006
__do_sys_sendto net/socket.c:2018 [inline]
__se_sys_sendto net/socket.c:2014 [inline]
__x64_sys_sendto+0xe5/0x100 net/socket.c:2014
do_syscall_64+0x34/0x70
entry_SYSCALL_64_after_hwframe+0x61/0xcb
Freed by task 310:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track+0x4b/0x70 mm/kasan/common.c:45
kasan_set_free_info+0x23/0x40 mm/kasan/generic.c:370
____kasan_slab_free+0x121/0x160 mm/kasan/common.c:362
__kasan_slab_free+0x11/0x20 mm/kasan/common.c:370
kasan_slab_free include/linux/kasan.h:220 [inline]
slab_free_hook mm/slub.c:1595 [inline]
slab_free_freelist_hook+0xc0/0x190 mm/slub.c:1621
slab_free mm/slub.c:3203 [inline]
kfree+0xc3/0x270 mm/slub.c:4191
kvfree+0x35/0x40 mm/util.c:647
netdev_freemem+0x3f/0x60 net/core/dev.c:10461
netdev_release+0x7f/0xb0 net/core/net-sysfs.c:1886
device_release+0x95/0x1c0
kobject_cleanup lib/kobject.c:713 [inline]
kobject_release lib/kobject.c:744 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x178/0x260 lib/kobject.c:761
netdev_run_todo+0xc26/0xdc0 net/core/dev.c:10332
rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:112
default_device_exit_batch+0x38f/0x3f0 net/core/dev.c:11268
ops_exit_list net/core/net_namespace.c:190 [inline]
cleanup_net+0x6e9/0xcb0 net/core/net_namespace.c:609
process_one_work+0x6dc/0xbd0 kernel/workqueue.c:2301
worker_thread+0xaea/0x1510 kernel/workqueue.c:2447
kthread+0x34b/0x3d0 kernel/kthread.c:313
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
The buggy address belongs to the object at ffff88812303c000
which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 256 bytes inside of
4096-byte region [ffff88812303c000, ffff88812303d000)
The buggy address belongs to the page:
page:ffffea00048c0e00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x123038
head:ffffea00048c0e00 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x4000000000010200(slab|head)
raw: 4000000000010200 dead000000000100 dead000000000122 ffff888100042c00
raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd60c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_RETRY_MAYFAIL|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 290, ts 21376089922, free_ts 0
set_page_owner include/linux/page_owner.h:35 [inline]
post_alloc_hook mm/page_alloc.c:2456 [inline]
prep_new_page+0x166/0x180 mm/page_alloc.c:2462
get_page_from_freelist+0x2d8c/0x2f30 mm/page_alloc.c:4254
__alloc_pages_nodemask+0x435/0xaf0 mm/page_alloc.c:5348
allocate_slab mm/slub.c:1808 [inline]
new_slab+0x80/0x400 mm/slub.c:1869
new_slab_objects mm/slub.c:2627 [inline]
___slab_alloc+0x302/0x4b0 mm/slub.c:2791
__slab_alloc+0x63/0xa0 mm/slub.c:2831
slab_alloc_node mm/slub.c:2913 [inline]
slab_alloc mm/slub.c:2955 [inline]
__kmalloc+0x204/0x330 mm/slub.c:4029
__kmalloc_node include/linux/slab.h:418 [inline]
kmalloc_node include/linux/slab.h:575 [inline]
kvmalloc_node+0x82/0x130 mm/util.c:612
kvmalloc include/linux/mm.h:822 [inline]
kvzalloc include/linux/mm.h:830 [inline]
alloc_netdev_mqs+0x8e/0xcd0 net/core/dev.c:10507
rtnl_create_link+0x240/0x950 net/core/rtnetlink.c:3192
veth_newlink+0x287/0xb50 drivers/net/veth.c:1344
__rtnl_newlink net/core/rtnetlink.c:3479 [inline]
rtnl_newlink+0x1516/0x2000 net/core/rtnetlink.c:3527
rtnetlink_rcv_msg+0x955/0xc50 net/core/rtnetlink.c:5607
netlink_rcv_skb+0x1cf/0x410 net/netlink/af_netlink.c:2499
rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:5625
netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline]
netlink_unicast+0x8df/0xac0 net/netlink/af_netlink.c:1348
page_owner free stack trace missing
Memory state around the buggy address:
ffff88812303c000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88812303c080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88812303c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88812303c180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88812303c200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Reply all
Reply to author
Forward
0 new messages