Hello,
syzbot found the following crash on:
HEAD commit: ed0b11d2 Merge 4.9.149 into android-4.9
git tree: android-4.9
console output: https://syzkaller.appspot.com/x/log.txt?x=120fad10c00000
kernel config: https://syzkaller.appspot.com/x/.config?x=593db1e2f5c3d537
dashboard link: https://syzkaller.appspot.com/bug?extid=fc5e94e70cb64d1042eb
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=142b5d80c00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10c18a4f400000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+fc5e94...@syzkaller.appspotmail.com
random: sshd: uninitialized urandom read (32 bytes read)
random: crng init done
==================================================================
BUG: KASAN: use-after-free in skb_clear_hash include/linux/skbuff.h:1062 [inline]
BUG: KASAN: use-after-free in ip_check_defrag net/ipv4/ip_fragment.c:738 [inline]
BUG: KASAN: use-after-free in ip_check_defrag+0x571/0x5b0 net/ipv4/ip_fragment.c:703
Write of size 4 at addr ffff8801d26e6e5c by task syz-executor527/2206
CPU: 1 PID: 2206 Comm: syz-executor527 Not tainted 4.9.149+ #4
ffff8801cc03f658 ffffffff81b46481 0000000000000001 ffffea000749b980
ffff8801d26e6e5c 0000000000000004 ffffffff824a2fe1 ffff8801cc03f690
ffffffff815020d5 0000000000000001 ffff8801d26e6e5c ffff8801d26e6e5c
Call Trace:
[<ffffffff81b46481>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81b46481>] dump_stack+0xc1/0x120 lib/dump_stack.c:51
[<ffffffff815020d5>] print_address_description+0x6f/0x238 mm/kasan/report.c:256
[<ffffffff8150232a>] kasan_report_error mm/kasan/report.c:355 [inline]
[<ffffffff8150232a>] kasan_report mm/kasan/report.c:412 [inline]
[<ffffffff8150232a>] kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:397
[<ffffffff814f45a7>] __asan_report_store4_noabort+0x17/0x20 mm/kasan/report.c:437
[<ffffffff824a2fe1>] skb_clear_hash include/linux/skbuff.h:1062 [inline]
[<ffffffff824a2fe1>] ip_check_defrag net/ipv4/ip_fragment.c:738 [inline]
[<ffffffff824a2fe1>] ip_check_defrag+0x571/0x5b0 net/ipv4/ip_fragment.c:703
[<ffffffff827d933e>] packet_rcv_fanout+0x51e/0x5f0 net/packet/af_packet.c:1458
[<ffffffff822fac80>] dev_queue_xmit_nit+0x5e0/0x800 net/core/dev.c:1950
[<ffffffff823150a7>] xmit_one net/core/dev.c:2973 [inline]
[<ffffffff823150a7>] dev_hard_start_xmit+0xa7/0x8b0 net/core/dev.c:2993
[<ffffffff82316d53>] __dev_queue_xmit+0x11a3/0x1bd0 net/core/dev.c:3473
[<ffffffff82317798>] dev_queue_xmit+0x18/0x20 net/core/dev.c:3506
[<ffffffff827d31e8>] packet_snd net/packet/af_packet.c:2966 [inline]
[<ffffffff827d31e8>] packet_sendmsg+0x2778/0x4840 net/packet/af_packet.c:2991
[<ffffffff822a1dfe>] sock_sendmsg_nosec net/socket.c:648 [inline]
[<ffffffff822a1dfe>] sock_sendmsg+0xbe/0x110 net/socket.c:658
[<ffffffff822a5e01>] SYSC_sendto net/socket.c:1683 [inline]
[<ffffffff822a5e01>] SyS_sendto+0x201/0x340 net/socket.c:1651
[<ffffffff810056bd>] do_syscall_64+0x1ad/0x570 arch/x86/entry/common.c:285
[<ffffffff828146d3>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
Allocated by task 2206:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
save_stack mm/kasan/kasan.c:505 [inline]
set_track mm/kasan/kasan.c:517 [inline]
kasan_kmalloc.part.0+0x62/0xf0 mm/kasan/kasan.c:609
kasan_kmalloc+0xb7/0xd0 mm/kasan/kasan.c:594
kasan_slab_alloc+0xf/0x20 mm/kasan/kasan.c:547
slab_post_alloc_hook mm/slab.h:417 [inline]
slab_alloc_node mm/slub.c:2715 [inline]
slab_alloc mm/slub.c:2723 [inline]
kmem_cache_alloc+0xd5/0x2b0 mm/slub.c:2728
skb_clone+0x122/0x2a0 net/core/skbuff.c:1034
dev_queue_xmit_nit+0x2d2/0x800 net/core/dev.c:1919
xmit_one net/core/dev.c:2973 [inline]
dev_hard_start_xmit+0xa7/0x8b0 net/core/dev.c:2993
__dev_queue_xmit+0x11a3/0x1bd0 net/core/dev.c:3473
dev_queue_xmit+0x18/0x20 net/core/dev.c:3506
packet_snd net/packet/af_packet.c:2966 [inline]
packet_sendmsg+0x2778/0x4840 net/packet/af_packet.c:2991
sock_sendmsg_nosec net/socket.c:648 [inline]
sock_sendmsg+0xbe/0x110 net/socket.c:658
SYSC_sendto net/socket.c:1683 [inline]
SyS_sendto+0x201/0x340 net/socket.c:1651
do_syscall_64+0x1ad/0x570 arch/x86/entry/common.c:285
entry_SYSCALL_64_after_swapgs+0x5d/0xdb
Freed by task 2206:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
save_stack mm/kasan/kasan.c:505 [inline]
set_track mm/kasan/kasan.c:517 [inline]
kasan_slab_free+0xb0/0x190 mm/kasan/kasan.c:582
slab_free_hook mm/slub.c:1355 [inline]
slab_free_freelist_hook mm/slub.c:1377 [inline]
slab_free mm/slub.c:2958 [inline]
kmem_cache_free+0xbe/0x310 mm/slub.c:2980
kfree_skbmem+0x9f/0x100 net/core/skbuff.c:623
__kfree_skb net/core/skbuff.c:685 [inline]
kfree_skb+0xd4/0x350 net/core/skbuff.c:705
ip_frag_queue net/ipv4/ip_fragment.c:505 [inline]
ip_defrag+0x620/0x3bc0 net/ipv4/ip_fragment.c:690
ip_check_defrag net/ipv4/ip_fragment.c:736 [inline]
ip_check_defrag+0x3d6/0x5b0 net/ipv4/ip_fragment.c:703
packet_rcv_fanout+0x51e/0x5f0 net/packet/af_packet.c:1458
dev_queue_xmit_nit+0x5e0/0x800 net/core/dev.c:1950
xmit_one net/core/dev.c:2973 [inline]
dev_hard_start_xmit+0xa7/0x8b0 net/core/dev.c:2993
__dev_queue_xmit+0x11a3/0x1bd0 net/core/dev.c:3473
dev_queue_xmit+0x18/0x20 net/core/dev.c:3506
packet_snd net/packet/af_packet.c:2966 [inline]
packet_sendmsg+0x2778/0x4840 net/packet/af_packet.c:2991
sock_sendmsg_nosec net/socket.c:648 [inline]
sock_sendmsg+0xbe/0x110 net/socket.c:658
SYSC_sendto net/socket.c:1683 [inline]
SyS_sendto+0x201/0x340 net/socket.c:1651
do_syscall_64+0x1ad/0x570 arch/x86/entry/common.c:285
entry_SYSCALL_64_after_swapgs+0x5d/0xdb
The buggy address belongs to the object at ffff8801d26e6dc0
which belongs to the cache skbuff_head_cache of size 224
The buggy address is located 156 bytes inside of
224-byte region [ffff8801d26e6dc0, ffff8801d26e6ea0)
The buggy address belongs to the page:
page:ffffea000749b980 count:1 mapcount:0 mapping: (null) index:0x0
flags: 0x4000000000000080(slab)
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8801d26e6d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
ffff8801d26e6d80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
> ffff8801d26e6e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8801d26e6e80: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
ffff8801d26e6f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc