KASAN: use-after-free Read in macvlan_dev_get_iflink
12 views
Skip to first unread message
syzbot
Mar 5, 2020, 8:40:11 PM3/5/20
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: 78d697fc Linux 4.14.172
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=17b7f7ede00000
kernel config: https://syzkaller.appspot.com/x/.config?x=31ad682bcda9b93f
dashboard link: https://syzkaller.appspot.com/bug?extid=d11c860b0130db28056e
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+d11c86...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in macvlan_dev_get_iflink+0x5f/0x70 drivers/net/macvlan.c:1095
Read of size 4 at addr ffff88802911a508 by task syz-executor.5/2114
CPU: 1 PID: 2114 Comm: syz-executor.5 Not tainted 4.14.172-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x13e/0x194 lib/dump_stack.c:58
print_address_description.cold+0x7c/0x1e2 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2ae mm/kasan/report.c:393
macvlan_dev_get_iflink+0x5f/0x70 drivers/net/macvlan.c:1095
dev_get_iflink+0x73/0xe0 net/core/dev.c:690
rfc2863_policy+0x17e/0x1e0 net/core/link_watch.c:43
linkwatch_do_dev+0x16/0xe0 net/core/link_watch.c:157
linkwatch_forget_dev+0x15c/0x1f0 net/core/link_watch.c:223
netdev_wait_allrefs net/core/dev.c:7831 [inline]
netdev_run_todo+0x234/0x710 net/core/dev.c:7932
rtnl_unlock net/core/rtnetlink.c:106 [inline]
rtnetlink_rcv_msg+0x3cb/0xb10 net/core/rtnetlink.c:4317
netlink_rcv_skb+0x127/0x370 net/netlink/af_netlink.c:2432
netlink_unicast_kernel net/netlink/af_netlink.c:1286 [inline]
netlink_unicast+0x437/0x620 net/netlink/af_netlink.c:1312
netlink_sendmsg+0x733/0xbe0 net/netlink/af_netlink.c:1877
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xc5/0x100 net/socket.c:656
___sys_sendmsg+0x70a/0x840 net/socket.c:2062
__sys_sendmsg+0xa3/0x120 net/socket.c:2096
SYSC_sendmsg net/socket.c:2107 [inline]
SyS_sendmsg+0x27/0x40 net/socket.c:2103
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x45c479
RSP: 002b:00007fcfc82f0c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007fcfc82f16d4 RCX: 000000000045c479
RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000006
RBP: 000000000076bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000009f9 R14: 00000000004cc71a R15: 000000000076bf2c
Allocated by task 2114:
save_stack+0x32/0xa0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kasan_kmalloc+0xbf/0xe0 mm/kasan/kasan.c:529
__do_kmalloc_node mm/slab.c:3682 [inline]
__kmalloc_node+0x4c/0x70 mm/slab.c:3689
kmalloc_node include/linux/slab.h:530 [inline]
kvmalloc_node+0x46/0xd0 mm/util.c:397
kvmalloc include/linux/mm.h:531 [inline]
kvzalloc include/linux/mm.h:539 [inline]
alloc_netdev_mqs+0x76/0xb70 net/core/dev.c:8097
rtnl_create_link+0x1ab/0x880 net/core/rtnetlink.c:2460
rtnl_newlink+0xdd0/0x1720 net/core/rtnetlink.c:2718
rtnetlink_rcv_msg+0x3be/0xb10 net/core/rtnetlink.c:4315
netlink_rcv_skb+0x127/0x370 net/netlink/af_netlink.c:2432
netlink_unicast_kernel net/netlink/af_netlink.c:1286 [inline]
netlink_unicast+0x437/0x620 net/netlink/af_netlink.c:1312
netlink_sendmsg+0x733/0xbe0 net/netlink/af_netlink.c:1877
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xc5/0x100 net/socket.c:656
___sys_sendmsg+0x70a/0x840 net/socket.c:2062
__sys_sendmsg+0xa3/0x120 net/socket.c:2096
SYSC_sendmsg net/socket.c:2107 [inline]
SyS_sendmsg+0x27/0x40 net/socket.c:2103
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
Freed by task 2118:
save_stack+0x32/0xa0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kfree+0xcb/0x260 mm/slab.c:3815
kvfree+0x45/0x50 mm/util.c:416
device_release+0x15f/0x1a0 drivers/base/core.c:833
kobject_cleanup lib/kobject.c:646 [inline]
kobject_release lib/kobject.c:675 [inline]
kref_put include/linux/kref.h:70 [inline]
kobject_put+0x13e/0x1f0 lib/kobject.c:692
netdev_run_todo+0x4a9/0x710 net/core/dev.c:7954
rtnl_unlock net/core/rtnetlink.c:106 [inline]
rtnetlink_rcv_msg+0x3cb/0xb10 net/core/rtnetlink.c:4317
netlink_rcv_skb+0x127/0x370 net/netlink/af_netlink.c:2432
netlink_unicast_kernel net/netlink/af_netlink.c:1286 [inline]
netlink_unicast+0x437/0x620 net/netlink/af_netlink.c:1312
netlink_sendmsg+0x733/0xbe0 net/netlink/af_netlink.c:1877
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xc5/0x100 net/socket.c:656
___sys_sendmsg+0x70a/0x840 net/socket.c:2062
__sys_sendmsg+0xa3/0x120 net/socket.c:2096
SYSC_sendmsg net/socket.c:2107 [inline]
SyS_sendmsg+0x27/0x40 net/socket.c:2103
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
The buggy address belongs to the object at ffff88802911a400
which belongs to the cache kmalloc-4096 of size 4096
The buggy address is located 264 bytes inside of
4096-byte region [ffff88802911a400, ffff88802911b400)
The buggy address belongs to the page:
page:ffffea0000a44680 count:1 mapcount:0 mapping:ffff88802911a400 index:0x0 compound_mapcount: 0
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffff88802911a400 0000000000000000 0000000100000001
raw: ffffea0001374aa0 ffffea0002816c20 ffff88812fe56dc0 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88802911a400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88802911a480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88802911a500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88802911a580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88802911a600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following crash on:
HEAD commit: 78d697fc Linux 4.14.172
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=17b7f7ede00000
kernel config: https://syzkaller.appspot.com/x/.config?x=31ad682bcda9b93f
dashboard link: https://syzkaller.appspot.com/bug?extid=d11c860b0130db28056e
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+d11c86...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in macvlan_dev_get_iflink+0x5f/0x70 drivers/net/macvlan.c:1095
Read of size 4 at addr ffff88802911a508 by task syz-executor.5/2114
CPU: 1 PID: 2114 Comm: syz-executor.5 Not tainted 4.14.172-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x13e/0x194 lib/dump_stack.c:58
print_address_description.cold+0x7c/0x1e2 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2ae mm/kasan/report.c:393
macvlan_dev_get_iflink+0x5f/0x70 drivers/net/macvlan.c:1095
dev_get_iflink+0x73/0xe0 net/core/dev.c:690
rfc2863_policy+0x17e/0x1e0 net/core/link_watch.c:43
linkwatch_do_dev+0x16/0xe0 net/core/link_watch.c:157
linkwatch_forget_dev+0x15c/0x1f0 net/core/link_watch.c:223
netdev_wait_allrefs net/core/dev.c:7831 [inline]
netdev_run_todo+0x234/0x710 net/core/dev.c:7932
rtnl_unlock net/core/rtnetlink.c:106 [inline]
rtnetlink_rcv_msg+0x3cb/0xb10 net/core/rtnetlink.c:4317
netlink_rcv_skb+0x127/0x370 net/netlink/af_netlink.c:2432
netlink_unicast_kernel net/netlink/af_netlink.c:1286 [inline]
netlink_unicast+0x437/0x620 net/netlink/af_netlink.c:1312
netlink_sendmsg+0x733/0xbe0 net/netlink/af_netlink.c:1877
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xc5/0x100 net/socket.c:656
___sys_sendmsg+0x70a/0x840 net/socket.c:2062
__sys_sendmsg+0xa3/0x120 net/socket.c:2096
SYSC_sendmsg net/socket.c:2107 [inline]
SyS_sendmsg+0x27/0x40 net/socket.c:2103
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x45c479
RSP: 002b:00007fcfc82f0c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007fcfc82f16d4 RCX: 000000000045c479
RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000006
RBP: 000000000076bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000009f9 R14: 00000000004cc71a R15: 000000000076bf2c
Allocated by task 2114:
save_stack+0x32/0xa0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kasan_kmalloc+0xbf/0xe0 mm/kasan/kasan.c:529
__do_kmalloc_node mm/slab.c:3682 [inline]
__kmalloc_node+0x4c/0x70 mm/slab.c:3689
kmalloc_node include/linux/slab.h:530 [inline]
kvmalloc_node+0x46/0xd0 mm/util.c:397
kvmalloc include/linux/mm.h:531 [inline]
kvzalloc include/linux/mm.h:539 [inline]
alloc_netdev_mqs+0x76/0xb70 net/core/dev.c:8097
rtnl_create_link+0x1ab/0x880 net/core/rtnetlink.c:2460
rtnl_newlink+0xdd0/0x1720 net/core/rtnetlink.c:2718
rtnetlink_rcv_msg+0x3be/0xb10 net/core/rtnetlink.c:4315
netlink_rcv_skb+0x127/0x370 net/netlink/af_netlink.c:2432
netlink_unicast_kernel net/netlink/af_netlink.c:1286 [inline]
netlink_unicast+0x437/0x620 net/netlink/af_netlink.c:1312
netlink_sendmsg+0x733/0xbe0 net/netlink/af_netlink.c:1877
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xc5/0x100 net/socket.c:656
___sys_sendmsg+0x70a/0x840 net/socket.c:2062
__sys_sendmsg+0xa3/0x120 net/socket.c:2096
SYSC_sendmsg net/socket.c:2107 [inline]
SyS_sendmsg+0x27/0x40 net/socket.c:2103
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
Freed by task 2118:
save_stack+0x32/0xa0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kfree+0xcb/0x260 mm/slab.c:3815
kvfree+0x45/0x50 mm/util.c:416
device_release+0x15f/0x1a0 drivers/base/core.c:833
kobject_cleanup lib/kobject.c:646 [inline]
kobject_release lib/kobject.c:675 [inline]
kref_put include/linux/kref.h:70 [inline]
kobject_put+0x13e/0x1f0 lib/kobject.c:692
netdev_run_todo+0x4a9/0x710 net/core/dev.c:7954
rtnl_unlock net/core/rtnetlink.c:106 [inline]
rtnetlink_rcv_msg+0x3cb/0xb10 net/core/rtnetlink.c:4317
netlink_rcv_skb+0x127/0x370 net/netlink/af_netlink.c:2432
netlink_unicast_kernel net/netlink/af_netlink.c:1286 [inline]
netlink_unicast+0x437/0x620 net/netlink/af_netlink.c:1312
netlink_sendmsg+0x733/0xbe0 net/netlink/af_netlink.c:1877
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xc5/0x100 net/socket.c:656
___sys_sendmsg+0x70a/0x840 net/socket.c:2062
__sys_sendmsg+0xa3/0x120 net/socket.c:2096
SYSC_sendmsg net/socket.c:2107 [inline]
SyS_sendmsg+0x27/0x40 net/socket.c:2103
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
The buggy address belongs to the object at ffff88802911a400
which belongs to the cache kmalloc-4096 of size 4096
The buggy address is located 264 bytes inside of
4096-byte region [ffff88802911a400, ffff88802911b400)
The buggy address belongs to the page:
page:ffffea0000a44680 count:1 mapcount:0 mapping:ffff88802911a400 index:0x0 compound_mapcount: 0
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffff88802911a400 0000000000000000 0000000100000001
raw: ffffea0001374aa0 ffffea0002816c20 ffff88812fe56dc0 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88802911a400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88802911a480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88802911a500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88802911a580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88802911a600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Mar 5, 2020, 8:52:12 PM3/5/20
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: 7472c402 Linux 4.19.108
syzbot found the following crash on:
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=169b2f29e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=1bf7e5d5b217805a
dashboard link: https://syzkaller.appspot.com/bug?extid=714f24a8e74aafd52bc0
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+714f24...@syzkaller.appspotmail.com
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
==================================================================
BUG: KASAN: use-after-free in macvlan_dev_get_iflink+0x5f/0x70 drivers/net/macvlan.c:1093
Read of size 4 at addr ffff888097344588 by task syz-executor.3/31969
CPU: 1 PID: 31969 Comm: syz-executor.3 Not tainted 4.19.108-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
Call Trace:
dump_stack+0x188/0x20d lib/dump_stack.c:118
print_address_description.cold+0x7c/0x212 mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report mm/kasan/report.c:412 [inline]
kasan_report.cold+0x88/0x2b9 mm/kasan/report.c:396
macvlan_dev_get_iflink+0x5f/0x70 drivers/net/macvlan.c:1093
dev_get_iflink+0x73/0xe0 net/core/dev.c:691
rfc2863_policy+0x1ca/0x230 net/core/link_watch.c:43
linkwatch_do_dev+0x17/0x110 net/core/link_watch.c:157
linkwatch_forget_dev+0x16a/0x200 net/core/link_watch.c:223
netdev_wait_allrefs net/core/dev.c:8862 [inline]
netdev_run_todo+0x242/0x740 net/core/dev.c:8958
rtnl_unlock net/core/rtnetlink.c:117 [inline]
rtnetlink_rcv_msg+0x460/0xaf0 net/core/rtnetlink.c:4778
netlink_rcv_skb+0x160/0x410 net/netlink/af_netlink.c:2455
netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
netlink_unicast+0x4d7/0x6a0 net/netlink/af_netlink.c:1344
netlink_sendmsg+0x80b/0xcd0 net/netlink/af_netlink.c:1909
sock_sendmsg_nosec net/socket.c:622 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:632
___sys_sendmsg+0x803/0x920 net/socket.c:2115
__sys_sendmsg+0xec/0x1b0 net/socket.c:2153
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45c479
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f1333182c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f13331836d4 RCX: 000000000045c479
RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000006
RBP: 000000000076bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000009f9 R14: 00000000004cc71a R15: 000000000076bf2c
Allocated by task 31969:
RBP: 000000000076bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000009f9 R14: 00000000004cc71a R15: 000000000076bf2c
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc mm/kasan/kasan.c:553 [inline]
kasan_kmalloc+0xbf/0xe0 mm/kasan/kasan.c:531
__do_kmalloc_node mm/slab.c:3689 [inline]
__kmalloc_node+0x4c/0x70 mm/slab.c:3696
kmalloc_node include/linux/slab.h:557 [inline]
kvmalloc_node+0x61/0xf0 mm/util.c:423
kvmalloc include/linux/mm.h:577 [inline]
kvzalloc include/linux/mm.h:585 [inline]
alloc_netdev_mqs+0x97/0xd50 net/core/dev.c:9122
rtnl_create_link+0x1d4/0xa30 net/core/rtnetlink.c:2869
rtnl_newlink+0xe1a/0x1440 net/core/rtnetlink.c:3131
rtnetlink_rcv_msg+0x453/0xaf0 net/core/rtnetlink.c:4777
netlink_rcv_skb+0x160/0x410 net/netlink/af_netlink.c:2455
netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
netlink_unicast+0x4d7/0x6a0 net/netlink/af_netlink.c:1344
netlink_sendmsg+0x80b/0xcd0 net/netlink/af_netlink.c:1909
sock_sendmsg_nosec net/socket.c:622 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:632
___sys_sendmsg+0x803/0x920 net/socket.c:2115
__sys_sendmsg+0xec/0x1b0 net/socket.c:2153
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 31975:
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free+0xf7/0x140 mm/kasan/kasan.c:521
__cache_free mm/slab.c:3503 [inline]
kfree+0xce/0x220 mm/slab.c:3822
kvfree+0x59/0x60 mm/util.c:452
device_release+0x76/0x210 drivers/base/core.c:926
kobject_cleanup lib/kobject.c:662 [inline]
kobject_release lib/kobject.c:691 [inline]
kref_put include/linux/kref.h:70 [inline]
kobject_put+0x17c/0x270 lib/kobject.c:708
netdev_run_todo+0x4f1/0x740 net/core/dev.c:8981
rtnl_unlock net/core/rtnetlink.c:117 [inline]
rtnetlink_rcv_msg+0x460/0xaf0 net/core/rtnetlink.c:4778
netlink_rcv_skb+0x160/0x410 net/netlink/af_netlink.c:2455
netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
netlink_unicast+0x4d7/0x6a0 net/netlink/af_netlink.c:1344
netlink_sendmsg+0x80b/0xcd0 net/netlink/af_netlink.c:1909
sock_sendmsg_nosec net/socket.c:622 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:632
___sys_sendmsg+0x803/0x920 net/socket.c:2115
__sys_sendmsg+0xec/0x1b0 net/socket.c:2153
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff888097344480
which belongs to the cache kmalloc-4096 of size 4096
The buggy address is located 264 bytes inside of
4096-byte region [ffff888097344480, ffff888097345480)
The buggy address is located 264 bytes inside of
The buggy address belongs to the page:
page:ffffea00025cd100 count:1 mapcount:0 mapping:ffff88812c3dcdc0 index:0x0 compound_mapcount: 0
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffffea000261eb08 ffffea0001375b08 ffff88812c3dcdc0
raw: 0000000000000000 ffff888097344480 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888097344480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Memory state around the buggy address:
ffff888097344500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888097344580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888097344600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888097344680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
syzbot
Mar 5, 2020, 9:55:14 PM3/5/20
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following crash on:
HEAD commit: 78d697fc Linux 4.14.172
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1201b62de00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+d11c86...@syzkaller.appspotmail.com
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.0'.
device hsr_slave_1 left promiscuous mode
device hsr_slave_0 left promiscuous mode
device hsr_slave_0 left promiscuous mode
CPU: 0 PID: 8038 Comm: syz-executor.1 Not tainted 4.14.172-syzkaller #0
RSP: 002b:00007fd557d08c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007fd557d096d4 RCX: 000000000045c479
rtnl_newlink+0xecb/0x1720 net/core/rtnetlink.c:2728
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
Freed by task 8045:
The buggy address belongs to the object at ffff888094d3a080
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffff888094d3a080 0000000000000000 0000000100000001
raw: ffffea00025581a0 ffffea00025250a0 ffff88812fe56dc0 0000000000000000
ffff888094d3a100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888094d3a180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888094d3a200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888094d3a280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
HEAD commit: 78d697fc Linux 4.14.172
git tree: linux-4.14.y
kernel config: https://syzkaller.appspot.com/x/.config?x=31ad682bcda9b93f
dashboard link: https://syzkaller.appspot.com/bug?extid=d11c860b0130db28056e
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1648ece3e00000
dashboard link: https://syzkaller.appspot.com/bug?extid=d11c860b0130db28056e
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+d11c86...@syzkaller.appspotmail.com
device hsr_slave_1 left promiscuous mode
device hsr_slave_0 left promiscuous mode
device hsr_slave_0 left promiscuous mode
==================================================================
BUG: KASAN: use-after-free in macvlan_dev_get_iflink+0x5f/0x70 drivers/net/macvlan.c:1095
Read of size 4 at addr ffff888094d3a188 by task syz-executor.1/8038
BUG: KASAN: use-after-free in macvlan_dev_get_iflink+0x5f/0x70 drivers/net/macvlan.c:1095
CPU: 0 PID: 8038 Comm: syz-executor.1 Not tainted 4.14.172-syzkaller #0
RAX: ffffffffffffffda RBX: 00007fd557d096d4 RCX: 000000000045c479
RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000006
RBP: 000000000076bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000009f9 R14: 00000000004cc71a R15: 000000000076bf2c
Allocated by task 7417:
RBP: 000000000076bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000009f9 R14: 00000000004cc71a R15: 000000000076bf2c
save_stack+0x32/0xa0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kasan_kmalloc+0xbf/0xe0 mm/kasan/kasan.c:529
__do_kmalloc_node mm/slab.c:3682 [inline]
__kmalloc_node+0x4c/0x70 mm/slab.c:3689
kmalloc_node include/linux/slab.h:530 [inline]
kvmalloc_node+0x46/0xd0 mm/util.c:397
kvmalloc include/linux/mm.h:531 [inline]
kvzalloc include/linux/mm.h:539 [inline]
alloc_netdev_mqs+0x76/0xb70 net/core/dev.c:8097
rtnl_create_link+0x1ab/0x880 net/core/rtnetlink.c:2460
veth_newlink+0x1e3/0x8a0 drivers/net/veth.c:400
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kasan_kmalloc+0xbf/0xe0 mm/kasan/kasan.c:529
__do_kmalloc_node mm/slab.c:3682 [inline]
__kmalloc_node+0x4c/0x70 mm/slab.c:3689
kmalloc_node include/linux/slab.h:530 [inline]
kvmalloc_node+0x46/0xd0 mm/util.c:397
kvmalloc include/linux/mm.h:531 [inline]
kvzalloc include/linux/mm.h:539 [inline]
alloc_netdev_mqs+0x76/0xb70 net/core/dev.c:8097
rtnl_create_link+0x1ab/0x880 net/core/rtnetlink.c:2460
rtnl_newlink+0xecb/0x1720 net/core/rtnetlink.c:2728
rtnetlink_rcv_msg+0x3be/0xb10 net/core/rtnetlink.c:4315
netlink_rcv_skb+0x127/0x370 net/netlink/af_netlink.c:2432
netlink_unicast_kernel net/netlink/af_netlink.c:1286 [inline]
netlink_unicast+0x437/0x620 net/netlink/af_netlink.c:1312
netlink_sendmsg+0x733/0xbe0 net/netlink/af_netlink.c:1877
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xc5/0x100 net/socket.c:656
SYSC_sendto+0x1c4/0x2b0 net/socket.c:1763
netlink_rcv_skb+0x127/0x370 net/netlink/af_netlink.c:2432
netlink_unicast_kernel net/netlink/af_netlink.c:1286 [inline]
netlink_unicast+0x437/0x620 net/netlink/af_netlink.c:1312
netlink_sendmsg+0x733/0xbe0 net/netlink/af_netlink.c:1877
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xc5/0x100 net/socket.c:656
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
Freed by task 8045:
which belongs to the cache kmalloc-4096 of size 4096
The buggy address is located 264 bytes inside of
4096-byte region [ffff888094d3a080, ffff888094d3b080)
The buggy address is located 264 bytes inside of
The buggy address belongs to the page:
page:ffffea0002534e80 count:1 mapcount:0 mapping:ffff888094d3a080 index:0x0 compound_mapcount: 0
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffff888094d3a080 0000000000000000 0000000100000001
raw: ffffea00025581a0 ffffea00025250a0 ffff88812fe56dc0 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888094d3a080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Memory state around the buggy address:
ffff888094d3a100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888094d3a180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888094d3a200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888094d3a280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
syzbot
Mar 5, 2020, 10:21:14 PM3/5/20
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following crash on:
HEAD commit: 7472c402 Linux 4.19.108
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=13f1e7b5e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17c64e2de00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+714f24...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in macvlan_dev_get_iflink+0x5f/0x70 drivers/net/macvlan.c:1093
Read of size 4 at addr ffff8880918de148 by task syz-executor025/10369
CPU: 0 PID: 10369 Comm: syz-executor025 Not tainted 4.19.108-syzkaller #0
RIP: 0033:0x446f79
Code: e8 8c e7 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 07 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f967f3d0d98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000006dbc88 RCX: 0000000000446f79
R10: 000000000000000a R11: 0000000000000246 R12: 00000000006dbc8c
R13: 0000000000000000 R14: 0000000000000000 R15: 0705001000000048
Allocated by task 10369:
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffffea0002552308 ffffea00025baf88 ffff88812c3dcdc0
raw: 0000000000000000 ffff8880918de040 0000000100000001 0000000000000000
ffff8880918de080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880918de100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880918de180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880918de200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
HEAD commit: 7472c402 Linux 4.19.108
git tree: linux-4.19.y
kernel config: https://syzkaller.appspot.com/x/.config?x=1bf7e5d5b217805a
dashboard link: https://syzkaller.appspot.com/bug?extid=714f24a8e74aafd52bc0
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=118182f9e00000
dashboard link: https://syzkaller.appspot.com/bug?extid=714f24a8e74aafd52bc0
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17c64e2de00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+714f24...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in macvlan_dev_get_iflink+0x5f/0x70 drivers/net/macvlan.c:1093
CPU: 0 PID: 10369 Comm: syz-executor025 Not tainted 4.19.108-syzkaller #0
Code: e8 8c e7 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 07 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f967f3d0d98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000006dbc88 RCX: 0000000000446f79
RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000006
RBP: 00000000006dbc80 R08: 0000000000000000 R09: 0000000000000000
R10: 000000000000000a R11: 0000000000000246 R12: 00000000006dbc8c
R13: 0000000000000000 R14: 0000000000000000 R15: 0705001000000048
Allocated by task 10369:
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc mm/kasan/kasan.c:553 [inline]
kasan_kmalloc+0xbf/0xe0 mm/kasan/kasan.c:531
__do_kmalloc_node mm/slab.c:3689 [inline]
__kmalloc_node+0x4c/0x70 mm/slab.c:3696
kmalloc_node include/linux/slab.h:557 [inline]
kvmalloc_node+0x61/0xf0 mm/util.c:423
kvmalloc include/linux/mm.h:577 [inline]
kvzalloc include/linux/mm.h:585 [inline]
alloc_netdev_mqs+0x97/0xd50 net/core/dev.c:9122
rtnl_create_link+0x1d4/0xa30 net/core/rtnetlink.c:2869
rtnl_newlink+0xe1a/0x1440 net/core/rtnetlink.c:3131
rtnetlink_rcv_msg+0x453/0xaf0 net/core/rtnetlink.c:4777
netlink_rcv_skb+0x160/0x410 net/netlink/af_netlink.c:2455
netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
netlink_unicast+0x4d7/0x6a0 net/netlink/af_netlink.c:1344
netlink_sendmsg+0x80b/0xcd0 net/netlink/af_netlink.c:1909
sock_sendmsg_nosec net/socket.c:622 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:632
___sys_sendmsg+0x803/0x920 net/socket.c:2115
__sys_sendmsg+0xec/0x1b0 net/socket.c:2153
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 10373:
kasan_kmalloc mm/kasan/kasan.c:553 [inline]
kasan_kmalloc+0xbf/0xe0 mm/kasan/kasan.c:531
__do_kmalloc_node mm/slab.c:3689 [inline]
__kmalloc_node+0x4c/0x70 mm/slab.c:3696
kmalloc_node include/linux/slab.h:557 [inline]
kvmalloc_node+0x61/0xf0 mm/util.c:423
kvmalloc include/linux/mm.h:577 [inline]
kvzalloc include/linux/mm.h:585 [inline]
alloc_netdev_mqs+0x97/0xd50 net/core/dev.c:9122
rtnl_create_link+0x1d4/0xa30 net/core/rtnetlink.c:2869
rtnl_newlink+0xe1a/0x1440 net/core/rtnetlink.c:3131
rtnetlink_rcv_msg+0x453/0xaf0 net/core/rtnetlink.c:4777
netlink_rcv_skb+0x160/0x410 net/netlink/af_netlink.c:2455
netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
netlink_unicast+0x4d7/0x6a0 net/netlink/af_netlink.c:1344
netlink_sendmsg+0x80b/0xcd0 net/netlink/af_netlink.c:1909
sock_sendmsg_nosec net/socket.c:622 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:632
___sys_sendmsg+0x803/0x920 net/socket.c:2115
__sys_sendmsg+0xec/0x1b0 net/socket.c:2153
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free+0xf7/0x140 mm/kasan/kasan.c:521
__cache_free mm/slab.c:3503 [inline]
kfree+0xce/0x220 mm/slab.c:3822
kvfree+0x59/0x60 mm/util.c:452
device_release+0x76/0x210 drivers/base/core.c:926
kobject_cleanup lib/kobject.c:662 [inline]
kobject_release lib/kobject.c:691 [inline]
kref_put include/linux/kref.h:70 [inline]
kobject_put+0x17c/0x270 lib/kobject.c:708
netdev_run_todo+0x4f1/0x740 net/core/dev.c:8981
rtnl_unlock net/core/rtnetlink.c:117 [inline]
rtnetlink_rcv_msg+0x460/0xaf0 net/core/rtnetlink.c:4778
netlink_rcv_skb+0x160/0x410 net/netlink/af_netlink.c:2455
netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
netlink_unicast+0x4d7/0x6a0 net/netlink/af_netlink.c:1344
netlink_sendmsg+0x80b/0xcd0 net/netlink/af_netlink.c:1909
sock_sendmsg_nosec net/socket.c:622 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:632
___sys_sendmsg+0x803/0x920 net/socket.c:2115
__sys_sendmsg+0xec/0x1b0 net/socket.c:2153
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff8880918de040
__kasan_slab_free+0xf7/0x140 mm/kasan/kasan.c:521
__cache_free mm/slab.c:3503 [inline]
kfree+0xce/0x220 mm/slab.c:3822
kvfree+0x59/0x60 mm/util.c:452
device_release+0x76/0x210 drivers/base/core.c:926
kobject_cleanup lib/kobject.c:662 [inline]
kobject_release lib/kobject.c:691 [inline]
kref_put include/linux/kref.h:70 [inline]
kobject_put+0x17c/0x270 lib/kobject.c:708
netdev_run_todo+0x4f1/0x740 net/core/dev.c:8981
rtnl_unlock net/core/rtnetlink.c:117 [inline]
rtnetlink_rcv_msg+0x460/0xaf0 net/core/rtnetlink.c:4778
netlink_rcv_skb+0x160/0x410 net/netlink/af_netlink.c:2455
netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
netlink_unicast+0x4d7/0x6a0 net/netlink/af_netlink.c:1344
netlink_sendmsg+0x80b/0xcd0 net/netlink/af_netlink.c:1909
sock_sendmsg_nosec net/socket.c:622 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:632
___sys_sendmsg+0x803/0x920 net/socket.c:2115
__sys_sendmsg+0xec/0x1b0 net/socket.c:2153
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
which belongs to the cache kmalloc-4096 of size 4096
The buggy address is located 264 bytes inside of
4096-byte region [ffff8880918de040, ffff8880918df040)
The buggy address is located 264 bytes inside of
The buggy address belongs to the page:
page:ffffea0002463780 count:1 mapcount:0 mapping:ffff88812c3dcdc0 index:0x0 compound_mapcount: 0
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffffea0002552308 ffffea00025baf88 ffff88812c3dcdc0
raw: 0000000000000000 ffff8880918de040 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880918de000: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
Memory state around the buggy address:
ffff8880918de080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880918de100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880918de180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880918de200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
syzbot
Mar 14, 2020, 8:19:15 AM3/14/20
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following crash on:
HEAD commit: 12cd844a Linux 4.14.173
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=141be2a9e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=8a9d0602a0f7791e
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=143ce6b1e00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+d11c86...@syzkaller.appspotmail.com
netlink: 4 bytes leftover after parsing attributes in process `syz-executor717'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor717'.
CPU: 1 PID: 30218 Comm: syz-executor717 Not tainted 4.14.173-syzkaller #0
netlink_unicast_kernel net/netlink/af_netlink.c:1287 [inline]
netlink_unicast+0x437/0x620 net/netlink/af_netlink.c:1313
netlink_sendmsg+0x733/0xbe0 net/netlink/af_netlink.c:1878
RSP: 002b:00007f8968756ce8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000006dcc98 RCX: 00000000004480e9
R10: 0000000000000010 R11: 0000000000000246 R12: 00000000006dcc9c
R13: 00007fffdd850a9f R14: 00007f89687579c0 R15: 0000000000000001
Allocated by task 30209:
netlink_unicast_kernel net/netlink/af_netlink.c:1287 [inline]
netlink_unicast+0x437/0x620 net/netlink/af_netlink.c:1313
netlink_sendmsg+0x733/0xbe0 net/netlink/af_netlink.c:1878
netlink_unicast_kernel net/netlink/af_netlink.c:1287 [inline]
netlink_unicast+0x437/0x620 net/netlink/af_netlink.c:1313
netlink_sendmsg+0x733/0xbe0 net/netlink/af_netlink.c:1878
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffff88809bef6680 0000000000000000 0000000100000001
raw: ffffea000222baa0 ffffea00024c4720 ffff88812fe56dc0 0000000000000000
ffff88809bef6700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88809bef6780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88809bef6800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88809bef6880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
nla_parse: 4 callbacks suppressed
netlink: 4 bytes leftover after parsing attributes in process `syz-executor717'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor717'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor717'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor717'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor717'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor717'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor717'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor717'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor717'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor717'.
nla_parse: 2 callbacks suppressed
netlink: 4 bytes leftover after parsing attributes in process `syz-executor717'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor717'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor717'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor717'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor717'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor717'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor717'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor717'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor717'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor717'.
HEAD commit: 12cd844a Linux 4.14.173
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=141be2a9e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=8a9d0602a0f7791e
dashboard link: https://syzkaller.appspot.com/bug?extid=d11c860b0130db28056e
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1299e0d3e00000
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=143ce6b1e00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+d11c86...@syzkaller.appspotmail.com
netlink: 4 bytes leftover after parsing attributes in process `syz-executor717'.
==================================================================
BUG: KASAN: use-after-free in macvlan_dev_get_iflink+0x5f/0x70 drivers/net/macvlan.c:1095
Read of size 4 at addr ffff88809bef6788 by task syz-executor717/30218
BUG: KASAN: use-after-free in macvlan_dev_get_iflink+0x5f/0x70 drivers/net/macvlan.c:1095
CPU: 1 PID: 30218 Comm: syz-executor717 Not tainted 4.14.173-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x13e/0x194 lib/dump_stack.c:58
print_address_description.cold+0x7c/0x1e2 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2ae mm/kasan/report.c:393
macvlan_dev_get_iflink+0x5f/0x70 drivers/net/macvlan.c:1095
dev_get_iflink+0x73/0xe0 net/core/dev.c:690
rfc2863_policy+0x17e/0x1e0 net/core/link_watch.c:43
linkwatch_do_dev+0x16/0xe0 net/core/link_watch.c:157
linkwatch_forget_dev+0x15c/0x1f0 net/core/link_watch.c:223
netdev_wait_allrefs net/core/dev.c:7831 [inline]
netdev_run_todo+0x234/0x710 net/core/dev.c:7932
rtnl_unlock net/core/rtnetlink.c:106 [inline]
rtnetlink_rcv_msg+0x3cb/0xb10 net/core/rtnetlink.c:4317
netlink_rcv_skb+0x127/0x370 net/netlink/af_netlink.c:2433
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x13e/0x194 lib/dump_stack.c:58
print_address_description.cold+0x7c/0x1e2 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2ae mm/kasan/report.c:393
macvlan_dev_get_iflink+0x5f/0x70 drivers/net/macvlan.c:1095
dev_get_iflink+0x73/0xe0 net/core/dev.c:690
rfc2863_policy+0x17e/0x1e0 net/core/link_watch.c:43
linkwatch_do_dev+0x16/0xe0 net/core/link_watch.c:157
linkwatch_forget_dev+0x15c/0x1f0 net/core/link_watch.c:223
netdev_wait_allrefs net/core/dev.c:7831 [inline]
netdev_run_todo+0x234/0x710 net/core/dev.c:7932
rtnl_unlock net/core/rtnetlink.c:106 [inline]
rtnetlink_rcv_msg+0x3cb/0xb10 net/core/rtnetlink.c:4317
netlink_unicast_kernel net/netlink/af_netlink.c:1287 [inline]
netlink_unicast+0x437/0x620 net/netlink/af_netlink.c:1313
netlink_sendmsg+0x733/0xbe0 net/netlink/af_netlink.c:1878
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xc5/0x100 net/socket.c:656
___sys_sendmsg+0x70a/0x840 net/socket.c:2062
__sys_sendmsg+0xa3/0x120 net/socket.c:2096
SYSC_sendmsg net/socket.c:2107 [inline]
SyS_sendmsg+0x27/0x40 net/socket.c:2103
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x4480e9
sock_sendmsg+0xc5/0x100 net/socket.c:656
___sys_sendmsg+0x70a/0x840 net/socket.c:2062
__sys_sendmsg+0xa3/0x120 net/socket.c:2096
SYSC_sendmsg net/socket.c:2107 [inline]
SyS_sendmsg+0x27/0x40 net/socket.c:2103
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RSP: 002b:00007f8968756ce8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000006dcc98 RCX: 00000000004480e9
RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000006
RBP: 00000000006dcc90 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000010 R11: 0000000000000246 R12: 00000000006dcc9c
R13: 00007fffdd850a9f R14: 00007f89687579c0 R15: 0000000000000001
Allocated by task 30209:
save_stack+0x32/0xa0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kasan_kmalloc+0xbf/0xe0 mm/kasan/kasan.c:529
__do_kmalloc_node mm/slab.c:3682 [inline]
__kmalloc_node+0x4c/0x70 mm/slab.c:3689
kmalloc_node include/linux/slab.h:530 [inline]
kvmalloc_node+0x46/0xd0 mm/util.c:397
kvmalloc include/linux/mm.h:531 [inline]
kvzalloc include/linux/mm.h:539 [inline]
alloc_netdev_mqs+0x76/0xb70 net/core/dev.c:8097
rtnl_create_link+0x1ab/0x880 net/core/rtnetlink.c:2460
rtnl_newlink+0xdd0/0x1720 net/core/rtnetlink.c:2718
rtnetlink_rcv_msg+0x3be/0xb10 net/core/rtnetlink.c:4315
netlink_rcv_skb+0x127/0x370 net/netlink/af_netlink.c:2433
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kasan_kmalloc+0xbf/0xe0 mm/kasan/kasan.c:529
__do_kmalloc_node mm/slab.c:3682 [inline]
__kmalloc_node+0x4c/0x70 mm/slab.c:3689
kmalloc_node include/linux/slab.h:530 [inline]
kvmalloc_node+0x46/0xd0 mm/util.c:397
kvmalloc include/linux/mm.h:531 [inline]
kvzalloc include/linux/mm.h:539 [inline]
alloc_netdev_mqs+0x76/0xb70 net/core/dev.c:8097
rtnl_create_link+0x1ab/0x880 net/core/rtnetlink.c:2460
rtnl_newlink+0xdd0/0x1720 net/core/rtnetlink.c:2718
rtnetlink_rcv_msg+0x3be/0xb10 net/core/rtnetlink.c:4315
netlink_unicast_kernel net/netlink/af_netlink.c:1287 [inline]
netlink_unicast+0x437/0x620 net/netlink/af_netlink.c:1313
netlink_sendmsg+0x733/0xbe0 net/netlink/af_netlink.c:1878
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xc5/0x100 net/socket.c:656
___sys_sendmsg+0x70a/0x840 net/socket.c:2062
__sys_sendmsg+0xa3/0x120 net/socket.c:2096
SYSC_sendmsg net/socket.c:2107 [inline]
SyS_sendmsg+0x27/0x40 net/socket.c:2103
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
Freed by task 30226:
sock_sendmsg+0xc5/0x100 net/socket.c:656
___sys_sendmsg+0x70a/0x840 net/socket.c:2062
__sys_sendmsg+0xa3/0x120 net/socket.c:2096
SYSC_sendmsg net/socket.c:2107 [inline]
SyS_sendmsg+0x27/0x40 net/socket.c:2103
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
save_stack+0x32/0xa0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kfree+0xcb/0x260 mm/slab.c:3815
kvfree+0x45/0x50 mm/util.c:416
device_release+0x15f/0x1a0 drivers/base/core.c:833
kobject_cleanup lib/kobject.c:646 [inline]
kobject_release lib/kobject.c:675 [inline]
kref_put include/linux/kref.h:70 [inline]
kobject_put+0x13e/0x1f0 lib/kobject.c:692
netdev_run_todo+0x4a9/0x710 net/core/dev.c:7954
rtnl_unlock net/core/rtnetlink.c:106 [inline]
rtnetlink_rcv_msg+0x3cb/0xb10 net/core/rtnetlink.c:4317
netlink_rcv_skb+0x127/0x370 net/netlink/af_netlink.c:2433
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kfree+0xcb/0x260 mm/slab.c:3815
kvfree+0x45/0x50 mm/util.c:416
device_release+0x15f/0x1a0 drivers/base/core.c:833
kobject_cleanup lib/kobject.c:646 [inline]
kobject_release lib/kobject.c:675 [inline]
kref_put include/linux/kref.h:70 [inline]
kobject_put+0x13e/0x1f0 lib/kobject.c:692
netdev_run_todo+0x4a9/0x710 net/core/dev.c:7954
rtnl_unlock net/core/rtnetlink.c:106 [inline]
rtnetlink_rcv_msg+0x3cb/0xb10 net/core/rtnetlink.c:4317
netlink_unicast_kernel net/netlink/af_netlink.c:1287 [inline]
netlink_unicast+0x437/0x620 net/netlink/af_netlink.c:1313
netlink_sendmsg+0x733/0xbe0 net/netlink/af_netlink.c:1878
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xc5/0x100 net/socket.c:656
___sys_sendmsg+0x70a/0x840 net/socket.c:2062
__sys_sendmsg+0xa3/0x120 net/socket.c:2096
SYSC_sendmsg net/socket.c:2107 [inline]
SyS_sendmsg+0x27/0x40 net/socket.c:2103
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
The buggy address belongs to the object at ffff88809bef6680
sock_sendmsg+0xc5/0x100 net/socket.c:656
___sys_sendmsg+0x70a/0x840 net/socket.c:2062
__sys_sendmsg+0xa3/0x120 net/socket.c:2096
SYSC_sendmsg net/socket.c:2107 [inline]
SyS_sendmsg+0x27/0x40 net/socket.c:2103
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
which belongs to the cache kmalloc-4096 of size 4096
The buggy address is located 264 bytes inside of
4096-byte region [ffff88809bef6680, ffff88809bef7680)
The buggy address is located 264 bytes inside of
The buggy address belongs to the page:
page:ffffea00026fbd80 count:1 mapcount:0 mapping:ffff88809bef6680 index:0x0 compound_mapcount: 0
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffff88809bef6680 0000000000000000 0000000100000001
raw: ffffea000222baa0 ffffea00024c4720 ffff88812fe56dc0 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88809bef6680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Memory state around the buggy address:
ffff88809bef6700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88809bef6780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88809bef6800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88809bef6880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
nla_parse: 4 callbacks suppressed
netlink: 4 bytes leftover after parsing attributes in process `syz-executor717'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor717'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor717'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor717'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor717'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor717'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor717'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor717'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor717'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor717'.
nla_parse: 2 callbacks suppressed
netlink: 4 bytes leftover after parsing attributes in process `syz-executor717'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor717'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor717'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor717'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor717'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor717'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor717'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor717'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor717'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor717'.
Reply all
Reply to author
Forward
0 new messages