KASAN: use-after-free Read in neigh_flush_dev


syzbot

Dec 29, 2017, 12:58:04 PM
to syzkaller-upst...@googlegroups.com
Hello,

syzkaller hit the following crash on
fba961ab29e5ffb055592442808bb0f7962e05da
git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.
Unfortunately, I don't have any reproducer for this bug yet.
CC: [adob...@gmail.com da...@davemloft.net d...@cumulusnetworks.com
dwin...@gmail.com elena.r...@intel.com ihra...@redhat.com
ishk...@gmail.com johann...@intel.com kees...@chromium.org
linux-...@vger.kernel.org net...@vger.kernel.org
ro...@cumulusnetworks.com sowmini....@oracle.com]

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+a36314...@syzkaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.

device lo entered promiscuous mode
==================================================================
BUG: KASAN: use-after-free in neigh_flush_dev+0x817/0x840 net/core/neighbour.c:244
Read of size 8 at addr ffff8801d8403680 by task syz-executor4/10275

CPU: 1 PID: 10275 Comm: syz-executor4 Not tainted 4.15.0-rc4+ #164
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
print_address_description+0x73/0x250 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report+0x25b/0x340 mm/kasan/report.c:409
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430
neigh_flush_dev+0x817/0x840 net/core/neighbour.c:244
neigh_ifdown+0x48/0x250 net/core/neighbour.c:293
addrconf_ifdown+0x143/0x14d0 net/ipv6/addrconf.c:3590
addrconf_notify+0x98e/0x21c0 net/ipv6/addrconf.c:3514
notifier_call_chain+0x136/0x2c0 kernel/notifier.c:93
__raw_notifier_call_chain kernel/notifier.c:394 [inline]
raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401
call_netdevice_notifiers_info+0x32/0x60 net/core/dev.c:1696
call_netdevice_notifiers net/core/dev.c:1714 [inline]
__dev_notify_flags+0x15d/0x430 net/core/dev.c:6892
dev_change_flags+0xf5/0x140 net/core/dev.c:6928
devinet_ioctl+0x125b/0x19c0 net/ipv4/devinet.c:1083
inet_ioctl+0x117/0x1c0 net/ipv4/af_inet.c:903
sock_do_ioctl+0x65/0xb0 net/socket.c:956
sock_ioctl+0x2c2/0x440 net/socket.c:1053
vfs_ioctl fs/ioctl.c:46 [inline]
do_vfs_ioctl+0x1b1/0x1520 fs/ioctl.c:686
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
entry_SYSCALL_64_fastpath+0x1f/0x96
RIP: 0033:0x452ac9
RSP: 002b:00007fd629eaac58 EFLAGS: 00000212 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 000000000071bea0 RCX: 0000000000452ac9
RDX: 000000002003b000 RSI: 0000000000008914 RDI: 0000000000000016
RBP: 000000000000055d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006f5158
R13: 00000000ffffffff R14: 00007fd629eab6d4 R15: 0000000000000000

Allocated by task 7650:
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
__do_kmalloc mm/slab.c:3708 [inline]
__kmalloc+0x162/0x760 mm/slab.c:3717
kmalloc include/linux/slab.h:504 [inline]
kzalloc include/linux/slab.h:688 [inline]
neigh_alloc net/core/neighbour.c:322 [inline]
__neigh_create+0x296/0x1d90 net/core/neighbour.c:493
ip6_finish_output2+0x91b/0x2310 net/ipv6/ip6_output.c:117
ip6_finish_output+0x2f9/0x920 net/ipv6/ip6_output.c:146
NF_HOOK_COND include/linux/netfilter.h:239 [inline]
ip6_output+0x1eb/0x840 net/ipv6/ip6_output.c:163
dst_output include/net/dst.h:443 [inline]
NF_HOOK.constprop.36+0xff/0x630 include/linux/netfilter.h:250
mld_sendpack+0x6a9/0xcc0 net/ipv6/mcast.c:1660
mld_send_cr net/ipv6/mcast.c:1956 [inline]
mld_ifc_timer_expire+0x3d9/0x770 net/ipv6/mcast.c:2453
call_timer_fn+0x228/0x820 kernel/time/timer.c:1320
expire_timers kernel/time/timer.c:1357 [inline]
__run_timers+0x7ee/0xb70 kernel/time/timer.c:1660
run_timer_softirq+0x4c/0xb0 kernel/time/timer.c:1686
__do_softirq+0x2d7/0xb85 kernel/softirq.c:285

Freed by task 3004:
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3488 [inline]
kfree+0xd6/0x260 mm/slab.c:3803
syslog_print kernel/printk/printk.c:1343 [inline]
do_syslog+0x8b5/0xb80 kernel/printk/printk.c:1455
kmsg_read+0x74/0xa0 fs/proc/kmsg.c:40
proc_reg_read+0xef/0x170 fs/proc/inode.c:217
__vfs_read+0xef/0xa00 fs/read_write.c:411
vfs_read+0x11e/0x350 fs/read_write.c:447
SYSC_read fs/read_write.c:573 [inline]
SyS_read+0xef/0x220 fs/read_write.c:566
entry_SYSCALL_64_fastpath+0x1f/0x96

The buggy address belongs to the object at ffff8801d8403680
which belongs to the cache kmalloc-1024 of size 1024
The buggy address is located 0 bytes inside of
1024-byte region [ffff8801d8403680, ffff8801d8403a80)
The buggy address belongs to the page:
page:00000000c916a8bc count:1 mapcount:0 mapping:00000000bb4b6d81 index:0x0
compound_mapcount: 0
flags: 0x2fffc0000008100(slab|head)
raw: 02fffc0000008100 ffff8801d8402000 0000000000000000 0000000100000007
raw: ffffea00073a8a20 ffffea0006f3de20 ffff8801db000ac0 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8801d8403580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8801d8403600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff8801d8403680: fb fb fb fb 00 00 00 00 00 00 00 00 00 00 00 00
^
ffff8801d8403700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8801d8403780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is merged
into any tree, please reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug report.
Note: all commands must start from beginning of the line in the email body.
To upstream this report, please reply with:
#syz upstream
config.txt
raw.log

Dmitry Vyukov

Dec 29, 2017, 1:25:09 PM
to syzbot, 'Dmitry Vyukov' via syzkaller-upstream-moderation
this looks like a memory corruption
there is only 1, if we don't get more probably need to mark it as invalid

Dmitry Vyukov

Feb 13, 2018, 3:23:46 PM
to syzbot, 'Dmitry Vyukov' via syzkaller-upstream-moderation
old bug bankruptcy

#syz invalid