From: syzbot <syzbot+c4c4b2bb358bb936ad7e@syzkaller.appspotmail.com>
To: davem@davemloft.net, kuznet@ms2.inr.ac.ru,
linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
syzkaller-bugs@googlegroups.com, yoshfuji@linux-ipv6.org
Subject: KASAN: use-after-free Read in rt_cache_valid
Date: Tue, 12 Feb 2019 10:53:04 -0800 [thread overview]
Message-ID: <00000000000066aa5f0581b6effe@google.com> (raw)
Hello,
syzbot found the following crash on:
HEAD commit: aa0c38cf39de Merge branch 'fixes' of git://git.kernel.org/..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1460eca7400000
kernel config: https://syzkaller.appspot.com/x/.config?x=ee434566c893c7b1
dashboard link: https://syzkaller.appspot.com/bug?extid=c4c4b2bb358bb936ad7e
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1197cb88c00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+c4c4b2bb358bb936ad7e@syzkaller.appspotmail.com
Enabling of bearer <udp:syz1> rejected, already enabled
Enabling of bearer <udp:syz1> rejected, already enabled
Enabling of bearer <udp:syz1> rejected, already enabled
Enabling of bearer <udp:syz1> rejected, already enabled
==================================================================
BUG: KASAN: use-after-free in rt_cache_valid+0x158/0x190
net/ipv4/route.c:1510
Read of size 2 at addr ffff88809bfce836 by task udevd/7435
CPU: 1 PID: 7435 Comm: udevd Not tainted 5.0.0-rc6+ #69
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x172/0x1f0 lib/dump_stack.c:113
print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
__asan_report_load2_noabort+0x14/0x20 mm/kasan/generic_report.c:133
rt_cache_valid+0x158/0x190 net/ipv4/route.c:1510
__mkroute_output net/ipv4/route.c:2260 [inline]
ip_route_output_key_hash_rcu+0x89d/0x30e0 net/ipv4/route.c:2492
Enabling of bearer <udp:syz1> rejected, already enabled
ip_route_output_key_hash+0x212/0x380 net/ipv4/route.c:2321
Enabling of bearer <udp:syz1> rejected, already enabled
__ip_route_output_key include/net/route.h:124 [inline]
ip_route_output_flow+0x28/0xc0 net/ipv4/route.c:2576
ip_route_output_key include/net/route.h:134 [inline]
tipc_udp_xmit.isra.0+0x55d/0xcc0 net/tipc/udp_media.c:173
Enabling of bearer <udp:syz1> rejected, already enabled
tipc_udp_send_msg+0x295/0x4a0 net/tipc/udp_media.c:247
tipc_bearer_xmit_skb+0x172/0x360 net/tipc/bearer.c:503
Enabling of bearer <udp:syz1> rejected, already enabled
tipc_disc_timeout+0x933/0xd60 net/tipc/discover.c:332
call_timer_fn+0x190/0x720 kernel/time/timer.c:1325
Enabling of bearer <udp:syz1> rejected, already enabled
expire_timers kernel/time/timer.c:1362 [inline]
__run_timers kernel/time/timer.c:1681 [inline]
__run_timers kernel/time/timer.c:1649 [inline]
run_timer_softirq+0x652/0x1700 kernel/time/timer.c:1694
Enabling of bearer <udp:syz1> rejected, already enabled
__do_softirq+0x266/0x95a kernel/softirq.c:292
Enabling of bearer <udp:syz1> rejected, already enabled
invoke_softirq kernel/softirq.c:373 [inline]
irq_exit+0x180/0x1d0 kernel/softirq.c:413
exiting_irq arch/x86/include/asm/apic.h:536 [inline]
smp_apic_timer_interrupt+0x14a/0x570 arch/x86/kernel/apic/apic.c:1062
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:807
</IRQ>
Enabling of bearer <udp:syz1> rejected, already enabled
RIP: 0010:generic_fillattr+0x54c/0x6e0 fs/stat.c:51
Code: 7c 24 0c 48 89 fa 48 c1 ea 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03
38 d0 7c 08 84 d2 0f 85 ee 00 00 00 45 8b 64 24 0c 31 ff <41> 81 e4 00 08
00 00 44 89 e6 e8 15 21 bf ff 45 85 e4 74 2c e8 8b
RSP: 0018:ffff88809894fc58 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000007 RBX: ffff88809894fde8 RCX: ffffffff81b0c113
RDX: 0000000000000000 RSI: ffffffff81b0c146 RDI: 0000000000000000
RBP: ffff88809894fc78 R08: ffff8880925de340 R09: ffff88809894fde8
R10: ffffed1013129fcd R11: ffff88809894fe6f R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000800 R15: ffff888098d4d100
vfs_getattr_nosec+0x140/0x180 fs/stat.c:82
vfs_getattr+0x4b/0x70 fs/stat.c:116
Enabling of bearer <udp:syz1> rejected, already enabled
vfs_statx+0x157/0x200 fs/stat.c:189
Enabling of bearer <udp:syz1> rejected, already enabled
vfs_stat include/linux/fs.h:3171 [inline]
__do_sys_newstat+0xa4/0x130 fs/stat.c:339
Enabling of bearer <udp:syz1> rejected, already enabled
Enabling of bearer <udp:syz1> rejected, already enabled
kobject: 'loop0' (000000003275aa21): kobject_uevent_env
__se_sys_newstat fs/stat.c:335 [inline]
__x64_sys_newstat+0x54/0x80 fs/stat.c:335
kobject: 'loop0' (000000003275aa21): fill_kobj_path: path
= '/devices/virtual/block/loop0'
do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7fda7f482c65
Code: 00 00 00 e8 5d 01 00 00 48 83 c4 18 c3 90 90 90 90 90 90 90 90 83 ff
01 48 89 f0 77 18 48 89 c7 48 89 d6 b8 04 00 00 00 0f 05 <48> 3d 00 f0 ff
ff 77 17 f3 c3 90 48 8b 05 a1 51 2b 00 64 c7 00 16
RSP: 002b:00007ffefd39a338 EFLAGS: 00000246 ORIG_RAX: 0000000000000004
Enabling of bearer <udp:syz1> rejected, already enabled
RAX: ffffffffffffffda RBX: 00007ffefd39a3d0 RCX: 00007fda7f482c65
RDX: 00007ffefd39a340 RSI: 00007ffefd39a340 RDI: 00007ffefd39a3d0
RBP: 0000000001125980 R08: 00007ffefd39a3e0 R09: 00007fda7f4d9790
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000001114250
R13: 0000000000000000 R14: 00007ffefd39a840 R15: 0000000000000001
Enabling of bearer <udp:syz1> rejected, already enabled
Allocated by task 7724:
save_stack+0x45/0xd0 mm/kasan/common.c:73
kobject: 'loop0' (000000003275aa21): kobject_uevent_env
set_track mm/kasan/common.c:85 [inline]
__kasan_kmalloc mm/kasan/common.c:496 [inline]
__kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:469
kobject: 'loop0' (000000003275aa21): fill_kobj_path: path
= '/devices/virtual/block/loop0'
kasan_kmalloc mm/kasan/common.c:504 [inline]
kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:411
Enabling of bearer <udp:syz1> rejected, already enabled
kmem_cache_alloc+0x12d/0x710 mm/slab.c:3543
dst_alloc+0x10e/0x1d0 net/core/dst.c:105
rt_dst_alloc+0x83/0x3f0 net/ipv4/route.c:1566
__mkroute_output net/ipv4/route.c:2265 [inline]
ip_route_output_key_hash_rcu+0x97d/0x30e0 net/ipv4/route.c:2492
Enabling of bearer <udp:syz1> rejected, already enabled
ip_route_output_key_hash+0x212/0x380 net/ipv4/route.c:2321
__ip_route_output_key include/net/route.h:124 [inline]
ip_route_connect include/net/route.h:302 [inline]
__ip4_datagram_connect+0x6fb/0x1330 net/ipv4/datagram.c:51
__ip6_datagram_connect+0xa6a/0x1390 net/ipv6/datagram.c:152
kobject: 'loop0' (000000003275aa21): kobject_uevent_env
ip6_datagram_connect+0x30/0x50 net/ipv6/datagram.c:273
inet_dgram_connect+0x150/0x2e0 net/ipv4/af_inet.c:571
__sys_connect+0x266/0x330 net/socket.c:1662
__do_sys_connect net/socket.c:1673 [inline]
__se_sys_connect net/socket.c:1670 [inline]
__x64_sys_connect+0x73/0xb0 net/socket.c:1670
do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
kobject: 'loop0' (000000003275aa21): fill_kobj_path: path
= '/devices/virtual/block/loop0'
Freed by task 0:
save_stack+0x45/0xd0 mm/kasan/common.c:73
set_track mm/kasan/common.c:85 [inline]
__kasan_slab_free+0x102/0x150 mm/kasan/common.c:458
kasan_slab_free+0xe/0x10 mm/kasan/common.c:466
__cache_free mm/slab.c:3487 [inline]
kmem_cache_free+0x86/0x260 mm/slab.c:3749
dst_destroy+0x2a0/0x3c0 net/core/dst.c:141
dst_destroy_rcu+0x16/0x19 net/core/dst.c:154
__rcu_reclaim kernel/rcu/rcu.h:240 [inline]
rcu_do_batch kernel/rcu/tree.c:2452 [inline]
invoke_rcu_callbacks kernel/rcu/tree.c:2773 [inline]
rcu_process_callbacks+0x928/0x1390 kernel/rcu/tree.c:2754
cgroup: fork rejected by pids controller in /syz0
__do_softirq+0x266/0x95a kernel/softirq.c:292
The buggy address belongs to the object at ffff88809bfce800
which belongs to the cache ip_dst_cache of size 160
The buggy address is located 54 bytes inside of
160-byte region [ffff88809bfce800, ffff88809bfce8a0)
The buggy address belongs to the page:
page:ffffea00026ff380 count:1 mapcount:0 mapping:ffff88821af8d1c0 index:0x0
flags: 0x1fffc0000000200(slab)
raw: 01fffc0000000200 ffffea000297e848 ffff8880a68abd48 ffff88821af8d1c0
raw: 0000000000000000 ffff88809bfce000 0000000100000010 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88809bfce700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88809bfce780: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
> ffff88809bfce800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88809bfce880: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
ffff88809bfce900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
next reply other threads:[~2019-02-12 18:53 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-02-12 18:53 syzbot [this message]
2019-03-23 21:10 ` KASAN: use-after-free Read in rt_cache_valid syzbot
2019-03-23 21:10 ` syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=00000000000066aa5f0581b6effe@google.com \
--to=syzbot+c4c4b2bb358bb936ad7e@syzkaller.appspotmail.com \
--cc=davem@davemloft.net \
--cc=kuznet@ms2.inr.ac.ru \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=syzkaller-bugs@googlegroups.com \
--cc=yoshfuji@linux-ipv6.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.