All of lore.kernel.org
 help / color / mirror / Atom feed
From: syzbot <syzbot+d702fd2351989927037c@syzkaller.appspotmail.com>
To: ap420073@gmail.com, davem@davemloft.net, edumazet@google.com,
	kuba@kernel.org, linux-kernel@vger.kernel.org,
	netdev@vger.kernel.org, syzkaller-bugs@googlegroups.com,
	xiyou.wangcong@gmail.com
Subject: Re: KASAN: use-after-free Read in vlan_dev_get_iflink
Date: Thu, 23 Jul 2020 14:30:07 -0700	[thread overview]
Message-ID: <00000000000073cea505ab228feb@google.com> (raw)
In-Reply-To: <CAM_iQpXq9dYj67Lrv73UazJWG5UVVuMO0iFwJJWg7S_H-z1YcA@mail.gmail.com>

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in vlan_get_link_net

general protection fault, probably for non-canonical address 0xdffffc00000000b3: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000598-0x000000000000059f]
CPU: 1 PID: 8207 Comm: syz-executor.3 Not tainted 5.8.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:read_pnet include/net/net_namespace.h:330 [inline]
RIP: 0010:dev_net include/linux/netdevice.h:2261 [inline]
RIP: 0010:vlan_get_link_net+0x46/0x70 net/8021q/vlan_netlink.c:279
Code: fa 48 c1 ea 03 80 3c 02 00 75 2e 48 8b 9b 70 0c 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d bb 98 05 00 00 48 89 fa 48 c1 ea 03 <80> 3c 02 00 75 10 48 8b 83 98 05 00 00 5b c3 e8 86 1f 63 fa eb cb
RSP: 0018:ffffc90004706eb8 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffff888092c85230
RDX: 00000000000000b3 RSI: ffffffff874ffe39 RDI: 0000000000000598
RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffff8a7b8647
R10: 0000000000000000 R11: 0000000000000000 R12: ffffc90004706f80
R13: 0000000000000030 R14: ffff8880930ba900 R15: ffff8880930cc000
FS:  00007f4a9113a700(0000) GS:ffff8880ae700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005643b6ad2140 CR3: 000000009335e000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 rtnl_fill_link_netnsid net/core/rtnetlink.c:1569 [inline]
 rtnl_fill_ifinfo+0x1bc5/0x3c40 net/core/rtnetlink.c:1758
 rtmsg_ifinfo_build_skb+0xcd/0x1a0 net/core/rtnetlink.c:3706
 rollback_registered_many+0xb7d/0xf60 net/core/dev.c:8972
 unregister_netdevice_many.part.0+0x1a/0x2f0 net/core/dev.c:10113
 unregister_netdevice_many+0x36/0x50 net/core/dev.c:10112
 __rtnl_newlink+0x13bd/0x1750 net/core/rtnetlink.c:3381
 rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3398
 rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5461
 netlink_rcv_skb+0x15a/0x430 net/netlink/af_netlink.c:2469
 netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1329
 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1918
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:672
 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2352
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2406
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2439
 do_syscall_64+0x60/0xe0 arch/x86/entry/common.c:384
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45c1f9
Code: Bad RIP value.
RSP: 002b:00007f4a91139c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 000000000002b580 RCX: 000000000045c1f9
RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000006
RBP: 000000000078bfe0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000078bfac
R13: 00007ffc004cce8f R14: 00007f4a9113a9c0 R15: 000000000078bfac
Modules linked in:
---[ end trace e42f7b565341dee6 ]---
RIP: 0010:read_pnet include/net/net_namespace.h:330 [inline]
RIP: 0010:dev_net include/linux/netdevice.h:2261 [inline]
RIP: 0010:vlan_get_link_net+0x46/0x70 net/8021q/vlan_netlink.c:279
Code: fa 48 c1 ea 03 80 3c 02 00 75 2e 48 8b 9b 70 0c 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d bb 98 05 00 00 48 89 fa 48 c1 ea 03 <80> 3c 02 00 75 10 48 8b 83 98 05 00 00 5b c3 e8 86 1f 63 fa eb cb
RSP: 0018:ffffc90004706eb8 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffff888092c85230
RDX: 00000000000000b3 RSI: ffffffff874ffe39 RDI: 0000000000000598
RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffff8a7b8647
R10: 0000000000000000 R11: 0000000000000000 R12: ffffc90004706f80
R13: 0000000000000030 R14: ffff8880930ba900 R15: ffff8880930cc000
FS:  00007f4a9113a700(0000) GS:ffff8880ae700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005643b6ad2140 CR3: 000000009335e000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


Tested on:

commit:         9506a941 net: fix a race condition in dev_get_iflink()
git tree:       https://github.com/congwang/linux.git net
console output: https://syzkaller.appspot.com/x/log.txt?x=158bd540900000
kernel config:  https://syzkaller.appspot.com/x/.config?x=dddbcb5a9f4192db
dashboard link: https://syzkaller.appspot.com/bug?extid=d702fd2351989927037c
compiler:       gcc (GCC) 10.1.0-syz 20200507


      reply	other threads:[~2020-07-23 21:30 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-07-23 18:12 KASAN: use-after-free Read in vlan_dev_get_iflink syzbot
2020-07-23 20:08 ` Cong Wang
2020-07-23 21:30   ` syzbot [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=00000000000073cea505ab228feb@google.com \
    --to=syzbot+d702fd2351989927037c@syzkaller.appspotmail.com \
    --cc=ap420073@gmail.com \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=kuba@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=syzkaller-bugs@googlegroups.com \
    --cc=xiyou.wangcong@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.