* net/ipv4: use-after-free in ip_queue_xmit
From: Andrey Konovalov @ 2017-04-10 14:40 UTC
To: David S. Miller, Alexey Kuznetsov, James Morris,
Hideaki YOSHIFUJI, Patrick McHardy, netdev, LKML
Cc: Eric Dumazet, Dmitry Vyukov, Kostya Serebryany, syzkaller
Hi,
I've got the following error report while fuzzing the kernel with syzkaller.
On commit 39da7c509acff13fc8cb12ec1bb20337c988ed36 (4.11-rc6).
Unfortunately it's not reproducible.
BUG: KASAN: use-after-free in ip_select_ttl include/net/dst.h:176
[inline] at addr ffff88006ab3602c
BUG: KASAN: use-after-free in ip_queue_xmit+0x1817/0x1a30
net/ipv4/ip_output.c:485 at addr ffff88006ab3602c
Read of size 4 by task syz-executor1/12627
CPU: 3 PID: 12627 Comm: syz-executor1 Not tainted 4.11.0-rc6+ #206
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:16 [inline]
dump_stack+0x292/0x398 lib/dump_stack.c:52
kasan_object_err+0x1c/0x70 mm/kasan/report.c:164
print_address_description mm/kasan/report.c:202 [inline]
kasan_report_error mm/kasan/report.c:291 [inline]
kasan_report+0x252/0x510 mm/kasan/report.c:347
__asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:367
ip_select_ttl include/net/dst.h:176 [inline]
ip_queue_xmit+0x1817/0x1a30 net/ipv4/ip_output.c:485
sctp_v4_xmit+0x10d/0x140 net/sctp/protocol.c:994
sctp_packet_transmit+0x215c/0x3560 net/sctp/output.c:637
sctp_outq_flush+0xade/0x3f90 net/sctp/outqueue.c:885
sctp_outq_uncork+0x5a/0x70 net/sctp/outqueue.c:750
sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1773 [inline]
sctp_side_effects net/sctp/sm_sideeffect.c:1175 [inline]
sctp_do_sm+0x5a0/0x6a50 net/sctp/sm_sideeffect.c:1147
sctp_primitive_ASSOCIATE+0x9d/0xd0 net/sctp/primitive.c:88
sctp_sendmsg+0x270d/0x3b50 net/sctp/socket.c:1954
inet_sendmsg+0x164/0x5b0 net/ipv4/af_inet.c:762
sock_sendmsg_nosec net/socket.c:633 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:643
SYSC_sendto+0x660/0x810 net/socket.c:1696
SyS_sendto+0x40/0x50 net/socket.c:1664
entry_SYSCALL_64_fastpath+0x1f/0xc2
RIP: 0033:0x4458d9
RSP: 002b:00007fdceca85b58 EFLAGS: 00000282 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 0000000000000016 RCX: 00000000004458d9
RDX: 0000000000000087 RSI: 0000000020003000 RDI: 0000000000000016
RBP: 00000000006e2fe0 R08: 0000000020003000 R09: 0000000000000010
R10: 0000000000040841 R11: 0000000000000282 R12: 00000000007080a8
R13: 000000000000000a R14: 0000000000000005 R15: 0000000000000084
Object at ffff88006ab36008, in cache kmalloc-64 size: 64
Allocated:
PID = 7243
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x43/0xd0 mm/kasan/kasan.c:513
set_track mm/kasan/kasan.c:525 [inline]
kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:616
kmem_cache_alloc_trace+0x82/0x270 mm/slub.c:2745
kmalloc include/linux/slab.h:490 [inline]
kzalloc include/linux/slab.h:663 [inline]
fib_create_info+0x8e0/0x3a30 net/ipv4/fib_semantics.c:1040
fib_table_insert+0x1a5/0x1550 net/ipv4/fib_trie.c:1221
ip_rt_ioctl+0xddc/0x1590 net/ipv4/fib_frontend.c:597
inet_ioctl+0xf2/0x1c0 net/ipv4/af_inet.c:882
sock_do_ioctl+0x65/0xb0 net/socket.c:906
sock_ioctl+0x28f/0x440 net/socket.c:1004
vfs_ioctl fs/ioctl.c:45 [inline]
do_vfs_ioctl+0x1bf/0x1780 fs/ioctl.c:685
SYSC_ioctl fs/ioctl.c:700 [inline]
SyS_ioctl+0x8f/0xc0 fs/ioctl.c:691
entry_SYSCALL_64_fastpath+0x1f/0xc2
Freed:
PID = 12622
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x43/0xd0 mm/kasan/kasan.c:513
set_track mm/kasan/kasan.c:525 [inline]
kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:589
slab_free_hook mm/slub.c:1357 [inline]
slab_free_freelist_hook mm/slub.c:1379 [inline]
slab_free mm/slub.c:2961 [inline]
kfree+0xe8/0x2b0 mm/slub.c:3882
free_fib_info_rcu+0x4ba/0x5e0 net/ipv4/fib_semantics.c:218
__rcu_reclaim kernel/rcu/rcu.h:118 [inline]
rcu_do_batch.isra.64+0x947/0xcc0 kernel/rcu/tree.c:2879
invoke_rcu_callbacks kernel/rcu/tree.c:3142 [inline]
__rcu_process_callbacks kernel/rcu/tree.c:3109 [inline]
rcu_process_callbacks+0x2cc/0xb90 kernel/rcu/tree.c:3126
__do_softirq+0x2fb/0xb7d kernel/softirq.c:284
Memory state around the buggy address:
ffff88006ab35f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88006ab35f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88006ab36000: fc fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
^
ffff88006ab36080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88006ab36100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
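As an added triage example (not part of this thread, and not syzkaller's or the kernel's code), the following Python script pulls out of a KASAN slab report the facts a triager wants before reading the source: the bad access and its offset inside the object, the first non-instrumentation frame of the use, allocation and free stacks, whether the free ran from an RCU callback, and what the shadow byte at the faulting address says. The embedded REPORT is an abridged copy of the report above (frames trimmed); the NOISE prefix list and the shadow-byte table are this example's assumptions about 4.11-era KASAN output.

```python
import re

# Shadow-byte encodings used by KASAN on 4.11-era kernels (mm/kasan/kasan.h);
# one shadow byte describes SHADOW_SCALE bytes of kernel memory.
SHADOW_SCALE = 8
SHADOW_MEANING = {0x00: "accessible", 0xfa: "global redzone", 0xfb: "kmalloc freed",
                  0xfc: "kmalloc redzone", 0xfe: "page redzone", 0xff: "free page"}

# Frame prefixes owned by KASAN, the allocator or RCU rather than by the
# subsystem with the bug (assumed list; extend it for other reports).
NOISE = ("__dump_stack", "dump_stack", "kasan_", "print_address", "__asan_",
         "save_stack", "set_track", "kmem_cache", "kmalloc", "kzalloc",
         "slab_free", "kfree", "__rcu_", "rcu_", "invoke_rcu", "__do_softirq")

# Abridged copy of the report quoted in the message above (stack frames trimmed).
REPORT = """\
BUG: KASAN: use-after-free in ip_select_ttl include/net/dst.h:176
[inline] at addr ffff88006ab3602c
Read of size 4 by task syz-executor1/12627
Call Trace:
dump_stack+0x292/0x398 lib/dump_stack.c:52
kasan_report+0x252/0x510 mm/kasan/report.c:347
__asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:367
ip_select_ttl include/net/dst.h:176 [inline]
ip_queue_xmit+0x1817/0x1a30 net/ipv4/ip_output.c:485
RIP: 0033:0x4458d9
Object at ffff88006ab36008, in cache kmalloc-64 size: 64
Allocated:
PID = 7243
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:616
kmalloc include/linux/slab.h:490 [inline]
kzalloc include/linux/slab.h:663 [inline]
fib_create_info+0x8e0/0x3a30 net/ipv4/fib_semantics.c:1040
Freed:
PID = 12622
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:589
kfree+0xe8/0x2b0 mm/slub.c:3882
free_fib_info_rcu+0x4ba/0x5e0 net/ipv4/fib_semantics.c:218
rcu_do_batch.isra.64+0x947/0xcc0 kernel/rcu/tree.c:2879
__do_softirq+0x2fb/0xb7d kernel/softirq.c:284
Memory state around the buggy address:
ffff88006ab35f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88006ab36000: fc fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
ffff88006ab36080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

SHADOW_LINE = re.compile(r"^>?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$", re.M)

def _frames(text, start, end):
    """Function names of the stack printed between the markers start and end."""
    lo = text.index(start) + len(start)
    body = text[lo:text.index(end, lo)]
    names = []
    for line in body.splitlines():
        line = line.strip()
        if line and not line.startswith("PID ="):
            names.append(re.split(r"[+ ]", line, maxsplit=1)[0])
    return names

def first_interesting(frames):
    """First frame that is not instrumentation/allocator noise (None if all are)."""
    return next((f for f in frames if not f.startswith(NOISE)), None)

def shadow_state(shadow_rows, addr):
    """Decode the shadow byte covering addr from the 'Memory state' dump."""
    base = addr & ~0x7f                      # each printed row covers 16 * 8 bytes
    row = shadow_rows.get(base)
    if row is None:
        return "not in dump"
    b = row[(addr - base) // SHADOW_SCALE]
    if b < SHADOW_SCALE:                     # 1..7: only the first b bytes are valid
        return "partial: first %d bytes accessible" % b
    return SHADOW_MEANING.get(b, "unknown 0x%02x" % b)

def triage(report):
    """Pull the facts a triager wants out of a KASAN slab report."""
    bug, where = re.search(r"BUG: KASAN: ([\w-]+) in (\w+)", report).groups()
    addr = int(re.search(r"at addr ([0-9a-f]+)", report).group(1), 16)
    kind, size, task = re.search(r"(Read|Write) of size (\d+) by task (\S+)", report).groups()
    obj, cache, osize = re.search(r"Object at ([0-9a-f]+), in cache (\S+) size: (\d+)", report).groups()
    obj, osize = int(obj, 16), int(osize)
    shadow = {int(a, 16): bytes.fromhex(b) for a, b in SHADOW_LINE.findall(report)}
    freed = _frames(report, "Freed:", "Memory state")
    return {
        "bug": bug, "reported_in": where, "task": task,
        "access": "%s of %s bytes" % (kind, size),
        "cache": cache, "object_size": osize,
        "offset": addr - obj,                # where inside the object the access landed
        "in_bounds": 0 <= addr - obj < osize,
        "use_fn": first_interesting(_frames(report, "Call Trace:", "RIP:")),
        "alloc_fn": first_interesting(_frames(report, "Allocated:", "Freed:")),
        "free_fn": first_interesting(freed),
        "freed_from_rcu_callback": any(f.startswith("rcu_do_batch") for f in freed),
        "shadow_at_addr": shadow_state(shadow, addr),
    }

if __name__ == "__main__":
    for key, value in triage(REPORT).items():
        print("%-24s %s" % (key, value))
```

For this report the script yields a 4-byte read 36 bytes into a 64-byte kmalloc-64 object that was zero-allocated in fib_create_info and released from an RCU callback in free_fib_info_rcu, with the shadow byte at the faulting address decoding as "kmalloc freed". Two derived observations help narrow the search: 64 bytes is sizeof(u32) * RTAX_MAX, the size of a fib_info's private metrics array, and 36 is 4 * (RTAX_HOPLIMIT - 1), the slot dst_metric_raw() reads for the hop limit, so the picture is a cached route whose dst metrics still point into a fib_info that has already gone through its RCU grace period and been freed.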
* Re: net/ipv4: use-after-free in ip_queue_xmit
From: Cong Wang @ 2017-04-10 17:42 UTC
To: Andrey Konovalov
Cc: David S. Miller, Alexey Kuznetsov, James Morris,
Hideaki YOSHIFUJI, Patrick McHardy, netdev, LKML, Eric Dumazet,
Dmitry Vyukov, Kostya Serebryany, syzkaller
On Mon, Apr 10, 2017 at 7:40 AM, Andrey Konovalov <andreyknvl@google.com> wrote:
> Hi,
>
> I've got the following error report while fuzzing the kernel with syzkaller.
>
> On commit 39da7c509acff13fc8cb12ec1bb20337c988ed36 (4.11-rc6).
>
> Unfortunately it's not reproducible.
>
> BUG: KASAN: use-after-free in ip_select_ttl include/net/dst.h:176
> [inline] at addr ffff88006ab3602c
> BUG: KASAN: use-after-free in ip_queue_xmit+0x1817/0x1a30
> net/ipv4/ip_output.c:485 at addr ffff88006ab3602c
> Read of size 4 by task syz-executor1/12627
> CPU: 3 PID: 12627 Comm: syz-executor1 Not tainted 4.11.0-rc6+ #206
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> Call Trace:
> __dump_stack lib/dump_stack.c:16 [inline]
> dump_stack+0x292/0x398 lib/dump_stack.c:52
> kasan_object_err+0x1c/0x70 mm/kasan/report.c:164
> print_address_description mm/kasan/report.c:202 [inline]
> kasan_report_error mm/kasan/report.c:291 [inline]
> kasan_report+0x252/0x510 mm/kasan/report.c:347
> __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:367
> ip_select_ttl include/net/dst.h:176 [inline]
Probably same as the one you reported on ipv4_mtu(), it would
be nice if you could test the patch I proposed:
https://patchwork.ozlabs.org/patch/747556/
Thanks!
* Re: net/ipv4: use-after-free in ip_queue_xmit
From: Andrey Konovalov @ 2017-04-10 17:46 UTC
To: Cong Wang
Cc: David S. Miller, Alexey Kuznetsov, James Morris,
Hideaki YOSHIFUJI, Patrick McHardy, netdev, LKML, Eric Dumazet,
Dmitry Vyukov, Kostya Serebryany, syzkaller
On Mon, Apr 10, 2017 at 7:42 PM, Cong Wang <xiyou.wangcong@gmail.com> wrote:
> On Mon, Apr 10, 2017 at 7:40 AM, Andrey Konovalov <andreyknvl@google.com> wrote:
>> Hi,
>>
>> I've got the following error report while fuzzing the kernel with syzkaller.
>>
>> On commit 39da7c509acff13fc8cb12ec1bb20337c988ed36 (4.11-rc6).
>>
>> Unfortunately it's not reproducible.
>>
>> BUG: KASAN: use-after-free in ip_select_ttl include/net/dst.h:176
>> [inline] at addr ffff88006ab3602c
>> BUG: KASAN: use-after-free in ip_queue_xmit+0x1817/0x1a30
>> net/ipv4/ip_output.c:485 at addr ffff88006ab3602c
>> Read of size 4 by task syz-executor1/12627
>> CPU: 3 PID: 12627 Comm: syz-executor1 Not tainted 4.11.0-rc6+ #206
>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
>> Call Trace:
>> __dump_stack lib/dump_stack.c:16 [inline]
>> dump_stack+0x292/0x398 lib/dump_stack.c:52
>> kasan_object_err+0x1c/0x70 mm/kasan/report.c:164
>> print_address_description mm/kasan/report.c:202 [inline]
>> kasan_report_error mm/kasan/report.c:291 [inline]
>> kasan_report+0x252/0x510 mm/kasan/report.c:347
>> __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:367
>> ip_select_ttl include/net/dst.h:176 [inline]
>
> Probably same as the one you reported on ipv4_mtu(), it would
> be nice if you could test the patch I proposed:
>
> https://patchwork.ozlabs.org/patch/747556/
Applied your patch.
The bug gets triggered very rarely (only twice so far), but I'll let
you know if I see it again.
Thanks!
* Re: net/ipv4: use-after-free in ip_queue_xmit
From: Andrey Konovalov @ 2017-04-13 18:49 UTC
To: Cong Wang
Cc: David S. Miller, Alexey Kuznetsov, James Morris,
Hideaki YOSHIFUJI, Patrick McHardy, netdev, LKML, Eric Dumazet,
Dmitry Vyukov, Kostya Serebryany, syzkaller
On Mon, Apr 10, 2017 at 7:46 PM, Andrey Konovalov <andreyknvl@google.com> wrote:
> On Mon, Apr 10, 2017 at 7:42 PM, Cong Wang <xiyou.wangcong@gmail.com> wrote:
>> On Mon, Apr 10, 2017 at 7:40 AM, Andrey Konovalov <andreyknvl@google.com> wrote:
>>> Hi,
>>>
>>> I've got the following error report while fuzzing the kernel with syzkaller.
>>>
>>> On commit 39da7c509acff13fc8cb12ec1bb20337c988ed36 (4.11-rc6).
>>>
>>> Unfortunately it's not reproducible.
>>>
>>> BUG: KASAN: use-after-free in ip_select_ttl include/net/dst.h:176
>>> [inline] at addr ffff88006ab3602c
>>> BUG: KASAN: use-after-free in ip_queue_xmit+0x1817/0x1a30
>>> net/ipv4/ip_output.c:485 at addr ffff88006ab3602c
>>> Read of size 4 by task syz-executor1/12627
>>> CPU: 3 PID: 12627 Comm: syz-executor1 Not tainted 4.11.0-rc6+ #206
>>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
>>> Call Trace:
>>> __dump_stack lib/dump_stack.c:16 [inline]
>>> dump_stack+0x292/0x398 lib/dump_stack.c:52
>>> kasan_object_err+0x1c/0x70 mm/kasan/report.c:164
>>> print_address_description mm/kasan/report.c:202 [inline]
>>> kasan_report_error mm/kasan/report.c:291 [inline]
>>> kasan_report+0x252/0x510 mm/kasan/report.c:347
>>> __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:367
>>> ip_select_ttl include/net/dst.h:176 [inline]
>>
>> Probably same as the one you reported on ipv4_mtu(), it would
>> be nice if you could test the patch I proposed:
>>
>> https://patchwork.ozlabs.org/patch/747556/
>
> Applied your patch.
Oops, apparently your patch doesn't compile:
CC net/ipv4/route.o
net/ipv4/route.c: In function ‘ipv4_dst_destroy’:
net/ipv4/route.c:1394:8: error: ‘struct rtable’ has no member named ‘fi’
if (rt->fi) {
^~
net/ipv4/route.c:1395:18: error: ‘struct rtable’ has no member named ‘fi’
fib_info_put(rt->fi);
^~
net/ipv4/route.c:1396:5: error: ‘struct rtable’ has no member named ‘fi’
rt->fi = NULL;
^~
net/ipv4/route.c: In function ‘rt_init_metrics’:
net/ipv4/route.c:1440:5: error: ‘struct rtable’ has no member named ‘fi’
rt->fi = fi;
^~
net/ipv4/route.c: In function ‘rt_dst_alloc’:
net/ipv4/route.c:1512:5: error: ‘struct rtable’ has no member named ‘fi’
rt->fi = NULL;
^~
make[2]: *** [net/ipv4/route.o] Error 1
make[1]: *** [net/ipv4] Error 2
make[1]: *** Waiting for unfinished jobs....
make: *** [net] Error 2
* Re: net/ipv4: use-after-free in ip_queue_xmit
From: Cong Wang @ 2017-04-13 19:59 UTC
To: Andrey Konovalov
Cc: David S. Miller, Alexey Kuznetsov, James Morris,
Hideaki YOSHIFUJI, Patrick McHardy, netdev, LKML, Eric Dumazet,
Dmitry Vyukov, Kostya Serebryany, syzkaller
On Thu, Apr 13, 2017 at 11:49 AM, Andrey Konovalov
<andreyknvl@google.com> wrote:
> On Mon, Apr 10, 2017 at 7:46 PM, Andrey Konovalov <andreyknvl@google.com> wrote:
>> On Mon, Apr 10, 2017 at 7:42 PM, Cong Wang <xiyou.wangcong@gmail.com> wrote:
>>> On Mon, Apr 10, 2017 at 7:40 AM, Andrey Konovalov <andreyknvl@google.com> wrote:
>>>> Hi,
>>>>
>>>> I've got the following error report while fuzzing the kernel with syzkaller.
>>>>
>>>> On commit 39da7c509acff13fc8cb12ec1bb20337c988ed36 (4.11-rc6).
>>>>
>>>> Unfortunately it's not reproducible.
>>>>
>>>> BUG: KASAN: use-after-free in ip_select_ttl include/net/dst.h:176
>>>> [inline] at addr ffff88006ab3602c
>>>> BUG: KASAN: use-after-free in ip_queue_xmit+0x1817/0x1a30
>>>> net/ipv4/ip_output.c:485 at addr ffff88006ab3602c
>>>> Read of size 4 by task syz-executor1/12627
>>>> CPU: 3 PID: 12627 Comm: syz-executor1 Not tainted 4.11.0-rc6+ #206
>>>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
>>>> Call Trace:
>>>> __dump_stack lib/dump_stack.c:16 [inline]
>>>> dump_stack+0x292/0x398 lib/dump_stack.c:52
>>>> kasan_object_err+0x1c/0x70 mm/kasan/report.c:164
>>>> print_address_description mm/kasan/report.c:202 [inline]
>>>> kasan_report_error mm/kasan/report.c:291 [inline]
>>>> kasan_report+0x252/0x510 mm/kasan/report.c:347
>>>> __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:367
>>>> ip_select_ttl include/net/dst.h:176 [inline]
>>>
>>> Probably same as the one you reported on ipv4_mtu(), it would
>>> be nice if you could test the patch I proposed:
>>>
>>> https://patchwork.ozlabs.org/patch/747556/
>>
>> Applied your patch.
>
> Oops, apparently your patch doesn't compile:
>
Weird, it compiles fine here. Either you have a different config
or the following piece is missing for some reason?
@@ -69,6 +69,7 @@ struct rtable {
struct list_head rt_uncached;
struct uncached_list *rt_uncached_list;
+ struct fib_info *fi; /* for refcnt to shared metrics */
};
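Review bot: the comment on the new member, `+ struct fib_info *fi; /* for refcnt to shared metrics */`, should state the ownership rule, i.e. that a reference on the fib_info is taken when the pointer is assigned and dropped when the rtable is destroyed, since a field that exists only to pin a refcount is easy to misuse without that. The build errors quoted earlier in this thread show the field being assigned in rt_init_metrics (`rt->fi = fi;`), released with fib_info_put() in ipv4_dst_destroy and cleared in rt_dst_alloc, but this hunk only adds the member, so the matching hold next to the assignment cannot be checked from here; posting the full patch inline rather than by link would let reviewers verify that pairing and would also rule out a tree that is missing this hunk.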
* Re: net/ipv4: use-after-free in ip_queue_xmit
From: Andrey Konovalov @ 2017-04-18 12:15 UTC
To: Cong Wang
Cc: David S. Miller, Alexey Kuznetsov, James Morris,
Hideaki YOSHIFUJI, Patrick McHardy, netdev, LKML, Eric Dumazet,
Dmitry Vyukov, Kostya Serebryany, syzkaller
On Thu, Apr 13, 2017 at 9:59 PM, Cong Wang <xiyou.wangcong@gmail.com> wrote:
> On Thu, Apr 13, 2017 at 11:49 AM, Andrey Konovalov
> <andreyknvl@google.com> wrote:
>> On Mon, Apr 10, 2017 at 7:46 PM, Andrey Konovalov <andreyknvl@google.com> wrote:
>>> On Mon, Apr 10, 2017 at 7:42 PM, Cong Wang <xiyou.wangcong@gmail.com> wrote:
>>>> On Mon, Apr 10, 2017 at 7:40 AM, Andrey Konovalov <andreyknvl@google.com> wrote:
>>>>> Hi,
>>>>>
>>>>> I've got the following error report while fuzzing the kernel with syzkaller.
>>>>>
>>>>> On commit 39da7c509acff13fc8cb12ec1bb20337c988ed36 (4.11-rc6).
>>>>>
>>>>> Unfortunately it's not reproducible.
>>>>>
>>>>> BUG: KASAN: use-after-free in ip_select_ttl include/net/dst.h:176
>>>>> [inline] at addr ffff88006ab3602c
>>>>> BUG: KASAN: use-after-free in ip_queue_xmit+0x1817/0x1a30
>>>>> net/ipv4/ip_output.c:485 at addr ffff88006ab3602c
>>>>> Read of size 4 by task syz-executor1/12627
>>>>> CPU: 3 PID: 12627 Comm: syz-executor1 Not tainted 4.11.0-rc6+ #206
>>>>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
>>>>> Call Trace:
>>>>> __dump_stack lib/dump_stack.c:16 [inline]
>>>>> dump_stack+0x292/0x398 lib/dump_stack.c:52
>>>>> kasan_object_err+0x1c/0x70 mm/kasan/report.c:164
>>>>> print_address_description mm/kasan/report.c:202 [inline]
>>>>> kasan_report_error mm/kasan/report.c:291 [inline]
>>>>> kasan_report+0x252/0x510 mm/kasan/report.c:347
>>>>> __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:367
>>>>> ip_select_ttl include/net/dst.h:176 [inline]
>>>>
>>>> Probably same as the one you reported on ipv4_mtu(), it would
>>>> be nice if you could test the patch I proposed:
>>>>
>>>> https://patchwork.ozlabs.org/patch/747556/
>>>
>>> Applied your patch.
>>
>> Oops, apparently your patch doesn't compile:
>>
>
> Weird, it compiles fine here. Either you have a different config
> or the following piece is missing for some reason?
>
> @@ -69,6 +69,7 @@ struct rtable {
>
> struct list_head rt_uncached;
> struct uncached_list *rt_uncached_list;
> + struct fib_info *fi; /* for refcnt to shared metrics */
> };
Yes, I don't have this field in the rtable struct.
I'm on 39da7c509acff13fc8cb12ec1bb20337c988ed36 (4.11-rc6).
I also don't see it in the cross reference:
http://lxr.free-electrons.com/source/include/net/route.h#L51
* Re: net/ipv4: use-after-free in ip_queue_xmit
From: Cong Wang @ 2017-04-18 16:05 UTC
To: Andrey Konovalov
Cc: David S. Miller, Alexey Kuznetsov, James Morris,
Hideaki YOSHIFUJI, Patrick McHardy, netdev, LKML, Eric Dumazet,
Dmitry Vyukov, Kostya Serebryany, syzkaller
On Tue, Apr 18, 2017 at 5:15 AM, Andrey Konovalov <andreyknvl@google.com> wrote:
> Yes, I don't have this field in the rtable struct.
>
> I'm on 39da7c509acff13fc8cb12ec1bb20337c988ed36 (4.11-rc6).
>
> I also don't see it in the cross reference:
> http://lxr.free-electrons.com/source/include/net/route.h#L51
>
It is provided by my patch: https://patchwork.ozlabs.org/patch/747556/
which means you applied an incomplete patch... :-/
* Re: net/ipv4: use-after-free in ip_queue_xmit
From: Andrey Konovalov @ 2017-04-18 17:45 UTC
To: Cong Wang
Cc: David S. Miller, Alexey Kuznetsov, James Morris,
Hideaki YOSHIFUJI, Patrick McHardy, netdev, LKML, Eric Dumazet,
Dmitry Vyukov, Kostya Serebryany, syzkaller
On Tue, Apr 18, 2017 at 6:05 PM, Cong Wang <xiyou.wangcong@gmail.com> wrote:
> On Tue, Apr 18, 2017 at 5:15 AM, Andrey Konovalov <andreyknvl@google.com> wrote:
>> Yes, I don't have this field in the rtable struct.
>>
>> I'm on 39da7c509acff13fc8cb12ec1bb20337c988ed36 (4.11-rc6).
>>
>> I also don't see it in the cross reference:
>> http://lxr.free-electrons.com/source/include/net/route.h#L51
>>
>
> It is provided by my patch: https://patchwork.ozlabs.org/patch/747556/
> which means you applied an incomplete patch... :-/
Oops, my bad.
Applied the patch.
Thanks!
* Re: net/ipv4: use-after-free in ip_queue_xmit
From: Andrey Konovalov @ 2017-05-04 14:20 UTC
To: Cong Wang
Cc: David S. Miller, Alexey Kuznetsov, James Morris,
Hideaki YOSHIFUJI, Patrick McHardy, netdev, LKML, Eric Dumazet,
Dmitry Vyukov, Kostya Serebryany, syzkaller
On Mon, Apr 10, 2017 at 7:46 PM, Andrey Konovalov <andreyknvl@google.com> wrote:
> On Mon, Apr 10, 2017 at 7:42 PM, Cong Wang <xiyou.wangcong@gmail.com> wrote:
>> On Mon, Apr 10, 2017 at 7:40 AM, Andrey Konovalov <andreyknvl@google.com> wrote:
>>> Hi,
>>>
>>> I've got the following error report while fuzzing the kernel with syzkaller.
>>>
>>> On commit 39da7c509acff13fc8cb12ec1bb20337c988ed36 (4.11-rc6).
>>>
>>> Unfortunately it's not reproducible.
>>>
>>> BUG: KASAN: use-after-free in ip_select_ttl include/net/dst.h:176
>>> [inline] at addr ffff88006ab3602c
>>> BUG: KASAN: use-after-free in ip_queue_xmit+0x1817/0x1a30
>>> net/ipv4/ip_output.c:485 at addr ffff88006ab3602c
>>> Read of size 4 by task syz-executor1/12627
>>> CPU: 3 PID: 12627 Comm: syz-executor1 Not tainted 4.11.0-rc6+ #206
>>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
>>> Call Trace:
>>> __dump_stack lib/dump_stack.c:16 [inline]
>>> dump_stack+0x292/0x398 lib/dump_stack.c:52
>>> kasan_object_err+0x1c/0x70 mm/kasan/report.c:164
>>> print_address_description mm/kasan/report.c:202 [inline]
>>> kasan_report_error mm/kasan/report.c:291 [inline]
>>> kasan_report+0x252/0x510 mm/kasan/report.c:347
>>> __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:367
>>> ip_select_ttl include/net/dst.h:176 [inline]
>>
>> Probably same as the one you reported on ipv4_mtu(), it would
>> be nice if you could test the patch I proposed:
>>
>> https://patchwork.ozlabs.org/patch/747556/
>
> Applied your patch.
>
> The bug gets triggered very rarely (only twice so far), but I'll let
> you know if I see it again.
Hi Cong,
I haven't seen those reports any more.
Could you mail the patch?
Thanks!
>
> Thanks!
>
>>
>>
>> Thanks!
>>
>>> ip_queue_xmit+0x1817/0x1a30 net/ipv4/ip_output.c:485
>>> sctp_v4_xmit+0x10d/0x140 net/sctp/protocol.c:994
>>> sctp_packet_transmit+0x215c/0x3560 net/sctp/output.c:637
>>> sctp_outq_flush+0xade/0x3f90 net/sctp/outqueue.c:885
>>> sctp_outq_uncork+0x5a/0x70 net/sctp/outqueue.c:750
>>> sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1773 [inline]
>>> sctp_side_effects net/sctp/sm_sideeffect.c:1175 [inline]
>>> sctp_do_sm+0x5a0/0x6a50 net/sctp/sm_sideeffect.c:1147
>>> sctp_primitive_ASSOCIATE+0x9d/0xd0 net/sctp/primitive.c:88
>>> sctp_sendmsg+0x270d/0x3b50 net/sctp/socket.c:1954
>>> inet_sendmsg+0x164/0x5b0 net/ipv4/af_inet.c:762
>>> sock_sendmsg_nosec net/socket.c:633 [inline]
>>> sock_sendmsg+0xca/0x110 net/socket.c:643
>>> SYSC_sendto+0x660/0x810 net/socket.c:1696
>>> SyS_sendto+0x40/0x50 net/socket.c:1664
>>> entry_SYSCALL_64_fastpath+0x1f/0xc2
>>> RIP: 0033:0x4458d9
>>> RSP: 002b:00007fdceca85b58 EFLAGS: 00000282 ORIG_RAX: 000000000000002c
>>> RAX: ffffffffffffffda RBX: 0000000000000016 RCX: 00000000004458d9
>>> RDX: 0000000000000087 RSI: 0000000020003000 RDI: 0000000000000016
>>> RBP: 00000000006e2fe0 R08: 0000000020003000 R09: 0000000000000010
>>> R10: 0000000000040841 R11: 0000000000000282 R12: 00000000007080a8
>>> R13: 000000000000000a R14: 0000000000000005 R15: 0000000000000084
>>> Object at ffff88006ab36008, in cache kmalloc-64 size: 64
>>> Allocated:
>>> PID = 7243
>>> save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
>>> save_stack+0x43/0xd0 mm/kasan/kasan.c:513
>>> set_track mm/kasan/kasan.c:525 [inline]
>>> kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:616
>>> kmem_cache_alloc_trace+0x82/0x270 mm/slub.c:2745
>>> kmalloc include/linux/slab.h:490 [inline]
>>> kzalloc include/linux/slab.h:663 [inline]
>>> fib_create_info+0x8e0/0x3a30 net/ipv4/fib_semantics.c:1040
>>> fib_table_insert+0x1a5/0x1550 net/ipv4/fib_trie.c:1221
>>> ip_rt_ioctl+0xddc/0x1590 net/ipv4/fib_frontend.c:597
>>> inet_ioctl+0xf2/0x1c0 net/ipv4/af_inet.c:882
>>> sock_do_ioctl+0x65/0xb0 net/socket.c:906
>>> sock_ioctl+0x28f/0x440 net/socket.c:1004
>>> vfs_ioctl fs/ioctl.c:45 [inline]
>>> do_vfs_ioctl+0x1bf/0x1780 fs/ioctl.c:685
>>> SYSC_ioctl fs/ioctl.c:700 [inline]
>>> SyS_ioctl+0x8f/0xc0 fs/ioctl.c:691
>>> entry_SYSCALL_64_fastpath+0x1f/0xc2
>>> Freed:
>>> PID = 12622
>>> save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
>>> save_stack+0x43/0xd0 mm/kasan/kasan.c:513
>>> set_track mm/kasan/kasan.c:525 [inline]
>>> kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:589
>>> slab_free_hook mm/slub.c:1357 [inline]
>>> slab_free_freelist_hook mm/slub.c:1379 [inline]
>>> slab_free mm/slub.c:2961 [inline]
>>> kfree+0xe8/0x2b0 mm/slub.c:3882
>>> free_fib_info_rcu+0x4ba/0x5e0 net/ipv4/fib_semantics.c:218
>>> __rcu_reclaim kernel/rcu/rcu.h:118 [inline]
>>> rcu_do_batch.isra.64+0x947/0xcc0 kernel/rcu/tree.c:2879
>>> invoke_rcu_callbacks kernel/rcu/tree.c:3142 [inline]
>>> __rcu_process_callbacks kernel/rcu/tree.c:3109 [inline]
>>> rcu_process_callbacks+0x2cc/0xb90 kernel/rcu/tree.c:3126
>>> __do_softirq+0x2fb/0xb7d kernel/softirq.c:284
>>> Memory state around the buggy address:
>>> ffff88006ab35f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>>> ffff88006ab35f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>>> >ffff88006ab36000: fc fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
>>> ^
>>> ffff88006ab36080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>>> ffff88006ab36100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>>> ==================================================================
>>
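The KASAN report quoted in this thread is the kind of artifact that gets triaged mechanically before anyone opens the source. The following Python is an added example, not code from the thread, from syzkaller or from the kernel: it parses an abridged copy of the report above (constructed here from the quoted lines), picks the first non-instrumentation frame of the allocation and free stacks, computes the offset of the faulting access inside the kmalloc-64 object, and decodes the shadow byte covering the address using the KASAN shadow encoding of that kernel generation (0xfb = freed slab object, 0xfc = slab redzone, 0xff = free page, one shadow byte per 8 bytes). The list of instrumentation-frame prefixes and the field names are this example's own assumptions.

```python
import re

SHADOW_SCALE = 8  # one KASAN shadow byte describes 8 bytes of memory
# Shadow values as used by the 4.x KASAN implementation (assumption: the
# report comes from a kernel of that generation, as the one in the thread does).
SHADOW_MEANING = {"00": "addressable", "fb": "freed slab object",
                  "fc": "slab redzone", "ff": "free page"}
# Frames that belong to the allocator/KASAN itself, not to the owning subsystem.
INSTRUMENTATION = ("save_stack", "set_track", "kasan_", "kmem_cache_alloc",
                   "kmalloc", "kzalloc", "slab_free", "kfree")

# Constructed input: the report from the thread, mail quoting stripped and
# the stacks shortened to the frames that matter for triage.
KASAN_REPORT = """\
BUG: KASAN: use-after-free in ip_select_ttl include/net/dst.h:176 [inline] at addr ffff88006ab3602c
Read of size 4 by task syz-executor1/12627
Call Trace:
ip_select_ttl include/net/dst.h:176 [inline]
ip_queue_xmit+0x1817/0x1a30 net/ipv4/ip_output.c:485
Object at ffff88006ab36008, in cache kmalloc-64 size: 64
Allocated:
PID = 7243
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:616
kmem_cache_alloc_trace+0x82/0x270 mm/slub.c:2745
kmalloc include/linux/slab.h:490 [inline]
kzalloc include/linux/slab.h:663 [inline]
fib_create_info+0x8e0/0x3a30 net/ipv4/fib_semantics.c:1040
fib_table_insert+0x1a5/0x1550 net/ipv4/fib_trie.c:1221
Freed:
PID = 12622
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:589
slab_free mm/slub.c:2961 [inline]
kfree+0xe8/0x2b0 mm/slub.c:3882
free_fib_info_rcu+0x4ba/0x5e0 net/ipv4/fib_semantics.c:218
Memory state around the buggy address:
 ffff88006ab35f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88006ab36000: fc fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
 ffff88006ab36080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""


def _frames(lines):
    """Split an 'Allocated:'/'Freed:' block into (pid, [function names])."""
    pid, frames = None, []
    for ln in lines:
        m = re.match(r"PID = (\d+)", ln)
        if m:
            pid = int(m.group(1))
        else:
            frames.append(ln.split()[0].split("+")[0])
    return pid, frames


def _first_owner_frame(frames):
    """First frame that is not allocator/KASAN plumbing: the real alloc/free site."""
    return next((f for f in frames if not f.startswith(INSTRUMENTATION)), None)


def parse_kasan_report(text):
    rep, section, blocks = {"shadow": {}}, None, {"Allocated:": [], "Freed:": []}
    for ln in text.splitlines():
        s = ln.strip()
        m = re.match(r"BUG: KASAN: (\S+) in (\S+) .*at addr ([0-9a-f]+)$", s)
        if m and "bug" not in rep:
            rep["bug"], rep["site"] = m.group(1), m.group(2).split("+")[0]
            rep["addr"] = int(m.group(3), 16)
            continue
        m = re.match(r"(Read|Write) of size (\d+) by task (\S+)/(\d+)", s)
        if m:
            rep["access"], rep["size"] = m.group(1).lower(), int(m.group(2))
            rep["task"], rep["pid"] = m.group(3), int(m.group(4))
            continue
        m = re.match(r"Object at ([0-9a-f]+), in cache (\S+) size: (\d+)", s)
        if m:
            rep["obj"], rep["cache"] = int(m.group(1), 16), m.group(2)
            rep["obj_size"] = int(m.group(3))
            continue
        if s in blocks:
            section = s
        elif s.startswith("Memory state"):
            section = "shadow"
        elif section == "shadow":
            m = re.match(r">?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$", s)
            if m:  # the '>' marks the shadow line holding the faulting address
                rep["shadow"][int(m.group(1), 16)] = m.group(2).split()
        elif section in blocks and s:
            blocks[section].append(s)
    rep["alloc_pid"], af = _frames(blocks["Allocated:"])
    rep["free_pid"], ff = _frames(blocks["Freed:"])
    rep["alloc_site"], rep["free_site"] = _first_owner_frame(af), _first_owner_frame(ff)
    return rep


def offset_in_object(rep):
    """Byte offset of the faulting access inside the slab object."""
    return rep["addr"] - rep["obj"]


def shadow_state(rep):
    """Decode the shadow byte that covers the faulting address."""
    for base, shadow in rep["shadow"].items():
        if base <= rep["addr"] < base + len(shadow) * SHADOW_SCALE:
            b = shadow[(rep["addr"] - base) // SHADOW_SCALE]
            return b, SHADOW_MEANING.get(b, "other")
    return None, "not in dump"


def triage(text):
    rep = parse_kasan_report(text)
    b, meaning = shadow_state(rep)
    return "\n".join([
        f"{rep['bug']}: {rep['access']} of {rep['size']} bytes in {rep['site']} "
        f"(task {rep['task']}/{rep['pid']})",
        f"object: {rep['cache']} ({rep['obj_size']} bytes) at {rep['obj']:#x}, "
        f"access at offset {offset_in_object(rep)}",
        f"allocated by PID {rep['alloc_pid']} in {rep['alloc_site']}; "
        f"freed by PID {rep['free_pid']} in {rep['free_site']}",
        f"shadow byte {b} => {meaning}",
    ])


if __name__ == "__main__":
    print(triage(KASAN_REPORT))
```

For this report the summary comes out as a 4-byte read at offset 36 of a 64-byte object allocated in fib_create_info and freed from free_fib_info_rcu by a different PID, with the shadow byte 0xfb confirming the object was already released; that pairing of an RCU-deferred free with a reader in the transmit path is exactly the ownership question Cong Wang's patch in the thread addresses.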
Thread overview: 9+ messages
2017-04-10 14:40 net/ipv4: use-after-free in ip_queue_xmit Andrey Konovalov
2017-04-10 17:42 ` Cong Wang
2017-04-10 17:46 ` Andrey Konovalov
2017-04-13 18:49 ` Andrey Konovalov
2017-04-13 19:59 ` Cong Wang
2017-04-18 12:15 ` Andrey Konovalov
2017-04-18 16:05 ` Cong Wang
2017-04-18 17:45 ` Andrey Konovalov
2017-05-04 14:20 ` Andrey Konovalov