From: syzbot <syzbot+aa9105f99c12b6abfe27@syzkaller.appspotmail.com>
To: davem@davemloft.net, kuznet@ms2.inr.ac.ru,
linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
syzkaller-bugs@googlegroups.com, yoshfuji@linux-ipv6.org
Subject: KASAN: use-after-free Read in __icmp_send
Date: Wed, 27 Mar 2019 01:19:05 -0700 [thread overview]
Message-ID: <0000000000004cd71f05850f17c2@google.com> (raw)
Hello,
syzbot found the following crash on:
HEAD commit: 1d965c4d Merge branch 'Refactor-flower-classifier-to-remov..
git tree: net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=14ff71df200000
kernel config: https://syzkaller.appspot.com/x/.config?x=f05902bca21d8935
dashboard link: https://syzkaller.appspot.com/bug?extid=aa9105f99c12b6abfe27
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+aa9105f99c12b6abfe27@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in atomic_read
include/asm-generic/atomic-instrumented.h:26 [inline]
BUG: KASAN: use-after-free in queued_spin_trylock
include/asm-generic/qspinlock.h:69 [inline]
BUG: KASAN: use-after-free in do_raw_spin_trylock+0x6a/0x180
kernel/locking/spinlock_debug.c:119
Read of size 4 at addr ffff88808a28ccd4 by task syz-executor.0/17585
CPU: 0 PID: 17585 Comm: syz-executor.0 Not tainted 5.0.0+ #105
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x172/0x1f0 lib/dump_stack.c:113
print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
check_memory_region_inline mm/kasan/generic.c:185 [inline]
check_memory_region+0x123/0x190 mm/kasan/generic.c:191
kasan_check_read+0x11/0x20 mm/kasan/common.c:102
atomic_read include/asm-generic/atomic-instrumented.h:26 [inline]
queued_spin_trylock include/asm-generic/qspinlock.h:69 [inline]
do_raw_spin_trylock+0x6a/0x180 kernel/locking/spinlock_debug.c:119
__raw_spin_trylock include/linux/spinlock_api_smp.h:89 [inline]
_raw_spin_trylock+0x1c/0x80 kernel/locking/spinlock.c:128
spin_trylock include/linux/spinlock.h:339 [inline]
icmp_xmit_lock net/ipv4/icmp.c:219 [inline]
__icmp_send+0x553/0x1400 net/ipv4/icmp.c:666
icmp_send include/net/icmp.h:47 [inline]
ipv4_link_failure+0x31/0x210 net/ipv4/route.c:1190
dst_link_failure include/net/dst.h:416 [inline]
arp_error_report+0xd1/0x1c0 net/ipv4/arp.c:297
neigh_invalidate+0x24b/0x570 net/core/neighbour.c:995
neigh_timer_handler+0xc35/0xf30 net/core/neighbour.c:1081
call_timer_fn+0x190/0x720 kernel/time/timer.c:1325
expire_timers kernel/time/timer.c:1362 [inline]
__run_timers kernel/time/timer.c:1681 [inline]
__run_timers kernel/time/timer.c:1649 [inline]
run_timer_softirq+0x652/0x1700 kernel/time/timer.c:1694
__do_softirq+0x266/0x95a kernel/softirq.c:293
invoke_softirq kernel/softirq.c:374 [inline]
irq_exit+0x180/0x1d0 kernel/softirq.c:414
exiting_irq arch/x86/include/asm/apic.h:536 [inline]
smp_apic_timer_interrupt+0x14a/0x570 arch/x86/kernel/apic/apic.c:1062
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:807
</IRQ>
RIP: 0010:filename_mountpoint+0x25d/0x3c0 fs/namei.c:2722
Code: 14 02 4c 89 e0 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 1c 01 00 00
45 8b 24 24 31 ff 44 89 e6 e8 58 ea ba ff 45 85 e4 74 62 <e8> ce e8 ba ff
e8 49 2a fe ff 4c 89 f7 e8 81 f2 ff ff e8 bc e8 ba
RSP: 0018:ffff8880a857fc30 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
RAX: dffffc0000000000 RBX: 1ffff110150aff88 RCX: ffffffff81b57ad4
RDX: 1ffff1100bd8e54c RSI: ffffffff81b57ae2 RDI: ffff88805ec72a60
RBP: ffff8880a857fdc8 R08: ffff88805ec72300 R09: 0000000000000001
R10: 000000000000001c R11: ffff8880ae82de3b R12: 0000000000000000
R13: 0000000000000000 R14: ffff888097790e00 R15: ffff8880a857fe68
user_path_mountpoint_at+0x3a/0x50 fs/namei.c:2745
ksys_umount+0x167/0xf00 fs/namespace.c:1687
__do_sys_umount fs/namespace.c:1713 [inline]
__se_sys_umount fs/namespace.c:1711 [inline]
__x64_sys_umount+0x54/0x80 fs/namespace.c:1711
do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45ac57
Code: 44 00 00 b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 4d 8e fb ff c3
66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff
ff 0f 83 2d 8e fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffe6359ff08 EFLAGS: 00000202 ORIG_RAX: 00000000000000a6
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000045ac57
RDX: 0000000000402ea0 RSI: 0000000000000002 RDI: 00007ffe6359ffb0
RBP: 00000000000019e0 R08: 0000000000000000 R09: 000000000000000d
R10: 0000000000000006 R11: 0000000000000202 R12: 00007ffe635a1040
R13: 0000000000bfa940 R14: 0000000000000000 R15: 00007ffe635a1040
Allocated by task 12478:
save_stack+0x45/0xd0 mm/kasan/common.c:75
set_track mm/kasan/common.c:87 [inline]
__kasan_kmalloc mm/kasan/common.c:497 [inline]
__kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:470
kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:505
slab_post_alloc_hook mm/slab.h:436 [inline]
slab_alloc mm/slab.c:3392 [inline]
kmem_cache_alloc+0x11a/0x6f0 mm/slab.c:3554
getname_flags fs/namei.c:138 [inline]
getname_flags+0xd6/0x5b0 fs/namei.c:128
getname+0x1a/0x20 fs/namei.c:209
do_sys_open+0x2c9/0x5d0 fs/open.c:1057
__do_sys_open fs/open.c:1081 [inline]
__se_sys_open fs/open.c:1076 [inline]
__x64_sys_open+0x7e/0xc0 fs/open.c:1076
do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 12478:
save_stack+0x45/0xd0 mm/kasan/common.c:75
set_track mm/kasan/common.c:87 [inline]
__kasan_slab_free+0x102/0x150 mm/kasan/common.c:459
kasan_slab_free+0xe/0x10 mm/kasan/common.c:467
__cache_free mm/slab.c:3498 [inline]
kmem_cache_free+0x86/0x260 mm/slab.c:3764
putname+0xef/0x130 fs/namei.c:259
do_sys_open+0x318/0x5d0 fs/open.c:1072
__do_sys_open fs/open.c:1081 [inline]
__se_sys_open fs/open.c:1076 [inline]
__x64_sys_open+0x7e/0xc0 fs/open.c:1076
do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff88808a28c780
which belongs to the cache names_cache of size 4096
The buggy address is located 1364 bytes inside of
4096-byte region [ffff88808a28c780, ffff88808a28d780)
The buggy address belongs to the page:
page:ffffea000228a300 count:1 mapcount:0 mapping:ffff88812c2d8dc0 index:0x0
compound_mapcount: 0
flags: 0x1fffc0000010200(slab|head)
raw: 01fffc0000010200 ffffea00025c8908 ffffea0001840a08 ffff88812c2d8dc0
raw: 0000000000000000 ffff88808a28c780 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88808a28cb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88808a28cc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff88808a28cc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88808a28cd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88808a28cd80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
next reply other threads:[~2019-03-27 8:19 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-27 8:19 syzbot [this message]
2019-03-27 8:22 ` KASAN: use-after-free Read in __icmp_send Dmitry Vyukov
2019-03-27 9:20 ` Eric Dumazet
2019-03-27 9:27 ` Dmitry Vyukov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=0000000000004cd71f05850f17c2@google.com \
--to=syzbot+aa9105f99c12b6abfe27@syzkaller.appspotmail.com \
--cc=davem@davemloft.net \
--cc=kuznet@ms2.inr.ac.ru \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=syzkaller-bugs@googlegroups.com \
--cc=yoshfuji@linux-ipv6.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.