From: syzbot <syzbot+e5167d7144a62715044c@syzkaller.appspotmail.com>
To: hdanton@sina.com, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [netfilter?] KASAN: slab-use-after-free Read in ip_skb_dst_mtu
Date: Fri, 08 Mar 2024 03:09:05 -0800 [thread overview]
Message-ID: <0000000000005f8a2c061324380f@google.com> (raw)
In-Reply-To: <20240308105058.1649-1-hdanton@sina.com>
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: null-ptr-deref Write in ipvlan_process_v4_outbound
==================================================================
BUG: KASAN: null-ptr-deref in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: null-ptr-deref in atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
BUG: KASAN: null-ptr-deref in __refcount_add include/linux/refcount.h:182 [inline]
BUG: KASAN: null-ptr-deref in __refcount_inc include/linux/refcount.h:239 [inline]
BUG: KASAN: null-ptr-deref in refcount_inc include/linux/refcount.h:256 [inline]
BUG: KASAN: null-ptr-deref in ipvlan_process_v4_outbound+0x3f6/0x7b0 drivers/net/ipvlan/ipvlan_core.c:444
Write of size 4 at addr 0000000000000274 by task syz-executor.0/5580
CPU: 0 PID: 5580 Comm: syz-executor.0 Not tainted 6.8.0-rc7-syzkaller-g3aaa8ce7a335-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2e0 lib/dump_stack.c:106
print_report+0xe6/0x540 mm/kasan/report.c:491
kasan_report+0x142/0x180 mm/kasan/report.c:601
kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
__refcount_add include/linux/refcount.h:182 [inline]
__refcount_inc include/linux/refcount.h:239 [inline]
refcount_inc include/linux/refcount.h:256 [inline]
ipvlan_process_v4_outbound+0x3f6/0x7b0 drivers/net/ipvlan/ipvlan_core.c:444
ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:544 [inline]
ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:606 [inline]
ipvlan_queue_xmit+0xaa2/0x11f0 drivers/net/ipvlan/ipvlan_core.c:672
ipvlan_start_xmit+0x4a/0x150 drivers/net/ipvlan/ipvlan_main.c:222
__netdev_start_xmit include/linux/netdevice.h:4986 [inline]
netdev_start_xmit include/linux/netdevice.h:5000 [inline]
xmit_one net/core/dev.c:3547 [inline]
dev_hard_start_xmit+0x242/0x770 net/core/dev.c:3563
sch_direct_xmit+0x2b6/0x5f0 net/sched/sch_generic.c:342
qdisc_restart net/sched/sch_generic.c:407 [inline]
__qdisc_run+0xbed/0x2150 net/sched/sch_generic.c:415
__dev_xmit_skb net/core/dev.c:3839 [inline]
__dev_queue_xmit+0xfc6/0x3b10 net/core/dev.c:4317
packet_snd net/packet/af_packet.c:3081 [inline]
packet_sendmsg+0x47f4/0x6240 net/packet/af_packet.c:3113
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x221/0x270 net/socket.c:745
__sys_sendto+0x3a4/0x4f0 net/socket.c:2191
__do_sys_sendto net/socket.c:2203 [inline]
__se_sys_sendto net/socket.c:2199 [inline]
__x64_sys_sendto+0xde/0x100 net/socket.c:2199
do_syscall_64+0xf9/0x240
entry_SYSCALL_64_after_hwframe+0x6f/0x77
RIP: 0033:0x7f5d1287dda9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f5d136b40c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007f5d129abf80 RCX: 00007f5d1287dda9
RDX: 0000000000005c13 RSI: 0000000020000280 RDI: 0000000000000003
RBP: 00007f5d128ca47a R08: 0000000000000000 R09: 000000000000002f
R10: 0000000000000806 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f5d129abf80 R15: 00007fffdca46778
</TASK>
==================================================================
Tested on:
commit: 3aaa8ce7 Merge tag 'mm-hotfixes-stable-2024-03-07-16-1..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=12503a49180000
kernel config: https://syzkaller.appspot.com/x/.config?x=165e1d0fff4d3c47
dashboard link: https://syzkaller.appspot.com/bug?extid=e5167d7144a62715044c
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=154b4001180000
next prev parent reply other threads:[~2024-03-08 11:09 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-06 10:57 [syzbot] [netfilter?] KASAN: slab-use-after-free Read in ip_skb_dst_mtu syzbot
2024-03-08 10:50 ` Hillf Danton
2024-03-08 11:09 ` syzbot [this message]
2024-03-08 12:15 ` Hillf Danton
2024-03-08 13:00 ` syzbot
2024-03-08 23:14 ` Hillf Danton
2024-03-09 1:32 ` syzbot
2024-03-09 4:53 ` Hillf Danton
2024-03-09 5:19 ` syzbot
2024-03-09 8:45 ` Hillf Danton
2024-03-09 9:13 ` syzbot
2024-03-09 10:19 ` Hillf Danton
2024-03-16 9:00 ` Hillf Danton
2024-03-16 10:54 ` syzbot
2024-03-17 10:04 ` Hillf Danton
2024-03-17 10:31 ` syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=0000000000005f8a2c061324380f@google.com \
--to=syzbot+e5167d7144a62715044c@syzkaller.appspotmail.com \
--cc=hdanton@sina.com \
--cc=linux-kernel@vger.kernel.org \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.