Re: [syzbot] KASAN: use-after-free Read in dst_destroy

All of lore.kernel.org
 help / color / mirror / Atom feed

From: syzbot <syzbot+736f4a4f98b21dba48f0@syzkaller.appspotmail.com>
To: davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
	linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
	pabeni@redhat.com, syzkaller-bugs@googlegroups.com,
	yajun.deng@linux.dev
Subject: Re: [syzbot] KASAN: use-after-free Read in dst_destroy
Date: Wed, 27 Apr 2022 22:58:21 -0700	[thread overview]
Message-ID: <000000000000f8869805ddb09c27@google.com> (raw)
In-Reply-To: <000000000000af7f9905da904400@google.com>

syzbot has found a reproducer for the following issue on:

HEAD commit:    03fa8fc93e44 Merge branch 'remove-virt_to_bus-drivers'
git tree:       net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=13db7c44f00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=6e95eee1a1aa4fb4
dashboard link: https://syzkaller.appspot.com/bug?extid=736f4a4f98b21dba48f0
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1239a4e4f00000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=13a4b3b8f00000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+736f4a4f98b21dba48f0@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in dst_destroy+0x3c7/0x400 net/core/dst.c:118
Read of size 8 at addr ffff88801ebb8870 by task ksoftirqd/0/15

CPU: 0 PID: 15 Comm: ksoftirqd/0 Not tainted 5.18.0-rc3-syzkaller-01429-g03fa8fc93e44 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0xeb/0x495 mm/kasan/report.c:313
 print_report mm/kasan/report.c:429 [inline]
 kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491
 dst_destroy+0x3c7/0x400 net/core/dst.c:118
 rcu_do_batch kernel/rcu/tree.c:2535 [inline]
 rcu_core+0x7b1/0x1880 kernel/rcu/tree.c:2786
 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558
 run_ksoftirqd kernel/softirq.c:921 [inline]
 run_ksoftirqd+0x2d/0x60 kernel/softirq.c:913
 smpboot_thread_fn+0x645/0x9c0 kernel/smpboot.c:164
 kthread+0x2e9/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
 </TASK>

Allocated by task 3623:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:436 [inline]
 __kasan_slab_alloc+0x90/0xc0 mm/kasan/common.c:469
 kasan_slab_alloc include/linux/kasan.h:224 [inline]
 slab_post_alloc_hook mm/slab.h:749 [inline]
 slab_alloc_node mm/slub.c:3217 [inline]
 slab_alloc mm/slub.c:3225 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3232 [inline]
 kmem_cache_alloc+0x204/0x3b0 mm/slub.c:3242
 kmem_cache_zalloc include/linux/slab.h:704 [inline]
 net_alloc net/core/net_namespace.c:403 [inline]
 copy_net_ns+0x125/0x760 net/core/net_namespace.c:458
 create_new_namespaces+0x3f6/0xb20 kernel/nsproxy.c:110
 unshare_nsproxy_namespaces+0xc1/0x1f0 kernel/nsproxy.c:226
 ksys_unshare+0x445/0x920 kernel/fork.c:3132
 __do_sys_unshare kernel/fork.c:3203 [inline]
 __se_sys_unshare kernel/fork.c:3201 [inline]
 __x64_sys_unshare+0x2d/0x40 kernel/fork.c:3201
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff88801ebb8000
 which belongs to the cache net_namespace of size 6784
The buggy address is located 2160 bytes inside of
 6784-byte region [ffff88801ebb8000, ffff88801ebb9a80)

The buggy address belongs to the physical page:
page:ffffea00007aee00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1ebb8
head:ffffea00007aee00 order:3 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 0000000000000000 dead000000000122 ffff888010dcd3c0
raw: 0000000000000000 0000000080040004 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 3623, tgid 3623 (syz-executor323), ts 317565134167, free_ts 317561201837
 prep_new_page mm/page_alloc.c:2441 [inline]
 get_page_from_freelist+0xba2/0x3e00 mm/page_alloc.c:4182
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5408
 alloc_pages+0x1aa/0x310 mm/mempolicy.c:2272
 alloc_slab_page mm/slub.c:1799 [inline]
 allocate_slab+0x26c/0x3c0 mm/slub.c:1944
 new_slab mm/slub.c:2004 [inline]
 ___slab_alloc+0x8df/0xf20 mm/slub.c:3005
 __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3092
 slab_alloc_node mm/slub.c:3183 [inline]
 slab_alloc mm/slub.c:3225 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3232 [inline]
 kmem_cache_alloc+0x360/0x3b0 mm/slub.c:3242
 kmem_cache_zalloc include/linux/slab.h:704 [inline]
 net_alloc net/core/net_namespace.c:403 [inline]
 copy_net_ns+0x125/0x760 net/core/net_namespace.c:458
 create_new_namespaces+0x3f6/0xb20 kernel/nsproxy.c:110
 unshare_nsproxy_namespaces+0xc1/0x1f0 kernel/nsproxy.c:226
 ksys_unshare+0x445/0x920 kernel/fork.c:3132
 __do_sys_unshare kernel/fork.c:3203 [inline]
 __se_sys_unshare kernel/fork.c:3201 [inline]
 __x64_sys_unshare+0x2d/0x40 kernel/fork.c:3201
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1356 [inline]
 free_pcp_prepare+0x549/0xd20 mm/page_alloc.c:1406
 free_unref_page_prepare mm/page_alloc.c:3328 [inline]
 free_unref_page+0x19/0x6a0 mm/page_alloc.c:3423
 skb_free_head+0xac/0x110 net/core/skbuff.c:655
 skb_release_data+0x67a/0x810 net/core/skbuff.c:677
 skb_release_all net/core/skbuff.c:742 [inline]
 __kfree_skb net/core/skbuff.c:756 [inline]
 consume_skb net/core/skbuff.c:915 [inline]
 consume_skb+0xc2/0x160 net/core/skbuff.c:909
 skb_free_datagram+0x1b/0x1f0 net/core/datagram.c:324
 netlink_recvmsg+0x61a/0xea0 net/netlink/af_netlink.c:1999
 sock_recvmsg_nosec net/socket.c:948 [inline]
 sock_recvmsg net/socket.c:966 [inline]
 sock_recvmsg net/socket.c:962 [inline]
 ____sys_recvmsg+0x2be/0x5f0 net/socket.c:2632
 ___sys_recvmsg+0x127/0x200 net/socket.c:2674
 __sys_recvmsg+0xe2/0x1a0 net/socket.c:2704
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Memory state around the buggy address:
 ffff88801ebb8700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88801ebb8780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88801ebb8800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                             ^
 ffff88801ebb8880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88801ebb8900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

next prev parent reply	other threads:[~2022-04-28  5:58 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-03-19 11:07 [syzbot] KASAN: use-after-free Read in dst_destroy syzbot
2022-04-28  5:58 ` syzbot [this message]
2022-04-28 11:32 ` syzbot
     [not found] <20220428160357.3884-1-hdanton@sina.com>
2022-04-28 16:22 ` syzbot
     [not found] <20220428231731.3954-1-hdanton@sina.com>
2022-04-29  4:01 ` syzbot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=000000000000f8869805ddb09c27@google.com \
    --to=syzbot+736f4a4f98b21dba48f0@syzkaller.appspotmail.com \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=kuba@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=syzkaller-bugs@googlegroups.com \
    --cc=yajun.deng@linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.