From: David Ahern <dsahern@gmail.com>
To: syzbot <syzbot+a5b6e01ec8116d046842@syzkaller.appspotmail.com>,
davem@davemloft.net, netdev@vger.kernel.org,
syzkaller-bugs@googlegroups.com,
Eric Dumazet <eric.dumazet@gmail.com>
Subject: Re: KASAN: user-memory-access Read in ip6_hold_safe (3)
Date: Sun, 2 Jun 2019 21:29:11 -0600 [thread overview]
Message-ID: <88c0d223-f958-06d1-067a-ee7f2c801d71@gmail.com> (raw)
In-Reply-To: <000000000000a7776f058a3ce9db@google.com>
On 6/1/19 12:05 AM, syzbot wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: dfb569f2 net: ll_temac: Fix compile error
just an FYI: this is before any of my IPv6 changes in 5.2-next that are
relevant. At this commit the only IPv6 changes of mine are:
19a3b7eea424 ipv6: export function to send route updates
cdaa16a4f70c ipv6: Add hook to bump sernum for a route to stubs
68a9b13d9219 ipv6: Add delete route hook to stubs
which are function exports - unused at commit dfb569f2.
> git tree: net-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=10afcb8aa00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=fc045131472947d7
> dashboard link:
> https://syzkaller.appspot.com/bug?extid=a5b6e01ec8116d046842
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
>
> Unfortunately, I don't have any reproducer for this crash yet.
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+a5b6e01ec8116d046842@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: user-memory-access in atomic_read
> include/asm-generic/atomic-instrumented.h:26 [inline]
> BUG: KASAN: user-memory-access in atomic_fetch_add_unless
> include/linux/atomic-fallback.h:1086 [inline]
> BUG: KASAN: user-memory-access in atomic_add_unless
> include/linux/atomic-fallback.h:1111 [inline]
> BUG: KASAN: user-memory-access in atomic_inc_not_zero
> include/linux/atomic-fallback.h:1127 [inline]
> BUG: KASAN: user-memory-access in dst_hold_safe include/net/dst.h:297
> [inline]
> BUG: KASAN: user-memory-access in ip6_hold_safe+0xad/0x380
> net/ipv6/route.c:1050
> Read of size 4 at addr 0000000000001ec4 by task syz-executor.0/10106
0xc1ec4 is not a valid address for an allocated rt6_info.
>
> CPU: 0 PID: 10106 Comm: syz-executor.0 Not tainted 5.2.0-rc1+ #5
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
> __dump_stack lib/dump_stack.c:77 [inline]
> dump_stack+0x172/0x1f0 lib/dump_stack.c:113
> __kasan_report.cold+0x5/0x40 mm/kasan/report.c:321
> kasan_report+0x12/0x20 mm/kasan/common.c:614
> check_memory_region_inline mm/kasan/generic.c:185 [inline]
> check_memory_region+0x123/0x190 mm/kasan/generic.c:191
> kasan_check_read+0x11/0x20 mm/kasan/common.c:94
> atomic_read include/asm-generic/atomic-instrumented.h:26 [inline]
> atomic_fetch_add_unless include/linux/atomic-fallback.h:1086 [inline]
> atomic_add_unless include/linux/atomic-fallback.h:1111 [inline]
> atomic_inc_not_zero include/linux/atomic-fallback.h:1127 [inline]
> dst_hold_safe include/net/dst.h:297 [inline]
> ip6_hold_safe+0xad/0x380 net/ipv6/route.c:1050
> rt6_get_pcpu_route net/ipv6/route.c:1277 [inline]
My hunch is that this is memory corruption in the pcpu memory space.
In a fib6_info, rt6i_pcpu is non-NULL for ALL fib6_info except
fib6_null_entry for which pcpu routes are never generated.
rt6i_pcpu is allocated via pcpu_alloc which means this memory space is
amongst other pcpu users and easily stepped on by other pcpu users. The
entries stored in rt6_pcpu are kmem_cache entries for the ipv6 dst cache
and either a valid allocated memory address or NULL.
Past issues with pcpu routes was the 'from' (the fib6_info used to
generate the rt6_info) being NULL (several), the fib entry getting
released more than it should (0e2338749192) or not getting freed at all
(61fb0d016807).
prev parent reply other threads:[~2019-06-03 3:29 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-01 6:05 KASAN: user-memory-access Read in ip6_hold_safe (3) syzbot
2019-06-01 17:15 ` David Ahern
2019-06-03 6:56 ` Dmitry Vyukov
2019-06-24 4:38 ` Xin Long
2019-06-03 3:29 ` David Ahern [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=88c0d223-f958-06d1-067a-ee7f2c801d71@gmail.com \
--to=dsahern@gmail.com \
--cc=davem@davemloft.net \
--cc=eric.dumazet@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=syzbot+a5b6e01ec8116d046842@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).