ip_mc_drop_socket
Very likely the same as #371 as it is followed by a refcount warning... Reporting here for completeness.
syzkaller-id: f7fd4b52930a47edb24b4c289b5b682a4271e432
HEAD: de5e8fd
Trace:
```
MPTCP: addr_signal error, rm_addr=1
MPTCP: addr_signal error, rm_addr=1
==================================================================
BUG: KASAN: slab-use-after-free in ip_mc_drop_socket+0x21d/0x230 net/ipv4/igmp.c:2695
Read of size 8 at addr ffff888028289338 by task syz-executor.0/8217

CPU: 1 PID: 8217 Comm: syz-executor.0 Not tainted 6.3.0-rc1-gde5e8fd0123c #7
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x6e/0xa0 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:319 [inline]
 print_report+0xc5/0x620 mm/kasan/report.c:430
 kasan_report+0xad/0xe0 mm/kasan/report.c:536
 ip_mc_drop_socket+0x21d/0x230 net/ipv4/igmp.c:2695
 inet_release+0x4d/0x1f0 net/ipv4/af_inet.c:416
 __sock_release+0xcf/0x290 net/socket.c:653
 sock_close+0x15/0x20 net/socket.c:1395
 __fput+0x250/0xa20 fs/file_table.c:321
 task_work_run+0x14b/0x230 kernel/task_work.c:179
 exit_task_work include/linux/task_work.h:38 [inline]
 do_exit+0x9b9/0x2440 kernel/exit.c:869
 do_group_exit+0xc4/0x280 kernel/exit.c:1019
 get_signal+0x1ee1/0x21e0 kernel/signal.c:2859
 arch_do_signal_or_restart+0x74/0x5c0 arch/x86/kernel/signal.c:306
 exit_to_user_mode_loop kernel/entry/common.c:168 [inline]
 exit_to_user_mode_prepare+0xa2/0x120 kernel/entry/common.c:203
 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
 syscall_exit_to_user_mode+0x1d/0x40 kernel/entry/common.c:296
 do_syscall_64+0x46/0x90 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x45c2d9
Code: Unable to access opcode bytes at 0x45c2af.
RSP: 002b:00007f931f509cb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 000000000079c058 RCX: 000000000045c2d9
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000079c058
RBP: 000000000079c050 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000079c05c
R13: 0000000000021000 R14: 0000000000000000 R15: 00007f931f50a700
 </TASK>

Allocated by task 13:
 kasan_save_stack+0x1c/0x40 mm/kasan/common.c:45
 kasan_set_track+0x21/0x30 mm/kasan/common.c:52
 ____kasan_kmalloc mm/kasan/common.c:374 [inline]
 __kasan_kmalloc+0x8b/0x90 mm/kasan/common.c:383
 kasan_kmalloc include/linux/kasan.h:196 [inline]
 __do_kmalloc_node mm/slab_common.c:967 [inline]
 __kmalloc+0x55/0x160 mm/slab_common.c:980
 kmalloc include/linux/slab.h:584 [inline]
 sk_prot_alloc.constprop.0+0x11c/0x230 net/core/sock.c:2040
 sk_clone_lock+0x47/0x1420 net/core/sock.c:2244
 mptcp_sk_clone+0x23/0x520 net/mptcp/protocol.c:3162
 subflow_syn_recv_sock+0xc04/0x1320 net/mptcp/subflow.c:816
 tcp_get_cookie_sock+0xcd/0x890 net/ipv4/syncookies.c:207
 cookie_v4_check+0x157a/0x20c0 net/ipv4/syncookies.c:448
 tcp_v4_cookie_check net/ipv4/tcp_ipv4.c:1670 [inline]
 tcp_v4_do_rcv+0x784/0xa30 net/ipv4/tcp_ipv4.c:1730
 tcp_v4_rcv+0x35e3/0x39c0 net/ipv4/tcp_ipv4.c:2133
 ip_protocol_deliver_rcu+0x6c/0xc30 net/ipv4/ip_input.c:205
 ip_local_deliver_finish+0x29f/0x3b0 net/ipv4/ip_input.c:233
 NF_HOOK include/linux/netfilter.h:302 [inline]
 NF_HOOK include/linux/netfilter.h:296 [inline]
 ip_local_deliver+0x1ba/0x320 net/ipv4/ip_input.c:254
 dst_input include/net/dst.h:454 [inline]
 ip_rcv_finish net/ipv4/ip_input.c:449 [inline]
 NF_HOOK include/linux/netfilter.h:302 [inline]
 NF_HOOK include/linux/netfilter.h:296 [inline]
 ip_rcv+0x39b/0x410 net/ipv4/ip_input.c:569
 __netif_receive_skb_one_core+0x199/0x1e0 net/core/dev.c:5477
 __netif_receive_skb+0x1f/0x1c0 net/core/dev.c:5591
 process_backlog+0x1af/0x5a0 net/core/dev.c:5919
 __napi_poll+0xb7/0x640 net/core/dev.c:6480
 napi_poll net/core/dev.c:6547 [inline]
 net_rx_action+0x97f/0xd50 net/core/dev.c:6657
 __do_softirq+0x1a5/0x5a0 kernel/softirq.c:571

Freed by task 8211:
 kasan_save_stack+0x1c/0x40 mm/kasan/common.c:45
 kasan_set_track+0x21/0x30 mm/kasan/common.c:52
 kasan_save_free_info+0x2a/0x50 mm/kasan/generic.c:521
 ____kasan_slab_free mm/kasan/common.c:236 [inline]
 ____kasan_slab_free+0x146/0x1b0 mm/kasan/common.c:200
 kasan_slab_free include/linux/kasan.h:162 [inline]
 slab_free_hook mm/slub.c:1781 [inline]
 slab_free_freelist_hook mm/slub.c:1807 [inline]
 slab_free mm/slub.c:3787 [inline]
 __kmem_cache_free+0x13f/0x280 mm/slub.c:3800
 sk_prot_free net/core/sock.c:2076 [inline]
 __sk_destruct+0x4d7/0x700 net/core/sock.c:2168
 rcu_do_batch kernel/rcu/tree.c:2112 [inline]
 rcu_core+0x5db/0x18c0 kernel/rcu/tree.c:2372
 __do_softirq+0x1a5/0x5a0 kernel/softirq.c:571

Last potentially related work creation:
 kasan_save_stack+0x1c/0x40 mm/kasan/common.c:45
 __kasan_record_aux_stack+0x9f/0xb0 mm/kasan/generic.c:491
 __call_rcu_common.constprop.0+0x6b/0x9f0 kernel/rcu/tree.c:2622
 sk_destruct+0x8e/0xe0 net/core/sock.c:2181
 __sk_free+0xc4/0x3a0 net/core/sock.c:2194
 sk_free+0x78/0xa0 net/core/sock.c:2205
 sock_put include/net/sock.h:1968 [inline]
 mptcp_worker+0x78d/0x1080 net/mptcp/protocol.c:2742
 process_one_work+0x868/0x1220 kernel/workqueue.c:2390
 worker_thread+0xf5/0x1220 kernel/workqueue.c:2537
 kthread+0x2ab/0x360 kernel/kthread.c:376
 ret_from_fork+0x29/0x50 arch/x86/entry/entry_64.S:308

Second to last potentially related work creation:
 kasan_save_stack+0x1c/0x40 mm/kasan/common.c:45
 __kasan_record_aux_stack+0x9f/0xb0 mm/kasan/generic.c:491
 insert_work+0x46/0x310 kernel/workqueue.c:1361
 __queue_work+0x677/0x1070 kernel/workqueue.c:1524
 queue_work_on+0x8e/0xa0 kernel/workqueue.c:1552
 queue_work include/linux/workqueue.h:504 [inline]
 schedule_work include/linux/workqueue.h:565 [inline]
 mptcp_schedule_work+0x102/0x1d0 net/mptcp/protocol.c:882
 subflow_sched_work_if_closed net/mptcp/subflow.c:1213 [inline]
 subflow_sched_work_if_closed net/mptcp/subflow.c:1206 [inline]
 subflow_check_data_avail net/mptcp/subflow.c:1303 [inline]
 mptcp_subflow_data_available+0x240c/0x3ca0 net/mptcp/subflow.c:1367
 subflow_state_change+0x140/0x880 net/mptcp/subflow.c:1798
 tcp_done+0x216/0x3a0 net/ipv4/tcp.c:4656
 tcp_reset+0x10e/0x2b0 net/ipv4/tcp_input.c:4339
 tcp_validate_incoming+0xd4c/0x16d0 net/ipv4/tcp_input.c:5817
 tcp_rcv_established+0x51a/0x1e50 net/ipv4/tcp_input.c:6002
 tcp_v4_do_rcv+0x640/0xa30 net/ipv4/tcp_ipv4.c:1721
 tcp_v4_rcv+0x34d0/0x39c0 net/ipv4/tcp_ipv4.c:2143
 ip_protocol_deliver_rcu+0x6c/0xc30 net/ipv4/ip_input.c:205
 ip_local_deliver_finish+0x29f/0x3b0 net/ipv4/ip_input.c:233
 NF_HOOK include/linux/netfilter.h:302 [inline]
 NF_HOOK include/linux/netfilter.h:296 [inline]
 ip_local_deliver+0x1ba/0x320 net/ipv4/ip_input.c:254
 dst_input include/net/dst.h:454 [inline]
 ip_rcv_finish net/ipv4/ip_input.c:449 [inline]
 NF_HOOK include/linux/netfilter.h:302 [inline]
 NF_HOOK include/linux/netfilter.h:296 [inline]
 ip_rcv+0x39b/0x410 net/ipv4/ip_input.c:569
 __netif_receive_skb_one_core+0x199/0x1e0 net/core/dev.c:5477
 __netif_receive_skb+0x1f/0x1c0 net/core/dev.c:5591
 process_backlog+0x1af/0x5a0 net/core/dev.c:5919
 __napi_poll+0xb7/0x640 net/core/dev.c:6480
 napi_poll net/core/dev.c:6547 [inline]
 net_rx_action+0x97f/0xd50 net/core/dev.c:6657
 __do_softirq+0x1a5/0x5a0 kernel/softirq.c:571

The buggy address belongs to the object at ffff888028289000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 824 bytes inside of
 freed 2048-byte region [ffff888028289000, ffff888028289800)

The buggy address belongs to the physical page:
page:00000000192be094 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88802828a000 pfn:0x28288
head:00000000192be094 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x100000000010200(slab|head|node=0|zone=1)
raw: 0100000000010200 ffff888100042000 ffffea0004287a10 ffffea0004095210
raw: ffff88802828a000 0000000000080004 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888028289200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888028289280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888028289300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                        ^
 ffff888028289380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888028289400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 0 PID: 8217 at lib/refcount.c:25 refcount_warn_saturate+0x1b4/0x1f0 lib/refcount.c:25
Modules linked in:
CPU: 0 PID: 8217 Comm: syz-executor.0 Tainted: G B 6.3.0-rc1-gde5e8fd0123c #7
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014
RIP: 0010:refcount_warn_saturate+0x1b4/0x1f0 lib/refcount.c:25
Code: 03 31 ff 89 de e8 9c 3f 4f ff 84 db 0f 85 f6 fe ff ff e8 af 47 4f ff 48 c7 c7 40 95 b6 84 c6 05 a1 dc c4 03 01 e8 ac 36 23 ff <0f> 0b e9 d7 fe ff ff e8 90 47 4f ff 48 c7 c7 00 96 b6 84 c6 05 80
RSP: 0018:ffffc9001232f988 EFLAGS: 00010296
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff88801ff11700 RSI: ffffffff8112d797 RDI: 0000000000000001
RBP: ffff888028289080 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 746e756f63666572 R12: ffff888028289000
R13: ffff88802e485518 R14: 0000000000000000 R15: ffffffff82b610a0
FS:  0000000000000000(0000) GS:ffff88811b000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fac554b4897 CR3: 00000000172a4003 CR4: 0000000000770ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 <TASK>
 __refcount_add include/linux/refcount.h:199 [inline]
 __refcount_inc include/linux/refcount.h:250 [inline]
 refcount_inc include/linux/refcount.h:267 [inline]
 sock_hold include/net/sock.h:775 [inline]
 __mptcp_close+0x881/0x9d0 net/mptcp/protocol.c:3051
 mptcp_close+0x24/0xe0 net/mptcp/protocol.c:3072
 inet_release+0xe6/0x1f0 net/ipv4/af_inet.c:429
 __sock_release+0xcf/0x290 net/socket.c:653
 sock_close+0x15/0x20 net/socket.c:1395
 __fput+0x250/0xa20 fs/file_table.c:321
 task_work_run+0x14b/0x230 kernel/task_work.c:179
 exit_task_work include/linux/task_work.h:38 [inline]
 do_exit+0x9b9/0x2440 kernel/exit.c:869
 do_group_exit+0xc4/0x280 kernel/exit.c:1019
 get_signal+0x1ee1/0x21e0 kernel/signal.c:2859
 arch_do_signal_or_restart+0x74/0x5c0 arch/x86/kernel/signal.c:306
 exit_to_user_mode_loop kernel/entry/common.c:168 [inline]
 exit_to_user_mode_prepare+0xa2/0x120 kernel/entry/common.c:203
 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
 syscall_exit_to_user_mode+0x1d/0x40 kernel/entry/common.c:296
 do_syscall_64+0x46/0x90 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x45c2d9
Code: Unable to access opcode bytes at 0x45c2af.
RSP: 002b:00007f931f509cb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 000000000079c058 RCX: 000000000045c2d9
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000079c058
RBP: 000000000079c050 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000079c05c
R13: 0000000000021000 R14: 0000000000000000 R15: 00007f931f50a700
 </TASK>
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 1 PID: 8217 at lib/refcount.c:28 refcount_warn_saturate+0x13c/0x1f0 lib/refcount.c:28
Modules linked in:
CPU: 1 PID: 8217 Comm: syz-executor.0 Tainted: G B W 6.3.0-rc1-gde5e8fd0123c #7
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014
RIP: 0010:refcount_warn_saturate+0x13c/0x1f0 lib/refcount.c:28
Code: 03 31 ff 89 de e8 14 40 4f ff 84 db 0f 85 6e ff ff ff e8 27 48 4f ff 48 c7 c7 a0 95 b6 84 c6 05 18 dd c4 03 01 e8 24 37 23 ff <0f> 0b e9 4f ff ff ff e8 08 48 4f ff 0f b6 1d fe dc c4 03 31 ff 89
RSP: 0018:ffffc9001232f968 EFLAGS: 00010296
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff88801ff11700 RSI: ffffffff8112d797 RDI: 0000000000000001
RBP: ffff888028289080 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000063666572 R12: ffff888028289080
R13: ffff88802e485518 R14: 0000000000000000 R15: ffffffff82b610a0
FS:  0000000000000000(0000) GS:ffff88811b100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000001c690a8 CR3: 0000000103b67001 CR4: 0000000000770ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 <TASK>
 __refcount_sub_and_test include/linux/refcount.h:283 [inline]
 __refcount_dec_and_test include/linux/refcount.h:315 [inline]
 refcount_dec_and_test include/linux/refcount.h:333 [inline]
 sock_put include/net/sock.h:1967 [inline]
 __mptcp_destroy_sock+0x275/0x380 net/mptcp/protocol.c:2972
 __mptcp_close+0x731/0x9d0 net/mptcp/protocol.c:3057
 mptcp_close+0x24/0xe0 net/mptcp/protocol.c:3072
 inet_release+0xe6/0x1f0 net/ipv4/af_inet.c:429
 __sock_release+0xcf/0x290 net/socket.c:653
 sock_close+0x15/0x20 net/socket.c:1395
 __fput+0x250/0xa20 fs/file_table.c:321
 task_work_run+0x14b/0x230 kernel/task_work.c:179
 exit_task_work include/linux/task_work.h:38 [inline]
 do_exit+0x9b9/0x2440 kernel/exit.c:869
 do_group_exit+0xc4/0x280 kernel/exit.c:1019
 get_signal+0x1ee1/0x21e0 kernel/signal.c:2859
 arch_do_signal_or_restart+0x74/0x5c0 arch/x86/kernel/signal.c:306
 exit_to_user_mode_loop kernel/entry/common.c:168 [inline]
 exit_to_user_mode_prepare+0xa2/0x120 kernel/entry/common.c:203
 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
 syscall_exit_to_user_mode+0x1d/0x40 kernel/entry/common.c:296
 do_syscall_64+0x46/0x90 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x45c2d9
Code: Unable to access opcode bytes at 0x45c2af.
RSP: 002b:00007f931f509cb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 000000000079c058 RCX: 000000000045c2d9
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000079c058
RBP: 000000000079c050 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000079c05c
R13: 0000000000021000 R14: 0000000000000000 R15: 00007f931f50a700
 </TASK>
---[ end trace 0000000000000000 ]---
TCP: request_sock_subflow_v4: Possible SYN flooding on port 0.0.0.0:20004. Sending cookies.
MPTCP: addr_signal error, rm_addr=1
openvswitch: netlink: Either Ethernet header or EtherType is required.
openvswitch: netlink: Either Ethernet header or EtherType is required.
openvswitch: netlink: Either Ethernet header or EtherType is required.
netlink: 'syz-executor.4': attribute type 11 has an invalid length.
netlink: 'syz-executor.4': attribute type 11 has an invalid length.
netlink: 'syz-executor.4': attribute type 11 has an invalid length.
dvmrp0: entered allmulticast mode
xt_NFQUEUE: number of total queues is 0
IPVS: set_ctl: invalid protocol: 136 10.1.1.2:20000
xt_NFQUEUE: number of total queues is 0
IPVS: set_ctl: invalid protocol: 136 10.1.1.2:20000
xt_NFQUEUE: number of total queues is 0
IPVS: set_ctl: invalid protocol: 136 10.1.1.2:20000
```
Kconfig: Kconfig_k9_kasan.txt
No reproducer.
Even this one looks to be closely related to #371.
Not happening any more. Closing.