Date:   Mon, 18 Oct 2021 17:04:19 +0300
From:   Vlad Buslov <vladbu@...dia.com>
To:     Paolo Abeni <pabeni@...hat.com>,
        Daniel Borkmann <daniel@...earbox.net>
CC:     syzbot <syzbot+62e474dd92a35e3060d8@...kaller.appspotmail.com>,
        <andrii@...nel.org>, <ast@...nel.org>, <bpf@...r.kernel.org>,
        <davem@...emloft.net>, <hawk@...nel.org>,
        <john.fastabend@...il.com>, <kafai@...com>, <kpsingh@...nel.org>,
        <kuba@...nel.org>, <linux-kernel@...r.kernel.org>,
        <netdev@...r.kernel.org>, <songliubraving@...com>,
        <syzkaller-bugs@...glegroups.com>, <yhs@...com>, <toke@...e.dk>,
        <joamaki@...il.com>, Saeed Mahameed <saeedm@...dia.com>,
        Maxim Mikityanskiy <maximmi@...dia.com>
Subject: Re: [syzbot] BUG: corrupted list in netif_napi_add


On Thu 14 Oct 2021 at 16:50, Paolo Abeni <pabeni@...hat.com> wrote:
> On Wed, 2021-10-13 at 15:35 +0200, Daniel Borkmann wrote:
>> On 10/13/21 1:40 PM, syzbot wrote:
>> > Hello,
>> > 
>> > syzbot found the following issue on:
>> 
>> [ +Paolo/Toke wrt veth/XDP, +Jussi wrt bond/XDP, please take a look, thanks! ]
>
> For the record: Toke and I are actively investigating this issue and
> the other recent related one. So far we could not find anything
> relevant.
>
> The only note is that the reproducer is not extremely reliable - I
> could not reproduce locally, and multiple syzbot runs on the same code
> give different results. Anyhow, so far the issue was only observable
> on a specific 'next' commit which is currently "not reachable" from any
> branch. I'm wondering if the issue was caused by some inconsistent
> status of that tree.

Hi,

We got a use-after-free with a very similar trace [0] during nightly
regression. The issue happens when the ip link up/down state is flipped
several times in a loop and doesn't reproduce for me manually. The fact
that it didn't reproduce for me after running the test ten times suggests
that it is either very hard to reproduce or that it is a result of some
interaction between several tests in our suite.

[0]:

[ 3187.779569] mlx5_core 0000:08:00.0 enp8s0f0: Link up
 [ 3187.890694] ==================================================================
 [ 3187.892518] BUG: KASAN: use-after-free in __list_add_valid+0xc3/0xf0
 [ 3187.894132] Read of size 8 at addr ffff8881150b3fb8 by task ip/119618
 [ 3187.895683] 
 [ 3187.896209] CPU: 0 PID: 119618 Comm: ip Not tainted 5.15.0-rc5_for_upstream_debug_2021_10_17_12_06 #1
 [ 3187.898445] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
 [ 3187.901075] Call Trace:
 [ 3187.901858]  dump_stack_lvl+0x57/0x7d
 [ 3187.902899]  print_address_description.constprop.0+0x1f/0x140
 [ 3187.904346]  ? __list_add_valid+0xc3/0xf0
 [ 3187.905439]  ? __list_add_valid+0xc3/0xf0
 [ 3187.906565]  kasan_report.cold+0x83/0xdf
 [ 3187.907619]  ? __list_add_valid+0xc3/0xf0
 [ 3187.908693]  __list_add_valid+0xc3/0xf0
 [ 3187.909765]  netif_napi_add+0x399/0x9a0
 [ 3187.910794]  ? kmalloc_order_trace+0x6a/0x120
 [ 3187.911944]  mlx5e_open_channels+0x91b/0x2e10 [mlx5_core]
 [ 3187.913872]  ? rwlock_bug.part.0+0x90/0x90
 [ 3187.914959]  ? mlx5e_close_cq+0x80/0x80 [mlx5_core]
 [ 3187.916584]  ? mutex_is_locked+0x13/0x50
 [ 3187.917703]  mlx5e_open_locked+0x6a/0x1f0 [mlx5_core]
 [ 3187.919368]  mlx5e_open+0x35/0xb0 [mlx5_core]
 [ 3187.920863]  __dev_open+0x22f/0x420
 [ 3187.921852]  ? dev_set_rx_mode+0x80/0x80
 [ 3187.922920]  ? __mlx5_eswitch_set_vport_vlan+0x290/0x290 [mlx5_core]
 [ 3187.924866]  ? __local_bh_enable_ip+0xa2/0x100
 [ 3187.926148]  ? trace_hardirqs_on+0x32/0x120
 [ 3187.927270]  __dev_change_flags+0x451/0x670
 [ 3187.928387]  ? dev_set_allmulti+0x10/0x10
 [ 3187.929480]  ? rtnl_fill_vfinfo+0x936/0xdb0
 [ 3187.930592]  dev_change_flags+0x8b/0x150
 [ 3187.931651]  do_setlink+0x820/0x2d60
 [ 3187.932631]  ? rtnetlink_put_metrics+0x490/0x490
 [ 3187.933852]  ? lock_release+0x460/0x750
 [ 3187.934881]  ? kvm_async_pf_task_wake+0x410/0x410
 [ 3187.936122]  ? lock_downgrade+0x6e0/0x6e0
 [ 3187.937203]  ? do_raw_spin_unlock+0x54/0x220
 [ 3187.938351]  ? memset+0x20/0x40
 [ 3187.939246]  ? __nla_validate_parse+0xb2/0x22c0
 [ 3187.940426]  ? do_raw_spin_lock+0x126/0x270
 [ 3187.941568]  ? push_cpu_stop+0x830/0x830
 [ 3187.942638]  ? rwlock_bug.part.0+0x90/0x90
 [ 3187.943733]  ? devlink_compat_switch_id_get+0xbb/0x100
 [ 3187.945065]  ? nla_get_range_signed+0x540/0x540
 [ 3187.946272]  ? memcpy+0x39/0x60
 [ 3187.947162]  ? memset+0x20/0x40
 [ 3187.948058]  ? memset+0x20/0x40
 [ 3187.948943]  __rtnl_newlink+0xac0/0x1370
 [ 3187.950038]  ? entry_SYSCALL_64_after_hwframe+0x44/0xae
 [ 3187.951380]  ? rtnl_setlink+0x330/0x330
 [ 3187.952417]  ? deref_stack_reg+0x160/0x160
 [ 3187.953534]  ? deref_stack_reg+0xe6/0x160
 [ 3187.954619]  ? rcu_read_lock_sched_held+0x12/0x70
 [ 3187.955848]  ? lock_release+0x460/0x750
 [ 3187.956886]  ? is_bpf_text_address+0x54/0x110
 [ 3187.958047]  ? lock_downgrade+0x6e0/0x6e0
 [ 3187.959133]  ? entry_SYSCALL_64_after_hwframe+0x44/0xae
 [ 3187.960469]  ? deref_stack_reg+0x160/0x160
 [ 3187.961592]  ? is_bpf_text_address+0x73/0x110
 [ 3187.962759]  ? kernel_text_address+0xda/0x100
 [ 3187.963920]  ? __kernel_text_address+0xe/0x30
 [ 3187.965069]  ? unwind_get_return_address+0x56/0xa0
 [ 3187.966334]  ? __thaw_task+0x70/0x70
 [ 3187.967320]  ? arch_stack_walk+0x98/0xf0
 [ 3187.968405]  ? lock_downgrade+0x6e0/0x6e0
 [ 3187.969510]  ? trace_hardirqs_on+0x32/0x120
 [ 3187.970644]  ? rcu_read_lock_sched_held+0x12/0x70
 [ 3187.971883]  rtnl_newlink+0x5f/0x90
 [ 3187.972866]  rtnetlink_rcv_msg+0x32b/0x950
 [ 3187.973968]  ? deref_stack_reg+0x160/0x160
 [ 3187.975088]  ? rtnl_fdb_dump+0x830/0x830
 [ 3187.976160]  ? rcu_read_lock_sched_held+0x12/0x70
 [ 3187.977393]  ? lock_acquire+0x38d/0x4c0
 [ 3187.978443]  ? rcu_read_lock_sched_held+0x12/0x70
 [ 3187.979685]  ? lock_acquire+0x38d/0x4c0
 [ 3187.980733]  netlink_rcv_skb+0x11d/0x340
 [ 3187.981812]  ? rtnl_fdb_dump+0x830/0x830
 [ 3187.982862]  ? rcu_read_lock_sched_held+0x12/0x70
 [ 3187.984105]  ? netlink_ack+0x930/0x930
 [ 3187.985136]  ? netlink_deliver_tap+0x140/0xb10
 [ 3187.986316]  ? netlink_deliver_tap+0x14c/0xb10
 [ 3187.987495]  ? _copy_from_iter+0x282/0xbe0
 [ 3187.988597]  netlink_unicast+0x433/0x700
 [ 3187.989693]  ? netlink_attachskb+0x740/0x740
 [ 3187.990819]  ? __alloc_skb+0x117/0x2c0
 [ 3187.991855]  netlink_sendmsg+0x707/0xbf0
 [ 3187.992921]  ? netlink_unicast+0x700/0x700
 [ 3187.994024]  ? netlink_unicast+0x700/0x700
 [ 3187.995121]  sock_sendmsg+0xb0/0xe0
 [ 3187.996091]  ____sys_sendmsg+0x4fa/0x6d0
 [ 3187.997163]  ? iovec_from_user+0x136/0x280
 [ 3187.998276]  ? kernel_sendmsg+0x30/0x30
 [ 3188.012806]  ? __import_iovec+0x51/0x610
 [ 3188.013858]  ___sys_sendmsg+0x12e/0x1b0
 [ 3188.014875]  ? do_recvmmsg+0x500/0x500
 [ 3188.015877]  ? get_max_files+0x10/0x10
 [ 3188.016866]  ? kasan_record_aux_stack+0xab/0xc0
 [ 3188.018108]  ? call_rcu+0x87/0xd40
 [ 3188.019041]  ? task_work_run+0xc5/0x160
 [ 3188.020044]  ? exit_to_user_mode_prepare+0x1d9/0x1e0
 [ 3188.021271]  ? syscall_exit_to_user_mode+0x19/0x50
 [ 3188.022563]  ? do_syscall_64+0x4a/0x90
 [ 3188.023559]  ? entry_SYSCALL_64_after_hwframe+0x44/0xae
 [ 3188.024858]  ? rcu_read_lock_sched_held+0x12/0x70
 [ 3188.026121]  ? lock_release+0x460/0x750
 [ 3188.027174]  ? mntput_no_expire+0x113/0xb40
 [ 3188.028302]  ? lock_downgrade+0x6e0/0x6e0
 [ 3188.029398]  ? rwlock_bug.part.0+0x90/0x90
 [ 3188.030555]  ? rcu_read_lock_sched_held+0x12/0x70
 [ 3188.031812]  ? mntput_no_expire+0x132/0xb40
 [ 3188.032940]  ? __fget_light+0x51/0x220
 [ 3188.033986]  __sys_sendmsg+0xa4/0x120
 [ 3188.034992]  ? __sys_sendmsg_sock+0x20/0x20
 [ 3188.036115]  ? call_rcu+0x543/0xd40
 [ 3188.037084]  ? syscall_enter_from_user_mode+0x1d/0x50
 [ 3188.038406]  ? trace_hardirqs_on+0x32/0x120
 [ 3188.039515]  do_syscall_64+0x3d/0x90
 [ 3188.040502]  entry_SYSCALL_64_after_hwframe+0x44/0xae
 [ 3188.041896] RIP: 0033:0x7f904ec94c17
 [ 3188.042891] Code: 0c 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
 [ 3188.047412] RSP: 002b:00007ffc1a6c4a98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
 [ 3188.049361] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f904ec94c17
 [ 3188.051121] RDX: 0000000000000000 RSI: 00007ffc1a6c4b00 RDI: 0000000000000003
 [ 3188.052881] RBP: 00000000616c5eef R08: 0000000000000001 R09: 00007f904ed55a40
 [ 3188.054645] R10: fffffffffffff3d6 R11: 0000000000000246 R12: 0000000000000001
 [ 3188.056403] R13: 00007ffc1a6c51b0 R14: 00007ffc1a6c6c87 R15: 000000000048f520
 [ 3188.058189] 
 [ 3188.058732] The buggy address belongs to the page:
 [ 3188.059996] page:000000003ccb70fc refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1150b3
 [ 3188.062378] flags: 0x8000000000000000(zone=2)
 [ 3188.063551] raw: 8000000000000000 0000000000000000 dead000000000122 0000000000000000
 [ 3188.065548] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
 [ 3188.067518] page dumped because: kasan: bad access detected
 [ 3188.068930] 
 [ 3188.069481] Memory state around the buggy address:
 [ 3188.070730]  ffff8881150b3e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 [ 3188.072618]  ffff8881150b3f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 [ 3188.074508] >ffff8881150b3f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 [ 3188.076378]                                         ^
 [ 3188.077711]  ffff8881150b4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 [ 3188.079584]  ffff8881150b4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 [ 3188.081470] ==================================================================
 [ 3188.083406] ==================================================================
 [ 3188.085280] BUG: KASAN: use-after-free in netif_napi_add+0x8b7/0x9a0
 [ 3188.086952] Write of size 8 at addr ffff8881150b3fb8 by task ip/119618
 [ 3188.089181] 
 [ 3188.089987] CPU: 0 PID: 119618 Comm: ip Tainted: G    B             5.15.0-rc5_for_upstream_debug_2021_10_17_12_06 #1
 [ 3188.092659] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
 [ 3188.095481] Call Trace:
 [ 3188.096222]  dump_stack_lvl+0x57/0x7d
 [ 3188.097238]  print_address_description.constprop.0+0x1f/0x140
 [ 3188.098764]  ? netif_napi_add+0x8b7/0x9a0
 [ 3188.099862]  ? netif_napi_add+0x8b7/0x9a0
 [ 3188.100940]  kasan_report.cold+0x83/0xdf
 [ 3188.102041]  ? netif_napi_add+0x8b7/0x9a0
 [ 3188.103140]  netif_napi_add+0x8b7/0x9a0
 [ 3188.104180]  ? kmalloc_order_trace+0x6a/0x120
 [ 3188.105336]  mlx5e_open_channels+0x91b/0x2e10 [mlx5_core]
 [ 3188.107145]  ? rwlock_bug.part.0+0x90/0x90
 [ 3188.108238]  ? mlx5e_close_cq+0x80/0x80 [mlx5_core]
 [ 3188.109882]  ? mutex_is_locked+0x13/0x50
 [ 3188.110985]  mlx5e_open_locked+0x6a/0x1f0 [mlx5_core]
 [ 3188.112644]  mlx5e_open+0x35/0xb0 [mlx5_core]
 [ 3188.114215]  __dev_open+0x22f/0x420
 [ 3188.115186]  ? dev_set_rx_mode+0x80/0x80
 [ 3188.116247]  ? __mlx5_eswitch_set_vport_vlan+0x290/0x290 [mlx5_core]
 [ 3188.118252]  ? __local_bh_enable_ip+0xa2/0x100
 [ 3188.119438]  ? trace_hardirqs_on+0x32/0x120
 [ 3188.120554]  __dev_change_flags+0x451/0x670
 [ 3188.121705]  ? dev_set_allmulti+0x10/0x10
 [ 3188.122828]  ? rtnl_fill_vfinfo+0x936/0xdb0
 [ 3188.123943]  dev_change_flags+0x8b/0x150
 [ 3188.124995]  do_setlink+0x820/0x2d60
 [ 3188.126023]  ? rtnetlink_put_metrics+0x490/0x490
 [ 3188.127233]  ? lock_release+0x460/0x750
 [ 3188.128269]  ? kvm_async_pf_task_wake+0x410/0x410
 [ 3188.129502]  ? lock_downgrade+0x6e0/0x6e0
 [ 3188.130620]  ? do_raw_spin_unlock+0x54/0x220
 [ 3188.131781]  ? memset+0x20/0x40
 [ 3188.132663]  ? __nla_validate_parse+0xb2/0x22c0
 [ 3188.133894]  ? do_raw_spin_lock+0x126/0x270
 [ 3188.135066]  ? push_cpu_stop+0x830/0x830
 [ 3188.136136]  ? rwlock_bug.part.0+0x90/0x90
 [ 3188.137230]  ? devlink_compat_switch_id_get+0xbb/0x100
 [ 3188.138585]  ? nla_get_range_signed+0x540/0x540
 [ 3188.139780]  ? memcpy+0x39/0x60
 [ 3188.140683]  ? memset+0x20/0x40
 [ 3188.141580]  ? memset+0x20/0x40
 [ 3188.142517]  __rtnl_newlink+0xac0/0x1370
 [ 3188.143579]  ? entry_SYSCALL_64_after_hwframe+0x44/0xae
 [ 3188.144914]  ? rtnl_setlink+0x330/0x330
 [ 3188.145974]  ? deref_stack_reg+0x160/0x160
 [ 3188.147078]  ? deref_stack_reg+0xe6/0x160
 [ 3188.148157]  ? rcu_read_lock_sched_held+0x12/0x70
 [ 3188.149378]  ? lock_release+0x460/0x750
 [ 3188.150490]  ? is_bpf_text_address+0x54/0x110
 [ 3188.151648]  ? lock_downgrade+0x6e0/0x6e0
 [ 3188.152725]  ? entry_SYSCALL_64_after_hwframe+0x44/0xae
 [ 3188.154075]  ? deref_stack_reg+0x160/0x160
 [ 3188.155176]  ? is_bpf_text_address+0x73/0x110
 [ 3188.156353]  ? kernel_text_address+0xda/0x100
 [ 3188.157510]  ? __kernel_text_address+0xe/0x30
 [ 3188.158707]  ? unwind_get_return_address+0x56/0xa0
 [ 3188.159992]  ? __thaw_task+0x70/0x70
 [ 3188.160979]  ? arch_stack_walk+0x98/0xf0
 [ 3188.162072]  ? lock_downgrade+0x6e0/0x6e0
 [ 3188.163167]  ? trace_hardirqs_on+0x32/0x120
 [ 3188.164295]  ? rcu_read_lock_sched_held+0x12/0x70
 [ 3188.165546]  rtnl_newlink+0x5f/0x90
 [ 3188.166558]  rtnetlink_rcv_msg+0x32b/0x950
 [ 3188.167677]  ? deref_stack_reg+0x160/0x160
 [ 3188.168782]  ? rtnl_fdb_dump+0x830/0x830
 [ 3188.169857]  ? rcu_read_lock_sched_held+0x12/0x70
 [ 3188.171089]  ? lock_acquire+0x38d/0x4c0
 [ 3188.172131]  ? rcu_read_lock_sched_held+0x12/0x70
 [ 3188.173367]  ? lock_acquire+0x38d/0x4c0
 [ 3188.174472]  netlink_rcv_skb+0x11d/0x340
 [ 3188.175531]  ? rtnl_fdb_dump+0x830/0x830
 [ 3188.176592]  ? rcu_read_lock_sched_held+0x12/0x70
 [ 3188.177824]  ? netlink_ack+0x930/0x930
 [ 3188.178848]  ? netlink_deliver_tap+0x140/0xb10
 [ 3188.180013]  ? netlink_deliver_tap+0x14c/0xb10
 [ 3188.181188]  ? _copy_from_iter+0x282/0xbe0
 [ 3188.182351]  netlink_unicast+0x433/0x700
 [ 3188.183418]  ? netlink_attachskb+0x740/0x740
 [ 3188.184552]  ? __alloc_skb+0x117/0x2c0
 [ 3188.185606]  netlink_sendmsg+0x707/0xbf0
 [ 3188.186672]  ? netlink_unicast+0x700/0x700
 [ 3188.187783]  ? netlink_unicast+0x700/0x700
 [ 3188.188882]  sock_sendmsg+0xb0/0xe0
 [ 3188.189862]  ____sys_sendmsg+0x4fa/0x6d0
 [ 3188.190971]  ? iovec_from_user+0x136/0x280
 [ 3188.192074]  ? kernel_sendmsg+0x30/0x30
 [ 3188.193130]  ? __import_iovec+0x51/0x610
 [ 3188.194225]  ___sys_sendmsg+0x12e/0x1b0
 [ 3188.195267]  ? do_recvmmsg+0x500/0x500
 [ 3188.196301]  ? get_max_files+0x10/0x10
 [ 3188.197333]  ? kasan_record_aux_stack+0xab/0xc0
 [ 3188.198558]  ? call_rcu+0x87/0xd40
 [ 3188.199519]  ? task_work_run+0xc5/0x160
 [ 3188.200557]  ? exit_to_user_mode_prepare+0x1d9/0x1e0
 [ 3188.201872]  ? syscall_exit_to_user_mode+0x19/0x50
 [ 3188.203134]  ? do_syscall_64+0x4a/0x90
 [ 3188.204152]  ? entry_SYSCALL_64_after_hwframe+0x44/0xae
 [ 3188.205511]  ? rcu_read_lock_sched_held+0x12/0x70
 [ 3188.206782]  ? lock_release+0x460/0x750
 [ 3188.207870]  ? mntput_no_expire+0x113/0xb40
 [ 3188.209025]  ? lock_downgrade+0x6e0/0x6e0
 [ 3188.210272]  ? rwlock_bug.part.0+0x90/0x90
 [ 3188.211864]  ? rcu_read_lock_sched_held+0x12/0x70
 [ 3188.213644]  ? mntput_no_expire+0x132/0xb40
 [ 3188.215253]  ? __fget_light+0x51/0x220
 [ 3188.216535]  __sys_sendmsg+0xa4/0x120
 [ 3188.217574]  ? __sys_sendmsg_sock+0x20/0x20
 [ 3188.218707]  ? call_rcu+0x543/0xd40
 [ 3188.219679]  ? syscall_enter_from_user_mode+0x1d/0x50
 [ 3188.221004]  ? trace_hardirqs_on+0x32/0x120
 [ 3188.235475]  do_syscall_64+0x3d/0x90
 [ 3188.236463]  entry_SYSCALL_64_after_hwframe+0x44/0xae
 [ 3188.237744] RIP: 0033:0x7f904ec94c17
 [ 3188.238693] Code: 0c 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
 [ 3188.242968] RSP: 002b:00007ffc1a6c4a98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
 [ 3188.244834] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f904ec94c17
 [ 3188.246604] RDX: 0000000000000000 RSI: 00007ffc1a6c4b00 RDI: 0000000000000003
 [ 3188.248362] RBP: 00000000616c5eef R08: 0000000000000001 R09: 00007f904ed55a40
 [ 3188.250140] R10: fffffffffffff3d6 R11: 0000000000000246 R12: 0000000000000001
 [ 3188.251889] R13: 00007ffc1a6c51b0 R14: 00007ffc1a6c6c87 R15: 000000000048f520
 [ 3188.253667] 
 [ 3188.254215] The buggy address belongs to the page:
 [ 3188.255460] page:000000003ccb70fc refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1150b3
 [ 3188.257812] flags: 0x8000000000000000(zone=2)
 [ 3188.258985] raw: 8000000000000000 0000000000000000 dead000000000122 0000000000000000
 [ 3188.260971] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
 [ 3188.262993] page dumped because: kasan: bad access detected
 [ 3188.264413] 
 [ 3188.264943] Memory state around the buggy address:
 [ 3188.266203]  ffff8881150b3e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 [ 3188.268082]  ffff8881150b3f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 [ 3188.269957] >ffff8881150b3f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 [ 3188.271818]                                         ^
 [ 3188.273122]  ffff8881150b4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 [ 3188.275000]  ffff8881150b4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 [ 3188.276862] ==================================================================
 [ 3188.371511] mlx5_core 0000:08:00.0 enp8s0f0: Link up
 [ 3188.376126] IPv6: ADDRCONF(NETDEV_CHANGE): enp8s0f0: link becomes ready
 [ 3188.430532] ==================================================================
 [ 3188.432378] BUG: KASAN: use-after-free in __list_del_entry_valid+0x14b/0x180
 [ 3188.434254] Read of size 8 at addr ffff8881150b3fb8 by task ip/119619
 [ 3188.435826] 
 [ 3188.436365] CPU: 3 PID: 119619 Comm: ip Tainted: G    B             5.15.0-rc5_for_upstream_debug_2021_10_17_12_06 #1
 [ 3188.439688] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
 [ 3188.442423] Call Trace:
 [ 3188.443172]  dump_stack_lvl+0x57/0x7d
 [ 3188.444186]  print_address_description.constprop.0+0x1f/0x140
 [ 3188.445703]  ? __list_del_entry_valid+0x14b/0x180
 [ 3188.447004]  ? __list_del_entry_valid+0x14b/0x180
 [ 3188.448255]  kasan_report.cold+0x83/0xdf
 [ 3188.449323]  ? __list_del_entry_valid+0x14b/0x180
 [ 3188.450670]  __list_del_entry_valid+0x14b/0x180
 [ 3188.451887]  ? _raw_spin_unlock+0x1f/0x30
 [ 3188.452969]  __netif_napi_del.part.0+0xec/0x4a0
 [ 3188.454453]  mlx5e_close_channel+0x7d/0xd0 [mlx5_core]
 [ 3188.456988]  mlx5e_close_channels+0xf9/0x200 [mlx5_core]
 [ 3188.459599]  mlx5e_close_locked+0x101/0x130 [mlx5_core]
 [ 3188.462156]  mlx5e_close+0xad/0x100 [mlx5_core]
 [ 3188.463961]  __dev_close_many+0x18e/0x2b0
 [ 3188.465045]  ? list_netdevice+0x3a0/0x3a0
 [ 3188.466187]  ? __mlx5_eswitch_set_vport_vlan+0x290/0x290 [mlx5_core]
 [ 3188.468156]  ? __local_bh_enable_ip+0xa2/0x100
 [ 3188.469333]  ? trace_hardirqs_on+0x32/0x120
 [ 3188.470496]  __dev_change_flags+0x254/0x670
 [ 3188.471605]  ? dev_set_allmulti+0x10/0x10
 [ 3188.472692]  ? rtnl_fill_vfinfo+0x936/0xdb0
 [ 3188.473854]  dev_change_flags+0x8b/0x150
 [ 3188.474965]  do_setlink+0x820/0x2d60
 [ 3188.475950]  ? rtnetlink_put_metrics+0x490/0x490
 [ 3188.477165]  ? lock_release+0x460/0x750
 [ 3188.478306]  ? kvm_async_pf_task_wake+0x410/0x410
 [ 3188.479542]  ? lock_downgrade+0x6e0/0x6e0
 [ 3188.480615]  ? do_raw_spin_unlock+0x54/0x220
 [ 3188.481790]  ? memset+0x20/0x40
 [ 3188.482963]  ? __nla_validate_parse+0xb2/0x22c0
 [ 3188.484167]  ? do_raw_spin_lock+0x126/0x270
 [ 3188.485281]  ? push_cpu_stop+0x830/0x830
 [ 3188.486457]  ? rwlock_bug.part.0+0x90/0x90
 [ 3188.487557]  ? devlink_compat_switch_id_get+0xbb/0x100
 [ 3188.488894]  ? nla_get_range_signed+0x540/0x540
 [ 3188.490168]  ? memcpy+0x39/0x60
 [ 3188.491083]  ? memset+0x20/0x40
 [ 3188.491966]  ? memset+0x20/0x40
 [ 3188.492855]  __rtnl_newlink+0xac0/0x1370
 [ 3188.493987]  ? entry_SYSCALL_64_after_hwframe+0x44/0xae
 [ 3188.495384]  ? rtnl_setlink+0x330/0x330
 [ 3188.496446]  ? deref_stack_reg+0x160/0x160
 [ 3188.497551]  ? deref_stack_reg+0xe6/0x160
 [ 3188.498713]  ? rcu_read_lock_sched_held+0x12/0x70
 [ 3188.499929]  ? lock_release+0x460/0x750
 [ 3188.501232]  ? is_bpf_text_address+0x54/0x110
 [ 3188.502735]  ? lock_downgrade+0x6e0/0x6e0
 [ 3188.503831]  ? entry_SYSCALL_64_after_hwframe+0x44/0xae
 [ 3188.505157]  ? deref_stack_reg+0x160/0x160
 [ 3188.506298]  ? is_bpf_text_address+0x73/0x110
 [ 3188.507459]  ? kernel_text_address+0xda/0x100
 [ 3188.508615]  ? __kernel_text_address+0xe/0x30
 [ 3188.509776]  ? unwind_get_return_address+0x56/0xa0
 [ 3188.511047]  ? __thaw_task+0x70/0x70
 [ 3188.512033]  ? arch_stack_walk+0x98/0xf0
 [ 3188.513059]  ? lock_downgrade+0x6e0/0x6e0
 [ 3188.514191]  ? trace_hardirqs_on+0x32/0x120
 [ 3188.515303]  ? rcu_read_lock_sched_held+0x12/0x70
 [ 3188.516524]  rtnl_newlink+0x5f/0x90
 [ 3188.517513]  rtnetlink_rcv_msg+0x32b/0x950
 [ 3188.518652]  ? deref_stack_reg+0x160/0x160
 [ 3188.519761]  ? rtnl_fdb_dump+0x830/0x830
 [ 3188.520816]  ? rcu_read_lock_sched_held+0x12/0x70
 [ 3188.522119]  ? lock_acquire+0x38d/0x4c0
 [ 3188.523211]  ? rcu_read_lock_sched_held+0x12/0x70
 [ 3188.524435]  ? lock_acquire+0x38d/0x4c0
 [ 3188.525498]  netlink_rcv_skb+0x11d/0x340
 [ 3188.526649]  ? rtnl_fdb_dump+0x830/0x830
 [ 3188.527722]  ? rcu_read_lock_sched_held+0x12/0x70
 [ 3188.528949]  ? netlink_ack+0x930/0x930
 [ 3188.530055]  ? netlink_deliver_tap+0x140/0xb10
 [ 3188.531347]  ? netlink_deliver_tap+0x14c/0xb10
 [ 3188.532549]  ? _copy_from_iter+0x282/0xbe0
 [ 3188.533711]  netlink_unicast+0x433/0x700
 [ 3188.534845]  ? netlink_attachskb+0x740/0x740
 [ 3188.535987]  ? __alloc_skb+0x117/0x2c0
 [ 3188.537006]  netlink_sendmsg+0x707/0xbf0
 [ 3188.538150]  ? netlink_unicast+0x700/0x700
 [ 3188.539337]  ? netlink_unicast+0x700/0x700
 [ 3188.540448]  sock_sendmsg+0xb0/0xe0
 [ 3188.541424]  ____sys_sendmsg+0x4fa/0x6d0
 [ 3188.542743]  ? iovec_from_user+0x136/0x280
 [ 3188.543932]  ? kernel_sendmsg+0x30/0x30
 [ 3188.544963]  ? __import_iovec+0x51/0x610
 [ 3188.546063]  ___sys_sendmsg+0x12e/0x1b0
 [ 3188.547189]  ? do_recvmmsg+0x500/0x500
 [ 3188.548209]  ? get_max_files+0x10/0x10
 [ 3188.549226]  ? kasan_record_aux_stack+0xab/0xc0
 [ 3188.550547]  ? call_rcu+0x87/0xd40
 [ 3188.551509]  ? task_work_run+0xc5/0x160
 [ 3188.552546]  ? exit_to_user_mode_prepare+0x1d9/0x1e0
 [ 3188.553896]  ? syscall_exit_to_user_mode+0x19/0x50
 [ 3188.555195]  ? do_syscall_64+0x4a/0x90
 [ 3188.556206]  ? entry_SYSCALL_64_after_hwframe+0x44/0xae
 [ 3188.557634]  ? rcu_read_lock_sched_held+0x12/0x70
 [ 3188.558903]  ? lock_release+0x460/0x750
 [ 3188.559948]  ? mntput_no_expire+0x113/0xb40
 [ 3188.561059]  ? lock_downgrade+0x6e0/0x6e0
 [ 3188.562231]  ? rwlock_bug.part.0+0x90/0x90
 [ 3188.563338]  ? rcu_read_lock_sched_held+0x12/0x70
 [ 3188.564583]  ? mntput_no_expire+0x132/0xb40
 [ 3188.565731]  ? __fget_light+0x51/0x220
 [ 3188.566858]  __sys_sendmsg+0xa4/0x120
 [ 3188.567878]  ? __sys_sendmsg_sock+0x20/0x20
 [ 3188.568995]  ? call_rcu+0x543/0xd40
 [ 3188.570047]  ? syscall_enter_from_user_mode+0x1d/0x50
 [ 3188.571387]  ? trace_hardirqs_on+0x32/0x120
 [ 3188.572502]  do_syscall_64+0x3d/0x90
 [ 3188.573491]  entry_SYSCALL_64_after_hwframe+0x44/0xae
 [ 3188.574916] RIP: 0033:0x7fc68ffd4c17
 [ 3188.575900] Code: 0c 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
 [ 3188.580625] RSP: 002b:00007ffd26634f18 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
 [ 3188.582945] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fc68ffd4c17
 [ 3188.585684] RDX: 0000000000000000 RSI: 00007ffd26634f80 RDI: 0000000000000003
 [ 3188.587965] RBP: 00000000616c5eef R08: 0000000000000001 R09: 00007fc690095a40
 [ 3188.589788] R10: fffffffffffff3d6 R11: 0000000000000246 R12: 0000000000000001
 [ 3188.591618] R13: 00007ffd26635630 R14: 00007ffd26635c85 R15: 000000000048f520
 [ 3188.593365] 
 [ 3188.593953] The buggy address belongs to the page:
 [ 3188.595288] page:000000003ccb70fc refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1150b3
 [ 3188.597966] flags: 0x8000000000000000(zone=2)
 [ 3188.599643] raw: 8000000000000000 0000000000000000 dead000000000122 0000000000000000
 [ 3188.601766] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
 [ 3188.603786] page dumped because: kasan: bad access detected
 [ 3188.622507] 
 [ 3188.623291] Memory state around the buggy address:
 [ 3188.625031]  ffff8881150b3e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 [ 3188.627617]  ffff8881150b3f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 [ 3188.630275] >ffff8881150b3f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 [ 3188.632956]                                         ^
 [ 3188.634838]  ffff8881150b4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 [ 3188.637544]  ffff8881150b4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 [ 3188.640221] ==================================================================

[...]
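Added triage example (not part of this mail, not kernel or syzbot code): the three KASAN reports quoted above all fault on the same 8-byte slot at ffff8881150b3fb8 inside the page at pfn:0x1150b3, once as a read and a write from netif_napi_add on device open, and once as a read from __netif_napi_del on device close. When a link-flap loop produces a stream of these, the useful signal is that one freed address keeps being hit from both the add and the delete paths. The script below parses that shape of report out of a dmesg capture, keeps only the reliable frames (those without a leading `?`), picks the first frame that lives in a module, and groups reports by faulting address. The sample input is an excerpt of the log quoted in this message, trimmed to the lines the parser needs; the regular expressions and the REPORTING_PREFIXES filter are my own assumptions about the KASAN output format and may need adjusting for other kernel versions.

```python
"""Parse KASAN reports out of a dmesg capture and correlate them by faulting address."""
import re
from collections import OrderedDict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Frame = Tuple[str, Optional[str]]  # (symbol, module or None for core kernel)

TS_RE = re.compile(r"^\s*\[\s*\d+\.\d+\]")
HEADER_RE = re.compile(r"^BUG: KASAN: (?P<kind>[\w-]+) in (?P<site>[\w.]+)\+0x")
ACCESS_RE = re.compile(r"^(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
                       r" by task (?P<task>\S+)/(?P<pid>\d+)$")
FRAME_RE = re.compile(r"^(?P<unreliable>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+"
                      r"(?: \[(?P<mod>\w+)\])?$")
PFN_RE = re.compile(r"pfn:0x(?P<pfn>[0-9a-f]+)")
SEP_RE = re.compile(r"^=+$")  # KASAN brackets each report with a rule of '='
# Frames that belong to the sanitizer's reporting path rather than to the buggy code
# (assumed set; extend it if your kernel's KASAN frames are named differently).
REPORTING_PREFIXES = ("dump_stack", "print_address_description", "kasan_report", "kasan_", "__asan_")


@dataclass
class KasanReport:
    kind: str                 # e.g. "use-after-free"
    site: str                 # function named in the BUG: line
    op: str = ""              # "Read" or "Write"
    size: int = 0
    addr: str = ""            # faulting address, hex without 0x
    task: str = ""
    pid: int = 0
    pfn: str = ""             # page frame the address belongs to, if the report printed it
    frames: List[Frame] = field(default_factory=list)  # reliable frames, innermost first

    def first_caller(self) -> Optional[Frame]:
        """First reliable frame outside KASAN's own reporting code."""
        for sym, mod in self.frames:
            if not sym.startswith(REPORTING_PREFIXES):
                return (sym, mod)
        return None

    def driver_frame(self) -> Optional[Frame]:
        """First reliable frame that lives in a loadable module (usually the driver)."""
        for sym, mod in self.frames:
            if mod:
                return (sym, mod)
        return None


def parse_kasan_reports(text: str) -> List[KasanReport]:
    reports: List[KasanReport] = []
    cur: Optional[KasanReport] = None
    in_trace = False
    for raw in text.splitlines():
        line = TS_RE.sub("", raw).strip()   # drop the "[ 3187.892518]" timestamp prefix
        if SEP_RE.match(line):              # a rule closes the open report (or opens a new one)
            if cur is not None:
                reports.append(cur)
            cur, in_trace = None, False
            continue
        m = HEADER_RE.match(line)
        if m:
            cur, in_trace = KasanReport(kind=m["kind"], site=m["site"]), False
            continue
        if cur is None:                     # noise between reports ("Link up", ADDRCONF, ...)
            continue
        m = ACCESS_RE.match(line)
        if m:
            cur.op, cur.size, cur.addr = m["op"], int(m["size"]), m["addr"]
            cur.task, cur.pid = m["task"], int(m["pid"])
            continue
        if line == "Call Trace:":
            in_trace = True
            continue
        m = PFN_RE.search(line)
        if m:
            cur.pfn = m["pfn"]
            continue
        m = FRAME_RE.match(line) if in_trace else None
        if m and not m["unreliable"]:       # keep only frames the unwinder trusts
            cur.frames.append((m["sym"], m["mod"]))
    if cur is not None:                     # report whose closing rule was cut off
        reports.append(cur)
    return reports


def group_by_address(reports: List[KasanReport]) -> Dict[str, List[KasanReport]]:
    groups: Dict[str, List[KasanReport]] = OrderedDict()
    for r in reports:
        groups.setdefault(r.addr, []).append(r)
    return groups


def summarize(reports: List[KasanReport]) -> List[str]:
    """One header line per faulting address, then one line per report hitting it."""
    out = []
    for addr, group in group_by_address(reports).items():
        out.append(f"{addr}: {len(group)} report(s)")
        for r in group:
            drv = r.driver_frame()
            where = f"{drv[0]} [{drv[1]}]" if drv else (r.first_caller() or ("?", None))[0]
            out.append(f"  {r.kind} {r.op} size {r.size} by {r.task}/{r.pid} via {r.site} <- {where}")
    return out


# Excerpt of the KASAN reports quoted in this mail, trimmed to the lines the parser uses.
SAMPLE_DMESG = """\
[ 3187.779569] mlx5_core 0000:08:00.0 enp8s0f0: Link up
[ 3187.890694] ==================================================================
[ 3187.892518] BUG: KASAN: use-after-free in __list_add_valid+0xc3/0xf0
[ 3187.894132] Read of size 8 at addr ffff8881150b3fb8 by task ip/119618
[ 3187.901075] Call Trace:
[ 3187.901858]  dump_stack_lvl+0x57/0x7d
[ 3187.902899]  print_address_description.constprop.0+0x1f/0x140
[ 3187.904346]  ? __list_add_valid+0xc3/0xf0
[ 3187.906565]  kasan_report.cold+0x83/0xdf
[ 3187.908693]  __list_add_valid+0xc3/0xf0
[ 3187.909765]  netif_napi_add+0x399/0x9a0
[ 3187.910794]  ? kmalloc_order_trace+0x6a/0x120
[ 3187.911944]  mlx5e_open_channels+0x91b/0x2e10 [mlx5_core]
[ 3187.920863]  __dev_open+0x22f/0x420
[ 3188.059996] page:000000003ccb70fc refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1150b3
[ 3188.081470] ==================================================================
[ 3188.083406] ==================================================================
[ 3188.085280] BUG: KASAN: use-after-free in netif_napi_add+0x8b7/0x9a0
[ 3188.086952] Write of size 8 at addr ffff8881150b3fb8 by task ip/119618
[ 3188.095481] Call Trace:
[ 3188.096222]  dump_stack_lvl+0x57/0x7d
[ 3188.100940]  kasan_report.cold+0x83/0xdf
[ 3188.103140]  netif_napi_add+0x8b7/0x9a0
[ 3188.105336]  mlx5e_open_channels+0x91b/0x2e10 [mlx5_core]
[ 3188.255460] page:000000003ccb70fc refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1150b3
[ 3188.276862] ==================================================================
[ 3188.430532] ==================================================================
[ 3188.432378] BUG: KASAN: use-after-free in __list_del_entry_valid+0x14b/0x180
[ 3188.434254] Read of size 8 at addr ffff8881150b3fb8 by task ip/119619
[ 3188.442423] Call Trace:
[ 3188.443172]  dump_stack_lvl+0x57/0x7d
[ 3188.448255]  kasan_report.cold+0x83/0xdf
[ 3188.450670]  __list_del_entry_valid+0x14b/0x180
[ 3188.451887]  ? _raw_spin_unlock+0x1f/0x30
[ 3188.452969]  __netif_napi_del.part.0+0xec/0x4a0
[ 3188.454453]  mlx5e_close_channel+0x7d/0xd0 [mlx5_core]
[ 3188.463961]  __dev_close_many+0x18e/0x2b0
[ 3188.595288] page:000000003ccb70fc refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1150b3
[ 3188.640221] ==================================================================
"""

if __name__ == "__main__":
    for line in summarize(parse_kasan_reports(SAMPLE_DMESG)):
        print(line)
```

Run on a full `dmesg` capture and the header lines tell you immediately whether the reports are one bug hit repeatedly (one address, many reports, add and del paths both present, as here) or several unrelated faults; the driver frame then points at which open/close path to read first.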
