lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CACT4Y+atr1+=gBJEWF0RAFPrzYHv7r_b6duuDRx4TVbvb4am9Q@mail.gmail.com>
Date:   Mon, 25 Oct 2021 08:41:46 +0200
From:   Dmitry Vyukov <dvyukov@...gle.com>
To:     Hillf Danton <hdanton@...a.com>
Cc:     Vlad Buslov <vladbu@...dia.com>, Paolo Abeni <pabeni@...hat.com>,
        Daniel Borkmann <daniel@...earbox.net>,
        syzbot <syzbot+62e474dd92a35e3060d8@...kaller.appspotmail.com>,
        LKML <linux-kernel@...r.kernel.org>,
        syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] BUG: corrupted list in netif_napi_add

On Sat, 23 Oct 2021 at 15:45, Hillf Danton <hdanton@...a.com> wrote:
>
> On Mon, 18 Oct 2021 17:04:19 +0300 Vlad Buslov wrote:
> >On Thu 14 Oct 2021 at 16:50, Paolo Abeni <pabeni@...hat.com> wrote:
> >> On Wed, 2021-10-13 at 15:35 +0200, Daniel Borkmann wrote:
> >>> On 10/13/21 1:40 PM, syzbot wrote:
> >>> > Hello,
> >>> >
> >>> > syzbot found the following issue on:
> >>>
> >>> [ +Paolo/Toke wrt veth/XDP, +Jussi wrt bond/XDP, please take a look, thanks! ]
> >>
> >> For the records: Toke and me are actively investigating this issue and
> >> the other recent related one. So far we could not find anything
> >> relevant.
> >>
> >> The onluy note is that the reproducer is not extremelly reliable - I
> >> could not reproduce locally, and multiple syzbot runs on the same code
> >> give different results. Anyhow, so far the issue was only observerable
> >> on a specific 'next' commit which is currently "not reachable" from any
> >> branch. I'm wondering if the issue was caused by some incosistent
> >> status of such tree.
> >
> >Hi,
> >
> >We got a use-after-free with very similar trace [0] during nightly
> >regression. The issue happens when ip link up/down state is flipped
> >several times in loop and doesn't reproduce for me manually. The fact
> >that it didn't reproduce for me after running test ten times suggests
> >that it is either very hard to reproduce or that it is a result of some
> >interaction between several tests in our suite.
> >
> >[0]:
> >
> >[ 3187.779569] mlx5_core 0000:08:00.0 enp8s0f0: Link up
> > [ 3187.890694] ==================================================================
> > [ 3187.892518] BUG: KASAN: use-after-free in __list_add_valid+0xc3/0xf0
> > [ 3187.894132] Read of size 8 at addr ffff8881150b3fb8 by task ip/119618
> > [ 3187.895683]
> > [ 3187.896209] CPU: 0 PID: 119618 Comm: ip Not tainted 5.15.0-rc5_for_upstream_debug_2021_10_17_12_06 #1
> > [ 3187.898445] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
> > [ 3187.901075] Call Trace:
> > [ 3187.901858]  dump_stack_lvl+0x57/0x7d
> > [ 3187.902899]  print_address_description.constprop.0+0x1f/0x140
> > [ 3187.904346]  ? __list_add_valid+0xc3/0xf0
> > [ 3187.905439]  ? __list_add_valid+0xc3/0xf0
> > [ 3187.906565]  kasan_report.cold+0x83/0xdf
> > [ 3187.907619]  ? __list_add_valid+0xc3/0xf0
> > [ 3187.908693]  __list_add_valid+0xc3/0xf0
> > [ 3187.909765]  netif_napi_add+0x399/0x9a0
> > [ 3187.910794]  ? kmalloc_order_trace+0x6a/0x120
> > [ 3187.911944]  mlx5e_open_channels+0x91b/0x2e10 [mlx5_core]
> > [ 3187.913872]  ? rwlock_bug.part.0+0x90/0x90
> > [ 3187.914959]  ? mlx5e_close_cq+0x80/0x80 [mlx5_core]
> > [ 3187.916584]  ? mutex_is_locked+0x13/0x50
> > [ 3187.917703]  mlx5e_open_locked+0x6a/0x1f0 [mlx5_core]
> > [ 3187.919368]  mlx5e_open+0x35/0xb0 [mlx5_core]
> > [ 3187.920863]  __dev_open+0x22f/0x420
> > [ 3187.921852]  ? dev_set_rx_mode+0x80/0x80
> > [ 3187.922920]  ? __mlx5_eswitch_set_vport_vlan+0x290/0x290 [mlx5_core]
> > [ 3187.924866]  ? __local_bh_enable_ip+0xa2/0x100
> > [ 3187.926148]  ? trace_hardirqs_on+0x32/0x120
> > [ 3187.927270]  __dev_change_flags+0x451/0x670
> > [ 3187.928387]  ? dev_set_allmulti+0x10/0x10
> > [ 3187.929480]  ? rtnl_fill_vfinfo+0x936/0xdb0
> > [ 3187.930592]  dev_change_flags+0x8b/0x150
> > [ 3187.931651]  do_setlink+0x820/0x2d60
> > [ 3187.932631]  ? rtnetlink_put_metrics+0x490/0x490
> > [ 3187.933852]  ? lock_release+0x460/0x750
> > [ 3187.934881]  ? kvm_async_pf_task_wake+0x410/0x410
> > [ 3187.936122]  ? lock_downgrade+0x6e0/0x6e0
> > [ 3187.937203]  ? do_raw_spin_unlock+0x54/0x220
> > [ 3187.938351]  ? memset+0x20/0x40
> > [ 3187.939246]  ? __nla_validate_parse+0xb2/0x22c0
> > [ 3187.940426]  ? do_raw_spin_lock+0x126/0x270
> > [ 3187.941568]  ? push_cpu_stop+0x830/0x830
> > [ 3187.942638]  ? rwlock_bug.part.0+0x90/0x90
> > [ 3187.943733]  ? devlink_compat_switch_id_get+0xbb/0x100
> > [ 3187.945065]  ? nla_get_range_signed+0x540/0x540
> > [ 3187.946272]  ? memcpy+0x39/0x60
> > [ 3187.947162]  ? memset+0x20/0x40
> > [ 3187.948058]  ? memset+0x20/0x40
> > [ 3187.948943]  __rtnl_newlink+0xac0/0x1370
> > [ 3187.950038]  ? entry_SYSCALL_64_after_hwframe+0x44/0xae
> > [ 3187.951380]  ? rtnl_setlink+0x330/0x330
> > [ 3187.952417]  ? deref_stack_reg+0x160/0x160
> > [ 3187.953534]  ? deref_stack_reg+0xe6/0x160
> > [ 3187.954619]  ? rcu_read_lock_sched_held+0x12/0x70
> > [ 3187.955848]  ? lock_release+0x460/0x750
> > [ 3187.956886]  ? is_bpf_text_address+0x54/0x110
> > [ 3187.958047]  ? lock_downgrade+0x6e0/0x6e0
> > [ 3187.959133]  ? entry_SYSCALL_64_after_hwframe+0x44/0xae
> > [ 3187.960469]  ? deref_stack_reg+0x160/0x160
> > [ 3187.961592]  ? is_bpf_text_address+0x73/0x110
> > [ 3187.962759]  ? kernel_text_address+0xda/0x100
> > [ 3187.963920]  ? __kernel_text_address+0xe/0x30
> > [ 3187.965069]  ? unwind_get_return_address+0x56/0xa0
> > [ 3187.966334]  ? __thaw_task+0x70/0x70
> > [ 3187.967320]  ? arch_stack_walk+0x98/0xf0
> > [ 3187.968405]  ? lock_downgrade+0x6e0/0x6e0
> > [ 3187.969510]  ? trace_hardirqs_on+0x32/0x120
> > [ 3187.970644]  ? rcu_read_lock_sched_held+0x12/0x70
> > [ 3187.971883]  rtnl_newlink+0x5f/0x90
> > [ 3187.972866]  rtnetlink_rcv_msg+0x32b/0x950
> > [ 3187.973968]  ? deref_stack_reg+0x160/0x160
> > [ 3187.975088]  ? rtnl_fdb_dump+0x830/0x830
> > [ 3187.976160]  ? rcu_read_lock_sched_held+0x12/0x70
> > [ 3187.977393]  ? lock_acquire+0x38d/0x4c0
> > [ 3187.978443]  ? rcu_read_lock_sched_held+0x12/0x70
> > [ 3187.979685]  ? lock_acquire+0x38d/0x4c0
> > [ 3187.980733]  netlink_rcv_skb+0x11d/0x340
> > [ 3187.981812]  ? rtnl_fdb_dump+0x830/0x830
> > [ 3187.982862]  ? rcu_read_lock_sched_held+0x12/0x70
> > [ 3187.984105]  ? netlink_ack+0x930/0x930
> > [ 3187.985136]  ? netlink_deliver_tap+0x140/0xb10
> > [ 3187.986316]  ? netlink_deliver_tap+0x14c/0xb10
> > [ 3187.987495]  ? _copy_from_iter+0x282/0xbe0
> > [ 3187.988597]  netlink_unicast+0x433/0x700
> > [ 3187.989693]  ? netlink_attachskb+0x740/0x740
> > [ 3187.990819]  ? __alloc_skb+0x117/0x2c0
> > [ 3187.991855]  netlink_sendmsg+0x707/0xbf0
> > [ 3187.992921]  ? netlink_unicast+0x700/0x700
> > [ 3187.994024]  ? netlink_unicast+0x700/0x700
> > [ 3187.995121]  sock_sendmsg+0xb0/0xe0
> > [ 3187.996091]  ____sys_sendmsg+0x4fa/0x6d0
> > [ 3187.997163]  ? iovec_from_user+0x136/0x280
> > [ 3187.998276]  ? kernel_sendmsg+0x30/0x30
> > [ 3188.012806]  ? __import_iovec+0x51/0x610
> > [ 3188.013858]  ___sys_sendmsg+0x12e/0x1b0
> > [ 3188.014875]  ? do_recvmmsg+0x500/0x500
> > [ 3188.015877]  ? get_max_files+0x10/0x10
> > [ 3188.016866]  ? kasan_record_aux_stack+0xab/0xc0
> > [ 3188.018108]  ? call_rcu+0x87/0xd40
> > [ 3188.019041]  ? task_work_run+0xc5/0x160
> > [ 3188.020044]  ? exit_to_user_mode_prepare+0x1d9/0x1e0
> > [ 3188.021271]  ? syscall_exit_to_user_mode+0x19/0x50
> > [ 3188.022563]  ? do_syscall_64+0x4a/0x90
> > [ 3188.023559]  ? entry_SYSCALL_64_after_hwframe+0x44/0xae
> > [ 3188.024858]  ? rcu_read_lock_sched_held+0x12/0x70
> > [ 3188.026121]  ? lock_release+0x460/0x750
> > [ 3188.027174]  ? mntput_no_expire+0x113/0xb40
> > [ 3188.028302]  ? lock_downgrade+0x6e0/0x6e0
> > [ 3188.029398]  ? rwlock_bug.part.0+0x90/0x90
> > [ 3188.030555]  ? rcu_read_lock_sched_held+0x12/0x70
> > [ 3188.031812]  ? mntput_no_expire+0x132/0xb40
> > [ 3188.032940]  ? __fget_light+0x51/0x220
> > [ 3188.033986]  __sys_sendmsg+0xa4/0x120
> > [ 3188.034992]  ? __sys_sendmsg_sock+0x20/0x20
> > [ 3188.036115]  ? call_rcu+0x543/0xd40
> > [ 3188.037084]  ? syscall_enter_from_user_mode+0x1d/0x50
> > [ 3188.038406]  ? trace_hardirqs_on+0x32/0x120
> > [ 3188.039515]  do_syscall_64+0x3d/0x90
> > [ 3188.040502]  entry_SYSCALL_64_after_hwframe+0x44/0xae
> > [ 3188.041896] RIP: 0033:0x7f904ec94c17
> > [ 3188.042891] Code: 0c 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
> > [ 3188.047412] RSP: 002b:00007ffc1a6c4a98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
> > [ 3188.049361] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f904ec94c17
> > [ 3188.051121] RDX: 0000000000000000 RSI: 00007ffc1a6c4b00 RDI: 0000000000000003
> > [ 3188.052881] RBP: 00000000616c5eef R08: 0000000000000001 R09: 00007f904ed55a40
> > [ 3188.054645] R10: fffffffffffff3d6 R11: 0000000000000246 R12: 0000000000000001
> > [ 3188.056403] R13: 00007ffc1a6c51b0 R14: 00007ffc1a6c6c87 R15: 000000000048f520
> > [ 3188.058189]
> > [ 3188.058732] The buggy address belongs to the page:
> > [ 3188.059996] page:000000003ccb70fc refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1150b3
> > [ 3188.062378] flags: 0x8000000000000000(zone=2)
> > [ 3188.063551] raw: 8000000000000000 0000000000000000 dead000000000122 0000000000000000
> > [ 3188.065548] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
> > [ 3188.067518] page dumped because: kasan: bad access detected
> > [ 3188.068930]
> > [ 3188.069481] Memory state around the buggy address:
> > [ 3188.070730]  ffff8881150b3e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> > [ 3188.072618]  ffff8881150b3f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> > [ 3188.074508] >ffff8881150b3f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> > [ 3188.076378]                                         ^
> > [ 3188.077711]  ffff8881150b4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> > [ 3188.079584]  ffff8881150b4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> > [ 3188.081470] ==================================================================
> > [ 3188.083406] ==================================================================
> > [ 3188.085280] BUG: KASAN: use-after-free in netif_napi_add+0x8b7/0x9a0
> > [ 3188.086952] Write of size 8 at addr ffff8881150b3fb8 by task ip/119618
> > [ 3188.089181]
> > [ 3188.089987] CPU: 0 PID: 119618 Comm: ip Tainted: G    B             5.15.0-rc5_for_upstream_debug_2021_10_17_12_06 #1
> > [ 3188.092659] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
> > [ 3188.095481] Call Trace:
> > [ 3188.096222]  dump_stack_lvl+0x57/0x7d
> > [ 3188.097238]  print_address_description.constprop.0+0x1f/0x140
> > [ 3188.098764]  ? netif_napi_add+0x8b7/0x9a0
> > [ 3188.099862]  ? netif_napi_add+0x8b7/0x9a0
> > [ 3188.100940]  kasan_report.cold+0x83/0xdf
> > [ 3188.102041]  ? netif_napi_add+0x8b7/0x9a0
> > [ 3188.103140]  netif_napi_add+0x8b7/0x9a0
> > [ 3188.104180]  ? kmalloc_order_trace+0x6a/0x120
> > [ 3188.105336]  mlx5e_open_channels+0x91b/0x2e10 [mlx5_core]
> > [ 3188.107145]  ? rwlock_bug.part.0+0x90/0x90
> > [ 3188.108238]  ? mlx5e_close_cq+0x80/0x80 [mlx5_core]
> > [ 3188.109882]  ? mutex_is_locked+0x13/0x50
> > [ 3188.110985]  mlx5e_open_locked+0x6a/0x1f0 [mlx5_core]
> > [ 3188.112644]  mlx5e_open+0x35/0xb0 [mlx5_core]
> > [ 3188.114215]  __dev_open+0x22f/0x420
> > [ 3188.115186]  ? dev_set_rx_mode+0x80/0x80
> > [ 3188.116247]  ? __mlx5_eswitch_set_vport_vlan+0x290/0x290 [mlx5_core]
> > [ 3188.118252]  ? __local_bh_enable_ip+0xa2/0x100
> > [ 3188.119438]  ? trace_hardirqs_on+0x32/0x120
> > [ 3188.120554]  __dev_change_flags+0x451/0x670
> > [ 3188.121705]  ? dev_set_allmulti+0x10/0x10
> > [ 3188.122828]  ? rtnl_fill_vfinfo+0x936/0xdb0
> > [ 3188.123943]  dev_change_flags+0x8b/0x150
> > [ 3188.124995]  do_setlink+0x820/0x2d60
> > [ 3188.126023]  ? rtnetlink_put_metrics+0x490/0x490
> > [ 3188.127233]  ? lock_release+0x460/0x750
> > [ 3188.128269]  ? kvm_async_pf_task_wake+0x410/0x410
> > [ 3188.129502]  ? lock_downgrade+0x6e0/0x6e0
> > [ 3188.130620]  ? do_raw_spin_unlock+0x54/0x220
> > [ 3188.131781]  ? memset+0x20/0x40
> > [ 3188.132663]  ? __nla_validate_parse+0xb2/0x22c0
> > [ 3188.133894]  ? do_raw_spin_lock+0x126/0x270
> > [ 3188.135066]  ? push_cpu_stop+0x830/0x830
> > [ 3188.136136]  ? rwlock_bug.part.0+0x90/0x90
> > [ 3188.137230]  ? devlink_compat_switch_id_get+0xbb/0x100
> > [ 3188.138585]  ? nla_get_range_signed+0x540/0x540
> > [ 3188.139780]  ? memcpy+0x39/0x60
> > [ 3188.140683]  ? memset+0x20/0x40
> > [ 3188.141580]  ? memset+0x20/0x40
> > [ 3188.142517]  __rtnl_newlink+0xac0/0x1370
> > [ 3188.143579]  ? entry_SYSCALL_64_after_hwframe+0x44/0xae
> > [ 3188.144914]  ? rtnl_setlink+0x330/0x330
> > [ 3188.145974]  ? deref_stack_reg+0x160/0x160
> > [ 3188.147078]  ? deref_stack_reg+0xe6/0x160
> > [ 3188.148157]  ? rcu_read_lock_sched_held+0x12/0x70
> > [ 3188.149378]  ? lock_release+0x460/0x750
> > [ 3188.150490]  ? is_bpf_text_address+0x54/0x110
> > [ 3188.151648]  ? lock_downgrade+0x6e0/0x6e0
> > [ 3188.152725]  ? entry_SYSCALL_64_after_hwframe+0x44/0xae
> > [ 3188.154075]  ? deref_stack_reg+0x160/0x160
> > [ 3188.155176]  ? is_bpf_text_address+0x73/0x110
> > [ 3188.156353]  ? kernel_text_address+0xda/0x100
> > [ 3188.157510]  ? __kernel_text_address+0xe/0x30
> > [ 3188.158707]  ? unwind_get_return_address+0x56/0xa0
> > [ 3188.159992]  ? __thaw_task+0x70/0x70
> > [ 3188.160979]  ? arch_stack_walk+0x98/0xf0
> > [ 3188.162072]  ? lock_downgrade+0x6e0/0x6e0
> > [ 3188.163167]  ? trace_hardirqs_on+0x32/0x120
> > [ 3188.164295]  ? rcu_read_lock_sched_held+0x12/0x70
> > [ 3188.165546]  rtnl_newlink+0x5f/0x90
> > [ 3188.166558]  rtnetlink_rcv_msg+0x32b/0x950
> > [ 3188.167677]  ? deref_stack_reg+0x160/0x160
> > [ 3188.168782]  ? rtnl_fdb_dump+0x830/0x830
> > [ 3188.169857]  ? rcu_read_lock_sched_held+0x12/0x70
> > [ 3188.171089]  ? lock_acquire+0x38d/0x4c0
> > [ 3188.172131]  ? rcu_read_lock_sched_held+0x12/0x70
> > [ 3188.173367]  ? lock_acquire+0x38d/0x4c0
> > [ 3188.174472]  netlink_rcv_skb+0x11d/0x340
> > [ 3188.175531]  ? rtnl_fdb_dump+0x830/0x830
> > [ 3188.176592]  ? rcu_read_lock_sched_held+0x12/0x70
> > [ 3188.177824]  ? netlink_ack+0x930/0x930
> > [ 3188.178848]  ? netlink_deliver_tap+0x140/0xb10
> > [ 3188.180013]  ? netlink_deliver_tap+0x14c/0xb10
> > [ 3188.181188]  ? _copy_from_iter+0x282/0xbe0
> > [ 3188.182351]  netlink_unicast+0x433/0x700
> > [ 3188.183418]  ? netlink_attachskb+0x740/0x740
> > [ 3188.184552]  ? __alloc_skb+0x117/0x2c0
> > [ 3188.185606]  netlink_sendmsg+0x707/0xbf0
> > [ 3188.186672]  ? netlink_unicast+0x700/0x700
> > [ 3188.187783]  ? netlink_unicast+0x700/0x700
> > [ 3188.188882]  sock_sendmsg+0xb0/0xe0
> > [ 3188.189862]  ____sys_sendmsg+0x4fa/0x6d0
> > [ 3188.190971]  ? iovec_from_user+0x136/0x280
> > [ 3188.192074]  ? kernel_sendmsg+0x30/0x30
> > [ 3188.193130]  ? __import_iovec+0x51/0x610
> > [ 3188.194225]  ___sys_sendmsg+0x12e/0x1b0
> > [ 3188.195267]  ? do_recvmmsg+0x500/0x500
> > [ 3188.196301]  ? get_max_files+0x10/0x10
> > [ 3188.197333]  ? kasan_record_aux_stack+0xab/0xc0
> > [ 3188.198558]  ? call_rcu+0x87/0xd40
> > [ 3188.199519]  ? task_work_run+0xc5/0x160
> > [ 3188.200557]  ? exit_to_user_mode_prepare+0x1d9/0x1e0
> > [ 3188.201872]  ? syscall_exit_to_user_mode+0x19/0x50
> > [ 3188.203134]  ? do_syscall_64+0x4a/0x90
> > [ 3188.204152]  ? entry_SYSCALL_64_after_hwframe+0x44/0xae
> > [ 3188.205511]  ? rcu_read_lock_sched_held+0x12/0x70
> > [ 3188.206782]  ? lock_release+0x460/0x750
> > [ 3188.207870]  ? mntput_no_expire+0x113/0xb40
> > [ 3188.209025]  ? lock_downgrade+0x6e0/0x6e0
> > [ 3188.210272]  ? rwlock_bug.part.0+0x90/0x90
> > [ 3188.211864]  ? rcu_read_lock_sched_held+0x12/0x70
> > [ 3188.213644]  ? mntput_no_expire+0x132/0xb40
> > [ 3188.215253]  ? __fget_light+0x51/0x220
> > [ 3188.216535]  __sys_sendmsg+0xa4/0x120
> > [ 3188.217574]  ? __sys_sendmsg_sock+0x20/0x20
> > [ 3188.218707]  ? call_rcu+0x543/0xd40
> > [ 3188.219679]  ? syscall_enter_from_user_mode+0x1d/0x50
> > [ 3188.221004]  ? trace_hardirqs_on+0x32/0x120
> > [ 3188.235475]  do_syscall_64+0x3d/0x90
> > [ 3188.236463]  entry_SYSCALL_64_after_hwframe+0x44/0xae
> > [ 3188.237744] RIP: 0033:0x7f904ec94c17
> > [ 3188.238693] Code: 0c 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
> > [ 3188.242968] RSP: 002b:00007ffc1a6c4a98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
> > [ 3188.244834] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f904ec94c17
> > [ 3188.246604] RDX: 0000000000000000 RSI: 00007ffc1a6c4b00 RDI: 0000000000000003
> > [ 3188.248362] RBP: 00000000616c5eef R08: 0000000000000001 R09: 00007f904ed55a40
> > [ 3188.250140] R10: fffffffffffff3d6 R11: 0000000000000246 R12: 0000000000000001
> > [ 3188.251889] R13: 00007ffc1a6c51b0 R14: 00007ffc1a6c6c87 R15: 000000000048f520
> > [ 3188.253667]
> > [ 3188.254215] The buggy address belongs to the page:
> > [ 3188.255460] page:000000003ccb70fc refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1150b3
> > [ 3188.257812] flags: 0x8000000000000000(zone=2)
> > [ 3188.258985] raw: 8000000000000000 0000000000000000 dead000000000122 0000000000000000
> > [ 3188.260971] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
> > [ 3188.262993] page dumped because: kasan: bad access detected
> > [ 3188.264413]
> > [ 3188.264943] Memory state around the buggy address:
> > [ 3188.266203]  ffff8881150b3e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> > [ 3188.268082]  ffff8881150b3f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> > [ 3188.269957] >ffff8881150b3f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> > [ 3188.271818]                                         ^
> > [ 3188.273122]  ffff8881150b4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> > [ 3188.275000]  ffff8881150b4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> > [ 3188.276862] ==================================================================
> > [ 3188.371511] mlx5_core 0000:08:00.0 enp8s0f0: Link up
> > [ 3188.376126] IPv6: ADDRCONF(NETDEV_CHANGE): enp8s0f0: link becomes ready
> > [ 3188.430532] ==================================================================
> > [ 3188.432378] BUG: KASAN: use-after-free in __list_del_entry_valid+0x14b/0x180
> > [ 3188.434254] Read of size 8 at addr ffff8881150b3fb8 by task ip/119619
> > [ 3188.435826]
> > [ 3188.436365] CPU: 3 PID: 119619 Comm: ip Tainted: G    B             5.15.0-rc5_for_upstream_debug_2021_10_17_12_06 #1
> > [ 3188.439688] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
> > [ 3188.442423] Call Trace:
> > [ 3188.443172]  dump_stack_lvl+0x57/0x7d
> > [ 3188.444186]  print_address_description.constprop.0+0x1f/0x140
> > [ 3188.445703]  ? __list_del_entry_valid+0x14b/0x180
> > [ 3188.447004]  ? __list_del_entry_valid+0x14b/0x180
> > [ 3188.448255]  kasan_report.cold+0x83/0xdf
> > [ 3188.449323]  ? __list_del_entry_valid+0x14b/0x180
> > [ 3188.450670]  __list_del_entry_valid+0x14b/0x180
> > [ 3188.451887]  ? _raw_spin_unlock+0x1f/0x30
> > [ 3188.452969]  __netif_napi_del.part.0+0xec/0x4a0
> > [ 3188.454453]  mlx5e_close_channel+0x7d/0xd0 [mlx5_core]
> > [ 3188.456988]  mlx5e_close_channels+0xf9/0x200 [mlx5_core]
> > [ 3188.459599]  mlx5e_close_locked+0x101/0x130 [mlx5_core]
> > [ 3188.462156]  mlx5e_close+0xad/0x100 [mlx5_core]
> > [ 3188.463961]  __dev_close_many+0x18e/0x2b0
> > [ 3188.465045]  ? list_netdevice+0x3a0/0x3a0
> > [ 3188.466187]  ? __mlx5_eswitch_set_vport_vlan+0x290/0x290 [mlx5_core]
> > [ 3188.468156]  ? __local_bh_enable_ip+0xa2/0x100
> > [ 3188.469333]  ? trace_hardirqs_on+0x32/0x120
> > [ 3188.470496]  __dev_change_flags+0x254/0x670
> > [ 3188.471605]  ? dev_set_allmulti+0x10/0x10
> > [ 3188.472692]  ? rtnl_fill_vfinfo+0x936/0xdb0
> > [ 3188.473854]  dev_change_flags+0x8b/0x150
> > [ 3188.474965]  do_setlink+0x820/0x2d60
> > [ 3188.475950]  ? rtnetlink_put_metrics+0x490/0x490
> > [ 3188.477165]  ? lock_release+0x460/0x750
> > [ 3188.478306]  ? kvm_async_pf_task_wake+0x410/0x410
> > [ 3188.479542]  ? lock_downgrade+0x6e0/0x6e0
> > [ 3188.480615]  ? do_raw_spin_unlock+0x54/0x220
> > [ 3188.481790]  ? memset+0x20/0x40
> > [ 3188.482963]  ? __nla_validate_parse+0xb2/0x22c0
> > [ 3188.484167]  ? do_raw_spin_lock+0x126/0x270
> > [ 3188.485281]  ? push_cpu_stop+0x830/0x830
> > [ 3188.486457]  ? rwlock_bug.part.0+0x90/0x90
> > [ 3188.487557]  ? devlink_compat_switch_id_get+0xbb/0x100
> > [ 3188.488894]  ? nla_get_range_signed+0x540/0x540
> > [ 3188.490168]  ? memcpy+0x39/0x60
> > [ 3188.491083]  ? memset+0x20/0x40
> > [ 3188.491966]  ? memset+0x20/0x40
> > [ 3188.492855]  __rtnl_newlink+0xac0/0x1370
> > [ 3188.493987]  ? entry_SYSCALL_64_after_hwframe+0x44/0xae
> > [ 3188.495384]  ? rtnl_setlink+0x330/0x330
> > [ 3188.496446]  ? deref_stack_reg+0x160/0x160
> > [ 3188.497551]  ? deref_stack_reg+0xe6/0x160
> > [ 3188.498713]  ? rcu_read_lock_sched_held+0x12/0x70
> > [ 3188.499929]  ? lock_release+0x460/0x750
> > [ 3188.501232]  ? is_bpf_text_address+0x54/0x110
> > [ 3188.502735]  ? lock_downgrade+0x6e0/0x6e0
> > [ 3188.503831]  ? entry_SYSCALL_64_after_hwframe+0x44/0xae
> > [ 3188.505157]  ? deref_stack_reg+0x160/0x160
> > [ 3188.506298]  ? is_bpf_text_address+0x73/0x110
> > [ 3188.507459]  ? kernel_text_address+0xda/0x100
> > [ 3188.508615]  ? __kernel_text_address+0xe/0x30
> > [ 3188.509776]  ? unwind_get_return_address+0x56/0xa0
> > [ 3188.511047]  ? __thaw_task+0x70/0x70
> > [ 3188.512033]  ? arch_stack_walk+0x98/0xf0
> > [ 3188.513059]  ? lock_downgrade+0x6e0/0x6e0
> > [ 3188.514191]  ? trace_hardirqs_on+0x32/0x120
> > [ 3188.515303]  ? rcu_read_lock_sched_held+0x12/0x70
> > [ 3188.516524]  rtnl_newlink+0x5f/0x90
> > [ 3188.517513]  rtnetlink_rcv_msg+0x32b/0x950
> > [ 3188.518652]  ? deref_stack_reg+0x160/0x160
> > [ 3188.519761]  ? rtnl_fdb_dump+0x830/0x830
> > [ 3188.520816]  ? rcu_read_lock_sched_held+0x12/0x70
> > [ 3188.522119]  ? lock_acquire+0x38d/0x4c0
> > [ 3188.523211]  ? rcu_read_lock_sched_held+0x12/0x70
> > [ 3188.524435]  ? lock_acquire+0x38d/0x4c0
> > [ 3188.525498]  netlink_rcv_skb+0x11d/0x340
> > [ 3188.526649]  ? rtnl_fdb_dump+0x830/0x830
> > [ 3188.527722]  ? rcu_read_lock_sched_held+0x12/0x70
> > [ 3188.528949]  ? netlink_ack+0x930/0x930
> > [ 3188.530055]  ? netlink_deliver_tap+0x140/0xb10
> > [ 3188.531347]  ? netlink_deliver_tap+0x14c/0xb10
> > [ 3188.532549]  ? _copy_from_iter+0x282/0xbe0
> > [ 3188.533711]  netlink_unicast+0x433/0x700
> > [ 3188.534845]  ? netlink_attachskb+0x740/0x740
> > [ 3188.535987]  ? __alloc_skb+0x117/0x2c0
> > [ 3188.537006]  netlink_sendmsg+0x707/0xbf0
> > [ 3188.538150]  ? netlink_unicast+0x700/0x700
> > [ 3188.539337]  ? netlink_unicast+0x700/0x700
> > [ 3188.540448]  sock_sendmsg+0xb0/0xe0
> > [ 3188.541424]  ____sys_sendmsg+0x4fa/0x6d0
> > [ 3188.542743]  ? iovec_from_user+0x136/0x280
> > [ 3188.543932]  ? kernel_sendmsg+0x30/0x30
> > [ 3188.544963]  ? __import_iovec+0x51/0x610
> > [ 3188.546063]  ___sys_sendmsg+0x12e/0x1b0
> > [ 3188.547189]  ? do_recvmmsg+0x500/0x500
> > [ 3188.548209]  ? get_max_files+0x10/0x10
> > [ 3188.549226]  ? kasan_record_aux_stack+0xab/0xc0
> > [ 3188.550547]  ? call_rcu+0x87/0xd40
> > [ 3188.551509]  ? task_work_run+0xc5/0x160
> > [ 3188.552546]  ? exit_to_user_mode_prepare+0x1d9/0x1e0
> > [ 3188.553896]  ? syscall_exit_to_user_mode+0x19/0x50
> > [ 3188.555195]  ? do_syscall_64+0x4a/0x90
> > [ 3188.556206]  ? entry_SYSCALL_64_after_hwframe+0x44/0xae
> > [ 3188.557634]  ? rcu_read_lock_sched_held+0x12/0x70
> > [ 3188.558903]  ? lock_release+0x460/0x750
> > [ 3188.559948]  ? mntput_no_expire+0x113/0xb40
> > [ 3188.561059]  ? lock_downgrade+0x6e0/0x6e0
> > [ 3188.562231]  ? rwlock_bug.part.0+0x90/0x90
> > [ 3188.563338]  ? rcu_read_lock_sched_held+0x12/0x70
> > [ 3188.564583]  ? mntput_no_expire+0x132/0xb40
> > [ 3188.565731]  ? __fget_light+0x51/0x220
> > [ 3188.566858]  __sys_sendmsg+0xa4/0x120
> > [ 3188.567878]  ? __sys_sendmsg_sock+0x20/0x20
> > [ 3188.568995]  ? call_rcu+0x543/0xd40
> > [ 3188.570047]  ? syscall_enter_from_user_mode+0x1d/0x50
> > [ 3188.571387]  ? trace_hardirqs_on+0x32/0x120
> > [ 3188.572502]  do_syscall_64+0x3d/0x90
> > [ 3188.573491]  entry_SYSCALL_64_after_hwframe+0x44/0xae
> > [ 3188.574916] RIP: 0033:0x7fc68ffd4c17
> > [ 3188.575900] Code: 0c 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
> > [ 3188.580625] RSP: 002b:00007ffd26634f18 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
> > [ 3188.582945] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fc68ffd4c17
> > [ 3188.585684] RDX: 0000000000000000 RSI: 00007ffd26634f80 RDI: 0000000000000003
> > [ 3188.587965] RBP: 00000000616c5eef R08: 0000000000000001 R09: 00007fc690095a40
> > [ 3188.589788] R10: fffffffffffff3d6 R11: 0000000000000246 R12: 0000000000000001
> > [ 3188.591618] R13: 00007ffd26635630 R14: 00007ffd26635c85 R15: 000000000048f520
> > [ 3188.593365]
> > [ 3188.593953] The buggy address belongs to the page:
> > [ 3188.595288] page:000000003ccb70fc refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1150b3
> > [ 3188.597966] flags: 0x8000000000000000(zone=2)
> > [ 3188.599643] raw: 8000000000000000 0000000000000000 dead000000000122 0000000000000000
> > [ 3188.601766] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
> > [ 3188.603786] page dumped because: kasan: bad access detected
> > [ 3188.622507]
> > [ 3188.623291] Memory state around the buggy address:
> > [ 3188.625031]  ffff8881150b3e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> > [ 3188.627617]  ffff8881150b3f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> > [ 3188.630275] >ffff8881150b3f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> > [ 3188.632956]                                         ^
> > [ 3188.634838]  ffff8881150b4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> > [ 3188.637544]  ffff8881150b4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> > [ 3188.640221] ==================================================================
> >
> >[...]
> >
> > [ 3188.574916] RIP: 0033:0x7fc68ffd4c17
> > [ 3188.237744] RIP: 0033:0x7f904ec94c17
>
> Dmitry, what addresses are these RIPs pointing to?

This report did not come from syzkaller/syzbot. We need to ask Vlad.
For syzkaller/syzbot I wouldn't be able to answer such a question. But
I guess it's just a code that executes the sendmsg syscall instruction
in user-space. What aspect of that code are you interested in?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ