[ovs-dev] [syzbot] KASAN: use-after-free Read in ovs_vport_locate

2022-12-20 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:041fae9c105a Merge tag 'f2fs-for-6.2-rc1' of git://git.ker..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15c5d02048
kernel config:  https://syzkaller.appspot.com/x/.config?x=836aafbf33f4fa6c
dashboard link: https://syzkaller.appspot.com/bug?extid=8f4e2dcfcb3209ac35f9
compiler:   gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for 
Debian) 2.35.2

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: 
https://storage.googleapis.com/syzbot-assets/30e749b24df4/disk-041fae9c.raw.xz
vmlinux: 
https://storage.googleapis.com/syzbot-assets/dd6d972f5b02/vmlinux-041fae9c.xz
kernel image: 
https://storage.googleapis.com/syzbot-assets/405163d7c7cc/bzImage-041fae9c.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+8f4e2dcfcb3209ac3...@syzkaller.appspotmail.com

netlink: 208 bytes leftover after parsing attributes in process 
`syz-executor.4'.
==================================================================
BUG: KASAN: use-after-free in read_pnet include/net/net_namespace.h:383 [inline]
BUG: KASAN: use-after-free in ovs_dp_get_net net/openvswitch/datapath.h:195 
[inline]
BUG: KASAN: use-after-free in ovs_vport_locate+0x131/0x150 
net/openvswitch/vport.c:103
Read of size 8 at addr 88802055e360 by task syz-executor.4/5621

CPU: 0 PID: 5621 Comm: syz-executor.4 Not tainted 
6.1.0-syzkaller-10971-g041fae9c105a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 
10/26/2022
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:306 [inline]
 print_report+0x15e/0x461 mm/kasan/report.c:417
 kasan_report+0xbf/0x1f0 mm/kasan/report.c:517
 read_pnet include/net/net_namespace.h:383 [inline]
 ovs_dp_get_net net/openvswitch/datapath.h:195 [inline]
 ovs_vport_locate+0x131/0x150 net/openvswitch/vport.c:103
 lookup_datapath+0x54/0x3a0 net/openvswitch/datapath.c:1628
 ovs_dp_reset_user_features net/openvswitch/datapath.c:1639 [inline]
 ovs_dp_cmd_new+0xd5b/0x11c0 net/openvswitch/datapath.c:1848
 genl_family_rcv_msg_doit.isra.0+0x1e6/0x2d0 net/netlink/genetlink.c:968
 genl_family_rcv_msg net/netlink/genetlink.c:1048 [inline]
 genl_rcv_msg+0x4ff/0x7e0 net/netlink/genetlink.c:1065
 netlink_rcv_skb+0x165/0x440 net/netlink/af_netlink.c:2564
 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1076
 netlink_unicast_kernel net/netlink/af_netlink.c:1330 [inline]
 netlink_unicast+0x547/0x7f0 net/netlink/af_netlink.c:1356
 netlink_sendmsg+0x91b/0xe10 net/netlink/af_netlink.c:1932
 sock_sendmsg_nosec net/socket.c:714 [inline]
 sock_sendmsg+0xd3/0x120 net/socket.c:734
 sys_sendmsg+0x712/0x8c0 net/socket.c:2476
 ___sys_sendmsg+0x110/0x1b0 net/socket.c:2530
 __sys_sendmsg+0xf7/0x1c0 net/socket.c:2559
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f142348c0d9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 
89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 
c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:7f14240ff168 EFLAGS: 0246 ORIG_RAX: 002e
RAX: ffda RBX: 7f14235abf80 RCX: 7f142348c0d9
RDX: 0800 RSI: 2100 RDI: 0003
RBP: 7f14234e7ae9 R08:  R09: 
R10:  R11: 0246 R12: 
R13: 7ffdd965a34f R14: 7f14240ff300 R15: 00022000
 </TASK>

Allocated by task 5564:
 kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 kasan_kmalloc mm/kasan/common.c:371 [inline]
 kasan_kmalloc mm/kasan/common.c:330 [inline]
 __kasan_kmalloc+0xa3/0xb0 mm/kasan/common.c:380
 kmalloc include/linux/slab.h:580 [inline]
 kzalloc include/linux/slab.h:720 [inline]
 ovs_dp_cmd_new+0x1a3/0x11c0 net/openvswitch/datapath.c:1796
 genl_family_rcv_msg_doit.isra.0+0x1e6/0x2d0 net/netlink/genetlink.c:968
 genl_family_rcv_msg net/netlink/genetlink.c:1048 [inline]
 genl_rcv_msg+0x4ff/0x7e0 net/netlink/genetlink.c:1065
 netlink_rcv_skb+0x165/0x440 net/netlink/af_netlink.c:2564
 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1076
 netlink_unicast_kernel net/netlink/af_netlink.c:1330 [inline]
 netlink_unicast+0x547/0x7f0 net/netlink/af_netlink.c:1356
 netlink_sendmsg+0x91b/0xe10 net/netlink/af_netlink.c:1932
 sock_sendmsg_nosec net/socket.c:714 [inline]
 sock_sendmsg+0xd3/0x120 net/socket.c:734
 sys_sendmsg+0x712/0x8c0 net/socket.c:2476
 ___sys_sendmsg+0x110/0x1b0 net/socket.c:2530
 __sys_sendmsg+0xf7/0x1c0 net/socket.c:2559
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by 
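
A first triage pass over the report above, written as an added example for this
thread; it is my own helper, not syzbot or kernel tooling. It parses the KASAN
text into the faulting access, the inlined call chain down to the first
out-of-line frame, the syscall the path enters from, and the allocating task,
and flags what the mail does not contain. The input is a constructed excerpt of
the report above with the mailer's line wrapping undone and some frames dropped;
the list of "noise" frame prefixes and the syscall-entry prefixes are assumptions
of this example, not anything KASAN defines.

```python
import re
from collections import namedtuple

# Constructed input: an excerpt of the syzbot report above with the mailer's
# line wrapping undone and some frames dropped; "Freed by" is cut off as on the page.
SAMPLE = """\
BUG: KASAN: use-after-free in read_pnet include/net/net_namespace.h:383 [inline]
BUG: KASAN: use-after-free in ovs_dp_get_net net/openvswitch/datapath.h:195 [inline]
BUG: KASAN: use-after-free in ovs_vport_locate+0x131/0x150 net/openvswitch/vport.c:103
Read of size 8 at addr 88802055e360 by task syz-executor.4/5621

Call Trace:
 kasan_report+0xbf/0x1f0 mm/kasan/report.c:517
 read_pnet include/net/net_namespace.h:383 [inline]
 ovs_dp_get_net net/openvswitch/datapath.h:195 [inline]
 ovs_vport_locate+0x131/0x150 net/openvswitch/vport.c:103
 lookup_datapath+0x54/0x3a0 net/openvswitch/datapath.c:1628
 ovs_dp_reset_user_features net/openvswitch/datapath.c:1639 [inline]
 ovs_dp_cmd_new+0xd5b/0x11c0 net/openvswitch/datapath.c:1848
 genl_family_rcv_msg_doit.isra.0+0x1e6/0x2d0 net/netlink/genetlink.c:968
 __sys_sendmsg+0xf7/0x1c0 net/socket.c:2559
 do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f142348c0d9

Allocated by task 5564:
 kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
 __kasan_kmalloc+0xa3/0xb0 mm/kasan/common.c:380
 kzalloc include/linux/slab.h:720 [inline]
 ovs_dp_cmd_new+0x1a3/0x11c0 net/openvswitch/datapath.c:1796

Freed by 
"""

_BUG = re.compile(r"^BUG: KASAN: (?P<kind>[\w-]+) in ")
_ACCESS = re.compile(r"^(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>\S+)"
                     r" by task (?P<comm>\S+)/(?P<pid>\d+)")
_OWNER = re.compile(r"^(?P<what>Allocated|Freed) by task (?P<pid>\d+):")
_FRAME = re.compile(r"^\s+(?P<func>[\w.]+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?"
                    r"(?: (?P<loc>\S+:\d+))?(?P<inline> \[inline\])?\s*$")
# Assumed prefix lists: frames of the reporting/allocator machinery, and syscall entry points.
_NOISE = ("__dump_stack", "dump_stack", "print_", "kasan_", "__kasan_",
          "kmalloc", "kzalloc", "__kmalloc", "kmem_cache_", "kfree", "slab_free")
_SYSCALL = ("__sys_", "__x64_sys_", "__se_sys_", "__do_sys_", "ksys_", "do_syscall")
Frame = namedtuple("Frame", "func loc inline")

def parse_kasan(text):
    """Split a KASAN report into bug kind, faulting access and its stacks."""
    rep = {"kind": None, "access": None, "trace": [], "allocated": None, "freed": None}
    frames = None  # list receiving frames of the currently open stack section
    for line in text.splitlines():
        if (m := _BUG.match(line)):
            rep["kind"] = m["kind"]  # printed once per inlined level; all agree
        elif (m := _ACCESS.match(line)):
            rep["access"] = {"op": m["op"], "size": int(m["size"]), "addr": m["addr"],
                             "comm": m["comm"], "pid": int(m["pid"])}
        elif line.startswith("Call Trace:"):
            frames = rep["trace"]
        elif (m := _OWNER.match(line)):
            key = "allocated" if m["what"] == "Allocated" else "freed"
            rep[key] = {"pid": int(m["pid"]), "frames": []}
            frames = rep[key]["frames"]
        elif not line.strip():
            frames = None  # a blank line closes the section; register dumps never match
        elif frames is not None and (m := _FRAME.match(line)):
            frames.append(Frame(m["func"], m["loc"], bool(m["inline"])))
    return rep

def triage(rep):
    """What a triager checks first: where it faults, from which syscall, who allocated."""
    real = [f for f in rep["trace"] if not f.func.startswith(_NOISE)]
    chain = []  # inlined callees down to the first out-of-line frame
    for f in real:
        chain.append(f)
        if not f.inline:
            break
    alloc = rep["allocated"]
    alloc_site = next((f for f in alloc["frames"] if not f.func.startswith(_NOISE)),
                      None) if alloc else None
    return {
        "kind": rep["kind"],
        "site": f"{chain[-1].func} {chain[-1].loc}" if chain else None,
        "inline_chain": [f.func for f in chain],
        "caller": real[len(chain)].func if len(real) > len(chain) else None,
        "syscall_entry": next((f.func for f in rep["trace"]
                               if f.func.startswith(_SYSCALL)), None),
        "access_pid": rep["access"]["pid"] if rep["access"] else None,
        "alloc_pid": alloc["pid"] if alloc else None,
        "alloc_site": f"{alloc_site.func} {alloc_site.loc}" if alloc_site else None,
        # Allocated by one task, used by another: the object outlived a request.
        "cross_task": bool(alloc and rep["access"] and alloc["pid"] != rep["access"]["pid"]),
        # Without the free stack the root cause is still open.
        "free_stack_missing": rep["freed"] is None,
    }

if __name__ == "__main__":
    for key, val in triage(parse_kasan(SAMPLE)).items():
        print(f"{key:20} {val}")
```

On the excerpt it reports the fault in ovs_vport_locate (vport.c:103), reached
through read_pnet/ovs_dp_get_net inlined, called from lookup_datapath on the
ovs_dp_cmd_new path that enters via __sys_sendmsg; the object was allocated by a
different task (5564, not 5621) in ovs_dp_cmd_new at datapath.c:1796; and there
is no free stack, which is why the mail alone does not settle the root cause.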

Re: [ovs-dev] [syzbot] KASAN: use-after-free Read in ovs_vport_locate

2022-12-20 Thread Aaron Conole
Paolo Abeni writes:

> On Tue, 2022-12-20 at 00:22 -0800, syzbot wrote:
>> HEAD commit:041fae9c105a Merge tag 'f2fs-for-6.2-rc1' of git://git.ker..
>> git tree:   upstream
>> console output: https://syzkaller.appspot.com/x/log.txt?x=15c5d02048
>> kernel config:  https://syzkaller.appspot.com/x/.config?x=836aafbf33f4fa6c
>> dashboard link: https://syzkaller.appspot.com/bug?extid=8f4e2dcfcb3209ac35f9
>> compiler:   gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils 
>> for Debian) 2.35.2
>> 
>> Unfortunately, I don't have any reproducer for this issue yet.
>> 
>> Downloadable assets:
>> disk image: 
>> https://storage.googleapis.com/syzbot-assets/30e749b24df4/disk-041fae9c.raw.xz
>> vmlinux: 
>> https://storage.googleapis.com/syzbot-assets/dd6d972f5b02/vmlinux-041fae9c.xz
>> kernel image: 
>> https://storage.googleapis.com/syzbot-assets/405163d7c7cc/bzImage-041fae9c.xz
>> 
>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>> Reported-by: syzbot+8f4e2dcfcb3209ac3...@syzkaller.appspotmail.com
>> 
>> netlink: 208 bytes leftover after parsing attributes in process 
>> `syz-executor.4'.
>> ==================================================================
>> BUG: KASAN: use-after-free in read_pnet include/net/net_namespace.h:383 
>> [inline]
>> BUG: KASAN: use-after-free in ovs_dp_get_net net/openvswitch/datapath.h:195 
>> [inline]
>> BUG: KASAN: use-after-free in ovs_vport_locate+0x131/0x150 
>> net/openvswitch/vport.c:103
>> Read of size 8 at addr 88802055e360 by task syz-executor.4/5621
>> 
>> CPU: 0 PID: 5621 Comm: syz-executor.4 Not tainted 
>> 6.1.0-syzkaller-10971-g041fae9c105a #0
>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS 
>> Google 10/26/2022
>> Call Trace:
>>  <TASK>
>>  __dump_stack lib/dump_stack.c:88 [inline]
>>  dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
>>  print_address_description mm/kasan/report.c:306 [inline]
>>  print_report+0x15e/0x461 mm/kasan/report.c:417
>>  kasan_report+0xbf/0x1f0 mm/kasan/report.c:517
>>  read_pnet include/net/net_namespace.h:383 [inline]
>>  ovs_dp_get_net net/openvswitch/datapath.h:195 [inline]
>>  ovs_vport_locate+0x131/0x150 net/openvswitch/vport.c:103
>>  lookup_datapath+0x54/0x3a0 net/openvswitch/datapath.c:1628
>>  ovs_dp_reset_user_features net/openvswitch/datapath.c:1639 [inline]
>>  ovs_dp_cmd_new+0xd5b/0x11c0 net/openvswitch/datapath.c:1848
>>  genl_family_rcv_msg_doit.isra.0+0x1e6/0x2d0 net/netlink/genetlink.c:968
>>  genl_family_rcv_msg net/netlink/genetlink.c:1048 [inline]
>>  genl_rcv_msg+0x4ff/0x7e0 net/netlink/genetlink.c:1065
>>  netlink_rcv_skb+0x165/0x440 net/netlink/af_netlink.c:2564
>>  genl_rcv+0x28/0x40 net/netlink/genetlink.c:1076
>>  netlink_unicast_kernel net/netlink/af_netlink.c:1330 [inline]
>>  netlink_unicast+0x547/0x7f0 net/netlink/af_netlink.c:1356
>>  netlink_sendmsg+0x91b/0xe10 net/netlink/af_netlink.c:1932
>>  sock_sendmsg_nosec net/socket.c:714 [inline]
>>  sock_sendmsg+0xd3/0x120 net/socket.c:734
>>  sys_sendmsg+0x712/0x8c0 net/socket.c:2476
>>  ___sys_sendmsg+0x110/0x1b0 net/socket.c:2530
>>  __sys_sendmsg+0xf7/0x1c0 net/socket.c:2559
>>  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>>  do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
>>  entry_SYSCALL_64_after_hwframe+0x63/0xcd
>> RIP: 0033:0x7f142348c0d9
>> Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 
>> 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 
>> 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
>> RSP: 002b:7f14240ff168 EFLAGS: 0246 ORIG_RAX: 002e
>> RAX: ffda RBX: 7f14235abf80 RCX: 7f142348c0d9
>> RDX: 0800 RSI: 2100 RDI: 0003
>> RBP: 7f14234e7ae9 R08:  R09: 
>> R10:  R11: 0246 R12: 
>> R13: 7ffdd965a34f R14: 7f14240ff300 R15: 00022000
>>  </TASK>
>> 
>> Allocated by task 5564:
>>  kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
>>  kasan_set_track+0x25/0x30 mm/kasan/common.c:52
>>  kasan_kmalloc mm/kasan/common.c:371 [inline]
>>  kasan_kmalloc mm/kasan/common.c:330 [inline]
>>  __kasan_kmalloc+0xa3/0xb0 mm/kasan/common.c:380
>>  kmalloc include/linux/slab.h:580 [inline]
>>  kzalloc include/linux/slab.h:720 [inline]
>>  ovs_dp_cmd_new+0x1a3/0x11c0 net/openvswitch/datapath.c:1796
>>  genl_family_rcv_msg_doit.isra.0+0x1e6/0x2d0 net/netlink/genetlink.c:968
>>  genl_family_rcv_msg net/netlink/genetlink.c:1048 [inline]
>>  genl_rcv_msg+0x4ff/0x7e0 net/netlink/genetlink.c:1065
>>  netlink_rcv_skb+0x165/0x440 net/netlink/af_netlink.c:2564
>>  genl_rcv+0x28/0x40 net/netlink/genetlink.c:1076
>>  netlink_unicast_kernel net/netlink/af_netlink.c:1330 [inline]
>>  netlink_unicast+0x547/0x7f0 net/netlink/af_netlink.c:1356
>>  netlink_sendmsg+0x91b/0xe10 net/netlink/af_netlink.c:1932
>>  sock_sendmsg_nosec net/socket.c:714 [inline]
>>  

Re: [ovs-dev] [syzbot] KASAN: use-after-free Read in ovs_vport_locate

2022-12-20 Thread Paolo Abeni
On Tue, 2022-12-20 at 00:22 -0800, syzbot wrote:
> HEAD commit:041fae9c105a Merge tag 'f2fs-for-6.2-rc1' of git://git.ker..
> git tree:   upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=15c5d02048
> kernel config:  https://syzkaller.appspot.com/x/.config?x=836aafbf33f4fa6c
> dashboard link: https://syzkaller.appspot.com/bug?extid=8f4e2dcfcb3209ac35f9
> compiler:   gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils 
> for Debian) 2.35.2
> 
> Unfortunately, I don't have any reproducer for this issue yet.
> 
> Downloadable assets:
> disk image: 
> https://storage.googleapis.com/syzbot-assets/30e749b24df4/disk-041fae9c.raw.xz
> vmlinux: 
> https://storage.googleapis.com/syzbot-assets/dd6d972f5b02/vmlinux-041fae9c.xz
> kernel image: 
> https://storage.googleapis.com/syzbot-assets/405163d7c7cc/bzImage-041fae9c.xz
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+8f4e2dcfcb3209ac3...@syzkaller.appspotmail.com
> 
> netlink: 208 bytes leftover after parsing attributes in process 
> `syz-executor.4'.
> ==================================================================
> BUG: KASAN: use-after-free in read_pnet include/net/net_namespace.h:383 
> [inline]
> BUG: KASAN: use-after-free in ovs_dp_get_net net/openvswitch/datapath.h:195 
> [inline]
> BUG: KASAN: use-after-free in ovs_vport_locate+0x131/0x150 
> net/openvswitch/vport.c:103
> Read of size 8 at addr 88802055e360 by task syz-executor.4/5621
> 
> CPU: 0 PID: 5621 Comm: syz-executor.4 Not tainted 
> 6.1.0-syzkaller-10971-g041fae9c105a #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS 
> Google 10/26/2022
> Call Trace:
>  <TASK>
>  __dump_stack lib/dump_stack.c:88 [inline]
>  dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
>  print_address_description mm/kasan/report.c:306 [inline]
>  print_report+0x15e/0x461 mm/kasan/report.c:417
>  kasan_report+0xbf/0x1f0 mm/kasan/report.c:517
>  read_pnet include/net/net_namespace.h:383 [inline]
>  ovs_dp_get_net net/openvswitch/datapath.h:195 [inline]
>  ovs_vport_locate+0x131/0x150 net/openvswitch/vport.c:103
>  lookup_datapath+0x54/0x3a0 net/openvswitch/datapath.c:1628
>  ovs_dp_reset_user_features net/openvswitch/datapath.c:1639 [inline]
>  ovs_dp_cmd_new+0xd5b/0x11c0 net/openvswitch/datapath.c:1848
>  genl_family_rcv_msg_doit.isra.0+0x1e6/0x2d0 net/netlink/genetlink.c:968
>  genl_family_rcv_msg net/netlink/genetlink.c:1048 [inline]
>  genl_rcv_msg+0x4ff/0x7e0 net/netlink/genetlink.c:1065
>  netlink_rcv_skb+0x165/0x440 net/netlink/af_netlink.c:2564
>  genl_rcv+0x28/0x40 net/netlink/genetlink.c:1076
>  netlink_unicast_kernel net/netlink/af_netlink.c:1330 [inline]
>  netlink_unicast+0x547/0x7f0 net/netlink/af_netlink.c:1356
>  netlink_sendmsg+0x91b/0xe10 net/netlink/af_netlink.c:1932
>  sock_sendmsg_nosec net/socket.c:714 [inline]
>  sock_sendmsg+0xd3/0x120 net/socket.c:734
>  sys_sendmsg+0x712/0x8c0 net/socket.c:2476
>  ___sys_sendmsg+0x110/0x1b0 net/socket.c:2530
>  __sys_sendmsg+0xf7/0x1c0 net/socket.c:2559
>  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>  do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
>  entry_SYSCALL_64_after_hwframe+0x63/0xcd
> RIP: 0033:0x7f142348c0d9
> Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 
> 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 
> 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:7f14240ff168 EFLAGS: 0246 ORIG_RAX: 002e
> RAX: ffda RBX: 7f14235abf80 RCX: 7f142348c0d9
> RDX: 0800 RSI: 2100 RDI: 0003
> RBP: 7f14234e7ae9 R08:  R09: 
> R10:  R11: 0246 R12: 
> R13: 7ffdd965a34f R14: 7f14240ff300 R15: 00022000
>  </TASK>
> 
> Allocated by task 5564:
>  kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
>  kasan_set_track+0x25/0x30 mm/kasan/common.c:52
>  kasan_kmalloc mm/kasan/common.c:371 [inline]
>  kasan_kmalloc mm/kasan/common.c:330 [inline]
>  __kasan_kmalloc+0xa3/0xb0 mm/kasan/common.c:380
>  kmalloc include/linux/slab.h:580 [inline]
>  kzalloc include/linux/slab.h:720 [inline]
>  ovs_dp_cmd_new+0x1a3/0x11c0 net/openvswitch/datapath.c:1796
>  genl_family_rcv_msg_doit.isra.0+0x1e6/0x2d0 net/netlink/genetlink.c:968
>  genl_family_rcv_msg net/netlink/genetlink.c:1048 [inline]
>  genl_rcv_msg+0x4ff/0x7e0 net/netlink/genetlink.c:1065
>  netlink_rcv_skb+0x165/0x440 net/netlink/af_netlink.c:2564
>  genl_rcv+0x28/0x40 net/netlink/genetlink.c:1076
>  netlink_unicast_kernel net/netlink/af_netlink.c:1330 [inline]
>  netlink_unicast+0x547/0x7f0 net/netlink/af_netlink.c:1356
>  netlink_sendmsg+0x91b/0xe10 net/netlink/af_netlink.c:1932
>  sock_sendmsg_nosec net/socket.c:714 [inline]
>  sock_sendmsg+0xd3/0x120 net/socket.c:734
>  sys_sendmsg+0x712/0x8c0 net/socket.c:2476
>  ___sys_sendmsg+0x110/0x1b0 net/socket.c:2530
>