From: Cong Wang
Date: Wed, 1 Aug 2018 22:23:42 -0700
Subject: Re: KASAN: use-after-free Read in rtnetlink_put_metrics
To: Sabrina Dubroca
Cc: Eric Dumazet, syzbot+41f9c04b50ef70c66947@syzkaller.appspotmail.com, Christian Brauner, David Miller, David Ahern, Florian Westphal, Jiri Benc, Kirill Tkhai, LKML, lucien xin, Linux Kernel Network Developers, syzkaller-bugs@googlegroups.com
In-Reply-To: <20180801081537.GA31982@bistromath.localdomain>
References: <0000000000004fe2be05724ac084@google.com> <20180731134014.GA32114@bistromath.localdomain> <20180801081537.GA31982@bistromath.localdomain>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Aug 1, 2018 at 1:15 AM Sabrina Dubroca wrote:
>
> 2018-07-31, 16:03:13 -0700, Cong Wang wrote:
> > On Tue, Jul 31, 2018 at 6:41 AM Sabrina Dubroca wrote:
> > >
> > > 2018-07-31, 05:41:56 -0700, Eric Dumazet wrote:
> > > >
> > > > On 07/31/2018 05:31 AM, syzbot wrote:
> > > > > Hello,
> > > > >
> > > > > syzbot found the following crash on:
> > > > >
> > > > > HEAD commit:    61f4b23769f0 netlink: Don't shift with UB on nlk->ngroups
> > > > > git tree:       net
> > > > > console output: https://syzkaller.appspot.com/x/log.txt?x=14a9de58400000
> > > > > kernel config:  https://syzkaller.appspot.com/x/.config?x=ffb4428fdc82f93b
> > > > > dashboard link: https://syzkaller.appspot.com/bug?extid=41f9c04b50ef70c66947
> > > > > compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
> > > > >
> > > > > Unfortunately, I don't have any reproducer for this crash yet.
> > > [...]
> > > >
> > > > Probably also caused by:
> > > >
> > > > commit df18b50448fab1dff093731dfd0e25e77e1afcd1
> > > > Author: Sabrina Dubroca
> > > > Date:   Mon Jul 30 16:23:10 2018 +0200
> > > >
> > > >     net/ipv6: fix metrics leak
> > >
> > > Yeah, I'm looking into both those reports :/
> >
> > Looks like this commit is completely unnecessary,
> > fib6_drop_pcpu_from() calls fib6_info_release()
> > which calls fib6_info_destroy_rcu(), so these metrics
> > will be released twice...
>
> kmemleak disagrees:

This information is missing from the changelog. :)

> unreferenced object 0xffff88006b605080 (size 96):
>   comm "ip", pid 433, jiffies 4294889793 (age 74.844s)
>   hex dump (first 32 bytes):
>     00 00 00 00 f4 01 00 00 00 00 00 00 00 00 00 00  ................
>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>   backtrace:
>     [<000000002650e4e2>] ip6_route_info_create+0x770/0x4050
>     [<000000000a8d4c52>] ip6_route_add+0x18/0x90
>     [<00000000474d669c>] inet6_rtm_newroute+0xeb/0x100
>     [<0000000019fb732d>] rtnetlink_rcv_msg+0x3b5/0xb40
>     [<000000006f891e19>] netlink_rcv_skb+0x137/0x380
>     [<0000000070451985>] netlink_unicast+0x47f/0x6e0
>     [<000000004487d656>] netlink_sendmsg+0x7a7/0x10c0
>     [<0000000089fdf5ae>] sock_sendmsg+0xac/0x160
>     [<00000000aae19c54>] ___sys_sendmsg+0x6e0/0xbb0
>     [<00000000a3906352>] __sys_sendmsg+0xdc/0x230
>     [<00000000c7c8548a>] do_syscall_64+0x15d/0x740
>     [<000000007dfdad73>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
>     [<000000003adb705a>] 0xffffffffffffffff

My kernel dev machine is broken now. I will take a look tomorrow
after I fix my kernel dev machine.

Thanks!
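As an added illustration of the ownership rule the thread argues over (this is a constructed model, not kernel code; the struct and function names are simplified stand-ins for the kernel's), the toy below counts what kmemleak and KASAN would each flag when the owner's single metrics reference is put twice or never put at all:

```c
/* Toy model of the ownership rule the thread argues about: the fib6_info owns
 * one reference on its metrics and the destroy path is the only place that
 * drops it. Constructed example; names only loosely follow the kernel's. */
#include <stdlib.h>
#define METRICS_LIVE 0x4d455452u  /* "METR": object is still valid */

struct dst_metrics { unsigned int magic; int refcnt; unsigned int metrics[4]; };
struct fib6_info   { struct dst_metrics *fib6_metrics; };
struct audit       { int allocated, freed, bad_puts; };  /* what kmemleak/KASAN would count */

static struct dst_metrics *metrics_alloc(struct audit *a) {
    struct dst_metrics *m = calloc(1, sizeof *m);
    if (!m) abort();
    m->magic = METRICS_LIVE;
    m->refcnt = 1;                        /* the reference handed to the owner */
    a->allocated++;
    return m;
}

/* Drop one reference. At zero the object is poisoned rather than freed so that
 * a later put on it is detectable: that second put is the UAF KASAN reported. */
static void metrics_put(struct dst_metrics *m, struct audit *a) {
    if (m->magic != METRICS_LIVE || m->refcnt <= 0) { a->bad_puts++; return; }
    if (--m->refcnt == 0) { m->magic = 0; a->freed++; }
}

/* fib6_info_destroy_rcu()-style teardown: the one correct put, here and nowhere else. */
static void fib6_info_destroy(struct fib6_info *f, struct audit *a) {
    metrics_put(f->fib6_metrics, a);
}

/* Extra put before teardown, the double release Cong Wang describes: returns 1. */
int scenario_double_put(void) {
    struct audit a = {0};
    struct fib6_info f = { metrics_alloc(&a) };
    metrics_put(f.fib6_metrics, &a);      /* the added release in the pcpu drop path */
    fib6_info_destroy(&f, &a);            /* second put lands on a dead object */
    free(f.fib6_metrics);
    return a.bad_puts;
}

/* Metrics allocated but never handed to an owner that puts them, the kind of
 * leak Sabrina's kmemleak report shows: returns 1 unreferenced object. */
int scenario_leak(void) {
    struct audit a = {0};
    struct dst_metrics *m = metrics_alloc(&a);
    int leaked = a.allocated - a.freed;
    free(m);                              /* only to keep the model itself clean */
    return leaked;
}
```

Both counters must be zero for a refcount scheme to be correct; moving a put between call sites trades one non-zero counter for the other unless exactly one owner is responsible for it.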