syzbot
```
l2tp_core: tunl 4: fd 7 wrong protocol, got 1, expected 17
l2tp_core: tunl 4: fd 4 wrong protocol, got 1, expected 17
l2tp_core: tunl 4: fd 7 wrong protocol, got 1, expected 17
l2tp_core: tunl 4: fd 4 wrong protocol, got 1, expected 17
==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x2eff/0x3640 kernel/locking/lockdep.c:3224
Read of size 8 at addr ffff8801d3f99a20 by task syzkaller540979/4836

CPU: 0 PID: 4836 Comm: syzkaller540979 Not tainted 4.9.83-ga92bb8d #51
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d387f600 ffffffff81d95149 ffffea00074fe600 ffff8801d3f99a20
 0000000000000000 ffff8801d3f99a20 ffff8801d3f99a20 ffff8801d387f638
 ffffffff8153e213 ffff8801d3f99a20 0000000000000008 0000000000000000
Call Trace:
 [<ffffffff81d95149>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d95149>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153e213>] print_address_description+0x73/0x280 mm/kasan/report.c:252
 [<ffffffff8153e735>] kasan_report_error mm/kasan/report.c:351 [inline]
 [<ffffffff8153e735>] kasan_report+0x275/0x360 mm/kasan/report.c:408
 [<ffffffff8153e894>] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:429
 [<ffffffff8123ef2f>] __lock_acquire+0x2eff/0x3640 kernel/locking/lockdep.c:3224
 [<ffffffff812400ae>] lock_acquire+0x12e/0x410 kernel/locking/lockdep.c:3756
 [<ffffffff838b43da>] __raw_spin_lock_bh include/linux/spinlock_api_smp.h:137 [inline]
 [<ffffffff838b43da>] _raw_spin_lock_bh+0x3a/0x50 kernel/locking/spinlock.c:175
 [<ffffffff82ee5013>] spin_lock_bh include/linux/spinlock.h:307 [inline]
 [<ffffffff82ee5013>] lock_sock_nested+0x43/0x120 net/core/sock.c:2503
 [<ffffffff8358f400>] lock_sock include/net/sock.h:1404 [inline]
 [<ffffffff8358f400>] pppol2tp_release+0x50/0x2e0 net/l2tp/l2tp_ppp.c:476
 [<ffffffff82ed589d>] sock_release+0x8d/0x1e0 net/socket.c:599
 [<ffffffff82ed5a06>] sock_close+0x16/0x20 net/socket.c:1046
 [<ffffffff8157580c>] __fput+0x28c/0x6e0 fs/file_table.c:208
 [<ffffffff81575ce5>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff81195855>] task_work_run+0x115/0x190 kernel/task_work.c:116
 [<ffffffff8113c2c7>] exit_task_work include/linux/task_work.h:21 [inline]
 [<ffffffff8113c2c7>] do_exit+0x7e7/0x2a40 kernel/exit.c:833
 [<ffffffff811429d8>] do_group_exit+0x108/0x320 kernel/exit.c:937
 [<ffffffff81165854>] get_signal+0x4d4/0x14e0 kernel/signal.c:2317
 [<ffffffff81052c87>] do_signal+0x87/0x19f0 arch/x86/kernel/signal.c:807
 [<ffffffff81003a31>] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:157
 [<ffffffff81007261>] prepare_exit_to_usermode arch/x86/entry/common.c:191 [inline]
 [<ffffffff81007261>] syscall_return_slowpath arch/x86/entry/common.c:260 [inline]
 [<ffffffff81007261>] do_syscall_32_irqs_on arch/x86/entry/common.c:331 [inline]
 [<ffffffff81007261>] do_fast_syscall_32+0x5c1/0x870 arch/x86/entry/common.c:387
 [<ffffffff838b6590>] entry_SYSENTER_compat+0x90/0xa2 arch/x86/entry/entry_64_compat.S:137

Allocated by task 4837:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:505
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:609
 __kmalloc+0x11d/0x310 mm/slub.c:3741
 kmalloc include/linux/slab.h:495 [inline]
 sk_prot_alloc+0x101/0x2a0 net/core/sock.c:1338
 sk_alloc+0x3a/0x3a0 net/core/sock.c:1394
 pppol2tp_create+0x33/0x1f0 net/l2tp/l2tp_ppp.c:534
 pppox_create+0xf1/0x200 drivers/net/ppp/pppox.c:121
 __sock_create+0x3ab/0x640 net/socket.c:1182
 sock_create net/socket.c:1222 [inline]
 SYSC_socket net/socket.c:1252 [inline]
 SyS_socket+0xf0/0x1b0 net/socket.c:1232
 do_syscall_32_irqs_on arch/x86/entry/common.c:325 [inline]
 do_fast_syscall_32+0x2f5/0x870 arch/x86/entry/common.c:387
 entry_SYSENTER_compat+0x90/0xa2 arch/x86/entry/entry_64_compat.S:137

Freed by task 4836:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:505
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:582
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0x103/0x300 mm/slub.c:3878
 sk_prot_free net/core/sock.c:1377 [inline]
 __sk_destruct+0x47f/0x570 net/core/sock.c:1455
 sk_destruct+0x47/0x80 net/core/sock.c:1463
 __sk_free+0x57/0x230 net/core/sock.c:1471
 sk_free+0x23/0x30 net/core/sock.c:1482
 sock_put include/net/sock.h:1588 [inline]
 pppol2tp_session_sock_put+0x5a/0x70 net/l2tp/l2tp_ppp.c:271
 l2tp_tunnel_closeall+0x254/0x3a0 net/l2tp/l2tp_core.c:1371
 l2tp_udp_encap_destroy+0x87/0xe0 net/l2tp/l2tp_core.c:1394
 udpv6_destroy_sock+0xb1/0xd0 net/ipv6/udp.c:1336
 sk_common_release+0x6b/0x2f0 net/core/sock.c:2727
 udp_lib_close+0x15/0x20 include/net/udp.h:203
 inet_release+0xfa/0x1d0 net/ipv4/af_inet.c:434
 inet6_release+0x50/0x70 net/ipv6/af_inet6.c:440
 sock_release+0x8d/0x1e0 net/socket.c:599
 sock_close+0x16/0x20 net/socket.c:1046
 __fput+0x28c/0x6e0 fs/file_table.c:208
 ____fput+0x15/0x20 fs/file_table.c:244
 task_work_run+0x115/0x190 kernel/task_work.c:116
 tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 exit_to_usermode_loop+0xfc/0x120 arch/x86/entry/common.c:161
 prepare_exit_to_usermode arch/x86/entry/common.c:191 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:260 [inline]
 do_syscall_32_irqs_on arch/x86/entry/common.c:331 [inline]
 do_fast_syscall_32+0x5c1/0x870 arch/x86/entry/common.c:387
 entry_SYSENTER_compat+0x90/0xa2 arch/x86/entry/entry_64_compat.S:137

The buggy address belongs to the object at ffff8801d3f99980
 which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 160 bytes inside of
 2048-byte region [ffff8801d3f99980, ffff8801d3f9a180)
The buggy address belongs to the page:
page:ffffea00074fe600 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
flags: 0x8000000000004080(slab|head)
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801d3f99900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8801d3f99980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801d3f99a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                               ^
 ffff8801d3f99a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801d3f99b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
```

| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2018/02/25 09:26 | https://android.googlesource.com/kernel/common android-4.9 | a92bb8d6eac3 | 5c1e0207 | .config | console log | report | syz | C | | | ci-android-49-kasan-gce-386 | |
| 2018/08/23 02:36 | https://android.googlesource.com/kernel/common android-4.9 | 8dd3fc2ed765 | 95b5c82b | .config | console log | report | syz | | | | ci-android-49-kasan-gce-root | |
| 2018/08/22 18:38 | https://android.googlesource.com/kernel/common android-4.9 | 8dd3fc2ed765 | 95b5c82b | .config | console log | report | syz | | | | ci-android-49-kasan-gce | |
| 2018/08/22 19:10 | https://android.googlesource.com/kernel/common android-4.9 | 8dd3fc2ed765 | 95b5c82b | .config | console log | report | syz | | | | ci-android-49-kasan-gce-386 | |
| 2018/07/05 00:39 | https://android.googlesource.com/kernel/common android-4.9 | 03c70feafdb2 | e1b966c6 | .config | console log | report | syz | | | | ci-android-49-kasan-gce-386 | |
| 2018/06/02 06:41 | https://android.googlesource.com/kernel/common android-4.9 | d7e64f8022e4 | 2f93b54f | .config | console log | report | syz | | | | ci-android-49-kasan-gce-386 | |
| 2018/04/27 00:29 | https://android.googlesource.com/kernel/common android-4.9 | 71fce1edd26d | 73417389 | .config | console log | report | syz | | | | ci-android-49-kasan-gce-386 | |
| 2018/04/06 03:46 | https://android.googlesource.com/kernel/common android-4.9 | 7cd956196346 | a932eae6 | .config | console log | report | syz | | | | ci-android-49-kasan-gce-386 | |
| 2018/08/04 23:49 | https://android.googlesource.com/kernel/common android-4.9 | 8b21e85d919c | 3476a2df | .config | console log | report | | | | | ci-android-49-kasan-gce | |
| 2018/08/02 13:12 | https://android.googlesource.com/kernel/common android-4.9 | 0137ea2134c0 | 0a7cf4ec | .config | console log | report | | | | | ci-android-49-kasan-gce | |
| 2018/07/30 01:36 | https://android.googlesource.com/kernel/common android-4.9 | 990559158c7b | 1a381291 | .config | console log | report | | | | | ci-android-49-kasan-gce | |
| 2018/07/23 14:08 | https://android.googlesource.com/kernel/common android-4.9 | 47bbcd6bf8f9 | f69c5fcd | .config | console log | report | | | | | ci-android-49-kasan-gce | |
| 2018/07/23 04:33 | https://android.googlesource.com/kernel/common android-4.9 | 47bbcd6bf8f9 | 8cc079c3 | .config | console log | report | | | | | ci-android-49-kasan-gce | |
| 2018/07/17 20:35 | https://android.googlesource.com/kernel/common android-4.9 | f540ce029f50 | 6d5bd5b5 | .config | console log | report | | | | | ci-android-49-kasan-gce-root | |
| 2018/07/16 00:50 | https://android.googlesource.com/kernel/common android-4.9 | 9e7903954483 | 92a49505 | .config | console log | report | | | | | ci-android-49-kasan-gce | |
| 2018/06/25 19:02 | https://android.googlesource.com/kernel/common android-4.9 | 7cecc756ceae | 2064fc5c | .config | console log | report | | | | | ci-android-49-kasan-gce | |
| 2018/06/24 05:21 | https://android.googlesource.com/kernel/common android-4.9 | 7cecc756ceae | 2064fc5c | .config | console log | report | | | | | ci-android-49-kasan-gce-root | |
| 2018/06/13 19:49 | https://android.googlesource.com/kernel/common android-4.9 | b7d377b4640b | 27c5f59f | .config | console log | report | | | | | ci-android-49-kasan-gce | |
| 2018/06/05 06:06 | https://android.googlesource.com/kernel/common android-4.9 | 61aafb6b6e40 | a50d873b | .config | console log | report | | | | | ci-android-49-kasan-gce | |
| 2018/05/29 13:51 | https://android.googlesource.com/kernel/common android-4.9 | 0cecdf831513 | e276de77 | .config | console log | report | | | | | ci-android-49-kasan-gce | |
| 2018/05/29 02:37 | https://android.googlesource.com/kernel/common android-4.9 | 0cecdf831513 | f48c20b8 | .config | console log | report | | | | | ci-android-49-kasan-gce-root | |
| 2018/05/28 18:36 | https://android.googlesource.com/kernel/common android-4.9 | 0cecdf831513 | f48c20b8 | .config | console log | report | | | | | ci-android-49-kasan-gce | |
| 2018/05/13 08:02 | https://android.googlesource.com/kernel/common android-4.9 | c2f9bce9fee8 | e726f42b | .config | console log | report | | | | | ci-android-49-kasan-gce | |
| 2018/05/13 05:54 | https://android.googlesource.com/kernel/common android-4.9 | c2f9bce9fee8 | e726f42b | .config | console log | report | | | | | ci-android-49-kasan-gce | |
| 2018/04/11 16:25 | https://android.googlesource.com/kernel/common android-4.9 | f6bec4e8c771 | 8b8de427 | .config | console log | report | | | | | ci-android-49-kasan-gce | |
| 2018/04/01 15:37 | https://android.googlesource.com/kernel/common android-4.9 | 9c3fb9cd6e63 | 0a78e248 | .config | console log | report | | | | | ci-android-49-kasan-gce | |
| 2018/03/26 06:47 | https://android.googlesource.com/kernel/common android-4.9 | dd1e37e64645 | e033c1f1 | .config | console log | report | | | | | ci-android-49-kasan-gce | |
| 2018/03/25 22:27 | https://android.googlesource.com/kernel/common android-4.9 | dd1e37e64645 | e033c1f1 | .config | console log | report | | | | | ci-android-49-kasan-gce | |
| 2018/03/21 16:52 | https://android.googlesource.com/kernel/common android-4.9 | 71df7bbae4d8 | f63eeee9 | .config | console log | report | | | | | ci-android-49-kasan-gce | |
| 2018/03/01 21:10 | https://android.googlesource.com/kernel/common android-4.9 | 4c4262aa50dc | c4089507 | .config | console log | report | | | | | ci-android-49-kasan-gce | |
| 2018/07/22 11:39 | https://android.googlesource.com/kernel/common android-4.9 | 47bbcd6bf8f9 | 8cc079c3 | .config | console log | report | | | | | ci-android-49-kasan-gce-386 | |
| 2018/07/19 21:50 | https://android.googlesource.com/kernel/common android-4.9 | 47bbcd6bf8f9 | 49f35839 | .config | console log | report | | | | | ci-android-49-kasan-gce-386 | |
| 2018/07/02 03:42 | https://android.googlesource.com/kernel/common android-4.9 | 00a0bcbfcfb6 | dba0b50e | .config | console log | report | | | | | ci-android-49-kasan-gce-386 | |
| 2018/04/20 13:59 | https://android.googlesource.com/kernel/common android-4.9 | 8683408f8e81 | cc402841 | .config | console log | report | | | | | ci-android-49-kasan-gce-386 | |
| 2018/03/09 03:49 | https://android.googlesource.com/kernel/common android-4.9 | 00db063b0f88 | 36d1c454 | .config | console log | report | | | | | ci-android-49-kasan-gce-386 | |
| 2018/03/07 02:44 | https://android.googlesource.com/kernel/common android-4.9 | b324a701539e | c8a18476 | .config | console log | report | | | | | ci-android-49-kasan-gce-386 | |
| 2018/02/25 17:03 | https://android.googlesource.com/kernel/common android-4.9 | a92bb8d6eac3 | 5c1e0207 | .config | console log | report | | | | | ci-android-49-kasan-gce-386 | |
| 2018/02/25 08:44 | https://android.googlesource.com/kernel/common android-4.9 | a92bb8d6eac3 | 5c1e0207 | .config | console log | report | | | | | ci-android-49-kasan-gce-386 | |
| 2018/02/10 17:42 | https://android.googlesource.com/kernel/common android-4.9 | 8a174b4749d3 | e67d44e0 | .config | console log | report | | | | | ci-android-49-kasan-gce-386 | |