Hi, On 5/4/2024 6:21 PM, syzbot wrote: > Hello, > > syzbot found the following issue on: > > HEAD commit: 2506f6229bd0 Merge branch 'net-dsa-adjust_link-removal' > git tree: net-next > console output: https://syzkaller.appspot.com/x/log.txt?x=11ac64ef180000 > kernel config: https://syzkaller.appspot.com/x/.config?x=15dda165e1d20cf1 > dashboard link: https://syzkaller.appspot.com/bug?extid=061f58eec3bde7ee8ffa > compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 > > Unfortunately, I don't have any reproducer for this issue yet. > > Downloadable assets: > disk image: https://storage.googleapis.com/syzbot-assets/fc61e6a6e169/disk-2506f622.raw.xz > vmlinux: https://storage.googleapis.com/syzbot-assets/3ed6cc1ccbe5/vmlinux-2506f622.xz > kernel image: https://storage.googleapis.com/syzbot-assets/c6ea42464245/bzImage-2506f622.xz > > IMPORTANT: if you fix the issue, please add the following tag to the commit: > Reported-by: syzbot+061f58eec3bde7ee8ffa@xxxxxxxxxxxxxxxxxxxxxxxxx > > ================================================================== > BUG: KASAN: slab-use-after-free in lockdep_register_key+0x253/0x3f0 kernel/locking/lockdep.c:1225 > Read of size 8 at addr ffff88805fe2c298 by task syz-executor.1/5906 > > CPU: 1 PID: 5906 Comm: syz-executor.1 Not tainted 6.9.0-rc5-syzkaller-01473-g2506f6229bd0 #0 > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 > Call Trace: > <TASK> > __dump_stack lib/dump_stack.c:88 [inline] > dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114 > print_address_description mm/kasan/report.c:377 [inline] > print_report+0x169/0x550 mm/kasan/report.c:488 > kasan_report+0x143/0x180 mm/kasan/report.c:601 > lockdep_register_key+0x253/0x3f0 kernel/locking/lockdep.c:1225 > htab_map_alloc+0x9b/0xe60 kernel/bpf/hashtab.c:506 > map_create+0x90c/0x1200 kernel/bpf/syscall.c:1333 > __sys_bpf+0x6d1/0x810 kernel/bpf/syscall.c:5659 > __do_sys_bpf kernel/bpf/syscall.c:5784 [inline] > __se_sys_bpf kernel/bpf/syscall.c:5782 [inline] > __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5782 > do_syscall_x64 arch/x86/entry/common.c:52 [inline] > do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 > entry_SYSCALL_64_after_hwframe+0x77/0x7f > RIP: 0033:0x7f7781e7dea9 > Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 > RSP: 002b:00007f7782c720c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 > RAX: ffffffffffffffda RBX: 00007f7781fabf80 RCX: 00007f7781e7dea9 > RDX: 0000000000000048 RSI: 0000000020000140 RDI: 0100000000000000 > RBP: 00007f7781eca4a4 R08: 0000000000000000 R09: 0000000000000000 > R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 > R13: 000000000000000b R14: 00007f7781fabf80 R15: 00007ffe14057dd8 > </TASK> > > Allocated by task 5593: > kasan_save_stack mm/kasan/common.c:47 [inline] > kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 > poison_kmalloc_redzone mm/kasan/common.c:370 [inline] > __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387 > kasan_kmalloc include/linux/kasan.h:211 [inline] > __do_kmalloc_node mm/slub.c:3966 [inline] > __kmalloc_node_track_caller+0x24e/0x4e0 mm/slub.c:3986 > kmalloc_reserve+0x111/0x2a0 net/core/skbuff.c:597 > __alloc_skb+0x1f3/0x440 net/core/skbuff.c:666 > alloc_skb include/linux/skbuff.h:1308 [inline] SNIP > > The buggy address belongs to the object at ffff88805fe2c000 > which belongs to the cache kmalloc-2k of size 2048 > The buggy address is located 664 bytes inside of > freed 2048-byte region [ffff88805fe2c000, ffff88805fe2c800) After checking all possible callers of lockdep_register_key(), it seems that the culprit is Qdisc instead of bpf hash-table, because only the offset of lock_class_key in Qdisc is 664. And I think the use-after-free problem happens as follow: (1) call qdisc_alloc() After calling lockdep_register_key(), qdisc_alloc() goes to errout1 due to netdev_alloc_pcpu_stats() fails. However it doesn't call lockdep_register_key() to unregister root_lock_key, but it frees the allocated memory (2) call htab_map_alloc During the calling of lockdep_register_key(), it finds the lockdep_key registered by free-ed Qdisc and triggers the use-after-free. Will post a simple patch to fix it.
