API tools faq
paste
Advertisement
Guest User

Untitled

a guest
Feb 26th, 2025
7
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 8.62 KB | None | 0 0
raw download clone embed print report
  1. ==================================================================
  2. BUG: KASAN: slab-use-after-free in dev_map_enqueue+0x3b/0x80 kernel/bpf/devmap.c:529
  3. Read of size 8 at addr ffff8881135c2480 by task syz.0.89/3134
  4.  
  5. CPU: 1 PID: 3134 Comm: syz.0.89 Not tainted 6.6.52-syzkaller #0
  6. Call Trace:
  7. <TASK>
  8. __dump_stack lib/dump_stack.c:88 [inline]
  9. dump_stack_lvl+0x1b5/0x2a0 lib/dump_stack.c:106
  10. print_address_description mm/kasan/report.c:364 [inline]
  11. print_report+0x164/0x510 mm/kasan/report.c:475
  12. kasan_report+0x107/0x140 mm/kasan/report.c:588
  13. dev_map_enqueue+0x3b/0x80 kernel/bpf/devmap.c:529
  14. __xdp_do_redirect_frame net/core/filter.c:4381 [inline]
  15. xdp_do_redirect+0x592/0xab0 net/core/filter.c:4421
  16. tun_xdp_act+0xea/0xc80 drivers/net/tun.c:1633
  17. tun_build_skb drivers/net/tun.c:1723 [inline]
  18. tun_get_user+0x2e86/0x3f20 drivers/net/tun.c:1826
  19. tun_chr_write_iter+0x113/0x1f0 drivers/net/tun.c:2055
  20. call_write_iter include/linux/fs.h:2018 [inline]
  21. new_sync_write fs/read_write.c:491 [inline]
  22. vfs_write+0x856/0xbd0 fs/read_write.c:584
  23. ksys_write+0x17c/0x2a0 fs/read_write.c:637
  24. do_syscall_x64 arch/x86/entry/common.c:51 [inline]
  25. do_syscall_64+0x2d/0x50 arch/x86/entry/common.c:81
  26. entry_SYSCALL_64_after_hwframe+0x68/0xd2
  27. RIP: 0033:0x7f1c1a17cadf
  28. Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 c9 8d 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 1c 8e 02 00 48
  29. RSP: 002b:00007f1c1af2e000 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
  30. RAX: ffffffffffffffda RBX: 00007f1c1a335f80 RCX: 00007f1c1a17cadf
  31. RDX: 0000000000000016 RSI: 0000000020001b40 RDI: 00000000000000c8
  32. RBP: 00007f1c1a1f0296 R08: 0000000000000000 R09: 0000000000000000
  33. R10: 0000000000000016 R11: 0000000000000293 R12: 0000000000000000
  34. R13: 0000000000000000 R14: 00007f1c1a335f80 R15: 00007ffd7b9bb328
  35. </TASK>
  36.  
  37. Allocated by task 3128:
  38. kasan_save_stack mm/kasan/common.c:45 [inline]
  39. kasan_set_track+0x40/0x70 mm/kasan/common.c:52
  40. ____kasan_kmalloc mm/kasan/common.c:374 [inline]
  41. __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:383
  42. kasan_kmalloc include/linux/kasan.h:198 [inline]
  43. __do_kmalloc_node mm/slab_common.c:1007 [inline]
  44. __kmalloc_node+0xb7/0x210 mm/slab_common.c:1014
  45. kmalloc_node include/linux/slab.h:620 [inline]
  46. bpf_map_kmalloc_node+0xd2/0x1c0 kernel/bpf/syscall.c:422
  47. __dev_map_alloc_node+0x56/0x490 kernel/bpf/devmap.c:856
  48. __dev_map_hash_update_elem kernel/bpf/devmap.c:967 [inline]
  49. dev_map_hash_update_elem+0x306/0x780 kernel/bpf/devmap.c:1001
  50. bpf_map_update_value+0x6ef/0x7c0 kernel/bpf/syscall.c:201
  51. map_update_elem+0x5b7/0x720 kernel/bpf/syscall.c:1552
  52. __sys_bpf+0x758/0x810 kernel/bpf/syscall.c:5416
  53. __do_sys_bpf kernel/bpf/syscall.c:5532 [inline]
  54. __se_sys_bpf kernel/bpf/syscall.c:5530 [inline]
  55. __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5530
  56. do_syscall_x64 arch/x86/entry/common.c:51 [inline]
  57. do_syscall_64+0x2d/0x50 arch/x86/entry/common.c:81
  58. entry_SYSCALL_64_after_hwframe+0x68/0xd2
  59.  
  60. Freed by task 34:
  61. kasan_save_stack mm/kasan/common.c:45 [inline]
  62. kasan_set_track+0x40/0x70 mm/kasan/common.c:52
  63. kasan_save_free_info+0x25/0x40 mm/kasan/generic.c:522
  64. ____kasan_slab_free+0xb5/0x100 mm/kasan/common.c:236
  65. kasan_slab_free include/linux/kasan.h:164 [inline]
  66. __cache_free mm/slab.c:3370 [inline]
  67. __do_kmem_cache_free mm/slab.c:3557 [inline]
  68. __kmem_cache_free+0x1a1/0x2b0 mm/slab.c:3564
  69. dev_map_free+0x397/0x680 kernel/bpf/devmap.c:218
  70. bpf_map_free_deferred+0xd3/0xf0 kernel/bpf/syscall.c:700
  71. process_one_work kernel/workqueue.c:2631 [inline]
  72. process_scheduled_works+0x92d/0x14a0 kernel/workqueue.c:2704
  73. worker_thread+0xa5f/0xff0 kernel/workqueue.c:2785
  74. kthread+0x2a2/0x330 kernel/kthread.c:388
  75. ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
  76. ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:293
  77.  
  78. Last potentially related work creation:
  79. kasan_save_stack+0x2f/0x50 mm/kasan/common.c:45
  80. __kasan_record_aux_stack mm/kasan/generic.c:492 [inline]
  81. kasan_record_aux_stack_noalloc+0x81/0x90 mm/kasan/generic.c:502
  82. __call_rcu_common kernel/rcu/tree.c:2713 [inline]
  83. call_rcu+0x18b/0x14a0 kernel/rcu/tree.c:2827
  84. nf_hook_entries_free net/netfilter/core.c:88 [inline]
  85. __nf_register_net_hook+0x788/0x930 net/netfilter/core.c:457
  86. nf_register_net_hook+0xb0/0x190 net/netfilter/core.c:578
  87. nf_register_net_hooks+0x41/0x1a0 net/netfilter/core.c:594
  88. nf_nat_register_fn+0x3ac/0x570 net/netfilter/nf_nat_core.c:1123
  89. ipt_nat_register_lookups net/ipv4/netfilter/iptable_nat.c:77 [inline]
  90. iptable_nat_table_init+0xd4/0x2d0 net/ipv4/netfilter/iptable_nat.c:121
  91. xt_find_table_lock+0x2d0/0x3b0 net/netfilter/x_tables.c:1259
  92. xt_request_find_table_lock+0x26/0x100 net/netfilter/x_tables.c:1284
  93. get_info net/ipv4/netfilter/ip_tables.c:963 [inline]
  94. do_ipt_get_ctl+0x5a6/0x1590 net/ipv4/netfilter/ip_tables.c:1659
  95. nf_getsockopt+0x293/0x2c0 net/netfilter/nf_sockopt.c:116
  96. ip_getsockopt+0x1f3/0x2b0 net/ipv4/ip_sockglue.c:1790
  97. tcp_getsockopt+0x160/0x1c0 net/ipv4/tcp.c:4317
  98. do_sock_getsockopt+0x3bd/0x790 net/socket.c:2379
  99. __sys_getsockopt+0x1d9/0x2b0 net/socket.c:2408
  100. __do_sys_getsockopt net/socket.c:2418 [inline]
  101. __se_sys_getsockopt net/socket.c:2415 [inline]
  102. __x64_sys_getsockopt+0xb5/0xd0 net/socket.c:2415
  103. do_syscall_x64 arch/x86/entry/common.c:51 [inline]
  104. do_syscall_64+0x2d/0x50 arch/x86/entry/common.c:81
  105. entry_SYSCALL_64_after_hwframe+0x68/0xd2
  106.  
  107. The buggy address belongs to the object at ffff8881135c2480
  108. which belongs to the cache kmalloc-cg-64 of size 64
  109. The buggy address is located 0 bytes inside of
  110. freed 64-byte region [ffff8881135c2480, ffff8881135c24c0)
  111.  
  112. The buggy address belongs to the physical page:
  113. page:ffffea00044d7080 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1135c2
  114. memcg:ffff88810ff19201
  115. flags: 0x400000000000800(slab|node=0|zone=1)
  116. page_type: 0x20()
  117. raw: 0400000000000800 ffff888100043900 ffffea00040edd10 ffffea0005f18810
  118. raw: 0000000000000000 ffff8881135c2000 0000000100000020 ffff88810ff19201
  119. page dumped because: kasan: bad access detected
  120. page_owner tracks the page as allocated
  121. page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2420c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_COMP|__GFP_THISNODE), pid 1, tgid 1 (swapper/0), ts 4115548462, free_ts 4112513936
  122. set_page_owner include/linux/page_owner.h:31 [inline]
  123. post_alloc_hook+0x1e7/0x210 mm/page_alloc.c:1541
  124. prep_new_page mm/page_alloc.c:1548 [inline]
  125. get_page_from_freelist+0x2f35/0x32e0 mm/page_alloc.c:3178
  126. __alloc_pages+0x291/0x770 mm/page_alloc.c:4434
  127. __alloc_pages_node include/linux/gfp.h:237 [inline]
  128. kmem_getpages mm/slab.c:1356 [inline]
  129. cache_grow_begin+0x9f/0x620 mm/slab.c:2550
  130. cache_alloc_refill+0x31b/0x3e0 mm/slab.c:2923
  131. ____cache_alloc mm/slab.c:2999 [inline]
  132. __do_cache_alloc mm/slab.c:3185 [inline]
  133. slab_alloc_node mm/slab.c:3230 [inline]
  134. __kmem_cache_alloc_node+0x336/0x370 mm/slab.c:3521
  135. __do_kmalloc_node mm/slab_common.c:1006 [inline]
  136. __kmalloc_node+0xa6/0x210 mm/slab_common.c:1014
  137. kmalloc_node include/linux/slab.h:620 [inline]
  138. __alloc kernel/bpf/memalloc.c:151 [inline]
  139. alloc_bulk+0x45e/0x6e0 kernel/bpf/memalloc.c:245
  140. prefill_mem_cache kernel/bpf/memalloc.c:486 [inline]
  141. bpf_mem_alloc_init+0x765/0x910 kernel/bpf/memalloc.c:554
  142. bpf_global_ma_init+0x1a/0x40 kernel/bpf/core.c:2941
  143. do_one_initcall+0x247/0x850 init/main.c:1238
  144. do_initcall_level+0x157/0x210 init/main.c:1300
  145. do_initcalls+0x3f/0x80 init/main.c:1316
  146. kernel_init_freeable+0x3f1/0x590 init/main.c:1553
  147. kernel_init+0x1d/0x2a0 init/main.c:1443
  148. ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
  149. page last free stack trace:
  150. reset_page_owner include/linux/page_owner.h:24 [inline]
  151. free_pages_prepare mm/page_alloc.c:1141 [inline]
  152. free_unref_page_prepare+0x86b/0x950 mm/page_alloc.c:2323
  153. free_unref_page+0x37/0x340 mm/page_alloc.c:2416
  154. vfree+0x181/0x2d0 mm/vmalloc.c:2859
  155. delayed_vfree_work+0x56/0x80 mm/vmalloc.c:2780
  156. process_one_work kernel/workqueue.c:2631 [inline]
  157. process_scheduled_works+0x92d/0x14a0 kernel/workqueue.c:2704
  158. worker_thread+0xa5f/0xff0 kernel/workqueue.c:2785
  159. kthread+0x2a2/0x330 kernel/kthread.c:388
  160. ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
  161. ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:293
  162.  
  163. Memory state around the buggy address:
  164. ffff8881135c2380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
  165. ffff8881135c2400: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
  166. >ffff8881135c2480: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
  167. ^
  168. ffff8881135c2500: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
  169. ffff8881135c2580: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
  170. ==================================================================
  171.  
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!