CVE-2021-47126

In the Linux kernel, the following vulnerability has been resolved:

ipv6: Fix KASAN: slab-out-of-bounds Read in fib6nhflush_exceptions

Reported by syzbot: HEAD commit: 90c911ad Merge tag 'fixes' of git://git.kernel.org/pub/scm.. git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master dashboard link: https://syzkaller.appspot.com/bug?extid=123aa35098fd3c000eb7 compiler: Debian clang version 11.0.1-2

================================================================== BUG: KASAN: slab-out-of-bounds in fib6nhgetexcptnbucket net/ipv6/route.c:1604 [inline] BUG: KASAN: slab-out-of-bounds in fib6nhflush_exceptions+0xbd/0x360 net/ipv6/route.c:1732 Read of size 8 at addr ffff8880145c78f8 by task syz-executor.4/17760

CPU: 0 PID: 17760 Comm: syz-executor.4 Not tainted 5.12.0-rc8-syzkaller #0 Call Trace: <IRQ> _dumpstack lib/dumpstack.c:79 [inline] dumpstack+0x202/0x31e lib/dumpstack.c:120 printaddressdescription+0x5f/0x3b0 mm/kasan/report.c:232 _kasanreport mm/kasan/report.c:399 [inline] kasanreport+0x15c/0x200 mm/kasan/report.c:416 fib6nhgetexcptnbucket net/ipv6/route.c:1604 [inline] fib6nhflushexceptions+0xbd/0x360 net/ipv6/route.c:1732 fib6nhrelease+0x9a/0x430 net/ipv6/route.c:3536 fib6infodestroyrcu+0xcb/0x1c0 net/ipv6/ip6fib.c:174 rcudobatch kernel/rcu/tree.c:2559 [inline] rcucore+0x8f6/0x1450 kernel/rcu/tree.c:2794 _dosoftirq+0x372/0x7a6 kernel/softirq.c:345 invokesoftirq kernel/softirq.c:221 [inline] _irqexitrcu+0x22c/0x260 kernel/softirq.c:422 irqexitrcu+0x5/0x20 kernel/softirq.c:434 sysvecapictimerinterrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1100 </IRQ> asmsysvecapictimerinterrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:632 RIP: 0010:lockacquire+0x1f6/0x720 kernel/locking/lockdep.c:5515 Code: f6 84 24 a1 00 00 00 02 0f 85 8d 02 00 00 f7 c3 00 02 00 00 49 bd 00 00 00 00 00 fc ff df 74 01 fb 48 c7 44 24 40 0e 36 e0 45 <4b> c7 44 3d 00 00 00 00 00 4b c7 44 3d 09 00 00 00 00 43 c7 44 3d RSP: 0018:ffffc90009e06560 EFLAGS: 00000206 RAX: 1ffff920013c0cc0 RBX: 0000000000000246 RCX: dffffc0000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffffc90009e066e0 R08: dffffc0000000000 R09: fffffbfff1f992b1 R10: fffffbfff1f992b1 R11: 0000000000000000 R12: 0000000000000000 R13: dffffc0000000000 R14: 0000000000000000 R15: 1ffff920013c0cb4 rculockacquire+0x2a/0x30 include/linux/rcupdate.h:267 rcureadlock include/linux/rcupdate.h:656 [inline] ext4getgroupinfo+0xea/0x340 fs/ext4/ext4.h:3231 ext4mbprefetch+0x123/0x5d0 fs/ext4/mballoc.c:2212 ext4mbregularallocator+0x8a5/0x28f0 fs/ext4/mballoc.c:2379 ext4mbnewblocks+0xc6e/0x24f0 fs/ext4/mballoc.c:4982 ext4extmapblocks+0x2be3/0x7210 fs/ext4/extents.c:4238 ext4mapblocks+0xab3/0x1cb0 fs/ext4/inode.c:638 ext4getblk+0x187/0x6c0 fs/ext4/inode.c:848 ext4bread+0x2a/0x1c0 fs/ext4/inode.c:900 ext4append+0x1a4/0x360 fs/ext4/namei.c:67 ext4initnewdir+0x337/0xa10 fs/ext4/namei.c:2768 ext4mkdir+0x4b8/0xc00 fs/ext4/namei.c:2814 vfsmkdir+0x45b/0x640 fs/namei.c:3819 ovldomkdir fs/overlayfs/overlayfs.h:161 [inline] ovlmkdirreal+0x53/0x1a0 fs/overlayfs/dir.c:146 ovlcreatereal+0x280/0x490 fs/overlayfs/dir.c:193 ovlworkdircreate+0x425/0x600 fs/overlayfs/super.c:788 ovlmakeworkdir+0xed/0x1140 fs/overlayfs/super.c:1355 ovlgetworkdir fs/overlayfs/super.c:1492 [inline] ovlfillsuper+0x39ee/0x5370 fs/overlayfs/super.c:2035 mountnodev+0x52/0xe0 fs/super.c:1413 legacygettree+0xea/0x180 fs/fscontext.c:592 vfsgettree+0x86/0x270 fs/super.c:1497 donewmount fs/namespace.c:2903 [inline] pathmount+0x196f/0x2be0 fs/namespace.c:3233 domount fs/namespace.c:3246 [inline] _dosysmount fs/namespace.c:3454 [inline] _sesysmount+0x2f9/0x3b0 fs/namespace.c:3431 dosyscall64+0x2d/0x70 arch/x86/entry/common.c:46 entrySYSCALL64afterhwframe+0x44/0xae RIP: 0033:0x4665f9 Code: ff ff c3 66 2e 0f 1f 84 ---truncated---