syzbot


KASAN: use-after-free Read in perf_output_read (3)

Status: upstream: reported C repro on 2021/12/21 12:25
Reported-by: syzbot+4d67dcfa33379fc29ebb@syzkaller.appspotmail.com
First crash: 1066d, last: 633d
Similar bugs (4)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.14 KASAN: use-after-free Read in perf_output_read 2 1567d 1603d 0/1 auto-closed as invalid on 2020/12/05 08:38
linux-4.14 KASAN: use-after-free Read in perf_output_read (2) 1 1286d 1286d 0/1 auto-closed as invalid on 2021/09/12 12:28
android-414 KASAN: use-after-free Read in perf_output_read C 94 1821d 2051d 0/1 public: reported C repro on 2019/04/11 00:00
linux-4.14 KASAN: slab-out-of-bounds Read in perf_output_read C error 13 633d 1664d 0/1 upstream: reported C repro on 2020/05/02 11:43
Fix bisection attempts (7)
Created Duration User Patch Repo Result
2023/01/31 08:42 36m bisect fix linux-4.14.y OK (0)
2022/09/17 12:15 26m bisect fix linux-4.14.y OK (0)
2022/08/18 11:52 22m bisect fix linux-4.14.y OK (0)
2022/07/02 23:22 19m bisect fix linux-4.14.y OK (0)
2022/04/20 05:09 20m bisect fix linux-4.14.y OK (0)
2022/03/20 21:55 26m bisect fix linux-4.14.y OK (0)
2022/02/18 21:30 24m bisect fix linux-4.14.y OK (0)

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in primary_event_id kernel/events/core.c:1316 [inline]
BUG: KASAN: use-after-free in perf_output_read_group kernel/events/core.c:5897 [inline]
BUG: KASAN: use-after-free in perf_output_read+0x1046/0x1090 kernel/events/core.c:5932
Read of size 8 at addr ffff88809f471220 by task syz-executor117/17064

CPU: 1 PID: 17064 Comm: syz-executor117 Not tainted 4.14.300-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
 kasan_report_error.cold+0x8a/0x191 mm/kasan/report.c:351
 kasan_report mm/kasan/report.c:409 [inline]
 __asan_report_load8_noabort+0x68/0x70 mm/kasan/report.c:430
 primary_event_id kernel/events/core.c:1316 [inline]
 perf_output_read_group kernel/events/core.c:5897 [inline]
 perf_output_read+0x1046/0x1090 kernel/events/core.c:5932
 perf_output_sample+0xa28/0x16f0 kernel/events/core.c:5974
 __perf_event_output kernel/events/core.c:6287 [inline]
 perf_event_output_forward+0xf8/0x1f0 kernel/events/core.c:6300
 __perf_event_overflow+0x113/0x310 kernel/events/core.c:7549
 perf_swevent_overflow kernel/events/core.c:7625 [inline]
 perf_swevent_event+0x299/0x460 kernel/events/core.c:7653
 do_perf_sw_event kernel/events/core.c:7766 [inline]
 ___perf_sw_event+0x2a1/0x480 kernel/events/core.c:7797
 __perf_sw_event+0x4f/0x100 kernel/events/core.c:7809
 perf_sw_event include/linux/perf_event.h:1046 [inline]
 __do_page_fault+0x692/0xad0 arch/x86/mm/fault.c:1483
 page_fault+0x25/0x50 arch/x86/entry/entry_64.S:1126

Allocated by task 17035:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:551
 kmem_cache_alloc_node+0x146/0x410 mm/slab.c:3642
 __alloc_skb+0x5c/0x510 net/core/skbuff.c:193
 alloc_skb_fclone include/linux/skbuff.h:1022 [inline]
 sk_stream_alloc_skb+0xb1/0x760 net/ipv4/tcp.c:855
 tcp_connect+0x1123/0x3f20 net/ipv4/tcp_output.c:3542
 tcp_v4_connect+0x129d/0x1a70 net/ipv4/tcp_ipv4.c:255
 __inet_stream_connect+0x6ad/0xb90 net/ipv4/af_inet.c:618
 tcp_sendmsg_fastopen net/ipv4/tcp.c:1170 [inline]
 tcp_sendmsg_locked+0x1fac/0x2ef0 net/ipv4/tcp.c:1216
 tcp_sendmsg+0x2b/0x40 net/ipv4/tcp.c:1457
 inet_sendmsg+0x11a/0x4e0 net/ipv4/af_inet.c:762
 sock_sendmsg_nosec net/socket.c:646 [inline]
 sock_sendmsg+0xb5/0x100 net/socket.c:656
 SYSC_sendto net/socket.c:1763 [inline]
 SyS_sendto+0x1c7/0x2c0 net/socket.c:1731
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x5e/0xd3

Freed by task 17035:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0xc3/0x1a0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3496 [inline]
 kmem_cache_free+0x7c/0x2b0 mm/slab.c:3758
 kfree_skbmem+0x7e/0x100 net/core/skbuff.c:616
 tcp_drop net/ipv4/tcp_input.c:4397 [inline]
 tcp_rcv_state_process+0x342/0x4af0 net/ipv4/tcp_input.c:6208
 tcp_v4_do_rcv+0x2c9/0x800 net/ipv4/tcp_ipv4.c:1512
 sk_backlog_rcv include/net/sock.h:923 [inline]
 __release_sock+0x12a/0x350 net/core/sock.c:2284
 release_sock+0x54/0x1b0 net/core/sock.c:2822
 tcp_sendmsg+0x36/0x40 net/ipv4/tcp.c:1458
 inet_sendmsg+0x11a/0x4e0 net/ipv4/af_inet.c:762
 sock_sendmsg_nosec net/socket.c:646 [inline]
 sock_sendmsg+0xb5/0x100 net/socket.c:656
 SYSC_sendto net/socket.c:1763 [inline]
 SyS_sendto+0x1c7/0x2c0 net/socket.c:1731
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x5e/0xd3

The buggy address belongs to the object at ffff88809f471080
 which belongs to the cache skbuff_fclone_cache of size 472
The buggy address is located 416 bytes inside of
 472-byte region [ffff88809f471080, ffff88809f471258)
The buggy address belongs to the page:
page:ffffea00027d1c40 count:1 mapcount:0 mapping:ffff88809f471080 index:0x0
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffff88809f471080 0000000000000000 0000000100000006
raw: ffffea00027eada0 ffffea00027f4520 ffff88823a8223c0 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88809f471100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88809f471180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88809f471200: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
                               ^
 ffff88809f471280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88809f471300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (24):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2022/12/02 13:09 linux-4.14.y 179ef7fe8677 e080de16 .config console log report syz C [disk image] [vmlinux] [kernel image] ci2-linux-4-14 KASAN: use-after-free Read in perf_output_read
2022/11/27 21:36 linux-4.14.y 179ef7fe8677 f4470a7b .config console log report syz C [disk image] [vmlinux] [kernel image] ci2-linux-4-14 KASAN: use-after-free Read in perf_output_read
2021/12/26 21:04 linux-4.14.y 8ee0807eedf3 e4f103c4 .config console log report syz C ci2-linux-4-14 KASAN: use-after-free Read in perf_output_read
2023/02/27 20:38 linux-4.14.y 7878a41b6cc1 9189cb53 .config console log report syz [disk image] [vmlinux] [kernel image] ci2-linux-4-14 KASAN: use-after-free Read in perf_output_read
2023/02/20 19:50 linux-4.14.y a8ad60f2af58 2414209c .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-4-14 KASAN: use-after-free Read in perf_output_read
2023/02/06 13:46 linux-4.14.y a8ad60f2af58 0a9c11b6 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-4-14 KASAN: use-after-free Read in perf_output_read
2022/12/20 02:28 linux-4.14.y c4215ee4771b c52b2efb .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-4-14 KASAN: use-after-free Read in perf_output_read
2022/12/13 18:32 linux-4.14.y 65afe34ac33d f6511626 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-4-14 KASAN: use-after-free Read in perf_output_read
2022/12/06 21:32 linux-4.14.y 179ef7fe8677 d88f3abb .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-4-14 KASAN: use-after-free Read in perf_output_read
2022/11/24 08:04 linux-4.14.y e911713e40ca ff68ff8f .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-4-14 KASAN: use-after-free Read in perf_output_read
2022/11/03 22:55 linux-4.14.y a901bb6c7db7 6d752409 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-4-14 KASAN: use-after-free Read in perf_output_read
2022/10/11 15:43 linux-4.14.y 9d5c0b3a8e1a 02b6492e .config console log report info [disk image] [vmlinux] ci2-linux-4-14 KASAN: use-after-free Read in perf_output_read
2022/09/26 10:07 linux-4.14.y 4edbf74132a4 d59ba983 .config console log report info ci2-linux-4-14 KASAN: use-after-free Read in perf_output_read
2022/07/19 11:52 linux-4.14.y 424a46ea058e 72a3cc0c .config console log report info ci2-linux-4-14 KASAN: use-after-free Read in perf_output_read
2022/07/06 18:11 linux-4.14.y ed2e96e11936 bff65f44 .config console log report info ci2-linux-4-14 KASAN: use-after-free Read in perf_output_read
2022/06/02 23:22 linux-4.14.y 501eec4f9e13 02dddea8 .config console log report info ci2-linux-4-14 KASAN: use-after-free Read in perf_output_read
2022/05/08 05:25 linux-4.14.y e3a56aaade89 e60b1103 .config console log report info ci2-linux-4-14 KASAN: use-after-free Read in perf_output_read
2022/05/04 22:02 linux-4.14.y e3a56aaade89 dc9e5259 .config console log report info ci2-linux-4-14 KASAN: use-after-free Read in perf_output_read
2022/01/19 21:20 linux-4.14.y 4ba8e26127c3 5da9499f .config console log report info ci2-linux-4-14 KASAN: use-after-free Read in perf_output_read
2022/01/10 20:25 linux-4.14.y bfdef05c8da4 ddb0ab8c .config console log report info ci2-linux-4-14 KASAN: use-after-free Read in perf_output_read
2022/01/07 16:44 linux-4.14.y bfdef05c8da4 2ca0d385 .config console log report info ci2-linux-4-14 KASAN: use-after-free Read in perf_output_read
2021/12/28 17:05 linux-4.14.y 8ee0807eedf3 76c8cf06 .config console log report info ci2-linux-4-14 KASAN: use-after-free Read in perf_output_read
2021/12/26 14:17 linux-4.14.y 8ee0807eedf3 e4f103c4 .config console log report info ci2-linux-4-14 KASAN: use-after-free Read in perf_output_read
2021/12/21 12:24 linux-4.14.y 9dfbac0e6b86 a938f0b8 .config console log report info ci2-linux-4-14 KASAN: use-after-free Read in perf_output_read
* Struck through repros no longer work on HEAD.