KASAN: use-after-free Read in sock_def_write

Title	Replies (including bot)	Last reply
[PATCH 5.4 00/19] 5.4.55-rc1 review	24 (24)	2020/07/31 17:15
[PATCH 5.7 00/20] 5.7.12-rc1 review	24 (24)	2020/07/31 17:15
[PATCH 4.19 00/17] 4.19.136-rc1 review	20 (20)	2020/07/31 12:00
[Patch net v2] qrtr: orphan socket in qrtr_release()	3 (3)	2020/07/25 00:31
[Patch net] qrtr: orphan skb before queuing in xmit	5 (5)	2020/07/24 06:10
KASAN: use-after-free Read in sock_def_write_space (2)	0 (1)	2020/07/21 04:41

Title

Replies (including bot)

Last reply

[PATCH 5.4 00/19] 5.4.55-rc1 review

24 (24)

2020/07/31 17:15

[PATCH 5.7 00/20] 5.7.12-rc1 review

24 (24)

2020/07/31 17:15

[PATCH 4.19 00/17] 4.19.136-rc1 review

20 (20)

2020/07/31 12:00

[Patch net v2] qrtr: orphan socket in qrtr_release()

3 (3)

2020/07/25 00:31

[Patch net] qrtr: orphan skb before queuing in xmit

5 (5)

2020/07/24 06:10

KASAN: use-after-free Read in sock_def_write_space (2)

0 (1)

2020/07/21 04:41

Kernel	Title	Repro	Cause bisect	Count	Last	Reported	Patched	Status
upstream	KASAN: use-after-free Read in sock_def_write_space (3) intel-wired-lan			21	1072d	1308d	0/26	auto-closed as invalid on 2021/08/18 10:16
linux-5.15	KASAN: use-after-free Read in sock_def_write_space (2)			1	142d	142d	0/3	auto-obsoleted due to no activity on 2024/03/15 00:45
upstream	KASAN: use-after-free Read in sock_def_write_space (4) net virt			7	720d	888d	0/26	auto-closed as invalid on 2022/08/04 16:53
linux-5.15	KASAN: use-after-free Read in sock_def_write_space			1	274d	274d	0/3	auto-obsoleted due to no activity on 2023/11/03 11:19
upstream	KASAN: use-after-free Read in sock_def_write_space arm-msm net	C	done	67	1376d	1741d	15/26	fixed on 2020/07/20 08:03

Created	Duration	User	Patch	Repo	Result
2020/07/24 14:18	16m	xiyou.wangcong@gmail.com		https://github.com/congwang/linux.git net	OK
2020/07/24 02:40	16m	xiyou.wangcong@gmail.com		https://github.com/congwang/linux.git net	OK

Created

Duration

User

Patch

Repo

Result

2020/07/24 14:18

16m

xiyou.wangcong@gmail.com

https://github.com/congwang/linux.git net

2020/07/24 02:40

16m

xiyou.wangcong@gmail.com

https://github.com/congwang/linux.git net

IPVS: ftp: loaded support on port[0] = 21 ================================================================== BUG: KASAN: use-after-free in list_empty include/linux/list.h:282 [inline] BUG: KASAN: use-after-free in waitqueue_active include/linux/wait.h:127 [inline] BUG: KASAN: use-after-free in wq_has_sleeper include/linux/wait.h:161 [inline] BUG: KASAN: use-after-free in skwq_has_sleeper include/net/sock.h:2143 [inline] BUG: KASAN: use-after-free in sock_def_write_space+0x609/0x630 net/core/sock.c:2926 Read of size 8 at addr ffff8880866ed5c0 by task syz-executor525/6922 CPU: 1 PID: 6922 Comm: syz-executor525 Not tainted 5.8.0-rc6-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x18f/0x20d lib/dump_stack.c:118 print_address_description.constprop.0.cold+0xae/0x436 mm/kasan/report.c:383 __kasan_report mm/kasan/report.c:513 [inline] kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530 list_empty include/linux/list.h:282 [inline] waitqueue_active include/linux/wait.h:127 [inline] wq_has_sleeper include/linux/wait.h:161 [inline] skwq_has_sleeper include/net/sock.h:2143 [inline] sock_def_write_space+0x609/0x630 net/core/sock.c:2926 sock_wfree+0x1cc/0x240 net/core/sock.c:2060 skb_release_head_state+0x9f/0x250 net/core/skbuff.c:651 skb_release_all net/core/skbuff.c:662 [inline] __kfree_skb net/core/skbuff.c:678 [inline] kfree_skb.part.0+0x89/0x350 net/core/skbuff.c:696 kfree_skb+0x7d/0x100 include/linux/refcount.h:270 skb_queue_purge+0x14/0x30 net/core/skbuff.c:3077 qrtr_tun_release+0x40/0x60 net/qrtr/tun.c:118 __fput+0x33c/0x880 fs/file_table.c:281 task_work_run+0xdd/0x190 kernel/task_work.c:135 tracehook_notify_resume include/linux/tracehook.h:188 [inline] exit_to_usermode_loop arch/x86/entry/common.c:239 [inline] __prepare_exit_to_usermode+0x1e9/0x1f0 arch/x86/entry/common.c:269 do_syscall_64+0x6c/0xe0 arch/x86/entry/common.c:393 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x401040 Code: Bad RIP value. RSP: 002b:00007ffdd92190e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000003 RAX: 0000000000000000 RBX: 0000000000000007 RCX: 0000000000401040 RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000006 RBP: 00007ffdd92190f0 R08: 0000000120080522 R09: 0000000120080522 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004a5ff0 R13: 0000000000402150 R14: 0000000000000000 R15: 0000000000000000 Allocated by task 6922: save_stack+0x1b/0x40 mm/kasan/common.c:48 set_track mm/kasan/common.c:56 [inline] __kasan_kmalloc.constprop.0+0xc2/0xd0 mm/kasan/common.c:494 slab_post_alloc_hook mm/slab.h:586 [inline] slab_alloc mm/slab.c:3320 [inline] kmem_cache_alloc+0x12c/0x3b0 mm/slab.c:3484 sock_alloc_inode+0x18/0x1c0 net/socket.c:253 alloc_inode+0x61/0x230 fs/inode.c:232 new_inode_pseudo+0x14/0xe0 fs/inode.c:928 sock_alloc+0x3c/0x260 net/socket.c:573 __sock_create+0xb9/0x740 net/socket.c:1392 sock_create net/socket.c:1479 [inline] __sys_socket+0xef/0x200 net/socket.c:1521 __do_sys_socket net/socket.c:1530 [inline] __se_sys_socket net/socket.c:1528 [inline] __x64_sys_socket+0x6f/0xb0 net/socket.c:1528 do_syscall_64+0x60/0xe0 arch/x86/entry/common.c:384 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Freed by task 0: save_stack+0x1b/0x40 mm/kasan/common.c:48 set_track mm/kasan/common.c:56 [inline] kasan_set_free_info mm/kasan/common.c:316 [inline] __kasan_slab_free+0xf5/0x140 mm/kasan/common.c:455 __cache_free mm/slab.c:3426 [inline] kmem_cache_free+0x7f/0x310 mm/slab.c:3694 i_callback+0x3f/0x70 fs/inode.c:221 rcu_do_batch kernel/rcu/tree.c:2414 [inline] rcu_core+0x5c7/0x1160 kernel/rcu/tree.c:2641 __do_softirq+0x34c/0xa60 kernel/softirq.c:292 The buggy address belongs to the object at ffff8880866ed540 which belongs to the cache sock_inode_cache of size 1216 The buggy address is located 128 bytes inside of 1216-byte region [ffff8880866ed540, ffff8880866eda00) The buggy address belongs to the page: page:ffffea000219bb40 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880866edffd flags: 0xfffe0000000200(slab) raw: 00fffe0000000200 ffffea000219bb08 ffff8880a9751d50 ffff88821b77f700 raw: ffff8880866edffd ffff8880866ed000 0000000100000003 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880866ed480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8880866ed500: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb >ffff8880866ed580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880866ed600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880866ed680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================

Crashes (29):
Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Manager
2020/07/25 00:43	upstream	f37e99aca03f	554af388	.config	console log	report	syz	C		ci-upstream-kasan-gce-root
2020/07/24 19:04	upstream	f37e99aca03f	554af388	.config	console log	report	syz	C		ci-upstream-kasan-gce-selinux-root
2020/07/23 06:27	upstream	8c26c87b0532	340ea530	.config	console log	report	syz	C		ci-upstream-kasan-gce-smack-root
2020/07/22 20:26	upstream	4fa640dc5230	128cd85f	.config	console log	report	syz	C		ci-upstream-kasan-gce
2020/07/20 18:56	upstream	5714ee50bb43	4285ffa3	.config	console log	report	syz	C		ci-upstream-kasan-gce-386
2020/07/24 23:36	linux-next	26027945c94a	554af388	.config	console log	report	syz	C		ci-upstream-linux-next-kasan-gce-root
2020/09/16 09:06	upstream	fc4f28bb3daf	18d7d030	.config	console log	report			info	ci-qemu-upstream
2020/09/12 10:46	upstream	729e3d091984	21d289c2	.config	console log	report				ci-qemu-upstream
2020/09/11 20:31	upstream	e8878ab82545	79fb24e2	.config	console log	report				ci-qemu-upstream
2020/09/09 06:19	upstream	fffe3ae0ee84	0ea7a887	.config	console log	report				ci-qemu-upstream
2020/09/08 07:26	upstream	fffe3ae0ee84	abf9ba4f	.config	console log	report				ci-qemu-upstream
2020/09/08 06:39	upstream	fffe3ae0ee84	abf9ba4f	.config	console log	report				ci-qemu-upstream
2020/09/06 23:59	upstream	fffe3ae0ee84	abf9ba4f	.config	console log	report				ci-qemu-upstream
2020/09/05 16:29	upstream	fffe3ae0ee84	abf9ba4f	.config	console log	report				ci-qemu-upstream
2020/09/03 23:59	upstream	fffe3ae0ee84	abf9ba4f	.config	console log	report				ci-qemu-upstream
2020/08/07 02:35	upstream	fffe3ae0ee84	cb436c69	.config	console log	report				ci-qemu-upstream
2020/07/25 07:06	upstream	68845a55c31b	1f7cc1ca	.config	console log	report				ci-upstream-kasan-gce-root
2020/07/23 17:47	upstream	d15be546031c	70c104a1	.config	console log	report				ci-upstream-kasan-gce
2020/07/23 16:35	upstream	d15be546031c	70c104a1	.config	console log	report				ci-qemu-upstream
2020/09/07 11:45	upstream	f4d51dffc6c0	abf9ba4f	.config	console log	report				ci-qemu-upstream-386
2020/08/19 03:47	upstream	00e4db51259a	e1c29030	.config	console log	report				ci-qemu-upstream-386
2020/07/20 18:33	upstream	5714ee50bb43	4285ffa3	.config	console log	report				ci-upstream-kasan-gce-386
2020/09/05 21:28	net-old	cc8e58f8325c	abf9ba4f	.config	console log	report				ci-upstream-net-this-kasan-gce
2020/09/01 03:45	net-old	bb8872a1e6bc	d5a3ae1f	.config	console log	report				ci-upstream-net-this-kasan-gce
2020/08/01 03:25	net-old	85496a292241	d895b3be	.config	console log	report				ci-upstream-net-this-kasan-gce
2020/09/12 16:21	net-next-old	5a6bd84f8154	ce441f06	.config	console log	report				ci-upstream-net-kasan-gce
2020/09/01 08:39	net-next-old	c30a3c957c88	d5a3ae1f	.config	console log	report				ci-upstream-net-kasan-gce
2020/08/11 00:28	net-next-old	bfdd5aaa54b0	7adc7b65	.config	console log	report				ci-upstream-net-kasan-gce
2020/08/04 00:48	net-next-old	bd0b33b24897	196277c4	.config	console log	report				ci-upstream-net-kasan-gce

Crashes (29):

Assets (help?)

2020/07/25 00:43

upstream