KASAN: use-after-free Read in corrupted (3)

Status: fixed on 2019/08/27 17:15
Subsystems: kernel
Fix commit: 95fa145479fb bpf: sockmap/tls, close can race with map free
First crash: 1790d, last: 1790d
Cause bisection: introduced by:
commit e9db4ef6bf4ca9894bb324c76e01b8f1a16b2650
Author: John Fastabend <>
Date: Sat Jun 30 13:17:47 2018 +0000

  bpf: sockhash fix omitted bucket lock in sock_close

Crash: KASAN: use-after-free Write in bpf_tcp_close
Repro: syz .config
Discussions (2)
Title | Replies (including bot) | Last reply
Reminder: 36 open syzbot bugs in "net/bpf" subsystem | 1 (1) | 2019/07/03 06:01
KASAN: use-after-free Read in corrupted (3) | 0 (2) | 2019/06/26 23:55
Similar bugs (5)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Read in corrupted mm C 2 2196d 2199d 8/26 fixed on 2018/07/09 18:05
linux-4.14 KASAN: use-after-free Read in corrupted syz error 1 812d 1282d 0/1 upstream: reported syz repro on 2020/11/15 10:58
android-414 KASAN: use-after-free Read in corrupted C 2 1751d 1752d 0/1 public: reported C repro on 2019/08/03 12:36
upstream KASAN: use-after-free Read in corrupted (2) usb syz 1 1852d 1852d 0/26 closed as invalid on 2019/04/25 11:05
upstream KASAN: use-after-free Read in corrupted (4) C done error 10 386d 1378d 0/26 upstream: reported C repro on 2020/08/11 12:47

Sample crash report:
BUG: KASAN: use-after-free in vsnprintf+0x1727/0x19a0 lib/vsprintf.c:2503
Read of size 8 at addr ffff8880952500a0 by task syz-executor.1/9180

CPU: 0 PID: 9180 Comm: syz-executor.1 Not tainted 5.2.0-rc5+ #43
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:

Allocated by task 8:
 save_stack+0x23/0x90 mm/kasan/common.c:71
 set_track mm/kasan/common.c:79 [inline]
 __kasan_kmalloc mm/kasan/common.c:489 [inline]
 __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:462
 kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:497
 slab_post_alloc_hook mm/slab.h:437 [inline]
 slab_alloc mm/slab.c:3326 [inline]
 kmem_cache_alloc+0x11a/0x6f0 mm/slab.c:3488
 vm_area_dup+0x21/0x170 kernel/fork.c:343
 dup_mmap kernel/fork.c:528 [inline]
 dup_mm+0x8c4/0x13b0 kernel/fork.c:1341
 copy_mm kernel/fork.c:1397 [inline]
 copy_process.part.0+0x2cde/0x6790 kernel/fork.c:2032
 copy_process kernel/fork.c:1800 [inline]
 _do_fork+0x25d/0xfe0 kernel/fork.c:2369
 __do_sys_clone kernel/fork.c:2476 [inline]
 __se_sys_clone kernel/fork.c:2470 [inline]
 __x64_sys_clone+0xbf/0x150 kernel/fork.c:2470
 do_syscall_64+0xfd/0x680 arch/x86/entry/common.c:301

Freed by task 2502230480:
------------[ cut here ]------------
Bad or missing usercopy whitelist? Kernel memory overwrite attempt detected to SLAB object 'shmem_inode_cache' (offset 1040, size 1)!
WARNING: CPU: 0 PID: 9180 at mm/usercopy.c:74 usercopy_warn+0xeb/0x110 mm/usercopy.c:74
Kernel panic - not syncing: panic_on_warn set ...
Shutting down cpus with NMI
Kernel Offset: disabled

Crashes (1):
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title
2019/06/26 10:16 | net-next-old | 045df37e743c | 0a8d1a96 | .config | console log | report | syz | | | | ci-upstream-net-kasan-gce |