KASAN: use-after-free Read in tipc_mcast

Kernel	Title	Repro	Cause bisect	Count	Last	Reported	Patched	Status
android-54	KASAN: use-after-free Read in tipc_mcast_xmit	C		23	1284d	1305d	0/2	auto-obsoleted due to no activity on 2023/04/17 09:09
upstream	KASAN: use-after-free Read in tipc_mcast_xmit (2) tipc	C	done	37	1288d	1302d	15/26	fixed on 2020/11/16 12:12
upstream	KASAN: use-after-free Read in tipc_mcast_xmit tipc	syz		7	1950d	1957d	11/26	fixed on 2019/01/11 01:22

R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000402200 R13: 0000000000402290 R14: 0000000000000000 R15: 0000000000000000 Failed do clone local mcast rcv buffer ================================================================== BUG: KASAN: use-after-free in __skb_unlink include/linux/skbuff.h:1911 [inline] BUG: KASAN: use-after-free in __skb_dequeue include/linux/skbuff.h:1931 [inline] BUG: KASAN: use-after-free in __skb_queue_purge include/linux/skbuff.h:2648 [inline] BUG: KASAN: use-after-free in tipc_mcast_xmit+0x89f/0x950 net/tipc/bcast.c:322 Read of size 8 at addr ffff8880901faa80 by task syz-executor873/6490 CPU: 1 PID: 6490 Comm: syz-executor873 Not tainted 4.19.149-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x22c/0x33e lib/dump_stack.c:118 print_address_description.cold+0x56/0x25c mm/kasan/report.c:256 kasan_report_error.cold+0x66/0xb9 mm/kasan/report.c:354 kasan_report mm/kasan/report.c:412 [inline] __asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433 __skb_unlink include/linux/skbuff.h:1911 [inline] __skb_dequeue include/linux/skbuff.h:1931 [inline] __skb_queue_purge include/linux/skbuff.h:2648 [inline] tipc_mcast_xmit+0x89f/0x950 net/tipc/bcast.c:322 tipc_sendmcast+0xa90/0xc10 net/tipc/socket.c:808 __tipc_sendmsg+0xe82/0x1320 net/tipc/socket.c:1342 tipc_sendmsg+0x4c/0x70 net/tipc/socket.c:1276 sock_sendmsg_nosec net/socket.c:622 [inline] sock_sendmsg+0xc7/0x130 net/socket.c:632 ___sys_sendmsg+0x7bb/0x8f0 net/socket.c:2115 __sys_sendmsg net/socket.c:2153 [inline] __do_sys_sendmsg net/socket.c:2162 [inline] __se_sys_sendmsg net/socket.c:2160 [inline] __x64_sys_sendmsg+0x132/0x220 net/socket.c:2160 do_syscall_64+0xf9/0x670 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x441339 Code: e8 5c ae 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 0a fc ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007fffb68f1ce8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441339 RDX: 0000000000000000 RSI: 0000000020000380 RDI: 0000000000000004 RBP: 00000000006cd018 R08: 0000000000000001 R09: 00000000004002c8 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000402200 R13: 0000000000402290 R14: 0000000000000000 R15: 0000000000000000 Allocated by task 6490: kmem_cache_alloc_node+0x146/0x4d0 mm/slab.c:3649 __alloc_skb+0x71/0x580 net/core/skbuff.c:193 alloc_skb_fclone include/linux/skbuff.h:1037 [inline] tipc_buf_acquire+0x28/0xf0 net/tipc/msg.c:66 tipc_msg_build+0x686/0x1040 net/tipc/msg.c:309 tipc_sendmcast+0x901/0xc10 net/tipc/socket.c:804 __tipc_sendmsg+0xe82/0x1320 net/tipc/socket.c:1342 tipc_sendmsg+0x4c/0x70 net/tipc/socket.c:1276 sock_sendmsg_nosec net/socket.c:622 [inline] sock_sendmsg+0xc7/0x130 net/socket.c:632 ___sys_sendmsg+0x7bb/0x8f0 net/socket.c:2115 __sys_sendmsg net/socket.c:2153 [inline] __do_sys_sendmsg net/socket.c:2162 [inline] __se_sys_sendmsg net/socket.c:2160 [inline] __x64_sys_sendmsg+0x132/0x220 net/socket.c:2160 do_syscall_64+0xf9/0x670 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 6490: __cache_free mm/slab.c:3503 [inline] kmem_cache_free+0x7f/0x2b0 mm/slab.c:3765 kfree_skbmem+0xa4/0x140 net/core/skbuff.c:607 __kfree_skb net/core/skbuff.c:646 [inline] kfree_skb+0x127/0x3f0 net/core/skbuff.c:663 tipc_buf_append+0x655/0xc30 net/tipc/msg.c:188 tipc_msg_reassemble+0x175/0x4f0 net/tipc/msg.c:649 tipc_mcast_xmit+0x34d/0x950 net/tipc/bcast.c:305 tipc_sendmcast+0xa90/0xc10 net/tipc/socket.c:808 __tipc_sendmsg+0xe82/0x1320 net/tipc/socket.c:1342 tipc_sendmsg+0x4c/0x70 net/tipc/socket.c:1276 sock_sendmsg_nosec net/socket.c:622 [inline] sock_sendmsg+0xc7/0x130 net/socket.c:632 ___sys_sendmsg+0x7bb/0x8f0 net/socket.c:2115 __sys_sendmsg net/socket.c:2153 [inline] __do_sys_sendmsg net/socket.c:2162 [inline] __se_sys_sendmsg net/socket.c:2160 [inline] __x64_sys_sendmsg+0x132/0x220 net/socket.c:2160 do_syscall_64+0xf9/0x670 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe The buggy address belongs to the object at ffff8880901faa80 which belongs to the cache skbuff_fclone_cache of size 472 The buggy address is located 0 bytes inside of 472-byte region [ffff8880901faa80, ffff8880901fac58) The buggy address belongs to the page: page:ffffea0002407e80 count:1 mapcount:0 mapping:ffff88821b6af9c0 index:0x0 flags: 0xfffe0000000100(slab) raw: 00fffe0000000100 ffffea0002788008 ffff8880a9b5e448 ffff88821b6af9c0 raw: 0000000000000000 ffff8880901fa080 0000000100000006 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880901fa980: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc ffff8880901faa00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8880901faa80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880901fab00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880901fab80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================

Crashes (3):
Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Manager
2020/10/05 11:47	linux-4.19.y	b09c34517e1a	5ef9c291	.config	console log	report	syz	C		ci2-linux-4-19
2020/10/28 20:13	linux-4.19.y	ad326970d25c	f24824d3	.config	console log	report			info	ci2-linux-4-19
2020/10/05 11:34	linux-4.19.y	b09c34517e1a	5ef9c291	.config	console log	report			info	ci2-linux-4-19

Crashes (3):

Assets (help?)