KASAN: use-after-free Write in __alloc_skb

Status: fixed on 2020/02/11 15:16
Fix commit: be1a2be7a7b0 net: rtnetlink: validate IFLA_MTU attribute in rtnl_create_link()
First crash: 1130d, last: 1062d

Fix bisection: fixed by (bisect log) :
commit be1a2be7a7b0ed5a758fd8decc39386ba3b5d556
Author: Eric Dumazet <>
Date: Wed Jan 22 06:47:29 2020 +0000

  net: rtnetlink: validate IFLA_MTU attribute in rtnl_create_link()

similar bugs (5):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Write in __alloc_skb (3) C done inconclusive 2 495d 863d 0/24 upstream: reported C repro on 2020/07/29 18:24
upstream KASAN: use-after-free Write in __alloc_skb (2) C done 7 1076d 1093d 16/24 fixed on 2020/02/18 14:31
linux-4.14 KASAN: use-after-free Write in __alloc_skb (2) C 1 44d 869d 0/1 upstream: reported C repro on 2020/07/24 01:04
upstream KASAN: use-after-free Write in __alloc_skb 2 1117d 1123d 0/24 closed as invalid on 2019/12/08 05:44
linux-4.14 KASAN: use-after-free Write in __alloc_skb C done 1 1062d 1092d 1/1 fixed on 2020/02/14 21:56

Sample crash report:
audit: type=1400 audit(1576230604.619:39): avc:  denied  { read } for  pid=7655 comm="syz-executor358" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
BUG: KASAN: use-after-free in memset include/linux/string.h:333 [inline]
BUG: KASAN: use-after-free in __alloc_skb+0x381/0x5f0 net/core/skbuff.c:234
Write of size 32 at addr ffff8881a3a4a540 by task swapper/1/0

CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.19.89-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x197/0x210 lib/dump_stack.c:118
 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report mm/kasan/report.c:412 [inline]
 kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:396
 check_memory_region_inline mm/kasan/kasan.c:260 [inline]
 check_memory_region+0x123/0x190 mm/kasan/kasan.c:267
 memset+0x24/0x40 mm/kasan/kasan.c:285
 memset include/linux/string.h:333 [inline]
 __alloc_skb+0x381/0x5f0 net/core/skbuff.c:234
 alloc_skb include/linux/skbuff.h:995 [inline]
 alloc_skb_with_frags+0x93/0x590 net/core/skbuff.c:5303
 sock_alloc_send_pskb+0x72d/0x8a0 net/core/sock.c:2085
 sock_alloc_send_skb+0x32/0x40 net/core/sock.c:2102
 mld_newpack+0x1d7/0x7f0 net/ipv6/mcast.c:1611
 add_grhead.isra.0+0x299/0x370 net/ipv6/mcast.c:1715
 add_grec+0x7e7/0x10c0 net/ipv6/mcast.c:1846
 mld_send_cr net/ipv6/mcast.c:1972 [inline]
 mld_ifc_timer_expire+0x3d4/0x8b0 net/ipv6/mcast.c:2479
 call_timer_fn+0x18d/0x720 kernel/time/timer.c:1326
 expire_timers kernel/time/timer.c:1363 [inline]
 __run_timers kernel/time/timer.c:1684 [inline]
 __run_timers kernel/time/timer.c:1652 [inline]
 run_timer_softirq+0x64f/0x16a0 kernel/time/timer.c:1697
 __do_softirq+0x25c/0x921 kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:372 [inline]
 irq_exit+0x180/0x1d0 kernel/softirq.c:412
 exiting_irq arch/x86/include/asm/apic.h:536 [inline]
 smp_apic_timer_interrupt+0x13b/0x550 arch/x86/kernel/apic/apic.c:1094
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:893
RIP: 0010:native_safe_halt+0xe/0x10 arch/x86/include/asm/irqflags.h:61
Code: ff ff 48 89 df e8 92 64 56 fa eb 82 e9 07 00 00 00 0f 00 2d 84 73 5b 00 f4 c3 66 90 e9 07 00 00 00 0f 00 2d 74 73 5b 00 fb f4 <c3> 90 55 48 89 e5 41 57 41 56 41 55 41 54 53 e8 1e 43 0d fa e8 f9
RSP: 0018:ffff8880aa3b7d08 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff13
RAX: 1ffffffff11e4b7c RBX: ffff8880aa3a43c0 RCX: 0000000000000000
RDX: dffffc0000000000 RSI: 0000000000000001 RDI: ffff8880aa3a4c3c
RBP: ffff8880aa3b7d38 R08: ffff8880aa3a43c0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
R13: ffffffff88f25bd0 R14: 0000000000000000 R15: ffff8880aa3a43c0
 arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:556
 default_idle_call+0x36/0x90 kernel/sched/idle.c:93
 cpuidle_idle_call kernel/sched/idle.c:153 [inline]
 do_idle+0x30c/0x4d0 kernel/sched/idle.c:263
 cpu_startup_entry+0xc8/0xe0 kernel/sched/idle.c:369
 start_secondary+0x3e8/0x5b0 arch/x86/kernel/smpboot.c:271
 secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:243

The buggy address belongs to the page:
page:ffffea00068e9280 count:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x57ffe0000000000()
raw: 057ffe0000000000 ffffea00068e9288 ffffea00068e9288 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881a3a4a400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881a3a4a480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8881a3a4a500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881a3a4a580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881a3a4a600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

Crashes (2):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci2-linux-4-19 2019/12/13 09:52 linux-4.19.y 312017a460d5 2a752b7c .config log report syz C
ci2-linux-4-19 2019/11/05 11:01 linux-4.19.y ef244c308885 76630fc9 .config log report
* Struck through repros no longer work on HEAD.