KASAN: use-after-free Read in pppol2tp

Kernel	Title	Repro	Fix bisect	Count	Last	Reported	Patched	Status
android-44	KASAN: use-after-free Read in pppol2tp_connect	C		28	2275d	2049d	0/2	public: reported C repro on 2019/04/13 00:00
upstream	KASAN: use-after-free Read in pppol2tp_connect (2) net	C		10	2435d	2450d	4/28	fixed on 2018/03/23 18:14
linux-4.14	KASAN: use-after-free Read in pppol2tp_connect	syz	inconclusive	7	1636d	1884d	0/1	upstream: reported syz repro on 2019/09/25 11:59
upstream	KASAN: use-after-free Read in pppol2tp_connect (3) net	C		22	2415d	2433d	5/28	fixed on 2018/05/08 18:30
upstream	KASAN: use-after-free Read in pppol2tp_connect net	C		25	2452d	2501d	4/28	fixed on 2018/03/06 13:29

================================================================== BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:243 [inline] BUG: KASAN: use-after-free in sk_dst_get include/net/sock.h:1695 [inline] BUG: KASAN: use-after-free in pppol2tp_connect+0x1580/0x18f0 net/l2tp/l2tp_ppp.c:746 Read of size 8 at addr ffff8801ced401d8 by task syz-executor7/9507 CPU: 0 PID: 9507 Comm: syz-executor7 Not tainted 4.9.119-g9dc978d #75 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801a16d7ad0 ffffffff81eb4be9 ffffea00073b5000 ffff8801ced401d8 0000000000000000 ffff8801ced401d8 0000000000000000 ffff8801a16d7b08 ffffffff81567f89 ffff8801ced401d8 0000000000000008 0000000000000000 Call Trace: [<ffffffff81eb4be9>] __dump_stack lib/dump_stack.c:15 [inline] [<ffffffff81eb4be9>] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [<ffffffff81567f89>] print_address_description+0x6c/0x234 mm/kasan/report.c:256 [<ffffffff81568393>] kasan_report_error mm/kasan/report.c:355 [inline] [<ffffffff81568393>] kasan_report.cold.6+0x242/0x2fe mm/kasan/report.c:412 [<ffffffff8153bf14>] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433 [<ffffffff836c94a0>] __read_once_size include/linux/compiler.h:243 [inline] [<ffffffff836c94a0>] sk_dst_get include/net/sock.h:1695 [inline] [<ffffffff836c94a0>] pppol2tp_connect+0x1580/0x18f0 net/l2tp/l2tp_ppp.c:746 [<ffffffff83019958>] SYSC_connect+0x1b8/0x300 net/socket.c:1563 [<ffffffff8301c224>] SyS_connect+0x24/0x30 net/socket.c:1544 [<ffffffff81006316>] do_syscall_64+0x1a6/0x490 arch/x86/entry/common.c:282 [<ffffffff839fccd3>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb Allocated by task 8791: save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:505 set_track mm/kasan/kasan.c:517 [inline] kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:609 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:547 slab_post_alloc_hook mm/slab.h:417 [inline] slab_alloc_node mm/slub.c:2715 [inline] slab_alloc mm/slub.c:2723 [inline] kmem_cache_alloc+0xbe/0x290 mm/slub.c:2728 sk_prot_alloc+0x69/0x290 net/core/sock.c:1332 sk_alloc+0x3a/0x3a0 net/core/sock.c:1394 inet6_create+0x2d9/0xd80 net/ipv6/af_inet6.c:198 __sock_create+0x2ef/0x5f0 net/socket.c:1183 sock_create net/socket.c:1223 [inline] SYSC_socket net/socket.c:1253 [inline] SyS_socket+0xf0/0x1b0 net/socket.c:1233 do_syscall_64+0x1a6/0x490 arch/x86/entry/common.c:282 entry_SYSCALL_64_after_swapgs+0x5d/0xdb Freed by task 8874: save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:505 set_track mm/kasan/kasan.c:517 [inline] kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:582 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kmem_cache_free+0xbe/0x310 mm/slub.c:2980 sk_prot_free net/core/sock.c:1375 [inline] __sk_destruct+0x3b9/0x590 net/core/sock.c:1455 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x8ae/0x12b0 kernel/rcu/tree.c:3037 __do_softirq+0x20b/0x937 kernel/softirq.c:284 The buggy address belongs to the object at ffff8801ced40000 which belongs to the cache UDPv6 of size 1496 The buggy address is located 472 bytes inside of 1496-byte region [ffff8801ced40000, ffff8801ced405d8) The buggy address belongs to the page: page:ffffea00073b5000 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0 flags: 0x8000000000004080(slab|head) page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8801ced40080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801ced40100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8801ced40180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801ced40200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801ced40280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================

Time	Kernel	Commit	Syzkaller	Config	Log	Report	Manager
2018/08/11 23:34	https://android.googlesource.com/kernel/common android-4.9	9dc978d43ec7	7a88b141	.config	console log	report	ci-android-49-kasan-gce
2018/08/08 01:21	https://android.googlesource.com/kernel/common android-4.9	47b77b8d01c4	1beb8136	.config	console log	report	ci-android-49-kasan-gce-root
2018/07/15 17:29	https://android.googlesource.com/kernel/common android-4.9	9e7903954483	92a49505	.config	console log	report	ci-android-49-kasan-gce-root
2018/05/18 10:10	https://android.googlesource.com/kernel/common android-4.9	73fdfa38c59d	c992b767	.config	console log	report	ci-android-49-kasan-gce
2018/01/31 11:00	https://android.googlesource.com/kernel/common android-4.9	7be198545491	02553e22	.config	console log	report	ci-android-49-kasan-gce
2018/01/18 23:34	https://android.googlesource.com/kernel/common android-4.9	87883134eb71	161c1d64	.config	console log	report	ci-android-49-kasan-gce
2018/03/01 04:02	https://android.googlesource.com/kernel/common android-4.9	6e463bb69c99	05b5a32c	.config	console log	report	ci-android-49-kasan-gce-386
2018/02/21 20:52	https://android.googlesource.com/kernel/common android-4.9	7ec482be026a	04cbdbd1	.config	console log	report	ci-android-49-kasan-gce-386