syzbot


KASAN: use-after-free Read in rhashtable_last_table

Status: closed as invalid on 2019/04/19 22:15
Subsystems: net
First crash: 2027d, last: 1916d
Similar bugs (6)
| Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|
| android-49 | KASAN: use-after-free Read in rhashtable_last_table | | | | 2 | 1610d | 1693d | 0/3 | auto-closed as invalid on 2020/03/20 18:26 |
| upstream | KASAN: use-after-free Read in rhashtable_last_table (2) net | | | | 1 | 1793d | 1793d | 12/26 | fixed on 2019/08/05 13:45 |
| linux-4.19 | KASAN: use-after-free Read in rhashtable_last_table | | | | 2 | 1066d | 1140d | 0/1 | auto-closed as invalid on 2021/09/15 21:37 |
| linux-4.19 | KASAN: use-after-free Read in rhashtable_last_table (2) | | | | 1 | 861d | 861d | 0/1 | auto-closed as invalid on 2022/04/09 15:34 |
| linux-4.19 | KASAN: use-after-free Read in rhashtable_last_table (3) | | | | 1 | 628d | 628d | 0/1 | auto-obsoleted due to no activity on 2022/11/27 23:30 |
| linux-4.14 | KASAN: use-after-free Read in rhashtable_last_table | | | | 1 | 1100d | 1100d | 0/1 | auto-closed as invalid on 2021/08/13 13:57 |

Sample crash report:
bridge0: port 1(bridge_slave_0) entered blocking state
bridge0: port 1(bridge_slave_0) entered disabled state
device bridge_slave_0 entered promiscuous mode
bridge0: port 2(bridge_slave_1) entered blocking state
==================================================================
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:191 [inline]
BUG: KASAN: use-after-free in rhashtable_last_table+0x220/0x250 lib/rhashtable.c:217
bridge0: port 2(bridge_slave_1) entered disabled state
Read of size 8 at addr ffff88808c993280 by task kworker/0:2/23357

CPU: 0 PID: 23357 Comm: kworker/0:2 Not tainted 5.0.0-rc1+ #17
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events rht_deferred_worker
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1db/0x2d0 lib/dump_stack.c:113
 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
device bridge_slave_1 entered promiscuous mode
 kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135
 __read_once_size include/linux/compiler.h:191 [inline]
 rhashtable_last_table+0x220/0x250 lib/rhashtable.c:217
 rht_deferred_worker+0x126/0x1de0 lib/rhashtable.c:410
 process_one_work+0xd0c/0x1ce0 kernel/workqueue.c:2153
 worker_thread+0x143/0x14a0 kernel/workqueue.c:2296
 kthread+0x357/0x430 kernel/kthread.c:246
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352

Allocated by task 18331:
 save_stack+0x45/0xd0 mm/kasan/common.c:73
 set_track mm/kasan/common.c:85 [inline]
 __kasan_kmalloc mm/kasan/common.c:496 [inline]
 __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:469
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:504
 __do_kmalloc_node mm/slab.c:3673 [inline]
 __kmalloc_node+0x4e/0x70 mm/slab.c:3680
 kmalloc_node include/linux/slab.h:588 [inline]
 kvmalloc_node+0x68/0x100 mm/util.c:416
 kvmalloc include/linux/mm.h:604 [inline]
 kvzalloc include/linux/mm.h:612 [inline]
 bucket_table_alloc+0x9f/0x540 lib/rhashtable.c:176
 rhashtable_init+0x525/0xa60 lib/rhashtable.c:1065
 inet_frags_init_net include/net/inet_frag.h:111 [inline]
 ipv6_frags_init_net+0x1de/0x4d0 net/ipv6/reassembly.c:635
 ops_init+0x109/0x5d0 net/core/net_namespace.c:129
 setup_net+0x326/0x8c0 net/core/net_namespace.c:314
 copy_net_ns+0x2ae/0x4b0 net/core/net_namespace.c:437
 create_new_namespaces+0x4ce/0x930 kernel/nsproxy.c:107
 unshare_nsproxy_namespaces+0xc2/0x200 kernel/nsproxy.c:206
 ksys_unshare+0x6d7/0xfb0 kernel/fork.c:2550
 __do_sys_unshare kernel/fork.c:2618 [inline]
 __se_sys_unshare kernel/fork.c:2616 [inline]
 __x64_sys_unshare+0x31/0x40 kernel/fork.c:2616
 do_syscall_64+0x1a3/0x800 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 7752:
 save_stack+0x45/0xd0 mm/kasan/common.c:73
 set_track mm/kasan/common.c:85 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:458
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:466
 __cache_free mm/slab.c:3487 [inline]
 kfree+0xcf/0x230 mm/slab.c:3806
 kvfree+0x61/0x70 mm/util.c:445
 bucket_table_free+0xde/0x260 lib/rhashtable.c:108
 rhashtable_free_and_destroy+0x155/0x8f0 lib/rhashtable.c:1163
 inet_frags_exit_net+0x3d/0x50 net/ipv4/inet_fragment.c:96
 ipv6_frags_exit_net+0x86/0xa0 net/ipv6/reassembly.c:648
 ops_exit_list.isra.0+0xb0/0x160 net/core/net_namespace.c:153
 cleanup_net+0x51d/0xb10 net/core/net_namespace.c:551
 process_one_work+0xd0c/0x1ce0 kernel/workqueue.c:2153
 worker_thread+0x143/0x14a0 kernel/workqueue.c:2296
 kthread+0x357/0x430 kernel/kthread.c:246
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352

The buggy address belongs to the object at ffff88808c993240
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 64 bytes inside of
 1024-byte region [ffff88808c993240, ffff88808c993640)
The buggy address belongs to the page:
page:ffffea0002326480 count:1 mapcount:0 mapping:ffff88812c3f0ac0 index:0xffff88808c9924c0 compound_mapcount: 0
flags: 0x1fffc0000010200(slab|head)
raw: 01fffc0000010200 ffffea000277d788 ffffea00028c1388 ffff88812c3f0ac0
raw: ffff88808c9924c0 ffff88808c992040 0000000100000003 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88808c993180: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff88808c993200: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff88808c993280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff88808c993300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88808c993380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
bond0: Enslaving bond_slave_0 as an active interface with an up link
bond0: Enslaving bond_slave_1 as an active interface with an up link
IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
team0: Port device team_slave_0 added

Crashes (4):
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2019/01/10 10:56 | upstream | 4064e47c8281 | 45c0c1b1 | .config | console log | report | | | | | ci-upstream-kasan-gce-root | |
| 2019/01/20 11:34 | upstream | b0efca46b570 | 353f32ea | .config | console log | report | | | | | ci-upstream-kasan-gce-386 | |
| 2018/11/01 07:01 | net-old | d48051c5b837 | 1f38e9ae | .config | console log | report | | | | | ci-upstream-net-this-kasan-gce | |
| 2018/09/30 19:37 | bpf | 4288ea006c73 | 41e4b329 | .config | console log | report | | | | | ci-upstream-bpf-kasan-gce | |