KASAN: use-after-free Write in __alloc_skb (3)

Status: upstream: reported C repro on 2020/07/29 18:24
First crash: 918d, last: 545d

Cause bisection: the issue happens on the oldest tested release (bisect log)
Crash: WARNING in sysfs_warn_dup (log)
Repro: C syz .config

Fix bisection: the fix commit could be any of (bisect log):
  68845a55c31b Merge branch 'akpm' into master (patches from Andrew)
  9e9fb7655ed5 Merge tag 'net-next-5.15' of git://
similar bugs (5):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.19 KASAN: use-after-free Write in __alloc_skb C done 2 1113d 1181d 1/1 fixed on 2020/02/11 15:16
upstream KASAN: use-after-free Write in __alloc_skb (2) C done 7 1127d 1143d 16/24 fixed on 2020/02/18 14:31
linux-4.14 KASAN: use-after-free Write in __alloc_skb (2) C 1 9d19h 919d 0/1 upstream: reported C repro on 2020/07/24 01:04
upstream KASAN: use-after-free Write in __alloc_skb 2 1167d 1173d 0/24 closed as invalid on 2019/12/08 05:44
linux-4.14 KASAN: use-after-free Write in __alloc_skb C done 1 1113d 1143d 1/1 fixed on 2020/02/14 21:56
Last patch testing requests:
Created Duration User Patch Repo Result
2022/12/25 11:31 20m retest repro upstream OK log
2022/10/10 13:30 16m retest repro linux-next error
2022/09/16 08:29 11m retest repro upstream report log
2021/04/15 14:15 12m upstream report log
2020/08/29 06:31 11m upstream report log

Sample crash report:
BUG: KASAN: use-after-free in memset include/linux/string.h:391 [inline]
BUG: KASAN: use-after-free in __alloc_skb+0x2f6/0x550 net/core/skbuff.c:239
Write of size 32 at addr ffff88819e6dfe40 by task swapper/0/0
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.8.0-rc6-next-20200724-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x18f/0x20d lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xae/0x497 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
 check_memory_region_inline mm/kasan/generic.c:186 [inline]
 check_memory_region+0x13d/0x180 mm/kasan/generic.c:192
 memset+0x20/0x40 mm/kasan/common.c:84
 memset include/linux/string.h:391 [inline]
 __alloc_skb+0x2f6/0x550 net/core/skbuff.c:239
 alloc_skb include/linux/skbuff.h:1084 [inline]
 alloc_skb_with_frags+0x92/0x570 net/core/skbuff.c:5770
 sock_alloc_send_pskb+0x72a/0x880 net/core/sock.c:2346
 mld_newpack+0x1e0/0x770 net/ipv6/mcast.c:1606
 add_grhead+0x265/0x330 net/ipv6/mcast.c:1710
 add_grec+0xe2c/0x1090 net/ipv6/mcast.c:1841
 mld_send_cr net/ipv6/mcast.c:1967 [inline]
 mld_ifc_timer_expire+0x596/0xf10 net/ipv6/mcast.c:2474
 call_timer_fn+0x1ac/0x760 kernel/time/timer.c:1415
 expire_timers kernel/time/timer.c:1460 [inline]
 __run_timers.part.0+0x54c/0xa20 kernel/time/timer.c:1784
 __run_timers kernel/time/timer.c:1756 [inline]
 run_timer_softirq+0xae/0x1a0 kernel/time/timer.c:1797
 __do_softirq+0x2df/0xa22 kernel/softirq.c:298
 asm_call_on_stack+0xf/0x20 arch/x86/entry/entry_64.S:706
 __run_on_irqstack arch/x86/include/asm/irq_stack.h:22 [inline]
 run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:48 [inline]
 do_softirq_own_stack+0x9d/0xd0 arch/x86/kernel/irq_64.c:77
 invoke_softirq kernel/softirq.c:393 [inline]
 __irq_exit_rcu kernel/softirq.c:423 [inline]
 irq_exit_rcu+0x1f3/0x230 kernel/softirq.c:435
 sysvec_apic_timer_interrupt+0x51/0xf0 arch/x86/kernel/apic/apic.c:1090
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:590
RIP: 0010:native_safe_halt+0xe/0x10 arch/x86/include/asm/irqflags.h:61
Code: ff 4c 89 ef e8 83 ee c4 f9 e9 8e fe ff ff 48 89 df e8 76 ee c4 f9 eb 8a cc cc cc cc e9 07 00 00 00 0f 00 2d 44 94 59 00 fb f4 <c3> 90 e9 07 00 00 00 0f 00 2d 34 94 59 00 f4 c3 cc cc 55 53 e8 19
RSP: 0018:ffffffff89a07c70 EFLAGS: 00000293
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 1ffffffff1571651
RDX: ffffffff89a85d00 RSI: ffffffff87ef2658 RDI: ffffffff87ef262e
RBP: ffff88821a8dd064 R08: 0000000000000001 R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000001 R12: ffff88821a8dd064
R13: 1ffffffff1340f98 R14: ffff88821a8dd065 R15: 0000000000000001
 arch_safe_halt arch/x86/include/asm/paravirt.h:150 [inline]
 acpi_safe_halt+0x8d/0x110 drivers/acpi/processor_idle.c:111
 acpi_idle_do_entry+0x15c/0x1b0 drivers/acpi/processor_idle.c:524
 acpi_idle_enter+0x3f9/0xab0 drivers/acpi/processor_idle.c:650
 cpuidle_enter_state+0xff/0x960 drivers/cpuidle/cpuidle.c:235
 cpuidle_enter+0x4a/0xa0 drivers/cpuidle/cpuidle.c:346
 call_cpuidle kernel/sched/idle.c:126 [inline]
 cpuidle_idle_call kernel/sched/idle.c:214 [inline]
 do_idle+0x431/0x6d0 kernel/sched/idle.c:276
 cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:372
 start_kernel+0x9cb/0xa06 init/main.c:1045
 secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:243
The buggy address belongs to the page:
page:0000000005f830ec refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x19e6df
flags: 0x57ffe0000000000()
raw: 057ffe0000000000 ffffea000679b7c8 ffffea000679b7c8 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
 ffff88819e6dfd00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88819e6dfd80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88819e6dfe00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88819e6dfe80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88819e6dff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

Crashes (2):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Title
ci-upstream-linux-next-kasan-gce-root 2020/07/27 08:23 linux-next 26027945c94a 51265195 .config console log report syz C
ci-upstream-kasan-gce 2020/07/25 18:21 upstream 68845a55c31b 1f7cc1ca .config console log report syz C
* Struck through repros no longer work on HEAD.