syzbot


KASAN: use-after-free Write in __alloc_skb (3)

Status: upstream: reported C repro on 2020/07/29 18:24
Reported-by: syzbot+7569bc4cd6fad9f1e551@syzkaller.appspotmail.com
First crash: 792d, last: 420d

Cause bisection: the issue happens on the oldest tested release (bisect log)
Crash: WARNING in sysfs_warn_dup (log)
Repro: C syz .config

Fix bisection: the fix commit could be any of (bisect log):
  68845a55c31b Merge branch 'akpm' into master (patches from Andrew)
  9e9fb7655ed5 Merge tag 'net-next-5.15' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next
similar bugs (5):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.19 KASAN: use-after-free Write in __alloc_skb C done 2 987d 1055d 1/1 fixed on 2020/02/11 15:16
upstream KASAN: use-after-free Write in __alloc_skb (2) C done 7 1001d 1018d 16/24 fixed on 2020/02/18 14:31
linux-4.14 KASAN: use-after-free Write in __alloc_skb (2) C 1 7d05h 794d 0/1 upstream: reported C repro on 2020/07/24 01:04
upstream KASAN: use-after-free Write in __alloc_skb 2 1042d 1048d 0/24 closed as invalid on 2019/12/08 05:44
linux-4.14 KASAN: use-after-free Write in __alloc_skb C done 1 987d 1017d 1/1 fixed on 2020/02/14 21:56
Patch testing requests:
Created Duration User Patch Repo Result
2022/09/16 08:29 11m upstream report log
2021/04/15 14:15 12m alaaemadhossney.ae@gmail.com upstream report log
2020/08/29 06:31 11m brookebasile@gmail.com upstream report log

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in memset include/linux/string.h:391 [inline]
BUG: KASAN: use-after-free in __alloc_skb+0x2f6/0x550 net/core/skbuff.c:239
Write of size 32 at addr ffff8881a7463f40 by task swapper/1/0

CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.8.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x18f/0x20d lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xae/0x436 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
 check_memory_region_inline mm/kasan/generic.c:186 [inline]
 check_memory_region+0x13d/0x180 mm/kasan/generic.c:192
 memset+0x20/0x40 mm/kasan/common.c:84
 memset include/linux/string.h:391 [inline]
 __alloc_skb+0x2f6/0x550 net/core/skbuff.c:239
 alloc_skb include/linux/skbuff.h:1083 [inline]
 alloc_skb_with_frags+0x92/0x570 net/core/skbuff.c:5770
 sock_alloc_send_pskb+0x72a/0x880 net/core/sock.c:2356
 mld_newpack+0x1e0/0x770 net/ipv6/mcast.c:1606
 add_grhead+0x265/0x330 net/ipv6/mcast.c:1710
 add_grec+0xe2c/0x1090 net/ipv6/mcast.c:1841
 mld_send_cr net/ipv6/mcast.c:1967 [inline]
 mld_ifc_timer_expire+0x596/0xf10 net/ipv6/mcast.c:2474
 call_timer_fn+0x1ac/0x760 kernel/time/timer.c:1415
 expire_timers kernel/time/timer.c:1460 [inline]
 __run_timers.part.0+0x54c/0xa20 kernel/time/timer.c:1784
 __run_timers kernel/time/timer.c:1756 [inline]
 run_timer_softirq+0xae/0x1a0 kernel/time/timer.c:1797
 __do_softirq+0x34c/0xa60 kernel/softirq.c:292
 asm_call_on_stack+0xf/0x20 arch/x86/entry/entry_64.S:711
 </IRQ>
 __run_on_irqstack arch/x86/include/asm/irq_stack.h:22 [inline]
 run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:48 [inline]
 do_softirq_own_stack+0x111/0x170 arch/x86/kernel/irq_64.c:77
 invoke_softirq kernel/softirq.c:387 [inline]
 __irq_exit_rcu kernel/softirq.c:417 [inline]
 irq_exit_rcu+0x229/0x270 kernel/softirq.c:429
 sysvec_apic_timer_interrupt+0x54/0x120 arch/x86/kernel/apic/apic.c:1091
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:585
RIP: 0010:native_safe_halt+0xe/0x10 arch/x86/include/asm/irqflags.h:61
Code: ff 4c 89 ef e8 33 c9 ca f9 e9 8e fe ff ff 48 89 df e8 26 c9 ca f9 eb 8a cc cc cc cc e9 07 00 00 00 0f 00 2d 74 5f 60 00 fb f4 <c3> 90 e9 07 00 00 00 0f 00 2d 64 5f 60 00 f4 c3 cc cc 55 53 e8 29
RSP: 0018:ffffc90000d3fc88 EFLAGS: 00000293
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff8880a9636340 RSI: ffffffff87e85c48 RDI: ffffffff87e85c1e
RBP: ffff8880a68e7864 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: ffff8880a68e7864
R13: 1ffff920001a7f9b R14: ffff8880a68e7865 R15: 0000000000000001
 arch_safe_halt arch/x86/include/asm/paravirt.h:150 [inline]
 acpi_safe_halt+0x8d/0x110 drivers/acpi/processor_idle.c:111
 acpi_idle_do_entry+0x15c/0x1b0 drivers/acpi/processor_idle.c:525
 acpi_idle_enter+0x3f9/0xab0 drivers/acpi/processor_idle.c:651
 cpuidle_enter_state+0xff/0x960 drivers/cpuidle/cpuidle.c:235
 cpuidle_enter+0x4a/0xa0 drivers/cpuidle/cpuidle.c:346
 call_cpuidle kernel/sched/idle.c:126 [inline]
 cpuidle_idle_call kernel/sched/idle.c:214 [inline]
 do_idle+0x431/0x6d0 kernel/sched/idle.c:276
 cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:372
 start_secondary+0x2b3/0x370 arch/x86/kernel/smpboot.c:268
 secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:243

The buggy address belongs to the page:
page:ffffea00069d18c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x57ffe0000000000()
raw: 057ffe0000000000 ffffea00069d18c8 ffffea00069d18c8 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881a7463e00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881a7463e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8881a7463f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                           ^
 ffff8881a7463f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881a7464000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (2):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kasan-gce 2020/07/25 18:21 upstream 68845a55c31b 1f7cc1ca .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/07/27 08:23 linux-next 26027945c94a 51265195 .config log report syz C
* Struck through repros no longer work on HEAD.