syzbot

KASAN: use-after-free Write in skb_release_data

Status: auto-closed as invalid on 2020/02/13 13:09
Reported-by: syzbot+da67ebd08c9fcf9dee54@syzkaller.appspotmail.com
First crash: 1784d, last: 1705d
Similar bugs (5):
Kernel     | Title                                               | Subsystem | Repro | Cause bisect | Fix bisect | Count | Last  | Reported | Patched | Status
upstream   | KASAN: use-after-free Write in skb_release_data     | net       | C     | -            | -          | 1903  | 2214d | 2266d    | 8/27    | fixed on 2018/08/07 13:43
linux-4.19 | KASAN: use-after-free Write in skb_release_data     | -         | -     | -            | -          | 1     | 1526d | 1526d    | 0/1     | auto-closed as invalid on 2020/08/10 01:37
upstream   | KASAN: use-after-free Write in skb_release_data (2) | net       | C     | done         | unreliable | 875   | 1011d | 2071d    | 0/27    | auto-obsoleted due to no activity on 2023/04/16 03:59
linux-4.19 | KASAN: use-after-free Write in skb_release_data (2) | -         | -     | -            | -          | 3     | 1141d | 1217d    | 0/1     | auto-closed as invalid on 2021/08/30 12:28
android-54 | KASAN: use-after-free Write in skb_release_data     | -         | -     | -            | -          | 2     | 1417d | 1448d    | 0/2     | auto-closed as invalid on 2020/11/26 21:03

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in atomic_sub_return include/asm-generic/atomic-instrumented.h:258 [inline]
BUG: KASAN: use-after-free in skb_release_data+0x101/0x770 net/core/skbuff.c:563
Write of size 4 at addr ffff88819c0d25e4 by task syz-executor.5/8332

CPU: 1 PID: 8332 Comm: syz-executor.5 Not tainted 4.14.149+ #0
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0xca/0x134 lib/dump_stack.c:53
 print_address_description+0x60/0x226 mm/kasan/report.c:187
 __kasan_report.cold+0x1a/0x41 mm/kasan/report.c:316
 atomic_sub_return include/asm-generic/atomic-instrumented.h:258 [inline]
 skb_release_data+0x101/0x770 net/core/skbuff.c:563
 skb_release_all+0x46/0x60 net/core/skbuff.c:631
 __kfree_skb net/core/skbuff.c:645 [inline]
 kfree_skb+0xe3/0x370 net/core/skbuff.c:663
 vti6_tnl_xmit+0x2ba/0x1660 net/ipv6/ip6_vti.c:570
 __netdev_start_xmit include/linux/netdevice.h:4033 [inline]
 netdev_start_xmit include/linux/netdevice.h:4042 [inline]
 xmit_one net/core/dev.c:3009 [inline]
 dev_hard_start_xmit+0x19f/0x8c0 net/core/dev.c:3025
 __dev_queue_xmit+0x11e0/0x1d00 net/core/dev.c:3525
 packet_sendmsg_spkt+0xb4f/0x1210 net/packet/af_packet.c:2014
 sock_sendmsg_nosec net/socket.c:646 [inline]
 sock_sendmsg+0xb7/0x100 net/socket.c:656
 ___sys_sendmsg+0x752/0x890 net/socket.c:2062
 __sys_sendmsg+0xb6/0x150 net/socket.c:2096
 SYSC_sendmsg net/socket.c:2107 [inline]
 SyS_sendmsg+0x27/0x40 net/socket.c:2103
 do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x459a59
RSP: 002b:00007f0a3e2f5c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459a59
RDX: 0000000000000001 RSI: 00000000200014c0 RDI: 0000000000000007
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f0a3e2f66d4
R13: 00000000004c752c R14: 00000000004dd268 R15: 00000000ffffffff

Allocated by task 8332:
 save_stack mm/kasan/common.c:76 [inline]
 set_track mm/kasan/common.c:85 [inline]
 __kasan_kmalloc.part.0+0x53/0xc0 mm/kasan/common.c:501
 slab_post_alloc_hook mm/slab.h:439 [inline]
 slab_alloc_node mm/slub.c:2792 [inline]
 slab_alloc mm/slub.c:2800 [inline]
 __kmalloc_track_caller+0x10d/0x390 mm/slub.c:4367
 __kmalloc_reserve.isra.0+0x2d/0xc0 net/core/skbuff.c:137
 __alloc_skb+0x118/0x5c0 net/core/skbuff.c:205
 alloc_skb include/linux/skbuff.h:980 [inline]
 sock_wmalloc+0xb6/0x110 net/core/sock.c:1930
 packet_sendmsg_spkt+0x3bb/0x1210 net/packet/af_packet.c:1962
 sock_sendmsg_nosec net/socket.c:646 [inline]
 sock_sendmsg+0xb7/0x100 net/socket.c:656
 ___sys_sendmsg+0x752/0x890 net/socket.c:2062
 __sys_sendmsg+0xb6/0x150 net/socket.c:2096
 SYSC_sendmsg net/socket.c:2107 [inline]
 SyS_sendmsg+0x27/0x40 net/socket.c:2103
 do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
 0xffffffffffffffff

Freed by task 8332:
 save_stack mm/kasan/common.c:76 [inline]
 set_track mm/kasan/common.c:85 [inline]
 __kasan_slab_free+0x164/0x210 mm/kasan/common.c:463
 slab_free_hook mm/slub.c:1407 [inline]
 slab_free_freelist_hook mm/slub.c:1458 [inline]
 slab_free mm/slub.c:3039 [inline]
 kfree+0x108/0x3a0 mm/slub.c:3976
 skb_free_head+0x83/0xa0 net/core/skbuff.c:554
 skb_release_data+0x4e5/0x770 net/core/skbuff.c:574
 skb_release_all+0x46/0x60 net/core/skbuff.c:631
 __kfree_skb net/core/skbuff.c:645 [inline]
 consume_skb+0xdc/0x360 net/core/skbuff.c:705
 packet_rcv+0xdf/0x1290 net/packet/af_packet.c:2178
 dev_queue_xmit_nit+0x6e1/0x970 net/core/dev.c:1975
 xmit_one net/core/dev.c:3005 [inline]
 dev_hard_start_xmit+0xa3/0x8c0 net/core/dev.c:3025
 __dev_queue_xmit+0x11e0/0x1d00 net/core/dev.c:3525
 packet_sendmsg_spkt+0xb4f/0x1210 net/packet/af_packet.c:2014
 sock_sendmsg_nosec net/socket.c:646 [inline]
 sock_sendmsg+0xb7/0x100 net/socket.c:656
 ___sys_sendmsg+0x752/0x890 net/socket.c:2062
 __sys_sendmsg+0xb6/0x150 net/socket.c:2096
 SYSC_sendmsg net/socket.c:2107 [inline]
 SyS_sendmsg+0x27/0x40 net/socket.c:2103
 do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
 0xffffffffffffffff

The buggy address belongs to the object at ffff88819c0d2500
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 228 bytes inside of
 512-byte region [ffff88819c0d2500, ffff88819c0d2700)
The buggy address belongs to the page:
page:ffffea0006703480 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
flags: 0x4000000000010200(slab|head)
raw: 4000000000010200 0000000000000000 0000000000000000 00000001800c000c
raw: ffffea000725d000 0000000600000006 ffff8881da802c00 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88819c0d2480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88819c0d2500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88819c0d2580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                       ^
 ffff88819c0d2600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88819c0d2680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (3):
Time             | Kernel       | Commit       | Syzkaller | Config  | Log         | Report | Syz repro | C repro | VM info | Assets | Manager                       | Title
2019/10/16 13:08 | android-4.14 | 248a268ad139 | d4ea592f  | .config | console log | report | -         | -       | -       | -      | ci-android-414-kasan-gce-root | -
2019/08/22 10:01 | android-4.14 | e204fa49a029 | 984250d5  | .config | console log | report | -         | -       | -       | -      | ci-android-414-kasan-gce-root | -
2019/07/29 13:59 | android-4.14 | 54fa720a6f32 | c85e1c5b  | .config | console log | report | -         | -       | -       | -      | ci-android-414-kasan-gce-root | -
* Struck through repros no longer work on HEAD.