KASAN: use-after-free Read in kfree

similar bugs (4):
Kernel	Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
upstream	KASAN: use-after-free Read in kfree_skb				1	1569d	1569d	12/24	fixed on 2018/11/12 21:25
linux-4.19	KASAN: use-after-free Read in kfree_skb	C		done	95	1169d	1289d	1/1	fixed on 2019/12/28 10:32
upstream	KASAN: use-after-free Read in kfree_skb (2)	C			66	1510d	1519d	12/24	fixed on 2019/01/11 01:22
upstream	KASAN: use-after-free Read in kfree_skb (3)	C	done	error	313	1169d	1372d	0/24	auto-obsoleted due to no activity on 2022/12/22 07:00

similar bugs (4):

upstream

KASAN: use-after-free Read in kfree_skb

1569d

12/24

fixed on 2018/11/12 21:25

linux-4.19

KASAN: use-after-free Read in kfree_skb

done

1169d

1289d

1/1

fixed on 2019/12/28 10:32

upstream

KASAN: use-after-free Read in kfree_skb (2)

1510d

1519d

12/24

fixed on 2019/01/11 01:22

upstream

KASAN: use-after-free Read in kfree_skb (3)

done

error

313

1169d

1372d

0/24

auto-obsoleted due to no activity on 2022/12/22 07:00

Bluetooth: Error in BCSP hdr checksum
Bluetooth: Error in BCSP hdr checksum
Bluetooth: Error in BCSP hdr checksum
Bluetooth: hci0 command 0x1009 tx timeout
==================================================================
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:183 [inline]
BUG: KASAN: use-after-free in atomic_read arch/x86/include/asm/atomic.h:27 [inline]
BUG: KASAN: use-after-free in refcount_read include/linux/refcount.h:42 [inline]
BUG: KASAN: use-after-free in skb_unref include/linux/skbuff.h:952 [inline]
BUG: KASAN: use-after-free in kfree_skb+0x2e9/0x340 net/core/skbuff.c:659
Read of size 4 at addr ffff88807cc72ae4 by task syz-executor650/6915

CPU: 0 PID: 6915 Comm: syz-executor650 Not tainted 4.14.150 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x138/0x197 lib/dump_stack.c:53
 print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report mm/kasan/report.c:409 [inline]
 kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:429
 __read_once_size include/linux/compiler.h:183 [inline]
 atomic_read arch/x86/include/asm/atomic.h:27 [inline]
 refcount_read include/linux/refcount.h:42 [inline]
 skb_unref include/linux/skbuff.h:952 [inline]
 kfree_skb+0x2e9/0x340 net/core/skbuff.c:659
 bcsp_close+0xc7/0x130 drivers/bluetooth/hci_bcsp.c:761
 hci_uart_tty_close+0x1cb/0x230 drivers/bluetooth/hci_ldisc.c:551
 tty_ldisc_close.isra.0+0x99/0xd0 drivers/tty/tty_ldisc.c:498
 tty_ldisc_kill+0x4b/0xc0 drivers/tty/tty_ldisc.c:644
 tty_ldisc_release+0xb6/0x230 drivers/tty/tty_ldisc.c:811
 tty_release_struct+0x1b/0x50 drivers/tty/tty_io.c:1603
 tty_release+0xaa3/0xd60 drivers/tty/tty_io.c:1776
 __fput+0x275/0x7a0 fs/file_table.c:210
 ____fput+0x16/0x20 fs/file_table.c:244
 task_work_run+0x114/0x190 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0x7df/0x2c10 kernel/exit.c:874
 do_group_exit+0x111/0x330 kernel/exit.c:977
 get_signal+0x381/0x1cd0 kernel/signal.c:2409
 do_signal+0x86/0x19a0 arch/x86/kernel/signal.c:814
 exit_to_usermode_loop+0x15c/0x220 arch/x86/entry/common.c:160
 prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
 do_syscall_64+0x4bc/0x640 arch/x86/entry/common.c:297
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x441309
RSP: 002b:00007fffe51432c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: 00000000003654c0 RBX: 0000000000000000 RCX: 0000000000441309
RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000004
RBP: 00000000006cb018 R08: 00000000004002c8 R09: 00000000004002c8
R10: 00008000fffffffe R11: 0000000000000246 R12: 0000000000402130
R13: 00000000004021c0 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 2549:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x45/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc mm/kasan/kasan.c:551 [inline]
 kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:529
 kasan_slab_alloc+0xf/0x20 mm/kasan/kasan.c:489
 kmem_cache_alloc_node+0x144/0x780 mm/slab.c:3642
 __alloc_skb+0x9c/0x500 net/core/skbuff.c:193
 alloc_skb include/linux/skbuff.h:980 [inline]
 bt_skb_alloc include/net/bluetooth/bluetooth.h:336 [inline]
 bcsp_recv+0x38a/0x1450 drivers/bluetooth/hci_bcsp.c:684
 hci_uart_tty_receive+0x1f4/0x4d0 drivers/bluetooth/hci_ldisc.c:616
 tty_ldisc_receive_buf+0x14d/0x1a0 drivers/tty/tty_buffer.c:459
 tty_port_default_receive_buf+0x73/0xa0 drivers/tty/tty_port.c:37
 receive_buf drivers/tty/tty_buffer.c:475 [inline]
 flush_to_ldisc+0x1ec/0x400 drivers/tty/tty_buffer.c:527
 process_one_work+0x863/0x1600 kernel/workqueue.c:2114
 worker_thread+0x5d9/0x1050 kernel/workqueue.c:2248
 kthread+0x319/0x430 kernel/kthread.c:232
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404

Freed by task 2549:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x45/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3496 [inline]
 kmem_cache_free+0x83/0x2b0 mm/slab.c:3758
 kfree_skbmem net/core/skbuff.c:586 [inline]
 kfree_skbmem+0xac/0x120 net/core/skbuff.c:580
 __kfree_skb net/core/skbuff.c:646 [inline]
 kfree_skb+0xbd/0x340 net/core/skbuff.c:663
 bcsp_recv+0x28c/0x1450 drivers/bluetooth/hci_bcsp.c:622
 hci_uart_tty_receive+0x1f4/0x4d0 drivers/bluetooth/hci_ldisc.c:616
 tty_ldisc_receive_buf+0x14d/0x1a0 drivers/tty/tty_buffer.c:459
 tty_port_default_receive_buf+0x73/0xa0 drivers/tty/tty_port.c:37
 receive_buf drivers/tty/tty_buffer.c:475 [inline]
 flush_to_ldisc+0x1ec/0x400 drivers/tty/tty_buffer.c:527
 process_one_work+0x863/0x1600 kernel/workqueue.c:2114
 worker_thread+0x5d9/0x1050 kernel/workqueue.c:2248
 kthread+0x319/0x430 kernel/kthread.c:232
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404

The buggy address belongs to the object at ffff88807cc72a00
 which belongs to the cache skbuff_head_cache of size 232
The buggy address is located 228 bytes inside of
 232-byte region [ffff88807cc72a00, ffff88807cc72ae8)
The buggy address belongs to the page:
page:ffffea0001f31c80 count:1 mapcount:0 mapping:ffff88807cc72000 index:0x0
flags: 0x1fffc0000000100(slab)
raw: 01fffc0000000100 ffff88807cc72000 0000000000000000 000000010000000c
raw: ffffea0002803c20 ffffea00024cdc20 ffff8880a9e19a80 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88807cc72980: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
 ffff88807cc72a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88807cc72a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
                                                       ^
 ffff88807cc72b00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
 ffff88807cc72b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (98):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro
ci2-linux-4-14	2019/10/19 22:00	linux-4.14.y	b98aebd29824	8c88c9c1	.config	console log	report	syz	C
ci2-linux-4-14	2019/08/03 15:52	linux-4.14.y	10d6aa565d05	6affd8e8	.config	console log	report	syz	C
ci2-linux-4-14	2019/09/24 07:16	linux-4.14.y	f6e27dbb1afa	c68252d2	.config	console log	report	syz
ci2-linux-4-14	2019/08/02 03:38	linux-4.14.y	10d6aa565d05	835dffe7	.config	console log	report	syz
ci2-linux-4-14	2019/11/28 00:32	linux-4.14.y	43598c571e7e	0d63f89c	.config	console log	report
ci2-linux-4-14	2019/11/27 13:58	linux-4.14.y	43598c571e7e	1048481f	.config	console log	report
ci2-linux-4-14	2019/11/26 16:31	linux-4.14.y	43598c571e7e	598ca6c8	.config	console log	report
ci2-linux-4-14	2019/11/26 15:02	linux-4.14.y	43598c571e7e	598ca6c8	.config	console log	report
ci2-linux-4-14	2019/11/26 10:54	linux-4.14.y	43598c571e7e	598ca6c8	.config	console log	report
ci2-linux-4-14	2019/11/26 09:28	linux-4.14.y	43598c571e7e	598ca6c8	.config	console log	report
ci2-linux-4-14	2019/11/26 05:55	linux-4.14.y	43598c571e7e	598ca6c8	.config	console log	report
ci2-linux-4-14	2019/11/26 04:37	linux-4.14.y	43598c571e7e	598ca6c8	.config	console log	report
ci2-linux-4-14	2019/11/26 01:54	linux-4.14.y	43598c571e7e	598ca6c8	.config	console log	report
ci2-linux-4-14	2019/11/25 23:44	linux-4.14.y	43598c571e7e	598ca6c8	.config	console log	report
ci2-linux-4-14	2019/11/25 15:41	linux-4.14.y	43598c571e7e	598ca6c8	.config	console log	report
ci2-linux-4-14	2019/11/25 14:41	linux-4.14.y	43598c571e7e	598ca6c8	.config	console log	report
ci2-linux-4-14	2019/11/25 08:56	linux-4.14.y	43598c571e7e	598ca6c8	.config	console log	report
ci2-linux-4-14	2019/11/24 09:40	linux-4.14.y	f56f3d0e65ad	598ca6c8	.config	console log	report
ci2-linux-4-14	2019/11/24 00:16	linux-4.14.y	f56f3d0e65ad	598ca6c8	.config	console log	report
ci2-linux-4-14	2019/11/23 20:11	linux-4.14.y	f56f3d0e65ad	598ca6c8	.config	console log	report
ci2-linux-4-14	2019/11/23 16:46	linux-4.14.y	f56f3d0e65ad	598ca6c8	.config	console log	report
ci2-linux-4-14	2019/11/22 00:27	linux-4.14.y	f56f3d0e65ad	8098ea0f	.config	console log	report
ci2-linux-4-14	2019/11/20 03:45	linux-4.14.y	775d01b65b5d	432c7650	.config	console log	report
ci2-linux-4-14	2019/11/19 21:31	linux-4.14.y	775d01b65b5d	432c7650	.config	console log	report
ci2-linux-4-14	2019/11/19 04:44	linux-4.14.y	775d01b65b5d	d5696d51	.config	console log	report
ci2-linux-4-14	2019/11/19 01:23	linux-4.14.y	775d01b65b5d	d5696d51	.config	console log	report
ci2-linux-4-14	2019/11/18 23:52	linux-4.14.y	775d01b65b5d	d5696d51	.config	console log	report
ci2-linux-4-14	2019/11/18 17:01	linux-4.14.y	775d01b65b5d	d5696d51	.config	console log	report
ci2-linux-4-14	2019/11/18 00:41	linux-4.14.y	775d01b65b5d	d5696d51	.config	console log	report
ci2-linux-4-14	2019/11/17 21:01	linux-4.14.y	775d01b65b5d	d5696d51	.config	console log	report
ci2-linux-4-14	2019/11/16 23:38	linux-4.14.y	775d01b65b5d	cdac920b	.config	console log	report
ci2-linux-4-14	2019/11/16 16:45	linux-4.14.y	775d01b65b5d	cdac920b	.config	console log	report
ci2-linux-4-14	2019/11/16 05:53	linux-4.14.y	775d01b65b5d	cdac920b	.config	console log	report
ci2-linux-4-14	2019/11/15 01:11	linux-4.14.y	775d01b65b5d	048f2d49	.config	console log	report
ci2-linux-4-14	2019/11/14 09:01	linux-4.14.y	775d01b65b5d	048f2d49	.config	console log	report
ci2-linux-4-14	2019/11/13 16:23	linux-4.14.y	4762bcd451a9	048f2d49	.config	console log	report
ci2-linux-4-14	2019/11/12 06:11	linux-4.14.y	4762bcd451a9	377d77fa	.config	console log	report
ci2-linux-4-14	2019/11/11 13:26	linux-4.14.y	c9fda4f22428	dc438b91	.config	console log	report
ci2-linux-4-14	2019/11/09 20:22	linux-4.14.y	c9fda4f22428	1e35461e	.config	console log	report
ci2-linux-4-14	2019/11/09 09:02	linux-4.14.y	c9fda4f22428	1e35461e	.config	console log	report
ci2-linux-4-14	2019/11/08 21:38	linux-4.14.y	c9fda4f22428	1e35461e	.config	console log	report
ci2-linux-4-14	2019/11/08 09:36	linux-4.14.y	c9fda4f22428	1e35461e	.config	console log	report
ci2-linux-4-14	2019/11/08 03:01	linux-4.14.y	c9fda4f22428	f39aff9e	.config	console log	report
ci2-linux-4-14	2019/11/06 22:41	linux-4.14.y	c9fda4f22428	da505f84	.config	console log	report
ci2-linux-4-14	2019/11/01 11:44	linux-4.14.y	ddef1e8e3f6e	a41ca8fa	.config	console log	report
ci2-linux-4-14	2019/10/21 07:12	linux-4.14.y	b98aebd29824	8c88c9c1	.config	console log	report
ci2-linux-4-14	2019/10/20 22:48	linux-4.14.y	b98aebd29824	8c88c9c1	.config	console log	report
ci2-linux-4-14	2019/10/20 19:48	linux-4.14.y	b98aebd29824	8c88c9c1	.config	console log	report
ci2-linux-4-14	2019/10/20 03:18	linux-4.14.y	b98aebd29824	8c88c9c1	.config	console log	report
ci2-linux-4-14	2019/10/20 02:10	linux-4.14.y	b98aebd29824	8c88c9c1	.config	console log	report
ci2-linux-4-14	2019/10/19 15:07	linux-4.14.y	b98aebd29824	8c88c9c1	.config	console log	report
ci2-linux-4-14	2019/08/02 00:52	linux-4.14.y	10d6aa565d05	835dffe7	.config	console log	report
ci2-linux-4-14	2019/07/23 10:43	linux-4.14.y	ff33472c282e	bb071d58	.config	console log	report

Crashes (98):

ci2-linux-4-14

2019/10/19 22:00

linux-4.14.y

ci2-linux-4-14

2019/08/03 15:52

linux-4.14.y

ci2-linux-4-14

2019/09/24 07:16

linux-4.14.y

ci2-linux-4-14

2019/08/02 03:38

linux-4.14.y

ci2-linux-4-14

2019/11/28 00:32

linux-4.14.y

ci2-linux-4-14

2019/11/27 13:58

linux-4.14.y

ci2-linux-4-14

2019/11/26 16:31

linux-4.14.y

ci2-linux-4-14

2019/11/26 15:02

linux-4.14.y

ci2-linux-4-14

2019/11/26 10:54

linux-4.14.y

ci2-linux-4-14

2019/11/26 09:28

linux-4.14.y

ci2-linux-4-14

2019/11/26 05:55

linux-4.14.y

ci2-linux-4-14

2019/11/26 04:37

linux-4.14.y

ci2-linux-4-14

2019/11/26 01:54

linux-4.14.y

ci2-linux-4-14

2019/11/25 23:44

linux-4.14.y

ci2-linux-4-14

2019/11/25 15:41

linux-4.14.y

ci2-linux-4-14

2019/11/25 14:41

linux-4.14.y

ci2-linux-4-14

2019/11/25 08:56

linux-4.14.y

ci2-linux-4-14

2019/11/24 09:40

linux-4.14.y

ci2-linux-4-14

2019/11/24 00:16

linux-4.14.y

ci2-linux-4-14

2019/11/23 20:11

linux-4.14.y

ci2-linux-4-14

2019/11/23 16:46

linux-4.14.y

ci2-linux-4-14

2019/11/22 00:27

linux-4.14.y

ci2-linux-4-14

2019/11/20 03:45

linux-4.14.y

ci2-linux-4-14

2019/11/19 21:31

linux-4.14.y

ci2-linux-4-14

2019/11/19 04:44

linux-4.14.y

ci2-linux-4-14

2019/11/19 01:23

linux-4.14.y

ci2-linux-4-14

2019/11/18 23:52

linux-4.14.y

ci2-linux-4-14

2019/11/18 17:01

linux-4.14.y

ci2-linux-4-14

2019/11/18 00:41

linux-4.14.y

ci2-linux-4-14

2019/11/17 21:01

linux-4.14.y

ci2-linux-4-14

2019/11/16 23:38

linux-4.14.y

ci2-linux-4-14

2019/11/16 16:45

linux-4.14.y

ci2-linux-4-14

2019/11/16 05:53

linux-4.14.y

ci2-linux-4-14

2019/11/15 01:11

linux-4.14.y

ci2-linux-4-14

2019/11/14 09:01

linux-4.14.y

ci2-linux-4-14

2019/11/13 16:23

linux-4.14.y

ci2-linux-4-14

2019/11/12 06:11

linux-4.14.y

ci2-linux-4-14

2019/11/11 13:26

linux-4.14.y

ci2-linux-4-14

2019/11/09 20:22

linux-4.14.y

ci2-linux-4-14

2019/11/09 09:02

linux-4.14.y

ci2-linux-4-14

2019/11/08 21:38

linux-4.14.y

ci2-linux-4-14

2019/11/08 09:36

linux-4.14.y

ci2-linux-4-14

2019/11/08 03:01

linux-4.14.y

ci2-linux-4-14

2019/11/06 22:41

linux-4.14.y

ci2-linux-4-14

2019/11/01 11:44

linux-4.14.y

ci2-linux-4-14

2019/10/21 07:12

linux-4.14.y

ci2-linux-4-14

2019/10/20 22:48

linux-4.14.y

ci2-linux-4-14

2019/10/20 19:48

linux-4.14.y

ci2-linux-4-14

2019/10/20 03:18

linux-4.14.y

ci2-linux-4-14

2019/10/20 02:10

linux-4.14.y

ci2-linux-4-14

2019/10/19 15:07

linux-4.14.y

ci2-linux-4-14

2019/08/02 00:52

linux-4.14.y

ci2-linux-4-14

2019/07/23 10:43

linux-4.14.y