syzbot

RBP: 00007ffd8bea4880 R08: 0000000000000001 R09: 00007ffd8bea4910
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000006
R13: 00007ffd8bea48b0 R14: 00007ffd8bea4880 R15: 0000000000000000
 </TASK>
dccp_parse_options: DCCP(ffff88814a3c8ac0): Option 32 (len=7) error=9
==================================================================
BUG: KASAN: use-after-free in dccp_ackvec_runlen net/dccp/ccids/../ackvec.h:43 [inline]
BUG: KASAN: use-after-free in ccid2_hc_tx_packet_recv+0x2042/0x2a50 net/dccp/ccids/ccid2.c:592
Read of size 1 at addr ffff888078b25494 by task syz-executor226/5057

CPU: 1 PID: 5057 Comm: syz-executor226 Not tainted 6.2.0-rc1-syzkaller-00095-ge4cf7c25bae5 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e3/0x2d0 lib/dump_stack.c:106
 print_address_description+0x74/0x340 mm/kasan/report.c:306
 print_report+0x107/0x220 mm/kasan/report.c:417
 kasan_report+0x139/0x170 mm/kasan/report.c:517
 dccp_ackvec_runlen net/dccp/ccids/../ackvec.h:43 [inline]
 ccid2_hc_tx_packet_recv+0x2042/0x2a50 net/dccp/ccids/ccid2.c:592
 ccid_hc_tx_packet_recv net/dccp/ccid.h:189 [inline]
 dccp_deliver_input_to_ccids net/dccp/input.c:182 [inline]
 dccp_rcv_established+0x284/0x310 net/dccp/input.c:374
 dccp_v4_do_rcv+0xfc/0x1f0 net/dccp/ipv4.c:674
 sk_backlog_rcv include/net/sock.h:1113 [inline]
 __release_sock+0x1d8/0x4c0 net/core/sock.c:2928
 release_sock+0x5d/0x1c0 net/core/sock.c:3485
 dccp_sendmsg+0x502/0x820 net/dccp/proto.c:790
 sock_sendmsg_nosec net/socket.c:714 [inline]
 sock_sendmsg net/socket.c:734 [inline]
 ____sys_sendmsg+0x597/0x8e0 net/socket.c:2476
 ___sys_sendmsg net/socket.c:2530 [inline]
 __sys_sendmmsg+0x3d7/0x770 net/socket.c:2616
 __do_sys_sendmmsg net/socket.c:2645 [inline]
 __se_sys_sendmmsg net/socket.c:2642 [inline]
 __x64_sys_sendmmsg+0x9c/0xb0 net/socket.c:2642
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7ffad54edd09
Code: 46 01 00 85 c0 b8 00 00 00 00 48 0f 44 c3 5b c3 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd8bea4868 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007ffad54edd09
RDX: 04000000000001e6 RSI: 0000000020000c00 RDI: 0000000000000005
RBP: 00007ffd8bea4880 R08: 0000000000000001 R09: 00007ffd8bea4910
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000006
R13: 00007ffd8bea48b0 R14: 00007ffd8bea4880 R15: 0000000000000000
 </TASK>

Allocated by task 5057:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4c/0x70 mm/kasan/common.c:52
 ____kasan_kmalloc mm/kasan/common.c:371 [inline]
 __kasan_kmalloc+0x97/0xb0 mm/kasan/common.c:380
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 __do_kmalloc_node mm/slab_common.c:968 [inline]
 __kmalloc_node_track_caller+0xad/0x190 mm/slab_common.c:988
 kmalloc_reserve net/core/skbuff.c:492 [inline]
 __alloc_skb+0x12c/0x2c0 net/core/skbuff.c:565
 alloc_skb include/linux/skbuff.h:1270 [inline]
 dccp_send_ack+0xa0/0x300 net/dccp/output.c:585
 ccid2_hc_rx_packet_recv+0xf1/0x180 net/dccp/ccids/ccid2.c:771
 ccid_hc_rx_packet_recv net/dccp/ccid.h:182 [inline]
 dccp_deliver_input_to_ccids net/dccp/input.c:176 [inline]
 dccp_rcv_established+0x1b2/0x310 net/dccp/input.c:374
 dccp_v4_do_rcv+0xfc/0x1f0 net/dccp/ipv4.c:674
 sk_backlog_rcv include/net/sock.h:1113 [inline]
 __sk_receive_skb+0x43f/0x9e0 net/core/sock.c:565
 ip_protocol_deliver_rcu+0x5d5/0xd40 net/ipv4/ip_input.c:205
 ip_local_deliver_finish+0x269/0x480 net/ipv4/ip_input.c:233
 __netif_receive_skb_one_core net/core/dev.c:5482 [inline]
 __netif_receive_skb+0x1c5/0x500 net/core/dev.c:5596
 process_backlog+0x568/0x920 net/core/dev.c:5924
 __napi_poll+0xbe/0x4b0 net/core/dev.c:6485
 napi_poll net/core/dev.c:6552 [inline]
 net_rx_action+0x76c/0x1100 net/core/dev.c:6663
 __do_softirq+0x277/0x75b kernel/softirq.c:571

Freed by task 5057:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4c/0x70 mm/kasan/common.c:52
 kasan_save_free_info+0x27/0x40 mm/kasan/generic.c:518
 ____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236
 kasan_slab_free include/linux/kasan.h:177 [inline]
 slab_free_hook mm/slub.c:1781 [inline]
 slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1807
 slab_free mm/slub.c:3787 [inline]
 __kmem_cache_free+0x71/0x110 mm/slub.c:3800
 skb_free_head net/core/skbuff.c:822 [inline]
 skb_release_data+0x4f6/0x710 net/core/skbuff.c:851
 skb_release_all net/core/skbuff.c:916 [inline]
 __kfree_skb net/core/skbuff.c:930 [inline]
 kfree_skb_reason+0xfa/0x2c0 net/core/skbuff.c:956
 kfree_skb include/linux/skbuff.h:1218 [inline]
 dccp_v4_do_rcv+0x143/0x1f0 net/dccp/ipv4.c:709
 sk_backlog_rcv include/net/sock.h:1113 [inline]
 __release_sock+0x1d8/0x4c0 net/core/sock.c:2928
 release_sock+0x5d/0x1c0 net/core/sock.c:3485
 dccp_sendmsg+0x502/0x820 net/dccp/proto.c:790
 sock_sendmsg_nosec net/socket.c:714 [inline]
 sock_sendmsg net/socket.c:734 [inline]
 ____sys_sendmsg+0x597/0x8e0 net/socket.c:2476
 ___sys_sendmsg net/socket.c:2530 [inline]
 __sys_sendmmsg+0x3d7/0x770 net/socket.c:2616
 __do_sys_sendmmsg net/socket.c:2645 [inline]
 __se_sys_sendmmsg net/socket.c:2642 [inline]
 __x64_sys_sendmmsg+0x9c/0xb0 net/socket.c:2642
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff888078b25000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1172 bytes inside of
 2048-byte region [ffff888078b25000, ffff888078b25800)

The buggy address belongs to the physical page:
page:ffffea0001e2c800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x78b20
head:ffffea0001e2c800 order:3 compound_mapcount:0 subpages_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 ffff888012842000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5053, tgid 5053 (strace-static-x), ts 53593701360, free_ts 33150100132
 prep_new_page mm/page_alloc.c:2531 [inline]
 get_page_from_freelist+0x72b/0x7a0 mm/page_alloc.c:4283
 __alloc_pages+0x259/0x560 mm/page_alloc.c:5549
 alloc_slab_page+0xbd/0x190 mm/slub.c:1851
 allocate_slab+0x5e/0x3c0 mm/slub.c:1998
 new_slab mm/slub.c:2051 [inline]
 ___slab_alloc+0x7f4/0xeb0 mm/slub.c:3193
 __slab_alloc mm/slub.c:3292 [inline]
 __slab_alloc_node mm/slub.c:3345 [inline]
 slab_alloc_node mm/slub.c:3442 [inline]
 __kmem_cache_alloc_node+0x25b/0x340 mm/slub.c:3491
 __do_kmalloc_node mm/slab_common.c:967 [inline]
 __kmalloc+0x9e/0x190 mm/slab_common.c:981
 kmalloc include/linux/slab.h:584 [inline]
 sk_prot_alloc+0xde/0x200 net/core/sock.c:2038
 sk_alloc+0x34/0x360 net/core/sock.c:2091
 __netlink_create+0x6b/0x2b0 net/netlink/af_netlink.c:647
 netlink_create+0x368/0x530 net/netlink/af_netlink.c:710
 __sock_create+0x3fd/0x850 net/socket.c:1515
 sock_create net/socket.c:1566 [inline]
 __sys_socket_create net/socket.c:1603 [inline]
 __sys_socket+0x137/0x3a0 net/socket.c:1636
 __do_sys_socket net/socket.c:1649 [inline]
 __se_sys_socket net/socket.c:1647 [inline]
 __x64_sys_socket+0x76/0x80 net/socket.c:1647
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1446 [inline]
 free_pcp_prepare+0x751/0x780 mm/page_alloc.c:1496
 free_unref_page_prepare mm/page_alloc.c:3369 [inline]
 free_unref_page+0x19/0x4c0 mm/page_alloc.c:3464
 discard_slab mm/slub.c:2098 [inline]
 __unfreeze_partials+0x1a5/0x1e0 mm/slub.c:2637
 put_cpu_partial+0x116/0x180 mm/slub.c:2713
 qlist_free_all+0x2b/0x70 mm/kasan/quarantine.c:187
 kasan_quarantine_reduce+0x156/0x170 mm/kasan/quarantine.c:294
 __kasan_slab_alloc+0x1f/0x70 mm/kasan/common.c:302
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slab.h:761 [inline]
 slab_alloc_node mm/slub.c:3452 [inline]
 slab_alloc mm/slub.c:3460 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3467 [inline]
 kmem_cache_alloc+0x1b3/0x350 mm/slub.c:3476
 vm_area_alloc+0x20/0xe0 kernel/fork.c:458
 mmap_region+0xd75/0x1e60 mm/mmap.c:2601
 do_mmap+0x8d9/0xf30 mm/mmap.c:1411
 vm_mmap_pgoff+0x1e5/0x2f0 mm/util.c:520
 ksys_mmap_pgoff+0x48c/0x6d0 mm/mmap.c:1457
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Memory state around the buggy address:
 ffff888078b25380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888078b25400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888078b25480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                         ^
 ffff888078b25500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888078b25580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================