syzbot


KASAN: slab-out-of-bounds Read in __dev_queue_xmit

Status: public: reported C repro on 2019/04/14 08:51
Reported-by: syzbot+144706e2ef118de73217@syzkaller.appspotmail.com
First crash: 2321d, last: 1633d
Similar bugs (2):

Kernel: upstream
Title: KASAN: slab-out-of-bounds Read in __dev_queue_xmit (net)
Repro: C
Count: 6
Last: 2314d
Reported: 2303d
Patched: 4/26
Status: fixed on 2018/01/29 03:39

Kernel: android-44
Title: KASAN: slab-out-of-bounds Read in __dev_queue_xmit
Repro: C
Count: 2
Last: 2308d
Reported: 1853d
Patched: 0/2
Status: public: reported C repro on 2019/04/14 00:00

Sample crash report:
device syz0 entered promiscuous mode
==================================================================
BUG: KASAN: slab-out-of-bounds in __tcp_hdrlen include/linux/tcp.h:35 [inline]
BUG: KASAN: slab-out-of-bounds in tcp_hdrlen include/linux/tcp.h:40 [inline]
BUG: KASAN: slab-out-of-bounds in qdisc_pkt_len_init net/core/dev.c:3087 [inline]
BUG: KASAN: slab-out-of-bounds in __dev_queue_xmit+0x1db6/0x1e60 net/core/dev.c:3369
Read of size 2 at addr ffff8801ca233a60 by task syzkaller440157/3345

CPU: 0 PID: 3345 Comm: syzkaller440157 Not tainted 4.9.76-g8e170a5 #21
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c8397688 ffffffff81d93149 ffffea0007288c00 ffff8801ca233a60
 0000000000000000 ffff8801ca233a60 0000000000000005 ffff8801c83976c0
 ffffffff8153cb43 ffff8801ca233a60 0000000000000002 0000000000000000
Call Trace:
 [<ffffffff81d93149>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d93149>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153cb43>] print_address_description+0x73/0x280 mm/kasan/report.c:252
 [<ffffffff8153d065>] kasan_report_error mm/kasan/report.c:351 [inline]
 [<ffffffff8153d065>] kasan_report+0x275/0x360 mm/kasan/report.c:408
 [<ffffffff8153d184>] __asan_report_load2_noabort+0x14/0x20 mm/kasan/report.c:427
 [<ffffffff82f4ad06>] __tcp_hdrlen include/linux/tcp.h:35 [inline]
 [<ffffffff82f4ad06>] tcp_hdrlen include/linux/tcp.h:40 [inline]
 [<ffffffff82f4ad06>] qdisc_pkt_len_init net/core/dev.c:3087 [inline]
 [<ffffffff82f4ad06>] __dev_queue_xmit+0x1db6/0x1e60 net/core/dev.c:3369
 [<ffffffff810002b8>] ? 0xffffffff810002b8
 [<ffffffff82f4adc7>] dev_queue_xmit+0x17/0x20 net/core/dev.c:3458
 [<ffffffff835571dc>] packet_snd net/packet/af_packet.c:2953 [inline]
 [<ffffffff835571dc>] packet_sendmsg+0x2ccc/0x4760 net/packet/af_packet.c:2978
 [<ffffffff82ed5baa>] sock_sendmsg_nosec net/socket.c:635 [inline]
 [<ffffffff82ed5baa>] sock_sendmsg+0xca/0x110 net/socket.c:645
 [<ffffffff82ed5e16>] sock_write_iter+0x226/0x3b0 net/socket.c:843
 [<ffffffff8156d1ef>] new_sync_write fs/read_write.c:499 [inline]
 [<ffffffff8156d1ef>] __vfs_write+0x4bf/0x680 fs/read_write.c:512
 [<ffffffff8156eb19>] vfs_write+0x189/0x530 fs/read_write.c:560
 [<ffffffff81572609>] SYSC_write fs/read_write.c:607 [inline]
 [<ffffffff81572609>] SyS_write+0xd9/0x1b0 fs/read_write.c:599
 [<ffffffff81006fc7>] do_syscall_32_irqs_on arch/x86/entry/common.c:322 [inline]
 [<ffffffff81006fc7>] do_fast_syscall_32+0x2f7/0x890 arch/x86/entry/common.c:384
 [<ffffffff838b2334>] entry_SYSENTER_compat+0x74/0x83 arch/x86/entry/entry_64_compat.S:127

Allocated by task 3345:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:505
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:609
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:547
 slab_post_alloc_hook mm/slab.h:417 [inline]
 slab_alloc_node mm/slub.c:2715 [inline]
 slab_alloc mm/slub.c:2723 [inline]
 __kmalloc_track_caller+0xda/0x2b0 mm/slub.c:4232
 __kmalloc_reserve.isra.37+0x33/0xc0 net/core/skbuff.c:138
 __alloc_skb+0x119/0x600 net/core/skbuff.c:231
 alloc_skb include/linux/skbuff.h:919 [inline]
 alloc_skb_with_frags+0xac/0x4f0 net/core/skbuff.c:4657
 sock_alloc_send_pskb+0x5ad/0x740 net/core/sock.c:1893
 packet_alloc_skb net/packet/af_packet.c:2810 [inline]
 packet_snd net/packet/af_packet.c:2901 [inline]
 packet_sendmsg+0x18a1/0x4760 net/packet/af_packet.c:2978
 sock_sendmsg_nosec net/socket.c:635 [inline]
 sock_sendmsg+0xca/0x110 net/socket.c:645
 sock_write_iter+0x226/0x3b0 net/socket.c:843
 new_sync_write fs/read_write.c:499 [inline]
 __vfs_write+0x4bf/0x680 fs/read_write.c:512
 vfs_write+0x189/0x530 fs/read_write.c:560
 SYSC_write fs/read_write.c:607 [inline]
 SyS_write+0xd9/0x1b0 fs/read_write.c:599
 do_syscall_32_irqs_on arch/x86/entry/common.c:322 [inline]
 do_fast_syscall_32+0x2f7/0x890 arch/x86/entry/common.c:384
 entry_SYSENTER_compat+0x74/0x83 arch/x86/entry/entry_64_compat.S:127

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff8801ca233600
 which belongs to the cache kmalloc-1024 of size 1024
The buggy address is located 96 bytes to the right of
 1024-byte region [ffff8801ca233600, ffff8801ca233a00)
The buggy address belongs to the page:
page:ffffea0007288c00 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
flags: 0x8000000000004080(slab|head)
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801ca233900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801ca233980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8801ca233a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                                       ^
 ffff8801ca233a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8801ca233b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Crashes (3):

Time: 2018/01/12 22:29
Kernel: https://android.googlesource.com/kernel/common android-4.9
Commit: 8e170a589bd4
Syzkaller: 9dc808a6
Syz repro: syz
C repro: C
Manager: ci-android-49-kasan-gce-386

Time: 2017/12/31 17:21
Kernel: https://android.googlesource.com/kernel/common android-4.9
Commit: f3f3457d4582
Syzkaller: 00193447
Syz repro: syz
C repro: C
Manager: ci-android-49-kasan-gce

Time: 2019/11/20 05:35
Kernel: https://android.googlesource.com/kernel/common android-4.9
Commit: 8fe428403e30
Syzkaller: f4b7ed07
Manager: ci-android-49-kasan-gce-386

* Struck-through repros no longer work on HEAD.