KASAN: use-after-free Read in tipc_mcast

KASAN: use-after-free Read in tipc_mcast_xmit (2)
Status: upstream: reported C repro on 2020/10/02 15:38
Reported-by: syzbot+e96a7ba46281824cc46a@syzkaller.appspotmail.com
Fix commit: ed42989e tipc: fix the skb_unshare() in tipc_buf_append()
Patched on: [ci-qemu-upstream ci-qemu-upstream-386 ci-upstream-bpf-kasan-gce ci-upstream-bpf-next-kasan-gce ci-upstream-gce-leak ci-upstream-kasan-gce ci-upstream-kasan-gce-386 ci-upstream-kasan-gce-root ci-upstream-kasan-gce-selinux-root ci-upstream-kasan-gce-smack-root ci-upstream-linux-next-kasan-gce-root ci-upstream-net-kasan-gce ci-upstream-net-this-kasan-gce ci2-upstream-kcsan-gce ci2-upstream-usb], missing on: [ci-upstream-kmsan-gce ci-upstream-kmsan-gce-386]
First crash: 24d, last: 10d

Cause bisection: introduced by (bisect log) :
commit ff48b6222e65ebdba5a403ef1deba6214e749193
Author: Xin Long <lucien.xin@gmail.com>
Date: Sun Sep 13 11:37:31 2020 +0000

tipc: use skb_unshare() instead in tipc_buf_append()

Crash: WARNING: refcount bug in tipc_mcast_xmit (log)
Repro: C syz .config

similar bugs (3):
Kernel	Title	Repro	Count	Last	Reported	Patched	Status
android-54	KASAN: use-after-free Read in tipc_mcast_xmit	C	23	6d07h	26d	0/1	upstream: reported C repro on 2020/09/29 18:19
upstream	KASAN: use-after-free Read in tipc_mcast_xmit	syz	7	672d	679d	12/17	fixed on 2019/01/11 01:22
linux-4.19	KASAN: use-after-free Read in tipc_mcast_xmit	C	2	21d	21d	0/1	upstream: reported C repro on 2020/10/05 11:34

Patch testing requests:
Created	Duration	User	Patch	Repo	Result
2020/10/08 03:08	17m	xiyou.wangcong@gmail.com		https://github.com/congwang/linux.git net	OK

Sample crash report:

R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004028a0
R13: 0000000000402930 R14: 0000000000000000 R15: 0000000000000000
tipc: Failed do clone local mcast rcv buffer
==================================================================
BUG: KASAN: use-after-free in __skb_unlink include/linux/skbuff.h:2063 [inline]
BUG: KASAN: use-after-free in __skb_dequeue include/linux/skbuff.h:2082 [inline]
BUG: KASAN: use-after-free in __skb_queue_purge include/linux/skbuff.h:2793 [inline]
BUG: KASAN: use-after-free in tipc_mcast_xmit+0xfaa/0x1170 net/tipc/bcast.c:422
Read of size 8 at addr ffff8880a73e2040 by task syz-executor657/6887

CPU: 1 PID: 6887 Comm: syz-executor657 Not tainted 5.9.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x198/0x1fd lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xae/0x497 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
 __skb_unlink include/linux/skbuff.h:2063 [inline]
 __skb_dequeue include/linux/skbuff.h:2082 [inline]
 __skb_queue_purge include/linux/skbuff.h:2793 [inline]
 tipc_mcast_xmit+0xfaa/0x1170 net/tipc/bcast.c:422
 tipc_sendmcast+0xaaf/0xef0 net/tipc/socket.c:865
 __tipc_sendmsg+0xee3/0x18a0 net/tipc/socket.c:1454
 tipc_sendmsg+0x4c/0x70 net/tipc/socket.c:1387
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:671
 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2353
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2407
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2440
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4419d9
Code: e8 cc ac 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 0a fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffe0cace4c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004419d9
RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000004
RBP: 000000000000f0ee R08: 0000000000000001 R09: 0000000000402930
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004028a0
R13: 0000000000402930 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 6887:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:461
 slab_post_alloc_hook mm/slab.h:518 [inline]
 slab_alloc_node mm/slab.c:3254 [inline]
 kmem_cache_alloc_node+0x136/0x430 mm/slab.c:3574
 __alloc_skb+0x71/0x550 net/core/skbuff.c:198
 alloc_skb_fclone include/linux/skbuff.h:1144 [inline]
 tipc_buf_acquire+0x28/0xf0 net/tipc/msg.c:76
 tipc_msg_build+0x6b8/0x10c0 net/tipc/msg.c:428
 tipc_sendmcast+0x855/0xef0 net/tipc/socket.c:859
 __tipc_sendmsg+0xee3/0x18a0 net/tipc/socket.c:1454
 tipc_sendmsg+0x4c/0x70 net/tipc/socket.c:1387
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:671
 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2353
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2407
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2440
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 6887:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_set_track+0x1c/0x30 mm/kasan/common.c:56
 kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:355
 __kasan_slab_free+0xd8/0x120 mm/kasan/common.c:422
 __cache_free mm/slab.c:3418 [inline]
 kmem_cache_free.part.0+0x74/0x1e0 mm/slab.c:3693
 kfree_skbmem+0x166/0x1b0 net/core/skbuff.c:643
 kfree_skb+0x7d/0x100 include/linux/refcount.h:270
 tipc_buf_append+0x6dc/0xcf0 net/tipc/msg.c:198
 tipc_msg_reassemble+0x175/0x4f0 net/tipc/msg.c:790
 tipc_mcast_xmit+0x699/0x1170 net/tipc/bcast.c:386
 tipc_sendmcast+0xaaf/0xef0 net/tipc/socket.c:865
 __tipc_sendmsg+0xee3/0x18a0 net/tipc/socket.c:1454
 tipc_sendmsg+0x4c/0x70 net/tipc/socket.c:1387
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:671
 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2353
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2407
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2440
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

The buggy address belongs to the object at ffff8880a73e2040
 which belongs to the cache skbuff_fclone_cache of size 456
The buggy address is located 0 bytes inside of
 456-byte region [ffff8880a73e2040, ffff8880a73e2208)
The buggy address belongs to the page:
page:000000001368f319 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xa73e2
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffff8880a9050f50 ffffea00028ff188 ffff8880a903dc00
raw: 0000000000000000 ffff8880a73e2040 0000000100000006 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a73e1f00: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
 ffff8880a73e1f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880a73e2000: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
                                           ^
 ffff8880a73e2080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880a73e2100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (37):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Maintainers
ci-upstream-bpf-kasan-gce	2020/10/01 23:13	bpf	a59cf619	9602ddf4	.config	log	report	syz	C		davem@davemloft.net, jmaloy@redhat.com, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net, ying.xue@windriver.com
ci-upstream-bpf-kasan-gce	2020/10/16 07:01	bpf	28802e7c	6e262c73	.config	log	report			info	davem@davemloft.net, jmaloy@redhat.com, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net, ying.xue@windriver.com
ci-upstream-bpf-kasan-gce	2020/10/16 03:15	bpf	28802e7c	6e262c73	.config	log	report			info	davem@davemloft.net, jmaloy@redhat.com, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net, ying.xue@windriver.com
ci-upstream-bpf-kasan-gce	2020/10/16 01:56	bpf	28802e7c	6e262c73	.config	log	report			info	davem@davemloft.net, jmaloy@redhat.com, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net, ying.xue@windriver.com
ci-upstream-bpf-kasan-gce	2020/10/15 09:45	bpf	28802e7c	63869021	.config	log	report			info	davem@davemloft.net, jmaloy@redhat.com, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net, ying.xue@windriver.com
ci-upstream-bpf-kasan-gce	2020/10/14 20:01	bpf	28802e7c	fc7735a2	.config	log	report			info	davem@davemloft.net, jmaloy@redhat.com, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net, ying.xue@windriver.com
ci-upstream-bpf-kasan-gce	2020/10/12 10:36	bpf	28802e7c	4a77ae0b	.config	log	report			info	davem@davemloft.net, jmaloy@redhat.com, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net, ying.xue@windriver.com
ci-upstream-bpf-kasan-gce	2020/10/12 08:38	bpf	28802e7c	4a77ae0b	.config	log	report			info	davem@davemloft.net, jmaloy@redhat.com, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net, ying.xue@windriver.com
ci-upstream-bpf-kasan-gce	2020/10/10 22:36	bpf	28802e7c	4a77ae0b	.config	log	report			info	davem@davemloft.net, jmaloy@redhat.com, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net, ying.xue@windriver.com
ci-upstream-bpf-kasan-gce	2020/10/10 00:51	bpf	28802e7c	d81b165e	.config	log	report			info	davem@davemloft.net, jmaloy@redhat.com, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net, ying.xue@windriver.com
ci-upstream-bpf-kasan-gce	2020/10/07 18:53	bpf	d82a532a	1880b4a9	.config	log	report			info	davem@davemloft.net, jmaloy@redhat.com, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net, ying.xue@windriver.com
ci-upstream-bpf-kasan-gce	2020/10/06 13:15	bpf	d82a532a	1880b4a9	.config	log	report			info	davem@davemloft.net, jmaloy@redhat.com, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net, ying.xue@windriver.com
ci-upstream-bpf-kasan-gce	2020/10/06 13:12	bpf	d82a532a	1880b4a9	.config	log	report			info	davem@davemloft.net, jmaloy@redhat.com, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net, ying.xue@windriver.com
ci-upstream-bpf-kasan-gce	2020/10/06 12:35	bpf	d82a532a	1880b4a9	.config	log	report			info	davem@davemloft.net, jmaloy@redhat.com, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net, ying.xue@windriver.com
ci-upstream-bpf-kasan-gce	2020/10/05 23:06	bpf	d82a532a	1880b4a9	.config	log	report			info	davem@davemloft.net, jmaloy@redhat.com, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net, ying.xue@windriver.com
ci-upstream-bpf-kasan-gce	2020/10/05 13:36	bpf	d82a532a	5ef9c291	.config	log	report			info	davem@davemloft.net, jmaloy@redhat.com, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net, ying.xue@windriver.com
ci-upstream-bpf-kasan-gce	2020/10/02 11:49	bpf	a59cf619	9602ddf4	.config	log	report			info	davem@davemloft.net, jmaloy@redhat.com, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net, ying.xue@windriver.com
ci-upstream-bpf-kasan-gce	2020/10/02 07:33	bpf	a59cf619	9602ddf4	.config	log	report			info	davem@davemloft.net, jmaloy@redhat.com, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net, ying.xue@windriver.com
ci-upstream-bpf-kasan-gce	2020/10/02 00:58	bpf	a59cf619	9602ddf4	.config	log	report			info	davem@davemloft.net, jmaloy@redhat.com, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net, ying.xue@windriver.com
ci-upstream-bpf-kasan-gce	2020/10/01 22:56	bpf	a59cf619	9602ddf4	.config	log	report			info	davem@davemloft.net, jmaloy@redhat.com, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net, ying.xue@windriver.com
ci-upstream-bpf-next-kasan-gce	2020/10/12 17:40	bpf-next	376dcfe3	d32b0bbf	.config	log	report			info	davem@davemloft.net, jmaloy@redhat.com, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net, ying.xue@windriver.com
ci-upstream-bpf-next-kasan-gce	2020/10/10 14:30	bpf-next	ac53a0d3	93817d89	.config	log	report			info	davem@davemloft.net, jmaloy@redhat.com, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net, ying.xue@windriver.com
ci-upstream-bpf-next-kasan-gce	2020/10/10 11:13	bpf-next	ac53a0d3	93817d89	.config	log	report			info	davem@davemloft.net, jmaloy@redhat.com, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net, ying.xue@windriver.com
ci-upstream-bpf-next-kasan-gce	2020/10/09 04:18	bpf-next	1e9259ec	92390980	.config	log	report			info	davem@davemloft.net, jmaloy@redhat.com, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net, ying.xue@windriver.com
ci-upstream-bpf-next-kasan-gce	2020/10/08 02:50	bpf-next	bf88a80a	1880b4a9	.config	log	report			info	davem@davemloft.net, jmaloy@redhat.com, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net, ying.xue@windriver.com
ci-upstream-bpf-next-kasan-gce	2020/10/07 11:35	bpf-next	67ed3755	1880b4a9	.config	log	report			info	davem@davemloft.net, jmaloy@redhat.com, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net, ying.xue@windriver.com
ci-upstream-bpf-next-kasan-gce	2020/10/07 01:46	bpf-next	dca4121c	1880b4a9	.config	log	report			info	davem@davemloft.net, jmaloy@redhat.com, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net, ying.xue@windriver.com
ci-upstream-bpf-next-kasan-gce	2020/10/07 00:58	bpf-next	dca4121c	1880b4a9	.config	log	report			info	davem@davemloft.net, jmaloy@redhat.com, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net, ying.xue@windriver.com
ci-upstream-net-kasan-gce	2020/10/06 07:54	net-next	c2568c8c	1880b4a9	.config	log	report			info	davem@davemloft.net, jmaloy@redhat.com, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net, ying.xue@windriver.com
ci-upstream-bpf-next-kasan-gce	2020/10/05 15:15	bpf-next	1028ae40	5ef9c291	.config	log	report			info	davem@davemloft.net, jmaloy@redhat.com, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net, ying.xue@windriver.com
ci-upstream-bpf-next-kasan-gce	2020/10/05 14:35	bpf-next	1028ae40	5ef9c291	.config	log	report			info	davem@davemloft.net, jmaloy@redhat.com, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net, ying.xue@windriver.com
ci-upstream-bpf-next-kasan-gce	2020/10/03 19:05	bpf-next	1028ae40	2653fa43	.config	log	report			info	davem@davemloft.net, jmaloy@redhat.com, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net, ying.xue@windriver.com
ci-upstream-bpf-next-kasan-gce	2020/10/03 18:31	bpf-next	1028ae40	2653fa43	.config	log	report			info	davem@davemloft.net, jmaloy@redhat.com, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net, ying.xue@windriver.com
ci-upstream-bpf-next-kasan-gce	2020/10/03 13:50	bpf-next	1028ae40	2653fa43	.config	log	report			info	davem@davemloft.net, jmaloy@redhat.com, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net, ying.xue@windriver.com
ci-upstream-bpf-next-kasan-gce	2020/10/02 20:01	bpf-next	360f8987	4969d6ca	.config	log	report			info	davem@davemloft.net, jmaloy@redhat.com, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net, ying.xue@windriver.com
ci-upstream-bpf-next-kasan-gce	2020/10/02 10:43	bpf-next	6208689f	9602ddf4	.config	log	report			info	davem@davemloft.net, jmaloy@redhat.com, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net, ying.xue@windriver.com
ci-upstream-bpf-next-kasan-gce	2020/10/02 02:15	bpf-next	6208689f	9602ddf4	.config	log	report			info	davem@davemloft.net, jmaloy@redhat.com, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net, ying.xue@windriver.com