KASAN: use-after-free Write in skb_release

[upstream] KASAN: use-after-free Write in skb_release_data (2)
Status: upstream: reported on 2018/10/15 06:30
Reported-by: syzbot+580be3953ed99133804f@syzkaller.appspotmail.com
First: 99d, last: 32d

similar bugs:
Kernel	Title	Repro	Count	Last	Reported	Patched	Status
upstream	KASAN: use-after-free Write in skb_release_data	C	1903	238d	291d	9/12	fixed on 2018/08/07 13:43

Sample crash report:

IPVS: ftp: loaded support on port[0] = 21
==================================================================
BUG: KASAN: use-after-free in atomic_sub_return include/asm-generic/atomic-instrumented.h:305 [inline]
BUG: KASAN: use-after-free in skb_release_data+0x1a3/0x880 net/core/skbuff.c:559
Write of size 4 at addr ffff8881b7f19b60 by task syz-executor0/11683

CPU: 0 PID: 11683 Comm: syz-executor0 Not tainted 4.20.0-rc3+ #341
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x244/0x39d lib/dump_stack.c:113
 print_address_description.cold.7+0x9/0x1ff mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.8+0x242/0x309 mm/kasan/report.c:412
 check_memory_region_inline mm/kasan/kasan.c:260 [inline]
 check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
 kasan_check_write+0x14/0x20 mm/kasan/kasan.c:278
 atomic_sub_return include/asm-generic/atomic-instrumented.h:305 [inline]
 skb_release_data+0x1a3/0x880 net/core/skbuff.c:559
 skb_release_all+0x4a/0x60 net/core/skbuff.c:627
 __kfree_skb net/core/skbuff.c:641 [inline]
 kfree_skb+0x1bb/0x580 net/core/skbuff.c:659
 ip6_tnl_start_xmit+0xb0c/0x25a0 net/ipv6/ip6_tunnel.c:1426
 __netdev_start_xmit include/linux/netdevice.h:4356 [inline]
 netdev_start_xmit include/linux/netdevice.h:4365 [inline]
 xmit_one net/core/dev.c:3252 [inline]
 dev_hard_start_xmit+0x295/0xc80 net/core/dev.c:3268
 __dev_queue_xmit+0x2f71/0x3ad0 net/core/dev.c:3838
 dev_queue_xmit+0x17/0x20 net/core/dev.c:3871
 packet_sendmsg_spkt+0xf44/0x16e9 net/packet/af_packet.c:1975
 sock_sendmsg_nosec net/socket.c:621 [inline]
 sock_sendmsg+0xd5/0x120 net/socket.c:631
 ___sys_sendmsg+0x51d/0x930 net/socket.c:2116
 __sys_sendmmsg+0x246/0x6d0 net/socket.c:2211
 __do_sys_sendmmsg net/socket.c:2240 [inline]
 __se_sys_sendmmsg net/socket.c:2237 [inline]
 __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2237
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457569
Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fb0356a4c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000000457569
RDX: 0000000000000001 RSI: 0000000020002140 RDI: 0000000000000003
RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb0356a56d4
R13: 00000000004c37d5 R14: 00000000004d5970 R15: 00000000ffffffff

Allocated by task 11683:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553
 __do_kmalloc_node mm/slab.c:3684 [inline]
 __kmalloc_node_track_caller+0x50/0x70 mm/slab.c:3698
 __kmalloc_reserve.isra.40+0x41/0xe0 net/core/skbuff.c:137
 __alloc_skb+0x155/0x770 net/core/skbuff.c:205
 alloc_skb include/linux/skbuff.h:997 [inline]
 sock_wmalloc+0x16d/0x1f0 net/core/sock.c:1935
 packet_sendmsg_spkt+0x48a/0x16e9 net/packet/af_packet.c:1922
 sock_sendmsg_nosec net/socket.c:621 [inline]
 sock_sendmsg+0xd5/0x120 net/socket.c:631
 ___sys_sendmsg+0x51d/0x930 net/socket.c:2116
 __sys_sendmmsg+0x246/0x6d0 net/socket.c:2211
 __do_sys_sendmmsg net/socket.c:2240 [inline]
 __se_sys_sendmmsg net/socket.c:2237 [inline]
 __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2237
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 11683:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3498 [inline]
 kfree+0xcf/0x230 mm/slab.c:3817
 skb_free_head+0x99/0xc0 net/core/skbuff.c:550
 skb_release_data+0x6a4/0x880 net/core/skbuff.c:570
 skb_release_all+0x4a/0x60 net/core/skbuff.c:627
 __kfree_skb net/core/skbuff.c:641 [inline]
 consume_skb+0x1ae/0x570 net/core/skbuff.c:701
 tpacket_rcv+0x224/0x3190 net/packet/af_packet.c:2374
 dev_queue_xmit_nit+0x927/0xc90 net/core/dev.c:2053
 xmit_one net/core/dev.c:3248 [inline]
 dev_hard_start_xmit+0x186/0xc80 net/core/dev.c:3268
 __dev_queue_xmit+0x2f71/0x3ad0 net/core/dev.c:3838
 dev_queue_xmit+0x17/0x20 net/core/dev.c:3871
 packet_sendmsg_spkt+0xf44/0x16e9 net/packet/af_packet.c:1975
 sock_sendmsg_nosec net/socket.c:621 [inline]
 sock_sendmsg+0xd5/0x120 net/socket.c:631
 ___sys_sendmsg+0x51d/0x930 net/socket.c:2116
 __sys_sendmmsg+0x246/0x6d0 net/socket.c:2211
 __do_sys_sendmmsg net/socket.c:2240 [inline]
 __se_sys_sendmmsg net/socket.c:2237 [inline]
 __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2237
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8881b7f19a80
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 224 bytes inside of
 512-byte region [ffff8881b7f19a80, ffff8881b7f19c80)
The buggy address belongs to the page:
page:ffffea0006dfc640 count:1 mapcount:0 mapping:ffff8881da800940 index:0x0
flags: 0x2fffc0000000200(slab)
raw: 02fffc0000000200 ffffea0007586ec8 ffffea0006d3d408 ffff8881da800940
raw: 0000000000000000 ffff8881b7f19080 0000000100000006 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881b7f19a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8881b7f19a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881b7f19b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                       ^
 ffff8881b7f19b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881b7f19c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

All crashes (15):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Maintainers
ci-upstream-kasan-gce-root	2018/11/20 02:07	upstream	f2ce1065	adf636a8	.config	log	report	davem@davemloft.net, kuznet@ms2.inr.ac.ru, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, yoshfuji@linux-ipv6.org
ci-upstream-net-this-kasan-gce	2018/12/08 10:01	net	1b4e5ad5	65ed2472	.config	log	report	davem@davemloft.net, kuznet@ms2.inr.ac.ru, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, yoshfuji@linux-ipv6.org
ci-upstream-net-this-kasan-gce	2018/12/06 07:36	net	64d47902	764b42c4	.config	log	report	davem@davemloft.net, kuznet@ms2.inr.ac.ru, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, yoshfuji@linux-ipv6.org
ci-upstream-net-this-kasan-gce	2018/12/05 15:40	net	0fb628f0	ac6c0578	.config	log	report	davem@davemloft.net, kuznet@ms2.inr.ac.ru, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, yoshfuji@linux-ipv6.org
ci-upstream-net-this-kasan-gce	2018/12/05 09:11	net	7b566f70	f162ad97	.config	log	report	davem@davemloft.net, kuznet@ms2.inr.ac.ru, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, yoshfuji@linux-ipv6.org
ci-upstream-net-this-kasan-gce	2018/12/04 09:59	net	d2a36971	03f94a45	.config	log	report	davem@davemloft.net, kuznet@ms2.inr.ac.ru, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, yoshfuji@linux-ipv6.org
ci-upstream-net-this-kasan-gce	2018/12/04 08:57	net	d2a36971	03f94a45	.config	log	report	davem@davemloft.net, kuznet@ms2.inr.ac.ru, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, yoshfuji@linux-ipv6.org
ci-upstream-net-this-kasan-gce	2018/12/02 20:29	net	35b827b6	e0d8c853	.config	log	report	davem@davemloft.net, kuznet@ms2.inr.ac.ru, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, yoshfuji@linux-ipv6.org
ci-upstream-net-this-kasan-gce	2018/12/02 01:36	net	35b827b6	5a581673	.config	log	report	davem@davemloft.net, kuznet@ms2.inr.ac.ru, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, yoshfuji@linux-ipv6.org
ci-upstream-net-this-kasan-gce	2018/11/29 16:20	net	60b54823	4b6d14f2	.config	log	report	davem@davemloft.net, kuznet@ms2.inr.ac.ru, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, yoshfuji@linux-ipv6.org
ci-upstream-net-this-kasan-gce	2018/11/27 08:57	net	69500127	ac912200	.config	log	report	davem@davemloft.net, kuznet@ms2.inr.ac.ru, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, yoshfuji@linux-ipv6.org
ci-upstream-net-this-kasan-gce	2018/11/26 18:38	net	69500127	ac912200	.config	log	report	davem@davemloft.net, kuznet@ms2.inr.ac.ru, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, yoshfuji@linux-ipv6.org
ci-upstream-net-kasan-gce	2018/10/11 05:22	net-next	e40a826a	5f818b4b	.config	log	report	davem@davemloft.net, kuznet@ms2.inr.ac.ru, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, yoshfuji@linux-ipv6.org
ci-upstream-net-kasan-gce	2018/12/17 23:11	net-next	ae6750e0	def91db3	.config	log	report	davem@davemloft.net, kuznet@ms2.inr.ac.ru, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, yoshfuji@linux-ipv6.org
ci-upstream-net-kasan-gce	2018/12/08 02:48	net-next	9f4c2cff	65ed2472	.config	log	report	davem@davemloft.net, kuznet@ms2.inr.ac.ru, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, yoshfuji@linux-ipv6.org