syzbot


KASAN: use-after-free Read in skb_dequeue

Status: auto-closed as invalid on 2019/02/25 16:09
First crash: 2276d, last: 2276d
Similar bugs (6)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-54 KASAN: use-after-free Read in skb_dequeue syz 1 1193d 1193d 0/2 auto-obsoleted due to no activity on 2023/04/23 02:47
android-49 KASAN: use-after-free Read in skb_dequeue (2) 8 2303d 2469d 0/3 auto-closed as invalid on 2019/02/22 12:37
upstream general protection fault in skb_dequeue (2) bluetooth C inconclusive done 9 1138d 1222d 0/28 auto-closed as invalid on 2022/10/03 17:36
upstream KASAN: use-after-free Read in skb_dequeue net C 4 2345d 2345d 8/28 fixed on 2018/07/09 18:05
linux-4.19 KASAN: use-after-free Read in skb_dequeue syz done 1 1366d 1570d 1/1 fixed on 2021/03/29 19:17
linux-4.19 KASAN: use-after-free Read in skb_dequeue (2) C done 2 1163d 1193d 1/1 fixed on 2021/10/15 14:38

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x3c66/0x5270 kernel/locking/lockdep.c:3092
Read of size 8 at addr ffff8801cc1636f0 by task syz-executor6/7898

CPU: 0 PID: 7898 Comm: syz-executor6 Not tainted 4.4.153-g5e24b4e #90
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 90a0fc68d07cb0cb ffff8800a16b77f0 ffffffff81e162ed
 ffffea0007305880 ffff8801cc1636f0 0000000000000000 ffff8801cc1636f0
 0000000000000000 ffff8800a16b7828 ffffffff8151b4d9 ffff8801cc1636f0
Call Trace:
 [<ffffffff81e162ed>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81e162ed>] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [<ffffffff8151b4d9>] print_address_description+0x6c/0x216 mm/kasan/report.c:252
 [<ffffffff8151b7f8>] kasan_report_error mm/kasan/report.c:351 [inline]
 [<ffffffff8151b7f8>] kasan_report.cold.7+0x175/0x2f7 mm/kasan/report.c:408
 [<ffffffff814fe784>] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:429
 [<ffffffff81235cf6>] __lock_acquire+0x3c66/0x5270 kernel/locking/lockdep.c:3092
 [<ffffffff81238ade>] lock_acquire+0x15e/0x450 kernel/locking/lockdep.c:3592
 [<ffffffff838cc4be>] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:112 [inline]
 [<ffffffff838cc4be>] _raw_spin_lock_irqsave+0x4e/0x70 kernel/locking/spinlock.c:159
 [<ffffffff82f3d452>] skb_dequeue+0x22/0x180 net/core/skbuff.c:2337
 [<ffffffff835a4e1b>] l2tp_session_queue_purge+0xab/0x100 net/l2tp/l2tp_core.c:831
 [<ffffffff835b196f>] pppol2tp_release+0x1ff/0x310 net/l2tp/l2tp_ppp.c:509
 [<ffffffff82f213c9>] __sock_release+0xd9/0x260 net/socket.c:592
 [<ffffffff82f21569>] sock_close+0x19/0x20 net/socket.c:1050
 [<ffffffff815288c5>] __fput+0x235/0x6f0 fs/file_table.c:208
 [<ffffffff81528e05>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff8118ee9f>] task_work_run+0x10f/0x190 kernel/task_work.c:115
 [<ffffffff811622e0>] get_signal+0x1190/0x14b0 kernel/signal.c:2151
 [<ffffffff8100df4b>] do_signal+0x8b/0x1d30 arch/x86/kernel/signal.c:712
 [<ffffffff8100360a>] exit_to_usermode_loop+0x11a/0x160 arch/x86/entry/common.c:249
 [<ffffffff81006535>] prepare_exit_to_usermode arch/x86/entry/common.c:284 [inline]
 [<ffffffff81006535>] syscall_return_slowpath+0x1b5/0x1f0 arch/x86/entry/common.c:349
 [<ffffffff838cc9f5>] int_ret_from_sys_call+0x25/0xa3

Allocated by task 7898:
 [<ffffffff81034676>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63
 [<ffffffff814fd823>] save_stack+0x43/0xd0 mm/kasan/kasan.c:512
 [<ffffffff814fdb07>] set_track mm/kasan/kasan.c:524 [inline]
 [<ffffffff814fdb07>] kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:616
 [<ffffffff814fa244>] __kmalloc+0x124/0x310 mm/slub.c:3613
 [<ffffffff835aa279>] kmalloc include/linux/slab.h:481 [inline]
 [<ffffffff835aa279>] kzalloc include/linux/slab.h:620 [inline]
 [<ffffffff835aa279>] l2tp_session_create+0x39/0x1030 net/l2tp/l2tp_core.c:1748
 [<ffffffff835aef80>] pppol2tp_connect+0x10f0/0x1910 net/l2tp/l2tp_ppp.c:725
 [<ffffffff82f27ef8>] SYSC_connect+0x1b8/0x300 net/socket.c:1570
 [<ffffffff82f2a844>] SyS_connect+0x24/0x30 net/socket.c:1551
 [<ffffffff838cc865>] entry_SYSCALL_64_fastpath+0x22/0x9e

Freed by task 7883:
 [<ffffffff81034676>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63
 [<ffffffff814fd823>] save_stack+0x43/0xd0 mm/kasan/kasan.c:512
 [<ffffffff814fe152>] set_track mm/kasan/kasan.c:524 [inline]
 [<ffffffff814fe152>] kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:589
 [<ffffffff814fb6b4>] slab_free_hook mm/slub.c:1383 [inline]
 [<ffffffff814fb6b4>] slab_free_freelist_hook mm/slub.c:1405 [inline]
 [<ffffffff814fb6b4>] slab_free mm/slub.c:2859 [inline]
 [<ffffffff814fb6b4>] kfree+0xf4/0x310 mm/slub.c:3749
 [<ffffffff835a71e0>] l2tp_session_free+0x170/0x200 net/l2tp/l2tp_core.c:1676
 [<ffffffff835a9599>] l2tp_session_dec_refcount_1 net/l2tp/l2tp_core.h:293 [inline]
 [<ffffffff835a9599>] l2tp_tunnel_closeall+0x2b9/0x350 net/l2tp/l2tp_core.c:1279
 [<ffffffff835aa0ab>] l2tp_udp_encap_destroy+0x8b/0xf0 net/l2tp/l2tp_core.c:1300
 [<ffffffff8349bf11>] udpv6_destroy_sock+0xb1/0xd0 net/ipv6/udp.c:1421
 [<ffffffff82f38ddd>] sk_common_release+0x6d/0x300 net/core/sock.c:2680
 [<ffffffff8349abc5>] udp_lib_close+0x15/0x20 include/net/udp.h:190
 [<ffffffff8330274f>] inet_release+0xff/0x1d0 net/ipv4/af_inet.c:435
 [<ffffffff834251c0>] inet6_release+0x50/0x70 net/ipv6/af_inet6.c:424
 [<ffffffff82f213c9>] __sock_release+0xd9/0x260 net/socket.c:592
 [<ffffffff82f21569>] sock_close+0x19/0x20 net/socket.c:1050
 [<ffffffff815288c5>] __fput+0x235/0x6f0 fs/file_table.c:208
 [<ffffffff81528e05>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff8118ee9f>] task_work_run+0x10f/0x190 kernel/task_work.c:115
 [<ffffffff811622e0>] get_signal+0x1190/0x14b0 kernel/signal.c:2151
 [<ffffffff8100df4b>] do_signal+0x8b/0x1d30 arch/x86/kernel/signal.c:712
 [<ffffffff8100360a>] exit_to_usermode_loop+0x11a/0x160 arch/x86/entry/common.c:249
 [<ffffffff81006535>] prepare_exit_to_usermode arch/x86/entry/common.c:284 [inline]
 [<ffffffff81006535>] syscall_return_slowpath+0x1b5/0x1f0 arch/x86/entry/common.c:349
 [<ffffffff838cc9f5>] int_ret_from_sys_call+0x25/0xa3

The buggy address belongs to the object at ffff8801cc163680
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 112 bytes inside of
 512-byte region [ffff8801cc163680, ffff8801cc163880)
The buggy address belongs to the page:
BUG: unable to handle kernel paging request at fffffffc8ff969c0
IP: [<ffffffff81227dd5>] cpuacct_charge+0x155/0x380 kernel/sched/cpuacct.c:247
PGD 440f067 PUD 0 
Oops: 0000 [#1] PREEMPT SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 3834 Comm: syz-fuzzer Not tainted 4.4.153-g5e24b4e #90
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8801ce3f9800 task.stack: ffff8801c7dc8000
RIP: 0010:[<ffffffff81227dd5>]  [<ffffffff81227dd5>] cpuacct_charge+0x155/0x380 kernel/sched/cpuacct.c:247
RSP: 0018:ffff8801c7dcfca0  EFLAGS: 00010046
RAX: 1ffffffff089521f RBX: 00000000000185a8 RCX: ffffffff84a16740
RDX: fffffbff91ff2d38 RSI: fffffffc8ff969c0 RDI: ffffffff844a90f8
RBP: ffff8801c7dcfce0 R08: ffff8801ce3fa178 R09: 0000000000000001
R10: 0000000000000001 R11: ffff8801ce3f9800 R12: ffffffff844a9020
R13: dffffc0000000000 R14: 000000003debbe39 R15: ffffffffa16b0050
FS:  000000c420028768(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffffc8ff969c0 CR3: 00000001cd7aa000 CR4: 00000000001606f0
Stack:
 ffffffff81227ce0 0000000000000046 0000000000000003 ffff8801b941e060
 ffff8801b941e000 000000003debbe39 ffff8801b941e0b0 0000000000000000
 ffff8801c7dcfd28 ffffffff811dc359 0000000000000005 ffff8801db21f558
Call Trace:
 [<ffffffff811dc359>] update_curr+0x2c9/0x6d0 kernel/sched/fair.c:882
 [<ffffffff811e755a>] enqueue_entity kernel/sched/fair.c:3512 [inline]
 [<ffffffff811e755a>] enqueue_task_fair+0x2fa/0x2790 kernel/sched/fair.c:4695
 [<ffffffff811bea3d>] enqueue_task kernel/sched/core.c:858 [inline]
 [<ffffffff811bea3d>] activate_task+0x14d/0x280 kernel/sched/core.c:874
 [<ffffffff811bfa6f>] ttwu_activate kernel/sched/core.c:1736 [inline]
 [<ffffffff811bfa6f>] ttwu_do_activate.constprop.109+0xbf/0x1e0 kernel/sched/core.c:1789
 [<ffffffff811c2c80>] ttwu_queue kernel/sched/core.c:1934 [inline]
 [<ffffffff811c2c80>] try_to_wake_up+0x660/0xf00 kernel/sched/core.c:2068
 [<ffffffff811c57d0>] wake_up_state+0x10/0x20 kernel/sched/core.c:2148
 [<ffffffff81158b54>] signal_wake_up_state+0x44/0x70 kernel/signal.c:659
 [<ffffffff8115d5e3>] signal_wake_up include/linux/sched.h:3332 [inline]
 [<ffffffff8115d5e3>] zap_other_threads+0x123/0x170 kernel/signal.c:1213
 [<ffffffff8113e39c>] do_group_exit+0x26c/0x330 kernel/exit.c:880
 [<ffffffff8113e47d>] SYSC_exit_group kernel/exit.c:896 [inline]
 [<ffffffff8113e47d>] SyS_exit_group+0x1d/0x20 kernel/exit.c:894
 [<ffffffff838cc865>] entry_SYSCALL_64_fastpath+0x22/0x9e
Code: 49 8d bc 24 d8 00 00 00 48 89 f8 48 c1 e8 03 42 80 3c 28 00 0f 85 c4 01 00 00 49 8b 9c 24 d8 00 00 00 80 3a 00 0f 85 8f 01 00 00 <4a> 03 1c f9 48 89 d8 48 c1 e8 03 42 80 3c 28 00 0f 85 be 01 00 
RIP  [<ffffffff81227dd5>] cpuacct_charge+0x155/0x380 kernel/sched/cpuacct.c:247
 RSP <ffff8801c7dcfca0>
CR2: fffffffc8ff969c0
---[ end trace 14a168418c281137 ]---

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2018/08/29 16:08 https://android.googlesource.com/kernel/common android-4.4 5e24b4e4d372 53ff8784 .config console log report ci-android-44-kasan-gce
* Struck through repros no longer work on HEAD.