KASAN: use-after-free Read in skb

Kernel	Title	Rank 🛈	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
android-54	KASAN: use-after-free Read in skb_dequeue	19	syz			1	1532d	1532d	0/2	auto-obsoleted due to no activity on 2023/04/23 02:47
android-49	KASAN: use-after-free Read in skb_dequeue (2)	19				8	2643d	2808d	0/3	auto-closed as invalid on 2019/02/22 12:37
upstream	general protection fault in skb_dequeue (2) bluetooth	19	C	inconclusive	done	9	1477d	1562d	0/29	auto-closed as invalid on 2022/10/03 17:36
upstream	KASAN: use-after-free Read in skb_dequeue net	19	C			4	2684d	2685d	8/29	fixed on 2018/07/09 18:05
linux-4.19	KASAN: use-after-free Read in skb_dequeue	19	syz		done	1	1705d	1910d	1/1	fixed on 2021/03/29 19:17
linux-4.19	KASAN: use-after-free Read in skb_dequeue (2)	19	C		done	2	1503d	1533d	1/1	fixed on 2021/10/15 14:38

================================================================== BUG: KASAN: use-after-free in __lock_acquire+0x3c66/0x5270 kernel/locking/lockdep.c:3092 Read of size 8 at addr ffff8801cc1636f0 by task syz-executor6/7898 CPU: 0 PID: 7898 Comm: syz-executor6 Not tainted 4.4.153-g5e24b4e #90 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 0000000000000000 90a0fc68d07cb0cb ffff8800a16b77f0 ffffffff81e162ed ffffea0007305880 ffff8801cc1636f0 0000000000000000 ffff8801cc1636f0 0000000000000000 ffff8800a16b7828 ffffffff8151b4d9 ffff8801cc1636f0 Call Trace: [<ffffffff81e162ed>] __dump_stack lib/dump_stack.c:15 [inline] [<ffffffff81e162ed>] dump_stack+0xc1/0x124 lib/dump_stack.c:51 [<ffffffff8151b4d9>] print_address_description+0x6c/0x216 mm/kasan/report.c:252 [<ffffffff8151b7f8>] kasan_report_error mm/kasan/report.c:351 [inline] [<ffffffff8151b7f8>] kasan_report.cold.7+0x175/0x2f7 mm/kasan/report.c:408 [<ffffffff814fe784>] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:429 [<ffffffff81235cf6>] __lock_acquire+0x3c66/0x5270 kernel/locking/lockdep.c:3092 [<ffffffff81238ade>] lock_acquire+0x15e/0x450 kernel/locking/lockdep.c:3592 [<ffffffff838cc4be>] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:112 [inline] [<ffffffff838cc4be>] _raw_spin_lock_irqsave+0x4e/0x70 kernel/locking/spinlock.c:159 [<ffffffff82f3d452>] skb_dequeue+0x22/0x180 net/core/skbuff.c:2337 [<ffffffff835a4e1b>] l2tp_session_queue_purge+0xab/0x100 net/l2tp/l2tp_core.c:831 [<ffffffff835b196f>] pppol2tp_release+0x1ff/0x310 net/l2tp/l2tp_ppp.c:509 [<ffffffff82f213c9>] __sock_release+0xd9/0x260 net/socket.c:592 [<ffffffff82f21569>] sock_close+0x19/0x20 net/socket.c:1050 [<ffffffff815288c5>] __fput+0x235/0x6f0 fs/file_table.c:208 [<ffffffff81528e05>] ____fput+0x15/0x20 fs/file_table.c:244 [<ffffffff8118ee9f>] task_work_run+0x10f/0x190 kernel/task_work.c:115 [<ffffffff811622e0>] get_signal+0x1190/0x14b0 kernel/signal.c:2151 [<ffffffff8100df4b>] do_signal+0x8b/0x1d30 arch/x86/kernel/signal.c:712 [<ffffffff8100360a>] exit_to_usermode_loop+0x11a/0x160 arch/x86/entry/common.c:249 [<ffffffff81006535>] prepare_exit_to_usermode arch/x86/entry/common.c:284 [inline] [<ffffffff81006535>] syscall_return_slowpath+0x1b5/0x1f0 arch/x86/entry/common.c:349 [<ffffffff838cc9f5>] int_ret_from_sys_call+0x25/0xa3 Allocated by task 7898: [<ffffffff81034676>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63 [<ffffffff814fd823>] save_stack+0x43/0xd0 mm/kasan/kasan.c:512 [<ffffffff814fdb07>] set_track mm/kasan/kasan.c:524 [inline] [<ffffffff814fdb07>] kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:616 [<ffffffff814fa244>] __kmalloc+0x124/0x310 mm/slub.c:3613 [<ffffffff835aa279>] kmalloc include/linux/slab.h:481 [inline] [<ffffffff835aa279>] kzalloc include/linux/slab.h:620 [inline] [<ffffffff835aa279>] l2tp_session_create+0x39/0x1030 net/l2tp/l2tp_core.c:1748 [<ffffffff835aef80>] pppol2tp_connect+0x10f0/0x1910 net/l2tp/l2tp_ppp.c:725 [<ffffffff82f27ef8>] SYSC_connect+0x1b8/0x300 net/socket.c:1570 [<ffffffff82f2a844>] SyS_connect+0x24/0x30 net/socket.c:1551 [<ffffffff838cc865>] entry_SYSCALL_64_fastpath+0x22/0x9e Freed by task 7883: [<ffffffff81034676>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63 [<ffffffff814fd823>] save_stack+0x43/0xd0 mm/kasan/kasan.c:512 [<ffffffff814fe152>] set_track mm/kasan/kasan.c:524 [inline] [<ffffffff814fe152>] kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:589 [<ffffffff814fb6b4>] slab_free_hook mm/slub.c:1383 [inline] [<ffffffff814fb6b4>] slab_free_freelist_hook mm/slub.c:1405 [inline] [<ffffffff814fb6b4>] slab_free mm/slub.c:2859 [inline] [<ffffffff814fb6b4>] kfree+0xf4/0x310 mm/slub.c:3749 [<ffffffff835a71e0>] l2tp_session_free+0x170/0x200 net/l2tp/l2tp_core.c:1676 [<ffffffff835a9599>] l2tp_session_dec_refcount_1 net/l2tp/l2tp_core.h:293 [inline] [<ffffffff835a9599>] l2tp_tunnel_closeall+0x2b9/0x350 net/l2tp/l2tp_core.c:1279 [<ffffffff835aa0ab>] l2tp_udp_encap_destroy+0x8b/0xf0 net/l2tp/l2tp_core.c:1300 [<ffffffff8349bf11>] udpv6_destroy_sock+0xb1/0xd0 net/ipv6/udp.c:1421 [<ffffffff82f38ddd>] sk_common_release+0x6d/0x300 net/core/sock.c:2680 [<ffffffff8349abc5>] udp_lib_close+0x15/0x20 include/net/udp.h:190 [<ffffffff8330274f>] inet_release+0xff/0x1d0 net/ipv4/af_inet.c:435 [<ffffffff834251c0>] inet6_release+0x50/0x70 net/ipv6/af_inet6.c:424 [<ffffffff82f213c9>] __sock_release+0xd9/0x260 net/socket.c:592 [<ffffffff82f21569>] sock_close+0x19/0x20 net/socket.c:1050 [<ffffffff815288c5>] __fput+0x235/0x6f0 fs/file_table.c:208 [<ffffffff81528e05>] ____fput+0x15/0x20 fs/file_table.c:244 [<ffffffff8118ee9f>] task_work_run+0x10f/0x190 kernel/task_work.c:115 [<ffffffff811622e0>] get_signal+0x1190/0x14b0 kernel/signal.c:2151 [<ffffffff8100df4b>] do_signal+0x8b/0x1d30 arch/x86/kernel/signal.c:712 [<ffffffff8100360a>] exit_to_usermode_loop+0x11a/0x160 arch/x86/entry/common.c:249 [<ffffffff81006535>] prepare_exit_to_usermode arch/x86/entry/common.c:284 [inline] [<ffffffff81006535>] syscall_return_slowpath+0x1b5/0x1f0 arch/x86/entry/common.c:349 [<ffffffff838cc9f5>] int_ret_from_sys_call+0x25/0xa3 The buggy address belongs to the object at ffff8801cc163680 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 112 bytes inside of 512-byte region [ffff8801cc163680, ffff8801cc163880) The buggy address belongs to the page: BUG: unable to handle kernel paging request at fffffffc8ff969c0 IP: [<ffffffff81227dd5>] cpuacct_charge+0x155/0x380 kernel/sched/cpuacct.c:247 PGD 440f067 PUD 0 Oops: 0000 [#1] PREEMPT SMP KASAN Dumping ftrace buffer: (ftrace buffer empty) Modules linked in: CPU: 1 PID: 3834 Comm: syz-fuzzer Not tainted 4.4.153-g5e24b4e #90 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 task: ffff8801ce3f9800 task.stack: ffff8801c7dc8000 RIP: 0010:[<ffffffff81227dd5>] [<ffffffff81227dd5>] cpuacct_charge+0x155/0x380 kernel/sched/cpuacct.c:247 RSP: 0018:ffff8801c7dcfca0 EFLAGS: 00010046 RAX: 1ffffffff089521f RBX: 00000000000185a8 RCX: ffffffff84a16740 RDX: fffffbff91ff2d38 RSI: fffffffc8ff969c0 RDI: ffffffff844a90f8 RBP: ffff8801c7dcfce0 R08: ffff8801ce3fa178 R09: 0000000000000001 R10: 0000000000000001 R11: ffff8801ce3f9800 R12: ffffffff844a9020 R13: dffffc0000000000 R14: 000000003debbe39 R15: ffffffffa16b0050 FS: 000000c420028768(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: fffffffc8ff969c0 CR3: 00000001cd7aa000 CR4: 00000000001606f0 Stack: ffffffff81227ce0 0000000000000046 0000000000000003 ffff8801b941e060 ffff8801b941e000 000000003debbe39 ffff8801b941e0b0 0000000000000000 ffff8801c7dcfd28 ffffffff811dc359 0000000000000005 ffff8801db21f558 Call Trace: [<ffffffff811dc359>] update_curr+0x2c9/0x6d0 kernel/sched/fair.c:882 [<ffffffff811e755a>] enqueue_entity kernel/sched/fair.c:3512 [inline] [<ffffffff811e755a>] enqueue_task_fair+0x2fa/0x2790 kernel/sched/fair.c:4695 [<ffffffff811bea3d>] enqueue_task kernel/sched/core.c:858 [inline] [<ffffffff811bea3d>] activate_task+0x14d/0x280 kernel/sched/core.c:874 [<ffffffff811bfa6f>] ttwu_activate kernel/sched/core.c:1736 [inline] [<ffffffff811bfa6f>] ttwu_do_activate.constprop.109+0xbf/0x1e0 kernel/sched/core.c:1789 [<ffffffff811c2c80>] ttwu_queue kernel/sched/core.c:1934 [inline] [<ffffffff811c2c80>] try_to_wake_up+0x660/0xf00 kernel/sched/core.c:2068 [<ffffffff811c57d0>] wake_up_state+0x10/0x20 kernel/sched/core.c:2148 [<ffffffff81158b54>] signal_wake_up_state+0x44/0x70 kernel/signal.c:659 [<ffffffff8115d5e3>] signal_wake_up include/linux/sched.h:3332 [inline] [<ffffffff8115d5e3>] zap_other_threads+0x123/0x170 kernel/signal.c:1213 [<ffffffff8113e39c>] do_group_exit+0x26c/0x330 kernel/exit.c:880 [<ffffffff8113e47d>] SYSC_exit_group kernel/exit.c:896 [inline] [<ffffffff8113e47d>] SyS_exit_group+0x1d/0x20 kernel/exit.c:894 [<ffffffff838cc865>] entry_SYSCALL_64_fastpath+0x22/0x9e Code: 49 8d bc 24 d8 00 00 00 48 89 f8 48 c1 e8 03 42 80 3c 28 00 0f 85 c4 01 00 00 49 8b 9c 24 d8 00 00 00 80 3a 00 0f 85 8f 01 00 00 <4a> 03 1c f9 48 89 d8 48 c1 e8 03 42 80 3c 28 00 0f 85 be 01 00 RIP [<ffffffff81227dd5>] cpuacct_charge+0x155/0x380 kernel/sched/cpuacct.c:247 RSP <ffff8801c7dcfca0> CR2: fffffffc8ff969c0 ---[ end trace 14a168418c281137 ]---