general protection fault in skb_release

general protection fault in skb_release_data
Status: fixed on 2017/10/23 20:15
Reported-by: syzbot+@syzkaller.appspotmail.com
Fix commit: 304b4101 ipv6: fix out of bound writes in __ip6_append_data()
First crash: 1302d, last: 1302d

similar bugs (4):
Kernel	Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
linux-4.19	general protection fault in skb_release_data	C		error	2	178d	181d	0/1	upstream: reported C repro on 2020/09/07 04:13
upstream	general protection fault in skb_release_data (2)	C	done	error	7	41d	179d	0/21	upstream: reported C repro on 2020/09/09 09:58
linux-4.14	general protection fault in skb_release_data	C			1	14d	179d	0/1	upstream: reported C repro on 2020/09/08 19:28
upstream	general protection fault in skb_release_data	syz			198	1298d	1299d	3/21	fixed on 2017/10/24 06:54

Sample crash report:

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 12431 Comm: syz-executor4 Not tainted 4.9.42-g02f29ab #24
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8801ba9f4800 task.stack: ffff8801d16e0000
RIP: 0010:[<ffffffff82ee7bbb>]  [<ffffffff82ee7bbb>] __read_once_size include/linux/compiler.h:243 [inline]
RIP: 0010:[<ffffffff82ee7bbb>]  [<ffffffff82ee7bbb>] compound_head include/linux/page-flags.h:143 [inline]
RIP: 0010:[<ffffffff82ee7bbb>]  [<ffffffff82ee7bbb>] put_page include/linux/mm.h:777 [inline]
RIP: 0010:[<ffffffff82ee7bbb>]  [<ffffffff82ee7bbb>] __skb_frag_unref include/linux/skbuff.h:2592 [inline]
RIP: 0010:[<ffffffff82ee7bbb>]  [<ffffffff82ee7bbb>] skb_release_data+0x17b/0x3f0 net/core/skbuff.c:594
RSP: 0018:ffff8801d16e7808  EFLAGS: 00010202
RAX: 0000000000000004 RBX: ffff8801cd1999c0 RCX: ffffc90003b20000
RDX: 00000000000002fe RSI: 0000000000000001 RDI: 0000000000000020
RBP: ffff8801d16e7848 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 1ffff1003a2dcec6 R12: ffff8801cd1999f0
R13: dffffc0000000000 R14: ffff8801bb747a00 R15: 0000000000000000
FS:  00007f6beb533700(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000004c3d10 CR3: 00000001ce630000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
 ffffed0039a33338 ffff8801bb747a00 0000000082ede790 ffff8801bb747a00
 ffffffff831f5326 ffff8801d99b15d0 ffffed003b336268 ffff8801bb747a00
 ffff8801d16e7860 ffffffff82ee7e7a ffff8801bb747a00 ffff8801d16e7878
Call Trace:
 [<ffffffff82ee7e7a>] skb_release_all+0x4a/0x60 net/core/skbuff.c:670
 [<ffffffff82ee7ea5>] __kfree_skb+0x15/0x20 net/core/skbuff.c:684
 [<ffffffff82ee7f7c>] kfree_skb+0xcc/0x330 net/core/skbuff.c:705
 [<ffffffff831f5326>] __ip_flush_pending_frames.isra.49+0x106/0x2b0 net/ipv4/ip_output.c:1517
 [<ffffffff83200030>] ip_flush_pending_frames+0x20/0x30 net/ipv4/ip_output.c:1524
 [<ffffffff832b2334>] udp_flush_pending_frames net/ipv4/udp.c:716 [inline]
 [<ffffffff832b2334>] udp_sendmsg+0x1574/0x1c10 net/ipv4/udp.c:1088
 [<ffffffff832e4dfc>] inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:753
 [<ffffffff82ecab9a>] sock_sendmsg_nosec net/socket.c:635 [inline]
 [<ffffffff82ecab9a>] sock_sendmsg+0xca/0x110 net/socket.c:645
 [<ffffffff82ecae06>] sock_write_iter+0x226/0x3b0 net/socket.c:843
 [<ffffffff8156a84f>] new_sync_write fs/read_write.c:499 [inline]
 [<ffffffff8156a84f>] __vfs_write+0x4bf/0x680 fs/read_write.c:512
 [<ffffffff8156e5c0>] vfs_write+0x170/0x4e0 fs/read_write.c:560
 [<ffffffff81571fb9>] SYSC_write fs/read_write.c:607 [inline]
 [<ffffffff81571fb9>] SyS_write+0xd9/0x1b0 fs/read_write.c:599
 [<ffffffff838a5a05>] entry_SYSCALL_64_fastpath+0x23/0xc6
Code: 84 c0 00 00 00 e8 06 25 48 fe 4c 89 e0 48 c1 e8 03 42 80 3c 28 00 0f 85 4b 02 00 00 4d 8b 3c 24 49 8d 7f 20 48 89 f8 48 c1 e8 03 <42> 80 3c 28 00 0f 85 3e 02 00 00 49 8b 47 20 a8 01 0f 85 88 01 
RIP  [<ffffffff82ee7bbb>] __read_once_size include/linux/compiler.h:243 [inline]
RIP  [<ffffffff82ee7bbb>] compound_head include/linux/page-flags.h:143 [inline]
RIP  [<ffffffff82ee7bbb>] put_page include/linux/mm.h:777 [inline]
RIP  [<ffffffff82ee7bbb>] __skb_frag_unref include/linux/skbuff.h:2592 [inline]
RIP  [<ffffffff82ee7bbb>] skb_release_data+0x17b/0x3f0 net/core/skbuff.c:594
 RSP <ffff8801d16e7808>
---[ end trace b111a6d122dd242a ]---

Crashes (1):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Title
ci-android-49-kasan-gce	2017/08/13 09:27	https://android.googlesource.com/kernel/common android-4.9	02f29ab1	6a0246bf	.config	log	report