KASAN: use-after-free Read in skb

Kernel	Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
android-54	KASAN: use-after-free Read in skb_dequeue	syz			1	977d	977d	0/2	auto-obsoleted due to no activity on 2023/04/23 02:47
android-49	KASAN: use-after-free Read in skb_dequeue (2)				8	2087d	2253d	0/3	auto-closed as invalid on 2019/02/22 12:37
upstream	general protection fault in skb_dequeue (2) bluetooth	C	inconclusive	done	9	922d	1007d	0/26	auto-closed as invalid on 2022/10/03 17:36
upstream	KASAN: use-after-free Read in skb_dequeue net	C			4	2129d	2129d	8/26	fixed on 2018/07/09 18:05
linux-4.19	KASAN: use-after-free Read in skb_dequeue	syz		done	1	1150d	1354d	1/1	fixed on 2021/03/29 19:17
android-44	KASAN: use-after-free Read in skb_dequeue				1	2060d	2060d	0/2	auto-closed as invalid on 2019/02/25 16:09
upstream	general protection fault in skb_dequeue (3) wireless	C	done		6	434d	443d	22/26	fixed on 2023/06/08 14:41

Created	Duration	User	Patch	Repo	Result
2021/10/15 07:51	3h44m	bisect fix		linux-4.19.y	job log (1)
2021/09/15 06:21	33m	bisect fix		linux-4.19.y	job log (0) log

Created

Duration

User

Patch

Repo

Result

2021/10/15 07:51

3h44m

bisect fix

linux-4.19.y

job log (1)

2021/09/15 06:21

33m

bisect fix

linux-4.19.y

job log (0) log

Bluetooth: hci10: Frame reassembly failed (-84) Bluetooth: hci10: Received unexpected HCI Event 00000000 Bluetooth: hci11: Frame reassembly failed (-84) Bluetooth: hci11: Received unexpected HCI Event 00000000 ================================================================== BUG: KASAN: use-after-free in __skb_unlink include/linux/skbuff.h:1916 [inline] BUG: KASAN: use-after-free in __skb_dequeue include/linux/skbuff.h:1936 [inline] BUG: KASAN: use-after-free in skb_dequeue+0x15f/0x180 net/core/skbuff.c:2838 Read of size 8 at addr ffff8880a154ee80 by task kworker/u5:3/8166 CPU: 0 PID: 8166 Comm: kworker/u5:3 Not tainted 4.19.204-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: hci11 hci_rx_work Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1fc/0x2ef lib/dump_stack.c:118 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256 kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354 kasan_report mm/kasan/report.c:412 [inline] __asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433 __skb_unlink include/linux/skbuff.h:1916 [inline] __skb_dequeue include/linux/skbuff.h:1936 [inline] skb_dequeue+0x15f/0x180 net/core/skbuff.c:2838 hci_rx_work+0x6d/0xc70 net/bluetooth/hci_core.c:4331 process_one_work+0x864/0x1570 kernel/workqueue.c:2153 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296 kthread+0x33f/0x460 kernel/kthread.c:259 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415 Allocated by task 9547: kmem_cache_alloc_node+0x146/0x3b0 mm/slab.c:3649 __alloc_skb+0x71/0x560 net/core/skbuff.c:193 alloc_skb include/linux/skbuff.h:995 [inline] bt_skb_alloc include/net/bluetooth/bluetooth.h:339 [inline] h4_recv_buf+0x57c/0xda0 drivers/bluetooth/hci_h4.c:197 h4_recv+0xdf/0x1f0 drivers/bluetooth/hci_h4.c:131 hci_uart_tty_receive+0x221/0x530 drivers/bluetooth/hci_ldisc.c:621 tiocsti drivers/tty/tty_io.c:2194 [inline] tty_ioctl+0xff8/0x15c0 drivers/tty/tty_io.c:2580 vfs_ioctl fs/ioctl.c:46 [inline] file_ioctl fs/ioctl.c:501 [inline] do_vfs_ioctl+0xcdb/0x12e0 fs/ioctl.c:688 ksys_ioctl+0x9b/0xc0 fs/ioctl.c:705 __do_sys_ioctl fs/ioctl.c:712 [inline] __se_sys_ioctl fs/ioctl.c:710 [inline] __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:710 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 8166: __cache_free mm/slab.c:3503 [inline] kmem_cache_free+0x7f/0x260 mm/slab.c:3765 kfree_skbmem+0xc1/0x140 net/core/skbuff.c:595 __kfree_skb net/core/skbuff.c:655 [inline] kfree_skb+0x127/0x3d0 net/core/skbuff.c:672 hci_event_packet+0x32c/0x7e20 net/bluetooth/hci_event.c:5963 hci_rx_work+0x4ad/0xc70 net/bluetooth/hci_core.c:4366 process_one_work+0x864/0x1570 kernel/workqueue.c:2153 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296 kthread+0x33f/0x460 kernel/kthread.c:259 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415 The buggy address belongs to the object at ffff8880a154ee80 which belongs to the cache skbuff_head_cache of size 232 The buggy address is located 0 bytes inside of 232-byte region [ffff8880a154ee80, ffff8880a154ef68) The buggy address belongs to the page: page:ffffea0002855380 count:1 mapcount:0 mapping:ffff8880b5b8fd80 index:0x0 flags: 0xfff00000000100(slab) raw: 00fff00000000100 ffffea0002662908 ffffea000266a808 ffff8880b5b8fd80 raw: 0000000000000000 ffff8880a154e0c0 000000010000000c 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880a154ed80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880a154ee00: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc >ffff8880a154ee80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880a154ef00: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc ffff8880a154ef80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ==================================================================

Crashes (2):
Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Assets (help?)	Manager	Title
2021/08/16 06:05	linux-4.19.y	59456c9cc40c	2489ab88	.config	console log	report	syz	C			ci2-linux-4-19	KASAN: use-after-free Read in skb_dequeue
2021/08/16 06:21	linux-4.19.y	59456c9cc40c	2489ab88	.config	console log	report	syz				ci2-linux-4-19	KASAN: use-after-free Read in skb_dequeue

Crashes (2):

Assets (help?)