KASAN: use-after-free Read in receive

Kernel	Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
upstream	KASAN: use-after-free Read in receive_buf (2) net virt				1	636d	636d	0/28	auto-obsoleted due to no activity on 2023/09/20 11:49
upstream	general protection fault in receive_buf net virt				2	1365d	1373d	0/28	auto-closed as invalid on 2021/07/03 00:24

================================================================== BUG: KASAN: use-after-free in receive_buf+0x3c45/0x54b0 Read of size 2 at addr ffff88801e05780a by task syz-fuzzer/5286 CPU: 0 PID: 5286 Comm: syz-fuzzer Not tainted 6.2.0-rc7-syzkaller-00018-g0983f6bf2bfc #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023 Call Trace: <TASK> dump_stack_lvl+0x1b5/0x2a0 print_report+0x163/0x4c0 kasan_report+0xce/0x100 receive_buf+0x3c45/0x54b0 virtnet_poll+0x629/0x1260 __napi_poll+0xc7/0x470 net_rx_action+0x6f8/0xe80 __do_softirq+0x308/0xaf7 __irq_exit_rcu+0x13e/0x230 irq_exit_rcu+0x9/0x20 common_interrupt+0x53/0xc0 asm_common_interrupt+0x26/0x40 RIP: 0033:0x4fcec4 Code: b8 d0 01 00 00 00 0f 85 ff 00 00 00 48 8b 70 18 48 83 fe 40 4d 19 c0 44 0f b7 cb 89 ca 48 89 f1 49 d3 e1 4d 21 c1 4c 0b 48 10 <4c> 89 48 10 0f b7 f2 48 03 70 18 48 89 70 18 48 83 fe 30 0f 82 be RSP: 002b:000000c000247588 EFLAGS: 00000202 RAX: 000000c0002341e0 RBX: 000000000000004d RCX: 000000000000002c RDX: 0000000000000007 RSI: 000000000000002c RDI: 0000000000000045 RBP: 000000c0002475a8 R08: ffffffffffffffff R09: 0004db98c8136b29 R10: 0000000001183600 R11: 0000000000000002 R12: 0000000000000103 R13: 0000000000000000 R14: 000000c000447a00 R15: 000000000000007f </TASK> The buggy address belongs to the physical page: page:ffffea00007815c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1e057 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 0000000000000000 ffffea00007815c8 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 3, migratetype Unmovable, gfp_mask 0x152a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL), pid 15, tgid 15 (ksoftirqd/0), ts 554848077778, free_ts 612244992154 get_page_from_freelist+0x3403/0x3580 __alloc_pages+0x291/0x7e0 skb_page_frag_refill+0x158/0x2f0 try_fill_recv+0x594/0x18e0 virtnet_poll+0x858/0x1260 __napi_poll+0xc7/0x470 net_rx_action+0x6f8/0xe80 __do_softirq+0x308/0xaf7 page last free stack trace: free_unref_page_prepare+0xf3a/0x1040 free_unref_page+0x37/0x3f0 page_to_skb+0x470/0xb60 receive_buf+0x428/0x54b0 virtnet_poll+0x629/0x1260 __napi_poll+0xc7/0x470 net_rx_action+0x6f8/0xe80 __do_softirq+0x308/0xaf7 Memory state around the buggy address: ffff88801e057700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88801e057780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff88801e057800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff88801e057880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88801e057900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ==================================================================