KASAN: use-after-free Write in __alloc_skb

Status: fixed on 2020/02/14 21:56
Fix commit: e841252840c4 net: rtnetlink: validate IFLA_MTU attribute in rtnl_create_link()
First crash: 1151d, last: 1121d

Fix bisection: fixed by (bisect log) :
commit e841252840c48e9a0e5add9d82796b1d55c0f653
Author: Eric Dumazet <>
Date: Wed Jan 22 06:47:29 2020 +0000

  net: rtnetlink: validate IFLA_MTU attribute in rtnl_create_link()

similar bugs (5):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.19 KASAN: use-after-free Write in __alloc_skb C done 2 1121d 1189d 1/1 fixed on 2020/02/11 15:16
upstream KASAN: use-after-free Write in __alloc_skb (3) C done inconclusive 2 553d 922d 0/24 upstream: reported C repro on 2020/07/29 18:24
upstream KASAN: use-after-free Write in __alloc_skb (2) C done 7 1135d 1151d 16/24 fixed on 2020/02/18 14:31
linux-4.14 KASAN: use-after-free Write in __alloc_skb (2) C 1 17d 927d 0/1 upstream: reported C repro on 2020/07/24 01:04
upstream KASAN: use-after-free Write in __alloc_skb 2 1175d 1181d 0/24 closed as invalid on 2019/12/08 05:44

Sample crash report:
audit: type=1400 audit(1576233567.448:39): avc:  denied  { read } for  pid=7007 comm="syz-executor975" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
BUG: KASAN: use-after-free in memset include/linux/string.h:332 [inline]
BUG: KASAN: use-after-free in __alloc_skb+0x318/0x500 net/core/skbuff.c:234
Write of size 36 at addr ffff8881974a1900 by task swapper/1/0

CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.14.158-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x142/0x197 lib/dump_stack.c:58
 print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report mm/kasan/report.c:409 [inline]
 kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
 check_memory_region_inline mm/kasan/kasan.c:260 [inline]
 check_memory_region+0x123/0x190 mm/kasan/kasan.c:267
 memset+0x24/0x40 mm/kasan/kasan.c:285
 memset include/linux/string.h:332 [inline]
 __alloc_skb+0x318/0x500 net/core/skbuff.c:234
 alloc_skb include/linux/skbuff.h:980 [inline]
 alloc_skb_with_frags+0x86/0x4b0 net/core/skbuff.c:5228
 sock_alloc_send_pskb+0x5db/0x740 net/core/sock.c:2078
 sock_alloc_send_skb+0x32/0x40 net/core/sock.c:2095
 mld_newpack+0x1c0/0x7a0 net/ipv6/mcast.c:1585
 add_grhead.isra.0+0x299/0x370 net/ipv6/mcast.c:1691
 add_grec+0x69c/0xef0 net/ipv6/mcast.c:1822
 mld_send_cr net/ipv6/mcast.c:1948 [inline]
 mld_ifc_timer_expire+0x33e/0x7b0 net/ipv6/mcast.c:2455
 call_timer_fn+0x161/0x670 kernel/time/timer.c:1279
 expire_timers kernel/time/timer.c:1318 [inline]
 __run_timers kernel/time/timer.c:1636 [inline]
 __run_timers kernel/time/timer.c:1604 [inline]
 run_timer_softirq+0x5b7/0x1520 kernel/time/timer.c:1649
 __do_softirq+0x244/0x9a0 kernel/softirq.c:288
 invoke_softirq kernel/softirq.c:368 [inline]
 irq_exit+0x160/0x1b0 kernel/softirq.c:409
 exiting_irq arch/x86/include/asm/apic.h:648 [inline]
 smp_apic_timer_interrupt+0x146/0x5e0 arch/x86/kernel/apic/apic.c:1102
 apic_timer_interrupt+0x96/0xa0 arch/x86/entry/entry_64.S:792
RIP: 0010:native_safe_halt+0xe/0x10 arch/x86/include/asm/irqflags.h:61
RSP: 0018:ffff8880a9d37e70 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff10
RAX: 1ffffffff0fe2d2c RBX: ffff8880a9d2a340 RCX: 0000000000000000
RDX: dffffc0000000000 RSI: 0000000000000001 RDI: ffff8880a9d2abbc
RBP: ffff8880a9d37e98 R08: 1ffffffff1164701 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff87f16950
R13: 0000000000000000 R14: 0000000000000000 R15: ffff8880a9d2a340
 arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:557
 default_idle_call+0x36/0x90 kernel/sched/idle.c:98
 cpuidle_idle_call kernel/sched/idle.c:156 [inline]
 do_idle+0x262/0x3d0 kernel/sched/idle.c:246
 cpu_startup_entry+0x1b/0x20 kernel/sched/idle.c:351
 start_secondary+0x346/0x4b0 arch/x86/kernel/smpboot.c:272
 secondary_startup_64+0xa5/0xb0 arch/x86/kernel/head_64.S:240

The buggy address belongs to the page:
page:ffffea00065d2840 count:0 mapcount:0 mapping:          (null) index:0x0
flags: 0x57ffe0000000000()
raw: 057ffe0000000000 0000000000000000 0000000000000000 00000000ffffffff
raw: ffffea00065d2860 ffffea00065d2860 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881974a1800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881974a1880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8881974a1900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881974a1980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881974a1a00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

Crashes (1):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Title
ci2-linux-4-14 2019/12/13 10:42 linux-4.14.y a844dc4c5442 2a752b7c .config console log report syz C
* Struck through repros no longer work on HEAD.