syzbot

 sign-in | mailing list | source | docs
🐞 Open [1169] Subsystems 🐞 Fixed [4404] 🐞 Invalid [9906] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes 💬 Send us feedback

KASAN: use-after-free Read in kfree_skb (3)

Status: auto-obsoleted due to no activity on 2022/12/22 07:00
Reported-by: syzbot+dcb1305dd05699c40640@syzkaller.appspotmail.com
First crash: 1433d, last: 1216d

Cause bisection: introduced by (bisect log) :
commit 5ec8c48a6235175f7ff59ed1acbe91d4d0398026
Author: Thierry Reding <thierry.reding@gmail.com>
Date: Thu Jul 6 15:16:47 2017 +0000

  Merge branch 'for-4.13/drivers' into for-next

Crash: unregister_netdevice: waiting for DEV to become free (log)
Repro: C syz .config

Fix bisection: failed (error log, bisect log)
similar bugs (4):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Read in kfree_skb net 1 1616d 1616d 12/24 fixed on 2018/11/12 21:25
linux-4.14 KASAN: use-after-free Read in kfree_skb C done 98 1214d 1342d 1/1 fixed on 2019/12/28 10:32
linux-4.19 KASAN: use-after-free Read in kfree_skb C done 95 1215d 1336d 1/1 fixed on 2019/12/28 10:32
upstream KASAN: use-after-free Read in kfree_skb (2) tipc C 66 1557d 1566d 12/24 fixed on 2019/01/11 01:22
Last patch testing requests:
Created Duration User Patch Repo Result
2022/12/21 22:31 22m retest repro upstream OK log
2022/12/20 06:31 18m retest repro upstream OK log
2022/12/20 02:31 18m retest repro upstream OK log
2022/12/19 22:31 19m retest repro upstream OK log
2022/12/19 19:31 19m retest repro upstream OK log
2022/12/19 15:31 19m retest repro upstream OK log
2022/12/19 11:31 20m retest repro upstream OK log
2022/12/19 08:31 21m retest repro upstream OK log
2022/12/18 07:31 20m retest repro upstream OK log
2022/12/18 04:31 19m retest repro upstream OK log
2021/03/15 01:53 18m ducheng2@gmail.com upstream OK

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in atomic_read include/asm-generic/atomic-instrumented.h:26 [inline]
BUG: KASAN: use-after-free in refcount_read include/linux/refcount.h:43 [inline]
BUG: KASAN: use-after-free in skb_unref include/linux/skbuff.h:1010 [inline]
BUG: KASAN: use-after-free in kfree_skb+0x2a/0xb0 net/core/skbuff.c:693
Read of size 4 at addr ffff8880a0ee3c54 by task syz-executor933/7994

CPU: 1 PID: 7994 Comm: syz-executor933 Not tainted 5.4.0-rc6 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d8/0x2f8 lib/dump_stack.c:113
 print_address_description+0x75/0x5c0 mm/kasan/report.c:374
 __kasan_report+0x14b/0x1c0 mm/kasan/report.c:506
 kasan_report+0x26/0x50 mm/kasan/common.c:634
 check_memory_region_inline mm/kasan/generic.c:182 [inline]
 check_memory_region+0x2cf/0x2e0 mm/kasan/generic.c:192
 __kasan_check_read+0x11/0x20 mm/kasan/common.c:92
 atomic_read include/asm-generic/atomic-instrumented.h:26 [inline]
 refcount_read include/linux/refcount.h:43 [inline]
 skb_unref include/linux/skbuff.h:1010 [inline]
 kfree_skb+0x2a/0xb0 net/core/skbuff.c:693
 bcsp_close+0xb1/0xf0 drivers/bluetooth/hci_bcsp.c:748
 hci_uart_tty_close+0x201/0x240 drivers/bluetooth/hci_ldisc.c:548
 tty_ldisc_close+0x126/0x180 drivers/tty/tty_ldisc.c:494
 tty_ldisc_kill drivers/tty/tty_ldisc.c:642 [inline]
 tty_ldisc_release+0x248/0x5a0 drivers/tty/tty_ldisc.c:814
 tty_release_struct+0x2a/0xe0 drivers/tty/tty_io.c:1612
 tty_release+0xce9/0xfa0 drivers/tty/tty_io.c:1785
 __fput+0x2e4/0x740 fs/file_table.c:280
 ____fput+0x15/0x20 fs/file_table.c:313
 task_work_run+0x17e/0x1b0 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_usermode_loop arch/x86/entry/common.c:163 [inline]
 prepare_exit_to_usermode+0x459/0x580 arch/x86/entry/common.c:194
 syscall_return_slowpath+0x113/0x4a0 arch/x86/entry/common.c:274
 do_syscall_64+0x11f/0x1c0 arch/x86/entry/common.c:300
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4076d1
Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 24 1a 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007ffe59a19680 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00000000004076d1
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00000000006dec4c R08: 00000000004b1469 R09: 00000000004b1469
R10: 00007ffe59a196a0 R11: 0000000000000293 R12: 00000000006dec50
R13: 0000000000000000 R14: 20c49ba5e353f7cf R15: 0000000000000009

Allocated by task 7:
 save_stack mm/kasan/common.c:69 [inline]
 set_track mm/kasan/common.c:77 [inline]
 __kasan_kmalloc+0x11c/0x1b0 mm/kasan/common.c:510
 kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:518
 slab_post_alloc_hook mm/slab.h:584 [inline]
 slab_alloc_node mm/slab.c:3262 [inline]
 kmem_cache_alloc_node+0x235/0x280 mm/slab.c:3574
 __alloc_skb+0x9f/0x500 net/core/skbuff.c:197
 alloc_skb include/linux/skbuff.h:1049 [inline]
 bt_skb_alloc include/net/bluetooth/bluetooth.h:339 [inline]
 bcsp_recv+0x12e7/0x1720 drivers/bluetooth/hci_bcsp.c:670
 hci_uart_tty_receive+0x16b/0x470 drivers/bluetooth/hci_ldisc.c:613
 tty_ldisc_receive_buf+0x12e/0x170 drivers/tty/tty_buffer.c:465
 tty_port_default_receive_buf+0x82/0xb0 drivers/tty/tty_port.c:38
 receive_buf drivers/tty/tty_buffer.c:481 [inline]
 flush_to_ldisc+0x328/0x550 drivers/tty/tty_buffer.c:533
 process_one_work+0x7ef/0x10e0 kernel/workqueue.c:2269
 worker_thread+0xc01/0x1630 kernel/workqueue.c:2415
 kthread+0x332/0x350 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Freed by task 7:
 save_stack mm/kasan/common.c:69 [inline]
 set_track mm/kasan/common.c:77 [inline]
 kasan_set_free_info mm/kasan/common.c:332 [inline]
 __kasan_slab_free+0x12a/0x1e0 mm/kasan/common.c:471
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:480
 __cache_free mm/slab.c:3425 [inline]
 kmem_cache_free+0x81/0xf0 mm/slab.c:3693
 kfree_skbmem net/core/skbuff.c:644 [inline]
 __kfree_skb+0x118/0x170 net/core/skbuff.c:680
 kfree_skb+0x6f/0xb0 net/core/skbuff.c:697
 bcsp_recv+0x99c/0x1720 drivers/bluetooth/hci_bcsp.c:608
 hci_uart_tty_receive+0x16b/0x470 drivers/bluetooth/hci_ldisc.c:613
 tty_ldisc_receive_buf+0x12e/0x170 drivers/tty/tty_buffer.c:465
 tty_port_default_receive_buf+0x82/0xb0 drivers/tty/tty_port.c:38
 receive_buf drivers/tty/tty_buffer.c:481 [inline]
 flush_to_ldisc+0x328/0x550 drivers/tty/tty_buffer.c:533
 process_one_work+0x7ef/0x10e0 kernel/workqueue.c:2269
 worker_thread+0xc01/0x1630 kernel/workqueue.c:2415
 kthread+0x332/0x350 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

The buggy address belongs to the object at ffff8880a0ee3b80
 which belongs to the cache skbuff_head_cache of size 224
The buggy address is located 212 bytes inside of
 224-byte region [ffff8880a0ee3b80, ffff8880a0ee3c60)
The buggy address belongs to the page:
page:ffffea000283b8c0 refcount:1 mapcount:0 mapping:ffff8880a99baa80 index:0x0
flags: 0x1fffc0000000200(slab)
raw: 01fffc0000000200 ffffea0002284008 ffffea0002299d48 ffff8880a99baa80
raw: 0000000000000000 ffff8880a0ee3040 000000010000000c 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a0ee3b00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880a0ee3b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880a0ee3c00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
                                                 ^
 ffff8880a0ee3c80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
 ffff8880a0ee3d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (313):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Title
ci-upstream-kasan-gce-smack-root 2019/11/04 23:40 upstream a99d8080aaf3 76630fc9 .config console log report syz C
ci-upstream-kasan-gce 2019/11/04 09:34 upstream a99d8080aaf3 b35fad31 .config console log report syz C
ci-upstream-kasan-gce-root 2019/10/18 08:39 upstream 283ea345934d 8c88c9c1 .config console log report syz C
ci-upstream-kasan-gce-selinux-root 2019/10/17 11:36 upstream bc88f85c6c09 8c88c9c1 .config console log report syz C
ci-upstream-kasan-gce-root 2019/10/12 16:33 upstream 1c0cc5f1ae5e 426631dd .config console log report syz C
ci-upstream-kasan-gce-smack-root 2019/10/12 14:47 upstream 1c0cc5f1ae5e 426631dd .config console log report syz C
ci-upstream-kasan-gce 2019/10/05 17:16 upstream b145b0eb2031 f3f7d9c8 .config console log report syz C
ci-upstream-kasan-gce-selinux-root 2019/06/10 16:29 upstream d1fdb6d8f6a4 0159583c .config console log report syz C
ci-upstream-kasan-gce-root 2019/06/10 14:53 upstream d1fdb6d8f6a4 0159583c .config console log report syz C
ci-upstream-linux-next-kasan-gce-root 2019/10/30 05:04 linux-next c57cf3833c66 5ea87a66 .config console log report syz C
ci-upstream-linux-next-kasan-gce-root 2019/10/16 06:21 linux-next 0e9d28bc6c81 d4ea592f .config console log report syz C
ci-upstream-linux-next-kasan-gce-root 2019/08/04 00:12 linux-next 7b4980e0bcf4 6affd8e8 .config console log report syz C
ci-upstream-kasan-gce-selinux-root 2019/11/07 12:21 upstream 4dd58158254c d797d201 .config console log report syz
ci-upstream-kasan-gce-root 2019/11/01 10:55 upstream e472c64aa4fa a41ca8fa .config console log report syz
ci-upstream-kasan-gce-smack-root 2019/11/01 10:46 upstream e472c64aa4fa a41ca8fa .config console log report syz
ci-upstream-kasan-gce-smack-root 2019/10/31 13:57 upstream e472c64aa4fa a41ca8fa .config console log report syz
ci-upstream-kasan-gce-selinux-root 2019/10/15 17:41 upstream 5bc52f64e884 b5268b89 .config console log report syz
ci-upstream-kasan-gce-smack-root 2019/10/11 08:15 upstream fb20da6af705 1a3bad90 .config console log report syz
ci-upstream-kasan-gce-root 2019/09/16 15:18 upstream 4d856f72c10e cb936299 .config console log report syz
ci-upstream-kasan-gce 2019/09/15 20:47 upstream 1609d7604b84 32d59357 .config console log report syz
ci-upstream-kasan-gce-smack-root 2019/09/15 16:18 upstream 1609d7604b84 32d59357 .config console log report syz
ci-upstream-kasan-gce-selinux-root 2019/09/15 16:12 upstream 1609d7604b84 32d59357 .config console log report syz
ci-upstream-kasan-gce-selinux-root 2019/08/04 00:55 upstream dcb8cfbd8fe9 6affd8e8 .config console log report syz
ci-upstream-kasan-gce-smack-root 2019/08/02 06:52 upstream 1e78030e5e5b 835dffe7 .config console log report syz
ci-upstream-kasan-gce-root 2019/08/02 05:20 upstream 1e78030e5e5b 835dffe7 .config console log report syz
ci-upstream-kasan-gce-selinux-root 2019/08/02 05:19 upstream 1e78030e5e5b 835dffe7 .config console log report syz
ci-upstream-kasan-gce-386 2019/11/01 10:56 upstream e472c64aa4fa a41ca8fa .config console log report syz
ci-upstream-kasan-gce-386 2019/10/11 06:46 upstream fb20da6af705 1a3bad90 .config console log report syz
ci-upstream-kasan-gce-386 2019/09/15 07:36 upstream 1609d7604b84 32d59357 .config console log report syz
ci-upstream-kasan-gce-selinux-root 2019/11/24 23:46 upstream 6b8a79467876 598ca6c8 .config console log report
ci-upstream-kasan-gce-root 2019/11/24 21:49 upstream 6b8a79467876 598ca6c8 .config console log report
ci-upstream-kasan-gce 2019/11/24 17:37 upstream 6b8a79467876 598ca6c8 .config console log report
ci-upstream-kasan-gce 2019/11/22 22:07 upstream a6b0373ffcd8 598ca6c8 .config console log report
ci-upstream-kasan-gce-selinux-root 2019/11/22 11:12 upstream 81429eb8d9ca 8098ea0f .config console log report
ci-upstream-kasan-gce-smack-root 2019/11/22 01:14 upstream 81429eb8d9ca 8098ea0f .config console log report
ci-upstream-kasan-gce 2019/11/20 13:07 upstream c74386d50fba f4b7ed07 .config console log report
ci-upstream-kasan-gce-root 2019/11/20 01:58 upstream af42d3466bdc 5bc70212 .config console log report
ci-upstream-kasan-gce-smack-root 2019/11/19 14:42 upstream af42d3466bdc 5bc70212 .config console log report
ci-upstream-kasan-gce 2019/11/19 10:09 upstream af42d3466bdc 5bc70212 .config console log report
ci-upstream-kasan-gce-selinux-root 2019/11/18 22:19 upstream af42d3466bdc 1daed50a .config console log report
ci-upstream-kasan-gce-root 2019/11/17 00:32 upstream 6c9594bdd474 d5696d51 .config console log report
ci-upstream-kasan-gce 2019/11/16 22:22 upstream 6c9594bdd474 d5696d51 .config console log report
ci-upstream-kasan-gce-smack-root 2019/11/16 00:52 upstream eb70e26cd79d cdac920b .config console log report
ci-upstream-kasan-gce 2019/11/15 21:17 upstream eb70e26cd79d cdac920b .config console log report
ci-upstream-kasan-gce-selinux-root 2019/11/14 07:20 upstream bf9294798930 048f2d49 .config console log report
ci-upstream-kasan-gce-smack-root 2019/11/13 20:33 upstream 0e3f1ad80fc8 048f2d49 .config console log report
ci-upstream-kasan-gce-smack-root 2019/11/13 15:21 upstream 0e3f1ad80fc8 048f2d49 .config console log report
ci-upstream-kasan-gce-selinux-root 2019/11/12 09:40 upstream de620fb99ef2 048f2d49 .config console log report
ci-upstream-kasan-gce 2019/11/12 08:32 upstream de620fb99ef2 048f2d49 .config console log report
ci-upstream-kasan-gce-root 2019/11/11 17:45 upstream 31f4f5b495a6 048f2d49 .config console log report
ci-upstream-kasan-gce-root 2019/11/11 14:49 upstream 9805a68371ce dc438b91 .config console log report
ci-upstream-kasan-gce 2019/11/11 13:33 upstream 9805a68371ce dc438b91 .config console log report
ci-upstream-kasan-gce 2019/11/10 12:56 upstream 00aff6836241 dc438b91 .config console log report
ci-upstream-kasan-gce 2019/11/10 02:01 upstream 0058b0a506e4 dc438b91 .config console log report
ci-upstream-kasan-gce-root 2019/11/09 00:45 upstream 6737e7634951 dc438b91 .config console log report
ci-upstream-kasan-gce-selinux-root 2019/11/07 23:30 upstream 847120f859cc f39aff9e .config console log report
ci-upstream-kasan-gce-selinux-root 2019/11/07 05:42 upstream 4dd58158254c d797d201 .config console log report
ci-upstream-kasan-gce 2019/11/05 07:44 upstream a99d8080aaf3 76630fc9 .config console log report
ci-upstream-kasan-gce-root 2019/11/01 04:25 upstream e472c64aa4fa a41ca8fa .config console log report
ci-upstream-kasan-gce 2019/10/31 10:10 upstream e472c64aa4fa a41ca8fa .config console log report
ci-upstream-kasan-gce-root 2019/10/28 23:35 upstream 9e5eefba3d09 439d7b14 .config console log report
ci-upstream-kasan-gce 2019/10/28 20:17 upstream 9e5eefba3d09 439d7b14 .config console log report
ci-upstream-kasan-gce-selinux-root 2019/10/28 15:54 upstream 9e5eefba3d09 25bb509e .config console log report
ci-upstream-kasan-gce 2019/10/26 18:39 upstream f877bee5ea0b 25bb509e .config console log report
ci-upstream-kasan-gce-smack-root 2019/10/25 21:37 upstream 39a38bcba4ab c2e837da .config console log report
ci-upstream-kasan-gce-selinux-root 2019/10/25 03:25 upstream f116b96685a0 d01bb02a .config console log report
ci-upstream-kasan-gce 2019/10/25 01:49 upstream f116b96685a0 d01bb02a .config console log report
ci-upstream-kasan-gce-selinux-root 2019/10/24 12:59 upstream f116b96685a0 d01bb02a .config console log report
ci-upstream-kasan-gce 2019/10/23 16:35 upstream 13b86bc4cd64 b602d64b .config console log report
ci-upstream-kasan-gce 2019/10/21 06:22 upstream 4fe34d61a3a9 8c88c9c1 .config console log report
ci-upstream-kasan-gce-selinux-root 2019/04/22 17:32 upstream 085b7755808a 0a77c33c .config console log report
ci-upstream-kasan-gce-386 2019/11/26 07:41 upstream 0be0ee71816b f746151a .config console log report
ci-upstream-kasan-gce-386 2019/11/23 22:54 upstream 2027cabe6afe 598ca6c8 .config console log report
ci-upstream-kasan-gce-386 2019/11/19 03:33 upstream af42d3466bdc 5bc70212 .config console log report
ci-upstream-kasan-gce-386 2019/11/18 16:41 upstream af42d3466bdc 1daed50a .config console log report
ci-upstream-kasan-gce-386 2019/11/15 16:27 upstream 96b95eff4a59 cdac920b .config console log report
ci-upstream-bpf-kasan-gce 2019/08/06 17:17 bpf cb8ffde5694a c6f01e54 .config console log report
ci-upstream-linux-next-kasan-gce-root 2019/10/20 15:41 linux-next c4b9850b3676 8c88c9c1 .config console log report
* Struck through repros no longer work on HEAD.