KASAN: use-after-free Read in kfree

KASAN: use-after-free Read in kfree_skb (3)
Status: upstream: reported C repro on 2019/05/07 09:36
Reported-by: syzbot+dcb1305dd05699c40640@syzkaller.appspotmail.com
First crash: 685d, last: 467d

Cause bisection: introduced by (bisect log) :
commit 5ec8c48a6235175f7ff59ed1acbe91d4d0398026
Author: Thierry Reding <thierry.reding@gmail.com>
Date: Thu Jul 6 15:16:47 2017 +0000

Merge branch 'for-4.13/drivers' into for-next

Crash: unregister_netdevice: waiting for DEV to become free (log)
Repro: C syz .config

Fix bisection: failed (bisect log)

similar bugs (4):
Kernel	Title	Repro	Fix bisect	Count	Last	Reported	Patched	Status
upstream	KASAN: use-after-free Read in kfree_skb			1	867d	867d	12/21	fixed on 2018/11/12 21:25
linux-4.14	KASAN: use-after-free Read in kfree_skb	C	done	98	465d	593d	1/1	fixed on 2019/12/28 10:32
linux-4.19	KASAN: use-after-free Read in kfree_skb	C	done	95	467d	587d	1/1	fixed on 2019/12/28 10:32
upstream	KASAN: use-after-free Read in kfree_skb (2)	C		66	808d	818d	12/21	fixed on 2019/01/11 01:22

Sample crash report:

==================================================================
BUG: KASAN: use-after-free in atomic_read include/asm-generic/atomic-instrumented.h:26 [inline]
BUG: KASAN: use-after-free in refcount_read include/linux/refcount.h:43 [inline]
BUG: KASAN: use-after-free in skb_unref include/linux/skbuff.h:1010 [inline]
BUG: KASAN: use-after-free in kfree_skb+0x2a/0xb0 net/core/skbuff.c:693
Read of size 4 at addr ffff8880a0ee3c54 by task syz-executor933/7994

CPU: 1 PID: 7994 Comm: syz-executor933 Not tainted 5.4.0-rc6 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d8/0x2f8 lib/dump_stack.c:113
 print_address_description+0x75/0x5c0 mm/kasan/report.c:374
 __kasan_report+0x14b/0x1c0 mm/kasan/report.c:506
 kasan_report+0x26/0x50 mm/kasan/common.c:634
 check_memory_region_inline mm/kasan/generic.c:182 [inline]
 check_memory_region+0x2cf/0x2e0 mm/kasan/generic.c:192
 __kasan_check_read+0x11/0x20 mm/kasan/common.c:92
 atomic_read include/asm-generic/atomic-instrumented.h:26 [inline]
 refcount_read include/linux/refcount.h:43 [inline]
 skb_unref include/linux/skbuff.h:1010 [inline]
 kfree_skb+0x2a/0xb0 net/core/skbuff.c:693
 bcsp_close+0xb1/0xf0 drivers/bluetooth/hci_bcsp.c:748
 hci_uart_tty_close+0x201/0x240 drivers/bluetooth/hci_ldisc.c:548
 tty_ldisc_close+0x126/0x180 drivers/tty/tty_ldisc.c:494
 tty_ldisc_kill drivers/tty/tty_ldisc.c:642 [inline]
 tty_ldisc_release+0x248/0x5a0 drivers/tty/tty_ldisc.c:814
 tty_release_struct+0x2a/0xe0 drivers/tty/tty_io.c:1612
 tty_release+0xce9/0xfa0 drivers/tty/tty_io.c:1785
 __fput+0x2e4/0x740 fs/file_table.c:280
 ____fput+0x15/0x20 fs/file_table.c:313
 task_work_run+0x17e/0x1b0 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_usermode_loop arch/x86/entry/common.c:163 [inline]
 prepare_exit_to_usermode+0x459/0x580 arch/x86/entry/common.c:194
 syscall_return_slowpath+0x113/0x4a0 arch/x86/entry/common.c:274
 do_syscall_64+0x11f/0x1c0 arch/x86/entry/common.c:300
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4076d1
Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 24 1a 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007ffe59a19680 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00000000004076d1
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00000000006dec4c R08: 00000000004b1469 R09: 00000000004b1469
R10: 00007ffe59a196a0 R11: 0000000000000293 R12: 00000000006dec50
R13: 0000000000000000 R14: 20c49ba5e353f7cf R15: 0000000000000009

Allocated by task 7:
 save_stack mm/kasan/common.c:69 [inline]
 set_track mm/kasan/common.c:77 [inline]
 __kasan_kmalloc+0x11c/0x1b0 mm/kasan/common.c:510
 kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:518
 slab_post_alloc_hook mm/slab.h:584 [inline]
 slab_alloc_node mm/slab.c:3262 [inline]
 kmem_cache_alloc_node+0x235/0x280 mm/slab.c:3574
 __alloc_skb+0x9f/0x500 net/core/skbuff.c:197
 alloc_skb include/linux/skbuff.h:1049 [inline]
 bt_skb_alloc include/net/bluetooth/bluetooth.h:339 [inline]
 bcsp_recv+0x12e7/0x1720 drivers/bluetooth/hci_bcsp.c:670
 hci_uart_tty_receive+0x16b/0x470 drivers/bluetooth/hci_ldisc.c:613
 tty_ldisc_receive_buf+0x12e/0x170 drivers/tty/tty_buffer.c:465
 tty_port_default_receive_buf+0x82/0xb0 drivers/tty/tty_port.c:38
 receive_buf drivers/tty/tty_buffer.c:481 [inline]
 flush_to_ldisc+0x328/0x550 drivers/tty/tty_buffer.c:533
 process_one_work+0x7ef/0x10e0 kernel/workqueue.c:2269
 worker_thread+0xc01/0x1630 kernel/workqueue.c:2415
 kthread+0x332/0x350 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Freed by task 7:
 save_stack mm/kasan/common.c:69 [inline]
 set_track mm/kasan/common.c:77 [inline]
 kasan_set_free_info mm/kasan/common.c:332 [inline]
 __kasan_slab_free+0x12a/0x1e0 mm/kasan/common.c:471
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:480
 __cache_free mm/slab.c:3425 [inline]
 kmem_cache_free+0x81/0xf0 mm/slab.c:3693
 kfree_skbmem net/core/skbuff.c:644 [inline]
 __kfree_skb+0x118/0x170 net/core/skbuff.c:680
 kfree_skb+0x6f/0xb0 net/core/skbuff.c:697
 bcsp_recv+0x99c/0x1720 drivers/bluetooth/hci_bcsp.c:608
 hci_uart_tty_receive+0x16b/0x470 drivers/bluetooth/hci_ldisc.c:613
 tty_ldisc_receive_buf+0x12e/0x170 drivers/tty/tty_buffer.c:465
 tty_port_default_receive_buf+0x82/0xb0 drivers/tty/tty_port.c:38
 receive_buf drivers/tty/tty_buffer.c:481 [inline]
 flush_to_ldisc+0x328/0x550 drivers/tty/tty_buffer.c:533
 process_one_work+0x7ef/0x10e0 kernel/workqueue.c:2269
 worker_thread+0xc01/0x1630 kernel/workqueue.c:2415
 kthread+0x332/0x350 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

The buggy address belongs to the object at ffff8880a0ee3b80
 which belongs to the cache skbuff_head_cache of size 224
The buggy address is located 212 bytes inside of
 224-byte region [ffff8880a0ee3b80, ffff8880a0ee3c60)
The buggy address belongs to the page:
page:ffffea000283b8c0 refcount:1 mapcount:0 mapping:ffff8880a99baa80 index:0x0
flags: 0x1fffc0000000200(slab)
raw: 01fffc0000000200 ffffea0002284008 ffffea0002299d48 ffff8880a99baa80
raw: 0000000000000000 ffff8880a0ee3040 000000010000000c 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a0ee3b00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880a0ee3b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880a0ee3c00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
                                                 ^
 ffff8880a0ee3c80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
 ffff8880a0ee3d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (313):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro
ci-upstream-kasan-gce-smack-root	2019/11/04 23:40	upstream	a99d8080	76630fc9	.config	log	report	syz	C
ci-upstream-kasan-gce	2019/11/04 09:34	upstream	a99d8080	b35fad31	.config	log	report	syz	C
ci-upstream-kasan-gce-root	2019/10/18 08:39	upstream	283ea345	8c88c9c1	.config	log	report	syz	C
ci-upstream-kasan-gce-selinux-root	2019/10/17 11:36	upstream	bc88f85c	8c88c9c1	.config	log	report	syz	C
ci-upstream-kasan-gce-root	2019/10/12 16:33	upstream	1c0cc5f1	426631dd	.config	log	report	syz	C
ci-upstream-kasan-gce-smack-root	2019/10/12 14:47	upstream	1c0cc5f1	426631dd	.config	log	report	syz	C
ci-upstream-kasan-gce	2019/10/05 17:16	upstream	b145b0eb	f3f7d9c8	.config	log	report	syz	C
ci-upstream-kasan-gce-selinux-root	2019/06/10 16:29	upstream	d1fdb6d8	0159583c	.config	log	report	syz	C
ci-upstream-kasan-gce-root	2019/06/10 14:53	upstream	d1fdb6d8	0159583c	.config	log	report	syz	C
ci-upstream-linux-next-kasan-gce-root	2019/10/30 05:04	linux-next	c57cf383	5ea87a66	.config	log	report	syz	C
ci-upstream-linux-next-kasan-gce-root	2019/10/16 06:21	linux-next	0e9d28bc	d4ea592f	.config	log	report	syz	C
ci-upstream-linux-next-kasan-gce-root	2019/08/04 00:12	linux-next	7b4980e0	6affd8e8	.config	log	report	syz	C
ci-upstream-kasan-gce-selinux-root	2019/11/07 12:21	upstream	4dd58158	d797d201	.config	log	report	syz
ci-upstream-kasan-gce-root	2019/11/01 10:55	upstream	e472c64a	a41ca8fa	.config	log	report	syz
ci-upstream-kasan-gce-smack-root	2019/11/01 10:46	upstream	e472c64a	a41ca8fa	.config	log	report	syz
ci-upstream-kasan-gce-smack-root	2019/10/31 13:57	upstream	e472c64a	a41ca8fa	.config	log	report	syz
ci-upstream-kasan-gce-selinux-root	2019/10/15 17:41	upstream	5bc52f64	b5268b89	.config	log	report	syz
ci-upstream-kasan-gce-smack-root	2019/10/11 08:15	upstream	fb20da6a	1a3bad90	.config	log	report	syz
ci-upstream-kasan-gce-root	2019/09/16 15:18	upstream	4d856f72	cb936299	.config	log	report	syz
ci-upstream-kasan-gce	2019/09/15 20:47	upstream	1609d760	32d59357	.config	log	report	syz
ci-upstream-kasan-gce-smack-root	2019/09/15 16:18	upstream	1609d760	32d59357	.config	log	report	syz
ci-upstream-kasan-gce-selinux-root	2019/09/15 16:12	upstream	1609d760	32d59357	.config	log	report	syz
ci-upstream-kasan-gce-selinux-root	2019/08/04 00:55	upstream	dcb8cfbd	6affd8e8	.config	log	report	syz
ci-upstream-kasan-gce-smack-root	2019/08/02 06:52	upstream	1e78030e	835dffe7	.config	log	report	syz
ci-upstream-kasan-gce-root	2019/08/02 05:20	upstream	1e78030e	835dffe7	.config	log	report	syz
ci-upstream-kasan-gce-selinux-root	2019/08/02 05:19	upstream	1e78030e	835dffe7	.config	log	report	syz
ci-upstream-kasan-gce-386	2019/11/01 10:56	upstream	e472c64a	a41ca8fa	.config	log	report	syz
ci-upstream-kasan-gce-386	2019/10/11 06:46	upstream	fb20da6a	1a3bad90	.config	log	report	syz
ci-upstream-kasan-gce-386	2019/09/15 07:36	upstream	1609d760	32d59357	.config	log	report	syz
ci-upstream-kasan-gce-selinux-root	2019/11/24 23:46	upstream	6b8a7946	598ca6c8	.config	log	report
ci-upstream-kasan-gce-root	2019/11/24 21:49	upstream	6b8a7946	598ca6c8	.config	log	report
ci-upstream-kasan-gce	2019/11/24 17:37	upstream	6b8a7946	598ca6c8	.config	log	report
ci-upstream-kasan-gce	2019/11/22 22:07	upstream	a6b0373f	598ca6c8	.config	log	report
ci-upstream-kasan-gce-selinux-root	2019/11/22 11:12	upstream	81429eb8	8098ea0f	.config	log	report
ci-upstream-kasan-gce-smack-root	2019/11/22 01:14	upstream	81429eb8	8098ea0f	.config	log	report
ci-upstream-kasan-gce	2019/11/20 13:07	upstream	c74386d5	f4b7ed07	.config	log	report
ci-upstream-kasan-gce-root	2019/11/20 01:58	upstream	af42d346	5bc70212	.config	log	report
ci-upstream-kasan-gce-smack-root	2019/11/19 14:42	upstream	af42d346	5bc70212	.config	log	report
ci-upstream-kasan-gce	2019/11/19 10:09	upstream	af42d346	5bc70212	.config	log	report
ci-upstream-kasan-gce-selinux-root	2019/11/18 22:19	upstream	af42d346	1daed50a	.config	log	report
ci-upstream-kasan-gce-root	2019/11/17 00:32	upstream	6c9594bd	d5696d51	.config	log	report
ci-upstream-kasan-gce	2019/11/16 22:22	upstream	6c9594bd	d5696d51	.config	log	report
ci-upstream-kasan-gce-smack-root	2019/11/16 00:52	upstream	eb70e26c	cdac920b	.config	log	report
ci-upstream-kasan-gce	2019/11/15 21:17	upstream	eb70e26c	cdac920b	.config	log	report
ci-upstream-kasan-gce-selinux-root	2019/11/14 07:20	upstream	bf929479	048f2d49	.config	log	report
ci-upstream-kasan-gce-smack-root	2019/11/13 20:33	upstream	0e3f1ad8	048f2d49	.config	log	report
ci-upstream-kasan-gce-smack-root	2019/11/13 15:21	upstream	0e3f1ad8	048f2d49	.config	log	report
ci-upstream-kasan-gce-selinux-root	2019/11/12 09:40	upstream	de620fb9	048f2d49	.config	log	report
ci-upstream-kasan-gce	2019/11/12 08:32	upstream	de620fb9	048f2d49	.config	log	report
ci-upstream-kasan-gce-root	2019/11/11 17:45	upstream	31f4f5b4	048f2d49	.config	log	report
ci-upstream-kasan-gce-root	2019/11/11 14:49	upstream	9805a683	dc438b91	.config	log	report
ci-upstream-kasan-gce	2019/11/11 13:33	upstream	9805a683	dc438b91	.config	log	report
ci-upstream-kasan-gce	2019/11/10 12:56	upstream	00aff683	dc438b91	.config	log	report
ci-upstream-kasan-gce	2019/11/10 02:01	upstream	0058b0a5	dc438b91	.config	log	report
ci-upstream-kasan-gce-root	2019/11/09 00:45	upstream	6737e763	dc438b91	.config	log	report
ci-upstream-kasan-gce-selinux-root	2019/11/07 23:30	upstream	847120f8	f39aff9e	.config	log	report
ci-upstream-kasan-gce-selinux-root	2019/11/07 05:42	upstream	4dd58158	d797d201	.config	log	report
ci-upstream-kasan-gce	2019/11/05 07:44	upstream	a99d8080	76630fc9	.config	log	report
ci-upstream-kasan-gce-root	2019/11/01 04:25	upstream	e472c64a	a41ca8fa	.config	log	report
ci-upstream-kasan-gce	2019/10/31 10:10	upstream	e472c64a	a41ca8fa	.config	log	report
ci-upstream-kasan-gce-root	2019/10/28 23:35	upstream	9e5eefba	439d7b14	.config	log	report
ci-upstream-kasan-gce	2019/10/28 20:17	upstream	9e5eefba	439d7b14	.config	log	report
ci-upstream-kasan-gce-selinux-root	2019/10/28 15:54	upstream	9e5eefba	25bb509e	.config	log	report
ci-upstream-kasan-gce	2019/10/26 18:39	upstream	f877bee5	25bb509e	.config	log	report
ci-upstream-kasan-gce-smack-root	2019/10/25 21:37	upstream	39a38bcb	c2e837da	.config	log	report
ci-upstream-kasan-gce-selinux-root	2019/10/25 03:25	upstream	f116b966	d01bb02a	.config	log	report
ci-upstream-kasan-gce	2019/10/25 01:49	upstream	f116b966	d01bb02a	.config	log	report
ci-upstream-kasan-gce-selinux-root	2019/10/24 12:59	upstream	f116b966	d01bb02a	.config	log	report
ci-upstream-kasan-gce	2019/10/23 16:35	upstream	13b86bc4	b602d64b	.config	log	report
ci-upstream-kasan-gce	2019/10/21 06:22	upstream	4fe34d61	8c88c9c1	.config	log	report
ci-upstream-kasan-gce-selinux-root	2019/04/22 17:32	upstream	085b7755	0a77c33c	.config	log	report
ci-upstream-kasan-gce-386	2019/11/26 07:41	upstream	0be0ee71	f746151a	.config	log	report
ci-upstream-kasan-gce-386	2019/11/23 22:54	upstream	2027cabe	598ca6c8	.config	log	report
ci-upstream-kasan-gce-386	2019/11/19 03:33	upstream	af42d346	5bc70212	.config	log	report
ci-upstream-kasan-gce-386	2019/11/18 16:41	upstream	af42d346	1daed50a	.config	log	report
ci-upstream-kasan-gce-386	2019/11/15 16:27	upstream	96b95eff	cdac920b	.config	log	report
ci-upstream-bpf-kasan-gce	2019/08/06 17:17	bpf	cb8ffde5	c6f01e54	.config	log	report
ci-upstream-linux-next-kasan-gce-root	2019/10/20 15:41	linux-next	c4b9850b	8c88c9c1	.config	log	report