ci2 starts bisection 2023-12-12 23:24:25.66431285 +0000 UTC m=+41145.699001666
bisecting fixing commit since 80529b4968a8052f894d00021a576d8a2d89aa08
building syzkaller on d80eec66c939240cfc674221138f637197659116
ensuring issue is reproducible on original commit 80529b4968a8052f894d00021a576d8a2d89aa08
testing commit 80529b4968a8052f894d00021a576d8a2d89aa08 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b45e25b72dbeeb520a7886938c791b06c7bb5210c3389cdc83d93a08056ee024
run #0: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #1: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #2: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #3: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #4: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #5: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #6: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #7: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #8: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #9: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #10: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #11: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #12: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #13: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #14: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #15: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #16: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #17: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #18: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #19: crashed: KASAN: use-after-free Read in __skb_datagram_iter
representative crash: KASAN: use-after-free Read in __skb_datagram_iter, types: [KASAN]
check whether we can drop unnecessary instrumentation
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit 80529b4968a8052f894d00021a576d8a2d89aa08 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e2762150c0a3e17a8f4e43a5fbf9f0549f4690f4e3a18ada334720dac7338710
run #0: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #1: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #2: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #3: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #4: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #5: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #6: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #7: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #8: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #9: crashed: KASAN: use-after-free Read in __skb_datagram_iter
representative crash: KASAN: use-after-free Read in __skb_datagram_iter, types: [KASAN]
the bug reproduces without the instrumentation
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
kconfig minimization: base=3703 full=7267 leaves diff=1983
split chunks (needed=false): <1983>
split chunk #0 of len 1983 into 5 parts
testing without sub-chunk 1/5
disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit 80529b4968a8052f894d00021a576d8a2d89aa08 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: dd46487f5be59633796fff832f446e0ad44ce5bb158be783d148ebeae6fdee32
run #0: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #1: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #2: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #3: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #4: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #5: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #6: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #7: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #8: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #9: crashed: KASAN: use-after-free Read in unix_stream_read_actor
representative crash: KASAN: use-after-free Read in unix_stream_read_actor, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 80529b4968a8052f894d00021a576d8a2d89aa08 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 80971113aeae17a3804228f1884c77a609c77af7184f4e9b8f633c660361bedf
run #0: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #1: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #2: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #3: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #4: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #5: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #6: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #7: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #8: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #9: crashed: KASAN: use-after-free Read in __skb_datagram_iter
representative crash: KASAN: use-after-free Read in unix_stream_read_actor, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit 80529b4968a8052f894d00021a576d8a2d89aa08 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 86645bbba2fa67dc771335c6c41d7a8b62598d894f664d705f1cd2a5fa7a3c38
run #0: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #1: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #2: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #3: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #4: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #5: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #6: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #7: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #8: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #9: crashed: KASAN: use-after-free Read in unix_stream_read_actor
representative crash: KASAN: use-after-free Read in unix_stream_read_actor, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit 80529b4968a8052f894d00021a576d8a2d89aa08 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 312e783d4e0c495c69a726618bad482840eefe93dd20b5e1622ce9e2bcf216ae
run #0: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #1: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #2: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #3: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #4: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #5: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #6: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #7: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #8: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #9: crashed: KASAN: use-after-free Read in __skb_datagram_iter
representative crash: KASAN: use-after-free Read in __skb_datagram_iter, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit 80529b4968a8052f894d00021a576d8a2d89aa08 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ee9f25a68501e3fdb92b01733686c074366e39f7b07035eabe0d0449cf29fe57
run #0: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #1: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #2: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #3: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #4: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #5: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #6: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #7: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #8: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #9: crashed: KASAN: use-after-free Read in __skb_datagram_iter
representative crash: KASAN: use-after-free Read in __skb_datagram_iter, types: [KASAN]
the chunk can be dropped
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed
testing current HEAD 8a1d809b05454b2e08fb3d801787917975fdb037
testing commit 8a1d809b05454b2e08fb3d801787917975fdb037 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: afb55708f922107852e2fe7fba90927d07cb7add53d325476639a6128e6d1a00
all runs: OK
false negative chance: 0.000
# git bisect start 8a1d809b05454b2e08fb3d801787917975fdb037 80529b4968a8052f894d00021a576d8a2d89aa08
Bisecting: 331 revisions left to test after this (roughly 8 steps)
[194454afa6aa9d6ed74f0c57127bc8beb27c20df] SUNRPC: Fix RPC client cleaned up the freed pipefs dentries
determine whether the revision contains the guilty commit
revision 80529b4968a8052f894d00021a576d8a2d89aa08 crashed and is reachable
testing commit 194454afa6aa9d6ed74f0c57127bc8beb27c20df gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 03ab96495d793e8643f55d97aa7c9bd5ff2ce01313320cf650f8a81e8b384c83
run #0: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #1: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #2: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #3: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #4: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #5: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #6: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #7: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #8: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #9: crashed: KASAN: use-after-free Read in __skb_datagram_iter
representative crash: KASAN: use-after-free Read in __skb_datagram_iter, types: [KASAN]
# git bisect good 194454afa6aa9d6ed74f0c57127bc8beb27c20df
Bisecting: 165 revisions left to test after this (roughly 7 steps)
[d0d831e7d68dc7a840e040ea78b63b4351a1da2f] media: sharp: fix sharp encoding
determine whether the revision contains the guilty commit
revision 80529b4968a8052f894d00021a576d8a2d89aa08 crashed and is reachable
testing commit d0d831e7d68dc7a840e040ea78b63b4351a1da2f gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 44caf60ed38c9f45696d25a27f3a877100776fd31eaa118adf56c456e13cdca3
all runs: OK
false negative chance: 0.000
# git bisect bad d0d831e7d68dc7a840e040ea78b63b4351a1da2f
Bisecting: 82 revisions left to test after this (roughly 6 steps)
[936c9c10efaefaf1ab3ef020e1f8aaaaff1ad2f9] arm64: Restrict CPU_BIG_ENDIAN to GNU as or LLVM IAS 15.x or newer
determine whether the revision contains the guilty commit
revision 80529b4968a8052f894d00021a576d8a2d89aa08 crashed and is reachable
testing commit 936c9c10efaefaf1ab3ef020e1f8aaaaff1ad2f9 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 181377d29099221ffed069cf7b250e5f1773d712a1b688951fe4ad1832d18229
all runs: OK
false negative chance: 0.000
# git bisect bad 936c9c10efaefaf1ab3ef020e1f8aaaaff1ad2f9
Bisecting: 41 revisions left to test after this (roughly 5 steps)
[0045c1ff7ac0b682a2a4ce49dcd85693bf3e89f5] tools/power/turbostat: Fix a knl bug
determine whether the revision contains the guilty commit
revision 80529b4968a8052f894d00021a576d8a2d89aa08 crashed and is reachable
testing commit 0045c1ff7ac0b682a2a4ce49dcd85693bf3e89f5 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 39a0c78c726c1275f807d3698e623d14b6565ebcc03e3b6e5fc475666cdd243b
all runs: OK
false negative chance: 0.000
# git bisect bad 0045c1ff7ac0b682a2a4ce49dcd85693bf3e89f5
Bisecting: 20 revisions left to test after this (roughly 4 steps)
[b67d16b2373b757aec2252560e5308432d20f183] xen/events: fix delayed eoi list handling
determine whether the revision contains the guilty commit
revision 80529b4968a8052f894d00021a576d8a2d89aa08 crashed and is reachable
testing commit b67d16b2373b757aec2252560e5308432d20f183 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a64df93a78f2a06a37637f0567d681a1dd76d0d4c498b305195f8a9129cd435d
run #0: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #1: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #2: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #3: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #4: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #5: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #6: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #7: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #8: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #9: crashed: KASAN: use-after-free Read in unix_stream_read_actor
representative crash: KASAN: use-after-free Read in __skb_datagram_iter, types: [KASAN]
# git bisect good b67d16b2373b757aec2252560e5308432d20f183
Bisecting: 10 revisions left to test after this (roughly 3 steps)
[b8b514b2a6cdfac24911e4910461bcb9db15ca8d] netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval()
determine whether the revision contains the guilty commit
revision 80529b4968a8052f894d00021a576d8a2d89aa08 crashed and is reachable
testing commit b8b514b2a6cdfac24911e4910461bcb9db15ca8d gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 39a0c78c726c1275f807d3698e623d14b6565ebcc03e3b6e5fc475666cdd243b
all runs: OK
false negative chance: 0.000
# git bisect bad b8b514b2a6cdfac24911e4910461bcb9db15ca8d
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[0b480c654ef2f1bd09b29d6a6e79f24d8a35005e] net: ethernet: cortina: Fix MTU max setting
determine whether the revision contains the guilty commit
revision 194454afa6aa9d6ed74f0c57127bc8beb27c20df crashed and is reachable
testing commit 0b480c654ef2f1bd09b29d6a6e79f24d8a35005e gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 4dfcce7068227c2fc3fe05d9da631ec0fd61277b323cd6c7801098dde4e099d7
run #0: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #1: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #2: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #3: crashed: KASAN: use-after-free Read in unix_stream_read_actor
run #4: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #5: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #6: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #7: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #8: crashed: KASAN: use-after-free Read in __skb_datagram_iter
run #9: crashed: KASAN: use-after-free Read in __skb_datagram_iter
representative crash: KASAN: use-after-free Read in unix_stream_read_actor, types: [KASAN]
# git bisect good 0b480c654ef2f1bd09b29d6a6e79f24d8a35005e
Bisecting: 2 revisions left to test after this (roughly 1 step)
[7d3901bf3baa7a5219f4ff79bff4721f465bf4f1] netfilter: nf_conntrack_bridge: initialize err to 0
determine whether the revision contains the guilty commit
revision 80529b4968a8052f894d00021a576d8a2d89aa08 crashed and is reachable
testing commit 7d3901bf3baa7a5219f4ff79bff4721f465bf4f1 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 39a0c78c726c1275f807d3698e623d14b6565ebcc03e3b6e5fc475666cdd243b
all runs: OK
false negative chance: 0.000
# git bisect bad 7d3901bf3baa7a5219f4ff79bff4721f465bf4f1
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[75bcfc188abf4fae9c1d5f5dc0a03540be602eef] af_unix: fix use-after-free in unix_stream_read_actor()
determine whether the revision contains the guilty commit
revision 0b480c654ef2f1bd09b29d6a6e79f24d8a35005e crashed and is reachable
testing commit 75bcfc188abf4fae9c1d5f5dc0a03540be602eef gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 39a0c78c726c1275f807d3698e623d14b6565ebcc03e3b6e5fc475666cdd243b
all runs: OK
false negative chance: 0.000
# git bisect bad 75bcfc188abf4fae9c1d5f5dc0a03540be602eef
75bcfc188abf4fae9c1d5f5dc0a03540be602eef is the first bad commit
commit 75bcfc188abf4fae9c1d5f5dc0a03540be602eef
Author: Eric Dumazet
Date:   Mon Nov 13 13:49:38 2023 +0000

    af_unix: fix use-after-free in unix_stream_read_actor()

    [ Upstream commit 4b7b492615cf3017190f55444f7016812b66611d ]

    syzbot reported the following crash [1]

    After releasing unix socket lock, u->oob_skb can be changed
    by another thread. We must temporarily increase skb refcount
    to make sure this other thread will not free the skb under us.

    [1]

    BUG: KASAN: slab-use-after-free in unix_stream_read_actor+0xa7/0xc0 net/unix/af_unix.c:2866
    Read of size 4 at addr ffff88801f3b9cc4 by task syz-executor107/5297

    CPU: 1 PID: 5297 Comm: syz-executor107 Not tainted 6.6.0-syzkaller-15910-gb8e3a87a627b #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
    Call Trace:
     __dump_stack lib/dump_stack.c:88 [inline]
     dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
     print_address_description mm/kasan/report.c:364 [inline]
     print_report+0xc4/0x620 mm/kasan/report.c:475
     kasan_report+0xda/0x110 mm/kasan/report.c:588
     unix_stream_read_actor+0xa7/0xc0 net/unix/af_unix.c:2866
     unix_stream_recv_urg net/unix/af_unix.c:2587 [inline]
     unix_stream_read_generic+0x19a5/0x2480 net/unix/af_unix.c:2666
     unix_stream_recvmsg+0x189/0x1b0 net/unix/af_unix.c:2903
     sock_recvmsg_nosec net/socket.c:1044 [inline]
     sock_recvmsg+0xe2/0x170 net/socket.c:1066
     ____sys_recvmsg+0x21f/0x5c0 net/socket.c:2803
     ___sys_recvmsg+0x115/0x1a0 net/socket.c:2845
     __sys_recvmsg+0x114/0x1e0 net/socket.c:2875
     do_syscall_x64 arch/x86/entry/common.c:51 [inline]
     do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
     entry_SYSCALL_64_after_hwframe+0x63/0x6b
    RIP: 0033:0x7fc67492c559
    Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
    RSP: 002b:00007fc6748ab228 EFLAGS: 00000246 ORIG_RAX: 000000000000002f
    RAX: ffffffffffffffda RBX: 000000000000001c RCX: 00007fc67492c559
    RDX: 0000000040010083 RSI: 0000000020000140 RDI: 0000000000000004
    RBP: 00007fc6749b6348 R08: 00007fc6748ab6c0 R09: 00007fc6748ab6c0
    R10: 0000000000000000 R11: 0000000000000246 R12: 00007fc6749b6340
    R13: 00007fc6749b634c R14: 00007ffe9fac52a0 R15: 00007ffe9fac5388

    Allocated by task 5295:
     kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
     kasan_set_track+0x25/0x30 mm/kasan/common.c:52
     __kasan_slab_alloc+0x81/0x90 mm/kasan/common.c:328
     kasan_slab_alloc include/linux/kasan.h:188 [inline]
     slab_post_alloc_hook mm/slab.h:763 [inline]
     slab_alloc_node mm/slub.c:3478 [inline]
     kmem_cache_alloc_node+0x180/0x3c0 mm/slub.c:3523
     __alloc_skb+0x287/0x330 net/core/skbuff.c:641
     alloc_skb include/linux/skbuff.h:1286 [inline]
     alloc_skb_with_frags+0xe4/0x710 net/core/skbuff.c:6331
     sock_alloc_send_pskb+0x7e4/0x970 net/core/sock.c:2780
     sock_alloc_send_skb include/net/sock.h:1884 [inline]
     queue_oob net/unix/af_unix.c:2147 [inline]
     unix_stream_sendmsg+0xb5f/0x10a0 net/unix/af_unix.c:2301
     sock_sendmsg_nosec net/socket.c:730 [inline]
     __sock_sendmsg+0xd5/0x180 net/socket.c:745
     ____sys_sendmsg+0x6ac/0x940 net/socket.c:2584
     ___sys_sendmsg+0x135/0x1d0 net/socket.c:2638
     __sys_sendmsg+0x117/0x1e0 net/socket.c:2667
     do_syscall_x64 arch/x86/entry/common.c:51 [inline]
     do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
     entry_SYSCALL_64_after_hwframe+0x63/0x6b

    Freed by task 5295:
     kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
     kasan_set_track+0x25/0x30 mm/kasan/common.c:52
     kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:522
     ____kasan_slab_free mm/kasan/common.c:236 [inline]
     ____kasan_slab_free+0x15b/0x1b0 mm/kasan/common.c:200
     kasan_slab_free include/linux/kasan.h:164 [inline]
     slab_free_hook mm/slub.c:1800 [inline]
     slab_free_freelist_hook+0x114/0x1e0 mm/slub.c:1826
     slab_free mm/slub.c:3809 [inline]
     kmem_cache_free+0xf8/0x340 mm/slub.c:3831
     kfree_skbmem+0xef/0x1b0 net/core/skbuff.c:1015
     __kfree_skb net/core/skbuff.c:1073 [inline]
     consume_skb net/core/skbuff.c:1288 [inline]
     consume_skb+0xdf/0x170 net/core/skbuff.c:1282
     queue_oob net/unix/af_unix.c:2178 [inline]
     unix_stream_sendmsg+0xd49/0x10a0 net/unix/af_unix.c:2301
     sock_sendmsg_nosec net/socket.c:730 [inline]
     __sock_sendmsg+0xd5/0x180 net/socket.c:745
     ____sys_sendmsg+0x6ac/0x940 net/socket.c:2584
     ___sys_sendmsg+0x135/0x1d0 net/socket.c:2638
     __sys_sendmsg+0x117/0x1e0 net/socket.c:2667
     do_syscall_x64 arch/x86/entry/common.c:51 [inline]
     do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
     entry_SYSCALL_64_after_hwframe+0x63/0x6b

    The buggy address belongs to the object at ffff88801f3b9c80
     which belongs to the cache skbuff_head_cache of size 240
    The buggy address is located 68 bytes inside of
     freed 240-byte region [ffff88801f3b9c80, ffff88801f3b9d70)

    The buggy address belongs to the physical page:
    page:ffffea00007cee40 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1f3b9
    flags: 0xfff00000000800(slab|node=0|zone=1|lastcpupid=0x7ff)
    page_type: 0xffffffff()
    raw: 00fff00000000800 ffff888142a60640 dead000000000122 0000000000000000
    raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
    page dumped because: kasan: bad access detected
    page_owner tracks the page as allocated
    page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 5299, tgid 5283 (syz-executor107), ts 103803840339, free_ts 103600093431
     set_page_owner include/linux/page_owner.h:31 [inline]
     post_alloc_hook+0x2cf/0x340 mm/page_alloc.c:1537
     prep_new_page mm/page_alloc.c:1544 [inline]
     get_page_from_freelist+0xa25/0x36c0 mm/page_alloc.c:3312
     __alloc_pages+0x1d0/0x4a0 mm/page_alloc.c:4568
     alloc_pages_mpol+0x258/0x5f0 mm/mempolicy.c:2133
     alloc_slab_page mm/slub.c:1870 [inline]
     allocate_slab+0x251/0x380 mm/slub.c:2017
     new_slab mm/slub.c:2070 [inline]
     ___slab_alloc+0x8c7/0x1580 mm/slub.c:3223
     __slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3322
     __slab_alloc_node mm/slub.c:3375 [inline]
     slab_alloc_node mm/slub.c:3468 [inline]
     kmem_cache_alloc_node+0x132/0x3c0 mm/slub.c:3523
     __alloc_skb+0x287/0x330 net/core/skbuff.c:641
     alloc_skb include/linux/skbuff.h:1286 [inline]
     alloc_skb_with_frags+0xe4/0x710 net/core/skbuff.c:6331
     sock_alloc_send_pskb+0x7e4/0x970 net/core/sock.c:2780
     sock_alloc_send_skb include/net/sock.h:1884 [inline]
     queue_oob net/unix/af_unix.c:2147 [inline]
     unix_stream_sendmsg+0xb5f/0x10a0 net/unix/af_unix.c:2301
     sock_sendmsg_nosec net/socket.c:730 [inline]
     __sock_sendmsg+0xd5/0x180 net/socket.c:745
     ____sys_sendmsg+0x6ac/0x940 net/socket.c:2584
     ___sys_sendmsg+0x135/0x1d0 net/socket.c:2638
     __sys_sendmsg+0x117/0x1e0 net/socket.c:2667
    page last free stack trace:
     reset_page_owner include/linux/page_owner.h:24 [inline]
     free_pages_prepare mm/page_alloc.c:1137 [inline]
     free_unref_page_prepare+0x4f8/0xa90 mm/page_alloc.c:2347
     free_unref_page+0x33/0x3b0 mm/page_alloc.c:2487
     __unfreeze_partials+0x21d/0x240 mm/slub.c:2655
     qlink_free mm/kasan/quarantine.c:168 [inline]
     qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:187
     kasan_quarantine_reduce+0x18e/0x1d0 mm/kasan/quarantine.c:294
     __kasan_slab_alloc+0x65/0x90 mm/kasan/common.c:305
     kasan_slab_alloc include/linux/kasan.h:188 [inline]
     slab_post_alloc_hook mm/slab.h:763 [inline]
     slab_alloc_node mm/slub.c:3478 [inline]
     slab_alloc mm/slub.c:3486 [inline]
     __kmem_cache_alloc_lru mm/slub.c:3493 [inline]
     kmem_cache_alloc+0x15d/0x380 mm/slub.c:3502
     vm_area_dup+0x21/0x2f0 kernel/fork.c:500
     __split_vma+0x17d/0x1070 mm/mmap.c:2365
     split_vma mm/mmap.c:2437 [inline]
     vma_modify+0x25d/0x450 mm/mmap.c:2472
     vma_modify_flags include/linux/mm.h:3271 [inline]
     mprotect_fixup+0x228/0xc80 mm/mprotect.c:635
     do_mprotect_pkey+0x852/0xd60 mm/mprotect.c:809
     __do_sys_mprotect mm/mprotect.c:830 [inline]
     __se_sys_mprotect mm/mprotect.c:827 [inline]
     __x64_sys_mprotect+0x78/0xb0 mm/mprotect.c:827
     do_syscall_x64 arch/x86/entry/common.c:51 [inline]
     do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
     entry_SYSCALL_64_after_hwframe+0x63/0x6b

    Memory state around the buggy address:
     ffff88801f3b9b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
     ffff88801f3b9c00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
    >ffff88801f3b9c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                               ^
     ffff88801f3b9d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
     ffff88801f3b9d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb

    Fixes: 876c14ad014d ("af_unix: fix holding spinlock in oob handling")
    Reported-and-tested-by: syzbot+7a2d546fa43e49315ed3@syzkaller.appspotmail.com
    Signed-off-by: Eric Dumazet
    Cc: Rao Shoaib
    Reviewed-by: Rao shoaib
    Link: https://lore.kernel.org/r/20231113134938.168151-1-edumazet@google.com
    Signed-off-by: Paolo Abeni
    Signed-off-by: Sasha Levin

 net/unix/af_unix.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

accumulated error probability: 0.00
culprit signature: 39a0c78c726c1275f807d3698e623d14b6565ebcc03e3b6e5fc475666cdd243b
parent signature: 4dfcce7068227c2fc3fe05d9da631ec0fd61277b323cd6c7801098dde4e099d7
revisions tested: 17, total time: 3h30m31.062142489s (build: 1h3m19.682410449s, test: 2h22m57.730159308s)
first good commit: 75bcfc188abf4fae9c1d5f5dc0a03540be602eef af_unix: fix use-after-free in unix_stream_read_actor()
recipients (to): ["edumazet@google.com" "pabeni@redhat.com" "rao.shoaib@oracle.com" "sashal@kernel.org" "syzbot+7a2d546fa43e49315ed3@syzkaller.appspotmail.com"]
recipients (cc): []