==================================================================
BUG: KASAN: use-after-free in unix_stream_read_actor+0x87/0xb0 net/unix/af_unix.c:2713
Read of size 4 at addr ffff88812138eb84 by task syz-executor.0/510

CPU: 1 PID: 510 Comm: syz-executor.0 Not tainted 5.14.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x38/0x49 lib/dump_stack.c:105
 print_address_description.constprop.0+0x24/0x150 mm/kasan/report.c:233
 __kasan_report mm/kasan/report.c:419 [inline]
 kasan_report.cold+0x82/0xdb mm/kasan/report.c:436
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:308
 unix_stream_read_actor+0x87/0xb0 net/unix/af_unix.c:2713
 unix_stream_recv_urg net/unix/af_unix.c:2448 [inline]
 unix_stream_read_generic+0x1410/0x1d80 net/unix/af_unix.c:2519
 unix_stream_recvmsg+0x9d/0xd0 net/unix/af_unix.c:2729
 sock_recvmsg_nosec net/socket.c:944 [inline]
 sock_recvmsg net/socket.c:962 [inline]
 sock_recvmsg net/socket.c:958 [inline]
 ____sys_recvmsg+0x286/0x700 net/socket.c:2622
 ___sys_recvmsg+0x109/0x1d0 net/socket.c:2664
 __sys_recvmsg+0xc0/0x160 net/socket.c:2694
 __do_sys_recvmsg net/socket.c:2704 [inline]
 __se_sys_recvmsg net/socket.c:2701 [inline]
 __x64_sys_recvmsg+0x73/0xb0 net/socket.c:2701
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0x80 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f40f980bae9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f40f934c0c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002f
RAX: ffffffffffffffda RBX: 00007f40f992b120 RCX: 00007f40f980bae9
RDX: 0000000040010083 RSI: 0000000020000140 RDI: 0000000000000004
RBP: 00007f40f985747a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000006e R14: 00007f40f992b120 R15: 00007ffcdebfc348

Allocated by task 509:
 kasan_save_stack+0x23/0x50 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 __kasan_slab_alloc+0x8a/0xb0 mm/kasan/common.c:467
 kasan_slab_alloc include/linux/kasan.h:254 [inline]
 slab_post_alloc_hook mm/slab.h:519 [inline]
 slab_alloc_node mm/slub.c:2956 [inline]
 slab_alloc mm/slub.c:2964 [inline]
 kmem_cache_alloc+0x2f0/0x480 mm/slub.c:2969
 kmem_cache_alloc_node include/linux/slab.h:462 [inline]
 __alloc_skb+0x14b/0x250 net/core/skbuff.c:414
 alloc_skb include/linux/skbuff.h:1116 [inline]
 alloc_skb_with_frags+0x76/0x4a0 net/core/skbuff.c:6073
 sock_alloc_send_pskb+0x687/0x840 net/core/sock.c:2475
 sock_alloc_send_skb+0x13/0x20 net/core/sock.c:2492
 queue_oob net/unix/af_unix.c:1905 [inline]
 unix_stream_sendmsg+0x9f9/0xe20 net/unix/af_unix.c:2030
 sock_sendmsg_nosec net/socket.c:704 [inline]
 sock_sendmsg+0xb5/0xf0 net/socket.c:724
 ____sys_sendmsg+0x694/0x990 net/socket.c:2403
 ___sys_sendmsg+0xfc/0x190 net/socket.c:2457
 __sys_sendmsg+0xc3/0x160 net/socket.c:2486
 __do_sys_sendmsg net/socket.c:2495 [inline]
 __se_sys_sendmsg net/socket.c:2493 [inline]
 __x64_sys_sendmsg+0x73/0xb0 net/socket.c:2493
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0x80 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 509:
 kasan_save_stack+0x23/0x50 mm/kasan/common.c:38
 kasan_set_track+0x20/0x30 mm/kasan/common.c:46
 kasan_set_free_info+0x24/0x40 mm/kasan/generic.c:360
 ____kasan_slab_free mm/kasan/common.c:366 [inline]
 ____kasan_slab_free mm/kasan/common.c:328 [inline]
 __kasan_slab_free+0x10d/0x150 mm/kasan/common.c:374
 kasan_slab_free include/linux/kasan.h:230 [inline]
 slab_free_hook mm/slub.c:1625 [inline]
 slab_free_freelist_hook+0x8f/0x190 mm/slub.c:1650
 slab_free mm/slub.c:3210 [inline]
 kmem_cache_free+0xfa/0x3a0 mm/slub.c:3226
 kfree_skbmem+0x95/0x140 net/core/skbuff.c:699
 __kfree_skb net/core/skbuff.c:756 [inline]
 kfree_skb net/core/skbuff.c:773 [inline]
 kfree_skb+0xb1/0x1d0 net/core/skbuff.c:767
 queue_oob net/unix/af_unix.c:1924 [inline]
 unix_stream_sendmsg+0xaf2/0xe20 net/unix/af_unix.c:2030
 sock_sendmsg_nosec net/socket.c:704 [inline]
 sock_sendmsg+0xb5/0xf0 net/socket.c:724
 ____sys_sendmsg+0x694/0x990 net/socket.c:2403
 ___sys_sendmsg+0xfc/0x190 net/socket.c:2457
 __sys_sendmsg+0xc3/0x160 net/socket.c:2486
 __do_sys_sendmsg net/socket.c:2495 [inline]
 __se_sys_sendmsg net/socket.c:2493 [inline]
 __x64_sys_sendmsg+0x73/0xb0 net/socket.c:2493
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0x80 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff88812138eb40
 which belongs to the cache skbuff_head_cache of size 224
The buggy address is located 68 bytes inside of
 224-byte region [ffff88812138eb40, ffff88812138ec20)
The buggy address belongs to the page:
page:ffffea000484e380 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12138e
flags: 0x4000000000000200(slab|zone=1)
raw: 4000000000000200 0000000000000000 dead000000000122 ffff8881081c38c0
raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 509, ts 42713417511, free_ts 42655745407
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook mm/page_alloc.c:2430 [inline]
 prep_new_page mm/page_alloc.c:2436 [inline]
 get_page_from_freelist+0x236f/0x32a0 mm/page_alloc.c:4169
 __alloc_pages+0x275/0x5b0 mm/page_alloc.c:5391
 __alloc_pages_node include/linux/gfp.h:570 [inline]
 alloc_pages_node include/linux/gfp.h:584 [inline]
 alloc_pages include/linux/gfp.h:597 [inline]
 alloc_slab_page mm/slub.c:1688 [inline]
 allocate_slab+0x330/0x480 mm/slub.c:1828
 new_slab mm/slub.c:1891 [inline]
 new_slab_objects mm/slub.c:2637 [inline]
 ___slab_alloc.constprop.0+0x2f9/0x700 mm/slub.c:2800
 __slab_alloc.constprop.0+0x3d/0x60 mm/slub.c:2840
 slab_alloc_node mm/slub.c:2922 [inline]
 slab_alloc mm/slub.c:2964 [inline]
 kmem_cache_alloc+0x447/0x480 mm/slub.c:2969
 kmem_cache_alloc_node include/linux/slab.h:462 [inline]
 __alloc_skb+0x14b/0x250 net/core/skbuff.c:414
 alloc_skb include/linux/skbuff.h:1116 [inline]
 alloc_skb_with_frags+0x76/0x4a0 net/core/skbuff.c:6073
 sock_alloc_send_pskb+0x687/0x840 net/core/sock.c:2475
 sock_alloc_send_skb+0x13/0x20 net/core/sock.c:2492
 queue_oob net/unix/af_unix.c:1905 [inline]
 unix_stream_sendmsg+0x9f9/0xe20 net/unix/af_unix.c:2030
 sock_sendmsg_nosec net/socket.c:704 [inline]
 sock_sendmsg+0xb5/0xf0 net/socket.c:724
 ____sys_sendmsg+0x694/0x990 net/socket.c:2403
 ___sys_sendmsg+0xfc/0x190 net/socket.c:2457
 __sys_sendmsg+0xc3/0x160 net/socket.c:2486
 __do_sys_sendmsg net/socket.c:2495 [inline]
 __se_sys_sendmsg net/socket.c:2493 [inline]
 __x64_sys_sendmsg+0x73/0xb0 net/socket.c:2493
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1346 [inline]
 free_pcp_prepare+0x19c/0x4a0 mm/page_alloc.c:1419
 free_unref_page_prepare mm/page_alloc.c:3332 [inline]
 free_unref_page+0x1c/0x200 mm/page_alloc.c:3411
 free_the_page mm/page_alloc.c:707 [inline]
 __free_pages+0xdc/0xf0 mm/page_alloc.c:5464
 __vunmap+0x4b2/0x7b0 mm/vmalloc.c:2587
 free_work+0x51/0x70 mm/vmalloc.c:82
 process_one_work+0x61d/0xe70 kernel/workqueue.c:2276
 worker_thread+0x48e/0xdb0 kernel/workqueue.c:2422
 kthread+0x324/0x3e0 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Memory state around the buggy address:
 ffff88812138ea80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
 ffff88812138eb00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
>ffff88812138eb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff88812138ec00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88812138ec80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================