Date: Fri, 24 Jun 2022 15:07:54 +0900
From: "Dae R. Jeong"
To: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: KASAN: use-after-free Read in cfusbl_device_notify
List-ID: X-Mailing-List: linux-kernel@vger.kernel.org

Hello,

We observed a crash "KASAN: use-after-free Read in cfusbl_device_notify" during fuzzing. Unfortunately, we have not found a reproducer for the crash yet. We will inform you if we have any update on this crash.

Detailed crash information is attached at the end of this email.

Best regards,
Dae R. Jeong.

------
- Kernel commit: b13baccc3850ca
- Crash report:

==================================================================
BUG: KASAN: use-after-free in cfusbl_device_notify+0x155/0xf40 net/caif/caif_usb.c:138
Read of size 8 at addr ffff88804bc4c6f0 by task kworker/u8:0/18109

CPU: 1 PID: 18109 Comm: kworker/u8:0 Not tainted 5.19.0-rc2-31838-gef9c98f9637f #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
Workqueue: netns cleanup_net
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x240/0x35a lib/dump_stack.c:106
 print_address_description+0x65/0x4f0 mm/kasan/report.c:313
 print_report+0xf4/0x1e0 mm/kasan/report.c:429
 kasan_report+0xe5/0x110 mm/kasan/report.c:491
 cfusbl_device_notify+0x155/0xf40 net/caif/caif_usb.c:138
 notifier_call_chain kernel/notifier.c:87 [inline]
 raw_notifier_call_chain+0xd4/0x170 kernel/notifier.c:455
 call_netdevice_notifiers_info net/core/dev.c:1943 [inline]
 call_netdevice_notifiers_extack net/core/dev.c:1981 [inline]
 call_netdevice_notifiers net/core/dev.c:1995 [inline]
 netdev_wait_allrefs_any net/core/dev.c:10225 [inline]
 netdev_run_todo+0x14e6/0x23c0 net/core/dev.c:10337
 default_device_exit_batch+0x99a/0xa10 net/core/dev.c:11329
 ops_exit_list net/core/net_namespace.c:167 [inline]
 cleanup_net+0xd23/0x15a0 net/core/net_namespace.c:594
 process_one_work+0x909/0x12b0 kernel/workqueue.c:2289
 worker_thread+0xab1/0x1320 kernel/workqueue.c:2436
 kthread+0x294/0x330 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30

Allocated by task 6688:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:436 [inline]
 ____kasan_kmalloc mm/kasan/common.c:515 [inline]
 __kasan_kmalloc+0xac/0xe0 mm/kasan/common.c:524
 kasan_kmalloc include/linux/kasan.h:234 [inline]
 __kmalloc_node+0xed/0x780 mm/slub.c:4465
 kmalloc_node include/linux/slab.h:623 [inline]
 kvmalloc_node+0x6e/0x1a0 mm/util.c:613
 kvmalloc include/linux/slab.h:750 [inline]
 kvzalloc include/linux/slab.h:758 [inline]
 alloc_netdev_mqs+0x94/0x1da0 net/core/dev.c:10576
 rtnl_create_link+0x4ec/0x1360 net/core/rtnetlink.c:3241
 veth_newlink+0x4a9/0x1810 drivers/net/veth.c:1749
 rtnl_newlink_create net/core/rtnetlink.c:3363 [inline]
 __rtnl_newlink net/core/rtnetlink.c:3580 [inline]
 rtnl_newlink+0x251d/0x2fc0 net/core/rtnetlink.c:3593
 rtnetlink_rcv_msg+0x1103/0x1a60 net/core/rtnetlink.c:6089
 netlink_rcv_skb+0x2b6/0x670 net/netlink/af_netlink.c:2501
 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
 netlink_unicast+0xc68/0xff0 net/netlink/af_netlink.c:1345
 netlink_sendmsg+0x11a0/0x1680 net/netlink/af_netlink.c:1921
 sock_sendmsg_nosec net/socket.c:693 [inline]
 sock_sendmsg net/socket.c:713 [inline]
 __sys_sendto+0x544/0x770 net/socket.c:2098
 __do_sys_sendto net/socket.c:2110 [inline]
 __se_sys_sendto net/socket.c:2106 [inline]
 __x64_sys_sendto+0x1bb/0x250 net/socket.c:2106
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x4e/0xa0 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x46/0xb0

Freed by task 18109:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track+0x3d/0x60 mm/kasan/common.c:45
 kasan_set_free_info+0x1f/0x40 mm/kasan/generic.c:370
 ____kasan_slab_free+0xb2/0xf0 mm/kasan/common.c:366
 kasan_slab_free include/linux/kasan.h:200 [inline]
 slab_free_hook mm/slub.c:1727 [inline]
 slab_free_freelist_hook+0x20c/0x540 mm/slub.c:1753
 slab_free mm/slub.c:3507 [inline]
 kfree+0x117/0x7e0 mm/slub.c:4555
 device_release+0xf5/0x390
 kobject_cleanup+0x340/0x4e0 lib/kobject.c:673
 netdev_run_todo+0x211c/0x23c0 net/core/dev.c:10358
 default_device_exit_batch+0x99a/0xa10 net/core/dev.c:11329
 ops_exit_list net/core/net_namespace.c:167 [inline]
 cleanup_net+0xd23/0x15a0 net/core/net_namespace.c:594
 process_one_work+0x909/0x12b0 kernel/workqueue.c:2289
 worker_thread+0xab1/0x1320 kernel/workqueue.c:2436
 kthread+0x294/0x330 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30

The buggy address belongs to the object at ffff88804bc4c000
 which belongs to the cache kmalloc-cg-4k of size 4096
The buggy address is located 1776 bytes inside of
 4096-byte region [ffff88804bc4c000, ffff88804bc4d000)

The buggy address belongs to the physical page:
page:ffffea00012f1200 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4bc48
head:ffffea00012f1200 order:3 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 0000000000000000 dead000000000122 ffff88801844c140
raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 6688, tgid 6688 (syz-executor.0), ts 297836664488, free_ts 31867390869
 prep_new_page mm/page_alloc.c:2456 [inline]
 get_page_from_freelist+0xa7c/0xf50 mm/page_alloc.c:4198
 __alloc_pages+0x30e/0x710 mm/page_alloc.c:5426
 alloc_slab_page+0x66/0x250 mm/slub.c:1797
 allocate_slab+0xc0/0xe40 mm/slub.c:1942
 new_slab mm/slub.c:2002 [inline]
 ___slab_alloc+0x629/0x17a0 mm/slub.c:3002
 __slab_alloc mm/slub.c:3089 [inline]
 slab_alloc_node mm/slub.c:3180 [inline]
 slab_alloc mm/slub.c:3222 [inline]
 __kmalloc_track_caller+0x53a/0x600 mm/slub.c:4919
 kmemdup+0x21/0x50 mm/util.c:129
 _Z7kmemdupPKvU17pass_object_size0mj include/linux/fortify-string.h:456 [inline]
 __addrconf_sysctl_register+0x97/0x680 net/ipv6/addrconf.c:7061
 addrconf_sysctl_register+0x1c3/0x2a0 net/ipv6/addrconf.c:7126
 ipv6_add_dev+0x170e/0x1f80 net/ipv6/addrconf.c:450
 addrconf_notify+0xa36/0x3730 net/ipv6/addrconf.c:3532
 notifier_call_chain kernel/notifier.c:87 [inline]
 raw_notifier_call_chain+0xd4/0x170 kernel/notifier.c:455
 call_netdevice_notifiers_info net/core/dev.c:1943 [inline]
 call_netdevice_notifiers_extack net/core/dev.c:1981 [inline]
 call_netdevice_notifiers net/core/dev.c:1995 [inline]
 register_netdevice+0x23b1/0x32c0 net/core/dev.c:10078
 hsr_dev_finalize+0x803/0xd50 net/hsr/hsr_device.c:539
 hsr_newlink+0xba5/0xcf0 net/hsr/hsr_netlink.c:102
 rtnl_newlink_create net/core/rtnetlink.c:3363 [inline]
 __rtnl_newlink net/core/rtnetlink.c:3580 [inline]
 rtnl_newlink+0x251d/0x2fc0 net/core/rtnetlink.c:3593
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1371 [inline]
 free_pcp_prepare+0xa65/0xc90 mm/page_alloc.c:1421
 free_unref_page_prepare mm/page_alloc.c:3343 [inline]
 free_unref_page+0x7e/0x740 mm/page_alloc.c:3438
 free_contig_range+0xd9/0x240 mm/page_alloc.c:9314
 destroy_args+0x153/0xee4 mm/debug_vm_pgtable.c:1031
 debug_vm_pgtable+0x4bd/0x553 mm/debug_vm_pgtable.c:1354
 do_one_initcall+0x1a8/0x410 init/main.c:1295
 do_initcall_level+0x168/0x21d init/main.c:1368
 do_initcalls+0x50/0x91 init/main.c:1384
 kernel_init_freeable+0x40d/0x59a init/main.c:1610
 kernel_init+0x19/0x2c0 init/main.c:1499
 ret_from_fork+0x1f/0x30

Memory state around the buggy address:
 ffff88804bc4c580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88804bc4c600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88804bc4c680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                             ^
 ffff88804bc4c700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88804bc4c780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
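The report above is raw KASAN output, and the facts a triager needs (use site, allocation site, free site, offset inside the object, shadow byte at the faulting address, whether the freeing PID is the faulting PID) are spread across several sections. The following parser is an added example by the editor, not code from the reporter or from the kernel tree: it reads an excerpt constructed from the report above (most frames trimmed), pulls those facts into a structure, and decodes the shadow byte using the generic-KASAN encoding. The set of "instrumentation" path prefixes that are skipped when looking for the first meaningful frame, and the subset of shadow values in the table, are the editor's choices.

```python
"""Parse a generic-KASAN report into structured fields and pull out what a triager checks first."""
import re
from dataclasses import dataclass, field

# Constructed excerpt of the report quoted in the email above; most frames trimmed for brevity.
REPORT = """\
BUG: KASAN: use-after-free in cfusbl_device_notify+0x155/0xf40 net/caif/caif_usb.c:138
Read of size 8 at addr ffff88804bc4c6f0 by task kworker/u8:0/18109
Call Trace:
 kasan_report+0xe5/0x110 mm/kasan/report.c:491
 cfusbl_device_notify+0x155/0xf40 net/caif/caif_usb.c:138
 netdev_wait_allrefs_any net/core/dev.c:10225 [inline]
 netdev_run_todo+0x14e6/0x23c0 net/core/dev.c:10337
Allocated by task 6688:
 __kasan_kmalloc+0xac/0xe0 mm/kasan/common.c:524
 alloc_netdev_mqs+0x94/0x1da0 net/core/dev.c:10576
Freed by task 18109:
 ____kasan_slab_free+0xb2/0xf0 mm/kasan/common.c:366
 kfree+0x117/0x7e0 mm/slub.c:4555
 device_release+0xf5/0x390
 netdev_run_todo+0x211c/0x23c0 net/core/dev.c:10358
The buggy address belongs to the object at ffff88804bc4c000
Memory state around the buggy address:
 ffff88804bc4c600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88804bc4c680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

BUG_RE = re.compile(r"^BUG: KASAN: (?P<type>[\w-]+) in (?P<fn>\w+)\+0x[0-9a-f]+/0x[0-9a-f]+ (?P<site>\S+)$")
ACCESS_RE = re.compile(r"^(?P<kind>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)$")
ALLOC_RE = re.compile(r"^Allocated by task (\d+):$")
FREE_RE = re.compile(r"^Freed by task (\d+):$")
FRAME_RE = re.compile(r"^ (?P<fn>[\w.]+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?(?: (?P<loc>\S+:\d+))?(?: \[inline\])?$")
OBJECT_RE = re.compile(r"^The buggy address belongs to the object at ([0-9a-f]+)$")
SHADOW_RE = re.compile(r"^[ >]([0-9a-f]+): ([0-9a-f]{2}(?: [0-9a-f]{2}){15})$")

@dataclass
class KasanReport:
    bug_type: str = ""
    access_fn: str = ""
    access_site: str = ""
    addr: int = 0
    task: str = ""
    free_task: int = 0
    object_base: int = 0
    call_trace: list = field(default_factory=list)  # (function, "file:line" or None)
    alloc_stack: list = field(default_factory=list)
    free_stack: list = field(default_factory=list)
    shadow: dict = field(default_factory=dict)  # row base address -> 16 shadow bytes

def parse_kasan_report(text):
    rep = KasanReport()
    current = None  # stack list receiving the frames of the section being read
    for line in text.splitlines():
        if m := BUG_RE.match(line):
            rep.bug_type, rep.access_fn, rep.access_site = m["type"], m["fn"], m["site"]
        elif m := ACCESS_RE.match(line):
            rep.addr, rep.task = int(m["addr"], 16), m["task"]
        elif line == "Call Trace:":
            current = rep.call_trace
        elif ALLOC_RE.match(line):
            current = rep.alloc_stack
        elif m := FREE_RE.match(line):
            rep.free_task, current = int(m[1]), rep.free_stack
        elif m := OBJECT_RE.match(line):
            rep.object_base, current = int(m[1], 16), None
        elif m := SHADOW_RE.match(line):
            rep.shadow[int(m[1], 16)] = [int(b, 16) for b in m[2].split()]
        elif current is not None and (m := FRAME_RE.match(line)):
            current.append((m["fn"], m["loc"]))
    return rep

# Frames inside KASAN and the slab allocator describe the instrumentation, not the bug (editor's choice).
INSTRUMENTATION = ("mm/kasan/", "mm/slub.c", "mm/slab")
# Generic KASAN shadow encoding: one byte per 8-byte granule, 16 granules (128 bytes) per dumped row.
SHADOW_MEANING = {0x00: "fully addressable", 0xfb: "freed slab object", 0xfc: "slab redzone",
                  0xfe: "page redzone", 0xff: "freed page"}

def first_real_frame(stack):
    return next((f for f in stack if f[1] is None or not f[1].startswith(INSTRUMENTATION)), None)

def shadow_byte_at(rep, addr):
    for base, row in rep.shadow.items():
        if base <= addr < base + 128:
            return row[(addr - base) // 8]
    return None

def summarize(rep):
    """What a triager checks first: use/alloc/free sites, offset in the object, shadow state, PIDs."""
    byte = shadow_byte_at(rep, rep.addr)
    return {
        "bug": rep.bug_type,
        "use": first_real_frame(rep.call_trace)[0],
        "alloc": first_real_frame(rep.alloc_stack)[0],
        "free": first_real_frame(rep.free_stack)[0],
        "offset_in_object": rep.addr - rep.object_base,
        "shadow": SHADOW_MEANING.get(byte, "not dumped" if byte is None else f"0x{byte:02x}"),
        "freed_by_faulting_task": int(rep.task.rsplit("/", 1)[1]) == rep.free_task,
    }
```

`summarize(parse_kasan_report(REPORT))` reproduces the reading one takes from the full report: the object is a net_device allocated by alloc_netdev_mqs, the read at offset 1776 lands in a granule whose shadow byte 0xfb marks a freed slab object, the freeing PID 18109 is the same kworker that later hits the fault, and both the free (via device_release) and the use (via netdev_wait_allrefs_any) sit under netdev_run_todo in the netns cleanup path. The shadow-byte check is worth keeping in any such script: a 0xfb at the faulting address confirms the "use-after-free" classification independently of the stack traces.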