syzbot


KASAN: use-after-free Write in detach_if_pending

Status: upstream: reported C repro on 2023/02/10 18:19
Reported-by: syzbot+2db3ce7c2c48587cff89@syzkaller.appspotmail.com
First crash: 489d, last: 4h28m
Similar bugs (8)
Kernel     | Title                                                 | Subsystem        | Repro | Cause bisect | Fix bisect | Count | Last  | Reported | Patched | Status
upstream   | KASAN: use-after-free Write in detach_if_pending      | net              | C     |              |            | 4169  | 2427d | 2422d    | 3/27    | fixed on 2017/11/28 03:36
upstream   | general protection fault in detach_if_pending (2)     | net              |       |              |            | 1     | 824d  | 824d     | 0/27    | auto-closed as invalid on 2022/06/11 02:46
linux-4.14 | general protection fault in detach_if_pending (2)     |                  |       |              |            | 1     | 1133d | 1133d    | 0/1     | auto-closed as invalid on 2021/09/04 11:36
upstream   | general protection fault in detach_if_pending (3)     | bcachefs         |       |              |            | 3     | 15d   | 23d      | 0/27    | moderation: reported on 2024/05/22 06:18
upstream   | KASAN: invalid-access Write in detach_if_pending      | wireguard        |       |              |            | 2     | 1214d | 1215d    | 0/27    | auto-closed as invalid on 2021/05/17 08:51
upstream   | KASAN: slab-use-after-free Write in detach_if_pending | wireguard batman |       |              |            | 2     | 405d  | 415d     | 0/27    | auto-obsoleted due to no activity on 2023/11/08 05:10
upstream   | general protection fault in detach_if_pending         |                  |       |              |            | 1     | 2466d | 2466d    | 0/27    | closed as invalid on 2017/10/22 12:45
linux-4.14 | general protection fault in detach_if_pending         |                  |       |              |            | 1     | 1712d | 1712d    | 0/1     | auto-closed as invalid on 2020/02/03 13:10

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in __write_once_size include/linux/compiler.h:295 [inline]
BUG: KASAN: use-after-free in __hlist_del include/linux/list.h:789 [inline]
BUG: KASAN: use-after-free in detach_timer kernel/time/timer.c:824 [inline]
BUG: KASAN: use-after-free in detach_if_pending+0x160/0x360 kernel/time/timer.c:841
Write of size 8 at addr ffff8881da8231c0 by task syz-executor292/415

CPU: 0 PID: 415 Comm: syz-executor292 Not tainted 5.4.254-syzkaller-00011-g2ac128c04e33 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d8/0x241 lib/dump_stack.c:118
 print_address_description+0x8c/0x600 mm/kasan/report.c:384
 __kasan_report+0xf3/0x120 mm/kasan/report.c:516
 kasan_report+0x30/0x60 mm/kasan/common.c:653
 __write_once_size include/linux/compiler.h:295 [inline]
 __hlist_del include/linux/list.h:789 [inline]
 detach_timer kernel/time/timer.c:824 [inline]
 detach_if_pending+0x160/0x360 kernel/time/timer.c:841
 try_to_del_timer_sync kernel/time/timer.c:1238 [inline]
 del_timer_sync+0x13c/0x230 kernel/time/timer.c:1379
 tun_flow_uninit+0x2c/0x280 drivers/net/tun.c:1451
 tun_free_netdev+0x77/0x190 drivers/net/tun.c:2401
 netdev_run_todo+0xb7f/0xdf0 net/core/dev.c:9450
 tun_detach drivers/net/tun.c:765 [inline]
 tun_chr_close+0xc1/0x130 drivers/net/tun.c:3554
 __fput+0x262/0x680 fs/file_table.c:281
 task_work_run+0x140/0x170 kernel/task_work.c:113
 ptrace_notify+0x29e/0x350 kernel/signal.c:2271
 ptrace_report_syscall include/linux/tracehook.h:66 [inline]
 tracehook_report_syscall_exit include/linux/tracehook.h:129 [inline]
 syscall_slow_exit_work+0x167/0x400 arch/x86/entry/common.c:246
 syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
 do_syscall_64+0x19d/0x1c0 arch/x86/entry/common.c:300
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1

The buggy address belongs to the page:
page:ffffea00076a08c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x8000000000000000()
raw: 8000000000000000 0000000000000000 ffffea00076a08c8 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x46dc0(GFP_KERNEL|__GFP_NOWARN|__GFP_RETRY_MAYFAIL|__GFP_COMP|__GFP_ZERO)
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook mm/page_alloc.c:2165 [inline]
 prep_new_page+0x18f/0x370 mm/page_alloc.c:2171
 get_page_from_freelist+0x2d13/0x2d90 mm/page_alloc.c:3794
 __alloc_pages_nodemask+0x393/0x840 mm/page_alloc.c:4891
 __alloc_pages include/linux/gfp.h:503 [inline]
 __alloc_pages_node include/linux/gfp.h:516 [inline]
 alloc_pages_node include/linux/gfp.h:530 [inline]
 kmalloc_order mm/slab_common.c:1342 [inline]
 kmalloc_order_trace+0x2a/0x100 mm/slab_common.c:1358
 __kmalloc_node include/linux/slab.h:422 [inline]
 kmalloc_node include/linux/slab.h:599 [inline]
 kvmalloc_node+0x7e/0xf0 mm/util.c:596
 kvmalloc include/linux/mm.h:759 [inline]
 kvzalloc include/linux/mm.h:767 [inline]
 alloc_netdev_mqs+0x85/0xc70 net/core/dev.c:9602
 tun_set_iff+0x51f/0xdc0 drivers/net/tun.c:2887
 __tun_chr_ioctl+0x860/0x1d50 drivers/net/tun.c:3180
 do_vfs_ioctl+0x742/0x1720 fs/ioctl.c:47
 ksys_ioctl fs/ioctl.c:742 [inline]
 __do_sys_ioctl fs/ioctl.c:749 [inline]
 __se_sys_ioctl fs/ioctl.c:747 [inline]
 __x64_sys_ioctl+0xd4/0x110 fs/ioctl.c:747
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1176 [inline]
 __free_pages_ok+0x847/0x950 mm/page_alloc.c:1438
 free_the_page mm/page_alloc.c:4953 [inline]
 __free_pages+0x91/0x140 mm/page_alloc.c:4959
 device_release+0x6b/0x190 drivers/base/core.c:1776
 kobject_cleanup lib/kobject.c:708 [inline]
 kobject_release lib/kobject.c:739 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x1e6/0x2f0 lib/kobject.c:756
 tun_set_iff+0x870/0xdc0 drivers/net/tun.c:2918
 __tun_chr_ioctl+0x860/0x1d50 drivers/net/tun.c:3180
 do_vfs_ioctl+0x742/0x1720 fs/ioctl.c:47
 ksys_ioctl fs/ioctl.c:742 [inline]
 __do_sys_ioctl fs/ioctl.c:749 [inline]
 __se_sys_ioctl fs/ioctl.c:747 [inline]
 __x64_sys_ioctl+0xd4/0x110 fs/ioctl.c:747
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1

Memory state around the buggy address:
 ffff8881da823080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881da823100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8881da823180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                           ^
 ffff8881da823200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881da823280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
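The report above carries three stacks that together tell the story: the faulting access (del_timer_sync reached from tun_chr_close), the allocation (alloc_netdev_mqs from tun_set_iff at tun.c:2887) and the free (kobject_put from tun_set_iff at tun.c:2918 in the same ioctl). A small triage helper follows, added here as an example; it is not syzbot's or the kernel's own code. It parses the KASAN report format as printed above (the BUG/access header, the Call Trace, and the page_owner or slab allocation and free stacks) into structured fields, identifies the owning source file from the faulting stack, and reports where that same file allocated and freed the object, which is the first thing to read when deciding whether a free on an error path left a dangling reference behind. SAMPLE_REPORT is an excerpt of the report above with frames trimmed; the default `drivers/` search prefix is an assumption of this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Excerpt of the sample crash report above, trimmed to the lines the parser
# needs (the full report carries more frames in every stack).
SAMPLE_REPORT = """\
BUG: KASAN: use-after-free in detach_timer kernel/time/timer.c:824 [inline]
BUG: KASAN: use-after-free in detach_if_pending+0x160/0x360 kernel/time/timer.c:841
Write of size 8 at addr ffff8881da8231c0 by task syz-executor292/415
CPU: 0 PID: 415 Comm: syz-executor292 Not tainted 5.4.254-syzkaller-00011-g2ac128c04e33 #0
Call Trace:
 kasan_report+0x30/0x60 mm/kasan/common.c:653
 detach_timer kernel/time/timer.c:824 [inline]
 detach_if_pending+0x160/0x360 kernel/time/timer.c:841
 del_timer_sync+0x13c/0x230 kernel/time/timer.c:1379
 tun_flow_uninit+0x2c/0x280 drivers/net/tun.c:1451
 tun_free_netdev+0x77/0x190 drivers/net/tun.c:2401
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1

page last allocated via order 2, migratetype Unmovable, gfp_mask 0x46dc0(GFP_KERNEL|__GFP_NOWARN|__GFP_RETRY_MAYFAIL|__GFP_COMP|__GFP_ZERO)
 kvmalloc_node+0x7e/0xf0 mm/util.c:596
 alloc_netdev_mqs+0x85/0xc70 net/core/dev.c:9602
 tun_set_iff+0x51f/0xdc0 drivers/net/tun.c:2887
 __tun_chr_ioctl+0x860/0x1d50 drivers/net/tun.c:3180
page last free stack trace:
 device_release+0x6b/0x190 drivers/base/core.c:1776
 kobject_put+0x1e6/0x2f0 lib/kobject.c:756
 tun_set_iff+0x870/0xdc0 drivers/net/tun.c:2918
 __tun_chr_ioctl+0x860/0x1d50 drivers/net/tun.c:3180
"""

FRAME_RE = re.compile(  # " func+0xoff/0xsize path/file.c:NNN [inline]"; offset and location optional
    r"^\s+(?P<func>[A-Za-z_][\w.]*)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?"
    r"(?:\s+(?P<loc>\S+:\d+))?(?P<inline>\s+\[inline\])?\s*$")
BUG_RE = re.compile(r"^BUG: KASAN: (?P<type>[\w-]+) in ")
ACCESS_RE = re.compile(r"^(?P<kind>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
                       r" by task (?P<task>\S+)/(?P<pid>\d+)")
KERNEL_RE = re.compile(r"(?:Not tainted|Tainted:[A-Z ]+)\s(?P<ver>\d[\w.+-]*)")
SECTION_HEADERS = {  # lines that open a stack, in both the slab and the page_owner spelling
    "Call Trace:": "access", "Allocated by task": "alloc", "Freed by task": "free",
    "page last allocated via": "alloc", "page last free stack trace": "free"}


@dataclass
class Frame:
    func: str
    loc: Optional[str]  # "path/file.c:line"; None for entry/asm frames
    inline: bool

    def __str__(self) -> str:
        return f"{self.func} {self.loc or '?'}" + (" [inline]" if self.inline else "")


def parse_report(text: str) -> dict:
    """Split a KASAN report into its header fields and access/alloc/free stacks."""
    info: dict = {"stacks": {"access": [], "alloc": [], "free": []}}
    section = None
    for line in text.splitlines():
        header = next((n for p, n in SECTION_HEADERS.items() if line.startswith(p)), None)
        if header:
            section = header
            continue
        m = FRAME_RE.match(line)
        if m and section:
            info["stacks"][section].append(Frame(m["func"], m["loc"], bool(m["inline"])))
            continue
        if line.strip():
            section = None  # any other non-blank line closes the current stack
        if "bug_type" not in info and (m := BUG_RE.match(line)):
            info["bug_type"] = m["type"]
        elif m := ACCESS_RE.match(line):
            info.update(kind=m["kind"], size=int(m["size"]), addr=int(m["addr"], 16),
                        task=m["task"], pid=int(m["pid"]))
        elif m := KERNEL_RE.search(line):
            info["kernel"] = m["ver"]
    return info


def first_frame(stack: list, path_prefix: str) -> Optional[Frame]:
    """First frame whose source file starts with path_prefix (a directory or a full file name)."""
    return next((f for f in stack if f.loc and f.loc.split(":")[0].startswith(path_prefix)), None)


def triage(text: str, owner_prefix: str = "drivers/") -> dict:
    """Find the object's owner from the faulting stack, then where that same file
    allocated and freed it. owner_prefix is an assumption of this example: the
    tree under which to look for the owning code (drivers/ for a tun netdev)."""
    r = parse_report(text)
    s = r["stacks"]
    touched = first_frame(s["access"], owner_prefix)
    owner_file = touched.loc.split(":")[0] if touched else owner_prefix
    alloc, freed = first_frame(s["alloc"], owner_file), first_frame(s["free"], owner_file)
    return {
        "bug": f"{r['bug_type']} {r['kind']} of size {r['size']} at {r['addr']:#x}",
        "kernel": r["kernel"],
        "owner_file": owner_file,
        "touched_by": str(touched) if touched else "(none)",
        "allocated_by": str(alloc) if alloc else "(none)",
        "freed_by": str(freed) if freed else "(none)",
        # Alloc and free from the same function deserves a close look: an error
        # path may have freed the object while another reference to it survived.
        "alloc_and_free_same_function": bool(alloc and freed and alloc.func == freed.func),
    }
```

Feed the full report text to triage() to get the same summary for any crash in the table below; because the owner file is taken from the faulting stack rather than hard-coded, the same call works for slab reports (Allocated by task / Freed by task) as for the page_owner form shown here. On this excerpt it reports the netdev touched by tun_flow_uninit at tun.c:1451, allocated by tun_set_iff at tun.c:2887 and freed by tun_set_iff at tun.c:2918.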

Crashes (459):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2023/11/14 07:08 android12-5.4 2ac128c04e33 cb976f63 .config strace log report syz C [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/14 06:36 android12-5.4 6f97bd951d82 a9616ff5 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/13 20:17 android12-5.4 6f97bd951d82 a9616ff5 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/13 09:47 android12-5.4 6f97bd951d82 2aa5052f .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/13 00:20 android12-5.4 6f97bd951d82 f815599d .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/12 23:04 android12-5.4 6f97bd951d82 f815599d .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/12 17:25 android12-5.4 6f97bd951d82 f815599d .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/11 15:46 android12-5.4 4433e72c494f b7d9eb04 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/11 02:06 android12-5.4 dd432c37afcd 048c640a .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/10 05:35 android12-5.4 dd432c37afcd 82c05ab8 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/09 10:48 android12-5.4 dd432c37afcd 82c05ab8 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/08 18:50 android12-5.4 dd432c37afcd 82c05ab8 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/08 07:36 android12-5.4 dd432c37afcd 82c05ab8 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/07 22:52 android12-5.4 dd432c37afcd 82c05ab8 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/07 21:17 android12-5.4 dd432c37afcd 82c05ab8 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/07 14:21 android12-5.4 dd432c37afcd 121701b6 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/07 07:58 android12-5.4 dd432c37afcd 121701b6 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/07 00:23 android12-5.4 dd432c37afcd 121701b6 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/06 17:13 android12-5.4 dd432c37afcd 121701b6 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/06 00:02 android12-5.4 dd432c37afcd 5aa1a7c9 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/05 20:23 android12-5.4 dd432c37afcd 5aa1a7c9 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/05 17:38 android12-5.4 dd432c37afcd 5aa1a7c9 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/05 16:21 android12-5.4 dd432c37afcd 5aa1a7c9 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/05 04:50 android12-5.4 dd432c37afcd e1e2c66e .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/05 01:07 android12-5.4 dd432c37afcd e1e2c66e .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/04 22:52 android12-5.4 dd432c37afcd 11f2afa5 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/04 13:16 android12-5.4 dd432c37afcd 11f2afa5 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/04 11:12 android12-5.4 dd432c37afcd a1feae05 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/04 03:52 android12-5.4 dd432c37afcd a1feae05 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/02 03:18 android12-5.4 70fafe094510 3113787f .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/01 16:54 android12-5.4 70fafe094510 3113787f .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/05/31 14:27 android12-5.4 8322246edffa 0c378259 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/05/28 11:19 android12-5.4 8322246edffa f550015e .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/05/26 17:59 android12-5.4 8322246edffa a10a183e .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/05/26 15:13 android12-5.4 8322246edffa a10a183e .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/05/22 12:40 android12-5.4 51cf29fc2bfc 4d098039 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/05/17 17:37 android12-5.4 51cf29fc2bfc a12e99e7 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/05/12 21:13 android12-5.4 51cf29fc2bfc 9026e142 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2023/02/10 18:18 android12-5.4 6a5ec6cea0cd e29a17f5 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/10 23:33 android12-5.4 dd432c37afcd 048c640a .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: slab-out-of-bounds Write in detach_if_pending
2024/06/07 21:18 android12-5.4 dd432c37afcd 82c05ab8 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: slab-out-of-bounds Write in detach_if_pending
2024/06/06 03:28 android12-5.4 dd432c37afcd 121701b6 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: slab-out-of-bounds Write in detach_if_pending
2024/06/05 08:09 android12-5.4 dd432c37afcd e1e2c66e .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: slab-out-of-bounds Write in detach_if_pending
2024/06/04 20:44 android12-5.4 dd432c37afcd 11f2afa5 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: slab-out-of-bounds Write in detach_if_pending
2024/06/04 03:50 android12-5.4 dd432c37afcd a1feae05 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: slab-out-of-bounds Write in detach_if_pending
2024/05/31 04:14 android12-5.4 8322246edffa 34889ee3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: slab-out-of-bounds Write in detach_if_pending
2024/05/27 07:25 android12-5.4 8322246edffa a10a183e .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: slab-out-of-bounds Write in detach_if_pending
2024/05/24 12:44 android12-5.4 51cf29fc2bfc 8f98448e .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: slab-out-of-bounds Write in detach_if_pending
2024/05/23 13:28 android12-5.4 51cf29fc2bfc 4c2072ee .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: slab-out-of-bounds Write in detach_if_pending
2024/05/14 20:27 android12-5.4 51cf29fc2bfc fdb4c10c .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: slab-out-of-bounds Write in detach_if_pending
2024/02/03 09:45 android12-5.4 bf4c80bc4358 60bf9982 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: out-of-bounds Write in detach_if_pending
2024/01/29 13:14 android12-5.4 4d7b888b5774 991a98f4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan general protection fault in detach_if_pending
* Struck through repros no longer work on HEAD.