syzbot


KASAN: use-after-free Write in detach_if_pending

Status: upstream: reported C repro on 2023/02/10 18:19
Reported-by: syzbot+2db3ce7c2c48587cff89@syzkaller.appspotmail.com
First crash: 433d, last: 21h48m
Similar bugs (7)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Write in detach_if_pending net C 4169 2370d 2365d 3/26 fixed on 2017/11/28 03:36
upstream general protection fault in detach_if_pending (2) net 1 768d 768d 0/26 auto-closed as invalid on 2022/06/11 02:46
linux-4.14 general protection fault in detach_if_pending (2) 1 1077d 1077d 0/1 auto-closed as invalid on 2021/09/04 11:36
upstream KASAN: invalid-access Write in detach_if_pending wireguard 2 1157d 1159d 0/26 auto-closed as invalid on 2021/05/17 08:51
upstream KASAN: slab-use-after-free Write in detach_if_pending wireguard batman 2 349d 358d 0/26 auto-obsoleted due to no activity on 2023/11/08 05:10
upstream general protection fault in detach_if_pending 1 2409d 2409d 0/26 closed as invalid on 2017/10/22 12:45
linux-4.14 general protection fault in detach_if_pending 1 1656d 1656d 0/1 auto-closed as invalid on 2020/02/03 13:10

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in __write_once_size include/linux/compiler.h:295 [inline]
BUG: KASAN: use-after-free in __hlist_del include/linux/list.h:789 [inline]
BUG: KASAN: use-after-free in detach_timer kernel/time/timer.c:824 [inline]
BUG: KASAN: use-after-free in detach_if_pending+0x160/0x360 kernel/time/timer.c:841
Write of size 8 at addr ffff8881da8231c0 by task syz-executor292/415

CPU: 0 PID: 415 Comm: syz-executor292 Not tainted 5.4.254-syzkaller-00011-g2ac128c04e33 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d8/0x241 lib/dump_stack.c:118
 print_address_description+0x8c/0x600 mm/kasan/report.c:384
 __kasan_report+0xf3/0x120 mm/kasan/report.c:516
 kasan_report+0x30/0x60 mm/kasan/common.c:653
 __write_once_size include/linux/compiler.h:295 [inline]
 __hlist_del include/linux/list.h:789 [inline]
 detach_timer kernel/time/timer.c:824 [inline]
 detach_if_pending+0x160/0x360 kernel/time/timer.c:841
 try_to_del_timer_sync kernel/time/timer.c:1238 [inline]
 del_timer_sync+0x13c/0x230 kernel/time/timer.c:1379
 tun_flow_uninit+0x2c/0x280 drivers/net/tun.c:1451
 tun_free_netdev+0x77/0x190 drivers/net/tun.c:2401
 netdev_run_todo+0xb7f/0xdf0 net/core/dev.c:9450
 tun_detach drivers/net/tun.c:765 [inline]
 tun_chr_close+0xc1/0x130 drivers/net/tun.c:3554
 __fput+0x262/0x680 fs/file_table.c:281
 task_work_run+0x140/0x170 kernel/task_work.c:113
 ptrace_notify+0x29e/0x350 kernel/signal.c:2271
 ptrace_report_syscall include/linux/tracehook.h:66 [inline]
 tracehook_report_syscall_exit include/linux/tracehook.h:129 [inline]
 syscall_slow_exit_work+0x167/0x400 arch/x86/entry/common.c:246
 syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
 do_syscall_64+0x19d/0x1c0 arch/x86/entry/common.c:300
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1

The buggy address belongs to the page:
page:ffffea00076a08c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x8000000000000000()
raw: 8000000000000000 0000000000000000 ffffea00076a08c8 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x46dc0(GFP_KERNEL|__GFP_NOWARN|__GFP_RETRY_MAYFAIL|__GFP_COMP|__GFP_ZERO)
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook mm/page_alloc.c:2165 [inline]
 prep_new_page+0x18f/0x370 mm/page_alloc.c:2171
 get_page_from_freelist+0x2d13/0x2d90 mm/page_alloc.c:3794
 __alloc_pages_nodemask+0x393/0x840 mm/page_alloc.c:4891
 __alloc_pages include/linux/gfp.h:503 [inline]
 __alloc_pages_node include/linux/gfp.h:516 [inline]
 alloc_pages_node include/linux/gfp.h:530 [inline]
 kmalloc_order mm/slab_common.c:1342 [inline]
 kmalloc_order_trace+0x2a/0x100 mm/slab_common.c:1358
 __kmalloc_node include/linux/slab.h:422 [inline]
 kmalloc_node include/linux/slab.h:599 [inline]
 kvmalloc_node+0x7e/0xf0 mm/util.c:596
 kvmalloc include/linux/mm.h:759 [inline]
 kvzalloc include/linux/mm.h:767 [inline]
 alloc_netdev_mqs+0x85/0xc70 net/core/dev.c:9602
 tun_set_iff+0x51f/0xdc0 drivers/net/tun.c:2887
 __tun_chr_ioctl+0x860/0x1d50 drivers/net/tun.c:3180
 do_vfs_ioctl+0x742/0x1720 fs/ioctl.c:47
 ksys_ioctl fs/ioctl.c:742 [inline]
 __do_sys_ioctl fs/ioctl.c:749 [inline]
 __se_sys_ioctl fs/ioctl.c:747 [inline]
 __x64_sys_ioctl+0xd4/0x110 fs/ioctl.c:747
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1176 [inline]
 __free_pages_ok+0x847/0x950 mm/page_alloc.c:1438
 free_the_page mm/page_alloc.c:4953 [inline]
 __free_pages+0x91/0x140 mm/page_alloc.c:4959
 device_release+0x6b/0x190 drivers/base/core.c:1776
 kobject_cleanup lib/kobject.c:708 [inline]
 kobject_release lib/kobject.c:739 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x1e6/0x2f0 lib/kobject.c:756
 tun_set_iff+0x870/0xdc0 drivers/net/tun.c:2918
 __tun_chr_ioctl+0x860/0x1d50 drivers/net/tun.c:3180
 do_vfs_ioctl+0x742/0x1720 fs/ioctl.c:47
 ksys_ioctl fs/ioctl.c:742 [inline]
 __do_sys_ioctl fs/ioctl.c:749 [inline]
 __se_sys_ioctl fs/ioctl.c:747 [inline]
 __x64_sys_ioctl+0xd4/0x110 fs/ioctl.c:747
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1

Memory state around the buggy address:
 ffff8881da823080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881da823100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8881da823180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                           ^
 ffff8881da823200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881da823280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (375):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2023/11/14 07:08 android12-5.4 2ac128c04e33 cb976f63 .config strace log report syz C [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/04/18 05:00 android12-5.4 2d5d8240a7cb acc528cb .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/04/16 20:39 android12-5.4 2d5d8240a7cb 18f6e127 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/04/16 16:09 android12-5.4 2d5d8240a7cb 18f6e127 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/04/16 03:32 android12-5.4 2d5d8240a7cb 0d592ce4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/04/15 14:16 android12-5.4 002e7f61a061 b9af7e61 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/04/14 21:20 android12-5.4 d0d34dcb02cc c8349e48 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/04/14 08:21 android12-5.4 d0d34dcb02cc c8349e48 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/04/14 06:12 android12-5.4 d0d34dcb02cc c8349e48 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/04/14 01:27 android12-5.4 d0d34dcb02cc c8349e48 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/04/13 09:46 android12-5.4 d0d34dcb02cc c8349e48 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/04/13 08:12 android12-5.4 d0d34dcb02cc c8349e48 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/04/13 03:52 android12-5.4 d0d34dcb02cc c8349e48 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/04/13 00:24 android12-5.4 d0d34dcb02cc c8349e48 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/04/12 12:18 android12-5.4 d0d34dcb02cc 27de0a5c .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/04/12 02:23 android12-5.4 d0d34dcb02cc 27de0a5c .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/04/09 21:16 android12-5.4 d0d34dcb02cc 171ec371 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/04/09 05:44 android12-5.4 d0d34dcb02cc f3234354 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/04/09 02:26 android12-5.4 d0d34dcb02cc f3234354 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/04/08 12:55 android12-5.4 d0d34dcb02cc 53df08b6 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/04/07 02:35 android12-5.4 d0d34dcb02cc ca620dd8 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/04/06 13:20 android12-5.4 d0d34dcb02cc ca620dd8 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/04/03 23:17 android12-5.4 d0d34dcb02cc 51c4dcff .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/04/03 18:31 android12-5.4 d0d34dcb02cc 51c4dcff .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/04/03 10:29 android12-5.4 d0d34dcb02cc 7925100d .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/04/03 05:25 android12-5.4 d0d34dcb02cc 7925100d .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/04/03 04:22 android12-5.4 d0d34dcb02cc 7925100d .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/04/03 02:10 android12-5.4 d0d34dcb02cc 7925100d .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/03/28 22:58 android12-5.4 47710d1d3563 e91187ee .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/03/12 03:08 android12-5.4 43a5ead9254d 6ee49f2e .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/03/11 11:47 android12-5.4 43a5ead9254d 6ee49f2e .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/03/10 04:59 android12-5.4 43a5ead9254d 6ee49f2e .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/03/09 15:17 android12-5.4 43a5ead9254d 6ee49f2e .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/03/08 16:40 android12-5.4 43a5ead9254d 8e75c913 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/03/07 11:08 android12-5.4 50cb39f34248 f39a7eed .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/03/07 00:22 android12-5.4 50cb39f34248 f39a7eed .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/03/05 23:06 android12-5.4 50cb39f34248 f39a7eed .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/03/05 00:09 android12-5.4 50cb39f34248 3717835d .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/03/04 19:54 android12-5.4 50cb39f34248 3717835d .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/03/04 07:33 android12-5.4 50cb39f34248 25905f5d .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/03/03 12:34 android12-5.4 50cb39f34248 25905f5d .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/03/03 04:21 android12-5.4 50cb39f34248 25905f5d .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/03/02 18:51 android12-5.4 50cb39f34248 25905f5d .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/03/02 15:12 android12-5.4 50cb39f34248 25905f5d .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2023/02/10 18:18 android12-5.4 6a5ec6cea0cd e29a17f5 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/04/17 06:48 android12-5.4 2d5d8240a7cb 18f6e127 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: slab-out-of-bounds Write in detach_if_pending
2024/04/06 11:59 android12-5.4 d0d34dcb02cc ca620dd8 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: slab-out-of-bounds Write in detach_if_pending
2024/03/20 02:34 android12-5.4 43a5ead9254d a485f239 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: slab-out-of-bounds Write in detach_if_pending
2024/03/03 09:26 android12-5.4 50cb39f34248 25905f5d .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: slab-out-of-bounds Write in detach_if_pending
2024/02/03 09:45 android12-5.4 bf4c80bc4358 60bf9982 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: out-of-bounds Write in detach_if_pending
2024/01/29 13:14 android12-5.4 4d7b888b5774 991a98f4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan general protection fault in detach_if_pending
* Struck through repros no longer work on HEAD.