syzbot

 sign-in | mailing list | source | docs
🐞 Open [70]
🐞 Fixed [22]
🐞 Invalid [333]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

KASAN: use-after-free Write in detach_if_pending

Status: upstream: reported C repro on 2023/02/10 18:19
Reported-by: syzbot+2db3ce7c2c48587cff89@syzkaller.appspotmail.com
First crash: 649d, last: 140d
Similar bugs (9)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Write in detach_if_pending net C 4169 2587d 2582d 3/28 fixed on 2017/11/28 03:36
android-6-1 KASAN: use-after-free Write in detach_if_pending 1 33d 33d 0/2 premoderation: reported on 2024/10/18 20:02
upstream general protection fault in detach_if_pending (2) net 1 984d 984d 0/28 auto-closed as invalid on 2022/06/11 02:46
linux-4.14 general protection fault in detach_if_pending (2) 1 1294d 1294d 0/1 auto-closed as invalid on 2021/09/04 11:36
upstream general protection fault in detach_if_pending (3) bcachefs kvm 5 149d 149d 0/28 closed as invalid on 2024/08/16 18:25
upstream KASAN: invalid-access Write in detach_if_pending wireguard 2 1374d 1375d 0/28 auto-closed as invalid on 2021/05/17 08:51
upstream KASAN: slab-use-after-free Write in detach_if_pending wireguard batman 2 566d 575d 0/28 auto-obsoleted due to no activity on 2023/11/08 05:10
upstream general protection fault in detach_if_pending 1 2626d 2626d 0/28 closed as invalid on 2017/10/22 12:45
linux-4.14 general protection fault in detach_if_pending 1 1873d 1873d 0/1 auto-closed as invalid on 2020/02/03 13:10
Last patch testing requests (2)
Created Duration User Patch Repo Result
2024/09/27 06:58 15m retest repro android12-5.4 report log
2024/07/18 19:41 5m retest repro android12-5.4 report log

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in __write_once_size include/linux/compiler.h:295 [inline]
BUG: KASAN: use-after-free in __hlist_del include/linux/list.h:789 [inline]
BUG: KASAN: use-after-free in detach_timer kernel/time/timer.c:824 [inline]
BUG: KASAN: use-after-free in detach_if_pending+0x160/0x360 kernel/time/timer.c:841
Write of size 8 at addr ffff8881da8231c0 by task syz-executor292/415

CPU: 0 PID: 415 Comm: syz-executor292 Not tainted 5.4.254-syzkaller-00011-g2ac128c04e33 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d8/0x241 lib/dump_stack.c:118
 print_address_description+0x8c/0x600 mm/kasan/report.c:384
 __kasan_report+0xf3/0x120 mm/kasan/report.c:516
 kasan_report+0x30/0x60 mm/kasan/common.c:653
 __write_once_size include/linux/compiler.h:295 [inline]
 __hlist_del include/linux/list.h:789 [inline]
 detach_timer kernel/time/timer.c:824 [inline]
 detach_if_pending+0x160/0x360 kernel/time/timer.c:841
 try_to_del_timer_sync kernel/time/timer.c:1238 [inline]
 del_timer_sync+0x13c/0x230 kernel/time/timer.c:1379
 tun_flow_uninit+0x2c/0x280 drivers/net/tun.c:1451
 tun_free_netdev+0x77/0x190 drivers/net/tun.c:2401
 netdev_run_todo+0xb7f/0xdf0 net/core/dev.c:9450
 tun_detach drivers/net/tun.c:765 [inline]
 tun_chr_close+0xc1/0x130 drivers/net/tun.c:3554
 __fput+0x262/0x680 fs/file_table.c:281
 task_work_run+0x140/0x170 kernel/task_work.c:113
 ptrace_notify+0x29e/0x350 kernel/signal.c:2271
 ptrace_report_syscall include/linux/tracehook.h:66 [inline]
 tracehook_report_syscall_exit include/linux/tracehook.h:129 [inline]
 syscall_slow_exit_work+0x167/0x400 arch/x86/entry/common.c:246
 syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
 do_syscall_64+0x19d/0x1c0 arch/x86/entry/common.c:300
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1

The buggy address belongs to the page:
page:ffffea00076a08c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x8000000000000000()
raw: 8000000000000000 0000000000000000 ffffea00076a08c8 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x46dc0(GFP_KERNEL|__GFP_NOWARN|__GFP_RETRY_MAYFAIL|__GFP_COMP|__GFP_ZERO)
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook mm/page_alloc.c:2165 [inline]
 prep_new_page+0x18f/0x370 mm/page_alloc.c:2171
 get_page_from_freelist+0x2d13/0x2d90 mm/page_alloc.c:3794
 __alloc_pages_nodemask+0x393/0x840 mm/page_alloc.c:4891
 __alloc_pages include/linux/gfp.h:503 [inline]
 __alloc_pages_node include/linux/gfp.h:516 [inline]
 alloc_pages_node include/linux/gfp.h:530 [inline]
 kmalloc_order mm/slab_common.c:1342 [inline]
 kmalloc_order_trace+0x2a/0x100 mm/slab_common.c:1358
 __kmalloc_node include/linux/slab.h:422 [inline]
 kmalloc_node include/linux/slab.h:599 [inline]
 kvmalloc_node+0x7e/0xf0 mm/util.c:596
 kvmalloc include/linux/mm.h:759 [inline]
 kvzalloc include/linux/mm.h:767 [inline]
 alloc_netdev_mqs+0x85/0xc70 net/core/dev.c:9602
 tun_set_iff+0x51f/0xdc0 drivers/net/tun.c:2887
 __tun_chr_ioctl+0x860/0x1d50 drivers/net/tun.c:3180
 do_vfs_ioctl+0x742/0x1720 fs/ioctl.c:47
 ksys_ioctl fs/ioctl.c:742 [inline]
 __do_sys_ioctl fs/ioctl.c:749 [inline]
 __se_sys_ioctl fs/ioctl.c:747 [inline]
 __x64_sys_ioctl+0xd4/0x110 fs/ioctl.c:747
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1176 [inline]
 __free_pages_ok+0x847/0x950 mm/page_alloc.c:1438
 free_the_page mm/page_alloc.c:4953 [inline]
 __free_pages+0x91/0x140 mm/page_alloc.c:4959
 device_release+0x6b/0x190 drivers/base/core.c:1776
 kobject_cleanup lib/kobject.c:708 [inline]
 kobject_release lib/kobject.c:739 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x1e6/0x2f0 lib/kobject.c:756
 tun_set_iff+0x870/0xdc0 drivers/net/tun.c:2918
 __tun_chr_ioctl+0x860/0x1d50 drivers/net/tun.c:3180
 do_vfs_ioctl+0x742/0x1720 fs/ioctl.c:47
 ksys_ioctl fs/ioctl.c:742 [inline]
 __do_sys_ioctl fs/ioctl.c:749 [inline]
 __se_sys_ioctl fs/ioctl.c:747 [inline]
 __x64_sys_ioctl+0xd4/0x110 fs/ioctl.c:747
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1

Memory state around the buggy address:
 ffff8881da823080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881da823100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8881da823180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                           ^
 ffff8881da823200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881da823280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (494):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2023/11/14 07:08 android12-5.4 2ac128c04e33 cb976f63 .config strace log report syz C [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/07/03 17:47 android12-5.4 58de09405d1e 1ecfa2d8 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/07/03 07:41 android12-5.4 58de09405d1e 1ecfa2d8 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/07/02 10:06 android12-5.4 58de09405d1e 07f0a0a0 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/07/01 03:16 android12-5.4 4275fce9fe94 757f06b1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/30 22:34 android12-5.4 4275fce9fe94 757f06b1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/28 15:05 android12-5.4 6f97bd951d82 757f06b1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/27 19:17 android12-5.4 6f97bd951d82 6ef39602 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/24 05:45 android12-5.4 6f97bd951d82 edc5149a .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/22 19:19 android12-5.4 6f97bd951d82 edc5149a .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/22 05:09 android12-5.4 6f97bd951d82 edc5149a .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/20 11:31 android12-5.4 6f97bd951d82 dac2aa43 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/19 10:12 android12-5.4 6f97bd951d82 41b7e219 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/19 06:14 android12-5.4 6f97bd951d82 41b7e219 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/18 23:46 android12-5.4 6f97bd951d82 639d6cdf .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/18 11:17 android12-5.4 6f97bd951d82 639d6cdf .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/17 06:19 android12-5.4 6f97bd951d82 f429ab00 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/17 02:45 android12-5.4 6f97bd951d82 f429ab00 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/16 08:18 android12-5.4 6f97bd951d82 f429ab00 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/16 02:53 android12-5.4 6f97bd951d82 f429ab00 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/15 12:36 android12-5.4 6f97bd951d82 f429ab00 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/15 03:32 android12-5.4 6f97bd951d82 f429ab00 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/14 18:11 android12-5.4 6f97bd951d82 8d849073 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/14 11:41 android12-5.4 6f97bd951d82 8d849073 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/14 06:36 android12-5.4 6f97bd951d82 a9616ff5 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/13 20:17 android12-5.4 6f97bd951d82 a9616ff5 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/13 09:47 android12-5.4 6f97bd951d82 2aa5052f .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/13 00:20 android12-5.4 6f97bd951d82 f815599d .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/12 23:04 android12-5.4 6f97bd951d82 f815599d .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/12 17:25 android12-5.4 6f97bd951d82 f815599d .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/11 15:46 android12-5.4 4433e72c494f b7d9eb04 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/11 02:06 android12-5.4 dd432c37afcd 048c640a .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/10 05:35 android12-5.4 dd432c37afcd 82c05ab8 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/09 10:48 android12-5.4 dd432c37afcd 82c05ab8 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/08 18:50 android12-5.4 dd432c37afcd 82c05ab8 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/08 07:36 android12-5.4 dd432c37afcd 82c05ab8 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/06/07 22:52 android12-5.4 dd432c37afcd 82c05ab8 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2023/02/10 18:18 android12-5.4 6a5ec6cea0cd e29a17f5 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in detach_if_pending
2024/07/03 00:19 android12-5.4 58de09405d1e 07f0a0a0 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: slab-out-of-bounds Write in detach_if_pending
2024/07/02 20:08 android12-5.4 58de09405d1e 07f0a0a0 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: slab-out-of-bounds Write in detach_if_pending
2024/07/01 20:44 android12-5.4 4275fce9fe94 b294e901 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: slab-out-of-bounds Write in detach_if_pending
2024/06/30 19:26 android12-5.4 4275fce9fe94 757f06b1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: slab-out-of-bounds Write in detach_if_pending
2024/06/20 21:59 android12-5.4 6f97bd951d82 dac2aa43 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: slab-out-of-bounds Write in detach_if_pending
2024/06/17 13:45 android12-5.4 6f97bd951d82 1f11cfd7 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: slab-out-of-bounds Write in detach_if_pending
2024/06/16 22:59 android12-5.4 6f97bd951d82 f429ab00 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: slab-out-of-bounds Write in detach_if_pending
2024/06/10 23:33 android12-5.4 dd432c37afcd 048c640a .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: slab-out-of-bounds Write in detach_if_pending
2024/06/07 21:18 android12-5.4 dd432c37afcd 82c05ab8 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: slab-out-of-bounds Write in detach_if_pending
2024/02/03 09:45 android12-5.4 bf4c80bc4358 60bf9982 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: out-of-bounds Write in detach_if_pending
2024/01/29 13:14 android12-5.4 4d7b888b5774 991a98f4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan general protection fault in detach_if_pending
* Struck through repros no longer work on HEAD.