syzbot

 sign-in | mailing list | source | docs
🐞 Open [717]
🐞 Fixed [181]
🐞 Invalid [640]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

KASAN: use-after-free Read in drm_getunique

Status: upstream: reported syz repro on 2020/12/15 15:58
Reported-by: syzbot+4f9a7322e7df98511d8c@syzkaller.appspotmail.com
First crash: 1723d, last: 1283d
Fix bisection: failed (error log, bisect log)
  
Similar bugs (2)
Kernel Title Rank 🛈 Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Read in drm_getunique dri 19 syz inconclusive 2 1555d 1554d 20/29 fixed on 2021/11/10 00:50
linux-4.19 KASAN: use-after-free Read in drm_getunique 19 syz done 2 1561d 1729d 1/1 fixed on 2021/06/26 05:18
Last patch testing requests (2)
Created Duration User Patch Repo Result
2023/02/15 16:32 12m retest repro linux-4.14.y report log
2022/10/11 17:30 14m retest repro linux-4.14.y report log
Fix bisection attempts (16)
Created Duration User Patch Repo Result
2022/03/30 21:08 13m bisect fix linux-4.14.y error job log
2022/02/28 18:29 28m bisect fix linux-4.14.y OK (0) job log log
2022/01/29 17:41 28m bisect fix linux-4.14.y OK (0) job log log
2021/12/30 17:05 29m bisect fix linux-4.14.y OK (0) job log log
2021/11/30 15:45 24m bisect fix linux-4.14.y OK (0) job log log
2021/10/31 15:13 21m bisect fix linux-4.14.y OK (0) job log log
2021/09/24 03:42 27m bisect fix linux-4.14.y OK (0) job log log
2021/08/24 22:11 27m bisect fix linux-4.14.y OK (0) job log log
2021/07/25 21:45 25m bisect fix linux-4.14.y OK (0) job log log
2021/06/25 21:09 20m bisect fix linux-4.14.y OK (0) job log log
2021/05/26 20:41 28m bisect fix linux-4.14.y OK (0) job log log
2021/04/26 20:06 29m bisect fix linux-4.14.y OK (0) job log log
2021/03/27 10:17 21m bisect fix linux-4.14.y OK (0) job log log
2021/02/25 01:24 22m bisect fix linux-4.14.y OK (0) job log log
2021/02/13 17:57 0m bisect fix linux-4.14.y error job log
2021/01/14 17:33 23m bisect fix linux-4.14.y OK (0) job log log

Sample crash report:
batman_adv: batadv0: Interface activated: batadv_slave_1
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
Bluetooth: hci0 command 0x0409 tx timeout
==================================================================
BUG: KASAN: use-after-free in drm_getunique+0x1b4/0x250 drivers/gpu/drm/drm_ioctl.c:118
Read of size 4 at addr ffff8880af695818 by task syz-executor.0/8538

CPU: 1 PID: 8538 Comm: syz-executor.0 Not tainted 4.14.212-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x283 lib/dump_stack.c:58
 print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
 kasan_report_error.cold+0x8a/0x194 mm/kasan/report.c:351
 kasan_report mm/kasan/report.c:409 [inline]
 __asan_report_load4_noabort+0x68/0x70 mm/kasan/report.c:429
 drm_getunique+0x1b4/0x250 drivers/gpu/drm/drm_ioctl.c:118
 drm_ioctl_kernel+0x14c/0x200 drivers/gpu/drm/drm_ioctl.c:736
 drm_ioctl+0x419/0x870 drivers/gpu/drm/drm_ioctl.c:836
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:500 [inline]
 do_vfs_ioctl+0x75a/0xff0 fs/ioctl.c:684
 SYSC_ioctl fs/ioctl.c:701 [inline]
 SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x45e159
RSP: 002b:00007fdd9f7dfc68 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045e159
RDX: 0000000020000180 RSI: 00000000c0145401 RDI: 0000000000000003
RBP: 000000000119c068 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000119c034
R13: 00007fff4256ec3f R14: 00007fdd9f7e09c0 R15: 000000000119c034

Allocated by task 8536:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:551
 kmem_cache_alloc_trace+0x131/0x3d0 mm/slab.c:3618
 kmalloc include/linux/slab.h:488 [inline]
 kzalloc include/linux/slab.h:661 [inline]
 drm_master_create drivers/gpu/drm/drm_auth.c:100 [inline]
 drm_new_set_master+0x11a/0x5e0 drivers/gpu/drm/drm_auth.c:138
 drm_master_open+0xee/0x120 drivers/gpu/drm/drm_auth.c:236
 drm_open_helper drivers/gpu/drm/drm_file.c:251 [inline]
 drm_open+0x873/0x1010 drivers/gpu/drm/drm_file.c:155
 drm_stub_open+0x27b/0x400 drivers/gpu/drm/drm_drv.c:944
 chrdev_open+0x23c/0x6d0 fs/char_dev.c:423
 do_dentry_open+0x44b/0xec0 fs/open.c:777
 vfs_open+0x105/0x220 fs/open.c:888
 do_last fs/namei.c:3428 [inline]
 path_openat+0x628/0x2970 fs/namei.c:3569
 do_filp_open+0x179/0x3c0 fs/namei.c:3603
 do_sys_open+0x296/0x410 fs/open.c:1081
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb

Freed by task 8536:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0xc3/0x1a0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3496 [inline]
 kfree+0xc9/0x250 mm/slab.c:3815
 drm_master_destroy drivers/gpu/drm/drm_auth.c:322 [inline]
 kref_put include/linux/kref.h:70 [inline]
 drm_master_put+0x134/0x180 drivers/gpu/drm/drm_auth.c:333
 drm_new_set_master+0x3b1/0x5e0 drivers/gpu/drm/drm_auth.c:157
 drm_setmaster_ioctl+0x222/0x2c0 drivers/gpu/drm/drm_auth.c:190
 drm_ioctl_kernel+0x14c/0x200 drivers/gpu/drm/drm_ioctl.c:736
 drm_ioctl+0x419/0x870 drivers/gpu/drm/drm_ioctl.c:836
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:500 [inline]
 do_vfs_ioctl+0x75a/0xff0 fs/ioctl.c:684
 SYSC_ioctl fs/ioctl.c:701 [inline]
 SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb

The buggy address belongs to the object at ffff8880af695800
 which belongs to the cache kmalloc-256 of size 256
The buggy address is located 24 bytes inside of
 256-byte region [ffff8880af695800, ffff8880af695900)
The buggy address belongs to the page:
page:ffffea0002bda540 count:1 mapcount:0 mapping:ffff8880af695080 index:0xffff8880af695940
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffff8880af695080 ffff8880af695940 000000010000000a
raw: ffffea0002bda160 ffffea0002ca30e0 ffff88813fe807c0 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880af695700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880af695780: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880af695800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                            ^
 ffff8880af695880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880af695900: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
==================================================================

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/12/15 15:57 linux-4.14.y 3f2ecb86cb90 97183ed7 .config console log report syz ci2-linux-4-14
* Struck through repros no longer work on HEAD.