syzbot |
sign-in | mailing list | source | docs |
| 🐞 Open [79] 🐞 Fixed [21] 🐞 Invalid [282] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes | 💬 Send us feedback |
| Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|
| android-5-10 | KASAN: use-after-free Read in f2fs_remove_dirty_inode | C | error | error | 4 | 346d | 402d | 0/2 | auto-obsoleted due to no activity on 2023/08/23 09:03 |
| android-5-15 | KASAN: use-after-free Read in f2fs_remove_dirty_inode origin:lts | syz | error | error | 1 | 402d | 402d | 0/2 | auto-obsoleted due to no activity on 2023/06/26 19:00 |
================================================================== BUG: KASAN: use-after-free in __list_del_entry_valid+0x80/0x120 lib/list_debug.c:59 Read of size 8 at addr ffff8881eb592398 by task kworker/u4:1/8171 CPU: 0 PID: 8171 Comm: kworker/u4:1 Not tainted 5.4.233-syzkaller-00011-g0108362f3305 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/30/2023 Workqueue: writeback wb_workfn (flush-7:5) Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1d8/0x241 lib/dump_stack.c:118 print_address_description+0x8c/0x600 mm/kasan/report.c:384 __kasan_report+0xf3/0x120 mm/kasan/report.c:516 kasan_report+0x30/0x60 mm/kasan/common.c:653 __list_del_entry_valid+0x80/0x120 lib/list_debug.c:59 __list_del_entry include/linux/list.h:131 [inline] list_del_init include/linux/list.h:190 [inline] __remove_dirty_inode fs/f2fs/checkpoint.c:1015 [inline] f2fs_remove_dirty_inode+0x214/0x3e0 fs/f2fs/checkpoint.c:1051 __f2fs_write_data_pages fs/f2fs/data.c:3247 [inline] f2fs_write_data_pages+0x24b5/0x2c20 fs/f2fs/data.c:3261 do_writepages+0x12b/0x270 mm/page-writeback.c:2344 __writeback_single_inode+0xd9/0xcc0 fs/fs-writeback.c:1467 writeback_sb_inodes+0xa2c/0x1990 fs/fs-writeback.c:1730 wb_writeback+0x403/0xd70 fs/fs-writeback.c:1905 wb_do_writeback fs/fs-writeback.c:2050 [inline] wb_workfn+0x3a9/0x10c0 fs/fs-writeback.c:2091 process_one_work+0x765/0xd20 kernel/workqueue.c:2287 worker_thread+0xaef/0x1470 kernel/workqueue.c:2433 kthread+0x2da/0x360 kernel/kthread.c:288 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:354 Allocated by task 9620: save_stack mm/kasan/common.c:70 [inline] set_track mm/kasan/common.c:78 [inline] __kasan_kmalloc+0x130/0x1d0 mm/kasan/common.c:529 kmalloc include/linux/slab.h:556 [inline] copy_mount_options+0x5c/0x300 fs/namespace.c:3040 ksys_mount+0x97/0xf0 fs/namespace.c:3367 __do_sys_mount fs/namespace.c:3386 [inline] __se_sys_mount fs/namespace.c:3383 [inline] __x64_sys_mount+0xb1/0xc0 fs/namespace.c:3383 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x5c/0xc1 Freed by task 9620: save_stack mm/kasan/common.c:70 [inline] set_track mm/kasan/common.c:78 [inline] kasan_set_free_info mm/kasan/common.c:345 [inline] __kasan_slab_free+0x178/0x230 mm/kasan/common.c:487 slab_free_hook mm/slub.c:1455 [inline] slab_free_freelist_hook mm/slub.c:1494 [inline] slab_free mm/slub.c:3080 [inline] kfree+0xeb/0x320 mm/slub.c:4071 ksys_mount+0xcd/0xf0 fs/namespace.c:3374 __do_sys_mount fs/namespace.c:3386 [inline] __se_sys_mount fs/namespace.c:3383 [inline] __x64_sys_mount+0xb1/0xc0 fs/namespace.c:3383 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x5c/0xc1 The buggy address belongs to the object at ffff8881eb592000 which belongs to the cache kmalloc-4k of size 4096 The buggy address is located 920 bytes inside of 4096-byte region [ffff8881eb592000, ffff8881eb593000) The buggy address belongs to the page: page:ffffea0007ad6400 refcount:1 mapcount:0 mapping:ffff8881f5c0c280 index:0x0 compound_mapcount: 0 flags: 0x8000000000010200(slab|head) raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881f5c0c280 raw: 0000000000000000 0000000080040004 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL) set_page_owner include/linux/page_owner.h:31 [inline] post_alloc_hook mm/page_alloc.c:2165 [inline] prep_new_page+0x18f/0x370 mm/page_alloc.c:2171 get_page_from_freelist+0x2ce8/0x2d70 mm/page_alloc.c:3794 __alloc_pages_nodemask+0x393/0x840 mm/page_alloc.c:4891 alloc_slab_page+0x39/0x3c0 mm/slub.c:343 allocate_slab mm/slub.c:1683 [inline] new_slab+0x97/0x440 mm/slub.c:1749 new_slab_objects mm/slub.c:2505 [inline] ___slab_alloc+0x2fe/0x490 mm/slub.c:2667 __slab_alloc+0x5a/0x90 mm/slub.c:2707 slab_alloc_node mm/slub.c:2792 [inline] slab_alloc mm/slub.c:2837 [inline] kmem_cache_alloc_trace+0x128/0x240 mm/slub.c:2854 kmalloc include/linux/slab.h:556 [inline] kzalloc include/linux/slab.h:690 [inline] uevent_show+0x158/0x2e0 drivers/base/core.c:1938 dev_attr_show+0x50/0xb0 drivers/base/core.c:1647 sysfs_kf_seq_show+0x265/0x3e0 fs/sysfs/file.c:61 seq_read+0x4df/0xe60 fs/seq_file.c:232 __vfs_read+0x103/0x730 fs/read_write.c:425 vfs_read+0x148/0x360 fs/read_write.c:461 ksys_read+0x199/0x2c0 fs/read_write.c:587 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1176 [inline] __free_pages_ok+0x83d/0x940 mm/page_alloc.c:1438 free_the_page mm/page_alloc.c:4953 [inline] __free_pages+0x91/0x140 mm/page_alloc.c:4959 __free_slab+0x221/0x2e0 mm/slub.c:1774 __slab_free+0x33e/0x350 mm/slub.c:3012 qlist_free_all+0x43/0xb0 mm/kasan/quarantine.c:167 quarantine_reduce+0x174/0x190 mm/kasan/quarantine.c:260 __kasan_kmalloc+0x43/0x1d0 mm/kasan/common.c:507 slab_post_alloc_hook mm/slab.h:584 [inline] slab_alloc_node mm/slub.c:2829 [inline] slab_alloc mm/slub.c:2837 [inline] kmem_cache_alloc+0xd0/0x220 mm/slub.c:2842 getname_flags+0xb8/0x4e0 fs/namei.c:141 do_sys_open+0x357/0x810 fs/open.c:1107 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x5c/0xc1 Memory state around the buggy address: ffff8881eb592280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8881eb592300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8881eb592380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8881eb592400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8881eb592480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== list_del corruption. prev->next should be ffff8881a15d9358, but was 0000000000000000 ------------[ cut here ]------------ kernel BUG at lib/list_debug.c:61! invalid opcode: 0000 [#1] PREEMPT SMP KASAN CPU: 0 PID: 8171 Comm: kworker/u4:1 Tainted: G B 5.4.233-syzkaller-00011-g0108362f3305 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/30/2023 Workqueue: writeback wb_workfn (flush-7:5) RIP: 0010:__list_del_entry_valid+0x107/0x120 lib/list_debug.c:59 Code: 4c 89 f6 e8 ec 5b 0f 02 0f 0b 48 c7 c7 a0 bc d9 84 4c 89 f6 e8 db 5b 0f 02 0f 0b 48 c7 c7 00 bd d9 84 4c 89 f6 e8 ca 5b 0f 02 <0f> 0b 48 c7 c7 60 bd d9 84 4c 89 f6 e8 b9 5b 0f 02 0f 0b 66 0f 1f RSP: 0018:ffff8881d813f098 EFLAGS: 00010246 RAX: 0000000000000054 RBX: ffff8881eb592398 RCX: cfac6219cf552e00 RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 RBP: dffffc0000000000 R08: ffffffff814ca536 R09: ffffed103edcaa08 R10: 0000000000000000 R11: dffffc0000000001 R12: dffffc0000000000 R13: ffff8881a15d9358 R14: ffff8881a15d9358 R15: ffff8881eb592398 FS: 0000000000000000(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fff28381478 CR3: 00000001b0b53000 CR4: 00000000003406f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __list_del_entry include/linux/list.h:131 [inline] list_del_init include/linux/list.h:190 [inline] __remove_dirty_inode fs/f2fs/checkpoint.c:1015 [inline] f2fs_remove_dirty_inode+0x214/0x3e0 fs/f2fs/checkpoint.c:1051 __f2fs_write_data_pages fs/f2fs/data.c:3247 [inline] f2fs_write_data_pages+0x24b5/0x2c20 fs/f2fs/data.c:3261 do_writepages+0x12b/0x270 mm/page-writeback.c:2344 __writeback_single_inode+0xd9/0xcc0 fs/fs-writeback.c:1467 writeback_sb_inodes+0xa2c/0x1990 fs/fs-writeback.c:1730 wb_writeback+0x403/0xd70 fs/fs-writeback.c:1905 wb_do_writeback fs/fs-writeback.c:2050 [inline] wb_workfn+0x3a9/0x10c0 fs/fs-writeback.c:2091 process_one_work+0x765/0xd20 kernel/workqueue.c:2287 worker_thread+0xaef/0x1470 kernel/workqueue.c:2433 kthread+0x2da/0x360 kernel/kthread.c:288 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:354 Modules linked in: ---[ end trace b1ee2024487b884b ]--- RIP: 0010:__list_del_entry_valid+0x107/0x120 lib/list_debug.c:59 Code: 4c 89 f6 e8 ec 5b 0f 02 0f 0b 48 c7 c7 a0 bc d9 84 4c 89 f6 e8 db 5b 0f 02 0f 0b 48 c7 c7 00 bd d9 84 4c 89 f6 e8 ca 5b 0f 02 <0f> 0b 48 c7 c7 60 bd d9 84 4c 89 f6 e8 b9 5b 0f 02 0f 0b 66 0f 1f RSP: 0018:ffff8881d813f098 EFLAGS: 00010246 RAX: 0000000000000054 RBX: ffff8881eb592398 RCX: cfac6219cf552e00 RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 RBP: dffffc0000000000 R08: ffffffff814ca536 R09: ffffed103edcaa08 R10: 0000000000000000 R11: dffffc0000000001 R12: dffffc0000000000 R13: ffff8881a15d9358 R14: ffff8881a15d9358 R15: ffff8881eb592398 FS: 0000000000000000(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fff28381478 CR3: 00000001b0b53000 CR4: 00000000003406f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2023/04/22 02:54 | android12-5.4 | 0108362f3305 | 2b32bd34 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-android-5-4-kasan | KASAN: use-after-free Read in f2fs_remove_dirty_inode | ||
| 2023/04/08 12:34 | android12-5.4 | 21086923c1e6 | 71147e29 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-android-5-4-kasan | KASAN: use-after-free Read in f2fs_remove_dirty_inode |