syzbot

 sign-in | mailing list | source | docs
🐞 Open [712]
🐞 Fixed [297]
🐞 Invalid [838]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

KASAN: use-after-free Read in tasklet_action_common

Status: upstream: reported C repro on 2020/05/17 20:44
Subsystems: ext4
[Documentation on labels]
Reported-by: syzbot+999c19450d1efd698a94@syzkaller.appspotmail.com
First crash: 1678d, last: 655d
Fix bisection: failed (error log, bisect log)
  
Fix bisection attempts (3)
Created Duration User Patch Repo Result
2020/10/15 12:47 3m bisect fix linux-4.19.y error job log
2020/09/15 12:15 32m bisect fix linux-4.19.y OK (0) job log log
2020/06/17 08:13 38m bisect fix linux-4.19.y OK (0) job log log

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in tasklet_action_common.constprop.0+0x29e/0x360 kernel/softirq.c:515
Read of size 8 at addr ffff8880913ec590 by task ksoftirqd/1/18

CPU: 1 PID: 18 Comm: ksoftirqd/1 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/21/2023
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
 kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
 kasan_report mm/kasan/report.c:412 [inline]
 __asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433
 tasklet_action_common.constprop.0+0x29e/0x360 kernel/softirq.c:515
 __do_softirq+0x265/0x980 kernel/softirq.c:292
 run_ksoftirqd+0x57/0x110 kernel/softirq.c:653
 smpboot_thread_fn+0x655/0x9e0 kernel/smpboot.c:164
 kthread+0x33f/0x460 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

Allocated by task 24848:
 kmem_cache_alloc_trace+0x12f/0x380 mm/slab.c:3625
 kmalloc include/linux/slab.h:515 [inline]
 kzalloc include/linux/slab.h:709 [inline]
 bcm_tx_setup net/can/bcm.c:947 [inline]
 bcm_sendmsg+0x25d7/0x4150 net/can/bcm.c:1386
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg+0xc3/0x120 net/socket.c:661
 ___sys_sendmsg+0x7bb/0x8e0 net/socket.c:2227
 __sys_sendmsg net/socket.c:2265 [inline]
 __do_sys_sendmsg net/socket.c:2274 [inline]
 __se_sys_sendmsg net/socket.c:2272 [inline]
 __x64_sys_sendmsg+0x132/0x220 net/socket.c:2272
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 24848:
 __cache_free mm/slab.c:3503 [inline]
 kfree+0xcc/0x210 mm/slab.c:3822
 bcm_release+0x260/0x950 net/can/bcm.c:1561
 __sock_release+0xcd/0x2a0 net/socket.c:599
 sock_close+0x15/0x20 net/socket.c:1214
 __fput+0x2ce/0x890 fs/file_table.c:278
 task_work_run+0x148/0x1c0 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:193 [inline]
 exit_to_usermode_loop+0x251/0x2a0 arch/x86/entry/common.c:167
 prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
 do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8880913ec4c0
 which belongs to the cache kmalloc-1024 of size 1024
The buggy address is located 208 bytes inside of
 1024-byte region [ffff8880913ec4c0, ffff8880913ec8c0)
The buggy address belongs to the page:
page:ffffea000244fb00 count:1 mapcount:0 mapping:ffff88813bff0ac0 index:0xffff8880913edb40 compound_mapcount: 0
flags: 0xfff00000008100(slab|head)
raw: 00fff00000008100 ffffea0002491308 ffffea0002448d88 ffff88813bff0ac0
raw: ffff8880913edb40 ffff8880913ec040 0000000100000004 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880913ec480: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
 ffff8880913ec500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880913ec580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                         ^
 ffff8880913ec600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880913ec680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (477):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2023/02/19 23:28 linux-4.19.y 3f8a27f9e27b bcdf85f8 .config console log report syz C [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2023/02/10 01:50 linux-4.19.y 3f8a27f9e27b 07980f9d .config console log report syz C [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2022/12/21 05:56 linux-4.19.y 3f8a27f9e27b d3e76707 .config console log report syz C [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2022/12/16 13:13 linux-4.19.y 3f8a27f9e27b 6f9c033e .config console log report syz C [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2022/12/06 01:10 linux-4.19.y 3f8a27f9e27b 045cbb84 .config console log report syz C [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2022/11/09 07:04 linux-4.19.y 3f8a27f9e27b 5fa28208 .config console log report syz C [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2022/08/15 20:37 linux-4.19.y 3f8a27f9e27b 8dfcaa3d .config console log report syz C ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2022/05/12 01:03 linux-4.19.y 3f8a27f9e27b beb0b407 .config console log report syz C ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2022/02/02 17:49 linux-4.19.y 3f8a27f9e27b 4ebb2798 .config console log report syz C ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2021/12/25 13:58 linux-4.19.y 3f8a27f9e27b 6caa12e4 .config console log report syz C ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2021/12/22 02:33 linux-4.19.y 3f8a27f9e27b 6caa12e4 .config console log report syz C ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2021/09/14 21:46 linux-4.19.y b172b44fcb17 07e953c1 .config console log report syz C ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2021/08/21 08:59 linux-4.19.y 59456c9cc40c b599f2fc .config console log report syz C ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2020/05/18 08:13 linux-4.19.y 258f0cf7ac3b 37bccd4e .config console log report syz C ci2-linux-4-19
2022/12/08 22:17 linux-4.19.y 3f8a27f9e27b 1034e5fa .config console log report syz [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2022/05/19 17:28 linux-4.19.y 3f8a27f9e27b cb1ac2e7 .config console log report syz ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2021/05/06 02:01 linux-4.19.y 97a8651cadce 06c27ff5 .config console log report syz ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2023/03/07 05:09 linux-4.19.y 3f8a27f9e27b f8902b57 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2023/03/07 00:46 linux-4.19.y 3f8a27f9e27b f8902b57 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2023/03/05 09:06 linux-4.19.y 3f8a27f9e27b f8902b57 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2023/03/04 16:20 linux-4.19.y 3f8a27f9e27b f8902b57 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2023/03/03 22:20 linux-4.19.y 3f8a27f9e27b f8902b57 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2023/03/03 10:51 linux-4.19.y 3f8a27f9e27b f8902b57 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2023/03/01 08:16 linux-4.19.y 3f8a27f9e27b ef65e6cb .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2023/02/28 20:56 linux-4.19.y 3f8a27f9e27b 95aee97a .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2023/02/27 23:35 linux-4.19.y 3f8a27f9e27b 95aee97a .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2023/02/27 09:16 linux-4.19.y 3f8a27f9e27b 9189cb53 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2023/02/27 00:39 linux-4.19.y 3f8a27f9e27b ee50e71c .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2023/02/25 22:17 linux-4.19.y 3f8a27f9e27b ee50e71c .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2023/02/25 19:40 linux-4.19.y 3f8a27f9e27b ee50e71c .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2023/02/25 08:58 linux-4.19.y 3f8a27f9e27b ee50e71c .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2023/02/25 01:29 linux-4.19.y 3f8a27f9e27b ee50e71c .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2023/02/24 18:53 linux-4.19.y 3f8a27f9e27b ee50e71c .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2023/02/24 12:40 linux-4.19.y 3f8a27f9e27b ee50e71c .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2023/02/23 11:48 linux-4.19.y 3f8a27f9e27b 9e2ebb3c .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2023/02/21 17:08 linux-4.19.y 3f8a27f9e27b f949448d .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2023/02/21 12:06 linux-4.19.y 3f8a27f9e27b f949448d .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2023/02/21 08:50 linux-4.19.y 3f8a27f9e27b f949448d .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2023/02/19 09:58 linux-4.19.y 3f8a27f9e27b bcdf85f8 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2023/02/18 04:56 linux-4.19.y 3f8a27f9e27b d02e9a70 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2023/02/18 03:37 linux-4.19.y 3f8a27f9e27b cf8c2d39 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2023/02/17 11:44 linux-4.19.y 3f8a27f9e27b 3e7039f4 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2023/02/16 23:05 linux-4.19.y 3f8a27f9e27b 851bc19a .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2023/02/16 10:14 linux-4.19.y 3f8a27f9e27b 38b317a7 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2023/02/16 02:25 linux-4.19.y 3f8a27f9e27b 6be0f1f5 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2023/02/15 15:06 linux-4.19.y 3f8a27f9e27b 6be0f1f5 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2023/02/15 09:59 linux-4.19.y 3f8a27f9e27b e62ba3c1 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2023/02/15 03:02 linux-4.19.y 3f8a27f9e27b e62ba3c1 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2023/02/14 21:31 linux-4.19.y 3f8a27f9e27b e62ba3c1 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2023/02/14 02:07 linux-4.19.y 3f8a27f9e27b 93ae7e0a .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2023/02/13 10:27 linux-4.19.y 3f8a27f9e27b 957959cb .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2023/02/13 05:09 linux-4.19.y 3f8a27f9e27b 93e26d60 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2023/02/13 01:52 linux-4.19.y 3f8a27f9e27b 93e26d60 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2023/02/12 00:10 linux-4.19.y 3f8a27f9e27b 93e26d60 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2023/02/11 17:19 linux-4.19.y 3f8a27f9e27b 93e26d60 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2023/02/11 14:44 linux-4.19.y 3f8a27f9e27b 93e26d60 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2023/02/11 09:37 linux-4.19.y 3f8a27f9e27b 93e26d60 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2023/02/11 00:50 linux-4.19.y 3f8a27f9e27b 93e26d60 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2023/02/10 09:28 linux-4.19.y 3f8a27f9e27b 07980f9d .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2023/02/09 17:02 linux-4.19.y 3f8a27f9e27b 07980f9d .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2023/02/09 12:49 linux-4.19.y 3f8a27f9e27b 14a312c8 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2023/02/09 04:34 linux-4.19.y 3f8a27f9e27b 14a312c8 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2023/02/08 14:50 linux-4.19.y 3f8a27f9e27b fc9c934e .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2023/02/07 07:16 linux-4.19.y 3f8a27f9e27b 5bc3be51 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2023/02/06 14:51 linux-4.19.y 3f8a27f9e27b 0a9c11b6 .config console log report info [disk image] [vmlinux] ci2-linux-4-19 KASAN: use-after-free Read in tasklet_action_common
2020/11/10 07:36 linux-4.19.y b94de4d19498 cca87986 .config console log report info ci2-linux-4-19
2020/05/17 20:43 linux-4.19.y 258f0cf7ac3b 37bccd4e .config console log report ci2-linux-4-19
* Struck through repros no longer work on HEAD.