syzbot

 sign-in | mailing list | source | docs
🐞 Open [712]
🐞 Fixed [297]
🐞 Invalid [838]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

general protection fault in tipc_conn_close

Status: upstream: reported C repro on 2021/05/01 19:58
Reported-by: syzbot+cae65bcdcf43a3593dd6@syzkaller.appspotmail.com
First crash: 1839d, last: 1331d
Fix bisection: failed (error log, bisect log)
  
Similar bugs (21)
Kernel Title Rank 🛈 Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-54 general protection fault in tipc_conn_close (2) 2 2 933d 1008d 0/2 auto-obsoleted due to no activity on 2024/01/22 16:54
android-5-15 general protection fault in tipc_conn_close (2) 2 4 853d 969d 0/2 auto-obsoleted due to no activity on 2024/04/11 01:35
android-6-1 general protection fault in tipc_conn_close (4) 2 2 6d04h 11d 0/2 premoderation: reported on 2026/05/03 09:20
android-54 general protection fault in tipc_conn_close 19 9 1151d 1416d 0/2 auto-obsoleted due to no activity on 2023/07/18 14:57
android-5-10 general protection fault in tipc_conn_close (3) 2 1 972d 972d 0/2 auto-obsoleted due to no activity on 2023/12/14 05:20
android-54 general protection fault in tipc_conn_close (3) 2 1 427d 427d 0/2 auto-obsoleted due to no activity on 2025/06/11 23:15
android-5-15 general protection fault in tipc_conn_close (4) 2 1 195d 195d 0/2 auto-obsoleted due to no activity on 2026/01/29 07:23
upstream general protection fault in tipc_conn_close (4) tipc 2 1 320d 316d 29/29 fixed on 2025/09/04 16:57
upstream general protection fault in tipc_conn_close tipc 2 C 3 3006d 3007d 5/29 fixed on 2018/05/08 18:30
android-6-1 general protection fault in tipc_conn_close 2 6 826d 1052d 0/2 auto-obsoleted due to no activity on 2024/05/18 20:39
android-5-10 general protection fault in tipc_conn_close 2 1 1461d 1461d 0/2 auto-closed as invalid on 2022/08/12 11:37
android-6-1 general protection fault in tipc_conn_close (2) 2 1 346d 346d 0/2 auto-obsoleted due to no activity on 2025/08/31 08:25
android-5-10 general protection fault in tipc_conn_close (2) 2 6 1246d 1332d 0/2 auto-obsoleted due to no activity on 2023/04/11 05:56
android-5-10 general protection fault in tipc_conn_close (5) 19 5 58d 214d 0/2 premoderation: reported on 2025/10/12 19:22
upstream general protection fault in tipc_conn_close (5) tipc 2 2 142d 190d 0/29 closed as invalid on 2026/01/09 17:04
upstream general protection fault in tipc_conn_close (3) tipc 2 1 937d 933d 0/29 auto-obsoleted due to no activity on 2024/01/18 09:00
upstream general protection fault in tipc_conn_close (2) tipc 2 21 1050d 1622d 0/29 auto-obsoleted due to no activity on 2023/10/06 23:51
android-6-1 general protection fault in tipc_conn_close (3) 2 3 127d 171d 0/2 auto-obsoleted due to no activity on 2026/04/07 00:50
android-5-15 general protection fault in tipc_conn_close 19 4 1080d 1294d 0/2 auto-obsoleted due to no activity on 2023/08/28 21:57
android-5-15 general protection fault in tipc_conn_close (3) 2 1 299d 299d 0/2 auto-obsoleted due to no activity on 2025/10/17 12:07
android-5-10 general protection fault in tipc_conn_close (4) 2 2 350d 416d 0/2 auto-obsoleted due to no activity on 2025/08/27 20:16
Fix bisection attempts (2)
Created Duration User Patch Repo Result
2021/10/17 21:36 11m bisect fix linux-4.19.y error job log
2021/09/17 20:50 45m bisect fix linux-4.19.y OK (0) job log log

Sample crash report:
IPVS: ftp: loaded support on port[0] = 21
IPVS: ftp: loaded support on port[0] = 21
IPVS: ftp: loaded support on port[0] = 21
IPVS: ftp: loaded support on port[0] = 21
==================================================================
BUG: KASAN: use-after-free in tipc_conn_close+0x122/0x140 net/tipc/topsrv.c:165
Read of size 8 at addr ffff888099305a08 by task kworker/u4:3/435

CPU: 0 PID: 435 Comm: kworker/u4:3 Not tainted 4.19.204-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
 kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
 kasan_report mm/kasan/report.c:412 [inline]
 __asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433
 tipc_conn_close+0x122/0x140 net/tipc/topsrv.c:165
 tipc_topsrv_stop net/tipc/topsrv.c:701 [inline]
 tipc_topsrv_exit_net+0x27b/0x5c0 net/tipc/topsrv.c:722
 ops_exit_list+0xa5/0x150 net/core/net_namespace.c:153
 cleanup_net+0x3b4/0x8b0 net/core/net_namespace.c:553
 process_one_work+0x864/0x1570 kernel/workqueue.c:2153
 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
 kthread+0x33f/0x460 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

Allocated by task 23:
 kmem_cache_alloc_trace+0x12f/0x380 mm/slab.c:3625
 kmalloc include/linux/slab.h:515 [inline]
 kzalloc include/linux/slab.h:709 [inline]
 tipc_conn_alloc+0x43/0x4f0 net/tipc/topsrv.c:192
 tipc_topsrv_accept+0x1b5/0x280 net/tipc/topsrv.c:470
 process_one_work+0x864/0x1570 kernel/workqueue.c:2153
 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
 kthread+0x33f/0x460 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

Freed by task 23:
 __cache_free mm/slab.c:3503 [inline]
 kfree+0xcc/0x210 mm/slab.c:3822
 tipc_conn_kref_release net/tipc/topsrv.c:150 [inline]
 kref_put include/linux/kref.h:70 [inline]
 conn_put+0x2cd/0x3a0 net/tipc/topsrv.c:155
 process_one_work+0x864/0x1570 kernel/workqueue.c:2153
 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
 kthread+0x33f/0x460 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

The buggy address belongs to the object at ffff888099305a00
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 8 bytes inside of
 512-byte region [ffff888099305a00, ffff888099305c00)
The buggy address belongs to the page:
page:ffffea000264c140 count:1 mapcount:0 mapping:ffff88813bff0940 index:0x0
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffffea00028b6b88 ffffea0002cd2b08 ffff88813bff0940
raw: 0000000000000000 ffff888099305000 0000000100000006 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888099305900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888099305980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888099305a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff888099305a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888099305b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (3):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2021/08/18 20:50 linux-4.19.y 59456c9cc40c a2fe1cb5 .config console log report syz C ci2-linux-4-19 KASAN: use-after-free Read in tipc_conn_close
2022/09/21 08:53 linux-4.19.y 3f8a27f9e27b c4b8ccfd .config console log report info [disk image] [vmlinux] ci2-linux-4-19 general protection fault in tipc_conn_close
2021/05/01 19:57 linux-4.19.y 97a8651cadce 77e2b668 .config console log report info ci2-linux-4-19 general protection fault in tipc_conn_close
* Struck through repros no longer work on HEAD.