syzbot |
sign-in | mailing list | source | docs |
| Kernel | Title | Rank 🛈 | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|---|
| upstream | KASAN: use-after-free Read in ip6_fragment (2) net | 19 | 1 | 965d | 960d | 22/29 | fixed on 2023/02/24 13:50 | |||
| upstream | KASAN: use-after-free Read in ip6_fragment net | 19 | 1 | 2250d | 2250d | 12/29 | fixed on 2019/06/18 17:49 |
hrtimer: interrupt took 36333 ns ================================================================== BUG: KASAN: use-after-free in ip6_dst_idev include/net/ip6_fib.h:147 [inline] BUG: KASAN: use-after-free in ip6_fragment+0x2d4a/0x2f30 net/ipv6/ip6_output.c:768 Read of size 8 at addr ffff8881c57c7118 by task syz-executor742/2396 CPU: 1 PID: 2396 Comm: syz-executor742 Not tainted 4.14.147+ #0 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0xca/0x134 lib/dump_stack.c:53 print_address_description+0x60/0x226 mm/kasan/report.c:187 __kasan_report.cold+0x1a/0x41 mm/kasan/report.c:316 ip6_dst_idev include/net/ip6_fib.h:147 [inline] ip6_fragment+0x2d4a/0x2f30 net/ipv6/ip6_output.c:768 ip6_finish_output+0x66d/0xb40 net/ipv6/ip6_output.c:152 NF_HOOK_COND include/linux/netfilter.h:239 [inline] ip6_output+0x1dc/0x680 net/ipv6/ip6_output.c:171 dst_output include/net/dst.h:462 [inline] ip6_local_out+0x98/0x170 net/ipv6/output_core.c:178 ip6_send_skb+0x9b/0x2f0 net/ipv6/ip6_output.c:1688 udp_v6_send_skb+0x4e2/0xe80 net/ipv6/udp.c:1081 udp_v6_push_pending_frames+0x224/0x330 net/ipv6/udp.c:1114 udpv6_sendmsg+0x194b/0x2500 net/ipv6/udp.c:1380 inet_sendmsg+0x15b/0x520 net/ipv4/af_inet.c:760 sock_sendmsg_nosec net/socket.c:646 [inline] sock_sendmsg+0xb7/0x100 net/socket.c:656 SYSC_sendto net/socket.c:1763 [inline] SyS_sendto+0x1de/0x2f0 net/socket.c:1731 do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x42/0xb7 RIP: 0033:0x447c79 RSP: 002b:00007f983ea1bda8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00000000006ddc28 RCX: 0000000000447c79 RDX: 000000000000ffb3 RSI: 00000000200003c0 RDI: 0000000000000004 RBP: 00000000006ddc20 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000004000000 R11: 0000000000000246 R12: 00000000006ddc2c R13: 00007ffca1d278ff R14: 00007f983ea1c9c0 R15: 00000000006ddc2c Allocated by task 2396: save_stack mm/kasan/common.c:76 [inline] set_track mm/kasan/common.c:85 [inline] __kasan_kmalloc.part.0+0x53/0xc0 mm/kasan/common.c:501 slab_post_alloc_hook mm/slab.h:439 [inline] slab_alloc_node mm/slub.c:2792 [inline] slab_alloc mm/slub.c:2800 [inline] kmem_cache_alloc+0xee/0x360 mm/slub.c:2805 dst_alloc+0xe6/0x1a0 net/core/dst.c:107 __ip6_dst_alloc+0x2e/0x50 net/ipv6/route.c:355 ip6_rt_pcpu_alloc net/ipv6/route.c:1034 [inline] rt6_make_pcpu_route net/ipv6/route.c:1064 [inline] ip6_pol_route+0xfed/0x26d0 net/ipv6/route.c:1189 fib6_rule_lookup+0xdb/0x420 net/ipv6/fib6_rules.c:83 ip6_route_output include/net/ip6_route.h:81 [inline] ip6_dst_lookup_tail+0xdab/0x16f0 net/ipv6/ip6_output.c:975 ip6_dst_lookup_flow+0xac/0x210 net/ipv6/ip6_output.c:1098 ip6_sk_dst_lookup_flow+0x397/0x540 net/ipv6/ip6_output.c:1129 udpv6_sendmsg+0x1833/0x2500 net/ipv6/udp.c:1329 inet_sendmsg+0x15b/0x520 net/ipv4/af_inet.c:760 sock_sendmsg_nosec net/socket.c:646 [inline] sock_sendmsg+0xb7/0x100 net/socket.c:656 SYSC_sendto net/socket.c:1763 [inline] SyS_sendto+0x1de/0x2f0 net/socket.c:1731 do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x42/0xb7 0xffffffffffffffff Freed by task 7: save_stack mm/kasan/common.c:76 [inline] set_track mm/kasan/common.c:85 [inline] __kasan_slab_free+0x164/0x210 mm/kasan/common.c:463 slab_free_hook mm/slub.c:1407 [inline] slab_free_freelist_hook mm/slub.c:1458 [inline] slab_free mm/slub.c:3039 [inline] kmem_cache_free+0xd7/0x3b0 mm/slub.c:3055 dst_destroy+0x1cc/0x2d0 net/core/dst.c:138 __rcu_reclaim kernel/rcu/rcu.h:195 [inline] rcu_do_batch kernel/rcu/tree.c:2699 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:2962 [inline] __rcu_process_callbacks kernel/rcu/tree.c:2929 [inline] rcu_process_callbacks+0x59f/0xf60 kernel/rcu/tree.c:2946 __do_softirq+0x234/0x9ec kernel/softirq.c:288 The buggy address belongs to the object at ffff8881c57c6fc0 which belongs to the cache ip6_dst_cache of size 384 The buggy address is located 344 bytes inside of 384-byte region [ffff8881c57c6fc0, ffff8881c57c7140) The buggy address belongs to the page: page:ffffea000715f180 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0 flags: 0x4000000000010200(slab|head) raw: 4000000000010200 0000000000000000 0000000000000000 0000000180120012 raw: dead000000000100 dead000000000200 ffff8881d1947c00 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8881c57c7000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8881c57c7080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8881c57c7100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ^ ffff8881c57c7180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8881c57c7200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ==================================================================
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2019/10/07 08:20 | android-4.14 | 9674240fb29c | f3f7d9c8 | .config | console log | report | syz | C | ci-android-414-kasan-gce-root | |||
| 2019/10/07 07:31 | android-4.14 | 9674240fb29c | f3f7d9c8 | .config | console log | report | ci-android-414-kasan-gce-root | |||||
| 2019/08/18 08:34 | android-4.14 | 5d8bfdf81cde | 55bf8926 | .config | console log | report | ci-android-414-kasan-gce-root | |||||
| 2019/08/18 05:33 | android-4.14 | 5d8bfdf81cde | 55bf8926 | .config | console log | report | ci-android-414-kasan-gce-root |