syzbot |
sign-in | mailing list | source | docs |
| 🐞 Open [938] 🐞 Fixed [4015] 🐞 Invalid [8885] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes |
| Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|
| linux-4.19 | KASAN: use-after-free Write in __alloc_skb | C | done | 2 | 987d | 1055d | 1/1 | fixed on 2020/02/11 15:16 | |
| upstream | KASAN: use-after-free Write in __alloc_skb (2) | C | done | 7 | 1001d | 1018d | 16/24 | fixed on 2020/02/18 14:31 | |
| linux-4.14 | KASAN: use-after-free Write in __alloc_skb (2) | C | 1 | 7d05h | 794d | 0/1 | upstream: reported C repro on 2020/07/24 01:04 | ||
| upstream | KASAN: use-after-free Write in __alloc_skb | 2 | 1042d | 1048d | 0/24 | closed as invalid on 2019/12/08 05:44 | |||
| linux-4.14 | KASAN: use-after-free Write in __alloc_skb | C | done | 1 | 987d | 1017d | 1/1 | fixed on 2020/02/14 21:56 |
| Created | Duration | User | Patch | Repo | Result |
|---|---|---|---|---|---|
| 2022/09/16 08:29 | 11m | upstream | report log | ||
| 2021/04/15 14:15 | 12m | alaaemadhossney.ae@gmail.com | upstream | report log | |
| 2020/08/29 06:31 | 11m | brookebasile@gmail.com | upstream | report log |
================================================================== BUG: KASAN: use-after-free in memset include/linux/string.h:391 [inline] BUG: KASAN: use-after-free in __alloc_skb+0x2f6/0x550 net/core/skbuff.c:239 Write of size 32 at addr ffff8881a7463f40 by task swapper/1/0 CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.8.0-rc6-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: <IRQ> __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x18f/0x20d lib/dump_stack.c:118 print_address_description.constprop.0.cold+0xae/0x436 mm/kasan/report.c:383 __kasan_report mm/kasan/report.c:513 [inline] kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530 check_memory_region_inline mm/kasan/generic.c:186 [inline] check_memory_region+0x13d/0x180 mm/kasan/generic.c:192 memset+0x20/0x40 mm/kasan/common.c:84 memset include/linux/string.h:391 [inline] __alloc_skb+0x2f6/0x550 net/core/skbuff.c:239 alloc_skb include/linux/skbuff.h:1083 [inline] alloc_skb_with_frags+0x92/0x570 net/core/skbuff.c:5770 sock_alloc_send_pskb+0x72a/0x880 net/core/sock.c:2356 mld_newpack+0x1e0/0x770 net/ipv6/mcast.c:1606 add_grhead+0x265/0x330 net/ipv6/mcast.c:1710 add_grec+0xe2c/0x1090 net/ipv6/mcast.c:1841 mld_send_cr net/ipv6/mcast.c:1967 [inline] mld_ifc_timer_expire+0x596/0xf10 net/ipv6/mcast.c:2474 call_timer_fn+0x1ac/0x760 kernel/time/timer.c:1415 expire_timers kernel/time/timer.c:1460 [inline] __run_timers.part.0+0x54c/0xa20 kernel/time/timer.c:1784 __run_timers kernel/time/timer.c:1756 [inline] run_timer_softirq+0xae/0x1a0 kernel/time/timer.c:1797 __do_softirq+0x34c/0xa60 kernel/softirq.c:292 asm_call_on_stack+0xf/0x20 arch/x86/entry/entry_64.S:711 </IRQ> __run_on_irqstack arch/x86/include/asm/irq_stack.h:22 [inline] run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:48 [inline] do_softirq_own_stack+0x111/0x170 arch/x86/kernel/irq_64.c:77 invoke_softirq kernel/softirq.c:387 [inline] __irq_exit_rcu kernel/softirq.c:417 [inline] irq_exit_rcu+0x229/0x270 kernel/softirq.c:429 sysvec_apic_timer_interrupt+0x54/0x120 arch/x86/kernel/apic/apic.c:1091 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:585 RIP: 0010:native_safe_halt+0xe/0x10 arch/x86/include/asm/irqflags.h:61 Code: ff 4c 89 ef e8 33 c9 ca f9 e9 8e fe ff ff 48 89 df e8 26 c9 ca f9 eb 8a cc cc cc cc e9 07 00 00 00 0f 00 2d 74 5f 60 00 fb f4 <c3> 90 e9 07 00 00 00 0f 00 2d 64 5f 60 00 f4 c3 cc cc 55 53 e8 29 RSP: 0018:ffffc90000d3fc88 EFLAGS: 00000293 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: ffff8880a9636340 RSI: ffffffff87e85c48 RDI: ffffffff87e85c1e RBP: ffff8880a68e7864 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000000 R12: ffff8880a68e7864 R13: 1ffff920001a7f9b R14: ffff8880a68e7865 R15: 0000000000000001 arch_safe_halt arch/x86/include/asm/paravirt.h:150 [inline] acpi_safe_halt+0x8d/0x110 drivers/acpi/processor_idle.c:111 acpi_idle_do_entry+0x15c/0x1b0 drivers/acpi/processor_idle.c:525 acpi_idle_enter+0x3f9/0xab0 drivers/acpi/processor_idle.c:651 cpuidle_enter_state+0xff/0x960 drivers/cpuidle/cpuidle.c:235 cpuidle_enter+0x4a/0xa0 drivers/cpuidle/cpuidle.c:346 call_cpuidle kernel/sched/idle.c:126 [inline] cpuidle_idle_call kernel/sched/idle.c:214 [inline] do_idle+0x431/0x6d0 kernel/sched/idle.c:276 cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:372 start_secondary+0x2b3/0x370 arch/x86/kernel/smpboot.c:268 secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:243 The buggy address belongs to the page: page:ffffea00069d18c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 flags: 0x57ffe0000000000() raw: 057ffe0000000000 ffffea00069d18c8 ffffea00069d18c8 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8881a7463e00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8881a7463e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff8881a7463f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff8881a7463f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8881a7464000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ==================================================================
| Manager | Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|
| ci-upstream-kasan-gce | 2020/07/25 18:21 | upstream | 68845a55c31b | 1f7cc1ca | .config | log | report | syz | C | ||
| ci-upstream-linux-next-kasan-gce-root | 2020/07/27 08:23 | linux-next | 26027945c94a | 51265195 | .config | log | report | syz | C |