syzbot |
sign-in | mailing list | source | docs |
| 🐞 Open [976] 🐞 Fixed [3871] 🐞 Invalid [8352] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes |
| Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|
| linux-4.19 | KASAN: use-after-free Read in hci_send_acl | C | done | 3 | 405d | 697d | 1/1 | fixed on 2021/06/23 17:43 | |
| linux-4.14 | KASAN: use-after-free Read in hci_send_acl | C | 4 | 5d02h | 697d | 0/1 | upstream: reported C repro on 2020/08/02 14:47 |
================================================================== BUG: KASAN: use-after-free in hci_send_acl+0xabe/0xc60 net/bluetooth/hci_core.c:3991 Read of size 8 at addr ffff8880a6ff8818 by task kworker/u5:2/6855 CPU: 1 PID: 6855 Comm: kworker/u5:2 Not tainted 5.8.0-rc7-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: hci0 hci_rx_work Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x18f/0x20d lib/dump_stack.c:118 print_address_description.constprop.0.cold+0xae/0x436 mm/kasan/report.c:383 __kasan_report mm/kasan/report.c:513 [inline] kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530 hci_send_acl+0xabe/0xc60 net/bluetooth/hci_core.c:3991 l2cap_send_cmd+0x6d5/0x8a0 net/bluetooth/l2cap_core.c:949 l2cap_send_move_chan_cfm_icid net/bluetooth/l2cap_core.c:4917 [inline] l2cap_move_fail net/bluetooth/l2cap_core.c:5401 [inline] l2cap_move_channel_rsp net/bluetooth/l2cap_core.c:5440 [inline] l2cap_bredr_sig_cmd net/bluetooth/l2cap_core.c:5719 [inline] l2cap_sig_channel net/bluetooth/l2cap_core.c:6418 [inline] l2cap_recv_frame+0x6936/0xae10 net/bluetooth/l2cap_core.c:7660 l2cap_recv_acldata+0x7f6/0x8e0 net/bluetooth/l2cap_core.c:8313 hci_acldata_packet net/bluetooth/hci_core.c:4520 [inline] hci_rx_work+0x4c7/0xb10 net/bluetooth/hci_core.c:4710 process_one_work+0x94c/0x1670 kernel/workqueue.c:2269 worker_thread+0x64c/0x1120 kernel/workqueue.c:2415 kthread+0x3b5/0x4a0 kernel/kthread.c:291 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293 Allocated by task 6855: save_stack+0x1b/0x40 mm/kasan/common.c:48 set_track mm/kasan/common.c:56 [inline] __kasan_kmalloc.constprop.0+0xc2/0xd0 mm/kasan/common.c:494 kmem_cache_alloc_trace+0x14f/0x2d0 mm/slab.c:3551 kmalloc include/linux/slab.h:555 [inline] kzalloc include/linux/slab.h:669 [inline] hci_chan_create+0x9b/0x330 net/bluetooth/hci_conn.c:1692 l2cap_conn_add.part.0+0x1e/0xe10 net/bluetooth/l2cap_core.c:7699 l2cap_conn_add net/bluetooth/l2cap_core.c:8139 [inline] l2cap_connect_cfm+0x23b/0x1090 net/bluetooth/l2cap_core.c:8097 hci_connect_cfm include/net/bluetooth/hci_core.h:1340 [inline] hci_remote_features_evt net/bluetooth/hci_event.c:3210 [inline] hci_event_packet+0x3e01/0x86f5 net/bluetooth/hci_event.c:6061 hci_rx_work+0x22e/0xb10 net/bluetooth/hci_core.c:4705 process_one_work+0x94c/0x1670 kernel/workqueue.c:2269 worker_thread+0x64c/0x1120 kernel/workqueue.c:2415 kthread+0x3b5/0x4a0 kernel/kthread.c:291 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293 Freed by task 6855: save_stack+0x1b/0x40 mm/kasan/common.c:48 set_track mm/kasan/common.c:56 [inline] kasan_set_free_info mm/kasan/common.c:316 [inline] __kasan_slab_free+0xf5/0x140 mm/kasan/common.c:455 __cache_free mm/slab.c:3426 [inline] kfree+0x103/0x2c0 mm/slab.c:3757 hci_disconn_loglink_complete_evt net/bluetooth/hci_event.c:4999 [inline] hci_event_packet+0x319a/0x86f5 net/bluetooth/hci_event.c:6188 hci_rx_work+0x22e/0xb10 net/bluetooth/hci_core.c:4705 process_one_work+0x94c/0x1670 kernel/workqueue.c:2269 worker_thread+0x64c/0x1120 kernel/workqueue.c:2415 kthread+0x3b5/0x4a0 kernel/kthread.c:291 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293 The buggy address belongs to the object at ffff8880a6ff8800 which belongs to the cache kmalloc-128 of size 128 The buggy address is located 24 bytes inside of 128-byte region [ffff8880a6ff8800, ffff8880a6ff8880) The buggy address belongs to the page: page:ffffea00029bfe00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880a6ff8c00 flags: 0xfffe0000000200(slab) raw: 00fffe0000000200 ffffea0002934388 ffff8880aa001540 ffff8880aa000700 raw: ffff8880a6ff8c00 ffff8880a6ff8000 000000010000000c 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880a6ff8700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880a6ff8780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8880a6ff8800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880a6ff8880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8880a6ff8900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================
| Manager | Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|
| ci-upstream-kasan-gce-selinux-root | 2021/03/01 07:30 | upstream | fe07bfda2fb9 | 63a73341 | .config | log | report | syz | C | ||
| ci-upstream-kasan-gce-selinux-root | 2021/01/07 16:02 | upstream | 71c061d24438 | 63a73341 | .config | log | report | syz | C | ||
| ci-upstream-kasan-gce-selinux-root | 2020/12/07 15:25 | upstream | 0477e9288185 | 63a73341 | .config | log | report | syz | C | ||
| ci-upstream-kasan-gce-selinux-root | 2020/11/07 06:59 | upstream | 659caaf65dc9 | 63a73341 | .config | log | report | syz | C | ||
| ci-upstream-kasan-gce-selinux-root | 2020/10/08 05:00 | upstream | c85fb28b6f99 | 63a73341 | .config | log | report | syz | C | ||
| ci-upstream-kasan-gce-selinux-root | 2020/09/02 16:04 | upstream | 9c7d619be5a0 | 63a73341 | .config | log | report | syz | C |
| Manager | Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|
| ci-upstream-kasan-gce-selinux-root | 2020/08/02 19:29 | upstream | ac3a0c847296 | 63a73341 | .config | log | report | syz | C | ||
| ci-upstream-kasan-gce-smack-root | 2020/08/02 13:37 | upstream | ac3a0c847296 | 63a73341 | .config | log | report | syz | C |