| Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|
| android-44 | KASAN: use-after-free Read in sg_remove_request | 221 | 2433d | 2533d | 0/2 | auto-closed as invalid on 2019/02/22 14:37 |
syzbot |
sign-in | mailing list | source | docs |
| Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|
| android-44 | KASAN: use-after-free Read in sg_remove_request | 221 | 2433d | 2533d | 0/2 | auto-closed as invalid on 2019/02/22 14:37 |
================================================================== BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:243 [inline] BUG: KASAN: use-after-free in list_empty include/linux/list.h:189 [inline] BUG: KASAN: use-after-free in sg_remove_request+0x103/0x120 drivers/scsi/sg.c:2120 Read of size 8 at addr ffff8801cd59f040 by task syzkaller040432/3338 CPU: 1 PID: 3338 Comm: syzkaller040432 Not tainted 4.9.76-g8dec074 #13 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801c7def9b0 ffffffff81d93169 ffffea00073567c0 ffff8801cd59f040 0000000000000000 ffff8801cd59f040 ffff8801c7d84438 ffff8801c7def9e8 ffffffff8153cb43 ffff8801cd59f040 0000000000000008 0000000000000000 Call Trace: [<ffffffff81d93169>] __dump_stack lib/dump_stack.c:15 [inline] [<ffffffff81d93169>] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [<ffffffff8153cb43>] print_address_description+0x73/0x280 mm/kasan/report.c:252 [<ffffffff8153d065>] kasan_report_error mm/kasan/report.c:351 [inline] [<ffffffff8153d065>] kasan_report+0x275/0x360 mm/kasan/report.c:408 [<ffffffff8153d1c4>] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:429 [<ffffffff82666273>] __read_once_size include/linux/compiler.h:243 [inline] [<ffffffff82666273>] list_empty include/linux/list.h:189 [inline] [<ffffffff82666273>] sg_remove_request+0x103/0x120 drivers/scsi/sg.c:2120 [<ffffffff826667f5>] sg_finish_rem_req+0x295/0x340 drivers/scsi/sg.c:1838 [<ffffffff8266862c>] sg_read+0xa1c/0x1440 drivers/scsi/sg.c:527 [<ffffffff8156b571>] do_loop_readv_writev.part.17+0x141/0x1e0 fs/read_write.c:714 [<ffffffff8156f3e0>] do_loop_readv_writev fs/read_write.c:880 [inline] [<ffffffff8156f3e0>] do_readv_writev+0x520/0x750 fs/read_write.c:874 [<ffffffff8156f694>] vfs_readv+0x84/0xc0 fs/read_write.c:898 [<ffffffff8156f7b6>] do_readv+0xe6/0x250 fs/read_write.c:924 [<ffffffff81572ca7>] SYSC_readv fs/read_write.c:1011 [inline] [<ffffffff81572ca7>] SyS_readv+0x27/0x30 fs/read_write.c:1008 [<ffffffff838b0aa8>] entry_SYSCALL_64_fastpath+0x23/0xe2 Allocated by task 3334: save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:505 set_track mm/kasan/kasan.c:517 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:609 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:547 slab_post_alloc_hook mm/slab.h:417 [inline] slab_alloc_node mm/slub.c:2715 [inline] slab_alloc mm/slub.c:2723 [inline] kmem_cache_alloc+0xba/0x290 mm/slub.c:2728 skb_clone+0x142/0x2c0 net/core/skbuff.c:1032 dev_queue_xmit_nit+0x29f/0x870 net/core/dev.c:1897 xmit_one net/core/dev.c:2944 [inline] dev_hard_start_xmit+0xa6/0x8a0 net/core/dev.c:2964 sch_direct_xmit+0x2bc/0x5d0 net/sched/sch_generic.c:182 __dev_xmit_skb net/core/dev.c:3133 [inline] __dev_queue_xmit+0x15fd/0x1e60 net/core/dev.c:3393 dev_queue_xmit+0x17/0x20 net/core/dev.c:3458 neigh_hh_output include/net/neighbour.h:468 [inline] dst_neigh_output include/net/dst.h:468 [inline] ip_finish_output2+0xbe8/0x1060 net/ipv4/ip_output.c:225 ip_finish_output+0x6b1/0xa00 net/ipv4/ip_output.c:313 NF_HOOK_COND include/linux/netfilter.h:246 [inline] ip_output+0x1ca/0x610 net/ipv4/ip_output.c:401 dst_output include/net/dst.h:507 [inline] ip_local_out+0x95/0x170 net/ipv4/ip_output.c:124 ip_queue_xmit+0x884/0x1760 net/ipv4/ip_output.c:500 tcp_transmit_skb+0x1847/0x2f00 net/ipv4/tcp_output.c:1036 tcp_write_xmit+0xbd6/0x4a40 net/ipv4/tcp_output.c:2182 __tcp_push_pending_frames+0xa0/0x240 net/ipv4/tcp_output.c:2363 tcp_push+0x3fc/0x5d0 net/ipv4/tcp.c:688 tcp_sendmsg+0xb38/0x2ff0 net/ipv4/tcp.c:1342 inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:770 sock_sendmsg_nosec net/socket.c:635 [inline] sock_sendmsg+0xca/0x110 net/socket.c:645 sock_write_iter+0x226/0x3b0 net/socket.c:843 new_sync_write fs/read_write.c:499 [inline] __vfs_write+0x4bf/0x680 fs/read_write.c:512 vfs_write+0x189/0x530 fs/read_write.c:560 SYSC_write fs/read_write.c:607 [inline] SyS_write+0xd9/0x1b0 fs/read_write.c:599 entry_SYSCALL_64_fastpath+0x23/0xe2 Freed by task 3334: save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:505 set_track mm/kasan/kasan.c:517 [inline] kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:582 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kmem_cache_free+0xc7/0x300 mm/slub.c:2980 kfree_skbmem+0xd7/0xf0 net/core/skbuff.c:623 __kfree_skb+0x1d/0x20 net/core/skbuff.c:685 kfree_skb+0xcc/0x330 net/core/skbuff.c:705 packet_rcv_spkt+0xda/0x4c0 net/packet/af_packet.c:1832 dev_queue_xmit_nit+0x5ab/0x870 net/core/dev.c:1928 xmit_one net/core/dev.c:2944 [inline] dev_hard_start_xmit+0xa6/0x8a0 net/core/dev.c:2964 sch_direct_xmit+0x2bc/0x5d0 net/sched/sch_generic.c:182 __dev_xmit_skb net/core/dev.c:3133 [inline] __dev_queue_xmit+0x15fd/0x1e60 net/core/dev.c:3393 dev_queue_xmit+0x17/0x20 net/core/dev.c:3458 neigh_hh_output include/net/neighbour.h:468 [inline] dst_neigh_output include/net/dst.h:468 [inline] ip_finish_output2+0xbe8/0x1060 net/ipv4/ip_output.c:225 ip_finish_output+0x6b1/0xa00 net/ipv4/ip_output.c:313 NF_HOOK_COND include/linux/netfilter.h:246 [inline] ip_output+0x1ca/0x610 net/ipv4/ip_output.c:401 dst_output include/net/dst.h:507 [inline] ip_local_out+0x95/0x170 net/ipv4/ip_output.c:124 ip_queue_xmit+0x884/0x1760 net/ipv4/ip_output.c:500 tcp_transmit_skb+0x1847/0x2f00 net/ipv4/tcp_output.c:1036 tcp_write_xmit+0xbd6/0x4a40 net/ipv4/tcp_output.c:2182 __tcp_push_pending_frames+0xa0/0x240 net/ipv4/tcp_output.c:2363 tcp_push+0x3fc/0x5d0 net/ipv4/tcp.c:688 tcp_sendmsg+0xb38/0x2ff0 net/ipv4/tcp.c:1342 inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:770 sock_sendmsg_nosec net/socket.c:635 [inline] sock_sendmsg+0xca/0x110 net/socket.c:645 sock_write_iter+0x226/0x3b0 net/socket.c:843 new_sync_write fs/read_write.c:499 [inline] __vfs_write+0x4bf/0x680 fs/read_write.c:512 vfs_write+0x189/0x530 fs/read_write.c:560 SYSC_write fs/read_write.c:607 [inline] SyS_write+0xd9/0x1b0 fs/read_write.c:599 entry_SYSCALL_64_fastpath+0x23/0xe2 The buggy address belongs to the object at ffff8801cd59f000 which belongs to the cache skbuff_head_cache of size 224 The buggy address is located 64 bytes inside of 224-byte region [ffff8801cd59f000, ffff8801cd59f0e0) The buggy address belongs to the page: page:ffffea00073567c0 count:1 mapcount:0 mapping: (null) index:0x0 flags: 0x8000000000000080(slab) page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8801cd59ef00: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc ffff8801cd59ef80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801cd59f000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801cd59f080: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ffff8801cd59f100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ==================================================================
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2018/01/16 17:40 | https://android.googlesource.com/kernel/common android-4.9 | 8dec074e888a | 4198e588 | .config | console log | report | syz | C | ci-android-49-kasan-gce | |||
| 2018/03/22 05:08 | https://android.googlesource.com/kernel/common android-4.9 | 71df7bbae4d8 | 95c88d7a | .config | console log | report | ci-android-49-kasan-gce | |||||
| 2018/03/21 20:58 | https://android.googlesource.com/kernel/common android-4.9 | 71df7bbae4d8 | f63eeee9 | .config | console log | report | ci-android-49-kasan-gce | |||||
| 2018/03/21 04:25 | https://android.googlesource.com/kernel/common android-4.9 | 71df7bbae4d8 | 113a43ff | .config | console log | report | ci-android-49-kasan-gce | |||||
| 2018/03/20 21:46 | https://android.googlesource.com/kernel/common android-4.9 | 71df7bbae4d8 | 72c33b66 | .config | console log | report | ci-android-49-kasan-gce | |||||
| 2018/03/20 12:39 | https://android.googlesource.com/kernel/common android-4.9 | 71df7bbae4d8 | 72c33b66 | .config | console log | report | ci-android-49-kasan-gce | |||||
| 2018/03/19 23:49 | https://android.googlesource.com/kernel/common android-4.9 | 71df7bbae4d8 | 7e7d7ed2 | .config | console log | report | ci-android-49-kasan-gce | |||||
| 2018/03/19 12:01 | https://android.googlesource.com/kernel/common android-4.9 | bb52bba67e35 | 7e7d7ed2 | .config | console log | report | ci-android-49-kasan-gce | |||||
| 2018/03/17 22:19 | https://android.googlesource.com/kernel/common android-4.9 | fc8bd0f6ffec | 08dacaa0 | .config | console log | report | ci-android-49-kasan-gce | |||||
| 2018/03/17 11:59 | https://android.googlesource.com/kernel/common android-4.9 | fc8bd0f6ffec | 08dacaa0 | .config | console log | report | ci-android-49-kasan-gce | |||||
| 2018/03/17 05:49 | https://android.googlesource.com/kernel/common android-4.9 | fc8bd0f6ffec | 08dacaa0 | .config | console log | report | ci-android-49-kasan-gce | |||||
| 2018/03/16 17:23 | https://android.googlesource.com/kernel/common android-4.9 | fc8bd0f6ffec | 08dacaa0 | .config | console log | report | ci-android-49-kasan-gce | |||||
| 2018/03/15 15:02 | https://android.googlesource.com/kernel/common android-4.9 | 3a3a0844ac38 | 08dacaa0 | .config | console log | report | ci-android-49-kasan-gce | |||||
| 2018/03/13 10:01 | https://android.googlesource.com/kernel/common android-4.9 | a2904940bde8 | 08dacaa0 | .config | console log | report | ci-android-49-kasan-gce | |||||
| 2018/03/08 20:34 | https://android.googlesource.com/kernel/common android-4.9 | 00db063b0f88 | acd0caa5 | .config | console log | report | ci-android-49-kasan-gce | |||||
| 2018/03/08 11:00 | https://android.googlesource.com/kernel/common android-4.9 | d3a2afb9382e | d50edb7e | .config | console log | report | ci-android-49-kasan-gce | |||||
| 2018/03/07 16:54 | https://android.googlesource.com/kernel/common android-4.9 | b324a701539e | a5e76540 | .config | console log | report | ci-android-49-kasan-gce | |||||
| 2018/03/07 13:04 | https://android.googlesource.com/kernel/common android-4.9 | b324a701539e | c8a18476 | .config | console log | report | ci-android-49-kasan-gce | |||||
| 2018/03/07 08:09 | https://android.googlesource.com/kernel/common android-4.9 | b324a701539e | c8a18476 | .config | console log | report | ci-android-49-kasan-gce | |||||
| 2018/03/07 06:36 | https://android.googlesource.com/kernel/common android-4.9 | b324a701539e | c8a18476 | .config | console log | report | ci-android-49-kasan-gce | |||||
| 2018/03/06 16:39 | https://android.googlesource.com/kernel/common android-4.9 | b324a701539e | aef0b792 | .config | console log | report | ci-android-49-kasan-gce | |||||
| 2018/03/06 07:44 | https://android.googlesource.com/kernel/common android-4.9 | b324a701539e | aef0b792 | .config | console log | report | ci-android-49-kasan-gce | |||||
| 2018/03/05 13:58 | https://android.googlesource.com/kernel/common android-4.9 | b324a701539e | bbd5104f | .config | console log | report | ci-android-49-kasan-gce | |||||
| 2018/03/05 12:45 | https://android.googlesource.com/kernel/common android-4.9 | b324a701539e | bbd5104f | .config | console log | report | ci-android-49-kasan-gce | |||||
| 2018/03/05 09:15 | https://android.googlesource.com/kernel/common android-4.9 | b324a701539e | 2c6f473e | .config | console log | report | ci-android-49-kasan-gce | |||||
| 2018/03/04 22:24 | https://android.googlesource.com/kernel/common android-4.9 | e0b05e693a9d | 2c6f473e | .config | console log | report | ci-android-49-kasan-gce | |||||
| 2018/03/02 20:46 | https://android.googlesource.com/kernel/common android-4.9 | f67385227a42 | 2c6f473e | .config | console log | report | ci-android-49-kasan-gce | |||||
| 2018/03/02 15:03 | https://android.googlesource.com/kernel/common android-4.9 | 4c4262aa50dc | 2c6f473e | .config | console log | report | ci-android-49-kasan-gce | |||||
| 2018/03/02 08:59 | https://android.googlesource.com/kernel/common android-4.9 | 4c4262aa50dc | 2c6f473e | .config | console log | report | ci-android-49-kasan-gce | |||||
| 2018/02/28 14:01 | https://android.googlesource.com/kernel/common android-4.9 | e7f51a5b0be6 | 05b5a32c | .config | console log | report | ci-android-49-kasan-gce | |||||
| 2018/02/28 02:17 | https://android.googlesource.com/kernel/common android-4.9 | e7f51a5b0be6 | 05b5a32c | .config | console log | report | ci-android-49-kasan-gce | |||||
| 2018/03/21 17:17 | https://android.googlesource.com/kernel/common android-4.9 | 71df7bbae4d8 | f63eeee9 | .config | console log | report | ci-android-49-kasan-gce-386 | |||||
| 2018/03/21 11:06 | https://android.googlesource.com/kernel/common android-4.9 | 71df7bbae4d8 | 113a43ff | .config | console log | report | ci-android-49-kasan-gce-386 | |||||
| 2018/03/21 07:16 | https://android.googlesource.com/kernel/common android-4.9 | 71df7bbae4d8 | 113a43ff | .config | console log | report | ci-android-49-kasan-gce-386 | |||||
| 2018/03/19 05:30 | https://android.googlesource.com/kernel/common android-4.9 | bb52bba67e35 | 08dacaa0 | .config | console log | report | ci-android-49-kasan-gce-386 | |||||
| 2018/03/17 20:04 | https://android.googlesource.com/kernel/common android-4.9 | fc8bd0f6ffec | 08dacaa0 | .config | console log | report | ci-android-49-kasan-gce-386 | |||||
| 2018/03/17 18:13 | https://android.googlesource.com/kernel/common android-4.9 | fc8bd0f6ffec | 08dacaa0 | .config | console log | report | ci-android-49-kasan-gce-386 | |||||
| 2018/03/16 09:36 | https://android.googlesource.com/kernel/common android-4.9 | d6f27745679a | 08dacaa0 | .config | console log | report | ci-android-49-kasan-gce-386 | |||||
| 2018/03/15 12:26 | https://android.googlesource.com/kernel/common android-4.9 | 3a3a0844ac38 | 08dacaa0 | .config | console log | report | ci-android-49-kasan-gce-386 | |||||
| 2018/03/14 08:01 | https://android.googlesource.com/kernel/common android-4.9 | 97d7f1c7c0f0 | 08dacaa0 | .config | console log | report | ci-android-49-kasan-gce-386 | |||||
| 2018/03/12 17:52 | https://android.googlesource.com/kernel/common android-4.9 | a2904940bde8 | f505ca4b | .config | console log | report | ci-android-49-kasan-gce-386 | |||||
| 2018/03/10 19:54 | https://android.googlesource.com/kernel/common android-4.9 | 00db063b0f88 | 36d1c454 | .config | console log | report | ci-android-49-kasan-gce-386 | |||||
| 2018/03/09 02:20 | https://android.googlesource.com/kernel/common android-4.9 | 00db063b0f88 | 36d1c454 | .config | console log | report | ci-android-49-kasan-gce-386 | |||||
| 2018/03/07 00:50 | https://android.googlesource.com/kernel/common android-4.9 | b324a701539e | c8a18476 | .config | console log | report | ci-android-49-kasan-gce-386 | |||||
| 2018/03/01 23:48 | https://android.googlesource.com/kernel/common android-4.9 | 4c4262aa50dc | 2c6f473e | .config | console log | report | ci-android-49-kasan-gce-386 | |||||
| 2018/03/01 21:31 | https://android.googlesource.com/kernel/common android-4.9 | 4c4262aa50dc | c4089507 | .config | console log | report | ci-android-49-kasan-gce-386 | |||||
| 2018/02/27 15:11 | https://android.googlesource.com/kernel/common android-4.9 | e7f51a5b0be6 | 05b5a32c | .config | console log | report | ci-android-49-kasan-gce-386 |