syzbot |
sign-in | mailing list | source | docs |
| 🐞 Open [1165] 🐞 Fixed [4326] 🐞 Invalid [9670] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes |
| Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|
| linux-4.14 | KASAN: use-after-free Read in ccid2_hc_tx_packet_recv (2) | C | done | inconclusive | 3 | 978d | 1186d | 0/1 | upstream: reported C repro on 2019/11/09 21:41 |
| linux-4.14 | KASAN: use-after-free Read in ccid2_hc_tx_packet_recv | 1 | 1337d | 1337d | 0/1 | auto-closed as invalid on 2019/10/25 08:37 | |||
| linux-4.19 | KASAN: use-after-free Read in ccid2_hc_tx_packet_recv | C | done | error | 2 | 971d | 1191d | 0/1 | upstream: reported C repro on 2019/11/04 11:20 |
| Created | Duration | User | Patch | Repo | Result |
|---|---|---|---|---|---|
| 2022/09/17 00:29 | 11m | retest repro | upstream | error | |
| 2021/06/23 19:42 | 9m | rajatasthana4@gmail.com | upstream | report log |
RBP: 00007ffd8bea4880 R08: 0000000000000001 R09: 00007ffd8bea4910 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000006 R13: 00007ffd8bea48b0 R14: 00007ffd8bea4880 R15: 0000000000000000 </TASK> dccp_parse_options: DCCP(ffff88814a3c8ac0): Option 32 (len=7) error=9 ================================================================== BUG: KASAN: use-after-free in dccp_ackvec_runlen net/dccp/ccids/../ackvec.h:43 [inline] BUG: KASAN: use-after-free in ccid2_hc_tx_packet_recv+0x2042/0x2a50 net/dccp/ccids/ccid2.c:592 Read of size 1 at addr ffff888078b25494 by task syz-executor226/5057 CPU: 1 PID: 5057 Comm: syz-executor226 Not tainted 6.2.0-rc1-syzkaller-00095-ge4cf7c25bae5 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1e3/0x2d0 lib/dump_stack.c:106 print_address_description+0x74/0x340 mm/kasan/report.c:306 print_report+0x107/0x220 mm/kasan/report.c:417 kasan_report+0x139/0x170 mm/kasan/report.c:517 dccp_ackvec_runlen net/dccp/ccids/../ackvec.h:43 [inline] ccid2_hc_tx_packet_recv+0x2042/0x2a50 net/dccp/ccids/ccid2.c:592 ccid_hc_tx_packet_recv net/dccp/ccid.h:189 [inline] dccp_deliver_input_to_ccids net/dccp/input.c:182 [inline] dccp_rcv_established+0x284/0x310 net/dccp/input.c:374 dccp_v4_do_rcv+0xfc/0x1f0 net/dccp/ipv4.c:674 sk_backlog_rcv include/net/sock.h:1113 [inline] __release_sock+0x1d8/0x4c0 net/core/sock.c:2928 release_sock+0x5d/0x1c0 net/core/sock.c:3485 dccp_sendmsg+0x502/0x820 net/dccp/proto.c:790 sock_sendmsg_nosec net/socket.c:714 [inline] sock_sendmsg net/socket.c:734 [inline] ____sys_sendmsg+0x597/0x8e0 net/socket.c:2476 ___sys_sendmsg net/socket.c:2530 [inline] __sys_sendmmsg+0x3d7/0x770 net/socket.c:2616 __do_sys_sendmmsg net/socket.c:2645 [inline] __se_sys_sendmmsg net/socket.c:2642 [inline] __x64_sys_sendmmsg+0x9c/0xb0 net/socket.c:2642 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7ffad54edd09 Code: 46 01 00 85 c0 b8 00 00 00 00 48 0f 44 c3 5b c3 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffd8bea4868 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007ffad54edd09 RDX: 04000000000001e6 RSI: 0000000020000c00 RDI: 0000000000000005 RBP: 00007ffd8bea4880 R08: 0000000000000001 R09: 00007ffd8bea4910 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000006 R13: 00007ffd8bea48b0 R14: 00007ffd8bea4880 R15: 0000000000000000 </TASK> Allocated by task 5057: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x4c/0x70 mm/kasan/common.c:52 ____kasan_kmalloc mm/kasan/common.c:371 [inline] __kasan_kmalloc+0x97/0xb0 mm/kasan/common.c:380 kasan_kmalloc include/linux/kasan.h:211 [inline] __do_kmalloc_node mm/slab_common.c:968 [inline] __kmalloc_node_track_caller+0xad/0x190 mm/slab_common.c:988 kmalloc_reserve net/core/skbuff.c:492 [inline] __alloc_skb+0x12c/0x2c0 net/core/skbuff.c:565 alloc_skb include/linux/skbuff.h:1270 [inline] dccp_send_ack+0xa0/0x300 net/dccp/output.c:585 ccid2_hc_rx_packet_recv+0xf1/0x180 net/dccp/ccids/ccid2.c:771 ccid_hc_rx_packet_recv net/dccp/ccid.h:182 [inline] dccp_deliver_input_to_ccids net/dccp/input.c:176 [inline] dccp_rcv_established+0x1b2/0x310 net/dccp/input.c:374 dccp_v4_do_rcv+0xfc/0x1f0 net/dccp/ipv4.c:674 sk_backlog_rcv include/net/sock.h:1113 [inline] __sk_receive_skb+0x43f/0x9e0 net/core/sock.c:565 ip_protocol_deliver_rcu+0x5d5/0xd40 net/ipv4/ip_input.c:205 ip_local_deliver_finish+0x269/0x480 net/ipv4/ip_input.c:233 __netif_receive_skb_one_core net/core/dev.c:5482 [inline] __netif_receive_skb+0x1c5/0x500 net/core/dev.c:5596 process_backlog+0x568/0x920 net/core/dev.c:5924 __napi_poll+0xbe/0x4b0 net/core/dev.c:6485 napi_poll net/core/dev.c:6552 [inline] net_rx_action+0x76c/0x1100 net/core/dev.c:6663 __do_softirq+0x277/0x75b kernel/softirq.c:571 Freed by task 5057: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x4c/0x70 mm/kasan/common.c:52 kasan_save_free_info+0x27/0x40 mm/kasan/generic.c:518 ____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236 kasan_slab_free include/linux/kasan.h:177 [inline] slab_free_hook mm/slub.c:1781 [inline] slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1807 slab_free mm/slub.c:3787 [inline] __kmem_cache_free+0x71/0x110 mm/slub.c:3800 skb_free_head net/core/skbuff.c:822 [inline] skb_release_data+0x4f6/0x710 net/core/skbuff.c:851 skb_release_all net/core/skbuff.c:916 [inline] __kfree_skb net/core/skbuff.c:930 [inline] kfree_skb_reason+0xfa/0x2c0 net/core/skbuff.c:956 kfree_skb include/linux/skbuff.h:1218 [inline] dccp_v4_do_rcv+0x143/0x1f0 net/dccp/ipv4.c:709 sk_backlog_rcv include/net/sock.h:1113 [inline] __release_sock+0x1d8/0x4c0 net/core/sock.c:2928 release_sock+0x5d/0x1c0 net/core/sock.c:3485 dccp_sendmsg+0x502/0x820 net/dccp/proto.c:790 sock_sendmsg_nosec net/socket.c:714 [inline] sock_sendmsg net/socket.c:734 [inline] ____sys_sendmsg+0x597/0x8e0 net/socket.c:2476 ___sys_sendmsg net/socket.c:2530 [inline] __sys_sendmmsg+0x3d7/0x770 net/socket.c:2616 __do_sys_sendmmsg net/socket.c:2645 [inline] __se_sys_sendmmsg net/socket.c:2642 [inline] __x64_sys_sendmmsg+0x9c/0xb0 net/socket.c:2642 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd The buggy address belongs to the object at ffff888078b25000 which belongs to the cache kmalloc-2k of size 2048 The buggy address is located 1172 bytes inside of 2048-byte region [ffff888078b25000, ffff888078b25800) The buggy address belongs to the physical page: page:ffffea0001e2c800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x78b20 head:ffffea0001e2c800 order:3 compound_mapcount:0 subpages_mapcount:0 compound_pincount:0 flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000010200 ffff888012842000 dead000000000122 0000000000000000 raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5053, tgid 5053 (strace-static-x), ts 53593701360, free_ts 33150100132 prep_new_page mm/page_alloc.c:2531 [inline] get_page_from_freelist+0x72b/0x7a0 mm/page_alloc.c:4283 __alloc_pages+0x259/0x560 mm/page_alloc.c:5549 alloc_slab_page+0xbd/0x190 mm/slub.c:1851 allocate_slab+0x5e/0x3c0 mm/slub.c:1998 new_slab mm/slub.c:2051 [inline] ___slab_alloc+0x7f4/0xeb0 mm/slub.c:3193 __slab_alloc mm/slub.c:3292 [inline] __slab_alloc_node mm/slub.c:3345 [inline] slab_alloc_node mm/slub.c:3442 [inline] __kmem_cache_alloc_node+0x25b/0x340 mm/slub.c:3491 __do_kmalloc_node mm/slab_common.c:967 [inline] __kmalloc+0x9e/0x190 mm/slab_common.c:981 kmalloc include/linux/slab.h:584 [inline] sk_prot_alloc+0xde/0x200 net/core/sock.c:2038 sk_alloc+0x34/0x360 net/core/sock.c:2091 __netlink_create+0x6b/0x2b0 net/netlink/af_netlink.c:647 netlink_create+0x368/0x530 net/netlink/af_netlink.c:710 __sock_create+0x3fd/0x850 net/socket.c:1515 sock_create net/socket.c:1566 [inline] __sys_socket_create net/socket.c:1603 [inline] __sys_socket+0x137/0x3a0 net/socket.c:1636 __do_sys_socket net/socket.c:1649 [inline] __se_sys_socket net/socket.c:1647 [inline] __x64_sys_socket+0x76/0x80 net/socket.c:1647 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1446 [inline] free_pcp_prepare+0x751/0x780 mm/page_alloc.c:1496 free_unref_page_prepare mm/page_alloc.c:3369 [inline] free_unref_page+0x19/0x4c0 mm/page_alloc.c:3464 discard_slab mm/slub.c:2098 [inline] __unfreeze_partials+0x1a5/0x1e0 mm/slub.c:2637 put_cpu_partial+0x116/0x180 mm/slub.c:2713 qlist_free_all+0x2b/0x70 mm/kasan/quarantine.c:187 kasan_quarantine_reduce+0x156/0x170 mm/kasan/quarantine.c:294 __kasan_slab_alloc+0x1f/0x70 mm/kasan/common.c:302 kasan_slab_alloc include/linux/kasan.h:201 [inline] slab_post_alloc_hook mm/slab.h:761 [inline] slab_alloc_node mm/slub.c:3452 [inline] slab_alloc mm/slub.c:3460 [inline] __kmem_cache_alloc_lru mm/slub.c:3467 [inline] kmem_cache_alloc+0x1b3/0x350 mm/slub.c:3476 vm_area_alloc+0x20/0xe0 kernel/fork.c:458 mmap_region+0xd75/0x1e60 mm/mmap.c:2601 do_mmap+0x8d9/0xf30 mm/mmap.c:1411 vm_mmap_pgoff+0x1e5/0x2f0 mm/util.c:520 ksys_mmap_pgoff+0x48c/0x6d0 mm/mmap.c:1457 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Memory state around the buggy address: ffff888078b25380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888078b25400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff888078b25480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888078b25500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888078b25580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================
| Manager | Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ci-upstream-kasan-gce-smack-root | 2023/01/01 21:34 | upstream | e4cf7c25bae5 | ab32d508 | .config | strace log | report | syz | C | [disk image] [vmlinux] [kernel image] | KASAN: use-after-free Read in ccid2_hc_tx_packet_recv | |
| ci-upstream-kasan-gce-root | 2022/10/21 23:45 | upstream | e35184f32151 | 4bfd3c27 | .config | strace log | report | syz | C | [disk image] [vmlinux] | KASAN: use-after-free Read in ccid2_hc_tx_packet_recv | |
| ci-upstream-kasan-gce | 2022/10/11 06:31 | upstream | 55be6084c8e0 | 2b253ced | .config | strace log | report | syz | C | [disk image] [vmlinux] | KASAN: use-after-free Read in ccid2_hc_tx_packet_recv | |
| ci-upstream-net-this-kasan-gce | 2022/10/11 01:06 | net | af7d23f9d96a | aea5da89 | .config | strace log | report | syz | C | [disk image] [vmlinux] | KASAN: use-after-free Read in ccid2_hc_tx_packet_recv | |
| ci-upstream-net-kasan-gce | 2022/10/11 01:05 | net-next | 0326074ff465 | aea5da89 | .config | console log | report | syz | C | [disk image] [vmlinux] | KASAN: use-after-free Read in ccid2_hc_tx_packet_recv | |
| ci-upstream-linux-next-kasan-gce-root | 2022/11/20 08:34 | linux-next | 15f3bff12cf6 | 5bb70014 | .config | console log | report | syz | C | [disk image] [vmlinux] [kernel image] | KASAN: use-after-free Read in ccid2_hc_tx_packet_recv | |
| ci-upstream-kasan-gce | 2018/05/25 13:51 | upstream | b50694381cfc | f48c20b8 | .config | console log | report | syz | C | |||
| ci-upstream-kasan-gce | 2021/08/22 04:07 | upstream | 002c0aef1090 | b599f2fc | .config | console log | report | info | KASAN: use-after-free Read in ccid2_hc_tx_packet_recv | |||
| ci-upstream-net-kasan-gce | 2022/12/16 00:29 | net-next | 7e68dd7d07a2 | 6f9c033e | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | KASAN: use-after-free Read in ccid2_hc_tx_packet_recv | ||
| ci-upstream-kasan-gce | 2020/05/21 09:50 | upstream | b85051e755b0 | c61086ab | .config | console log | report | |||||
| ci-upstream-kasan-gce | 2020/01/28 23:14 | upstream | c677124e631d | c8e81ce4 | .config | console log | report | |||||
| ci-upstream-kasan-gce | 2020/01/25 04:48 | upstream | 6381b442836e | 2e95ab33 | .config | console log | report | |||||
| ci-upstream-kasan-gce-root | 2020/01/15 23:46 | upstream | 51d69817519f | f9b69507 | .config | console log | report | |||||
| ci-upstream-kasan-gce | 2019/09/14 02:20 | upstream | a7f89616b737 | 32d59357 | .config | console log | report | |||||
| ci-upstream-kasan-gce | 2019/08/22 00:58 | upstream | bb7ba8069de9 | 984250d5 | .config | console log | report | |||||
| ci-upstream-kasan-gce | 2019/08/07 21:39 | upstream | 33920f1ec5bf | e6ebef88 | .config | console log | report | |||||
| ci-upstream-kasan-gce-root | 2019/06/26 03:41 | upstream | 249155c20f9b | 0a8d1a96 | .config | console log | report | |||||
| ci-upstream-kasan-gce-smack-root | 2019/04/28 04:50 | upstream | 037904a22bf8 | b617407b | .config | console log | report | |||||
| ci-upstream-kasan-gce-selinux-root | 2019/03/26 18:38 | upstream | a3ac7917b730 | 55684ce1 | .config | console log | report | |||||
| ci-upstream-kasan-gce | 2019/02/14 01:51 | upstream | 1f947a7a011f | 0a49c954 | .config | console log | report | |||||
| ci-upstream-kasan-gce | 2019/02/01 20:00 | upstream | 5b4746a03199 | 0c07abcf | .config | console log | report | |||||
| ci-upstream-kasan-gce | 2019/01/27 19:40 | upstream | ba6069759381 | c73f090a | .config | console log | report | |||||
| ci-upstream-kasan-gce-smack-root | 2019/01/25 04:13 | upstream | c04e2a780caf | bfab9cd8 | .config | console log | report | |||||
| ci-upstream-kasan-gce-386 | 2019/08/12 05:22 | upstream | 296d05cb0d3c | acb51638 | .config | console log | report | |||||
| ci-upstream-kasan-gce-386 | 2018/04/02 00:13 | upstream | 0adb32858b0b | dc889257 | .config | console log | report | |||||
| ci-upstream-net-this-kasan-gce | 2019/10/02 07:01 | net | 569aad4fcd82 | b7a87a83 | .config | console log | report | |||||
| ci-upstream-net-this-kasan-gce | 2019/08/08 02:40 | net | 33920f1ec5bf | e6ebef88 | .config | console log | report | |||||
| ci-upstream-net-this-kasan-gce | 2019/05/02 06:55 | net | d2f0c961148f | 7516d9fa | .config | console log | report | |||||
| ci-upstream-net-this-kasan-gce | 2019/04/29 18:48 | net | 2ae7a39770c7 | b617407b | .config | console log | report | |||||
| ci-upstream-net-kasan-gce | 2020/06/23 16:07 | net-next | cb8e59cc8720 | 54566aff | .config | console log | report | |||||
| ci-upstream-net-kasan-gce | 2020/05/20 19:52 | net-next | 4f65e2f483b6 | 1255f02a | .config | console log | report | |||||
| ci-upstream-net-kasan-gce | 2020/03/17 17:34 | net-next | 86e85bf6981c | 749688d2 | .config | console log | report | |||||
| ci-upstream-net-kasan-gce | 2019/12/21 21:35 | net-next | 994baea28957 | bc586918 | .config | console log | report | |||||
| ci-upstream-net-kasan-gce | 2019/12/11 00:29 | net-next | 08cbc75f9602 | 5a5826a1 | .config | console log | report | |||||
| ci-upstream-net-kasan-gce | 2019/11/15 04:14 | net-next | abfb228ae642 | a24fe792 | .config | console log | report | |||||
| ci-upstream-net-kasan-gce | 2019/10/14 23:41 | net-next | 7e0d15ee0d8b | 05ad7292 | .config | console log | report | |||||
| ci-upstream-net-kasan-gce | 2019/09/02 01:03 | net-next | 4bc61b0b1695 | bad3cce2 | .config | console log | report | |||||
| ci-upstream-net-kasan-gce | 2019/08/10 21:36 | net-next | 38b9e0f6d981 | acb51638 | .config | console log | report | |||||
| ci-upstream-net-kasan-gce | 2019/06/27 09:51 | net-next | 177d935a1370 | 7509bf36 | .config | console log | report | |||||
| ci-upstream-net-kasan-gce | 2019/05/11 03:38 | net-next | b970afcfcabd | 46caad94 | .config | console log | report | |||||
| ci-upstream-net-kasan-gce | 2019/04/28 14:10 | net-next | b1a79360ee86 | b617407b | .config | console log | report | |||||
| ci-upstream-net-kasan-gce | 2019/04/26 22:49 | net-next | 148f025d41a8 | b617407b | .config | console log | report | |||||
| ci-upstream-net-kasan-gce | 2019/04/23 23:22 | net-next | a93f7fe13454 | 4d3d6a50 | .config | console log | report | |||||
| ci-upstream-net-kasan-gce | 2019/04/21 19:54 | net-next | 4e54507ab1a9 | b0e8efcb | .config | console log | report | |||||
| ci-upstream-net-kasan-gce | 2019/04/19 06:33 | net-next | 5e42574b022b | b0e8efcb | .config | console log | report | |||||
| ci-upstream-net-kasan-gce | 2019/04/17 20:24 | net-next | 3a6f7892acc1 | b0e8efcb | .config | console log | report | |||||
| ci-upstream-net-kasan-gce | 2019/04/15 07:07 | net-next | 0ed1d3ddedb9 | 505ab413 | .config | console log | report | |||||
| ci-upstream-net-kasan-gce | 2019/04/07 23:08 | net-next | f1054c65bca6 | c34fde03 | .config | console log | report | |||||
| ci-upstream-net-kasan-gce | 2019/03/29 00:23 | net-next | 356d71e00d27 | 14c58f8d | .config | console log | report | |||||
| ci-upstream-net-kasan-gce | 2019/02/02 00:59 | net-next | 962c382d482a | 564f9a4f | .config | console log | report | |||||
| ci-upstream-net-kasan-gce | 2019/01/19 17:26 | net-next | f04d402f2f00 | 8aa587b0 | .config | console log | report | |||||
| ci-upstream-linux-next-kasan-gce-root | 2019/09/08 08:29 | linux-next | 6d028043b55e | a60cb4cd | .config | console log | report |