syzbot


KASAN: use-after-free Read in ip6_xmit

Status: closed as invalid on 2019/01/29 20:22
First crash: 2513d, last: 2290d
Similar bugs (2)
Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status
upstream | KASAN: use-after-free Read in ip6_xmit net | C | - | - | 5174 | 2450d | 2527d | 5/28 | fixed on 2018/05/09 07:47
android-44 | KASAN: use-after-free Read in ip6_xmit | C | - | - | 137 | 2290d | 2514d | 0/2 | closed as invalid on 2019/01/29 20:22

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in ip6_dst_idev include/net/ip6_fib.h:141 [inline]
BUG: KASAN: use-after-free in ip6_xmit+0x1bc7/0x1bd0 net/ipv6/ip6_output.c:254
Read of size 8 at addr ffff8801cfc333d8 by task syzkaller322434/3337

CPU: 0 PID: 3337 Comm: syzkaller322434 Not tainted 4.9.78-g68d447c #23
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c7fff5a0 ffffffff81d943a9 ffffea00073f0cc0 ffff8801cfc333d8
 0000000000000000 ffff8801cfc333d8 ffff8801c8e004e4 ffff8801c7fff5d8
 ffffffff8153dc23 ffff8801cfc333d8 0000000000000008 0000000000000000
Call Trace:
 [<ffffffff81d943a9>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d943a9>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153dc23>] print_address_description+0x73/0x280 mm/kasan/report.c:252
 [<ffffffff8153e145>] kasan_report_error mm/kasan/report.c:351 [inline]
 [<ffffffff8153e145>] kasan_report+0x275/0x360 mm/kasan/report.c:408
 [<ffffffff8153e2a4>] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:429
 [<ffffffff83420387>] ip6_dst_idev include/net/ip6_fib.h:141 [inline]
 [<ffffffff83420387>] ip6_xmit+0x1bc7/0x1bd0 net/ipv6/ip6_output.c:254
 [<ffffffff834e59bd>] inet6_csk_xmit+0x27d/0x4d0 net/ipv6/inet6_connection_sock.c:178
 [<ffffffff83581c8c>] l2tp_xmit_core net/l2tp/l2tp_core.c:1178 [inline]
 [<ffffffff83581c8c>] l2tp_xmit_skb+0xcdc/0xf50 net/l2tp/l2tp_core.c:1273
 [<ffffffff8358da00>] pppol2tp_sendmsg+0x5c0/0x7a0 net/l2tp/l2tp_ppp.c:339
 [<ffffffff82ed7baa>] sock_sendmsg_nosec net/socket.c:635 [inline]
 [<ffffffff82ed7baa>] sock_sendmsg+0xca/0x110 net/socket.c:645
 [<ffffffff82ed93f0>] ___sys_sendmsg+0x320/0x7e0 net/socket.c:1969
 [<ffffffff82edba39>] __sys_sendmmsg+0x159/0x3a0 net/socket.c:2059
 [<ffffffff82edbcb5>] SYSC_sendmmsg net/socket.c:2090 [inline]
 [<ffffffff82edbcb5>] SyS_sendmmsg+0x35/0x60 net/socket.c:2085
 [<ffffffff838b2c6e>] entry_SYSCALL_64_fastpath+0x29/0xe8

Allocated by task 3263:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:505
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:609
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:547
 slab_post_alloc_hook mm/slab.h:417 [inline]
 slab_alloc_node mm/slub.c:2715 [inline]
 slab_alloc mm/slub.c:2723 [inline]
 kmem_cache_alloc+0xba/0x290 mm/slub.c:2728
 dst_alloc+0x11f/0x1a0 net/core/dst.c:210
 rt_dst_alloc+0x78/0x430 net/ipv4/route.c:1475
 __mkroute_output net/ipv4/route.c:2133 [inline]
 __ip_route_output_key_hash+0xa4e/0x23e0 net/ipv4/route.c:2343
 __ip_route_output_key include/net/route.h:122 [inline]
 ip_route_connect include/net/route.h:289 [inline]
 __ip4_datagram_connect+0xa17/0x1160 net/ipv4/datagram.c:51
 __ip6_datagram_connect+0x6f9/0xdf0 net/ipv6/datagram.c:157
 ip6_datagram_connect+0x2f/0x50 net/ipv6/datagram.c:268
 inet_dgram_connect+0x16b/0x1f0 net/ipv4/af_inet.c:549
 SYSC_connect+0x1b6/0x310 net/socket.c:1562
 SyS_connect+0x24/0x30 net/socket.c:1543
 entry_SYSCALL_64_fastpath+0x29/0xe8

Freed by task 3284:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:505
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:582
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kmem_cache_free+0xc7/0x300 mm/slub.c:2980
 dst_destroy+0x1fd/0x360 net/core/dst.c:270
 dst_destroy_rcu+0x15/0x40 net/core/dst.c:295
 __rcu_reclaim kernel/rcu/rcu.h:118 [inline]
 rcu_do_batch kernel/rcu/tree.c:2789 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline]
 rcu_process_callbacks+0x898/0x1300 kernel/rcu/tree.c:3037
 __do_softirq+0x206/0x951 kernel/softirq.c:284

The buggy address belongs to the object at ffff8801cfc333c0
 which belongs to the cache ip_dst_cache of size 216
The buggy address is located 24 bytes inside of
 216-byte region [ffff8801cfc333c0, ffff8801cfc33498)
The buggy address belongs to the page:
page:ffffea00073f0cc0 count:1 mapcount:0 mapping:          (null) index:0x0
flags: 0x8000000000000080(slab)
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801cfc33280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801cfc33300: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc
>ffff8801cfc33380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                                    ^
 ffff8801cfc33400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801cfc33480: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Crashes (151):
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title
2018/01/27 04:34 | https://android.googlesource.com/kernel/common android-4.9 | 68d447c0a37b | 1d18b112 | .config | console log | report | syz | C | - | - | ci-android-49-kasan-gce | -
2018/01/24 20:49 | https://android.googlesource.com/kernel/common android-4.9 | e9dabe69deb8 | 866f1102 | .config | console log | report | syz | C | - | - | ci-android-49-kasan-gce | -
2018/01/22 16:02 | https://android.googlesource.com/kernel/common android-4.9 | e12a9c4458ff | 228e3d95 | .config | console log | report | syz | C | - | - | ci-android-49-kasan-gce | -
2018/01/22 01:59 | https://android.googlesource.com/kernel/common android-4.9 | e12a9c4458ff | fbbdcd92 | .config | console log | report | syz | C | - | - | ci-android-49-kasan-gce | -
2018/01/20 12:52 | https://android.googlesource.com/kernel/common android-4.9 | e12a9c4458ff | fbbdcd92 | .config | console log | report | syz | C | - | - | ci-android-49-kasan-gce | -
2018/01/18 12:02 | https://android.googlesource.com/kernel/common android-4.9 | 033d019ce29c | 56cc113a | .config | console log | report | syz | C | - | - | ci-android-49-kasan-gce | -
2018/02/09 09:40 | https://android.googlesource.com/kernel/common android-4.9 | 20c8a0089294 | 9fb5ec43 | .config | console log | report | syz | C | - | - | ci-android-49-kasan-gce-386 | -
2018/01/19 02:00 | https://android.googlesource.com/kernel/common android-4.9 | 87883134eb71 | 161c1d64 | .config | console log | report | syz | C | - | - | ci-android-49-kasan-gce-386 | -
2018/08/29 19:54 | https://android.googlesource.com/kernel/common android-4.9 | 09eb2ba5ed0c | 4937cb2b | .config | console log | report | - | - | - | - | ci-android-49-kasan-gce-root | -
2018/08/29 14:25 | https://android.googlesource.com/kernel/common android-4.9 | 09eb2ba5ed0c | 53ff8784 | .config | console log | report | - | - | - | - | ci-android-49-kasan-gce | -
2018/08/29 11:44 | https://android.googlesource.com/kernel/common android-4.9 | 09eb2ba5ed0c | 53ff8784 | .config | console log | report | - | - | - | - | ci-android-49-kasan-gce-root | -
2018/08/29 09:06 | https://android.googlesource.com/kernel/common android-4.9 | 09eb2ba5ed0c | 53ff8784 | .config | console log | report | - | - | - | - | ci-android-49-kasan-gce | -
2018/08/29 07:53 | https://android.googlesource.com/kernel/common android-4.9 | 09eb2ba5ed0c | 53ff8784 | .config | console log | report | - | - | - | - | ci-android-49-kasan-gce-root | -
2018/08/28 18:36 | https://android.googlesource.com/kernel/common android-4.9 | 09eb2ba5ed0c | b771b17e | .config | console log | report | - | - | - | - | ci-android-49-kasan-gce | -
2018/08/28 05:11 | https://android.googlesource.com/kernel/common android-4.9 | 09eb2ba5ed0c | 7ef1de9e | .config | console log | report | - | - | - | - | ci-android-49-kasan-gce | -
2018/08/28 02:31 | https://android.googlesource.com/kernel/common android-4.9 | 09eb2ba5ed0c | 7ef1de9e | .config | console log | report | - | - | - | - | ci-android-49-kasan-gce | -
2018/08/28 01:26 | https://android.googlesource.com/kernel/common android-4.9 | 09eb2ba5ed0c | 7ef1de9e | .config | console log | report | - | - | - | - | ci-android-49-kasan-gce | -
2018/08/27 11:28 | https://android.googlesource.com/kernel/common android-4.9 | 09eb2ba5ed0c | 758cd203 | .config | console log | report | - | - | - | - | ci-android-49-kasan-gce | -
2018/08/26 20:35 | https://android.googlesource.com/kernel/common android-4.9 | 09eb2ba5ed0c | 758cd203 | .config | console log | report | - | - | - | - | ci-android-49-kasan-gce | -
2018/08/26 16:33 | https://android.googlesource.com/kernel/common android-4.9 | 09eb2ba5ed0c | 758cd203 | .config | console log | report | - | - | - | - | ci-android-49-kasan-gce | -
2018/08/26 11:46 | https://android.googlesource.com/kernel/common android-4.9 | 09eb2ba5ed0c | 758cd203 | .config | console log | report | - | - | - | - | ci-android-49-kasan-gce-root | -
2018/08/25 17:01 | https://android.googlesource.com/kernel/common android-4.9 | 09eb2ba5ed0c | 9be5aa1d | .config | console log | report | - | - | - | - | ci-android-49-kasan-gce-root | -
2018/08/25 13:35 | https://android.googlesource.com/kernel/common android-4.9 | 09eb2ba5ed0c | 9be5aa1d | .config | console log | report | - | - | - | - | ci-android-49-kasan-gce | -
2018/08/25 12:21 | https://android.googlesource.com/kernel/common android-4.9 | 09eb2ba5ed0c | 9be5aa1d | .config | console log | report | - | - | - | - | ci-android-49-kasan-gce | -
2018/08/25 10:55 | https://android.googlesource.com/kernel/common android-4.9 | 09eb2ba5ed0c | 9be5aa1d | .config | console log | report | - | - | - | - | ci-android-49-kasan-gce | -
2018/08/25 08:02 | https://android.googlesource.com/kernel/common android-4.9 | 09eb2ba5ed0c | 9be5aa1d | .config | console log | report | - | - | - | - | ci-android-49-kasan-gce-root | -
2018/08/25 04:21 | https://android.googlesource.com/kernel/common android-4.9 | 6a1b5923548a | 9b0f5c75 | .config | console log | report | - | - | - | - | ci-android-49-kasan-gce-root | -
2018/08/25 02:44 | https://android.googlesource.com/kernel/common android-4.9 | 6a1b5923548a | 9b0f5c75 | .config | console log | report | - | - | - | - | ci-android-49-kasan-gce-root | -
2018/08/24 20:41 | https://android.googlesource.com/kernel/common android-4.9 | 6a1b5923548a | 9b0f5c75 | .config | console log | report | - | - | - | - | ci-android-49-kasan-gce | -
2018/08/24 12:41 | https://android.googlesource.com/kernel/common android-4.9 | 520d10d31ca4 | 95b5c82b | .config | console log | report | - | - | - | - | ci-android-49-kasan-gce | -
2018/08/24 07:59 | https://android.googlesource.com/kernel/common android-4.9 | 520d10d31ca4 | 95b5c82b | .config | console log | report | - | - | - | - | ci-android-49-kasan-gce | -
2018/08/24 02:18 | https://android.googlesource.com/kernel/common android-4.9 | 7fa8c15e72a4 | 95b5c82b | .config | console log | report | - | - | - | - | ci-android-49-kasan-gce | -
2018/08/24 00:12 | https://android.googlesource.com/kernel/common android-4.9 | 7fa8c15e72a4 | 95b5c82b | .config | console log | report | - | - | - | - | ci-android-49-kasan-gce-root | -
2018/08/23 23:36 | https://android.googlesource.com/kernel/common android-4.9 | 7fa8c15e72a4 | 95b5c82b | .config | console log | report | - | - | - | - | ci-android-49-kasan-gce-root | -
2018/08/23 21:17 | https://android.googlesource.com/kernel/common android-4.9 | 7fa8c15e72a4 | 95b5c82b | .config | console log | report | - | - | - | - | ci-android-49-kasan-gce-root | -
2018/08/23 21:16 | https://android.googlesource.com/kernel/common android-4.9 | 7fa8c15e72a4 | 95b5c82b | .config | console log | report | - | - | - | - | ci-android-49-kasan-gce | -
2018/08/23 13:47 | https://android.googlesource.com/kernel/common android-4.9 | 8dd3fc2ed765 | 95b5c82b | .config | console log | report | - | - | - | - | ci-android-49-kasan-gce | -
2018/08/28 22:37 | https://android.googlesource.com/kernel/common android-4.9 | 09eb2ba5ed0c | b771b17e | .config | console log | report | - | - | - | - | ci-android-49-kasan-gce-386 | -
2018/08/28 21:35 | https://android.googlesource.com/kernel/common android-4.9 | 09eb2ba5ed0c | b771b17e | .config | console log | report | - | - | - | - | ci-android-49-kasan-gce-386 | -
2018/08/28 19:15 | https://android.googlesource.com/kernel/common android-4.9 | 09eb2ba5ed0c | b771b17e | .config | console log | report | - | - | - | - | ci-android-49-kasan-gce-386 | -
2018/08/27 20:46 | https://android.googlesource.com/kernel/common android-4.9 | 09eb2ba5ed0c | 758cd203 | .config | console log | report | - | - | - | - | ci-android-49-kasan-gce-386 | -
2018/08/26 00:42 | https://android.googlesource.com/kernel/common android-4.9 | 09eb2ba5ed0c | 76e7c3df | .config | console log | report | - | - | - | - | ci-android-49-kasan-gce-386 | -
2018/08/25 15:58 | https://android.googlesource.com/kernel/common android-4.9 | 09eb2ba5ed0c | 9be5aa1d | .config | console log | report | - | - | - | - | ci-android-49-kasan-gce-386 | -
2018/08/25 01:32 | https://android.googlesource.com/kernel/common android-4.9 | 6a1b5923548a | 9b0f5c75 | .config | console log | report | - | - | - | - | ci-android-49-kasan-gce-386 | -
2018/08/24 19:35 | https://android.googlesource.com/kernel/common android-4.9 | 6a1b5923548a | 9b0f5c75 | .config | console log | report | - | - | - | - | ci-android-49-kasan-gce-386 | -
2018/08/24 15:24 | https://android.googlesource.com/kernel/common android-4.9 | 520d10d31ca4 | 95b5c82b | .config | console log | report | - | - | - | - | ci-android-49-kasan-gce-386 | -
2018/08/23 19:19 | https://android.googlesource.com/kernel/common android-4.9 | 7fa8c15e72a4 | 95b5c82b | .config | console log | report | - | - | - | - | ci-android-49-kasan-gce-386 | -
2018/08/23 12:42 | https://android.googlesource.com/kernel/common android-4.9 | 8dd3fc2ed765 | 95b5c82b | .config | console log | report | - | - | - | - | ci-android-49-kasan-gce-386 | -
* Struck through repros no longer work on HEAD.