syzbot

KASAN: use-after-free Read in blk_trace_startstop

Status: auto-closed as invalid on 2019/02/22 12:59
First crash: 2085d, last: 2085d
Similar bugs (1)
- Kernel: linux-4.14
  Title: KASAN: use-after-free Read in blk_trace_startstop
  Count: 1
  Last: 1573d
  Reported: 1573d
  Patched: 0/1
  Status: auto-closed as invalid on 2020/04/26 10:55

Sample crash report:
binder: undelivered TRANSACTION_ERROR: 29189
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=1564 sclass=netlink_route_socket pig=15384 comm=syz-executor6
netlink: 76 bytes leftover after parsing attributes in process `syz-executor7'.
==================================================================
BUG: KASAN: use-after-free in __list_add+0x183/0x1c0 lib/list_debug.c:26
Read of size 8 at addr ffff8801c00aba20 by task syz-executor6/15505

CPU: 0 PID: 15505 Comm: syz-executor6 Not tainted 4.9.116-g0137ea2 #70
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d7c07a00 ffffffff81eb46a9 ffffea0007002ac0 ffff8801c00aba20
 0000000000000000 ffff8801c00aba20 0000000000000001 ffff8801d7c07a38
 ffffffff81567d49 ffff8801c00aba20 0000000000000008 0000000000000000
Call Trace:
 [<ffffffff81eb46a9>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81eb46a9>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff81567d49>] print_address_description+0x6c/0x234 mm/kasan/report.c:256
 [<ffffffff81568153>] kasan_report_error mm/kasan/report.c:355 [inline]
 [<ffffffff81568153>] kasan_report.cold.6+0x242/0x2fe mm/kasan/report.c:412
 [<ffffffff8153bcd4>] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 [<ffffffff81f1c3e3>] __list_add+0x183/0x1c0 lib/list_debug.c:26
 [<ffffffff813b219c>] list_add include/linux/list.h:63 [inline]
 [<ffffffff813b219c>] blk_trace_startstop+0x24c/0x340 kernel/trace/blktrace.c:626
 [<ffffffff8277aa4d>] sg_ioctl+0x11ad/0x2940 drivers/scsi/sg.c:1135
 [<ffffffff815b2e5c>] vfs_ioctl fs/ioctl.c:43 [inline]
 [<ffffffff815b2e5c>] file_ioctl fs/ioctl.c:493 [inline]
 [<ffffffff815b2e5c>] do_vfs_ioctl+0x1ac/0x11a0 fs/ioctl.c:677
 [<ffffffff815b3edf>] SYSC_ioctl fs/ioctl.c:694 [inline]
 [<ffffffff815b3edf>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
 [<ffffffff81006316>] do_syscall_64+0x1a6/0x490 arch/x86/entry/common.c:282
 [<ffffffff839fbc13>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb

Allocated by task 3841:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:505
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:609
 kmem_cache_alloc_trace+0xfd/0x2b0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 sock_alloc_inode+0x66/0x260 net/socket.c:253
 alloc_inode+0x63/0x180 fs/inode.c:207
 new_inode_pseudo+0x17/0xe0 fs/inode.c:890
 sock_alloc+0x41/0x280 net/socket.c:567
 __sock_create+0x8d/0x5f0 net/socket.c:1146
 sock_create net/socket.c:1222 [inline]
 SYSC_socket net/socket.c:1252 [inline]
 SyS_socket+0xf0/0x1b0 net/socket.c:1232
 do_syscall_64+0x1a6/0x490 arch/x86/entry/common.c:282
 entry_SYSCALL_64_after_swapgs+0x5d/0xdb

Freed by task 17:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:505
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:582
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xfb/0x310 mm/slub.c:3878
 __rcu_reclaim kernel/rcu/rcu.h:113 [inline]
 rcu_do_batch kernel/rcu/tree.c:2789 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline]
 rcu_process_callbacks+0x9d5/0x12b0 kernel/rcu/tree.c:3037
 __do_softirq+0x20b/0x937 kernel/softirq.c:284

The buggy address belongs to the object at ffff8801c00ab9c0
 which belongs to the cache kmalloc-128 of size 128
The buggy address is located 96 bytes inside of
 128-byte region [ffff8801c00ab9c0, ffff8801c00aba40)
The buggy address belongs to the page:
page:ffffea0007002ac0 count:1 mapcount:0 mapping:          (null) index:0x0
flags: 0x8000000000000080(slab)
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801c00ab900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801c00ab980: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8801c00aba00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
                               ^
 ffff8801c00aba80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801c00abb00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
==================================================================

Crashes (1):
- Time: 2018/08/03 03:26
  Kernel: https://android.googlesource.com/kernel/common android-4.9
  Commit: 0137ea2134c0
  Syzkaller: 5b7e23bb
  Config: .config
  Log: console log
  Report: report
  Manager: ci-android-49-kasan-gce