syzbot |
sign-in | mailing list | source | docs |
| Kernel | Title | Rank 🛈 | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|---|
| linux-4.14 | KASAN: use-after-free Read in bpf_skb_change_tail | 19 | 1 | 2160d | 2160d | 0/1 | auto-closed as invalid on 2019/12/13 14:45 | |||
| android-414 | KASAN: use-after-free Read in bpf_skb_change_tail (2) | 19 | C | 3 | 2160d | 2165d | 0/1 | public: reported C repro on 2019/08/10 10:38 |
================================================================== BUG: KASAN: use-after-free in ____bpf_skb_change_tail net/core/filter.c:2370 [inline] BUG: KASAN: use-after-free in bpf_skb_change_tail+0xa2c/0xb90 net/core/filter.c:2367 Read of size 8 at addr ffff8801d3c556d0 by task syz-executor1/23888 CPU: 1 PID: 23888 Comm: syz-executor1 Not tainted 4.14.81+ #6 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0xb9/0x11b lib/dump_stack.c:53 print_address_description+0x60/0x22b mm/kasan/report.c:252 kasan_report_error mm/kasan/report.c:351 [inline] kasan_report.cold.6+0x11b/0x2dd mm/kasan/report.c:409 ____bpf_skb_change_tail net/core/filter.c:2370 [inline] bpf_skb_change_tail+0xa2c/0xb90 net/core/filter.c:2367 ___bpf_prog_run+0x248e/0x5c70 kernel/bpf/core.c:1012 Allocated by task 6176: save_stack mm/kasan/kasan.c:447 [inline] set_track mm/kasan/kasan.c:459 [inline] kasan_kmalloc.part.1+0x4f/0xd0 mm/kasan/kasan.c:551 slab_post_alloc_hook mm/slab.h:442 [inline] slab_alloc_node mm/slub.c:2723 [inline] slab_alloc mm/slub.c:2731 [inline] kmem_cache_alloc+0xe4/0x2b0 mm/slub.c:2736 kmem_cache_alloc_node include/linux/slab.h:361 [inline] __alloc_skb+0xd8/0x550 net/core/skbuff.c:193 alloc_skb include/linux/skbuff.h:980 [inline] nlmsg_new include/net/netlink.h:511 [inline] inet6_netconf_notify_devconf+0x6f/0x140 net/ipv6/addrconf.c:591 __addrconf_sysctl_unregister.isra.17+0x9c/0xd0 net/ipv6/addrconf.c:6471 addrconf_sysctl_unregister+0x87/0xf0 net/ipv6/addrconf.c:6495 addrconf_ifdown+0xdd9/0x12e0 net/ipv6/addrconf.c:3755 addrconf_notify+0x8f1/0x1b30 net/ipv6/addrconf.c:3525 notifier_call_chain+0x114/0x1b0 kernel/notifier.c:93 call_netdevice_notifiers net/core/dev.c:1687 [inline] rollback_registered_many+0x6b5/0xac0 net/core/dev.c:7206 unregister_netdevice_many+0x43/0x210 net/core/dev.c:8255 sit_exit_net+0x42a/0x600 net/ipv6/sit.c:1868 ops_exit_list.isra.3+0xa8/0x150 net/core/net_namespace.c:142 cleanup_net+0x3e9/0x880 net/core/net_namespace.c:483 process_one_work+0x86e/0x1670 kernel/workqueue.c:2114 worker_thread+0xdc/0x1000 kernel/workqueue.c:2248 kthread+0x348/0x420 kernel/kthread.c:232 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:402 Freed by task 6176: save_stack mm/kasan/kasan.c:447 [inline] set_track mm/kasan/kasan.c:459 [inline] kasan_slab_free+0xac/0x190 mm/kasan/kasan.c:524 slab_free_hook mm/slub.c:1389 [inline] slab_free_freelist_hook mm/slub.c:1410 [inline] slab_free mm/slub.c:2966 [inline] kmem_cache_free+0x12d/0x350 mm/slub.c:2988 kfree_skbmem+0x9e/0x100 net/core/skbuff.c:582 __kfree_skb net/core/skbuff.c:642 [inline] consume_skb+0xc9/0x330 net/core/skbuff.c:701 netlink_broadcast_filtered+0x2b7/0xa30 net/netlink/af_netlink.c:1488 netlink_broadcast+0x35/0x40 net/netlink/af_netlink.c:1510 nlmsg_multicast include/net/netlink.h:591 [inline] nlmsg_notify+0x86/0x150 net/netlink/af_netlink.c:2475 inet6_netconf_notify_devconf+0xc1/0x140 net/ipv6/addrconf.c:603 __addrconf_sysctl_unregister.isra.17+0x9c/0xd0 net/ipv6/addrconf.c:6471 addrconf_sysctl_unregister+0x87/0xf0 net/ipv6/addrconf.c:6495 addrconf_ifdown+0xdd9/0x12e0 net/ipv6/addrconf.c:3755 addrconf_notify+0x8f1/0x1b30 net/ipv6/addrconf.c:3525 notifier_call_chain+0x114/0x1b0 kernel/notifier.c:93 call_netdevice_notifiers net/core/dev.c:1687 [inline] rollback_registered_many+0x6b5/0xac0 net/core/dev.c:7206 unregister_netdevice_many+0x43/0x210 net/core/dev.c:8255 sit_exit_net+0x42a/0x600 net/ipv6/sit.c:1868 ops_exit_list.isra.3+0xa8/0x150 net/core/net_namespace.c:142 cleanup_net+0x3e9/0x880 net/core/net_namespace.c:483 process_one_work+0x86e/0x1670 kernel/workqueue.c:2114 worker_thread+0xdc/0x1000 kernel/workqueue.c:2248 kthread+0x348/0x420 kernel/kthread.c:232 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:402 The buggy address belongs to the object at ffff8801d3c55640 which belongs to the cache skbuff_head_cache of size 224 The buggy address is located 144 bytes inside of 224-byte region [ffff8801d3c55640, ffff8801d3c55720) The buggy address belongs to the page: page:ffffea00074f1540 count:1 mapcount:0 mapping: (null) index:0x0 flags: 0x4000000000000100(slab) raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c raw: ffffea00072bf840 0000000700000007 ffff8801dab70200 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8801d3c55580: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ffff8801d3c55600: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb >ffff8801d3c55680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801d3c55700: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc ffff8801d3c55780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2018/11/19 04:12 | android-4.14 | 4e76528bd48d | adf636a8 | .config | console log | report | ci-android-414-kasan-gce-root | |||||
| 2018/10/04 12:01 | android-4.14 | 8c958cd74663 | 8b311eaf | .config | console log | report | ci-android-414-kasan-gce-root |