syzbot |
sign-in | mailing list | source | docs |
| 🐞 Open [712] 🐞 Fixed [297] 🐞 Invalid [838] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes | 💬 Send us feedback |
| Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|
| upstream | KASAN: use-after-free Read in tcf_action_destroy net | C | done | 8 | 1299d | 1314d | 15/26 | fixed on 2020/11/16 12:12 | |
| upstream | KASAN: slab-use-after-free Read in tcf_action_destroy net | C | error | 32 | 350d | 425d | 22/26 | fixed on 2023/06/08 14:41 |
| Created | Duration | User | Patch | Repo | Result |
|---|---|---|---|---|---|
| 2021/10/19 07:36 | 13m | bisect fix | linux-4.19.y | error job log (0) | |
| 2021/09/19 06:31 | 38m | bisect fix | linux-4.19.y | job log (0) log | |
| 2021/08/20 06:00 | 31m | bisect fix | linux-4.19.y | job log (0) log | |
| 2021/07/21 05:25 | 35m | bisect fix | linux-4.19.y | job log (0) log | |
| 2021/06/21 04:46 | 37m | bisect fix | linux-4.19.y | job log (0) log | |
| 2021/05/21 17:00 | 31m | bisect fix | linux-4.19.y | job log (0) log | |
| 2021/04/21 16:30 | 29m | bisect fix | linux-4.19.y | job log (0) log | |
| 2021/03/22 15:35 | 27m | bisect fix | linux-4.19.y | job log (0) log | |
| 2021/02/20 15:05 | 29m | bisect fix | linux-4.19.y | job log (0) log | |
| 2021/02/17 21:15 | 19m | bisect fix | linux-4.19.y | error job log (0) | |
| 2021/02/04 00:14 | 1m | bisect fix | linux-4.19.y | error job log (0) | |
| 2021/01/04 23:26 | 29m | bisect fix | linux-4.19.y | job log (0) log | |
| 2020/12/05 23:00 | 26m | bisect fix | linux-4.19.y | job log (0) log | |
| 2020/10/25 05:46 | 24m | bisect fix | linux-4.19.y | job log (0) log |
netlink: 32 bytes leftover after parsing attributes in process `syz-executor703'. netlink: 32 bytes leftover after parsing attributes in process `syz-executor703'. netlink: 32 bytes leftover after parsing attributes in process `syz-executor703'. ================================================================== BUG: KASAN: use-after-free in tcf_action_destroy+0x188/0x1b0 net/sched/act_api.c:655 Read of size 8 at addr ffff88809fad7bc0 by task syz-executor703/6504 CPU: 0 PID: 6504 Comm: syz-executor703 Not tainted 4.19.147-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x22c/0x33e lib/dump_stack.c:118 print_address_description.cold+0x56/0x25c mm/kasan/report.c:256 kasan_report_error.cold+0x66/0xb9 mm/kasan/report.c:354 kasan_report mm/kasan/report.c:412 [inline] __asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433 tcf_action_destroy+0x188/0x1b0 net/sched/act_api.c:655 tcf_action_init+0x2ff/0x490 net/sched/act_api.c:949 tcf_action_add+0xd9/0x360 net/sched/act_api.c:1314 tc_ctl_action+0x337/0x417 net/sched/act_api.c:1369 rtnetlink_rcv_msg+0x498/0xc10 net/core/rtnetlink.c:4778 netlink_rcv_skb+0x160/0x440 net/netlink/af_netlink.c:2455 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x4d5/0x690 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x717/0xcc0 net/netlink/af_netlink.c:1909 sock_sendmsg_nosec net/socket.c:622 [inline] sock_sendmsg+0xc7/0x130 net/socket.c:632 ___sys_sendmsg+0x7bb/0x8f0 net/socket.c:2115 __sys_sendmsg net/socket.c:2153 [inline] __do_sys_sendmsg net/socket.c:2162 [inline] __se_sys_sendmsg net/socket.c:2160 [inline] __x64_sys_sendmsg+0x132/0x220 net/socket.c:2160 do_syscall_64+0xf9/0x670 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x446d29 Code: e8 0c e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db 06 fc ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007fc5afe92d98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00000000006dbc28 RCX: 0000000000446d29 RDX: 0000000000000000 RSI: 0000000020002980 RDI: 0000000000000003 RBP: 00000000006dbc20 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc2c R13: 0001008400000000 R14: 0000000000000000 R15: 053b003000000098 Allocated by task 6503: __do_kmalloc mm/slab.c:3727 [inline] __kmalloc+0x15a/0x4f0 mm/slab.c:3736 kmalloc include/linux/slab.h:520 [inline] kzalloc include/linux/slab.h:709 [inline] tcf_idr_create+0x5b/0x650 net/sched/act_api.c:361 tcf_connmark_init+0x4f3/0x7fa net/sched/act_connmark.c:127 tcf_action_init_1+0x962/0xc40 net/sched/act_api.c:870 tcf_action_init+0x2c3/0x490 net/sched/act_api.c:933 tcf_action_add+0xd9/0x360 net/sched/act_api.c:1314 tc_ctl_action+0x337/0x417 net/sched/act_api.c:1369 rtnetlink_rcv_msg+0x498/0xc10 net/core/rtnetlink.c:4778 netlink_rcv_skb+0x160/0x440 net/netlink/af_netlink.c:2455 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x4d5/0x690 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x717/0xcc0 net/netlink/af_netlink.c:1909 sock_sendmsg_nosec net/socket.c:622 [inline] sock_sendmsg+0xc7/0x130 net/socket.c:632 ___sys_sendmsg+0x7bb/0x8f0 net/socket.c:2115 __sys_sendmsg net/socket.c:2153 [inline] __do_sys_sendmsg net/socket.c:2162 [inline] __se_sys_sendmsg net/socket.c:2160 [inline] __x64_sys_sendmsg+0x132/0x220 net/socket.c:2160 do_syscall_64+0xf9/0x670 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 6524: __cache_free mm/slab.c:3503 [inline] kfree+0xcc/0x250 mm/slab.c:3822 __tcf_action_put+0xf4/0x130 net/sched/act_api.c:112 __tcf_idr_release net/sched/act_api.c:142 [inline] __tcf_idr_release net/sched/act_api.c:122 [inline] tcf_del_walker net/sched/act_api.c:266 [inline] tcf_generic_walker+0x62d/0xa20 net/sched/act_api.c:292 tca_action_flush net/sched/act_api.c:1142 [inline] tca_action_gd+0x95f/0x1720 net/sched/act_api.c:1248 tc_ctl_action+0x27d/0x417 net/sched/act_api.c:1377 rtnetlink_rcv_msg+0x498/0xc10 net/core/rtnetlink.c:4778 netlink_rcv_skb+0x160/0x440 net/netlink/af_netlink.c:2455 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x4d5/0x690 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x717/0xcc0 net/netlink/af_netlink.c:1909 sock_sendmsg_nosec net/socket.c:622 [inline] sock_sendmsg+0xc7/0x130 net/socket.c:632 ___sys_sendmsg+0x7bb/0x8f0 net/socket.c:2115 __sys_sendmsg net/socket.c:2153 [inline] __do_sys_sendmsg net/socket.c:2162 [inline] __se_sys_sendmsg net/socket.c:2160 [inline] __x64_sys_sendmsg+0x132/0x220 net/socket.c:2160 do_syscall_64+0xf9/0x670 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe The buggy address belongs to the object at ffff88809fad7bc0 which belongs to the cache kmalloc-256 of size 256 The buggy address is located 0 bytes inside of 256-byte region [ffff88809fad7bc0, ffff88809fad7cc0) The buggy address belongs to the page: page:ffffea00027eb5c0 count:1 mapcount:0 mapping:ffff88812c3f67c0 index:0xffff88809fad7e40 flags: 0xfffe0000000100(slab) raw: 00fffe0000000100 ffffea00027e3c88 ffffea00027f3648 ffff88812c3f67c0 raw: ffff88809fad7e40 ffff88809fad7080 0000000100000004 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88809fad7a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88809fad7b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff88809fad7b80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ^ ffff88809fad7c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88809fad7c80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ==================================================================
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2020/09/25 05:46 | linux-4.19.y | d09b80172c22 | 54289b08 | .config | console log | report | syz | C | ci2-linux-4-19 | |||
| 2020/11/05 23:00 | linux-4.19.y | b94de4d19498 | cba33199 | .config | console log | report | info | ci2-linux-4-19 |