syzbot |
sign-in | mailing list | source | docs |
| 🐞 Open [736] 🐞 Fixed [297] 🐞 Invalid [814] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes | 💬 Send us feedback |
| Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|
| android-49 | KASAN: use-after-free Read in __queue_work | C | 19 | 1678d | 1440d | 0/3 | public: reported C repro on 2019/04/13 00:00 | ||
| linux-4.14 | KASAN: use-after-free Read in __queue_work | syz | error | 4 | 197d | 961d | 0/1 | upstream: reported syz repro on 2020/08/03 15:06 | |
| upstream | KASAN: use-after-free Read in __queue_work | syz | 2 | 2008d | 1972d | 0/24 | closed as invalid on 2017/10/27 09:34 | ||
| upstream | KASAN: use-after-free Read in __queue_work (3) bluetooth | syz | done | done | 83 | 127d | 956d | 0/24 | upstream: reported syz repro on 2020/08/08 21:27 |
| upstream | KASAN: use-after-free Read in __queue_work (2) | C | done | done | 577 | 1364d | 1718d | 16/24 | fixed on 2020/01/08 01:07 |
| upstream | general protection fault in __queue_work (2) | C | done | 7043 | 342d | 1111d | 0/24 | auto-obsoleted due to no activity on 2022/11/16 06:42 | |
| linux-4.19 | general protection fault in __queue_work (2) | 1 | 434d | 434d | 0/1 | auto-closed as invalid on 2022/05/12 22:08 |
================================================================== BUG: KASAN: use-after-free in __queue_work+0xdff/0x1100 syzkaller/managers/linux-4-19/kernel/kernel/workqueue.c:1383 Read of size 4 at addr ffff8880b3b02b80 by task syz-executor.5/14347 CPU: 0 PID: 14347 Comm: syz-executor.5 Not tainted 4.19.172-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack syzkaller/managers/linux-4-19/kernel/lib/dump_stack.c:77 [inline] dump_stack+0x1fc/0x2ef syzkaller/managers/linux-4-19/kernel/lib/dump_stack.c:118 print_address_description.cold+0x54/0x219 syzkaller/managers/linux-4-19/kernel/mm/kasan/report.c:256 kasan_report_error.cold+0x8a/0x1b9 syzkaller/managers/linux-4-19/kernel/mm/kasan/report.c:354 kasan_report syzkaller/managers/linux-4-19/kernel/mm/kasan/report.c:412 [inline] __asan_report_load4_noabort+0x88/0x90 syzkaller/managers/linux-4-19/kernel/mm/kasan/report.c:432 __queue_work+0xdff/0x1100 syzkaller/managers/linux-4-19/kernel/kernel/workqueue.c:1383 queue_work_on+0x17e/0x1f0 syzkaller/managers/linux-4-19/kernel/kernel/workqueue.c:1488 queue_work syzkaller/managers/linux-4-19/kernel/./include/linux/workqueue.h:512 [inline] req_run+0x2d4/0x500 syzkaller/managers/linux-4-19/kernel/net/bluetooth/hci_request.c:87 hci_req_run_skb syzkaller/managers/linux-4-19/kernel/net/bluetooth/hci_request.c:99 [inline] __hci_req_sync+0x212/0x8a0 syzkaller/managers/linux-4-19/kernel/net/bluetooth/hci_request.c:212 hci_req_sync+0x7d/0xb0 syzkaller/managers/linux-4-19/kernel/net/bluetooth/hci_request.c:279 hci_inquiry+0x6a6/0x920 syzkaller/managers/linux-4-19/kernel/net/bluetooth/hci_core.c:1310 hci_sock_ioctl+0x1a7/0x7d0 syzkaller/managers/linux-4-19/kernel/net/bluetooth/hci_sock.c:1048 sock_do_ioctl+0xcb/0x2d0 syzkaller/managers/linux-4-19/kernel/net/socket.c:950 sock_ioctl+0x2ef/0x5d0 syzkaller/managers/linux-4-19/kernel/net/socket.c:1074 vfs_ioctl syzkaller/managers/linux-4-19/kernel/fs/ioctl.c:46 [inline] file_ioctl syzkaller/managers/linux-4-19/kernel/fs/ioctl.c:501 [inline] do_vfs_ioctl+0xcdb/0x12e0 syzkaller/managers/linux-4-19/kernel/fs/ioctl.c:688 ksys_ioctl+0x9b/0xc0 syzkaller/managers/linux-4-19/kernel/fs/ioctl.c:705 __do_sys_ioctl syzkaller/managers/linux-4-19/kernel/fs/ioctl.c:712 [inline] __se_sys_ioctl syzkaller/managers/linux-4-19/kernel/fs/ioctl.c:710 [inline] __x64_sys_ioctl+0x6f/0xb0 syzkaller/managers/linux-4-19/kernel/fs/ioctl.c:710 do_syscall_64+0xf9/0x620 syzkaller/managers/linux-4-19/kernel/arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x465b09 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f1157c8f188 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 000000000056c0b0 RCX: 0000000000465b09 RDX: 0000000020000240 RSI: 00000000800448f0 RDI: 0000000000000005 RBP: 00000000004b069f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056c0b0 R13: 00007ffe571d8e5f R14: 00007f1157c8f300 R15: 0000000000022000 Allocated by task 25: __do_kmalloc syzkaller/managers/linux-4-19/kernel/mm/slab.c:3727 [inline] __kmalloc+0x15a/0x3c0 syzkaller/managers/linux-4-19/kernel/mm/slab.c:3736 kmalloc syzkaller/managers/linux-4-19/kernel/./include/linux/slab.h:520 [inline] kzalloc syzkaller/managers/linux-4-19/kernel/./include/linux/slab.h:709 [inline] __alloc_workqueue_key+0x789/0xed0 syzkaller/managers/linux-4-19/kernel/kernel/workqueue.c:4094 hci_register_dev+0x1ce/0x960 syzkaller/managers/linux-4-19/kernel/net/bluetooth/hci_core.c:3179 __vhci_create_device+0x2b5/0x580 syzkaller/managers/linux-4-19/kernel/drivers/bluetooth/hci_vhci.c:139 vhci_create_device syzkaller/managers/linux-4-19/kernel/drivers/bluetooth/hci_vhci.c:163 [inline] vhci_open_timeout+0x35/0x50 syzkaller/managers/linux-4-19/kernel/drivers/bluetooth/hci_vhci.c:319 process_one_work+0x864/0x1570 syzkaller/managers/linux-4-19/kernel/kernel/workqueue.c:2155 worker_thread+0x64c/0x1130 syzkaller/managers/linux-4-19/kernel/kernel/workqueue.c:2298 kthread+0x33f/0x460 syzkaller/managers/linux-4-19/kernel/kernel/kthread.c:259 ret_from_fork+0x24/0x30 syzkaller/managers/linux-4-19/kernel/arch/x86/entry/entry_64.S:415 Freed by task 9: __cache_free syzkaller/managers/linux-4-19/kernel/mm/slab.c:3503 [inline] kfree+0xcc/0x210 syzkaller/managers/linux-4-19/kernel/mm/slab.c:3822 __rcu_reclaim syzkaller/managers/linux-4-19/kernel/kernel/rcu/rcu.h:236 [inline] rcu_do_batch syzkaller/managers/linux-4-19/kernel/kernel/rcu/tree.c:2584 [inline] invoke_rcu_callbacks syzkaller/managers/linux-4-19/kernel/kernel/rcu/tree.c:2897 [inline] __rcu_process_callbacks syzkaller/managers/linux-4-19/kernel/kernel/rcu/tree.c:2864 [inline] rcu_process_callbacks+0x8ff/0x18b0 syzkaller/managers/linux-4-19/kernel/kernel/rcu/tree.c:2881 __do_softirq+0x265/0x980 syzkaller/managers/linux-4-19/kernel/kernel/softirq.c:292 The buggy address belongs to the object at ffff8880b3b02a00 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 384 bytes inside of 512-byte region [ffff8880b3b02a00, ffff8880b3b02c00) The buggy address belongs to the page: page:ffffea0002cec080 count:1 mapcount:0 mapping:ffff88813bff0940 index:0xffff8880b3b02280 flags: 0xfff00000000100(slab) raw: 00fff00000000100 ffffea0002770148 ffffea00026de6c8 ffff88813bff0940 raw: ffff8880b3b02280 ffff8880b3b02000 0000000100000001 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880b3b02a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880b3b02b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8880b3b02b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880b3b02c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8880b3b02c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================
| Manager | Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ci2-linux-4-19 | 2021/02/11 01:48 | linux-4.19.y | 811218eceeaa | a52ee10a | .config | console log | report | syz | KASAN: use-after-free Read in __queue_work | |||
| ci2-linux-4-19 | 2020/08/05 06:46 | linux-4.19.y | 13af6c74b14a | 02034dac | .config | console log | report | syz | ||||
| ci2-linux-4-19 | 2020/08/03 04:15 | linux-4.19.y | 13af6c74b14a | 96dd3623 | .config | console log | report | syz | ||||
| ci2-linux-4-19 | 2021/01/04 15:49 | linux-4.19.y | 3207316b3bee | 79264ae3 | .config | console log | report | info | ||||
| ci2-linux-4-19 | 2020/08/22 03:25 | linux-4.19.y | d18b78abc0c6 | 6436ce4b | .config | console log | report |