syzbot

 sign-in | mailing list | source | docs
🐞 Open [977] Subsystems 🐞 Fixed [5235] 🐞 Invalid [12492] Missing Backports [83] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes 💬 Send us feedback

KASAN: use-after-free Read in __netif_receive_skb_core

Status: closed as invalid on 2017/11/01 19:36
Reported-by: syzbot+419bf7d71cf1114404ffddf98fbc58df0a3a3051@syzkaller.appspotmail.com
First crash: 2424d, last: 2402d
Similar bugs (2)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.19 KASAN: use-after-free Read in __netif_receive_skb_core syz error 20 752d 1293d 0/1 upstream: reported syz repro on 2020/10/08 04:31
linux-4.14 KASAN: use-after-free Read in __netif_receive_skb_core syz error 19 1020d 1437d 0/1 upstream: reported syz repro on 2020/05/16 19:24

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in deliver_ptype_list_skb net/core/dev.c:1871 [inline]
BUG: KASAN: use-after-free in __netif_receive_skb_core+0x2be3/0x33d0 net/core/dev.c:4406
Read of size 2 at addr ffff8801c64c7340 by task syzkaller279297/2991

CPU: 0 PID: 2991 Comm: syzkaller279297 Not tainted 4.13.0+ #81
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:16 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:52
 print_address_description+0x73/0x250 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report+0x24e/0x340 mm/kasan/report.c:409
 __asan_report_load2_noabort+0x14/0x20 mm/kasan/report.c:428
 deliver_ptype_list_skb net/core/dev.c:1871 [inline]
 __netif_receive_skb_core+0x2be3/0x33d0 net/core/dev.c:4406
 __netif_receive_skb+0x2c/0x1b0 net/core/dev.c:4461
 netif_receive_skb_internal+0x10b/0x670 net/core/dev.c:4534
 napi_skb_finish net/core/dev.c:4895 [inline]
 napi_gro_receive+0x3d0/0x500 net/core/dev.c:4926
 receive_buf+0xcc5/0x51f0 drivers/net/virtio_net.c:841
 virtnet_receive drivers/net/virtio_net.c:1087 [inline]
 virtnet_poll+0x304/0xad0 drivers/net/virtio_net.c:1168
 napi_poll net/core/dev.c:5537 [inline]
 net_rx_action+0x792/0x1910 net/core/dev.c:5603
 __do_softirq+0x2bb/0xbd0 kernel/softirq.c:284
 invoke_softirq kernel/softirq.c:364 [inline]
 irq_exit+0x1d3/0x210 kernel/softirq.c:405
 exiting_irq arch/x86/include/asm/apic.h:638 [inline]
 do_IRQ+0xf6/0x190 arch/x86/kernel/irq.c:253
 common_interrupt+0x9d/0x9d arch/x86/entry/entry_64.S:598
 </IRQ>
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:814 [inline]
RIP: 0010:lock_acquire+0x256/0x580 kernel/locking/lockdep.c:4005
RSP: 0018:ffff8801ce5eeb78 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff6e
RAX: dffffc0000000000 RBX: ffff8801ce706240 RCX: 0000000000000000
RDX: 1ffffffff0b592fd RSI: 00000000c74c155f RDI: 0000000000000282
RBP: ffff8801ce5eec70 R08: 0000000000000000 R09: 0000000000000001
R10: 0000000000000000 R11: ffffffff87060ca0 R12: 1ffff10039cbdd75
R13: 0000000000000000 R14: 0000000000000002 R15: 0000000000000000
 rcu_lock_acquire include/linux/rcupdate.h:244 [inline]
 rcu_read_lock include/linux/rcupdate.h:630 [inline]
 __is_insn_slot_addr+0xb4/0x330 kernel/kprobes.c:293
 is_kprobe_optinsn_slot include/linux/kprobes.h:344 [inline]
 __kernel_text_address+0x8f/0xe0 kernel/extable.c:111
 unwind_get_return_address+0x61/0xa0 arch/x86/kernel/unwind_frame.c:18
 __save_stack_trace+0x7e/0xd0 arch/x86/kernel/stacktrace.c:45
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:489
 kmem_cache_alloc+0x12e/0x760 mm/slab.c:3561
 dup_mmap kernel/fork.c:649 [inline]
 dup_mm kernel/fork.c:1179 [inline]
 copy_mm+0x8d7/0x1310 kernel/fork.c:1233
 copy_process.part.36+0x1eae/0x4af0 kernel/fork.c:1735
 copy_process kernel/fork.c:1548 [inline]
 _do_fork+0x1ef/0xfe0 kernel/fork.c:2027

Crashes (239):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2017/09/13 13:51 upstream 6d8ef53e8b2f c12eb94a .config console log report syz C ci-upstream-kasan-gce
2017/09/12 14:47 upstream c971aa3693e1 0bd6a0a5 .config console log report syz C ci-upstream-kasan-gce
2017/09/09 16:44 upstream 0e271fd59fe9 d18bfda0 .config console log report syz C ci-upstream-kasan-gce
2017/09/03 04:01 upstream d0d6ab53c9ab a54dce00 .config console log report syz C ci-upstream-kasan-gce
2017/09/02 20:04 upstream d0d6ab53c9ab a54dce00 .config console log report syz C ci-upstream-kasan-gce
2017/09/02 18:41 upstream d0d6ab53c9ab a54dce00 .config console log report syz C ci-upstream-kasan-gce
2017/09/12 03:08 net-next-old ad9a19d00370 96b8e399 .config console log report syz C ci-upstream-net-kasan-gce
2017/09/07 16:59 net-next-old 80cee03bf1d6 d18bfda0 .config console log report syz C ci-upstream-net-kasan-gce
2017/09/02 19:36 net-next-old 32d9b70a053a a54dce00 .config console log report syz C ci-upstream-net-kasan-gce
2017/09/24 17:05 mmots 720bbe532b7c c26ea367 .config console log report syz C ci-upstream-mmots-kasan-gce
2017/09/22 03:48 mmots 720bbe532b7c c26ea367 .config console log report syz C ci-upstream-mmots-kasan-gce
2017/09/21 22:41 mmots 720bbe532b7c c26ea367 .config console log report syz C ci-upstream-mmots-kasan-gce
2017/09/21 12:06 mmots 720bbe532b7c c26ea367 .config console log report syz C ci-upstream-mmots-kasan-gce
2017/09/21 09:52 mmots 720bbe532b7c c26ea367 .config console log report syz C ci-upstream-mmots-kasan-gce
2017/09/20 14:53 mmots 720bbe532b7c c26ea367 .config console log report syz C ci-upstream-mmots-kasan-gce
2017/09/20 10:52 mmots 720bbe532b7c c26ea367 .config console log report syz C ci-upstream-mmots-kasan-gce
2017/09/20 08:47 mmots 720bbe532b7c c26ea367 .config console log report syz C ci-upstream-mmots-kasan-gce
2017/09/20 08:31 mmots 720bbe532b7c c26ea367 .config console log report syz C ci-upstream-mmots-kasan-gce
2017/09/19 11:42 mmots 720bbe532b7c c26ea367 .config console log report syz C ci-upstream-mmots-kasan-gce
2017/09/19 07:15 mmots 720bbe532b7c c26ea367 .config console log report syz C ci-upstream-mmots-kasan-gce
2017/09/19 02:51 mmots 720bbe532b7c c26ea367 .config console log report syz C ci-upstream-mmots-kasan-gce
2017/09/19 00:41 mmots 720bbe532b7c c26ea367 .config console log report syz C ci-upstream-mmots-kasan-gce
2017/09/13 14:18 linux-next 6f20b7a58cb9 96b8e399 .config console log report syz C skylake-linux-next-kasan-qemu
2017/09/09 16:44 linux-next 58bcd35f859b d18bfda0 .config console log report syz C skylake-linux-next-kasan-qemu
2017/09/09 16:39 linux-next 58bcd35f859b d18bfda0 .config console log report syz C skylake-linux-next-kasan-qemu
2017/09/08 01:40 linux-next c6be5a0e3ceb 0ed1da4a .config console log report syz C skylake-linux-next-kasan-qemu
2017/09/04 17:33 linux-next 9829d9f31f6c f400a0da .config console log report syz C ci-upstream-next-kasan-gce
2017/09/04 07:21 linux-next 1d53d908b79d a54dce00 .config console log report syz C ci-upstream-next-kasan-gce
2017/09/04 01:47 linux-next 1d53d908b79d a54dce00 .config console log report syz C ci-upstream-next-kasan-gce
2017/09/04 01:12 linux-next 1d53d908b79d a54dce00 .config console log report syz C ci-upstream-next-kasan-gce
2017/09/15 03:01 upstream 7a95bdb092c6 96b8e399 .config console log report ci-upstream-kasan-gce
2017/09/11 07:20 upstream d719518d9ce9 d18bfda0 .config console log report ci-upstream-kasan-gce
2017/09/19 16:41 upstream 12fcf66e74b1 d394531e .config console log report ci-upstream-kasan-gce-386
2017/09/23 19:11 net-next-old 3fb5ec06578e c26ea367 .config console log report ci-upstream-net-kasan-gce
2017/09/23 09:01 net-next-old dd5437974964 c26ea367 .config console log report ci-upstream-net-kasan-gce
2017/09/17 23:27 net-next-old 2bd6bf03f4c1 96b8e399 .config console log report ci-upstream-net-kasan-gce
2017/09/10 00:14 net-next-old ad9a19d00370 96b8e399 .config console log report ci-upstream-net-kasan-gce
2017/09/09 08:00 net-next-old 80cee03bf1d6 d18bfda0 .config console log report ci-upstream-net-kasan-gce
2017/09/08 17:18 net-next-old 80cee03bf1d6 d18bfda0 .config console log report ci-upstream-net-kasan-gce
2017/09/08 10:14 net-next-old 80cee03bf1d6 d18bfda0 .config console log report ci-upstream-net-kasan-gce
2017/09/08 08:27 net-next-old 80cee03bf1d6 d18bfda0 .config console log report ci-upstream-net-kasan-gce
2017/09/20 05:26 mmots 720bbe532b7c c26ea367 .config console log report ci-upstream-mmots-kasan-gce
2017/09/19 16:11 linux-next 840cc455c5f5 92f543f0 .config console log report ci-upstream-next-kasan-gce
2017/09/19 12:58 linux-next 840cc455c5f5 92f543f0 .config console log report skylake-linux-next-kasan-qemu
2017/09/16 03:38 linux-next 1f183459b514 da1873aa .config console log report skylake-linux-next-kasan-qemu
2017/09/14 21:30 linux-next 31fc38c47623 96b8e399 .config console log report skylake-linux-next-kasan-qemu
2017/09/14 13:23 linux-next 31fc38c47623 96b8e399 .config console log report skylake-linux-next-kasan-qemu
2017/09/14 08:08 linux-next 31fc38c47623 96b8e399 .config console log report skylake-linux-next-kasan-qemu
2017/09/04 18:39 linux-next 9829d9f31f6c f400a0da .config console log report skylake-linux-next-kasan-qemu
2017/09/03 17:52 linux-next 1d53d908b79d a54dce00 .config console log report ci-upstream-next-kasan-gce
* Struck through repros no longer work on HEAD.