syzbot |
sign-in | mailing list | source | docs |
| 🐞 Open [708] 🐞 Fixed [181] 🐞 Invalid [624] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes |
| Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|
| linux-4.19 | KASAN: slab-out-of-bounds Read in tcf_exts_destroy | C | done | 1 | 1093d | 1209d | 1/1 | fixed on 2020/03/11 23:02 | |
| upstream | KASAN: slab-out-of-bounds Read in tcf_exts_destroy | C | done | error | 8 | 1207d | 1110d | 16/24 | fixed on 2020/02/18 14:31 |
IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready 8021q: adding VLAN 0 to HW filter on device batadv0 protocol 88fb is buggy, dev hsr_slave_0 protocol 88fb is buggy, dev hsr_slave_1 ================================================================== BUG: KASAN: slab-out-of-bounds in tcf_exts_to_list include/net/pkt_cls.h:150 [inline] BUG: KASAN: slab-out-of-bounds in tcf_exts_destroy+0x2a3/0x320 net/sched/cls_api.c:897 Read of size 4 at addr ffff888096b8eeb4 by task syz-executor514/6959 CPU: 0 PID: 6959 Comm: syz-executor514 Not tainted 4.14.150 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x138/0x197 lib/dump_stack.c:53 print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252 kasan_report_error mm/kasan/report.c:351 [inline] kasan_report mm/kasan/report.c:409 [inline] kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:429 tcf_exts_to_list include/net/pkt_cls.h:150 [inline] tcf_exts_destroy+0x2a3/0x320 net/sched/cls_api.c:897 tcindex_free_perfect_hash.isra.0+0x9f/0x120 net/sched/cls_tcindex.c:291 tcindex_set_parms+0xece/0x1aa0 net/sched/cls_tcindex.c:502 tcindex_change+0x1cf/0x28d net/sched/cls_tcindex.c:535 tc_ctl_tfilter+0xff1/0x1aba net/sched/cls_api.c:738 rtnetlink_rcv_msg+0x3eb/0xb70 net/core/rtnetlink.c:4285 netlink_rcv_skb+0x14f/0x3c0 net/netlink/af_netlink.c:2432 rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:4297 netlink_unicast_kernel net/netlink/af_netlink.c:1286 [inline] netlink_unicast+0x45d/0x640 net/netlink/af_netlink.c:1312 netlink_sendmsg+0x7c4/0xc60 net/netlink/af_netlink.c:1877 sock_sendmsg_nosec net/socket.c:646 [inline] sock_sendmsg+0xce/0x110 net/socket.c:656 ___sys_sendmsg+0x349/0x840 net/socket.c:2062 __sys_sendmmsg+0x152/0x3a0 net/socket.c:2152 SYSC_sendmmsg net/socket.c:2183 [inline] SyS_sendmmsg+0x35/0x60 net/socket.c:2178 do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x42/0xb7 RIP: 0033:0x443299 RSP: 002b:00007ffde338f1e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000443299 RDX: 0000000000000332 RSI: 0000000020000140 RDI: 0000000000000008 RBP: 000000000000000c R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0030766461746162 R13: 00000000004041f0 R14: 0000000000000000 R15: 0000000000000000 Allocated by task 6959: save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59 save_stack+0x45/0xd0 mm/kasan/kasan.c:447 set_track mm/kasan/kasan.c:459 [inline] kasan_kmalloc mm/kasan/kasan.c:551 [inline] kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:529 __do_kmalloc mm/slab.c:3720 [inline] __kmalloc+0x15d/0x7a0 mm/slab.c:3729 kmalloc_array include/linux/slab.h:607 [inline] kcalloc include/linux/slab.h:618 [inline] tcindex_alloc_perfect_hash+0x54/0x300 net/sched/cls_tcindex.c:299 tcindex_set_parms+0x3de/0x1aa0 net/sched/cls_tcindex.c:357 tcindex_change+0x1cf/0x28d net/sched/cls_tcindex.c:535 tc_ctl_tfilter+0xff1/0x1aba net/sched/cls_api.c:738 rtnetlink_rcv_msg+0x3eb/0xb70 net/core/rtnetlink.c:4285 netlink_rcv_skb+0x14f/0x3c0 net/netlink/af_netlink.c:2432 rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:4297 netlink_unicast_kernel net/netlink/af_netlink.c:1286 [inline] netlink_unicast+0x45d/0x640 net/netlink/af_netlink.c:1312 netlink_sendmsg+0x7c4/0xc60 net/netlink/af_netlink.c:1877 sock_sendmsg_nosec net/socket.c:646 [inline] sock_sendmsg+0xce/0x110 net/socket.c:656 ___sys_sendmsg+0x349/0x840 net/socket.c:2062 __sys_sendmmsg+0x152/0x3a0 net/socket.c:2152 SYSC_sendmmsg net/socket.c:2183 [inline] SyS_sendmmsg+0x35/0x60 net/socket.c:2178 do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x42/0xb7 Freed by task 0: (stack is not available) The buggy address belongs to the object at ffff888096b8ee40 which belongs to the cache kmalloc-128 of size 128 The buggy address is located 116 bytes inside of 128-byte region [ffff888096b8ee40, ffff888096b8eec0) The buggy address belongs to the page: page:ffffea00025ae380 count:1 mapcount:0 mapping:ffff888096b8e000 index:0x0 flags: 0x1fffc0000000100(slab) raw: 01fffc0000000100 ffff888096b8e000 0000000000000000 0000000100000015 raw: ffffea0001ffa9e0 ffff8880aa801548 ffff8880aa800640 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888096b8ed80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888096b8ee00: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00 >ffff888096b8ee80: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc ^ ffff888096b8ef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888096b8ef80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ================================================================== protocol 88fb is buggy, dev hsr_slave_0 protocol 88fb is buggy, dev hsr_slave_1
| Manager | Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ci2-linux-4-14 | 2019/10/21 06:22 | linux-4.14.y | b98aebd29824 | 8c88c9c1 | .config | console log | report | syz | C |