syzbot |
sign-in | mailing list | source | docs |
| 🐞 Open [1028] ≡ Subsystems 🐞 Fixed [5251] 🐞 Invalid [12569] ⬇ Missing Backports [86] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes | 💬 Send us feedback |
| Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|
| upstream | KASAN: slab-out-of-bounds Read in do_csum net | C | 160 | 209d | 250d | 23/26 | fixed on 2023/10/12 12:48 | ||
| upstream | BUG: unable to handle kernel paging request in do_csum (3) kernel | C | error | error | 31 | 987d | 1244d | 0/26 | closed as invalid on 2022/01/07 18:56 |
| upstream | KASAN: use-after-free Read in do_csum net | C | 72 | 333d | 499d | 22/26 | fixed on 2023/06/08 14:41 |
================================================================== BUG: KASAN: slab-use-after-free in do_csum+0x11c/0x18c arch/arm64/lib/csum.c:66 Read at addr fcff0000343da240 by task syz-executor.0/7145 Pointer tag: [fc], memory tag: [f8] CPU: 1 PID: 7145 Comm: syz-executor.0 Not tainted 6.6.0-rc5-syzkaller-00243-g727fb8376504 #0 Hardware name: linux,dummy-virt (DT) Call trace: dump_backtrace+0x94/0xec arch/arm64/kernel/stacktrace.c:233 show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:240 __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x48/0x60 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:364 [inline] print_report+0x108/0x618 mm/kasan/report.c:475 kasan_report+0x88/0xac mm/kasan/report.c:588 report_tag_fault arch/arm64/mm/fault.c:334 [inline] do_tag_recovery arch/arm64/mm/fault.c:346 [inline] __do_kernel_fault+0x17c/0x1e8 arch/arm64/mm/fault.c:393 do_bad_area arch/arm64/mm/fault.c:493 [inline] do_tag_check_fault+0x78/0x8c arch/arm64/mm/fault.c:770 do_mem_abort+0x44/0x94 arch/arm64/mm/fault.c:846 el1_abort+0x40/0x60 arch/arm64/kernel/entry-common.c:398 el1h_64_sync_handler+0xd8/0xe4 arch/arm64/kernel/entry-common.c:458 el1h_64_sync+0x64/0x68 arch/arm64/kernel/entry.S:590 do_csum+0x11c/0x18c arch/arm64/lib/csum.c:66 gso_make_checksum include/net/gso.h:74 [inline] __skb_udp_tunnel_segment net/ipv4/udp_offload.c:140 [inline] skb_udp_tunnel_segment+0x34c/0x5a8 net/ipv4/udp_offload.c:182 udp6_ufo_fragment+0x25c/0x2e0 net/ipv6/udp_offload.c:35 ipv6_gso_segment+0x120/0x55c net/ipv6/ip6_offload.c:120 skb_mac_gso_segment+0xb8/0x178 net/core/gso.c:53 __skb_gso_segment+0x64/0x14c net/core/gso.c:124 skb_gso_segment include/net/gso.h:83 [inline] ip6_finish_output_gso_slowpath_drop net/ipv6/ip6_output.c:153 [inline] __ip6_finish_output net/ipv6/ip6_output.c:189 [inline] ip6_finish_output+0x2d8/0x354 net/ipv6/ip6_output.c:207 NF_HOOK_COND include/linux/netfilter.h:293 [inline] ip6_output+0x74/0x1cc net/ipv6/ip6_output.c:228 dst_output include/net/dst.h:458 [inline] ip6_local_out+0x48/0x5c net/ipv6/output_core.c:155 ip6tunnel_xmit include/net/ip6_tunnel.h:161 [inline] udp_tunnel6_xmit_skb+0x16c/0x350 net/ipv6/ip6_udp_tunnel.c:109 geneve6_xmit_skb drivers/net/geneve.c:1071 [inline] geneve_xmit+0x7f8/0xf3c drivers/net/geneve.c:1100 __netdev_start_xmit include/linux/netdevice.h:4889 [inline] netdev_start_xmit include/linux/netdevice.h:4903 [inline] xmit_one net/core/dev.c:3548 [inline] dev_hard_start_xmit+0x8c/0x10c net/core/dev.c:3564 __dev_queue_xmit+0x1c0/0xe48 net/core/dev.c:4344 dev_queue_xmit include/linux/netdevice.h:3082 [inline] packet_xmit+0xcc/0x144 net/packet/af_packet.c:276 packet_snd net/packet/af_packet.c:3087 [inline] packet_sendmsg+0x828/0x1530 net/packet/af_packet.c:3119 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x54/0x60 net/socket.c:745 __sys_sendto+0x10c/0x164 net/socket.c:2194 __do_sys_sendto net/socket.c:2206 [inline] __se_sys_sendto net/socket.c:2202 [inline] __arm64_sys_sendto+0x28/0x38 net/socket.c:2202 __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline] invoke_syscall+0x48/0x114 arch/arm64/kernel/syscall.c:51 el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:136 do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:155 el0_svc+0x40/0x114 arch/arm64/kernel/entry-common.c:678 el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:696 el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:595 Allocated by task 3090: kasan_save_stack+0x3c/0x64 mm/kasan/common.c:45 save_stack_info+0x38/0x118 mm/kasan/tags.c:104 kasan_save_alloc_info+0x14/0x20 mm/kasan/tags.c:138 __kasan_slab_alloc+0x94/0xcc mm/kasan/common.c:328 kasan_slab_alloc include/linux/kasan.h:188 [inline] slab_post_alloc_hook mm/slab.h:762 [inline] slab_alloc_node mm/slub.c:3478 [inline] kmem_cache_alloc_node+0x150/0x2b8 mm/slub.c:3523 kmalloc_reserve+0xc4/0x128 net/core/skbuff.c:559 __alloc_skb+0x8c/0x19c net/core/skbuff.c:650 alloc_skb_fclone include/linux/skbuff.h:1336 [inline] tcp_stream_alloc_skb+0x2c/0x140 net/ipv4/tcp.c:869 tcp_sendmsg_locked+0x428/0xbe4 net/ipv4/tcp.c:1150 tcp_sendmsg+0x38/0x60 net/ipv4/tcp.c:1336 inet_sendmsg+0x44/0x70 net/ipv4/af_inet.c:840 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x54/0x60 net/socket.c:745 sock_write_iter+0x98/0xf8 net/socket.c:1158 call_write_iter include/linux/fs.h:1956 [inline] new_sync_write fs/read_write.c:491 [inline] vfs_write+0x298/0x300 fs/read_write.c:584 ksys_write+0xe8/0x104 fs/read_write.c:637 __do_sys_write fs/read_write.c:649 [inline] __se_sys_write fs/read_write.c:646 [inline] __arm64_sys_write+0x1c/0x28 fs/read_write.c:646 __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline] invoke_syscall+0x48/0x114 arch/arm64/kernel/syscall.c:51 el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:136 do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:155 el0_svc+0x40/0x114 arch/arm64/kernel/entry-common.c:678 el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:696 el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:595 Freed by task 3106: kasan_save_stack+0x3c/0x64 mm/kasan/common.c:45 save_stack_info+0x38/0x118 mm/kasan/tags.c:104 kasan_save_free_info+0x18/0x24 mm/kasan/tags.c:143 ____kasan_slab_free.constprop.0+0x180/0x1c8 mm/kasan/common.c:236 __kasan_slab_free+0x10/0x1c mm/kasan/common.c:244 kasan_slab_free include/linux/kasan.h:164 [inline] slab_free_hook mm/slub.c:1800 [inline] slab_free_freelist_hook+0xac/0x1c4 mm/slub.c:1826 slab_free mm/slub.c:3809 [inline] kmem_cache_free+0x18c/0x314 mm/slub.c:3831 skb_kfree_head net/core/skbuff.c:943 [inline] skb_kfree_head net/core/skbuff.c:940 [inline] skb_free_head+0xa4/0xb4 net/core/skbuff.c:957 skb_release_data+0x154/0x1f8 net/core/skbuff.c:987 skb_release_all net/core/skbuff.c:1053 [inline] __kfree_skb+0x30/0x48 net/core/skbuff.c:1067 tcp_wmem_free_skb include/net/tcp.h:300 [inline] tcp_rtx_queue_unlink_and_free include/net/tcp.h:1975 [inline] tcp_clean_rtx_queue net/ipv4/tcp_input.c:3351 [inline] tcp_ack+0x710/0x1280 net/ipv4/tcp_input.c:3907 tcp_rcv_established+0x348/0x750 net/ipv4/tcp_input.c:5962 tcp_v4_do_rcv+0x1dc/0x300 net/ipv4/tcp_ipv4.c:1728 tcp_v4_rcv+0xbc8/0xc38 net/ipv4/tcp_ipv4.c:2150 ip_protocol_deliver_rcu+0x38/0x1d4 net/ipv4/ip_input.c:205 ip_local_deliver_finish+0x7c/0xe8 net/ipv4/ip_input.c:233 NF_HOOK include/linux/netfilter.h:304 [inline] NF_HOOK include/linux/netfilter.h:298 [inline] ip_local_deliver+0x118/0x124 net/ipv4/ip_input.c:254 dst_input include/net/dst.h:468 [inline] ip_sublist_rcv_finish+0x68/0x8c net/ipv4/ip_input.c:580 ip_list_rcv_finish net/ipv4/ip_input.c:631 [inline] ip_sublist_rcv+0x190/0x21c net/ipv4/ip_input.c:639 ip_list_rcv+0x128/0x1c8 net/ipv4/ip_input.c:674 __netif_receive_skb_list_ptype net/core/dev.c:5570 [inline] __netif_receive_skb_list_core+0x14c/0x264 net/core/dev.c:5618 __netif_receive_skb_list net/core/dev.c:5670 [inline] netif_receive_skb_list_internal+0x208/0x310 net/core/dev.c:5761 gro_normal_list include/net/gro.h:439 [inline] gro_normal_list include/net/gro.h:435 [inline] napi_complete_done+0x68/0x1c0 net/core/dev.c:6101 virtqueue_napi_complete drivers/net/virtio_net.c:440 [inline] virtnet_poll+0x358/0x554 drivers/net/virtio_net.c:2155 __napi_poll+0x38/0x18c net/core/dev.c:6531 napi_poll net/core/dev.c:6598 [inline] net_rx_action+0x30c/0x384 net/core/dev.c:6731 __do_softirq+0x10c/0x284 kernel/softirq.c:553 The buggy address belongs to the object at ffff0000343da240 which belongs to the cache skbuff_small_head of size 576 The buggy address is located 0 bytes inside of 576-byte region [ffff0000343da240, ffff0000343da480) The buggy address belongs to the physical page: page:00000000b0a98dd0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x743da head:00000000b0a98dd0 order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0 ksm flags: 0x1ffc00000000840(slab|head|node=0|zone=0|lastcpupid=0x7ff|kasantag=0x0) page_type: 0xffffffff() raw: 01ffc00000000840 f4ff000002c3bd00 fffffc0000f6e500 0000000000000003 raw: 0000000000000000 00000000000e000e 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff0000343da000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff0000343da100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff0000343da200: fc fc fc fc f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ^ ffff0000343da300: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ffff0000343da400: f8 f8 f8 f8 f8 f8 f8 f8 f0 f0 f0 f0 f0 f0 f0 f0 ==================================================================
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2023/10/15 00:07 | upstream | 727fb8376504 | f757a323 | .config | console log | report | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu2-arm64-mte | KASAN: slab-use-after-free Read in do_csum |