syzbot |
sign-in | mailing list | source | docs |
| 🐞 Open [983] ≡ Subsystems 🐞 Fixed [4543] 🐞 Invalid [10476] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes | 💬 Send us feedback |
| Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|
| upstream | KASAN: use-after-free Read in tcp_sk_exit | 7 | 1441d | 1573d | 0/24 | auto-closed as invalid on 2019/10/25 08:37 | |||
| android-5-10 | general protection fault in tcp_sk_exit | 1 | 415d | 415d | 0/2 | auto-closed as invalid on 2022/07/07 14:15 | |||
| android-5-10 | general protection fault in tcp_sk_exit (2) | 1 | 316d | 316d | 0/2 | auto-obsoleted due to no activity on 2022/10/15 01:07 |
================================================================== BUG: KASAN: use-after-free in inet_ctl_sock_destroy include/net/inet_common.h:65 [inline] BUG: KASAN: use-after-free in tcp_sk_exit+0x2a4/0x2e0 net/ipv4/tcp_ipv4.c:2868 Read of size 8 at addr ffff88807bbf29c0 by task kworker/u4:1/10 CPU: 0 PID: 10 Comm: kworker/u4:1 Not tainted 5.14.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: netns cleanup_net Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:105 print_address_description.constprop.0.cold+0x6c/0x309 mm/kasan/report.c:233 __kasan_report mm/kasan/report.c:419 [inline] kasan_report.cold+0x83/0xdf mm/kasan/report.c:436 inet_ctl_sock_destroy include/net/inet_common.h:65 [inline] tcp_sk_exit+0x2a4/0x2e0 net/ipv4/tcp_ipv4.c:2868 ops_exit_list+0xb0/0x160 net/core/net_namespace.c:175 cleanup_net+0x4ea/0xb10 net/core/net_namespace.c:595 process_one_work+0x98d/0x1630 kernel/workqueue.c:2276 worker_thread+0x658/0x11f0 kernel/workqueue.c:2422 kthread+0x3e5/0x4d0 kernel/kthread.c:319 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 Allocated by task 26470: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:46 [inline] set_alloc_info mm/kasan/common.c:434 [inline] __kasan_slab_alloc+0x84/0xa0 mm/kasan/common.c:467 kasan_slab_alloc include/linux/kasan.h:254 [inline] slab_post_alloc_hook mm/slab.h:519 [inline] slab_alloc_node mm/slub.c:2956 [inline] slab_alloc mm/slub.c:2964 [inline] kmem_cache_alloc+0x285/0x4a0 mm/slub.c:2969 sk_prot_alloc+0x5f/0x290 net/core/sock.c:1802 sk_alloc+0x32/0xbc0 net/core/sock.c:1861 inet_create net/ipv4/af_inet.c:322 [inline] inet_create+0x395/0xea0 net/ipv4/af_inet.c:248 __sock_create+0x353/0x790 net/socket.c:1450 inet_ctl_sock_create+0x88/0x1d0 net/ipv4/af_inet.c:1654 icmp_sk_init net/ipv4/icmp.c:1460 [inline] icmp_sk_init+0xfd/0x500 net/ipv4/icmp.c:1449 ops_init+0xaf/0x470 net/core/net_namespace.c:140 setup_net+0x40f/0xa30 net/core/net_namespace.c:333 copy_net_ns+0x319/0x760 net/core/net_namespace.c:474 create_new_namespaces+0x3f6/0xb20 kernel/nsproxy.c:110 copy_namespaces+0x391/0x450 kernel/nsproxy.c:178 copy_process+0x2cfc/0x74d0 kernel/fork.c:2122 kernel_clone+0xe7/0xac0 kernel/fork.c:2509 __do_sys_clone+0xc8/0x110 kernel/fork.c:2626 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae Freed by task 10: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_set_track+0x1c/0x30 mm/kasan/common.c:46 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:360 ____kasan_slab_free mm/kasan/common.c:366 [inline] ____kasan_slab_free mm/kasan/common.c:328 [inline] __kasan_slab_free+0xfb/0x130 mm/kasan/common.c:374 kasan_slab_free include/linux/kasan.h:230 [inline] slab_free_hook mm/slub.c:1625 [inline] slab_free_freelist_hook+0xdf/0x240 mm/slub.c:1650 slab_free mm/slub.c:3210 [inline] kmem_cache_free+0x8e/0x5a0 mm/slub.c:3226 sk_prot_free net/core/sock.c:1842 [inline] __sk_destruct+0x5a2/0x900 net/core/sock.c:1929 sk_destruct+0xbd/0xe0 net/core/sock.c:1944 __sk_free+0xef/0x3d0 net/core/sock.c:1955 sk_free net/core/sock.c:1966 [inline] sock_put include/net/sock.h:1816 [inline] sk_common_release+0x292/0x390 net/core/sock.c:3399 inet_release+0x12e/0x280 net/ipv4/af_inet.c:431 __sock_release net/socket.c:648 [inline] sock_release+0x87/0x1b0 net/socket.c:676 inet_ctl_sock_destroy include/net/inet_common.h:65 [inline] icmp_sk_exit+0x14c/0x280 net/ipv4/icmp.c:1444 ops_exit_list+0xb0/0x160 net/core/net_namespace.c:175 cleanup_net+0x4ea/0xb10 net/core/net_namespace.c:595 process_one_work+0x98d/0x1630 kernel/workqueue.c:2276 worker_thread+0x658/0x11f0 kernel/workqueue.c:2422 kthread+0x3e5/0x4d0 kernel/kthread.c:319 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 The buggy address belongs to the object at ffff88807bbf2580 which belongs to the cache RAW of size 1432 The buggy address is located 1088 bytes inside of 1432-byte region [ffff88807bbf2580, ffff88807bbf2b18) The buggy address belongs to the page: page:ffffea0001eefc00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7bbf0 head:ffffea0001eefc00 order:3 compound_mapcount:0 compound_pincount:0 flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000010200 ffffea00013df000 0000000200000002 ffff888018f16780 raw: 0000000000000000 0000000000140014 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 26225, ts 358625456759, free_ts 0 prep_new_page mm/page_alloc.c:2433 [inline] get_page_from_freelist+0xa72/0x2f80 mm/page_alloc.c:4166 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5388 alloc_pages+0x18c/0x2a0 mm/mempolicy.c:2244 alloc_slab_page mm/slub.c:1688 [inline] allocate_slab+0x32e/0x4b0 mm/slub.c:1828 new_slab mm/slub.c:1891 [inline] new_slab_objects mm/slub.c:2637 [inline] ___slab_alloc+0x4ba/0x820 mm/slub.c:2800 __slab_alloc.constprop.0+0xa7/0xf0 mm/slub.c:2840 slab_alloc_node mm/slub.c:2922 [inline] slab_alloc mm/slub.c:2964 [inline] kmem_cache_alloc+0x3e1/0x4a0 mm/slub.c:2969 sk_prot_alloc+0x5f/0x290 net/core/sock.c:1802 sk_alloc+0x32/0xbc0 net/core/sock.c:1861 inet_create net/ipv4/af_inet.c:322 [inline] inet_create+0x395/0xea0 net/ipv4/af_inet.c:248 __sock_create+0x353/0x790 net/socket.c:1450 inet_ctl_sock_create+0x88/0x1d0 net/ipv4/af_inet.c:1654 tcp_sk_init net/ipv4/tcp_ipv4.c:2883 [inline] tcp_sk_init+0x102/0x1370 net/ipv4/tcp_ipv4.c:2872 ops_init+0xaf/0x470 net/core/net_namespace.c:140 setup_net+0x40f/0xa30 net/core/net_namespace.c:333 copy_net_ns+0x319/0x760 net/core/net_namespace.c:474 page_owner free stack trace missing Memory state around the buggy address: ffff88807bbf2880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88807bbf2900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff88807bbf2980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88807bbf2a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88807bbf2a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2021/07/20 11:08 | upstream | 2734d6c1b1a0 | bc48c9ab | .config | console log | report | syz | ci-upstream-kasan-gce-root | KASAN: use-after-free Read in tcp_sk_exit | |||
| 2021/08/04 12:17 | upstream | d5ad8ec3cfb5 | 6c236867 | .config | console log | report | info | ci-upstream-kasan-gce | KASAN: use-after-free Read in tcp_sk_exit | |||
| 2021/10/29 03:27 | net-next-old | f2edaa4ad5d5 | be531bb4 | .config | console log | report | info | ci-upstream-net-kasan-gce | KASAN: use-after-free Read in tcp_sk_exit | |||
| 2021/10/21 15:55 | net-next-old | dfcb63ce1de6 | c5cb7da8 | .config | console log | report | info | ci-upstream-net-kasan-gce | KASAN: use-after-free Read in tcp_sk_exit | |||
| 2021/09/06 07:10 | net-next-old | 29ce8f970107 | d236a457 | .config | console log | report | info | ci-upstream-net-kasan-gce | KASAN: use-after-free Read in tcp_sk_exit | |||
| 2021/07/04 10:25 | net-next-old | 5e437416ff66 | 55aa55c2 | .config | console log | report | info | ci-upstream-net-kasan-gce | KASAN: use-after-free Read in tcp_sk_exit |