syzbot


KASAN: invalid-access Write in tcp_init_congestion_control

Status: auto-closed as invalid on 2021/08/20 02:01
Subsystems: net
First crash: 1081d, last: 1069d

Sample crash report:
==================================================================
BUG: KASAN: invalid-access in tcp_init_congestion_control+0x14/0xfc net/ipv4/tcp_cong.c:178
Write at addr f7ff0000285e880c by task syz-executor.0/8482
Pointer tag: [f7], memory tag: [fe]

CPU: 1 PID: 8482 Comm: syz-executor.0 Not tainted 5.13.0-rc2-syzkaller-00191-g79a106fc6585 #0
Hardware name: linux,dummy-virt (DT)
Call trace:
 dump_backtrace+0x0/0x1b0 arch/arm64/kernel/stacktrace.c:138
 show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:217
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0xd0/0x12c lib/dump_stack.c:120
 print_address_description+0x70/0x2ac mm/kasan/report.c:233
 __kasan_report mm/kasan/report.c:419 [inline]
 kasan_report+0x134/0x380 mm/kasan/report.c:436
 report_tag_fault arch/arm64/mm/fault.c:324 [inline]
 do_tag_recovery arch/arm64/mm/fault.c:336 [inline]
 __do_kernel_fault+0x1a8/0x1dc arch/arm64/mm/fault.c:378
 do_bad_area arch/arm64/mm/fault.c:474 [inline]
 do_tag_check_fault+0x74/0x90 arch/arm64/mm/fault.c:745
 do_mem_abort+0x44/0xb4 arch/arm64/mm/fault.c:821
 el1_abort+0x40/0x60 arch/arm64/kernel/entry-common.c:171
 el1_sync_handler+0xac/0xd0 arch/arm64/kernel/entry-common.c:255
 el1_sync+0x78/0x100 arch/arm64/kernel/entry.S:710
 tcp_init_congestion_control+0x14/0xfc net/ipv4/tcp_cong.c:178
 tcp_reinit_congestion_control net/ipv4/tcp_cong.c:207 [inline]
 tcp_set_congestion_control+0x23c/0x270 net/ipv4/tcp_cong.c:381
 mptcp_setsockopt_sol_tcp_congestion net/mptcp/sockopt.c:550 [inline]
 mptcp_setsockopt_sol_tcp net/mptcp/sockopt.c:563 [inline]
 mptcp_setsockopt+0x3ac/0x770 net/mptcp/sockopt.c:599
 sock_common_setsockopt+0x1c/0x30 net/core/sock.c:3257
 __sys_setsockopt+0xa0/0x1a0 net/socket.c:2117
 __do_sys_setsockopt net/socket.c:2128 [inline]
 __se_sys_setsockopt net/socket.c:2125 [inline]
 __arm64_sys_setsockopt+0x2c/0x40 net/socket.c:2125
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x48/0x114 arch/arm64/kernel/syscall.c:52
 el0_svc_common.constprop.0+0x44/0xcc arch/arm64/kernel/syscall.c:145
 do_el0_svc+0x70/0x90 arch/arm64/kernel/syscall.c:184
 el0_svc+0x2c/0x54 arch/arm64/kernel/entry-common.c:408
 el0_sync_handler+0x1a4/0x1b0 arch/arm64/kernel/entry-common.c:424
 el0_sync+0x1b4/0x1c0 arch/arm64/kernel/entry.S:734

Allocated by task 0:
(stack is not available)

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff0000285e8800
 which belongs to the cache MPTCPv6 of size 1992
The buggy address is located 12 bytes inside of
 1992-byte region [ffff0000285e8800, ffff0000285e8fc8)
The buggy address belongs to the page:
page:00000000a47c1be4 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x685e8
head:00000000a47c1be4 order:3 compound_mapcount:0 compound_pincount:0
memcg:fbff0000062dfb01
flags: 0x1ffc00000010200(slab|head|node=0|zone=0|lastcpupid=0x7ff|kasantag=0x0)
raw: 01ffc00000010200 dead000000000100 dead000000000122 faff000005616a00
raw: 0000000000000000 0000000080100010 00000001ffffffff fbff0000062dfb01
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000285e8600: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
 ffff0000285e8700: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 fe fe fe
>ffff0000285e8800: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
                   ^
 ffff0000285e8900: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
 ffff0000285e8a00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
==================================================================

Crashes (7):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2021/05/22 01:58 upstream 79a106fc6585 3c7fef33 .config console log report info ci-qemu2-arm64-mte KASAN: invalid-access Write in tcp_init_congestion_control
2021/05/20 15:57 upstream c3d0e3fd41b7 c560a65d .config console log report info ci-qemu2-arm64-mte KASAN: invalid-access Write in tcp_init_congestion_control
2021/05/18 10:04 upstream 8ac91e6c6033 a343ba6b .config console log report info ci-qemu2-arm64-mte KASAN: invalid-access Write in tcp_init_congestion_control
2021/05/17 19:36 upstream d07f6ca923ea a2eb125d .config console log report info ci-qemu2-arm64-mte KASAN: invalid-access Write in tcp_init_congestion_control
2021/05/15 18:21 upstream 25a1298726e9 93f844de .config console log report info ci-qemu2-arm64-mte KASAN: invalid-access Write in tcp_init_congestion_control
2021/05/14 12:24 upstream 315d99318179 8bdd5343 .config console log report info ci-qemu2-arm64-mte KASAN: invalid-access Write in tcp_init_congestion_control
2021/05/09 15:13 upstream b741596468b0 bc5434be .config console log report info ci-qemu2-arm64-mte KASAN: invalid-access Write in tcp_init_congestion_control