syzbot


KASAN: use-after-free Write in __internal_add_timer

Status: upstream: reported C repro on 2020/07/04 17:00
Reported-by: syzbot+808b558a11df12fd2957@syzkaller.appspotmail.com
First crash: 1384d, last: 443d
Similar bugs (4)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Write in __internal_add_timer net C 36071 2371d 2360d 0/26 closed as invalid on 2017/11/01 19:41
android-54 KASAN: slab-out-of-bounds Write in __internal_add_timer (2) 4 986d 1161d 0/2 auto-closed as invalid on 2021/12/05 06:45
android-54 KASAN: slab-out-of-bounds Write in __internal_add_timer 4 1299d 1373d 0/2 auto-closed as invalid on 2021/01/26 06:16
upstream KASAN: slab-out-of-bounds Write in __internal_add_timer 4 2405d 2360d 0/26 closed as invalid on 2017/11/05 08:51
Last patch testing requests (10)
Created Duration User Patch Repo Result
2024/02/15 22:57 7m retest repro android12-5.4 report log
2024/02/15 22:12 32m retest repro android12-5.4 report log
2023/12/07 22:26 20m retest repro android12-5.4 report log
2023/12/07 21:40 14m retest repro android12-5.4 report log
2023/09/28 22:03 13m retest repro android12-5.4 report log
2023/09/28 21:28 11m retest repro android12-5.4 report log
2023/07/20 21:13 22m retest repro android12-5.4 report log
2023/07/20 21:13 13m retest repro android12-5.4 report log
2023/05/11 20:54 13m retest repro android12-5.4 report log
2023/05/11 20:17 15m retest repro android12-5.4 report log

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in hlist_add_head include/linux/list.h:796 [inline]
BUG: KASAN: use-after-free in enqueue_timer kernel/time/timer.c:541 [inline]
BUG: KASAN: use-after-free in __internal_add_timer+0x2a6/0x4a0 kernel/time/timer.c:554
Write of size 8 at addr ffff8881e88d71c8 by task syz-executor683/9667

CPU: 1 PID: 9667 Comm: syz-executor683 Not tainted 5.4.197-syzkaller-00015-gf0306959ab7c #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x18e/0x1d5 lib/dump_stack.c:118
 print_address_description+0x8c/0x630 mm/kasan/report.c:384
 __kasan_report+0xf6/0x130 mm/kasan/report.c:516
 kasan_report+0x30/0x60 mm/kasan/common.c:653
 hlist_add_head include/linux/list.h:796 [inline]
 enqueue_timer kernel/time/timer.c:541 [inline]
 __internal_add_timer+0x2a6/0x4a0 kernel/time/timer.c:554
 internal_add_timer kernel/time/timer.c:604 [inline]
 __mod_timer+0x9ce/0x1a40 kernel/time/timer.c:1065
 tun_set_iff+0x8ca/0x1050 drivers/net/tun.c:2854
 __tun_chr_ioctl+0x6c7/0x1b70 drivers/net/tun.c:3149
 do_vfs_ioctl+0x6d1/0x15b0 fs/ioctl.c:47
 ksys_ioctl fs/ioctl.c:742 [inline]
 __do_sys_ioctl fs/ioctl.c:749 [inline]
 __se_sys_ioctl fs/ioctl.c:747 [inline]
 __x64_sys_ioctl+0xd4/0x110 fs/ioctl.c:747
 do_syscall_64+0xcb/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f14585329b9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f14584e4318 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f14585ba3e8 RCX: 00007f14585329b9
RDX: 0000000020000040 RSI: 00000000400454ca RDI: 0000000000000003
RBP: 00007f14585ba3e0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 74656e2f7665642f
R13: 00007ffe391a6e8f R14: 00007f14584e4400 R15: 0000000000022000

The buggy address belongs to the page:
page:ffffea0007a235c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x8000000000000000()
raw: 8000000000000000 0000000000000000 ffffea0007a235c8 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x46dc0(GFP_KERNEL|__GFP_NOWARN|__GFP_RETRY_MAYFAIL|__GFP_COMP|__GFP_ZERO)
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook mm/page_alloc.c:2165 [inline]
 prep_new_page+0x194/0x380 mm/page_alloc.c:2171
 get_page_from_freelist+0x524/0x560 mm/page_alloc.c:3794
 __alloc_pages_nodemask+0x2ab/0x6f0 mm/page_alloc.c:4857
 __alloc_pages include/linux/gfp.h:503 [inline]
 __alloc_pages_node include/linux/gfp.h:516 [inline]
 alloc_pages_node include/linux/gfp.h:530 [inline]
 kmalloc_order mm/slab_common.c:1342 [inline]
 kmalloc_order_trace+0x2a/0xf0 mm/slab_common.c:1358
 __kmalloc_node include/linux/slab.h:422 [inline]
 kmalloc_node include/linux/slab.h:599 [inline]
 kvmalloc_node+0x7e/0xf0 mm/util.c:564
 kvmalloc include/linux/mm.h:758 [inline]
 kvzalloc include/linux/mm.h:766 [inline]
 alloc_netdev_mqs+0x86/0xc30 net/core/dev.c:9597
 tun_set_iff+0x4f9/0x1050 drivers/net/tun.c:2814
 __tun_chr_ioctl+0x6c7/0x1b70 drivers/net/tun.c:3149
 do_vfs_ioctl+0x6d1/0x15b0 fs/ioctl.c:47
 ksys_ioctl fs/ioctl.c:742 [inline]
 __do_sys_ioctl fs/ioctl.c:749 [inline]
 __se_sys_ioctl fs/ioctl.c:747 [inline]
 __x64_sys_ioctl+0xd4/0x110 fs/ioctl.c:747
 do_syscall_64+0xcb/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1176 [inline]
 __free_pages_ok+0x7ee/0x920 mm/page_alloc.c:1438
 free_the_page mm/page_alloc.c:4919 [inline]
 __free_pages+0x45/0x1e0 mm/page_alloc.c:4925
 kfree+0x1ef/0x260 mm/slub.c:4068
 device_release+0x70/0x1a0 drivers/base/core.c:1776
 kobject_cleanup lib/kobject.c:708 [inline]
 kobject_release+0x1f3/0x3d0 lib/kobject.c:739
 tun_set_iff+0xc0b/0x1050 drivers/net/tun.c:2906
 __tun_chr_ioctl+0x6c7/0x1b70 drivers/net/tun.c:3149
 do_vfs_ioctl+0x6d1/0x15b0 fs/ioctl.c:47
 ksys_ioctl fs/ioctl.c:742 [inline]
 __do_sys_ioctl fs/ioctl.c:749 [inline]
 __se_sys_ioctl fs/ioctl.c:747 [inline]
 __x64_sys_ioctl+0xd4/0x110 fs/ioctl.c:747
 do_syscall_64+0xcb/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Memory state around the buggy address:
 ffff8881e88d7080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881e88d7100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8881e88d7180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                              ^
 ffff8881e88d7200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881e88d7280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (155):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2022/09/03 23:36 android12-5.4 f0306959ab7c 28811d0a .config console log report syz C [disk image] [vmlinux] ci2-android-5-4-kasan KASAN: use-after-free Write in __internal_add_timer
2020/07/08 22:55 https://android.googlesource.com/kernel/common android-5.4 07da2129a868 9f9845eb .config console log report syz ci2-android-5-4-kasan
2023/01/28 21:53 android12-5.4 ac6c87b5296b 9dfcf09c .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in __internal_add_timer
2023/01/24 00:16 android12-5.4 57b9129d0863 9dfcf09c .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in __internal_add_timer
2023/01/22 18:38 android12-5.4 a0eae55f26a0 cc0f9968 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in __internal_add_timer
2023/01/15 18:03 android12-5.4 a0eae55f26a0 a63719e7 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in __internal_add_timer
2023/01/13 22:31 android12-5.4 a0eae55f26a0 529798b0 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in __internal_add_timer
2023/01/05 13:45 android12-5.4 a8aad8851131 1dac8c7a .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in __internal_add_timer
2023/01/04 15:19 android12-5.4 a8aad8851131 1dac8c7a .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in __internal_add_timer
2022/12/22 07:47 android12-5.4 a8aad8851131 4067838e .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in __internal_add_timer
2022/12/18 01:45 android12-5.4 a76dfbc99260 05494336 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in __internal_add_timer
2022/12/17 17:49 android12-5.4 a76dfbc99260 05494336 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in __internal_add_timer
2022/12/15 22:18 android12-5.4 a76dfbc99260 6f9c033e .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in __internal_add_timer
2022/12/15 07:34 android12-5.4 a76dfbc99260 b18f0a64 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in __internal_add_timer
2022/10/27 10:16 android12-5.4 035e4939365c 86777b7f .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in __internal_add_timer
2022/10/14 23:57 android12-5.4 ff63a5f5cdf6 67cb024c .config console log report info [disk image] [vmlinux] ci2-android-5-4-perf-kasan KASAN: use-after-free Write in __internal_add_timer
2022/10/03 03:33 android12-5.4 3ee2a37108c8 feb56351 .config console log report info ci2-android-5-4-perf-kasan KASAN: use-after-free Write in __internal_add_timer
2022/10/01 17:06 android12-5.4 3ee2a37108c8 feb56351 .config console log report info ci2-android-5-4-perf-kasan KASAN: use-after-free Write in __internal_add_timer
2022/09/23 00:03 android12-5.4 def19b1cf16c 0042f2b4 .config console log report info ci2-android-5-4-perf-kasan KASAN: use-after-free Write in __internal_add_timer
2022/09/13 09:13 android12-5.4 704c7d053806 a08652b0 .config console log report info ci2-android-5-4-perf-kasan KASAN: use-after-free Write in __internal_add_timer
2022/09/10 14:46 android12-5.4 704c7d053806 356d8217 .config console log report info ci2-android-5-4-perf-kasan KASAN: use-after-free Write in __internal_add_timer
2022/09/08 10:29 android12-5.4 704c7d053806 435aeef7 .config console log report info ci2-android-5-4-perf-kasan KASAN: use-after-free Write in __internal_add_timer
2022/09/06 15:56 android12-5.4 a5eb56fb2ab4 65aea2b9 .config console log report info ci2-android-5-4-perf-kasan KASAN: use-after-free Write in __internal_add_timer
2022/09/02 06:08 android12-5.4 f0306959ab7c a805568e .config console log report info ci2-android-5-4-perf-kasan KASAN: use-after-free Write in __internal_add_timer
2022/08/30 22:15 android12-5.4 f0306959ab7c 4a380809 .config console log report info ci2-android-5-4-perf-kasan KASAN: use-after-free Write in __internal_add_timer
2022/08/29 13:09 android12-5.4 f0306959ab7c 94da0b6b .config console log report info ci2-android-5-4-perf-kasan KASAN: use-after-free Write in __internal_add_timer
2022/08/23 17:27 android12-5.4 f3c75e616e3f cea8b0f7 .config console log report info ci2-android-5-4-perf-kasan KASAN: use-after-free Write in __internal_add_timer
2022/08/19 12:03 android12-5.4 c991311c3375 26a13b38 .config console log report info ci2-android-5-4-perf-kasan KASAN: use-after-free Write in __internal_add_timer
2022/08/18 23:16 android12-5.4 2bf0b614f0fb 26a13b38 .config console log report info ci2-android-5-4-perf-kasan KASAN: use-after-free Write in __internal_add_timer
2022/08/16 23:32 android12-5.4 2bf0b614f0fb 9e4b39c2 .config console log report info ci2-android-5-4-perf-kasan KASAN: use-after-free Write in __internal_add_timer
2022/08/14 16:01 android12-5.4 2bf0b614f0fb 8dfcaa3d .config console log report info ci2-android-5-4-perf-kasan KASAN: use-after-free Write in __internal_add_timer
2022/08/10 15:04 android12-5.4 c7a5efa26008 aaa9eaa0 .config console log report info ci2-android-5-4-perf-kasan KASAN: use-after-free Write in __internal_add_timer
2022/08/06 07:11 android12-5.4 19a66b6f3cd8 e853abd9 .config console log report info ci2-android-5-4-perf-kasan KASAN: use-after-free Write in __internal_add_timer
2022/08/06 03:17 android12-5.4 19a66b6f3cd8 e853abd9 .config console log report info ci2-android-5-4-perf-kasan KASAN: use-after-free Write in __internal_add_timer
2023/01/31 17:19 android12-5.4 1641d36fd98f b68fb8d6 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: slab-out-of-bounds Write in __internal_add_timer
2022/12/08 12:58 android12-5.4 d7e5d5321233 d88f3abb .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: slab-out-of-bounds Write in __internal_add_timer
2022/12/07 22:00 android12-5.4 d7e5d5321233 d88f3abb .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: out-of-bounds Write in __internal_add_timer
2022/12/05 04:55 android12-5.4 1c84384fbdc7 e080de16 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: slab-out-of-bounds Write in __internal_add_timer
2022/11/09 09:09 android12-5.4 5e295dcf7dcb 5fa28208 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: slab-out-of-bounds Write in __internal_add_timer
2022/11/01 15:50 android12-5.4 dd9d210aa955 a1d8560a .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: slab-out-of-bounds Write in __internal_add_timer
2022/10/28 06:07 android12-5.4 035e4939365c 5c716ff6 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-perf-kasan KASAN: slab-out-of-bounds Write in __internal_add_timer
2022/10/24 06:21 android12-5.4 8c70a830a157 23bf86af .config console log report info [disk image] [vmlinux] ci2-android-5-4-perf-kasan KASAN: slab-out-of-bounds Write in __internal_add_timer
2022/09/30 20:06 android12-5.4 3ee2a37108c8 feb56351 .config console log report info ci2-android-5-4-perf-kasan KASAN: slab-out-of-bounds Write in __internal_add_timer
2022/09/23 18:49 android12-5.4 def19b1cf16c 0042f2b4 .config console log report info ci2-android-5-4-perf-kasan KASAN: slab-out-of-bounds Write in __internal_add_timer
2022/09/04 00:56 android12-5.4 f0306959ab7c 28811d0a .config console log report info ci2-android-5-4-perf-kasan KASAN: slab-out-of-bounds Write in __internal_add_timer
2022/09/01 15:40 android12-5.4 f0306959ab7c 86c46e46 .config console log report info ci2-android-5-4-perf-kasan KASAN: slab-out-of-bounds Write in __internal_add_timer
2022/08/27 15:29 android12-5.4 f0306959ab7c 07177916 .config console log report info ci2-android-5-4-perf-kasan KASAN: slab-out-of-bounds Write in __internal_add_timer
2022/08/23 05:25 android12-5.4 f3c75e616e3f 26a13b38 .config console log report info ci2-android-5-4-perf-kasan KASAN: out-of-bounds Write in __internal_add_timer
2022/08/16 06:09 android12-5.4 2bf0b614f0fb 7a7cb304 .config console log report info ci2-android-5-4-perf-kasan KASAN: slab-out-of-bounds Write in __internal_add_timer
2022/08/06 14:43 android12-5.4 19a66b6f3cd8 88e3a122 .config console log report info ci2-android-5-4-perf-kasan KASAN: slab-out-of-bounds Write in __internal_add_timer
2022/03/07 01:44 android12-5.4 8a3679a75730 7bdd8b2c .config console log report info ci2-android-5-4-kasan KASAN: slab-out-of-bounds Write in __internal_add_timer
2021/01/03 08:18 android12-5.4 e627b02af655 79264ae3 .config console log report info ci2-android-5-4-kasan
2020/07/04 16:59 https://android.googlesource.com/kernel/common android-5.4 45217b91eaaa 4f739670 .config console log report ci2-android-5-4-kasan
* Struck through repros no longer work on HEAD.