KASAN: slab-use-after-free Write in collect_expired

Title	Replies (including bot)	Last reply
[syzbot] Monthly fat report (Jul 2023)	3 (4)	2023/07/14 23:29
[syzbot] [reiserfs?] [fat?] [acpi?] KASAN: slab-use-after-free Write in collect_expired_timers	0 (1)	2023/06/22 17:39

Title

Replies (including bot)

Last reply

[syzbot] Monthly fat report (Jul 2023)

3 (4)

2023/07/14 23:29

[syzbot] [reiserfs?] [fat?] [acpi?] KASAN: slab-use-after-free Write in collect_expired_timers

0 (1)

2023/06/22 17:39

Kernel	Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
upstream	KASAN: use-after-free Write in collect_expired_timers arm				1	529d	524d	0/26	closed as dup on 2022/11/24 06:31

upstream

KASAN: use-after-free Write in collect_expired_timers arm

529d

524d

0/26

closed as dup on 2022/11/24 06:31

Created	Duration	User	Patch	Repo	Result
2024/02/20 10:07	21m	retest repro		upstream	OK log
2023/12/12 09:37	14m	retest repro		upstream	report log

Created

Duration

User

Patch

Repo

Result

2024/02/20 10:07

21m

retest repro

upstream

OK log

2023/12/12 09:37

14m

retest repro

upstream

report log


Created	Duration	User	Patch	Repo	Result
2023/10/02 21:13	2h05m	bisect fix		upstream	error job log (0)
2023/07/27 06:53	2h39m	bisect fix		upstream	job log (0) log

BUG: unable to handle page fault for address: fffff5200002af99 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP KASAN CPU: 1 PID: 4993 Comm: syz-executor193 Not tainted 6.4.0-rc7-syzkaller-00072-gdad9774deaf1 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023 RIP: 0010:hlist_move_list include/linux/list.h:1029 [inline] RIP: 0010:collect_expired_timers+0x13b/0x200 kernel/time/timer.c:1772 Code: 49 89 45 00 48 89 44 24 10 74 29 e8 bf 21 11 00 48 8b 44 24 10 48 b9 00 00 00 00 00 fc ff df 48 8d 78 08 48 89 fa 48 c1 ea 03 <80> 3c 0a 00 75 7a 4c 89 68 08 e8 96 21 11 00 4d 89 fd 49 c7 04 24 RSP: 0018:ffffc900001e0e20 EFLAGS: 00010016 RAX: ffffc90000157cc0 RBX: 0000000000000000 RCX: dffffc0000000000 RDX: 1ffff9200002af99 RSI: ffffffff81732551 RDI: ffffc90000157cc8 RBP: 00000000ffff9b50 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000001 R11: ffff8880b993cf98 R12: ffff8880b99297e0 R13: ffffc900001e0eb8 R14: ffff8880b9929720 R15: ffffc900001e0ec0 FS: 00005555561173c0(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: fffff5200002af99 CR3: 0000000079098000 CR4: 0000000000350ee0 Call Trace: <IRQ> ---------------- Code disassembly (best guess): 0: 49 89 45 00 mov %rax,0x0(%r13) 4: 48 89 44 24 10 mov %rax,0x10(%rsp) 9: 74 29 je 0x34 b: e8 bf 21 11 00 callq 0x1121cf 10: 48 8b 44 24 10 mov 0x10(%rsp),%rax 15: 48 b9 00 00 00 00 00 movabs $0xdffffc0000000000,%rcx 1c: fc ff df 1f: 48 8d 78 08 lea 0x8(%rax),%rdi 23: 48 89 fa mov %rdi,%rdx 26: 48 c1 ea 03 shr $0x3,%rdx * 2a: 80 3c 0a 00 cmpb $0x0,(%rdx,%rcx,1) <-- trapping instruction 2e: 75 7a jne 0xaa 30: 4c 89 68 08 mov %r13,0x8(%rax) 34: e8 96 21 11 00 callq 0x1121cf 39: 4d 89 fd mov %r15,%r13 3c: 49 rex.WB 3d: c7 .byte 0xc7 3e: 04 24 add $0x24,%al

Crashes (2):
Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Assets (help?)	Manager	Title
2023/06/22 17:39	upstream	dad9774deaf1	09ffe269	.config	console log	report	syz	C		[disk image] [vmlinux] [kernel image] [mounted in repro]	ci-upstream-kasan-gce-root	BUG: unable to handle kernel paging request in collect_expired_timers
2023/05/07 19:05	net	27c1eaa07283	90c93c40	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-net-this-kasan-gce	KASAN: slab-use-after-free Write in collect_expired_timers

Crashes (2):

Assets (help?)