syzbot |
sign-in | mailing list | source | docs |
| 🐞 Open [979] ≡ Subsystems 🐞 Fixed [5216] 🐞 Invalid [12474] ⬇ Missing Backports [82] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes | 💬 Send us feedback |
================================================================== BUG: KASAN: use-after-free in hlist_add_head include/linux/list.h:673 [inline] BUG: KASAN: use-after-free in enqueue_timer kernel/time/timer.c:520 [inline] BUG: KASAN: use-after-free in __mod_timer kernel/time/timer.c:1021 [inline] BUG: KASAN: use-after-free in mod_timer+0x11d3/0x15b0 kernel/time/timer.c:1071 Write of size 8 at addr ffff8801d42a4188 by task ksoftirqd/1/16 CPU: 1 PID: 16 Comm: ksoftirqd/1 Not tainted 4.13.0+ #73 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:16 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:52 print_address_description+0x73/0x250 mm/kasan/report.c:252 kasan_report_error mm/kasan/report.c:351 [inline] kasan_report+0x24e/0x340 mm/kasan/report.c:409 __asan_report_store8_noabort+0x17/0x20 mm/kasan/report.c:435 hlist_add_head include/linux/list.h:673 [inline] enqueue_timer kernel/time/timer.c:520 [inline] __mod_timer kernel/time/timer.c:1021 [inline] mod_timer+0x11d3/0x15b0 kernel/time/timer.c:1071 sk_reset_timer+0x22/0x50 net/core/sock.c:2664 inet_csk_reset_xmit_timer include/net/inet_connection_sock.h:243 [inline] tcp_v4_err+0x16f7/0x17e0 net/ipv4/tcp_ipv4.c:492 icmp_socket_deliver+0x21a/0x440 net/ipv4/icmp.c:771 icmp_unreach+0x3d0/0xc50 net/ipv4/icmp.c:879 icmp_rcv+0x6b6/0x1250 net/ipv4/icmp.c:1060 ip_local_deliver_finish+0x2e2/0xba0 net/ipv4/ip_input.c:216 NF_HOOK include/linux/netfilter.h:249 [inline] ip_local_deliver+0x1ce/0x6e0 net/ipv4/ip_input.c:257 dst_input include/net/dst.h:478 [inline] ip_rcv_finish+0x8db/0x19c0 net/ipv4/ip_input.c:397 NF_HOOK include/linux/netfilter.h:249 [inline] ip_rcv+0xc3f/0x17d0 net/ipv4/ip_input.c:488 __netif_receive_skb_core+0x19af/0x33d0 net/core/dev.c:4418 __netif_receive_skb+0x2c/0x1b0 net/core/dev.c:4456 process_backlog+0x203/0x740 net/core/dev.c:5132 napi_poll net/core/dev.c:5530 [inline] net_rx_action+0x792/0x1910 net/core/dev.c:5596 __do_softirq+0x2bb/0xbd0 kernel/softirq.c:284 run_ksoftirqd+0x50/0x100 kernel/softirq.c:676 smpboot_thread_fn+0x489/0x850 kernel/smpboot.c:164 kthread+0x39c/0x470 kernel/kthread.c:231 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431 Allocated by task 22518: save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59 save_stack+0x43/0xd0 mm/kasan/kasan.c:447 set_track mm/kasan/kasan.c:459 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551 __do_kmalloc_node mm/slab.c:3689 [inline] __kmalloc_node+0x47/0x70 mm/slab.c:3696 kmalloc_node include/linux/slab.h:535 [inline] kvmalloc_node+0x64/0xd0 mm/util.c:397 kvmalloc include/linux/mm.h:528 [inline] kvzalloc include/linux/mm.h:536 [inline] alloc_netdev_mqs+0x16e/0xed0 net/core/dev.c:8011 tun_set_iff drivers/net/tun.c:2022 [inline] __tun_chr_ioctl+0x12be/0x3d40 drivers/net/tun.c:2276 tun_chr_ioctl+0x2a/0x40 drivers/net/tun.c:2521 vfs_ioctl fs/ioctl.c:45 [inline] do_vfs_ioctl+0x1b1/0x1530 fs/ioctl.c:685 SYSC_ioctl fs/ioctl.c:700 [inline] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:691 entry_SYSCALL_64_fastpath+0x1f/0xbe Freed by task 22518: save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59 save_stack+0x43/0xd0 mm/kasan/kasan.c:447 set_track mm/kasan/kasan.c:459 [inline] kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524 __cache_free mm/slab.c:3503 [inline] kfree+0xca/0x250 mm/slab.c:3820 kvfree+0x36/0x60 mm/util.c:416 netdev_freemem net/core/dev.c:7963 [inline] free_netdev+0x2cf/0x360 net/core/dev.c:8125 tun_set_iff drivers/net/tun.c:2105 [inline] __tun_chr_ioctl+0x2cff/0x3d40 drivers/net/tun.c:2276 tun_chr_ioctl+0x2a/0x40 drivers/net/tun.c:2521 vfs_ioctl fs/ioctl.c:45 [inline] do_vfs_ioctl+0x1b1/0x1530 fs/ioctl.c:685 SYSC_ioctl fs/ioctl.c:700 [inline] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:691 entry_SYSCALL_64_fastpath+0x1f/0xbe The buggy address belongs to the object at ffff8801d42a0d80 which belongs to the cache kmalloc-16384 of size 16384 The buggy address is located 13320 bytes inside of 16384-byte region [ffff8801d42a0d80, ffff8801d42a4d80) The buggy address belongs to the page: page:ffffea000750a800 count:1 mapcount:0 mapping:ffff8801d42a0d80 index:0x0 compound_mapcount: 0 flags: 0x200000000008100(slab|head) raw: 0200000000008100 ffff8801d42a0d80 0000000000000000 0000000100000001 raw: ffffea000711b620 ffffea000754ea20 ffff8801dac02200 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8801d42a4080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801d42a4100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8801d42a4180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801d42a4200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801d42a4280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2017/09/08 09:50 | upstream | 8dc5b3a6cb2f | 0ed1da4a | .config | console log | report | ci-upstream-kasan-gce | |||||
| 2017/09/07 15:19 | upstream | 3b9f8ed25dbe | 0ed1da4a | .config | console log | report | ci-upstream-kasan-gce | |||||
| 2017/10/15 14:46 | upstream | e7a36a6ec9cf | c26ea367 | .config | console log | report | ci-upstream-kasan-gce-386 | |||||
| 2017/10/01 01:04 | upstream | 74d83ec2b734 | c26ea367 | .config | console log | report | ci-upstream-kasan-gce-386 | |||||
| 2017/09/24 06:48 | upstream | cd4175b11685 | c26ea367 | .config | console log | report | ci-upstream-kasan-gce-386 | |||||
| 2017/09/21 07:40 | upstream | c52f56a69d10 | 653022e6 | .config | console log | report | ci-upstream-kasan-gce-386 | |||||
| 2017/10/17 23:03 | linux-next | 49827b977a2e | 441d64d9 | .config | console log | report | ci-upstream-next-kasan-gce | |||||
| 2017/10/17 12:14 | linux-next | 49827b977a2e | 441d64d9 | .config | console log | report | ci-upstream-next-kasan-gce | |||||
| 2017/10/03 20:13 | mmots | 9af872441677 | c26ea367 | .config | console log | report | ci-upstream-mmots-kasan-gce | |||||
| 2017/09/26 19:08 | linux-next | d35adcbe86c1 | c26ea367 | .config | console log | report | ci-upstream-next-kasan-gce | |||||
| 2017/09/23 22:36 | mmots | 720bbe532b7c | c26ea367 | .config | console log | report | ci-upstream-mmots-kasan-gce | |||||
| 2017/09/22 12:22 | mmots | 720bbe532b7c | c26ea367 | .config | console log | report | ci-upstream-mmots-kasan-gce | |||||
| 2017/09/21 02:02 | linux-next | 0b093a564fe0 | 4e341009 | .config | console log | report | ci-upstream-next-kasan-gce | |||||
| 2017/09/19 12:25 | mmots | 720bbe532b7c | c26ea367 | .config | console log | report | ci-upstream-mmots-kasan-gce | |||||
| 2017/09/13 20:15 | linux-next | 6f20b7a58cb9 | 96b8e399 | .config | console log | report | skylake-linux-next-kasan-qemu | |||||
| 2017/09/12 10:06 | linux-next | 0d71e2d4aa14 | 0bd6a0a5 | .config | console log | report | ci-upstream-next-kasan-gce | |||||
| 2017/09/09 23:03 | linux-next | 58bcd35f859b | d18bfda0 | .config | console log | report | skylake-linux-next-kasan-qemu | |||||
| 2017/09/03 02:29 | linux-next | 1d53d908b79d | a54dce00 | .config | console log | report | ci-upstream-next-kasan-gce | |||||
| 2017/08/30 21:45 | linux-next | 9458bf6edfa8 | ed7f9598 | .config | console log | report | ci-upstream-next-kasan-gce | |||||
| 2017/08/29 14:55 | linux-next | 9458bf6edfa8 | ed7f9598 | .config | console log | report | skylake-linux-next-kasan-qemu |