

KASAN: wild-memory-access Read of size 176

Status: closed as invalid on 2017/10/18 09:01
First crash: 2388 days ago, last: 2388 days ago

Sample crash report:
==================================================================
BUG: KASAN: wild-memory-access on address ffe708746f171000
Read of size 176 by task syz-executor6/13226
CPU: 1 PID: 13226 Comm: syz-executor6 Not tainted 4.9.52-g96a28fc #57
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cf34f9e8 ffffffff81d93149 ffe708746f171000 00000000000000b0
 0000000000000000 ffff8801a610c180 ffe708746f171000 ffff8801cf34fa70
 ffffffff8153d08f 0000000000000000 0000000000000001 ffffffff826648db
Call Trace:
 [<ffffffff81d93149>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d93149>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153d08f>] kasan_report_error mm/kasan/report.c:284 [inline]
 [<ffffffff8153d08f>] kasan_report.part.1+0x40f/0x500 mm/kasan/report.c:309
 [<ffffffff8153d460>] kasan_report+0x20/0x30 mm/kasan/report.c:296
 [<ffffffff8153bda7>] check_memory_region_inline mm/kasan/kasan.c:308 [inline]
 [<ffffffff8153bda7>] check_memory_region+0x137/0x190 mm/kasan/kasan.c:315
 [<ffffffff8153be11>] kasan_check_read+0x11/0x20 mm/kasan/kasan.c:320
 [<ffffffff826648db>] __copy_to_user arch/x86/include/asm/uaccess_64.h:182 [inline]
 [<ffffffff826648db>] sg_read_oxfer drivers/scsi/sg.c:1978 [inline]
 [<ffffffff826648db>] sg_read+0x124b/0x1400 drivers/scsi/sg.c:520
 [<ffffffff8156b741>] do_loop_readv_writev.part.17+0x141/0x1e0 fs/read_write.c:714
 [<ffffffff8156f510>] do_loop_readv_writev fs/read_write.c:880 [inline]
 [<ffffffff8156f510>] do_readv_writev+0x520/0x750 fs/read_write.c:874
 [<ffffffff8156f7c4>] vfs_readv+0x84/0xc0 fs/read_write.c:898
 [<ffffffff8156f8e6>] do_readv+0xe6/0x250 fs/read_write.c:924
 [<ffffffff81572ca7>] SYSC_readv fs/read_write.c:1011 [inline]
 [<ffffffff81572ca7>] SyS_readv+0x27/0x30 fs/read_write.c:1008
 [<ffffffff838ac645>] entry_SYSCALL_64_fastpath+0x23/0xc6
==================================================================
IPVS: Creating netns size=2536 id=35
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=32 sclass=netlink_tcpdiag_socket pig=13299 comm=syz-executor1
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=32 sclass=netlink_tcpdiag_socket pig=13299 comm=syz-executor1
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'.
9pnet_virtio: no channels available for device ./file0
9pnet_virtio: no channels available for device ./file0
IPVS: Creating netns size=2536 id=36
Can not set IPV6_FL_F_REFLECT if flowlabel_consistency sysctl is enable
IPVS: Creating netns size=2536 id=37
Can not set IPV6_FL_F_REFLECT if flowlabel_consistency sysctl is enable
device syz1 left promiscuous mode
tmpfs: No value for mount option 'I'
device syz6 entered promiscuous mode
device syz6 left promiscuous mode
tmpfs: No value for mount option 'I'
device syz6 entered promiscuous mode
device syz6 left promiscuous mode
binder: 13742:13744 ioctl 4c00 6 returned -22
binder: 13742:13744 ioctl 4c00 18 returned -22
device syz5 left promiscuous mode
9pnet_virtio: no channels available for device ./file0
9pnet_virtio: no channels available for device ./file0
device syz7 entered promiscuous mode
device syz7 left promiscuous mode
device syz7 entered promiscuous mode
IPVS: Creating netns size=2536 id=38
IPVS: Creating netns size=2536 id=39
binder: 14146:14148 ioctl 5609 20219ffa returned -22
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=0 sclass=netlink_tcpdiag_socket pig=14158 comm=syz-executor3
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=0 sclass=netlink_tcpdiag_socket pig=14158 comm=syz-executor3
sd 0:0:1:0: [sg0] tag#431 FAILED Result: hostbyte=DID_ABORT driverbyte=DRIVER_OK
sd 0:0:1:0: [sg0] tag#431 CDB: opcode=0xff (vendor)
sd 0:0:1:0: [sg0] tag#431 CDB[00]: ff ff ff ff 00 00 00 00 00 00 00 00 54 52 d5 59
binder: 14146:14164 ioctl 5609 20219ffa returned -22
sd 0:0:1:0: [sg0] tag#431 CDB[10]: 00 00 00 00 b3 64 09 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#431 CDB[20]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#431 CDB[30]: 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#431 FAILED Result: hostbyte=DID_ABORT driverbyte=DRIVER_OK
sd 0:0:1:0: [sg0] tag#431 CDB: opcode=0xff (vendor)
sd 0:0:1:0: [sg0] tag#431 CDB[00]: ff ff ff ff 00 00 00 00 00 00 00 00 54 52 d5 59
sd 0:0:1:0: [sg0] tag#431 CDB[10]: 00 00 00 00 2e 82 0a 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#431 CDB[20]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#431 CDB[30]: 00 00 00 00 00 00 00 00 00 00 00 00
handle_userfault: 1 callbacks suppressed
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 14298 Comm: syz-executor0 Tainted: G    B           4.9.52-g96a28fc #57
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d5c7f780 ffffffff81d93149 ffff8801d5c7fa60 0000000000000000
 ffff8801d94e3610 ffff8801d5c7f950 ffff8801d94e3500 ffff8801d5c7f978
 ffffffff81660dc8 ffff8801d5c7f8d0 0000000000000000 00000001c3ea3067
Call Trace:
 [<ffffffff81d93149>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d93149>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff81660dc8>] handle_userfault+0xa48/0x1300 fs/userfaultfd.c:323
 [<ffffffff814cfd71>] do_anonymous_page mm/memory.c:2747 [inline]
 [<ffffffff814cfd71>] handle_pte_fault mm/memory.c:3488 [inline]
 [<ffffffff814cfd71>] __handle_mm_fault mm/memory.c:3577 [inline]
 [<ffffffff814cfd71>] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [<ffffffff810e020b>] __do_page_fault+0x4eb/0xbd0 arch/x86/mm/fault.c:1397
 [<ffffffff810e0917>] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460
 [<ffffffff838ad818>] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [<ffffffff815b2228>] SYSC_select fs/select.c:652 [inline]
 [<ffffffff815b2228>] SyS_select+0x158/0x1e0 fs/select.c:634
 [<ffffffff838ac645>] entry_SYSCALL_64_fastpath+0x23/0xc6
nla_parse: 26 callbacks suppressed
netlink: 1 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor0'.
device syz0 left promiscuous mode
device syz0 entered promiscuous mode
device syz7 left promiscuous mode
device syz4 left promiscuous mode
device syz0 left promiscuous mode
device syz0 entered promiscuous mode
device gre0 entered promiscuous mode
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=26783 sclass=netlink_route_socket pig=14650 comm=syz-executor7
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=26783 sclass=netlink_route_socket pig=14650 comm=syz-executor7
netlink: 3 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor3'.
device syz5 entered promiscuous mode
netlink: 4 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor6'.
device gre0 entered promiscuous mode
device gre0 left promiscuous mode
netlink: 3 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor7'.
device gre0 entered promiscuous mode
device gre0 left promiscuous mode
netlink: 1 bytes leftover after parsing attributes in process `syz-executor2'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor1'.
IPVS: length: 24 != 49176
9pnet_virtio: no channels available for device ./file0
9pnet_virtio: no channels available for device ./file0
IPVS: length: 24 != 49176
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=15038 comm=syz-executor3
binder_alloc: binder_alloc_mmap_handler: 15039 204f0000-204f4000 already mapped failed -16
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=15038 comm=syz-executor3
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=15079 comm=syz-executor6
binder_alloc: binder_alloc_mmap_handler: 15039 204f0000-204f4000 already mapped failed -16
tc_dump_action: action bad kind
tc_dump_action: action bad kind
device gre0 entered promiscuous mode
binder: binder_mmap: 15269 2007d000-2007e000 bad vm_flags failed -1
binder: binder_mmap: 15269 2007d000-2007e000 bad vm_flags failed -1
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
binder: 15498:15500 ioctl 40485404 20185000 returned -22
binder: 15498:15500 ioctl 40485404 20185000 returned -22
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
binder: 15860:15868 ioctl 40084504 20386ff8 returned -22
binder: 15860:15884 ioctl 40084504 20386ff8 returned -22
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=15878 comm=syz-executor5
==================================================================
BUG: KASAN: wild-memory-access on address ffe708746f171000
Read of size 37 by task syz-executor0/15933
CPU: 0 PID: 15933 Comm: syz-executor0 Tainted: G    B           4.9.52-g96a28fc #57
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d93e7ae8 ffffffff81d93149 ffe708746f171000 0000000000000025
 0000000000000000 ffff8801a62fbf00 ffe708746f171000 ffff8801d93e7b70
 ffffffff8153d08f 0000000000000000 0000000000000001 ffffffff826648db
Call Trace:
 [<ffffffff81d93149>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d93149>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153d08f>] kasan_report_error mm/kasan/report.c:284 [inline]
 [<ffffffff8153d08f>] kasan_report.part.1+0x40f/0x500 mm/kasan/report.c:309
 [<ffffffff8153d460>] kasan_report+0x20/0x30 mm/kasan/report.c:296
 [<ffffffff8153bda7>] check_memory_region_inline mm/kasan/kasan.c:308 [inline]
 [<ffffffff8153bda7>] check_memory_region+0x137/0x190 mm/kasan/kasan.c:315
 [<ffffffff8153be11>] kasan_check_read+0x11/0x20 mm/kasan/kasan.c:320
 [<ffffffff826648db>] __copy_to_user arch/x86/include/asm/uaccess_64.h:182 [inline]
 [<ffffffff826648db>] sg_read_oxfer drivers/scsi/sg.c:1978 [inline]
 [<ffffffff826648db>] sg_read+0x124b/0x1400 drivers/scsi/sg.c:520
 [<ffffffff8156d353>] __vfs_read+0x103/0x670 fs/read_write.c:452
 [<ffffffff8156e8e7>] vfs_read+0x107/0x330 fs/read_write.c:475
 [<ffffffff815724c9>] SYSC_read fs/read_write.c:591 [inline]
 [<ffffffff815724c9>] SyS_read+0xd9/0x1b0 fs/read_write.c:584
 [<ffffffff838ac645>] entry_SYSCALL_64_fastpath+0x23/0xc6
==================================================================
IPVS: Creating netns size=2536 id=40
FAULT_FLAG_ALLOW_RETRY missing 30
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 16047 Comm: syz-executor2 Tainted: G    B           4.9.52-g96a28fc #57
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d9387960 ffffffff81d93149 ffff8801d9387c40 0000000000000000
 ffff8801d94e3910 ffff8801d9387b30 ffff8801d94e3800 ffff8801d9387b58
 ffffffff81660dc8 ffff8801d9387ab0 0000000000000292 00000001a8201067
Call Trace:
 [<ffffffff81d93149>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d93149>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff81660dc8>] handle_userfault+0xa48/0x1300 fs/userfaultfd.c:323
 [<ffffffff814cfd71>] do_anonymous_page mm/memory.c:2747 [inline]
 [<ffffffff814cfd71>] handle_pte_fault mm/memory.c:3488 [inline]
 [<ffffffff814cfd71>] __handle_mm_fault mm/memory.c:3577 [inline]
 [<ffffffff814cfd71>] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [<ffffffff810e020b>] __do_page_fault+0x4eb/0xbd0 arch/x86/mm/fault.c:1397
 [<ffffffff810e0917>] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460
 [<ffffffff838ad818>] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [<ffffffff8116a374>] SyS_rt_sigqueueinfo+0x24/0x30 kernel/signal.c:2967
 [<ffffffff838ac645>] entry_SYSCALL_64_fastpath+0x23/0xc6
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 16009 Comm: syz-executor2 Tainted: G    B           4.9.52-g96a28fc #57
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c73af9a0 ffffffff81d93149 ffff8801c73afc80 0000000000000000
 ffff8801d94e3910 ffff8801c73afb70 ffff8801d94e3800 ffff8801c73afb98
 ffffffff81660dc8 ffff8801c73afaf0 ffff8801c73afbb8 00000001a8201067
Call Trace:
 [<ffffffff81d93149>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d93149>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff81660dc8>] handle_userfault+0xa48/0x1300 fs/userfaultfd.c:323
 [<ffffffff814cfd71>] do_anonymous_page mm/memory.c:2747 [inline]
 [<ffffffff814cfd71>] handle_pte_fault mm/memory.c:3488 [inline]
 [<ffffffff814cfd71>] __handle_mm_fault mm/memory.c:3577 [inline]
 [<ffffffff814cfd71>] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [<ffffffff810e020b>] __do_page_fault+0x4eb/0xbd0 arch/x86/mm/fault.c:1397
 [<ffffffff810e0917>] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460
 [<ffffffff838ad818>] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [<ffffffff838ac645>] entry_SYSCALL_64_fastpath+0x23/0xc6
binder: 16048:16049 ioctl 5420 20185ffc returned -22
binder: 16048:16076 ioctl 5420 20185ffc returned -22
IPVS: Creating netns size=2536 id=41
CPU: 1 PID: 16059 Comm: syz-executor2 Tainted: G    B           4.9.52-g96a28fc #57
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d6937780 ffffffff81d93149 ffff8801d6937a60 0000000000000000
 ffff8801d94e3910 ffff8801d6937950 ffff8801d94e3800 ffff8801d6937978
 ffffffff81660dc8 ffff8801d69378d0 0000000000000000 00000001a8201067
Call Trace:
 [<ffffffff81d93149>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d93149>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff81660dc8>] handle_userfault+0xa48/0x1300 fs/userfaultfd.c:323
 [<ffffffff814cfd71>] do_anonymous_page mm/memory.c:2747 [inline]
 [<ffffffff814cfd71>] handle_pte_fault mm/memory.c:3488 [inline]
 [<ffffffff814cfd71>] __handle_mm_fault mm/memory.c:3577 [inline]
 [<ffffffff814cfd71>] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [<ffffffff810e020b>] __do_page_fault+0x4eb/0xbd0 arch/x86/mm/fault.c:1397
 [<ffffffff810e0917>] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460
 [<ffffffff838ad818>] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [<ffffffff815b2228>] SYSC_select fs/select.c:652 [inline]
 [<ffffffff815b2228>] SyS_select+0x158/0x1e0 fs/select.c:634
 [<ffffffff838ac645>] entry_SYSCALL_64_fastpath+0x23/0xc6
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=6 sclass=netlink_route_socket pig=16150 comm=syz-executor3
nla_parse: 12 callbacks suppressed
netlink: 5 bytes leftover after parsing attributes in process `syz-executor2'.
binder: 16141:16142 ioctl 6430 0 returned -22
9pnet_virtio: no channels available for device ./file0
netlink: 5 bytes leftover after parsing attributes in process `syz-executor2'.
binder: 16141:16142 ioctl 6430 0 returned -22
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=6 sclass=netlink_route_socket pig=16150 comm=syz-executor3
9pnet_virtio: no channels available for device ./file0
device lo entered promiscuous mode
device syz3 entered promiscuous mode

Crashes (1):
Time: 2017/10/04 21:27
Kernel: https://android.googlesource.com/kernel/common android-4.9
Commit: 96a28fcc7c92
Syzkaller: c26ea367
Config: .config
Log: console log
Report: report
Syz repro: (none)
C repro: (none)
VM info: (none)
Assets: (none)
Manager: ci-android-49-kasan-gce
Title: (none)