syzbot

KASAN: use-after-free Read in receive_buf

Status: closed as invalid on 2023/02/08 20:19
Subsystems: kernel
First crash: 452d, last: 452d
Similar bugs (2):

Kernel   | Title                                                    | Repro | Cause bisect | Fix bisect | Count | Last  | Reported | Patched | Status
upstream | KASAN: use-after-free Read in receive_buf (2) [net virt] |       |              |            | 1     | 368d  | 368d     | 0/26    | auto-obsoleted due to no activity on 2023/09/20 11:49
upstream | general protection fault in receive_buf [net virt]       |       |              |            | 2     | 1098d | 1105d    | 0/26    | auto-closed as invalid on 2021/07/03 00:24

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in receive_buf+0x3c45/0x54b0
Read of size 2 at addr ffff88801e05780a by task syz-fuzzer/5286

CPU: 0 PID: 5286 Comm: syz-fuzzer Not tainted 6.2.0-rc7-syzkaller-00018-g0983f6bf2bfc #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
Call Trace:
 <TASK>
 dump_stack_lvl+0x1b5/0x2a0
 print_report+0x163/0x4c0
 kasan_report+0xce/0x100
 receive_buf+0x3c45/0x54b0
 virtnet_poll+0x629/0x1260
 __napi_poll+0xc7/0x470
 net_rx_action+0x6f8/0xe80
 __do_softirq+0x308/0xaf7
 __irq_exit_rcu+0x13e/0x230
 irq_exit_rcu+0x9/0x20
 common_interrupt+0x53/0xc0
 asm_common_interrupt+0x26/0x40
RIP: 0033:0x4fcec4
Code: b8 d0 01 00 00 00 0f 85 ff 00 00 00 48 8b 70 18 48 83 fe 40 4d 19 c0 44 0f b7 cb 89 ca 48 89 f1 49 d3 e1 4d 21 c1 4c 0b 48 10 <4c> 89 48 10 0f b7 f2 48 03 70 18 48 89 70 18 48 83 fe 30 0f 82 be
RSP: 002b:000000c000247588 EFLAGS: 00000202
RAX: 000000c0002341e0 RBX: 000000000000004d RCX: 000000000000002c
RDX: 0000000000000007 RSI: 000000000000002c RDI: 0000000000000045
RBP: 000000c0002475a8 R08: ffffffffffffffff R09: 0004db98c8136b29
R10: 0000000001183600 R11: 0000000000000002 R12: 0000000000000103
R13: 0000000000000000 R14: 000000c000447a00 R15: 000000000000007f
 </TASK>

The buggy address belongs to the physical page:
page:ffffea00007815c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1e057
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 0000000000000000 ffffea00007815c8 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x152a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL), pid 15, tgid 15 (ksoftirqd/0), ts 554848077778, free_ts 612244992154
 get_page_from_freelist+0x3403/0x3580
 __alloc_pages+0x291/0x7e0
 skb_page_frag_refill+0x158/0x2f0
 try_fill_recv+0x594/0x18e0
 virtnet_poll+0x858/0x1260
 __napi_poll+0xc7/0x470
 net_rx_action+0x6f8/0xe80
 __do_softirq+0x308/0xaf7
page last free stack trace:
 free_unref_page_prepare+0xf3a/0x1040
 free_unref_page+0x37/0x3f0
 page_to_skb+0x470/0xb60
 receive_buf+0x428/0x54b0
 virtnet_poll+0x629/0x1260
 __napi_poll+0xc7/0x470
 net_rx_action+0x6f8/0xe80
 __do_softirq+0x308/0xaf7

Memory state around the buggy address:
 ffff88801e057700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88801e057780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88801e057800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                      ^
 ffff88801e057880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88801e057900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (1):

Time             | Kernel   | Commit       | Syzkaller | Config  | Log         | Report | Syz repro | C repro | VM info | Assets                                | Manager         | Title
2023/02/08 10:24 | upstream | 0983f6bf2bfc | 15c3d445  | .config | console log | report |           |         | info    | [disk image] [vmlinux] [kernel image] | ci2-upstream-fs | KASAN: use-after-free Read in receive_buf