syzbot |
sign-in | mailing list | source | docs |
| 🐞 Open [977] ≡ Subsystems 🐞 Fixed [5208] 🐞 Invalid [12459] ⬇ Missing Backports [82] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes | 💬 Send us feedback |
| Title | Replies (including bot) | Last reply |
|---|---|---|
| [PATCH net 0/6] rxrpc: Syzbot-inspired fixes | 8 (8) | 2019/10/07 13:13 |
| Re: KASAN: use-after-free Read in rxrpc_release_call | 1 (1) | 2019/10/04 14:40 |
| Reminder: 3 open syzbot reports in "net/rxrpc" subsystem | 1 (1) | 2019/10/04 04:13 |
| KASAN: use-after-free Read in rxrpc_release_call | 0 (3) | 2019/09/21 17:41 |
| Created | Duration | User | Patch | Repo | Result |
|---|---|---|---|---|---|
| 2019/10/04 14:39 | 16m | dhowells@redhat.com | git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git 37932e658d77ff16d67f5e3cd24096d48931c2be | OK |
================================================================== BUG: KASAN: use-after-free in rxrpc_release_call+0x3f3/0x540 net/rxrpc/call_object.c:493 Read of size 8 at addr ffff8880a8475a50 by task syz-executor.4/32454 CPU: 0 PID: 32454 Comm: syz-executor.4 Not tainted 5.4.0-rc3+ #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1d8/0x2f8 lib/dump_stack.c:113 print_address_description+0x75/0x5c0 mm/kasan/report.c:374 __kasan_report+0x14b/0x1c0 mm/kasan/report.c:506 kasan_report+0x26/0x50 mm/kasan/common.c:634 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132 rxrpc_release_call+0x3f3/0x540 net/rxrpc/call_object.c:493 rxrpc_release_calls_on_socket+0x6b7/0x7e0 net/rxrpc/call_object.c:523 rxrpc_release_sock net/rxrpc/af_rxrpc.c:897 [inline] rxrpc_release+0x2dc/0x460 net/rxrpc/af_rxrpc.c:927 __sock_release net/socket.c:590 [inline] sock_close+0xe1/0x260 net/socket.c:1268 __fput+0x2e4/0x740 fs/file_table.c:280 ____fput+0x15/0x20 fs/file_table.c:313 task_work_run+0x17e/0x1b0 kernel/task_work.c:113 tracehook_notify_resume include/linux/tracehook.h:188 [inline] exit_to_usermode_loop arch/x86/entry/common.c:163 [inline] prepare_exit_to_usermode+0x459/0x580 arch/x86/entry/common.c:194 syscall_return_slowpath+0x113/0x4a0 arch/x86/entry/common.c:274 do_syscall_64+0x11f/0x1c0 arch/x86/entry/common.c:300 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x413741 Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01 RSP: 002b:00007fff690c3300 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: 0000000000000000 RBX: 0000000000000005 RCX: 0000000000413741 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 RBP: 0000000000000001 R08: ffffffffffffffff R09: ffffffffffffffff R10: 00007fff690c33e0 R11: 0000000000000293 R12: 000000000075bf20 R13: 000000000019413d R14: 0000000000761278 R15: 000000000075bf2c Allocated by task 32455: save_stack mm/kasan/common.c:69 [inline] set_track mm/kasan/common.c:77 [inline] __kasan_kmalloc+0x11c/0x1b0 mm/kasan/common.c:510 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:524 kmem_cache_alloc_trace+0x221/0x2f0 mm/slab.c:3550 kmalloc include/linux/slab.h:556 [inline] kzalloc include/linux/slab.h:690 [inline] rxrpc_alloc_connection+0x79/0x490 net/rxrpc/conn_object.c:41 rxrpc_alloc_client_connection net/rxrpc/conn_client.c:176 [inline] rxrpc_get_client_conn net/rxrpc/conn_client.c:339 [inline] rxrpc_connect_call+0xb30/0x2c40 net/rxrpc/conn_client.c:697 rxrpc_new_client_call+0x6d5/0xb60 net/rxrpc/call_object.c:289 rxrpc_new_client_call_for_sendmsg net/rxrpc/sendmsg.c:595 [inline] rxrpc_do_sendmsg+0xf2b/0x19b0 net/rxrpc/sendmsg.c:652 rxrpc_sendmsg+0x5eb/0x8b0 net/rxrpc/af_rxrpc.c:585 sock_sendmsg_nosec net/socket.c:637 [inline] sock_sendmsg net/socket.c:657 [inline] ___sys_sendmsg+0x60d/0x910 net/socket.c:2311 __sys_sendmmsg+0x239/0x470 net/socket.c:2413 __do_sys_sendmmsg net/socket.c:2442 [inline] __se_sys_sendmmsg net/socket.c:2439 [inline] __x64_sys_sendmmsg+0xa0/0xb0 net/socket.c:2439 do_syscall_64+0xf7/0x1c0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 9: save_stack mm/kasan/common.c:69 [inline] set_track mm/kasan/common.c:77 [inline] kasan_set_free_info mm/kasan/common.c:332 [inline] __kasan_slab_free+0x12a/0x1e0 mm/kasan/common.c:471 kasan_slab_free+0xe/0x10 mm/kasan/common.c:480 __cache_free mm/slab.c:3425 [inline] kfree+0x115/0x200 mm/slab.c:3756 rxrpc_destroy_connection+0x1ec/0x240 net/rxrpc/conn_object.c:372 __rcu_reclaim kernel/rcu/rcu.h:222 [inline] rcu_do_batch kernel/rcu/tree.c:2157 [inline] rcu_core+0x843/0x1050 kernel/rcu/tree.c:2377 rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2386 __do_softirq+0x333/0x7c4 arch/x86/include/asm/paravirt.h:766 The buggy address belongs to the object at ffff8880a8475800 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 592 bytes inside of 1024-byte region [ffff8880a8475800, ffff8880a8475c00) The buggy address belongs to the page: page:ffffea0002a11d40 refcount:1 mapcount:0 mapping:ffff8880aa400c40 index:0xffff8880a8475000 flags: 0x1fffc0000000200(slab) raw: 01fffc0000000200 ffffea000285a648 ffffea00029ee008 ffff8880aa400c40 raw: ffff8880a8475000 ffff8880a8475000 0000000100000001 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880a8475900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880a8475980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8880a8475a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880a8475a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880a8475b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2019/10/16 23:01 | upstream | bc88f85c6c09 | 8c88c9c1 | .config | console log | report | syz | ci-upstream-kasan-gce-smack-root | ||||
| 2019/10/06 07:04 | upstream | 4ea655343ce4 | f3f7d9c8 | .config | console log | report | syz | ci-upstream-kasan-gce-selinux-root | ||||
| 2019/09/23 01:54 | upstream | f7c3bf8fa7e5 | d96e88f3 | .config | console log | report | syz | ci-upstream-kasan-gce | ||||
| 2019/09/21 11:07 | upstream | f97c81dc6ca5 | d96e88f3 | .config | console log | report | syz | ci-upstream-kasan-gce-smack-root | ||||
| 2019/09/26 10:14 | linux-next | d47175169c28 | 24d405a3 | .config | console log | report | syz | ci-upstream-linux-next-kasan-gce-root | ||||
| 2019/09/23 14:10 | upstream | 619e17cf75dd | 1e9788a0 | .config | console log | report | ci-upstream-kasan-gce-selinux-root | |||||
| 2019/09/23 01:14 | upstream | f7c3bf8fa7e5 | d96e88f3 | .config | console log | report | ci-upstream-kasan-gce | |||||
| 2019/09/19 21:09 | upstream | b41dae061bbd | eb940044 | .config | console log | report | ci-upstream-kasan-gce-root | |||||
| 2019/09/27 16:42 | net-old | 2b6fd3ea438c | d8074e0b | .config | console log | report | ci-upstream-net-this-kasan-gce | |||||
| 2019/09/23 05:37 | net-old | 34b4688425d9 | d96e88f3 | .config | console log | report | ci-upstream-net-this-kasan-gce | |||||
| 2019/10/17 20:31 | net-next-old | a8c41a68076e | 8c88c9c1 | .config | console log | report | ci-upstream-net-kasan-gce | |||||
| 2019/08/22 17:15 | net-next-old | fed07ef3b072 | d003d6d0 | .config | console log | report | ci-upstream-net-kasan-gce | |||||
| 2019/08/30 18:53 | linux-next | ed2393ca0910 | fd37b39e | .config | console log | report | ci-upstream-linux-next-kasan-gce-root |