syzbot |
sign-in | mailing list | source | docs |
| 🐞 Open [552] 🐞 Fixed [296] 🐞 Invalid [695] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes |
audit: type=1400 audit(1572250958.120:36): avc: denied { map } for pid=7660 comm="syz-executor726" path="/root/syz-executor726039997" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
hrtimer: interrupt took 46364 ns
syz-executor726 (7662) used greatest stack depth: 21888 bytes left
==================================================================
BUG: KASAN: use-after-free in tc_chain_fill_node+0x891/0x8b0 net/sched/cls_api.c:1733
Read of size 8 at addr ffff88807b45ec80 by task syz-executor726/7767
CPU: 0 PID: 7767 Comm: syz-executor726 Not tainted 4.19.80 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x172/0x1f0 lib/dump_stack.c:113
print_address_description.cold+0x7c/0x20d mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report mm/kasan/report.c:412 [inline]
kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:396
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
tc_chain_fill_node+0x891/0x8b0 net/sched/cls_api.c:1733
tc_chain_notify+0x102/0x200 net/sched/cls_api.c:1771
__tcf_chain_put+0x380/0x500 net/sched/cls_api.c:330
tcf_chain_put net/sched/cls_api.c:340 [inline]
tc_ctl_chain+0xbca/0xff0 net/sched/cls_api.c:1932
rtnetlink_rcv_msg+0x463/0xb00 net/core/rtnetlink.c:4747
netlink_rcv_skb+0x17d/0x460 net/netlink/af_netlink.c:2454
rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:4765
netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
netlink_unicast+0x537/0x720 net/netlink/af_netlink.c:1343
netlink_sendmsg+0x8ae/0xd70 net/netlink/af_netlink.c:1908
sock_sendmsg_nosec net/socket.c:622 [inline]
sock_sendmsg+0xd7/0x130 net/socket.c:632
___sys_sendmsg+0x803/0x920 net/socket.c:2115
__sys_sendmsg+0x105/0x1d0 net/socket.c:2153
__do_sys_sendmsg net/socket.c:2162 [inline]
__se_sys_sendmsg net/socket.c:2160 [inline]
__x64_sys_sendmsg+0x78/0xb0 net/socket.c:2160
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x446e19
Code: e8 5c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 0b 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f6cd9300d98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000006dbc98 RCX: 0000000000446e19
RDX: 0000000000000000 RSI: 0000000020000300 RDI: 000000000000000b
RBP: 00000000006dbc90 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc9c
R13: 0000000000000000 R14: 0000000000000000 R15: 0507002400000048
Allocated by task 7758:
save_stack+0x45/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc mm/kasan/kasan.c:553 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:531
__do_kmalloc_node mm/slab.c:3689 [inline]
__kmalloc_node+0x51/0x80 mm/slab.c:3696
kmalloc_node include/linux/slab.h:557 [inline]
kzalloc_node include/linux/slab.h:720 [inline]
qdisc_alloc+0xbb/0xa60 net/sched/sch_generic.c:824
qdisc_create+0xec/0x1230 net/sched/sch_api.c:1113
tc_modify_qdisc+0xab0/0x1bdc net/sched/sch_api.c:1554
rtnetlink_rcv_msg+0x463/0xb00 net/core/rtnetlink.c:4747
netlink_rcv_skb+0x17d/0x460 net/netlink/af_netlink.c:2454
rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:4765
netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
netlink_unicast+0x537/0x720 net/netlink/af_netlink.c:1343
netlink_sendmsg+0x8ae/0xd70 net/netlink/af_netlink.c:1908
sock_sendmsg_nosec net/socket.c:622 [inline]
sock_sendmsg+0xd7/0x130 net/socket.c:632
___sys_sendmsg+0x803/0x920 net/socket.c:2115
__sys_sendmsg+0x105/0x1d0 net/socket.c:2153
__do_sys_sendmsg net/socket.c:2162 [inline]
__se_sys_sendmsg net/socket.c:2160 [inline]
__x64_sys_sendmsg+0x78/0xb0 net/socket.c:2160
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 7761:
save_stack+0x45/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
__cache_free mm/slab.c:3503 [inline]
kfree+0xcf/0x220 mm/slab.c:3822
qdisc_free+0x89/0x100 net/sched/sch_generic.c:945
qdisc_destroy+0x4cf/0x690 net/sched/sch_generic.c:985
notify_and_destroy+0xa2/0xb0 net/sched/sch_api.c:924
qdisc_graft+0x4f3/0x1030 net/sched/sch_api.c:991
tc_modify_qdisc+0xcae/0x1bdc net/sched/sch_api.c:1582
rtnetlink_rcv_msg+0x463/0xb00 net/core/rtnetlink.c:4747
netlink_rcv_skb+0x17d/0x460 net/netlink/af_netlink.c:2454
rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:4765
netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
netlink_unicast+0x537/0x720 net/netlink/af_netlink.c:1343
netlink_sendmsg+0x8ae/0xd70 net/netlink/af_netlink.c:1908
sock_sendmsg_nosec net/socket.c:622 [inline]
sock_sendmsg+0xd7/0x130 net/socket.c:632
___sys_sendmsg+0x803/0x920 net/socket.c:2115
__sys_sendmsg+0x105/0x1d0 net/socket.c:2153
__do_sys_sendmsg net/socket.c:2162 [inline]
__se_sys_sendmsg net/socket.c:2160 [inline]
__x64_sys_sendmsg+0x78/0xb0 net/socket.c:2160
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff88807b45ec40
which belongs to the cache kmalloc-4096 of size 4096
The buggy address is located 64 bytes inside of
4096-byte region [ffff88807b45ec40, ffff88807b45fc40)
The buggy address belongs to the page:
page:ffffea0001ed1780 count:1 mapcount:0 mapping:ffff88812c3f0dc0 index:0x0 compound_mapcount: 0
flags: 0x1fffc0000008100(slab|head)
raw: 01fffc0000008100 ffffea000272c488 ffffea0001ed1008 ffff88812c3f0dc0
raw: 0000000000000000 ffff88807b45ec40 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88807b45eb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88807b45ec00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff88807b45ec80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88807b45ed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807b45ed80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
| Manager | Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|
| ci2-linux-4-19 | 2019/10/28 08:25 | linux-4.19.y | c3038e718a19 | 25bb509e | .config | log | report | syz | C | ||
| ci2-linux-4-19 | 2019/10/22 08:00 | linux-4.19.y | c3038e718a19 | c59a7cd8 | .config | log | report | syz | C | ||
| ci2-linux-4-19 | 2019/10/13 15:44 | linux-4.19.y | dafd634415a7 | 2f661ec4 | .config | log | report | syz | C | ||
| ci2-linux-4-19 | 2022/08/18 05:23 | linux-4.19.y | 3f8a27f9e27b | a9409d47 | .config | log | report | info | KASAN: use-after-free Read in tc_chain_fill_node | ||
| ci2-linux-4-19 | 2022/08/14 17:30 | linux-4.19.y | 3f8a27f9e27b | 8dfcaa3d | .config | log | report | info | KASAN: use-after-free Read in tc_chain_fill_node | ||
| ci2-linux-4-19 | 2022/08/14 11:16 | linux-4.19.y | 3f8a27f9e27b | 8dfcaa3d | .config | log | report | info | KASAN: use-after-free Read in tc_chain_fill_node | ||
| ci2-linux-4-19 | 2022/08/14 06:32 | linux-4.19.y | 3f8a27f9e27b | 8dfcaa3d | .config | log | report | info | KASAN: use-after-free Read in tc_chain_fill_node | ||
| ci2-linux-4-19 | 2022/08/07 11:13 | linux-4.19.y | 3f8a27f9e27b | 88e3a122 | .config | log | report | info | KASAN: use-after-free Read in tc_chain_fill_node | ||
| ci2-linux-4-19 | 2022/08/07 05:57 | linux-4.19.y | 3f8a27f9e27b | 88e3a122 | .config | log | report | info | KASAN: use-after-free Read in tc_chain_fill_node | ||
| ci2-linux-4-19 | 2022/08/05 13:30 | linux-4.19.y | 3f8a27f9e27b | a65a7ce9 | .config | log | report | info | KASAN: use-after-free Read in tc_chain_fill_node | ||
| ci2-linux-4-19 | 2022/08/05 03:55 | linux-4.19.y | 3f8a27f9e27b | 1c9013ac | .config | log | report | info | KASAN: use-after-free Read in tc_chain_fill_node | ||
| ci2-linux-4-19 | 2022/08/05 01:09 | linux-4.19.y | 3f8a27f9e27b | 1c9013ac | .config | log | report | info | KASAN: use-after-free Read in tc_chain_fill_node | ||
| ci2-linux-4-19 | 2022/08/01 19:32 | linux-4.19.y | 3f8a27f9e27b | fef302b1 | .config | log | report | info | KASAN: use-after-free Read in tc_chain_fill_node | ||
| ci2-linux-4-19 | 2022/08/01 01:23 | linux-4.19.y | 3f8a27f9e27b | fef302b1 | .config | log | report | info | KASAN: use-after-free Read in tc_chain_fill_node | ||
| ci2-linux-4-19 | 2022/07/28 05:27 | linux-4.19.y | 3f8a27f9e27b | fb95c74d | .config | log | report | info | KASAN: use-after-free Read in tc_chain_fill_node | ||
| ci2-linux-4-19 | 2022/07/26 07:44 | linux-4.19.y | 3f8a27f9e27b | 34795c51 | .config | log | report | info | KASAN: use-after-free Read in tc_chain_fill_node | ||
| ci2-linux-4-19 | 2022/07/21 17:44 | linux-4.19.y | 3f8a27f9e27b | 6e67af9d | .config | log | report | info | KASAN: use-after-free Read in tc_chain_fill_node | ||
| ci2-linux-4-19 | 2022/07/19 16:46 | linux-4.19.y | 3f8a27f9e27b | 72a3cc0c | .config | log | report | info | KASAN: use-after-free Read in tc_chain_fill_node | ||
| ci2-linux-4-19 | 2022/07/19 07:04 | linux-4.19.y | 3f8a27f9e27b | ff988920 | .config | log | report | info | KASAN: use-after-free Read in tc_chain_fill_node | ||
| ci2-linux-4-19 | 2022/07/15 21:42 | linux-4.19.y | 3f8a27f9e27b | 5d921b08 | .config | log | report | info | KASAN: use-after-free Read in tc_chain_fill_node | ||
| ci2-linux-4-19 | 2022/07/15 15:21 | linux-4.19.y | 3f8a27f9e27b | 5d921b08 | .config | log | report | info | KASAN: use-after-free Read in tc_chain_fill_node | ||
| ci2-linux-4-19 | 2022/07/14 01:06 | linux-4.19.y | 3f8a27f9e27b | 5d921b08 | .config | log | report | info | KASAN: use-after-free Read in tc_chain_fill_node | ||
| ci2-linux-4-19 | 2022/07/11 19:12 | linux-4.19.y | 3f8a27f9e27b | f3f217ff | .config | log | report | info | KASAN: use-after-free Read in tc_chain_fill_node | ||
| ci2-linux-4-19 | 2022/07/10 04:45 | linux-4.19.y | 3f8a27f9e27b | b5765a15 | .config | log | report | info | KASAN: use-after-free Read in tc_chain_fill_node | ||
| ci2-linux-4-19 | 2022/07/08 00:37 | linux-4.19.y | 3f8a27f9e27b | bff65f44 | .config | log | report | info | KASAN: use-after-free Read in tc_chain_fill_node | ||
| ci2-linux-4-19 | 2022/07/03 22:21 | linux-4.19.y | 3f8a27f9e27b | 1434eec0 | .config | log | report | info | KASAN: use-after-free Read in tc_chain_fill_node | ||
| ci2-linux-4-19 | 2022/07/03 16:31 | linux-4.19.y | 3f8a27f9e27b | 1434eec0 | .config | log | report | info | KASAN: use-after-free Read in tc_chain_fill_node | ||
| ci2-linux-4-19 | 2022/07/03 11:10 | linux-4.19.y | 3f8a27f9e27b | 1434eec0 | .config | log | report | info | KASAN: use-after-free Read in tc_chain_fill_node | ||
| ci2-linux-4-19 | 2022/07/02 14:31 | linux-4.19.y | 3f8a27f9e27b | 1434eec0 | .config | log | report | info | KASAN: use-after-free Read in tc_chain_fill_node | ||
| ci2-linux-4-19 | 2022/07/02 12:59 | linux-4.19.y | 3f8a27f9e27b | 1434eec0 | .config | log | report | info | KASAN: use-after-free Read in tc_chain_fill_node | ||
| ci2-linux-4-19 | 2022/06/30 06:38 | linux-4.19.y | 3f8a27f9e27b | 1434eec0 | .config | log | report | info | KASAN: use-after-free Read in tc_chain_fill_node | ||
| ci2-linux-4-19 | 2022/06/27 05:56 | linux-4.19.y | 3f8a27f9e27b | a371c43c | .config | log | report | info | KASAN: use-after-free Read in tc_chain_fill_node | ||
| ci2-linux-4-19 | 2022/06/26 23:33 | linux-4.19.y | 3f8a27f9e27b | a371c43c | .config | log | report | info | KASAN: use-after-free Read in tc_chain_fill_node | ||
| ci2-linux-4-19 | 2022/06/26 12:42 | linux-4.19.y | 3f8a27f9e27b | a371c43c | .config | log | report | info | KASAN: use-after-free Read in tc_chain_fill_node | ||
| ci2-linux-4-19 | 2022/06/26 07:03 | linux-4.19.y | 3f8a27f9e27b | a371c43c | .config | log | report | info | KASAN: use-after-free Read in tc_chain_fill_node | ||
| ci2-linux-4-19 | 2022/06/25 17:07 | linux-4.19.y | 3f8a27f9e27b | a371c43c | .config | log | report | info | KASAN: use-after-free Read in tc_chain_fill_node | ||
| ci2-linux-4-19 | 2022/06/25 08:21 | linux-4.19.y | 3f8a27f9e27b | a371c43c | .config | log | report | info | KASAN: use-after-free Read in tc_chain_fill_node | ||
| ci2-linux-4-19 | 2022/06/25 04:09 | linux-4.19.y | 3f8a27f9e27b | a371c43c | .config | log | report | info | KASAN: use-after-free Read in tc_chain_fill_node | ||
| ci2-linux-4-19 | 2022/06/24 20:17 | linux-4.19.y | 3f8a27f9e27b | a371c43c | .config | log | report | info | KASAN: use-after-free Read in tc_chain_fill_node | ||
| ci2-linux-4-19 | 2022/06/24 01:29 | linux-4.19.y | 3f8a27f9e27b | 912f5df7 | .config | log | report | info | KASAN: use-after-free Read in tc_chain_fill_node | ||
| ci2-linux-4-19 | 2022/06/23 20:15 | linux-4.19.y | 3f8a27f9e27b | 912f5df7 | .config | log | report | info | KASAN: use-after-free Read in tc_chain_fill_node | ||
| ci2-linux-4-19 | 2022/06/22 00:28 | linux-4.19.y | 3f8a27f9e27b | 0fc5c330 | .config | log | report | info | KASAN: use-after-free Read in tc_chain_fill_node | ||
| ci2-linux-4-19 | 2022/06/21 21:49 | linux-4.19.y | 3f8a27f9e27b | 0fc5c330 | .config | log | report | info | KASAN: use-after-free Read in tc_chain_fill_node | ||
| ci2-linux-4-19 | 2022/06/18 07:27 | linux-4.19.y | 3f8a27f9e27b | 8f633d84 | .config | log | report | info | KASAN: use-after-free Read in tc_chain_fill_node | ||
| ci2-linux-4-19 | 2022/06/18 03:01 | linux-4.19.y | 3f8a27f9e27b | 8f633d84 | .config | log | report | info | KASAN: use-after-free Read in tc_chain_fill_node | ||
| ci2-linux-4-19 | 2022/06/17 03:02 | linux-4.19.y | 3f8a27f9e27b | 1719ee24 | .config | log | report | info | KASAN: use-after-free Read in tc_chain_fill_node | ||
| ci2-linux-4-19 | 2022/06/16 21:37 | linux-4.19.y | 3f8a27f9e27b | 1719ee24 | .config | log | report | info | KASAN: use-after-free Read in tc_chain_fill_node | ||
| ci2-linux-4-19 | 2021/01/12 12:56 | linux-4.19.y | 610bdbf6a174 | 2c1f2513 | .config | log | report | info | |||
| ci2-linux-4-19 | 2019/10/07 21:25 | linux-4.19.y | 58fce2064530 | 28ac6e64 | .config | log | report |