KASAN: use-after-free Write in ex_handler_refcount
21 views
Skip to first unread message
syzbot
Feb 6, 2020, 1:42:12 AM2/6/20
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: e0f8b8a6 Linux 4.14.170
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1682894ee00000
kernel config: https://syzkaller.appspot.com/x/.config?x=633dd9db249084f5
dashboard link: https://syzkaller.appspot.com/bug?extid=de475a73984b7512adb2
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+de475a...@syzkaller.appspotmail.com
(unnamed net_device) (uninitialized): Unable to set up delay as MII monitoring is disabled
==================================================================
batman_adv: Cannot find parent device
BUG: KASAN: use-after-free in ex_handler_refcount+0x162/0x1a0 arch/x86/mm/extable.c:49
Write of size 4 at addr ffff8880a40ea5bc by task syz-executor.3/12157
CPU: 0 PID: 12157 Comm: syz-executor.3 Not tainted 4.14.170-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x142/0x197 lib/dump_stack.c:58
print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
__asan_report_store4_noabort+0x17/0x20 mm/kasan/report.c:434
ex_handler_refcount+0x162/0x1a0 arch/x86/mm/extable.c:49
fixup_exception+0x8b/0xb9 arch/x86/mm/extable.c:197
do_trap_no_signal arch/x86/kernel/traps.c:208 [inline]
do_trap+0x65/0x250 arch/x86/kernel/traps.c:257
do_error_trap+0x153/0x310 arch/x86/kernel/traps.c:301
do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:314
invalid_op+0x1b/0x40 arch/x86/entry/entry_64.S:963
RIP: 0010:inat_get_avx_attribute+0x3c9d/0x7ad5
RSP: 0018:ffff8880482ef6e0 EFLAGS: 00010296
RAX: 0000000000040000 RBX: ffff888048962280 RCX: ffff8880a40ea5bc
RDX: 0000000000001461 RSI: ffffffff85180e5e RDI: ffff8880a40ea380
RBP: ffff8880482ef6e8 R08: ffff88803fa2a600 R09: ffff88803fa2aec8
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8880a40ea380
R13: ffffffff85e7e0d0 R14: 0000000000000000 R15: 0000000000000000
sock_put include/net/sock.h:1658 [inline]
pppol2tp_session_sock_put+0x66/0x80 net/l2tp/l2tp_ppp.c:271
l2tp_nl_cmd_session_delete+0xc4/0x1c0 net/l2tp/l2tp_netlink.c:684
genl_family_rcv_msg+0x614/0xc30 net/netlink/genetlink.c:600
genl_rcv_msg+0xb4/0x150 net/netlink/genetlink.c:625
netlink_rcv_skb+0x14f/0x3c0 net/netlink/af_netlink.c:2432
genl_rcv+0x29/0x40 net/netlink/genetlink.c:636
netlink_unicast_kernel net/netlink/af_netlink.c:1286 [inline]
netlink_unicast+0x44d/0x650 net/netlink/af_netlink.c:1312
netlink_sendmsg+0x7c4/0xc60 net/netlink/af_netlink.c:1877
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xce/0x110 net/socket.c:656
___sys_sendmsg+0x70a/0x840 net/socket.c:2062
__sys_sendmsg+0xb9/0x140 net/socket.c:2096
SYSC_sendmsg net/socket.c:2107 [inline]
SyS_sendmsg+0x2d/0x50 net/socket.c:2103
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x45b399
RSP: 002b:00007f5683da3c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f5683da46d4 RCX: 000000000045b399
RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000009
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 000000000000092a R14: 00000000004ca87e R15: 000000000075bf2c
Allocated by task 7496:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:529
__do_kmalloc_node mm/slab.c:3682 [inline]
__kmalloc_node+0x51/0x80 mm/slab.c:3689
kmalloc_node include/linux/slab.h:530 [inline]
kvmalloc_node+0x4e/0xe0 mm/util.c:397
kvmalloc include/linux/mm.h:531 [inline]
kvmalloc_array include/linux/mm.h:547 [inline]
alloc_fdtable+0xcf/0x280 fs/file.c:120
dup_fd+0x693/0xa40 fs/file.c:315
copy_files kernel/fork.c:1304 [inline]
copy_process.part.0+0x1b5a/0x6a70 kernel/fork.c:1759
copy_process kernel/fork.c:1586 [inline]
_do_fork+0x19e/0xce0 kernel/fork.c:2070
SYSC_clone kernel/fork.c:2180 [inline]
SyS_clone+0x37/0x50 kernel/fork.c:2174
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
Freed by task 11960:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kfree+0xcc/0x270 mm/slab.c:3815
kvfree+0x4d/0x60 mm/util.c:416
__free_fdtable+0x34/0x80 fs/file.c:36
put_files_struct fs/file.c:425 [inline]
put_files_struct+0x233/0x2d0 fs/file.c:418
exit_files+0x83/0xb0 fs/file.c:450
do_exit+0x9ec/0x2cd0 kernel/exit.c:853
do_group_exit+0x111/0x330 kernel/exit.c:955
get_signal+0x381/0x1cd0 kernel/signal.c:2418
do_signal+0x86/0x19a0 arch/x86/kernel/signal.c:814
exit_to_usermode_loop+0x15c/0x220 arch/x86/entry/common.c:160
prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
do_syscall_64+0x4bc/0x640 arch/x86/entry/common.c:297
entry_SYSCALL_64_after_hwframe+0x42/0xb7
The buggy address belongs to the object at ffff8880a40ea380
which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 572 bytes inside of
2048-byte region [ffff8880a40ea380, ffff8880a40eab80)
The buggy address belongs to the page:
page:ffffea0002903a80 count:1 mapcount:0 mapping:ffff8880a40ea380 index:0x0 compound_mapcount: 0
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffff8880a40ea380 0000000000000000 0000000100000003
raw: ffffea00029f9ba0 ffffea000229aa20 ffff8880aa800c40 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880a40ea480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880a40ea500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880a40ea580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880a40ea600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880a40ea680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following crash on:
HEAD commit: e0f8b8a6 Linux 4.14.170
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1682894ee00000
kernel config: https://syzkaller.appspot.com/x/.config?x=633dd9db249084f5
dashboard link: https://syzkaller.appspot.com/bug?extid=de475a73984b7512adb2
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+de475a...@syzkaller.appspotmail.com
(unnamed net_device) (uninitialized): Unable to set up delay as MII monitoring is disabled
==================================================================
batman_adv: Cannot find parent device
BUG: KASAN: use-after-free in ex_handler_refcount+0x162/0x1a0 arch/x86/mm/extable.c:49
Write of size 4 at addr ffff8880a40ea5bc by task syz-executor.3/12157
CPU: 0 PID: 12157 Comm: syz-executor.3 Not tainted 4.14.170-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x142/0x197 lib/dump_stack.c:58
print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
__asan_report_store4_noabort+0x17/0x20 mm/kasan/report.c:434
ex_handler_refcount+0x162/0x1a0 arch/x86/mm/extable.c:49
fixup_exception+0x8b/0xb9 arch/x86/mm/extable.c:197
do_trap_no_signal arch/x86/kernel/traps.c:208 [inline]
do_trap+0x65/0x250 arch/x86/kernel/traps.c:257
do_error_trap+0x153/0x310 arch/x86/kernel/traps.c:301
do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:314
invalid_op+0x1b/0x40 arch/x86/entry/entry_64.S:963
RIP: 0010:inat_get_avx_attribute+0x3c9d/0x7ad5
RSP: 0018:ffff8880482ef6e0 EFLAGS: 00010296
RAX: 0000000000040000 RBX: ffff888048962280 RCX: ffff8880a40ea5bc
RDX: 0000000000001461 RSI: ffffffff85180e5e RDI: ffff8880a40ea380
RBP: ffff8880482ef6e8 R08: ffff88803fa2a600 R09: ffff88803fa2aec8
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8880a40ea380
R13: ffffffff85e7e0d0 R14: 0000000000000000 R15: 0000000000000000
sock_put include/net/sock.h:1658 [inline]
pppol2tp_session_sock_put+0x66/0x80 net/l2tp/l2tp_ppp.c:271
l2tp_nl_cmd_session_delete+0xc4/0x1c0 net/l2tp/l2tp_netlink.c:684
genl_family_rcv_msg+0x614/0xc30 net/netlink/genetlink.c:600
genl_rcv_msg+0xb4/0x150 net/netlink/genetlink.c:625
netlink_rcv_skb+0x14f/0x3c0 net/netlink/af_netlink.c:2432
genl_rcv+0x29/0x40 net/netlink/genetlink.c:636
netlink_unicast_kernel net/netlink/af_netlink.c:1286 [inline]
netlink_unicast+0x44d/0x650 net/netlink/af_netlink.c:1312
netlink_sendmsg+0x7c4/0xc60 net/netlink/af_netlink.c:1877
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xce/0x110 net/socket.c:656
___sys_sendmsg+0x70a/0x840 net/socket.c:2062
__sys_sendmsg+0xb9/0x140 net/socket.c:2096
SYSC_sendmsg net/socket.c:2107 [inline]
SyS_sendmsg+0x2d/0x50 net/socket.c:2103
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x45b399
RSP: 002b:00007f5683da3c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f5683da46d4 RCX: 000000000045b399
RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000009
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 000000000000092a R14: 00000000004ca87e R15: 000000000075bf2c
Allocated by task 7496:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:529
__do_kmalloc_node mm/slab.c:3682 [inline]
__kmalloc_node+0x51/0x80 mm/slab.c:3689
kmalloc_node include/linux/slab.h:530 [inline]
kvmalloc_node+0x4e/0xe0 mm/util.c:397
kvmalloc include/linux/mm.h:531 [inline]
kvmalloc_array include/linux/mm.h:547 [inline]
alloc_fdtable+0xcf/0x280 fs/file.c:120
dup_fd+0x693/0xa40 fs/file.c:315
copy_files kernel/fork.c:1304 [inline]
copy_process.part.0+0x1b5a/0x6a70 kernel/fork.c:1759
copy_process kernel/fork.c:1586 [inline]
_do_fork+0x19e/0xce0 kernel/fork.c:2070
SYSC_clone kernel/fork.c:2180 [inline]
SyS_clone+0x37/0x50 kernel/fork.c:2174
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
Freed by task 11960:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kfree+0xcc/0x270 mm/slab.c:3815
kvfree+0x4d/0x60 mm/util.c:416
__free_fdtable+0x34/0x80 fs/file.c:36
put_files_struct fs/file.c:425 [inline]
put_files_struct+0x233/0x2d0 fs/file.c:418
exit_files+0x83/0xb0 fs/file.c:450
do_exit+0x9ec/0x2cd0 kernel/exit.c:853
do_group_exit+0x111/0x330 kernel/exit.c:955
get_signal+0x381/0x1cd0 kernel/signal.c:2418
do_signal+0x86/0x19a0 arch/x86/kernel/signal.c:814
exit_to_usermode_loop+0x15c/0x220 arch/x86/entry/common.c:160
prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
do_syscall_64+0x4bc/0x640 arch/x86/entry/common.c:297
entry_SYSCALL_64_after_hwframe+0x42/0xb7
The buggy address belongs to the object at ffff8880a40ea380
which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 572 bytes inside of
2048-byte region [ffff8880a40ea380, ffff8880a40eab80)
The buggy address belongs to the page:
page:ffffea0002903a80 count:1 mapcount:0 mapping:ffff8880a40ea380 index:0x0 compound_mapcount: 0
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffff8880a40ea380 0000000000000000 0000000100000003
raw: ffffea00029f9ba0 ffffea000229aa20 ffff8880aa800c40 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880a40ea480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880a40ea500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880a40ea580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880a40ea600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880a40ea680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Feb 6, 2020, 11:32:13 AM2/6/20
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: b499cf4b Linux 4.19.102
syzbot found the following crash on:
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=11d946d9e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=7ebf58b0a913d3ef
dashboard link: https://syzkaller.appspot.com/bug?extid=9c84cc6d4604e4deaa1c
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+9c84cc...@syzkaller.appspotmail.com
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
==================================================================
BUG: KASAN: use-after-free in ex_handler_refcount+0x18d/0x1c0 arch/x86/mm/extable.c:49
Write of size 4 at addr ffff88804cff2098 by task kworker/1:1/24
CPU: 1 PID: 24 Comm: kworker/1:1 Not tainted 4.19.102-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events do_enable_set
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x197/0x210 lib/dump_stack.c:118
print_address_description.cold+0x7c/0x20d mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report mm/kasan/report.c:412 [inline]
kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:396
__asan_report_store4_noabort+0x17/0x20 mm/kasan/report.c:437
ex_handler_refcount+0x18d/0x1c0 arch/x86/mm/extable.c:49
fixup_exception+0x8b/0xb9 arch/x86/mm/extable.c:197
do_trap_no_signal arch/x86/kernel/traps.c:209 [inline]
do_trap+0x65/0x250 arch/x86/kernel/traps.c:258
do_error_trap+0x187/0x360 arch/x86/kernel/traps.c:303
do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:316
invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:1037
RIP: 0010:csum_partial_copy_generic+0x6765/0x87ce
Code: 8d 80 00 00 00 0f 0b 49 8d 8c 24 80 00 00 00 0f 0b 49 8d 8c 24 80 00 00 00 0f 0b 48 8d 0b 0f 0b 49 8d 0c 24 0f 0b 48 8d 4b 18 <0f> 0b 48 8d 8b b8 02 00 00 0f 0b 49 8d 8c 24 b8 02 00 00 0f 0b 48
RSP: 0018:ffff8880a997fc20 EFLAGS: 00010297
RAX: ffff8880a9970640 RBX: ffff88804cff2080 RCX: ffff88804cff2098
RDX: 0000000000000000 RSI: ffffffff86947fcf RDI: ffff88804cff2080
RBP: ffff8880a997fc30 R08: ffff8880a9970640 R09: fffffbfff1363255
R10: fffffbfff1363254 R11: ffffffff89b192a3 R12: ffff88804cff2098
R13: ffff88804cff2080 R14: dead000000000200 R15: ffff8880a997fca8
do_enable_set+0x541/0x950 net/bluetooth/6lowpan.c:1087
process_one_work+0x989/0x1750 kernel/workqueue.c:2153
worker_thread+0x98/0xe40 kernel/workqueue.c:2296
kthread+0x354/0x420 kernel/kthread.c:246
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
Allocated by task 24:
save_stack+0x45/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc mm/kasan/kasan.c:553 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:531
kmem_cache_alloc_trace+0x152/0x760 mm/slab.c:3625
kmalloc include/linux/slab.h:515 [inline]
kzalloc include/linux/slab.h:709 [inline]
l2cap_chan_create+0x45/0x390 net/bluetooth/l2cap_core.c:441
chan_create+0x10/0xe0 net/bluetooth/6lowpan.c:652
bt_6lowpan_listen net/bluetooth/6lowpan.c:971 [inline]
do_enable_set+0x579/0x950 net/bluetooth/6lowpan.c:1090
process_one_work+0x989/0x1750 kernel/workqueue.c:2153
worker_thread+0x98/0xe40 kernel/workqueue.c:2296
kthread+0x354/0x420 kernel/kthread.c:246
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
Freed by task 5:
save_stack+0x45/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
__cache_free mm/slab.c:3503 [inline]
kfree+0xcf/0x220 mm/slab.c:3822
l2cap_chan_destroy+0x14f/0x1c0 net/bluetooth/l2cap_core.c:479
kref_put include/linux/kref.h:70 [inline]
l2cap_chan_put+0x3a/0x50 net/bluetooth/l2cap_core.c:493
do_enable_set+0x541/0x950 net/bluetooth/6lowpan.c:1087
process_one_work+0x989/0x1750 kernel/workqueue.c:2153
worker_thread+0x98/0xe40 kernel/workqueue.c:2296
kthread+0x354/0x420 kernel/kthread.c:246
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
The buggy address belongs to the object at ffff88804cff2080
which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 24 bytes inside of
2048-byte region [ffff88804cff2080, ffff88804cff2880)
The buggy address belongs to the page:
page:ffffea000133fc80 count:1 mapcount:0 mapping:ffff88812c31cc40 index:0x0 compound_mapcount: 0
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffffea0001339b08 ffffea000133ef08 ffff88812c31cc40
raw: 0000000000000000 ffff88804cff2080 0000000100000003 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88804cff1f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
Memory state around the buggy address:
ffff88804cff2000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88804cff2080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88804cff2100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88804cff2180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
syzbot
Feb 28, 2020, 9:13:12 AM2/28/20
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following crash on:
HEAD commit: f25804f3 Linux 4.19.106
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=16d992c3e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=a5f029a69ae922fd
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1579d22de00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+9c84cc...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in ex_handler_refcount+0x18f/0x1c0 arch/x86/mm/extable.c:49
Write of size 4 at addr ffff8880982bf558 by task kworker/0:1/14
CPU: 0 PID: 14 Comm: kworker/0:1 Not tainted 4.19.106-syzkaller #0
print_address_description.cold+0x7c/0x212 mm/kasan/report.c:256
ex_handler_refcount+0x18f/0x1c0 arch/x86/mm/extable.c:49
fixup_exception+0x8a/0xc3 arch/x86/mm/extable.c:197
do_trap_no_signal arch/x86/kernel/traps.c:209 [inline]
do_trap+0x72/0x230 arch/x86/kernel/traps.c:258
do_error_trap+0x15d/0x310 arch/x86/kernel/traps.c:303
invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:1037
RIP: 0010:csum_partial_copy_generic+0x6675/0x864e
Code: 8d 8c 24 80 00 00 00 0f 0b 48 8d 8d 80 00 00 00 0f 0b 48 8d 8d 80 00 00 00 0f 0b 48 8d 0b 0f 0b 48 8d 4d 00 0f 0b 48 8d 4b 18 <0f> 0b 48 8d 8b b8 02 00 00 0f 0b 49 8d 8c 24 b8 02 00 00 0f 0b 48
RSP: 0018:ffff8880a9ee7c50 EFLAGS: 00010297
RAX: ffff8880a9ed8380 RBX: ffff8880982bf540 RCX: ffff8880982bf558
RDX: 0000000000000000 RSI: ffffffff866555aa RDI: ffff8880982bf540
RBP: ffff8880982bf558 R08: ffff8880a9ed8380 R09: ffffed1015cc4733
R10: ffffed1015cc4732 R11: ffff8880ae623993 R12: 0000000000000000
R13: ffff8880a7ae7f00 R14: ffff8880a9e16800 R15: ffff8880ae62ba80
do_enable_set+0x4d1/0x8d0 net/bluetooth/6lowpan.c:1087
process_one_work+0x91f/0x1640 kernel/workqueue.c:2153
worker_thread+0x96/0xe20 kernel/workqueue.c:2296
kthread+0x34a/0x420 kernel/kthread.c:246
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
Allocated by task 14:
kmem_cache_alloc_trace+0x14d/0x7a0 mm/slab.c:3625
chan_create+0xc/0xd0 net/bluetooth/6lowpan.c:652
bt_6lowpan_listen net/bluetooth/6lowpan.c:971 [inline]
do_enable_set+0x507/0x8d0 net/bluetooth/6lowpan.c:1090
process_one_work+0x91f/0x1640 kernel/workqueue.c:2153
worker_thread+0x96/0xe20 kernel/workqueue.c:2296
kthread+0x34a/0x420 kernel/kthread.c:246
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
Freed by task 3389:
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free+0xf7/0x140 mm/kasan/kasan.c:521
__cache_free mm/slab.c:3503 [inline]
kfree+0xce/0x220 mm/slab.c:3822
kref_put include/linux/kref.h:70 [inline]
l2cap_chan_put+0x35/0x40 net/bluetooth/l2cap_core.c:493
do_enable_set+0x4d1/0x8d0 net/bluetooth/6lowpan.c:1087
process_one_work+0x91f/0x1640 kernel/workqueue.c:2153
worker_thread+0x96/0xe20 kernel/workqueue.c:2296
kthread+0x34a/0x420 kernel/kthread.c:246
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
The buggy address belongs to the object at ffff8880982bf540
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffffea00025f3d88 ffffea0002572308 ffff88812c3dcc40
raw: 0000000000000000 ffff8880982be440 0000000100000003 0000000000000000
ffff8880982bf480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880982bf500: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
^
ffff8880982bf580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880982bf600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
HEAD commit: f25804f3 Linux 4.19.106
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=16d992c3e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=a5f029a69ae922fd
dashboard link: https://syzkaller.appspot.com/bug?extid=9c84cc6d4604e4deaa1c
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15392c55e00000
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1579d22de00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+9c84cc...@syzkaller.appspotmail.com
==================================================================
Write of size 4 at addr ffff8880982bf558 by task kworker/0:1/14
CPU: 0 PID: 14 Comm: kworker/0:1 Not tainted 4.19.106-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events do_enable_set
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x188/0x20d lib/dump_stack.c:118
Workqueue: events do_enable_set
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
print_address_description.cold+0x7c/0x212 mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report mm/kasan/report.c:412 [inline]
kasan_report.cold+0x88/0x2b9 mm/kasan/report.c:396
kasan_report mm/kasan/report.c:412 [inline]
ex_handler_refcount+0x18f/0x1c0 arch/x86/mm/extable.c:49
fixup_exception+0x8a/0xc3 arch/x86/mm/extable.c:197
do_trap_no_signal arch/x86/kernel/traps.c:209 [inline]
do_trap+0x72/0x230 arch/x86/kernel/traps.c:258
do_error_trap+0x15d/0x310 arch/x86/kernel/traps.c:303
invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:1037
RIP: 0010:csum_partial_copy_generic+0x6675/0x864e
Code: 8d 8c 24 80 00 00 00 0f 0b 48 8d 8d 80 00 00 00 0f 0b 48 8d 8d 80 00 00 00 0f 0b 48 8d 0b 0f 0b 48 8d 4d 00 0f 0b 48 8d 4b 18 <0f> 0b 48 8d 8b b8 02 00 00 0f 0b 49 8d 8c 24 b8 02 00 00 0f 0b 48
RSP: 0018:ffff8880a9ee7c50 EFLAGS: 00010297
RAX: ffff8880a9ed8380 RBX: ffff8880982bf540 RCX: ffff8880982bf558
RDX: 0000000000000000 RSI: ffffffff866555aa RDI: ffff8880982bf540
RBP: ffff8880982bf558 R08: ffff8880a9ed8380 R09: ffffed1015cc4733
R10: ffffed1015cc4732 R11: ffff8880ae623993 R12: 0000000000000000
R13: ffff8880a7ae7f00 R14: ffff8880a9e16800 R15: ffff8880ae62ba80
do_enable_set+0x4d1/0x8d0 net/bluetooth/6lowpan.c:1087
process_one_work+0x91f/0x1640 kernel/workqueue.c:2153
worker_thread+0x96/0xe20 kernel/workqueue.c:2296
kthread+0x34a/0x420 kernel/kthread.c:246
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
Allocated by task 14:
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc mm/kasan/kasan.c:553 [inline]
kasan_kmalloc+0xbf/0xe0 mm/kasan/kasan.c:531
kasan_kmalloc mm/kasan/kasan.c:553 [inline]
kmem_cache_alloc_trace+0x14d/0x7a0 mm/slab.c:3625
kmalloc include/linux/slab.h:515 [inline]
kzalloc include/linux/slab.h:709 [inline]
l2cap_chan_create+0x40/0x380 net/bluetooth/l2cap_core.c:441
kzalloc include/linux/slab.h:709 [inline]
chan_create+0xc/0xd0 net/bluetooth/6lowpan.c:652
bt_6lowpan_listen net/bluetooth/6lowpan.c:971 [inline]
do_enable_set+0x507/0x8d0 net/bluetooth/6lowpan.c:1090
process_one_work+0x91f/0x1640 kernel/workqueue.c:2153
worker_thread+0x96/0xe20 kernel/workqueue.c:2296
kthread+0x34a/0x420 kernel/kthread.c:246
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
Freed by task 3389:
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free+0xf7/0x140 mm/kasan/kasan.c:521
__cache_free mm/slab.c:3503 [inline]
kfree+0xce/0x220 mm/slab.c:3822
kref_put include/linux/kref.h:70 [inline]
l2cap_chan_put+0x35/0x40 net/bluetooth/l2cap_core.c:493
do_enable_set+0x4d1/0x8d0 net/bluetooth/6lowpan.c:1087
process_one_work+0x91f/0x1640 kernel/workqueue.c:2153
worker_thread+0x96/0xe20 kernel/workqueue.c:2296
kthread+0x34a/0x420 kernel/kthread.c:246
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
The buggy address belongs to the object at ffff8880982bf540
which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 24 bytes inside of
2048-byte region [ffff8880982bf540, ffff8880982bfd40)
The buggy address is located 24 bytes inside of
The buggy address belongs to the page:
page:ffffea000260af80 count:1 mapcount:0 mapping:ffff88812c3dcc40 index:0x0 compound_mapcount: 0
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffffea00025f3d88 ffffea0002572308 ffff88812c3dcc40
raw: 0000000000000000 ffff8880982be440 0000000100000003 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880982bf400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
Memory state around the buggy address:
ffff8880982bf480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880982bf500: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
^
ffff8880982bf580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880982bf600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
syzbot
Mar 2, 2020, 11:27:14 AM3/2/20
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following crash on:
HEAD commit: 78d697fc Linux 4.14.172
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=107cac55e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=31ad682bcda9b93f
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=166a52c3e00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+de475a...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in ex_handler_refcount+0x164/0x1a0 arch/x86/mm/extable.c:49
Write of size 4 at addr ffff88808f782a18 by task kworker/0:2/2827
CPU: 0 PID: 2827 Comm: kworker/0:2 Not tainted 4.14.172-syzkaller #0
print_address_description.cold+0x7c/0x1e2 mm/kasan/report.c:252
ex_handler_refcount+0x164/0x1a0 arch/x86/mm/extable.c:49
fixup_exception+0x8a/0xc3 arch/x86/mm/extable.c:197
do_trap_no_signal arch/x86/kernel/traps.c:208 [inline]
do_trap+0x72/0x230 arch/x86/kernel/traps.c:257
do_error_trap+0x132/0x2d0 arch/x86/kernel/traps.c:301
invalid_op+0x1b/0x40 arch/x86/entry/entry_64.S:963
RIP: 0010:inat_get_avx_attribute+0x5986/0x7953
RSP: 0018:ffff88809e8c7c98 EFLAGS: 00010297
RAX: ffff88809e81a000 RBX: ffff88808f782a00 RCX: ffff88808f782a18
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88808f782a00
RBP: ffff88808f782a00 R08: 0000000000007d6d R09: ffffffff8a09a428
R10: ffff88809e81a8a8 R11: ffff88809e81a000 R12: ffff88809e8c7dd8
R13: ffff88809ac3b680 R14: ffff88809efdc600 R15: ffff8880aea2acc0
do_enable_set+0x466/0x7f0 net/bluetooth/6lowpan.c:1087
process_one_work+0x813/0x1540 kernel/workqueue.c:2114
worker_thread+0x5d1/0x1070 kernel/workqueue.c:2248
kthread+0x30d/0x420 kernel/kthread.c:232
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404
Allocated by task 2827:
save_stack+0x32/0xa0 mm/kasan/kasan.c:447
kmem_cache_alloc_trace+0x14d/0x7b0 mm/slab.c:3618
kmalloc include/linux/slab.h:488 [inline]
kzalloc include/linux/slab.h:661 [inline]
l2cap_chan_create+0x3e/0x3c0 net/bluetooth/l2cap_core.c:441
process_one_work+0x813/0x1540 kernel/workqueue.c:2114
worker_thread+0x5d1/0x1070 kernel/workqueue.c:2248
kthread+0x30d/0x420 kernel/kthread.c:232
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404
Freed by task 2818:
save_stack+0x32/0xa0 mm/kasan/kasan.c:447
kref_put include/linux/kref.h:70 [inline]
l2cap_chan_put+0x27/0x30 net/bluetooth/l2cap_core.c:493
do_enable_set+0x466/0x7f0 net/bluetooth/6lowpan.c:1087
process_one_work+0x813/0x1540 kernel/workqueue.c:2114
worker_thread+0x5d1/0x1070 kernel/workqueue.c:2248
kthread+0x30d/0x420 kernel/kthread.c:232
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404
The buggy address belongs to the object at ffff88808f782a00
2048-byte region [ffff88808f782a00, ffff88808f783200)
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffff88808f782180 0000000000000000 0000000100000003
raw: ffffea00023dbba0 ffffea000251a320 ffff88812fe56c40 0000000000000000
ffff88808f782980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88808f782a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88808f782a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88808f782b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
HEAD commit: 78d697fc Linux 4.14.172
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=107cac55e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=31ad682bcda9b93f
dashboard link: https://syzkaller.appspot.com/bug?extid=de475a73984b7512adb2
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14a287ede00000
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=166a52c3e00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+de475a...@syzkaller.appspotmail.com
BUG: KASAN: use-after-free in ex_handler_refcount+0x164/0x1a0 arch/x86/mm/extable.c:49
Write of size 4 at addr ffff88808f782a18 by task kworker/0:2/2827
CPU: 0 PID: 2827 Comm: kworker/0:2 Not tainted 4.14.172-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events do_enable_set
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x13e/0x194 lib/dump_stack.c:58
__dump_stack lib/dump_stack.c:17 [inline]
print_address_description.cold+0x7c/0x1e2 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2ae mm/kasan/report.c:393
kasan_report mm/kasan/report.c:409 [inline]
ex_handler_refcount+0x164/0x1a0 arch/x86/mm/extable.c:49
fixup_exception+0x8a/0xc3 arch/x86/mm/extable.c:197
do_trap_no_signal arch/x86/kernel/traps.c:208 [inline]
do_trap+0x72/0x230 arch/x86/kernel/traps.c:257
do_error_trap+0x132/0x2d0 arch/x86/kernel/traps.c:301
invalid_op+0x1b/0x40 arch/x86/entry/entry_64.S:963
RIP: 0010:inat_get_avx_attribute+0x5986/0x7953
RSP: 0018:ffff88809e8c7c98 EFLAGS: 00010297
RAX: ffff88809e81a000 RBX: ffff88808f782a00 RCX: ffff88808f782a18
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88808f782a00
RBP: ffff88808f782a00 R08: 0000000000007d6d R09: ffffffff8a09a428
R10: ffff88809e81a8a8 R11: ffff88809e81a000 R12: ffff88809e8c7dd8
R13: ffff88809ac3b680 R14: ffff88809efdc600 R15: ffff8880aea2acc0
do_enable_set+0x466/0x7f0 net/bluetooth/6lowpan.c:1087
process_one_work+0x813/0x1540 kernel/workqueue.c:2114
worker_thread+0x5d1/0x1070 kernel/workqueue.c:2248
kthread+0x30d/0x420 kernel/kthread.c:232
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404
Allocated by task 2827:
save_stack+0x32/0xa0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kasan_kmalloc+0xbf/0xe0 mm/kasan/kasan.c:529
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kmem_cache_alloc_trace+0x14d/0x7b0 mm/slab.c:3618
kmalloc include/linux/slab.h:488 [inline]
kzalloc include/linux/slab.h:661 [inline]
l2cap_chan_create+0x3e/0x3c0 net/bluetooth/l2cap_core.c:441
chan_create+0xc/0xd0 net/bluetooth/6lowpan.c:652
bt_6lowpan_listen net/bluetooth/6lowpan.c:971 [inline]
do_enable_set+0x493/0x7f0 net/bluetooth/6lowpan.c:1090
bt_6lowpan_listen net/bluetooth/6lowpan.c:971 [inline]
process_one_work+0x813/0x1540 kernel/workqueue.c:2114
worker_thread+0x5d1/0x1070 kernel/workqueue.c:2248
kthread+0x30d/0x420 kernel/kthread.c:232
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404
Freed by task 2818:
save_stack+0x32/0xa0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kfree+0xcb/0x260 mm/slab.c:3815
kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kref_put include/linux/kref.h:70 [inline]
l2cap_chan_put+0x27/0x30 net/bluetooth/l2cap_core.c:493
do_enable_set+0x466/0x7f0 net/bluetooth/6lowpan.c:1087
process_one_work+0x813/0x1540 kernel/workqueue.c:2114
worker_thread+0x5d1/0x1070 kernel/workqueue.c:2248
kthread+0x30d/0x420 kernel/kthread.c:232
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404
The buggy address belongs to the object at ffff88808f782a00
which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 24 bytes inside of
2048-byte region [ffff88808f782a00, ffff88808f783200)
The buggy address belongs to the page:
page:ffffea00023de080 count:1 mapcount:0 mapping:ffff88808f782180 index:0x0 compound_mapcount: 0
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffff88808f782180 0000000000000000 0000000100000003
raw: ffffea00023dbba0 ffffea000251a320 ffff88812fe56c40 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88808f782900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
Memory state around the buggy address:
ffff88808f782980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88808f782a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88808f782a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88808f782b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
syzbot
Oct 2, 2020, 8:04:11 AM10/2/20
to syzkaller...@googlegroups.com
syzbot suspects this issue was fixed by commit:
commit 29e1dfcd5150097f32f34891c85a50d9ead19df3
Author: Lihong Kou <koul...@huawei.com>
Date: Tue Jun 23 12:28:41 2020 +0000
Bluetooth: add a mutex lock to avoid UAF in do_enale_set
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=168d00b3900000
start commit: c076c79e Linux 4.19.137
git tree: linux-4.19.y
kernel config: https://syzkaller.appspot.com/x/.config?x=b8bacc01843402f4
dashboard link: https://syzkaller.appspot.com/bug?extid=9c84cc6d4604e4deaa1c
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13e78efa900000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1197e002900000
If the result looks correct, please mark the issue as fixed by replying with:
#syz fix: Bluetooth: add a mutex lock to avoid UAF in do_enale_set
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
commit 29e1dfcd5150097f32f34891c85a50d9ead19df3
Author: Lihong Kou <koul...@huawei.com>
Date: Tue Jun 23 12:28:41 2020 +0000
Bluetooth: add a mutex lock to avoid UAF in do_enale_set
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=168d00b3900000
start commit: c076c79e Linux 4.19.137
git tree: linux-4.19.y
kernel config: https://syzkaller.appspot.com/x/.config?x=b8bacc01843402f4
dashboard link: https://syzkaller.appspot.com/bug?extid=9c84cc6d4604e4deaa1c
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13e78efa900000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1197e002900000
If the result looks correct, please mark the issue as fixed by replying with:
#syz fix: Bluetooth: add a mutex lock to avoid UAF in do_enale_set
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot
Oct 2, 2020, 1:00:10 PM10/2/20
to syzkaller...@googlegroups.com
syzbot suspects this issue was fixed by commit:
commit af7122cfbaeef4a854a242b43fa2fa5bb9e4eac9
Author: Lihong Kou <koul...@huawei.com>
Date: Tue Jun 23 12:28:41 2020 +0000
Bluetooth: add a mutex lock to avoid UAF in do_enale_set
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=16de8493900000
Date: Tue Jun 23 12:28:41 2020 +0000
Bluetooth: add a mutex lock to avoid UAF in do_enale_set
start commit: 14b58326 Linux 4.14.193
git tree: linux-4.14.y
kernel config: https://syzkaller.appspot.com/x/.config?x=68ef0287ccbc3b42
dashboard link: https://syzkaller.appspot.com/bug?extid=de475a73984b7512adb2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=141f1d76900000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12530ffa900000
Reply all
Reply to author
Forward
0 new messages