syzbot

KASAN: out-of-bounds Write in __run_timers

Status: closed as invalid on 2017/10/22 12:45
First crash: 2947d, last: 2947d

Sample crash report:
==================================================================
BUG: KASAN: out-of-bounds in __collect_expired_timers include/linux/list.h:729 [inline]
BUG: KASAN: out-of-bounds in collect_expired_timers kernel/time/timer.c:1569 [inline]
BUG: KASAN: out-of-bounds in __run_timers+0xa2e/0xb90 kernel/time/timer.c:1616
Write of size 8 at addr ffff88003b964008 by task syz-executor4/29389

CPU: 1 PID: 29389 Comm: syz-executor4 Not tainted 4.13.0-next-20170914+ #4
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:16 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:52
 print_address_description+0x73/0x250 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report+0x24e/0x340 mm/kasan/report.c:409
 __asan_report_store8_noabort+0x17/0x20 mm/kasan/report.c:435
 __collect_expired_timers include/linux/list.h:729 [inline]
 collect_expired_timers kernel/time/timer.c:1569 [inline]
 __run_timers+0xa2e/0xb90 kernel/time/timer.c:1616
 run_timer_softirq+0x4c/0xb0 kernel/time/timer.c:1646
 __do_softirq+0x2bb/0xbd0 kernel/softirq.c:284
 invoke_softirq kernel/softirq.c:364 [inline]
 irq_exit+0x1d3/0x210 kernel/softirq.c:405
 exiting_irq arch/x86/include/asm/apic.h:638 [inline]
 smp_apic_timer_interrupt+0x177/0x710 arch/x86/kernel/apic/apic.c:1048
 apic_timer_interrupt+0x9d/0xb0 arch/x86/entry/entry_64.S:577
 </IRQ>
RIP: 0010:rep_nop arch/x86/include/asm/processor.h:634 [inline]
RIP: 0010:cpu_relax arch/x86/include/asm/processor.h:639 [inline]
RIP: 0010:csd_lock_wait kernel/smp.c:108 [inline]
RIP: 0010:smp_call_function_many+0x6ea/0x930 kernel/smp.c:468
RSP: 0018:ffff88004d0f6750 EFLAGS: 00000297 ORIG_RAX: ffffffffffffff10
RAX: ffff880068e56540 RBX: ffff88006de30fe0 RCX: 0000000000000004
RDX: 0000000000000000 RSI: 0000000000000002 RDI: ffffffff857eba70
RBP: ffff88004d0f6878 R08: fffffbffffeaf02e R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88006de30ff8
R13: dffffc0000000000 R14: ffff88004d0f6850 R15: ffffed0009a1ed02
 smp_call_function kernel/smp.c:492 [inline]
 on_each_cpu+0x3d/0x1b0 kernel/smp.c:602
 text_poke_bp+0xe4/0x170 arch/x86/kernel/alternative.c:819
 __jump_label_transform.isra.0+0x6a5/0x8a0 arch/x86/kernel/jump_label.c:101
 arch_jump_label_transform+0x2f/0x40 arch/x86/kernel/jump_label.c:109
 __jump_label_update+0x207/0x2d0 kernel/jump_label.c:368
 jump_label_update+0x22c/0x2b0 kernel/jump_label.c:735
 static_key_slow_dec_cpuslocked+0x176/0x1d0 kernel/jump_label.c:204
 __static_key_slow_dec kernel/jump_label.c:214 [inline]
 static_key_slow_dec+0x56/0x90 kernel/jump_label.c:228
 tracepoint_remove_func kernel/tracepoint.c:253 [inline]
 tracepoint_probe_unregister+0x70d/0x870 kernel/tracepoint.c:324
 trace_event_reg+0xed/0x320 kernel/trace/trace_events.c:309
 perf_trace_event_unreg.isra.2+0xad/0x1f0 kernel/trace/trace_event_perf.c:155
 perf_trace_destroy+0xbc/0x100 kernel/trace/trace_event_perf.c:236
 tp_perf_event_destroy+0x15/0x20 kernel/events/core.c:8021
 _free_event+0x401/0x1130 kernel/events/core.c:4193
 put_event+0x24/0x30 kernel/events/core.c:4276
 perf_event_release_kernel+0x407/0xc00 kernel/events/core.c:4377
 perf_release+0x37/0x50 kernel/events/core.c:4387
 __fput+0x333/0x7f0 fs/file_table.c:210
 ____fput+0x15/0x20 fs/file_table.c:244
 task_work_run+0x199/0x270 kernel/task_work.c:112
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0xa52/0x1b40 kernel/exit.c:865
 do_group_exit+0x149/0x400 kernel/exit.c:968
 get_signal+0x7e8/0x17e0 kernel/signal.c:2334
 do_signal+0x94/0x1ee0 arch/x86/kernel/signal.c:808
 exit_to_usermode_loop+0x224/0x300 arch/x86/entry/common.c:158
 prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
 syscall_return_slowpath+0x42f/0x500 arch/x86/entry/common.c:266
 entry_SYSCALL_64_fastpath+0xbc/0xbe
RIP: 0033:0x447299
RSP: 002b:00007f8e39973c08 EFLAGS: 00000282 ORIG_RAX: 000000000000012a
RAX: 0000000000000005 RBX: 000000002001d000 RCX: 0000000000447299
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000002001d000
RBP: 0000000000708000 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffffffffffff R11: 0000000000000282 R12: 00000000ffffffff
R13: 0000000000003d10 R14: 00000000006e6dd0 R15: 0000000000000000

Allocated by task 29423:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
 __do_kmalloc_node mm/slab.c:3689 [inline]
 __kmalloc_node_track_caller+0x47/0x70 mm/slab.c:3703
 __kmalloc_reserve.isra.40+0x41/0xd0 net/core/skbuff.c:138
 __alloc_skb+0x13b/0x740 net/core/skbuff.c:206
 alloc_skb include/linux/skbuff.h:976 [inline]
 alloc_skb_with_frags+0x10d/0x710 net/core/skbuff.c:5137
 sock_alloc_send_pskb+0x7b4/0x9d0 net/core/sock.c:2073
 unix_dgram_sendmsg+0x52d/0x1600 net/unix/af_unix.c:1681
 sock_sendmsg_nosec net/socket.c:633 [inline]
 sock_sendmsg+0xca/0x110 net/socket.c:643
 ___sys_sendmsg+0x75b/0x8a0 net/socket.c:2049
 __sys_sendmsg+0xe5/0x210 net/socket.c:2083
 SYSC_sendmsg net/socket.c:2094 [inline]
 SyS_sendmsg+0x2d/0x50 net/socket.c:2090
 entry_SYSCALL_64_fastpath+0x1f/0xbe

Freed by task 28974:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3503 [inline]
 kfree+0xca/0x250 mm/slab.c:3820
 kvfree+0x36/0x60 mm/util.c:416
 netdev_freemem net/core/dev.c:7970 [inline]
 free_netdev+0x2cf/0x360 net/core/dev.c:8132
 tun_set_iff drivers/net/tun.c:2105 [inline]
 __tun_chr_ioctl+0x2cf6/0x3d20 drivers/net/tun.c:2276
 tun_chr_ioctl+0x2a/0x40 drivers/net/tun.c:2521
 vfs_ioctl fs/ioctl.c:45 [inline]
 do_vfs_ioctl+0x1b1/0x1530 fs/ioctl.c:685
 SYSC_ioctl fs/ioctl.c:700 [inline]
 SyS_ioctl+0x8f/0xc0 fs/ioctl.c:691
 entry_SYSCALL_64_fastpath+0x1f/0xbe

The buggy address belongs to the object at ffff88003b960c00
 which belongs to the cache kmalloc-16384 of size 16384
The buggy address is located 13320 bytes inside of
 16384-byte region [ffff88003b960c00, ffff88003b964c00)
The buggy address belongs to the page:
page:ffffea0000ee5800 count:1 mapcount:0 mapping:ffff88003b960c00 index:0x0 compound_mapcount: 0
flags: 0x100000000008100(slab|head)
raw: 0100000000008100 ffff88003b960c00 0000000000000000 0000000100000001
raw: ffffea0000c37220 ffffea0000f0aa20 ffff88003e802200 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88003b963f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88003b963f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88003b964000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                         ^
 ffff88003b964080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88003b964100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

Crashes (1):
  Time:      2017/09/15 03:35
  Kernel:    linux-next
  Commit:    31fc38c47623
  Syzkaller: 96b8e399
  Config:    .config
  Log:       console log
  Report:    report
  Syz repro: (none)
  C repro:   (none)
  VM info:   (none)
  Assets:    (none)
  Manager:   skylake-linux-next-kasan-qemu
  Title:     (none)