On Tue, 20 Apr 2021 at 19:47, Eric Dumazet wrote:
>
> On Tue, Apr 20, 2021 at 3:45 PM Naresh Kamboju wrote:
> >
> > The following kernel BUG was reported on qemu-arm64 running linux-next 20210420;
> > the config has KASAN enabled.
> >
> > steps to reproduce:
> >
> > - Bu
======
BUG: KASAN: use-after-free in instrument_atomic_read_write
include/linux/instrumented.h:101 [inline]
BUG: KASAN: use-after-free in atomic_fetch_add_relaxed
include/asm-generic/atomic-instrumented.h:142 [inline]
BUG: KASAN: us
On Tue, Apr 20, 2021 at 3:45 PM Naresh Kamboju wrote:
>
> The following kernel BUG was reported on qemu-arm64 running linux-next 20210420;
> the config has KASAN enabled.
>
> steps to reproduce:
>
> - Build the arm64 kernel with KASAN enabled.
> - boot it with below command
crash log:
[ 23.711647] BUG: KASAN: use-after-free in page_to_skb.isra.0+0x300/0x418
[ 23.715349] Read of size 12 at addr cf63f800 by task systemd/1
[ 23.718528]
[ 23.719331] CPU: 0 PID: 1 Comm: systemd Not tainted
5.12.0-rc8-next-20210420 #1
[ 23.722836] Hardware name: linux,dumm
==
BUG: KASAN: use-after-free in
sctp_do_8_2_transport_strike.constprop.0+0xa27/0xab0
net/sctp/sm_sideeffect.c:531
Read of size 4 at addr 888024d65154 by task swapper/1/0
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.12.0-rc8-syzkaller #0
Hardware name: Google Google Compute E
On 4/19/21 8:41 AM, syzbot wrote:
> syzbot suspects this issue was fixed by commit:
>
> commit 470ec4ed8c91b4db398ad607c700e9ce88365202
> Author: Jens Axboe
> Date: Fri Feb 26 17:20:34 2021 +
>
> io-wq: fix double put of 'wq' in error path
>
> bisection log: https://syzkaller.appspot
On Tue, Apr 13, 2021 at 10:19:25PM +0800, Hao Sun wrote:
> On Tue, Apr 13, 2021 at 9:45 PM, Jason Gunthorpe wrote:
> >
> > On Tue, Apr 13, 2021 at 09:42:43PM +0800, Hao Sun wrote:
> > > On Tue, Apr 13, 2021 at 9:34 PM, Jason Gunthorpe wrote:
> > > >
> > > > On Tue, Apr 13, 2021 at 11:36:41AM +0800, Hao Sun wrote:
> > > > > Hi
>
syzbot suspects this issue was fixed by commit:
commit 470ec4ed8c91b4db398ad607c700e9ce88365202
Author: Jens Axboe
Date: Fri Feb 26 17:20:34 2021 +
io-wq: fix double put of 'wq' in error path
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=11e89cc5d0
start commit: c
On 4/15/21 7:28 PM, syzbot wrote:
> syzbot suspects this issue was fixed by commit:
>
> commit 61cf93700fe6359552848ed5e3becba6cd760efa
> Author: Matthew Wilcox (Oracle)
> Date: Mon Mar 8 14:16:16 2021 +
>
> io_uring: Convert personality_idr to XArray
>
> bisection log: https://syzka
syzbot suspects this issue was fixed by commit:
commit 61cf93700fe6359552848ed5e3becba6cd760efa
Author: Matthew Wilcox (Oracle)
Date: Mon Mar 8 14:16:16 2021 +
io_uring: Convert personality_idr to XArray
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=16f91b9ad0
start
======
BUG: KASAN: use-after-free in instrument_atomic_read_write
include/linux/instrumented.h:101 [inline]
BUG: KASAN: use-after-free in atomic_fetch_sub_release
include/asm-generic/atomic-instrumented.h:220 [inline]
BUG: KASAN: us
> Unfortunately, I don't have any reproducer for this issue yet.
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+08062910481610616...@syzkaller.appspotmail.com
>
> ==========
> BUG: KASAN: use-after-free in walk_stac
Reported-by: syzbot+08062910481610616...@syzkaller.appspotmail.com
==
BUG: KASAN: use-after-free in walk_stackframe arch/riscv/kernel/stacktrace.c:60
[inline]
BUG: KASAN: use-after-free in get_wchan+0x156/0x196
arch/riscv/kernel/stacktrace.c:136
On Tue, Apr 13, 2021 at 9:45 PM, Jason Gunthorpe wrote:
>
> On Tue, Apr 13, 2021 at 09:42:43PM +0800, Hao Sun wrote:
> > On Tue, Apr 13, 2021 at 9:34 PM, Jason Gunthorpe wrote:
> > >
> > > On Tue, Apr 13, 2021 at 11:36:41AM +0800, Hao Sun wrote:
> > > > Hi
> > > >
> > > > When using Healer(https://github.com/SunHao-0/healer/tre
> On 13 Apr 2021, at 15:44, Jason Gunthorpe wrote:
>
> On Tue, Apr 13, 2021 at 09:42:43PM +0800, Hao Sun wrote:
>> On Tue, Apr 13, 2021 at 9:34 PM, Jason Gunthorpe wrote:
>>>
>>> On Tue, Apr 13, 2021 at 11:36:41AM +0800, Hao Sun wrote:
Hi
When using Healer(https://github.com/SunHao-0/healer/t
On Tue, Apr 13, 2021 at 09:42:43PM +0800, Hao Sun wrote:
> On Tue, Apr 13, 2021 at 9:34 PM, Jason Gunthorpe wrote:
> >
> > On Tue, Apr 13, 2021 at 11:36:41AM +0800, Hao Sun wrote:
> > > Hi
> > >
> > > When using Healer(https://github.com/SunHao-0/healer/tree/dev) to fuzz
> > > the Linux kernel, I found two use-af
On Tue, Apr 13, 2021 at 9:34 PM, Jason Gunthorpe wrote:
>
> On Tue, Apr 13, 2021 at 11:36:41AM +0800, Hao Sun wrote:
> > Hi
> >
> > When using Healer(https://github.com/SunHao-0/healer/tree/dev) to fuzz
> > the Linux kernel, I found two use-after-free bugs which have been
> > reported a long time ago by Syzbot.
>
On Tue, Apr 13, 2021 at 11:36:41AM +0800, Hao Sun wrote:
> Hi
>
> When using Healer(https://github.com/SunHao-0/healer/tree/dev) to fuzz
> the Linux kernel, I found two use-after-free bugs which have been
> reported a long time ago by Syzbot.
> Although the corresponding patches have been merged i
======
BUG: KASAN: use-after-free in memcpy include/linux/fortify-string.h:191 [inline]
BUG: KASAN: use-after-free in skcipher_next_copy crypto/skcipher.c:292 [inline]
BUG: KASAN: use-after-free in skcipher_walk_next+0xb69/0x1680
crypto
On Tue, Apr 6, 2021 at 6:01 AM syzbot wrote:
> ==
> BUG: KASAN: use-after-free in __lock_acquire+0x3e6f/0x54c0
> kernel/locking/lockdep.c:4770
> Read of size 8 at addr 888024f66238 by task syz-executor.1/14202
> Happy to do it once Hao will echo confirming it works for him.
It looks like the patch solved the problem, nice!
Here's what I did. First, I compiled the kernel (5e46d1b7) with the
attached configuration, then I ran the reproducing program
(repro.cprog) and the same vulnerability was triggered,
tag to the commit:
Reported-by: syzbot+7b6548ae483d6f4c6...@syzkaller.appspotmail.com
Fixes: 997acaf6b4b5 ("lockdep: report broken irq restoration")
==
BUG: KASAN: use-after-free in __lock_acquire+0x3e6f/0x54c0
kern
On Sun, Apr 04, 2021 at 08:39:34PM +0800, Hillf Danton wrote:
> On Sun, 4 Apr 2021 17:05:17 Hao Sun wrote:
> > Besides, the 'refcount bug in cdev_del' bug still exists too.
>
> Thanks for your report, Hao.
> >
> > Here is the detailed information:
> > commit: 5e46d1b78a03d52306f21f77a4e4a144b6d
> platform regulatory.0: Direct firmware load for regulatory.db failed with
> error -2
> platform regulatory.0: Falling back to sysfs fallback for: regulatory.db
> ==
> BUG: KASAN: use-after-free in __list_add_valid+0x36/0xc0 lib/list_debug.c:23
> Read of
uble abort case with
fw_load_sysfs_fallback")
platform regulatory.0: Direct firmware load for regulatory.db failed with error
-2
platform regulatory.0: Falling back to sysfs fallback for: regulatory.db
==========
BUG: KASA
rride BLKFLSBUF")
==========
BUG: KASAN: use-after-free in kobject_put+0x493/0x540 lib/kobject.c:749
Read of size 1 at addr 8880135d453c by task syz-executor372/8533
CPU: 0 PID: 8533 Comm: syz-executor372 Not tainted
5.12.0-rc4-next-20210326-syzkaller #0
Hardware name: Google Google Compute Engine/G
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any
issue:
Reported-and-tested-by: syzbot+099593561bbd1805b...@syzkaller.appspotmail.com
Tested on:
commit: 24996dbd io_uring: reg buffer overflow checks hardening
git tree: git://git.kernel.dk/linux-b
> Fixes: 4d004099a668 ("lockdep: Fix lockdep recursion")
>
> ==
> BUG: KASAN: use-after-free in create_worker_cb+0xaa/0xc0 fs/io-wq.c:272
> Read of size 8 at addr 88801bf150e8
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+099593561bbd1805b...@syzkaller.appspotmail.com
Fixes: 4d004099a668 ("lockdep: Fix lockdep recursion")
==
BUG:
Fixes: 997acaf6b4b5 ("lockdep: report broken irq restoration")
==========
BUG: KASAN: use-after-free in __lock_acquire+0x3e6f/0x54c0
kernel/locking/lockdep.c:4770
Read of size 8 at addr 888144614468 by task syz-executor242/8422
CPU: 0 PID: 8422 Comm: syz-executor242 Not tainted 5.12.0-rc4-syzkaller #0
Hardware name: Google Google Compute E
On Sat, Mar 27, 2021 at 1:01 AM syzbot wrote:
>
> Hello,
>
> syzbot has tested the proposed patch but the reproducer is still triggering
> an issue:
> WARNING in kvm_wait
>
> [ cut here ]
> raw_local_irq_restore() called with IRQs enabled
> WARNING: CPU: 1 PID: 10753 at ke
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an
issue:
WARNING in kvm_wait
[ cut here ]
raw_local_irq_restore() called with IRQs enabled
WARNING: CPU: 1 PID: 10753 at kernel/locking/irqflag-debug.c:10
warn_bogus_irq_restore+0x1d/0x20
On Sun, Mar 14, 2021 at 7:10 PM syzbot wrote:
>
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:280d542f Merge tag 'drm-fixes-2021-03-05' of git://anongit..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=15ade5aed0
> kernel config:
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an
issue:
KASAN: use-after-free Read in bdgrab
==
BUG: KASAN: use-after-free in bdgrab+0x4c/0x50 fs/block_dev.c:929
Read of size 8 at addr
#syz test: git://git.infradead.org/users/hch/block.git part-iter-fix
On Sun, Mar 21, 2021 at 05:40:05AM -0700, syzbot wrote:
> syzbot has bisected this issue to:
>
> commit a33df75c6328bf40078b35f2040d8e54d574c357
> Author: Christoph Hellwig
> Date: Sun Jan 24 10:02:41 2021 +
>
> blo
On 3/22/21 12:18 AM, Christoph Hellwig wrote:
I've been running the reproducer on a KASAN-enabled VM for about
15 minutes now, but haven't been able to reproduce it.
Is there a way to inject this proposed fix into the syzbot queue?
diff --git a/block/partitions/core.c b/block/partitions/core.c
y syzkaller fuzzer with custom
> modifications and reproduced in 5.12.0-rc3+ too.
>
> There are use-after-free crashes in nilfs_mdt_destroy in fs/nilfs2/mdt.c.
>
> and there is a latest crash logs as follows:
>
> ==============
failed case,
cn->configuration memory has been released by usb_string_copy kfree but
configfs_composite_bind hasn't been run in time to assign new allocated
"cn->configuration" pointer to "cn->strings.s".
When "strlen(s->s) of usb_gadget_get_string is being e
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an
issue:
KASAN: use-after-free Read in bdgrab
==
BUG: KASAN: use-after-free in bdgrab+0x4c/0x50 fs/block_dev.c:938
Read of size 8 at addr
==
BUG: KASAN: use-after-free in nilfs_mdt_destroy+0x6f/0x80 fs/nilfs2/mdt.c:485
Read of size 8 at addr 8880478f0098 by task syz-executor325/8480
CPU: 1 PID: 8480 Comm: syz-executor325 Not tainted 5.12.0-rc3+ #42
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1 04/01
On Sun, Mar 14, 2021 at 7:10 PM syzbot wrote:
>
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:280d542f Merge tag 'drm-fixes-2021-03-05' of git://anongit..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=15ade5aed0
> kernel config:
Hi, I reported a bug found by the syzkaller fuzzer with custom modifications.
I reproduced it in 5.12.0-rc3+ and the crash log is as follows:
==
BUG: KASAN: use-after-free in f2fs_test_bit fs/f2fs/f2fs.h:2572 [inline]
BUG: KASAN: use-after-free
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an
issue:
KASAN: use-after-free Read in disk_part_iter_next
==
BUG: KASAN: use-after-free in bdev_nr_sectors include/linux/genhd.h:266 [inline]
BUG
On Mon, Mar 22, 2021 at 8:18 AM Christoph Hellwig wrote:
>
> I've been running the reproducer on a KASAN-enabled VM for about
> 15 minutes now, but haven't been able to reproduce it.
>
> Is there a way to inject this proposed fix into the syzbot queue?
Hi Christoph,
Yes, since this bug has a repr
I've been running the reproducer on a KASAN-enabled VM for about
15 minutes now, but haven't been able to reproduce it.
Is there a way to inject this proposed fix into the syzbot queue?
diff --git a/block/partitions/core.c b/block/partitions/core.c
index 1a7558917c47d6..f5d5872b89d57e 100644
--- a
On 3/21/21 7:35 PM, Ming Lei wrote:
> On Mon, Mar 22, 2021 at 7:03 AM Bart Van Assche wrote:
>>
>> On 3/14/21 4:08 AM, syzbot wrote:
>>> syzbot found the following issue on:
>>>
>>> HEAD commit:280d542f Merge tag 'drm-fixes-2021-03-05' of git://anongit..
>>> git tree: upstream
>>> consol
On Mon, Mar 22, 2021 at 7:03 AM Bart Van Assche wrote:
>
> On 3/14/21 4:08 AM, syzbot wrote:
> > syzbot found the following issue on:
> >
> > HEAD commit:280d542f Merge tag 'drm-fixes-2021-03-05' of git://anongit..
> > git tree: upstream
> > console output: https://syzkaller.appspot.com/
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an
issue:
KASAN: use-after-free Read in disk_part_iter_next
==
BUG: KASAN: use-after-free in bdev_nr_sectors include/linux/genhd.h:266 [inline]
BUG
On 3/14/21 4:08 AM, syzbot wrote:
> syzbot found the following issue on:
>
> HEAD commit:280d542f Merge tag 'drm-fixes-2021-03-05' of git://anongit..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=15ade5aed0
> kernel config: https://syzkaller.appspo
syzbot has bisected this issue to:
commit a33df75c6328bf40078b35f2040d8e54d574c357
Author: Christoph Hellwig
Date: Sun Jan 24 10:02:41 2021 +
block: use an xarray for disk->part_tbl
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=17989906d0
start commit: 1c273e10 Me
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+de271708674e20930...@syzkaller.appspotmail.com
platform regulatory.0: Falling back to sysfs fallback for: regulatory.db
==
BUG: KASAN: use-after-free in __list_add_valid+0x81/0xa0 lib/list_debug
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+8fede7e30c7cee0de...@syzkaller.appspotmail.com
==
BUG: KASAN: use-after-free in bdev_nr_sectors include/linux/genhd.h:266 [inline]
BUG: KASAN: use-after-free in disk_part_iter_next+0x49d/0
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any
issue:
Reported-and-tested-by: syzbot+12056a09a0311d758...@syzkaller.appspotmail.com
Tested on:
commit: ece5fae7 io_uring: don't leak creds on SQO attach error
git tree: git://git.kernel.dk/linux-b
On 18/12/2020 16:44, syzbot wrote:
> Hello,
>
> syzbot has tested the proposed patch but the reproducer is still triggering
> an issue:
> KASAN: use-after-free Read in idr_for_each
#syz test: git://git.kernel.dk/linux-bloc
I don't have any reproducer for this issue yet.
>
> Looks like the same cause as
> Reported-by: syzbot+de271708674e20930...@syzkaller.appspotmail.com
Hi Hillf,
Let's tell syzbot about this then:
#syz dup: KASAN: use-after-free Read in firmware_fallback_sysfs
Please see http://bi
==
BUG: KASAN: use-after-free in kill_pending_fw_fallback_reqs+0x2fb/0x370
drivers/base/firmware_loader/fallback.c:116
Read of size 8 at addr 8880757caac0 by task syz-executor.1/14981
CPU: 0 PID: 14981 Comm: syz-executor.1 Not tainted 5.12.
On Tue, 9 Mar 2021 at 07:31, Hillf Danton wrote:
> At the first glance, the zero pointer goes out of the box of race because
>
> 1/ the Call Trace shows it is the free path (of the supposed race victim),
>
> 2/ on the race winner side however either list_del or list_del_init
>would not leave a
======
BUG: KASAN: use-after-free in bdev_nr_sectors include/linux/genhd.h:266 [inline]
BUG: KASAN: use-after-free in disk_part_iter_next+0x49d/0x530 block/genhd.c:207
Read of size 8 at addr 88804b0022e8 by task systemd-udevd/9804
C
Reported-by: syzbot+de271708674e20930...@syzkaller.appspotmail.com
platform regulatory.0: Direct firmware load for regulatory.db failed with error
-2
platform regulatory.0: Falling back to sysfs fallback for: regulatory.db
==
BUG: KASAN: use-after-free in __list_add_valid+0x81/0xa0
nected and connected quickly, in the failed case,
> > cn->configuration memory has been released by usb_string_copy kfree but
> > configfs_composite_bind hasn't been run in time to assign new allocated
> > "cn->configuration" pointer to "cn->string
> configfs_composite_bind hasn't been run in time to assign new allocated
> "cn->configuration" pointer to "cn->strings.s".
>
> When "strlen(s->s) of usb_gadget_get_string is being executed, the dangling
> memory is accessed, "BUG: KASAN: use-after-free" error occurs.
>
> Signed-off-by: Jim Lin
> Signe
cn->configuration memory has been released by usb_string_copy kfree but
configfs_composite_bind hasn't been run in time to assign new allocated
"cn->configuration" pointer to "cn->strings.s".
When "strlen(s->s) of usb_gadget_get_string is being executed, the dangling
memory is accessed, "BUG: KASAN: us
======
BUG: KASAN: use-after-free in skb_put_data include/linux/skbuff.h:2293 [inline]
BUG: KASAN: use-after-free in h4_recv_buf+0x3d5/0xd00
drivers/bluetooth/hci_h4.c:200
Write of
> > Fixes: 9799110825db ("ALSA: usb-audio: Disable USB autosuspend properly in
> > setup_disable_autosuspend()")
> >
> > usb 1-1: USB disconnect, device number 2
> > ==
> > BUG: KASA
>> > IMPORTANT: if you fix the issue, please add the following tag to the
>> > commit:
>> > Reported-by: syzbot+ffad4c74b3b3ea3aa...@syzkaller.appspotmail.com
>> > Fixes: 9799110825db ("ALSA: usb-audio: Disable USB autosuspend properly in
>> > setup_disable_autosuspe
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+ffad4c74b3b3ea3aa...@syzkaller.appspotmail.com
> Fixes: 9799110825db ("ALSA: usb-audio: Disable USB autosuspend properly in
> setup_disable_autosuspend()")
>
> usb 1-1: USB disconnect, device number 2
> ==
Fixes: 9799110825db ("ALSA: usb-audio: Disable USB autosuspend properly in
setup_disable_autosuspend()")
usb 1-1: USB disconnect, device number 2
==
BUG: KASAN: use-after-free in usb_audio_disconnect+0x750/0x800
sound/usb/card.c:918
Read of size 2 at addr 888027a08f24 by task kworker/0:2/2966
CPU: 0 PID:
On Fri, 5 Mar 2021 at 19:22, Hillf Danton wrote:
>
> Yes, it is the same race as we saw before. But after cutting the race
> between pool->stale_lock and pool->lock with the patch above, the race
> between the free path and isolate/putback path came up.
>
> Try the diff below in combination with th
==
BUG: KASAN: use-after-free in file_inode include/linux/fs.h:1301 [inline]
BUG: KASAN: use-after-free in ovl_real_fdget_meta+0x482/0x500
fs/overlayfs/file.c:118
Read of size 8 at addr 88801854d420 by task syz-executor.2/18364
CPU: 0 PID: 18364
On Mon, 1 Mar 2021 at 08:11, Hillf Danton wrote:
>
> What we learn from your reports is
>
> 1/ in z3fold_free(), kref_put() creates the ground zero for the race
> cases reported,
>
> 2/ the stale_lock in combination with lock makes things more
> complicated than thought.
>
> Instead of dropping so
compiler: Debian clang version 11.0.1-2
> >
> > Unfortunately, I don't have any reproducer for this issue yet.
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+521772a90166b3fca...@syzkaller.appspot
> Unfortunately, I don't have any reproducer for this issue yet.
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+521772a90166b3fca...@syzkaller.appspotmail.com
>
> ==========
> BUG: KASAN: use-after-free in instrument_atomic_r
Reported-by: syzbot+521772a90166b3fca...@syzkaller.appspotmail.com
======
BUG: KASAN: use-after-free in instrument_atomic_read_write
include/linux/instrumented.h:101 [inline]
BUG: KASAN: use-after-free in atomic_fetch_sub_release
include/asm-generic/atomic
On Tue, Mar 2, 2021 at 2:15 PM Dmitry Vyukov wrote:
...
> Not sure if it's the root cause or not, but I am looking at this
> reference drop in cipso_v4_doi_remove:
> https://elixir.bootlin.com/linux/v5.12-rc1/source/net/ipv4/cipso_ipv4.c#L522
> The thing is that it does not remove from the list
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+9ec037722d2603a9f...@syzkaller.appspotmail.com
>
> ==============
> BUG: KASAN: use-after-free in cipso_v4_genopt+0x1078/0x1700
> net/ipv4/cipso_ipv4.c:1784
> Read of size 1 at addr 8881437d5710 by task syz-ex
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+9ec037722d2603a9f...@syzkaller.appspotmail.com
==
BUG: KASAN: use-after-free in cipso_v4_genopt+0x1078/0x1700
net/ipv4/cipso_ipv4.c:1784
Read of
On Tue, Mar 2, 2021 at 5:10 PM Paul Moore wrote:
>
> On Tue, Mar 2, 2021 at 6:03 AM Dmitry Vyukov wrote:
> >
>
> ...
>
> > Besides these 2 crashes, we've also seen one on a 4.19 based kernel, see
> > below.
> > Based on the reports with mismatching stacks, it looks like
> > cipso_v4_genopt is do
On Tue, Mar 2, 2021 at 6:03 AM Dmitry Vyukov wrote:
>
...
> Besides these 2 crashes, we've also seen one on a 4.19 based kernel, see
> below.
> Based on the reports with mismatching stacks, it looks like
> cipso_v4_genopt is doing some kind of wild pointer access (uninit
> pointer?).
Hmm, inte
> Unfortunately, I don't have any reproducer for this issue yet.
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+9ec037722d2603a9f...@syzkaller.appspotmail.com
>
> ==========
> BUG: KASAN: use-after-free in cipso_v4_gen
Reported-by: syzbot+9ec037722d2603a9f...@syzkaller.appspotmail.com
======
BUG: KASAN: use-after-free in cipso_v4_genopt+0x1078/0x1700
net/ipv4/cipso_ipv4.c:1784
Read of size 1 at addr 888017bba510 by task kworker/1:3/4821
CPU: 1 PID: 4821 Comm: kworker/
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+a157ac7c03a56397f...@syzkaller.appspotmail.com
>
> ==========
> BUG: KASAN: use-after-free in __tctx_task_work fs/io_uring
On Sat, 13 Feb 2021 at 08:03, Hillf Danton wrote:
>
> The comment below shows a race instance, though I failed to put things
> together to see how within two hours. Cut it and see what will come up.
>
> --- a/mm/z3fold.c
> +++ b/mm/z3fold.c
> @@ -1129,19 +1129,22 @@ retry:
> page = NULL;
>
Reported-by: syzbot+a157ac7c03a56397f...@syzkaller.appspotmail.com
======
BUG: KASAN: use-after-free in __tctx_task_work fs/io_uring.c:2217 [inline]
BUG: KASAN: use-after-free in tctx_task_work+0x238/0x280 fs/io_uring.c:2230
Read of size 4 at addr 88802178e
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+38769495e847cea2d...@syzkaller.appspotmail.com
==
BUG: KASAN: use-after-free in __hlist_del include/linux/list.h:835 [inline]
BUG: KASAN: use-after-free in hlist_del include/linux/list.h:852 [inline]
BUG
On 2/26/21 2:33 PM, syzbot wrote:
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit:d01f2f7e Add linux-next specific files for 20210226
> git tree: linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=114fa9ccd0
> kernel config: https://sy
==
BUG: KASAN: use-after-free in __hlist_del include/linux/list.h:835 [inline]
BUG: KASAN: use-after-free in hlist_del include/linux/list.h:852 [inline]
BUG: KASAN: use-after-free in __cpuhp_state_remove_instance+0x58b/0x5b0
kernel
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+38769495e847cea2d...@syzkaller.appspotmail.com
looks like an issue in io_uring
+io_uring maintainers
> ==========
> BUG: KASAN: use-after-free in __hlist_del include/linux/list.
==
BUG: KASAN: use-after-free in __hlist_del include/linux/list.h:835 [inline]
BUG: KASAN: use-after-free in hlist_del include/linux/list.h:852 [inline]
BUG: KASAN: use-after-free in __cpuhp_state_remove_instance+0x58b/0x5b0
kernel/cpu.c:2002
Read of s
Reported-by: syzbot+edf737ddc30018954...@syzkaller.appspotmail.com
==
BUG: KASAN: use-after-free in __lock_acquire+0x3e6f/0x54c0
kernel/locking/lockdep.c:4770
Read of size 8 at addr 8881444a3a88 by task iou-sqp-7185/7188
CPU: 0 PID
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+7bf785eedca35ca05...@syzkaller.appspotmail.com
>
> ==============
> BUG: KASAN: use-after-free in __lock_acquire+0x3e6
Reported-by: syzbot+7bf785eedca35ca05...@syzkaller.appspotmail.com
==
BUG: KASAN: use-after-free in __lock_acquire+0x3e6f/0x54c0
kernel/locking/lockdep.c:4770
Read of size 8 at addr 888030dc08d0 by task syz-executor199/9383
CPU: 1 PID
======
BUG: KASAN: use-after-free in addr6_resolve drivers/infiniband/core/addr.c:439
[inline]
BUG: KASAN: use-after-free in addr_resolve+0x1844/0x1b40
drivers/infiniband/core/addr.c:590
Wri
> > cn->configuration memory has been released by usb_string_copy kfree but
> > configfs_composite_bind hasn't been run in time to assign new allocated
> > "cn->configuration" pointer to "cn->strings.s".
> >
> > When "strlen(s->s) of us
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any
issue:
Reported-and-tested-by: syzbot+429d3f82d757c211b...@syzkaller.appspotmail.com
Tested on:
commit: 2b31ee47 nbd: handle device refs for DESTROY_ON_DISCONNECT..
git tree:
git://git.kernel.org/