[v5.15] KASAN: use-after-free Read in crc_itu_t
0 views
Skip to first unread message
syzbot
Mar 29, 2023, 7:09:55 PM3/29/23
Hello,
syzbot found the following issue on:
HEAD commit: 115472395b0a Linux 5.15.104
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1290bd49c80000
kernel config: https://syzkaller.appspot.com/x/.config?x=f5592cc4916e1c2f
dashboard link: https://syzkaller.appspot.com/bug?extid=a2296f1483a9201c63a3
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/6c2c0744c7e0/disk-11547239.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/7ea4c5ecca4f/vmlinux-11547239.xz
kernel image: https://storage.googleapis.com/syzbot-assets/9a231dbcf423/bzImage-11547239.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]
==================================================================
BUG: KASAN: use-after-free in crc_itu_t+0x218/0x2a0 lib/crc-itu-t.c:60
Read of size 1 at addr ffff88802f948000 by task syz-executor.3/13673
CPU: 0 PID: 13673 Comm: syz-executor.3 Not tainted 5.15.104-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
print_address_description+0x63/0x3b0 mm/kasan/report.c:248
__kasan_report mm/kasan/report.c:434 [inline]
kasan_report+0x16b/0x1c0 mm/kasan/report.c:451
crc_itu_t+0x218/0x2a0 lib/crc-itu-t.c:60
udf_finalize_lvid fs/udf/super.c:2025 [inline]
udf_sync_fs+0x1ce/0x380 fs/udf/super.c:2381
iterate_supers+0x127/0x1e0 fs/super.c:696
ksys_sync+0xc8/0x1c0 fs/sync.c:103
__do_sys_sync+0xa/0x10 fs/sync.c:113
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7f5c7ccea0f9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f5c7b25c168 EFLAGS: 00000246 ORIG_RAX: 00000000000000a2
RAX: ffffffffffffffda RBX: 00007f5c7ce09f80 RCX: 00007f5c7ccea0f9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 00007f5c7cd45b39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fff69332c8f R14: 00007f5c7b25c300 R15: 0000000000022000
</TASK>
The buggy address belongs to the page:
page:ffffea0000be5200 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x100 pfn:0x2f948
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea00013baa08 ffffea0000bf0608 0000000000000000
raw: 0000000000000100 0000000000000003 00000000ffffff7f 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x1100dca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO), pid 9955, ts 572278496101, free_ts 574264968372
prep_new_page mm/page_alloc.c:2426 [inline]
get_page_from_freelist+0x322a/0x33c0 mm/page_alloc.c:4159
__alloc_pages+0x272/0x700 mm/page_alloc.c:5421
alloc_pages_vma+0x39a/0x800 mm/mempolicy.c:2146
wp_page_copy+0x245/0x2000 mm/memory.c:3011
handle_pte_fault mm/memory.c:4612 [inline]
__handle_mm_fault mm/memory.c:4729 [inline]
handle_mm_fault+0x2a3d/0x5950 mm/memory.c:4827
do_user_addr_fault arch/x86/mm/fault.c:1397 [inline]
handle_page_fault arch/x86/mm/fault.c:1485 [inline]
exc_page_fault+0x271/0x740 arch/x86/mm/fault.c:1541
asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:568
__put_user_nocheck_4+0x3/0x11
____sys_recvmsg+0x35b/0x530 net/socket.c:2644
___sys_recvmsg+0x1ec/0x690 net/socket.c:2673
do_recvmmsg+0x36f/0x8f0 net/socket.c:2767
__sys_recvmmsg net/socket.c:2846 [inline]
__do_sys_recvmmsg net/socket.c:2869 [inline]
__se_sys_recvmmsg net/socket.c:2862 [inline]
__x64_sys_recvmmsg+0x195/0x240 net/socket.c:2862
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1340 [inline]
free_pcp_prepare mm/page_alloc.c:1391 [inline]
free_unref_page_prepare+0xc34/0xcf0 mm/page_alloc.c:3317
free_unref_page_list+0x1f7/0x8e0 mm/page_alloc.c:3433
release_pages+0x1bb9/0x1f40 mm/swap.c:963
tlb_batch_pages_flush mm/mmu_gather.c:49 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:240 [inline]
tlb_flush_mmu+0xc8/0x170 mm/mmu_gather.c:247
zap_pte_range mm/memory.c:1445 [inline]
zap_pmd_range mm/memory.c:1494 [inline]
zap_pud_range mm/memory.c:1523 [inline]
zap_p4d_range mm/memory.c:1544 [inline]
unmap_page_range+0x214d/0x2630 mm/memory.c:1565
unmap_vmas+0x1f8/0x390 mm/memory.c:1642
exit_mmap+0x3b6/0x670 mm/mmap.c:3186
__mmput+0x112/0x3b0 kernel/fork.c:1118
exit_mm+0x688/0x7f0 kernel/exit.c:548
do_exit+0x626/0x2480 kernel/exit.c:859
do_group_exit+0x144/0x310 kernel/exit.c:994
get_signal+0xc66/0x14e0 kernel/signal.c:2889
arch_do_signal_or_restart+0xc3/0x1890 arch/x86/kernel/signal.c:865
handle_signal_work kernel/entry/common.c:148 [inline]
exit_to_user_mode_loop+0x97/0x130 kernel/entry/common.c:172
exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:207
__syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
syscall_exit_to_user_mode+0x5d/0x250 kernel/entry/common.c:300
Memory state around the buggy address:
ffff88802f947f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88802f947f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88802f948000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88802f948080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88802f948100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following issue on:
HEAD commit: 115472395b0a Linux 5.15.104
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1290bd49c80000
kernel config: https://syzkaller.appspot.com/x/.config?x=f5592cc4916e1c2f
dashboard link: https://syzkaller.appspot.com/bug?extid=a2296f1483a9201c63a3
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/6c2c0744c7e0/disk-11547239.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/7ea4c5ecca4f/vmlinux-11547239.xz
kernel image: https://storage.googleapis.com/syzbot-assets/9a231dbcf423/bzImage-11547239.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]
==================================================================
BUG: KASAN: use-after-free in crc_itu_t+0x218/0x2a0 lib/crc-itu-t.c:60
Read of size 1 at addr ffff88802f948000 by task syz-executor.3/13673
CPU: 0 PID: 13673 Comm: syz-executor.3 Not tainted 5.15.104-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
print_address_description+0x63/0x3b0 mm/kasan/report.c:248
__kasan_report mm/kasan/report.c:434 [inline]
kasan_report+0x16b/0x1c0 mm/kasan/report.c:451
crc_itu_t+0x218/0x2a0 lib/crc-itu-t.c:60
udf_finalize_lvid fs/udf/super.c:2025 [inline]
udf_sync_fs+0x1ce/0x380 fs/udf/super.c:2381
iterate_supers+0x127/0x1e0 fs/super.c:696
ksys_sync+0xc8/0x1c0 fs/sync.c:103
__do_sys_sync+0xa/0x10 fs/sync.c:113
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7f5c7ccea0f9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f5c7b25c168 EFLAGS: 00000246 ORIG_RAX: 00000000000000a2
RAX: ffffffffffffffda RBX: 00007f5c7ce09f80 RCX: 00007f5c7ccea0f9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 00007f5c7cd45b39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fff69332c8f R14: 00007f5c7b25c300 R15: 0000000000022000
</TASK>
The buggy address belongs to the page:
page:ffffea0000be5200 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x100 pfn:0x2f948
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea00013baa08 ffffea0000bf0608 0000000000000000
raw: 0000000000000100 0000000000000003 00000000ffffff7f 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x1100dca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO), pid 9955, ts 572278496101, free_ts 574264968372
prep_new_page mm/page_alloc.c:2426 [inline]
get_page_from_freelist+0x322a/0x33c0 mm/page_alloc.c:4159
__alloc_pages+0x272/0x700 mm/page_alloc.c:5421
alloc_pages_vma+0x39a/0x800 mm/mempolicy.c:2146
wp_page_copy+0x245/0x2000 mm/memory.c:3011
handle_pte_fault mm/memory.c:4612 [inline]
__handle_mm_fault mm/memory.c:4729 [inline]
handle_mm_fault+0x2a3d/0x5950 mm/memory.c:4827
do_user_addr_fault arch/x86/mm/fault.c:1397 [inline]
handle_page_fault arch/x86/mm/fault.c:1485 [inline]
exc_page_fault+0x271/0x740 arch/x86/mm/fault.c:1541
asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:568
__put_user_nocheck_4+0x3/0x11
____sys_recvmsg+0x35b/0x530 net/socket.c:2644
___sys_recvmsg+0x1ec/0x690 net/socket.c:2673
do_recvmmsg+0x36f/0x8f0 net/socket.c:2767
__sys_recvmmsg net/socket.c:2846 [inline]
__do_sys_recvmmsg net/socket.c:2869 [inline]
__se_sys_recvmmsg net/socket.c:2862 [inline]
__x64_sys_recvmmsg+0x195/0x240 net/socket.c:2862
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1340 [inline]
free_pcp_prepare mm/page_alloc.c:1391 [inline]
free_unref_page_prepare+0xc34/0xcf0 mm/page_alloc.c:3317
free_unref_page_list+0x1f7/0x8e0 mm/page_alloc.c:3433
release_pages+0x1bb9/0x1f40 mm/swap.c:963
tlb_batch_pages_flush mm/mmu_gather.c:49 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:240 [inline]
tlb_flush_mmu+0xc8/0x170 mm/mmu_gather.c:247
zap_pte_range mm/memory.c:1445 [inline]
zap_pmd_range mm/memory.c:1494 [inline]
zap_pud_range mm/memory.c:1523 [inline]
zap_p4d_range mm/memory.c:1544 [inline]
unmap_page_range+0x214d/0x2630 mm/memory.c:1565
unmap_vmas+0x1f8/0x390 mm/memory.c:1642
exit_mmap+0x3b6/0x670 mm/mmap.c:3186
__mmput+0x112/0x3b0 kernel/fork.c:1118
exit_mm+0x688/0x7f0 kernel/exit.c:548
do_exit+0x626/0x2480 kernel/exit.c:859
do_group_exit+0x144/0x310 kernel/exit.c:994
get_signal+0xc66/0x14e0 kernel/signal.c:2889
arch_do_signal_or_restart+0xc3/0x1890 arch/x86/kernel/signal.c:865
handle_signal_work kernel/entry/common.c:148 [inline]
exit_to_user_mode_loop+0x97/0x130 kernel/entry/common.c:172
exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:207
__syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
syscall_exit_to_user_mode+0x5d/0x250 kernel/entry/common.c:300
Memory state around the buggy address:
ffff88802f947f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88802f947f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88802f948000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88802f948080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88802f948100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
May 24, 2023, 12:17:55 PM5/24/23
syzbot has found a reproducer for the following issue on:
HEAD commit: 9d6bde853685 Linux 5.15.112
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=12906772280000
kernel config: https://syzkaller.appspot.com/x/.config?x=a61e8195d8bdf36e
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1456ace5280000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/b65d6c2ec328/disk-9d6bde85.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/cf811ebac37b/vmlinux-9d6bde85.xz
kernel image: https://storage.googleapis.com/syzbot-assets/b2f32fdecf97/bzImage-9d6bde85.xz
mounted in repro #1: https://storage.googleapis.com/syzbot-assets/5f28530b6e40/mount_0.gz
mounted in repro #2: https://storage.googleapis.com/syzbot-assets/05115bbb4a0a/mount_3.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]
UDF-fs: error (device loop0): udf_read_tagged: tag version 0x0000 != 0x0002 || 0x0003, block 0
UDF-fs: warning (device loop0): udf_load_vrs: No anchor found
UDF-fs: Scanning with blocksize 512 failed
UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp 2022/11/22 14:59 (1000)
==================================================================
BUG: KASAN: use-after-free in crc_itu_t+0x1d1/0x2a0 lib/crc-itu-t.c:60
Read of size 1 at addr ffff8880704b3000 by task syz-executor221/3501
CPU: 0 PID: 3501 Comm: syz-executor221 Not tainted 5.15.112-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023
generic_shutdown_super+0x6e/0x2c0 fs/super.c:448
kill_block_super+0x7a/0xe0 fs/super.c:1405
deactivate_locked_super+0xa0/0x110 fs/super.c:335
cleanup_mnt+0x44e/0x500 fs/namespace.c:1143
task_work_run+0x129/0x1a0 kernel/task_work.c:164
exit_task_work include/linux/task_work.h:32 [inline]
do_exit+0x6a3/0x2480 kernel/exit.c:872
do_group_exit+0x144/0x310 kernel/exit.c:994
__do_sys_exit_group kernel/exit.c:1005 [inline]
__se_sys_exit_group kernel/exit.c:1003 [inline]
__x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1003
Code: Unable to access opcode bytes at RIP 0x7f5a21ac157f.
RSP: 002b:00007ffdd171c348 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007f5a21b68470 RCX: 00007f5a21ac15a9
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
RBP: 0000000000000001 R08: ffffffffffffffb8 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f5a21b68470
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea0001c12d08 ffffea0001f4ea48 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
handle_pte_fault mm/memory.c:4606 [inline]
__handle_mm_fault mm/memory.c:4743 [inline]
handle_mm_fault+0x2f49/0x5950 mm/memory.c:4841
tlb_finish_mmu+0x177/0x320 mm/mmu_gather.c:338
unmap_region+0x304/0x350 mm/mmap.c:2668
__do_munmap+0x12db/0x1740 mm/mmap.c:2899
__vm_munmap+0x134/0x230 mm/mmap.c:2922
__do_sys_munmap mm/mmap.c:2948 [inline]
__se_sys_munmap mm/mmap.c:2944 [inline]
__x64_sys_munmap+0x67/0x70 mm/mmap.c:2944
ffff8880704b2f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880704b3000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff8880704b3080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8880704b3100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
HEAD commit: 9d6bde853685 Linux 5.15.112
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=12906772280000
kernel config: https://syzkaller.appspot.com/x/.config?x=a61e8195d8bdf36e
dashboard link: https://syzkaller.appspot.com/bug?extid=a2296f1483a9201c63a3
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11db80c1280000
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1456ace5280000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/b65d6c2ec328/disk-9d6bde85.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/cf811ebac37b/vmlinux-9d6bde85.xz
kernel image: https://storage.googleapis.com/syzbot-assets/b2f32fdecf97/bzImage-9d6bde85.xz
mounted in repro #1: https://storage.googleapis.com/syzbot-assets/5f28530b6e40/mount_0.gz
mounted in repro #2: https://storage.googleapis.com/syzbot-assets/05115bbb4a0a/mount_3.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]
UDF-fs: warning (device loop0): udf_load_vrs: No anchor found
UDF-fs: Scanning with blocksize 512 failed
UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp 2022/11/22 14:59 (1000)
==================================================================
BUG: KASAN: use-after-free in crc_itu_t+0x1d1/0x2a0 lib/crc-itu-t.c:60
Read of size 1 at addr ffff8880704b3000 by task syz-executor221/3501
CPU: 0 PID: 3501 Comm: syz-executor221 Not tainted 5.15.112-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
print_address_description+0x63/0x3b0 mm/kasan/report.c:248
__kasan_report mm/kasan/report.c:434 [inline]
kasan_report+0x16b/0x1c0 mm/kasan/report.c:451
crc_itu_t+0x1d1/0x2a0 lib/crc-itu-t.c:60
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
print_address_description+0x63/0x3b0 mm/kasan/report.c:248
__kasan_report mm/kasan/report.c:434 [inline]
kasan_report+0x16b/0x1c0 mm/kasan/report.c:451
udf_finalize_lvid fs/udf/super.c:2025 [inline]
udf_sync_fs+0x1ce/0x380 fs/udf/super.c:2381
sync_filesystem+0xe8/0x220 fs/sync.c:56
udf_sync_fs+0x1ce/0x380 fs/udf/super.c:2381
generic_shutdown_super+0x6e/0x2c0 fs/super.c:448
kill_block_super+0x7a/0xe0 fs/super.c:1405
deactivate_locked_super+0xa0/0x110 fs/super.c:335
cleanup_mnt+0x44e/0x500 fs/namespace.c:1143
task_work_run+0x129/0x1a0 kernel/task_work.c:164
exit_task_work include/linux/task_work.h:32 [inline]
do_exit+0x6a3/0x2480 kernel/exit.c:872
do_group_exit+0x144/0x310 kernel/exit.c:994
__do_sys_exit_group kernel/exit.c:1005 [inline]
__se_sys_exit_group kernel/exit.c:1003 [inline]
__x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1003
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7f5a21ac15a9
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb
Code: Unable to access opcode bytes at RIP 0x7f5a21ac157f.
RSP: 002b:00007ffdd171c348 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007f5a21b68470 RCX: 00007f5a21ac15a9
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
RBP: 0000000000000001 R08: ffffffffffffffb8 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f5a21b68470
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
</TASK>
The buggy address belongs to the page:
page:ffffea0001c12cc0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x704b3
The buggy address belongs to the page:
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea0001c12d08 ffffea0001f4ea48 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x1100dca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO), pid 3491, ts 47938476688, free_ts 47957151035
page_owner tracks the page as freed
prep_new_page mm/page_alloc.c:2426 [inline]
get_page_from_freelist+0x322a/0x33c0 mm/page_alloc.c:4159
__alloc_pages+0x272/0x700 mm/page_alloc.c:5421
alloc_pages_vma+0x39a/0x800 mm/mempolicy.c:2146
do_anonymous_page mm/memory.c:3795 [inline]
get_page_from_freelist+0x322a/0x33c0 mm/page_alloc.c:4159
__alloc_pages+0x272/0x700 mm/page_alloc.c:5421
alloc_pages_vma+0x39a/0x800 mm/mempolicy.c:2146
handle_pte_fault mm/memory.c:4606 [inline]
__handle_mm_fault mm/memory.c:4743 [inline]
handle_mm_fault+0x2f49/0x5950 mm/memory.c:4841
do_user_addr_fault arch/x86/mm/fault.c:1397 [inline]
handle_page_fault arch/x86/mm/fault.c:1485 [inline]
exc_page_fault+0x271/0x740 arch/x86/mm/fault.c:1541
asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:568
handle_page_fault arch/x86/mm/fault.c:1485 [inline]
exc_page_fault+0x271/0x740 arch/x86/mm/fault.c:1541
asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:568
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1340 [inline]
free_pcp_prepare mm/page_alloc.c:1391 [inline]
free_unref_page_prepare+0xc34/0xcf0 mm/page_alloc.c:3317
free_unref_page_list+0x1f7/0x8e0 mm/page_alloc.c:3433
release_pages+0x1bb9/0x1f40 mm/swap.c:963
tlb_batch_pages_flush mm/mmu_gather.c:49 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:240 [inline]
tlb_flush_mmu mm/mmu_gather.c:247 [inline]
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1340 [inline]
free_pcp_prepare mm/page_alloc.c:1391 [inline]
free_unref_page_prepare+0xc34/0xcf0 mm/page_alloc.c:3317
free_unref_page_list+0x1f7/0x8e0 mm/page_alloc.c:3433
release_pages+0x1bb9/0x1f40 mm/swap.c:963
tlb_batch_pages_flush mm/mmu_gather.c:49 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:240 [inline]
tlb_finish_mmu+0x177/0x320 mm/mmu_gather.c:338
unmap_region+0x304/0x350 mm/mmap.c:2668
__do_munmap+0x12db/0x1740 mm/mmap.c:2899
__vm_munmap+0x134/0x230 mm/mmap.c:2922
__do_sys_munmap mm/mmap.c:2948 [inline]
__se_sys_munmap mm/mmap.c:2944 [inline]
__x64_sys_munmap+0x67/0x70 mm/mmap.c:2944
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb
Memory state around the buggy address:
ffff8880704b2f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8880704b2f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880704b3000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff8880704b3080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8880704b3100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
syzbot
May 30, 2023, 10:40:59 AM5/30/23
Hello,
syzbot found the following issue on:
HEAD commit: a343b0dd87b4 Linux 6.1.30
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=146e47c1280000
kernel config: https://syzkaller.appspot.com/x/.config?x=5265a3c898f3cbbb
dashboard link: https://syzkaller.appspot.com/bug?extid=5cf976404e004598be30
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=161f54cd280000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/195d974b1f1c/disk-a343b0dd.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ea41850547fb/vmlinux-a343b0dd.xz
kernel image: https://storage.googleapis.com/syzbot-assets/13ec9e70ad28/bzImage-a343b0dd.xz
mounted in repro #1: https://storage.googleapis.com/syzbot-assets/b3c5520d093d/mount_0.gz
mounted in repro #2: https://storage.googleapis.com/syzbot-assets/20f528931104/mount_3.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]
UDF-fs: error (device loop0): udf_read_tagged: tag version 0x0000 != 0x0002 || 0x0003, block 0
UDF-fs: warning (device loop0): udf_load_vrs: No anchor found
UDF-fs: Scanning with blocksize 512 failed
UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp 2022/11/22 14:59 (1000)
==================================================================
BUG: KASAN: use-after-free in crc_itu_t+0x1d1/0x2a0 lib/crc-itu-t.c:60
Read of size 1 at addr ffff8880713dc000 by task syz-executor159/3543
CPU: 0 PID: 3543 Comm: syz-executor159 Not tainted 6.1.30-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023
print_report+0x15f/0x4f0 mm/kasan/report.c:395
kasan_report+0x136/0x160 mm/kasan/report.c:495
crc_itu_t+0x1d1/0x2a0 lib/crc-itu-t.c:60
udf_finalize_lvid fs/udf/super.c:2022 [inline]
udf_sync_fs+0x1ce/0x380 fs/udf/super.c:2378
sync_filesystem+0xe8/0x220 fs/sync.c:56
generic_shutdown_super+0x6b/0x340 fs/super.c:474
kill_block_super+0x7a/0xe0 fs/super.c:1450
deactivate_locked_super+0xa0/0x110 fs/super.c:332
cleanup_mnt+0x490/0x520 fs/namespace.c:1186
task_work_run+0x246/0x300 kernel/task_work.c:179
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0x6fb/0x2300 kernel/exit.c:869
do_group_exit+0x202/0x2b0 kernel/exit.c:1019
__do_sys_exit_group kernel/exit.c:1030 [inline]
__se_sys_exit_group kernel/exit.c:1028 [inline]
__x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1028
RIP: 0033:0x7f32f6dca4e9
Code: Unable to access opcode bytes at 0x7f32f6dca4bf.
RSP: 002b:00007ffd883df788 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007f32f6e69450 RCX: 00007f32f6dca4e9
page:ffffea0001c4f700 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x713dc
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea0001c09f48 ffffea0001c4eb08 0000000000000000
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x18d/0x1b0 mm/page_alloc.c:2533
prep_new_page mm/page_alloc.c:2540 [inline]
get_page_from_freelist+0x32ed/0x3480 mm/page_alloc.c:4292
__alloc_pages+0x28d/0x770 mm/page_alloc.c:5559
__folio_alloc+0xf/0x30 mm/page_alloc.c:5591
vma_alloc_folio+0x486/0x990 mm/mempolicy.c:2241
alloc_page_vma include/linux/gfp.h:284 [inline]
do_anonymous_page mm/memory.c:4123 [inline]
handle_pte_fault mm/memory.c:4962 [inline]
__handle_mm_fault mm/memory.c:5106 [inline]
handle_mm_fault+0x2e85/0x5330 mm/memory.c:5227
faultin_page mm/gup.c:1009 [inline]
__get_user_pages+0x4f3/0x1190 mm/gup.c:1233
__get_user_pages_locked mm/gup.c:1437 [inline]
__get_user_pages_remote+0x1cd/0x750 mm/gup.c:2190
get_arg_page+0x147/0x370 fs/exec.c:220
copy_string_kernel+0x144/0x1e0 fs/exec.c:637
do_execveat_common+0x3ba/0x720 fs/exec.c:1916
do_execve fs/exec.c:2016 [inline]
__do_sys_execve fs/exec.c:2092 [inline]
__se_sys_execve fs/exec.c:2087 [inline]
__x64_sys_execve+0x8e/0xa0 fs/exec.c:2087
free_pcp_prepare mm/page_alloc.c:1510 [inline]
free_unref_page_prepare+0xf63/0x1120 mm/page_alloc.c:3388
free_unref_page_list+0x107/0x810 mm/page_alloc.c:3530
release_pages+0x2836/0x2b40 mm/swap.c:1055
tlb_batch_pages_flush mm/mmu_gather.c:59 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:254 [inline]
tlb_flush_mmu+0xfc/0x210 mm/mmu_gather.c:261
tlb_finish_mmu+0xce/0x1f0 mm/mmu_gather.c:361
exit_mmap+0x3c3/0x9f0 mm/mmap.c:3139
__mmput+0x115/0x3c0 kernel/fork.c:1191
exit_mm+0x226/0x300 kernel/exit.c:563
do_exit+0x67e/0x2300 kernel/exit.c:856
do_group_exit+0x202/0x2b0 kernel/exit.c:1019
__do_sys_exit_group kernel/exit.c:1030 [inline]
__se_sys_exit_group kernel/exit.c:1028 [inline]
__x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1028
Memory state around the buggy address:
ffff8880713dbf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8880713dbf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880713dc000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff8880713dc080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8880713dc100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
---
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to change bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: a343b0dd87b4 Linux 6.1.30
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=146e47c1280000
kernel config: https://syzkaller.appspot.com/x/.config?x=5265a3c898f3cbbb
dashboard link: https://syzkaller.appspot.com/bug?extid=5cf976404e004598be30
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14e73bb9280000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=161f54cd280000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/195d974b1f1c/disk-a343b0dd.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ea41850547fb/vmlinux-a343b0dd.xz
kernel image: https://storage.googleapis.com/syzbot-assets/13ec9e70ad28/bzImage-a343b0dd.xz
mounted in repro #1: https://storage.googleapis.com/syzbot-assets/b3c5520d093d/mount_0.gz
mounted in repro #2: https://storage.googleapis.com/syzbot-assets/20f528931104/mount_3.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
UDF-fs: error (device loop0): udf_read_tagged: tag version 0x0000 != 0x0002 || 0x0003, block 0
UDF-fs: warning (device loop0): udf_load_vrs: No anchor found
UDF-fs: Scanning with blocksize 512 failed
UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp 2022/11/22 14:59 (1000)
==================================================================
BUG: KASAN: use-after-free in crc_itu_t+0x1d1/0x2a0 lib/crc-itu-t.c:60
CPU: 0 PID: 3543 Comm: syz-executor159 Not tainted 6.1.30-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
print_report+0x15f/0x4f0 mm/kasan/report.c:395
kasan_report+0x136/0x160 mm/kasan/report.c:495
crc_itu_t+0x1d1/0x2a0 lib/crc-itu-t.c:60
udf_finalize_lvid fs/udf/super.c:2022 [inline]
udf_sync_fs+0x1ce/0x380 fs/udf/super.c:2378
sync_filesystem+0xe8/0x220 fs/sync.c:56
generic_shutdown_super+0x6b/0x340 fs/super.c:474
kill_block_super+0x7a/0xe0 fs/super.c:1450
deactivate_locked_super+0xa0/0x110 fs/super.c:332
cleanup_mnt+0x490/0x520 fs/namespace.c:1186
task_work_run+0x246/0x300 kernel/task_work.c:179
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0x6fb/0x2300 kernel/exit.c:869
do_group_exit+0x202/0x2b0 kernel/exit.c:1019
__do_sys_exit_group kernel/exit.c:1030 [inline]
__se_sys_exit_group kernel/exit.c:1028 [inline]
__x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1028
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
RIP: 0033:0x7f32f6dca4e9
Code: Unable to access opcode bytes at 0x7f32f6dca4bf.
RSP: 002b:00007ffd883df788 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007f32f6e69450 RCX: 00007f32f6dca4e9
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
RBP: 0000000000000001 R08: ffffffffffffffb8 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f32f6e69450
RBP: 0000000000000001 R08: ffffffffffffffb8 R09: 0000000000000000
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
</TASK>
The buggy address belongs to the physical page:
</TASK>
page:ffffea0001c4f700 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x713dc
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea0001c09f48 ffffea0001c4eb08 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 3542, tgid 3542 (sh), ts 64109654106, free_ts 64434310084
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x18d/0x1b0 mm/page_alloc.c:2533
prep_new_page mm/page_alloc.c:2540 [inline]
get_page_from_freelist+0x32ed/0x3480 mm/page_alloc.c:4292
__alloc_pages+0x28d/0x770 mm/page_alloc.c:5559
__folio_alloc+0xf/0x30 mm/page_alloc.c:5591
vma_alloc_folio+0x486/0x990 mm/mempolicy.c:2241
alloc_page_vma include/linux/gfp.h:284 [inline]
do_anonymous_page mm/memory.c:4123 [inline]
handle_pte_fault mm/memory.c:4962 [inline]
__handle_mm_fault mm/memory.c:5106 [inline]
handle_mm_fault+0x2e85/0x5330 mm/memory.c:5227
faultin_page mm/gup.c:1009 [inline]
__get_user_pages+0x4f3/0x1190 mm/gup.c:1233
__get_user_pages_locked mm/gup.c:1437 [inline]
__get_user_pages_remote+0x1cd/0x750 mm/gup.c:2190
get_arg_page+0x147/0x370 fs/exec.c:220
copy_string_kernel+0x144/0x1e0 fs/exec.c:637
do_execveat_common+0x3ba/0x720 fs/exec.c:1916
do_execve fs/exec.c:2016 [inline]
__do_sys_execve fs/exec.c:2092 [inline]
__se_sys_execve fs/exec.c:2087 [inline]
__x64_sys_execve+0x8e/0xa0 fs/exec.c:2087
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1460 [inline]
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pcp_prepare mm/page_alloc.c:1510 [inline]
free_unref_page_prepare+0xf63/0x1120 mm/page_alloc.c:3388
free_unref_page_list+0x107/0x810 mm/page_alloc.c:3530
release_pages+0x2836/0x2b40 mm/swap.c:1055
tlb_batch_pages_flush mm/mmu_gather.c:59 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:254 [inline]
tlb_flush_mmu+0xfc/0x210 mm/mmu_gather.c:261
tlb_finish_mmu+0xce/0x1f0 mm/mmu_gather.c:361
exit_mmap+0x3c3/0x9f0 mm/mmap.c:3139
__mmput+0x115/0x3c0 kernel/fork.c:1191
exit_mm+0x226/0x300 kernel/exit.c:563
do_exit+0x67e/0x2300 kernel/exit.c:856
do_group_exit+0x202/0x2b0 kernel/exit.c:1019
__do_sys_exit_group kernel/exit.c:1030 [inline]
__se_sys_exit_group kernel/exit.c:1028 [inline]
__x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1028
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
Memory state around the buggy address:
ffff8880713dbf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880713dc000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff8880713dc080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8880713dc100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the bug is already fixed, let syzbot know by replying with:
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Reply all
Reply to author
Forward
0 new messages