Found bugs
Most recent bugs are reported by syzbot and are listed in the syzbot bug list and on the syzbot dashboard. Additional USB bugs are tracked in a separate list.
Newer bugs are listed first.
- KASAN: use-after-free Read in screen_glyph_unicode
- KASAN: use-after-free Read in vc_do_resize
- KASAN: use-after-free in usb_hcd_unlink_urb
- KASAN: slab-out-of-bounds Read in gadget_dev_desc_UDC_store
- KASAN: use-after-free Write in snd_rawmidi_kernel_write1
- KASAN: use-after-free Write in config_item_get
- KASAN: use-after-free Read in f_hidg_poll
- KASAN: use-after-free Read in printer_ioctl
- KASAN: null-ptr-deref Read in tty_wakeup
- KASAN: use-after-free in afs_wake_up_async_call
- KASAN: use-after-free Read in gs_flush_chars
- kernel BUG at net/core/skbuff.c
- io_uring: avoid page allocation warnings
- io_uring: free allocated io_memory once
- io_uring: fix SQPOLL cpu validation
- locks: use-after-free in perf_trace_lock_acquire CVE-2019-19769
- cirrusfb: divide errors in cirrusfb_check_var/cirrusfb_check_pixclock/cirrusfb_set_par_foo
- floppy: fix out-of-bounds read in copy_buffer
- floppy: fix invalid pointer dereference in drive_name
- floppy: fix out-of-bounds read in next_valid_format
- floppy: fix div-by-zero in setup_format_params
- bpf: BPF_PROG_TEST_RUN leads to unkillable process
- timer_settime leads to unkillable process
- UBSAN: Undefined behaviour in drivers/scsi/sr_ioctl.c
- KASAN: use-after-free Read in ata_scsi_mode_select_xlat
- UBSAN: Undefined behaviour in fs/f2fs/extent_cache.c
- UBSAN: Undefined behaviour in drivers/input/misc/uinput.c
- general protection fault in spk_ttyio_ldisc_close
- rtnetlink: give a user socket to get_target_net() CVE-2018-14646
- tipc: NULL deref in tipc_net_finalize
- Kernel crash at i2cdev_ioctl_rdwr in drivers/i2c/i2c-dev.c
- UBSAN: Undefined behaviour in drivers/input/mousedev.c
- UBSAN: Undefined behaviour in mm/page_alloc.c
- WARNING in pkt setup dev
- UBSAN: Undefined behaviour in drivers/net/ppp/ppp_generic.c
- KASAN: use-after-free Read in raw_cmd_done
- KMSAN: uninit-value in selinux_socket_bind, selinux_socket_connect_helper
- UBSAN: Undefined behaviour in drivers/block/floppy.c
- net: BUG still has locks held in unix_stream_splice_read
- general protection fault in sockfs_setattr CVE-2018-12232
- KASAN: slab out of bounds Write in __jfs_setxattr CVE-2018-12233
- RDMA/mlx5: Fix NULL dereference while accessing XRC_TGT QPs
- KASAN: use-after-free Read in set_page_dirty_lock
- System freeze and NULL pointer dereference
- RDS: WARNING in rds_recv_hs_exthdrs
- RDS: slab-out-of-bounds Read in rds_rdma_extra_size
- netfilter: fix out-of-bounds accesses in clusterip_tg_check()
- net: hang in unregister_netdevice: waiting for lo to become free
- scsi: sg: assorted memory corruptions
- kcm: memory leak in kcm_sendmsg
- AF_KEY: memory leak in key_notify_policy
- sctp: memory leak in sctp_endpoint_init
- tipc: memory leak in tipc_nl_node_get_link
- tun: memory leak in tun_set_iff
- net/8021q: memory leak in register_vlan_dev
- net: memory leak in socket
- scsi: memory leak in sg_start_req
- sunrpc: infinite unkillable console spam in xs_tcp_setup_socket
- fs: possible deadlock in do_iter_write/do_splice
- net/ipv6: warning in __alloc_pages_slowpath/ipip6_tunnel_get_prl
- net/ipv6: GPF in rt6_ifdown
- net/ipv4: trying to register non-static key in ip_mc_clear_src
- net/can: trying to register non-static key in can_rx_register
- net: general protection fault in deactivate_slab
- net/ipv4: use-after-free in add_grec
- net/ipv6: use-after-free in ip6_dst_ifdown
- tty: possible deadlock in tty_buffer_flush
- net/ipv6: general protection fault in skb_release_data CVE-2017-9242
- drivers/net/hamradio: divide error in hdlcdrv_ioctl
- tty: fix port buffer locking
- kvm: warning in kvm_load_guest_fpu
- drivers/scsi: GPF in sg_read
- net/ipv4: use-after-free in ip_mc_drop_socket CVE-2017-8890 CVE-2017-9075 CVE-2017-9076 CVE-2017-9077
- net/ipv6: GPF in rt6_device_match
- x86: warning: kernel stack regs has bad ‘bp’ value
- net/key: slab-out-of-bounds in pfkey_compile_policy
- net/ipv6: warning in inet6_ifa_finish_destroy
- net/ipv6: use-after-free in __call_rcu/in6_dev_finish_destroy_rcu
- net/ipv6: slab-out-of-bounds in ip6_tnl_xmit
- net/rose: null-ptr-deref in rose_route_frame
- time: hang due to timer_create/timer_settime
- net/core: BUG in unregister_netdevice_many
- net/xfrm: stack-out-of-bounds in xfrm_state_find
- net/bonding: stack-out-of-bounds in bond_enslave
- net: ipv6: RTF_PCPU should not be settable from userspace
- fs/notify/inotify: slab-out-of-bounds write in strcpy CVE-2017-7533
- net/ipv6: slab-out-of-bounds read in seg6_validate_srh
- kernel BUG at mm/hugetlb.c:742!
- net/key: slab-out-of-bounds in parse_ipsecrequests
- net/ipv4: use-after-free in ipv4_datagram_support_cmsg
- net/ipv4: use-after-free in ip_queue_xmit
- net: use-after-free in __ns_get_path
- net/ipv4: use-after-free in ip_check_mc_rcu
- net/ipv6: use-after-free in ipv6_sock_ac_close
- net/ipv4: use-after-free in ipv4_mtu
- net/dccp: BUG in tfrc_rx_hist_sample_rtt
- net/sctp: list double add warning in sctp_endpoint_add_asoc
- kvm: use-after-free in srcu_reschedule
- ata: WARNING in ata_bmdma_qc_issue
- net/sched: GPF in qdisc_hash_add
- sg: random memory corruptions
- fs: GPF in deactivate_locked_super
- loop: WARNING in sysfs_remove_group
- lib, fs, cgroup: WARNING in percpu_ref_kill_and_confirm
- ata: WARNING in ata_qc_issue
- security, hugetlbfs: write to user memory in hugetlbfs_destroy_inode
- netlink: NULL timer crash
- kvm: use-after-free function call in kvm_io_bus_destroy
- sound: use-after-free in snd_seq_cell_alloc
- usb: use-after-free write in usb_hcd_link_urb_to_ep
- net/kcm: double free of kcm inode
- crypto: out-of-bounds write in pre_crypt
- security: double-free in superblock_doinit
- kvm: WARNING in kvm_apic_accept_events
- tcp: fix potential double free issue for fastopen_req
- net/udp: slab-out-of-bounds Read in udp_recvmsg
- net: deadlock between ip_expire/sch_direct_xmit
- srcu: BUG in __synchronize_srcu
- net/sctp: recursive locking in sctp_do_peeloff
- kvm: WARNING in vmx_handle_exit
- futex: use-after-free in futex_wait_requeue_pi
- kvm/arm64: use-after-free in kvm_vm_ioctl/vmacache_update
- kvm/arm64: use-after-free in kvm_unmap_hva_handler/unmap_stage2_pmds
- local privilege escalation flaw in n_hdlc CVE-2017-2636
- netlink: GPF in netlink_unicast
- perf: use-after-free in perf_release
- net/ipv6: null-ptr-deref in ip6mr_sk_done
- bpf: kernel NULL pointer dereference in map_get_next_key
- crypto: deadlock between crypto_alg_sem/rtnl_mutex/genl_mutex
- kvm: use-after-free in vmx_check_nested_events/vmcs12_guest_cr0
- sound: another deadlock in snd_seq_pool_done
- rcu: WARNING in rcu_seq_end
- fs: use-after-free in path_lookupat
- ucount: use-after-free read in inc_ucount & dec_ucount
- net/ipv4: division by 0 in tcp_select_window
- net: heap out-of-bounds in fib6_clean_node/rt6_fill_node/fib6_age/fib6_prune_clone
- mm: use-after-free in zap_page_range
- net/kcm: use-after-free in kcm_wq
- idr: use-after-free write in ida_get_new_above
- sg: stack out-of-bounds write in sg_write CVE-2017-7187
- cgroup: WARNING in cgroup_kill_sb
- net/rds: use-after-free in rds_find_bound/memcmp
- net: sleeping function called from invalid context in net_enable_timestamp
- net: use-after-free in neigh_timer_handler/sock_wfree
- net/sctp: use-after-free in sctp_association_put
- fs: use-after-free in userfaultfd_exit
- net/ipv4: inconsistent lock state in tcp_conn_request/inet_ehash_insert
- net/ipv4: suspicious RCU usage in ip_ra_control
- net/ipv4: deadlock in ip_ra_control
- net/dccp: dccp_create_openreq_child freed held lock
- nested_vmx_merge_msr_bitmap
- ipc: use-after-free in shm_get_unmapped_area
- sounds: deadlocked processed in snd_seq_pool_done
- net/atm: vcc_sendmsg calls kmem_cache_alloc in non-blocking context
- ata: WARNING in ata_sff_qc_issue
- net/rds: use-after-free in inet_create
- mm: fault in __do_fault
- kvm: WARNING in nested_vmx_vmexit
- net: GPF in rt6_nexthop_info
- sound: spinlock lockup in snd_timer_user_tinterrupt
- mm: GPF in bdi_put
- net/sctp: use-after-free in sctp_hash_transport
- net/bridge: warning in br_fdb_find
- net/ipv6: null-ptr-deref in ip6_route_del/lock_acquire
- net: possible deadlock in skb_queue_tail
- DCCP double-free vulnerability (local root) CVE-2017-6074
- net: warning in inet_sock_destruct
- net/pptp: use-after-free in dst_release
- net/udp: slab-out-of-bounds in udp_recvmsg/do_csum CVE-2017-6347
- WARNING in skb_warn_bad_offload
- tty: panic in tty_ldisc_restore
- net: BUG in __skb_gso_segment
- net/dccp: use-after-free in dccp_feat_activate_values
- net/kcm: GPF in kcm_sendmsg
- net/xfrm: stack out-of-bounds in xfrm_flowi_sport
- net/llc: BUG in llc_sap_state_process/skb_set_owner_r CVE-2017-6345
- net/llc: bug in llc_pdu_init_as_xid_cmd/skb_over_panic
- net/packet: use-after-free in packet_rcv_fanout
- net: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected in skb_array_produce
- net/ipv4: null-ptr-deref in udp_rmem_release/sk_memory_allocated_sub
- net/sctp: null-ptr-deref in sctp_put_port/sctp_endpoint_destroy
- net/ipv4: warning in nf_nat_ipv4_fn
- net/ipv6: double free in ipip6_dev_free
- sound: use-after-free in snd_seq_queue_alloc
- loop: divide error in transfer_xor
- net/xfrm: use of uninit spinlock in xfrm_policy_flush
- mm: double-free in cgwb_bdi_init
- packet: round up linear to header len
- net/icmp: null-ptr-deref in ping_v4_push_pending_frames
- net/kcm: WARNING in kcm_write_msgs
- tcp: avoid infinite loop in tcp_splice_read() CVE-2017-6214
- tun: read vnet_hdr_sz once
- macvtap: read vnet_hdr_size once
- udp: properly cope with csum errors
- ipv6: tcp: add a missing tcp_v6_restore_cb()
- ip6_gre: fix ip6gre_err() invalid reads CVE-2017-5897
- ipv4: keep skb->dst around in presence of IP options CVE-2017-5970
- net: use a work queue to defer net_disable_timestamp() work
- netlabel: out of bound access in cipso_v4_validate()
- ipv6: pointer math error in ip6_tnl_parse_tlv_enc_lim()
- net: heap out-of-bounds in ip6_fragment CVE-2017-9074
- tcp: fix 0 divide in __tcp_select_window()
- keys: GPF in request_key
- net/tcp: warning in tcp_try_coalesce/skb_try_coalesce
- crypto: NULL deref in sha512_mb_mgr_get_comp_job_avx2
- sound: unable to handle kernel paging request snd_seq_prioq_cell_out
- scsi: BUG in scsi_init_io
- mm: sleeping function called from invalid context shmem_undo_range
- timerfd: use-after-free in timerfd_remove_cancel
- scsi: use-after-free in sg_start_req
- mm: deadlock between get_online_cpus/pcpu_alloc
- BUG at net/sctp/socket.c:7425
- kvm: use-after-free in irq_bypass_register_consumer
- net: suspicious RCU usage in nf_hook
- kvm: fix page struct leak in handle_vmon CVE-2017-2596
- ipv6: fix ip6_tnl_parse_tlv_enc_lim()
- kvm: WARNING in mmu_spte_clear_track_bits
- perf: use-after-free in perf_event_for_each
- net: use-after-free in tw_timer_handler
- namespace: deadlock in dec_pid_namespaces
- sctp: kernel memory overwrite attempt detected in sctp_getsockopt_assoc_stats
- kvm: deadlock in kvm_vgic_map_resources
- net/atm: warning in alloc_tx/__might_sleep
- net/ipv6: use-after-free in sock_wfree
- kvm: kvm: BUG in loaded_vmcs_init
- kvm: NULL deref in vcpu_enter_guest
- kvm: use-after-free in complete_emulated_mmio CVE-2017-2584
- kvm: BUG in kvm_unload_vcpu_mmu
- x86: warning in unwind_get_return_address
- ipc: BUG: sem_unlock unlocks non-locked lock
- kvm: WARNING in mmu_spte_clear_track_bits
- sctp: suspicious rcu_dereference_check() usage in sctp_epaddr_lookup_transport
- kvm: use-after-free in process_srcu
- kvm: assorted bugs after OOMs
- kvm: deadlock between kvm_io_bus_register_dev/kvm_hv_set_msr_common
- netlink: GPF in netlink_dump
- fs, net: deadlock between bind/splice on af_unix
- net: use-after-free in worker_thread
- net: signed overflows in SO_{SND|RCV}BUFFORCE sockopts CVE-2016-9793 CVE-2012-6704
- net/can: warning in raw_setsockopt/__alloc_pages_slowpath
- net/ipv6: null-ptr-deref in ip6_rt_cache_alloc
- net/dccp: use-after-free in dccp_invalid_packet
- net/sctp: vmalloc allocation failure in sctp_setsockopt/xt_alloc_table_info
- net: BUG in unix_notinflight
- net: GPF in eth_header CVE-2016-9755
- net: deadlock on genl_mutex
- net: GPF in rt6_get_cookie
- netlink: GPF in sock_sndtimeo
- scsi: use-after-free in bio_copy_from_iter CVE-2016-9576
- net/udp: bug in skb_pull_rcsum
- net/icmp: null-ptr-deref in icmp6_send CVE-2016-9919
- net/can: use-after-free in bcm_rx_thr_flush
- kvm: slab-out-of-bounds write in __apic_accept_irq CVE-2016-9777
- mm: BUG in pgtable_pmd_page_dtor
- logfs: GPF in logfs_alloc_inode
- mm, floppy: unkillable task faulting on fd0
- kvm: deadlock between kvm_vm_ioctl_get_dirty_log/kvm_hv_set_msr_common/kvm_create_pit
- kvm: WARNING in em_jmp_far CVE-2016-9756
- kvm: WARNING in rtc_status_pending_eoi_check_valid
- kvm: GPF in kvm_ioapic_set_irq
- mm: BUG in munlock_vma_pages_range
- kvm: WARNING in kvm_arch_vcpu_ioctl_run
- kvm: use-after-free/GPF in kvm_irq_delivery_to_apic_fast
- kvm: out-of-bounds write in __rtc_irq_eoi_tracking_restore_one
- kvm: BUG in pte_list_remove
- kvm: recursive lock in kvm_clear_async_pf_completion_queue
- kvm: WARNING in em_ret_far
- kvm: GPF in irqfd_shutdown/eventfd_ctx_remove_wait_queue
- kvm: GPF in gfn_to_rmap
- kvm: paging fault in kvm_gfn_to_hva_cache_init
- kvm: suspicious RCU usage/missed lock in kvm_lapic_set_vapic_addr
- kvm: use-after-free in irq_bypass_register_consumer
- kvm: WARNING in kvm_load_guest_fpu
- kvm: GPF in kvm_pic_set_irq
- kvm: GPF in irq_bypass_unregister_consumer
- kvm: GPF in __get_kvmclock_ns
- kvm: WARNING In kvm_apic_accept_events
- kvm: WARNING in __x86_set_memory_region
- tcp: take care of truncations done by sk_filter()
- net/l2tp: use-after-free write in l2tp_ip6_close
- net/sctp: null-ptr-deref in sctp_inet_listen
- net/tcp: warning in tcp_recvmsg
- net/netlink: another global-out-of-bounds in genl_family_rcv_msg/validate_nla
- bpf: kernel BUG in htab_elem_free
- net/netlink: global-out-of-bounds in genl_family_rcv_msg/validate_nla
- net/ipv6: null-ptr-deref in inet6_bind
- net/dccp: null-ptr-deref in dccp_parse_options
- net/dccp: null-ptr-deref in dccp_v4_rcv/selinux_socket_sock_rcv_skb
- net/tcp: null-ptr-deref in __inet_lookup_listener/inet_exact_dif_match
- net/dccp: warning in dccp_feat_clone_sp_val/__might_sleep
- net/can: warning in bcm_connect/proc_register
- net/ipv4: warning in inet_sock_destruct
- net/sctp: slab-out-of-bounds in sctp_sf_ootb CVE-2016-9555
- net/dccp: warning in dccp_set_state
- net/netlink: bad unlock balance in netlink_diag_dump
- net/netlink: null-ptr-deref in netlink_dump/lock_acquire
- net/ipx: null-ptr-deref in ipxrtr_route_packet
- net/sctp: use-after-free in __sctp_connect
- fs: WARNING in locks_unlink_lock_ctx (not holding proper lock)
- kernel BUG in dio_get_page
- drm: GPF in drm_getcap
- fs: GPF in bd_mount
- tty, fbcon: use-after-free in fbcon_invert_region
- drm: NULL pointer dereference in drm_mode_object_find()
- 6pack: stack-out-of-bounds in sixpack_receive_buf
- logfs: GPF in logfs_init_inode
- tty: use-after-free in n_tty_receive_buf_fast
- sound: divide by 0 in snd_hrtimer_callback (or hang)
- mm: GPF in __insert_vmap_area
- fs, tty: WARNING in devpts_get_priv
- fanotify: unkillable hanged processes
- drm: GPF in drm_context_switch_complete
- drm: GPF in drm_legacy_lock_free
- sound: division by 0 in snd_hrtimer_callback
- perf: WARNING in perf_event_read
- drm: WARNING in drm_irq_by_busid
- dri: WARNING in idr_remove
- mm: use-after-free in collapse_huge_page
- kcm: use-after-free in fput of kcm socket
- bdev: fix NULL pointer dereference in sync()/close() race
- bdev: fix NULL pointer dereference
- BUG: sleeping function called from invalid context at mm/mempolicy.c:553
- use-after-free in ppp_unregister_channel
- net/tipc: NULL-ptr dereference in tipc_nl_publ_dump
- HID: i2c-hid: fix OOB write in i2c_hid_set_or_send_report()
- mm: memory corruption on mmput
- perf: WARNING in perf_event_read
- 9p2000.L stat/unlink race (WARNING: fs/inode.c:280 drop_nlink)
- mm: page fault in __do_huge_pmd_anonymous_page
- usb: memory allocation WARNING in hcd_buffer_alloc
- dccp: potential deadlock in dccp_v4_ctl_send_reset
- mm: GPF in find_get_pages_tag
- mm: BUG in page_move_anon_rmap
- block: GPF in get_task_ioprio
- tty: stall in n_tty_ioctl/inq_canon
- random: negative entropy/overflow: pool input count -40000
- bpf: use after free in array_map_alloc CVE-2016-4794
- kvm: use-after-free in kvm_irqfd_release
- kvm: GPF in kvm_lapic_set_tpr
- sound: use-after-free in hrtimer_cancel
- sound: hang in snd_timer_interrupt
- sound: deadlock involving snd_hrtimer_callback
- fs: GPF in locked_inode_to_wb_and_lock_list
- x86: bad pte in pageattr_test
- tty: memory leak in tty_open
- net: memory leak due to CLONE_NEWNET
- lockdep WARNING in get_online_cpus
- mm: BUG in khugepaged_scan_mm_slot
- sound: use-after-free in snd_timer_interrupt
- scsi: machine hang due to write to /dev/sg0
- AMD newest ucode 0x06000832 for Piledriver-based CPUs seems to behave in a problematic way
- sound: uninterruptible hang in snd_seq_oss_writeq_sync
- fs: uninterruptible hang in handle_userfault
- net: memory leak in N_6PACK driver
- net: memory leak in lapb_register
- net: memory leak in mkiss_open
- sound: list corruption in delete_and_unsubscribe_port
- kvm: GPF in kvm_pic_clear_all
- kvm: GPF in kvm_irq_map_gsi
- tty: memory leak in tty_register_driver
- sound: memory leak in snd_seq_pool_init
- tty: deadlock between tty_buffer_flush/n_tracesink_open
- sound: heap out-of-bounds write in dummy_systimer_prepare
- fs: NULL deref in atime_needs_update
- sound: spinlock lockup in snd_seq_oss_write
- net: memory leak in ip_cmsg_send
- net/irda: BUG: looking up invalid subclass: 4294967295 CVE-2017-6348
- sound: use-after-free in snd_timer_start1
- tty: tty_struct memory leak
- gigaset: memory leak in gigaset_initcshw
- sound: out-of-bounds write in snd_rawmidi_kernel_write1
- mm: uninterruptable tasks hanged on mmap_sem
- sound: another WARNING in rawmidi_transmit_ack
- sound: use-after-free in snd_seq_deliver_single_event
- sound: WARNING in snd_rawmidi_kernel_write1
- sound: deadlock between snd_pcm_oss_write/snd_pcm_oss_mmap
- ata: BUG in ata_sff_hsm_move
- WARNING in set_restore_sigmask
- BUG: bad unlock balance detected in vma_unlock_anon_vma
- bluetooth: use-after-free in vhci_send_frame
- mm: another VM_BUG_ON_PAGE(PageTail(page))
- scsi: NULL deref in sg_start_req
- mm: BUG in expand_downwards
- sound: heap out-of-bounds write in dummy_systimer_prepare
- WARNING in do_jobctl_trap
- mm: VM_BUG_ON_PAGE(PageTail(page)) in mbind
- net/bluetooth: workqueue destruction WARNING in hci_unregister_dev
- gpu: kmalloc size WARNING in vga_arb_write
- net/rfkill: WARNING in rfkill_fop_read
- sound: use-after-free in _snd_timer_stop
- net/irda: use-after-free in ircomm_param_request
- net/sctp: out-of-bounds access in sctp_add_bind_addr
- ext4: BUG: scheduling while atomic in ext4_commit_super
- sound: WARNING in snd_rawmidi_transmit_ack
- floppy: GPF in floppy_rb0_cb
- tty: kmalloc size WARNING in vc_do_resize
- mm: WARNING in __delete_from_page_cache
- sound: WARNING in snd_seq_oss_synth_cleanup
- sound: deadlock between snd_rawmidi_kernel_open/snd_seq_port_connect
- net: GPF in netlink_getsockbyportid
- fs: use-after-free in link_path_walk
- fs: sandboxed process brings host down
- net: use-after-free in recvmmsg
- struct pid memory leak
- net: WARNING in dccp_set_state
- mm: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected in split_huge_page_to_list
- sound: BUG in snd_ctl_find_numid
- net: GPF in __netlink_ns_capable
- crypto: slab-out-of-bounds in skcipher_recvmsg
- net: hang in ip_finish_output
- kvm: access to invalid memory in mmu_zap_unsync_children
- kvm: using uninitialized var in tdp_page_fault
- sound: spinlock lockup in sound/core/timer.c
- sound: GPF in snd_timer_user_params
- sound: use-after-free in snd_timer_interrupt
- sound: use-after-free in snd_timer_user_ioctl
- crypto: use-after-free in skcipher_sock_destruct
- net/sctp: use-after-free in __sctp_connect
- net: WARNING in tcp_recvmsg
- sound: use-after-free in snd_timer_stop
- sound: GPF in snd_seq_fifo_clear
- crypto: ablk_decrypt causes BUG in scatterwalk
- kvm: GPF in native_set_debugreg
- kvm: GPF in kvm_lapic_latched_init
- kvm: WARNING in kvm_apic_accept_events
- kvm: vmalloc allocation failure in kvm_vm_ioctl
- kvm: vmalloc allocation failure in kvm_vcpu_ioctl_set_cpuid
- kvm: WARNING in __x86_set_memory_region
- kvm: WARNING in exception_type
- mm: possible deadlock in mm_take_all_locks
- net/nfc: GPF in llcp_sock_getname
- net/netlink: memory leak in netlink_sendmsg
- net/tipc: memory leak in tipc_release
- memory leak in lapb_create_cb
- net/sctp: sctp_datamsg memory leak
- net/sctp: sock memory leak
- net/nfc: user-controllable kmalloc size in nfc_llcp_send_ui_frame
- tty: deadlock between n_tracerouter_receivebuf and flush_to_ldisc
- crypto: use-after-free in alg_bind
- crypto: deadlock in alg_setsockopt
- crypto: use-after-free in rng_recvmsg
- use-after-free in skcipher_bind
- 9p: sleeping function called from invalid context in v9fs_vfs_atomic_open_dotl
- fs: WARNING in locks_free_lock_context
- net: user-controllable kmalloc size in __sctp_setsockopt_connectx
- GPF in gf128mul_64k_bbe
- use-after-free in hash_sock_destruct
- GPF in lrw_crypt
- bad page state due to PF_ALG socket
- use-after-free in skcipher_sock_destruct
- use-after-free in sixpack_close
- net: heap-out-of-bounds in sock_setsockopt
- BUG_ON(!PageLocked(page)) in munlock_vma_page
- perf: stalls in perf_install_in_context/perf_remove_from_context
- Information leak in sco_sock_bind CVE-2015-8575
- Information leak in llcp_sock_bind/llcp_raw_sock_bind
- Information leak in pptp_bind
- use-after-free in pptp_connect
- GPF in keyctl CVE-2015-7550
- another use-after-free in sctp_do_sm
- use-after-free in inet6_destroy_sock
- WARNING in crypto_wait_for_test
- int overflow in io_getevents
- use-after-free in ip6_xmit
- use-after-free in __perf_install_in_context
- undefined shift in __bpf_prog_run
- signed integer overflow in ktime_add_safe
- jump label: negative count!
- memory leak in alloc_huge_page
- memory leak in do_ipv6_setsockopt
- heap out-of-bounds access in array_map_update_elem
- deadlock in perf_ioctl
- user-controllable kmalloc size in bpf syscall
- net: use after free in ip6_make_skb
- user-controllable kmalloc size in sctp_getsockopt_local_addrs
- use-after-free in ip6_setup_cork
- gigaset: freeing an active object
- Freeing active kobject in pps_device_destruct
- GPF in process_one_work (flush_to_ldisc)
- use-after-free in tty_check_change
- WARNING in tcp_recvmsg
- use-after-free in irtty_open
- use-after-free in sock_wake_async
- WARNING in handle_mm_fault
- WARNING in gsm_cleanup_mux
- use-after-free in sctp_do_sm
- yet another uninterruptable hang in sendfile
- GPF in add_key
- another uninterruptable hang in sendfile
- deadlock during fuseblk shutdown
- tty,net: use-after-free in x25_asy_open_tty
- deadlock between tty_write and tty_send_xchar
- WARNING in shmem_evict_inode
- Deadlock between setsockopt/getsockopt
- Deadlock between bind and splice
- Use-after-free in ipv4_conntrack_defrag
- Use-after-free in selinux_ip_postroute_compat
- Use-after-free in unshare
- GPF in tcp_sk_init/icmp_sk_init
- lockdep warning in ip_mc_msfget
- WARNING in task_participate_group_stop
- Resource leak in unshare
- Paging fault with hard IRQs disabled in getsockopt
- Unkillable processes due to PTRACE_TRACEME
- Use-after-free in ep_remove_wait_queue CVE-2013-7446
- GPF in shm_lock
- GPF in rt6_uncached_list_flush_dev
- Infinite loop in ip6_fragment
- Uninterruptable hang in sendfile
- GPF in keyring_destroy CVE-2015-7872
Original link: https://github.com/google/syzkaller/blob/master/docs/linux/found_bugs.md
Topic selection: jxlpzqc
This article will be translated by the HCTT translation team and is proudly presented by the OpenAtom Open Source Club of Huazhong University of Science and Technology.