Hello,
syzkaller hit the following crash on d9e0e63d9a6f88440eb201e1491fcf730272c706
git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.
Unfortunately, I don't have any reproducer for this bug yet.
==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x41a5/0x4770
kernel/locking/lockdep.c:3378
Read of size 8 at addr ffff8800277eba78 by task syz-executor5/4581
CPU: 1 PID: 4581 Comm: syz-executor5 Not tainted 4.14.0-rc8-next-20171110+ #12
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
print_address_description+0x73/0x250 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report+0x25b/0x340 mm/kasan/report.c:409
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430
__lock_acquire+0x41a5/0x4770 kernel/locking/lockdep.c:3378
lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4004
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x96/0xc0 kernel/locking/spinlock.c:159
destroy_async_on_interface+0x136/0x530 drivers/usb/core/devio.c:656
driver_disconnect+0xdd/0x140 drivers/usb/core/devio.c:702
usb_unbind_interface+0x229/0xb00 drivers/usb/core/driver.c:423
__device_release_driver drivers/base/dd.c:870 [inline]
device_release_driver_internal+0x52a/0x600 drivers/base/dd.c:903
device_release_driver+0x19/0x20 drivers/base/dd.c:928
usb_driver_release_interface+0x138/0x160 drivers/usb/core/driver.c:604
proc_disconnect_claim+0x221/0x380 drivers/usb/core/devio.c:2283
usbdev_do_ioctl+0x16a5/0x3670 drivers/usb/core/devio.c:2525
usbdev_ioctl+0x25/0x30 drivers/usb/core/devio.c:2553
vfs_ioctl fs/ioctl.c:46 [inline]
do_vfs_ioctl+0x1b1/0x1530 fs/ioctl.c:686
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
entry_SYSCALL_64_fastpath+0x1f/0x96
RIP: 0033:0x447c99
RSP: 002b:00007f79b3b23bd8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f79b3b246cc RCX: 0000000000447c99
RDX: 000000002021c000 RSI: 000000008108551b RDI: 0000000000000013
RBP: 0000000000000086 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 0000000000008670 R14: 00000000006ec710 R15: 00007f79b3b24700
Allocated by task 4505:
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
kmem_cache_alloc_trace+0x136/0x750 mm/slab.c:3614
kmalloc include/linux/slab.h:514 [inline]
kzalloc include/linux/slab.h:703 [inline]
alloc_perf_context+0x4c/0xe0 kernel/events/core.c:3726
find_get_context.isra.83+0x16f/0x670 kernel/events/core.c:3815
SYSC_perf_event_open+0xd38/0x2f10 kernel/events/core.c:9991
SyS_perf_event_open+0x39/0x50 kernel/events/core.c:9822
entry_SYSCALL_64_fastpath+0x1f/0x96
Freed by task 0:
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3492 [inline]
kfree+0xca/0x250 mm/slab.c:3807
free_ctx+0x47/0x60 kernel/events/core.c:1160
__rcu_reclaim kernel/rcu/rcu.h:172 [inline]
rcu_do_batch kernel/rcu/tree.c:2676 [inline]
invoke_rcu_callbacks kernel/rcu/tree.c:2935 [inline]
__rcu_process_callbacks kernel/rcu/tree.c:2902 [inline]
rcu_process_callbacks+0xd74/0x17d0 kernel/rcu/tree.c:2919
__do_softirq+0x29d/0xbb2 kernel/softirq.c:285
The buggy address belongs to the object at ffff8800277eba40
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 56 bytes inside of
512-byte region [ffff8800277eba40, ffff8800277ebc40)
The buggy address belongs to the page:
page:ffffea00009dfac0 count:1 mapcount:0 mapping:ffff8800277eb040 index:0xffff8800277ebcc0
flags: 0x100000000000100(slab)
raw: 0100000000000100 ffff8800277eb040 ffff8800277ebcc0 0000000100000004
raw: ffffea0000b59c60 ffffea0000b488e0 ffff88002dc00940 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8800277eb900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8800277eb980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
> ffff8800277eba00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
^
ffff8800277eba80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8800277ebb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.
Please credit me with: Reported-by: syzbot <syzk...@googlegroups.com>
syzbot will keep track of this bug report.
Once a fix for this bug is committed, please reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug report.
Note: all commands must start from beginning of the line in the email body.