KASAN: use-after-free Read in shmem_fault


syzbot

Apr 14, 2019, 5:33:10 AM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 605e2ec6 ANDROID: cpufreq: times: add /proc/uid_concurrent..
git tree: android-4.9
console output: https://syzkaller.appspot.com/x/log.txt?x=1211667d400000
kernel config: https://syzkaller.appspot.com/x/.config?x=13f9a89fd206e10e
dashboard link: https://syzkaller.appspot.com/bug?extid=28f55cd2f08f3b885106
compiler: gcc (GCC) 8.0.1 20180413 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+28f55c...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in trace_event_get_offsets_lock_acquire include/trace/events/lock.h:12 [inline]
BUG: KASAN: use-after-free in perf_trace_lock_acquire+0x458/0x530 include/trace/events/lock.h:12
Read of size 8 at addr ffff8801cdc7de28 by task syz-executor3/7584

CPU: 0 PID: 7584 Comm: syz-executor3 Not tainted 4.9.144+ #79
ffff8801a252f600 ffffffff81b43b89 ffffea0007371f00 ffff8801cdc7de28
0000000000000000 ffff8801cdc7de28 0000000000000000 ffff8801a252f638
ffffffff81500c38 ffff8801cdc7de28 0000000000000008 0000000000000000
Call Trace:
[<ffffffff81b43b89>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81b43b89>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
[<ffffffff81500c38>] print_address_description+0x6c/0x234 mm/kasan/report.c:256
[<ffffffff81501042>] kasan_report_error mm/kasan/report.c:355 [inline]
[<ffffffff81501042>] kasan_report.cold.6+0x242/0x2fe mm/kasan/report.c:412
[<ffffffff814f32f4>] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
[<ffffffff811ff2c8>] trace_event_get_offsets_lock_acquire include/trace/events/lock.h:12 [inline]
[<ffffffff811ff2c8>] perf_trace_lock_acquire+0x458/0x530 include/trace/events/lock.h:12
[<ffffffff8120cb99>] trace_lock_acquire include/trace/events/lock.h:12 [inline]
[<ffffffff8120cb99>] lock_acquire+0x299/0x3e0 kernel/locking/lockdep.c:3755
[<ffffffff82818086>] __raw_spin_lock include/linux/spinlock_api_smp.h:144 [inline]
[<ffffffff82818086>] _raw_spin_lock+0x36/0x50 kernel/locking/spinlock.c:151
[<ffffffff81462c31>] spin_lock include/linux/spinlock.h:302 [inline]
[<ffffffff81462c31>] shmem_fault+0x4d1/0x6d0 mm/shmem.c:1952
[<ffffffff81493173>] __do_fault+0x223/0x500 mm/memory.c:2833
[<ffffffff814a3916>] do_read_fault mm/memory.c:3180 [inline]
[<ffffffff814a3916>] do_fault mm/memory.c:3315 [inline]
[<ffffffff814a3916>] handle_pte_fault mm/memory.c:3516 [inline]
[<ffffffff814a3916>] __handle_mm_fault mm/memory.c:3603 [inline]
[<ffffffff814a3916>] handle_mm_fault+0x1326/0x2350 mm/memory.c:3640
[<ffffffff81490686>] faultin_page mm/gup.c:386 [inline]
[<ffffffff81490686>] __get_user_pages+0x446/0xf80 mm/gup.c:588
[<ffffffff81491fea>] populate_vma_page_range+0x19a/0x230 mm/gup.c:1106
[<ffffffff81492257>] __mm_populate+0x1d7/0x320 mm/gup.c:1154
[<ffffffff8146a1d5>] mm_populate include/linux/mm.h:2041 [inline]
[<ffffffff8146a1d5>] vm_mmap_pgoff+0x195/0x1b0 mm/util.c:333
[<ffffffff814af842>] SYSC_mmap_pgoff mm/mmap.c:1555 [inline]
[<ffffffff814af842>] SyS_mmap_pgoff+0x152/0x1b0 mm/mmap.c:1513
[<ffffffff8105d476>] SYSC_mmap arch/x86/kernel/sys_x86_64.c:96 [inline]
[<ffffffff8105d476>] SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:87
[<ffffffff810056ef>] do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285
[<ffffffff82818cd3>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb

Allocated by task 7584:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
save_stack mm/kasan/kasan.c:505 [inline]
set_track mm/kasan/kasan.c:517 [inline]
kasan_kmalloc.part.1+0x62/0xf0 mm/kasan/kasan.c:609
kasan_kmalloc+0xaf/0xc0 mm/kasan/kasan.c:594
kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:547
slab_post_alloc_hook mm/slab.h:417 [inline]
slab_alloc_node mm/slub.c:2715 [inline]
slab_alloc mm/slub.c:2723 [inline]
kmem_cache_alloc+0xd5/0x2b0 mm/slub.c:2728
shmem_alloc_inode+0x1b/0x40 mm/shmem.c:3655
alloc_inode+0x63/0x180 fs/inode.c:207
new_inode_pseudo+0x17/0xe0 fs/inode.c:890
new_inode+0x1c/0x40 fs/inode.c:919
shmem_get_inode+0x6f/0x6c0 mm/shmem.c:2126
__shmem_file_setup.part.13+0x33a/0x420 mm/shmem.c:4033
__shmem_file_setup mm/shmem.c:4109 [inline]
shmem_zero_setup+0xb5/0x1d0 mm/shmem.c:4109
mmap_region+0xcad/0xf90 mm/mmap.c:1742
do_mmap+0x53d/0xbb0 mm/mmap.c:1505
do_mmap_pgoff include/linux/mm.h:2032 [inline]
vm_mmap_pgoff+0x168/0x1b0 mm/util.c:329
SYSC_mmap_pgoff mm/mmap.c:1555 [inline]
SyS_mmap_pgoff+0x152/0x1b0 mm/mmap.c:1513
SYSC_mmap arch/x86/kernel/sys_x86_64.c:96 [inline]
SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:87
do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285
entry_SYSCALL_64_after_swapgs+0x5d/0xdb

Freed by task 7590:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
save_stack mm/kasan/kasan.c:505 [inline]
set_track mm/kasan/kasan.c:517 [inline]
kasan_slab_free+0xac/0x190 mm/kasan/kasan.c:582
slab_free_hook mm/slub.c:1355 [inline]
slab_free_freelist_hook mm/slub.c:1377 [inline]
slab_free mm/slub.c:2958 [inline]
kmem_cache_free+0xbe/0x310 mm/slub.c:2980
shmem_destroy_callback+0x5a/0xa0 mm/shmem.c:3666
__rcu_reclaim kernel/rcu/rcu.h:118 [inline]
rcu_do_batch kernel/rcu/tree.c:2789 [inline]
invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline]
__rcu_process_callbacks kernel/rcu/tree.c:3020 [inline]
rcu_process_callbacks+0x8ae/0x12b0 kernel/rcu/tree.c:3037
__do_softirq+0x20e/0x964 kernel/softirq.c:288

The buggy address belongs to the object at ffff8801cdc7dcb0
which belongs to the cache shmem_inode_cache of size 1096
The buggy address is located 376 bytes inside of
1096-byte region [ffff8801cdc7dcb0, ffff8801cdc7e0f8)
The buggy address belongs to the page:
page:ffffea0007371f00 count:1 mapcount:0 mapping: (null) index:0x0
compound_mapcount: 0
flags: 0x4000000000004080(slab|head)
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8801cdc7dd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8801cdc7dd80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff8801cdc7de00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8801cdc7de80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8801cdc7df00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
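A small triage helper for the report above, added here as an example; it is not syzbot's or the kernel's own code. It parses a KASAN slab report into the fields a first reader wants (access, victim cache, offset into the object, which task allocated and which freed, and from where) and cross-checks the stated offset against the two addresses the report prints. The embedded report is a constructed excerpt of the trace above with the mail line-wrapping removed and most frames dropped; every value in it is the one the report prints. The INFRA prefix list is a heuristic of this example, not anything KASAN defines.

```python
"""Pull the triage facts out of a KASAN slab use-after-free report.
Added example, not syzbot or kernel code: it parses the report and checks
that the object offset it states agrees with the addresses it prints."""
import re

# Constructed excerpt of the syzbot report above (mail wrapping removed,
# most frames dropped); every value is the one the report prints.
SAMPLE_REPORT = """\
BUG: KASAN: use-after-free in perf_trace_lock_acquire+0x458/0x530 include/trace/events/lock.h:12
Read of size 8 at addr ffff8801cdc7de28 by task syz-executor3/7584

Call Trace:
 [<ffffffff81b43b89>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8120cb99>] lock_acquire+0x299/0x3e0 kernel/locking/lockdep.c:3755
 [<ffffffff81462c31>] shmem_fault+0x4d1/0x6d0 mm/shmem.c:1952

Allocated by task 7584:
 kmem_cache_alloc+0xd5/0x2b0 mm/slub.c:2728
 shmem_alloc_inode+0x1b/0x40 mm/shmem.c:3655

Freed by task 7590:
 kmem_cache_free+0xbe/0x310 mm/slub.c:2980
 shmem_destroy_callback+0x5a/0xa0 mm/shmem.c:3666
 rcu_process_callbacks+0x8ae/0x12b0 kernel/rcu/tree.c:3037
 __do_softirq+0x20e/0x964 kernel/softirq.c:288

The buggy address belongs to the object at ffff8801cdc7dcb0
 which belongs to the cache shmem_inode_cache of size 1096
The buggy address is located 376 bytes inside of
 1096-byte region [ffff8801cdc7dcb0, ffff8801cdc7e0f8)
"""

# Heuristic (this example's own): frames that belong to the reporting,
# allocator or locking machinery rather than to the code that has the bug.
INFRA = ("dump_stack", "print_address", "kasan_", "__asan", "perf_trace", "trace_",
         "lock_acquire", "_raw_", "__raw_", "kmem_cache", "slab_", "save_stack", "set_track")


def _symbols(lines, start):
    """Bare symbol names of a stack dump, read until the first blank line."""
    out = []
    for ln in lines[start:]:
        toks = ln.split()
        if not toks:
            break
        if toks[0].startswith("[<"):        # 4.9-style "[<addr>] sym+off/len file:line"
            toks = toks[1:]
        out.append(toks[0].split("+", 1)[0])
    return out


def parse_report(text):
    """Parse one KASAN report into a dict of the fields triage needs."""
    rep, lines = {}, text.splitlines()
    for i, ln in enumerate(lines):
        s = ln.strip()
        m = re.match(r"BUG: KASAN: (\S+) in ", s)
        if m and "bug_type" not in rep:          # keep the first BUG line only
            rep["bug_type"] = m.group(1)
        m = re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (.+)/(\d+)$", s)
        if m:
            rep.update(access=m.group(1), size=int(m.group(2)), addr=int(m.group(3), 16),
                       task=m.group(4), pid=int(m.group(5)))
        if s == "Call Trace:":
            rep["call_stack"] = _symbols(lines, i + 1)
        m = re.match(r"(Allocated|Freed) by task (\d+):", s)
        if m:
            who = "alloc" if m.group(1) == "Allocated" else "free"
            rep[who + "_pid"], rep[who + "_stack"] = int(m.group(2)), _symbols(lines, i + 1)
        m = re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", s)
        if m:
            rep["obj_base"] = int(m.group(1), 16)
        m = re.match(r"which belongs to the cache (\S+) of size (\d+)", s)
        if m:
            rep.update(cache=m.group(1), obj_size=int(m.group(2)))
        m = re.match(r"The buggy address is located (\d+) bytes inside of", s)
        if m:
            rep["stated_offset"] = int(m.group(1))
    return rep


def _first_real(frames):
    return next((f for f in frames if not f.startswith(INFRA)), None)


def triage(rep):
    """The facts that usually decide how a slab UAF is routed."""
    if "obj_base" not in rep or "addr" not in rep:
        raise ValueError("report carries no slab object information")
    offset = rep["addr"] - rep["obj_base"]
    return {
        "offset": offset,
        "offset_matches_report": offset == rep.get("stated_offset"),
        "inside_object": 0 <= offset < rep["obj_size"],
        "crash_frame": _first_real(rep.get("call_stack", [])),   # first frame past KASAN/lockdep
        "allocator": _first_real(rep.get("alloc_stack", [])),
        "freer": _first_real(rep.get("free_stack", [])),
        "cross_task_free": rep.get("alloc_pid") != rep.get("free_pid"),
        "freed_in_rcu_callback": "rcu_process_callbacks" in rep.get("free_stack", []),
    }


if __name__ == "__main__":
    for k, v in triage(parse_report(SAMPLE_REPORT)).items():
        print("%-24s %s" % (k, v))
```

Run as a script it prints the triage table. The offset check (0xffff8801cdc7de28 minus 0xffff8801cdc7dcb0 is 0x178, i.e. 376) confirms the object boundaries in the report are self-consistent, and the allocator/freer frames together with the cross-task and RCU flags state what the trace above shows: the shmem inode was freed by shmem_destroy_callback running as an RCU callback on task 7590 while task 7584 was still dereferencing it under shmem_fault.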

syzbot

Jun 10, 2019, 12:57:05 AM
to syzkaller-a...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.