KASAN: use-after-free Read in io_sq_wq_submit_work


syzbot

Aug 30, 2020, 11:21:23 PM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: e15cc541 Revert "binder: Prevent context manager from incr..
git tree: android-5.4
console output: https://syzkaller.appspot.com/x/log.txt?x=102a838e900000
kernel config: https://syzkaller.appspot.com/x/.config?x=b5e85a4a81932633
dashboard link: https://syzkaller.appspot.com/bug?extid=e0edd00a47204c0ba7eb
compiler: Android (6032204 based on r370808) clang version 10.0.1 (https://android.googlesource.com/toolchain/llvm-project 6e765c10313d15c02ab29977a82938f66742c3a9)

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e0edd0...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in __list_del_entry_valid+0x98/0x100 lib/list_debug.c:54
Read of size 8 at addr ffff888192ce1f00 by task kworker/u4:2/165

CPU: 0 PID: 165 Comm: kworker/u4:2 Not tainted 5.4.61-syzkaller-00873-ge15cc541b749 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: io_ring-wq io_sq_wq_submit_work
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x14a/0x1ce lib/dump_stack.c:118
print_address_description+0x93/0x620 mm/kasan/report.c:374
__kasan_report+0x16d/0x1e0 mm/kasan/report.c:506
kasan_report+0x36/0x60 mm/kasan/common.c:634
__list_del_entry_valid+0x98/0x100 lib/list_debug.c:54
__list_del_entry include/linux/list.h:131 [inline]
list_del_init include/linux/list.h:190 [inline]
io_sq_wq_submit_work+0x7f5/0x14a0 fs/io_uring.c:2272
process_one_work+0x777/0xf90 kernel/workqueue.c:2274
worker_thread+0xa8f/0x1430 kernel/workqueue.c:2420
kthread+0x317/0x340 kernel/kthread.c:268
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352

Allocated by task 28983:
save_stack mm/kasan/common.c:69 [inline]
set_track mm/kasan/common.c:77 [inline]
__kasan_kmalloc+0x12c/0x1c0 mm/kasan/common.c:510
slab_post_alloc_hook mm/slab.h:584 [inline]
kmem_cache_alloc_bulk+0x1cf/0x250 mm/slub.c:3233
io_get_req+0x27f/0x850 fs/io_uring.c:650
io_submit_sqe+0x83/0xe90 fs/io_uring.c:2560
io_ring_submit fs/io_uring.c:2948 [inline]
__do_sys_io_uring_enter fs/io_uring.c:3825 [inline]
__se_sys_io_uring_enter+0x922/0x1ff0 fs/io_uring.c:3786
do_syscall_64+0xcb/0x150 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 546:
save_stack mm/kasan/common.c:69 [inline]
set_track mm/kasan/common.c:77 [inline]
kasan_set_free_info mm/kasan/common.c:332 [inline]
__kasan_slab_free+0x181/0x230 mm/kasan/common.c:471
slab_free_hook mm/slub.c:1443 [inline]
slab_free_freelist_hook+0xd0/0x150 mm/slub.c:1476
slab_free mm/slub.c:3041 [inline]
kmem_cache_free+0xac/0x600 mm/slub.c:3057
io_put_req fs/io_uring.c:762 [inline]
io_poll_complete_work+0x737/0x940 fs/io_uring.c:1835
process_one_work+0x777/0xf90 kernel/workqueue.c:2274
worker_thread+0xa8f/0x1430 kernel/workqueue.c:2420
kthread+0x317/0x340 kernel/kthread.c:268
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352

The buggy address belongs to the object at ffff888192ce1e00
which belongs to the cache io_kiocb of size 264
The buggy address is located 256 bytes inside of
264-byte region [ffff888192ce1e00, ffff888192ce1f08)
The buggy address belongs to the page:
page:ffffea00064b3800 refcount:1 mapcount:0 mapping:ffff8881da1f6780 index:0x0 compound_mapcount: 0
flags: 0x8000000000010200(slab|head)
raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881da1f6780
raw: 0000000000000000 0000000080150015 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff888192ce1e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888192ce1e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888192ce1f00: fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff888192ce1f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888192ce2000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
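The report above is raw KASAN output. As an added example (our code, not syzbot's or syzkaller's, and not part of this thread), the following Python parser pulls the access line, the three stacks and the object geometry out of the first report, rechecks the offset arithmetic KASAN prints (256 bytes inside the 264-byte io_kiocb region) from the raw addresses, and picks the first frame outside instrumentation, allocator and workqueue code out of each stack. SAMPLE_REPORT is the first report trimmed to the lines the parser reads; the NOISE prefix list is our own heuristic and not something KASAN defines.

```python
"""Parse a KASAN slab report and cross-check its address arithmetic.

Added example, not part of the syzbot report and not a syzkaller tool.
"""
import re

# Input: the first report in this thread, trimmed to the lines the parser
# needs (the trimming is ours; the lines are the real syzbot output).
SAMPLE_REPORT = """\
BUG: KASAN: use-after-free in __list_del_entry_valid+0x98/0x100 lib/list_debug.c:54
Read of size 8 at addr ffff888192ce1f00 by task kworker/u4:2/165
Call Trace:
 __kasan_report+0x16d/0x1e0 mm/kasan/report.c:506
 __list_del_entry_valid+0x98/0x100 lib/list_debug.c:54
 list_del_init include/linux/list.h:190 [inline]
 io_sq_wq_submit_work+0x7f5/0x14a0 fs/io_uring.c:2272

Allocated by task 28983:
 __kasan_kmalloc+0x12c/0x1c0 mm/kasan/common.c:510
 io_get_req+0x27f/0x850 fs/io_uring.c:650

Freed by task 546:
 __kasan_slab_free+0x181/0x230 mm/kasan/common.c:471
 kmem_cache_free+0xac/0x600 mm/slub.c:3057
 io_put_req fs/io_uring.c:762 [inline]
 io_poll_complete_work+0x737/0x940 fs/io_uring.c:1835

The buggy address belongs to the object at ffff888192ce1e00
 which belongs to the cache io_kiocb of size 264
The buggy address is located 256 bytes inside of
 264-byte region [ffff888192ce1e00, ffff888192ce1f08)
"""

# One frame: "func+0xoff/0xlen path:line" or "func path:line [inline]".
FRAME_RE = re.compile(r"^(?P<func>[A-Za-z_]\w*)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?\s+"
                      r"(?P<loc>[\w./-]+:\d+)(?:\s+\[inline\])?$")
# Our heuristic: KASAN, slab, list-helper and workqueue/syscall frames to skip.
NOISE = ("mm/kasan/", "mm/slub.c", "mm/slab.h", "lib/", "include/linux/",
         "kernel/workqueue.c", "kernel/kthread.c", "arch/x86/")


def _stack(lines, header):
    """(task id, frames) after the line matching `header`, up to a blank line."""
    frames, task, active = [], None, False
    for s in map(str.strip, lines):
        if not active:
            if (m := re.match(header, s)):
                active, task = True, int(m.group(1)) if m.groups() else None
            continue
        if not s:
            break
        if (m := FRAME_RE.match(s)):
            frames.append((m["func"], m["loc"]))
    return task, frames


def parse_kasan_report(text):
    """Pull the fields a triager needs out of a KASAN slab report."""
    head = re.search(r"BUG: KASAN: ([\w-]+) in ", text)
    acc = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task \S+/(\d+)", text)
    obj = re.search(r"object at ([0-9a-f]+)\s+which belongs to the cache (\S+) of size (\d+)", text)
    off = re.search(r"located (\d+) bytes inside of\s+\d+-byte region \[([0-9a-f]+), ([0-9a-f]+)\)", text)
    if not (head and acc and obj and off):
        raise ValueError("not a complete KASAN slab report")
    lines = text.splitlines()
    alloc_task, alloc = _stack(lines, r"Allocated by task (\d+):")
    free_task, freed = _stack(lines, r"Freed by task (\d+):")
    return {
        "bug_type": head[1], "access": acc[1], "size": int(acc[2]),
        "addr": int(acc[3], 16), "pid": int(acc[4]),
        "trace": _stack(lines, r"Call Trace:")[1],
        "alloc_task": alloc_task, "alloc_stack": alloc,
        "free_task": free_task, "free_stack": freed,
        "obj_base": int(obj[1], 16), "cache": obj[2], "obj_size": int(obj[3]),
        "stated_offset": int(off[1]), "region": (int(off[2], 16), int(off[3], 16)),
    }


def subsystem_frame(stack):
    """First frame outside the instrumentation/allocator/scheduler noise."""
    return next((f for f in stack if not f[1].startswith(NOISE)), None)


def check_offset(r):
    """Recompute what KASAN printed from the raw addresses."""
    lo, hi = r["region"]
    computed = r["addr"] - r["obj_base"]
    return {"computed_offset": computed,
            "offset_matches": computed == r["stated_offset"],
            "region_size_matches": hi - lo == r["obj_size"],
            "access_within_object": lo <= r["addr"] and r["addr"] + r["size"] <= hi}


def summarize(r):
    """The three sites a triager reads first, plus whether freer == user."""
    return {"fault": subsystem_frame(r["trace"]),
            "alloc": subsystem_frame(r["alloc_stack"]),
            "free": subsystem_frame(r["free_stack"]),
            "freed_by_using_task": r["free_task"] == r["pid"]}
```

Calling summarize(parse_kasan_report(SAMPLE_REPORT)) on the first report gives io_sq_wq_submit_work at fs/io_uring.c:2272 as the fault site, io_get_req at fs/io_uring.c:650 as the allocation and io_put_req at fs/io_uring.c:762 as the free; freed_by_using_task is False because the freeing task (546) is not the kworker (165) that later read the object. check_offset confirms the 256-byte offset and the 264-byte region from the raw addresses, and that the 8-byte read ends exactly at the region end. The second report in this thread differs on the task check: there the free and the use are both attributed to task 158.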

syzbot

Aug 30, 2020, 11:39:17 PM
to syzkaller-a...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: e15cc541 Revert "binder: Prevent context manager from incr..
git tree: android-5.4
console output: https://syzkaller.appspot.com/x/log.txt?x=11296615900000
kernel config: https://syzkaller.appspot.com/x/.config?x=b5e85a4a81932633
dashboard link: https://syzkaller.appspot.com/bug?extid=e0edd00a47204c0ba7eb
compiler: Android (6032204 based on r370808) clang version 10.0.1 (https://android.googlesource.com/toolchain/llvm-project 6e765c10313d15c02ab29977a82938f66742c3a9)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13b54d8e900000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15713fd5900000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e0edd0...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in __list_del_entry_valid+0x98/0x100 lib/list_debug.c:54
Read of size 8 at addr ffff8881ce189780 by task kworker/u4:2/158

CPU: 1 PID: 158 Comm: kworker/u4:2 Not tainted 5.4.61-syzkaller-00873-ge15cc541b749 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: io_ring-wq io_sq_wq_submit_work
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x14a/0x1ce lib/dump_stack.c:118
print_address_description+0x93/0x620 mm/kasan/report.c:374
__kasan_report+0x16d/0x1e0 mm/kasan/report.c:506
kasan_report+0x36/0x60 mm/kasan/common.c:634
__list_del_entry_valid+0x98/0x100 lib/list_debug.c:54
__list_del_entry include/linux/list.h:131 [inline]
list_del_init include/linux/list.h:190 [inline]
io_sq_wq_submit_work+0x7f5/0x14a0 fs/io_uring.c:2272
process_one_work+0x777/0xf90 kernel/workqueue.c:2274
worker_thread+0xa8f/0x1430 kernel/workqueue.c:2420
kthread+0x317/0x340 kernel/kthread.c:268
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352

Allocated by task 329:
save_stack mm/kasan/common.c:69 [inline]
set_track mm/kasan/common.c:77 [inline]
__kasan_kmalloc+0x12c/0x1c0 mm/kasan/common.c:510
slab_post_alloc_hook mm/slab.h:584 [inline]
kmem_cache_alloc_bulk+0x1cf/0x250 mm/slub.c:3233
io_get_req+0x27f/0x850 fs/io_uring.c:650
io_submit_sqe+0x83/0xe90 fs/io_uring.c:2560
io_ring_submit fs/io_uring.c:2948 [inline]
__do_sys_io_uring_enter fs/io_uring.c:3825 [inline]
__se_sys_io_uring_enter+0x922/0x1ff0 fs/io_uring.c:3786
do_syscall_64+0xcb/0x150 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 158:
save_stack mm/kasan/common.c:69 [inline]
set_track mm/kasan/common.c:77 [inline]
kasan_set_free_info mm/kasan/common.c:332 [inline]
__kasan_slab_free+0x181/0x230 mm/kasan/common.c:471
slab_free_hook mm/slub.c:1443 [inline]
slab_free_freelist_hook+0xd0/0x150 mm/slub.c:1476
slab_free mm/slub.c:3041 [inline]
kmem_cache_free+0xac/0x600 mm/slub.c:3057
io_put_req fs/io_uring.c:762 [inline]
io_poll_complete_work+0x737/0x940 fs/io_uring.c:1835
process_one_work+0x777/0xf90 kernel/workqueue.c:2274
worker_thread+0xa8f/0x1430 kernel/workqueue.c:2420
kthread+0x317/0x340 kernel/kthread.c:268
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352

The buggy address belongs to the object at ffff8881ce189680
which belongs to the cache io_kiocb of size 264
The buggy address is located 256 bytes inside of
264-byte region [ffff8881ce189680, ffff8881ce189788)
The buggy address belongs to the page:
page:ffffea0007386200 refcount:1 mapcount:0 mapping:ffff8881d99ba500 index:0x0 compound_mapcount: 0
flags: 0x8000000000010200(slab|head)
raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881d99ba500
raw: 0000000000000000 0000000080150015 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8881ce189680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881ce189700: fb fb f

syzbot

Apr 16, 2023, 12:55:38 PM
to syzkaller-a...@googlegroups.com
Auto-closing this bug as obsolete.
No recent activity, existing reproducers are no longer triggering the issue.