KASAN: use-after-free Read in inet_shutdown


syzbot

Apr 12, 2019, 8:00:36 PM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 9c3804bc UPSTREAM: tcp: fix a request socket leak
git tree: android-4.9
console output: https://syzkaller.appspot.com/x/log.txt?x=13cc5c69800000
kernel config: https://syzkaller.appspot.com/x/.config?x=12d05663835d3b08
dashboard link: https://syzkaller.appspot.com/bug?extid=8c35f79ef6a1f6f0a6da
compiler: gcc (GCC) 7.1.1 20170620
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1444c8b9800000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1162c229800000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+8c35f7...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in inet_shutdown+0x2d4/0x350 net/ipv4/af_inet.c:824
Read of size 4 at addr ffff8801c50a1980 by task syzkaller564537/3517

CPU: 1 PID: 3517 Comm: syzkaller564537 Not tainted 4.9.77-g9c3804b #17
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
ffff8801c66afbc0 ffffffff81d941c9 ffffea0007142800 ffff8801c50a1980
0000000000000000 ffff8801c50a1980 ffff8801cb34ea58 ffff8801c66afbf8
ffffffff8153db93 ffff8801c50a1980 0000000000000004 0000000000000000
Call Trace:
[<ffffffff81d941c9>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81d941c9>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
[<ffffffff8153db93>] print_address_description+0x73/0x280 mm/kasan/report.c:252
[<ffffffff8153e0b5>] kasan_report_error mm/kasan/report.c:351 [inline]
[<ffffffff8153e0b5>] kasan_report+0x275/0x360 mm/kasan/report.c:408
[<ffffffff8153e1f4>] __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:428
[<ffffffff832e83c4>] inet_shutdown+0x2d4/0x350 net/ipv4/af_inet.c:824
[<ffffffff835896a0>] pppol2tp_session_close+0xa0/0xe0 net/l2tp/l2tp_ppp.c:441
[<ffffffff8358409f>] l2tp_tunnel_closeall+0x21f/0x3a0 net/l2tp/l2tp_core.c:1368
[<ffffffff83584ca7>] l2tp_udp_encap_destroy+0x87/0xe0 net/l2tp/l2tp_core.c:1394
[<ffffffff8348ab71>] udpv6_destroy_sock+0xb1/0xd0 net/ipv6/udp.c:1336
[<ffffffff82eeb5ab>] sk_common_release+0x6b/0x2f0 net/core/sock.c:2727
[<ffffffff83489b25>] udp_lib_close+0x15/0x20 include/net/udp.h:203
[<ffffffff832e853a>] inet_release+0xfa/0x1d0 net/ipv4/af_inet.c:434
[<ffffffff8340f0d0>] inet6_release+0x50/0x70 net/ipv6/af_inet6.c:437
[<ffffffff82ed489d>] sock_release+0x8d/0x1e0 net/socket.c:599
[<ffffffff82ed4a06>] sock_close+0x16/0x20 net/socket.c:1046
[<ffffffff8157502c>] __fput+0x28c/0x6e0 fs/file_table.c:208
[<ffffffff81575505>] ____fput+0x15/0x20 fs/file_table.c:244
[<ffffffff81195795>] task_work_run+0x115/0x190 kernel/task_work.c:116
[<ffffffff81003a4c>] tracehook_notify_resume include/linux/tracehook.h:191 [inline]
[<ffffffff81003a4c>] exit_to_usermode_loop+0xfc/0x120 arch/x86/entry/common.c:160
[<ffffffff81006340>] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
[<ffffffff81006340>] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
[<ffffffff838b2ceb>] entry_SYSCALL_64_fastpath+0xe6/0xe8

Allocated by task 3518:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
save_stack+0x43/0xd0 mm/kasan/kasan.c:505
set_track mm/kasan/kasan.c:517 [inline]
kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:609
kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:547
slab_post_alloc_hook mm/slab.h:417 [inline]
slab_alloc_node mm/slub.c:2715 [inline]
slab_alloc mm/slub.c:2723 [inline]
kmem_cache_alloc+0xba/0x290 mm/slub.c:2728
sock_alloc_inode+0x1d/0x250 net/socket.c:250
alloc_inode+0x65/0x180 fs/inode.c:207
new_inode_pseudo+0x17/0xe0 fs/inode.c:890
sock_alloc+0x41/0x270 net/socket.c:567
__sock_create+0xa5/0x640 net/socket.c:1146
sock_create net/socket.c:1222 [inline]
SYSC_socket net/socket.c:1252 [inline]
SyS_socket+0xf0/0x1b0 net/socket.c:1232
entry_SYSCALL_64_fastpath+0x29/0xe8

Freed by task 3518:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
save_stack+0x43/0xd0 mm/kasan/kasan.c:505
set_track mm/kasan/kasan.c:517 [inline]
kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:582
slab_free_hook mm/slub.c:1355 [inline]
slab_free_freelist_hook mm/slub.c:1377 [inline]
slab_free mm/slub.c:2958 [inline]
kmem_cache_free+0xc7/0x300 mm/slub.c:2980
sock_destroy_inode+0x56/0x70 net/socket.c:280
destroy_inode+0xc3/0x120 fs/inode.c:264
evict+0x329/0x4f0 fs/inode.c:570
iput_final fs/inode.c:1516 [inline]
iput+0x47b/0x900 fs/inode.c:1543
dentry_unlink_inode+0x470/0x570 fs/dcache.c:370
__dentry_kill+0x25b/0x480 fs/dcache.c:565
dentry_kill fs/dcache.c:606 [inline]
dput.part.23+0x680/0x7b0 fs/dcache.c:818
dput+0x1f/0x30 fs/dcache.c:780
__fput+0x46a/0x6e0 fs/file_table.c:226
____fput+0x15/0x20 fs/file_table.c:244
task_work_run+0x115/0x190 kernel/task_work.c:116
tracehook_notify_resume include/linux/tracehook.h:191 [inline]
exit_to_usermode_loop+0xfc/0x120 arch/x86/entry/common.c:160
prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
entry_SYSCALL_64_fastpath+0xe6/0xe8

The buggy address belongs to the object at ffff8801c50a1980
which belongs to the cache sock_inode_cache of size 944
The buggy address is located 0 bytes inside of
944-byte region [ffff8801c50a1980, ffff8801c50a1d30)
The buggy address belongs to the page:
page:ffffea0007142800 count:1 mapcount:0 mapping: (null) index:0x0
compound_mapcount: 0
flags: 0x8000000000004080(slab|head)
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8801c50a1880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
ffff8801c50a1900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ffff8801c50a1980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8801c50a1a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8801c50a1a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches

syzbot

Apr 13, 2019, 8:02:17 PM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: cf21a9ac ANDROID: Add kconfig to make dm-verity check_at_m..
git tree: android-4.4
console output: https://syzkaller.appspot.com/x/log.txt?x=1451f448400000
kernel config: https://syzkaller.appspot.com/x/.config?x=b6b946fc0167c90b
dashboard link: https://syzkaller.appspot.com/bug?extid=b907c7defb4d06b02b49
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
userspace arch: i386
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1229d1cc400000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+b907c7...@syzkaller.appspotmail.com

IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
==================================================================
BUG: KASAN: use-after-free in inet_shutdown+0x2e9/0x370 net/ipv4/af_inet.c:809
Read of size 4 at addr ffff8801c7724440 by task syz-executor0/4224

CPU: 0 PID: 4224 Comm: syz-executor0 Not tainted 4.4.138-gcf21a9a #62
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
0000000000000000 42f239834f51da51 ffff8801d6e4fb58 ffffffff81e0ed0d
ffffea00071dc900 ffff8801c7724440 0000000000000000 ffff8801c7724440
ffff8801d98f5458 ffff8801d6e4fb90 ffffffff81515a16 ffff8801c7724440
Call Trace:
[<ffffffff81e0ed0d>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81e0ed0d>] dump_stack+0xc1/0x124 lib/dump_stack.c:51
[<ffffffff81515a16>] print_address_description+0x6c/0x216 mm/kasan/report.c:252
[<ffffffff81515d35>] kasan_report_error mm/kasan/report.c:351 [inline]
[<ffffffff81515d35>] kasan_report.cold.7+0x175/0x2f7 mm/kasan/report.c:408
[<ffffffff814f9804>] __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:428
[<ffffffff832f8a69>] inet_shutdown+0x2e9/0x370 net/ipv4/af_inet.c:809
[<ffffffff835a6370>] pppol2tp_session_close+0xa0/0xe0 net/l2tp/l2tp_ppp.c:458
[<ffffffff8359f3e5>] l2tp_tunnel_closeall+0x205/0x350 net/l2tp/l2tp_core.c:1274
[<ffffffff8359ffab>] l2tp_udp_encap_destroy+0x8b/0xf0 net/l2tp/l2tp_core.c:1300
[<ffffffff83492431>] udpv6_destroy_sock+0xb1/0xd0 net/ipv6/udp.c:1421
[<ffffffff82f2fa5d>] sk_common_release+0x6d/0x300 net/core/sock.c:2680
[<ffffffff834910e5>] udp_lib_close+0x15/0x20 include/net/udp.h:190
[<ffffffff832f8bef>] inet_release+0xff/0x1d0 net/ipv4/af_inet.c:435
[<ffffffff8341b810>] inet6_release+0x50/0x70 net/ipv6/af_inet6.c:424
[<ffffffff82f1a186>] sock_release+0x96/0x1c0 net/socket.c:586
[<ffffffff82f1a2c6>] sock_close+0x16/0x20 net/socket.c:1037
[<ffffffff81522e05>] __fput+0x235/0x6f0 fs/file_table.c:208
[<ffffffff81523345>] ____fput+0x15/0x20 fs/file_table.c:244
[<ffffffff8118bd7f>] task_work_run+0x10f/0x190 kernel/task_work.c:115
[<ffffffff8100362d>] tracehook_notify_resume include/linux/tracehook.h:191 [inline]
[<ffffffff8100362d>] exit_to_usermode_loop+0x13d/0x160 arch/x86/entry/common.c:252
[<ffffffff81007090>] prepare_exit_to_usermode arch/x86/entry/common.c:283 [inline]
[<ffffffff81007090>] syscall_return_slowpath arch/x86/entry/common.c:348 [inline]
[<ffffffff81007090>] do_syscall_32_irqs_on arch/x86/entry/common.c:398 [inline]
[<ffffffff81007090>] do_fast_syscall_32+0x620/0x8b0 arch/x86/entry/common.c:459
[<ffffffff838c406a>] sysenter_flags_fixed+0xd/0x17

Allocated by task 4224:
[<ffffffff81033e46>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63
[<ffffffff814f88d3>] save_stack+0x43/0xd0 mm/kasan/kasan.c:512
[<ffffffff814f8bb7>] set_track mm/kasan/kasan.c:524 [inline]
[<ffffffff814f8bb7>] kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:616
[<ffffffff814f9182>] kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:554
[<ffffffff814f4c7e>] slab_post_alloc_hook mm/slub.c:1349 [inline]
[<ffffffff814f4c7e>] slab_alloc_node mm/slub.c:2615 [inline]
[<ffffffff814f4c7e>] slab_alloc mm/slub.c:2623 [inline]
[<ffffffff814f4c7e>] kmem_cache_alloc+0xbe/0x2a0 mm/slub.c:2628
[<ffffffff82f1c72d>] sock_alloc_inode+0x1d/0x260 net/socket.c:250
[<ffffffff8156f863>] alloc_inode+0x63/0x180 fs/inode.c:198
[<ffffffff815750f7>] new_inode_pseudo+0x17/0xe0 fs/inode.c:878
[<ffffffff82f1a9e1>] sock_alloc+0x41/0x280 net/socket.c:555
[<ffffffff82f2044d>] __sock_create+0x8d/0x5f0 net/socket.c:1141
[<ffffffff82f20be0>] sock_create net/socket.c:1217 [inline]
[<ffffffff82f20be0>] SYSC_socket net/socket.c:1247 [inline]
[<ffffffff82f20be0>] SyS_socket+0xf0/0x1b0 net/socket.c:1227
[<ffffffff81006d96>] do_syscall_32_irqs_on arch/x86/entry/common.c:392 [inline]
[<ffffffff81006d96>] do_fast_syscall_32+0x326/0x8b0 arch/x86/entry/common.c:459
[<ffffffff838c406a>] sysenter_flags_fixed+0xd/0x17

Freed by task 4226:
[<ffffffff81033e46>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63
[<ffffffff814f88d3>] save_stack+0x43/0xd0 mm/kasan/kasan.c:512
[<ffffffff814f9202>] set_track mm/kasan/kasan.c:524 [inline]
[<ffffffff814f9202>] kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:589
[<ffffffff814f638e>] slab_free_hook mm/slub.c:1383 [inline]
[<ffffffff814f638e>] slab_free_freelist_hook mm/slub.c:1405 [inline]
[<ffffffff814f638e>] slab_free mm/slub.c:2859 [inline]
[<ffffffff814f638e>] kmem_cache_free+0xbe/0x340 mm/slub.c:2881
[<ffffffff82f1c6f6>] sock_destroy_inode+0x56/0x70 net/socket.c:280
[<ffffffff81571ff2>] destroy_inode+0xc2/0x120 fs/inode.c:255
[<ffffffff81572372>] evict+0x322/0x4f0 fs/inode.c:559
[<ffffffff815729c1>] iput_final fs/inode.c:1477 [inline]
[<ffffffff815729c1>] iput+0x391/0x980 fs/inode.c:1504
[<ffffffff81564232>] dentry_iput fs/dcache.c:372 [inline]
[<ffffffff81564232>] __dentry_kill+0x492/0x5f0 fs/dcache.c:559
[<ffffffff81567b27>] dentry_kill fs/dcache.c:603 [inline]
[<ffffffff81567b27>] dput.part.26+0x587/0x760 fs/dcache.c:818
[<ffffffff81567d1f>] dput+0x1f/0x30 fs/dcache.c:782
[<ffffffff81522fd1>] __fput+0x401/0x6f0 fs/file_table.c:226
[<ffffffff81523345>] ____fput+0x15/0x20 fs/file_table.c:244
[<ffffffff8118bd7f>] task_work_run+0x10f/0x190 kernel/task_work.c:115
[<ffffffff8100362d>] tracehook_notify_resume include/linux/tracehook.h:191 [inline]
[<ffffffff8100362d>] exit_to_usermode_loop+0x13d/0x160 arch/x86/entry/common.c:252
[<ffffffff81007090>] prepare_exit_to_usermode arch/x86/entry/common.c:283 [inline]
[<ffffffff81007090>] syscall_return_slowpath arch/x86/entry/common.c:348 [inline]
[<ffffffff81007090>] do_syscall_32_irqs_on arch/x86/entry/common.c:398 [inline]
[<ffffffff81007090>] do_fast_syscall_32+0x620/0x8b0 arch/x86/entry/common.c:459
[<ffffffff838c406a>] sysenter_flags_fixed+0xd/0x17

The buggy address belongs to the object at ffff8801c7724440
which belongs to the cache sock_inode_cache of size 936
The buggy address is located 0 bytes inside of
936-byte region [ffff8801c7724440, ffff8801c77247e8)
The buggy address belongs to the page:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.4.138-gcf21a9a #62
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8801d9a41800 task.stack: ffff8801d9a50000
RIP: 0010:[<ffffffff81e2c678>] [<ffffffff81e2c678>] timerqueue_add+0xb8/0x2b0 lib/timerqueue.c:51
RSP: 0018:ffff8801db307d30 EFLAGS: 00010007
RAX: ffffed003b66338b RBX: ffff8801db319c40 RCX: 0000000000000000
RDX: 000000001083e1e8 RSI: ffffffff81e2c65c RDI: 00000000841f0f46
RBP: ffff8801db307d70 R08: 0000000000000096 R09: 0000000000000001
R10: 0000000000000000 R11: ffff8801d9a41800 R12: dffffc0000000000
R13: 00000000841f0f2e R14: 0000000c8cb0bb00 R15: ffffffff8148cf87
FS: 0000000000000000(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f13f8436000 CR3: 00000000ad9a5000 CR4: 00000000001606f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
ffff8801db319c58 ffff8801db319710 ffffed003b66338b ffff8801db319700
ffff8801db319c40 ffff8801db319640 0000000000000001 0000000000000000
ffff8801db307da8 ffffffff8129b35f ffff8801db319c40 0000000000000001
Call Trace:
<IRQ>
[<ffffffff8129b35f>] enqueue_hrtimer+0x15f/0x440 kernel/time/hrtimer.c:893
[<ffffffff8129e052>] __run_hrtimer kernel/time/hrtimer.c:1276 [inline]
[<ffffffff8129e052>] __hrtimer_run_queues+0x6b2/0x1000 kernel/time/hrtimer.c:1325
[<ffffffff8129f4c1>] hrtimer_interrupt+0x1b1/0x430 kernel/time/hrtimer.c:1359
[<ffffffff810ad284>] local_apic_timer_interrupt+0x74/0xa0 arch/x86/kernel/apic/apic.c:901
[<ffffffff838c534c>] smp_apic_timer_interrupt+0x7c/0xa0 arch/x86/kernel/apic/apic.c:925
[<ffffffff838c4290>] apic_timer_interrupt+0xa0/0xb0 arch/x86/entry/entry_64.S:741
<EOI>
[<ffffffff81025cf5>] arch_safe_halt arch/x86/include/asm/paravirt.h:117 [inline]
[<ffffffff81025cf5>] default_idle+0x55/0x3c0 arch/x86/kernel/process.c:290
[<ffffffff81027240>] arch_cpu_idle+0x10/0x20 arch/x86/kernel/process.c:281
[<ffffffff8121bc07>] default_idle_call+0x57/0x70 kernel/sched/idle.c:93
[<ffffffff8121c3af>] cpuidle_idle_call kernel/sched/idle.c:157 [inline]
[<ffffffff8121c3af>] cpu_idle_loop kernel/sched/idle.c:253 [inline]
[<ffffffff8121c3af>] cpu_startup_entry+0x6af/0x780 kernel/sched/idle.c:301
[<ffffffff810a9e54>] start_secondary+0x324/0x400 arch/x86/kernel/smpboot.c:242
Code: 00 00 4d 8b 2f 4d 85 ed 74 3d e8 54 4e 52 ff 48 8b 45 d0 80 38 00 0f 85 96 01 00 00 49 8d 7d 18 4c 8b 73 18 48 89 fa 48 c1 ea 03 <42> 80 3c 22 00 0f 85 8a 01 00 00 4d 3b 75 18 7c a3 e8 22 4e 52
RIP [<ffffffff81e2c678>] timerqueue_add+0xb8/0x2b0 lib/timerqueue.c:51
RSP <ffff8801db307d30>
---[ end trace f35182ce9c183740 ]---