Hello,
syzbot found the following crash on:
HEAD commit: 03c70fea Merge 4.9.111 into android-4.9
git tree: android-4.9
console output: https://syzkaller.appspot.com/x/log.txt?x=1607ca2c400000
kernel config: https://syzkaller.appspot.com/x/.config?x=ca051f5c6a5ae8e0
dashboard link: https://syzkaller.appspot.com/bug?extid=6204b7ad01377a376b47
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=143c7cc2400000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14e12cc2400000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+6204b7...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in p9_conn_cancel+0x3f3/0x4c0 net/9p/trans_fd.c:203
Read of size 4 at addr ffff8801cecf31a8 by task kworker/1:3/4134
CPU: 1 PID: 4134 Comm: kworker/1:3 Not tainted 4.9.111-g03c70fe #58
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events p9_poll_workfn
ffff8801d360faa0 ffffffff81eb2729 ffffea00073b3c80 ffff8801cecf31a8
0000000000000000 ffff8801cecf31a8 00000000ffffff87 ffff8801d360fad8
ffffffff81567b59 ffff8801cecf31a8 0000000000000004 0000000000000000
Call Trace:
[<ffffffff81eb2729>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81eb2729>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
[<ffffffff81567b59>] print_address_description+0x6c/0x234 mm/kasan/report.c:256
[<ffffffff81567f63>] kasan_report_error mm/kasan/report.c:355 [inline]
[<ffffffff81567f63>] kasan_report.cold.6+0x242/0x2fe mm/kasan/report.c:412
[<ffffffff8153bb94>] __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:432
[<ffffffff839c1c23>] p9_conn_cancel+0x3f3/0x4c0 net/9p/trans_fd.c:203
[<ffffffff839c2242>] p9_poll_mux net/9p/trans_fd.c:630 [inline]
[<ffffffff839c2242>] p9_poll_workfn+0x222/0x330 net/9p/trans_fd.c:1097
[<ffffffff8118d131>] process_one_work+0x7e1/0x1500 kernel/workqueue.c:2092
[<ffffffff8118df26>] worker_thread+0xd6/0x10a0 kernel/workqueue.c:2226
[<ffffffff8119d05d>] kthread+0x26d/0x300 kernel/kthread.c:211
[<ffffffff839f8e9c>] ret_from_fork+0x5c/0x70 arch/x86/entry/entry_64.S:373
Allocated by task 3932:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
save_stack+0x43/0xd0 mm/kasan/kasan.c:505
set_track mm/kasan/kasan.c:517 [inline]
kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:609
kmem_cache_alloc_trace+0xfd/0x2b0 mm/slub.c:2742
kmalloc include/linux/slab.h:490 [inline]
kzalloc include/linux/slab.h:636 [inline]
p9_fd_open net/9p/trans_fd.c:792 [inline]
p9_fd_create+0xf3/0x330 net/9p/trans_fd.c:1029
p9_client_create+0x6ff/0x10a0 net/9p/client.c:1036
v9fs_session_init+0x333/0x13a0 fs/9p/v9fs.c:343
v9fs_mount+0x7d/0x810 fs/9p/vfs_super.c:130
mount_fs+0x28c/0x370 fs/super.c:1206
vfs_kern_mount.part.29+0xd1/0x3d0 fs/namespace.c:991
vfs_kern_mount fs/namespace.c:973 [inline]
do_new_mount fs/namespace.c:2513 [inline]
do_mount+0x3c9/0x2740 fs/namespace.c:2835
SYSC_mount fs/namespace.c:3051 [inline]
SyS_mount+0xfe/0x110 fs/namespace.c:3028
do_syscall_64+0x1a6/0x490 arch/x86/entry/common.c:282
entry_SYSCALL_64_after_swapgs+0x5d/0xdb
Freed by task 3932:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
save_stack+0x43/0xd0 mm/kasan/kasan.c:505
set_track mm/kasan/kasan.c:517 [inline]
kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:582
slab_free_hook mm/slub.c:1355 [inline]
slab_free_freelist_hook mm/slub.c:1377 [inline]
slab_free mm/slub.c:2958 [inline]
kfree+0xfb/0x310 mm/slub.c:3878
p9_fd_close+0x298/0x330 net/9p/trans_fd.c:890
p9_client_destroy+0x73/0x570 net/9p/client.c:1070
v9fs_session_close+0x46/0x110 fs/9p/v9fs.c:434
v9fs_mount+0x442/0x810 fs/9p/vfs_super.c:194
mount_fs+0x28c/0x370 fs/super.c:1206
vfs_kern_mount.part.29+0xd1/0x3d0 fs/namespace.c:991
vfs_kern_mount fs/namespace.c:973 [inline]
do_new_mount fs/namespace.c:2513 [inline]
do_mount+0x3c9/0x2740 fs/namespace.c:2835
SYSC_mount fs/namespace.c:3051 [inline]
SyS_mount+0xfe/0x110 fs/namespace.c:3028
do_syscall_64+0x1a6/0x490 arch/x86/entry/common.c:282
entry_SYSCALL_64_after_swapgs+0x5d/0xdb
The buggy address belongs to the object at ffff8801cecf3180
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 40 bytes inside of
512-byte region [ffff8801cecf3180, ffff8801cecf3380)
The buggy address belongs to the page:
page:ffffea00073b3c80 count:1 mapcount:0 mapping: (null)
index:0xffff8801cecf3b80 compound_mapcount: 0
flags: 0x8000000000004080(slab|head)
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8801cecf3080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8801cecf3100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ffff8801cecf3180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8801cecf3200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8801cecf3280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This bug is generated by a bot. It may contain errors.
See
https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at
syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
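The three traces above describe one shape of bug: task 3932 allocates the transport object in p9_fd_open and, still inside the same v9fs_mount call, frees it in p9_fd_close on the v9fs_session_close path (vfs_super.c:194); kworker/1:3 then runs p9_poll_workfn and p9_conn_cancel reads 4 bytes at offset 40 of the freed 512-byte object, which KASAN has already painted with the freed marker 0xfb. The following userspace C model is an added illustration of that class of teardown race and of the ordering that avoids it; it is not syzbot's reproducer, not 9p code, and not the maintainers' fix. The struct layout, the single-slot "workqueue" and the poisoning slab are hypothetical stand-ins chosen so the ordering is deterministic and the use of dead memory is detectable without a sanitizer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* KASAN paints freed slab bytes 0xfb; the "fb" rows in the shadow dump of the
 * report are exactly that. The toy slab below reuses the value so that a read
 * of a freed object is recognisable. */
#define POISON_FREED 0xfb

/* Stand-in for the per-connection object (hypothetical layout, not 9p's). */
struct conn {
    int  err;            /* the 4-byte field the deferred work reads */
    char payload[44];
};

/* --- toy slab: slab_free() poisons instead of releasing, so the detector can
 *     inspect the bytes; each scenario releases the memory afterwards --- */
static struct conn *slab_alloc(void)
{
    return calloc(1, sizeof(struct conn));
}

static void slab_free(struct conn *c)
{
    memset(c, POISON_FREED, sizeof *c);
}

/* 1 if every byte carries the freed-poison, i.e. the object is dead. */
static int slab_is_freed(const struct conn *c)
{
    const unsigned char *p = (const unsigned char *)c;
    for (size_t i = 0; i < sizeof *c; i++)
        if (p[i] != POISON_FREED)
            return 0;
    return 1;
}

/* --- toy single-slot workqueue, run explicitly so ordering is deterministic --- */
static struct { struct conn *conn; int queued; } poll_work;

static void queue_poll_work(struct conn *c)
{
    poll_work.conn = c;
    poll_work.queued = 1;
}

/* cancel_work_sync() analogue: afterwards the item is neither pending nor running. */
static void cancel_poll_work_sync(void)
{
    poll_work.queued = 0;
    poll_work.conn = NULL;
}

/* The worker body. Returns 1 when it dereferences a freed object (the condition
 * KASAN reported as use-after-free), 0 otherwise. */
static int run_poll_work(void)
{
    if (!poll_work.queued)
        return 0;
    poll_work.queued = 0;
    struct conn *c = poll_work.conn;
    if (slab_is_freed(c))
        return 1;            /* reading c->err here would be the UAF */
    if (c->err)              /* connection already failed: nothing to do */
        return 0;
    /* ... would walk the request list and fail each request ... */
    return 0;
}

/* Buggy teardown: the close path frees the conn while poll work for it is
 * still queued; the worker then runs on dead memory. */
static int scenario_free_without_cancel(void)
{
    struct conn *c = slab_alloc();
    queue_poll_work(c);          /* poll callback scheduled work on this conn */
    slab_free(c);                /* close path frees it without draining */
    int uaf = run_poll_work();   /* kworker fires later: 1 */
    free(c);
    return uaf;
}

/* Hardened teardown: drain outstanding work first, then free. */
static int scenario_cancel_then_free(void)
{
    struct conn *c = slab_alloc();
    queue_poll_work(c);
    cancel_poll_work_sync();     /* nothing pending or running afterwards */
    slab_free(c);
    int uaf = run_poll_work();   /* 0 */
    free(c);
    return uaf;
}

int main(void)
{
    printf("free without cancel: uaf=%d\n", scenario_free_without_cancel());
    printf("cancel then free:    uaf=%d\n", scenario_cancel_then_free());
    return 0;
}
```

Two caveats carry over to the real kernel. First, the detection here is only a model: in the kernel the freed slab memory may already be reused, so the same read is silent corruption rather than a report unless KASAN is built in. Second, cancelling the work item is necessary but not sufficient when the event source can re-queue it: the close path has to detach from whatever schedules the work (the poll wait queue, in the report's case) and record the error state under the same lock the worker takes, and only then cancel the work and free the object; otherwise a callback that fires between the cancel and the kfree re-creates exactly the window shown in the traces.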