KASAN: use-after-free Read in scatterwalk_copychunks
10 views
Skip to first unread message
syzbot
Apr 21, 2019, 3:18:06 AM4/21/19
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: 68d7a45e Linux 4.14.113
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=126cd0ad200000
kernel config: https://syzkaller.appspot.com/x/.config?x=dbf1fde4d7489e1c
dashboard link: https://syzkaller.appspot.com/bug?extid=920a7eb5795273e180f6
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+920a7e...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in memcpy include/linux/string.h:347 [inline]
BUG: KASAN: use-after-free in memcpy_dir crypto/scatterwalk.c:28 [inline]
BUG: KASAN: use-after-free in scatterwalk_copychunks+0x260/0x6b0
crypto/scatterwalk.c:43
Read of size 4096 at addr ffff8880682c7000 by task syz-executor.0/8867
CPU: 1 PID: 8867 Comm: syz-executor.0 Not tainted 4.14.113 #3
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x138/0x19c lib/dump_stack.c:53
print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xaf/0x2b5 mm/kasan/report.c:393
check_memory_region_inline mm/kasan/kasan.c:260 [inline]
check_memory_region+0x123/0x190 mm/kasan/kasan.c:267
memcpy+0x24/0x50 mm/kasan/kasan.c:302
memcpy include/linux/string.h:347 [inline]
memcpy_dir crypto/scatterwalk.c:28 [inline]
scatterwalk_copychunks+0x260/0x6b0 crypto/scatterwalk.c:43
scatterwalk_map_and_copy crypto/scatterwalk.c:72 [inline]
scatterwalk_map_and_copy+0x12f/0x1d0 crypto/scatterwalk.c:60
gcmaes_encrypt.constprop.0+0x1d2/0xb90
arch/x86/crypto/aesni-intel_glue.c:778
generic_gcmaes_encrypt+0xf4/0x130 arch/x86/crypto/aesni-intel_glue.c:1111
crypto_aead_encrypt include/crypto/aead.h:330 [inline]
gcmaes_wrapper_encrypt+0x101/0x170 arch/x86/crypto/aesni-intel_glue.c:945
crypto_aead_encrypt include/crypto/aead.h:330 [inline]
tls_do_encryption net/tls/tls_sw.c:234 [inline]
tls_push_record+0x90b/0x1210 net/tls/tls_sw.c:270
tls_sw_sendpage+0x437/0xb50 net/tls/tls_sw.c:617
inet_sendpage+0x15a/0x580 net/ipv4/af_inet.c:779
kernel_sendpage+0x95/0xf0 net/socket.c:3415
sock_sendpage+0x8b/0xc0 net/socket.c:871
pipe_to_sendpage+0x244/0x340 fs/splice.c:451
splice_from_pipe_feed fs/splice.c:502 [inline]
__splice_from_pipe+0x351/0x790 fs/splice.c:626
splice_from_pipe+0xf0/0x150 fs/splice.c:661
generic_splice_sendpage+0x3c/0x50 fs/splice.c:832
do_splice_from fs/splice.c:851 [inline]
direct_splice_actor+0x126/0x1a0 fs/splice.c:1018
splice_direct_to_actor+0x2a1/0x7b0 fs/splice.c:973
do_splice_direct+0x18d/0x230 fs/splice.c:1061
do_sendfile+0x4db/0xbd0 fs/read_write.c:1440
SYSC_sendfile64 fs/read_write.c:1501 [inline]
SyS_sendfile64+0x102/0x110 fs/read_write.c:1487
do_syscall_64+0x1eb/0x630 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x458c29
RSP: 002b:00007f905dd34c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 00007f905dd34c90 RCX: 0000000000458c29
RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000003
RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000006785 R11: 0000000000000246 R12: 00007f905dd356d4
R13: 00000000004c5e10 R14: 00000000004da5c8 R15: 0000000000000005
Allocated by task 7041:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:529
kasan_slab_alloc+0xf/0x20 mm/kasan/kasan.c:489
kmem_cache_alloc+0x12e/0x780 mm/slab.c:3552
dup_mmap kernel/fork.c:652 [inline]
dup_mm kernel/fork.c:1199 [inline]
copy_mm kernel/fork.c:1253 [inline]
copy_process.part.0+0x440d/0x6950 kernel/fork.c:1755
copy_process kernel/fork.c:1570 [inline]
_do_fork+0x19e/0xce0 kernel/fork.c:2058
SYSC_clone kernel/fork.c:2168 [inline]
SyS_clone+0x37/0x50 kernel/fork.c:2162
do_syscall_64+0x1eb/0x630 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
Freed by task 8107:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kmem_cache_free+0x83/0x2b0 mm/slab.c:3758
remove_vma+0x164/0x1b0 mm/mmap.c:176
exit_mmap+0x314/0x4e0 mm/mmap.c:3068
__mmput kernel/fork.c:926 [inline]
mmput+0x114/0x440 kernel/fork.c:947
exec_mmap fs/exec.c:1039 [inline]
flush_old_exec+0x8c0/0x1b50 fs/exec.c:1271
load_elf_binary+0x88e/0x4ba0 fs/binfmt_elf.c:855
search_binary_handler fs/exec.c:1638 [inline]
search_binary_handler+0x14f/0x700 fs/exec.c:1616
exec_binprm fs/exec.c:1680 [inline]
do_execveat_common.isra.0+0xffd/0x1dd0 fs/exec.c:1802
do_execve fs/exec.c:1847 [inline]
SYSC_execve fs/exec.c:1928 [inline]
SyS_execve+0x39/0x50 fs/exec.c:1923
do_syscall_64+0x1eb/0x630 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
The buggy address belongs to the object at ffff8880682c7000
which belongs to the cache vm_area_struct of size 200
The buggy address is located 0 bytes inside of
200-byte region [ffff8880682c7000, ffff8880682c70c8)
The buggy address belongs to the page:
page:ffffea0001a0b1c0 count:1 mapcount:0 mapping:ffff8880682c7000 index:0x0
flags: 0x1fffc0000000100(slab)
raw: 01fffc0000000100 ffff8880682c7000 0000000000000000 000000010000000f
raw: ffffea0002a2bde0 ffffea00026373e0 ffff88821f830c40 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880682c6f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8880682c6f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffff8880682c7000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880682c7080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
ffff8880682c7100: fc fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following crash on:
HEAD commit: 68d7a45e Linux 4.14.113
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=126cd0ad200000
kernel config: https://syzkaller.appspot.com/x/.config?x=dbf1fde4d7489e1c
dashboard link: https://syzkaller.appspot.com/bug?extid=920a7eb5795273e180f6
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+920a7e...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in memcpy include/linux/string.h:347 [inline]
BUG: KASAN: use-after-free in memcpy_dir crypto/scatterwalk.c:28 [inline]
BUG: KASAN: use-after-free in scatterwalk_copychunks+0x260/0x6b0
crypto/scatterwalk.c:43
Read of size 4096 at addr ffff8880682c7000 by task syz-executor.0/8867
CPU: 1 PID: 8867 Comm: syz-executor.0 Not tainted 4.14.113 #3
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x138/0x19c lib/dump_stack.c:53
print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xaf/0x2b5 mm/kasan/report.c:393
check_memory_region_inline mm/kasan/kasan.c:260 [inline]
check_memory_region+0x123/0x190 mm/kasan/kasan.c:267
memcpy+0x24/0x50 mm/kasan/kasan.c:302
memcpy include/linux/string.h:347 [inline]
memcpy_dir crypto/scatterwalk.c:28 [inline]
scatterwalk_copychunks+0x260/0x6b0 crypto/scatterwalk.c:43
scatterwalk_map_and_copy crypto/scatterwalk.c:72 [inline]
scatterwalk_map_and_copy+0x12f/0x1d0 crypto/scatterwalk.c:60
gcmaes_encrypt.constprop.0+0x1d2/0xb90
arch/x86/crypto/aesni-intel_glue.c:778
generic_gcmaes_encrypt+0xf4/0x130 arch/x86/crypto/aesni-intel_glue.c:1111
crypto_aead_encrypt include/crypto/aead.h:330 [inline]
gcmaes_wrapper_encrypt+0x101/0x170 arch/x86/crypto/aesni-intel_glue.c:945
crypto_aead_encrypt include/crypto/aead.h:330 [inline]
tls_do_encryption net/tls/tls_sw.c:234 [inline]
tls_push_record+0x90b/0x1210 net/tls/tls_sw.c:270
tls_sw_sendpage+0x437/0xb50 net/tls/tls_sw.c:617
inet_sendpage+0x15a/0x580 net/ipv4/af_inet.c:779
kernel_sendpage+0x95/0xf0 net/socket.c:3415
sock_sendpage+0x8b/0xc0 net/socket.c:871
pipe_to_sendpage+0x244/0x340 fs/splice.c:451
splice_from_pipe_feed fs/splice.c:502 [inline]
__splice_from_pipe+0x351/0x790 fs/splice.c:626
splice_from_pipe+0xf0/0x150 fs/splice.c:661
generic_splice_sendpage+0x3c/0x50 fs/splice.c:832
do_splice_from fs/splice.c:851 [inline]
direct_splice_actor+0x126/0x1a0 fs/splice.c:1018
splice_direct_to_actor+0x2a1/0x7b0 fs/splice.c:973
do_splice_direct+0x18d/0x230 fs/splice.c:1061
do_sendfile+0x4db/0xbd0 fs/read_write.c:1440
SYSC_sendfile64 fs/read_write.c:1501 [inline]
SyS_sendfile64+0x102/0x110 fs/read_write.c:1487
do_syscall_64+0x1eb/0x630 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x458c29
RSP: 002b:00007f905dd34c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 00007f905dd34c90 RCX: 0000000000458c29
RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000003
RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000006785 R11: 0000000000000246 R12: 00007f905dd356d4
R13: 00000000004c5e10 R14: 00000000004da5c8 R15: 0000000000000005
Allocated by task 7041:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:529
kasan_slab_alloc+0xf/0x20 mm/kasan/kasan.c:489
kmem_cache_alloc+0x12e/0x780 mm/slab.c:3552
dup_mmap kernel/fork.c:652 [inline]
dup_mm kernel/fork.c:1199 [inline]
copy_mm kernel/fork.c:1253 [inline]
copy_process.part.0+0x440d/0x6950 kernel/fork.c:1755
copy_process kernel/fork.c:1570 [inline]
_do_fork+0x19e/0xce0 kernel/fork.c:2058
SYSC_clone kernel/fork.c:2168 [inline]
SyS_clone+0x37/0x50 kernel/fork.c:2162
do_syscall_64+0x1eb/0x630 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
Freed by task 8107:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kmem_cache_free+0x83/0x2b0 mm/slab.c:3758
remove_vma+0x164/0x1b0 mm/mmap.c:176
exit_mmap+0x314/0x4e0 mm/mmap.c:3068
__mmput kernel/fork.c:926 [inline]
mmput+0x114/0x440 kernel/fork.c:947
exec_mmap fs/exec.c:1039 [inline]
flush_old_exec+0x8c0/0x1b50 fs/exec.c:1271
load_elf_binary+0x88e/0x4ba0 fs/binfmt_elf.c:855
search_binary_handler fs/exec.c:1638 [inline]
search_binary_handler+0x14f/0x700 fs/exec.c:1616
exec_binprm fs/exec.c:1680 [inline]
do_execveat_common.isra.0+0xffd/0x1dd0 fs/exec.c:1802
do_execve fs/exec.c:1847 [inline]
SYSC_execve fs/exec.c:1928 [inline]
SyS_execve+0x39/0x50 fs/exec.c:1923
do_syscall_64+0x1eb/0x630 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
The buggy address belongs to the object at ffff8880682c7000
which belongs to the cache vm_area_struct of size 200
The buggy address is located 0 bytes inside of
200-byte region [ffff8880682c7000, ffff8880682c70c8)
The buggy address belongs to the page:
page:ffffea0001a0b1c0 count:1 mapcount:0 mapping:ffff8880682c7000 index:0x0
flags: 0x1fffc0000000100(slab)
raw: 01fffc0000000100 ffff8880682c7000 0000000000000000 000000010000000f
raw: ffffea0002a2bde0 ffffea00026373e0 ffff88821f830c40 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880682c6f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8880682c6f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffff8880682c7000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880682c7080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
ffff8880682c7100: fc fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Apr 21, 2019, 3:23:06 AM4/21/19
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following crash on:
HEAD commit: 68d7a45e Linux 4.14.113
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=100fb838a00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=117bbf30a00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+920a7e...@syzkaller.appspotmail.com
cache_alloc_refill mm/slab.c:3043 [inline]
____cache_alloc mm/slab.c:3125 [inline]
____cache_alloc mm/slab.c:3108 [inline]
__do_cache_alloc mm/slab.c:3347 [inline]
slab_alloc mm/slab.c:3382 [inline]
kmem_cache_alloc_trace+0x6b5/0x790 mm/slab.c:3616
kmalloc include/linux/slab.h:488 [inline]
pagemap_read+0x23c/0x520 fs/proc/task_mmu.c:1500
==================================================================
do_loop_readv_writev fs/read_write.c:694 [inline]
do_loop_readv_writev fs/read_write.c:681 [inline]
do_iter_read+0x3e7/0x5b0 fs/read_write.c:918
vfs_readv+0xd3/0x130 fs/read_write.c:980
kernel_readv fs/splice.c:361 [inline]
default_file_splice_read+0x421/0x7b0 fs/splice.c:416
do_splice_to+0x108/0x170 fs/splice.c:880
splice_direct_to_actor+0x222/0x7b0 fs/splice.c:952
RSP: 002b:00007f9279b31d08 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 00000000006dbc38 RCX: 0000000000446889
RDX: 0000000000000000 RSI: 0000000000000007 RDI: 0000000000000006
RBP: 00000000006dbc30 R08: 0000000000000002 R09: 0000000000003931
R10: 0000000000006785 R11: 0000000000000246 R12: 00000000006dbc3c
R13: 00007f9279b31d10 R14: 0000000000000008 R15: 0000000000000000
CPU: 0 PID: 6936 Comm: syz-executor953 Not tainted 4.14.113 #3
RIP: 0033:0x446889
RSP: 002b:00007f9279b52d08 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 00000000006dbc28 RCX: 0000000000446889
R10: 0000000000006785 R11: 0000000000000246 R12: 00000000006dbc2c
R13: 00007f9279b52d10 R14: 0000000000000005 R15: 0000000000000000
Allocated by task 6311:
get_empty_filp+0x8c/0x3b0 fs/file_table.c:123
path_openat+0x8f/0x3f70 fs/namei.c:3542
do_filp_open+0x18e/0x250 fs/namei.c:3600
do_open_execat+0xe7/0x4a0 fs/exec.c:849
do_execveat_common.isra.0+0x6d2/0x1dd0 fs/exec.c:1740
__rcu_reclaim kernel/rcu/rcu.h:195 [inline]
rcu_do_batch kernel/rcu/tree.c:2699 [inline]
invoke_rcu_callbacks kernel/rcu/tree.c:2962 [inline]
__rcu_process_callbacks kernel/rcu/tree.c:2929 [inline]
rcu_process_callbacks+0x7c0/0x12c0 kernel/rcu/tree.c:2946
__do_softirq+0x24e/0x9ae kernel/softirq.c:288
The buggy address belongs to the object at ffff888091def000
which belongs to the cache filp of size 456
flags: 0x1fffc0000000100(slab)
raw: 01fffc0000000100 ffff888091def000 0000000000000000 0000000100000006
raw: ffffea0002974a20 ffffea0002983460 ffff8880aa9e09c0 0000000000000000
ffff888091deef80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffff888091def000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888091def080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888091def100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
HEAD commit: 68d7a45e Linux 4.14.113
git tree: linux-4.14.y
kernel config: https://syzkaller.appspot.com/x/.config?x=dbf1fde4d7489e1c
dashboard link: https://syzkaller.appspot.com/bug?extid=920a7eb5795273e180f6
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17d0ce28a00000
dashboard link: https://syzkaller.appspot.com/bug?extid=920a7eb5795273e180f6
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=117bbf30a00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+920a7e...@syzkaller.appspotmail.com
____cache_alloc mm/slab.c:3125 [inline]
____cache_alloc mm/slab.c:3108 [inline]
__do_cache_alloc mm/slab.c:3347 [inline]
slab_alloc mm/slab.c:3382 [inline]
kmem_cache_alloc_trace+0x6b5/0x790 mm/slab.c:3616
kmalloc include/linux/slab.h:488 [inline]
pagemap_read+0x23c/0x520 fs/proc/task_mmu.c:1500
==================================================================
do_loop_readv_writev fs/read_write.c:694 [inline]
do_loop_readv_writev fs/read_write.c:681 [inline]
do_iter_read+0x3e7/0x5b0 fs/read_write.c:918
vfs_readv+0xd3/0x130 fs/read_write.c:980
BUG: KASAN: use-after-free in memcpy include/linux/string.h:347 [inline]
BUG: KASAN: use-after-free in memcpy_dir crypto/scatterwalk.c:28 [inline]
BUG: KASAN: use-after-free in scatterwalk_copychunks+0x260/0x6b0
crypto/scatterwalk.c:43
Read of size 4096 at addr ffff888091def000 by task syz-executor953/6936
BUG: KASAN: use-after-free in memcpy_dir crypto/scatterwalk.c:28 [inline]
BUG: KASAN: use-after-free in scatterwalk_copychunks+0x260/0x6b0
crypto/scatterwalk.c:43
kernel_readv fs/splice.c:361 [inline]
default_file_splice_read+0x421/0x7b0 fs/splice.c:416
do_splice_to+0x108/0x170 fs/splice.c:880
splice_direct_to_actor+0x222/0x7b0 fs/splice.c:952
do_splice_direct+0x18d/0x230 fs/splice.c:1061
do_sendfile+0x4db/0xbd0 fs/read_write.c:1440
SYSC_sendfile64 fs/read_write.c:1501 [inline]
SyS_sendfile64+0x102/0x110 fs/read_write.c:1487
do_syscall_64+0x1eb/0x630 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x446889
do_sendfile+0x4db/0xbd0 fs/read_write.c:1440
SYSC_sendfile64 fs/read_write.c:1501 [inline]
SyS_sendfile64+0x102/0x110 fs/read_write.c:1487
do_syscall_64+0x1eb/0x630 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RSP: 002b:00007f9279b31d08 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 00000000006dbc38 RCX: 0000000000446889
RDX: 0000000000000000 RSI: 0000000000000007 RDI: 0000000000000006
RBP: 00000000006dbc30 R08: 0000000000000002 R09: 0000000000003931
R10: 0000000000006785 R11: 0000000000000246 R12: 00000000006dbc3c
R13: 00007f9279b31d10 R14: 0000000000000008 R15: 0000000000000000
CPU: 0 PID: 6936 Comm: syz-executor953 Not tainted 4.14.113 #3
RSP: 002b:00007f9279b52d08 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 00000000006dbc28 RCX: 0000000000446889
RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000003
RBP: 00000000006dbc20 R08: 0000000000000002 R09: 65732f636f003931
R10: 0000000000006785 R11: 0000000000000246 R12: 00000000006dbc2c
R13: 00007f9279b52d10 R14: 0000000000000005 R15: 0000000000000000
Allocated by task 6311:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:529
kasan_slab_alloc+0xf/0x20 mm/kasan/kasan.c:489
kmem_cache_alloc+0x12e/0x780 mm/slab.c:3552
kmem_cache_zalloc include/linux/slab.h:651 [inline]
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:529
kasan_slab_alloc+0xf/0x20 mm/kasan/kasan.c:489
kmem_cache_alloc+0x12e/0x780 mm/slab.c:3552
get_empty_filp+0x8c/0x3b0 fs/file_table.c:123
path_openat+0x8f/0x3f70 fs/namei.c:3542
do_filp_open+0x18e/0x250 fs/namei.c:3600
do_open_execat+0xe7/0x4a0 fs/exec.c:849
do_execveat_common.isra.0+0x6d2/0x1dd0 fs/exec.c:1740
do_execve fs/exec.c:1847 [inline]
SYSC_execve fs/exec.c:1928 [inline]
SyS_execve+0x39/0x50 fs/exec.c:1923
do_syscall_64+0x1eb/0x630 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
Freed by task 0:
SYSC_execve fs/exec.c:1928 [inline]
SyS_execve+0x39/0x50 fs/exec.c:1923
do_syscall_64+0x1eb/0x630 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kmem_cache_free+0x83/0x2b0 mm/slab.c:3758
file_free_rcu+0x63/0xa0 fs/file_table.c:50
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kmem_cache_free+0x83/0x2b0 mm/slab.c:3758
__rcu_reclaim kernel/rcu/rcu.h:195 [inline]
rcu_do_batch kernel/rcu/tree.c:2699 [inline]
invoke_rcu_callbacks kernel/rcu/tree.c:2962 [inline]
__rcu_process_callbacks kernel/rcu/tree.c:2929 [inline]
rcu_process_callbacks+0x7c0/0x12c0 kernel/rcu/tree.c:2946
__do_softirq+0x24e/0x9ae kernel/softirq.c:288
The buggy address belongs to the object at ffff888091def000
which belongs to the cache filp of size 456
The buggy address is located 0 bytes inside of
456-byte region [ffff888091def000, ffff888091def1c8)
The buggy address belongs to the page:
page:ffffea0002477bc0 count:1 mapcount:0 mapping:ffff888091def000 index:0x0
flags: 0x1fffc0000000100(slab)
raw: 01fffc0000000100 ffff888091def000 0000000000000000 0000000100000006
raw: ffffea0002974a20 ffffea0002983460 ffff8880aa9e09c0 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888091deef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Memory state around the buggy address:
ffff888091deef80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffff888091def000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888091def080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888091def100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Reply all
Reply to author
Forward
0 new messages