KASAN: use-after-free Read in cdev_put
23 views
Skip to first unread message
syzbot
Nov 30, 2019, 1:54:11 AM11/30/19
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: 14260788 Linux 4.19.86
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=17cb5a96e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=713063ba2df50c01
dashboard link: https://syzkaller.appspot.com/bug?extid=b6e307e2fb59e07244c0
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1532d0a6e00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+b6e307...@syzkaller.appspotmail.com
input: s as /devices/virtual/input/input77
input: s as /devices/virtual/input/input78
input: s as /devices/virtual/input/input79
input: s as /devices/virtual/input/input80
==================================================================
BUG: KASAN: use-after-free in cdev_put.part.0+0x4c/0x50 fs/char_dev.c:373
Read of size 8 at addr ffff8880a4c4efb0 by task syz-executor.0/8021
CPU: 1 PID: 8021 Comm: syz-executor.0 Not tainted 4.19.86-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x197/0x210 lib/dump_stack.c:118
print_address_description.cold+0x7c/0x20d mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report mm/kasan/report.c:412 [inline]
kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:396
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
cdev_put.part.0+0x4c/0x50 fs/char_dev.c:373
cdev_put fs/char_dev.c:372 [inline]
chrdev_open+0x2c1/0x6b0 fs/char_dev.c:431
do_dentry_open+0x4c3/0x1210 fs/open.c:796
vfs_open+0xa0/0xd0 fs/open.c:905
do_last fs/namei.c:3418 [inline]
path_openat+0x10d7/0x45e0 fs/namei.c:3534
do_filp_open+0x1a1/0x280 fs/namei.c:3564
do_sys_open+0x3fe/0x550 fs/open.c:1088
__do_sys_open fs/open.c:1106 [inline]
__se_sys_open fs/open.c:1101 [inline]
__x64_sys_open+0x7e/0xc0 fs/open.c:1101
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x414411
Code: 75 14 b8 02 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 19 00 00 c3 48
83 ec 08 e8 0a fa ff ff 48 89 04 24 b8 02 00 00 00 0f 05 <48> 8b 3c 24 48
89 c2 e8 53 fa ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007f76b35597a0 EFLAGS: 00000293 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 6666666666666667 RCX: 0000000000414411
RDX: 0000000000000000 RSI: 0100000000000000 RDI: 00007f76b3559850
RBP: 000000000075bf20 R08: 000000000000000f R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 00007f76b355a6d4
R13: 00000000004ca395 R14: 00000000004e2a10 R15: 00000000ffffffff
Allocated by task 8001:
save_stack+0x45/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc mm/kasan/kasan.c:553 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:531
kmem_cache_alloc_trace+0x152/0x760 mm/slab.c:3625
kmalloc include/linux/slab.h:515 [inline]
kzalloc include/linux/slab.h:709 [inline]
evdev_connect+0x83/0x4d0 drivers/input/evdev.c:1388
input_attach_handler+0x1a0/0x210 drivers/input/input.c:1004
input_register_device.cold+0xda/0x22b drivers/input/input.c:2159
uinput_create_device drivers/input/misc/uinput.c:373 [inline]
uinput_ioctl_handler.isra.0+0x1035/0x1c50 drivers/input/misc/uinput.c:878
uinput_ioctl+0x4a/0x60 drivers/input/misc/uinput.c:1049
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:501 [inline]
do_vfs_ioctl+0xd5f/0x1380 fs/ioctl.c:688
ksys_ioctl+0xab/0xd0 fs/ioctl.c:705
__do_sys_ioctl fs/ioctl.c:712 [inline]
__se_sys_ioctl fs/ioctl.c:710 [inline]
__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:710
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 8019:
save_stack+0x45/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
__cache_free mm/slab.c:3503 [inline]
kfree+0xcf/0x220 mm/slab.c:3822
evdev_free+0x5e/0x70 drivers/input/evdev.c:370
device_release+0x7b/0x210 drivers/base/core.c:892
kobject_cleanup lib/kobject.c:662 [inline]
kobject_release lib/kobject.c:691 [inline]
kref_put include/linux/kref.h:70 [inline]
kobject_put.cold+0x289/0x2e6 lib/kobject.c:708
cdev_default_release+0x41/0x50 fs/char_dev.c:613
kobject_cleanup lib/kobject.c:662 [inline]
kobject_release lib/kobject.c:691 [inline]
kref_put include/linux/kref.h:70 [inline]
kobject_put.cold+0x289/0x2e6 lib/kobject.c:708
cdev_put.part.0+0x39/0x50 fs/char_dev.c:374
cdev_put fs/char_dev.c:372 [inline]
chrdev_open+0x2c1/0x6b0 fs/char_dev.c:431
do_dentry_open+0x4c3/0x1210 fs/open.c:796
vfs_open+0xa0/0xd0 fs/open.c:905
do_last fs/namei.c:3418 [inline]
path_openat+0x10d7/0x45e0 fs/namei.c:3534
do_filp_open+0x1a1/0x280 fs/namei.c:3564
do_sys_open+0x3fe/0x550 fs/open.c:1088
__do_sys_open fs/open.c:1106 [inline]
__se_sys_open fs/open.c:1101 [inline]
__x64_sys_open+0x7e/0xc0 fs/open.c:1101
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff8880a4c4e9c0
which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 1520 bytes inside of
2048-byte region [ffff8880a4c4e9c0, ffff8880a4c4f1c0)
The buggy address belongs to the page:
page:ffffea0002931380 count:1 mapcount:0 mapping:ffff88812c31cc40 index:0x0
compound_mapcount: 0
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffffea0001fc7788 ffffea00029ab888 ffff88812c31cc40
raw: 0000000000000000 ffff8880a4c4e140 0000000100000003 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880a4c4ee80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880a4c4ef00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff8880a4c4ef80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880a4c4f000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880a4c4f080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
input: s as /devices/virtual/input/input82
input: s as /devices/virtual/input/input83
input: s as /devices/virtual/input/input84
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following crash on:
HEAD commit: 14260788 Linux 4.19.86
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=17cb5a96e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=713063ba2df50c01
dashboard link: https://syzkaller.appspot.com/bug?extid=b6e307e2fb59e07244c0
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1532d0a6e00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+b6e307...@syzkaller.appspotmail.com
input: s as /devices/virtual/input/input77
input: s as /devices/virtual/input/input78
input: s as /devices/virtual/input/input79
input: s as /devices/virtual/input/input80
==================================================================
BUG: KASAN: use-after-free in cdev_put.part.0+0x4c/0x50 fs/char_dev.c:373
Read of size 8 at addr ffff8880a4c4efb0 by task syz-executor.0/8021
CPU: 1 PID: 8021 Comm: syz-executor.0 Not tainted 4.19.86-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x197/0x210 lib/dump_stack.c:118
print_address_description.cold+0x7c/0x20d mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report mm/kasan/report.c:412 [inline]
kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:396
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
cdev_put.part.0+0x4c/0x50 fs/char_dev.c:373
cdev_put fs/char_dev.c:372 [inline]
chrdev_open+0x2c1/0x6b0 fs/char_dev.c:431
do_dentry_open+0x4c3/0x1210 fs/open.c:796
vfs_open+0xa0/0xd0 fs/open.c:905
do_last fs/namei.c:3418 [inline]
path_openat+0x10d7/0x45e0 fs/namei.c:3534
do_filp_open+0x1a1/0x280 fs/namei.c:3564
do_sys_open+0x3fe/0x550 fs/open.c:1088
__do_sys_open fs/open.c:1106 [inline]
__se_sys_open fs/open.c:1101 [inline]
__x64_sys_open+0x7e/0xc0 fs/open.c:1101
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x414411
Code: 75 14 b8 02 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 19 00 00 c3 48
83 ec 08 e8 0a fa ff ff 48 89 04 24 b8 02 00 00 00 0f 05 <48> 8b 3c 24 48
89 c2 e8 53 fa ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007f76b35597a0 EFLAGS: 00000293 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 6666666666666667 RCX: 0000000000414411
RDX: 0000000000000000 RSI: 0100000000000000 RDI: 00007f76b3559850
RBP: 000000000075bf20 R08: 000000000000000f R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 00007f76b355a6d4
R13: 00000000004ca395 R14: 00000000004e2a10 R15: 00000000ffffffff
Allocated by task 8001:
save_stack+0x45/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc mm/kasan/kasan.c:553 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:531
kmem_cache_alloc_trace+0x152/0x760 mm/slab.c:3625
kmalloc include/linux/slab.h:515 [inline]
kzalloc include/linux/slab.h:709 [inline]
evdev_connect+0x83/0x4d0 drivers/input/evdev.c:1388
input_attach_handler+0x1a0/0x210 drivers/input/input.c:1004
input_register_device.cold+0xda/0x22b drivers/input/input.c:2159
uinput_create_device drivers/input/misc/uinput.c:373 [inline]
uinput_ioctl_handler.isra.0+0x1035/0x1c50 drivers/input/misc/uinput.c:878
uinput_ioctl+0x4a/0x60 drivers/input/misc/uinput.c:1049
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:501 [inline]
do_vfs_ioctl+0xd5f/0x1380 fs/ioctl.c:688
ksys_ioctl+0xab/0xd0 fs/ioctl.c:705
__do_sys_ioctl fs/ioctl.c:712 [inline]
__se_sys_ioctl fs/ioctl.c:710 [inline]
__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:710
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 8019:
save_stack+0x45/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
__cache_free mm/slab.c:3503 [inline]
kfree+0xcf/0x220 mm/slab.c:3822
evdev_free+0x5e/0x70 drivers/input/evdev.c:370
device_release+0x7b/0x210 drivers/base/core.c:892
kobject_cleanup lib/kobject.c:662 [inline]
kobject_release lib/kobject.c:691 [inline]
kref_put include/linux/kref.h:70 [inline]
kobject_put.cold+0x289/0x2e6 lib/kobject.c:708
cdev_default_release+0x41/0x50 fs/char_dev.c:613
kobject_cleanup lib/kobject.c:662 [inline]
kobject_release lib/kobject.c:691 [inline]
kref_put include/linux/kref.h:70 [inline]
kobject_put.cold+0x289/0x2e6 lib/kobject.c:708
cdev_put.part.0+0x39/0x50 fs/char_dev.c:374
cdev_put fs/char_dev.c:372 [inline]
chrdev_open+0x2c1/0x6b0 fs/char_dev.c:431
do_dentry_open+0x4c3/0x1210 fs/open.c:796
vfs_open+0xa0/0xd0 fs/open.c:905
do_last fs/namei.c:3418 [inline]
path_openat+0x10d7/0x45e0 fs/namei.c:3534
do_filp_open+0x1a1/0x280 fs/namei.c:3564
do_sys_open+0x3fe/0x550 fs/open.c:1088
__do_sys_open fs/open.c:1106 [inline]
__se_sys_open fs/open.c:1101 [inline]
__x64_sys_open+0x7e/0xc0 fs/open.c:1101
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff8880a4c4e9c0
which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 1520 bytes inside of
2048-byte region [ffff8880a4c4e9c0, ffff8880a4c4f1c0)
The buggy address belongs to the page:
page:ffffea0002931380 count:1 mapcount:0 mapping:ffff88812c31cc40 index:0x0
compound_mapcount: 0
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffffea0001fc7788 ffffea00029ab888 ffff88812c31cc40
raw: 0000000000000000 ffff8880a4c4e140 0000000100000003 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880a4c4ee80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880a4c4ef00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff8880a4c4ef80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880a4c4f000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880a4c4f080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
input: s as /devices/virtual/input/input82
input: s as /devices/virtual/input/input83
input: s as /devices/virtual/input/input84
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot
Nov 30, 2019, 1:56:08 AM11/30/19
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: 43598c57 Linux 4.14.156
syzbot found the following crash on:
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=17805c41e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=20cdce6bea3c2570
dashboard link: https://syzkaller.appspot.com/bug?extid=de5ddcfa2e7edda50ff1
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=102b5a96e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=110f98eae00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
input: s as /devices/virtual/input/input163
input: s as /devices/virtual/input/input164
input: s as /devices/virtual/input/input167
input: s as /devices/virtual/input/input168
==================================================================
BUG: KASAN: use-after-free in cdev_put.part.0+0x4c/0x50 fs/char_dev.c:373
Read of size 8 at addr ffff888088e890e8 by task syz-executor236/7670
BUG: KASAN: use-after-free in cdev_put.part.0+0x4c/0x50 fs/char_dev.c:373
CPU: 1 PID: 7670 Comm: syz-executor236 Not tainted 4.14.156-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
Google 01/01/2011
Call Trace:
dump_stack+0x142/0x197 lib/dump_stack.c:58
print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430
cdev_put.part.0+0x4c/0x50 fs/char_dev.c:373
cdev_put fs/char_dev.c:372 [inline]
chrdev_open+0x266/0x590 fs/char_dev.c:431
cdev_put fs/char_dev.c:372 [inline]
do_dentry_open+0x73b/0xeb0 fs/open.c:777
vfs_open+0x105/0x220 fs/open.c:891
do_last fs/namei.c:3425 [inline]
path_openat+0x8bd/0x3f70 fs/namei.c:3566
do_filp_open+0x18e/0x250 fs/namei.c:3600
do_sys_open+0x2c5/0x430 fs/open.c:1084
SYSC_open fs/open.c:1102 [inline]
SyS_open+0x2d/0x40 fs/open.c:1097
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x406be1
RSP: 002b:00007f96010088b0 EFLAGS: 00000293 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 6666666666666667 RCX: 0000000000406be1
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007f96010088d0
RBP: 00000000006ddc20 R08: 000000000000000f R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 00000000006ddc2c
R13: 00007ffe4c4d029f R14: 00007f96010099c0 R15: 0000000000000000
Allocated by task 7670:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:529
kmem_cache_alloc_trace+0x152/0x790 mm/slab.c:3618
kmalloc include/linux/slab.h:488 [inline]
kzalloc include/linux/slab.h:661 [inline]
evdev_connect+0x76/0x4a0 drivers/input/evdev.c:1383
input_attach_handler+0x154/0x1a0 drivers/input/input.c:1004
input_register_device.cold+0xbf/0x202 drivers/input/input.c:2161
uinput_create_device drivers/input/misc/uinput.c:324 [inline]
uinput_ioctl_handler.isra.0+0xdc8/0x18a0 drivers/input/misc/uinput.c:839
uinput_ioctl+0x4a/0x60 drivers/input/misc/uinput.c:1010
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:500 [inline]
do_vfs_ioctl+0x7ae/0x1060 fs/ioctl.c:684
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
Freed by task 7686:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kfree+0xcc/0x270 mm/slab.c:3815
evdev_free+0x5e/0x70 drivers/input/evdev.c:364
device_release+0x7b/0x1a0 drivers/base/core.c:821
kobject_cleanup lib/kobject.c:646 [inline]
kobject_release lib/kobject.c:675 [inline]
kref_put include/linux/kref.h:70 [inline]
kobject_put.cold+0x269/0x2f9 lib/kobject.c:692
cdev_default_release+0x41/0x50 fs/char_dev.c:613
kobject_cleanup lib/kobject.c:646 [inline]
kobject_release lib/kobject.c:675 [inline]
kref_put include/linux/kref.h:70 [inline]
kobject_put.cold+0x269/0x2f9 lib/kobject.c:692
cdev_put.part.0+0x39/0x50 fs/char_dev.c:374
cdev_put fs/char_dev.c:372 [inline]
chrdev_open+0x266/0x590 fs/char_dev.c:431
cdev_put fs/char_dev.c:372 [inline]
do_dentry_open+0x73b/0xeb0 fs/open.c:777
vfs_open+0x105/0x220 fs/open.c:891
do_last fs/namei.c:3425 [inline]
path_openat+0x8bd/0x3f70 fs/namei.c:3566
do_filp_open+0x18e/0x250 fs/namei.c:3600
do_sys_open+0x2c5/0x430 fs/open.c:1084
SYSC_open fs/open.c:1102 [inline]
SyS_open+0x2d/0x40 fs/open.c:1097
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
The buggy address belongs to the object at ffff888088e88b00
which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 1512 bytes inside of
2048-byte region [ffff888088e88b00, ffff888088e89300)
The buggy address belongs to the page:
page:ffffea000223a200 count:1 mapcount:0 mapping:ffff888088e88280 index:0x0
compound_mapcount: 0
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffff888088e88280 0000000000000000 0000000100000003
flags: 0xfffe0000008100(slab|head)
raw: ffffea00023a4820 ffffea0002233a20 ffff8880aa800c40 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888088e88f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Memory state around the buggy address:
ffff888088e89000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff888088e89080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888088e89100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888088e89180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
syzbot
Dec 2, 2019, 12:04:09 AM12/2/19
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following crash on:
HEAD commit: 174651bd Linux 4.19.87
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=12fe2712e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=f5916f9ec2ab339c
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12041e7ee00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+b6e307...@syzkaller.appspotmail.com
input: syz1 as /devices/virtual/input/input301
input: syz1 as /devices/virtual/input/input302
input: syz1 as /devices/virtual/input/input303
CPU: 1 PID: 9272 Comm: syz-executor250 Not tainted 4.19.87-syzkaller #0
Code: 75 14 b8 02 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 a4 18 00 00 c3 48
83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 02 00 00 00 0f 05 <48> 8b 3c 24 48
89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007f3d43f61960 EFLAGS: 00000293 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000405841
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007f3d43f61970
RBP: 6666666666666667 R08: 000000000000000f R09: 00007f3d43f62700
R10: 00007f3d43f629d0 R11: 0000000000000293 R12: 00000000006dbc3c
R13: 0000000000000000 R14: 0000000000000000 R15: 00000000317a7973
Allocated by task 9246:
The buggy address belongs to the object at ffff88809ac84200
raw: 0000000000000000 ffff88809ac84200 0000000100000003 0000000000000000
ffff88809ac84700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff88809ac84780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88809ac84800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88809ac84880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
HEAD commit: 174651bd Linux 4.19.87
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=12fe2712e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=f5916f9ec2ab339c
dashboard link: https://syzkaller.appspot.com/bug?extid=b6e307e2fb59e07244c0
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=119542dae00000
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12041e7ee00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+b6e307...@syzkaller.appspotmail.com
input: syz1 as /devices/virtual/input/input302
input: syz1 as /devices/virtual/input/input303
==================================================================
BUG: KASAN: use-after-free in cdev_put.part.0+0x4c/0x50 fs/char_dev.c:373
Read of size 8 at addr ffff88809ac847f0 by task syz-executor250/9272
BUG: KASAN: use-after-free in cdev_put.part.0+0x4c/0x50 fs/char_dev.c:373
CPU: 1 PID: 9272 Comm: syz-executor250 Not tainted 4.19.87-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x197/0x210 lib/dump_stack.c:118
print_address_description.cold+0x7c/0x20d mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report mm/kasan/report.c:412 [inline]
kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:396
input: syz1 as /devices/virtual/input/input304
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x197/0x210 lib/dump_stack.c:118
print_address_description.cold+0x7c/0x20d mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report mm/kasan/report.c:412 [inline]
kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:396
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
cdev_put.part.0+0x4c/0x50 fs/char_dev.c:373
cdev_put fs/char_dev.c:372 [inline]
chrdev_open+0x2c1/0x6b0 fs/char_dev.c:431
do_dentry_open+0x4c3/0x1210 fs/open.c:796
vfs_open+0xa0/0xd0 fs/open.c:905
do_last fs/namei.c:3418 [inline]
path_openat+0x10d7/0x45e0 fs/namei.c:3534
do_filp_open+0x1a1/0x280 fs/namei.c:3564
do_sys_open+0x3fe/0x550 fs/open.c:1088
__do_sys_open fs/open.c:1106 [inline]
__se_sys_open fs/open.c:1101 [inline]
__x64_sys_open+0x7e/0xc0 fs/open.c:1101
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x405841
cdev_put.part.0+0x4c/0x50 fs/char_dev.c:373
cdev_put fs/char_dev.c:372 [inline]
chrdev_open+0x2c1/0x6b0 fs/char_dev.c:431
do_dentry_open+0x4c3/0x1210 fs/open.c:796
vfs_open+0xa0/0xd0 fs/open.c:905
do_last fs/namei.c:3418 [inline]
path_openat+0x10d7/0x45e0 fs/namei.c:3534
do_filp_open+0x1a1/0x280 fs/namei.c:3564
do_sys_open+0x3fe/0x550 fs/open.c:1088
__do_sys_open fs/open.c:1106 [inline]
__se_sys_open fs/open.c:1101 [inline]
__x64_sys_open+0x7e/0xc0 fs/open.c:1101
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Code: 75 14 b8 02 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 a4 18 00 00 c3 48
83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 02 00 00 00 0f 05 <48> 8b 3c 24 48
89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007f3d43f61960 EFLAGS: 00000293 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000405841
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007f3d43f61970
RBP: 6666666666666667 R08: 000000000000000f R09: 00007f3d43f62700
R10: 00007f3d43f629d0 R11: 0000000000000293 R12: 00000000006dbc3c
R13: 0000000000000000 R14: 0000000000000000 R15: 00000000317a7973
Allocated by task 9246:
save_stack+0x45/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc mm/kasan/kasan.c:553 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:531
kmem_cache_alloc_trace+0x152/0x760 mm/slab.c:3625
kmalloc include/linux/slab.h:515 [inline]
kzalloc include/linux/slab.h:709 [inline]
evdev_connect+0x83/0x4d0 drivers/input/evdev.c:1388
input_attach_handler+0x1a0/0x210 drivers/input/input.c:1004
input_register_device.cold+0xda/0x22b drivers/input/input.c:2159
uinput_create_device drivers/input/misc/uinput.c:373 [inline]
uinput_ioctl_handler.isra.0+0x1035/0x1c50 drivers/input/misc/uinput.c:878
uinput_ioctl+0x4a/0x60 drivers/input/misc/uinput.c:1049
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:501 [inline]
do_vfs_ioctl+0xd5f/0x1380 fs/ioctl.c:688
ksys_ioctl+0xab/0xd0 fs/ioctl.c:705
__do_sys_ioctl fs/ioctl.c:712 [inline]
__se_sys_ioctl fs/ioctl.c:710 [inline]
__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:710
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 9269:
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc mm/kasan/kasan.c:553 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:531
kmem_cache_alloc_trace+0x152/0x760 mm/slab.c:3625
kmalloc include/linux/slab.h:515 [inline]
kzalloc include/linux/slab.h:709 [inline]
evdev_connect+0x83/0x4d0 drivers/input/evdev.c:1388
input_attach_handler+0x1a0/0x210 drivers/input/input.c:1004
input_register_device.cold+0xda/0x22b drivers/input/input.c:2159
uinput_create_device drivers/input/misc/uinput.c:373 [inline]
uinput_ioctl_handler.isra.0+0x1035/0x1c50 drivers/input/misc/uinput.c:878
uinput_ioctl+0x4a/0x60 drivers/input/misc/uinput.c:1049
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:501 [inline]
do_vfs_ioctl+0xd5f/0x1380 fs/ioctl.c:688
ksys_ioctl+0xab/0xd0 fs/ioctl.c:705
__do_sys_ioctl fs/ioctl.c:712 [inline]
__se_sys_ioctl fs/ioctl.c:710 [inline]
__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:710
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 1520 bytes inside of
2048-byte region [ffff88809ac84200, ffff88809ac84a00)
The buggy address is located 1520 bytes inside of
The buggy address belongs to the page:
page:ffffea00026b2100 count:1 mapcount:0 mapping:ffff88812c31cc40 index:0x0
compound_mapcount: 0
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffffea00026b1708 ffffea00026b2808 ffff88812c31cc40
flags: 0xfffe0000008100(slab|head)
raw: 0000000000000000 ffff88809ac84200 0000000100000003 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88809ac84680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Memory state around the buggy address:
ffff88809ac84700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff88809ac84780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88809ac84800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88809ac84880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
syzbot
Feb 11, 2020, 4:05:03 PM2/11/20
to syzkaller...@googlegroups.com
syzbot suspects this bug was fixed by commit:
commit 0ce254bc68edf06f93d3c0271851c619ff729d31
Author: Paul Durrant <pdur...@amazon.com>
Date: Tue Dec 10 14:53:05 2019 +0000
xen-blkback: prevent premature module unload
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=123ae96ee00000
start commit: fbc5fe7a Linux 4.14.157
git tree: linux-4.14.y
kernel config: https://syzkaller.appspot.com/x/.config?x=19f929d1ebe2b2d8
dashboard link: https://syzkaller.appspot.com/bug?extid=de5ddcfa2e7edda50ff1
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=133f8736e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1565ef12e00000
If the result looks correct, please mark the bug fixed by replying with:
#syz fix: xen-blkback: prevent premature module unload
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
commit 0ce254bc68edf06f93d3c0271851c619ff729d31
Author: Paul Durrant <pdur...@amazon.com>
Date: Tue Dec 10 14:53:05 2019 +0000
xen-blkback: prevent premature module unload
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=123ae96ee00000
start commit: fbc5fe7a Linux 4.14.157
git tree: linux-4.14.y
kernel config: https://syzkaller.appspot.com/x/.config?x=19f929d1ebe2b2d8
dashboard link: https://syzkaller.appspot.com/bug?extid=de5ddcfa2e7edda50ff1
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=133f8736e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1565ef12e00000
If the result looks correct, please mark the bug fixed by replying with:
#syz fix: xen-blkback: prevent premature module unload
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot
Aug 26, 2022, 7:08:27 PM8/26/22
to syzkaller...@googlegroups.com
Auto-closing this bug as obsolete.
No recent activity, existing reproducers are no longer triggering the issue.
No recent activity, existing reproducers are no longer triggering the issue.
Reply all
Reply to author
Forward
0 new messages