KASAN: use-after-free Read in string
16 views
Skip to first unread message
syzbot
Apr 18, 2019, 11:42:05 AM4/18/19
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: 4b0e041c Linux 4.19.35
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=178bbbbf200000
kernel config: https://syzkaller.appspot.com/x/.config?x=bb1bcac868b1655e
dashboard link: https://syzkaller.appspot.com/bug?extid=e353ae815c9bbec69f81
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+e353ae...@syzkaller.appspotmail.com
RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f29ec0d36d4
R13: 00000000004c349c R14: 00000000004d6950 R15: 0000000000000006
==================================================================
BUG: KASAN: use-after-free in string+0x208/0x230 lib/vsprintf.c:604
Read of size 1 at addr ffff8880995d73c0 by task syz-executor.2/25894
CPU: 1 PID: 25894 Comm: syz-executor.2 Not tainted 4.19.35 #3
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x172/0x1f0 lib/dump_stack.c:113
print_address_description.cold+0x7c/0x20d mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report mm/kasan/report.c:412 [inline]
kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:396
__asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
string+0x208/0x230 lib/vsprintf.c:604
vsnprintf+0x980/0x19b0 lib/vsprintf.c:2293
add_uevent_var+0x14d/0x310 lib/kobject_uevent.c:659
input_dev_uevent+0x163/0x890 drivers/input/input.c:1594
dev_uevent+0x312/0x580 drivers/base/core.c:1008
kobject_uevent_env+0x487/0x1030 lib/kobject_uevent.c:547
kobject_uevent+0x20/0x26 lib/kobject_uevent.c:636
kobject_cleanup lib/kobject.c:649 [inline]
kobject_release lib/kobject.c:691 [inline]
kref_put include/linux/kref.h:70 [inline]
kobject_put.cold+0x177/0x2ec lib/kobject.c:708
put_device+0x20/0x30 drivers/base/core.c:2030
input_put_device include/linux/input.h:349 [inline]
evdev_free+0x51/0x70 drivers/input/evdev.c:369
device_release+0x7d/0x210 drivers/base/core.c:891
kobject_cleanup lib/kobject.c:662 [inline]
kobject_release lib/kobject.c:691 [inline]
kref_put include/linux/kref.h:70 [inline]
kobject_put.cold+0x28f/0x2ec lib/kobject.c:708
cdev_default_release+0x41/0x50 fs/char_dev.c:607
kobject_cleanup lib/kobject.c:662 [inline]
kobject_release lib/kobject.c:691 [inline]
kref_put include/linux/kref.h:70 [inline]
kobject_put.cold+0x28f/0x2ec lib/kobject.c:708
cdev_put.part.0+0x39/0x50 fs/char_dev.c:368
cdev_put+0x20/0x30 fs/char_dev.c:366
__fput+0x75d/0x8b0 fs/file_table.c:281
____fput+0x16/0x20 fs/file_table.c:309
task_work_run+0x14a/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x273/0x2c0 arch/x86/entry/common.c:166
prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
do_syscall_64+0x52d/0x610 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4129e1
Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 e4 1a 00 00 c3 48
83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48
89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007ffd8bbf9160 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000006 RCX: 00000000004129e1
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000005
RBP: 000000000073c900 R08: 00000000c37f9f6b R09: 000000000020fb87
R10: 00007ffd8bbf9230 R11: 0000000000000293 R12: 0000000000000001
R13: 000000000073c900 R14: 000000000020fbcc R15: 000000000073bf0c
Allocated by task 25895:
save_stack+0x45/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc mm/kasan/kasan.c:553 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:531
__do_kmalloc mm/slab.c:3727 [inline]
__kmalloc_track_caller+0x159/0x750 mm/slab.c:3742
kstrndup+0x5f/0xf0 mm/util.c:98
uinput_dev_setup+0x1d4/0x310 drivers/input/misc/uinput.c:475
uinput_ioctl_handler.isra.0+0x493/0x1c60 drivers/input/misc/uinput.c:886
uinput_ioctl+0x4a/0x60 drivers/input/misc/uinput.c:1049
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:501 [inline]
do_vfs_ioctl+0xd6e/0x1390 fs/ioctl.c:688
ksys_ioctl+0xab/0xd0 fs/ioctl.c:705
__do_sys_ioctl fs/ioctl.c:712 [inline]
__se_sys_ioctl fs/ioctl.c:710 [inline]
__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:710
do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 25895:
save_stack+0x45/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
__cache_free mm/slab.c:3503 [inline]
kfree+0xcf/0x230 mm/slab.c:3822
uinput_destroy_device+0xf8/0x250 drivers/input/misc/uinput.c:311
uinput_ioctl_handler.isra.0+0x15f/0x1c60 drivers/input/misc/uinput.c:882
uinput_ioctl+0x4a/0x60 drivers/input/misc/uinput.c:1049
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:501 [inline]
do_vfs_ioctl+0xd6e/0x1390 fs/ioctl.c:688
ksys_ioctl+0xab/0xd0 fs/ioctl.c:705
__do_sys_ioctl fs/ioctl.c:712 [inline]
__se_sys_ioctl fs/ioctl.c:710 [inline]
__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:710
do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff8880995d73c0
which belongs to the cache kmalloc-32 of size 32
The buggy address is located 0 bytes inside of
32-byte region [ffff8880995d73c0, ffff8880995d73e0)
The buggy address belongs to the page:
page:ffffea00026575c0 count:1 mapcount:0 mapping:ffff88812c3f01c0
index:0xffff8880995d7fc1
flags: 0x1fffc0000000100(slab)
raw: 01fffc0000000100 ffffea0002a1f008 ffffea000215f748 ffff88812c3f01c0
raw: ffff8880995d7fc1 ffff8880995d7000 000000010000003e 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880995d7280: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
ffff8880995d7300: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
> ffff8880995d7380: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
^
ffff8880995d7400: fb fb fb fb fc fc fc fc 00 00 fc fc fc fc fc fc
ffff8880995d7480: 06 fc fc fc fc fc fc fc 00 00 01 fc fc fc fc fc
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following crash on:
HEAD commit: 4b0e041c Linux 4.19.35
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=178bbbbf200000
kernel config: https://syzkaller.appspot.com/x/.config?x=bb1bcac868b1655e
dashboard link: https://syzkaller.appspot.com/bug?extid=e353ae815c9bbec69f81
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+e353ae...@syzkaller.appspotmail.com
RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f29ec0d36d4
R13: 00000000004c349c R14: 00000000004d6950 R15: 0000000000000006
==================================================================
BUG: KASAN: use-after-free in string+0x208/0x230 lib/vsprintf.c:604
Read of size 1 at addr ffff8880995d73c0 by task syz-executor.2/25894
CPU: 1 PID: 25894 Comm: syz-executor.2 Not tainted 4.19.35 #3
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x172/0x1f0 lib/dump_stack.c:113
print_address_description.cold+0x7c/0x20d mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report mm/kasan/report.c:412 [inline]
kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:396
__asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
string+0x208/0x230 lib/vsprintf.c:604
vsnprintf+0x980/0x19b0 lib/vsprintf.c:2293
add_uevent_var+0x14d/0x310 lib/kobject_uevent.c:659
input_dev_uevent+0x163/0x890 drivers/input/input.c:1594
dev_uevent+0x312/0x580 drivers/base/core.c:1008
kobject_uevent_env+0x487/0x1030 lib/kobject_uevent.c:547
kobject_uevent+0x20/0x26 lib/kobject_uevent.c:636
kobject_cleanup lib/kobject.c:649 [inline]
kobject_release lib/kobject.c:691 [inline]
kref_put include/linux/kref.h:70 [inline]
kobject_put.cold+0x177/0x2ec lib/kobject.c:708
put_device+0x20/0x30 drivers/base/core.c:2030
input_put_device include/linux/input.h:349 [inline]
evdev_free+0x51/0x70 drivers/input/evdev.c:369
device_release+0x7d/0x210 drivers/base/core.c:891
kobject_cleanup lib/kobject.c:662 [inline]
kobject_release lib/kobject.c:691 [inline]
kref_put include/linux/kref.h:70 [inline]
kobject_put.cold+0x28f/0x2ec lib/kobject.c:708
cdev_default_release+0x41/0x50 fs/char_dev.c:607
kobject_cleanup lib/kobject.c:662 [inline]
kobject_release lib/kobject.c:691 [inline]
kref_put include/linux/kref.h:70 [inline]
kobject_put.cold+0x28f/0x2ec lib/kobject.c:708
cdev_put.part.0+0x39/0x50 fs/char_dev.c:368
cdev_put+0x20/0x30 fs/char_dev.c:366
__fput+0x75d/0x8b0 fs/file_table.c:281
____fput+0x16/0x20 fs/file_table.c:309
task_work_run+0x14a/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x273/0x2c0 arch/x86/entry/common.c:166
prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
do_syscall_64+0x52d/0x610 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4129e1
Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 e4 1a 00 00 c3 48
83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48
89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007ffd8bbf9160 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000006 RCX: 00000000004129e1
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000005
RBP: 000000000073c900 R08: 00000000c37f9f6b R09: 000000000020fb87
R10: 00007ffd8bbf9230 R11: 0000000000000293 R12: 0000000000000001
R13: 000000000073c900 R14: 000000000020fbcc R15: 000000000073bf0c
Allocated by task 25895:
save_stack+0x45/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc mm/kasan/kasan.c:553 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:531
__do_kmalloc mm/slab.c:3727 [inline]
__kmalloc_track_caller+0x159/0x750 mm/slab.c:3742
kstrndup+0x5f/0xf0 mm/util.c:98
uinput_dev_setup+0x1d4/0x310 drivers/input/misc/uinput.c:475
uinput_ioctl_handler.isra.0+0x493/0x1c60 drivers/input/misc/uinput.c:886
uinput_ioctl+0x4a/0x60 drivers/input/misc/uinput.c:1049
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:501 [inline]
do_vfs_ioctl+0xd6e/0x1390 fs/ioctl.c:688
ksys_ioctl+0xab/0xd0 fs/ioctl.c:705
__do_sys_ioctl fs/ioctl.c:712 [inline]
__se_sys_ioctl fs/ioctl.c:710 [inline]
__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:710
do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 25895:
save_stack+0x45/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
__cache_free mm/slab.c:3503 [inline]
kfree+0xcf/0x230 mm/slab.c:3822
uinput_destroy_device+0xf8/0x250 drivers/input/misc/uinput.c:311
uinput_ioctl_handler.isra.0+0x15f/0x1c60 drivers/input/misc/uinput.c:882
uinput_ioctl+0x4a/0x60 drivers/input/misc/uinput.c:1049
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:501 [inline]
do_vfs_ioctl+0xd6e/0x1390 fs/ioctl.c:688
ksys_ioctl+0xab/0xd0 fs/ioctl.c:705
__do_sys_ioctl fs/ioctl.c:712 [inline]
__se_sys_ioctl fs/ioctl.c:710 [inline]
__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:710
do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff8880995d73c0
which belongs to the cache kmalloc-32 of size 32
The buggy address is located 0 bytes inside of
32-byte region [ffff8880995d73c0, ffff8880995d73e0)
The buggy address belongs to the page:
page:ffffea00026575c0 count:1 mapcount:0 mapping:ffff88812c3f01c0
index:0xffff8880995d7fc1
flags: 0x1fffc0000000100(slab)
raw: 01fffc0000000100 ffffea0002a1f008 ffffea000215f748 ffff88812c3f01c0
raw: ffff8880995d7fc1 ffff8880995d7000 000000010000003e 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880995d7280: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
ffff8880995d7300: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
> ffff8880995d7380: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
^
ffff8880995d7400: fb fb fb fb fc fc fc fc 00 00 fc fc fc fc fc fc
ffff8880995d7480: 06 fc fc fc fc fc fc fc 00 00 01 fc fc fc fc fc
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Apr 26, 2019, 7:48:06 AM4/26/19
to syzkaller...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: 68d7a45e Linux 4.14.113
syzbot found the following crash on:
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=162586f4a00000
kernel config: https://syzkaller.appspot.com/x/.config?x=dbf1fde4d7489e1c
dashboard link: https://syzkaller.appspot.com/bug?extid=6029a17962d7404ecd12
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+6029a1...@syzkaller.appspotmail.com
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
R13: 00000000004c362f R14: 00000000004d6ad0 R15: 0000000000000005
input: syz1 as /devices/virtual/input/input154
==================================================================
BUG: KASAN: use-after-free in string+0x1b1/0x1d0 lib/vsprintf.c:593
Read of size 1 at addr ffff8880a577f840 by task syz-executor.4/20889
CPU: 1 PID: 20889 Comm: syz-executor.4 Not tainted 4.14.113 #3
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
Google 01/01/2011
Call Trace:
dump_stack+0x138/0x19c lib/dump_stack.c:53
print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xaf/0x2b5 mm/kasan/report.c:393
__asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:427
string+0x1b1/0x1d0 lib/vsprintf.c:593
vsnprintf+0x75b/0x1570 lib/vsprintf.c:2181
add_uevent_var+0x126/0x290 lib/kobject_uevent.c:573
input_dev_uevent+0x159/0x750 drivers/input/input.c:1594
dev_uevent+0x2f5/0x540 drivers/base/core.c:932
kobject_uevent_env+0x45e/0xc41 lib/kobject_uevent.c:423
kobject_uevent+0x20/0x26 lib/kobject_uevent.c:550
kobject_cleanup lib/kobject.c:633 [inline]
kobject_release lib/kobject.c:675 [inline]
kref_put include/linux/kref.h:70 [inline]
kobject_put.cold+0x168/0x2ff lib/kobject.c:692
put_device+0x20/0x30 drivers/base/core.c:1954
input_put_device include/linux/input.h:349 [inline]
evdev_free+0x51/0x70 drivers/input/evdev.c:363
device_release+0x7d/0x1b0 drivers/base/core.c:820
kobject_cleanup lib/kobject.c:646 [inline]
kobject_release lib/kobject.c:675 [inline]
kref_put include/linux/kref.h:70 [inline]
kobject_put.cold+0x26f/0x2ff lib/kobject.c:692
cdev_default_release+0x41/0x50 fs/char_dev.c:607
kobject_cleanup lib/kobject.c:646 [inline]
kobject_release lib/kobject.c:675 [inline]
kref_put include/linux/kref.h:70 [inline]
kobject_put.cold+0x26f/0x2ff lib/kobject.c:692
cdev_put.part.0+0x39/0x50 fs/char_dev.c:368
cdev_put+0x20/0x30 fs/char_dev.c:366
__fput+0x64c/0x7a0 fs/file_table.c:214
cdev_put+0x20/0x30 fs/char_dev.c:366
____fput+0x16/0x20 fs/file_table.c:244
task_work_run+0x119/0x190 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:191 [inline]
exit_to_usermode_loop+0x1da/0x220 arch/x86/entry/common.c:163
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:267 [inline]
do_syscall_64+0x4a9/0x630 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x412b61
RSP: 002b:00007ffd76fce290 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000005 RCX: 0000000000412b61
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
RBP: 0000000000000001 R08: 000000004c6c24a0 R09: 000000004c6c24a4
R10: 00007ffd76fce370 R11: 0000000000000293 R12: 000000000073c900
R13: 000000000073c900 R14: 0000000000095db0 R15: 000000000073bfac
Allocated by task 20892:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:529
__do_kmalloc mm/slab.c:3720 [inline]
__kmalloc_track_caller+0x159/0x790 mm/slab.c:3735
kstrndup+0x50/0xd0 mm/util.c:98
uinput_dev_setup+0x187/0x2a0 drivers/input/misc/uinput.c:438
uinput_ioctl_handler.isra.0+0x422/0x18a0 drivers/input/misc/uinput.c:847
uinput_ioctl+0x4a/0x60 drivers/input/misc/uinput.c:1010
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:500 [inline]
do_vfs_ioctl+0x7b9/0x1070 fs/ioctl.c:684
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
do_syscall_64+0x1eb/0x630 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
Freed by task 20892:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x45/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kfree+0xcc/0x270 mm/slab.c:3815
uinput_destroy_device+0xeb/0x220 drivers/input/misc/uinput.c:266
uinput_ioctl_handler.isra.0+0x12f/0x18a0 drivers/input/misc/uinput.c:843
uinput_ioctl+0x4a/0x60 drivers/input/misc/uinput.c:1010
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:500 [inline]
do_vfs_ioctl+0x7b9/0x1070 fs/ioctl.c:684
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
do_syscall_64+0x1eb/0x630 arch/x86/entry/common.c:289
entry_SYSCALL_64_after_hwframe+0x42/0xb7
The buggy address belongs to the object at ffff8880a577f840
which belongs to the cache kmalloc-32 of size 32
The buggy address is located 0 bytes inside of
32-byte region [ffff8880a577f840, ffff8880a577f860)
The buggy address is located 0 bytes inside of
The buggy address belongs to the page:
page:ffffea000295dfc0 count:1 mapcount:0 mapping:ffff8880a577f000
index:0xffff8880a577ffc1
flags: 0x1fffc0000000100(slab)
raw: 01fffc0000000100 ffff8880a577f000 ffff8880a577ffc1 000000010000003d
raw: ffffea00024bc360 ffffea00022864e0 ffff8880aa8001c0 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880a577f700: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
Memory state around the buggy address:
ffff8880a577f780: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
> ffff8880a577f800: 00 00 01 fc fc fc fc fc fb fb fb fb fc fc fc fc
^
ffff8880a577f880: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
ffff8880a577f900: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
syzbot
Oct 23, 2019, 6:48:04 AM10/23/19
to syzkaller...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.
Crashes did not happen for a while, no reproducer and no activity.
syzbot
Oct 24, 2019, 12:08:04 AM10/24/19
to syzkaller...@googlegroups.com
Reply all
Reply to author
Forward
0 new messages