KASAN: use-after-free Read in snd_timer_interrupt


syzbot

Oct 27, 2017, 3:24:03 AM
to syzkaller-upst...@googlegroups.com
Hello,

syzkaller hit the following crash on
720bbe532b7c8f5613b48dea627fc58ed9ace707
git://git.cmpxchg.org/linux-mmots.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.

syzkaller reproducer is attached. See https://goo.gl/kgGztJ
for information about syzkaller reproducers
CC: [ak...@linux-foundation.org alsa-...@alsa-project.org
arvind....@gmail.com bro...@kernel.org dan.ca...@oracle.com
da...@davemloft.net gre...@linuxfoundation.org linux-...@vger.kernel.org
mch...@kernel.org mi...@kernel.org pe...@perex.cz ti...@suse.com]

BUG: KASAN: use-after-free in snd_timer_interrupt+0x1510/0x1520 sound/core/timer.c:810
Read of size 4 at addr ffff8801d11a2310 by task syz-executor5/9916

CPU: 0 PID: 9916 Comm: syz-executor5 Not tainted 4.13.0-mm1+ #7
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:16 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:52
print_address_description+0x73/0x250 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report+0x24e/0x340 mm/kasan/report.c:409
__asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:429
snd_timer_interrupt+0x1510/0x1520 sound/core/timer.c:810
snd_timer_s_function+0xbd/0x120 sound/core/timer.c:1043
call_timer_fn+0x246/0x850 kernel/time/timer.c:1281
expire_timers kernel/time/timer.c:1320 [inline]
__run_timers+0x7fd/0xb90 kernel/time/timer.c:1620
run_timer_softirq+0x4c/0xb0 kernel/time/timer.c:1646
__do_softirq+0x2bb/0xbd0 kernel/softirq.c:284
invoke_softirq kernel/softirq.c:364 [inline]
irq_exit+0x1d3/0x210 kernel/softirq.c:405
exiting_irq arch/x86/include/asm/apic.h:638 [inline]
smp_apic_timer_interrupt+0x177/0x710 arch/x86/kernel/apic/apic.c:1048
apic_timer_interrupt+0x9d/0xb0 arch/x86/entry/entry_64.S:770
</IRQ>
RIP: 0010:arch_local_irq_enable arch/x86/include/asm/paravirt.h:787 [inline]
RIP: 0010:__raw_spin_unlock_irq include/linux/spinlock_api_smp.h:168 [inline]
RIP: 0010:_raw_spin_unlock_irq+0x56/0x70 kernel/locking/spinlock.c:199
RSP: 0018:ffff8801d6917220 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff10
RAX: dffffc0000000000 RBX: ffff8801db225c00 RCX: 0000000000000000
RDX: 1ffffffff0b592ff RSI: 0000000000000001 RDI: ffffffff85ac97f8
RBP: ffff8801d6917228 R08: ffff8801d6916ba8 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801cf65c500
R13: 1ffff1003ad22e4d R14: ffff8801cff76300 R15: ffff8801cff76300
finish_lock_switch kernel/sched/sched.h:1335 [inline]
finish_task_switch+0x1d3/0x740 kernel/sched/core.c:2657
context_switch kernel/sched/core.c:2793 [inline]
__schedule+0x8f0/0x2070 kernel/sched/core.c:3366
schedule+0x108/0x440 kernel/sched/core.c:3425
freezable_schedule include/linux/freezer.h:171 [inline]
futex_wait_queue_me+0x3ed/0x7e0 kernel/futex.c:2459
futex_wait+0x357/0xa00 kernel/futex.c:2574
do_futex+0x10c6/0x2130 kernel/futex.c:3455
SYSC_futex kernel/futex.c:3515 [inline]
SyS_futex+0x260/0x390 kernel/futex.c:3483
entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x451e59
RSP: 002b:0000000000a6f918 EFLAGS: 00000206 ORIG_RAX: 00000000000000ca
RAX: ffffffffffffffda RBX: 00000000007180dc RCX: 0000000000451e59
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000007180dc
RBP: 0000000000000082 R08: 00000000007180b0 R09: 000000030001dce9
R10: 0000000000a6f980 R11: 0000000000000206 R12: 0000000000000000
R13: 0000000000a6f7ef R14: 00007f78708069c0 R15: 0000000000000002

Allocated by task 9922:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
kmem_cache_alloc_trace+0x136/0x750 mm/slab.c:3627
kmalloc include/linux/slab.h:493 [inline]
kzalloc include/linux/slab.h:666 [inline]
snd_timer_instance_new+0xda/0x610 sound/core/timer.c:108
snd_timer_open+0x902/0x1790 sound/core/timer.c:291
snd_timer_user_tselect sound/core/timer.c:1655 [inline]
__snd_timer_user_ioctl sound/core/timer.c:1918 [inline]
snd_timer_user_ioctl+0x96f/0x32e0 sound/core/timer.c:1948
vfs_ioctl fs/ioctl.c:45 [inline]
do_vfs_ioctl+0x1b1/0x1530 fs/ioctl.c:685
SYSC_ioctl fs/ioctl.c:700 [inline]
SyS_ioctl+0x8f/0xc0 fs/ioctl.c:691
entry_SYSCALL_64_fastpath+0x1f/0xbe

Freed by task 9935:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3503 [inline]
kfree+0xca/0x250 mm/slab.c:3820
snd_timer_close+0x888/0xf20 sound/core/timer.c:374
snd_timer_user_tselect sound/core/timer.c:1645 [inline]
__snd_timer_user_ioctl sound/core/timer.c:1918 [inline]
snd_timer_user_ioctl+0x80d/0x32e0 sound/core/timer.c:1948
vfs_ioctl fs/ioctl.c:45 [inline]
do_vfs_ioctl+0x1b1/0x1530 fs/ioctl.c:685
SYSC_ioctl fs/ioctl.c:700 [inline]
SyS_ioctl+0x8f/0xc0 fs/ioctl.c:691
entry_SYSCALL_64_fastpath+0x1f/0xbe

The buggy address belongs to the object at ffff8801d11a2300
which belongs to the cache kmalloc-256 of size 256
The buggy address is located 16 bytes inside of
256-byte region [ffff8801d11a2300, ffff8801d11a2400)
The buggy address belongs to the page:
page:ffffea0007446880 count:1 mapcount:0 mapping:ffff8801d11a2080 index:0x0
flags: 0x200000000000100(slab)
raw: 0200000000000100 ffff8801d11a2080 0000000000000000 000000010000000c
raw: ffffea000763b060 ffffea00074155a0 ffff8801dac007c0 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8801d11a2200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8801d11a2280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
> ffff8801d11a2300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8801d11a2380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8801d11a2400: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
==================================================================


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.

syzbot will keep track of this bug report.
Once a fix for this bug is committed, please reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug report.
To upstream this report, please reply with:
#syz upstream
config.txt
raw.log
repro.txt

Dmitry Vyukov

Oct 27, 2017, 4:15:39 AM
to syzbot, 'Dmitry Vyukov' via syzkaller-upstream-moderation
Last happened on Sep 14, does not reproduce anymore.

#syz invalid


On Fri, Oct 27, 2017 at 9:24 AM, syzbot
<bot+468fb09240f7574b12...@syzkaller.appspotmail.com>
wrote: