KASAN: use-after-free Read in tick_sched_handle


syzbot

Oct 31, 2017, 6:44:04 AM
to syzkaller-upst...@googlegroups.com
Hello,

syzkaller hit the following crash on
5d51332f20b270812376cf8751987e283f30de4a
git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.


CC: [fwei...@gmail.com tg...@linutronix.de mi...@kernel.org linux-...@vger.kernel.org]

device syz7 left promiscuous mode
device syz7 entered promiscuous mode
==================================================================
BUG: KASAN: use-after-free in tick_sched_handle+0x149/0x160 kernel/time/tick-sched.c:152
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 1331 Comm: kworker/0:2 Not tainted 4.13.0-rc5-next-20170816+ #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8801d2a4c500 task.stack: ffff8801d29b0000
RIP: 0010:__switch_to+0x8f2/0x1310 arch/x86/kernel/process_64.c:520
RSP: 0018:ffff8801d29b76a0 EFLAGS: 00010092
RAX: ffff8801cde761c0 RBX: ffff8801d8734644 RCX: 0000000000000000
RDX: 1ffff10039bcec38 RSI: 0000000000000001 RDI: ffffed003a536ec8
RBP: ffff8801d8734648 R08: 0000000000000001 R09: 1ffff10033fe5efb
R10: 0000001650af8d63 R11: 0000000000000000 R12: ffff8801c8e9a240
R13: ffff8801c5bfd440 R14: 0000000000000000 R15: ffff8801d2a4c500
FS: 0000000000000000(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000130 CR3: 000000019fe90000 CR4: 00000000001426f0
Call Trace:
Code: c7 41 24 00 00 00 00 48 83 e7 f8 48 29 f9 83 c1 2c c1 e9 03 f3 48 ab 48 81 c4 98 01 00 00 4c 89 e0 5b 41 5c 41 5d 41 5e 41 5f 5d <c3> e9 33 05 00 00 b8 2b 00 00 00 8e e0 41 8e e7 e9 74 fb ff ff
RIP: __switch_to+0x8f2/0x1310 arch/x86/kernel/process_64.c:520 RSP: ffff8801d29b76a0
---[ end trace ce6b4ee8aca4852a ]---
Kernel panic - not syncing: Fatal exception
Read of size 8 at addr ffff8801d2959a00 by task syz-executor1/14182

CPU: 1 PID: 14182 Comm: syz-executor1 Tainted: G D 4.13.0-rc5-next-20170816+ #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:16 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:52
print_address_description+0x73/0x250 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report+0x24e/0x340 mm/kasan/report.c:409
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430
tick_sched_handle+0x149/0x160 kernel/time/tick-sched.c:152
tick_sched_timer+0x42/0x120 kernel/time/tick-sched.c:1190
__run_hrtimer kernel/time/hrtimer.c:1213 [inline]
__hrtimer_run_queues+0x349/0xe10 kernel/time/hrtimer.c:1277
hrtimer_interrupt+0x1c2/0x5e0 kernel/time/hrtimer.c:1311
local_apic_timer_interrupt+0x6b/0xa0 arch/x86/kernel/apic/apic.c:1019
smp_apic_timer_interrupt+0x71/0xa0 arch/x86/kernel/apic/apic.c:1043
apic_timer_interrupt+0x9d/0xb0 arch/x86/entry/entry_64.S:783
</IRQ>

The buggy address belongs to the page:
page:ffffea00074a5640 count:0 mapcount:0 mapping: (null) index:0x0
flags: 0x200000000000000()
raw: 0200000000000000 0000000000000000 0000000000000000 00000000ffffffff
raw: dead000000000100 dead000000000200 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8801d2959900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8801d2959980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> ffff8801d2959a00: ff ff ff ff ff ff ff ff ff f1 f1 f1 f1 f8 f2 f2
                    ^
ffff8801d2959a80: f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2 f2 00 f2 f2
ffff8801d2959b00: f2 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00
==================================================================
Shutting down cpus with NMI
Dumping ftrace buffer:
(ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.
Please credit me with: Reported-by: syzbot

syzbot will keep track of this bug report.
Once a fix for this bug is committed, please reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line.
To upstream this report, please reply with:
#syz upstream
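Note that the console output above interleaves two CPUs: the general protection fault in __switch_to is CPU 0 (PID 1331), while the "BUG: KASAN" header and its "Read of size 8 at addr ffff8801d2959a00 by task syz-executor1/14182" line belong to the CPU 1 report. The quickest way to see what that read actually hit is to decode the "Memory state around the buggy address" block. The decoder below is an added example, not part of the syzbot report or of the kernel; it assumes generic KASAN's 8:1 shadow scale and the poison codes defined in mm/kasan/kasan.h for this kernel generation (0x00 addressable, 0x01 to 0x07 partially addressable, 0xff free page, 0xfb freed slab object, 0xf1/0xf2/0xf3 stack redzones, 0xf8 use-after-scope, and so on), and it embeds the report's own memory-state block as its sample input.

```python
"""Decode the 'Memory state around the buggy address' block of a KASAN report.

Added example, not from the syzbot report. One shadow byte describes 8 bytes
of kernel memory: 0x00 means all 8 are addressable, 0x01..0x07 means only
that many leading bytes are, anything >= 0x08 is a poison code.
"""
import re

SHADOW_SCALE = 8  # bytes of memory per shadow byte (KASAN_SHADOW_SCALE_SHIFT = 3)

# Poison codes from mm/kasan/kasan.h as of the 4.13 kernel in the report.
POISON = {
    0xFF: "free page (KASAN_FREE_PAGE)",
    0xFE: "page redzone (KASAN_PAGE_REDZONE)",
    0xFC: "kmalloc redzone (KASAN_KMALLOC_REDZONE)",
    0xFB: "freed slab object (KASAN_KMALLOC_FREE)",
    0xFA: "global redzone (KASAN_GLOBAL_REDZONE)",
    0xF1: "stack left redzone (KASAN_STACK_LEFT)",
    0xF2: "stack mid redzone (KASAN_STACK_MID)",
    0xF3: "stack right redzone (KASAN_STACK_RIGHT)",
    0xF4: "stack partial redzone (KASAN_STACK_PARTIAL)",
    0xF8: "use after scope (KASAN_USE_AFTER_SCOPE)",
}

# A dump line: optional '>' marker, 16-digit address, ':', up to 16 shadow bytes.
LINE_RE = re.compile(r"^\s*(>?)\s*([0-9a-f]{16}):((?:\s+[0-9a-f]{2}){1,16})\s*$", re.I)

# Copied verbatim from the report above; used as the sample input.
REPORT_SHADOW_BLOCK = """\
Memory state around the buggy address:
ffff8801d2959900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8801d2959980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> ffff8801d2959a00: ff ff ff ff ff ff ff ff ff f1 f1 f1 f1 f8 f2 f2
                    ^
ffff8801d2959a80: f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2 f2 00 f2 f2
ffff8801d2959b00: f2 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00
"""

REPORT_ACCESS_ADDR = 0xFFFF8801D2959A00  # "Read of size 8 at addr ..." in the report
REPORT_ACCESS_SIZE = 8


def parse_shadow_block(text):
    """Return {memory_address: shadow_byte} for every shadow byte in the dump.

    Each printed line starts at a 128-byte-aligned memory address and shows
    16 shadow bytes, i.e. the state of the following 128 bytes of memory.
    Header, '^' marker and unrelated console lines are skipped.
    """
    shadow = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        base = int(m.group(2), 16)
        for i, tok in enumerate(m.group(3).split()):
            shadow[base + i * SHADOW_SCALE] = int(tok, 16)
    return shadow


def describe_shadow(value):
    if value == 0:
        return "addressable (all 8 bytes)"
    if 1 <= value < SHADOW_SCALE:
        return "partially addressable (first %d bytes)" % value
    return POISON.get(value, "unknown poison 0x%02x" % value)


def classify_access(shadow, addr, size):
    """Describe every 8-byte granule touched by a `size`-byte access at `addr`.

    Returns a list of (granule_address, description, bad) where bad is True
    when the access touches poison or runs past the addressable prefix of a
    partially addressable granule, and None when the dump does not cover it.
    """
    result = []
    first = addr & ~(SHADOW_SCALE - 1)
    last = (addr + size - 1) & ~(SHADOW_SCALE - 1)
    for granule in range(first, last + 1, SHADOW_SCALE):
        if granule not in shadow:
            result.append((granule, "not shown in dump", None))
            continue
        value = shadow[granule]
        # Offset, within this granule, just past the last byte the access touches.
        end_in_granule = min(addr + size, granule + SHADOW_SCALE) - granule
        bad = value >= SHADOW_SCALE or (0 < value < end_in_granule)
        result.append((granule, describe_shadow(value), bad))
    return result


def first_bad_granule(shadow, addr, size):
    """Address of the first granule the access must not touch, or None."""
    for granule, _desc, bad in classify_access(shadow, addr, size):
        if bad:
            return granule
    return None


if __name__ == "__main__":
    shadow = parse_shadow_block(REPORT_SHADOW_BLOCK)
    for granule, desc, bad in classify_access(shadow, REPORT_ACCESS_ADDR, REPORT_ACCESS_SIZE):
        print("%016x: %s%s" % (granule, desc, "  <-- BAD" if bad else ""))
```

Run against the block from the report, the 8-byte read at ffff8801d2959a00 lands on a single granule whose shadow byte is 0xff, a freed page; that matches the "page:ffffea00074a5640 count:0" line in the page dump and means this is a use of a page-level allocation after it was returned to the page allocator, not a freed slab object (which would show 0xfb). The decoder also handles the partially-addressable case (shadow 0x01 to 0x07), where a short access can be fine while a full 8-byte access from the same address is not.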

Dmitry Vyukov

Oct 31, 2017, 7:38:17 AM
to syzbot, 'Dmitry Vyukov' via syzkaller-upstream-moderation
Happened once in August, no repro

#syz invalid

On Tue, Oct 31, 2017 at 1:44 PM, syzbot
<bot+f478ddeb77b4ff9ea5...@syzkaller.appspotmail.com>
wrote: