KASAN: slab-use-after-free in nfc_alloc_send_skb


Shuangpeng Bai

May 25, 2023, 3:01:55 PM5/25/23
to syzkaller, krzysztof...@linaro.org, da...@davemloft.net, edum...@google.com, ku...@kernel.org, pab...@redhat.com, net...@vger.kernel.org
Hi Kernel Maintainers,

Our tool found a new kernel bug, "KASAN: slab-use-after-free in nfc_alloc_send_skb". Please see the details below.

Kernel commit: v6.3
Kernel config: see attachment
C/Syz reproducer: see attachment
Full log: see attachment

Best,
Shuangpeng Bai

[   98.231331][ T8037] ==================================================================
[ 98.239909][ T8037] BUG: KASAN: slab-use-after-free in nfc_alloc_send_skb (linux/net/nfc/core.c:722)
[   98.240741][ T8037] Read of size 4 at addr ffff88804608f548 by task a.out/8037
[   98.242313][ T8037]
[   98.242859][ T8037] CPU: 0 PID: 8037 Comm: a.out Not tainted 6.3.0-dirty #8
[   98.244257][ T8037] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[   98.246565][ T8037] Call Trace:
[   98.247334][ T8037]  <TASK>
[ 98.247932][ T8037] dump_stack_lvl (linux/lib/dump_stack.c:107)
[ 98.248966][ T8037] print_report (linux/mm/kasan/report.c:320 linux/mm/kasan/report.c:430)
[ 98.250113][ T8037] ? __virt_addr_valid (linux/arch/x86/mm/physaddr.c:66)
[ 98.252299][ T8037] ? __phys_addr (linux/arch/x86/mm/physaddr.c:32 (discriminator 4))
[ 98.254249][ T8037] ? nfc_alloc_send_skb (linux/net/nfc/core.c:722)
[ 98.255322][ T8037] kasan_report (linux/mm/kasan/report.c:538)
[ 98.257417][ T8037] ? nfc_alloc_send_skb (linux/net/nfc/core.c:722)
[ 98.258595][ T8037] nfc_alloc_send_skb (linux/net/nfc/core.c:722)
[ 98.259689][ T8037] nfc_llcp_send_ui_frame (linux/net/nfc/llcp_commands.c:761)
[ 98.260828][ T8037] ? nfc_llcp_send_i_frame (linux/net/nfc/llcp_commands.c:724)
[ 98.262018][ T8037] ? llcp_sock_sendmsg (linux/net/nfc/llcp_sock.c:807)
[ 98.263166][ T8037] ? __local_bh_enable_ip (linux/./arch/x86/include/asm/irqflags.h:42 linux/./arch/x86/include/asm/irqflags.h:77 linux/kernel/softirq.c:401)
[ 98.264346][ T8037] llcp_sock_sendmsg (linux/net/nfc/llcp_sock.c:807)
[ 98.265469][ T8037] ? llcp_sock_bind (linux/net/nfc/llcp_sock.c:775)
[ 98.266783][ T8037] sock_sendmsg (linux/net/socket.c:727 linux/net/socket.c:747)
[ 98.267774][ T8037] ____sys_sendmsg (linux/net/socket.c:2506)
[ 98.268804][ T8037] ? kernel_sendmsg (linux/net/socket.c:2448)
[ 98.269827][ T8037] ? __copy_msghdr (linux/net/socket.c:2428)
[ 98.270837][ T8037] ___sys_sendmsg (linux/net/socket.c:2557)
[ 98.271834][ T8037] ? do_recvmmsg (linux/net/socket.c:2544)
[ 98.272717][ T8037] ? find_held_lock (linux/kernel/locking/lockdep.c:5159)
[ 98.273785][ T8037] ? page_ext_put (linux/./include/linux/rcupdate.h:805 linux/mm/page_ext.c:192)
[ 98.274675][ T8037] ? lock_downgrade (linux/kernel/locking/lockdep.c:5677)
[ 98.275554][ T8037] ? lock_downgrade (linux/kernel/locking/lockdep.c:5677)
[ 98.309854][ T8037] ? __fget_light (linux/fs/file.c:1027)
[ 98.310772][ T8037] ? sockfd_lookup_light (linux/net/socket.c:565)
[ 98.311774][ T8037] __sys_sendmmsg (linux/net/socket.c:2644)
[ 98.312695][ T8037] ? __ia32_sys_sendmsg (linux/net/socket.c:2602)
[ 98.313694][ T8037] ? __up_read (linux/./arch/x86/include/asm/preempt.h:104 linux/kernel/locking/rwsem.c:1354)
[ 98.314568][ T8037] ? up_write (linux/kernel/locking/rwsem.c:1339)
[ 98.315379][ T8037] ? handle_mm_fault (linux/mm/memory.c:5230)
[ 98.316306][ T8037] __x64_sys_sendmmsg (linux/net/socket.c:2667)
[ 98.317258][ T8037] ? syscall_enter_from_user_mode (linux/./arch/x86/include/asm/irqflags.h:42 linux/./arch/x86/include/asm/irqflags.h:77 linux/kernel/entry/common.c:111)
[ 98.318383][ T8037] do_syscall_64 (linux/arch/x86/entry/common.c:50 linux/arch/x86/entry/common.c:80)
[ 98.319242][ T8037] entry_SYSCALL_64_after_hwframe (linux/arch/x86/entry/entry_64.S:120)
[   98.320425][ T8037] RIP: 0033:0x7fef082e4469
[ 98.321304][ T8037] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ff 49 2b 00 f7 d8 64 89 01 48
All code
========
   0: 00 f3                 add    %dh,%bl
   2: c3                   ret    
   3: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)
   a: 00 00 00
   d: 0f 1f 40 00           nopl   0x0(%rax)
  11: 48 89 f8             mov    %rdi,%rax
  14: 48 89 f7             mov    %rsi,%rdi
  17: 48 89 d6             mov    %rdx,%rsi
  1a: 48 89 ca             mov    %rcx,%rdx
  1d: 4d 89 c2             mov    %r8,%r10
  20: 4d 89 c8             mov    %r9,%r8
  23: 4c 8b 4c 24 08       mov    0x8(%rsp),%r9
  28: 0f 05                 syscall
  2a:* 48 3d 01 f0 ff ff     cmp    $0xfffffffffffff001,%rax <-- trapping instruction
  30: 73 01                 jae    0x33
  32: c3                   ret    
  33: 48 8b 0d ff 49 2b 00 mov    0x2b49ff(%rip),%rcx        # 0x2b4a39
  3a: f7 d8                 neg    %eax
  3c: 64 89 01             mov    %eax,%fs:(%rcx)
  3f: 48                   rex.W

Code starting with the faulting instruction
===========================================
   0: 48 3d 01 f0 ff ff     cmp    $0xfffffffffffff001,%rax
   6: 73 01                 jae    0x9
   8: c3                   ret    
   9: 48 8b 0d ff 49 2b 00 mov    0x2b49ff(%rip),%rcx        # 0x2b4a0f
  10: f7 d8                 neg    %eax
  12: 64 89 01             mov    %eax,%fs:(%rcx)
  15: 48                   rex.W
[   98.325023][ T8037] RSP: 002b:00007fff84a9f298 EFLAGS: 00000287 ORIG_RAX: 0000000000000133
[   98.341308][ T8037] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fef082e4469
[   98.342845][ T8037] RDX: 000000000000000a RSI: 0000000020008a80 RDI: 0000000000000004
[   98.344299][ T8037] RBP: 00007fff84a9f2b0 R08: 00007fff84a9f390 R09: 00007fff84a9f390
[   98.345876][ T8037] R10: 0000000000000004 R11: 0000000000000287 R12: 000055fee44005e0
[   98.347400][ T8037] R13: 00007fff84a9f390 R14: 0000000000000000 R15: 0000000000000000
[   98.348934][ T8037]  </TASK>
[   98.349545][ T8037]
[   98.350010][ T8037] Allocated by task 8037:
[ 98.351087][ T8037] kasan_save_stack (linux/mm/kasan/common.c:46)
[ 98.352451][ T8037] kasan_set_track (linux/mm/kasan/common.c:52)
[ 98.353698][ T8037] __kasan_kmalloc (linux/mm/kasan/common.c:374 linux/mm/kasan/common.c:333 linux/mm/kasan/common.c:383)
[ 98.354588][ T8037] nfc_allocate_device (linux/net/nfc/core.c:1066 linux/net/nfc/core.c:1051)
[ 98.355946][ T8037] nci_allocate_device (linux/net/nfc/nci/core.c:1174)
[ 98.356925][ T8037] virtual_ncidev_open (linux/drivers/nfc/virtual_ncidev.c:136)
[ 98.358047][ T8037] misc_open (linux/drivers/char/misc.c:165)
[ 98.359104][ T8037] chrdev_open (linux/fs/char_dev.c:415)
[ 98.360001][ T8037] do_dentry_open (linux/fs/open.c:921)
[ 98.360951][ T8037] path_openat (linux/fs/namei.c:3561 linux/fs/namei.c:3715)
[ 98.361844][ T8037] do_filp_open (linux/fs/namei.c:3743)
[ 98.362757][ T8037] do_sys_openat2 (linux/fs/open.c:1349)
[ 98.378238][ T8037] __x64_sys_openat (linux/fs/open.c:1375)
[ 98.379246][ T8037] do_syscall_64 (linux/arch/x86/entry/common.c:50 linux/arch/x86/entry/common.c:80)
[ 98.380140][ T8037] entry_SYSCALL_64_after_hwframe (linux/arch/x86/entry/entry_64.S:120)
[   98.381357][ T8037]
[   98.381815][ T8037] Freed by task 8037:
[ 98.382613][ T8037] kasan_save_stack (linux/mm/kasan/common.c:46)
[ 98.383587][ T8037] kasan_set_track (linux/mm/kasan/common.c:52)
[ 98.384493][ T8037] kasan_save_free_info (linux/mm/kasan/generic.c:523)
[ 98.397617][ T8037] ____kasan_slab_free (linux/mm/kasan/common.c:238 linux/mm/kasan/common.c:200)
[ 98.398597][ T8037] __kmem_cache_free (linux/mm/slab.c:3390 linux/mm/slab.c:3577 linux/mm/slab.c:3584)
[ 98.399538][ T8037] device_release (linux/drivers/base/core.c:2440)
[ 98.400474][ T8037] kobject_put (linux/lib/kobject.c:685 linux/lib/kobject.c:712 linux/./include/linux/kref.h:65 linux/lib/kobject.c:729)
[ 98.401359][ T8037] put_device (linux/drivers/base/core.c:3698)
[ 98.402184][ T8037] nci_free_device (linux/net/nfc/nci/core.c:1205)
[ 98.403073][ T8037] virtual_ncidev_close (linux/drivers/nfc/virtual_ncidev.c:165)
[ 98.404022][ T8037] __fput (linux/fs/file_table.c:322)
[ 98.404798][ T8037] task_work_run (linux/kernel/task_work.c:181 (discriminator 1))
[ 98.405700][ T8037] exit_to_user_mode_prepare (linux/./include/linux/resume_user_mode.h:49 linux/kernel/entry/common.c:171 linux/kernel/entry/common.c:204)
[ 98.406698][ T8037] syscall_exit_to_user_mode (linux/kernel/entry/common.c:130 linux/kernel/entry/common.c:299)
[ 98.407625][ T8037] do_syscall_64 (linux/arch/x86/entry/common.c:87)
[ 98.408393][ T8037] entry_SYSCALL_64_after_hwframe (linux/arch/x86/entry/entry_64.S:120)
[   98.422429][ T8037]
[   98.422904][ T8037] The buggy address belongs to the object at ffff88804608f000
[   98.422904][ T8037]  which belongs to the cache kmalloc-2k of size 2048
[   98.425650][ T8037] The buggy address is located 1352 bytes inside of
[   98.425650][ T8037]  freed 2048-byte region [ffff88804608f000, ffff88804608f800)
[   98.428327][ T8037]
[   98.428804][ T8037] The buggy address belongs to the physical page:
[   98.430062][ T8037] page:ffffea00011823c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4608f
[   98.432017][ T8037] flags: 0x4fff00000000200(slab|node=1|zone=1|lastcpupid=0x7ff)
[   98.433516][ T8037] raw: 04fff00000000200 ffff888012440800 ffffea0001236a90 ffffea00011617d0
[   98.435224][ T8037] raw: 0000000000000000 ffff88804608f000 0000000100000001 0000000000000000
[   98.436849][ T8037] page dumped because: kasan: bad access detected
[   98.438104][ T8037] page_owner tracks the page as allocated
[   98.439179][ T8037] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2420c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_COMP|__GFP_THISNODE), pid 8037, tgid 8037 (a.out), ts 98112854772, free_ts 98092146308
[ 98.442924][ T8037] post_alloc_hook (linux/./include/linux/page_owner.h:31 linux/mm/page_alloc.c:2546)
[ 98.443871][ T8037] get_page_from_freelist (linux/mm/page_alloc.c:2555 linux/mm/page_alloc.c:4326)
[ 98.444956][ T8037] __alloc_pages (linux/mm/page_alloc.c:5593)
[ 98.445902][ T8037] cache_grow_begin (linux/mm/slab.c:1361 linux/mm/slab.c:2570)
[ 98.446920][ T8037] cache_alloc_refill (linux/mm/slab.c:394 linux/mm/slab.c:2949)
[ 98.448635][ T8037] __kmem_cache_alloc_node (linux/mm/slab.c:3019 linux/mm/slab.c:3002 linux/mm/slab.c:3202 linux/mm/slab.c:3250 linux/mm/slab.c:3541)
[ 98.470085][ T8037] kmalloc_trace (linux/mm/slab_common.c:1064)
[ 98.471586][ T8037] nfc_allocate_device (linux/net/nfc/core.c:1066 linux/net/nfc/core.c:1051)
[ 98.473392][ T8037] nci_allocate_device (linux/net/nfc/nci/core.c:1174)
[ 98.475061][ T8037] virtual_ncidev_open (linux/drivers/nfc/virtual_ncidev.c:136)
[ 98.476718][ T8037] misc_open (linux/drivers/char/misc.c:165)
[ 98.478182][ T8037] chrdev_open (linux/fs/char_dev.c:415)
[ 98.479553][ T8037] do_dentry_open (linux/fs/open.c:921)
[ 98.481107][ T8037] path_openat (linux/fs/namei.c:3561 linux/fs/namei.c:3715)
[ 98.482591][ T8037] do_filp_open (linux/fs/namei.c:3743)
[ 98.484038][ T8037] do_sys_openat2 (linux/fs/open.c:1349)
[   98.485512][ T8037] page last free stack trace:
[ 98.486996][ T8037] free_pcp_prepare (linux/./include/linux/page_owner.h:24 linux/mm/page_alloc.c:1454 linux/mm/page_alloc.c:1504)
[ 98.488490][ T8037] free_unref_page_list (linux/mm/page_alloc.c:3388 linux/mm/page_alloc.c:3529)
[ 98.490202][ T8037] release_pages (linux/mm/swap.c:961)
[ 98.492085][ T8037] tlb_batch_pages_flush (linux/mm/mmu_gather.c:98 (discriminator 1))
[ 98.494165][ T8037] tlb_finish_mmu (linux/mm/mmu_gather.c:111 linux/mm/mmu_gather.c:394)
[ 98.495963][ T8037] exit_mmap (linux/mm/mmap.c:3047)
[ 98.497493][ T8037] __mmput (linux/kernel/fork.c:1209)
[ 98.499017][ T8037] mmput (linux/kernel/fork.c:1231)
[ 98.500386][ T8037] begin_new_exec (linux/fs/exec.c:1297)
[ 98.502304][ T8037] load_elf_binary (linux/fs/binfmt_elf.c:1002)
[ 98.504152][ T8037] bprm_execve (linux/fs/exec.c:1738 linux/fs/exec.c:1778 linux/fs/exec.c:1853 linux/fs/exec.c:1809)
[ 98.505935][ T8037] do_execveat_common.isra.0 (linux/fs/exec.c:1960)
[ 98.508201][ T8037] __x64_sys_execve (linux/fs/exec.c:2105)
[ 98.510065][ T8037] do_syscall_64 (linux/arch/x86/entry/common.c:50 linux/arch/x86/entry/common.c:80)
[ 98.511798][ T8037] entry_SYSCALL_64_after_hwframe (linux/arch/x86/entry/entry_64.S:120)
[   98.514060][ T8037]
[   98.514970][ T8037] Memory state around the buggy address:
[   98.517202][ T8037]  ffff88804608f400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   98.520174][ T8037]  ffff88804608f480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   98.523195][ T8037] >ffff88804608f500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   98.525974][ T8037]                                               ^
[   98.528088][ T8037]  ffff88804608f580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   98.530832][ T8037]  ffff88804608f600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   98.533565][ T8037] ==================================================================
[   98.679377][ T8037] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   98.695828][ T8037] CPU: 1 PID: 8037 Comm: a.out Not tainted 6.3.0-dirty #8
[   98.698228][ T8037] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[   98.701149][ T8037] Call Trace:
[   98.702263][ T8037]  <TASK>
[ 98.703224][ T8037] dump_stack_lvl (linux/lib/dump_stack.c:107)
[ 98.704754][ T8037] panic (linux/kernel/panic.c:340)
[ 98.706148][ T8037] ? panic_smp_self_stop+0x90/0x90
[ 98.707896][ T8037] ? preempt_schedule_thunk (linux/arch/x86/entry/thunk_64.S:34)
[ 98.709633][ T8037] ? preempt_schedule_common (linux/./arch/x86/include/asm/preempt.h:85 linux/kernel/sched/core.c:6796)
[ 98.711356][ T8037] check_panic_on_warn (linux/kernel/panic.c:236)
[ 98.712944][ T8037] end_report (linux/mm/kasan/report.c:190)
[ 98.714313][ T8037] ? nfc_alloc_send_skb (linux/net/nfc/core.c:722)
[ 98.716027][ T8037] kasan_report (linux/./arch/x86/include/asm/smap.h:56 linux/mm/kasan/report.c:541)
[ 98.717363][ T8037] ? nfc_alloc_send_skb (linux/net/nfc/core.c:722)
[ 98.718990][ T8037] nfc_alloc_send_skb (linux/net/nfc/core.c:722)
[ 98.720565][ T8037] nfc_llcp_send_ui_frame (linux/net/nfc/llcp_commands.c:761)
[ 98.722166][ T8037] ? nfc_llcp_send_i_frame (linux/net/nfc/llcp_commands.c:724)
[ 98.723719][ T8037] ? llcp_sock_sendmsg (linux/net/nfc/llcp_sock.c:807)
[ 98.725118][ T8037] ? __local_bh_enable_ip (linux/./arch/x86/include/asm/irqflags.h:42 linux/./arch/x86/include/asm/irqflags.h:77 linux/kernel/softirq.c:401)
[ 98.726592][ T8037] llcp_sock_sendmsg (linux/net/nfc/llcp_sock.c:807)
[ 98.727966][ T8037] ? llcp_sock_bind (linux/net/nfc/llcp_sock.c:775)
[ 98.729367][ T8037] sock_sendmsg (linux/net/socket.c:727 linux/net/socket.c:747)
[ 98.730861][ T8037] ____sys_sendmsg (linux/net/socket.c:2506)
[ 98.732436][ T8037] ? kernel_sendmsg (linux/net/socket.c:2448)
[ 98.734089][ T8037] ? __copy_msghdr (linux/net/socket.c:2428)
[ 98.735446][ T8037] ___sys_sendmsg (linux/net/socket.c:2557)
[ 98.736958][ T8037] ? do_recvmmsg (linux/net/socket.c:2544)
[ 98.738487][ T8037] ? find_held_lock (linux/kernel/locking/lockdep.c:5159)
[ 98.740067][ T8037] ? page_ext_put (linux/./include/linux/rcupdate.h:805 linux/mm/page_ext.c:192)
[ 98.741510][ T8037] ? lock_downgrade (linux/kernel/locking/lockdep.c:5677)
[ 98.742935][ T8037] ? lock_downgrade (linux/kernel/locking/lockdep.c:5677)
[ 98.744287][ T8037] ? __fget_light (linux/fs/file.c:1027)
[ 98.745587][ T8037] ? sockfd_lookup_light (linux/net/socket.c:565)
[ 98.747041][ T8037] __sys_sendmmsg (linux/net/socket.c:2644)
[ 98.748362][ T8037] ? __ia32_sys_sendmsg (linux/net/socket.c:2602)
[ 98.749825][ T8037] ? __up_read (linux/./arch/x86/include/asm/preempt.h:104 linux/kernel/locking/rwsem.c:1354)
[ 98.751091][ T8037] ? up_write (linux/kernel/locking/rwsem.c:1339)
[ 98.752314][ T8037] ? handle_mm_fault (linux/mm/memory.c:5230)
[ 98.753668][ T8037] __x64_sys_sendmmsg (linux/net/socket.c:2667)
[ 98.755021][ T8037] ? syscall_enter_from_user_mode (linux/./arch/x86/include/asm/irqflags.h:42 linux/./arch/x86/include/asm/irqflags.h:77 linux/kernel/entry/common.c:111)
[ 98.756678][ T8037] do_syscall_64 (linux/arch/x86/entry/common.c:50 linux/arch/x86/entry/common.c:80)
[ 98.757957][ T8037] entry_SYSCALL_64_after_hwframe (linux/arch/x86/entry/entry_64.S:120)
[   98.759589][ T8037] RIP: 0033:0x7fef082e4469
[ 98.760853][ T8037] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ff 49 2b 00 f7 d8 64 89 01 48
All code
========
   0: 00 f3                 add    %dh,%bl
   2: c3                   ret    
   3: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)
   a: 00 00 00
   d: 0f 1f 40 00           nopl   0x0(%rax)
  11: 48 89 f8             mov    %rdi,%rax
  14: 48 89 f7             mov    %rsi,%rdi
  17: 48 89 d6             mov    %rdx,%rsi
  1a: 48 89 ca             mov    %rcx,%rdx
  1d: 4d 89 c2             mov    %r8,%r10
  20: 4d 89 c8             mov    %r9,%r8
  23: 4c 8b 4c 24 08       mov    0x8(%rsp),%r9
  28: 0f 05                 syscall
  2a:* 48 3d 01 f0 ff ff     cmp    $0xfffffffffffff001,%rax <-- trapping instruction
  30: 73 01                 jae    0x33
  32: c3                   ret    
  33: 48 8b 0d ff 49 2b 00 mov    0x2b49ff(%rip),%rcx        # 0x2b4a39
  3a: f7 d8                 neg    %eax
  3c: 64 89 01             mov    %eax,%fs:(%rcx)
  3f: 48                   rex.W

Code starting with the faulting instruction
===========================================
   0: 48 3d 01 f0 ff ff     cmp    $0xfffffffffffff001,%rax
   6: 73 01                 jae    0x9
   8: c3                   ret    
   9: 48 8b 0d ff 49 2b 00 mov    0x2b49ff(%rip),%rcx        # 0x2b4a0f
  10: f7 d8                 neg    %eax
  12: 64 89 01             mov    %eax,%fs:(%rcx)
  15: 48                   rex.W
[   98.766391][ T8037] RSP: 002b:00007fff84a9f298 EFLAGS: 00000287 ORIG_RAX: 0000000000000133
[   98.768820][ T8037] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fef082e4469
[   98.770744][ T8037] RDX: 000000000000000a RSI: 0000000020008a80 RDI: 0000000000000004
[   98.772649][ T8037] RBP: 00007fff84a9f2b0 R08: 00007fff84a9f390 R09: 00007fff84a9f390
[   98.774495][ T8037] R10: 0000000000000004 R11: 0000000000000287 R12: 000055fee44005e0
[   98.776383][ T8037] R13: 00007fff84a9f390 R14: 0000000000000000 R15: 0000000000000000
[   98.778258][ T8037]  </TASK>
[   98.779056][ T8037] Kernel Offset: disabled
[   98.780043][ T8037] Rebooting in 86400 seconds..



report.log
.config
repro.cprog

Shuangpeng Bai

Mar 27, 2024, 3:49:28 PMMar 27
to syzkaller
Hi kernel maintainers,  

It seems the bug "KASAN: slab-use-after-free in nfc_alloc_send_skb" has been fixed by the commit titled "nfc: llcp_core: Hold a ref to llcp_local->dev when holding a ref to llcp_local".

We will close this thread. Thank you!

Best, 
Shuangpeng Bai 
