Hello,
The following program causes use-after-free in n_tty_receive_buf_fast:
https://gist.githubusercontent.com/dvyukov/ac81bed0238f280ddf9067e6234cd8b0/raw/791c07ac0cdb27e2e399464d68fa0234d2aa8bd1/gistfile1.txt
BUG: KASAN: use-after-free in n_tty_receive_buf_common+0x1ea9/0x24a0
at addr ffff88006555dcb0
Read of size 1 by task syz-executor/17003
CPU: 0 PID: 17003 Comm: syz-executor Not tainted 4.8.0-rc3-next-20160825+ #8
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
ffffffff886b6fe0 ffff8800657af628 ffffffff82db38d9 ffffffff8a0e3200
fffffbfff10d6dfc ffff88003e800a00 ffff88006555dbc0 ffff88006555fbc0
000000000000000d dffffc0000000000 ffff8800657af650 ffffffff81809e7c
Call Trace:
[<ffffffff8180a3ee>] __asan_report_load1_noabort+0x3e/0x40
mm/kasan/report.c:319
[< inline >] n_tty_receive_buf_fast drivers/tty/n_tty.c:1575
[< inline >] __receive_buf drivers/tty/n_tty.c:1613
[<ffffffff83234cd9>] n_tty_receive_buf_common+0x1ea9/0x24a0
drivers/tty/n_tty.c:1711
[<ffffffff83235303>] n_tty_receive_buf2+0x33/0x40 drivers/tty/n_tty.c:1746
[<ffffffff8323b2a9>] tty_ldisc_receive_buf+0xa9/0x1b0
drivers/tty/tty_buffer.c:429
[<ffffffff832616de>] paste_selection+0x27e/0x3e0
[<ffffffff8327f286>] tioclinux+0x126/0x410 drivers/tty/vt/vt.c:2683
[<ffffffff8325c1ef>] vt_ioctl+0x13ef/0x2910 drivers/tty/vt/vt_ioctl.c:365
[<ffffffff832245cd>] tty_ioctl+0x69d/0x21e0 drivers/tty/tty_io.c:2983
[< inline >] vfs_ioctl fs/ioctl.c:43
[<ffffffff818a1dfc>] do_vfs_ioctl+0x18c/0x1080 fs/ioctl.c:675
[< inline >] SYSC_ioctl fs/ioctl.c:690
[<ffffffff818a2d7f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:681
[<ffffffff810088ff>] do_syscall_64+0x1df/0x640 arch/x86/entry/common.c:288
[<ffffffff86e107c3>] entry_SYSCALL64_slow_path+0x25/0x25
Object at ffff88006555dbc0, in cache kmalloc-8192 size: 8192
Allocated:
PID = 17003
[<ffffffff8122fc96>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
[<ffffffff81809266>] save_stack+0x46/0xd0 mm/kasan/kasan.c:479
[< inline >] set_track mm/kasan/kasan.c:491
[<ffffffff818094dd>] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:582
[< inline >] __do_kmalloc mm/slab.c:3742
[<ffffffff8180428e>] __kmalloc+0x15e/0x7a0 mm/slab.c:3751
[< inline >] kmalloc include/linux/slab.h:495
[<ffffffff83260b69>] set_selection+0x559/0xe50 drivers/tty/vt/selection.c:298
[<ffffffff8327f270>] tioclinux+0x110/0x410 drivers/tty/vt/vt.c:2679
[<ffffffff8325c1ef>] vt_ioctl+0x13ef/0x2910 drivers/tty/vt/vt_ioctl.c:365
[<ffffffff832245cd>] tty_ioctl+0x69d/0x21e0 drivers/tty/tty_io.c:2983
[< inline >] vfs_ioctl fs/ioctl.c:43
[<ffffffff818a1dfc>] do_vfs_ioctl+0x18c/0x1080 fs/ioctl.c:675
[< inline >] SYSC_ioctl fs/ioctl.c:690
[<ffffffff818a2d7f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:681
[<ffffffff86e10700>] entry_SYSCALL_64_fastpath+0x23/0xc1
Freed:
PID = 17034
[<ffffffff8122fc96>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
[<ffffffff81809266>] save_stack+0x46/0xd0 mm/kasan/kasan.c:479
[< inline >] set_track mm/kasan/kasan.c:491
[<ffffffff81809a92>] kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:555
[< inline >] __cache_free mm/slab.c:3520
[<ffffffff81807813>] kfree+0xc3/0x2a0 mm/slab.c:3837
[<ffffffff83260b89>] set_selection+0x579/0xe50 drivers/tty/vt/selection.c:304
[<ffffffff8327f270>] tioclinux+0x110/0x410 drivers/tty/vt/vt.c:2679
[<ffffffff8325c1ef>] vt_ioctl+0x13ef/0x2910 drivers/tty/vt/vt_ioctl.c:365
[<ffffffff832245cd>] tty_ioctl+0x69d/0x21e0 drivers/tty/tty_io.c:2983
[< inline >] vfs_ioctl fs/ioctl.c:43
[<ffffffff818a1dfc>] do_vfs_ioctl+0x18c/0x1080 fs/ioctl.c:675
[< inline >] SYSC_ioctl fs/ioctl.c:690
[<ffffffff818a2d7f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:681
[<ffffffff86e10700>] entry_SYSCALL_64_fastpath+0x23/0xc1
Memory state around the buggy address:
ffff88006555db80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
ffff88006555dc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88006555dc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88006555dd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88006555dd80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Program need to be run in a loop, seems to be a race.
On 0f98f121e1670eaa2a2fbb675e07d6ba7f0e146f of linux-next.