syzbot
KASAN: use-after-free Write in release_tty

Status: fixed on 2020/05/10 10:41
Reported-by: syzbot+522643ab5729b0421998@syzkaller.appspotmail.com
Fix commit: ca4463bf8438 vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console
First crash: 1029d, last: 907d

Cause bisection: the issue happens on the oldest tested release (bisect log)
Crash: general protection fault in release_tty (log)
Repro: C syz .config
duplicates (4):
Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status
KASAN: use-after-free Read in tty_buffer_cancel_work | | | | 4 | 961d | 1009d | 0/24 | closed as dup on 2020/02/24 18:35
KASAN: use-after-free Read in get_work_pool (2) | C | done | | 2 | 934d | 1023d | 0/24 | closed as dup on 2020/02/24 18:36
KASAN: use-after-free Read in get_work_pool_id | C | done | | 1 | 953d | 949d | 0/24 | closed as dup on 2020/02/24 18:30
KASAN: use-after-free Write in tty_buffer_cancel_work | C | done | | 16 | 936d | 1026d | 0/24 | closed as dup on 2020/03/07 20:06
similar bugs (2):
Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status
linux-4.19 | KASAN: use-after-free Write in release_tty | C | done | | 148 | 912d | 1029d | 1/1 | fixed on 2020/04/28 10:48
linux-4.14 | KASAN: use-after-free Write in release_tty | C | done | | 124 | 909d | 1028d | 1/1 | fixed on 2020/05/01 20:49

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in con_shutdown+0x61/0x80 drivers/tty/vt/vt.c:3287
Write of size 8 at addr ffff888097055108 by task syz-executor653/7167

CPU: 1 PID: 7167 Comm: syz-executor653 Not tainted 5.6.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1e9/0x30e lib/dump_stack.c:118
 print_address_description+0x74/0x5c0 mm/kasan/report.c:374
 __kasan_report+0x14b/0x1c0 mm/kasan/report.c:506
 kasan_report+0x25/0x50 mm/kasan/common.c:641
 con_shutdown+0x61/0x80 drivers/tty/vt/vt.c:3287
 release_tty+0xb9/0x530 drivers/tty/tty_io.c:1514
 tty_release_struct+0xb8/0xd0 drivers/tty/tty_io.c:1625
 tty_release+0xe23/0x1100 drivers/tty/tty_io.c:1785
 __fput+0x2d8/0x730 fs/file_table.c:280
 task_work_run+0x176/0x1b0 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0x5ef/0x1f80 kernel/exit.c:801
 do_group_exit+0x15e/0x2c0 kernel/exit.c:899
 __do_sys_exit_group+0x13/0x20 kernel/exit.c:910
 __se_sys_exit_group+0x10/0x10 kernel/exit.c:908
 __x64_sys_exit_group+0x37/0x40 kernel/exit.c:908
 do_syscall_64+0xf3/0x1b0 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x43ff58
Code: 00 00 be 3c 00 00 00 eb 19 66 0f 1f 84 00 00 00 00 00 48 89 d7 89 f0 0f 05 48 3d 00 f0 ff ff 77 21 f4 48 89 d7 44 89 c0 0f 05 <48> 3d 00 f0 ff ff 76 e0 f7 d8 64 41 89 01 eb d8 0f 1f 84 00 00 00
RSP: 002b:00007ffd9da660f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ff58
RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
RBP: 00000000004bf970 R08: 00000000000000e7 R09: ffffffffffffffd0
R10: 000000000000000e R11: 0000000000000246 R12: 0000000000000001
R13: 00000000006d2180 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 7167:
 save_stack mm/kasan/common.c:72 [inline]
 set_track mm/kasan/common.c:80 [inline]
 __kasan_kmalloc+0x118/0x1c0 mm/kasan/common.c:515
 kmem_cache_alloc_trace+0x234/0x300 mm/slab.c:3551
 kmalloc include/linux/slab.h:555 [inline]
 kzalloc include/linux/slab.h:669 [inline]
 vc_allocate+0x148/0x5b0 drivers/tty/vt/vt.c:1096
 con_install+0x48/0x460 drivers/tty/vt/vt.c:3238
 tty_driver_install_tty drivers/tty/tty_io.c:1228 [inline]
 tty_init_dev+0xc6/0x4c0 drivers/tty/tty_io.c:1341
 tty_open_by_driver drivers/tty/tty_io.c:1983 [inline]
 tty_open+0x7cd/0xca0 drivers/tty/tty_io.c:2031
 chrdev_open+0x498/0x580 fs/char_dev.c:414
 do_dentry_open+0x828/0x10a0 fs/open.c:797
 do_last fs/namei.c:3490 [inline]
 path_openat+0x13b5/0x40d0 fs/namei.c:3607
 do_filp_open+0x191/0x3a0 fs/namei.c:3637
 do_sys_openat2+0x448/0x6c0 fs/open.c:1146
 do_sys_open fs/open.c:1162 [inline]
 ksys_open include/linux/syscalls.h:1386 [inline]
 __do_sys_open fs/open.c:1168 [inline]
 __se_sys_open fs/open.c:1166 [inline]
 __x64_sys_open+0x1af/0x1e0 fs/open.c:1166
 do_syscall_64+0xf3/0x1b0 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 7159:
 save_stack mm/kasan/common.c:72 [inline]
 set_track mm/kasan/common.c:80 [inline]
 kasan_set_free_info mm/kasan/common.c:337 [inline]
 __kasan_slab_free+0x12e/0x1e0 mm/kasan/common.c:476
 __cache_free mm/slab.c:3426 [inline]
 kfree+0x10a/0x220 mm/slab.c:3757
 vt_disallocate_all drivers/tty/vt/vt_ioctl.c:323 [inline]
 vt_ioctl+0x229d/0x3a30 drivers/tty/vt/vt_ioctl.c:816
 tty_ioctl+0xee6/0x15c0 drivers/tty/tty_io.c:2656
 vfs_ioctl fs/ioctl.c:47 [inline]
 ksys_ioctl fs/ioctl.c:763 [inline]
 __do_sys_ioctl fs/ioctl.c:772 [inline]
 __se_sys_ioctl+0xf9/0x160 fs/ioctl.c:770
 do_syscall_64+0xf3/0x1b0 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff888097055000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 264 bytes inside of
 2048-byte region [ffff888097055000, ffff888097055800)
The buggy address belongs to the page:
page:ffffea00025c1540 refcount:1 mapcount:0 mapping:ffff8880aa400e00 index:0x0
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea00029947c8 ffffea00025c3708 ffff8880aa400e00
raw: 0000000000000000 ffff888097055000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888097055000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888097055080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888097055100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff888097055180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888097055200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (591):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kasan-gce-smack-root 2020/03/30 18:34 upstream 7111951b8d49 c8d1cc20 .config log report syz C
ci-upstream-kasan-gce-selinux-root 2020/03/30 07:09 upstream e595dd94515e 05736b29 .config log report syz C
ci-upstream-kasan-gce-smack-root 2020/03/29 21:55 upstream e595dd94515e 05736b29 .config log report syz C
ci-upstream-kasan-gce-selinux-root 2020/03/29 14:14 upstream 906c40438bb6 05736b29 .config log report syz C
ci-upstream-kasan-gce-root 2020/03/29 04:28 upstream 906c40438bb6 05736b29 .config log report syz C
ci-upstream-kasan-gce 2020/03/28 17:12 upstream 69c5eea3128e f1ebdfba .config log report syz C
ci-upstream-kasan-gce 2020/03/28 02:52 upstream 527630fbf4f1 831e9a81 .config log report syz C
ci-upstream-kasan-gce-root 2020/03/28 02:46 upstream 527630fbf4f1 831e9a81 .config log report syz C
ci-upstream-kasan-gce-smack-root 2020/03/28 00:24 upstream 527630fbf4f1 831e9a81 .config log report syz C
ci-upstream-kasan-gce-selinux-root 2020/03/27 21:01 upstream 527630fbf4f1 831e9a81 .config log report syz C
ci-upstream-kasan-gce-selinux-root 2020/03/27 00:40 upstream 9420e8ade435 6d25c5a0 .config log report syz C
ci-upstream-kasan-gce-root 2020/03/26 00:58 upstream e2cf67f6689a 41f049cc .config log report syz C
ci-upstream-kasan-gce 2020/03/25 08:01 upstream 76ccd234269b 41f049cc .config log report syz C
ci-upstream-kasan-gce-root 2020/03/24 03:15 upstream 16fbf79b0f83 84f999d6 .config log report syz C
ci-upstream-kasan-gce-smack-root 2020/03/23 15:23 upstream 67d584e33e54 78267cec .config log report syz C
ci-upstream-kasan-gce-root 2020/03/23 12:19 upstream 67d584e33e54 78267cec .config log report syz C
ci-upstream-kasan-gce-selinux-root 2020/03/22 12:25 upstream b74b991fb8b9 78267cec .config log report syz C
ci-upstream-kasan-gce 2020/03/19 12:29 upstream 5076190daded 2c31c529 .config log report syz C
ci-upstream-kasan-gce-root 2020/03/19 00:57 upstream 5076190daded 0a96a13c .config log report syz C
ci-upstream-kasan-gce-smack-root 2020/03/17 17:42 upstream fb33c6510d55 749688d2 .config log report syz C
ci-upstream-kasan-gce-selinux-root 2020/03/16 06:45 upstream a42a7bb6f536 749688d2 .config log report syz C
ci-upstream-kasan-gce 2020/03/15 00:31 upstream 69a4d0baeeb1 749688d2 .config log report syz C
ci-upstream-kasan-gce 2020/03/14 09:39 upstream fffb08b37df9 749688d2 .config log report syz C
ci-upstream-kasan-gce-selinux-root 2020/03/13 06:30 upstream 3cc6e2c599cd d850e9d0 .config log report syz C
ci-upstream-kasan-gce 2019/12/03 07:17 upstream 596cf45cbf6e ab342da3 .config log report syz C
ci-upstream-kasan-gce-386 2020/03/30 22:10 upstream 7111951b8d49 c8d1cc20 .config log report syz C
ci-upstream-kasan-gce-386 2020/03/28 03:22 upstream 527630fbf4f1 831e9a81 .config log report syz C
ci-upstream-kasan-gce-386 2020/03/19 16:05 upstream 5076190daded 2c31c529 .config log report syz C
ci-upstream-kasan-gce-386 2020/03/15 19:04 upstream d3dca69085e9 749688d2 .config log report syz C
ci-upstream-kasan-gce-386 2020/03/15 03:46 upstream 69a4d0baeeb1 749688d2 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/04/03 19:42 linux-next 770fbb32d34e 5ed396e6 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/04/03 00:16 linux-next 770fbb32d34e a34e2c33 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/04/02 11:22 linux-next 770fbb32d34e a34e2c33 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/03/29 19:14 linux-next 770fbb32d34e 05736b29 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/03/25 00:00 linux-next 770fbb32d34e 68660b21 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/03/23 05:17 linux-next 770fbb32d34e 78267cec .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/03/22 12:55 linux-next 770fbb32d34e 78267cec .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/03/22 11:38 linux-next 770fbb32d34e 78267cec .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/03/22 07:41 linux-next 770fbb32d34e 78267cec .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/03/20 00:37 linux-next 770fbb32d34e 2c31c529 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/03/19 22:49 linux-next 770fbb32d34e 2c31c529 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/03/17 05:07 linux-next 770fbb32d34e 749688d2 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/03/16 07:57 linux-next 770fbb32d34e 749688d2 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/03/15 15:29 linux-next 770fbb32d34e 749688d2 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/03/15 07:36 linux-next 770fbb32d34e 749688d2 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/03/13 17:06 linux-next 770fbb32d34e d850e9d0 .config log report syz C
ci-upstream-kasan-gce 2020/03/31 06:19 upstream 673b41e04a03 c8d1cc20 .config log report
ci-upstream-kasan-gce-smack-root 2020/03/29 23:17 upstream e595dd94515e 05736b29 .config log report
ci-upstream-kasan-gce-smack-root 2020/03/27 18:47 upstream 527630fbf4f1 831e9a81 .config log report
ci-upstream-kasan-gce-smack-root 2020/03/27 12:34 upstream f3e69428b5e2 7d95711b .config log report
ci-upstream-kasan-gce-root 2020/03/24 23:57 upstream 76ccd234269b 68660b21 .config log report
ci-upstream-kasan-gce-smack-root 2020/03/15 16:56 upstream d3dca69085e9 749688d2 .config log report
ci-upstream-kasan-gce-smack-root 2020/03/13 18:58 upstream 3cc6e2c599cd d850e9d0 .config log report
ci-upstream-kasan-gce-smack-root 2020/03/12 03:52 upstream f35111a94654 e7caca8e .config log report
ci-upstream-kasan-gce-root 2020/03/10 01:11 upstream 2c523b344dfa 35f53e45 .config log report
ci-upstream-kasan-gce-smack-root 2020/03/09 04:25 upstream 378fee2e6b12 2e9971bb .config log report
ci-upstream-kasan-gce-selinux-root 2020/03/03 03:18 upstream 63623fd44972 c88c7b75 .config log report
ci-upstream-kasan-gce-smack-root 2020/03/01 01:38 upstream f8788d86ab28 59b57593 .config log report
ci-upstream-kasan-gce-selinux-root 2020/02/29 17:28 upstream f8788d86ab28 59b57593 .config log report
ci-upstream-kasan-gce-root 2020/02/24 20:04 upstream f8788d86ab28 59b57593 .config log report
ci-upstream-kasan-gce 2020/02/22 16:56 upstream 54dedb5b571d 2c36e7a7 .config log report
ci-upstream-kasan-gce-smack-root 2020/02/22 10:10 upstream b0dd1eb220c0 2ffa6679 .config log report
ci-upstream-kasan-gce-smack-root 2020/02/21 21:52 upstream ca7e1fd1026c 2ffa6679 .config log report
ci-upstream-kasan-gce-root 2020/02/19 22:28 upstream 4b205766d8fc b690a6e3 .config log report
ci-upstream-kasan-gce-smack-root 2020/02/19 04:17 upstream 0a44cac81050 135c18aa .config log report
ci-upstream-kasan-gce-root 2020/02/16 15:55 upstream db70e26e33ee cf914200 .config log report
ci-upstream-kasan-gce 2020/02/15 15:36 upstream 2019fc96af22 5d7b90f1 .config log report
ci-upstream-kasan-gce-smack-root 2020/02/14 20:20 upstream b19e8c684703 5d7b90f1 .config log report
ci-upstream-kasan-gce-smack-root 2020/02/14 11:04 upstream b19e8c684703 5d7b90f1 .config log report
ci-upstream-kasan-gce-smack-root 2020/02/14 07:57 upstream b19e8c684703 5d7b90f1 .config log report
ci-upstream-kasan-gce-smack-root 2020/02/12 12:46 upstream 359c92c02bfa a75b198c .config log report
ci-upstream-kasan-gce-selinux-root 2020/02/11 23:16 upstream 0a679e13ea30 4d1ab643 .config log report
ci-upstream-kasan-gce-smack-root 2020/02/10 11:10 upstream d1ea35f4cdd4 35f5e45e .config log report
ci-upstream-kasan-gce-smack-root 2020/02/08 07:19 upstream 41dcd67e8868 06150bf1 .config log report
ci-upstream-kasan-gce-root 2020/02/08 05:03 upstream 41dcd67e8868 06150bf1 .config log report
ci-upstream-kasan-gce 2020/02/07 13:59 upstream 90568ecf5615 06150bf1 .config log report
ci-upstream-kasan-gce-root 2020/02/07 12:34 upstream 90568ecf5615 06150bf1 .config log report
ci-upstream-kasan-gce-smack-root 2020/02/06 08:37 upstream 4c7d00ccf40d 662cf49a .config log report
ci-upstream-kasan-gce-selinux-root 2020/02/05 01:39 upstream 33b40134e5cf 93e5e335 .config log report
ci-upstream-kasan-gce-smack-root 2020/02/04 22:40 upstream 33b40134e5cf 93e5e335 .config log report
ci-qemu-upstream 2020/01/13 08:32 upstream b3a987b0264d 99565c1a .config log report
ci-upstream-kasan-gce-386 2020/02/28 03:16 upstream f8788d86ab28 59b57593 .config log report
ci-upstream-kasan-gce-386 2020/02/25 21:40 upstream f8788d86ab28 59b57593 .config log report
ci-qemu-upstream-386 2020/01/15 16:47 upstream 95e20af9fb9c 069a5a44 .config log report
ci-upstream-linux-next-kasan-gce-root 2020/02/25 09:04 linux-next bdc5461b23ca 59b57593 .config log report
ci-upstream-linux-next-kasan-gce-root 2020/02/21 12:02 linux-next bee46b309a13 bd2a74a3 .config log report
ci-upstream-linux-next-kasan-gce-root 2020/02/15 12:17 linux-next 9f01828e9e16 5d7b90f1 .config log report
ci-upstream-linux-next-kasan-gce-root 2020/02/13 00:07 linux-next 129759899765 84f4fc8a .config log report
ci-upstream-linux-next-kasan-gce-root 2020/02/04 10:47 linux-next 2747d5fdab78 93e5e335 .config log report
* Struck through repros no longer work on HEAD.