KASAN: use-after-free Read in binder_release

Kernel	Title	Repro	Count	Last	Reported	Patched	Status
android-5-10	KASAN: use-after-free Read in binder_release_work	C	154	140d	174d	0/2	auto-obsoleted due to no activity on 2025/02/25 01:01
upstream	KASAN: use-after-free Read in binder_release_work kernel	C	6	2568d	2589d	5/28	fixed on 2018/05/08 18:30
android-49	KASAN: use-after-free Read in binder_release_work	C	132	2568d	2581d	3/3	fixed on 2018/05/22 16:58
android-5-15	KASAN: use-after-free Read in binder_release_work origin:upstream	C	97	140d	218d	0/2	auto-obsoleted due to no activity on 2025/02/24 12:00

binder: 3769:3770 IncRefs 0 refcount change on invalid ref 3 ret -22 binder: 3769:3770 BC_INCREFS_DONE u0000000000000000 node 6 cookie mismatch 0000000000000004 != 0000000000000000 binder: 3769:3770 BC_FREE_BUFFER u0000000000000000 no match binder: 3769:3770 got transaction to invalid handle binder: 3769:3770 transaction failed 29201/-22, size 0-0 line 3011 BUG: KASAN: use-after-free in __list_del_entry+0x196/0x1d0 lib/list_debug.c:60 Read of size 8 at addr ffff8801d4fa5310 by task kworker/u4:3/404 CPU: 1 PID: 404 Comm: kworker/u4:3 Not tainted 4.4.125-g38f41ec #63 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: binder binder_deferred_func 0000000000000000 7476bc1b901d62ac ffff8800bb11fa58 ffffffff81d067bd ffffea000753e940 ffff8801d4fa5310 0000000000000000 ffff8801d4fa5310 ffffed0016b348f9 ffff8800bb11fa90 ffffffff814fea83 ffff8801d4fa5310 Call Trace: [<ffffffff81d067bd>] __dump_stack lib/dump_stack.c:15 [inline] [<ffffffff81d067bd>] dump_stack+0xc1/0x124 lib/dump_stack.c:51 [<ffffffff814fea83>] print_address_description+0x73/0x260 mm/kasan/report.c:252 [<ffffffff814fef95>] kasan_report_error mm/kasan/report.c:351 [inline] [<ffffffff814fef95>] kasan_report+0x285/0x370 mm/kasan/report.c:408 [<ffffffff814ff0f4>] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:429 [<ffffffff81d66b16>] __list_del_entry+0x196/0x1d0 lib/list_debug.c:60 [<ffffffff82c7c34e>] list_del_init include/linux/list.h:145 [inline] [<ffffffff82c7c34e>] binder_dequeue_work_head_ilocked drivers/android/binder.c:914 [inline] [<ffffffff82c7c34e>] binder_dequeue_work_head drivers/android/binder.c:934 [inline] [<ffffffff82c7c34e>] binder_release_work+0x6e/0x260 drivers/android/binder.c:4362 [<ffffffff82c7c965>] binder_thread_release+0x425/0x600 drivers/android/binder.c:4570 [<ffffffff82c815d8>] binder_deferred_release drivers/android/binder.c:5111 [inline] [<ffffffff82c815d8>] binder_deferred_func+0x438/0xd10 drivers/android/binder.c:5183 [<ffffffff811800f7>] process_one_work+0x7d7/0x16e0 kernel/workqueue.c:2064 [<ffffffff811810d9>] worker_thread+0xd9/0xfc0 kernel/workqueue.c:2196 [<ffffffff81190b48>] kthread+0x268/0x300 kernel/kthread.c:211 [<ffffffff83779d95>] ret_from_fork+0x55/0x80 arch/x86/entry/entry_64.S:510 Allocated by task 3768: [<ffffffff81035d76>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63 [<ffffffff814fdaf3>] save_stack+0x43/0xd0 mm/kasan/kasan.c:512 [<ffffffff814fddbd>] set_track mm/kasan/kasan.c:524 [inline] [<ffffffff814fddbd>] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:616 [<ffffffff814f9d40>] kmem_cache_alloc_trace+0x100/0x2b0 mm/slub.c:2642 [<ffffffff82c8c72c>] kmalloc include/linux/slab.h:476 [inline] [<ffffffff82c8c72c>] kzalloc include/linux/slab.h:620 [inline] [<ffffffff82c8c72c>] binder_transaction+0x103c/0x7290 drivers/android/binder.c:3063 [<ffffffff82c9319f>] binder_thread_write+0x81f/0x33e0 drivers/android/binder.c:3686 [<ffffffff82c95f2f>] binder_ioctl_write_read.isra.55+0x1cf/0xbc0 drivers/android/binder.c:4625 [<ffffffff82c97570>] binder_ioctl+0xc50/0x12e0 drivers/android/binder.c:4764 [<ffffffff8155a71a>] vfs_ioctl fs/ioctl.c:43 [inline] [<ffffffff8155a71a>] do_vfs_ioctl+0x7aa/0xee0 fs/ioctl.c:607 [<ffffffff8155aedf>] SYSC_ioctl fs/ioctl.c:622 [inline] [<ffffffff8155aedf>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:613 [<ffffffff83779965>] entry_SYSCALL_64_fastpath+0x22/0x9e Freed by task 404: [<ffffffff81035d76>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63 [<ffffffff814fdaf3>] save_stack+0x43/0xd0 mm/kasan/kasan.c:512 [<ffffffff814fe412>] set_track mm/kasan/kasan.c:524 [inline] [<ffffffff814fe412>] kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:589 [<ffffffff814faeac>] slab_free_hook mm/slub.c:1383 [inline] [<ffffffff814faeac>] slab_free_freelist_hook mm/slub.c:1405 [inline] [<ffffffff814faeac>] slab_free mm/slub.c:2859 [inline] [<ffffffff814faeac>] kfree+0xfc/0x300 mm/slub.c:3749 [<ffffffff82c71aca>] binder_free_transaction+0x6a/0x90 drivers/android/binder.c:2123 [<ffffffff82c7bfe9>] binder_send_failed_reply+0x1c9/0x380 drivers/android/binder.c:2162 [<ffffffff82c7c953>] binder_thread_release+0x413/0x600 drivers/android/binder.c:4569 [<ffffffff82c815d8>] binder_deferred_release drivers/android/binder.c:5111 [inline] [<ffffffff82c815d8>] binder_deferred_func+0x438/0xd10 drivers/android/binder.c:5183 [<ffffffff811800f7>] process_one_work+0x7d7/0x16e0 kernel/workqueue.c:2064 [<ffffffff811810d9>] worker_thread+0xd9/0xfc0 kernel/workqueue.c:2196 [<ffffffff81190b48>] kthread+0x268/0x300 kernel/kthread.c:211 [<ffffffff83779d95>] ret_from_fork+0x55/0x80 arch/x86/entry/entry_64.S:510 The buggy address belongs to the object at ffff8801d4fa5300 which belongs to the cache kmalloc-192 of size 192 The buggy address is located 16 bytes inside of 192-byte region [ffff8801d4fa5300, ffff8801d4fa53c0) The buggy address belongs to the page: kasan: CONFIG_KASAN_INLINE enabled kasan: GPF could be caused by NULL-ptr deref or user memory accessgeneral protection fault: 0000 [#1] PREEMPT SMP KASAN Dumping ftrace buffer: (ftrace buffer empty) Modules linked in: CPU: 0 PID: 3763 Comm: syzkaller363232 Not tainted 4.4.125-g38f41ec #63 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 task: ffff8800adbc9800 task.stack: ffff8801d0f90000 RIP: 0010:[<ffffffff81d24038>] [<ffffffff81d24038>] timerqueue_add+0xb8/0x2a0 lib/timerqueue.c:51 RSP: 0018:ffff8801db207d70 EFLAGS: 00010806 RAX: ffffed003b64338b RBX: ffff8801db219c40 RCX: ffffffff81d2401c RDX: 1d1a89b13fffffe7 RSI: ffff8801db219c40 RDI: e8d44d89ffffff39 RBP: ffff8801db207db0 R08: ffffffff8580ef08 R09: 0000000000000001 R10: 0000000000000000 R11: 1ffff1003b640f62 R12: dffffc0000000000 R13: e8d44d89ffffff21 R14: 0000000768061480 R15: ffffffff81491309 FS: 000000000199e880(0063) GS:ffff8801db200000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000006e0194 CR3: 00000001c812e000 CR4: 0000000000160670 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Stack: ffff8801db219c58 ffff8801db219710 ffffed003b64338b ffff8801db219700 ffff8801db219c40 ffff8801db219640 0000000000000001 0000000000000000 ffff8801db207de8 ffffffff812ac208 ffff8801db219c40 0000000000000001 Call Trace: <IRQ> [<ffffffff812ac208>] enqueue_hrtimer+0x168/0x450 kernel/time/hrtimer.c:892 [<ffffffff812ae2d2>] __run_hrtimer kernel/time/hrtimer.c:1275 [inline] [<ffffffff812ae2d2>] __hrtimer_run_queues+0x732/0xfe0 kernel/time/hrtimer.c:1324 [<ffffffff812b0386>] hrtimer_interrupt+0x1a6/0x440 kernel/time/hrtimer.c:1358 [<ffffffff810b0e5a>] local_apic_timer_interrupt+0x6a/0xb0 arch/x86/kernel/apic/apic.c:901 [<ffffffff8377c576>] smp_apic_timer_interrupt+0x76/0xa0 arch/x86/kernel/apic/apic.c:925 [<ffffffff8377b4d0>] apic_timer_interrupt+0xa0/0xb0 arch/x86/entry/entry_64.S:741 <EOI> [<ffffffff812e491d>] smp_call_function_many+0x47d/0x720 kernel/smp.c:435 [<ffffffff810eda3e>] native_flush_tlb_others+0xfe/0x710 arch/x86/mm/tlb.c:292 [<ffffffff810ee153>] flush_tlb_others arch/x86/include/asm/paravirt.h:338 [inline] [<ffffffff810ee153>] flush_tlb_mm_range+0x103/0x560 arch/x86/mm/tlb.c:358 [<ffffffff8112a836>] dup_mmap kernel/fork.c:528 [inline] [<ffffffff8112a836>] dup_mm kernel/fork.c:983 [inline] [<ffffffff8112a836>] copy_mm kernel/fork.c:1037 [inline] [<ffffffff8112a836>] copy_process+0x5266/0x6120 kernel/fork.c:1503 [<ffffffff8112bb11>] _do_fork+0x151/0xe00 kernel/fork.c:1784 [<ffffffff8112c897>] SYSC_clone kernel/fork.c:1893 [inline] [<ffffffff8112c897>] SyS_clone+0x37/0x50 kernel/fork.c:1887 [<ffffffff83779965>] entry_SYSCALL_64_fastpath+0x22/0x9e Code: ------------[ cut here ]------------ WARNING: CPU: 0 PID: -2125917439 at include/linux/uaccess.h:15 pagefault_disabled_dec include/linux/uaccess.h:15 [inline]() WARNING: CPU: 0 PID: -2125917439 at include/linux/uaccess.h:15 pagefault_enable include/linux/uaccess.h:42 [inline]() WARNING: CPU: 0 PID: -2125917439 at include/linux/uaccess.h:15 __probe_kernel_read+0x1b9/0x200 mm/maccess.c:35()

Crashes (5):
Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	Manager
2018/04/11 18:21	https://android.googlesource.com/kernel/common android-4.4	38f41ec1cb31	8b8de427	.config	console log	report	syz	C	ci-android-44-kasan-gce
2018/04/13 18:55	https://android.googlesource.com/kernel/common android-4.4	38f41ec1cb31	0a0c5db6	.config	console log	report	syz		ci-android-44-kasan-gce-386
2018/04/11 18:14	https://android.googlesource.com/kernel/common android-4.4	38f41ec1cb31	8b8de427	.config	console log	report	syz		ci-android-44-kasan-gce-386
2018/04/25 02:50	https://android.googlesource.com/kernel/common android-4.4	bd23e3af1765	37e76fe2	.config	console log	report			ci-android-44-kasan-gce
2018/04/25 02:51	https://android.googlesource.com/kernel/common android-4.4	bd23e3af1765	37e76fe2	.config	console log	report			ci-android-44-kasan-gce-386

Crashes (5):

Assets (help?)