| Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported |
|---|---|---|---|---|---|---|
| upstream test error: KASAN: slab-use-after-free Write in binderfs_evict_inode kernel | 3 | 20h37m | 50d |
syzbot |
sign-in | mailing list | source | docs |
| Title | Replies (including bot) | Last reply |
|---|---|---|
| [syzbot] [kernel?] KASAN: slab-use-after-free Write in binder_add_device | 4 (8) | 2025/03/25 01:03 |
================================================================== BUG: KASAN: slab-use-after-free in hlist_add_head include/linux/list.h:1026 [inline] BUG: KASAN: slab-use-after-free in binder_add_device+0xa4/0xb0 drivers/android/binder.c:6932 Write of size 8 at addr ffff88801221a808 by task syz-executor/7263 CPU: 2 UID: 0 PID: 7263 Comm: syz-executor Not tainted 6.15.0-rc4-syzkaller-00147-gebd297a2affa #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xc3/0x670 mm/kasan/report.c:521 kasan_report+0xe0/0x110 mm/kasan/report.c:634 hlist_add_head include/linux/list.h:1026 [inline] binder_add_device+0xa4/0xb0 drivers/android/binder.c:6932 binderfs_binder_device_create.isra.0+0x95f/0xb70 drivers/android/binderfs.c:210 binderfs_fill_super+0x8d4/0x1360 drivers/android/binderfs.c:730 vfs_get_super fs/super.c:1280 [inline] get_tree_nodev+0xda/0x190 fs/super.c:1299 vfs_get_tree+0x8b/0x340 fs/super.c:1759 do_new_mount fs/namespace.c:3884 [inline] path_mount+0x14d4/0x1f20 fs/namespace.c:4211 do_mount fs/namespace.c:4224 [inline] __do_sys_mount fs/namespace.c:4435 [inline] __se_sys_mount fs/namespace.c:4412 [inline] __x64_sys_mount+0x28d/0x310 fs/namespace.c:4412 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7ff62999010a Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fff491dabc8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 RAX: ffffffffffffffda RBX: 00007ff629a10e74 RCX: 00007ff62999010a RDX: 00007ff629a208cb RSI: 00007ff629a10e74 RDI: 00007ff629a208cb RBP: 00007ff629a110bd R08: 0000000000000000 R09: 00007fff491dac70 R10: 0000000000000000 R11: 0000000000000246 R12: 00007ff6299ec1a8 R13: 00007ff6299ec180 R14: 0000000000000009 R15: 0000000000000000 </TASK> Allocated by task 6029: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394 kmalloc_noprof include/linux/slab.h:905 [inline] kzalloc_noprof include/linux/slab.h:1039 [inline] binderfs_binder_device_create.isra.0+0x17a/0xb70 drivers/android/binderfs.c:147 binderfs_fill_super+0x8d4/0x1360 drivers/android/binderfs.c:730 vfs_get_super fs/super.c:1280 [inline] get_tree_nodev+0xda/0x190 fs/super.c:1299 vfs_get_tree+0x8b/0x340 fs/super.c:1759 do_new_mount fs/namespace.c:3884 [inline] path_mount+0x14d4/0x1f20 fs/namespace.c:4211 do_mount fs/namespace.c:4224 [inline] __do_sys_mount fs/namespace.c:4435 [inline] __se_sys_mount fs/namespace.c:4412 [inline] __x64_sys_mount+0x28d/0x310 fs/namespace.c:4412 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 6001: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x51/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2398 [inline] slab_free mm/slub.c:4656 [inline] kfree+0x2b6/0x4d0 mm/slub.c:4855 binder_free_proc drivers/android/binder.c:5248 [inline] binder_proc_dec_tmpref drivers/android/binder.c:1565 [inline] binder_proc_dec_tmpref+0x4c3/0x590 drivers/android/binder.c:1558 binder_deferred_release drivers/android/binder.c:6292 [inline] binder_deferred_func+0xe87/0x12c0 drivers/android/binder.c:6319 process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3238 process_scheduled_works kernel/workqueue.c:3319 [inline] worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400 kthread+0x3c2/0x780 kernel/kthread.c:464 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 The buggy address belongs to the object at ffff88801221a800 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 8 bytes inside of freed 512-byte region [ffff88801221a800, ffff88801221aa00) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12218 head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) page_type: f5(slab) raw: 00fff00000000040 ffff88801b442c80 dead000000000100 dead000000000122 raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000 head: 00fff00000000040 ffff88801b442c80 dead000000000100 dead000000000122 head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000 head: 00fff00000000002 ffffea0000488601 00000000ffffffff 00000000ffffffff head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 84, tgid 84 (kworker/u32:4), ts 78209404876, free_ts 78069728256 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x181/0x1b0 mm/page_alloc.c:1718 prep_new_page mm/page_alloc.c:1726 [inline] get_page_from_freelist+0x135c/0x3920 mm/page_alloc.c:3688 __alloc_frozen_pages_noprof+0x263/0x23a0 mm/page_alloc.c:4970 alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2301 alloc_slab_page mm/slub.c:2468 [inline] allocate_slab mm/slub.c:2632 [inline] new_slab+0x244/0x340 mm/slub.c:2686 ___slab_alloc+0xd9c/0x1940 mm/slub.c:3872 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3962 __slab_alloc_node mm/slub.c:4037 [inline] slab_alloc_node mm/slub.c:4198 [inline] __kmalloc_cache_noprof+0xfb/0x3e0 mm/slub.c:4367 kmalloc_noprof include/linux/slab.h:905 [inline] kzalloc_noprof include/linux/slab.h:1039 [inline] mca_alloc net/ipv6/mcast.c:884 [inline] __ipv6_dev_mc_inc+0x2b9/0xc10 net/ipv6/mcast.c:975 addrconf_join_solict net/ipv6/addrconf.c:2242 [inline] addrconf_dad_begin net/ipv6/addrconf.c:4100 [inline] addrconf_dad_work+0x284/0x14e0 net/ipv6/addrconf.c:4228 process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3238 process_scheduled_works kernel/workqueue.c:3319 [inline] worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400 kthread+0x3c2/0x780 kernel/kthread.c:464 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 page last free pid 5996 tgid 5996 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1262 [inline] __free_frozen_pages+0x69d/0xff0 mm/page_alloc.c:2725 discard_slab mm/slub.c:2730 [inline] __put_partials+0x16d/0x1c0 mm/slub.c:3199 qlink_free mm/kasan/quarantine.c:163 [inline] qlist_free_all+0x4e/0x120 mm/kasan/quarantine.c:179 kasan_quarantine_reduce+0x195/0x1e0 mm/kasan/quarantine.c:286 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:329 kasan_slab_alloc include/linux/kasan.h:250 [inline] slab_post_alloc_hook mm/slub.c:4161 [inline] slab_alloc_node mm/slub.c:4210 [inline] __kmalloc_cache_noprof+0x1f1/0x3e0 mm/slub.c:4367 kmalloc_noprof include/linux/slab.h:905 [inline] kzalloc_noprof include/linux/slab.h:1039 [inline] tomoyo_dump_page+0x472/0x6d0 security/tomoyo/domain.c:915 tomoyo_scan_bprm security/tomoyo/condition.c:130 [inline] tomoyo_condition+0x736/0x3bd0 security/tomoyo/condition.c:1120 tomoyo_check_acl+0x1b7/0x410 security/tomoyo/domain.c:177 tomoyo_execute_permission+0x176/0x4b0 security/tomoyo/file.c:615 tomoyo_find_next_domain+0x38d/0x20b0 security/tomoyo/domain.c:762 tomoyo_bprm_check_security security/tomoyo/tomoyo.c:102 [inline] tomoyo_bprm_check_security+0x12e/0x1d0 security/tomoyo/tomoyo.c:92 security_bprm_check+0x1b9/0x1e0 security/security.c:1302 search_binary_handler fs/exec.c:1768 [inline] exec_binprm fs/exec.c:1810 [inline] bprm_execve fs/exec.c:1862 [inline] bprm_execve+0x810/0x1650 fs/exec.c:1838 kernel_execve+0x2ef/0x3b0 fs/exec.c:2028 call_usermodehelper_exec_async+0x255/0x4c0 kernel/umh.c:109 Memory state around the buggy address: ffff88801221a700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88801221a780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff88801221a800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88801221a880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88801221a900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2025/05/02 13:17 | upstream | ebd297a2affa | d7f099d1 | .config | console log | report | syz / log | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream | KASAN: slab-use-after-free Write in binder_add_device | ||
| 2025/05/01 11:50 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | e0f4c8dd9d2d | ce7952f4 | .config | console log | report | syz / log | [disk image] [vmlinux] [kernel image] | ci-upstream-gce-arm64 | KASAN: slab-use-after-free Write in binder_add_device | ||
| 2025/05/01 09:32 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | e0f4c8dd9d2d | ce7952f4 | .config | console log | report | syz / log | [disk image] [vmlinux] [kernel image] | ci-upstream-gce-arm64 | KASAN: slab-use-after-free Write in binder_add_device | ||
| 2025/05/01 01:35 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | e0f4c8dd9d2d | ce7952f4 | .config | console log | report | syz / log | [disk image] [vmlinux] [kernel image] | ci-upstream-gce-arm64 | KASAN: slab-use-after-free Write in binder_add_device | ||
| 2025/05/02 22:43 | upstream | 2bfcee565c3a | b0714e37 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-badwrites-root | KASAN: slab-use-after-free Write in binder_add_device | ||
| 2025/05/02 21:25 | upstream | 2bfcee565c3a | b0714e37 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-smack-root | KASAN: slab-use-after-free Write in binder_add_device | ||
| 2025/05/02 21:24 | upstream | 2bfcee565c3a | b0714e37 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-smack-root | KASAN: slab-use-after-free Write in binder_add_device | ||
| 2025/05/02 16:53 | upstream | ebd297a2affa | b0714e37 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-smack-root | KASAN: slab-use-after-free Write in binder_add_device | ||
| 2025/05/02 12:49 | upstream | ebd297a2affa | 2bfec9c0 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-smack-root | KASAN: slab-use-after-free Write in binder_add_device | ||
| 2025/05/02 12:49 | upstream | ebd297a2affa | 2bfec9c0 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-smack-root | KASAN: slab-use-after-free Write in binder_add_device | ||
| 2025/05/02 12:49 | upstream | ebd297a2affa | 2bfec9c0 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-smack-root | KASAN: slab-use-after-free Write in binder_add_device | ||
| 2025/05/02 11:28 | upstream | ebd297a2affa | 51b137cd | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce | KASAN: slab-use-after-free Write in binder_add_device | ||
| 2025/05/02 05:07 | upstream | ebd297a2affa | 51b137cd | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-smack-root | KASAN: slab-use-after-free Write in binder_add_device | ||
| 2025/05/02 05:07 | upstream | ebd297a2affa | 51b137cd | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-smack-root | KASAN: slab-use-after-free Write in binder_add_device | ||
| 2025/05/01 18:51 | upstream | 4f79eaa2ceac | 51b137cd | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-selinux-root | KASAN: slab-use-after-free Write in binder_add_device | ||
| 2025/05/01 18:41 | upstream | 4f79eaa2ceac | 51b137cd | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-selinux-root | KASAN: slab-use-after-free Write in binder_add_device | ||
| 2025/05/01 15:43 | upstream | 4f79eaa2ceac | 51b137cd | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-smack-root | KASAN: slab-use-after-free Write in binder_add_device | ||
| 2025/05/01 15:43 | upstream | 4f79eaa2ceac | 51b137cd | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-smack-root | KASAN: slab-use-after-free Write in binder_add_device | ||
| 2025/05/01 11:46 | upstream | 4f79eaa2ceac | ce7952f4 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-root | KASAN: slab-use-after-free Write in binder_add_device | ||
| 2025/05/01 10:54 | upstream | 4f79eaa2ceac | ce7952f4 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-root | KASAN: slab-use-after-free Write in binder_add_device | ||
| 2025/05/01 01:45 | upstream | b6ea1680d0ac | ce7952f4 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-selinux-root | KASAN: slab-use-after-free Write in binder_add_device | ||
| 2025/05/01 01:40 | upstream | b6ea1680d0ac | ce7952f4 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-selinux-root | KASAN: slab-use-after-free Write in binder_add_device | ||
| 2025/03/13 13:14 | upstream | b7f94fcf5546 | 44be8b44 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-selinux-root | KASAN: slab-use-after-free Write in binder_add_device | ||
| 2025/03/13 04:59 | upstream | 0fed89a961ea | 1a5d9317 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-selinux-root | KASAN: slab-use-after-free Write in binder_add_device | ||
| 2025/03/13 04:25 | upstream | 0fed89a961ea | 1a5d9317 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-root | KASAN: slab-use-after-free Write in binder_add_device | ||
| 2025/03/12 23:28 | upstream | 0fed89a961ea | 1a5d9317 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce | KASAN: slab-use-after-free Write in binder_add_device | ||
| 2025/05/02 12:11 | upstream | ebd297a2affa | d7f099d1 | .config | console log | report | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream | KASAN: slab-use-after-free Write in binder_add_device | ||
| 2025/05/01 14:10 | upstream | 4f79eaa2ceac | 51b137cd | .config | console log | report | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream | KASAN: slab-use-after-free Write in binder_add_device | ||
| 2025/04/30 14:53 | upstream | b6ea1680d0ac | 937aafd7 | .config | console log | report | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream | KASAN: slab-use-after-free Write in binder_add_device | ||
| 2025/03/13 11:21 | upstream | b7f94fcf5546 | 44be8b44 | .config | console log | report | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream | KASAN: slab-use-after-free Write in binder_add_device | ||
| 2025/03/13 07:22 | upstream | b7f94fcf5546 | 44be8b44 | .config | console log | report | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream | KASAN: slab-use-after-free Write in binder_add_device | ||
| 2025/03/13 04:00 | upstream | 0fed89a961ea | 1a5d9317 | .config | console log | report | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream | KASAN: slab-use-after-free Write in binder_add_device | ||
| 2025/03/12 22:40 | upstream | 0fed89a961ea | 1a5d9317 | .config | console log | report | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream | KASAN: slab-use-after-free Write in binder_add_device | ||
| 2025/05/01 04:15 | upstream | 7a13c14ee59d | ce7952f4 | .config | console log | report | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream-386 | KASAN: slab-use-after-free Write in binder_add_device | ||
| 2025/05/01 04:15 | upstream | 7a13c14ee59d | ce7952f4 | .config | console log | report | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream-386 | KASAN: slab-use-after-free Write in binder_add_device | ||
| 2025/05/02 14:23 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | e0f4c8dd9d2d | 2bfec9c0 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-gce-arm64 | KASAN: slab-use-after-free Write in binder_add_device | ||
| 2025/05/01 11:02 | upstream | 7a13c14ee59d | ce7952f4 | .config | console log | report | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu2-arm64-mte | KASAN: invalid-access Write in binder_add_device |