syzbot

 sign-in | mailing list | source | docs
🐞 Open [1252]
Subsystems
🐞 Fixed [5698]
🐞 Invalid [13880]
Missing Backports [97]
Kernel Health Bugs/Month Bug Lifetimes Fuzzing Crashes
Total Repo Heatmap Subsystems Heatmap
💬 Send us feedback

KASAN: slab-use-after-free Read in binder_release_work

Status: upstream: reported C repro on 2024/10/02 21:10
Subsystems: kernel
[Documentation on labels]
Reported-by: syzbot+9ba7a8cdae0440edd57b@syzkaller.appspotmail.com
First crash: 6d21h, last: 10h58m
Cause bisection: introduced by (bisect log) :
commit de79583ffe794663c53b77f97be814522d4edc4f
Author: Nuno Sa <nuno.sa@analog.com>
Date: Tue Jul 2 16:02:33 2024 +0000

  iio: core: add accessors 'masklength'

Crash: invalid opcode in binder_inc_ref_for_node (log)
Repro: syz .config
  
Discussions (1)
Title Replies (including bot) Last reply
[syzbot] [kernel?] KASAN: slab-use-after-free Read in binder_release_work 1 (3) 2024/10/03 01:20
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-5-15 KASAN: use-after-free Read in binder_release_work origin:upstream C 5 19h28m 5d13h 0/2 upstream: reported C repro on 2024/09/30 05:16
Last patch testing requests (1)
Created Duration User Patch Repo Result
2024/10/03 01:00 18m hdanton@sina.com patch upstream OK log

Sample crash report:
BUG: KASAN: slab-use-after-free in __list_del_entry_valid_or_report+0x14c/0x1c0 lib/list_debug.c:49
Read of size 8 at addr ffff8880241da108 by task kworker/2:1/69

CPU: 2 UID: 0 PID: 69 Comm: kworker/2:1 Not tainted 6.11.0-syzkaller-11728-gad46e8f95e93 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: events binder_deferred_func
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:488
 kasan_report+0xd9/0x110 mm/kasan/report.c:601
 __list_del_entry_valid_or_report+0x14c/0x1c0 lib/list_debug.c:49
 __list_del_entry_valid include/linux/list.h:124 [inline]
 __list_del_entry include/linux/list.h:215 [inline]
 list_del_init include/linux/list.h:287 [inline]
 binder_dequeue_work_head_ilocked drivers/android/binder.c:540 [inline]
 binder_release_work+0x9b/0x490 drivers/android/binder.c:5110
 binder_deferred_release drivers/android/binder.c:6261 [inline]
 binder_deferred_func+0xe6e/0x12e0 drivers/android/binder.c:6296
 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
 process_scheduled_works kernel/workqueue.c:3310 [inline]
 worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

Allocated by task 5330:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
 kmalloc_noprof include/linux/slab.h:878 [inline]
 kzalloc_noprof include/linux/slab.h:1014 [inline]
 binder_request_freeze_notification drivers/android/binder.c:3855 [inline]
 binder_thread_write+0xe19/0x4c60 drivers/android/binder.c:4485
 binder_ioctl_write_read drivers/android/binder.c:5387 [inline]
 binder_ioctl+0x265b/0x6fa0 drivers/android/binder.c:5718
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl fs/ioctl.c:893 [inline]
 __x64_sys_ioctl+0x18f/0x220 fs/ioctl.c:893
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 69:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:579
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x51/0x70 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:230 [inline]
 slab_free_hook mm/slub.c:2343 [inline]
 slab_free mm/slub.c:4580 [inline]
 kfree+0x14f/0x4b0 mm/slub.c:4728
 binder_free_ref drivers/android/binder.c:1355 [inline]
 binder_deferred_release drivers/android/binder.c:6256 [inline]
 binder_deferred_func+0xdd7/0x12e0 drivers/android/binder.c:6296
 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
 process_scheduled_works kernel/workqueue.c:3310 [inline]
 worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

The buggy address belongs to the object at ffff8880241da100
 which belongs to the cache kmalloc-64 of size 64
The buggy address is located 8 bytes inside of
 freed 64-byte region [ffff8880241da100, ffff8880241da140)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x241da
ksm flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000000 ffff88801b0428c0 ffffea00009e6c40 dead000000000003
raw: 0000000000000000 0000000080200020 00000001f5000000 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 11, tgid 11 (kworker/u32:0), ts 6002017763, free_ts 5976749714
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457
 __alloc_pages_noprof+0x223/0x25c0 mm/page_alloc.c:4733
 alloc_pages_mpol_noprof+0x2c9/0x610 mm/mempolicy.c:2265
 alloc_slab_page mm/slub.c:2413 [inline]
 allocate_slab mm/slub.c:2579 [inline]
 new_slab+0x2ba/0x3f0 mm/slub.c:2632
 ___slab_alloc+0xdac/0x1880 mm/slub.c:3819
 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3909
 __slab_alloc_node mm/slub.c:3962 [inline]
 slab_alloc_node mm/slub.c:4123 [inline]
 __kmalloc_cache_node_noprof+0xf1/0x350 mm/slub.c:4304
 kmalloc_node_noprof include/linux/slab.h:901 [inline]
 __get_vm_area_node+0xe1/0x2d0 mm/vmalloc.c:3106
 __vmalloc_node_range_noprof+0x26a/0x15a0 mm/vmalloc.c:3788
 alloc_thread_stack_node kernel/fork.c:314 [inline]
 dup_task_struct kernel/fork.c:1115 [inline]
 copy_process+0x2f12/0x8dc0 kernel/fork.c:2206
 kernel_clone+0xfd/0x960 kernel/fork.c:2787
 user_mode_thread+0xb4/0xf0 kernel/fork.c:2865
 call_usermodehelper_exec_work kernel/umh.c:172 [inline]
 call_usermodehelper_exec_work+0xcb/0x170 kernel/umh.c:158
 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
 process_scheduled_works kernel/workqueue.c:3310 [inline]
 worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
page last free pid 9 tgid 9 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638
 vfree+0x17a/0x890 mm/vmalloc.c:3361
 delayed_vfree_work+0x56/0x70 mm/vmalloc.c:3282
 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
 process_scheduled_works kernel/workqueue.c:3310 [inline]
 worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Memory state around the buggy address:
 ffff8880241da000: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8880241da080: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
>ffff8880241da100: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
                      ^
 ffff8880241da180: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8880241da200: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==================================================================

Crashes (100):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2024/09/29 00:02 upstream ad46e8f95e93 ba29ff75 .config console log report syz / log C [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream KASAN: slab-use-after-free Read in binder_release_work
2024/09/28 22:55 upstream 3efc57369a0c ba29ff75 .config console log report syz / log [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce KASAN: slab-use-after-free Read in binder_release_work
2024/10/04 20:04 upstream 360c1f1f24c6 d7906eff .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root KASAN: slab-use-after-free Read in binder_release_work
2024/10/04 13:04 upstream 0c559323bbaa d7906eff .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root KASAN: slab-use-after-free Read in binder_release_work
2024/10/04 03:10 upstream 0c559323bbaa d7906eff .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root KASAN: slab-use-after-free Read in binder_release_work
2024/10/03 23:36 upstream 8c245fe7dde3 d7906eff .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root KASAN: slab-use-after-free Read in binder_release_work
2024/10/03 20:00 upstream 7ec462100ef9 d7906eff .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root KASAN: slab-use-after-free Read in binder_release_work
2024/10/03 18:40 upstream 7ec462100ef9 d7906eff .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root KASAN: slab-use-after-free Read in binder_release_work
2024/10/03 18:40 upstream 7ec462100ef9 d7906eff .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root KASAN: slab-use-after-free Read in binder_release_work
2024/10/02 14:25 upstream e32cde8d2bd7 a4c7fd36 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root KASAN: slab-use-after-free Read in binder_release_work
2024/10/01 15:32 upstream e32cde8d2bd7 ea2b66a6 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root KASAN: slab-use-after-free Read in binder_release_work
2024/10/01 05:33 upstream e32cde8d2bd7 bbd4e0a4 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root KASAN: slab-use-after-free Read in binder_release_work
2024/09/30 16:05 upstream 9852d85ec9d4 bbd4e0a4 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root KASAN: slab-use-after-free Read in binder_release_work
2024/09/30 15:03 upstream 9852d85ec9d4 bbd4e0a4 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root KASAN: slab-use-after-free Read in binder_release_work
2024/09/30 11:39 upstream 9852d85ec9d4 ba29ff75 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce KASAN: slab-use-after-free Read in binder_release_work
2024/09/30 08:03 upstream 9852d85ec9d4 ba29ff75 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root KASAN: slab-use-after-free Read in binder_release_work
2024/09/30 07:03 upstream e7ed34365879 ba29ff75 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce KASAN: slab-use-after-free Read in binder_release_work
2024/09/30 02:54 upstream e7ed34365879 ba29ff75 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root KASAN: slab-use-after-free Read in binder_release_work
2024/09/30 02:54 upstream e7ed34365879 ba29ff75 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root KASAN: slab-use-after-free Read in binder_release_work
2024/09/29 23:19 upstream e7ed34365879 ba29ff75 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce KASAN: slab-use-after-free Read in binder_release_work
2024/09/29 21:42 upstream e7ed34365879 ba29ff75 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce KASAN: slab-use-after-free Read in binder_release_work
2024/09/29 21:31 upstream e7ed34365879 ba29ff75 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce KASAN: slab-use-after-free Read in binder_release_work
2024/10/04 17:32 upstream 0c559323bbaa d7906eff .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-386 KASAN: slab-use-after-free Read in binder_release_work
2024/10/04 09:15 upstream 3840cbe24cf0 d7906eff .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-386 KASAN: slab-use-after-free Read in binder_release_work
2024/10/03 12:13 upstream 7ec462100ef9 d7906eff .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-386 KASAN: slab-use-after-free Read in binder_release_work
2024/10/03 08:22 upstream f23aa4c0761a a4c7fd36 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-386 KASAN: slab-use-after-free Read in binder_release_work
2024/10/01 00:26 upstream e32cde8d2bd7 bbd4e0a4 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-386 KASAN: slab-use-after-free Read in binder_release_work
2024/09/30 09:25 upstream 9852d85ec9d4 ba29ff75 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-386 KASAN: slab-use-after-free Read in binder_release_work
2024/09/30 05:49 upstream e7ed34365879 ba29ff75 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-386 KASAN: slab-use-after-free Read in binder_release_work
2024/09/29 22:28 upstream e7ed34365879 ba29ff75 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-386 KASAN: slab-use-after-free Read in binder_release_work
2024/10/05 07:25 upstream 27cc6fdf7201 d7906eff .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: slab-use-after-free Read in binder_release_work
2024/10/05 02:58 upstream 0c559323bbaa d7906eff .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: slab-use-after-free Read in binder_release_work
2024/10/04 14:41 upstream 0c559323bbaa d7906eff .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream KASAN: slab-use-after-free Read in binder_release_work
2024/10/03 16:05 upstream 7ec462100ef9 d7906eff .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream KASAN: slab-use-after-free Read in binder_release_work
2024/10/03 14:49 upstream 7ec462100ef9 d7906eff .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: slab-use-after-free Read in binder_release_work
2024/10/01 01:27 upstream e32cde8d2bd7 bbd4e0a4 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: slab-use-after-free Read in binder_release_work
2024/09/30 19:36 upstream 9852d85ec9d4 179f4029 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: slab-use-after-free Read in binder_release_work
2024/09/30 07:27 upstream 9852d85ec9d4 ba29ff75 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream KASAN: slab-use-after-free Read in binder_release_work
2024/09/30 02:42 upstream e7ed34365879 ba29ff75 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: slab-use-after-free Read in binder_release_work
2024/10/04 08:07 upstream 3840cbe24cf0 d7906eff .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 KASAN: slab-use-after-free Read in binder_release_work
2024/10/04 00:53 upstream 3840cbe24cf0 d7906eff .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 KASAN: slab-use-after-free Read in binder_release_work
2024/10/02 23:07 upstream f23aa4c0761a a4c7fd36 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 KASAN: slab-use-after-free Read in binder_release_work
2024/10/01 17:40 upstream e32cde8d2bd7 e9f6e118 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 KASAN: slab-use-after-free Read in binder_release_work
2024/09/30 02:37 upstream e7ed34365879 ba29ff75 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 KASAN: slab-use-after-free Read in binder_release_work
2024/09/30 02:37 upstream e7ed34365879 ba29ff75 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 KASAN: slab-use-after-free Read in binder_release_work
2024/09/30 02:36 upstream e7ed34365879 ba29ff75 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 KASAN: slab-use-after-free Read in binder_release_work
2024/09/30 02:36 upstream e7ed34365879 ba29ff75 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 KASAN: slab-use-after-free Read in binder_release_work
2024/09/30 02:36 upstream e7ed34365879 ba29ff75 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 KASAN: slab-use-after-free Read in binder_release_work
2024/09/30 02:35 upstream e7ed34365879 ba29ff75 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 KASAN: slab-use-after-free Read in binder_release_work
2024/09/30 02:34 upstream e7ed34365879 ba29ff75 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 KASAN: slab-use-after-free Read in binder_release_work
2024/09/30 02:34 upstream e7ed34365879 ba29ff75 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 KASAN: slab-use-after-free Read in binder_release_work
2024/09/30 02:34 upstream e7ed34365879 ba29ff75 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 KASAN: slab-use-after-free Read in binder_release_work
2024/09/30 02:34 upstream e7ed34365879 ba29ff75 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 KASAN: slab-use-after-free Read in binder_release_work
2024/09/29 23:08 upstream e7ed34365879 ba29ff75 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 KASAN: slab-use-after-free Read in binder_release_work
2024/09/29 22:37 upstream e7ed34365879 ba29ff75 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 KASAN: slab-use-after-free Read in binder_release_work
2024/09/30 13:27 linux-next cea5425829f7 ba29ff75 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: slab-use-after-free Read in binder_release_work
2024/09/30 07:20 linux-next cea5425829f7 ba29ff75 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: slab-use-after-free Read in binder_release_work
2024/09/30 07:20 linux-next cea5425829f7 ba29ff75 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: slab-use-after-free Read in binder_release_work
* Struck through repros no longer work on HEAD.