syzbot |
sign-in | mailing list | source | docs |
================================================================== BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:101 [inline] BUG: KASAN: use-after-free in atomic_dec_and_test include/linux/atomic/atomic-instrumented.h:542 [inline] BUG: KASAN: use-after-free in vma_put_file_ref+0x25/0x90 include/linux/mm.h:3397 Write of size 4 at addr ffff88811c41d1e8 by task syz-executor.2/16900 CPU: 0 PID: 16900 Comm: syz-executor.2 Not tainted 5.15.78-syzkaller-00911-gc73b4619ad86 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106 print_address_description+0x87/0x3d0 mm/kasan/report.c:256 __kasan_report mm/kasan/report.c:435 [inline] kasan_report+0x1a6/0x1f0 mm/kasan/report.c:452 kasan_check_range+0x2aa/0x2e0 mm/kasan/generic.c:189 __kasan_check_write+0x14/0x20 mm/kasan/shadow.c:37 instrument_atomic_read_write include/linux/instrumented.h:101 [inline] atomic_dec_and_test include/linux/atomic/atomic-instrumented.h:542 [inline] vma_put_file_ref+0x25/0x90 include/linux/mm.h:3397 do_user_addr_fault+0xb69/0x1220 arch/x86/mm/fault.c:1379 handle_page_fault arch/x86/mm/fault.c:1561 [inline] exc_page_fault+0x68/0x1a0 arch/x86/mm/fault.c:1617 asm_exc_page_fault+0x27/0x30 arch/x86/include/asm/idtentry.h:568 RIP: 0033:0x7f0f677ecc1f Code: 83 f8 04 0f 84 07 02 00 00 0f 87 9f 00 00 00 48 83 f8 01 75 49 48 8b 44 24 20 48 0b 44 24 28 0f 84 99 01 00 00 48 8b 44 24 10 <0f> b6 30 48 8b 04 24 48 85 c0 0f 84 6b 02 00 00 48 83 f8 01 0f 85 RSP: 002b:00007ffe192301b0 EFLAGS: 00010206 RAX: 0000000020000599 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 519bb7535d9ddbdc RSI: 0000000000000000 RDI: 00005555568812e8 RBP: 00007ffe192302a8 R08: 0000000000000000 R09: 0000000000000003 R10: 00007f0f673c5990 R11: 0000000000000246 R12: 00007f0f6796d12c R13: 00007f0f673c1608 R14: 00007f0f6796d120 R15: 0000000000000002 </TASK> Allocated by task 16901: kasan_save_stack mm/kasan/common.c:38 [inline] kasan_set_track mm/kasan/common.c:45 [inline] set_alloc_info mm/kasan/common.c:433 [inline] __kasan_slab_alloc+0xb2/0xe0 mm/kasan/common.c:466 kasan_slab_alloc include/linux/kasan.h:244 [inline] slab_post_alloc_hook mm/slab.h:550 [inline] slab_alloc_node mm/slub.c:3236 [inline] slab_alloc mm/slub.c:3244 [inline] kmem_cache_alloc+0x189/0x2f0 mm/slub.c:3249 vm_area_alloc+0x24/0x130 kernel/fork.c:359 mmap_region+0xb80/0x1af0 mm/mmap.c:1780 do_mmap+0x785/0xe40 mm/mmap.c:1584 vm_mmap_pgoff+0x1d4/0x420 mm/util.c:554 ksys_mmap_pgoff+0x15d/0x1e0 mm/mmap.c:1633 __do_sys_mmap arch/x86/kernel/sys_x86_64.c:93 [inline] __se_sys_mmap arch/x86/kernel/sys_x86_64.c:86 [inline] __x64_sys_mmap+0x103/0x120 arch/x86/kernel/sys_x86_64.c:86 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x61/0xcb Freed by task 25: kasan_save_stack mm/kasan/common.c:38 [inline] kasan_set_track+0x4c/0x70 mm/kasan/common.c:45 kasan_set_free_info+0x23/0x40 mm/kasan/generic.c:370 ____kasan_slab_free+0x126/0x160 mm/kasan/common.c:365 __kasan_slab_free+0x11/0x20 mm/kasan/common.c:373 kasan_slab_free include/linux/kasan.h:220 [inline] slab_free_hook mm/slub.c:1721 [inline] slab_free_freelist_hook+0xc9/0x1a0 mm/slub.c:1747 slab_free mm/slub.c:3515 [inline] kmem_cache_free+0x11a/0x2e0 mm/slub.c:3531 ____vm_area_free kernel/fork.c:386 [inline] __vm_area_free+0x1c/0x20 kernel/fork.c:394 rcu_do_batch+0x55b/0xbe0 kernel/rcu/tree.c:2509 rcu_core+0x506/0x1000 kernel/rcu/tree.c:2749 rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2762 __do_softirq+0x27e/0x5dc kernel/softirq.c:565 Last potentially related work creation: kasan_save_stack+0x3b/0x60 mm/kasan/common.c:38 __kasan_record_aux_stack+0xd3/0xf0 mm/kasan/generic.c:348 kasan_record_aux_stack_noalloc+0xb/0x10 mm/kasan/generic.c:358 __call_rcu kernel/rcu/tree.c:2993 [inline] call_rcu+0x140/0x1400 kernel/rcu/tree.c:3073 vm_area_free+0x1e7/0x230 kernel/fork.c:406 remove_vma mm/mmap.c:190 [inline] remove_vma_list mm/mmap.c:2638 [inline] __do_munmap+0x16ea/0x1ad0 mm/mmap.c:2914 do_munmap mm/mmap.c:2922 [inline] munmap_vma_range mm/mmap.c:605 [inline] mmap_region+0x9ec/0x1af0 mm/mmap.c:1755 do_mmap+0x785/0xe40 mm/mmap.c:1584 vm_mmap_pgoff+0x1d4/0x420 mm/util.c:554 ksys_mmap_pgoff+0x15d/0x1e0 mm/mmap.c:1633 __do_sys_mmap arch/x86/kernel/sys_x86_64.c:93 [inline] __se_sys_mmap arch/x86/kernel/sys_x86_64.c:86 [inline] __x64_sys_mmap+0x103/0x120 arch/x86/kernel/sys_x86_64.c:86 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x61/0xcb Second to last potentially related work creation: kasan_save_stack+0x3b/0x60 mm/kasan/common.c:38 __kasan_record_aux_stack+0xd3/0xf0 mm/kasan/generic.c:348 kasan_record_aux_stack_noalloc+0xb/0x10 mm/kasan/generic.c:358 __call_rcu kernel/rcu/tree.c:2993 [inline] call_rcu+0x140/0x1400 kernel/rcu/tree.c:3073 vm_area_free+0x1e7/0x230 kernel/fork.c:406 remove_vma mm/mmap.c:190 [inline] remove_vma_list mm/mmap.c:2638 [inline] __do_munmap+0x16ea/0x1ad0 mm/mmap.c:2914 do_munmap mm/mmap.c:2922 [inline] munmap_vma_range mm/mmap.c:605 [inline] mmap_region+0x9ec/0x1af0 mm/mmap.c:1755 do_mmap+0x785/0xe40 mm/mmap.c:1584 vm_mmap_pgoff+0x1d4/0x420 mm/util.c:554 ksys_mmap_pgoff+0x15d/0x1e0 mm/mmap.c:1633 __do_sys_mmap arch/x86/kernel/sys_x86_64.c:93 [inline] __se_sys_mmap arch/x86/kernel/sys_x86_64.c:86 [inline] __x64_sys_mmap+0x103/0x120 arch/x86/kernel/sys_x86_64.c:86 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x61/0xcb The buggy address belongs to the object at ffff88811c41d128 which belongs to the cache vm_area_struct of size 232 The buggy address is located 192 bytes inside of 232-byte region [ffff88811c41d128, ffff88811c41d210) The buggy address belongs to the page: page:ffffea0004710740 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11c41d flags: 0x4000000000000200(slab|zone=1) raw: 4000000000000200 ffffea0004a4e540 0000000300000003 ffff888100274900 raw: 0000000000000000 00000000000d000d 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 318, ts 12946200565, free_ts 12946069531 set_page_owner include/linux/page_owner.h:33 [inline] post_alloc_hook+0x1ab/0x1b0 mm/page_alloc.c:2495 prep_new_page mm/page_alloc.c:2501 [inline] get_page_from_freelist+0x38b/0x400 mm/page_alloc.c:4281 __alloc_pages+0x3a8/0x7c0 mm/page_alloc.c:5548 allocate_slab+0x62/0x580 mm/slub.c:1928 new_slab mm/slub.c:1991 [inline] ___slab_alloc+0x2e2/0x6f0 mm/slub.c:3024 __slab_alloc+0x4a/0x90 mm/slub.c:3111 slab_alloc_node mm/slub.c:3202 [inline] slab_alloc mm/slub.c:3244 [inline] kmem_cache_alloc+0x205/0x2f0 mm/slub.c:3249 vm_area_alloc+0x24/0x130 kernel/fork.c:359 mmap_region+0xb80/0x1af0 mm/mmap.c:1780 do_mmap+0x785/0xe40 mm/mmap.c:1584 vm_mmap_pgoff+0x1d4/0x420 mm/util.c:554 ksys_mmap_pgoff+0xed/0x1e0 mm/mmap.c:1633 __do_sys_mmap arch/x86/kernel/sys_x86_64.c:93 [inline] __se_sys_mmap arch/x86/kernel/sys_x86_64.c:86 [inline] __x64_sys_mmap+0x103/0x120 arch/x86/kernel/sys_x86_64.c:86 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x61/0xcb page last free stack trace: reset_page_owner include/linux/page_owner.h:26 [inline] free_pages_prepare mm/page_alloc.c:1364 [inline] free_pcp_prepare+0x448/0x450 mm/page_alloc.c:1435 free_unref_page_prepare mm/page_alloc.c:3433 [inline] free_unref_page+0x9c/0x370 mm/page_alloc.c:3513 free_the_page mm/page_alloc.c:706 [inline] __free_pages+0xd8/0x100 mm/page_alloc.c:5621 free_pages+0x7c/0x90 mm/page_alloc.c:5632 tlb_batch_list_free mm/mmu_gather.c:61 [inline] tlb_finish_mmu+0x123/0x1f0 mm/mmu_gather.c:343 unmap_region+0x327/0x370 mm/mmap.c:2679 __do_munmap+0x1468/0x1ad0 mm/mmap.c:2911 __vm_munmap mm/mmap.c:2934 [inline] __do_sys_munmap+0x15e/0x280 mm/mmap.c:2960 __se_sys_munmap mm/mmap.c:2956 [inline] __x64_sys_munmap+0x5b/0x70 mm/mmap.c:2956 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x61/0xcb Memory state around the buggy address: ffff88811c41d080: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc ffff88811c41d100: fc fc fc fc fc fa fb fb fb fb fb fb fb fb fb fb >ffff88811c41d180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88811c41d200: fb fb fc fc fc fc fc fc fc fc fa fb fb fb fb fb ffff88811c41d280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
---|---|---|---|---|---|---|---|---|---|---|---|---|
2022/12/28 21:11 | android13-5.15-lts | c73b4619ad86 | 44712fbc | .config | console log | report | syz | [disk image] [vmlinux] [kernel image] | ci2-android-5-15 | KASAN: use-after-free Write in vma_put_file_ref | ||
2023/01/21 11:21 | android13-5.15-lts | 72d681a01da5 | cc0f9968 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-android-5-15 | KASAN: use-after-free Write in vma_put_file_ref |