syzbot |
sign-in | mailing list | source | docs |
================================================================== BUG: KASAN: use-after-free in __crypto_xor+0x376/0x410 crypto/algapi.c:1001 Read of size 8 at addr ffff888073b7e725 by task kworker/u4:1/10 CPU: 1 PID: 10 Comm: kworker/u4:1 Not tainted 5.14.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: pencrypt_parallel padata_parallel_worker Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:105 print_address_description.constprop.0.cold+0x6c/0x309 mm/kasan/report.c:256 __kasan_report mm/kasan/report.c:442 [inline] kasan_report.cold+0x83/0xdf mm/kasan/report.c:459 __crypto_xor+0x376/0x410 crypto/algapi.c:1001 crypto_xor include/crypto/algapi.h:160 [inline] crypto_ctr_crypt_segment crypto/ctr.c:60 [inline] crypto_ctr_crypt+0x256/0x550 crypto/ctr.c:114 crypto_skcipher_encrypt+0xaa/0xf0 crypto/skcipher.c:630 crypto_gcm_encrypt+0x38f/0x4b0 crypto/gcm.c:461 crypto_aead_encrypt+0xaa/0xf0 crypto/aead.c:94 pcrypt_aead_enc+0x13/0x70 crypto/pcrypt.c:82 padata_parallel_worker+0x60/0xb0 kernel/padata.c:144 process_one_work+0x9bf/0x16b0 kernel/workqueue.c:2297 worker_thread+0x658/0x11f0 kernel/workqueue.c:2444 kthread+0x3e5/0x4d0 kernel/kthread.c:319 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 Allocated by task 1: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:46 [inline] set_alloc_info mm/kasan/common.c:434 [inline] __kasan_slab_alloc+0x83/0xb0 mm/kasan/common.c:467 kasan_slab_alloc include/linux/kasan.h:254 [inline] slab_post_alloc_hook mm/slab.h:519 [inline] slab_alloc_node mm/slub.c:2959 [inline] slab_alloc mm/slub.c:2967 [inline] kmem_cache_alloc+0x285/0x4a0 mm/slub.c:2972 kmem_cache_zalloc include/linux/slab.h:711 [inline] lsm_file_alloc security/security.c:572 [inline] security_file_alloc+0x34/0x170 security/security.c:1515 __alloc_file+0xd8/0x280 fs/file_table.c:106 alloc_empty_file+0x6d/0x170 fs/file_table.c:150 path_openat+0xe4/0x2740 fs/namei.c:3545 do_filp_open+0x1aa/0x400 fs/namei.c:3586 do_sys_openat2+0x16d/0x4d0 fs/open.c:1200 do_sys_open fs/open.c:1216 [inline] __do_sys_open fs/open.c:1224 [inline] __se_sys_open fs/open.c:1220 [inline] __x64_sys_open+0x119/0x1c0 fs/open.c:1220 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae The buggy address belongs to the object at ffff888073b7e700 which belongs to the cache lsm_file_cache of size 80 The buggy address is located 37 bytes inside of 80-byte region [ffff888073b7e700, ffff888073b7e750) The buggy address belongs to the page: page:ffffea0001cedf80 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888073b7ef50 pfn:0x73b7e flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000200 ffffea0001ce8c48 ffffea0001cb88c8 ffff888010dc6000 raw: ffff888073b7ef50 0000000000240005 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1, ts 64591664193, free_ts 64586178118 prep_new_page mm/page_alloc.c:2436 [inline] get_page_from_freelist+0xa72/0x2f80 mm/page_alloc.c:4168 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5390 alloc_pages+0x1a7/0x300 mm/mempolicy.c:2291 alloc_slab_page mm/slub.c:1691 [inline] allocate_slab+0x32e/0x4b0 mm/slub.c:1831 new_slab mm/slub.c:1894 [inline] new_slab_objects mm/slub.c:2640 [inline] ___slab_alloc+0x473/0x7b0 mm/slub.c:2803 __slab_alloc.constprop.0+0xa7/0xf0 mm/slub.c:2843 slab_alloc_node mm/slub.c:2925 [inline] slab_alloc mm/slub.c:2967 [inline] kmem_cache_alloc+0x3e1/0x4a0 mm/slub.c:2972 kmem_cache_zalloc include/linux/slab.h:711 [inline] lsm_file_alloc security/security.c:572 [inline] security_file_alloc+0x34/0x170 security/security.c:1515 __alloc_file+0xd8/0x280 fs/file_table.c:106 alloc_empty_file+0x6d/0x170 fs/file_table.c:150 path_openat+0xe4/0x2740 fs/namei.c:3545 do_filp_open+0x1aa/0x400 fs/namei.c:3586 do_sys_openat2+0x16d/0x4d0 fs/open.c:1200 do_sys_open fs/open.c:1216 [inline] __do_sys_open fs/open.c:1224 [inline] __se_sys_open fs/open.c:1220 [inline] __x64_sys_open+0x119/0x1c0 fs/open.c:1220 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1346 [inline] free_pcp_prepare+0x2c5/0x780 mm/page_alloc.c:1397 free_unref_page_prepare mm/page_alloc.c:3332 [inline] free_unref_page+0x19/0x690 mm/page_alloc.c:3411 qlink_free mm/kasan/quarantine.c:146 [inline] qlist_free_all+0x5a/0xc0 mm/kasan/quarantine.c:165 kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:272 __kasan_slab_alloc+0x95/0xb0 mm/kasan/common.c:444 kasan_slab_alloc include/linux/kasan.h:254 [inline] slab_post_alloc_hook mm/slab.h:519 [inline] slab_alloc_node mm/slub.c:2959 [inline] slab_alloc mm/slub.c:2967 [inline] kmem_cache_alloc+0x285/0x4a0 mm/slub.c:2972 getname_flags.part.0+0x50/0x4f0 fs/namei.c:138 getname_flags+0x9a/0xe0 include/linux/audit.h:319 user_path_at_empty+0x2b/0x90 fs/namei.c:2801 user_path_at include/linux/namei.h:57 [inline] vfs_statx+0x142/0x390 fs/stat.c:221 vfs_fstatat fs/stat.c:243 [inline] vfs_lstat include/linux/fs.h:3351 [inline] __do_sys_newlstat+0x91/0x110 fs/stat.c:398 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae Memory state around the buggy address: ffff888073b7e600: fc fc fc fc fb fb fb fb fb fb fb fb fb fb fc fc ffff888073b7e680: fc fc fb fb fb fb fb fb fb fb fb fb fc fc fc fc >ffff888073b7e700: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fb fb ^ ffff888073b7e780: fb fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb ffff888073b7e800: fb fb fb fb fb fb fc fc fc fc fb fb fb fb fb fb ==================================================================
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
---|---|---|---|---|---|---|---|---|---|---|---|---|
2021/09/04 05:01 | upstream | 7cca308cfdc0 | d236a457 | .config | console log | report | syz | C | ci-upstream-kasan-gce | KASAN: use-after-free Read in __crypto_xor | ||
2021/08/01 01:37 | net-next-old | 3e12361b6d23 | 6c236867 | .config | console log | report | syz | C | ci-upstream-net-kasan-gce | KASAN: use-after-free Read in __crypto_xor | ||
2021/08/12 12:08 | upstream | 1746f4db5135 | 6972b106 | .config | console log | report | info | ci-upstream-kasan-gce-selinux-root | KASAN: use-after-free Read in __crypto_xor | |||
2021/08/07 15:12 | upstream | c9194f32bfd9 | 6972b106 | .config | console log | report | info | ci-upstream-kasan-gce-selinux-root | KASAN: use-after-free Read in __crypto_xor | |||
2021/08/07 01:53 | upstream | 894d6f401b21 | 6972b106 | .config | console log | report | info | ci-upstream-kasan-gce-root | KASAN: use-after-free Read in __crypto_xor | |||
2021/08/05 21:34 | upstream | 902e7f373fff | d2d6e680 | .config | console log | report | info | ci-upstream-kasan-gce-selinux-root | KASAN: use-after-free Read in __crypto_xor | |||
2021/08/01 21:22 | upstream | d4affd6b6e81 | 6c236867 | .config | console log | report | info | ci-upstream-kasan-gce-root | KASAN: use-after-free Read in __crypto_xor | |||
2021/08/01 00:07 | upstream | f3438b4c4e69 | 6c236867 | .config | console log | report | info | ci-upstream-kasan-gce-root | KASAN: use-after-free Read in __crypto_xor | |||
2021/08/04 16:30 | linux-next | 8d4b477da1a8 | b97d64c9 | .config | console log | report | info | ci-upstream-linux-next-kasan-gce-root | KASAN: use-after-free Read in __crypto_xor |