syzbot

 sign-in | mailing list | source | docs
🐞 Open [196]
🐞 Fixed [42]
🐞 Invalid [470]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

KASAN: double-free or invalid-free in relay_open

Status: fixed on 2018/02/20 22:33
Fix commit: 91cebf98cd94 kernel/relay.c: revert "kernel/relay.c: fix potential memory leak"
First crash: 2521d, last: 2469d
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: double-free or invalid-free in relay_open block trace C 106 2480d 2578d 4/28 fixed on 2018/02/12 17:26

Sample crash report:
==================================================================
BUG: KASAN: double-free or invalid-free in relay_open+0x603/0x860 kernel/relay.c:614

CPU: 1 PID: 3335 Comm: syzkaller992317 Not tainted 4.9.72-gcb7518e #114
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c9b57988 ffffffff81d922b9 ffffea0007200300 ffff8801c800c280
 ffff8801da001280 ffffffff8137ba63 0000000000000282 ffff8801c9b579c0
 ffffffff8153bab3 ffff8801c800c280 ffffffff8137ba63 ffff8801da001280
Call Trace:
 [<ffffffff81d922b9>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d922b9>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153bab3>] print_address_description+0x73/0x280 mm/kasan/report.c:252
 [<ffffffff8153bd24>] kasan_report_double_free+0x64/0xa0 mm/kasan/report.c:333
 [<ffffffff8153b454>] kasan_slab_free+0xa4/0xc0 mm/kasan/kasan.c:572
 [<ffffffff81537fa3>] slab_free_hook mm/slub.c:1355 [inline]
 [<ffffffff81537fa3>] slab_free_freelist_hook mm/slub.c:1377 [inline]
 [<ffffffff81537fa3>] slab_free mm/slub.c:2958 [inline]
 [<ffffffff81537fa3>] kfree+0x103/0x300 mm/slub.c:3878
 [<ffffffff8137ba63>] relay_open+0x603/0x860 kernel/relay.c:614
 [<ffffffff813bd839>] do_blk_trace_setup+0x3e9/0x950 kernel/trace/blktrace.c:501
 [<ffffffff813bde80>] blk_trace_setup+0xe0/0x1a0 kernel/trace/blktrace.c:545
 [<ffffffff8266e770>] sg_ioctl+0xbe0/0x2c30 drivers/scsi/sg.c:1099
 [<ffffffff815abdda>] vfs_ioctl fs/ioctl.c:43 [inline]
 [<ffffffff815abdda>] do_vfs_ioctl+0x1aa/0x1140 fs/ioctl.c:679
 [<ffffffff815acdff>] SYSC_ioctl fs/ioctl.c:694 [inline]
 [<ffffffff815acdff>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
 [<ffffffff838af585>] entry_SYSCALL_64_fastpath+0x23/0xc6

Allocated by task 3335:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:505
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:609
 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 relay_open+0x91/0x860 kernel/relay.c:576
 do_blk_trace_setup+0x3e9/0x950 kernel/trace/blktrace.c:501
 blk_trace_setup+0xe0/0x1a0 kernel/trace/blktrace.c:545
 sg_ioctl+0xbe0/0x2c30 drivers/scsi/sg.c:1099
 vfs_ioctl fs/ioctl.c:43 [inline]
 do_vfs_ioctl+0x1aa/0x1140 fs/ioctl.c:679
 SYSC_ioctl fs/ioctl.c:694 [inline]
 SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
 entry_SYSCALL_64_fastpath+0x23/0xc6

Freed by task 3335:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:505
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:582
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0x103/0x300 mm/slub.c:3878
 relay_destroy_channel+0x16/0x20 kernel/relay.c:199
 kref_sub include/linux/kref.h:73 [inline]
 kref_put include/linux/kref.h:98 [inline]
 relay_open+0x5ea/0x860 kernel/relay.c:612
 do_blk_trace_setup+0x3e9/0x950 kernel/trace/blktrace.c:501
 blk_trace_setup+0xe0/0x1a0 kernel/trace/blktrace.c:545
 sg_ioctl+0xbe0/0x2c30 drivers/scsi/sg.c:1099
 vfs_ioctl fs/ioctl.c:43 [inline]
 do_vfs_ioctl+0x1aa/0x1140 fs/ioctl.c:679
 SYSC_ioctl fs/ioctl.c:694 [inline]
 SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
 entry_SYSCALL_64_fastpath+0x23/0xc6

The buggy address belongs to the object at ffff8801c800c280
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 0 bytes inside of
 512-byte region [ffff8801c800c280, ffff8801c800c480)
The buggy address belongs to the page:
page:ffffea0007200300 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
flags: 0x8000000000004080(slab|head)
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801c800c180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801c800c200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8801c800c280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff8801c800c300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801c800c380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (64):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2017/12/28 00:14 https://android.googlesource.com/kernel/common android-4.9 cb7518e6167c 7d240098 .config console log report syz C ci-android-49-kasan-gce
2018/02/17 07:19 https://android.googlesource.com/kernel/common android-4.9 a25ea24f7b7d c8b3f7c1 .config console log report ci-android-49-kasan-gce
2018/02/16 19:29 https://android.googlesource.com/kernel/common android-4.9 a25ea24f7b7d c8b3f7c1 .config console log report ci-android-49-kasan-gce
2018/02/15 18:50 https://android.googlesource.com/kernel/common android-4.9 d2c57b60569e c8b3f7c1 .config console log report ci-android-49-kasan-gce
2018/02/15 17:55 https://android.googlesource.com/kernel/common android-4.9 d2c57b60569e c8b3f7c1 .config console log report ci-android-49-kasan-gce
2018/02/15 13:18 https://android.googlesource.com/kernel/common android-4.9 d2c57b60569e 77ed06bf .config console log report ci-android-49-kasan-gce
2018/02/14 17:50 https://android.googlesource.com/kernel/common android-4.9 1a938310b8af 17061fc0 .config console log report ci-android-49-kasan-gce
2018/02/12 18:56 https://android.googlesource.com/kernel/common android-4.9 8a174b4749d3 88bc17df .config console log report ci-android-49-kasan-gce
2018/02/12 10:57 https://android.googlesource.com/kernel/common android-4.9 8a174b4749d3 88bc17df .config console log report ci-android-49-kasan-gce
2018/02/10 12:39 https://android.googlesource.com/kernel/common android-4.9 8a174b4749d3 e67d44e0 .config console log report ci-android-49-kasan-gce
2018/02/09 17:11 https://android.googlesource.com/kernel/common android-4.9 20c8a0089294 9fb5ec43 .config console log report ci-android-49-kasan-gce
2018/02/09 00:17 https://android.googlesource.com/kernel/common android-4.9 20c8a0089294 9fb5ec43 .config console log report ci-android-49-kasan-gce
2018/02/08 23:30 https://android.googlesource.com/kernel/common android-4.9 20c8a0089294 9fb5ec43 .config console log report ci-android-49-kasan-gce
2018/02/08 18:58 https://android.googlesource.com/kernel/common android-4.9 20c8a0089294 9fb5ec43 .config console log report ci-android-49-kasan-gce
2018/02/08 00:04 https://android.googlesource.com/kernel/common android-4.9 550c01d0e051 9fb5ec43 .config console log report ci-android-49-kasan-gce
2018/02/07 23:40 https://android.googlesource.com/kernel/common android-4.9 550c01d0e051 9fb5ec43 .config console log report ci-android-49-kasan-gce
2018/02/06 14:01 https://android.googlesource.com/kernel/common android-4.9 550c01d0e051 645ce5da .config console log report ci-android-49-kasan-gce
2018/02/04 12:13 https://android.googlesource.com/kernel/common android-4.9 b30d2b5deba5 a1bc9d40 .config console log report ci-android-49-kasan-gce
2018/02/04 12:04 https://android.googlesource.com/kernel/common android-4.9 b30d2b5deba5 a1bc9d40 .config console log report ci-android-49-kasan-gce
2018/02/04 11:53 https://android.googlesource.com/kernel/common android-4.9 b30d2b5deba5 a1bc9d40 .config console log report ci-android-49-kasan-gce
2018/02/03 05:37 https://android.googlesource.com/kernel/common android-4.9 47af77b1dced 632a8c2c .config console log report ci-android-49-kasan-gce
2018/02/02 19:25 https://android.googlesource.com/kernel/common android-4.9 71f146972231 632a8c2c .config console log report ci-android-49-kasan-gce
2018/02/02 17:36 https://android.googlesource.com/kernel/common android-4.9 71f146972231 632a8c2c .config console log report ci-android-49-kasan-gce
2018/02/02 16:11 https://android.googlesource.com/kernel/common android-4.9 71f146972231 826b35d6 .config console log report ci-android-49-kasan-gce
2018/02/02 04:49 https://android.googlesource.com/kernel/common android-4.9 71f146972231 826b35d6 .config console log report ci-android-49-kasan-gce
2018/02/02 04:42 https://android.googlesource.com/kernel/common android-4.9 71f146972231 826b35d6 .config console log report ci-android-49-kasan-gce
2018/02/02 01:40 https://android.googlesource.com/kernel/common android-4.9 71f146972231 67bd3383 .config console log report ci-android-49-kasan-gce
2018/02/01 16:37 https://android.googlesource.com/kernel/common android-4.9 71f146972231 67bd3383 .config console log report ci-android-49-kasan-gce
2018/02/01 16:23 https://android.googlesource.com/kernel/common android-4.9 71f146972231 67bd3383 .config console log report ci-android-49-kasan-gce
2018/01/31 08:13 https://android.googlesource.com/kernel/common android-4.9 7be198545491 02553e22 .config console log report ci-android-49-kasan-gce
2018/01/30 15:30 https://android.googlesource.com/kernel/common android-4.9 7be198545491 a899be78 .config console log report ci-android-49-kasan-gce
2018/01/29 23:27 https://android.googlesource.com/kernel/common android-4.9 7be198545491 08d47756 .config console log report ci-android-49-kasan-gce
2018/01/29 16:29 https://android.googlesource.com/kernel/common android-4.9 7be198545491 08d47756 .config console log report ci-android-49-kasan-gce
2018/01/29 16:15 https://android.googlesource.com/kernel/common android-4.9 7be198545491 08d47756 .config console log report ci-android-49-kasan-gce
2018/01/29 13:40 https://android.googlesource.com/kernel/common android-4.9 68d447c0a37b 08d47756 .config console log report ci-android-49-kasan-gce
2018/01/27 13:49 https://android.googlesource.com/kernel/common android-4.9 68d447c0a37b 1d18b112 .config console log report ci-android-49-kasan-gce
2018/01/27 01:38 https://android.googlesource.com/kernel/common android-4.9 f518fe49bbaa 1d18b112 .config console log report ci-android-49-kasan-gce
2018/01/26 00:49 https://android.googlesource.com/kernel/common android-4.9 e37256ce150d 1d18b112 .config console log report ci-android-49-kasan-gce
2018/01/26 00:48 https://android.googlesource.com/kernel/common android-4.9 e37256ce150d 1d18b112 .config console log report ci-android-49-kasan-gce
2018/01/25 21:29 https://android.googlesource.com/kernel/common android-4.9 e37256ce150d 1d18b112 .config console log report ci-android-49-kasan-gce
2018/01/25 05:50 https://android.googlesource.com/kernel/common android-4.9 29eadc4b5c13 866f1102 .config console log report ci-android-49-kasan-gce
* Struck through repros no longer work on HEAD.