syzbot

 sign-in | mailing list | source | docs
🐞 Open [196]
🐞 Fixed [42]
🐞 Invalid [470]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

KASAN: use-after-free Read in __do_page_fault

Status: closed as invalid on 2019/01/01 20:10
First crash: 2603d, last: 2547d
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Read in __do_page_fault mm syz 679 2567d 2578d 4/28 fixed on 2018/02/14 17:52

Sample crash report:
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:243 [inline] at addr ffff8801c8807a00
BUG: KASAN: use-after-free in atomic_read arch/x86/include/asm/atomic.h:26 [inline] at addr ffff8801c8807a00
BUG: KASAN: use-after-free in static_key_count include/linux/jump_label.h:174 [inline] at addr ffff8801c8807a00
BUG: KASAN: use-after-free in static_key_false include/linux/jump_label.h:184 [inline] at addr ffff8801c8807a00
BUG: KASAN: use-after-free in perf_sw_event include/linux/perf_event.h:1039 [inline] at addr ffff8801c8807a00
BUG: KASAN: use-after-free in __do_page_fault+0xc80/0xd70 arch/x86/mm/fault.c:1439 at addr ffff8801c8807a00
Read of size 8 by task syz-executor7/6596
CPU: 0 PID: 6596 Comm: syz-executor7 Not tainted 4.9.53-g379e3b2 #59
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801ca1d7d88 ffffffff81d93789 ffff8801da150140 ffff8801c88079b0
 ffff8801c8807a68 ffffed0039100f40 ffff8801c8807a00 ffff8801ca1d7db0
 ffffffff8153cfdc ffffed0039100f40 ffff8801da150140 0000000000000000
Call Trace:
 [<ffffffff81d93789>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d93789>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153cfdc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153d29c>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153d29c>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153d29c>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153d639>] kasan_report mm/kasan/report.c:330 [inline]
 [<ffffffff8153d639>] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330
 [<ffffffff810e0b00>] __read_once_size include/linux/compiler.h:243 [inline]
 [<ffffffff810e0b00>] atomic_read arch/x86/include/asm/atomic.h:26 [inline]
 [<ffffffff810e0b00>] static_key_count include/linux/jump_label.h:174 [inline]
 [<ffffffff810e0b00>] static_key_false include/linux/jump_label.h:184 [inline]
 [<ffffffff810e0b00>] perf_sw_event include/linux/perf_event.h:1039 [inline]
 [<ffffffff810e0b00>] __do_page_fault+0xc80/0xd70 arch/x86/mm/fault.c:1439
 [<ffffffff810e0c17>] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1461
 [<ffffffff838aeb98>] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
Object at ffff8801c88079b0, in cache vm_area_struct size: 184
Allocated:
PID = 6596
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537
 slab_post_alloc_hook mm/slab.h:417 [inline]
 slab_alloc_node mm/slub.c:2715 [inline]
 slab_alloc mm/slub.c:2723 [inline]
 kmem_cache_alloc+0xba/0x290 mm/slub.c:2728
 kmem_cache_zalloc include/linux/slab.h:626 [inline]
 mmap_region+0x587/0xfd0 mm/mmap.c:1662
 do_mmap+0x57b/0xbe0 mm/mmap.c:1473
 do_mmap_pgoff include/linux/mm.h:2014 [inline]
 vm_mmap_pgoff+0x16b/0x1b0 mm/util.c:305
 SYSC_mmap_pgoff mm/mmap.c:1523 [inline]
 SyS_mmap_pgoff+0xd0/0x560 mm/mmap.c:1481
 SYSC_mmap arch/x86/kernel/sys_x86_64.c:95 [inline]
 SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:86
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 6623
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kmem_cache_free+0xb2/0x2e0 mm/slub.c:2980
 remove_vma+0x11d/0x160 mm/mmap.c:175
 remove_vma_list mm/mmap.c:2482 [inline]
 do_munmap+0x7ff/0xeb0 mm/mmap.c:2705
 mmap_region+0x14d/0xfd0 mm/mmap.c:1635
 do_mmap+0x57b/0xbe0 mm/mmap.c:1473
 do_mmap_pgoff include/linux/mm.h:2014 [inline]
 vm_mmap_pgoff+0x16b/0x1b0 mm/util.c:305
 SYSC_mmap_pgoff mm/mmap.c:1523 [inline]
 SyS_mmap_pgoff+0xd0/0x560 mm/mmap.c:1481
 SYSC_mmap arch/x86/kernel/sys_x86_64.c:95 [inline]
 SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:86
 entry_SYSCALL_64_fastpath+0x23/0xc6
Memory state around the buggy address:
 ffff8801c8807900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
 ffff8801c8807980: fc fc fc fc fc fc fb fb fb fb fb fb fb fb fb fb
>ffff8801c8807a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
                   ^
 ffff8801c8807a80: fc fc fc fc fc fb fb fb fb fb fb fb fb fb fb fb
 ffff8801c8807b00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
==================================================================

Crashes (15719):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2017/10/06 04:02 https://android.googlesource.com/kernel/common android-4.9 379e3b2a6d51 c26ea367 .config console log report syz ci-android-49-kasan-gce
2017/11/22 14:38 https://android.googlesource.com/kernel/common android-4.9 fbb7468cbc28 cb27b030 .config console log report ci-android-49-kasan-gce
2017/11/22 14:35 https://android.googlesource.com/kernel/common android-4.9 fbb7468cbc28 cb27b030 .config console log report ci-android-49-kasan-gce
2017/11/22 14:25 https://android.googlesource.com/kernel/common android-4.9 fbb7468cbc28 cb27b030 .config console log report ci-android-49-kasan-gce
2017/11/22 14:18 https://android.googlesource.com/kernel/common android-4.9 fbb7468cbc28 cb27b030 .config console log report ci-android-49-kasan-gce
2017/11/22 14:08 https://android.googlesource.com/kernel/common android-4.9 fbb7468cbc28 cb27b030 .config console log report ci-android-49-kasan-gce
2017/11/22 14:05 https://android.googlesource.com/kernel/common android-4.9 fbb7468cbc28 cb27b030 .config console log report ci-android-49-kasan-gce
2017/11/22 13:54 https://android.googlesource.com/kernel/common android-4.9 fbb7468cbc28 cb27b030 .config console log report ci-android-49-kasan-gce
2017/11/22 13:53 https://android.googlesource.com/kernel/common android-4.9 fbb7468cbc28 cb27b030 .config console log report ci-android-49-kasan-gce
2017/11/22 13:46 https://android.googlesource.com/kernel/common android-4.9 fbb7468cbc28 cb27b030 .config console log report ci-android-49-kasan-gce
2017/11/22 13:38 https://android.googlesource.com/kernel/common android-4.9 fbb7468cbc28 cb27b030 .config console log report ci-android-49-kasan-gce
2017/11/22 13:37 https://android.googlesource.com/kernel/common android-4.9 fbb7468cbc28 cb27b030 .config console log report ci-android-49-kasan-gce
2017/11/22 13:36 https://android.googlesource.com/kernel/common android-4.9 fbb7468cbc28 cb27b030 .config console log report ci-android-49-kasan-gce
2017/11/22 13:18 https://android.googlesource.com/kernel/common android-4.9 fbb7468cbc28 cb27b030 .config console log report ci-android-49-kasan-gce
2017/11/22 12:52 https://android.googlesource.com/kernel/common android-4.9 fbb7468cbc28 cb27b030 .config console log report ci-android-49-kasan-gce
2017/11/22 12:31 https://android.googlesource.com/kernel/common android-4.9 fbb7468cbc28 cb27b030 .config console log report ci-android-49-kasan-gce
2017/11/22 12:26 https://android.googlesource.com/kernel/common android-4.9 fbb7468cbc28 cb27b030 .config console log report ci-android-49-kasan-gce
2017/11/22 12:25 https://android.googlesource.com/kernel/common android-4.9 fbb7468cbc28 cb27b030 .config console log report ci-android-49-kasan-gce
2017/11/22 12:25 https://android.googlesource.com/kernel/common android-4.9 fbb7468cbc28 cb27b030 .config console log report ci-android-49-kasan-gce
2017/11/22 12:22 https://android.googlesource.com/kernel/common android-4.9 fbb7468cbc28 cb27b030 .config console log report ci-android-49-kasan-gce
2017/11/22 11:57 https://android.googlesource.com/kernel/common android-4.9 fbb7468cbc28 cb27b030 .config console log report ci-android-49-kasan-gce
2017/11/22 10:15 https://android.googlesource.com/kernel/common android-4.9 fbb7468cbc28 cb27b030 .config console log report ci-android-49-kasan-gce
2017/11/21 22:40 https://android.googlesource.com/kernel/common android-4.9 fbb7468cbc28 cb27b030 .config console log report ci-android-49-kasan-gce
2017/11/18 23:54 https://android.googlesource.com/kernel/common android-4.9 44a3afcce10a eff27f33 .config console log report ci-android-49-kasan-gce
2017/11/16 18:56 https://android.googlesource.com/kernel/common android-4.9 f09daf140e6e bf820689 .config console log report ci-android-49-kasan-gce
2017/11/16 16:01 https://android.googlesource.com/kernel/common android-4.9 f09daf140e6e bf820689 .config console log report ci-android-49-kasan-gce
2017/11/14 00:44 https://android.googlesource.com/kernel/common android-4.9 d55e63001fc4 cf38de00 .config console log report ci-android-49-kasan-gce
2017/11/12 16:30 https://android.googlesource.com/kernel/common android-4.9 904c79c425ab e0a2b195 .config console log report ci-android-49-kasan-gce
2017/11/12 15:59 https://android.googlesource.com/kernel/common android-4.9 904c79c425ab e0a2b195 .config console log report ci-android-49-kasan-gce
2017/11/11 16:08 https://android.googlesource.com/kernel/common android-4.9 904c79c425ab e0a2b195 .config console log report ci-android-49-kasan-gce
2017/11/11 09:01 https://android.googlesource.com/kernel/common android-4.9 904c79c425ab e0a2b195 .config console log report ci-android-49-kasan-gce
2017/11/11 08:36 https://android.googlesource.com/kernel/common android-4.9 904c79c425ab e0a2b195 .config console log report ci-android-49-kasan-gce
2017/11/10 20:24 https://android.googlesource.com/kernel/common android-4.9 904c79c425ab e0a2b195 .config console log report ci-android-49-kasan-gce
2017/11/10 09:54 https://android.googlesource.com/kernel/common android-4.9 a93e3124db19 e0a2b195 .config console log report ci-android-49-kasan-gce
2017/11/10 04:42 https://android.googlesource.com/kernel/common android-4.9 a93e3124db19 e0a2b195 .config console log report ci-android-49-kasan-gce
2017/11/10 04:04 https://android.googlesource.com/kernel/common android-4.9 a93e3124db19 e0a2b195 .config console log report ci-android-49-kasan-gce
2017/11/09 23:55 https://android.googlesource.com/kernel/common android-4.9 a93e3124db19 e0a2b195 .config console log report ci-android-49-kasan-gce
2017/11/09 04:25 https://android.googlesource.com/kernel/common android-4.9 a93e3124db19 e0a2b195 .config console log report ci-android-49-kasan-gce
2017/11/09 00:24 https://android.googlesource.com/kernel/common android-4.9 c4789f87f6d0 9547ae3a .config console log report ci-android-49-kasan-gce
2017/11/08 19:48 https://android.googlesource.com/kernel/common android-4.9 c4789f87f6d0 9547ae3a .config console log report ci-android-49-kasan-gce
2017/11/08 13:05 https://android.googlesource.com/kernel/common android-4.9 4ca16e66434d 699e0a68 .config console log report ci-android-49-kasan-gce
* Struck through repros no longer work on HEAD.