syzbot


KASAN: use-after-free Read in blk_trace_startstop

Status: auto-closed as invalid on 2019/02/22 12:59
First crash: 2302d, last: 2302d
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.14 KASAN: use-after-free Read in blk_trace_startstop 1 1790d 1790d 0/1 auto-closed as invalid on 2020/04/26 10:55

Sample crash report:
binder: undelivered TRANSACTION_ERROR: 29189
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=1564 sclass=netlink_route_socket pig=15384 comm=syz-executor6
netlink: 76 bytes leftover after parsing attributes in process `syz-executor7'.
==================================================================
BUG: KASAN: use-after-free in __list_add+0x183/0x1c0 lib/list_debug.c:26
Read of size 8 at addr ffff8801c00aba20 by task syz-executor6/15505

CPU: 0 PID: 15505 Comm: syz-executor6 Not tainted 4.9.116-g0137ea2 #70
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d7c07a00 ffffffff81eb46a9 ffffea0007002ac0 ffff8801c00aba20
 0000000000000000 ffff8801c00aba20 0000000000000001 ffff8801d7c07a38
 ffffffff81567d49 ffff8801c00aba20 0000000000000008 0000000000000000
Call Trace:
 [<ffffffff81eb46a9>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81eb46a9>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff81567d49>] print_address_description+0x6c/0x234 mm/kasan/report.c:256
 [<ffffffff81568153>] kasan_report_error mm/kasan/report.c:355 [inline]
 [<ffffffff81568153>] kasan_report.cold.6+0x242/0x2fe mm/kasan/report.c:412
 [<ffffffff8153bcd4>] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 [<ffffffff81f1c3e3>] __list_add+0x183/0x1c0 lib/list_debug.c:26
 [<ffffffff813b219c>] list_add include/linux/list.h:63 [inline]
 [<ffffffff813b219c>] blk_trace_startstop+0x24c/0x340 kernel/trace/blktrace.c:626
 [<ffffffff8277aa4d>] sg_ioctl+0x11ad/0x2940 drivers/scsi/sg.c:1135
 [<ffffffff815b2e5c>] vfs_ioctl fs/ioctl.c:43 [inline]
 [<ffffffff815b2e5c>] file_ioctl fs/ioctl.c:493 [inline]
 [<ffffffff815b2e5c>] do_vfs_ioctl+0x1ac/0x11a0 fs/ioctl.c:677
 [<ffffffff815b3edf>] SYSC_ioctl fs/ioctl.c:694 [inline]
 [<ffffffff815b3edf>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
 [<ffffffff81006316>] do_syscall_64+0x1a6/0x490 arch/x86/entry/common.c:282
 [<ffffffff839fbc13>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb

Allocated by task 3841:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:505
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:609
 kmem_cache_alloc_trace+0xfd/0x2b0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 sock_alloc_inode+0x66/0x260 net/socket.c:253
 alloc_inode+0x63/0x180 fs/inode.c:207
 new_inode_pseudo+0x17/0xe0 fs/inode.c:890
 sock_alloc+0x41/0x280 net/socket.c:567
 __sock_create+0x8d/0x5f0 net/socket.c:1146
 sock_create net/socket.c:1222 [inline]
 SYSC_socket net/socket.c:1252 [inline]
 SyS_socket+0xf0/0x1b0 net/socket.c:1232
 do_syscall_64+0x1a6/0x490 arch/x86/entry/common.c:282
 entry_SYSCALL_64_after_swapgs+0x5d/0xdb

Freed by task 17:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:505
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:582
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xfb/0x310 mm/slub.c:3878
 __rcu_reclaim kernel/rcu/rcu.h:113 [inline]
 rcu_do_batch kernel/rcu/tree.c:2789 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline]
 rcu_process_callbacks+0x9d5/0x12b0 kernel/rcu/tree.c:3037
 __do_softirq+0x20b/0x937 kernel/softirq.c:284

The buggy address belongs to the object at ffff8801c00ab9c0
 which belongs to the cache kmalloc-128 of size 128
The buggy address is located 96 bytes inside of
 128-byte region [ffff8801c00ab9c0, ffff8801c00aba40)
The buggy address belongs to the page:
page:ffffea0007002ac0 count:1 mapcount:0 mapping:          (null) index:0x0
flags: 0x8000000000000080(slab)
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801c00ab900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801c00ab980: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8801c00aba00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
                               ^
 ffff8801c00aba80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801c00abb00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
==================================================================

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2018/08/03 03:26 https://android.googlesource.com/kernel/common android-4.9 0137ea2134c0 5b7e23bb .config console log report ci-android-49-kasan-gce
* Struck through repros no longer work on HEAD.