syzbot |
sign-in | mailing list | source | docs |
| Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|
| android-44 | KASAN: use-after-free Read in selinux_inode_free_security | 1 | 2296d | 2295d | 0/2 | auto-closed as invalid on 2019/02/22 13:59 | |||
| upstream | KASAN: use-after-free Read in selinux_inode_free_security selinux | 1 | 2483d | 2472d | 0/28 | auto-closed as invalid on 2019/02/22 10:34 |
binder_alloc: binder_alloc_mmap_handler: 6256 20001000-20004000 already mapped failed -16 ip6_tunnel: ip6tnl1 xmit: Local address not yet configured! binder: 6256:6264 got transaction to invalid handle binder: 6256:6264 transaction failed 29201/-22, size 0-0 line 3013 ================================================================== BUG: KASAN: use-after-free in inode_free_security security/selinux/hooks.c:330 [inline] BUG: KASAN: use-after-free in selinux_inode_free_security+0x219/0x2b0 security/selinux/hooks.c:2830 Read of size 8 at addr ffff8801875b55f8 by task syz-executor3/6255 CPU: 0 PID: 6255 Comm: syz-executor3 Not tainted 4.9.141+ #1 ffff8801ca7df870 ffffffff81b42e79 ffffea00061d6c00 ffff8801875b55f8 0000000000000000 ffff8801875b55f8 ffffffff82af3de0 ffff8801ca7df8a8 ffffffff815009b8 ffff8801875b55f8 0000000000000008 0000000000000000 Call Trace: [<ffffffff81b42e79>] __dump_stack lib/dump_stack.c:15 [inline] [<ffffffff81b42e79>] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [<ffffffff815009b8>] print_address_description+0x6c/0x234 mm/kasan/report.c:256 [<ffffffff81500dc2>] kasan_report_error mm/kasan/report.c:355 [inline] [<ffffffff81500dc2>] kasan_report.cold.6+0x242/0x2fe mm/kasan/report.c:412 [<ffffffff814f3074>] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433 [<ffffffff81a07049>] inode_free_security security/selinux/hooks.c:330 [inline] [<ffffffff81a07049>] selinux_inode_free_security+0x219/0x2b0 security/selinux/hooks.c:2830 [<ffffffff819e3c96>] security_inode_free+0x56/0x90 security/security.c:356 [<ffffffff8155ff6e>] __destroy_inode+0x2e/0x220 fs/inode.c:235 [<ffffffff8156236e>] destroy_inode+0x4e/0x120 fs/inode.c:262 [<ffffffff81562816>] evict+0x3d6/0x620 fs/inode.c:570 [<ffffffff81563a01>] iput_final fs/inode.c:1516 [inline] [<ffffffff81563a01>] iput+0x371/0x900 fs/inode.c:1543 [<ffffffff815e4868>] fsnotify_detach_mark+0x2c8/0x410 fs/notify/mark.c:170 [<ffffffff815e608c>] fsnotify_detach_group_marks+0x5c/0xd0 fs/notify/mark.c:506 [<ffffffff815e34f2>] fsnotify_destroy_group+0x62/0x120 fs/notify/group.c:70 [<ffffffff815e7967>] inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:282 [<ffffffff81510293>] __fput+0x263/0x700 fs/file_table.c:208 [<ffffffff815107b5>] ____fput+0x15/0x20 fs/file_table.c:244 [<ffffffff8113dc4c>] task_work_run+0x10c/0x180 kernel/task_work.c:116 [<ffffffff8110f6c2>] get_signal+0x1042/0x1460 kernel/signal.c:2151 [<ffffffff81052aa5>] do_signal+0x95/0x1b00 arch/x86/kernel/signal.c:807 [<ffffffff81003e2e>] exit_to_usermode_loop+0x10e/0x150 arch/x86/entry/common.c:158 [<ffffffff81005932>] prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline] [<ffffffff81005932>] syscall_return_slowpath arch/x86/entry/common.c:263 [inline] [<ffffffff81005932>] do_syscall_64+0x3e2/0x550 arch/x86/entry/common.c:290 [<ffffffff82817893>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb Allocated by task 6254: save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack mm/kasan/kasan.c:505 [inline] set_track mm/kasan/kasan.c:517 [inline] kasan_kmalloc.part.1+0x62/0xf0 mm/kasan/kasan.c:609 kasan_kmalloc+0xaf/0xc0 mm/kasan/kasan.c:594 kmem_cache_alloc_trace+0x117/0x2e0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] alloc_super fs/super.c:187 [inline] sget_userns+0xf1/0xc40 fs/super.c:503 sget+0xd6/0x120 fs/super.c:559 mount_nodev+0x37/0x100 fs/super.c:1141 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:243 mount_fs+0x28c/0x370 fs/super.c:1206 vfs_kern_mount.part.8+0xd1/0x4b0 fs/namespace.c:1000 vfs_kern_mount fs/namespace.c:982 [inline] do_new_mount fs/namespace.c:2549 [inline] do_mount+0x3c9/0x28a0 fs/namespace.c:2871 SYSC_mount fs/namespace.c:3087 [inline] SyS_mount+0xea/0x100 fs/namespace.c:3064 do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285 entry_SYSCALL_64_after_swapgs+0x5d/0xdb Freed by task 27122: save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack mm/kasan/kasan.c:505 [inline] set_track mm/kasan/kasan.c:517 [inline] kasan_slab_free+0xac/0x190 mm/kasan/kasan.c:582 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xfb/0x310 mm/slub.c:3878 destroy_super_work+0x40/0x50 fs/super.c:147 process_one_work+0x831/0x15f0 kernel/workqueue.c:2092 worker_thread+0xd6/0x1140 kernel/workqueue.c:2226 kthread+0x26d/0x300 kernel/kthread.c:211 ret_from_fork+0x5c/0x70 arch/x86/entry/entry_64.S:373 The buggy address belongs to the object at ffff8801875b5500 which belongs to the cache kmalloc-4096 of size 4096 The buggy address is located 248 bytes inside of 4096-byte region [ffff8801875b5500, ffff8801875b6500) The buggy address belongs to the page: page:ffffea00061d6c00 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0 flags: 0x4000000000004080(slab|head) page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8801875b5480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8801875b5500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8801875b5580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801875b5600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801875b5680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2018/11/28 03:58 | https://android.googlesource.com/kernel/common android-4.9 | 8fe428403e30 | 4b6d14f2 | .config | console log | report | ci-android-49-kasan-gce |