syzbot


KASAN: use-after-free Write in register_lock_class

Status: auto-closed as invalid on 2019/02/22 14:37
First crash: 2076d, last: 2076d

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in register_lock_class+0xf9c/0x1470 kernel/locking/lockdep.c:808
Write of size 8 at addr ffff8801cc92af68 by task syz-executor2/9916

CPU: 0 PID: 9916 Comm: syz-executor2 Not tainted 4.9.119-g9dc978d #27
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801db207910 ffffffff81eb4be9 ffffea0007324a80 ffff8801cc92af68
 0000000000000001 ffff8801cc92af68 0000000000000000 ffff8801db207948
 ffffffff81567f89 ffff8801cc92af68 0000000000000008 0000000000000001
Call Trace:
 <IRQ> [  168.317567]  [<ffffffff81eb4be9>] __dump_stack lib/dump_stack.c:15 [inline]
 <IRQ> [  168.317567]  [<ffffffff81eb4be9>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff81567f89>] print_address_description+0x6c/0x234 mm/kasan/report.c:256
 [<ffffffff81568393>] kasan_report_error mm/kasan/report.c:355 [inline]
 [<ffffffff81568393>] kasan_report.cold.6+0x242/0x2fe mm/kasan/report.c:412
 [<ffffffff8153bfb7>] __asan_report_store8_noabort+0x17/0x20 mm/kasan/report.c:438
 [<ffffffff8123248c>] register_lock_class+0xf9c/0x1470 kernel/locking/lockdep.c:808
 [<ffffffff812362f9>] __lock_acquire+0x169/0x4070 kernel/locking/lockdep.c:3233
 [<ffffffff8123ac70>] lock_acquire+0x130/0x3e0 kernel/locking/lockdep.c:3756
 [<ffffffff839fc066>] __raw_spin_lock include/linux/spinlock_api_smp.h:144 [inline]
 [<ffffffff839fc066>] _raw_spin_lock+0x36/0x50 kernel/locking/spinlock.c:151
 [<ffffffff82ee482f>] spin_lock include/linux/spinlock.h:302 [inline]
 [<ffffffff82ee482f>] snd_timer_user_interrupt+0x4f/0x3c0 sound/core/timer.c:1201
 [<ffffffff82ee7150>] snd_timer_interrupt+0x5c0/0xc40 sound/core/timer.c:799
 [<ffffffff82eee140>] snd_hrtimer_callback+0x1f0/0x3c0 sound/core/hrtimer.c:64
 [<ffffffff812a4775>] __run_hrtimer kernel/time/hrtimer.c:1255 [inline]
 [<ffffffff812a4775>] __hrtimer_run_queues+0x375/0xe50 kernel/time/hrtimer.c:1319
 [<ffffffff812a5cb1>] hrtimer_interrupt+0x1b1/0x430 kernel/time/hrtimer.c:1353
 [<ffffffff810b2384>] local_apic_timer_interrupt+0x74/0xa0 arch/x86/kernel/apic/apic.c:935
 [<ffffffff83a0249c>] smp_apic_timer_interrupt+0x7c/0xa0 arch/x86/kernel/apic/apic.c:959
 [<ffffffff839fe630>] apic_timer_interrupt+0xa0/0xb0 arch/x86/entry/entry_64.S:648
 <EOI> [  168.511621]  [<ffffffff81ee2a47>] ? clear_page_c_e+0x7/0x10 arch/x86/lib/clear_page_64.S:53
 [<ffffffff81546737>] __do_huge_pmd_anonymous_page mm/huge_memory.c:559 [inline]
 [<ffffffff81546737>] do_huge_pmd_anonymous_page+0x3c7/0x10f0 mm/huge_memory.c:701
 [<ffffffff814d143e>] create_huge_pmd mm/memory.c:3423 [inline]
 [<ffffffff814d143e>] __handle_mm_fault mm/memory.c:3573 [inline]
 [<ffffffff814d143e>] handle_mm_fault+0x1a9e/0x28e0 mm/memory.c:3634
 [<ffffffff810dba1f>] __do_page_fault+0x5af/0xd50 arch/x86/mm/fault.c:1407
 [<ffffffff810dc1e7>] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1470
 [<ffffffff839fde48>] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:951

Allocated by task 9921:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:505
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:609
 kmem_cache_alloc_trace+0xfd/0x2b0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 snd_timer_user_open+0x68/0x220 sound/core/timer.c:1338
 snd_open+0x204/0x400 sound/core/sound.c:177
 chrdev_open+0x22d/0x4c0 fs/char_dev.c:392
 do_dentry_open+0x703/0xc80 fs/open.c:766
 vfs_open+0x11c/0x210 fs/open.c:879
 do_last fs/namei.c:3410 [inline]
 path_openat+0x758/0x3590 fs/namei.c:3534
 do_filp_open+0x197/0x270 fs/namei.c:3568
 do_sys_open+0x30d/0x5c0 fs/open.c:1072
 C_SYSC_open fs/compat.c:1081 [inline]
 compat_SyS_open+0x2a/0x40 fs/compat.c:1079
 do_syscall_32_irqs_on arch/x86/entry/common.c:325 [inline]
 do_fast_syscall_32+0x2f7/0x870 arch/x86/entry/common.c:387
 entry_SYSENTER_compat+0x90/0xa2 arch/x86/entry/entry_64_compat.S:137

Freed by task 9920:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:505
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:582
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xfb/0x310 mm/slub.c:3878
 snd_timer_user_release+0xf4/0x130 sound/core/timer.c:1369
 __fput+0x263/0x700 fs/file_table.c:208
 ____fput+0x15/0x20 fs/file_table.c:244
 task_work_run+0x10c/0x180 kernel/task_work.c:116
 tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 exit_to_usermode_loop+0xfc/0x120 arch/x86/entry/common.c:161
 prepare_exit_to_usermode arch/x86/entry/common.c:191 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:260 [inline]
 do_syscall_32_irqs_on arch/x86/entry/common.c:331 [inline]
 do_fast_syscall_32+0x5c3/0x870 arch/x86/entry/common.c:387
 entry_SYSENTER_compat+0x90/0xa2 arch/x86/entry/entry_64_compat.S:137

The buggy address belongs to the object at ffff8801cc92af00
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 104 bytes inside of
 512-byte region [ffff8801cc92af00, ffff8801cc92b100)
The buggy address belongs to the page:
page:ffffea0007324a80 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
flags: 0x8000000000004080(slab|head)
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801cc92ae00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801cc92ae80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8801cc92af00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                          ^
 ffff8801cc92af80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801cc92b000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (1):
  Time:      2018/08/12 16:26
  Kernel:    android-4.9 (https://android.googlesource.com/kernel/common)
  Commit:    9dc978d43ec7
  Syzkaller: 7a88b141
  Config:    .config
  Log:       console log
  Report:    report
  Syz repro: (none)
  C repro:   (none)
  VM info:   (none)
  Assets:    (none)
  Manager:   ci-android-49-kasan-gce-386
  Title:     (none)