syzbot

 sign-in | mailing list | source | docs
🐞 Open [196]
🐞 Fixed [42]
🐞 Invalid [470]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

KASAN: use-after-free Read in remove_wait_queue

Status: fixed on 2018/03/05 12:02
Fix commit: b6c6212514fe ANDROID: binder: synchronize_rcu() when using POLLFREE.
First crash: 2821d, last: 2811d
Similar bugs (7)
Kernel Title Rank 🛈 Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Read in remove_wait_queue (3) kernfs 19 C inconclusive 123 1022d 1447d 22/29 fixed on 2023/02/24 13:50
linux-4.14 KASAN: use-after-free Read in remove_wait_queue (2) 19 C error 7 1340d 2036d 0/1 upstream: reported C repro on 2020/04/07 06:03
linux-5.15 KASAN: use-after-free Read in remove_wait_queue 19 C done 25 70d 92d 2/3 upstream: reported C repro on 2025/08/03 00:30
upstream KASAN: use-after-free Read in remove_wait_queue (2) fs 19 C 4 2794d 2804d 5/29 fixed on 2018/06/07 13:52
linux-6.1 KASAN: use-after-free Read in remove_wait_queue origin:lts-only 19 C inconclusive 24 70d 92d 0/3 upstream: reported C repro on 2025/08/03 01:02
linux-4.14 KASAN: use-after-free Read in remove_wait_queue 19 1 2260d 2260d 0/1 auto-closed as invalid on 2019/12/24 15:10
upstream KASAN: use-after-free Read in remove_wait_queue fs 19 C 7 2810d 2820d 4/29 fixed on 2018/02/26 20:04

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:83 [inline]
BUG: KASAN: use-after-free in do_raw_spin_lock+0x1ac/0x1e0 kernel/locking/spinlock_debug.c:112
Read of size 4 at addr ffff8801c812eaa4 by task syzkaller113456/3973

CPU: 1 PID: 3973 Comm: syzkaller113456 Not tainted 4.9.82-gcdfc8df #37
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d8fcfc40 ffffffff81d94fc9 ffffea0007204b80 ffff8801c812eaa4
 0000000000000000 ffff8801c812eaa4 ffff8801c8e90340 ffff8801d8fcfc78
 ffffffff8153e213 ffff8801c812eaa4 0000000000000004 0000000000000000
Call Trace:
 [<ffffffff81d94fc9>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d94fc9>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153e213>] print_address_description+0x73/0x280 mm/kasan/report.c:252
 [<ffffffff8153e735>] kasan_report_error mm/kasan/report.c:351 [inline]
 [<ffffffff8153e735>] kasan_report+0x275/0x360 mm/kasan/report.c:408
 [<ffffffff8153e874>] __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:428
 [<ffffffff81248e1c>] debug_spin_lock_before kernel/locking/spinlock_debug.c:83 [inline]
 [<ffffffff81248e1c>] do_raw_spin_lock+0x1ac/0x1e0 kernel/locking/spinlock_debug.c:112
 [<ffffffff838b4ce6>] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:119 [inline]
 [<ffffffff838b4ce6>] _raw_spin_lock_irqsave+0x56/0x70 kernel/locking/spinlock.c:159
 [<ffffffff81224614>] remove_wait_queue+0x14/0x40 kernel/sched/wait.c:49
 [<ffffffff8165169f>] ep_remove_wait_queue fs/eventpoll.c:535 [inline]
 [<ffffffff8165169f>] ep_unregister_pollwait.isra.6+0xaf/0x240 fs/eventpoll.c:553
 [<ffffffff816523e6>] ep_free+0x96/0x1b0 fs/eventpoll.c:770
 [<ffffffff81652544>] ep_eventpoll_release+0x44/0x60 fs/eventpoll.c:802
 [<ffffffff8157580c>] __fput+0x28c/0x6e0 fs/file_table.c:208
 [<ffffffff81575ce5>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff81195855>] task_work_run+0x115/0x190 kernel/task_work.c:116
 [<ffffffff81003a4c>] tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 [<ffffffff81003a4c>] exit_to_usermode_loop+0xfc/0x120 arch/x86/entry/common.c:161
 [<ffffffff810066d0>] prepare_exit_to_usermode arch/x86/entry/common.c:191 [inline]
 [<ffffffff810066d0>] syscall_return_slowpath arch/x86/entry/common.c:260 [inline]
 [<ffffffff810066d0>] do_syscall_64+0x370/0x490 arch/x86/entry/common.c:287
 [<ffffffff838b4e7d>] entry_SYSCALL_64_after_swapgs+0x47/0xc5

Allocated by task 3972:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:505
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:609
 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 binder_get_thread+0x15d/0x750 drivers/android/binder.c:4451
 binder_poll+0x4a/0x210 drivers/android/binder.c:4566
 ep_item_poll fs/eventpoll.c:811 [inline]
 ep_insert fs/eventpoll.c:1347 [inline]
 SYSC_epoll_ctl fs/eventpoll.c:1975 [inline]
 SyS_epoll_ctl+0x11d7/0x2190 fs/eventpoll.c:1861
 do_syscall_64+0x1a5/0x490 arch/x86/entry/common.c:282
 entry_SYSCALL_64_after_swapgs+0x47/0xc5

Freed by task 3972:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:505
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:582
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0x103/0x300 mm/slub.c:3878
 binder_free_thread drivers/android/binder.c:4479 [inline]
 binder_thread_dec_tmpref+0x1cc/0x240 drivers/android/binder.c:2035
 binder_thread_release+0x3a7/0x5c0 drivers/android/binder.c:4555
 binder_ioctl+0x9c0/0x11b0 drivers/android/binder.c:4771
 vfs_ioctl fs/ioctl.c:43 [inline]
 do_vfs_ioctl+0x1aa/0x1140 fs/ioctl.c:679
 SYSC_ioctl fs/ioctl.c:694 [inline]
 SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
 do_syscall_64+0x1a5/0x490 arch/x86/entry/common.c:282
 entry_SYSCALL_64_after_swapgs+0x47/0xc5

The buggy address belongs to the object at ffff8801c812ea00
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 164 bytes inside of
 512-byte region [ffff8801c812ea00, ffff8801c812ec00)
The buggy address belongs to the page:
page:ffffea0007204b80 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
flags: 0x8000000000004080(slab|head)
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801c812e980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8801c812ea00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801c812ea80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                               ^
 ffff8801c812eb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801c812eb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (6):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2018/02/21 14:24 https://android.googlesource.com/kernel/common android-4.9 cdfc8df1d262 04cbdbd1 .config console log report syz C ci-android-49-kasan-gce
2018/02/21 14:39 https://android.googlesource.com/kernel/common android-4.9 cdfc8df1d262 04cbdbd1 .config console log report syz ci-android-49-kasan-gce-386
2018/02/21 14:01 https://android.googlesource.com/kernel/common android-4.9 cdfc8df1d262 04cbdbd1 .config console log report ci-android-49-kasan-gce
2018/02/18 07:14 https://android.googlesource.com/kernel/common android-4.9 cdfc8df1d262 833f78c7 .config console log report ci-android-49-kasan-gce
2018/02/14 18:19 https://android.googlesource.com/kernel/common android-4.9 1a938310b8af 17061fc0 .config console log report ci-android-49-kasan-gce
2018/02/11 16:56 https://android.googlesource.com/kernel/common android-4.9 8a174b4749d3 4e9b726d .config console log report ci-android-49-kasan-gce
* Struck through repros no longer work on HEAD.