KASAN: use-after-free Read in vgem_gem_dumb

Title	Replies (including bot)	Last reply
[PATCH 4.14 00/78] 4.14.278-rc1 review	81 (81)	2022/05/11 11:03
[PATCH 4.19 00/88] 4.19.242-rc1 review	97 (97)	2022/05/11 10:08
[PATCH 5.5 00/80] 5.5.5-stable review	89 (89)	2020/02/19 18:52
[PATCH 5.4 00/66] 5.4.21-stable review	71 (71)	2020/02/19 18:09
[PATCH] drm/vgem: Close use-after-free race in vgem_gem_create	4 (4)	2020/02/06 18:05
KASAN: use-after-free Read in vgem_gem_dumb_create	4 (6)	2020/02/03 15:08
Re: KASAN: use-after-free Read in vgem_gem_dumb_create	5 (5)	2020/02/02 13:17

Kernel	Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
linux-4.14	KASAN: use-after-free Read in vgem_gem_dumb_create	C		error	192	594d	1540d	0/1	upstream: reported C repro on 2020/01/31 14:46
linux-4.19	KASAN: use-after-free Read in vgem_gem_dumb_create	C			292	410d	1540d	0/1	upstream: reported C repro on 2020/01/31 21:57

linux-4.14

KASAN: use-after-free Read in vgem_gem_dumb_create

error

192

594d

1540d

0/1

upstream: reported C repro on 2020/01/31 14:46

linux-4.19

KASAN: use-after-free Read in vgem_gem_dumb_create

292

410d

1540d

0/1

upstream: reported C repro on 2020/01/31 21:57

================================================================== BUG: KASAN: use-after-free in vgem_gem_dumb_create+0x238/0x250 drivers/gpu/drm/vgem/vgem_drv.c:221 Read of size 8 at addr ffff88809a2ee908 by task syz-executor815/10244 CPU: 1 PID: 10244 Comm: syz-executor815 Not tainted 5.5.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x197/0x210 lib/dump_stack.c:118 print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374 __kasan_report.cold+0x1b/0x32 mm/kasan/report.c:506 kasan_report+0x12/0x20 mm/kasan/common.c:641 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135 vgem_gem_dumb_create+0x238/0x250 drivers/gpu/drm/vgem/vgem_drv.c:221 drm_mode_create_dumb+0x282/0x310 drivers/gpu/drm/drm_dumb_buffers.c:94 drm_mode_create_dumb_ioctl+0x26/0x30 drivers/gpu/drm/drm_dumb_buffers.c:100 drm_ioctl_kernel+0x244/0x300 drivers/gpu/drm/drm_ioctl.c:786 drm_ioctl+0x54e/0xa60 drivers/gpu/drm/drm_ioctl.c:886 vfs_ioctl fs/ioctl.c:47 [inline] ksys_ioctl+0x123/0x180 fs/ioctl.c:747 __do_sys_ioctl fs/ioctl.c:756 [inline] __se_sys_ioctl fs/ioctl.c:754 [inline] __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:754 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x44c3e9 Code: e8 8c e7 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 1b cc fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f40263e9db8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00000000006ddc58 RCX: 000000000044c3e9 RDX: 0000000020000000 RSI: 00000000c02064b2 RDI: 0000000000000004 RBP: 00000000006ddc50 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006ddc5c R13: 00007ffed0d4362f R14: 00007f40263ea9c0 R15: 00000000006ddc5c Allocated by task 10244: save_stack+0x23/0x90 mm/kasan/common.c:72 set_track mm/kasan/common.c:80 [inline] __kasan_kmalloc mm/kasan/common.c:515 [inline] __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:488 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:529 kmem_cache_alloc_trace+0x158/0x790 mm/slab.c:3551 kmalloc include/linux/slab.h:556 [inline] kzalloc include/linux/slab.h:670 [inline] __vgem_gem_create+0x49/0x100 drivers/gpu/drm/vgem/vgem_drv.c:165 vgem_gem_create drivers/gpu/drm/vgem/vgem_drv.c:194 [inline] vgem_gem_dumb_create+0xd7/0x250 drivers/gpu/drm/vgem/vgem_drv.c:217 drm_mode_create_dumb+0x282/0x310 drivers/gpu/drm/drm_dumb_buffers.c:94 drm_mode_create_dumb_ioctl+0x26/0x30 drivers/gpu/drm/drm_dumb_buffers.c:100 drm_ioctl_kernel+0x244/0x300 drivers/gpu/drm/drm_ioctl.c:786 drm_ioctl+0x54e/0xa60 drivers/gpu/drm/drm_ioctl.c:886 vfs_ioctl fs/ioctl.c:47 [inline] ksys_ioctl+0x123/0x180 fs/ioctl.c:747 __do_sys_ioctl fs/ioctl.c:756 [inline] __se_sys_ioctl fs/ioctl.c:754 [inline] __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:754 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 10244: save_stack+0x23/0x90 mm/kasan/common.c:72 set_track mm/kasan/common.c:80 [inline] kasan_set_free_info mm/kasan/common.c:337 [inline] __kasan_slab_free+0x102/0x150 mm/kasan/common.c:476 kasan_slab_free+0xe/0x10 mm/kasan/common.c:485 __cache_free mm/slab.c:3426 [inline] kfree+0x10a/0x2c0 mm/slab.c:3757 vgem_gem_free_object+0xbe/0xe0 drivers/gpu/drm/vgem/vgem_drv.c:68 drm_gem_object_free+0x100/0x220 drivers/gpu/drm/drm_gem.c:983 kref_put include/linux/kref.h:65 [inline] drm_gem_object_put_unlocked drivers/gpu/drm/drm_gem.c:1017 [inline] drm_gem_object_put_unlocked+0x196/0x1c0 drivers/gpu/drm/drm_gem.c:1002 vgem_gem_create drivers/gpu/drm/vgem/vgem_drv.c:199 [inline] vgem_gem_dumb_create+0x115/0x250 drivers/gpu/drm/vgem/vgem_drv.c:217 drm_mode_create_dumb+0x282/0x310 drivers/gpu/drm/drm_dumb_buffers.c:94 drm_mode_create_dumb_ioctl+0x26/0x30 drivers/gpu/drm/drm_dumb_buffers.c:100 drm_ioctl_kernel+0x244/0x300 drivers/gpu/drm/drm_ioctl.c:786 drm_ioctl+0x54e/0xa60 drivers/gpu/drm/drm_ioctl.c:886 vfs_ioctl fs/ioctl.c:47 [inline] ksys_ioctl+0x123/0x180 fs/ioctl.c:747 __do_sys_ioctl fs/ioctl.c:756 [inline] __se_sys_ioctl fs/ioctl.c:754 [inline] __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:754 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294 entry_SYSCALL_64_after_hwframe+0x49/0xbe The buggy address belongs to the object at ffff88809a2ee800 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 264 bytes inside of 1024-byte region [ffff88809a2ee800, ffff88809a2eec00) The buggy address belongs to the page: page:ffffea000268bb80 refcount:1 mapcount:0 mapping:ffff8880aa400c40 index:0x0 flags: 0xfffe0000000200(slab) raw: 00fffe0000000200 ffffea0002816448 ffffea0002551bc8 ffff8880aa400c40 raw: 0000000000000000 ffff88809a2ee000 0000000100000002 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88809a2ee800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88809a2ee880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff88809a2ee900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88809a2ee980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88809a2eea00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================

Crashes (15):
Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	Manager
2020/02/02 04:37	upstream	94f2630b1897	2274ad39	.config	console log	report	syz	C	ci-upstream-kasan-gce-root
2020/02/12 10:19	upstream	359c92c02bfa	a75b198c	.config	console log	report	syz		ci-upstream-kasan-gce-root
2020/02/11 07:22	upstream	0a679e13ea30	084454ae	.config	console log	report	syz		ci-upstream-kasan-gce-smack-root
2020/02/10 08:39	upstream	d1ea35f4cdd4	35f5e45e	.config	console log	report	syz		ci-upstream-kasan-gce-root
2020/02/08 21:24	upstream	f757165705e9	06150bf1	.config	console log	report	syz		ci-upstream-kasan-gce-smack-root
2020/02/08 04:27	upstream	41dcd67e8868	06150bf1	.config	console log	report	syz		ci-upstream-kasan-gce-smack-root
2020/02/07 13:42	upstream	90568ecf5615	06150bf1	.config	console log	report	syz		ci-upstream-kasan-gce-root
2020/02/06 03:25	upstream	6992ca0dd017	662cf49a	.config	console log	report	syz		ci-upstream-kasan-gce-smack-root
2020/02/04 00:12	upstream	754beeec1d90	93e5e335	.config	console log	report	syz		ci-upstream-kasan-gce-root
2020/02/03 06:43	upstream	46d6b7becb1d	93e5e335	.config	console log	report	syz		ci-upstream-kasan-gce-selinux-root
2020/02/02 11:36	upstream	94f2630b1897	2274ad39	.config	console log	report	syz		ci-upstream-kasan-gce-selinux-root
2020/02/01 00:35	upstream	ccaaaf6fe5a5	c30117b2	.config	console log	report	syz		ci-upstream-kasan-gce-smack-root
2020/01/30 17:45	upstream	39bed42de2e7	5ed23f9a	.config	console log	report	syz		ci-upstream-kasan-gce
2020/02/12 18:41	upstream	359c92c02bfa	84f4fc8a	.config	console log	report			ci-upstream-kasan-gce-smack-root
2020/01/30 17:13	upstream	39bed42de2e7	5ed23f9a	.config	console log	report			ci-upstream-kasan-gce

Crashes (15):

Assets (help?)

2020/02/02 04:37

upstream