syzbot

 sign-in | mailing list | source | docs
🐞 Open [82] 🐞 Fixed [21] 🐞 Invalid [285] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes 💬 Send us feedback

KASAN: use-after-free Read in tun_chr_write_iter

Status: auto-closed as invalid on 2020/05/21 06:02
Reported-by: syzbot+c2e6be80aec7f92d0890@syzkaller.appspotmail.com
First crash: 1570d, last: 1570d

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in mutex_can_spin_on_owner kernel/locking/mutex.c:605 [inline]
BUG: KASAN: use-after-free in mutex_optimistic_spin kernel/locking/mutex.c:649 [inline]
BUG: KASAN: use-after-free in __mutex_lock_common kernel/locking/mutex.c:959 [inline]
BUG: KASAN: use-after-free in __mutex_lock+0x2de/0xc40 kernel/locking/mutex.c:1103
Read of size 4 at addr ffff8881a417ac78 by task syz-executor.2/9867

CPU: 0 PID: 9867 Comm: syz-executor.2 Tainted: G        W         5.4.13-syzkaller-00773-g4e16a227acbd #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b0/0x228 lib/dump_stack.c:118
 print_address_description+0x96/0x5d0 mm/kasan/report.c:374
 __kasan_report+0x14b/0x1c0 mm/kasan/report.c:506
 kasan_report+0x26/0x50 mm/kasan/common.c:634
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/generic_report.c:131
 mutex_can_spin_on_owner kernel/locking/mutex.c:605 [inline]
 mutex_optimistic_spin kernel/locking/mutex.c:649 [inline]
 __mutex_lock_common kernel/locking/mutex.c:959 [inline]
 __mutex_lock+0x2de/0xc40 kernel/locking/mutex.c:1103
 __mutex_lock_slowpath+0xe/0x10 kernel/locking/mutex.c:1364
 mutex_lock+0x106/0x110 kernel/locking/mutex.c:284
 tun_get_user+0xbca/0x3cd0 drivers/net/tun.c:1835
 tun_chr_write_iter+0x134/0x1c0 drivers/net/tun.c:2022
 do_iter_readv_writev+0x5fa/0x890 include/linux/fs.h:1909
 do_iter_write+0x180/0x590 fs/read_write.c:973
 vfs_writev fs/read_write.c:1018 [inline]
 do_writev+0x2cd/0x560 fs/read_write.c:1061
 __do_sys_writev fs/read_write.c:1134 [inline]
 __se_sys_writev fs/read_write.c:1131 [inline]
 __x64_sys_writev+0x7d/0x90 fs/read_write.c:1131
 do_syscall_64+0xc0/0x100 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45b201
Code: 75 14 b8 14 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 e4 b7 fb ff c3 48 83 ec 08 e8 fa 2c 00 00 48 89 04 24 b8 14 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 43 2d 00 00 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007fb08fecdba0 EFLAGS: 00000293 ORIG_RAX: 0000000000000014
RAX: ffffffffffffffda RBX: 00000000200001fe RCX: 000000000045b201
RDX: 0000000000000002 RSI: 00007fb08fecdc00 RDI: 00000000000000f0
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 00007fb08fece9d0 R11: 0000000000000293 R12: 00000000ffffffff
R13: 0000000000000b4c R14: 00000000004cc318 R15: 000000000075bf2c

Allocated by task 17486:
 save_stack mm/kasan/common.c:69 [inline]
 set_track mm/kasan/common.c:77 [inline]
 __kasan_kmalloc+0x117/0x1b0 mm/kasan/common.c:510
 kasan_slab_alloc+0xe/0x10 mm/kasan/common.c:518
 slab_post_alloc_hook mm/slab.h:584 [inline]
 slab_alloc_node mm/slub.c:2758 [inline]
 slab_alloc mm/slub.c:2766 [inline]
 kmem_cache_alloc+0x120/0x2b0 mm/slub.c:2771
 kmem_cache_alloc_node include/linux/slab.h:427 [inline]
 alloc_task_struct_node kernel/fork.c:171 [inline]
 dup_task_struct kernel/fork.c:872 [inline]
 copy_process+0x59b/0x52d0 kernel/fork.c:1858
 _do_fork+0x185/0x950 kernel/fork.c:2369
 __do_sys_clone kernel/fork.c:2526 [inline]
 __se_sys_clone kernel/fork.c:2507 [inline]
 __x64_sys_clone+0x247/0x2b0 kernel/fork.c:2507
 do_syscall_64+0xc0/0x100 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 16:
 save_stack mm/kasan/common.c:69 [inline]
 set_track mm/kasan/common.c:77 [inline]
 kasan_set_free_info mm/kasan/common.c:332 [inline]
 __kasan_slab_free+0x168/0x220 mm/kasan/common.c:471
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:480
 slab_free_hook mm/slub.c:1424 [inline]
 slab_free_freelist_hook mm/slub.c:1457 [inline]
 slab_free mm/slub.c:3004 [inline]
 kmem_cache_free+0x181/0x7a0 mm/slub.c:3020
 free_task_struct kernel/fork.c:176 [inline]
 free_task+0xc0/0x110 kernel/fork.c:478
 __put_task_struct+0x1fd/0x380 kernel/fork.c:753
 put_task_struct include/linux/sched/task.h:119 [inline]
 delayed_put_task_struct+0x1c2/0x200 kernel/exit.c:182
 __rcu_reclaim kernel/rcu/rcu.h:222 [inline]
 rcu_do_batch kernel/rcu/tree.c:2157 [inline]
 rcu_core+0xba0/0x1330 kernel/rcu/tree.c:2377
 rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2386
 __do_softirq+0x235/0x57e kernel/softirq.c:292

The buggy address belongs to the object at ffff8881a417ac40
 which belongs to the cache task_struct(43:syz2) of size 3648
The buggy address is located 56 bytes inside of
 3648-byte region [ffff8881a417ac40, ffff8881a417ba80)
The buggy address belongs to the page:
page:ffffea0006905e00 refcount:1 mapcount:0 mapping:ffff8881d6c40800 index:0xffff8881a417d880 compound_mapcount: 0
raw: 8000000000010200 ffffea00066b3208 ffffea000665d608 ffff8881d6c40800
raw: ffff8881a417d880 0000000000080005 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881a417ab00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8881a417ab80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
>ffff8881a417ac00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                                                ^
 ffff8881a417ac80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881a417ad00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/01/22 06:01 https://android.googlesource.com/kernel/common android-5.4 4e16a227acbd 8eda0b95 .config console log report ci2-android-5-4-kasan
* Struck through repros no longer work on HEAD.