syzbot |
sign-in | mailing list | source | docs |
================================================================== BUG: KASAN: use-after-free in mutex_can_spin_on_owner kernel/locking/mutex.c:605 [inline] BUG: KASAN: use-after-free in mutex_optimistic_spin kernel/locking/mutex.c:649 [inline] BUG: KASAN: use-after-free in __mutex_lock_common kernel/locking/mutex.c:959 [inline] BUG: KASAN: use-after-free in __mutex_lock+0x2de/0xc40 kernel/locking/mutex.c:1103 Read of size 4 at addr ffff8881a417ac78 by task syz-executor.2/9867 CPU: 0 PID: 9867 Comm: syz-executor.2 Tainted: G W 5.4.13-syzkaller-00773-g4e16a227acbd #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1b0/0x228 lib/dump_stack.c:118 print_address_description+0x96/0x5d0 mm/kasan/report.c:374 __kasan_report+0x14b/0x1c0 mm/kasan/report.c:506 kasan_report+0x26/0x50 mm/kasan/common.c:634 __asan_report_load4_noabort+0x14/0x20 mm/kasan/generic_report.c:131 mutex_can_spin_on_owner kernel/locking/mutex.c:605 [inline] mutex_optimistic_spin kernel/locking/mutex.c:649 [inline] __mutex_lock_common kernel/locking/mutex.c:959 [inline] __mutex_lock+0x2de/0xc40 kernel/locking/mutex.c:1103 __mutex_lock_slowpath+0xe/0x10 kernel/locking/mutex.c:1364 mutex_lock+0x106/0x110 kernel/locking/mutex.c:284 tun_get_user+0xbca/0x3cd0 drivers/net/tun.c:1835 tun_chr_write_iter+0x134/0x1c0 drivers/net/tun.c:2022 do_iter_readv_writev+0x5fa/0x890 include/linux/fs.h:1909 do_iter_write+0x180/0x590 fs/read_write.c:973 vfs_writev fs/read_write.c:1018 [inline] do_writev+0x2cd/0x560 fs/read_write.c:1061 __do_sys_writev fs/read_write.c:1134 [inline] __se_sys_writev fs/read_write.c:1131 [inline] __x64_sys_writev+0x7d/0x90 fs/read_write.c:1131 do_syscall_64+0xc0/0x100 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x45b201 Code: 75 14 b8 14 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 e4 b7 fb ff c3 48 83 ec 08 e8 fa 2c 00 00 48 89 04 24 b8 14 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 43 2d 00 00 48 89 d0 48 83 c4 08 48 3d 01 RSP: 002b:00007fb08fecdba0 EFLAGS: 00000293 ORIG_RAX: 0000000000000014 RAX: ffffffffffffffda RBX: 00000000200001fe RCX: 000000000045b201 RDX: 0000000000000002 RSI: 00007fb08fecdc00 RDI: 00000000000000f0 RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000 R10: 00007fb08fece9d0 R11: 0000000000000293 R12: 00000000ffffffff R13: 0000000000000b4c R14: 00000000004cc318 R15: 000000000075bf2c Allocated by task 17486: save_stack mm/kasan/common.c:69 [inline] set_track mm/kasan/common.c:77 [inline] __kasan_kmalloc+0x117/0x1b0 mm/kasan/common.c:510 kasan_slab_alloc+0xe/0x10 mm/kasan/common.c:518 slab_post_alloc_hook mm/slab.h:584 [inline] slab_alloc_node mm/slub.c:2758 [inline] slab_alloc mm/slub.c:2766 [inline] kmem_cache_alloc+0x120/0x2b0 mm/slub.c:2771 kmem_cache_alloc_node include/linux/slab.h:427 [inline] alloc_task_struct_node kernel/fork.c:171 [inline] dup_task_struct kernel/fork.c:872 [inline] copy_process+0x59b/0x52d0 kernel/fork.c:1858 _do_fork+0x185/0x950 kernel/fork.c:2369 __do_sys_clone kernel/fork.c:2526 [inline] __se_sys_clone kernel/fork.c:2507 [inline] __x64_sys_clone+0x247/0x2b0 kernel/fork.c:2507 do_syscall_64+0xc0/0x100 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Freed by task 16: save_stack mm/kasan/common.c:69 [inline] set_track mm/kasan/common.c:77 [inline] kasan_set_free_info mm/kasan/common.c:332 [inline] __kasan_slab_free+0x168/0x220 mm/kasan/common.c:471 kasan_slab_free+0xe/0x10 mm/kasan/common.c:480 slab_free_hook mm/slub.c:1424 [inline] slab_free_freelist_hook mm/slub.c:1457 [inline] slab_free mm/slub.c:3004 [inline] kmem_cache_free+0x181/0x7a0 mm/slub.c:3020 free_task_struct kernel/fork.c:176 [inline] free_task+0xc0/0x110 kernel/fork.c:478 __put_task_struct+0x1fd/0x380 kernel/fork.c:753 put_task_struct include/linux/sched/task.h:119 [inline] delayed_put_task_struct+0x1c2/0x200 kernel/exit.c:182 __rcu_reclaim kernel/rcu/rcu.h:222 [inline] rcu_do_batch kernel/rcu/tree.c:2157 [inline] rcu_core+0xba0/0x1330 kernel/rcu/tree.c:2377 rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2386 __do_softirq+0x235/0x57e kernel/softirq.c:292 The buggy address belongs to the object at ffff8881a417ac40 which belongs to the cache task_struct(43:syz2) of size 3648 The buggy address is located 56 bytes inside of 3648-byte region [ffff8881a417ac40, ffff8881a417ba80) The buggy address belongs to the page: page:ffffea0006905e00 refcount:1 mapcount:0 mapping:ffff8881d6c40800 index:0xffff8881a417d880 compound_mapcount: 0 raw: 8000000000010200 ffffea00066b3208 ffffea000665d608 ffff8881d6c40800 raw: ffff8881a417d880 0000000000080005 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8881a417ab00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8881a417ab80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc >ffff8881a417ac00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ^ ffff8881a417ac80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8881a417ad00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2020/01/22 06:01 | https://android.googlesource.com/kernel/common android-5.4 | 4e16a227acbd | 8eda0b95 | .config | console log | report | ci2-android-5-4-kasan |