binder: 5327:5338 ioctl 541a 200ce000 returned -22 ================================================================== BUG: KASAN: use-after-free in rcu_read_unlock_sched /syzkaller/managers/android-49-kasan-gce/kernel/./include/linux/rcupdate.h:1010 [inline] at addr ffff880194596b40 BUG: KASAN: use-after-free in percpu_ref_tryget_live /syzkaller/managers/android-49-kasan-gce/kernel/./include/linux/percpu-refcount.h:252 [inline] at addr ffff880194596b40 BUG: KASAN: use-after-free in css_tryget_online /syzkaller/managers/android-49-kasan-gce/kernel/./include/linux/cgroup.h:342 [inline] at addr ffff880194596b40 BUG: KASAN: use-after-free in task_get_css /syzkaller/managers/android-49-kasan-gce/kernel/./include/linux/cgroup.h:475 [inline] at addr ffff880194596b40 BUG: KASAN: use-after-free in bio_copy_user_iov+0xe61/0xea0 /syzkaller/managers/android-49-kasan-gce/kernel/block/bio.c:1998 at addr ffff880194596b40 Read of size 8 by task syz-executor2/5368 CPU: 0 PID: 5368 Comm: syz-executor2 Not tainted 4.9.41-gdb02484 #20 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801947e74c0 ffffffff81d92609 ffff8801da0013c0 ffff880194596b40 ffff880194596c40 ffffed00328b2d68 ffff880194596b40 ffff8801947e74e8 ffffffff8153c1bc ffffed00328b2d68 ffff8801da0013c0 0000000000000000 Call Trace: [] dump_stack+0xc1/0x128 /syzkaller/managers/android-49-kasan-gce/kernel/block/blk-integrity.c:49 [] kasan_object_err+0x1c/0x70 /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:4539 [] kasan_report.part.1+0x21c/0x500 /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:2320 [] __get_order /syzkaller/managers/android-49-kasan-gce/kernel/./include/asm-generic/getorder.h:18 [inline] [] slab_order /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:3213 [inline] [] calculate_order /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:3251 [inline] [] __asan_report_load8_noabort+0x29/0x30 /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:3506 [] rcu_read_unlock_sched /syzkaller/managers/android-49-kasan-gce/kernel/./include/linux/rcupdate.h:1010 [inline] [] percpu_ref_tryget_live /syzkaller/managers/android-49-kasan-gce/kernel/./include/linux/percpu-refcount.h:252 [inline] [] css_tryget_online /syzkaller/managers/android-49-kasan-gce/kernel/./include/linux/cgroup.h:342 [inline] [] task_get_css /syzkaller/managers/android-49-kasan-gce/kernel/./include/linux/cgroup.h:475 [inline] [] bio_copy_user_iov+0xe61/0xea0 /syzkaller/managers/android-49-kasan-gce/kernel/block/bio.c:1998 [] queue_limit_discard_alignment /syzkaller/managers/android-49-kasan-gce/kernel/./include/linux/blkdev.h:1324 [inline] [] blk_rq_map_user_iov+0x237/0x790 /syzkaller/managers/android-49-kasan-gce/kernel/block/blk-settings.c:611 [] get_start_sect /syzkaller/managers/android-49-kasan-gce/kernel/./include/linux/genhd.h:445 [inline] [] bdev_stack_limits /syzkaller/managers/android-49-kasan-gce/kernel/block/blk-settings.c:653 [inline] [] blk_rq_map_user+0x111/0x1a0 /syzkaller/managers/android-49-kasan-gce/kernel/block/blk-settings.c:674 [] sg_common_write.isra.24+0xc1a/0x17c0 /syzkaller/managers/android-49-kasan-gce/kernel/drivers/scsi/sg.c:1498 [] sg_write+0x688/0xad0 /syzkaller/managers/android-49-kasan-gce/kernel/drivers/scsi/sg.c:1110 [] SYSC_faccessat /syzkaller/managers/android-49-kasan-gce/kernel/fs/open.c:385 [inline] [] __vfs_write+0x103/0x680 /syzkaller/managers/android-49-kasan-gce/kernel/fs/open.c:363 [] vfs_write+0x170/0x4e0 /syzkaller/managers/android-49-kasan-gce/kernel/fs/read_write.c:1765 [] SyS_write+0xd9/0x1b0 /syzkaller/managers/android-49-kasan-gce/kernel/fs/read_write.c:898 [] entry_SYSCALL_64_fastpath+0x23/0xc6 Object at ffff880194596b40, in cache kmalloc-256 size: 256 Allocated: PID = 5368 save_stack_trace+0x16/0x20 /syzkaller/managers/android-49-kasan-gce/kernel/arch/x86/kernel/stacktrace.c:57 compound_head /syzkaller/managers/android-49-kasan-gce/kernel/./include/linux/page-flags.h:146 [inline] virt_to_head_page /syzkaller/managers/android-49-kasan-gce/kernel/./include/linux/mm.h:557 [inline] build_detached_freelist /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:3055 [inline] save_stack+0x43/0xd0 /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:3085 kasan_kmalloc+0xad/0xe0 /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:3868 compound_head /syzkaller/managers/android-49-kasan-gce/kernel/./include/linux/page-flags.h:146 [inline] __SetPageSlab /syzkaller/managers/android-49-kasan-gce/kernel/./include/linux/page-flags.h:265 [inline] allocate_slab /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:1583 [inline] __kmalloc+0x11d/0x310 /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:1635 sg_build_indirect.isra.23+0x8b/0x550 /syzkaller/managers/android-49-kasan-gce/kernel/drivers/scsi/sg.c:439 sg_read_oxfer /syzkaller/managers/android-49-kasan-gce/kernel/drivers/scsi/sg.c:1939 [inline] sg_build_reserve+0x8d/0xb0 /syzkaller/managers/android-49-kasan-gce/kernel/drivers/scsi/sg.c:520 __read_once_size /syzkaller/managers/android-49-kasan-gce/kernel/./include/linux/compiler.h:243 [inline] atomic_read /syzkaller/managers/android-49-kasan-gce/kernel/./arch/x86/include/asm/atomic.h:26 [inline] sg_open+0x946/0x15a0 /syzkaller/managers/android-49-kasan-gce/kernel/drivers/scsi/sg.c:2553 hlist_add_head /syzkaller/managers/android-49-kasan-gce/kernel/./include/linux/list.h:649 [inline] chrdev_open+0x22b/0x4c0 /syzkaller/managers/android-49-kasan-gce/kernel/fs/super.c:519 __mcopy_atomic /syzkaller/managers/android-49-kasan-gce/kernel/mm/userfaultfd.c:158 [inline] do_dentry_open+0x607/0xc60 /syzkaller/managers/android-49-kasan-gce/kernel/mm/userfaultfd.c:306 inode_lock /syzkaller/managers/android-49-kasan-gce/kernel/./include/linux/fs.h:746 [inline] vfs_open+0x105/0x220 /syzkaller/managers/android-49-kasan-gce/kernel/fs/open.c:61 path_connected /syzkaller/managers/android-49-kasan-gce/kernel/fs/namei.c:598 [inline] path_openat+0x64c/0x2a60 /syzkaller/managers/android-49-kasan-gce/kernel/fs/namei.c:1346 do_filp_open+0x197/0x290 /syzkaller/managers/android-49-kasan-gce/kernel/fs/namei.c:217 do_sys_open+0x352/0x4c0 /syzkaller/managers/android-49-kasan-gce/kernel/fs/open.c:193 SyS_open+0x2d/0x40 /syzkaller/managers/android-49-kasan-gce/kernel/fs/open.c:196 entry_SYSCALL_64_fastpath+0x23/0xc6 Freed: PID = 5372 save_stack_trace+0x16/0x20 /syzkaller/managers/android-49-kasan-gce/kernel/arch/x86/kernel/stacktrace.c:57 compound_head /syzkaller/managers/android-49-kasan-gce/kernel/./include/linux/page-flags.h:146 [inline] virt_to_head_page /syzkaller/managers/android-49-kasan-gce/kernel/./include/linux/mm.h:557 [inline] build_detached_freelist /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:3055 [inline] save_stack+0x43/0xd0 /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:3085 create_unique_id /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:5553 [inline] kasan_slab_free+0x73/0xc0 /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:5590 trace /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:972 [inline] kfree+0xf0/0x2f0 /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:1085 sg_remove_scat.isra.20+0x212/0x2d0 /syzkaller/managers/android-49-kasan-gce/kernel/drivers/scsi/sr_vendor.c:159 sg_start_req /syzkaller/managers/android-49-kasan-gce/kernel/drivers/scsi/sg.c:1670 [inline] sg_ioctl+0x12d0/0x29f0 /syzkaller/managers/android-49-kasan-gce/kernel/drivers/scsi/sg.c:775 rcu_read_unlock /syzkaller/managers/android-49-kasan-gce/kernel/./include/linux/rcupdate.h:927 [inline] sigio_perm /syzkaller/managers/android-49-kasan-gce/kernel/fs/fcntl.c:445 [inline] do_vfs_ioctl+0x1aa/0x10c0 /syzkaller/managers/android-49-kasan-gce/kernel/fs/fcntl.c:459 __read_once_size /syzkaller/managers/android-49-kasan-gce/kernel/./include/linux/compiler.h:243 [inline] SyS_ioctl+0x8f/0xc0 /syzkaller/managers/android-49-kasan-gce/kernel/fs/fcntl.c:511 entry_SYSCALL_64_fastpath+0x23/0xc6 Memory state around the buggy address: ffff880194596a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff880194596a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff880194596b00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ^ ffff880194596b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff880194596c00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ================================================================== ================================================================== BUG: KASAN: wild-memory-access on address ffe70865a0a0b000 Write of size 38 by task syz-executor2/5368 CPU: 0 PID: 5368 Comm: syz-executor2 Tainted: G B 4.9.41-gdb02484 #20 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801947e7448 ffffffff81d92609 ffff8801947e7618 0000000000000026 0000000000000001 ffff8801947e7840 ffe70865a0a0b000 ffff8801947e74d0 ffffffff8153c66f 0000000000000000 0000000000000001 ffffffff81ddbec4 Call Trace: [] dump_stack+0xc1/0x128 /syzkaller/managers/android-49-kasan-gce/kernel/block/blk-integrity.c:49 [] kasan_report.part.1+0x40f/0x500 /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:3502 [] kasan_report+0x20/0x30 /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:3509 [] check_memory_region+0x137/0x190 /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:3079 [] set_freepointer /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:262 [inline] [] build_detached_freelist /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:3043 [inline] [] kasan_check_write+0x14/0x20 /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:3085 [] copy_page_from_iter+0x1a4/0x5d0 /syzkaller/managers/android-49-kasan-gce/kernel/lib/iov_iter.c:1080 [] css_tryget_online /syzkaller/managers/android-49-kasan-gce/kernel/./include/linux/cgroup.h:341 [inline] [] task_get_css /syzkaller/managers/android-49-kasan-gce/kernel/./include/linux/cgroup.h:475 [inline] [] bio_copy_user_iov+0xb05/0xea0 /syzkaller/managers/android-49-kasan-gce/kernel/block/bio.c:1998 [] queue_limit_discard_alignment /syzkaller/managers/android-49-kasan-gce/kernel/./include/linux/blkdev.h:1324 [inline] [] blk_rq_map_user_iov+0x237/0x790 /syzkaller/managers/android-49-kasan-gce/kernel/block/blk-settings.c:611 [] get_start_sect /syzkaller/managers/android-49-kasan-gce/kernel/./include/linux/genhd.h:445 [inline] [] bdev_stack_limits /syzkaller/managers/android-49-kasan-gce/kernel/block/blk-settings.c:653 [inline] [] blk_rq_map_user+0x111/0x1a0 /syzkaller/managers/android-49-kasan-gce/kernel/block/blk-settings.c:674 [] sg_common_write.isra.24+0xc1a/0x17c0 /syzkaller/managers/android-49-kasan-gce/kernel/drivers/scsi/sg.c:1498 [] sg_write+0x688/0xad0 /syzkaller/managers/android-49-kasan-gce/kernel/drivers/scsi/sg.c:1110 [] SYSC_faccessat /syzkaller/managers/android-49-kasan-gce/kernel/fs/open.c:385 [inline] [] __vfs_write+0x103/0x680 /syzkaller/managers/android-49-kasan-gce/kernel/fs/open.c:363 [] vfs_write+0x170/0x4e0 /syzkaller/managers/android-49-kasan-gce/kernel/fs/read_write.c:1765 [] SyS_write+0xd9/0x1b0 /syzkaller/managers/android-49-kasan-gce/kernel/fs/read_write.c:898 [] entry_SYSCALL_64_fastpath+0x23/0xc6 ================================================================== ================================================================== BUG: KASAN: wild-memory-access on address ffe70865a0a0b000 Write of size 38 by task syz-executor2/5368 CPU: 0 PID: 5368 Comm: syz-executor2 Tainted: G B 4.9.41-gdb02484 #20 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801947e73f8 ffffffff81d92609 ffe70865a0a0b000 0000000000000026 0000000000000001 0000000020006fdb ffe70865a0a0b000 ffff8801947e7480 ffffffff8153c66f ffffc90001137000 0000000000010000 ffffffff81dc5d14 Call Trace: [] dump_stack+0xc1/0x128 /syzkaller/managers/android-49-kasan-gce/kernel/block/blk-integrity.c:49 [] kasan_report.part.1+0x40f/0x500 /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:3502 [] kasan_report+0x20/0x30 /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:3509 [] check_memory_region+0x137/0x190 /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:3079 [] do_slab_free /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:2930 [inline] [] slab_free /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:2965 [inline] [] memset+0x23/0x40 /syzkaller/managers/android-49-kasan-gce/kernel/mm/slub.c:3878 [] copy_user_handle_tail+0xb4/0xd0 /syzkaller/managers/android-49-kasan-gce/kernel/arch/x86/lib/insn.c:400 [] copy_page_from_iter+0x1c0/0x5d0 /syzkaller/managers/android-49-kasan-gce/kernel/lib/iov_iter.c:1080 [] css_tryget_online /syzkaller/managers/android-49-kasan-gce/kernel/./include/linux/cgroup.h:341 [inline] [] task_get_css /syzkaller/managers/android-49-kasan-gce/kernel/./include/linux/cgroup.h:475 [inline] [] bio_copy_user_iov+0xb05/0xea0 /syzkaller/managers/android-49-kasan-gce/kernel/block/bio.c:1998 [] queue_limit_discard_alignment /syzkaller/managers/android-49-kasan-gce/kernel/./include/linux/blkdev.h:1324 [inline] [] blk_rq_map_user_iov+0x237/0x790 /syzkaller/managers/android-49-kasan-gce/kernel/block/blk-settings.c:611 [] get_start_sect /syzkaller/managers/android-49-kasan-gce/kernel/./include/linux/genhd.h:445 [inline] [] bdev_stack_limits /syzkaller/managers/android-49-kasan-gce/kernel/block/blk-settings.c:653 [inline] [] blk_rq_map_user+0x111/0x1a0 /syzkaller/managers/android-49-kasan-gce/kernel/block/blk-settings.c:674 [] sg_common_write.isra.24+0xc1a/0x17c0 /syzkaller/managers/android-49-kasan-gce/kernel/drivers/scsi/sg.c:1498 [] sg_write+0x688/0xad0 /syzkaller/managers/android-49-kasan-gce/kernel/drivers/scsi/sg.c:1110 [] SYSC_faccessat /syzkaller/managers/android-49-kasan-gce/kernel/fs/open.c:385 [inline] [] __vfs_write+0x103/0x680 /syzkaller/managers/android-49-kasan-gce/kernel/fs/open.c:363 [] vfs_write+0x170/0x4e0 /syzkaller/managers/android-49-kasan-gce/kernel/fs/read_write.c:1765 [] SyS_write+0xd9/0x1b0 /syzkaller/managers/android-49-kasan-gce/kernel/fs/read_write.c:898 [] entry_SYSCALL_64_fastpath+0x23/0xc6 ================================================================== kasan: CONFIG_KASAN_INLINE enabled kasan: GPF could be caused by NULL-ptr deref or user memory access general protection fault: 0000 [#1] PREEMPT SMP KASAN Dumping ftrace buffer: (ftrace buffer empty) Modules linked in: CPU: 0 PID: 5368 Comm: syz-executor2 Tainted: G B 4.9.41-gdb02484 #20 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 task: ffff880195308000 task.stack: ffff8801947e0000 RIP: 0010:[] [] insn_is_avx /syzkaller/managers/android-49-kasan-gce/kernel/./arch/x86/include/asm/insn.h:134 [inline] RIP: 0010:[] [] insn_last_prefix_id /syzkaller/managers/android-49-kasan-gce/kernel/./arch/x86/include/asm/insn.h:172 [inline] RIP: 0010:[] [] memset_erms+0x9/0x10 /syzkaller/managers/android-49-kasan-gce/kernel/arch/x86/lib/insn.c:280 RSP: 0018:ffff8801947e74b8 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffe70865a0a0b000 RCX: 0000000000000026 RDX: 0000000000000026 RSI: 0000000000000000 RDI: ffe70865a0a0b000 RBP: ffff8801947e74d8 R08: 0000000000000001 R09: ffe70865a0a0b000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000026 R13: 0000000000000000 R14: 0000000020006fdb R15: 0000000020006f00 FS: 00007fe407fdd700(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000f6acd8 CR3: 00000001953c7000 CR4: 00000000001406f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Stack: ffffffff8153b801 ffff880195308000 0000000000000026 ffe70865a0a0b000 ffff8801947e7510 ffffffff81dc5d14 ffff8801947e7618 0000000000000026 0000000000000026 ffff8801947e7840 ffe70865a0a0b000 ffff8801947e7580 Call Trace: [] copy_user_handle_tail+0xb4/0xd0 /syzkaller/managers/android-49-kasan-gce/kernel/arch/x86/lib/insn.c:400 [] copy_page_from_iter+0x1c0/0x5d0 /syzkaller/managers/android-49-kasan-gce/kernel/lib/iov_iter.c:1080 [] css_tryget_online /syzkaller/managers/android-49-kasan-gce/kernel/./include/linux/cgroup.h:341 [inline] [] task_get_css /syzkaller/managers/android-49-kasan-gce/kernel/./include/linux/cgroup.h:475 [inline] [] bio_copy_user_iov+0xb05/0xea0 /syzkaller/managers/android-49-kasan-gce/kernel/block/bio.c:1998 [] queue_limit_discard_alignment /syzkaller/managers/android-49-kasan-gce/kernel/./include/linux/blkdev.h:1324 [inline] [] blk_rq_map_user_iov+0x237/0x790 /syzkaller/managers/android-49-kasan-gce/kernel/block/blk-settings.c:611 [] get_start_sect /syzkaller/managers/android-49-kasan-gce/kernel/./include/linux/genhd.h:445 [inline] [] bdev_stack_limits /syzkaller/managers/android-49-kasan-gce/kernel/block/blk-settings.c:653 [inline] [] blk_rq_map_user+0x111/0x1a0 /syzkaller/managers/android-49-kasan-gce/kernel/block/blk-settings.c:674 [] sg_common_write.isra.24+0xc1a/0x17c0 /syzkaller/managers/android-49-kasan-gce/kernel/drivers/scsi/sg.c:1498 [] sg_write+0x688/0xad0 /syzkaller/managers/android-49-kasan-gce/kernel/drivers/scsi/sg.c:1110 [] SYSC_faccessat /syzkaller/managers/android-49-kasan-gce/kernel/fs/open.c:385 [inline] [] __vfs_write+0x103/0x680 /syzkaller/managers/android-49-kasan-gce/kernel/fs/open.c:363 [] vfs_write+0x170/0x4e0 /syzkaller/managers/android-49-kasan-gce/kernel/fs/read_write.c:1765 [] SyS_write+0xd9/0x1b0 /syzkaller/managers/android-49-kasan-gce/kernel/fs/read_write.c:898 [] entry_SYSCALL_64_fastpath+0x23/0xc6 Code: 48 c1 e9 03 40 0f b6 f6 48 b8 01 01 01 01 01 01 01 01 48 0f af c6 f3 48 ab 89 d1 f3 aa 4c 89 c8 c3 90 49 89 f9 40 88 f0 48 89 d1 aa 4c 89 c8 c3 90 49 89 fa 40 0f b6 ce 48 b8 01 01 01 01 01 RIP [] insn_is_avx /syzkaller/managers/android-49-kasan-gce/kernel/./arch/x86/include/asm/insn.h:134 [inline] RIP [] insn_last_prefix_id /syzkaller/managers/android-49-kasan-gce/kernel/./arch/x86/include/asm/insn.h:172 [inline] RIP [] memset_erms+0x9/0x10 /syzkaller/managers/android-49-kasan-gce/kernel/arch/x86/lib/insn.c:280 RSP ---[ end trace 8ef88055ce0d7f36 ]---