Re: BUG: KASAN: use-after-free in udp_lib_get_port

2016-10-19 Thread Baozeng Ding
fb fb fb fb fb fb fb
 88002f163d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
======

Best Regards,
Baozeng Ding

On 2016/10/17 3:53, Cong Wang wrote:
> On Sun, Oct 16, 2016 at 6:46 AM, Baozeng Ding <splovi...@gmail.com> wrote:
>> Hello all,
>> While running the syzkaller fuzzer I got the following use-after-free
>> bug in udp_lib_get_port. The kernel version is 4.8.0+ (on Oct 7 commit
>> d1f5323370fceaed43a7ee38f4c7bfc7e70f28d0). Unfortunately I failed to find a
>> reproducer for it.
>>
>> BUG: KASAN: use-after-free in udp_lib_get_port+0x1573/0x1860 at addr 
>> 88000804cb60
>> Write of size 8 by task syz-executor/31190
>> CPU: 0 PID: 31190 Comm: syz-executor Not tainted 4.8.0+ #39
>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 
>> rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
>>  880015ac7a48 829f835b 880032b531c0 88000804cb40
>>  88000804d250 880017415a4a 880015ac7a70 8174d3cc
>>  880015ac7b00 88000804cb00 880032b531c0 880015ac7af0
>> Call Trace:
>>  [] dump_stack+0xb3/0x118 lib/dump_stack.c:15
>>  [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156
>>  [< inline >] print_address_description mm/kasan/report.c:194
>>  [] kasan_report_error+0x1f6/0x4d0 mm/kasan/report.c:283
>>  [< inline >] kasan_report mm/kasan/report.c:303
>>  [] __asan_report_store8_noabort+0x3e/0x40 
>> mm/kasan/report.c:329
>>  [< inline >] hlist_add_head_rcu ./include/linux/rculist.h:487
>>  [] udp_lib_get_port+0x1573/0x1860 net/ipv4/udp.c:345
>>  [] udp_v6_get_port+0xa7/0xd0 net/ipv6/udp.c:106
>>  [] inet6_bind+0x89c/0xfb0 net/ipv6/af_inet6.c:384
>>  [] SYSC_bind+0x1ea/0x250 net/socket.c:1367
>>  [] SyS_bind+0x24/0x30 net/socket.c:1353
>>  [] entry_SYSCALL_64_fastpath+0x23/0xc6
> 
> 
> We should have a reference to this sock via fd and its sock->sk too,
> so I fail to see why it could be freed while we are holding this reference.
> Maybe a VFS layer bug?
> 
>> Object at 88000804cb40, in cache UDPv6 size: 1496
>> Allocated:
>> PID = 30789
>>  [  378.305168] [] save_stack_trace+0x16/0x20
>>  [  378.305168] [] save_stack+0x46/0xd0
>>  [  378.305168] [] kasan_kmalloc+0xad/0xe0
>>  [  378.305168] [] kasan_slab_alloc+0x12/0x20
>>  [  378.305168] [< inline >] slab_post_alloc_hook mm/slab.h:417
>>  [  378.305168] [< inline >] slab_alloc_node mm/slub.c:2708
>>  [  378.305168] [< inline >] slab_alloc mm/slub.c:2716
>>  [  378.305168] [] kmem_cache_alloc+0xc8/0x2b0 
>> mm/slub.c:2721
>>  [  378.305168] [] sk_prot_alloc+0x69/0x2b0 
>> net/core/sock.c:1326
>>  [  378.305168] [] sk_alloc+0x38/0xae0 net/core/sock.c:1388
>>  [  378.305168] [] inet6_create+0x2d7/0x1000 
>> net/ipv6/af_inet6.c:182
>>  [  378.305168] [] __sock_create+0x37b/0x640 
>> net/socket.c:1153
>>  [  378.305168] [< inline >] sock_create net/socket.c:1193
>>  [  378.305168] [< inline >] SYSC_socket net/socket.c:1223
>>  [  378.305168] [] SyS_socket+0xef/0x1b0 net/socket.c:1203
>>  [  378.305168] [] entry_SYSCALL_64_fastpath+0x23/0xc6
>> Freed:
>> PID = 30789
>>  [  378.305168] [] save_stack_trace+0x16/0x20
>>  [  378.305168] [] save_stack+0x46/0xd0
>>  [  378.305168] [] kasan_slab_free+0x71/0xb0
>>  [  378.305168] [< inline >] slab_free_hook mm/slub.c:1352
>>  [  378.305168] [< inline >] slab_free_freelist_hook mm/slub.c:1374
>>  [  378.305168] [< inline >] slab_free mm/slub.c:2951
>>  [  378.305168] [] kmem_cache_free+0xc8/0x330 
>> mm/slub.c:2973
>>  [  378.305168] [< inline >] sk_prot_free net/core/sock.c:1369
>>  [  378.305168] [] __sk_destruct+0x32b/0x4f0 
>> net/core/sock.c:1444
>>  [  378.305168] [] sk_destruct+0x44/0x80 
>> net/core/sock.c:1452
>>  [  378.305168] [] __sk_free+0x53/0x220 
>> net/core/sock.c:1460
>>  [  378.305168] [] sk_free+0x23/0x30 net/core/sock.c:1471
>>  [  378.305168] [] sk_common_release+0x28c/0x3e0 
>> ./include/net/sock.h:1589
>>  [  378.305168] [] udp_lib_close+0x15/0x20 
>> ./include/net/udp.h:203
>>  [  378.305168] [] inet_release+0xed/0x1c0 
>> net/ipv4/af_inet.c:415
>>  [  378.305168] [] inet6_release+0x50/0x70 
>> net/ipv6/af_inet6.c:422
>>  [  378.305168] [] sock_release+0x8d/0x1d0 net/socket.c:570
>>  [  378.305168] [] sock_close+0x16/0x20 net/socket.c:1017
>>  [  378.305168] [] __fput+0x28c/0x780 fs/file_table.c

BUG: slab-out-of-bounds in bio_alloc_bioset

2016-05-24 Thread Baozeng Ding
ock_irqrestore /include/linux/spinlock.h:362
 [] ? finish_wait+0xfd/0x180 /kernel/sched/wait.c:253
 [] __kernel_write+0xe7/0x320 /fs/read_write.c:551
 [] ? __might_sleep+0x90/0x1a0 /kernel/sched/core.c:7426
 [] write_pipe_buf+0x159/0x1e0 /fs/splice.c:1071
 [] ? do_splice_direct+0x250/0x250 /fs/splice.c:1339
 [] ? splice_from_pipe_next+0x2f0/0x3c0 /fs/splice.c:818
 [< inline >] splice_from_pipe_feed /fs/splice.c:773
 [] __splice_from_pipe+0x254/0x710 /fs/splice.c:898
 [] ? do_splice_direct+0x250/0x250 /fs/splice.c:1339
 [] splice_from_pipe+0xf7/0x140 /fs/splice.c:933
 [] ? do_splice_direct+0x250/0x250 /fs/splice.c:1339
 [] ? splice_shrink_spd+0x60/0x60 /fs/splice.c:299
 [] ? security_file_permission+0x89/0x1e0 
/security/security.c:733
 [] default_file_splice_write+0x40/0x90 /fs/splice.c:1083
 [< inline >] do_splice_from /fs/splice.c:1125
 [< inline >] do_splice /fs/splice.c:1404
 [< inline >] SYSC_splice /fs/splice.c:1707
 [] SyS_splice+0x7fa/0x1670 /fs/splice.c:1690
 [< inline >] ? SYSC_futex /kernel/futex.c:3237
 [] ? SyS_futex+0x13f/0x2b0 /kernel/futex.c:3205
 [] ? generic_splice_sendpage+0x50/0x50 /fs/splice.c:1107
 [] ? compat_SyS_vmsplice+0x250/0x250 /fs/splice.c:1658
 [] ? trace_hardirqs_on_thunk+0x1b/0x1d 
/arch/x86/entry/thunk_64.S:42
 [] entry_SYSCALL_64_fastpath+0x23/0xc1 
/arch/x86/entry/entry_64.S:207
Memory state around the buggy address:
 8800187a9f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 8800187a9f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>8800187aa000: fc 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
   ^
 8800187aa080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 8800187aa100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==
==

Best Regards,
Baozeng Ding

BUG: net/ipv4: KASAN: use-after-free in tcp_v4_rcv

2016-05-15 Thread Baozeng Ding
x1b5/0x390 
net/core/dev.c:4226

 [< inline >] ? __net_timestamp include/linux/skbuff.h:3099
 [] ? netif_receive_skb_internal+0x14a/0x390 
net/core/dev.c:4207

 [] ? dev_cpu_callback+0x690/0x690 net/core/dev.c:7755
 [] ? dev_gro_receive+0x1d9/0x16f0 net/core/dev.c:4514
 [< inline >] ? skb_is_gso include/linux/skbuff.h:3648
 [] ? dev_gro_receive+0x665/0x16f0 net/core/dev.c:4426
 [] ? kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:482
 [< inline >] ? trace_kmem_cache_alloc 
include/trace/events/kmem.h:53

 [] ? kmem_cache_alloc+0x1f9/0x2f0 mm/slub.c:2587
 [] ? eth_type_trans+0x2a0/0x5b0 net/ethernet/eth.c:186
 [< inline >] napi_skb_finish net/core/dev.c:4553
 [] napi_gro_receive+0x2c2/0x480 net/core/dev.c:4585
 [< inline >] e1000_receive_skb 
drivers/net/ethernet/intel/e1000/e1000_main.c:4035
 [] e1000_clean_rx_irq+0x440/0x1110 
drivers/net/ethernet/intel/e1000/e1000_main.c:4491
 [] ? e1000_enter_82542_rst+0x260/0x260 
drivers/net/ethernet/intel/e1000/e1000_main.c:2148
 [] e1000_clean+0xa08/0x24a0 
drivers/net/ethernet/intel/e1000/e1000_main.c:3836
 [] ? check_preempt_wakeup+0x3c9/0xa70 
kernel/sched/fair.c:5411
 [] ? 
e1000_unmap_and_free_tx_resource.isra.46+0x3e0/0x3e0 
drivers/net/ethernet/intel/e1000/e1000_main.c:1972
 [] ? trace_hardirqs_off+0xd/0x10 
kernel/locking/lockdep.c:2772
 [] ? debug_check_no_locks_freed+0x290/0x290 
kernel/locking/lockdep.c:4212

 [< inline >] napi_poll net/core/dev.c:5087
 [] net_rx_action+0x751/0xd80 net/core/dev.c:5152
 [] ? add_interrupt_randomness+0x2bc/0x570 
drivers/char/random.c:922
 [] ? sk_busy_loop+0x1130/0x1130 
include/trace/events/napi.h:13

 [] ? handle_irq_event+0xb2/0x140 kernel/irq/handle.c:194
 [< inline >] ? apic_eoi ./arch/x86/include/asm/apic.h:402
 [< inline >] ? ack_APIC_irq ./arch/x86/include/asm/apic.h:446
 [] ? ioapic_ack_level+0x165/0x450 
arch/x86/kernel/apic/io_apic.c:1814

 [< inline >] ? invoke_softirq kernel/softirq.c:350
 [] ? irq_exit+0x15d/0x190 kernel/softirq.c:391
 [] __do_softirq+0x22b/0x8da kernel/softirq.c:273
 [< inline >] invoke_softirq kernel/softirq.c:350
 [] irq_exit+0x15d/0x190 kernel/softirq.c:391
 [< inline >] exiting_irq ./arch/x86/include/asm/apic.h:658
 [] do_IRQ+0x86/0x1a0 arch/x86/kernel/irq.c:252
 [] common_interrupt+0x8c/0x8c 
arch/x86/entry/entry_64.S:454

 [< inline >] ? copy_pte_range mm/memory.c:945
 [< inline >] ? copy_pmd_range mm/memory.c:1003
 [< inline >] ? copy_pud_range mm/memory.c:1025
 [] ? copy_page_range+0xa69/0x19d0 mm/memory.c:1087
 [< inline >] ? copy_pte_range mm/memory.c:945
 [< inline >] ? copy_pmd_range mm/memory.c:1003
 [< inline >] ? copy_pud_range mm/memory.c:1025
 [] ? copy_page_range+0xa4a/0x19d0 mm/memory.c:1087
 [< inline >] ? rb_insert_augmented 
include/linux/rbtree_augmented.h:60
 [< inline >] ? __anon_vma_interval_tree_insert 
mm/interval_tree.c:72
 [] ? anon_vma_interval_tree_insert+0x233/0x2d0 
mm/interval_tree.c:83

 [] ? vm_iomap_memory+0x130/0x130 mm/memory.c:1836
 [< inline >] ? vma_rb_insert include/linux/rbtree_augmented.h:60
 [] ? __vma_link_rb+0x445/0x5d0 mm/mmap.c:531
 [< inline >] dup_mmap kernel/fork.c:513
 [< inline >] dup_mm kernel/fork.c:937
 [< inline >] copy_mm kernel/fork.c:991
 [] copy_process.part.37+0x468d/0x5a50 kernel/fork.c:1456
 [] ? __cleanup_sighand+0x50/0x50 kernel/fork.c:1105
 [< inline >] copy_process kernel/fork.c:1282
 [] _do_fork+0x1a9/0xcd0 kernel/fork.c:1731
 [] ? fork_idle+0x110/0x110 include/linux/list.h:601
 [] ? __fsnotify_parent+0x5e/0x2b0 
fs/notify/fsnotify.c:98

 [< inline >] ? inc_syscr include/linux/sched.h:3178
 [] ? vfs_read+0x223/0x310 fs/read_write.c:499
 [< inline >] SYSC_clone kernel/fork.c:1840
 [] SyS_clone+0x37/0x50 kernel/fork.c:1834
 [] ? ptregs_sys_rt_sigreturn+0x10/0x10 
arch/x86/include/generated/asm/syscalls_64.h:16

 [] do_syscall_64+0x1ad/0x4b0 arch/x86/entry/common.c:350
 [] ? sys_vfork+0x30/0x30 kernel/fork.c:1813
 [] entry_SYSCALL64_slow_path+0x25/0x25 
arch/x86/entry/entry_64.S:248

Memory state around the buggy address:
 880038027880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 880038027900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc

880038027980: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb

   ^
 880038027a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 880038027a80: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
==


Best Regards,
Baozeng Ding

BUG: mm/slub NULL-ptr deref in get_freepointer

2016-05-15 Thread Baozeng Ding

Hi all,
I've got the following report (NULL-ptr deref in get_freepointer,
mm/slub.c) while running syzkaller.

Unfortunately no reproducer. The kernel version is 4.6.0-rc2+.

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault:  [#1] SMP KASAN

Modules linked in:
CPU: 0 PID: 14637 Comm: syz-executor Tainted: GB 4.6.0-rc2+ #16
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 
rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014

task: 880067c71780 ti: 88006745 task.ti: 88006745
RIP: 0010:[]  [] 
deactivate_slab+0x99/0x710

RSP: 0018:880067457b40  EFLAGS: 00010002
RAX:  RBX: eadab800 RCX: 000180180018
RDX:  RSI: eadab800 RDI: 00010400
RBP: 880067457bf8 R08: 8018 R09: 8000
R10:  R11:  R12: 05fffc04004c
R13: ea0001843640 R14: 88003e800c40 R15: 88003e806f00
FS:  7ff2eec2e700() GS:88003ec0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 20008ff8 CR3: 378cf000 CR4: 06f0
Stack:
 880067457b90 8177f632 880067c71780 8177f632
 8177f632 000f67457b80 811cf3e6 880036ae7d88
 880067457bc0 8170ef8f 0018 880036ae7d90
Call Trace:
 [< inline >] ? kmalloc include/linux/slab.h:483
 [< inline >] ? kzalloc include/linux/slab.h:622
 [] ? alloc_pipe_info+0x292/0x3a0 fs/pipe.c:622
 [< inline >] ? kmalloc include/linux/slab.h:483
 [< inline >] ? kzalloc include/linux/slab.h:622
 [] ? alloc_pipe_info+0x292/0x3a0 fs/pipe.c:622
 [< inline >] ? kmalloc include/linux/slab.h:483
 [< inline >] ? kzalloc include/linux/slab.h:622
 [] ? alloc_pipe_info+0x292/0x3a0 fs/pipe.c:622
 [] ? save_stack_trace+0x26/0x50 
arch/x86/kernel/stacktrace.c:67

 [] ? set_track+0x6f/0x120 mm/slub.c:541
 [] ? init_object+0x64/0xa0 mm/slub.c:704
 [] ? alloc_debug_processing+0x6e/0x1b0 mm/slub.c:1085
 [] ___slab_alloc+0x167/0x500 mm/slub.c:2449
 [] ? lockdep_init_map+0xf0/0x13e0 
kernel/locking/lockdep.c:3120

 [< inline >] ? kmalloc include/linux/slab.h:483
 [< inline >] ? kzalloc include/linux/slab.h:622
 [] ? alloc_pipe_info+0x292/0x3a0 fs/pipe.c:622
 [] ? lockdep_init_map+0xf0/0x13e0 
kernel/locking/lockdep.c:3120

 [< inline >] ? kmalloc include/linux/slab.h:483
 [< inline >] ? kzalloc include/linux/slab.h:622
 [] ? alloc_pipe_info+0x292/0x3a0 fs/pipe.c:622
 [] __slab_alloc+0x4c/0x90 mm/slub.c:2475
 [< inline >] ? kmalloc include/linux/slab.h:483
 [< inline >] ? kzalloc include/linux/slab.h:622
 [] ? alloc_pipe_info+0x292/0x3a0 fs/pipe.c:622
 [< inline >] slab_alloc_node mm/slub.c:2538
 [< inline >] slab_alloc mm/slub.c:2580
 [] __kmalloc+0x297/0x360 mm/slub.c:3561
 [< inline >] kmalloc include/linux/slab.h:483
 [< inline >] kzalloc include/linux/slab.h:622
 [] alloc_pipe_info+0x292/0x3a0 fs/pipe.c:622
 [< inline >] get_pipe_inode fs/pipe.c:683
 [] create_pipe_files+0xd4/0x8f0 fs/pipe.c:716
 [] ? up_write+0x1a/0x60 kernel/locking/rwsem.c:91
 [] ? fifo_open+0x9f0/0x9f0 fs/pipe.c:884
 [] ? vma_is_stack_for_task+0xa0/0xa0 mm/util.c:235
 [] __do_pipe_flags+0x39/0x210 fs/pipe.c:774
 [< inline >] SYSC_pipe2 fs/pipe.c:822
 [] SyS_pipe2+0x8c/0x170 fs/pipe.c:816
 [] ? do_pipe_flags+0x140/0x140 fs/pipe.c:807
 [] ? find_mergeable_anon_vma+0xd0/0xd0 mm/mmap.c:1090
 [] ? trace_hardirqs_off+0xd/0x10 
kernel/locking/lockdep.c:2772
 [] ? trace_hardirqs_on_thunk+0x1b/0x1d 
arch/x86/entry/thunk_64.S:42
 [] entry_SYSCALL_64_fastpath+0x23/0xc1 
arch/x86/entry/entry_64.S:207
Code: 89 54 05 00 4d 89 e8 49 8b 7f 08 48 89 de 48 89 4c 24 68 66 83 6c 
24 68 01 4c 8b 4c 24 68 e8 7f fe ff ff 84 c0 74 cc 49 63 47 20 <49> 8b 
0c 04 48 85 c9 74 0c 4d 89 e5 48 8b 53 10 49 89 cc eb bb

RIP  [< inline >] get_freepointer mm/slub.c:245
RIP  [] deactivate_slab+0x99/0x710 mm/slub.c:1893
 RSP 
---[ end trace b34379b339f95a27 ]---

Best Regards,
Baozeng Ding

Re: Sound: BUG: KASAN: use-after-free in kill_fasync

2016-04-20 Thread Baozeng Ding



On 2016/4/6 19:37, Baozeng Ding wrote:



On 2016/4/5 22:18, Takashi Iwai wrote:

On Tue, 05 Apr 2016 15:51:30 +0200,
Baozeng Ding wrote:

Hi all,
I've got the following report (use-after-free in kill_fasync) while
running syzkaller.
Unfortunately no reproducer. The kernel version is 4.5 (on Mar 16 commit
09fd671ccb2475436bd5f597f751ca4a7d177aea).

==
BUG: KASAN: use-after-free in kill_fasync+0x3fb/0x420 at addr
880067691d88
Read of size 8 by task swapper/2/0
= 


BUG kmalloc-2048 (Not tainted): kasan: bad access detected
- 



Disabling lock debugging due to kernel taint
INFO: Allocated in 0x age=18446678412249576073
cpu=2245704320 pid=-1
[< inline >] kmalloc /kernel/include/linux/slab.h:472
[< inline >] kzalloc /kernel/include/linux/slab.h:616
[<  none  >] snd_pcm_attach_substream+0x3b4/0xb10
/kernel/sound/core/pcm.c:966
[<  none  >] ___slab_alloc+0x4c7/0x500 /kernel/mm/slub.c:2446
[<  none  >] __slab_alloc+0x4c/0x90 /kernel/mm/slub.c:2475
[< inline >] slab_alloc_node /kernel/mm/slub.c:2538
[< inline >] slab_alloc /kernel/mm/slub.c:2580
[<  none  >] kmem_cache_alloc_trace+0x262/0x300
/kernel/mm/slub.c:2597
[< inline >] kmalloc /kernel/include/linux/slab.h:472
[< inline >] kzalloc /kernel/include/linux/slab.h:616
[<  none  >] snd_pcm_attach_substream+0x3b4/0xb10
/kernel/sound/core/pcm.c:966
[<  none  >] snd_pcm_open_substream+0x84/0x450
/kernel/sound/core/pcm_native.c:2262
[< inline >] snd_pcm_oss_open_file
/kernel/sound/core/oss/pcm_oss.c:2346
[<  none  >] snd_pcm_oss_open.part.17+0x5a4/0x1100
/kernel/sound/core/oss/pcm_oss.c:2428
[<  none  >] snd_pcm_oss_open+0x35/0x50
/kernel/sound/core/oss/pcm_oss.c:2392
[<  none  >] soundcore_open+0x30f/0x640
/kernel/sound/sound_core.c:639
[<  none  >] chrdev_open+0x22a/0x4c0 /kernel/fs/char_dev.c:388
[<  none  >] do_dentry_open+0x6a2/0xcb0 /kernel/fs/open.c:736
[<  none  >] vfs_open+0x17b/0x1f0 /kernel/fs/open.c:853
[< inline >] do_last /kernel/fs/namei.c:3258
[<  none  >] path_openat+0x4837/0x5830 /kernel/fs/namei.c:3394
[<  none  >] do_filp_open+0x18e/0x250 /kernel/fs/namei.c:3429
[<  none  >] do_sys_open+0x201/0x420 /kernel/fs/open.c:1022
[< inline >] SYSC_open /kernel/fs/open.c:1040
[<  none  >] SyS_open+0x2d/0x40 /kernel/fs/open.c:1035
INFO: Freed in 0x1b076 age=18446678416544543380 cpu=0 pid=0
[<  none  >] snd_pcm_detach_substream+0x134/0x280
/kernel/sound/core/pcm.c:1017
[<  none  >] __slab_free+0x1e8/0x300 /kernel/mm/slub.c:2657
[< inline >] slab_free /kernel/mm/slub.c:2810
[<  none  >] kfree+0x24e/0x2d0 /kernel/mm/slub.c:3661
[<  none  >] snd_pcm_detach_substream+0x134/0x280
/kernel/sound/core/pcm.c:1017
[<  none  >] snd_pcm_release_substream.part.38+0x219/0x2f0
/kernel/sound/core/pcm_native.c:2250
[<  none  >] snd_pcm_release_substream+0x59/0x70
/kernel/sound/core/pcm_native.c:2251
[<  none  >] snd_pcm_oss_release_file+0x45/0xb0
/kernel/sound/core/oss/pcm_oss.c:2305
[<  none  >] snd_pcm_oss_release+0xfa/0x250
/kernel/sound/core/oss/pcm_oss.c:2485
[<  none  >] __fput+0x236/0x780 /kernel/fs/file_table.c:208
[<  none  >] fput+0x15/0x20 /kernel/fs/file_table.c:244
[<  none  >] task_work_run+0x16b/0x200
/kernel/kernel/task_work.c:115
[< inline >] exit_task_work 
/kernel/include/linux/task_work.h:21

[<  none  >] do_exit+0x87f/0x2c90 /kernel/kernel/exit.c:748
[<  none  >] do_group_exit+0x108/0x330 
/kernel/kernel/exit.c:878

[< inline >] SYSC_exit_group /kernel/kernel/exit.c:889
[<  none  >] SyS_exit_group+0x1d/0x20 /kernel/kernel/exit.c:887
[<  none  >] entry_SYSCALL_64_fastpath+0x23/0xc1
/kernel/arch/x86/entry/entry_64.S:207
INFO: Slab 0xea00019da400 objects=13 used=8 fp=0x880067691be0
flags=0x5fffc004080
INFO: Object 0x880067691bd8 @offset=7128 fp=0x
Call Trace:
 [< inline >] __dump_stack /kernel/lib/dump_stack.c:15
 [] dump_stack+0xb3/0x112
/kernel/lib/dump_stack.c:51
   [] print_trailer+0x10d/0x190 /kernel/mm/slub.c:668
   [] object_err+0x2f/0x40 /kernel/mm/slub.c:675
   [< inline >] print_address_description
/kernel/mm/kasan/report.c:138
   [] kasan_report_error+0x215/0x530
/kernel/mm/kasan/report.c:236
   [< inline >] ? spin_lock 
/kernel/

net/sctp: stack-out-of-bounds in sctp_getsockopt

2016-03-22 Thread Baozeng Ding
1037);
getsockopt(sock_dup, IPPROTO_IP, 0x81,  (void *)0x2bf3ul,
(socklen_t *)0x20003000ul);
return 0;
}

Best Regards,

Baozeng Ding


net/bluetooth: use-after-free in hci_event_packet

2016-03-20 Thread Baozeng Ding
/fs/read_write.c:530
[<  none  >] vfs_write+0x167/0x4a0 kernel/fs/read_write.c:577
[< inline >] SYSC_write kernel/fs/read_write.c:624
[<  none  >] SyS_write+0x111/0x220 kernel/fs/read_write.c:616
INFO: Slab 0xea0010fbdb00 objects=20 used=19 fp=0x88043ef6e310
flags=0x2fffc004080
INFO: Object 0x88043ef6e310 @offset=8976 fp=0x  (null)

CPU: 1 PID: 9348 Comm: kworker/u17:11 Tainted: GB   4.4.0+
#5
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
Workqueue: hci4 hci_rx_work
  880433b8f6b0 8292049d 88048a004b40
 88043ef6e310 88043ef6c000 880433b8f6e0 816f2054
 88048a004b40 ea0010fbdb00 88043ef6e310 88043ef6e318
Call Trace:
 [< inline >] __dump_stack kernel/lib/dump_stack.c:15
 [] dump_stack+0x6f/0xa2 kernel/lib/dump_stack.c:50
 [] print_trailer+0xf4/0x150 kernel/mm/slub.c:654
 [] object_err+0x2f/0x40 kernel/mm/slub.c:661
 [< inline >] print_address_description kernel/mm/kasan/report.c:138
 [] kasan_report_error+0x215/0x530 
kernel/mm/kasan/report.c:236
 [< inline >] kasan_report kernel/mm/kasan/report.c:259
 [] __asan_report_load1_noabort+0x3e/0x40 
kernel/mm/kasan/report.c:277
 [< inline >] ? hci_inquiry_result_with_rssi_evt 
kernel/net/bluetooth/hci_event.c:3616
 [] ? hci_event_packet+0x8d45/0x9f90 
kernel/net/bluetooth/hci_event.c:5323
 [< inline >] hci_inquiry_result_with_rssi_evt 
kernel/net/bluetooth/hci_event.c:3616
 [] hci_event_packet+0x8d45/0x9f90 
kernel/net/bluetooth/hci_event.c:5323
 [< inline >] ? spin_lock kernel/include/linux/spinlock.h:302
 [] ? deactivate_slab+0x212/0x710 kernel/mm/slub.c:1949
 [< inline >] ? hci_cc_read_local_amp_info 
kernel/net/bluetooth/hci_event.c:833
 [] ? hci_cmd_complete_evt+0xcfb0/0xcfb0 
kernel/net/bluetooth/hci_event.c:2905
 [< inline >] ? spin_unlock kernel/include/linux/spinlock.h:347
 [] ? deactivate_slab+0x408/0x710 kernel/mm/slub.c:1995
 [] ? debug_check_no_locks_freed+0x290/0x290 
kernel/kernel/locking/lockdep.c:4123
 [] ? debug_check_no_locks_freed+0x290/0x290 
kernel/kernel/locking/lockdep.c:4123
 [< inline >] ? rcu_read_unlock kernel/include/linux/rcupdate.h:926
 [] ? cpuacct_charge+0x1a7/0x380 
kernel/kernel/sched/cpuacct.c:255
 [< inline >] ? rcu_lock_release kernel/include/linux/rcupdate.h:495
 [< inline >] ? rcu_read_unlock kernel/include/linux/rcupdate.h:930
 [] ? cpuacct_charge+0x1c6/0x380 
kernel/kernel/sched/cpuacct.c:255
 [< inline >] ? task_cpu kernel/include/linux/sched.h:3111
 [] ? cpuacct_charge+0x60/0x380 
kernel/kernel/sched/cpuacct.c:240
 [] ? rcu_read_unlock+0x16/0x70 
kernel/include/linux/rcupdate.h:926
 [] ? debug_check_no_locks_freed+0x290/0x290 
kernel/kernel/locking/lockdep.c:4123
 [] ? __compute_runnable_contrib+0x54/0x70 
kernel/kernel/sched/fair.c:2549
 [< inline >] ? __update_load_avg kernel/kernel/sched/fair.c:2668
 [] ? update_cfs_rq_load_avg+0x513/0x1160 
kernel/kernel/sched/fair.c:2795
 [] ? skb_dequeue+0x22/0x180 kernel/net/core/skbuff.c:2333
 [] ? trace_hardirqs_on+0xd/0x10 
kernel/kernel/locking/lockdep.c:2619
 [] ? hci_send_to_monitor+0x296/0x3e0 
kernel/net/bluetooth/hci_sock.c:305
 [] hci_rx_work+0x6f2/0xc00 
kernel/net/bluetooth/hci_core.c:4157
 [] ? process_one_work+0x6ca/0x1440 
kernel/kernel/workqueue.c:2033
 [] process_one_work+0x794/0x1440 
kernel/kernel/workqueue.c:2036
 [] ? process_one_work+0x6ca/0x1440 
kernel/kernel/workqueue.c:2033
 [] ? pwq_dec_nr_in_flight+0x2e0/0x2e0 
kernel/include/linux/compiler.h:218
 [] worker_thread+0xdb/0xfc0 kernel/kernel/workqueue.c:2170
 [< inline >] ? context_switch kernel/kernel/sched/core.c:2807
 [] ? __schedule+0x919/0x1bd0 kernel/kernel/sched/core.c:3283
 [] kthread+0x23f/0x2d0 kernel/drivers/block/aoe/aoecmd.c:1303
 [] ? process_one_work+0x1440/0x1440 
kernel/include/linux/list.h:655
 [] ? kthread_create_on_node+0x3b0/0x3b0 
kernel/kernel/kthread.c:285
 [] ? kthread_create_on_node+0x3b0/0x3b0 
kernel/kernel/kthread.c:285
 [] ret_from_fork+0x3f/0x70 
kernel/arch/x86/entry/entry_64.S:468
 [] ? kthread_create_on_node+0x3b0/0x3b0 
kernel/kernel/kthread.c:285

Memory state around the buggy address:
 88043ef6e200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 88043ef6e280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>88043ef6e300: fc fc fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ^
 88043ef6e380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 88043ef6e400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb


Best Regards,

Baozeng Ding


kernel/irq: Null-ptr deref on handle_irq_event_percpu function

2016-03-18 Thread Baozeng Ding
+linux-kernel and irq maintainer.

Best Regards,
Baozeng Ding

On Thu, Feb 25, 2016 at 04:16:10AM -0500, Red Hat Product Security wrote:
> On Wed Feb 24 08:44:30 2016, splovi...@gmail.com wrote:
> > Dear all,
> >
> > I hit the following bug when fuzzing kernel using
> > syzkaller:
> >
> > kasan: CONFIG_KASAN_INLINE enabled
> > kasan: GPF could be caused by NULL-ptr deref or user memory
> > accessgeneral protection fault:  [#1] SMP KASAN
> > Modules linked in:
> > CPU: 3 PID: 0 Comm: swapper/3 Not tainted 4.4.0+ #5
> > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> > rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
> > task: 88002eb09700 ti: 88002eb88000 task.ti: 88002eb88000
> > RIP: 0010:[] []
> > handle_irq_event_percpu+0xcd/0x6d0
> > RSP: 0018:880053307e20 EFLAGS: 00010082
> > RAX:  RBX: dc00 RCX: 0001
> > RDX: 0001 RSI: 88002eb09f18 RDI: 0046
> > RBP: 880053307e70 R08: 0001 R09: 0001
> > R10:  R11: 0001 R12: 
> > R13: 88002f1706b0 R14: ed0005e2e0de R15: 88002f1706b0
> > FS: () GS:88005330()
> > knlGS:
> > CS: 0010 DS:  ES:  CR0: 8005003b
> > CR2: 2000c000 CR3: 00a82000 CR4: 06e0
> > Stack:
> > 88002f170680 2eb09700 10f464b2 fbfff0f464ba
> > 0004 88002f170680 88002f170720 88002f1706b0
> > ed0005e2e0de 88002f1706b0 880053307ea0 81433bd7
> > Call Trace:
> > Call Trace:
> > 
> > [] handle_irq_event+0xa7/0x140
> > kernel/irq/handle.c:193
> > [] handle_edge_irq+0x1e1/0x8d0
> > kernel/irq/chip.c:623
> > [< inline >] generic_handle_irq_desc
> > kernel/include/linux/irqdesc.h:146
> > [] handle_irq+0x109/0x2a0
> > kernel/arch/x86/kernel/irq_64.c:78
> > [< inline >] ? rcu_lock_release
> > kernel/include/linux/rcupdate.h:495
> > [< inline >] ? rcu_read_unlock
> > kernel/include/linux/rcupdate.h:930
> > [< inline >] ? __atomic_notifier_call_chain
> > kernel/kernel/notifier.c:184
> > [] ? atomic_notifier_call_chain+0xbf/0x140
> > kernel/kernel/notifier.c:193
> > [] ? __atomic_notifier_call_chain+0x150/0x150
> > kernel/include/linux/rcupdate.h:926
> > [] do_IRQ+0x7d/0x1a0
> > kernel/arch/x86/kernel/irq.c:240
> > [] common_interrupt+0x8c/0x8c
> > kernel/arch/x86/entry/entry_64.S:520
> > [] ? native_safe_halt+0x6/0x10
> > kernel/arch/x86/include/asm/irqflags.h:49
> > [< inline >] arch_safe_halt
> > kernel/arch/x86/include/asm/paravirt.h:117
> > [] default_idle+0x22/0x2a0
> > kernel/arch/x86/kernel/process.c:304
> > [] arch_cpu_idle+0xa/0x10
> > kernel/arch/x86/kernel/process.c:295
> > [] default_idle_call+0x48/0x70
> > kernel/kernel/sched/idle.c:92
> > [< inline >] cpuidle_idle_call
> > kernel/kernel/sched/idle.c:156
> > [< inline >] cpu_idle_loop kernel/kernel/sched/idle.c:252
> > [] cpu_startup_entry+0x4bf/0x610
> > kernel/kernel/sched/idle.c:300
> > [] start_secondary+0x2a8/0x380
> > kernel/arch/x86/kernel/smpboot.c:251
> > [] ? set_cpu_sibling_map+0x1890/0x1890
> > kernel/include/linux/topology.h:80
> > Code: 48 89 45 c8 48 c7 c0 90 25 a3 87 48 c1 e8 03 48 89 45 c0 e9 4f
> > 01 00 00 e8 31 8e 0e 00 4c 89 e0 48 c1 e8 03 65 ff 0d 23 0a be 7e <80>
> > 3c 18 00 0f 85 8c 05 00 00 49 8d 7c 24 08 4d 8b 34 24 48 89
> > RIP [< inline >] __preempt_count_sub
> > kernel/arch/x86/include/asm/preempt.h:74
> > RIP [< inline >] rcu_read_unlock_sched_notrace
> > kernel/include/linux/rcupdate.h:1020
> > RIP [< inline >] trace_irq_handler_entry
> > kernel/include/trace/events/irq.h:52
> > RIP [] handle_irq_event_percpu+0xcd/0x6d0
> > kernel/kernel/irq/handle.c:144
> > RSP 
> > ---[ end trace 0984a7cc502bc978 ]---
> > Kernel panic - not syncing: Fatal exception in interrupt
> > Kernel Offset: disabled
> > ---[ end Kernel panic - not syncing: Fatal exception in interrupt
> >
> >
> > I cannot produce the bug, but by taking a look at the
> > code (irq/handle.c line 176), it may
> > cause a null pointer deref:
> >
> > http://lxr.free-electrons.com/source/kernel/irq/handle.c#L176
> >
> > 141 do {
> > 142 irqreturn_t res;
> > 143
> > 144 trace_irq_handler_entry(irq, action);
> > 145 res = action->handler(irq, action->dev_id);

net/ppp: use-after-free in ppp_unregister_channel

2016-03-18 Thread Baozeng Ding
l/kernel/task_work.c:115
 [< inline >] exit_task_work kernel/include/linux/task_work.h:21
 [] do_exit+0x8b5/0x2c60 kernel/kernel/exit.c:750
 [] ? debug_check_no_locks_freed+0x290/0x290 
kernel/kernel/locking/lockdep.c:4123
 [] ? mm_update_next_owner+0x6f0/0x6f0 
kernel/kernel/exit.c:357
 [] ? __dequeue_signal+0x136/0x470 kernel/kernel/signal.c:550
 [] ? recalc_sigpending_tsk+0x13b/0x180 
kernel/kernel/signal.c:145
 [] do_group_exit+0x108/0x330 kernel/kernel/exit.c:880
 [] get_signal+0x5e4/0x14f0 kernel/kernel/signal.c:2307
 [< inline >] ? kretprobe_table_lock kernel/kernel/kprobes.c:1113
 [] ? kprobe_flush_task+0xb5/0x450 
kernel/kernel/kprobes.c:1158
 [] do_signal+0x83/0x1c90 kernel/arch/x86/kernel/signal.c:712
 [] ? recycle_rp_inst+0x310/0x310 
kernel/include/linux/list.h:655
 [] ? setup_sigcontext+0x780/0x780 
kernel/arch/x86/kernel/signal.c:165
 [] ? finish_task_switch+0x424/0x5f0 
kernel/kernel/sched/core.c:2692
 [< inline >] ? finish_lock_switch kernel/kernel/sched/sched.h:1099
 [] ? finish_task_switch+0x120/0x5f0 
kernel/kernel/sched/core.c:2678
 [< inline >] ? context_switch kernel/kernel/sched/core.c:2807
 [] ? __schedule+0x919/0x1bd0 kernel/kernel/sched/core.c:3283
 [] exit_to_usermode_loop+0xf1/0x1a0 
kernel/arch/x86/entry/common.c:247
 [< inline >] prepare_exit_to_usermode 
kernel/arch/x86/entry/common.c:282
 [] syscall_return_slowpath+0x19f/0x210 
kernel/arch/x86/entry/common.c:344
 [] int_ret_from_sys_call+0x25/0x9f 
kernel/arch/x86/entry/entry_64.S:281
Memory state around the buggy address:
 880064e21680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 880064e21700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>880064e21780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
   ^
 ffff880064e21800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 880064e21880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==

Best Regards,

Baozeng Ding
