
Issue 628314

Starred by 2 users

Issue metadata

Status: Untriaged
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug




KASAN reports a use-after-free in tty_hung_up_p

Project Member Reported by glider@chromium.org, Jul 14 2016

Issue description

This bug has been found with syzkaller on an amd64-generic 3.18 Chrome OS kernel running within QEMU.
Unfortunately there's no stable reproducer, because the crash happens in agetty.

[  356.902319] ==================================================================
[  356.903016] BUG: KASAN: use-after-free in tty_hung_up_p+0x1c/0x2d at addr ffff88003523ee28
[  356.903016] Read of size 8 by task agetty/29812
CPU: 3 PID: 29812 Comm: agetty Tainted: G        W      3.18.0 #24
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 ffff88003523ef38 00000000f870f8cb ffff8800337e7a38 ffffffff81b59ebc
 0000000000007474 fffffffff0567211 ffff88005184b640 ffffed0006a47dc5
 ffff8800337e7ab8 ffffffff811c84ee 0000000000000096 1ffff10006a47dc5
Call Trace:
 [<     inline     >] __dump_stack lib/dump_stack.c:15
 [<ffffffff81b59ebc>] dump_stack+0x74/0xb3 lib/dump_stack.c:50
 [<     inline     >] object_err mm/kasan/report.c:139
 [<     inline     >] print_address_description mm/kasan/report.c:179
 [<     inline     >] kasan_report_error mm/kasan/report.c:276
 [<ffffffff811c84ee>] kasan_report+0x30f/0x56a mm/kasan/report.c:299
 [<     inline     >] check_memory_region mm/kasan/kasan.c:285
 [<ffffffff811c7689>] __asan_load8+0x23/0x65 mm/kasan/kasan.c:673
 [<ffffffff814c1cf5>] tty_hung_up_p+0x1c/0x2d drivers/tty/tty_io.c:790
 [<ffffffff814d2994>] tty_port_close_start+0x3f/0x28a drivers/tty/tty_port.c:477
 [<ffffffff814dbe14>] uart_close+0x81/0x299 drivers/tty/serial/serial_core.c:1345
 [<     inline     >] ? debug_spin_unlock kernel/locking/spinlock_debug.c:103
 [<ffffffff810bfebe>] ? do_raw_spin_unlock+0xbb/0xcd kernel/locking/spinlock_debug.c:158
 [<ffffffff814c4e41>] __tty_hangup+0x5d5/0x650 drivers/tty/tty_io.c:675
 [<     inline     >] tty_vhangup_session drivers/tty/tty_io.c:777
 [<ffffffff814c633b>] disassociate_ctty+0xaa/0x3f4 drivers/tty/tty_io.c:838
 [<ffffffff810658ea>] do_exit+0x692/0x11f6 kernel/exit.c:760
 [<ffffffff810a5f65>] ? task_fits_max+0x6f/0xd0 kernel/sched/fair.c:4907
 [<ffffffff81072b79>] ? recalc_sigpending_tsk+0xa4/0xae kernel/signal.c:145
 [<ffffffff81067f33>] do_group_exit+0x9d/0x184 kernel/exit.c:892
 [<     inline     >] ? debug_spin_unlock kernel/locking/spinlock_debug.c:103
 [<ffffffff810bfebe>] ? do_raw_spin_unlock+0xbb/0xcd kernel/locking/spinlock_debug.c:158
 [<ffffffff81078bd2>] get_signal+0x8f8/0x950 kernel/signal.c:2350
 [<ffffffff8100320b>] do_signal+0x37/0x8a4 arch/x86/kernel/signal.c:703
 [<ffffffff811a247c>] ? might_fault+0x60/0x64 mm/memory.c:3722
 [<ffffffff810e0546>] ? update_rmtp+0x98/0xb9 kernel/time/alarmtimer.c:712
 [<ffffffff810e1bad>] ? hrtimer_nanosleep+0x1d0/0x223 kernel/time/hrtimer.c:1603
 [<ffffffff810dfc0e>] ? hrtimer_get_res+0x69/0x69 kernel/time/hrtimer.c:1194
 [<ffffffff81003aa4>] do_notify_resume+0x2c/0x6d arch/x86/kernel/signal.c:754
 [<ffffffff81b61dac>] int_signal+0x12/0x17 arch/x86/kernel/entry_64.S:620
Object at ffff88003523ee00, in cache filp
Object freed, allocated with size 312 bytes
Allocation:
PID = 29779
 [<ffffffff810159f0>] save_stack_trace+0x2c/0x48 arch/x86/kernel/stacktrace.c:64
 [<ffffffff811c72bf>] save_stack+0x46/0xce mm/kasan/kasan.c:450
 [<     inline     >] set_track mm/kasan/kasan.c:462
 [<ffffffff811c7b19>] kasan_kmalloc+0xa6/0xb8 mm/kasan/kasan.c:532
 [<ffffffff811c7ea9>] kasan_slab_alloc+0x12/0x14 mm/kasan/kasan.c:482
 [<ffffffff811c5bb4>] kmem_cache_alloc+0x87/0xee mm/slab.c:3385
 [<     inline     >] kmem_cache_zalloc include/linux/slab.h:585
 [<ffffffff811d0ee9>] get_empty_filp+0x66/0x278 fs/file_table.c:122
 [<ffffffff811e3745>] path_openat+0x54/0x88c fs/namei.c:3190
 [<ffffffff811e6403>] do_filp_open+0x5d/0xf1 fs/namei.c:3260
 [<ffffffff811cd4bc>] do_sys_open+0xa0/0x214 fs/open.c:1001
 [<     inline     >] SYSC_open fs/open.c:1020
 [<ffffffff811cd663>] SyS_open+0x33/0x3b fs/open.c:1015
 [<ffffffff81b61b5c>] system_call_fastpath+0x1c/0x21 arch/x86/kernel/entry_64.S:436
Deallocation:
PID = 5604
 [<ffffffff810159f0>] save_stack_trace+0x2c/0x48 arch/x86/kernel/stacktrace.c:64
 [<ffffffff811c72bf>] save_stack+0x46/0xce mm/kasan/kasan.c:450
 [<     inline     >] set_track mm/kasan/kasan.c:462
 [<ffffffff811c7f0d>] kasan_slab_free+0x62/0x7e mm/kasan/kasan.c:501
 [<ffffffff811c5e9e>] __cache_free.isra.51+0x37/0x138 mm/slab.c:3345
 [<ffffffff811c5fd9>] kmem_cache_free+0x3a/0x81 mm/slab.c:3537
 [<ffffffff811d09ae>] file_free_rcu+0x71/0x85 fs/file_table.c:49
 [<     inline     >] __rcu_reclaim kernel/rcu/rcu.h:118
 [<     inline     >] rcu_do_batch kernel/rcu/tree.c:2332
 [<     inline     >] invoke_rcu_callbacks kernel/rcu/tree.c:2592
 [<     inline     >] __rcu_process_callbacks kernel/rcu/tree.c:2559
 [<ffffffff810d6a4a>] rcu_process_callbacks+0x554/0x6c1 kernel/rcu/tree.c:2576
 [<ffffffff81b643f5>] __do_softirq+0x125/0x33b kernel/softirq.c:270
Memory state around the buggy address:
 ffff88003523ed00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88003523ed80: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
>ffff88003523ee00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                  ^
 ffff88003523ee80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88003523ef00: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
==================================================================

Components: OS>Kernel
