Issue 643628 link

Starred by 1 user
Issue metadata

Status:	Untriaged
Owner:	----
Cc:	█ dvyukov@chromium.org bleung@chromium.org █ dtor@chromium.org
Components:	OS>Kernel
EstimatedDays:	----
NextAction:	----
OS:	Android
Pri:	3
Type:	Bug
Kernel-3.18 Stability-Memory-KernelAddressSanitizer Stability-Syzkaller
KASAN reports a use-after-free in get_task_ioprio() on Pixel C

Project Member Reported by glider@chromium.org, Sep 2 2016
Issue description

I've found the following report with syzkaller on a Pixel C device. No repro so far:

BUG: KASAN: use-after-free in get_task_ioprio+0x48/0x64 at addr ffffffc022d31520
Read of size 2 by task syz-executor/22304
CPU: 2 PID: 22304 Comm: syz-executor Tainted: G     U         3.18.0 #89
Hardware name: Google Tegra210 Smaug Rev 1,3+ (DT) 
Call trace:
[<ffffffc00020b064>] dump_backtrace+0x0/0x17c /mnt/host/source/src/third_party/kernel/v3.18/arch/arm64/kernel/traps.c:91
[<ffffffc00020b1f8>] show_stack+0x18/0x24 /mnt/host/source/src/third_party/kernel/v3.18/arch/arm64/kernel/traps.c:173
[<     inline     >] __dump_stack /mnt/host/source/src/third_party/kernel/v3.18/lib/dump_stack.c:15
[<ffffffc00118b540>] dump_stack+0x94/0x100 /mnt/host/source/src/third_party/kernel/v3.18/lib/dump_stack.c:50
[<     inline     >] object_err /mnt/host/source/src/third_party/kernel/v3.18/mm/kasan/report.c:136
[<     inline     >] print_address_description /mnt/host/source/src/third_party/kernel/v3.18/mm/kasan/report.c:180
[<     inline     >] kasan_report_error /mnt/host/source/src/third_party/kernel/v3.18/mm/kasan/report.c:277
[<ffffffc0003cf854>] kasan_report+0x308/0x554 /mnt/host/source/src/third_party/kernel/v3.18/mm/kasan/report.c:300
[<     inline     >] check_memory_region_inline /mnt/host/source/src/third_party/kernel/v3.18/mm/kasan/kasan.c:292
[<ffffffc0003cf12c>] __asan_load2+0x74/0x80 /mnt/host/source/src/third_party/kernel/v3.18/mm/kasan/kasan.c:728
[<ffffffc00064c558>] get_task_ioprio+0x44/0x64 /mnt/host/source/src/third_party/kernel/v3.18/block/ioprio.c:153
[<     inline     >] SYSC_ioprio_get /mnt/host/source/src/third_party/kernel/v3.18/block/ioprio.c:225
[<ffffffc00064d41c>] SyS_ioprio_get+0x4f8/0x620 /mnt/host/source/src/third_party/kernel/v3.18/block/ioprio.c:178
Object at ffffffc022d314d8, in cache blkdev_ioc
nouveau  [     DRM] waiting for kernel channels to go idle...
nouveau  [     DRM] waiting for client channels to go idle...
nouveau  [     DRM] suspending client object trees...
nouveau  [     DRM] suspending kernel object tree...
nouveau  [     DRM] nouveau suspended
Object freed, allocated with size 184 bytes
Allocation:
PID = 22270
 [<ffffffc00020acac>] save_stack_trace_tsk+0x0/0x128 /mnt/host/source/src/third_party/kernel/v3.18/arch/arm64/kernel/stacktrace.c:69
 [<ffffffc00020ae00>] save_stack_trace+0x2c/0x3c /mnt/host/source/src/third_party/kernel/v3.18/arch/arm64/kernel/stacktrace.c:127
 [<     inline     >] save_stack /mnt/host/source/src/third_party/kernel/v3.18/mm/kasan/kasan.c:476
 [<     inline     >] set_track /mnt/host/source/src/third_party/kernel/v3.18/mm/kasan/kasan.c:488
 [<ffffffc0003ce450>] kasan_kmalloc.part.4+0x68/0x118 /mnt/host/source/src/third_party/kernel/v3.18/mm/kasan/kasan.c:586
 [<ffffffc0003cec48>] kasan_kmalloc+0x90/0xa8 /mnt/host/source/src/third_party/kernel/v3.18/mm/kasan/kasan.c:580
 [<ffffffc0003cec70>] kasan_slab_alloc+0x10/0x1c /mnt/host/source/src/third_party/kernel/v3.18/mm/kasan/kasan.c:508
 [<ffffffc0003cb5b4>] kmem_cache_alloc+0x10c/0x350 /mnt/host/source/src/third_party/kernel/v3.18/mm/slab.c:3393
 [<     inline     >] kmem_cache_alloc_node /mnt/host/source/src/third_party/kernel/v3.18/include/linux/slab.h:311
 [<ffffffc000634d10>] create_task_io_context+0x34/0x1d8 /mnt/host/source/src/third_party/kernel/v3.18/block/blk-ioc.c:239
 [<ffffffc000634f50>] get_task_io_context+0x9c/0xc8 /mnt/host/source/src/third_party/kernel/v3.18/block/blk-ioc.c:303
 [<     inline     >] copy_io /mnt/host/source/src/third_party/kernel/v3.18/kernel/fork.c:1013
 [<ffffffc000229e08>] copy_process.part.51+0x1918/0x2668 /mnt/host/source/src/third_party/kernel/v3.18/kernel/fork.c:1414
 [<     inline     >] copy_process /mnt/host/source/src/third_party/kernel/v3.18/kernel/fork.c:1230
 [<ffffffc00022ad90>] do_fork+0x124/0xa48 /mnt/host/source/src/third_party/kernel/v3.18/kernel/fork.c:1672
 [<     inline     >] SYSC_clone /mnt/host/source/src/third_party/kernel/v3.18/kernel/fork.c:1767
 [<ffffffc00022b788>] SyS_clone+0x30/0x3c /mnt/host/source/src/third_party/kernel/v3.18/kernel/fork.c:1745
 [<ffffffc00020446c>] el0_svc_naked+0x20/0x28 /mnt/host/source/src/third_party/kernel/v3.18/arch/arm64/kernel/entry.S:690
Deallocation:
PID = 22296
 [<ffffffc00020acac>] save_stack_trace_tsk+0x0/0x128 /mnt/host/source/src/third_party/kernel/v3.18/arch/arm64/kernel/stacktrace.c:69
 [<ffffffc00020ae00>] save_stack_trace+0x2c/0x3c /mnt/host/source/src/third_party/kernel/v3.18/arch/arm64/kernel/stacktrace.c:127
 [<     inline     >] save_stack /mnt/host/source/src/third_party/kernel/v3.18/mm/kasan/kasan.c:476
 [<     inline     >] set_track /mnt/host/source/src/third_party/kernel/v3.18/mm/kasan/kasan.c:488
 [<ffffffc0003cead8>] kasan_slab_free+0xb4/0x194 /mnt/host/source/src/third_party/kernel/v3.18/mm/kasan/kasan.c:540
 [<     inline     >] __cache_free /mnt/host/source/src/third_party/kernel/v3.18/mm/slab.c:3344
 [<ffffffc0003cc910>] kmem_cache_free+0x9c/0x2e4 /mnt/host/source/src/third_party/kernel/v3.18/mm/slab.c:3545
 [<ffffffc000634a50>] put_io_context+0xf8/0x110 /mnt/host/source/src/third_party/kernel/v3.18/block/blk-ioc.c:154
 [<ffffffc000634b8c>] put_io_context_active+0x124/0x140 /mnt/host/source/src/third_party/kernel/v3.18/block/blk-ioc.c:171
 [<ffffffc000634c00>] exit_io_context+0x58/0x6c /mnt/host/source/src/third_party/kernel/v3.18/block/blk-ioc.c:210
 [<ffffffc000231dc0>] do_exit+0x1050/0x12f0 /mnt/host/source/src/third_party/kernel/v3.18/kernel/exit.c:807
 [<ffffffc000232188>] do_group_exit+0xcc/0x188 /mnt/host/source/src/third_party/kernel/v3.18/kernel/exit.c:892
 [<ffffffc0002450f4>] get_signal+0xb28/0xccc /mnt/host/source/src/third_party/kernel/v3.18/kernel/signal.c:2350
 [<ffffffc000209f78>] do_signal+0xf8/0x80c /mnt/host/source/src/third_party/kernel/v3.18/arch/arm64/kernel/signal.c:377
 [<ffffffc00020a9a8>] do_notify_resume+0x24/0x94 /mnt/host/source/src/third_party/kernel/v3.18/arch/arm64/kernel/signal.c:413
 [<ffffffc000204350>] work_pending+0x18/0x20 /mnt/host/source/src/third_party/kernel/v3.18/arch/arm64/kernel/entry.S:635
Memory state around the buggy address:
 ffffffc022d31400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffffffc022d31480: fb fb fb fc fc fc fc fc fc fc fc fb fb fb fb fb
>ffffffc022d31500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                               ^
 ffffffc022d31580: fb fb fc fc fc fc fc fc fc fc fb fb fb fb fb fb
 ffffffc022d31600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Comment 1 by dtapu...@chromium.org, Jan 8 2018

Components: OS>Kernel
►
Issue 643628 link

Issue metadata

KASAN reports a use-after-free in get_task_ioprio() on Pixel C

Issue description

Comment 1 by dtapu...@chromium.org, Jan 8 2018

Comment 1 Deleted

Sign in to add a comment
