pkg/report/testdata/linux/report/149 - platform/external/syzkaller - Git at Google

 TITLE: KASAN: use-after-free Read in __queue_work

 [ 1140.689311] ==================================================================
 [ 1140.696784] BUG: KASAN: use-after-free in work_is_static_object+0x39/0x40
 [ 1140.703711] Read of size 8 at addr ffff8801beca5788 by task syz-executor2/12922
 [ 1140.711147]
 [ 1140.712770] CPU: 0 PID: 12922 Comm: syz-executor2 Not tainted 4.15.0-rc5+ #178
 [ 1140.720123] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 [ 1140.729462] Call Trace:
 [ 1140.732034]  dump_stack+0x194/0x257
 [ 1140.735659]  ? arch_local_irq_restore+0x53/0x53
 [ 1140.740300]  ? show_regs_print_info+0x18/0x18
 [ 1140.744769]  ? lock_release+0xa40/0xa40
 [ 1140.748714]  ? debug_check_no_locks_freed+0x3c0/0x3c0
 [ 1140.753877]  ? work_is_static_object+0x39/0x40
 [ 1140.758436]  print_address_description+0x73/0x250
 [ 1140.763254]  ? work_is_static_object+0x39/0x40
 [ 1140.767810]  kasan_report+0x25b/0x340
 [ 1140.771589]  __asan_report_load8_noabort+0x14/0x20
 [ 1140.776492]  work_is_static_object+0x39/0x40
 [ 1140.780875]  debug_object_activate+0x36f/0x730
 [ 1140.785434]  ? debug_object_assert_init+0x570/0x570
 [ 1140.790424]  ? trace_hardirqs_on+0xd/0x10
 [ 1140.794550]  ? __debug_object_init+0x235/0x1040
 [ 1140.799193]  ? save_stack+0x43/0xd0
 [ 1140.802802]  __queue_work+0x163/0x1230
 [ 1140.806661]  ? __queue_work+0x163/0x1230
 [ 1140.810704]  ? retint_kernel+0x10/0x10
 [ 1140.814578]  ? insert_work+0x5f0/0x5f0
 [ 1140.818702]  ? retint_kernel+0x10/0x10
 [ 1140.823880]  ? find_held_lock+0x35/0x1d0
 [ 1140.829619]  ? kcm_ioctl+0x823/0x1690
 [ 1140.833394]  ? lock_downgrade+0x980/0x980
 [ 1140.837514]  ? kcm_rcv_strparser+0x9a0/0x9a0
 [ 1140.841894]  ? lock_release+0xa40/0xa40
 [ 1140.845842]  ? strp_check_rcv+0x30/0x30
 [ 1140.849789]  ? __local_bh_enable_ip+0x121/0x230
 [ 1140.854435]  queue_work_on+0x16a/0x1c0
 [ 1140.858299]  strp_check_rcv+0x25/0x30
 [ 1140.862071]  kcm_ioctl+0x82f/0x1690
 [ 1140.865676]  ? kcm_unattach+0x1510/0x1510
 [ 1140.869796]  ? avc_ss_reset+0x110/0x110
 [ 1140.873740]  ? lock_downgrade+0x980/0x980
 [ 1140.877863]  ? lock_release+0xa40/0xa40
 [ 1140.881811]  ? __lock_is_held+0xb6/0x140
 [ 1140.885871]  sock_do_ioctl+0x65/0xb0
 [ 1140.889563]  sock_ioctl+0x2c2/0x440
 [ 1140.893163]  ? dlci_ioctl_set+0x40/0x40
 [ 1140.897110]  do_vfs_ioctl+0x1b1/0x1520
 [ 1140.900970]  ? _cond_resched+0x14/0x30
 [ 1140.904848]  ? ioctl_preallocate+0x2b0/0x2b0
 [ 1140.909231]  ? selinux_capable+0x40/0x40
 [ 1140.913278]  ? SyS_futex+0x269/0x390
 [ 1140.916980]  ? security_file_ioctl+0x89/0xb0
 [ 1140.921364]  SyS_ioctl+0x8f/0xc0
 [ 1140.924708]  entry_SYSCALL_64_fastpath+0x23/0x9a
 [ 1140.929431] RIP: 0033:0x452ac9
 [ 1140.932591] RSP: 002b:00007f1bbd860c58 EFLAGS: 00000212 ORIG_RAX: 0000000000000010
 [ 1140.940270] RAX: ffffffffffffffda RBX: 000000000071bea0 RCX: 0000000000452ac9
 [ 1140.947516] RDX: 0000000020954ff8 RSI: 00000000000089e0 RDI: 0000000000000017
 [ 1140.954760] RBP: 000000000000057b R08: 0000000000000000 R09: 0000000000000000
 [ 1140.962002] R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006f6428
 [ 1140.969251] R13: 00000000ffffffff R14: 00007f1bbd8616d4 R15: 0000000000000000
 [ 1140.976508]
 [ 1140.978108] Allocated by task 12922:
 [ 1140.981797]  save_stack+0x43/0xd0
 [ 1140.985220]  kasan_kmalloc+0xad/0xe0
 [ 1140.988907]  kasan_slab_alloc+0x12/0x20
 [ 1140.992851]  kmem_cache_alloc+0x12e/0x760
 [ 1140.996968]  kcm_ioctl+0x2d2/0x1690
 [ 1141.000566]  sock_do_ioctl+0x65/0xb0
 [ 1141.004248]  sock_ioctl+0x2c2/0x440
 [ 1141.007846]  do_vfs_ioctl+0x1b1/0x1520
 [ 1141.011707]  SyS_ioctl+0x8f/0xc0
 [ 1141.015054]  entry_SYSCALL_64_fastpath+0x23/0x9a
 [ 1141.019779]
 [ 1141.021376] Freed by task 12929:
 [ 1141.024714]  save_stack+0x43/0xd0
 [ 1141.028135]  kasan_slab_free+0x71/0xc0
 [ 1141.031991]  kmem_cache_free+0x83/0x2a0
 [ 1141.035941]  kcm_unattach+0xe53/0x1510
 [ 1141.039797]  kcm_ioctl+0xe54/0x1690
 [ 1141.043393]  sock_do_ioctl+0x65/0xb0
 [ 1141.047078]  sock_ioctl+0x2c2/0x440
 [ 1141.050673]  do_vfs_ioctl+0x1b1/0x1520
 [ 1141.054529]  SyS_ioctl+0x8f/0xc0
 [ 1141.057866]  entry_SYSCALL_64_fastpath+0x23/0x9a
 [ 1141.062586]
 [ 1141.064186] The buggy address belongs to the object at ffff8801beca56c0
 [ 1141.064186]  which belongs to the cache kcm_psock_cache of size 544
 [ 1141.077163] The buggy address is located 200 bytes inside of
 [ 1141.077163]  544-byte region [ffff8801beca56c0, ffff8801beca58e0)
 [ 1141.089015] The buggy address belongs to the page:
 [ 1141.093923] page:000000005180a80a count:1 mapcount:0 mapping:0000000058aa9a5c index:0x0 compound_mapcount: 0
 [ 1141.103862] flags: 0x2fffc0000008100(slab|head)
 [ 1141.108503] raw: 02fffc0000008100 ffff8801beca40c0 0000000000000000 000000010000000b
 [ 1141.116357] raw: ffff8801d31e8a48 ffff8801d31e8a48 ffff8801d3f6a380 0000000000000000
 [ 1141.124206] page dumped because: kasan: bad access detected
 [ 1141.129888]
 [ 1141.131492] Memory state around the buggy address:
 [ 1141.136397]  ffff8801beca5680: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
 [ 1141.143734]  ffff8801beca5700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 [ 1141.151076] >ffff8801beca5780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 [ 1141.158418]                       ^
 [ 1141.162028]  ffff8801beca5800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 [ 1141.169364]  ffff8801beca5880: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
 [ 1141.176691] ==================================================================
	TITLE: KASAN: use-after-free Read in __queue_work

	[ 1140.689311] ==================================================================
	[ 1140.696784] BUG: KASAN: use-after-free in work_is_static_object+0x39/0x40
	[ 1140.703711] Read of size 8 at addr ffff8801beca5788 by task syz-executor2/12922
	[ 1140.711147]
	[ 1140.712770] CPU: 0 PID: 12922 Comm: syz-executor2 Not tainted 4.15.0-rc5+ #178
	[ 1140.720123] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
	[ 1140.729462] Call Trace:
	[ 1140.732034] dump_stack+0x194/0x257
	[ 1140.735659] ? arch_local_irq_restore+0x53/0x53
	[ 1140.740300] ? show_regs_print_info+0x18/0x18
	[ 1140.744769] ? lock_release+0xa40/0xa40
	[ 1140.748714] ? debug_check_no_locks_freed+0x3c0/0x3c0
	[ 1140.753877] ? work_is_static_object+0x39/0x40
	[ 1140.758436] print_address_description+0x73/0x250
	[ 1140.763254] ? work_is_static_object+0x39/0x40
	[ 1140.767810] kasan_report+0x25b/0x340
	[ 1140.771589] __asan_report_load8_noabort+0x14/0x20
	[ 1140.776492] work_is_static_object+0x39/0x40
	[ 1140.780875] debug_object_activate+0x36f/0x730
	[ 1140.785434] ? debug_object_assert_init+0x570/0x570
	[ 1140.790424] ? trace_hardirqs_on+0xd/0x10
	[ 1140.794550] ? __debug_object_init+0x235/0x1040
	[ 1140.799193] ? save_stack+0x43/0xd0
	[ 1140.802802] __queue_work+0x163/0x1230
	[ 1140.806661] ? __queue_work+0x163/0x1230
	[ 1140.810704] ? retint_kernel+0x10/0x10
	[ 1140.814578] ? insert_work+0x5f0/0x5f0
	[ 1140.818702] ? retint_kernel+0x10/0x10
	[ 1140.823880] ? find_held_lock+0x35/0x1d0
	[ 1140.829619] ? kcm_ioctl+0x823/0x1690
	[ 1140.833394] ? lock_downgrade+0x980/0x980
	[ 1140.837514] ? kcm_rcv_strparser+0x9a0/0x9a0
	[ 1140.841894] ? lock_release+0xa40/0xa40
	[ 1140.845842] ? strp_check_rcv+0x30/0x30
	[ 1140.849789] ? __local_bh_enable_ip+0x121/0x230
	[ 1140.854435] queue_work_on+0x16a/0x1c0
	[ 1140.858299] strp_check_rcv+0x25/0x30
	[ 1140.862071] kcm_ioctl+0x82f/0x1690
	[ 1140.865676] ? kcm_unattach+0x1510/0x1510
	[ 1140.869796] ? avc_ss_reset+0x110/0x110
	[ 1140.873740] ? lock_downgrade+0x980/0x980
	[ 1140.877863] ? lock_release+0xa40/0xa40
	[ 1140.881811] ? __lock_is_held+0xb6/0x140
	[ 1140.885871] sock_do_ioctl+0x65/0xb0
	[ 1140.889563] sock_ioctl+0x2c2/0x440
	[ 1140.893163] ? dlci_ioctl_set+0x40/0x40
	[ 1140.897110] do_vfs_ioctl+0x1b1/0x1520
	[ 1140.900970] ? _cond_resched+0x14/0x30
	[ 1140.904848] ? ioctl_preallocate+0x2b0/0x2b0
	[ 1140.909231] ? selinux_capable+0x40/0x40
	[ 1140.913278] ? SyS_futex+0x269/0x390
	[ 1140.916980] ? security_file_ioctl+0x89/0xb0
	[ 1140.921364] SyS_ioctl+0x8f/0xc0
	[ 1140.924708] entry_SYSCALL_64_fastpath+0x23/0x9a
	[ 1140.929431] RIP: 0033:0x452ac9
	[ 1140.932591] RSP: 002b:00007f1bbd860c58 EFLAGS: 00000212 ORIG_RAX: 0000000000000010
	[ 1140.940270] RAX: ffffffffffffffda RBX: 000000000071bea0 RCX: 0000000000452ac9
	[ 1140.947516] RDX: 0000000020954ff8 RSI: 00000000000089e0 RDI: 0000000000000017
	[ 1140.954760] RBP: 000000000000057b R08: 0000000000000000 R09: 0000000000000000
	[ 1140.962002] R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006f6428
	[ 1140.969251] R13: 00000000ffffffff R14: 00007f1bbd8616d4 R15: 0000000000000000
	[ 1140.976508]
	[ 1140.978108] Allocated by task 12922:
	[ 1140.981797] save_stack+0x43/0xd0
	[ 1140.985220] kasan_kmalloc+0xad/0xe0
	[ 1140.988907] kasan_slab_alloc+0x12/0x20
	[ 1140.992851] kmem_cache_alloc+0x12e/0x760
	[ 1140.996968] kcm_ioctl+0x2d2/0x1690
	[ 1141.000566] sock_do_ioctl+0x65/0xb0
	[ 1141.004248] sock_ioctl+0x2c2/0x440
	[ 1141.007846] do_vfs_ioctl+0x1b1/0x1520
	[ 1141.011707] SyS_ioctl+0x8f/0xc0
	[ 1141.015054] entry_SYSCALL_64_fastpath+0x23/0x9a
	[ 1141.019779]
	[ 1141.021376] Freed by task 12929:
	[ 1141.024714] save_stack+0x43/0xd0
	[ 1141.028135] kasan_slab_free+0x71/0xc0
	[ 1141.031991] kmem_cache_free+0x83/0x2a0
	[ 1141.035941] kcm_unattach+0xe53/0x1510
	[ 1141.039797] kcm_ioctl+0xe54/0x1690
	[ 1141.043393] sock_do_ioctl+0x65/0xb0
	[ 1141.047078] sock_ioctl+0x2c2/0x440
	[ 1141.050673] do_vfs_ioctl+0x1b1/0x1520
	[ 1141.054529] SyS_ioctl+0x8f/0xc0
	[ 1141.057866] entry_SYSCALL_64_fastpath+0x23/0x9a
	[ 1141.062586]
	[ 1141.064186] The buggy address belongs to the object at ffff8801beca56c0
	[ 1141.064186] which belongs to the cache kcm_psock_cache of size 544
	[ 1141.077163] The buggy address is located 200 bytes inside of
	[ 1141.077163] 544-byte region [ffff8801beca56c0, ffff8801beca58e0)
	[ 1141.089015] The buggy address belongs to the page:
	[ 1141.093923] page:000000005180a80a count:1 mapcount:0 mapping:0000000058aa9a5c index:0x0 compound_mapcount: 0
	[ 1141.103862] flags: 0x2fffc0000008100(slab\|head)
	[ 1141.108503] raw: 02fffc0000008100 ffff8801beca40c0 0000000000000000 000000010000000b
	[ 1141.116357] raw: ffff8801d31e8a48 ffff8801d31e8a48 ffff8801d3f6a380 0000000000000000
	[ 1141.124206] page dumped because: kasan: bad access detected
	[ 1141.129888]
	[ 1141.131492] Memory state around the buggy address:
	[ 1141.136397] ffff8801beca5680: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
	[ 1141.143734] ffff8801beca5700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
	[ 1141.151076] >ffff8801beca5780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
	[ 1141.158418] ^
	[ 1141.162028] ffff8801beca5800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
	[ 1141.169364] ffff8801beca5880: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
	[ 1141.176691] ==================================================================