TITLE: KASAN: use-after-free Read in nr_release
[ 334.230640][T12837] ==================================================================
[ 334.239022][T12837] BUG: KASAN: use-after-free in refcount_inc_not_zero_checked+0x81/0x200
[ 334.247436][T12837] Read of size 4 at addr ffff88808bb14200 by task syz-executor.5/12837
[ 334.255675][T12837]
[ 334.258012][T12837] CPU: 1 PID: 12837 Comm: syz-executor.5 Not tainted 5.1.0-rc5+ #72
[ 334.265985][T12837] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 334.276036][T12837] Call Trace:
[ 334.279336][T12837] dump_stack+0x172/0x1f0
[ 334.283672][T12837] ? refcount_inc_not_zero_checked+0x81/0x200
[ 334.289746][T12837] print_address_description.cold+0x7c/0x20d
[ 334.295757][T12837] ? refcount_inc_not_zero_checked+0x81/0x200
[ 334.301828][T12837] ? refcount_inc_not_zero_checked+0x81/0x200
[ 334.307919][T12837] kasan_report.cold+0x1b/0x40
[ 334.312691][T12837] ? refcount_inc_not_zero_checked+0x81/0x200
[ 334.318765][T12837] check_memory_region+0x123/0x190
[ 334.323883][T12837] kasan_check_read+0x11/0x20
[ 334.328562][T12837] refcount_inc_not_zero_checked+0x81/0x200
[ 334.334487][T12837] ? refcount_dec_and_mutex_lock+0x90/0x90
[ 334.340298][T12837] ? lock_acquire+0x16f/0x3f0
[ 334.344979][T12837] refcount_inc_checked+0x17/0x70
[ 334.350042][T12837] nr_release+0x62/0x3c0
[ 334.354311][T12837] __sock_release+0xd3/0x2b0
[ 334.358903][T12837] ? __sock_release+0x2b0/0x2b0
[ 334.363756][T12837] sock_close+0x1b/0x30
[ 334.367915][T12837] __fput+0x2e5/0x8d0
[ 334.371901][T12837] ____fput+0x16/0x20
[ 334.375888][T12837] task_work_run+0x14a/0x1c0
[ 334.380502][T12837] exit_to_usermode_loop+0x273/0x2c0
[ 334.385795][T12837] do_syscall_64+0x52d/0x610
[ 334.390397][T12837] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 334.396381][T12837] RIP: 0033:0x4129e1
[ 334.400278][T12837] Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 e4 1a 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
[ 334.420308][T12837] RSP: 002b:00007ffc18cd87a0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 334.428897][T12837] RAX: 0000000000000000 RBX: 0000000000000008 RCX: 00000000004129e1
[ 334.436898][T12837] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000007
[ 334.444876][T12837] RBP: 000000000073c900 R08: ffffffff8132caba R09: 00000000dd5371a4
[ 334.452853][T12837] R10: 00007ffc18cd8870 R11: 0000000000000293 R12: 0000000000000001
[ 334.460826][T12837] R13: 000000000073c900 R14: 0000000000051747 R15: 000000000073c0ec
[ 334.468837][T12837] ? __phys_addr+0x1a/0x120
[ 334.473346][T12837]
[ 334.475694][T12837] Allocated by task 12840:
[ 334.480117][T12837] save_stack+0x45/0xd0
[ 334.488181][T12837] __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 334.493809][T12837] kasan_kmalloc+0x9/0x10
[ 334.498129][T12837] __kmalloc+0x15c/0x740
[ 334.502364][T12837] sk_prot_alloc+0x19c/0x2e0
[ 334.506949][T12837] sk_alloc+0x39/0xf70
[ 334.511032][T12837] nr_create+0xb9/0x5e0
[ 334.515196][T12837] __sock_create+0x3e6/0x750
[ 334.519786][T12837] __sys_socket+0x103/0x220
[ 334.524281][T12837] __x64_sys_socket+0x73/0xb0
[ 334.528955][T12837] do_syscall_64+0x103/0x610
[ 334.533541][T12837] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 334.539416][T12837]
[ 334.541732][T12837] Freed by task 12837:
[ 334.545794][T12837] save_stack+0x45/0xd0
[ 334.549954][T12837] __kasan_slab_free+0x102/0x150
[ 334.554886][T12837] kasan_slab_free+0xe/0x10
[ 334.559480][T12837] kfree+0xcf/0x230
[ 334.563284][T12837] __sk_destruct+0x4f1/0x6d0
[ 334.567868][T12837] sk_destruct+0x7b/0x90
[ 334.572103][T12837] __sk_free+0xce/0x300
[ 334.576255][T12837] sk_free+0x42/0x50
[ 334.580159][T12837] nr_release+0x337/0x3c0
[ 334.584485][T12837] __sock_release+0xd3/0x2b0
[ 334.589069][T12837] sock_close+0x1b/0x30
[ 334.593215][T12837] __fput+0x2e5/0x8d0
[ 334.597649][T12837] ____fput+0x16/0x20
[ 334.601626][T12837] task_work_run+0x14a/0x1c0
[ 334.606208][T12837] exit_to_usermode_loop+0x273/0x2c0
[ 334.611491][T12837] do_syscall_64+0x52d/0x610
[ 334.616080][T12837] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 334.621956][T12837]
[ 334.624279][T12837] The buggy address belongs to the object at ffff88808bb14180
[ 334.624279][T12837] which belongs to the cache kmalloc-2k of size 2048
[ 334.638437][T12837] The buggy address is located 128 bytes inside of
[ 334.638437][T12837] 2048-byte region [ffff88808bb14180, ffff88808bb14980)
[ 334.651811][T12837] The buggy address belongs to the page:
[ 334.657467][T12837] page:ffffea00022ec500 count:1 mapcount:0 mapping:ffff88812c3f0c40 index:0xffff88808bb15280 compound_mapcount: 0
[ 334.669439][T12837] flags: 0x1fffc0000010200(slab|head)
[ 334.674830][T12837] raw: 01fffc0000010200 ffffea00022b2908 ffffea00025fea08 ffff88812c3f0c40
[ 334.683422][T12837] raw: ffff88808bb15280 ffff88808bb14180 0000000100000001 0000000000000000
[ 334.692002][T12837] page dumped because: kasan: bad access detected
[ 334.698404][T12837]
[ 334.701072][T12837] Memory state around the buggy address:
[ 334.706695][T12837] ffff88808bb14100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 334.714749][T12837] ffff88808bb14180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 334.723020][T12837] >ffff88808bb14200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 334.731589][T12837] ^
[ 334.735652][T12837] ffff88808bb14280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 334.743892][T12837] ffff88808bb14300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 334.751942][T12837] ==================================================================
[ 334.759990][T12837] Disabling lock debugging due to kernel taint
[ 334.795319][T12837] Kernel panic - not syncing: panic_on_warn set ...
[ 334.801951][T12837] CPU: 1 PID: 12837 Comm: syz-executor.5 Tainted: G B 5.1.0-rc5+ #72
[ 334.811310][T12837] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 334.821358][T12837] Call Trace:
[ 334.824661][T12837] dump_stack+0x172/0x1f0
[ 334.829024][T12837] panic+0x2cb/0x65c
[ 334.832913][T12837] ? __warn_printk+0xf3/0xf3
[ 334.837498][T12837] ? refcount_inc_not_zero_checked+0x81/0x200
[ 334.843559][T12837] ? preempt_schedule+0x4b/0x60
[ 334.848403][T12837] ? ___preempt_schedule+0x16/0x18
[ 334.853520][T12837] ? trace_hardirqs_on+0x5e/0x230
[ 334.858546][T12837] ? refcount_inc_not_zero_checked+0x81/0x200
[ 334.864600][T12837] end_report+0x47/0x4f
[ 334.868748][T12837] ? refcount_inc_not_zero_checked+0x81/0x200
[ 334.874806][T12837] kasan_report.cold+0xe/0x40
[ 334.879481][T12837] ? refcount_inc_not_zero_checked+0x81/0x200
[ 334.885538][T12837] check_memory_region+0x123/0x190
[ 334.890643][T12837] kasan_check_read+0x11/0x20
[ 334.895308][T12837] refcount_inc_not_zero_checked+0x81/0x200
[ 334.901189][T12837] ? refcount_dec_and_mutex_lock+0x90/0x90
[ 334.906985][T12837] ? lock_acquire+0x16f/0x3f0
[ 334.911652][T12837] refcount_inc_checked+0x17/0x70
[ 334.916670][T12837] nr_release+0x62/0x3c0
[ 334.920911][T12837] __sock_release+0xd3/0x2b0
[ 334.925491][T12837] ? __sock_release+0x2b0/0x2b0
[ 334.930352][T12837] sock_close+0x1b/0x30
[ 334.934501][T12837] __fput+0x2e5/0x8d0
[ 334.938499][T12837] ____fput+0x16/0x20
[ 334.942479][T12837] task_work_run+0x14a/0x1c0
[ 334.947693][T12837] exit_to_usermode_loop+0x273/0x2c0
[ 334.952991][T12837] do_syscall_64+0x52d/0x610
[ 334.957580][T12837] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 334.963472][T12837] RIP: 0033:0x4129e1
[ 334.967366][T12837] Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 e4 1a 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
[ 334.986969][T12837] RSP: 002b:00007ffc18cd87a0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 334.995374][T12837] RAX: 0000000000000000 RBX: 0000000000000008 RCX: 00000000004129e1
[ 335.003342][T12837] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000007
[ 335.011302][T12837] RBP: 000000000073c900 R08: ffffffff8132caba R09: 00000000dd5371a4
[ 335.019268][T12837] R10: 00007ffc18cd8870 R11: 0000000000000293 R12: 0000000000000001
[ 335.027246][T12837] R13: 000000000073c900 R14: 0000000000051747 R15: 000000000073c0ec
[ 335.035229][T12837] ? __phys_addr+0x1a/0x120
[ 335.040476][T12837] Kernel Offset: disabled
[ 335.044832][T12837] Rebooting in 86400 seconds..