[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20171213000404.GA62138@gmail.com>
Date: Tue, 12 Dec 2017 16:04:04 -0800
From: Eric Biggers <ebiggers3@...il.com>
To: syzbot
<bot+f2a32269c7d88a3653ef36f3d516f19ece83fdb5@...kaller.appspotmail.com>
Cc: dan.carpenter@...cle.com, gregkh@...uxfoundation.org,
hdegoede@...hat.com, linux-kernel@...r.kernel.org,
linux-usb@...r.kernel.org, mateuszb@...tmail.fm, mingo@...nel.org,
mingo@...hat.com, peterz@...radead.org, stern@...land.harvard.edu,
syzkaller-bugs@...glegroups.com, viro@...iv.linux.org.uk,
vskrishn@...eaurora.org, yamada.masahiro@...ionext.com
Subject: Re: KASAN: use-after-free Read in __lock_acquire (2)
On Sat, Dec 02, 2017 at 08:08:01AM -0800, syzbot wrote:
> Allocated by task 3086:
> save_stack+0x43/0xd0 mm/kasan/kasan.c:447
> set_track mm/kasan/kasan.c:459 [inline]
> kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
> kmem_cache_alloc_trace+0x136/0x750 mm/slab.c:3613
> kmalloc include/linux/slab.h:499 [inline]
> kzalloc include/linux/slab.h:688 [inline]
> binder_get_thread+0x1cf/0x870 drivers/android/binder.c:4184
> binder_poll+0x8c/0x390 drivers/android/binder.c:4286
> ep_item_poll.isra.10+0xec/0x320 fs/eventpoll.c:884
> ep_insert+0x6a3/0x1b10 fs/eventpoll.c:1455
> SYSC_epoll_ctl fs/eventpoll.c:2106 [inline]
> SyS_epoll_ctl+0x12e4/0x1ab0 fs/eventpoll.c:1992
> do_syscall_32_irqs_on arch/x86/entry/common.c:327 [inline]
> do_fast_syscall_32+0x3ee/0xf9d arch/x86/entry/common.c:389
> entry_SYSENTER_compat+0x51/0x60 arch/x86/entry/entry_64_compat.S:125
>
> Freed by task 3086:
> save_stack+0x43/0xd0 mm/kasan/kasan.c:447
> set_track mm/kasan/kasan.c:459 [inline]
> kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
> __cache_free mm/slab.c:3491 [inline]
> kfree+0xca/0x250 mm/slab.c:3806
> binder_free_thread drivers/android/binder.c:4211 [inline]
> binder_thread_dec_tmpref+0x27f/0x310 drivers/android/binder.c:1808
> binder_thread_release+0x27d/0x540 drivers/android/binder.c:4275
> binder_ioctl+0xc05/0x141a drivers/android/binder.c:4492
> C_SYSC_ioctl fs/compat_ioctl.c:1473 [inline]
> compat_SyS_ioctl+0x151/0x2a30 fs/compat_ioctl.c:1419
> do_syscall_32_irqs_on arch/x86/entry/common.c:327 [inline]
> do_fast_syscall_32+0x3ee/0xf9d arch/x86/entry/common.c:389
> entry_SYSENTER_compat+0x51/0x60 arch/x86/entry/entry_64_compat.S:125
>
This is a bug in the "binder" driver: binder_poll() tells the poll system to use
a waitqueue which can be freed before the file is closed. I'll send this to the
binder maintainers and take lockdep maintainers, USB maintainers, etc. off Cc.
Eric
Powered by blists - more mailing lists