From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932087AbcFNWBm (ORCPT ); Tue, 14 Jun 2016 18:01:42 -0400
Received: from aserp1040.oracle.com ([141.146.126.69]:35593 "EHLO aserp1040.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752181AbcFNWBk (ORCPT ); Tue, 14 Jun 2016 18:01:40 -0400
To: Michel Lespinasse , LKML , "linux-mm@kvack.org"
From: Sasha Levin
Subject: mm: BUG: KASAN: use-after-free in unmapped_area_topdown
Message-ID: <57607EBF.60005@oracle.com>
Date: Tue, 14 Jun 2016 18:01:35 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.6.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-Source-IP: userv0022.oracle.com [156.151.31.74]
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

Hi all,

I've hit the following while fuzzing with syzkaller inside a KVM tools guest running the latest -next kernel:

[ 1292.662270] BUG: KASAN: use-after-free in unmapped_area_topdown+0x402/0x5a0 at addr ffff8801c58b7038
[ 1292.662285] Read of size 8 by task syz-executor/23061
[ 1292.662312] CPU: 4 PID: 23061 Comm: syz-executor Not tainted 4.7.0-rc3-next-20160614-sasha-00032-g8e3c1a2-dirty #3105
[ 1292.662336]  1ffff10016b04f32 0000000081187c24 ffff8800b5827a18 ffffffffa402fb57
[ 1292.662347]  ffffffff00000004 fffffbfff5e30bac 0000000041b58ab3 ffffffffaeafca90
[ 1292.662357]  ffffffffa402f9e8 ffff8800b58279e0 ffffffffa2697745 0000000081187c24
[ 1292.662360] Call Trace:
[ 1292.662406]  dump_stack (lib/dump_stack.c:53)
[ 1292.662463]  kasan_report_error (mm/kasan/report.c:139 mm/kasan/report.c:178 mm/kasan/report.c:274)
[ 1292.662489]  __asan_report_load8_noabort (mm/kasan/report.c:317)
[ 1292.662515]  unmapped_area_topdown (mm/mmap.c:1750)
[ 1292.662542]  arch_get_unmapped_area_topdown (include/linux/mm.h:2077 arch/x86/kernel/sys_x86_64.c:203)
[ 1292.662603]  get_unmapped_area (mm/mmap.c:1915)
[ 1292.662615]  do_mmap (mm/mmap.c:1184)
[ 1292.662626]  vm_mmap_pgoff (mm/util.c:304)
[ 1292.662674]  SyS_mmap_pgoff (mm/mmap.c:1337 mm/mmap.c:1295)
[ 1292.662752]  SyS_mmap (arch/x86/kernel/sys_x86_64.c:86)
[ 1292.662772]  do_syscall_64 (arch/x86/entry/common.c:350)
[ 1292.662833]  entry_SYSCALL64_slow_path (arch/x86/entry/entry_64.S:251)
[ 1292.662841] Object at ffff8801c58b7000, in cache vm_area_struct
[ 1292.662844] Object allocated with size 192 bytes.
[ 1292.662846] Allocation:
[ 1292.662849] PID = 10741
[ 1292.662869]  save_stack_trace (arch/x86/kernel/stacktrace.c:68)
[ 1292.662882]  save_stack (mm/kasan/kasan.c:478 mm/kasan/kasan.c:499)
[ 1292.662893]  kasan_kmalloc (mm/kasan/kasan.c:510 mm/kasan/kasan.c:616)
[ 1292.662905]  kasan_slab_alloc (mm/kasan/kasan.c:534)
[ 1292.662917]  kmem_cache_alloc (mm/slab.h:419 include/linux/memcontrol.h:781 mm/slab.h:422 mm/slub.c:2696 mm/slub.c:2704 mm/slub.c:2709)
[ 1292.662933]  copy_process (kernel/fork.c:463 kernel/fork.c:970 kernel/fork.c:1024 kernel/fork.c:1490)
[ 1292.662945]  _do_fork (kernel/fork.c:1775)
[ 1292.662956]  SyS_clone (kernel/fork.c:1872)
[ 1292.662967]  do_syscall_64 (arch/x86/entry/common.c:350)
[ 1292.662981]  return_from_SYSCALL_64 (arch/x86/entry/entry_64.S:251)
[ 1292.662983] Memory state around the buggy address:
[ 1292.663000]  ffff8801c58b6f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1292.663008]  ffff8801c58b6f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1292.663016] >ffff8801c58b7000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1292.663020]                                         ^
[ 1292.663028]  ffff8801c58b7080: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 1292.663035]  ffff8801c58b7100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
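The "Memory state" block at the end of the report is the part that tells a triager what kind of memory the faulting read actually touched: each shadow byte describes 8 bytes of kernel memory, and the poison value 0xfb marks a kmalloc object that has already been freed. The decoder below is an added example and is not part of Sasha's mail or of the kernel tree; it parses the report lines quoted above, looks up the shadow byte covering the faulting address, and reports where inside the freed vm_area_struct the read landed. The poison values are those of mm/kasan/kasan.h in kernels of this era; the regular expressions, field names and the triage() summary are this example's own.

```python
"""Decode the shadow-memory section of a KASAN report (added triage helper)."""
import re

KASAN_SHADOW_SCALE = 8  # one shadow byte covers 8 bytes of kernel memory

# Poison values as defined in mm/kasan/kasan.h of 4.7-era kernels.
SHADOW_POISON = {
    0xf1: "stack left redzone (KASAN_STACK_LEFT)",
    0xf2: "stack mid redzone (KASAN_STACK_MID)",
    0xf3: "stack right redzone (KASAN_STACK_RIGHT)",
    0xf4: "stack partial redzone (KASAN_STACK_PARTIAL)",
    0xfa: "global redzone (KASAN_GLOBAL_REDZONE)",
    0xfb: "freed kmalloc object (KASAN_KMALLOC_FREE)",
    0xfc: "kmalloc redzone (KASAN_KMALLOC_REDZONE)",
    0xfe: "page redzone (KASAN_PAGE_REDZONE)",
    0xff: "freed page (KASAN_FREE_PAGE)",
}

# The relevant lines of the report from this mail (the call traces are
# not needed by the decoder and are left out).
SAMPLE_REPORT = """\
[ 1292.662270] BUG: KASAN: use-after-free in unmapped_area_topdown+0x402/0x5a0 at addr ffff8801c58b7038
[ 1292.662285] Read of size 8 by task syz-executor/23061
[ 1292.662841] Object at ffff8801c58b7000, in cache vm_area_struct
[ 1292.662844] Object allocated with size 192 bytes.
[ 1292.662983] Memory state around the buggy address:
[ 1292.663000]  ffff8801c58b6f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1292.663008]  ffff8801c58b6f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1292.663016] >ffff8801c58b7000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1292.663020]                                         ^
[ 1292.663028]  ffff8801c58b7080: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 1292.663035]  ffff8801c58b7100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

_TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")          # dmesg timestamp prefix
_BUG = re.compile(r"BUG: KASAN: (\S+) in (\S+) at addr ([0-9a-f]+)")
_ACCESS = re.compile(r"(Read|Write) of size (\d+) by task (\S+)")
_OBJECT = re.compile(r"Object at ([0-9a-f]+), in cache (\S+)")
_OBJSIZE = re.compile(r"Object allocated with size (\d+) bytes")
_SHADOW = re.compile(r"^>?\s*([0-9a-f]{16}):((?: [0-9a-f]{2})+)\s*$")


def parse_report(text):
    """Pull the fields needed for triage out of a KASAN report."""
    info = {"shadow": {}}
    for raw in text.splitlines():
        line = _TS.sub("", raw)
        m = _BUG.search(line)
        if m:
            info.update(kind=m.group(1), function=m.group(2), addr=int(m.group(3), 16))
            continue
        m = _ACCESS.search(line)
        if m:
            info.update(op=m.group(1), size=int(m.group(2)), task=m.group(3))
            continue
        m = _OBJECT.search(line)
        if m:
            info.update(object_base=int(m.group(1), 16), cache=m.group(2))
            continue
        m = _OBJSIZE.search(line)
        if m:
            info["object_size"] = int(m.group(1))
            continue
        m = _SHADOW.match(line)
        if m:
            info["shadow"][int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
    return info


def decode_shadow(byte, addr):
    """Explain one shadow byte for the given address."""
    if byte == 0:
        return "addressable"
    if byte < KASAN_SHADOW_SCALE:  # 1..7: only the first N bytes of the granule are valid
        if (addr & (KASAN_SHADOW_SCALE - 1)) < byte:
            return "addressable (partial granule, first %d bytes valid)" % byte
        return "out of bounds (partial granule, only first %d bytes valid)" % byte
    return SHADOW_POISON.get(byte, "unknown poison 0x%02x" % byte)


def shadow_byte_for(shadow, addr):
    """Look up the shadow byte covering addr in the 'Memory state' rows."""
    span = 16 * KASAN_SHADOW_SCALE  # each row lists 16 shadow bytes = 128 bytes of memory
    for base, row in shadow.items():
        if base <= addr < base + span:
            return row[(addr - base) // KASAN_SHADOW_SCALE]
    return None


def triage(text):
    """Summarise why KASAN flagged the access in the report."""
    r = parse_report(text)
    addr = r["addr"]
    sb = shadow_byte_for(r["shadow"], addr)
    out = {
        "kind": r["kind"],
        "function": r["function"],
        "access": "%s of %d bytes" % (r["op"], r["size"]),
        "shadow_byte": sb,
        "shadow_meaning": decode_shadow(sb, addr) if sb is not None else "not shown",
    }
    if "object_base" in r:
        off = addr - r["object_base"]
        out["cache"] = r["cache"]
        out["object_offset"] = off
        out["object_size"] = r.get("object_size")
        out["within_object"] = 0 <= off < r.get("object_size", 0)
    # 0xfb means the granule belongs to a kmalloc object that was already freed,
    # so some path kept a pointer to it past its lifetime (here a vm_area_struct).
    out["freed_object_access"] = sb == 0xfb
    return out


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print("%-20s %s" % (key, value))
```

For this report the decoder resolves the faulting address to shadow byte 7 of the ">ffff8801c58b7000" row, poisoned 0xfb, at offset 0x38 into a 192-byte vm_area_struct: the read in unmapped_area_topdown is of a VMA that has already been returned to the slab, which is what the caret line marks by eye. The same lookup works on any KASAN report that prints the memory-state rows, including the partial-granule values 1 to 7 that the `^` marker alone does not explain.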