On Tue, Oct 17, 2017 at 5:38 PM, Chase Bertke <ceb2817@xxxxxxxxx> wrote: > Hello, > > I would like to report a bug found via syzkaller on version 4.13.0-rc4. I > have searched the syzkaller mailing list and did not see any other reports > for this bug. > > Please see below: > > ================================================================== > BUG: KASAN: use-after-free in do_get_mempolicy+0x1d4/0x740 > Read of size 8 at addr ffff88006d32fb28 by task syz-executor0/1422 > > CPU: 0 PID: 1422 Comm: syz-executor0 Not tainted 4.13.0-rc4+ #0 > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS > Ubuntu-1.8.2-1ubuntu1 04/01/2014 > Call Trace: > dump_stack+0x83/0xb7 > print_address_description+0x6b/0x280 > kasan_report+0x260/0x340 > __asan_load8+0x54/0x90 > do_get_mempolicy+0x1d4/0x740 > SyS_get_mempolicy+0xcf/0x180 > entry_SYSCALL_64_fastpath+0x1a/0xa5 > RIP: 0033:0x4512e9 > RSP: 002b:00007f17246b4c08 EFLAGS: 00000216 ORIG_RAX: 00000000000000ef > RAX: ffffffffffffffda RBX: 0000000000000012 RCX: 00000000004512e9 > RDX: 0000000049ee0985 RSI: 0000000020006ff8 RDI: 0000000020002ffc > RBP: 0000000000ebaca0 R08: 0000000000000003 R09: 0000000000000000 > R10: 0000000020004000 R11: 0000000000000216 R12: 0000000000000012 > R13: 0000000000000001 R14: 00000000006f1340 R15: 0000000000000002 > > Allocated by task 1421: > save_stack_trace+0x16/0x20 > save_stack+0x46/0xd0 > kasan_kmalloc+0xad/0xe0 > kasan_slab_alloc+0x12/0x20 > kmem_cache_alloc+0xa8/0x170 > __mpol_dup+0x78/0x1e0 > do_mbind+0x591/0x7d0 > SyS_mbind+0x13d/0x150 > entry_SYSCALL_64_fastpath+0x1a/0xa5 > > Freed by task 1421: > save_stack_trace+0x16/0x20 > save_stack+0x46/0xd0 > kasan_slab_free+0x70/0xc0 > kmem_cache_free+0x69/0x1a0 > __mpol_put+0x33/0x40 > do_mbind+0x639/0x7d0 > SyS_mbind+0x13d/0x150 > entry_SYSCALL_64_fastpath+0x1a/0xa5 > > The buggy address belongs to the object at ffff88006d32fb18 > which belongs to the cache numa_policy of size 24 > The buggy address is located 16 bytes inside of > 24-byte region [ffff88006d32fb18, ffff88006d32fb30) > The buggy address belongs to the page: > page:ffffea0001b4cbc0 count:1 mapcount:0 mapping: (null) > index:0xffff88006d32f1e0 > flags: 0x500000000000100(slab) > raw: 0500000000000100 0000000000000000 ffff88006d32f1e0 000000018066005a > raw: dead000000000100 dead000000000200 ffff88003e80ea00 0000000000000000 > page dumped because: kasan: bad access detected > > Memory state around the buggy address: > ffff88006d32fa00: 00 00 00 fc fc fb fb fb fc fc fb fb fb fc fc 00 > ffff88006d32fa80: 00 00 fc fc 00 00 00 fc fc 00 00 00 fc fc fb fb >>ffff88006d32fb00: fb fc fc fb fb fb fc fc fb fb fb fc fc fb fb fb > ^ > ffff88006d32fb80: fc fc fb fb fb fc fc fb fb fb fc fc fb fb fb fc > ffff88006d32fc00: fc fb fb fb fc fc fb fb fb fc fc fb fb fb fc fc > ================================================================== > > Report and log attached. > > Thank you, > Chase +mm mailing list and maintainers Chase, you can find some info on how to find right kernel maintainers here: https://github.com/google/syzkaller/blob/master/docs/linux_kernel_reporting_bugs.md -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@xxxxxxxxx. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: <a href=mailto:"dont@xxxxxxxxx";> email@xxxxxxxxx </a>
