From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752860AbdLMAEO (ORCPT ); Tue, 12 Dec 2017 19:04:14 -0500
Received: from mail-io0-f180.google.com ([209.85.223.180]:34808 "EHLO mail-io0-f180.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752779AbdLMAEJ (ORCPT ); Tue, 12 Dec 2017 19:04:09 -0500
X-Google-Smtp-Source: ACJfBov5mLopAIwHj7NPRz69+/Bb0ezQcPJExMQIDIINnrvRGFNTW7hFjsvY+aQMwzeJjc2jXxBB2A==
Date: Tue, 12 Dec 2017 16:04:04 -0800
From: Eric Biggers
To: syzbot
Cc: dan.carpenter@oracle.com, gregkh@linuxfoundation.org, hdegoede@redhat.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, mateuszb@fastmail.fm, mingo@kernel.org, mingo@redhat.com, peterz@infradead.org, stern@rowland.harvard.edu, syzkaller-bugs@googlegroups.com, viro@zeniv.linux.org.uk, vskrishn@codeaurora.org, yamada.masahiro@socionext.com
Subject: Re: KASAN: use-after-free Read in __lock_acquire (2)
Message-ID: <20171213000404.GA62138@gmail.com>
References: <001a1147c73265e0a2055e43711e@google.com> <001a1149750a83b8db055f5db0d2@google.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <001a1149750a83b8db055f5db0d2@google.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, Dec 02, 2017 at 08:08:01AM -0800, syzbot wrote:
> Allocated by task 3086:
>  save_stack+0x43/0xd0 mm/kasan/kasan.c:447
>  set_track mm/kasan/kasan.c:459 [inline]
>  kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
>  kmem_cache_alloc_trace+0x136/0x750 mm/slab.c:3613
>  kmalloc include/linux/slab.h:499 [inline]
>  kzalloc include/linux/slab.h:688 [inline]
>  binder_get_thread+0x1cf/0x870 drivers/android/binder.c:4184
>  binder_poll+0x8c/0x390 drivers/android/binder.c:4286
>  ep_item_poll.isra.10+0xec/0x320 fs/eventpoll.c:884
>  ep_insert+0x6a3/0x1b10 fs/eventpoll.c:1455
>  SYSC_epoll_ctl fs/eventpoll.c:2106 [inline]
>  SyS_epoll_ctl+0x12e4/0x1ab0 fs/eventpoll.c:1992
>  do_syscall_32_irqs_on arch/x86/entry/common.c:327 [inline]
>  do_fast_syscall_32+0x3ee/0xf9d arch/x86/entry/common.c:389
>  entry_SYSENTER_compat+0x51/0x60 arch/x86/entry/entry_64_compat.S:125
>
> Freed by task 3086:
>  save_stack+0x43/0xd0 mm/kasan/kasan.c:447
>  set_track mm/kasan/kasan.c:459 [inline]
>  kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
>  __cache_free mm/slab.c:3491 [inline]
>  kfree+0xca/0x250 mm/slab.c:3806
>  binder_free_thread drivers/android/binder.c:4211 [inline]
>  binder_thread_dec_tmpref+0x27f/0x310 drivers/android/binder.c:1808
>  binder_thread_release+0x27d/0x540 drivers/android/binder.c:4275
>  binder_ioctl+0xc05/0x141a drivers/android/binder.c:4492
>  C_SYSC_ioctl fs/compat_ioctl.c:1473 [inline]
>  compat_SyS_ioctl+0x151/0x2a30 fs/compat_ioctl.c:1419
>  do_syscall_32_irqs_on arch/x86/entry/common.c:327 [inline]
>  do_fast_syscall_32+0x3ee/0xf9d arch/x86/entry/common.c:389
>  entry_SYSENTER_compat+0x51/0x60 arch/x86/entry/entry_64_compat.S:125
>

This is a bug in the "binder" driver: binder_poll() tells the poll system to
use a waitqueue which can be freed before the file is closed.

I'll send this to the binder maintainers and take lockdep maintainers, USB
maintainers, etc. off Cc.

Eric
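The lifetime mismatch Eric points at (epoll keeps a pointer to a wait-queue head that binder_poll() handed it, BINDER_THREAD_EXIT frees the binder_thread that owns that head, a later wakeup takes the head's lock) can be reproduced as a small userspace model. The following is an added example, not code from this mail, from syzbot or from drivers/android/binder.c: the struct and function names are the model's own, the quarantine stands in for KASAN, and binder_poll_file_scoped() is one hypothetical way to scope the head to the file's lifetime, not the fix the binder maintainers actually applied (this page does not say what that was).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-ins for the kernel objects in the report (field names are assumed). */
struct wait_queue_head {
	int lock;          /* the spinlock __lock_acquire was reading when KASAN fired */
	int nr_waiters;
};

struct binder_proc {                 /* one per open file: lives until release() */
	struct wait_queue_head wait;
};

struct binder_thread {               /* one per thread: freed by BINDER_THREAD_EXIT */
	struct binder_proc *proc;
	struct wait_queue_head wait;
};

/* All that epoll keeps from ->poll(): a raw pointer to a wait-queue head. */
struct poll_table_entry {
	struct wait_queue_head *whead;
};

/* Toy KASAN quarantine: freed objects stay mapped so a later access can be flagged. */
#define QUARANTINE 16
static struct { void *ptr; size_t size; } freed[QUARANTINE];
static int nr_freed;

static void kfree_tracked(void *ptr, size_t size)
{
	if (nr_freed < QUARANTINE) {
		freed[nr_freed].ptr = ptr;
		freed[nr_freed].size = size;
		nr_freed++;
	} else {
		free(ptr);
	}
}

static bool points_into_freed(const void *p)
{
	uintptr_t q = (uintptr_t)p;

	for (int i = 0; i < nr_freed; i++) {
		uintptr_t base = (uintptr_t)freed[i].ptr;
		if (q >= base && q < base + freed[i].size)
			return true;
	}
	return false;
}

static void quarantine_flush(void)
{
	for (int i = 0; i < nr_freed; i++)
		free(freed[i].ptr);
	nr_freed = 0;
}

/* epoll_ctl(EPOLL_CTL_ADD) records whatever head ->poll() passes here. */
static void poll_wait(struct poll_table_entry *pt, struct wait_queue_head *whead)
{
	pt->whead = whead;
}

/* The bug described in the mail: the registered head dies with the thread. */
static void binder_poll_buggy(struct binder_thread *thread, struct poll_table_entry *pt)
{
	poll_wait(pt, &thread->wait);
}

/* Hypothetical alternative: only hand out a head owned by the file-lifetime object. */
static void binder_poll_file_scoped(struct binder_thread *thread, struct poll_table_entry *pt)
{
	poll_wait(pt, &thread->proc->wait);
}

static void binder_thread_release(struct binder_thread *thread)
{
	kfree_tracked(thread, sizeof(*thread));   /* ioctl(BINDER_THREAD_EXIT) */
}

/* A later wakeup takes whead->lock: this is the read KASAN reported. */
static bool wakeup_reads_freed_memory(const struct poll_table_entry *pt)
{
	return points_into_freed(&pt->whead->lock);
}

typedef void (*poll_fn_t)(struct binder_thread *, struct poll_table_entry *);

/* Sequence from the report: epoll_ctl(ADD), BINDER_THREAD_EXIT, wakeup, then close(). */
static bool run_scenario(poll_fn_t poll_fn)
{
	struct binder_proc *proc = calloc(1, sizeof(*proc));
	struct binder_thread *thread = calloc(1, sizeof(*thread));
	struct poll_table_entry pt = { NULL };
	bool uaf;

	if (!proc || !thread)
		abort();
	thread->proc = proc;
	poll_fn(thread, &pt);
	binder_thread_release(thread);
	uaf = wakeup_reads_freed_memory(&pt);

	free(proc);                 /* file release: the proc goes away last */
	quarantine_flush();
	return uaf;
}

int main(void)
{
	printf("poll registers thread->wait: use-after-free = %s\n",
	       run_scenario(binder_poll_buggy) ? "yes" : "no");
	printf("poll registers proc->wait:   use-after-free = %s\n",
	       run_scenario(binder_poll_file_scoped) ? "yes" : "no");
	return 0;
}
```

The model keeps the real ordering of the two syzbot stacks: the allocation under epoll_ctl() and the free under ioctl() happen on the same task while the file stays open, so nothing in the file's own refcount protects the head epoll is holding. Any object handed to poll_wait() has to outlive every poll_table that can still reference it, which in practice means the object the file itself owns.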