forked from google/syzkaller
-
Notifications
You must be signed in to change notification settings - Fork 6
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
pkg/report: improve invalid-free format and ignore more mutex-related…
… functions
- Loading branch information
Showing
3 changed files
with
178 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,77 @@ | ||
| TITLE: general protection fault in drain_workqueue | ||
|
|
||
| [ 52.099632] kasan: GPF could be caused by NULL-ptr deref or user memory access | ||
| [ 52.106982] general protection fault: 0000 [#1] SMP KASAN | ||
| [ 52.112852] Modules linked in: | ||
| [ 52.116130] CPU: 1 PID: 4672 Comm: syzkaller354295 Not tainted 4.3.5+ #21 | ||
| [ 52.123024] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 | ||
| [ 52.132353] task: ffff8801d5e522c0 ti: ffff8801d6fb0000 task.ti: ffff8801d6fb0000 | ||
| [ 52.139937] RIP: 0010:[<ffffffff8143d030>] [<ffffffff8143d030>] __lock_acquire+0xc00/0x4e80 | ||
| [ 52.148604] RSP: 0018:ffff8801d6fb3420 EFLAGS: 00010002 | ||
| [ 52.154021] RAX: dffffc0000000000 RBX: ffff8801d5e522c0 RCX: 0000000000000000 | ||
| [ 52.161261] RDX: 0000000000000010 RSI: 0000000000000000 RDI: 0000000000000080 | ||
| [ 52.168498] RBP: ffff8801d6fb35c0 R08: 0000000000000001 R09: 0000000000000000 | ||
| [ 52.175735] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000080 | ||
| [ 52.182974] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 | ||
| [ 52.190213] FS: 0000000000000000(0000) GS:ffff8801dab00000(0000) knlGS:0000000000000000 | ||
| [ 52.198407] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033 | ||
| [ 52.204256] CR2: 0000000020000340 CR3: 00000000bac51000 CR4: 00000000001626f0 | ||
| [ 52.211498] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 | ||
| [ 52.218734] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 | ||
| [ 52.225972] Stack: | ||
| [ 52.228089] 0000000041b58ab3 ffffffff83c6ee98 ffffffff8143c430 ffff8801d5e522c0 | ||
| [ 52.236058] ffff8801d5e52b82 ffff8801d5e522c0 ffff8801d6fb3460 ffffffff81474b47 | ||
| [ 52.244029] ffff8801d6fb3608 ffffffff8143dbe8 0000000000000000 ffff8801d6fb3488 | ||
| [ 52.251988] Call Trace: | ||
| [ 52.254551] [<ffffffff8143c430>] ? debug_check_no_locks_freed+0x2b0/0x2b0 | ||
| [ 52.261534] [<ffffffff81474b47>] ? debug_lockdep_rcu_enabled+0x77/0x90 | ||
| [ 52.268254] [<ffffffff8143dbe8>] ? __lock_acquire+0x17b8/0x4e80 | ||
| [ 52.274381] [<ffffffff81474b47>] ? debug_lockdep_rcu_enabled+0x77/0x90 | ||
| [ 52.281128] [<ffffffff8143c430>] ? debug_check_no_locks_freed+0x2b0/0x2b0 | ||
| [ 52.288129] [<ffffffff8143d423>] ? __lock_acquire+0xff3/0x4e80 | ||
| [ 52.294169] [<ffffffff81582cc4>] ? is_ftrace_trampoline+0xc4/0x120 | ||
| [ 52.300556] [<ffffffff8143d423>] ? __lock_acquire+0xff3/0x4e80 | ||
| [ 52.306602] [<ffffffff81474b47>] ? debug_lockdep_rcu_enabled+0x77/0x90 | ||
| [ 52.313342] [<ffffffff81442e2b>] lock_acquire+0x13b/0x350 | ||
| [ 52.318953] [<ffffffff8136e3c0>] ? drain_workqueue+0x90/0x4d0 | ||
| [ 52.324905] [<ffffffff81009544>] mutex_lock_nested+0xc4/0x950 | ||
| [ 52.330845] [<ffffffff8136e3c0>] ? drain_workqueue+0x90/0x4d0 | ||
| [ 52.336785] [<ffffffff8143c430>] ? debug_check_no_locks_freed+0x2b0/0x2b0 | ||
| [ 52.343777] [<ffffffff81225bc1>] ? dump_trace+0x171/0x330 | ||
| [ 52.349371] [<ffffffff81009480>] ? _mutex_lock_nest_lock+0x950/0x950 | ||
| [ 52.355927] [<ffffffff81e60209>] ? depot_save_stack+0x1c9/0x600 | ||
| [ 52.362047] [<ffffffff8136e3c0>] drain_workqueue+0x90/0x4d0 | ||
| [ 52.367814] [<ffffffff8143b79c>] ? mark_held_locks+0xcc/0x160 | ||
| [ 52.373757] [<ffffffff8136e330>] ? flush_workqueue+0x1750/0x1750 | ||
| [ 52.379960] [<ffffffff8100b6ee>] ? mutex_unlock+0xe/0x10 | ||
| [ 52.385467] [<ffffffff8143bdcd>] ? trace_hardirqs_on+0xd/0x10 | ||
| [ 52.391409] [<ffffffff82903760>] ? ucma_free_ctx+0xb40/0xb40 | ||
| [ 52.397264] [<ffffffff8137493c>] destroy_workqueue+0x7c/0x700 | ||
| [ 52.403214] [<ffffffff8100b668>] ? __mutex_unlock_slowpath+0x2c8/0x340 | ||
| [ 52.409945] [<ffffffff813748c0>] ? wq_sysfs_prep_attrs+0x2b0/0x2b0 | ||
| [ 52.416320] [<ffffffff8143bdcd>] ? trace_hardirqs_on+0xd/0x10 | ||
| [ 52.422260] [<ffffffff82903760>] ? ucma_free_ctx+0xb40/0xb40 | ||
| [ 52.428117] [<ffffffff8290399c>] ucma_close+0x23c/0x2e0 | ||
| [ 52.433543] [<ffffffff813a3a25>] ? __might_sleep+0x95/0x1a0 | ||
| [ 52.439307] [<ffffffff82903760>] ? ucma_free_ctx+0xb40/0xb40 | ||
| [ 52.445162] [<ffffffff81851948>] __fput+0x238/0x6f0 | ||
| [ 52.450234] [<ffffffff81851e8a>] ____fput+0x1a/0x20 | ||
| [ 52.455311] [<ffffffff8137ffd0>] task_work_run+0x1a0/0x240 | ||
| [ 52.460996] [<ffffffff81321b5d>] do_exit+0xc2d/0x29a0 | ||
| [ 52.466246] [<ffffffff81320f30>] ? release_task+0x20/0x20 | ||
| [ 52.471837] [<ffffffff813801e8>] ? __kernel_text_address+0x88/0xc0 | ||
| [ 52.478210] [<ffffffff81436840>] ? check_noncircular+0x20/0x20 | ||
| [ 52.484242] [<ffffffff8134e4e7>] ? get_signal+0x6a7/0x1600 | ||
| [ 52.489925] [<ffffffff81323a56>] do_group_exit+0x116/0x340 | ||
| [ 52.495605] [<ffffffff8134e4d4>] get_signal+0x694/0x1600 | ||
| [ 52.501113] [<ffffffff8121921e>] do_signal+0x7e/0x400 | ||
| [ 52.506363] [<ffffffff81e363f0>] ? debug_object_active_state+0x3b0/0x3b0 | ||
| [ 52.513258] [<ffffffff812191a0>] ? __handle_signal+0x18b0/0x18b0 | ||
| [ 52.519459] [<ffffffff8187fbc0>] ? putname+0xe0/0x120 | ||
| [ 52.524705] [<ffffffff81474d58>] ? rcu_read_lock_sched_held+0x108/0x120 | ||
| [ 52.531511] [<ffffffff817e64c3>] ? kmem_cache_free+0x243/0x2b0 | ||
| [ 52.537537] [<ffffffff8187fbc5>] ? putname+0xe5/0x120 | ||
| [ 52.542782] [<ffffffff8101a4da>] ? prepare_exit_to_usermode+0x11a/0x390 | ||
| [ 52.549590] [<ffffffff8101a539>] prepare_exit_to_usermode+0x179/0x390 | ||
| [ 52.556225] [<ffffffff8101a817>] syscall_return_slowpath+0xc7/0x5c0 | ||
| [ 52.562687] [<ffffffff8316a4e3>] int_ret_from_sys_call+0x25/0xba |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,98 @@ | ||
| TITLE: KASAN: invalid-free in xt_free_table_info | ||
|
|
||
| [ 368.542732] ================================================================== | ||
| [ 368.550228] BUG: KASAN: double-free or invalid-free in kvfree+0x36/0x60 | ||
| [ 368.556946] | ||
| [ 368.558547] CPU: 1 PID: 4260 Comm: syz-executor4 Not tainted 4.16.0-rc4+ #254 | ||
| [ 368.565787] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 | ||
| [ 368.575111] Call Trace: | ||
| [ 368.577669] dump_stack+0x194/0x24d | ||
| [ 368.581271] ? arch_local_irq_restore+0x53/0x53 | ||
| [ 368.585910] ? show_regs_print_info+0x18/0x18 | ||
| [ 368.590383] ? find_next_bit+0xcc/0x100 | ||
| [ 368.594331] ? kvfree+0x36/0x60 | ||
| [ 368.597583] print_address_description+0x73/0x250 | ||
| [ 368.602394] ? kvfree+0x36/0x60 | ||
| [ 368.605641] ? kvfree+0x36/0x60 | ||
| [ 368.608891] kasan_report_invalid_free+0x55/0x80 | ||
| [ 368.613620] __kasan_slab_free+0x145/0x170 | ||
| [ 368.617827] ? kvfree+0x36/0x60 | ||
| [ 368.621077] kasan_slab_free+0xe/0x10 | ||
| [ 368.624851] kfree+0xd9/0x260 | ||
| [ 368.627930] kvfree+0x36/0x60 | ||
| [ 368.631009] xt_free_table_info+0xaf/0x170 | ||
| [ 368.635228] __do_replace+0x810/0xa70 | ||
| [ 368.639016] ? compat_table_info+0x4a0/0x4a0 | ||
| [ 368.643404] ? kasan_check_write+0x14/0x20 | ||
| [ 368.647610] ? _copy_from_user+0x99/0x110 | ||
| [ 368.651731] do_ip6t_set_ctl+0x40f/0x5f0 | ||
| [ 368.655765] ? translate_compat_table+0x1c50/0x1c50 | ||
| [ 368.660762] ? mutex_unlock+0xd/0x10 | ||
| [ 368.664444] ? nf_sockopt_find.constprop.0+0x1a7/0x220 | ||
| [ 368.669692] nf_setsockopt+0x67/0xc0 | ||
| [ 368.673380] ipv6_setsockopt+0x10b/0x130 | ||
| [ 368.677416] tcp_setsockopt+0x82/0xd0 | ||
| [ 368.681194] sock_common_setsockopt+0x95/0xd0 | ||
| [ 368.685664] SyS_setsockopt+0x189/0x360 | ||
| [ 368.689615] ? SyS_recv+0x40/0x40 | ||
| [ 368.693044] ? mm_fault_error+0x2c0/0x2c0 | ||
| [ 368.697163] ? move_addr_to_kernel+0x60/0x60 | ||
| [ 368.701544] ? do_syscall_64+0xb7/0x940 | ||
| [ 368.705490] ? SyS_recv+0x40/0x40 | ||
| [ 368.708916] do_syscall_64+0x281/0x940 | ||
| [ 368.712774] ? __do_page_fault+0xc90/0xc90 | ||
| [ 368.716982] ? trace_event_raw_event_sys_exit+0x260/0x260 | ||
| [ 368.722489] ? syscall_return_slowpath+0x550/0x550 | ||
| [ 368.727397] ? retint_user+0x18/0x18 | ||
| [ 368.731089] ? trace_hardirqs_off_thunk+0x1a/0x1c | ||
| [ 368.735910] entry_SYSCALL_64_after_hwframe+0x42/0xb7 | ||
| [ 368.741079] RIP: 0033:0x45697a | ||
| [ 368.744246] RSP: 002b:0000000000a3e3b8 EFLAGS: 00000206 ORIG_RAX: 0000000000000036 | ||
| [ 368.751927] RAX: ffffffffffffffda RBX: 0000000000a3e3e0 RCX: 000000000045697a | ||
| [ 368.759168] RDX: 0000000000000040 RSI: 0000000000000029 RDI: 0000000000000013 | ||
| [ 368.766407] RBP: 00000000006fd900 R08: 00000000000003b8 R09: 0000000000004000 | ||
| [ 368.773647] R10: 00000000006fb6e0 R11: 0000000000000206 R12: 0000000000000000 | ||
| [ 368.780886] R13: 0000000000000013 R14: 0000000000000029 R15: 00000000006fb740 | ||
| [ 368.788140] | ||
| [ 368.789739] Allocated by task 7667: | ||
| [ 368.793338] save_stack+0x43/0xd0 | ||
| [ 368.796763] kasan_kmalloc+0xad/0xe0 | ||
| [ 368.800448] __kmalloc_track_caller+0x15e/0x760 | ||
| [ 368.805090] kmemdup+0x24/0x50 | ||
| [ 368.808255] selinux_cred_prepare+0x43/0xa0 | ||
| [ 368.812547] security_prepare_creds+0x7d/0xb0 | ||
| [ 368.817015] prepare_creds+0x2b1/0x360 | ||
| [ 368.820883] SyS_access+0x8f/0x6a0 | ||
| [ 368.824399] do_syscall_64+0x281/0x940 | ||
| [ 368.828256] entry_SYSCALL_64_after_hwframe+0x42/0xb7 | ||
| [ 368.833413] | ||
| [ 368.835015] Freed by task 7667: | ||
| [ 368.838269] save_stack+0x43/0xd0 | ||
| [ 368.841698] __kasan_slab_free+0x11a/0x170 | ||
| [ 368.845913] kasan_slab_free+0xe/0x10 | ||
| [ 368.849682] kfree+0xd9/0x260 | ||
| [ 368.852757] selinux_cred_free+0x48/0x70 | ||
| [ 368.856789] security_cred_free+0x48/0x80 | ||
| [ 368.860906] put_cred_rcu+0x106/0x400 | ||
| [ 368.864678] rcu_process_callbacks+0xd6c/0x17f0 | ||
| [ 368.869315] __do_softirq+0x2d7/0xb85 | ||
| [ 368.873084] | ||
| [ 368.874686] The buggy address belongs to the object at ffff8801c95e2880 | ||
| [ 368.874686] which belongs to the cache kmalloc-32 of size 32 | ||
| [ 368.887135] The buggy address is located 0 bytes inside of | ||
| [ 368.887135] 32-byte region [ffff8801c95e2880, ffff8801c95e28a0) | ||
| [ 368.898715] The buggy address belongs to the page: | ||
| [ 368.903616] page:ffffea0007257880 count:1 mapcount:0 mapping:ffff8801c95e2000 index:0xffff8801c95e2fc1 | ||
| [ 368.913035] flags: 0x2fffc0000000100(slab) | ||
| [ 368.917246] raw: 02fffc0000000100 ffff8801c95e2000 ffff8801c95e2fc1 000000010000000f | ||
| [ 368.925100] raw: ffffea0006eae820 ffffea0006bb8b20 ffff8801dac001c0 0000000000000000 | ||
| [ 368.932954] page dumped because: kasan: bad access detected | ||
| [ 368.938630] | ||
| [ 368.940228] Memory state around the buggy address: | ||
| [ 368.945126] ffff8801c95e2780: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc | ||
| [ 368.952455] ffff8801c95e2800: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc | ||
| [ 368.959793] >ffff8801c95e2880: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc | ||
| [ 368.967127] ^ | ||
| [ 368.970461] ffff8801c95e2900: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc | ||
| [ 368.977790] ffff8801c95e2980: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc | ||
| [ 368.985119] ================================================================== |