Re: 4.7-rc7: use-after-free in proc_map_files_readdir

From: Alexey Dobriyan
Date: Tue Jul 19 2016 - 15:28:30 EST


On Tue, Jul 19, 2016 at 11:31:45AM -0400, Dave Jones wrote:
> On Tue, Jul 19, 2016 at 02:16:36PM +0300, Alexey Dobriyan wrote:
> > > BUG: KASAN: use-after-free in proc_map_files_readdir+0x2e3/0x5a0 at addr ffff88044feb2044
> >
> > Just in case can you addr2line this address or post disassembly?
>
> http://codemonkey.org.uk/junk/fs_proc_base.dis.txt
>
> Which by my math, looks to be..
>
> 7253: 41 8b 87 84 00 00 00 mov 0x84(%r15),%eax
> info.len = snprintf(info.name,
>
> inlined from dir_emit_dots()

For those on dialup connections :^) the relevant part of that listing, the whole of proc_map_files_readdir, is inlined below.

RIP is ffffffff813f38d3, i.e. proc_map_files_readdir+0x2e3 (0x38d3 - 0x35f0), which matches the KASAN report; the instruction is marked with ***** below. It is the 4-byte load `mov 0x84(%r15),%eax`, where %r15 was just loaded from 0xa0(%r14) a few instructions earlier and the result is stored into the first field of the on-stack `info` before the snprintf call -- so it looks like the `info.mode = vma->vm_file->f_mode` read rather than the snprintf line itself, with the freed object being the struct file (worth confirming with addr2line -i).

ffffffff813f35f0 <proc_map_files_readdir>:
ffffffff813f35f0: e8 3b c1 97 00 callq ffffffff81d6f730 <__fentry__>
ffffffff813f35f1: R_X86_64_PC32 __fentry__-0x4
ffffffff813f35f5: 55 push %rbp
ffffffff813f35f6: 48 89 e5 mov %rsp,%rbp
ffffffff813f35f9: 41 57 push %r15
ffffffff813f35fb: 48 8d 85 58 ff ff ff lea -0xa8(%rbp),%rax
ffffffff813f3602: 41 56 push %r14
ffffffff813f3604: 48 c1 e8 03 shr $0x3,%rax
ffffffff813f3608: 41 55 push %r13
ffffffff813f360a: 49 89 fd mov %rdi,%r13
ffffffff813f360d: 48 83 c7 20 add $0x20,%rdi
ffffffff813f3611: 41 54 push %r12
ffffffff813f3613: 48 89 c1 mov %rax,%rcx
ffffffff813f3616: 53 push %rbx
ffffffff813f3617: 48 89 f3 mov %rsi,%rbx
ffffffff813f361a: 48 81 ec d8 00 00 00 sub $0xd8,%rsp
ffffffff813f3621: 48 89 85 50 ff ff ff mov %rax,-0xb0(%rbp)
ffffffff813f3628: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
ffffffff813f362f: fc ff df
ffffffff813f3632: 48 c7 85 58 ff ff ff movq $0x41b58ab3,-0xa8(%rbp)
ffffffff813f3639: b3 8a b5 41
ffffffff813f363d: 48 01 c8 add %rcx,%rax
ffffffff813f3640: 48 c7 85 60 ff ff ff movq $0xffffffff82361fc9,-0xa0(%rbp)
ffffffff813f3647: c9 1f 36 82
ffffffff813f3647: R_X86_64_32S .rodata+0x561fc9
ffffffff813f364b: 48 c7 85 68 ff ff ff movq $0xffffffff813f35f0,-0x98(%rbp)
ffffffff813f3652: f0 35 3f 81
ffffffff813f3652: R_X86_64_32S .text+0x3f35f0
ffffffff813f3656: c7 00 f1 f1 f1 f1 movl $0xf1f1f1f1,(%rax)
ffffffff813f365c: c7 40 08 00 00 00 f4 movl $0xf4000000,0x8(%rax)
ffffffff813f3663: 65 48 8b 04 25 28 00 mov %gs:0x28,%rax
ffffffff813f366a: 00 00
ffffffff813f366c: 48 89 45 d0 mov %rax,-0x30(%rbp)
ffffffff813f3670: 31 c0 xor %eax,%eax
ffffffff813f3672: e8 c9 f8 f1 ff callq ffffffff81312f40 <__asan_load8>
ffffffff813f3673: R_X86_64_PC32 __asan_load8_noabort-0x4
ffffffff813f3677: 4d 8b 65 20 mov 0x20(%r13),%r12
ffffffff813f367b: 49 8d 7c 24 c8 lea -0x38(%r12),%rdi
ffffffff813f3680: e8 bb f8 f1 ff callq ffffffff81312f40 <__asan_load8>
ffffffff813f3681: R_X86_64_PC32 __asan_load8_noabort-0x4
ffffffff813f3685: 49 8b 7c 24 c8 mov -0x38(%r12),%rdi
ffffffff813f368a: 31 f6 xor %esi,%esi
ffffffff813f368c: e8 0f 5e cf ff callq ffffffff810e94a0 <get_pid_task>
ffffffff813f368d: R_X86_64_PC32 get_pid_task-0x4
ffffffff813f3691: 48 85 c0 test %rax,%rax
ffffffff813f3694: 0f 84 29 04 00 00 je ffffffff813f3ac3 <proc_map_files_readdir+0x4d3>
ffffffff813f369a: be 09 00 00 00 mov $0x9,%esi
ffffffff813f369f: 48 89 c7 mov %rax,%rdi
ffffffff813f36a2: 49 89 c4 mov %rax,%r12
ffffffff813f36a5: e8 76 42 cd ff callq ffffffff810c7920 <ptrace_may_access>
ffffffff813f36a6: R_X86_64_PC32 ptrace_may_access-0x4
ffffffff813f36aa: 84 c0 test %al,%al
ffffffff813f36ac: 75 56 jne ffffffff813f3704 <proc_map_files_readdir+0x114>
ffffffff813f36ae: bb f3 ff ff ff mov $0xfffffff3,%ebx
ffffffff813f36b3: f0 41 ff 4c 24 10 lock decl 0x10(%r12)
ffffffff813f36b9: 0f 84 89 02 00 00 je ffffffff813f3948 <proc_map_files_readdir+0x358>
ffffffff813f36bf: 48 ba 00 00 00 00 00 movabs $0xdffffc0000000000,%rdx
ffffffff813f36c6: fc ff df
ffffffff813f36c9: 89 d8 mov %ebx,%eax
ffffffff813f36cb: 48 03 95 50 ff ff ff add -0xb0(%rbp),%rdx
ffffffff813f36d2: c7 02 00 00 00 00 movl $0x0,(%rdx)
ffffffff813f36d8: c7 42 08 00 00 00 00 movl $0x0,0x8(%rdx)
ffffffff813f36df: 48 8b 75 d0 mov -0x30(%rbp),%rsi
ffffffff813f36e3: 65 48 33 34 25 28 00 xor %gs:0x28,%rsi
ffffffff813f36ea: 00 00
ffffffff813f36ec: 0f 85 80 04 00 00 jne ffffffff813f3b72 <proc_map_files_readdir+0x582>
ffffffff813f36f2: 48 81 c4 d8 00 00 00 add $0xd8,%rsp
ffffffff813f36f9: 5b pop %rbx
ffffffff813f36fa: 41 5c pop %r12
ffffffff813f36fc: 41 5d pop %r13
ffffffff813f36fe: 41 5e pop %r14
ffffffff813f3700: 41 5f pop %r15
ffffffff813f3702: 5d pop %rbp
ffffffff813f3703: c3 retq
ffffffff813f3704: 48 8d 43 08 lea 0x8(%rbx),%rax
ffffffff813f3708: 48 89 c7 mov %rax,%rdi
ffffffff813f370b: 48 89 85 48 ff ff ff mov %rax,-0xb8(%rbp)
ffffffff813f3712: e8 29 f8 f1 ff callq ffffffff81312f40 <__asan_load8>
ffffffff813f3713: R_X86_64_PC32 __asan_load8_noabort-0x4
ffffffff813f3717: 48 8b 43 08 mov 0x8(%rbx),%rax
ffffffff813f371b: 48 85 c0 test %rax,%rax
ffffffff813f371e: 0f 84 50 02 00 00 je ffffffff813f3974 <proc_map_files_readdir+0x384>
ffffffff813f3724: 48 83 f8 01 cmp $0x1,%rax
ffffffff813f3728: 0f 84 4b 04 00 00 je ffffffff813f3b79 <proc_map_files_readdir+0x589>
ffffffff813f372e: 4c 89 e7 mov %r12,%rdi
ffffffff813f3731: e8 5a a4 cb ff callq ffffffff810adb90 <get_task_mm>
ffffffff813f3732: R_X86_64_PC32 get_task_mm-0x4
ffffffff813f3736: 48 85 c0 test %rax,%rax
ffffffff813f3739: 48 89 85 28 ff ff ff mov %rax,-0xd8(%rbp)
ffffffff813f3740: 0f 84 27 02 00 00 je ffffffff813f396d <proc_map_files_readdir+0x37d>
ffffffff813f3746: 4c 8b bd 28 ff ff ff mov -0xd8(%rbp),%r15
ffffffff813f374d: 4c 89 f8 mov %r15,%rax
ffffffff813f3750: 48 05 b0 00 00 00 add $0xb0,%rax
ffffffff813f3756: 48 89 c7 mov %rax,%rdi
ffffffff813f3759: 48 89 85 30 ff ff ff mov %rax,-0xd0(%rbp)
ffffffff813f3760: e8 bb 62 97 00 callq ffffffff81d69a20 <down_read>
ffffffff813f3761: R_X86_64_PC32 down_read-0x4
ffffffff813f3765: 4c 89 ff mov %r15,%rdi
ffffffff813f3768: e8 d3 f7 f1 ff callq ffffffff81312f40 <__asan_load8>
ffffffff813f3769: R_X86_64_PC32 __asan_load8_noabort-0x4
ffffffff813f376d: 4d 8b 3f mov (%r15),%r15
ffffffff813f3770: 4d 85 ff test %r15,%r15
ffffffff813f3773: 0f 84 dc 01 00 00 je ffffffff813f3955 <proc_map_files_readdir+0x365>
ffffffff813f3779: 4c 89 a5 40 ff ff ff mov %r12,-0xc0(%rbp)
ffffffff813f3780: 4c 8b a5 48 ff ff ff mov -0xb8(%rbp),%r12
ffffffff813f3787: 31 c0 xor %eax,%eax
ffffffff813f3789: 41 be 02 00 00 00 mov $0x2,%r14d
ffffffff813f378f: 4c 89 ad 20 ff ff ff mov %r13,-0xe0(%rbp)
ffffffff813f3796: 4d 89 fd mov %r15,%r13
ffffffff813f3799: 49 89 c7 mov %rax,%r15
ffffffff813f379c: 49 8d bd a0 00 00 00 lea 0xa0(%r13),%rdi
ffffffff813f37a3: e8 98 f7 f1 ff callq ffffffff81312f40 <__asan_load8>
ffffffff813f37a4: R_X86_64_PC32 __asan_load8_noabort-0x4
ffffffff813f37a8: 49 83 bd a0 00 00 00 cmpq $0x0,0xa0(%r13)
ffffffff813f37af: 00
ffffffff813f37b0: 74 14 je ffffffff813f37c6 <proc_map_files_readdir+0x1d6>
ffffffff813f37b2: 4c 89 e7 mov %r12,%rdi
ffffffff813f37b5: 49 83 c6 01 add $0x1,%r14
ffffffff813f37b9: e8 82 f7 f1 ff callq ffffffff81312f40 <__asan_load8>
ffffffff813f37ba: R_X86_64_PC32 __asan_load8_noabort-0x4
ffffffff813f37be: 4c 39 73 08 cmp %r14,0x8(%rbx)
ffffffff813f37c2: 49 83 d7 00 adc $0x0,%r15
ffffffff813f37c6: 49 8d 7d 10 lea 0x10(%r13),%rdi
ffffffff813f37ca: e8 71 f7 f1 ff callq ffffffff81312f40 <__asan_load8>
ffffffff813f37cb: R_X86_64_PC32 __asan_load8_noabort-0x4
ffffffff813f37cf: 4d 8b 6d 10 mov 0x10(%r13),%r13
ffffffff813f37d3: 4d 85 ed test %r13,%r13
ffffffff813f37d6: 75 c4 jne ffffffff813f379c <proc_map_files_readdir+0x1ac>
ffffffff813f37d8: 4d 85 ff test %r15,%r15
ffffffff813f37db: 4c 89 bd 38 ff ff ff mov %r15,-0xc8(%rbp)
ffffffff813f37e2: 4c 8b a5 40 ff ff ff mov -0xc0(%rbp),%r12
ffffffff813f37e9: 4c 8b ad 20 ff ff ff mov -0xe0(%rbp),%r13
ffffffff813f37f0: 0f 84 5f 01 00 00 je ffffffff813f3955 <proc_map_files_readdir+0x365>
ffffffff813f37f6: ba c0 00 40 02 mov $0x24000c0,%edx
ffffffff813f37fb: 44 89 fe mov %r15d,%esi
ffffffff813f37fe: bf 38 00 00 00 mov $0x38,%edi
ffffffff813f3803: e8 a8 52 1b 00 callq ffffffff815a8ab0 <flex_array_alloc>
ffffffff813f3804: R_X86_64_PC32 flex_array_alloc-0x4
ffffffff813f3808: 48 85 c0 test %rax,%rax
ffffffff813f380b: 48 89 85 40 ff ff ff mov %rax,-0xc0(%rbp)
ffffffff813f3812: 0f 84 89 02 00 00 je ffffffff813f3aa1 <proc_map_files_readdir+0x4b1>
ffffffff813f3818: 31 f6 xor %esi,%esi
ffffffff813f381a: b9 c0 00 40 02 mov $0x24000c0,%ecx
ffffffff813f381f: 44 89 fa mov %r15d,%edx
ffffffff813f3822: 48 89 c7 mov %rax,%rdi
ffffffff813f3825: e8 06 50 1b 00 callq ffffffff815a8830 <flex_array_prealloc>
ffffffff813f3826: R_X86_64_PC32 flex_array_prealloc-0x4
ffffffff813f382a: 85 c0 test %eax,%eax
ffffffff813f382c: 0f 85 63 02 00 00 jne ffffffff813f3a95 <proc_map_files_readdir+0x4a5>
ffffffff813f3832: 4c 8b bd 28 ff ff ff mov -0xd8(%rbp),%r15
ffffffff813f3839: 4c 89 ff mov %r15,%rdi
ffffffff813f383c: e8 ff f6 f1 ff callq ffffffff81312f40 <__asan_load8>
ffffffff813f383d: R_X86_64_PC32 __asan_load8_noabort-0x4
ffffffff813f3841: 4d 8b 37 mov (%r15),%r14
ffffffff813f3844: 4d 85 f6 test %r14,%r14
ffffffff813f3847: 0f 84 8e 02 00 00 je ffffffff813f3adb <proc_map_files_readdir+0x4eb>
ffffffff813f384d: 48 8d 85 78 ff ff ff lea -0x88(%rbp),%rax
ffffffff813f3854: 31 d2 xor %edx,%edx
ffffffff813f3856: be 02 00 00 00 mov $0x2,%esi
ffffffff813f385b: 4c 89 a5 10 ff ff ff mov %r12,-0xf0(%rbp)
ffffffff813f3862: 48 89 85 20 ff ff ff mov %rax,-0xe0(%rbp)
ffffffff813f3869: 48 83 c0 10 add $0x10,%rax
ffffffff813f386d: 49 89 f4 mov %rsi,%r12
ffffffff813f3870: 4c 89 ad 08 ff ff ff mov %r13,-0xf8(%rbp)
ffffffff813f3877: 49 89 d5 mov %rdx,%r13
ffffffff813f387a: 48 89 85 18 ff ff ff mov %rax,-0xe8(%rbp)
ffffffff813f3881: eb 16 jmp ffffffff813f3899 <proc_map_files_readdir+0x2a9>
ffffffff813f3883: 49 8d 7e 10 lea 0x10(%r14),%rdi
ffffffff813f3887: e8 b4 f6 f1 ff callq ffffffff81312f40 <__asan_load8>
ffffffff813f3888: R_X86_64_PC32 __asan_load8_noabort-0x4
ffffffff813f388c: 4d 8b 76 10 mov 0x10(%r14),%r14
ffffffff813f3890: 4d 85 f6 test %r14,%r14
ffffffff813f3893: 0f 84 34 02 00 00 je ffffffff813f3acd <proc_map_files_readdir+0x4dd>
ffffffff813f3899: 49 8d be a0 00 00 00 lea 0xa0(%r14),%rdi
ffffffff813f38a0: e8 9b f6 f1 ff callq ffffffff81312f40 <__asan_load8>
ffffffff813f38a1: R_X86_64_PC32 __asan_load8_noabort-0x4
ffffffff813f38a5: 4d 8b be a0 00 00 00 mov 0xa0(%r14),%r15
ffffffff813f38ac: 4d 85 ff test %r15,%r15
ffffffff813f38af: 74 d2 je ffffffff813f3883 <proc_map_files_readdir+0x293>
ffffffff813f38b1: 48 8b bd 48 ff ff ff mov -0xb8(%rbp),%rdi
ffffffff813f38b8: 49 83 c4 01 add $0x1,%r12
ffffffff813f38bc: e8 7f f6 f1 ff callq ffffffff81312f40 <__asan_load8>
ffffffff813f38bd: R_X86_64_PC32 __asan_load8_noabort-0x4
ffffffff813f38c1: 4c 3b 63 08 cmp 0x8(%rbx),%r12
ffffffff813f38c5: 76 bc jbe ffffffff813f3883 <proc_map_files_readdir+0x293>
ffffffff813f38c7: 49 8d bf 84 00 00 00 lea 0x84(%r15),%rdi
ffffffff813f38ce: e8 6d f5 f1 ff callq ffffffff81312e40 <__asan_load4>
ffffffff813f38cf: R_X86_64_PC32 __asan_load4_noabort-0x4
ffffffff813f38d3: ***** 41 8b 87 84 00 00 00 mov 0x84(%r15),%eax
ffffffff813f38da: 49 8d 7e 08 lea 0x8(%r14),%rdi
ffffffff813f38de: 89 85 78 ff ff ff mov %eax,-0x88(%rbp)
ffffffff813f38e4: e8 57 f6 f1 ff callq ffffffff81312f40 <__asan_load8>
ffffffff813f38e5: R_X86_64_PC32 __asan_load8_noabort-0x4
ffffffff813f38e9: 4d 8b 7e 08 mov 0x8(%r14),%r15
ffffffff813f38ed: 4c 89 f7 mov %r14,%rdi
ffffffff813f38f0: e8 4b f6 f1 ff callq ffffffff81312f40 <__asan_load8>
ffffffff813f38f1: R_X86_64_PC32 __asan_load8_noabort-0x4
ffffffff813f38f5: 49 8b 0e mov (%r14),%rcx
ffffffff813f38f8: be 22 00 00 00 mov $0x22,%esi
ffffffff813f38fd: 48 c7 c2 00 72 f1 81 mov $0xffffffff81f17200,%rdx
ffffffff813f3900: R_X86_64_32S .rodata+0x117200
ffffffff813f3904: 48 8b bd 18 ff ff ff mov -0xe8(%rbp),%rdi
ffffffff813f390b: 4d 89 f8 mov %r15,%r8
ffffffff813f390e: 4d 8d 7d 01 lea 0x1(%r13),%r15
ffffffff813f3912: e8 79 c4 1a 00 callq ffffffff8159fd90 <snprintf>
ffffffff813f3913: R_X86_64_PC32 snprintf-0x4
ffffffff813f3917: 48 8b 95 20 ff ff ff mov -0xe0(%rbp),%rdx
ffffffff813f391e: b9 c0 00 40 02 mov $0x24000c0,%ecx
ffffffff813f3923: 44 89 ee mov %r13d,%esi
ffffffff813f3926: 48 8b bd 40 ff ff ff mov -0xc0(%rbp),%rdi
ffffffff813f392d: 48 98 cltq
ffffffff813f392f: 48 89 45 80 mov %rax,-0x80(%rbp)
ffffffff813f3933: e8 a8 4d 1b 00 callq ffffffff815a86e0 <flex_array_put>
ffffffff813f3934: R_X86_64_PC32 flex_array_put-0x4
ffffffff813f3938: 85 c0 test %eax,%eax
ffffffff813f393a: 0f 85 37 02 00 00 jne ffffffff813f3b77 <proc_map_files_readdir+0x587>
ffffffff813f3940: 4d 89 fd mov %r15,%r13
ffffffff813f3943: e9 3b ff ff ff jmpq ffffffff813f3883 <proc_map_files_readdir+0x293>
ffffffff813f3948: 4c 89 e7 mov %r12,%rdi
ffffffff813f394b: e8 20 ba cb ff callq ffffffff810af370 <__put_task_struct>
ffffffff813f394c: R_X86_64_PC32 __put_task_struct-0x4
ffffffff813f3950: e9 6a fd ff ff jmpq ffffffff813f36bf <proc_map_files_readdir+0xcf>
ffffffff813f3955: 48 8b bd 30 ff ff ff mov -0xd0(%rbp),%rdi
ffffffff813f395c: e8 4f 63 d4 ff callq ffffffff81139cb0 <up_read>
ffffffff813f395d: R_X86_64_PC32 up_read-0x4
ffffffff813f3961: 48 8b bd 28 ff ff ff mov -0xd8(%rbp),%rdi
ffffffff813f3968: e8 b3 b3 cb ff callq ffffffff810aed20 <mmput>
ffffffff813f3969: R_X86_64_PC32 mmput-0x4
ffffffff813f396d: 31 db xor %ebx,%ebx
ffffffff813f396f: e9 3f fd ff ff jmpq ffffffff813f36b3 <proc_map_files_readdir+0xc3>
ffffffff813f3974: 4d 8d 7d 18 lea 0x18(%r13),%r15
ffffffff813f3978: 4c 89 ff mov %r15,%rdi
ffffffff813f397b: e8 c0 f5 f1 ff callq ffffffff81312f40 <__asan_load8>
ffffffff813f397c: R_X86_64_PC32 __asan_load8_noabort-0x4
ffffffff813f3980: 4d 8b 75 18 mov 0x18(%r13),%r14
ffffffff813f3984: 48 89 df mov %rbx,%rdi
ffffffff813f3987: e8 b4 f5 f1 ff callq ffffffff81312f40 <__asan_load8>
ffffffff813f3988: R_X86_64_PC32 __asan_load8_noabort-0x4
ffffffff813f398c: 48 8b 03 mov (%rbx),%rax
ffffffff813f398f: 49 8d 7e 68 lea 0x68(%r14),%rdi
ffffffff813f3993: 48 89 85 40 ff ff ff mov %rax,-0xc0(%rbp)
ffffffff813f399a: e8 a1 f5 f1 ff callq ffffffff81312f40 <__asan_load8>
ffffffff813f399b: R_X86_64_PC32 __asan_load8_noabort-0x4
ffffffff813f399f: 4d 8b 76 68 mov 0x68(%r14),%r14
ffffffff813f39a3: 49 8d 7e 38 lea 0x38(%r14),%rdi
ffffffff813f39a7: e8 94 f5 f1 ff callq ffffffff81312f40 <__asan_load8>
ffffffff813f39a8: R_X86_64_PC32 __asan_load8_noabort-0x4
ffffffff813f39ac: 31 c9 xor %ecx,%ecx
ffffffff813f39ae: 41 b9 04 00 00 00 mov $0x4,%r9d
ffffffff813f39b4: 48 89 df mov %rbx,%rdi
ffffffff813f39b7: 4d 8b 46 38 mov 0x38(%r14),%r8
ffffffff813f39bb: ba 01 00 00 00 mov $0x1,%edx
ffffffff813f39c0: 48 c7 c6 40 74 f1 81 mov $0xffffffff81f17440,%rsi
ffffffff813f39c3: R_X86_64_32S .rodata+0x117440
ffffffff813f39c7: 48 8b 85 40 ff ff ff mov -0xc0(%rbp),%rax
ffffffff813f39ce: ff d0 callq *%rax
ffffffff813f39d0: 85 c0 test %eax,%eax
ffffffff813f39d2: 75 99 jne ffffffff813f396d <proc_map_files_readdir+0x37d>
ffffffff813f39d4: 48 8b bd 48 ff ff ff mov -0xb8(%rbp),%rdi
ffffffff813f39db: e8 d0 f5 f1 ff callq ffffffff81312fb0 <__asan_store8>
ffffffff813f39dc: R_X86_64_PC32 __asan_store8_noabort-0x4
ffffffff813f39e0: 48 c7 43 08 01 00 00 movq $0x1,0x8(%rbx)
ffffffff813f39e7: 00
ffffffff813f39e8: 4c 89 ff mov %r15,%rdi
ffffffff813f39eb: e8 50 f5 f1 ff callq ffffffff81312f40 <__asan_load8>
ffffffff813f39ec: R_X86_64_PC32 __asan_load8_noabort-0x4
ffffffff813f39f0: 4d 8b 75 18 mov 0x18(%r13),%r14
ffffffff813f39f4: 48 89 df mov %rbx,%rdi
ffffffff813f39f7: e8 44 f5 f1 ff callq ffffffff81312f40 <__asan_load8>
ffffffff813f39f8: R_X86_64_PC32 __asan_load8_noabort-0x4
ffffffff813f39fc: 48 8b 03 mov (%rbx),%rax
ffffffff813f39ff: 4d 8d be 90 00 00 00 lea 0x90(%r14),%r15
ffffffff813f3a06: 4c 89 ff mov %r15,%rdi
ffffffff813f3a09: 48 89 85 40 ff ff ff mov %rax,-0xc0(%rbp)
ffffffff813f3a10: e8 1b 8c 97 00 callq ffffffff81d6c630 <_raw_spin_lock>
ffffffff813f3a11: R_X86_64_PC32 _raw_spin_lock-0x4
ffffffff813f3a15: 49 8d 7e 50 lea 0x50(%r14),%rdi
ffffffff813f3a19: e8 22 f5 f1 ff callq ffffffff81312f40 <__asan_load8>
ffffffff813f3a1a: R_X86_64_PC32 __asan_load8_noabort-0x4
ffffffff813f3a1e: 4d 8b 76 50 mov 0x50(%r14),%r14
ffffffff813f3a22: 49 8d 7e 68 lea 0x68(%r14),%rdi
ffffffff813f3a26: e8 15 f5 f1 ff callq ffffffff81312f40 <__asan_load8>
ffffffff813f3a27: R_X86_64_PC32 __asan_load8_noabort-0x4
ffffffff813f3a2b: 4d 8b 76 68 mov 0x68(%r14),%r14
ffffffff813f3a2f: 49 8d 7e 38 lea 0x38(%r14),%rdi
ffffffff813f3a33: e8 08 f5 f1 ff callq ffffffff81312f40 <__asan_load8>
ffffffff813f3a34: R_X86_64_PC32 __asan_load8_noabort-0x4
ffffffff813f3a38: 4c 89 ff mov %r15,%rdi
ffffffff813f3a3b: 4d 8b 76 38 mov 0x38(%r14),%r14
ffffffff813f3a3f: e8 1c 91 97 00 callq ffffffff81d6cb60 <_raw_spin_unlock>
ffffffff813f3a40: R_X86_64_PC32 _raw_spin_unlock-0x4
ffffffff813f3a44: 4c 8b bd 48 ff ff ff mov -0xb8(%rbp),%r15
ffffffff813f3a4b: 4c 89 ff mov %r15,%rdi
ffffffff813f3a4e: e8 ed f4 f1 ff callq ffffffff81312f40 <__asan_load8>
ffffffff813f3a4f: R_X86_64_PC32 __asan_load8_noabort-0x4
ffffffff813f3a53: 48 8b 4b 08 mov 0x8(%rbx),%rcx
ffffffff813f3a57: 4d 89 f0 mov %r14,%r8
ffffffff813f3a5a: 48 89 df mov %rbx,%rdi
ffffffff813f3a5d: 41 b9 04 00 00 00 mov $0x4,%r9d
ffffffff813f3a63: ba 02 00 00 00 mov $0x2,%edx
ffffffff813f3a68: 48 c7 c6 80 74 f1 81 mov $0xffffffff81f17480,%rsi
ffffffff813f3a6b: R_X86_64_32S .rodata+0x117480
ffffffff813f3a6f: 48 8b 85 40 ff ff ff mov -0xc0(%rbp),%rax
ffffffff813f3a76: ff d0 callq *%rax
ffffffff813f3a78: 85 c0 test %eax,%eax
ffffffff813f3a7a: 0f 85 ed fe ff ff jne ffffffff813f396d <proc_map_files_readdir+0x37d>
ffffffff813f3a80: 4c 89 ff mov %r15,%rdi
ffffffff813f3a83: e8 28 f5 f1 ff callq ffffffff81312fb0 <__asan_store8>
ffffffff813f3a84: R_X86_64_PC32 __asan_store8_noabort-0x4
ffffffff813f3a88: 48 c7 43 08 02 00 00 movq $0x2,0x8(%rbx)
ffffffff813f3a8f: 00
ffffffff813f3a90: e9 99 fc ff ff jmpq ffffffff813f372e <proc_map_files_readdir+0x13e>
ffffffff813f3a95: 48 8b bd 40 ff ff ff mov -0xc0(%rbp),%rdi
ffffffff813f3a9c: e8 cf 4e 1b 00 callq ffffffff815a8970 <flex_array_free>
ffffffff813f3a9d: R_X86_64_PC32 flex_array_free-0x4
ffffffff813f3aa1: 48 8b bd 30 ff ff ff mov -0xd0(%rbp),%rdi
ffffffff813f3aa8: bb f4 ff ff ff mov $0xfffffff4,%ebx
ffffffff813f3aad: e8 fe 61 d4 ff callq ffffffff81139cb0 <up_read>
ffffffff813f3aae: R_X86_64_PC32 up_read-0x4
ffffffff813f3ab2: 48 8b bd 28 ff ff ff mov -0xd8(%rbp),%rdi
ffffffff813f3ab9: e8 62 b2 cb ff callq ffffffff810aed20 <mmput>
ffffffff813f3aba: R_X86_64_PC32 mmput-0x4
ffffffff813f3abe: e9 f0 fb ff ff jmpq ffffffff813f36b3 <proc_map_files_readdir+0xc3>
ffffffff813f3ac3: bb fe ff ff ff mov $0xfffffffe,%ebx
ffffffff813f3ac8: e9 f2 fb ff ff jmpq ffffffff813f36bf <proc_map_files_readdir+0xcf>
ffffffff813f3acd: 4c 8b a5 10 ff ff ff mov -0xf0(%rbp),%r12
ffffffff813f3ad4: 4c 8b ad 08 ff ff ff mov -0xf8(%rbp),%r13
ffffffff813f3adb: 48 8b bd 30 ff ff ff mov -0xd0(%rbp),%rdi
ffffffff813f3ae2: 45 31 f6 xor %r14d,%r14d
ffffffff813f3ae5: e8 c6 61 d4 ff callq ffffffff81139cb0 <up_read>
ffffffff813f3ae6: R_X86_64_PC32 up_read-0x4
ffffffff813f3aea: 4c 89 ad 30 ff ff ff mov %r13,-0xd0(%rbp)
ffffffff813f3af1: eb 1e jmp ffffffff813f3b11 <proc_map_files_readdir+0x521>
ffffffff813f3af3: 48 8b bd 48 ff ff ff mov -0xb8(%rbp),%rdi
ffffffff813f3afa: 49 83 c6 01 add $0x1,%r14
ffffffff813f3afe: e8 3d f4 f1 ff callq ffffffff81312f40 <__asan_load8>
ffffffff813f3aff: R_X86_64_PC32 __asan_load8_noabort-0x4
ffffffff813f3b03: 48 83 43 08 01 addq $0x1,0x8(%rbx)
ffffffff813f3b08: 4c 39 b5 38 ff ff ff cmp %r14,-0xc8(%rbp)
ffffffff813f3b0f: 74 50 je ffffffff813f3b61 <proc_map_files_readdir+0x571>
ffffffff813f3b11: 48 8b bd 40 ff ff ff mov -0xc0(%rbp),%rdi
ffffffff813f3b18: 44 89 f6 mov %r14d,%esi
ffffffff813f3b1b: e8 f0 48 1b 00 callq ffffffff815a8410 <flex_array_get>
ffffffff813f3b1c: R_X86_64_PC32 flex_array_get-0x4
ffffffff813f3b20: 49 89 c5 mov %rax,%r13
ffffffff813f3b23: 48 89 c7 mov %rax,%rdi
ffffffff813f3b26: e8 15 f3 f1 ff callq ffffffff81312e40 <__asan_load4>
ffffffff813f3b27: R_X86_64_PC32 __asan_load4_noabort-0x4
ffffffff813f3b2b: 45 8b 7d 00 mov 0x0(%r13),%r15d
ffffffff813f3b2f: 49 8d 7d 08 lea 0x8(%r13),%rdi
ffffffff813f3b33: e8 08 f4 f1 ff callq ffffffff81312f40 <__asan_load8>
ffffffff813f3b34: R_X86_64_PC32 __asan_load8_noabort-0x4
ffffffff813f3b38: 49 8b 4d 08 mov 0x8(%r13),%rcx
ffffffff813f3b3c: 49 8d 55 10 lea 0x10(%r13),%rdx
ffffffff813f3b40: 4d 89 e1 mov %r12,%r9
ffffffff813f3b43: 48 8b bd 30 ff ff ff mov -0xd0(%rbp),%rdi
ffffffff813f3b4a: 49 c7 c0 20 29 3f 81 mov $0xffffffff813f2920,%r8
ffffffff813f3b4d: R_X86_64_32S .text+0x3f2920
ffffffff813f3b51: 48 89 de mov %rbx,%rsi
ffffffff813f3b54: 4c 89 3c 24 mov %r15,(%rsp)
ffffffff813f3b58: e8 43 f7 ff ff callq ffffffff813f32a0 <proc_fill_cache>
ffffffff813f3b59: R_X86_64_PC32 proc_fill_cache-0x4
ffffffff813f3b5d: 84 c0 test %al,%al
ffffffff813f3b5f: 75 92 jne ffffffff813f3af3 <proc_map_files_readdir+0x503>
ffffffff813f3b61: 48 8b bd 40 ff ff ff mov -0xc0(%rbp),%rdi
ffffffff813f3b68: e8 03 4e 1b 00 callq ffffffff815a8970 <flex_array_free>
ffffffff813f3b69: R_X86_64_PC32 flex_array_free-0x4
ffffffff813f3b6d: e9 ef fd ff ff jmpq ffffffff813f3961 <proc_map_files_readdir+0x371>
ffffffff813f3b72: e8 89 03 cc ff callq ffffffff810b3f00 <__stack_chk_fail>
ffffffff813f3b73: R_X86_64_PC32 __stack_chk_fail-0x4
ffffffff813f3b77: 0f 0b ud2
ffffffff813f3b79: 4d 8d 7d 18 lea 0x18(%r13),%r15
ffffffff813f3b7d: e9 66 fe ff ff jmpq ffffffff813f39e8 <proc_map_files_readdir+0x3f8>