KASAN: use-after-free Read in __fsnotify_parent


syzbot

Aug 28, 2020, 2:24:16 AM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 1bd2e4c1 UPSTREAM: media: v4l2-dv-timings.c: fix format st..
git tree: android-5.4
console output: https://syzkaller.appspot.com/x/log.txt?x=16f33c99900000
kernel config: https://syzkaller.appspot.com/x/.config?x=b5e85a4a81932633
dashboard link: https://syzkaller.appspot.com/bug?extid=9516be3e5742f57ecda3
compiler: Android (6032204 based on r370808) clang version 10.0.1 (https://android.googlesource.com/toolchain/llvm-project 6e765c10313d15c02ab29977a82938f66742c3a9)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=114eff41900000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+9516be...@syzkaller.appspotmail.com

BUG: KASAN: use-after-free in __fsnotify_parent+0x2e7/0x310 fs/notify/fsnotify.c:155
Read of size 4 at addr ffff8881c2201990 by task syz-executor.0/2234

CPU: 0 PID: 2234 Comm: syz-executor.0 Not tainted 5.4.61-syzkaller-00801-g1bd2e4c18e44 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x14a/0x1ce lib/dump_stack.c:118
print_address_description+0x93/0x620 mm/kasan/report.c:374
__kasan_report+0x16d/0x1e0 mm/kasan/report.c:506
kasan_report+0x36/0x60 mm/kasan/common.c:634
__fsnotify_parent+0x2e7/0x310 fs/notify/fsnotify.c:155
fsnotify_parent include/linux/fsnotify.h:40 [inline]
fsnotify_path include/linux/fsnotify.h:50 [inline]
fsnotify_close include/linux/fsnotify.h:297 [inline]
__fput+0x15a/0x6c0 fs/file_table.c:266
task_work_run+0x176/0x1a0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
exit_to_usermode_loop arch/x86/entry/common.c:163 [inline]
prepare_exit_to_usermode+0x286/0x2e0 arch/x86/entry/common.c:194
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x416f01
Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007ffd6d0833d0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000416f01
RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000001190340 R09: 0000000000000000
R10: 00007ffd6d0834b0 R11: 0000000000000293 R12: 0000000001190348
R13: 0000000000000000 R14: ffffffffffffffff R15: 000000000118cf4c

Allocated by task 2235:
save_stack mm/kasan/common.c:69 [inline]
set_track mm/kasan/common.c:77 [inline]
__kasan_kmalloc+0x12c/0x1c0 mm/kasan/common.c:510
slab_post_alloc_hook mm/slab.h:584 [inline]
slab_alloc_node mm/slub.c:2793 [inline]
slab_alloc mm/slub.c:2801 [inline]
kmem_cache_alloc+0x1d5/0x260 mm/slub.c:2806
__d_alloc+0x2a/0x6b0 fs/dcache.c:1688
d_alloc_pseudo+0x19/0x70 fs/dcache.c:1817
alloc_file_pseudo+0x15b/0x340 fs/file_table.c:225
sock_alloc_file+0xb4/0x230 net/socket.c:398
sock_map_fd net/socket.c:421 [inline]
__sys_socket+0x19b/0x370 net/socket.c:1516
__do_sys_socket net/socket.c:1521 [inline]
__se_sys_socket net/socket.c:1519 [inline]
__x64_sys_socket+0x76/0x80 net/socket.c:1519
do_syscall_64+0xcb/0x150 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 2235:
save_stack mm/kasan/common.c:69 [inline]
set_track mm/kasan/common.c:77 [inline]
kasan_set_free_info mm/kasan/common.c:332 [inline]
__kasan_slab_free+0x181/0x230 mm/kasan/common.c:471
slab_free_hook mm/slub.c:1443 [inline]
slab_free_freelist_hook+0xd0/0x150 mm/slub.c:1476
slab_free mm/slub.c:3041 [inline]
kmem_cache_free+0xac/0x600 mm/slub.c:3057
dentry_kill fs/dcache.c:673 [inline]
dput+0x2e1/0x5e0 fs/dcache.c:859
__fput+0x46b/0x6c0 fs/file_table.c:293
task_work_run+0x176/0x1a0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
exit_to_usermode_loop arch/x86/entry/common.c:163 [inline]
prepare_exit_to_usermode+0x286/0x2e0 arch/x86/entry/common.c:194
entry_SYSCALL_64_after_hwframe+0x44/0xa9

The buggy address belongs to the object at ffff8881c2201990
which belongs to the cache dentry of size 208
The buggy address is located 0 bytes inside of
208-byte region [ffff8881c2201990, ffff8881c2201a60)
The buggy address belongs to the page:
page:ffffea0007088040 refcount:1 mapcount:0 mapping:ffff8881da8eec80 index:0x0
flags: 0x8000000000000200(slab)
raw: 8000000000000200 dead000000000100 dead000000000122 ffff8881da8eec80
raw: 0000000000000000 00000000800f000f 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8881c2201880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881c2201900: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
>ffff8881c2201980: fc fc fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881c2201a00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
ffff8881c2201a80: fc fc fc fc 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
CPU: 0 PID: 2234 Comm: syz-executor.0 Tainted: G B 5.4.61-syzkaller-00801-g1bd2e4c18e44 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:fsnotify_inode_watches_children include/linux/fsnotify_backend.h:364 [inline]
RIP: 0010:__fsnotify_parent+0x140/0x310 fs/notify/fsnotify.c:161
Code: 00 00 00 fc ff df 42 80 3c 20 00 74 08 48 89 df e8 15 19 eb ff 48 8b 03 48 89 04 24 48 8d 98 54 02 00 00 48 89 d8 48 c1 e8 03 <42> 8a 04 20 84 c0 0f 85 a0 01 00 00 8b 1b 89 de 81 e6 00 00 00 08
RSP: 0018:ffff8881cd9b7d60 EFLAGS: 00010203
RAX: 000000000000004a RBX: 0000000000000254 RCX: ffffffff8185289b
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff8881c22019c0
RBP: ffff8881cd9b7e50 R08: ffffffff817a52d1 R09: 0000000000000003
R10: ffffed1039b36f95 R11: 0000000000000004 R12: dffffc0000000000
R13: 00000000cf495d80 R14: ffff8881c2201990 R15: 1ffff11039b36fb0
FS: 0000000001dc9940(0000) GS:ffff8881db800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fa01167edb8 CR3: 00000001cb9c9003 CR4: 00000000001606f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
fsnotify_parent include/linux/fsnotify.h:40 [inline]
fsnotify_path include/linux/fsnotify.h:50 [inline]
fsnotify_close include/linux/fsnotify.h:297 [inline]
__fput+0x15a/0x6c0 fs/file_table.c:266
task_work_run+0x176/0x1a0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
exit_to_usermode_loop arch/x86/entry/common.c:163 [inline]
prepare_exit_to_usermode+0x286/0x2e0 arch/x86/entry/common.c:194
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x416f01
Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007ffd6d0833d0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000416f01
RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000001190340 R09: 0000000000000000
R10: 00007ffd6d0834b0 R11: 0000000000000293 R12: 0000000001190348
R13: 0000000000000000 R14: ffffffffffffffff R15: 000000000118cf4c
Modules linked in:
RSP: 0018:ffff8881cd9b7d60 EFLAGS: 00010203
RAX: 000000000000004a RBX: 0000000000000254 RCX: ffffffff8185289b
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff8881c22019c0
RBP: ffff8881cd9b7e50 R08: ffffffff817a52d1 R09: 0000000000000003
R10: ffffed1039b36f95 R11: 0000000000000004 R12: dffffc0000000000
R13: 00000000cf495d80 R14: ffff8881c2201990 R15: 1ffff11039b36fb0
FS: 0000000001dc9940(0000) GS:ffff8881db800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2cc0037068 CR3: 00000001cb9c9003 CR4: 00000000001606f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches

syzbot

Apr 14, 2023, 6:17:32 AM
to syzkaller-a...@googlegroups.com
Auto-closing this bug as obsolete.
No recent activity, existing reproducers are no longer triggering the issue.