KASAN: use-after-free Read in uif_close

[syzbot]

Hello,

syzbot found the following crash on:

HEAD commit: c11d28ab Add linux-next specific files for 20200522
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1089b706100000
kernel config: https://syzkaller.appspot.com/x/.config?x=3f6dbdea4159fb66
dashboard link: https://syzkaller.appspot.com/bug?extid=0ce97ea45b008ba3b8bd
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15044ee2100000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+0ce97e...@syzkaller.appspotmail.com

ubi0: attaching mtd0
ubi0: scanning is finished
ubi0: empty MTD device detected
ubi0 error: ubi_attach_mtd_dev: cannot spawn "ubi_bgt0d", error -4
==================================================================
BUG: KASAN: use-after-free in uif_close+0x15e/0x190 drivers/mtd/ubi/build.c:502
Read of size 4 at addr ffff888097fe49e8 by task syz-executor.0/7033

CPU: 0 PID: 7033 Comm: syz-executor.0 Not tainted 5.7.0-rc6-next-20200522-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x18f/0x20d lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xd3/0x413 mm/kasan/report.c:383
__kasan_report mm/kasan/report.c:513 [inline]
kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
uif_close+0x15e/0x190 drivers/mtd/ubi/build.c:502
ubi_attach_mtd_dev+0x157e/0x27c0 drivers/mtd/ubi/build.c:1036
ctrl_cdev_ioctl+0x229/0x2b0 drivers/mtd/ubi/cdev.c:1043
vfs_ioctl fs/ioctl.c:48 [inline]
ksys_ioctl+0x11a/0x180 fs/ioctl.c:753
__do_sys_ioctl fs/ioctl.c:762 [inline]
__se_sys_ioctl fs/ioctl.c:760 [inline]
__x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:760
do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
entry_SYSCALL_64_after_hwframe+0x49/0xb3
RIP: 0033:0x45ca29
Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fd94dd97c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000004e1080 RCX: 000000000045ca29
RDX: 0000000000742508 RSI: 0000000040186f40 RDI: 0000000000000003
RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 0000000000000209 R14: 00000000004c44c1 R15: 00007fd94dd986d4

Allocated by task 7033:
save_stack+0x1b/0x40 mm/kasan/common.c:48
set_track mm/kasan/common.c:56 [inline]
__kasan_kmalloc mm/kasan/common.c:494 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:467
kmem_cache_alloc_trace+0x153/0x7d0 mm/slab.c:3551
kmalloc include/linux/slab.h:555 [inline]
kzalloc include/linux/slab.h:669 [inline]
ubi_attach_mtd_dev+0x2e7/0x27c0 drivers/mtd/ubi/build.c:901
ctrl_cdev_ioctl+0x229/0x2b0 drivers/mtd/ubi/cdev.c:1043
vfs_ioctl fs/ioctl.c:48 [inline]
ksys_ioctl+0x11a/0x180 fs/ioctl.c:753
__do_sys_ioctl fs/ioctl.c:762 [inline]
__se_sys_ioctl fs/ioctl.c:760 [inline]
__x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:760
do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
entry_SYSCALL_64_after_hwframe+0x49/0xb3

Freed by task 7033:
save_stack+0x1b/0x40 mm/kasan/common.c:48
set_track mm/kasan/common.c:56 [inline]
kasan_set_free_info mm/kasan/common.c:316 [inline]
__kasan_slab_free+0xf7/0x140 mm/kasan/common.c:455
__cache_free mm/slab.c:3426 [inline]
kfree+0x109/0x2b0 mm/slab.c:3757
device_release+0x71/0x200 drivers/base/core.c:1541
kobject_cleanup lib/kobject.c:701 [inline]
kobject_release lib/kobject.c:732 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x1c8/0x2f0 lib/kobject.c:749
cdev_device_del+0x69/0x80 fs/char_dev.c:575
uif_close+0xea/0x190 drivers/mtd/ubi/build.c:501
ubi_attach_mtd_dev+0x157e/0x27c0 drivers/mtd/ubi/build.c:1036
ctrl_cdev_ioctl+0x229/0x2b0 drivers/mtd/ubi/cdev.c:1043
vfs_ioctl fs/ioctl.c:48 [inline]
ksys_ioctl+0x11a/0x180 fs/ioctl.c:753
__do_sys_ioctl fs/ioctl.c:762 [inline]
__se_sys_ioctl fs/ioctl.c:760 [inline]
__x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:760
do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
entry_SYSCALL_64_after_hwframe+0x49/0xb3

The buggy address belongs to the object at ffff888097fe4000
which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 2536 bytes inside of
8192-byte region [ffff888097fe4000, ffff888097fe6000)
The buggy address belongs to the page:
page:ffffea00025ff900 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 head:ffffea00025ff900 order:2 compound_mapcount:0 compound_pincount:0
flags: 0xfffe0000010200(slab|head)
raw: 00fffe0000010200 ffffea000267f108 ffffea0002460708 ffff8880aa0021c0
raw: 0000000000000000 ffff888097fe4000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff888097fe4880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888097fe4900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888097fe4980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888097fe4a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888097fe4a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches

[syzbot]

syzbot has found a reproducer for the following crash on:

HEAD commit: c11d28ab Add linux-next specific files for 20200522
git tree: linux-next

console output: https://syzkaller.appspot.com/x/log.txt?x=158d1baa100000

kernel config: https://syzkaller.appspot.com/x/.config?x=3f6dbdea4159fb66
dashboard link: https://syzkaller.appspot.com/bug?extid=0ce97ea45b008ba3b8bd
compiler: gcc (GCC) 9.0.0 20181231 (experimental)

syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14b23f06100000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=111b0172100000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+0ce97e...@syzkaller.appspotmail.com

ubi0: detaching mtd0

==================================================================
BUG: KASAN: use-after-free in uif_close+0x15e/0x190 drivers/mtd/ubi/build.c:502

Read of size 4 at addr ffff8880a6ff09e8 by task syz-executor247/8078

CPU: 1 PID: 8078 Comm: syz-executor247 Not tainted 5.7.0-rc6-next-20200522-syzkaller #0

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x18f/0x20d lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xd3/0x413 mm/kasan/report.c:383
__kasan_report mm/kasan/report.c:513 [inline]
kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
uif_close+0x15e/0x190 drivers/mtd/ubi/build.c:502

ubi_detach_mtd_dev+0x226/0x432 drivers/mtd/ubi/build.c:1110
ctrl_cdev_ioctl+0x1bf/0x2b0 drivers/mtd/ubi/cdev.c:1068

vfs_ioctl fs/ioctl.c:48 [inline]
ksys_ioctl+0x11a/0x180 fs/ioctl.c:753
__do_sys_ioctl fs/ioctl.c:762 [inline]
__se_sys_ioctl fs/ioctl.c:760 [inline]
__x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:760
do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
entry_SYSCALL_64_after_hwframe+0x49/0xb3

RIP: 0033:0x44af69
Code: e8 7c e6 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 1b 05 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f48c29a8ce8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000006e7a08 RCX: 000000000044af69
RDX: 000000000076006e RSI: 0000000040046f41 RDI: 0000000000000003
RBP: 00000000006e7a00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006e7a0c
R13: 00007ffe9ed2c70f R14: 00007f48c29a99c0 R15: 20c49ba5e353f7cf

Allocated by task 8070:

save_stack+0x1b/0x40 mm/kasan/common.c:48
set_track mm/kasan/common.c:56 [inline]
__kasan_kmalloc mm/kasan/common.c:494 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:467
kmem_cache_alloc_trace+0x153/0x7d0 mm/slab.c:3551
kmalloc include/linux/slab.h:555 [inline]
kzalloc include/linux/slab.h:669 [inline]
ubi_attach_mtd_dev+0x2e7/0x27c0 drivers/mtd/ubi/build.c:901
ctrl_cdev_ioctl+0x229/0x2b0 drivers/mtd/ubi/cdev.c:1043
vfs_ioctl fs/ioctl.c:48 [inline]
ksys_ioctl+0x11a/0x180 fs/ioctl.c:753
__do_sys_ioctl fs/ioctl.c:762 [inline]
__se_sys_ioctl fs/ioctl.c:760 [inline]
__x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:760
do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
entry_SYSCALL_64_after_hwframe+0x49/0xb3

Freed by task 8078:

save_stack+0x1b/0x40 mm/kasan/common.c:48
set_track mm/kasan/common.c:56 [inline]
kasan_set_free_info mm/kasan/common.c:316 [inline]
__kasan_slab_free+0xf7/0x140 mm/kasan/common.c:455
__cache_free mm/slab.c:3426 [inline]
kfree+0x109/0x2b0 mm/slab.c:3757
device_release+0x71/0x200 drivers/base/core.c:1541
kobject_cleanup lib/kobject.c:701 [inline]
kobject_release lib/kobject.c:732 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x1c8/0x2f0 lib/kobject.c:749
cdev_device_del+0x69/0x80 fs/char_dev.c:575
uif_close+0xea/0x190 drivers/mtd/ubi/build.c:501

ubi_detach_mtd_dev+0x226/0x432 drivers/mtd/ubi/build.c:1110
ctrl_cdev_ioctl+0x1bf/0x2b0 drivers/mtd/ubi/cdev.c:1068

vfs_ioctl fs/ioctl.c:48 [inline]
ksys_ioctl+0x11a/0x180 fs/ioctl.c:753
__do_sys_ioctl fs/ioctl.c:762 [inline]
__se_sys_ioctl fs/ioctl.c:760 [inline]
__x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:760
do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
entry_SYSCALL_64_after_hwframe+0x49/0xb3

The buggy address belongs to the object at ffff8880a6ff0000

which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 2536 bytes inside of

8192-byte region [ffff8880a6ff0000, ffff8880a6ff2000)

The buggy address belongs to the page:

page:ffffea00029bfc00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 head:ffffea00029bfc00 order:2 compound_mapcount:0 compound_pincount:0
flags: 0xfffe0000010200(slab|head)
raw: 00fffe0000010200 ffffea0002382708 ffffea00028eb008 ffff8880aa0021c0
raw: 0000000000000000 ffff8880a6ff0000 0000000100000001 0000000000000000

page dumped because: kasan: bad access detected

Memory state around the buggy address:

ffff8880a6ff0880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880a6ff0900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880a6ff0980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880a6ff0a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880a6ff0a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

[syzbot]

syzbot has bisected this bug to:

commit 32ec783ae19d48084b893cc54747fed37b07eb0c
Author: Arnd Bergmann <ar...@arndb.de>
Date: Wed Apr 8 19:02:57 2020 +0000

firmware: imx: fix compile-testing

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=15b22972100000
start commit: c11d28ab Add linux-next specific files for 20200522
git tree: linux-next
final crash: https://syzkaller.appspot.com/x/report.txt?x=17b22972100000
console output: https://syzkaller.appspot.com/x/log.txt?x=13b22972100000

kernel config: https://syzkaller.appspot.com/x/.config?x=3f6dbdea4159fb66
dashboard link: https://syzkaller.appspot.com/bug?extid=0ce97ea45b008ba3b8bd

syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14b23f06100000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=111b0172100000

Reported-by: syzbot+0ce97e...@syzkaller.appspotmail.com
Fixes: 32ec783ae19d ("firmware: imx: fix compile-testing")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

[Richard Weinberger]

----- Ursprüngliche Mail -----
> Von: "syzbot" <syzbot+0ce97e...@syzkaller.appspotmail.com>
> An: "Arnd Bergmann" <ar...@arndb.de>, "daniel baluta" <daniel...@nxp.com>, "festevam" <fest...@gmail.com>, "Greg
> Kroah-Hartman" <gre...@linuxfoundation.org>, "kernel" <ker...@pengutronix.de>, "linux-arm-kernel"
> <linux-ar...@lists.infradead.org>, "linux-imx" <linu...@nxp.com>, "linux-kernel" <linux-...@vger.kernel.org>,
> "linux-mtd" <linu...@lists.infradead.org>, li...@rempel-privat.de, "Miquel Raynal" <miquel...@bootlin.com>,
> "richard" <ric...@nod.at>, "Sascha Hauer" <s.h...@pengutronix.de>, "shawnguo" <shaw...@kernel.org>,
> syzkall...@googlegroups.com, "Vignesh Raghavendra" <vign...@ti.com>
> Gesendet: Sonntag, 24. Mai 2020 08:03:03
> Betreff: Re: KASAN: use-after-free Read in uif_close

> syzbot has bisected this bug to:
>
> commit 32ec783ae19d48084b893cc54747fed37b07eb0c
> Author: Arnd Bergmann <ar...@arndb.de>
> Date: Wed Apr 8 19:02:57 2020 +0000
>
> firmware: imx: fix compile-testing

Hmm, from a quick check I don't see how this is related.
Arnd?

Thanks,
//richard

[Arnd Bergmann]

I suppose this was a randconfig build for a configuration that did not build
until I fixed the build stage, and then it failed at runtime, so the bug would
have been in earlier releases as well, it was just not observed.

Arnd

[syzbot]

Auto-closing this bug as obsolete.
No recent activity, existing reproducers are no longer triggering the issue.