[syzbot] KASAN: use-after-free Read in post_one_notification


syzbot

Mar 21, 2022, 9:25:23 AM
to christoph...@wanadoo.fr, dhow...@redhat.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 551acdc3c3d2 Merge tag 'net-5.17-final' of git://git.kerne..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=131b279d700000
kernel config: https://syzkaller.appspot.com/x/.config?x=d35f9bc6884af6c9
dashboard link: https://syzkaller.appspot.com/bug?extid=c70d87ac1d001f29a058
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11dbf961700000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17f5b119700000

Bisection is inconclusive: the issue happens on the oldest tested release.

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1163699d700000
final oops: https://syzkaller.appspot.com/x/report.txt?x=1363699d700000
console output: https://syzkaller.appspot.com/x/log.txt?x=1563699d700000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c70d87...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x3f2f/0x56c0 kernel/locking/lockdep.c:4897
Read of size 8 at addr ffff88807bc048a8 by task syz-executor399/3618

CPU: 1 PID: 3618 Comm: syz-executor399 Not tainted 5.17.0-rc8-syzkaller-00045-g551acdc3c3d2 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description.constprop.0.cold+0x8d/0x336 mm/kasan/report.c:255
__kasan_report mm/kasan/report.c:442 [inline]
kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
__lock_acquire+0x3f2f/0x56c0 kernel/locking/lockdep.c:4897
lock_acquire kernel/locking/lockdep.c:5639 [inline]
lock_acquire+0x1ab/0x510 kernel/locking/lockdep.c:5604
__raw_spin_lock_irq include/linux/spinlock_api_smp.h:119 [inline]
_raw_spin_lock_irq+0x32/0x50 kernel/locking/spinlock.c:170
spin_lock_irq include/linux/spinlock.h:374 [inline]
post_one_notification.isra.0+0x59/0x830 kernel/watch_queue.c:86
__post_watch_notification kernel/watch_queue.c:206 [inline]
__post_watch_notification+0x561/0x840 kernel/watch_queue.c:176
post_watch_notification include/linux/watch_queue.h:109 [inline]
notify_key security/keys/internal.h:199 [inline]
__key_update security/keys/key.c:775 [inline]
key_create_or_update+0xdbf/0xde0 security/keys/key.c:979
__do_sys_add_key+0x215/0x430 security/keys/keyctl.c:134
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f53132c8a89
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f531327a2f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000f8
RAX: ffffffffffffffda RBX: 00007f5313350428 RCX: 00007f53132c8a89
RDX: 00000000200000c0 RSI: 0000000020000080 RDI: 0000000020000040
RBP: 0000000000000000 R08: 00000000fffffffc R09: 0000000000000000
R10: 0000000000000048 R11: 0000000000000246 R12: 00007f5313350420
R13: 00007f531335042c R14: 00007f531331e074 R15: 3a74707972637366
</TASK>

Allocated by task 3615:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
kasan_set_track mm/kasan/common.c:45 [inline]
set_alloc_info mm/kasan/common.c:436 [inline]
____kasan_kmalloc mm/kasan/common.c:515 [inline]
____kasan_kmalloc mm/kasan/common.c:474 [inline]
__kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:524
kmalloc include/linux/slab.h:581 [inline]
kzalloc include/linux/slab.h:714 [inline]
alloc_pipe_info+0x105/0x590 fs/pipe.c:790
get_pipe_inode fs/pipe.c:881 [inline]
create_pipe_files+0x8d/0x880 fs/pipe.c:913
__do_pipe_flags fs/pipe.c:962 [inline]
do_pipe2+0x96/0x1b0 fs/pipe.c:1010
__do_sys_pipe2 fs/pipe.c:1028 [inline]
__se_sys_pipe2 fs/pipe.c:1026 [inline]
__x64_sys_pipe2+0x50/0x70 fs/pipe.c:1026
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 3616:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
kasan_set_track+0x21/0x30 mm/kasan/common.c:45
kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
____kasan_slab_free mm/kasan/common.c:366 [inline]
____kasan_slab_free+0x126/0x160 mm/kasan/common.c:328
kasan_slab_free include/linux/kasan.h:236 [inline]
slab_free_hook mm/slub.c:1728 [inline]
slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1754
slab_free mm/slub.c:3509 [inline]
kfree+0xd0/0x390 mm/slub.c:4562
put_pipe_info fs/pipe.c:711 [inline]
pipe_release+0x2bf/0x320 fs/pipe.c:734
__fput+0x286/0x9f0 fs/file_table.c:317
task_work_run+0xdd/0x1a0 kernel/task_work.c:164
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
exit_to_user_mode_loop kernel/entry/common.c:175 [inline]
exit_to_user_mode_prepare+0x27e/0x290 kernel/entry/common.c:207
__syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff88807bc04800
which belongs to the cache kmalloc-cg-512 of size 512
The buggy address is located 168 bytes inside of
512-byte region [ffff88807bc04800, ffff88807bc04a00)
The buggy address belongs to the page:
page:ffffea0001ef0100 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7bc04
head:ffffea0001ef0100 order:2 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 0000000000000000 dead000000000122 ffff888010c42dc0
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 3609, ts 50514720858, free_ts 25116018184
prep_new_page mm/page_alloc.c:2434 [inline]
get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4165
__alloc_pages+0x1b2/0x500 mm/page_alloc.c:5389
alloc_pages+0x1aa/0x310 mm/mempolicy.c:2271
alloc_slab_page mm/slub.c:1799 [inline]
allocate_slab+0x27f/0x3c0 mm/slub.c:1944
new_slab mm/slub.c:2004 [inline]
___slab_alloc+0xbe1/0x12b0 mm/slub.c:3018
__slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3105
slab_alloc_node mm/slub.c:3196 [inline]
slab_alloc mm/slub.c:3238 [inline]
kmem_cache_alloc_trace+0x2f8/0x3d0 mm/slub.c:3255
kmalloc include/linux/slab.h:581 [inline]
kzalloc include/linux/slab.h:714 [inline]
alloc_pipe_info+0x105/0x590 fs/pipe.c:790
get_pipe_inode fs/pipe.c:881 [inline]
create_pipe_files+0x8d/0x880 fs/pipe.c:913
__do_pipe_flags fs/pipe.c:962 [inline]
do_pipe2+0x96/0x1b0 fs/pipe.c:1010
__do_sys_pipe2 fs/pipe.c:1028 [inline]
__se_sys_pipe2 fs/pipe.c:1026 [inline]
__x64_sys_pipe2+0x50/0x70 fs/pipe.c:1026
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1352 [inline]
free_pcp_prepare+0x374/0x870 mm/page_alloc.c:1404
free_unref_page_prepare mm/page_alloc.c:3325 [inline]
free_unref_page+0x19/0x690 mm/page_alloc.c:3404
__unfreeze_partials+0x320/0x340 mm/slub.c:2536
qlink_free mm/kasan/quarantine.c:157 [inline]
qlist_free_all+0x6d/0x160 mm/kasan/quarantine.c:176
kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:283
__kasan_slab_alloc+0xa2/0xc0 mm/kasan/common.c:446
kasan_slab_alloc include/linux/kasan.h:260 [inline]
slab_post_alloc_hook mm/slab.h:732 [inline]
slab_alloc_node mm/slub.c:3230 [inline]
slab_alloc mm/slub.c:3238 [inline]
kmem_cache_alloc_trace+0x258/0x3d0 mm/slub.c:3255
kmalloc include/linux/slab.h:581 [inline]
kzalloc include/linux/slab.h:714 [inline]
tomoyo_print_bprm security/tomoyo/audit.c:26 [inline]
tomoyo_init_log+0xc6a/0x1ee0 security/tomoyo/audit.c:264
tomoyo_supervisor+0x34d/0xf00 security/tomoyo/common.c:2097
tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline]
tomoyo_env_perm+0x17f/0x1f0 security/tomoyo/environ.c:63
tomoyo_environ security/tomoyo/domain.c:672 [inline]
tomoyo_find_next_domain+0x13ce/0x1f80 security/tomoyo/domain.c:879
tomoyo_bprm_check_security security/tomoyo/tomoyo.c:101 [inline]
tomoyo_bprm_check_security+0x121/0x1a0 security/tomoyo/tomoyo.c:91
security_bprm_check+0x45/0xa0 security/security.c:866
search_binary_handler fs/exec.c:1715 [inline]
exec_binprm fs/exec.c:1768 [inline]
bprm_execve fs/exec.c:1837 [inline]
bprm_execve+0x732/0x19b0 fs/exec.c:1799
do_execveat_common+0x5e3/0x780 fs/exec.c:1926
do_execve fs/exec.c:1994 [inline]
__do_sys_execve fs/exec.c:2070 [inline]
__se_sys_execve fs/exec.c:2065 [inline]
__x64_sys_execve+0x8f/0xc0 fs/exec.c:2065

Memory state around the buggy address:
ffff88807bc04780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88807bc04800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88807bc04880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88807bc04900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807bc04980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches

David Howells

Mar 21, 2022, 11:40:12 AM
to syzbot, dhow...@redhat.com, christoph...@wanadoo.fr, linux-...@vger.kernel.org, syzkall...@googlegroups.com
> memcpy((void*)0x20000280, "/dev/adsp1\000", 11);

Is that significant to the test?! I presume it's some sort of sound device?

David

Dmitry Vyukov

Mar 22, 2022, 3:52:17 AM
to David Howells, syzbot, christoph...@wanadoo.fr, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Mon, 21 Mar 2022 at 16:40, David Howells <dhow...@redhat.com> wrote:
>
> > memcpy((void*)0x20000280, "/dev/adsp1\000", 11);
>
> Is that significant to the test?! I presume it's some sort of sound device?

Hi David,

syzkaller tries to minimize reproducers and remove anything that's not
necessary to reproduce the crash.
However, this is done mechanically. Things may have some secondary
effects that prevent removal, or a crash may be simply flaky and then
removing just anything may lead to no crash.

Siddh Raman Pant

Jul 23, 2022, 9:20:30 AM
to syzbot+c70d87...@syzkaller.appspotmail.com, christoph...@wanadoo.fr, dhow...@redhat.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
#syz test: g...@github.com:siddhpant/linux.git post_one_notification

syzbot

Jul 23, 2022, 9:21:10 AM
to christoph...@wanadoo.fr, co...@siddh.me, dhow...@redhat.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to checkout kernel repo g...@github.com:siddhpant/linux.git/post_one_notification: failed to run ["git" "fetch" "--force" "219a8dc7158a7de03b74c244ef07dcd062b9b3f7" "post_one_notification"]: exit status 128
Host key verification failed.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.



Tested on:

commit: [unknown
git tree: g...@github.com:siddhpant/linux.git post_one_notification
Note: no patches were applied.

Siddh Raman Pant

Jul 23, 2022, 9:23:20 AM
to syzbot, christophe.jaillet, dhowells, linux-kernel, syzkaller-bugs
#syz test: https://github.com/siddhpant/linux.git post_one_notification

syzbot

Jul 23, 2022, 9:42:09 AM
to christoph...@wanadoo.fr, co...@siddh.me, dhow...@redhat.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+c70d87...@syzkaller.appspotmail.com

Tested on:

commit: 778e6ace kernel/watch_queue: Make pipe NULL while clea..
git tree: https://github.com/siddhpant/linux.git post_one_notification
console output: https://syzkaller.appspot.com/x/log.txt?x=13049d52080000
kernel config: https://syzkaller.appspot.com/x/.config?x=95c061eee05f8e15
dashboard link: https://syzkaller.appspot.com/bug?extid=c70d87ac1d001f29a058
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2

Note: no patches were applied.
Note: testing is done by a robot and is best-effort only.

Hillf Danton

Jul 23, 2022, 10:20:45 AM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Mon, 21 Mar 2022 06:25:22 -0700
> syzbot found the following issue on:
>
> HEAD commit: 551acdc3c3d2 Merge tag 'net-5.17-final' of git://git.kerne..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=131b279d700000
> kernel config: https://syzkaller.appspot.com/x/.config?x=d35f9bc6884af6c9
> dashboard link: https://syzkaller.appspot.com/bug?extid=c70d87ac1d001f29a058
> compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11dbf961700000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17f5b119700000

Serialize the post and clear paths with wqueue->defunct.

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 551acdc3c3d2

--- y/kernel/watch_queue.c
+++ w/kernel/watch_queue.c
@@ -83,10 +83,10 @@ static bool post_one_notification(struct
if (!pipe)
return false;

- spin_lock_irq(&pipe->rd_wait.lock);
-
+ spin_lock_bh(&wqueue->lock);
if (wqueue->defunct)
- goto out;
+ goto unlock;
+ spin_lock_irq(&pipe->rd_wait.lock);

mask = pipe->ring_size - 1;
head = pipe->head;
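Review bot: `pipe` is still loaded from the watch queue and NULL-checked before `spin_lock_bh(&wqueue->lock)` is taken, so the `wqueue->defunct` test under the lock only protects that pointer if the clearing side sets `defunct` while holding `wqueue->lock` and before the pipe is freed; that side is not part of this patch, so the commit message should say where that happens. The hunk also fixes the nesting order `wqueue->lock` outside `pipe->rd_wait.lock`; state that no other path takes the two in the opposite order, since lockdep will otherwise report an inversion.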
@@ -126,6 +126,8 @@ out:
spin_unlock_irq(&pipe->rd_wait.lock);
if (done)
kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
+unlock:
+ spin_unlock_bh(&wqueue->lock);
return done;

lost:
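Review bot: `unlock:` is reached by falling through from `out:` or by the early `goto unlock` in the first hunk, but the `lost:` label that follows `return done;` is outside the shown lines; confirm that every path through `lost:` ends at `out:` (and so at `unlock:`) rather than returning directly, otherwise `wqueue->lock` is left held with bottom halves disabled. A one-line comment at `unlock:` noting that it pairs with the `spin_lock_bh()` at the top of the function would also help readers follow the label chain.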
--

syzbot

Jul 23, 2022, 10:39:13 AM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+c70d87...@syzkaller.appspotmail.com

Tested on:

commit: 551acdc3 Merge tag 'net-5.17-final' of git://git.kerne..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=133a814a080000
kernel config: https://syzkaller.appspot.com/x/.config?x=e006319d4b3bc11a
dashboard link: https://syzkaller.appspot.com/bug?extid=c70d87ac1d001f29a058
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=13b8c83c080000

Siddh Raman Pant

Jul 23, 2022, 11:41:45 PM
to syzbot, christophe.jaillet, dhowells, linux-kernel, syzkaller-bugs

syzbot

Jul 24, 2022, 12:01:15 AM
to christoph...@wanadoo.fr, co...@siddh.me, dhow...@redhat.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+c70d87...@syzkaller.appspotmail.com

Tested on:

commit: fa4c07d9 kernel/watch_queue: Make pipe NULL while clea..
git tree: https://github.com/siddhpant/linux.git post_one_notification
console output: https://syzkaller.appspot.com/x/log.txt?x=17f5cf52080000
kernel config: https://syzkaller.appspot.com/x/.config?x=95c061eee05f8e15
dashboard link: https://syzkaller.appspot.com/bug?extid=c70d87ac1d001f29a058
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2

Note: no patches were applied.

Siddh Raman Pant

Jul 28, 2022, 11:30:57 AM
to syzbot, christophe.jaillet, dhowells, linux-kernel, syzkaller-bugs

syzbot

Jul 28, 2022, 11:50:12 AM
to christoph...@wanadoo.fr, co...@siddh.me, dhow...@redhat.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+c70d87...@syzkaller.appspotmail.com

Tested on:

commit: 16007670 kernel/watch_queue: Make pipe NULL while clea..
git tree: https://github.com/siddhpant/linux.git post_one_notification
console output: https://syzkaller.appspot.com/x/log.txt?x=11a6eade080000

Hillf Danton

Aug 1, 2022, 6:35:45 AM
to syzbot, Siddh Raman Pant, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Mon, 21 Mar 2022 06:25:22 -0700
> syzbot found the following issue on:
>
> HEAD commit: 551acdc3c3d2 Merge tag 'net-5.17-final' of git://git.kerne..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=131b279d700000
> kernel config: https://syzkaller.appspot.com/x/.config?x=d35f9bc6884af6c9
> dashboard link: https://syzkaller.appspot.com/bug?extid=c70d87ac1d001f29a058
> compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11dbf961700000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17f5b119700000

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

syzbot

Aug 1, 2022, 6:54:10 AM
to co...@siddh.me, hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+c70d87...@syzkaller.appspotmail.com

Tested on:

commit: 3d7cb6b0 Linux 5.19
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=14066d7a080000
kernel config: https://syzkaller.appspot.com/x/.config?x=70dd99d568a89e0
dashboard link: https://syzkaller.appspot.com/bug?extid=c70d87ac1d001f29a058
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2

Eric Biggers

Aug 2, 2022, 6:27:22 PM
to syzbot, co...@siddh.me, hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
It appears this was already fixed, so no need for any more activity on this bug:

#syz fix: watchqueue: make sure to serialize 'wqueue->defunct' properly

- Eric

Siddh Raman Pant

Aug 3, 2022, 12:04:56 AM
to Eric Biggers, syzbot, hdanton, linux-kernel, syzkaller-bugs
On Wed, 03 Aug 2022 03:57:19 +0530 Eric Biggers <ebig...@kernel.org> wrote:
> It appears this was already fixed, so no need for any more activity on this bug:
>
> #syz fix: watchqueue: make sure to serialize 'wqueue->defunct' properly
>
> - Eric

It doesn't address the dangling pointer remaining in the watch_queue,
which was the root cause of this crash. The use-after-free happened
because the pipe was freed but a dangling pointer of it remained in
a watch_queue, and an attempt to dereference it was there.

Thanks,
Siddh
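The dangling-pointer sequence described above, replayed as an added C model that is not kernel code (every name in it is a hypothetical stand-in): the posting side reads the pipe pointer, the release side frees the pipe, and the posting side resumes, first with the original unlocked read and then with the pipe pointer and defunct flag cleared and checked only under the queue lock.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdlib.h>

/* Constructed model of the report's race (hypothetical names, not kernel code):
 * the watch queue keeps a raw pointer to its pipe, the release side frees the
 * pipe, and the posting side may still use it; a freed pipe is only flagged. */
struct model_pipe { unsigned int head; bool freed; };
struct model_wqueue {
    bool locked;              /* stands in for wqueue->lock */
    bool defunct;             /* stands in for wqueue->defunct */
    struct model_pipe *pipe;  /* stands in for wqueue->pipe */
};
typedef void (*preempt_fn)(struct model_wqueue *);

static void wq_lock(struct model_wqueue *wq)   { assert(!wq->locked); wq->locked = true; }
static void wq_unlock(struct model_wqueue *wq) { assert(wq->locked);  wq->locked = false; }

/* Release side: mark the queue defunct and drop the pipe pointer under the
 * lock, then free the pipe; nobody may use the old pointer afterwards. */
static void model_clear(struct model_wqueue *wq)
{
    wq_lock(wq);
    struct model_pipe *pipe = wq->pipe;
    wq->defunct = true;
    wq->pipe = NULL;                      /* "make pipe NULL while clearing" */
    wq_unlock(wq);
    if (pipe) pipe->freed = true;         /* stand-in for kfree(pipe) */
}

/* Buggy posting side: the pipe pointer is read before any lock is held, and
 * preempt() is the window in which the release side can run.  Returns true
 * if the pipe it went on to touch had already been freed. */
static bool post_unsafe(struct model_wqueue *wq, preempt_fn preempt)
{
    struct model_pipe *pipe = wq->pipe;   /* unlocked read */
    if (!pipe) return false;
    preempt(wq);                          /* release side runs here */
    wq_lock(wq);
    bool stale = pipe->freed;             /* the dangling dereference */
    if (!wq->defunct) pipe->head++;
    wq_unlock(wq);
    return stale;
}

/* Fixed posting side: pipe and defunct are read only under the lock, so the
 * release either completed before we locked (we bail out) or has to wait. */
static bool post_safe(struct model_wqueue *wq, preempt_fn preempt)
{
    preempt(wq);                          /* can only land before the lock */
    wq_lock(wq);
    struct model_pipe *pipe = wq->pipe;
    bool stale = false;
    if (pipe && !wq->defunct) { stale = pipe->freed; pipe->head++; }
    wq_unlock(wq);
    return stale;
}

/* Replay "post starts, pipe is released, post resumes"; true = freed pipe touched. */
bool race(bool fixed)
{
    struct model_pipe pipe = { 0 };
    struct model_wqueue wq = { .pipe = &pipe };
    return fixed ? post_safe(&wq, model_clear) : post_unsafe(&wq, model_clear);
}
```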

Eric Biggers

Aug 3, 2022, 12:09:37 AM
to Siddh Raman Pant, syzbot, hdanton, linux-kernel, syzkaller-bugs
I don't think that's true; the pointer doesn't get dereferenced after
watch_queue::defunct is set. See my message on the other thread where I
explained this: https://lore.kernel.org/lkml/YunKlJCD...@sol.localdomain

Of course, if you actually have a reproducer, or a KASAN report, or anything at
all that shows there is still a problem, then please post it.

- Eric

Siddh Raman Pant

Aug 3, 2022, 1:17:50 AM
to Eric Biggers, syzbot, hdanton, linux-kernel, syzkaller-bugs
On Wed, 03 Aug 2022 09:39:34 +0530 Eric Biggers <ebig...@kernel.org> wrote:
> I don't think that's true; the pointer doesn't get dereferenced after
> watch_queue::defunct is set. See my message on the other thread where I
> explained this: https://lore.kernel.org/lkml/YunKlJCD...@sol.localdomain
>
> Of course, if you actually have a reproducer, or a KASAN report, or anything at
> all that shows there is still a problem, then please post it.
>
> - Eric

Replying to the other thread.

Thanks,
Siddh