KASAN: use-after-free Read in refcount_inc_not_zero


syzbot

Nov 2, 2017, 1:35:03 PM
to da...@davemloft.net, linux-...@vger.kernel.org, linux...@vger.kernel.org, net...@vger.kernel.org, nho...@tuxdriver.com, syzkall...@googlegroups.com, vyas...@gmail.com
Hello,

syzkaller hit the following crash on
73d3393ada4f70fa3df5639c8d438f2f034c0ecb
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor4'.
==================================================================
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:276 [inline]
BUG: KASAN: use-after-free in atomic_read arch/x86/include/asm/atomic.h:26 [inline]
BUG: KASAN: use-after-free in refcount_inc_not_zero+0x16e/0x180 lib/refcount.c:119
Read of size 4 at addr ffff8801c9de8ad8 by task syz-executor6/8757

CPU: 0 PID: 8757 Comm: syz-executor6 Not tainted 4.14.0-rc5+ #138
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:16 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:52
print_address_description+0x73/0x250 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report+0x25b/0x340 mm/kasan/report.c:409
__asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:429
__read_once_size include/linux/compiler.h:276 [inline]
atomic_read arch/x86/include/asm/atomic.h:26 [inline]
refcount_inc_not_zero+0x16e/0x180 lib/refcount.c:119
refcount_inc+0x15/0x50 lib/refcount.c:152
sctp_association_hold+0x16/0x20 net/sctp/associola.c:875
sctp_generate_timeout_event+0x2b0/0x330 net/sctp/sm_sideeffect.c:297
sctp_generate_t1_init_event+0x1a/0x20 net/sctp/sm_sideeffect.c:330
call_timer_fn+0x233/0x830 kernel/time/timer.c:1281
expire_timers kernel/time/timer.c:1320 [inline]
__run_timers+0x7fd/0xb90 kernel/time/timer.c:1620
run_timer_softirq+0x4c/0xb0 kernel/time/timer.c:1646
__do_softirq+0x2d7/0xb85 kernel/softirq.c:284
invoke_softirq kernel/softirq.c:364 [inline]
irq_exit+0x1cc/0x200 kernel/softirq.c:405
exiting_irq arch/x86/include/asm/apic.h:638 [inline]
smp_apic_timer_interrupt+0x177/0x710 arch/x86/kernel/apic/apic.c:1059
apic_timer_interrupt+0x9d/0xb0 arch/x86/entry/entry_64.S:770
</IRQ>
RIP: 0010:copy_page+0x7/0x10 arch/x86/lib/copy_page_64.S:17
RSP: 0018:ffff8801d2656e48 EFLAGS: 00010286 ORIG_RAX: ffffffffffffff10
RAX: ffff8801905c0100 RBX: 0000000006290080 RCX: 0000000000000140
RDX: 0000000000000000 RSI: ffff88018a402600 RDI: ffff880172c02600
RBP: ffff8801d2656f98 R08: 0000000000000002 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000002
R13: ffff880000000000 R14: dffffc0000000000 R15: ffffffffffa20000
migrate_page+0x149/0x1f0 mm/migrate.c:751
move_to_new_page+0x3e1/0x8c0 mm/migrate.c:916
__unmap_and_move+0xad2/0x1190 mm/migrate.c:1087
unmap_and_move mm/migrate.c:1170 [inline]
migrate_pages+0x956/0x2610 mm/migrate.c:1404
do_mbind+0xa98/0xce0 mm/mempolicy.c:1239
SYSC_mbind mm/mempolicy.c:1341 [inline]
SyS_mbind+0x13b/0x150 mm/mempolicy.c:1323
entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x452719
RSP: 002b:00007f37fadc7be8 EFLAGS: 00000212 ORIG_RAX: 00000000000000ed
RAX: ffffffffffffffda RBX: 00000000007580d8 RCX: 0000000000452719
RDX: 0000000000000000 RSI: 0000000000800000 RDI: 00000000203b5000
RBP: 0000000000000082 R08: 0000000000000001 R09: 0000000000000002
R10: 0000000020001ff8 R11: 0000000000000212 R12: 0000000000000000
R13: 0000000000a6f7ff R14: 00007f37fadc89c0 R15: 0000000000000011

Allocated by task 8763:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
kmem_cache_alloc_trace+0x136/0x750 mm/slab.c:3627
kmalloc include/linux/slab.h:493 [inline]
kzalloc include/linux/slab.h:666 [inline]
sctp_association_new+0x114/0x21e0 net/sctp/associola.c:309
sctp_sendmsg+0x128c/0x31f0 net/sctp/socket.c:1838
inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:762
sock_sendmsg_nosec net/socket.c:633 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:643
SYSC_sendto+0x352/0x5a0 net/socket.c:1750
SyS_sendto+0x40/0x50 net/socket.c:1718
entry_SYSCALL_64_fastpath+0x1f/0xbe

Freed by task 8776:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3503 [inline]
kfree+0xca/0x250 mm/slab.c:3820
sctp_association_destroy net/sctp/associola.c:435 [inline]
sctp_association_put+0x21c/0x2f0 net/sctp/associola.c:884
sctp_association_free+0x688/0x930 net/sctp/associola.c:413
sctp_cmd_delete_tcb net/sctp/sm_sideeffect.c:919 [inline]
sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1333 [inline]
sctp_side_effects net/sctp/sm_sideeffect.c:1200 [inline]
sctp_do_sm+0x28e7/0x6dd0 net/sctp/sm_sideeffect.c:1171
sctp_primitive_SHUTDOWN+0xa0/0xd0 net/sctp/primitive.c:104
sctp_close+0x3c6/0x980 net/sctp/socket.c:1532
inet_release+0xed/0x1c0 net/ipv4/af_inet.c:425
inet6_release+0x50/0x70 net/ipv6/af_inet6.c:433
sock_release+0x8d/0x1e0 net/socket.c:597
sock_close+0x16/0x20 net/socket.c:1126
__fput+0x327/0x7e0 fs/file_table.c:210
____fput+0x15/0x20 fs/file_table.c:244
task_work_run+0x199/0x270 kernel/task_work.c:112
exit_task_work include/linux/task_work.h:21 [inline]
do_exit+0x9b5/0x1ad0 kernel/exit.c:865
do_group_exit+0x149/0x400 kernel/exit.c:968
get_signal+0x73f/0x16d0 kernel/signal.c:2334
do_signal+0x94/0x1ee0 arch/x86/kernel/signal.c:808
exit_to_usermode_loop+0x214/0x310 arch/x86/entry/common.c:158
prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
syscall_return_slowpath+0x42f/0x510 arch/x86/entry/common.c:266
entry_SYSCALL_64_fastpath+0xbc/0xbe

The buggy address belongs to the object at ffff8801c9de8ac0
which belongs to the cache kmalloc-4096 of size 4096
The buggy address is located 24 bytes inside of
4096-byte region [ffff8801c9de8ac0, ffff8801c9de9ac0)
The buggy address belongs to the page:
page:ffffea0007277a00 count:1 mapcount:0 mapping:ffff8801c9de8ac0 index:0x0
compound_mapcount: 0
flags: 0x200000000008100(slab|head)
raw: 0200000000008100 ffff8801c9de8ac0 0000000000000000 0000000100000001
raw: ffffea000727c9a0 ffffea0007290d20 ffff8801dac00dc0 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8801c9de8980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8801c9de8a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ffff8801c9de8a80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
^
ffff8801c9de8b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8801c9de8b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.
Please credit me with: Reported-by: syzbot <syzk...@googlegroups.com>

syzbot will keep track of this bug report.
Once a fix for this bug is committed, please reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line.
config.txt
raw.log

Xin Long

Nov 3, 2017, 7:27:42 AM
to syzbot, davem, LKML, linux...@vger.kernel.org, network dev, Neil Horman, syzkall...@googlegroups.com, Vlad Yasevich
On Fri, Nov 3, 2017 at 1:35 AM, syzbot
<bot+9e3011b5e961675e73...@syzkaller.appspotmail.com>
wrote:
> Hello,
>
> syzkaller hit the following crash on
> 73d3393ada4f70fa3df5639c8d438f2f034c0ecb
> git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached
> Raw console output is attached.
the log is too long to identify the issue. not sure if it's possible
to make it shorter.

otherwise, let's see if it still exists after fixing the last use-after-free
issue, I feel they are relevant.

thanks.

syzbot

Dec 14, 2017, 1:23:03 PM
to ak...@linux-foundation.org, alexande...@amd.com, bro...@kernel.org, ch...@chris-wilson.co.uk, da...@davemloft.net, deepa....@gmail.com, gre...@linuxfoundation.org, gscr...@redhat.com, linux-...@vger.kernel.org, linux...@vger.kernel.org, luc.vano...@gmail.com, lucie...@gmail.com, mi...@kernel.org, net...@vger.kernel.org, nho...@tuxdriver.com, syzkall...@googlegroups.com, vi...@zeniv.linux.org.uk, vyas...@gmail.com, xiyou.w...@gmail.com
syzkaller has found reproducer for the following crash on
82bcf1def3b5f1251177ad47c44f7e17af039b4b
git://git.cmpxchg.org/linux-mmots.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.
C reproducer is attached
syzkaller reproducer is attached. See https://goo.gl/kgGztJ
for information about syzkaller reproducers
==================================================================
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:183 [inline]
BUG: KASAN: use-after-free in atomic_read arch/x86/include/asm/atomic.h:27 [inline]
BUG: KASAN: use-after-free in refcount_inc_not_zero+0x16e/0x180 lib/refcount.c:120
Read of size 4 at addr ffff8801c51bb200 by task syzkaller711981/3156

CPU: 1 PID: 3156 Comm: syzkaller711981 Not tainted 4.15.0-rc2-mm1+ #39
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
print_address_description+0x73/0x250 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report+0x25b/0x340 mm/kasan/report.c:409
__asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:429
__read_once_size include/linux/compiler.h:183 [inline]
atomic_read arch/x86/include/asm/atomic.h:27 [inline]
refcount_inc_not_zero+0x16e/0x180 lib/refcount.c:120
refcount_inc+0x15/0x50 lib/refcount.c:153
get_ipc_ns include/linux/ipc_namespace.h:129 [inline]
__get_ns_from_inode ipc/mqueue.c:110 [inline]
get_ns_from_inode ipc/mqueue.c:118 [inline]
mqueue_evict_inode+0x137/0x9c0 ipc/mqueue.c:402
evict+0x481/0x920 fs/inode.c:552
iput_final fs/inode.c:1514 [inline]
iput+0x7b9/0xaf0 fs/inode.c:1541
dentry_unlink_inode+0x4b0/0x5e0 fs/dcache.c:376
__dentry_kill+0x3b7/0x6d0 fs/dcache.c:573
shrink_dentry_list+0x3c5/0xcf0 fs/dcache.c:1020
shrink_dcache_parent+0xba/0x230 fs/dcache.c:1454
do_one_tree+0x15/0x50 fs/dcache.c:1485
shrink_dcache_for_umount+0xbb/0x290 fs/dcache.c:1502
generic_shutdown_super+0xcd/0x540 fs/super.c:424
kill_anon_super fs/super.c:987 [inline]
kill_litter_super+0x72/0x90 fs/super.c:997
deactivate_locked_super+0x88/0xd0 fs/super.c:312
deactivate_super+0x141/0x1b0 fs/super.c:343
cleanup_mnt+0xb2/0x150 fs/namespace.c:1173
__cleanup_mnt+0x16/0x20 fs/namespace.c:1180
task_work_run+0x199/0x270 kernel/task_work.c:113
exit_task_work include/linux/task_work.h:22 [inline]
do_exit+0x9bb/0x1ae0 kernel/exit.c:869
do_group_exit+0x149/0x400 kernel/exit.c:972
SYSC_exit_group kernel/exit.c:983 [inline]
SyS_exit_group+0x1d/0x20 kernel/exit.c:981
entry_SYSCALL_64_fastpath+0x1f/0x96
RIP: 0033:0x440729
RSP: 002b:00007ffd090ef228 EFLAGS: 00000206 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 0000000000440729
RDX: 0000000000440729 RSI: 0000000000000000 RDI: 0000000000000001
RBP: 00000000006cb018 R08: 0000000000000000 R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000401bf0
R13: 0000000000401c80 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 3156:
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
kmem_cache_alloc_trace+0x136/0x750 mm/slab.c:3614
kmalloc include/linux/slab.h:516 [inline]
create_ipc_ns ipc/namespace.c:45 [inline]
copy_ipcs+0x1b3/0x520 ipc/namespace.c:96
create_new_namespaces+0x278/0x880 kernel/nsproxy.c:87
unshare_nsproxy_namespaces+0xae/0x1e0 kernel/nsproxy.c:206
SYSC_unshare kernel/fork.c:2421 [inline]
SyS_unshare+0x653/0xfa0 kernel/fork.c:2371
entry_SYSCALL_64_fastpath+0x1f/0x96

Freed by task 3156:
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3492 [inline]
kfree+0xca/0x250 mm/slab.c:3807
free_ipc_ns ipc/namespace.c:139 [inline]
put_ipc_ns+0x112/0x150 ipc/namespace.c:164
free_nsproxy+0xc0/0x1f0 kernel/nsproxy.c:180
switch_task_namespaces+0x9d/0xc0 kernel/nsproxy.c:229
exit_task_namespaces+0x17/0x20 kernel/nsproxy.c:234
do_exit+0x9b6/0x1ae0 kernel/exit.c:868
do_group_exit+0x149/0x400 kernel/exit.c:972
SYSC_exit_group kernel/exit.c:983 [inline]
SyS_exit_group+0x1d/0x20 kernel/exit.c:981
entry_SYSCALL_64_fastpath+0x1f/0x96

The buggy address belongs to the object at ffff8801c51bb200
which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 0 bytes inside of
2048-byte region [ffff8801c51bb200, ffff8801c51bba00)
The buggy address belongs to the page:
page:000000007764ba6d count:1 mapcount:0 mapping:000000002c36623f index:0x0
compound_mapcount: 0
flags: 0x2fffc0000008100(slab|head)
raw: 02fffc0000008100 ffff8801c51ba100 0000000000000000 0000000100000003
raw: ffffea000715d320 ffff8801dac01950 ffff8801dac00c40 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8801c51bb100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8801c51bb180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ffff8801c51bb200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8801c51bb280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8801c51bb300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

config.txt
raw.log
repro.txt
repro.c

Cong Wang

Dec 14, 2017, 2:08:07 PM
to syzbot, Andrew Morton, alexande...@amd.com, bro...@kernel.org, ch...@chris-wilson.co.uk, David Miller, deepa....@gmail.com, Greg KH, gscr...@redhat.com, LKML, linux...@vger.kernel.org, luc.vano...@gmail.com, lucien xin, Ingo Molnar, Linux Kernel Network Developers, Neil Horman, syzkall...@googlegroups.com, Al Viro, Vladislav Yasevich
On Thu, Dec 14, 2017 at 10:23 AM, syzbot
<bot+9e3011b5e961675e73...@syzkaller.appspotmail.com>
wrote:
Seems we can simply fix it by swapping exit_task_work()
with exit_task_namespaces() in do_exit()...
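
As an added illustration (not code from this thread, and not kernel code), the following user-space model shows the teardown-ordering hazard behind the second report: the task's last reference to its ipc namespace is dropped in the exit path, and deferred work run later by the same exiting task (here, the mqueue inode eviction reached from cleanup_mnt()) still dereferences that object, so refcount_inc_not_zero() performs the freed-slab read KASAN flagged. All names in the model (ns_get, ns_put, run_exit, the struct layouts) are hypothetical stand-ins; the kernel function names and the reordering idea are Cong Wang's, and the model only demonstrates why the order of the last put relative to pending work matters, not that this particular swap is the fix that went upstream.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Teaching model (hypothetical names, not kernel code): a refcounted
 * "namespace" object, a task that owns one reference to it, and a deferred
 * work item (think task_work) that takes and drops a temporary reference.
 * Freed objects are poisoned with a flag instead of being released, so the
 * model can detect a use-after-free the way KASAN's freed-slab state does.
 */

struct ns {
	unsigned int refcount;
	bool freed;          /* stands in for KASAN's freed-slab ('fb') shadow state */
};

struct stats {
	int uaf_reads;       /* reads of a freed object, as KASAN would report them */
	int frees;           /* how many times the destructor ran */
};

static struct stats stats;

/* Model of refcount_inc_not_zero(): the check in front is the KASAN read check. */
static bool ns_get(struct ns *n)
{
	if (n->freed) {
		stats.uaf_reads++;   /* "KASAN: use-after-free Read in refcount_inc_not_zero" */
		return false;
	}
	if (n->refcount == 0)
		return false;
	n->refcount++;
	return true;
}

/* Model of refcount_dec_and_test() followed by the object's destructor. */
static void ns_put(struct ns *n)
{
	if (n->freed) {
		stats.uaf_reads++;
		return;
	}
	if (--n->refcount == 0) {
		n->freed = true;     /* the model's kfree(): poison rather than release */
		stats.frees++;
	}
}

struct task {
	struct ns *ipc_ns;          /* owned reference, like nsproxy->ipc_ns */
	struct ns *pending_work_ns; /* object a queued deferred-work item will touch */
	bool work_pending;
};

/* Deferred work, like the mqueue inode eviction reached from cleanup_mnt(). */
static void exit_task_work(struct task *t)
{
	if (!t->work_pending)
		return;
	t->work_pending = false;
	if (ns_get(t->pending_work_ns))
		ns_put(t->pending_work_ns);
}

/* Drops the task's own reference: the last put if nobody else holds one. */
static void exit_task_namespaces(struct task *t)
{
	ns_put(t->ipc_ns);
	t->ipc_ns = NULL;
}

enum exit_order { NAMESPACES_THEN_WORK, WORK_THEN_NAMESPACES };

/*
 * Run one task through exit in the given order and return the number of
 * freed-object reads detected (0 means the order is safe in this model).
 */
static int run_exit(enum exit_order order)
{
	struct ns ns = { .refcount = 1, .freed = false };
	struct task t = { .ipc_ns = &ns, .pending_work_ns = &ns, .work_pending = true };

	memset(&stats, 0, sizeof stats);
	if (order == NAMESPACES_THEN_WORK) {
		exit_task_namespaces(&t);  /* last put: object freed here ...          */
		exit_task_work(&t);        /* ... and the deferred work then reads it */
	} else {
		exit_task_work(&t);        /* work runs while the task still holds a ref */
		exit_task_namespaces(&t);  /* then the last put frees the object once    */
	}
	return stats.uaf_reads;
}

/* Number of destructor runs in the most recent run_exit() call. */
static int frees_after_last_run(void) { return stats.frees; }

int main(void)
{
	printf("namespaces then work: %d use-after-free read(s)\n", run_exit(NAMESPACES_THEN_WORK));
	printf("work then namespaces: %d use-after-free read(s)\n", run_exit(WORK_THEN_NAMESPACES));
	return 0;
}
```

The point the model makes is the general one a reviewer checks in any exit or teardown path: every deferred or asynchronous consumer of an object (timers, task_work, RCU callbacks) must either hold its own reference or be flushed before the owner performs the last put, otherwise refcount_inc_not_zero() cannot protect the consumer because the read of the counter itself is already on freed memory. The same shape explains the first report in this thread, where an SCTP timer callback called sctp_association_hold() on an association that sctp_association_put() had already freed.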

Eric Biggers

Jan 31, 2018, 1:12:27 AM
to syzbot, ak...@linux-foundation.org, alexande...@amd.com, bro...@kernel.org, ch...@chris-wilson.co.uk, da...@davemloft.net, deepa....@gmail.com, gre...@linuxfoundation.org, gscr...@redhat.com, linux-...@vger.kernel.org, linux...@vger.kernel.org, luc.vano...@gmail.com, lucie...@gmail.com, mi...@kernel.org, net...@vger.kernel.org, nho...@tuxdriver.com, syzkall...@googlegroups.com, vi...@zeniv.linux.org.uk, vyas...@gmail.com, xiyou.w...@gmail.com
syzbot hasn't hit this crash since next-20171221, and it looks like it was
caused by the patch "ipc, mqueue: lazy call kern_mount_data in new namespaces"
which was dropped and replaced by "mqueue: switch to on-demand creation of
internal mount" (thanks Al!). So, invalidating this bug so that syzbot can
report crashes here again if they occur.

#syz invalid

- Eric