KASAN: use-after-free Read in eventfd_release
6 views
Skip to first unread message
syzbot
Aug 29, 2020, 5:18:24 AM8/29/20
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: f6d5cb9e Linux 4.19.142
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=12bb6eb6900000
kernel config: https://syzkaller.appspot.com/x/.config?x=30067df04d3254aa
dashboard link: https://syzkaller.appspot.com/bug?extid=70b090638bce35fc29b3
compiler: gcc (GCC) 10.1.0-syz 20200507
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13131e69900000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+70b090...@syzkaller.appspotmail.com
Bluetooth: hci0: command 0x041b tx timeout
Bluetooth: hci0: command 0x040f tx timeout
Bluetooth: hci0: command 0x0419 tx timeout
==================================================================
BUG: KASAN: use-after-free in __wake_up_common+0x607/0x650 kernel/sched/wait.c:80
Read of size 8 at addr ffff88808e47b3c0 by task syz-executor.0/8907
CPU: 1 PID: 8907 Comm: syz-executor.0 Not tainted 4.19.142-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2fe lib/dump_stack.c:118
print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
kasan_report_error.cold+0x8a/0x1c7 mm/kasan/report.c:354
kasan_report mm/kasan/report.c:412 [inline]
__asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433
__wake_up_common+0x607/0x650 kernel/sched/wait.c:80
__wake_up_common_lock+0xcd/0x170 kernel/sched/wait.c:121
eventfd_release+0x47/0x60 fs/eventfd.c:114
__fput+0x2ce/0x890 fs/file_table.c:278
task_work_run+0x148/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x251/0x2a0 arch/x86/entry/common.c:167
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x416f01
Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007ffd336ebb70 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000416f01
RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000001190538 R09: 0000000000000000
R10: 00007ffd336ebc50 R11: 0000000000000293 R12: 0000000001190540
R13: 0000000000000000 R14: ffffffffffffffff R15: 000000000118cf4c
Allocated by task 8908:
kmem_cache_alloc_trace+0x12f/0x380 mm/slab.c:3625
kmalloc include/linux/slab.h:515 [inline]
do_eventfd+0x61/0x1a0 fs/eventfd.c:410
__do_sys_eventfd2 fs/eventfd.c:429 [inline]
__se_sys_eventfd2 fs/eventfd.c:427 [inline]
__x64_sys_eventfd2+0x50/0x70 fs/eventfd.c:427
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 8908:
__cache_free mm/slab.c:3503 [inline]
kfree+0xcc/0x210 mm/slab.c:3822
eventfd_free_ctx fs/eventfd.c:87 [inline]
eventfd_free fs/eventfd.c:94 [inline]
kref_put include/linux/kref.h:70 [inline]
eventfd_ctx_put+0x31/0x40 fs/eventfd.c:106
eventfd_release+0x4f/0x60 fs/eventfd.c:115
__fput+0x2ce/0x890 fs/file_table.c:278
task_work_run+0x148/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x251/0x2a0 arch/x86/entry/common.c:167
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff88808e47b380
which belongs to the cache kmalloc-96 of size 96
The buggy address is located 64 bytes inside of
96-byte region [ffff88808e47b380, ffff88808e47b3e0)
The buggy address belongs to the page:
page:ffffea0002391ec0 count:1 mapcount:0 mapping:ffff88812c39c4c0 index:0x0
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffffea00024425c8 ffffea0002414908 ffff88812c39c4c0
raw: 0000000000000000 ffff88808e47b000 0000000100000020 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88808e47b280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88808e47b300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88808e47b380: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
^
ffff88808e47b400: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
ffff88808e47b480: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following issue on:
HEAD commit: f6d5cb9e Linux 4.19.142
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=12bb6eb6900000
kernel config: https://syzkaller.appspot.com/x/.config?x=30067df04d3254aa
dashboard link: https://syzkaller.appspot.com/bug?extid=70b090638bce35fc29b3
compiler: gcc (GCC) 10.1.0-syz 20200507
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13131e69900000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+70b090...@syzkaller.appspotmail.com
Bluetooth: hci0: command 0x041b tx timeout
Bluetooth: hci0: command 0x040f tx timeout
Bluetooth: hci0: command 0x0419 tx timeout
==================================================================
BUG: KASAN: use-after-free in __wake_up_common+0x607/0x650 kernel/sched/wait.c:80
Read of size 8 at addr ffff88808e47b3c0 by task syz-executor.0/8907
CPU: 1 PID: 8907 Comm: syz-executor.0 Not tainted 4.19.142-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2fe lib/dump_stack.c:118
print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
kasan_report_error.cold+0x8a/0x1c7 mm/kasan/report.c:354
kasan_report mm/kasan/report.c:412 [inline]
__asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433
__wake_up_common+0x607/0x650 kernel/sched/wait.c:80
__wake_up_common_lock+0xcd/0x170 kernel/sched/wait.c:121
eventfd_release+0x47/0x60 fs/eventfd.c:114
__fput+0x2ce/0x890 fs/file_table.c:278
task_work_run+0x148/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x251/0x2a0 arch/x86/entry/common.c:167
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x416f01
Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007ffd336ebb70 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000416f01
RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000001190538 R09: 0000000000000000
R10: 00007ffd336ebc50 R11: 0000000000000293 R12: 0000000001190540
R13: 0000000000000000 R14: ffffffffffffffff R15: 000000000118cf4c
Allocated by task 8908:
kmem_cache_alloc_trace+0x12f/0x380 mm/slab.c:3625
kmalloc include/linux/slab.h:515 [inline]
do_eventfd+0x61/0x1a0 fs/eventfd.c:410
__do_sys_eventfd2 fs/eventfd.c:429 [inline]
__se_sys_eventfd2 fs/eventfd.c:427 [inline]
__x64_sys_eventfd2+0x50/0x70 fs/eventfd.c:427
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 8908:
__cache_free mm/slab.c:3503 [inline]
kfree+0xcc/0x210 mm/slab.c:3822
eventfd_free_ctx fs/eventfd.c:87 [inline]
eventfd_free fs/eventfd.c:94 [inline]
kref_put include/linux/kref.h:70 [inline]
eventfd_ctx_put+0x31/0x40 fs/eventfd.c:106
eventfd_release+0x4f/0x60 fs/eventfd.c:115
__fput+0x2ce/0x890 fs/file_table.c:278
task_work_run+0x148/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x251/0x2a0 arch/x86/entry/common.c:167
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff88808e47b380
which belongs to the cache kmalloc-96 of size 96
The buggy address is located 64 bytes inside of
96-byte region [ffff88808e47b380, ffff88808e47b3e0)
The buggy address belongs to the page:
page:ffffea0002391ec0 count:1 mapcount:0 mapping:ffff88812c39c4c0 index:0x0
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffffea00024425c8 ffffea0002414908 ffff88812c39c4c0
raw: 0000000000000000 ffff88808e47b000 0000000100000020 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88808e47b280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88808e47b300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88808e47b380: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
^
ffff88808e47b400: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
ffff88808e47b480: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot
Sep 28, 2020, 8:40:07 AM9/28/20
to syzkaller...@googlegroups.com
syzbot suspects this issue was fixed by commit:
commit 37d933e8b41b83bb8278815e366aec5a542b7e31
Author: Al Viro <vi...@zeniv.linux.org.uk>
Date: Wed Sep 2 15:30:48 2020 +0000
fix regression in "epoll: Keep a reference on files added to the check list"
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=128d78f3900000
start commit: f6d5cb9e Linux 4.19.142
git tree: linux-4.19.y
If the result looks correct, please mark the issue as fixed by replying with:
#syz fix: fix regression in "epoll: Keep a reference on files added to the check list"
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
commit 37d933e8b41b83bb8278815e366aec5a542b7e31
Author: Al Viro <vi...@zeniv.linux.org.uk>
Date: Wed Sep 2 15:30:48 2020 +0000
fix regression in "epoll: Keep a reference on files added to the check list"
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=128d78f3900000
start commit: f6d5cb9e Linux 4.19.142
git tree: linux-4.19.y
kernel config: https://syzkaller.appspot.com/x/.config?x=30067df04d3254aa
dashboard link: https://syzkaller.appspot.com/bug?extid=70b090638bce35fc29b3
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13131e69900000
dashboard link: https://syzkaller.appspot.com/bug?extid=70b090638bce35fc29b3
If the result looks correct, please mark the issue as fixed by replying with:
#syz fix: fix regression in "epoll: Keep a reference on files added to the check list"
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
Reply all
Reply to author
Forward
0 new messages