KASAN: use-after-free Read in locks_remove_file
7 views
Skip to first unread message
syzbot
Aug 26, 2020, 9:58:16 PM8/26/20
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: f6d5cb9e Linux 4.19.142
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=13dc2fee900000
kernel config: https://syzkaller.appspot.com/x/.config?x=30067df04d3254aa
dashboard link: https://syzkaller.appspot.com/bug?extid=c584305f4382b089f77d
compiler: gcc (GCC) 10.1.0-syz 20200507
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=105e41d5900000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c58430...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:193 [inline]
BUG: KASAN: use-after-free in locks_remove_file+0x40b/0x450 fs/locks.c:2552
Read of size 8 at addr ffff88807fdd2d30 by task syz-executor.1/25449
CPU: 0 PID: 25449 Comm: syz-executor.1 Not tainted 4.19.142-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2fe lib/dump_stack.c:118
print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
kasan_report_error.cold+0x8a/0x1c7 mm/kasan/report.c:354
kasan_report mm/kasan/report.c:412 [inline]
__asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433
__read_once_size include/linux/compiler.h:193 [inline]
locks_remove_file+0x40b/0x450 fs/locks.c:2552
__fput+0x220/0x890 fs/file_table.c:270
task_work_run+0x148/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x251/0x2a0 arch/x86/entry/common.c:167
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x416f01
Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007fffbddb08b0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000005 RCX: 0000000000416f01
RDX: 0000000000000000 RSI: 0000000001190a38 RDI: 0000000000000004
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 00007fffbddb09a0 R11: 0000000000000293 R12: 0000000001190a38
R13: 00000000001d8e17 R14: ffffffffffffffff R15: 000000000118d12c
Allocated by task 25461:
kmem_cache_alloc+0x122/0x370 mm/slab.c:3559
sock_alloc_inode+0x19/0x250 net/socket.c:244
alloc_inode+0x5d/0x180 fs/inode.c:211
new_inode_pseudo+0x14/0xe0 fs/inode.c:911
sock_alloc+0x3c/0x260 net/socket.c:547
__sock_create+0xba/0x740 net/socket.c:1240
sock_create net/socket.c:1316 [inline]
__sys_socket+0xef/0x200 net/socket.c:1346
__do_sys_socket net/socket.c:1355 [inline]
__se_sys_socket net/socket.c:1353 [inline]
__x64_sys_socket+0x6f/0xb0 net/socket.c:1353
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 25462:
__cache_free mm/slab.c:3503 [inline]
kmem_cache_free+0x7f/0x260 mm/slab.c:3765
destroy_inode+0xb9/0x110 fs/inode.c:268
iput_final fs/inode.c:1555 [inline]
iput+0x4f1/0x860 fs/inode.c:1581
dentry_unlink_inode+0x265/0x320 fs/dcache.c:374
__dentry_kill+0x3c0/0x640 fs/dcache.c:566
dentry_kill+0xc4/0x510 fs/dcache.c:685
dput+0x55f/0x640 fs/dcache.c:846
__fput+0x415/0x890 fs/file_table.c:291
task_work_run+0x148/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x251/0x2a0 arch/x86/entry/common.c:167
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff88807fdd2b00
which belongs to the cache sock_inode_cache of size 992
The buggy address is located 560 bytes inside of
992-byte region [ffff88807fdd2b00, ffff88807fdd2ee0)
The buggy address belongs to the page:
page:ffffea0001ff7480 count:1 mapcount:0 mapping:ffff88821b718000 index:0xffff88807fdd2ffd
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffffea0001d74cc8 ffffea0001dcc108 ffff88821b718000
raw: ffff88807fdd2ffd ffff88807fdd2200 0000000100000003 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88807fdd2c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807fdd2c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88807fdd2d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88807fdd2d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807fdd2e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following issue on:
HEAD commit: f6d5cb9e Linux 4.19.142
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=13dc2fee900000
kernel config: https://syzkaller.appspot.com/x/.config?x=30067df04d3254aa
dashboard link: https://syzkaller.appspot.com/bug?extid=c584305f4382b089f77d
compiler: gcc (GCC) 10.1.0-syz 20200507
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=105e41d5900000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c58430...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:193 [inline]
BUG: KASAN: use-after-free in locks_remove_file+0x40b/0x450 fs/locks.c:2552
Read of size 8 at addr ffff88807fdd2d30 by task syz-executor.1/25449
CPU: 0 PID: 25449 Comm: syz-executor.1 Not tainted 4.19.142-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2fe lib/dump_stack.c:118
print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
kasan_report_error.cold+0x8a/0x1c7 mm/kasan/report.c:354
kasan_report mm/kasan/report.c:412 [inline]
__asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433
__read_once_size include/linux/compiler.h:193 [inline]
locks_remove_file+0x40b/0x450 fs/locks.c:2552
__fput+0x220/0x890 fs/file_table.c:270
task_work_run+0x148/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x251/0x2a0 arch/x86/entry/common.c:167
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x416f01
Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007fffbddb08b0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000005 RCX: 0000000000416f01
RDX: 0000000000000000 RSI: 0000000001190a38 RDI: 0000000000000004
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 00007fffbddb09a0 R11: 0000000000000293 R12: 0000000001190a38
R13: 00000000001d8e17 R14: ffffffffffffffff R15: 000000000118d12c
Allocated by task 25461:
kmem_cache_alloc+0x122/0x370 mm/slab.c:3559
sock_alloc_inode+0x19/0x250 net/socket.c:244
alloc_inode+0x5d/0x180 fs/inode.c:211
new_inode_pseudo+0x14/0xe0 fs/inode.c:911
sock_alloc+0x3c/0x260 net/socket.c:547
__sock_create+0xba/0x740 net/socket.c:1240
sock_create net/socket.c:1316 [inline]
__sys_socket+0xef/0x200 net/socket.c:1346
__do_sys_socket net/socket.c:1355 [inline]
__se_sys_socket net/socket.c:1353 [inline]
__x64_sys_socket+0x6f/0xb0 net/socket.c:1353
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 25462:
__cache_free mm/slab.c:3503 [inline]
kmem_cache_free+0x7f/0x260 mm/slab.c:3765
destroy_inode+0xb9/0x110 fs/inode.c:268
iput_final fs/inode.c:1555 [inline]
iput+0x4f1/0x860 fs/inode.c:1581
dentry_unlink_inode+0x265/0x320 fs/dcache.c:374
__dentry_kill+0x3c0/0x640 fs/dcache.c:566
dentry_kill+0xc4/0x510 fs/dcache.c:685
dput+0x55f/0x640 fs/dcache.c:846
__fput+0x415/0x890 fs/file_table.c:291
task_work_run+0x148/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x251/0x2a0 arch/x86/entry/common.c:167
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff88807fdd2b00
which belongs to the cache sock_inode_cache of size 992
The buggy address is located 560 bytes inside of
992-byte region [ffff88807fdd2b00, ffff88807fdd2ee0)
The buggy address belongs to the page:
page:ffffea0001ff7480 count:1 mapcount:0 mapping:ffff88821b718000 index:0xffff88807fdd2ffd
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffffea0001d74cc8 ffffea0001dcc108 ffff88821b718000
raw: ffff88807fdd2ffd ffff88807fdd2200 0000000100000003 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88807fdd2c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807fdd2c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88807fdd2d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88807fdd2d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807fdd2e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot
Oct 4, 2020, 4:14:10 AM10/4/20
to syzkaller...@googlegroups.com
syzbot suspects this issue was fixed by commit:
commit 37d933e8b41b83bb8278815e366aec5a542b7e31
Author: Al Viro <vi...@zeniv.linux.org.uk>
Date: Wed Sep 2 15:30:48 2020 +0000
fix regression in "epoll: Keep a reference on files added to the check list"
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1149777b900000
start commit: c37da90e Linux 4.19.143
git tree: linux-4.19.y
kernel config: https://syzkaller.appspot.com/x/.config?x=d162ec57805c4e4d
dashboard link: https://syzkaller.appspot.com/bug?extid=c584305f4382b089f77d
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10069695900000
If the result looks correct, please mark the issue as fixed by replying with:
#syz fix: fix regression in "epoll: Keep a reference on files added to the check list"
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
commit 37d933e8b41b83bb8278815e366aec5a542b7e31
Author: Al Viro <vi...@zeniv.linux.org.uk>
Date: Wed Sep 2 15:30:48 2020 +0000
fix regression in "epoll: Keep a reference on files added to the check list"
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1149777b900000
start commit: c37da90e Linux 4.19.143
git tree: linux-4.19.y
kernel config: https://syzkaller.appspot.com/x/.config?x=d162ec57805c4e4d
dashboard link: https://syzkaller.appspot.com/bug?extid=c584305f4382b089f77d
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10069695900000
If the result looks correct, please mark the issue as fixed by replying with:
#syz fix: fix regression in "epoll: Keep a reference on files added to the check list"
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
Reply all
Reply to author
Forward
0 new messages