KASAN: use-after-free Read in __lock_acquire (2)

[syzbot]

Hello,

syzkaller hit the following crash on
d9e0e63d9a6f88440eb201e1491fcf730272c706
git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.

Unfortunately, I don't have any reproducer for this bug yet.


==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x41a5/0x4770
kernel/locking/lockdep.c:3378
Read of size 8 at addr ffff8800277eba78 by task syz-executor5/4581

CPU: 1 PID: 4581 Comm: syz-executor5 Not tainted 4.14.0-rc8-next-20171110+
#12
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
print_address_description+0x73/0x250 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report+0x25b/0x340 mm/kasan/report.c:409
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430
__lock_acquire+0x41a5/0x4770 kernel/locking/lockdep.c:3378
lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4004
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x96/0xc0 kernel/locking/spinlock.c:159
destroy_async_on_interface+0x136/0x530 drivers/usb/core/devio.c:656
driver_disconnect+0xdd/0x140 drivers/usb/core/devio.c:702
usb_unbind_interface+0x229/0xb00 drivers/usb/core/driver.c:423
__device_release_driver drivers/base/dd.c:870 [inline]
device_release_driver_internal+0x52a/0x600 drivers/base/dd.c:903
device_release_driver+0x19/0x20 drivers/base/dd.c:928
usb_driver_release_interface+0x138/0x160 drivers/usb/core/driver.c:604
proc_disconnect_claim+0x221/0x380 drivers/usb/core/devio.c:2283
usbdev_do_ioctl+0x16a5/0x3670 drivers/usb/core/devio.c:2525
usbdev_ioctl+0x25/0x30 drivers/usb/core/devio.c:2553
vfs_ioctl fs/ioctl.c:46 [inline]
do_vfs_ioctl+0x1b1/0x1530 fs/ioctl.c:686
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
entry_SYSCALL_64_fastpath+0x1f/0x96
RIP: 0033:0x447c99
RSP: 002b:00007f79b3b23bd8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f79b3b246cc RCX: 0000000000447c99
RDX: 000000002021c000 RSI: 000000008108551b RDI: 0000000000000013
RBP: 0000000000000086 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 0000000000008670 R14: 00000000006ec710 R15: 00007f79b3b24700

Allocated by task 4505:
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
kmem_cache_alloc_trace+0x136/0x750 mm/slab.c:3614
kmalloc include/linux/slab.h:514 [inline]
kzalloc include/linux/slab.h:703 [inline]
alloc_perf_context+0x4c/0xe0 kernel/events/core.c:3726
find_get_context.isra.83+0x16f/0x670 kernel/events/core.c:3815
SYSC_perf_event_open+0xd38/0x2f10 kernel/events/core.c:9991
SyS_perf_event_open+0x39/0x50 kernel/events/core.c:9822
entry_SYSCALL_64_fastpath+0x1f/0x96

Freed by task 0:
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3492 [inline]
kfree+0xca/0x250 mm/slab.c:3807
free_ctx+0x47/0x60 kernel/events/core.c:1160
__rcu_reclaim kernel/rcu/rcu.h:172 [inline]
rcu_do_batch kernel/rcu/tree.c:2676 [inline]
invoke_rcu_callbacks kernel/rcu/tree.c:2935 [inline]
__rcu_process_callbacks kernel/rcu/tree.c:2902 [inline]
rcu_process_callbacks+0xd74/0x17d0 kernel/rcu/tree.c:2919
__do_softirq+0x29d/0xbb2 kernel/softirq.c:285

The buggy address belongs to the object at ffff8800277eba40
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 56 bytes inside of
512-byte region [ffff8800277eba40, ffff8800277ebc40)
The buggy address belongs to the page:
page:ffffea00009dfac0 count:1 mapcount:0 mapping:ffff8800277eb040
index:0xffff8800277ebcc0
flags: 0x100000000000100(slab)
raw: 0100000000000100 ffff8800277eb040 ffff8800277ebcc0 0000000100000004
raw: ffffea0000b59c60 ffffea0000b488e0 ffff88002dc00940 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8800277eb900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8800277eb980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
> ffff8800277eba00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
^
ffff8800277eba80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8800277ebb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.
Please credit me with: Reported-by: syzbot <syzk...@googlegroups.com>

syzbot will keep track of this bug report.
Once a fix for this bug is committed, please reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line in the email body.

[syzbot]

syzkaller has found reproducer for the following crash on
2db767d9889cef087149a5eaa35c1497671fa40f
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master

compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.

C reproducer is attached
syzkaller reproducer is attached. See https://goo.gl/kgGztJ
for information about syzkaller reproducers


==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x465e/0x47f0
kernel/locking/lockdep.c:3378
Read of size 8 at addr ffff8801cd8e13f0 by task syzkaller236979/3086

CPU: 1 PID: 3086 Comm: syzkaller236979 Not tainted 4.15.0-rc1+ #115
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011

Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
print_address_description+0x73/0x250 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report+0x25b/0x340 mm/kasan/report.c:409
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430

__lock_acquire+0x465e/0x47f0 kernel/locking/lockdep.c:3378

lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4004
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x96/0xc0 kernel/locking/spinlock.c:159

remove_wait_queue+0x81/0x350 kernel/sched/wait.c:50
ep_remove_wait_queue fs/eventpoll.c:595 [inline]
ep_unregister_pollwait.isra.7+0x18c/0x590 fs/eventpoll.c:613
ep_free+0x13f/0x320 fs/eventpoll.c:830
ep_eventpoll_release+0x44/0x60 fs/eventpoll.c:862
__fput+0x333/0x7f0 fs/file_table.c:210
____fput+0x15/0x20 fs/file_table.c:244
task_work_run+0x199/0x270 kernel/task_work.c:113
exit_task_work include/linux/task_work.h:22 [inline]
do_exit+0x9bb/0x1ae0 kernel/exit.c:865
do_group_exit+0x149/0x400 kernel/exit.c:968
SYSC_exit_group kernel/exit.c:979 [inline]
SyS_exit_group+0x1d/0x20 kernel/exit.c:977
do_syscall_32_irqs_on arch/x86/entry/common.c:327 [inline]
do_fast_syscall_32+0x3ee/0xf9d arch/x86/entry/common.c:389
entry_SYSENTER_compat+0x51/0x60 arch/x86/entry/entry_64_compat.S:125
RIP: 0023:0xf7f97c79
RSP: 002b:00000000ffcb51bc EFLAGS: 00000296 ORIG_RAX: 00000000000000fc
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000080f0298
RDX: 0000000000000000 RSI: 00000000080d9b18 RDI: 00000000080f02a0
RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 3086:

save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551

kmem_cache_alloc_trace+0x136/0x750 mm/slab.c:3613
kmalloc include/linux/slab.h:499 [inline]
kzalloc include/linux/slab.h:688 [inline]
binder_get_thread+0x1cf/0x870 drivers/android/binder.c:4184
binder_poll+0x8c/0x390 drivers/android/binder.c:4286
ep_item_poll.isra.10+0xec/0x320 fs/eventpoll.c:884
ep_insert+0x6a3/0x1b10 fs/eventpoll.c:1455
SYSC_epoll_ctl fs/eventpoll.c:2106 [inline]
SyS_epoll_ctl+0x12e4/0x1ab0 fs/eventpoll.c:1992
do_syscall_32_irqs_on arch/x86/entry/common.c:327 [inline]
do_fast_syscall_32+0x3ee/0xf9d arch/x86/entry/common.c:389
entry_SYSENTER_compat+0x51/0x60 arch/x86/entry/entry_64_compat.S:125

Freed by task 3086:

save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524

__cache_free mm/slab.c:3491 [inline]
kfree+0xca/0x250 mm/slab.c:3806
binder_free_thread drivers/android/binder.c:4211 [inline]
binder_thread_dec_tmpref+0x27f/0x310 drivers/android/binder.c:1808
binder_thread_release+0x27d/0x540 drivers/android/binder.c:4275
binder_ioctl+0xc05/0x141a drivers/android/binder.c:4492
C_SYSC_ioctl fs/compat_ioctl.c:1473 [inline]
compat_SyS_ioctl+0x151/0x2a30 fs/compat_ioctl.c:1419
do_syscall_32_irqs_on arch/x86/entry/common.c:327 [inline]
do_fast_syscall_32+0x3ee/0xf9d arch/x86/entry/common.c:389
entry_SYSENTER_compat+0x51/0x60 arch/x86/entry/entry_64_compat.S:125

The buggy address belongs to the object at ffff8801cd8e1340

which belongs to the cache kmalloc-512 of size 512

The buggy address is located 176 bytes inside of
512-byte region [ffff8801cd8e1340, ffff8801cd8e1540)

The buggy address belongs to the page:

page:000000005245354e count:1 mapcount:0 mapping:000000001b93048b
index:0xffff8801cd8e1840
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffff8801cd8e10c0 ffff8801cd8e1840 0000000100000005
raw: ffffea00073404e0 ffffea0007340920 ffff8801db000940 0000000000000000

page dumped because: kasan: bad access detected

Memory state around the buggy address:

ffff8801cd8e1280: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8801cd8e1300: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
> ffff8801cd8e1380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8801cd8e1400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8801cd8e1480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

[Eric Biggers]

This is a bug in the "binder" driver: binder_poll() tells the poll system to use
a waitqueue which can be freed before the file is closed. I'll send this to the
binder maintainers and take lockdep maintainers, USB maintainers, etc. off Cc.

Eric

[Eric Biggers]

[+Cc binder maintainers and list]
[-Cc lockdep maintainers, USB maintainers, and other random people]

On Sat, Dec 02, 2017 at 08:08:01AM -0800, syzbot wrote:

This is a bug in the binder driver. binder_poll() tells the poll system to use
the wait queue embedded in the 'struct binder_thread', but then the
BINDER_THREAD_EXIT ioctl will free the 'struct binder_thread' out from under it.

Perhaps either the waitqueue should be associated with the 'struct binder_proc'
rather than the 'struct binder_thread', or binder_poll() should take a reference
to the 'struct binder_thread'. But I'm not too familiar with binder or epoll,
so I don't know which solution is best.

Here is a program which reproduces the bug, assuming /dev/binder0 exists:

#include <fcntl.h>
#include <sys/epoll.h>
#include <sys/ioctl.h>
#include <unistd.h>

#define BINDER_THREAD_EXIT 0x40046208ul

int main()
{
int fd, epfd;
struct epoll_event event = { .events = EPOLLIN };

fd = open("/dev/binder0", O_RDONLY);
epfd = epoll_create(1000);
epoll_ctl(epfd, EPOLL_CTL_ADD, fd, &event);
ioctl(fd, BINDER_THREAD_EXIT, NULL);
}

[Eric Biggers]

No longer occurring on linux-next, probably fixed by the following commit:

#syz fix: ANDROID: binder: remove waitqueue when thread exits.