Hello,
syzbot found the following issue on:
HEAD commit: 3dbdb38e2869 Merge branch 'for-5.14' of git://git.kernel.o..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11f4b9d8300000
kernel config: https://syzkaller.appspot.com/x/.config?x=1700b0b2b41cd52c
dashboard link: https://syzkaller.appspot.com/bug?extid=01985d7909f9468f013c
compiler: Debian clang version 11.0.1-2
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]
==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
BUG: KASAN: use-after-free in atomic64_add_return include/asm-generic/atomic-instrumented.h:640 [inline]
BUG: KASAN: use-after-free in atomic_long_add_return include/asm-generic/atomic-long.h:59 [inline]
BUG: KASAN: use-after-free in dec_rlimit_ucounts+0x88/0x170 kernel/ucount.c:272
Write of size 8 at addr ffff888021498d80 by task syz-executor.1/32612
CPU: 0 PID: 32612 Comm: syz-executor.1 Not tainted 5.13.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:79 [inline]
dump_stack_lvl+0x1ae/0x29f lib/dump_stack.c:96
print_address_description+0x66/0x3b0 mm/kasan/report.c:233
__kasan_report mm/kasan/report.c:419 [inline]
kasan_report+0x163/0x210 mm/kasan/report.c:436
check_region_inline mm/kasan/generic.c:135 [inline]
kasan_check_range+0x2b5/0x2f0 mm/kasan/generic.c:189
instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
atomic64_add_return include/asm-generic/atomic-instrumented.h:640 [inline]
atomic_long_add_return include/asm-generic/atomic-long.h:59 [inline]
dec_rlimit_ucounts+0x88/0x170 kernel/ucount.c:272
release_task+0x323/0x15a0 kernel/exit.c:191
exit_notify kernel/exit.c:699 [inline]
do_exit+0x1aa2/0x2510 kernel/exit.c:845
do_group_exit+0x168/0x2d0 kernel/exit.c:922
get_signal+0x16c0/0x20d0 kernel/signal.c:2796
arch_do_signal_or_restart+0x8e/0x6d0 arch/x86/kernel/signal.c:789
handle_signal_work kernel/entry/common.c:148 [inline]
exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
exit_to_user_mode_prepare+0x191/0x220 kernel/entry/common.c:209
__syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline]
syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:302
do_syscall_64+0x4c/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4665d9
Code: Unable to access opcode bytes at RIP 0x4665af.
RSP: 002b:00007fa6e68ec218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: 0000000000000001 RBX: 000000000056bf88 RCX: 00000000004665d9
RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 000000000056bf8c
RBP: 000000000056bf80 R08: 000000000000000d R09: 0000000000000000
R10: ffffffffffffffff R11: 0000000000000246 R12: 000000000056bf8c
R13: 00007fff105041ff R14: 00007fa6e68ec300 R15: 0000000000022000
Allocated by task 32600:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:434 [inline]
____kasan_kmalloc+0xc4/0xf0 mm/kasan/common.c:513
kasan_kmalloc include/linux/kasan.h:263 [inline]
kmem_cache_alloc_trace+0x96/0x340 mm/slub.c:2997
kmalloc include/linux/slab.h:591 [inline]
kzalloc include/linux/slab.h:721 [inline]
alloc_ucounts+0x176/0x420 kernel/ucount.c:169
set_cred_ucounts+0x220/0x2d0 kernel/cred.c:684
__sys_setuid+0x355/0x4a0 kernel/sys.c:623
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
Freed by task 32580:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track+0x3d/0x70 mm/kasan/common.c:46
kasan_set_free_info+0x1f/0x40 mm/kasan/generic.c:360
____kasan_slab_free+0x109/0x150 mm/kasan/common.c:366
kasan_slab_free include/linux/kasan.h:229 [inline]
slab_free_hook mm/slub.c:1639 [inline]
slab_free_freelist_hook+0x1d8/0x290 mm/slub.c:1664
slab_free mm/slub.c:3224 [inline]
kfree+0xcf/0x2d0 mm/slub.c:4268
put_cred_rcu+0x221/0x400 kernel/cred.c:124
rcu_do_batch kernel/rcu/tree.c:2558 [inline]
rcu_core+0x906/0x14b0 kernel/rcu/tree.c:2793
__do_softirq+0x372/0x783 kernel/softirq.c:558
The buggy address belongs to the object at ffff888021498d00
which belongs to the cache kmalloc-192 of size 192
The buggy address is located 128 bytes inside of
192-byte region [ffff888021498d00, ffff888021498dc0)
The buggy address belongs to the page:
page:ffffea0000852600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x21498
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffffea0001c8ac80 0000000400000004 ffff888011841a00
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 32273, ts 862400369934, free_ts 857108006622
prep_new_page mm/page_alloc.c:2445 [inline]
get_page_from_freelist+0x779/0xa30 mm/page_alloc.c:4178
__alloc_pages+0x26c/0x5f0 mm/page_alloc.c:5386
alloc_slab_page mm/slub.c:1702 [inline]
allocate_slab+0xf1/0x540 mm/slub.c:1842
new_slab mm/slub.c:1905 [inline]
new_slab_objects mm/slub.c:2651 [inline]
___slab_alloc+0x1cf/0x350 mm/slub.c:2814
__slab_alloc mm/slub.c:2854 [inline]
slab_alloc_node mm/slub.c:2936 [inline]
slab_alloc mm/slub.c:2978 [inline]
kmem_cache_alloc_trace+0x29d/0x340 mm/slub.c:2995
kmalloc include/linux/slab.h:591 [inline]
kzalloc include/linux/slab.h:721 [inline]
push_stack+0x86/0x710 kernel/bpf/verifier.c:1019
check_cond_jmp_op kernel/bpf/verifier.c:8815 [inline]
do_check+0x18d54/0x218b0 kernel/bpf/verifier.c:10882
do_check_common+0xc01/0x21a0 kernel/bpf/verifier.c:12865
do_check_main kernel/bpf/verifier.c:12931 [inline]
bpf_check+0x112e2/0x14720 kernel/bpf/verifier.c:13498
bpf_prog_load kernel/bpf/syscall.c:2274 [inline]
__sys_bpf+0x10923/0x11d80 kernel/bpf/syscall.c:4469
__do_sys_bpf kernel/bpf/syscall.c:4573 [inline]
__se_sys_bpf kernel/bpf/syscall.c:4571 [inline]
__x64_sys_bpf+0x78/0x90 kernel/bpf/syscall.c:4571
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1355 [inline]
free_pcp_prepare+0xc29/0xd20 mm/page_alloc.c:1406
free_unref_page_prepare mm/page_alloc.c:3341 [inline]
free_unref_page_list+0x118/0xad0 mm/page_alloc.c:3457
release_pages+0x18bb/0x1af0 mm/swap.c:972
tlb_batch_pages_flush mm/mmu_gather.c:49 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:242 [inline]
tlb_flush_mmu+0x780/0x910 mm/mmu_gather.c:249
tlb_finish_mmu+0xcb/0x200 mm/mmu_gather.c:340
exit_mmap+0x404/0x7a0 mm/mmap.c:3204
__mmput+0x111/0x370 kernel/fork.c:1101
exit_mm+0x60a/0x770 kernel/exit.c:501
do_exit+0x6ae/0x2510 kernel/exit.c:812
do_group_exit+0x168/0x2d0 kernel/exit.c:922
__do_sys_exit_group+0x13/0x20 kernel/exit.c:933
__ia32_sys_exit_group+0x0/0x40 kernel/exit.c:931
__x64_sys_exit_group+0x37/0x40 kernel/exit.c:931
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
Memory state around the buggy address:
ffff888021498c80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff888021498d00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888021498d80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
^
ffff888021498e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888021498e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot has found a reproducer for the following issue on:
HEAD commit: d6d09a694205 Merge tag 'for-5.14-rc6-tag' of git://git.ker..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16c8081e300000
kernel config: https://syzkaller.appspot.com/x/.config?x=f61012d0b1cd846f
dashboard link: https://syzkaller.appspot.com/bug?extid=01985d7909f9468f013c
compiler: Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.1
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15d0ec1e300000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1516c341300000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]
RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00000000004ca4cc
RBP: 00000000004ca4c0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000246 R12: 00000000004ca4cc
R13: 00007fffffe0b62f R14: 00007f1054173400 R15: 0000000000022000
==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
BUG: KASAN: use-after-free in atomic64_add_return include/asm-generic/atomic-instrumented.h:640 [inline]
BUG: KASAN: use-after-free in atomic_long_add_return include/asm-generic/atomic-long.h:59 [inline]
BUG: KASAN: use-after-free in dec_rlimit_ucounts+0x88/0x170 kernel/ucount.c:279
Write of size 8 at addr ffff888025b8ef80 by task syz-executor668/8707
CPU: 1 PID: 8707 Comm: syz-executor668 Not tainted 5.14.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1ae/0x29f lib/dump_stack.c:105
print_address_description+0x66/0x3b0 mm/kasan/report.c:233
__kasan_report mm/kasan/report.c:419 [inline]
kasan_report+0x163/0x210 mm/kasan/report.c:436
check_region_inline mm/kasan/generic.c:135 [inline]
kasan_check_range+0x2b5/0x2f0 mm/kasan/generic.c:189
instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
atomic64_add_return include/asm-generic/atomic-instrumented.h:640 [inline]
atomic_long_add_return include/asm-generic/atomic-long.h:59 [inline]
dec_rlimit_ucounts+0x88/0x170 kernel/ucount.c:279
release_task+0x2d3/0x1590 kernel/exit.c:191
exit_notify kernel/exit.c:699 [inline]
do_exit+0x1aa2/0x2510 kernel/exit.c:845
do_group_exit+0x168/0x2d0 kernel/exit.c:922
get_signal+0x16b0/0x2080 kernel/signal.c:2808
arch_do_signal_or_restart+0x8e/0x6d0 arch/x86/kernel/signal.c:865
handle_signal_work kernel/entry/common.c:148 [inline]
exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
exit_to_user_mode_prepare+0x191/0x220 kernel/entry/common.c:209
__syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline]
syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:302
do_syscall_64+0x4c/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x445a69
Code: Unable to access opcode bytes at RIP 0x445a3f.
RSP: 002b:00007f1054173318 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffff2 RBX: 00000000004ca4c8 RCX: 0000000000445a69
RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00000000004ca4cc
RBP: 00000000004ca4c0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000246 R12: 00000000004ca4cc
R13: 00007fffffe0b62f R14: 00007f1054173400 R15: 0000000000022000
Allocated by task 8441:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:434 [inline]
____kasan_kmalloc+0xc4/0xf0 mm/kasan/common.c:513
kasan_kmalloc include/linux/kasan.h:264 [inline]
kmem_cache_alloc_trace+0x96/0x340 mm/slub.c:2986
kmalloc include/linux/slab.h:591 [inline]
kzalloc include/linux/slab.h:721 [inline]
alloc_ucounts+0x1b1/0x5d0 kernel/ucount.c:173
set_cred_ucounts+0x220/0x2d0 kernel/cred.c:684
__sys_setresuid+0x6d5/0x920 kernel/sys.c:702
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
Freed by task 13:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track+0x3d/0x70 mm/kasan/common.c:46
kasan_set_free_info+0x1f/0x40 mm/kasan/generic.c:360
____kasan_slab_free+0x109/0x150 mm/kasan/common.c:366
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:1628 [inline]
slab_free_freelist_hook+0x1d8/0x290 mm/slub.c:1653
slab_free mm/slub.c:3213 [inline]
kfree+0xcf/0x2e0 mm/slub.c:4267
put_ucounts+0x15c/0x1a0 kernel/ucount.c:207
put_cred_rcu+0x221/0x400 kernel/cred.c:124
rcu_do_batch kernel/rcu/tree.c:2550 [inline]
rcu_core+0x906/0x14b0 kernel/rcu/tree.c:2785
__do_softirq+0x372/0x783 kernel/softirq.c:558
Last potentially related work creation:
kasan_save_stack+0x27/0x50 mm/kasan/common.c:38
kasan_record_aux_stack+0xee/0x120 mm/kasan/generic.c:348
insert_work+0x54/0x400 kernel/workqueue.c:1332
__queue_work+0x928/0xc60 kernel/workqueue.c:1498
queue_work_on+0x111/0x200 kernel/workqueue.c:1525
queue_work include/linux/workqueue.h:507 [inline]
call_usermodehelper_exec+0x283/0x470 kernel/umh.c:435
kobject_uevent_env+0x1337/0x1700 lib/kobject_uevent.c:618
device_add+0x1073/0x1790 drivers/base/core.c:3336
device_create_groups_vargs drivers/base/core.c:4014 [inline]
device_create+0x241/0x2d0 drivers/base/core.c:4056
vc_allocate+0x66a/0x780 drivers/tty/vt/vt.c:1157
con_install+0x9f/0x880 drivers/tty/vt/vt.c:3342
tty_driver_install_tty drivers/tty/tty_io.c:1315 [inline]
tty_init_dev+0xc6/0x4c0 drivers/tty/tty_io.c:1429
tty_open_by_driver drivers/tty/tty_io.c:2098 [inline]
tty_open+0x89a/0xdd0 drivers/tty/tty_io.c:2146
chrdev_open+0x53b/0x5f0 fs/char_dev.c:414
do_dentry_open+0x7cb/0x1020 fs/open.c:826
do_open fs/namei.c:3374 [inline]
path_openat+0x27e7/0x36b0 fs/namei.c:3507
do_filp_open+0x253/0x4d0 fs/namei.c:3534
do_sys_openat2+0x124/0x460 fs/open.c:1204
do_sys_open fs/open.c:1220 [inline]
__do_sys_open fs/open.c:1228 [inline]
__se_sys_open fs/open.c:1224 [inline]
__x64_sys_open+0x221/0x270 fs/open.c:1224
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
Second to last potentially related work creation:
kasan_save_stack+0x27/0x50 mm/kasan/common.c:38
kasan_record_aux_stack+0xee/0x120 mm/kasan/generic.c:348
insert_work+0x54/0x400 kernel/workqueue.c:1332
__queue_work+0x928/0xc60 kernel/workqueue.c:1498
queue_work_on+0x111/0x200 kernel/workqueue.c:1525
queue_work include/linux/workqueue.h:507 [inline]
call_usermodehelper_exec+0x283/0x470 kernel/umh.c:435
kobject_uevent_env+0x1337/0x1700 lib/kobject_uevent.c:618
kobject_synth_uevent+0x3bf/0x900 lib/kobject_uevent.c:208
uevent_store+0x20/0x60 drivers/base/core.c:2372
kernfs_fop_write_iter+0x3b6/0x510 fs/kernfs/file.c:296
call_write_iter include/linux/fs.h:2114 [inline]
new_sync_write fs/read_write.c:518 [inline]
vfs_write+0xa39/0xc90 fs/read_write.c:605
ksys_write+0x171/0x2a0 fs/read_write.c:658
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
The buggy address belongs to the object at ffff888025b8ef00
which belongs to the cache kmalloc-192 of size 192
The buggy address is located 128 bytes inside of
192-byte region [ffff888025b8ef00, ffff888025b8efc0)
The buggy address belongs to the page:
page:ffffea000096e380 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x25b8e
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffffea00005dac80 0000000c0000000c ffff888011041a00
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1, ts 9979944008, free_ts 0
prep_new_page mm/page_alloc.c:2436 [inline]
get_page_from_freelist+0x779/0xa30 mm/page_alloc.c:4169
__alloc_pages+0x26c/0x5f0 mm/page_alloc.c:5391
alloc_page_interleave+0x22/0x1c0 mm/mempolicy.c:2119
alloc_slab_page mm/slub.c:1691 [inline]
allocate_slab+0xf1/0x540 mm/slub.c:1831
new_slab mm/slub.c:1894 [inline]
new_slab_objects mm/slub.c:2640 [inline]
___slab_alloc+0x1cf/0x350 mm/slub.c:2803
__slab_alloc mm/slub.c:2843 [inline]
slab_alloc_node mm/slub.c:2925 [inline]
slab_alloc mm/slub.c:2967 [inline]
kmem_cache_alloc_trace+0x29d/0x340 mm/slub.c:2984
kmalloc include/linux/slab.h:591 [inline]
kzalloc include/linux/slab.h:721 [inline]
call_usermodehelper_setup+0x8a/0x260 kernel/umh.c:365
kobject_uevent_env+0x1311/0x1700 lib/kobject_uevent.c:614
device_add+0x1073/0x1790 drivers/base/core.c:3336
__video_register_device+0x37fc/0x4580 drivers/media/v4l2-core/v4l2-dev.c:1036
video_register_device include/media/v4l2-dev.h:384 [inline]
vivid_create_devnodes drivers/media/test-drivers/vivid/vivid-core.c:1585 [inline]
vivid_create_instance+0x85df/0xac90 drivers/media/test-drivers/vivid/vivid-core.c:1946
vivid_probe+0x9a/0x140 drivers/media/test-drivers/vivid/vivid-core.c:2001
platform_probe+0x130/0x1b0 drivers/base/platform.c:1427
call_driver_probe+0x96/0x250 drivers/base/dd.c:517
really_probe+0x223/0x9b0 drivers/base/dd.c:595
__driver_probe_device+0x1f8/0x3e0 drivers/base/dd.c:747
page_owner free stack trace missing
Memory state around the buggy address:
ffff888025b8ee80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff888025b8ef00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888025b8ef80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
^
ffff888025b8f000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888025b8f080: 00 00 00 00 00 fc fc fc fc fc fc fc fc 00 00 00
==================================================================
On Thu, Aug 19, 2021 at 01:32:22PM -0700, syzbot wrote:
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: d6d09a694205 Merge tag 'for-5.14-rc6-tag' of git://git.ker..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=16c8081e300000
> kernel config: https://syzkaller.appspot.com/x/.config?x=f61012d0b1cd846f
> dashboard link: https://syzkaller.appspot.com/bug?extid=01985d7909f9468f013c
> compiler: Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.1
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15d0ec1e300000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1516c341300000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: [email protected]
>
> RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00000000004ca4cc
> RBP: 00000000004ca4c0 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000001 R11: 0000000000000246 R12: 00000000004ca4cc
> R13: 00007fffffe0b62f R14: 00007f1054173400 R15: 0000000000022000
> ==================================================================
> BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
> BUG: KASAN: use-after-free in atomic64_add_return include/asm-generic/atomic-instrumented.h:640 [inline]
> BUG: KASAN: use-after-free in atomic_long_add_return include/asm-generic/atomic-long.h:59 [inline]
> BUG: KASAN: use-after-free in dec_rlimit_ucounts+0x88/0x170 kernel/ucount.c:279
> Write of size 8 at addr ffff888025b8ef80 by task syz-executor668/8707
>
> CPU: 1 PID: 8707 Comm: syz-executor668 Not tainted 5.14.0-rc6-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
> __dump_stack lib/dump_stack.c:88 [inline]
> dump_stack_lvl+0x1ae/0x29f lib/dump_stack.c:105
> print_address_description+0x66/0x3b0 mm/kasan/report.c:233
> __kasan_report mm/kasan/report.c:419 [inline]
> kasan_report+0x163/0x210 mm/kasan/report.c:436
> check_region_inline mm/kasan/generic.c:135 [inline]
> kasan_check_range+0x2b5/0x2f0 mm/kasan/generic.c:189
> instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
> atomic64_add_return include/asm-generic/atomic-instrumented.h:640 [inline]
> atomic_long_add_return include/asm-generic/atomic-long.h:59 [inline]
> dec_rlimit_ucounts+0x88/0x170 kernel/ucount.c:279
> release_task+0x2d3/0x1590 kernel/exit.c:191
void release_task(struct task_struct *p)
{
...
/* don't need to get the RCU readlock here - the process is dead and
* can't be modifying its own credentials. But shut RCU-lockdep up */
rcu_read_lock();
dec_rlimit_ucounts(task_ucounts(p), UCOUNT_RLIMIT_NPROC, 1);
rcu_read_unlock();
...
}
It looks like the ucounts have been released before this in the put_cred_rcu().
> exit_notify kernel/exit.c:699 [inline]
> do_exit+0x1aa2/0x2510 kernel/exit.c:845
> do_group_exit+0x168/0x2d0 kernel/exit.c:922
> get_signal+0x16b0/0x2080 kernel/signal.c:2808
> arch_do_signal_or_restart+0x8e/0x6d0 arch/x86/kernel/signal.c:865
> handle_signal_work kernel/entry/common.c:148 [inline]
> exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
> exit_to_user_mode_prepare+0x191/0x220 kernel/entry/common.c:209
> __syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline]
> syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:302
> do_syscall_64+0x4c/0xb0 arch/x86/entry/common.c:86
> entry_SYSCALL_64_after_hwframe+0x44/0xae
> RIP: 0033:0x445a69
> Code: Unable to access opcode bytes at RIP 0x445a3f.
> RSP: 002b:00007f1054173318 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
> RAX: fffffffffffffff2 RBX: 00000000004ca4c8 RCX: 0000000000445a69
> RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00000000004ca4cc
> RBP: 00000000004ca4c0 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000001 R11: 0000000000000246 R12: 00000000004ca4cc
> R13: 00007fffffe0b62f R14: 00007f1054173400 R15: 0000000000022000
>
> Allocated by task 8441:
> kasan_save_stack mm/kasan/common.c:38 [inline]
> kasan_set_track mm/kasan/common.c:46 [inline]
> set_alloc_info mm/kasan/common.c:434 [inline]
> ____kasan_kmalloc+0xc4/0xf0 mm/kasan/common.c:513
> kasan_kmalloc include/linux/kasan.h:264 [inline]
> kmem_cache_alloc_trace+0x96/0x340 mm/slub.c:2986
> kmalloc include/linux/slab.h:591 [inline]
> kzalloc include/linux/slab.h:721 [inline]
> alloc_ucounts+0x1b1/0x5d0 kernel/ucount.c:173
> set_cred_ucounts+0x220/0x2d0 kernel/cred.c:684
> __sys_setresuid+0x6d5/0x920 kernel/sys.c:702
> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
> entry_SYSCALL_64_after_hwframe+0x44/0xae
>
> Freed by task 13:
> kasan_save_stack mm/kasan/common.c:38 [inline]
> kasan_set_track+0x3d/0x70 mm/kasan/common.c:46
> kasan_set_free_info+0x1f/0x40 mm/kasan/generic.c:360
> ____kasan_slab_free+0x109/0x150 mm/kasan/common.c:366
> kasan_slab_free include/linux/kasan.h:230 [inline]
> slab_free_hook mm/slub.c:1628 [inline]
> slab_free_freelist_hook+0x1d8/0x290 mm/slub.c:1653
> slab_free mm/slub.c:3213 [inline]
> kfree+0xcf/0x2e0 mm/slub.c:4267
> put_ucounts+0x15c/0x1a0 kernel/ucount.c:207
> put_cred_rcu+0x221/0x400 kernel/cred.c:124
> rcu_do_batch kernel/rcu/tree.c:2550 [inline]
> rcu_core+0x906/0x14b0 kernel/rcu/tree.c:2785
> __do_softirq+0x372/0x783 kernel/softirq.c:558
>
> Last potentially related work creation:
> kasan_save_stack+0x27/0x50 mm/kasan/common.c:38
> kasan_record_aux_stack+0xee/0x120 mm/kasan/generic.c:348
> insert_work+0x54/0x400 kernel/workqueue.c:1332
> __queue_work+0x928/0xc60 kernel/workqueue.c:1498
> queue_work_on+0x111/0x200 kernel/workqueue.c:1525
> queue_work include/linux/workqueue.h:507 [inline]
> call_usermodehelper_exec+0x283/0x470 kernel/umh.c:435
> kobject_uevent_env+0x1337/0x1700 lib/kobject_uevent.c:618
> device_add+0x1073/0x1790 drivers/base/core.c:3336
> device_create_groups_vargs drivers/base/core.c:4014 [inline]
> device_create+0x241/0x2d0 drivers/base/core.c:4056
> vc_allocate+0x66a/0x780 drivers/tty/vt/vt.c:1157
> con_install+0x9f/0x880 drivers/tty/vt/vt.c:3342
> tty_driver_install_tty drivers/tty/tty_io.c:1315 [inline]
> tty_init_dev+0xc6/0x4c0 drivers/tty/tty_io.c:1429
> tty_open_by_driver drivers/tty/tty_io.c:2098 [inline]
> tty_open+0x89a/0xdd0 drivers/tty/tty_io.c:2146
> chrdev_open+0x53b/0x5f0 fs/char_dev.c:414
> do_dentry_open+0x7cb/0x1020 fs/open.c:826
> do_open fs/namei.c:3374 [inline]
> path_openat+0x27e7/0x36b0 fs/namei.c:3507
> do_filp_open+0x253/0x4d0 fs/namei.c:3534
> do_sys_openat2+0x124/0x460 fs/open.c:1204
> do_sys_open fs/open.c:1220 [inline]
> __do_sys_open fs/open.c:1228 [inline]
> __se_sys_open fs/open.c:1224 [inline]
> __x64_sys_open+0x221/0x270 fs/open.c:1224
> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
> entry_SYSCALL_64_after_hwframe+0x44/0xae
>
> Second to last potentially related work creation:
> kasan_save_stack+0x27/0x50 mm/kasan/common.c:38
> kasan_record_aux_stack+0xee/0x120 mm/kasan/generic.c:348
> insert_work+0x54/0x400 kernel/workqueue.c:1332
> __queue_work+0x928/0xc60 kernel/workqueue.c:1498
> queue_work_on+0x111/0x200 kernel/workqueue.c:1525
> queue_work include/linux/workqueue.h:507 [inline]
> call_usermodehelper_exec+0x283/0x470 kernel/umh.c:435
> kobject_uevent_env+0x1337/0x1700 lib/kobject_uevent.c:618
> kobject_synth_uevent+0x3bf/0x900 lib/kobject_uevent.c:208
> uevent_store+0x20/0x60 drivers/base/core.c:2372
> kernfs_fop_write_iter+0x3b6/0x510 fs/kernfs/file.c:296
> call_write_iter include/linux/fs.h:2114 [inline]
> new_sync_write fs/read_write.c:518 [inline]
> vfs_write+0xa39/0xc90 fs/read_write.c:605
> ksys_write+0x171/0x2a0 fs/read_write.c:658
> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
> entry_SYSCALL_64_after_hwframe+0x44/0xae
>
> The buggy address belongs to the object at ffff888025b8ef00
> which belongs to the cache kmalloc-192 of size 192
> The buggy address is located 128 bytes inside of
> 192-byte region [ffff888025b8ef00, ffff888025b8efc0)
> The buggy address belongs to the page:
> page:ffffea000096e380 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x25b8e
> flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
> raw: 00fff00000000200 ffffea00005dac80 0000000c0000000c ffff888011041a00
> raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
> page dumped because: kasan: bad access detected
> page_owner tracks the page as allocated
> page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1, ts 9979944008, free_ts 0
> prep_new_page mm/page_alloc.c:2436 [inline]
> get_page_from_freelist+0x779/0xa30 mm/page_alloc.c:4169
> __alloc_pages+0x26c/0x5f0 mm/page_alloc.c:5391
> alloc_page_interleave+0x22/0x1c0 mm/mempolicy.c:2119
> alloc_slab_page mm/slub.c:1691 [inline]
> allocate_slab+0xf1/0x540 mm/slub.c:1831
> new_slab mm/slub.c:1894 [inline]
> new_slab_objects mm/slub.c:2640 [inline]
> ___slab_alloc+0x1cf/0x350 mm/slub.c:2803
> __slab_alloc mm/slub.c:2843 [inline]
> slab_alloc_node mm/slub.c:2925 [inline]
> slab_alloc mm/slub.c:2967 [inline]
> kmem_cache_alloc_trace+0x29d/0x340 mm/slub.c:2984
> kmalloc include/linux/slab.h:591 [inline]
> kzalloc include/linux/slab.h:721 [inline]
> call_usermodehelper_setup+0x8a/0x260 kernel/umh.c:365
> kobject_uevent_env+0x1311/0x1700 lib/kobject_uevent.c:614
> device_add+0x1073/0x1790 drivers/base/core.c:3336
> __video_register_device+0x37fc/0x4580 drivers/media/v4l2-core/v4l2-dev.c:1036
> video_register_device include/media/v4l2-dev.h:384 [inline]
> vivid_create_devnodes drivers/media/test-drivers/vivid/vivid-core.c:1585 [inline]
> vivid_create_instance+0x85df/0xac90 drivers/media/test-drivers/vivid/vivid-core.c:1946
> vivid_probe+0x9a/0x140 drivers/media/test-drivers/vivid/vivid-core.c:2001
> platform_probe+0x130/0x1b0 drivers/base/platform.c:1427
> call_driver_probe+0x96/0x250 drivers/base/dd.c:517
> really_probe+0x223/0x9b0 drivers/base/dd.c:595
> __driver_probe_device+0x1f8/0x3e0 drivers/base/dd.c:747
> page_owner free stack trace missing
>
> Memory state around the buggy address:
> ffff888025b8ee80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
> ffff888025b8ef00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> >ffff888025b8ef80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
> ^
> ffff888025b8f000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffff888025b8f080: 00 00 00 00 00 fc fc fc fc fc fc fc fc 00 00 00
> ==================================================================
>
--
Rgrds, legion
Alexey Gladkov <[email protected]> writes:
> On Thu, Aug 19, 2021 at 01:32:22PM -0700, syzbot wrote:
>> syzbot has found a reproducer for the following issue on:
>>
>> HEAD commit: d6d09a694205 Merge tag 'for-5.14-rc6-tag' of git://git.ker..
>> git tree: upstream
>> console output: https://syzkaller.appspot.com/x/log.txt?x=16c8081e300000
>> kernel config: https://syzkaller.appspot.com/x/.config?x=f61012d0b1cd846f
>> dashboard link: https://syzkaller.appspot.com/bug?extid=01985d7909f9468f013c
>> compiler: Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.1
>> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15d0ec1e300000
>> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1516c341300000
>>
>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>> Reported-by: [email protected]
>>
>> RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00000000004ca4cc
>> RBP: 00000000004ca4c0 R08: 0000000000000000 R09: 0000000000000000
>> R10: 0000000000000001 R11: 0000000000000246 R12: 00000000004ca4cc
>> R13: 00007fffffe0b62f R14: 00007f1054173400 R15: 0000000000022000
>> ==================================================================
>> BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
>> BUG: KASAN: use-after-free in atomic64_add_return include/asm-generic/atomic-instrumented.h:640 [inline]
>> BUG: KASAN: use-after-free in atomic_long_add_return include/asm-generic/atomic-long.h:59 [inline]
>> BUG: KASAN: use-after-free in dec_rlimit_ucounts+0x88/0x170 kernel/ucount.c:279
>> Write of size 8 at addr ffff888025b8ef80 by task syz-executor668/8707
>>
>> CPU: 1 PID: 8707 Comm: syz-executor668 Not tainted 5.14.0-rc6-syzkaller #0
>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
>> Call Trace:
>> __dump_stack lib/dump_stack.c:88 [inline]
>> dump_stack_lvl+0x1ae/0x29f lib/dump_stack.c:105
>> print_address_description+0x66/0x3b0 mm/kasan/report.c:233
>> __kasan_report mm/kasan/report.c:419 [inline]
>> kasan_report+0x163/0x210 mm/kasan/report.c:436
>> check_region_inline mm/kasan/generic.c:135 [inline]
>> kasan_check_range+0x2b5/0x2f0 mm/kasan/generic.c:189
>> instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
>> atomic64_add_return include/asm-generic/atomic-instrumented.h:640 [inline]
>> atomic_long_add_return include/asm-generic/atomic-long.h:59 [inline]
>> dec_rlimit_ucounts+0x88/0x170 kernel/ucount.c:279
>> release_task+0x2d3/0x1590 kernel/exit.c:191
>
> void release_task(struct task_struct *p)
> {
> ...
> /* don't need to get the RCU readlock here - the process is dead and
> * can't be modifying its own credentials. But shut RCU-lockdep up */
> rcu_read_lock();
> dec_rlimit_ucounts(task_ucounts(p), UCOUNT_RLIMIT_NPROC, 1);
> rcu_read_unlock();
> ...
> }
>
> It looks like the ucounts have been released before this in the put_cred_rcu().
That should not be.
After that in release_task there is:
put_task_struct_rcu_user
delayed_put_task_struct
put_task_struct
__put_task_struct
exit_creds
put_cred
__put_cred
put_cred_rcu
put_ucounts
So there very much should be a valid cred reference at that point.
>> exit_notify kernel/exit.c:699 [inline]
>> do_exit+0x1aa2/0x2510 kernel/exit.c:845
>> do_group_exit+0x168/0x2d0 kernel/exit.c:922
>> get_signal+0x16b0/0x2080 kernel/signal.c:2808
>> arch_do_signal_or_restart+0x8e/0x6d0 arch/x86/kernel/signal.c:865
>> handle_signal_work kernel/entry/common.c:148 [inline]
>> exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
>> exit_to_user_mode_prepare+0x191/0x220 kernel/entry/common.c:209
>> __syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline]
>> syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:302
>> do_syscall_64+0x4c/0xb0 arch/x86/entry/common.c:86
>> entry_SYSCALL_64_after_hwframe+0x44/0xae
>> RIP: 0033:0x445a69
>> Code: Unable to access opcode bytes at RIP 0x445a3f.
>> RSP: 002b:00007f1054173318 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
>> RAX: fffffffffffffff2 RBX: 00000000004ca4c8 RCX: 0000000000445a69
>> RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00000000004ca4cc
>> RBP: 00000000004ca4c0 R08: 0000000000000000 R09: 0000000000000000
>> R10: 0000000000000001 R11: 0000000000000246 R12: 00000000004ca4cc
>> R13: 00007fffffe0b62f R14: 00007f1054173400 R15: 0000000000022000
>>
>> Allocated by task 8441:
>> kasan_save_stack mm/kasan/common.c:38 [inline]
>> kasan_set_track mm/kasan/common.c:46 [inline]
>> set_alloc_info mm/kasan/common.c:434 [inline]
>> ____kasan_kmalloc+0xc4/0xf0 mm/kasan/common.c:513
>> kasan_kmalloc include/linux/kasan.h:264 [inline]
>> kmem_cache_alloc_trace+0x96/0x340 mm/slub.c:2986
>> kmalloc include/linux/slab.h:591 [inline]
>> kzalloc include/linux/slab.h:721 [inline]
>> alloc_ucounts+0x1b1/0x5d0 kernel/ucount.c:173
>> set_cred_ucounts+0x220/0x2d0 kernel/cred.c:684
>> __sys_setresuid+0x6d5/0x920 kernel/sys.c:702
>> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>> do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
>> entry_SYSCALL_64_after_hwframe+0x44/0xae
>>
>> Freed by task 13:
>> kasan_save_stack mm/kasan/common.c:38 [inline]
>> kasan_set_track+0x3d/0x70 mm/kasan/common.c:46
>> kasan_set_free_info+0x1f/0x40 mm/kasan/generic.c:360
>> ____kasan_slab_free+0x109/0x150 mm/kasan/common.c:366
>> kasan_slab_free include/linux/kasan.h:230 [inline]
>> slab_free_hook mm/slub.c:1628 [inline]
>> slab_free_freelist_hook+0x1d8/0x290 mm/slub.c:1653
>> slab_free mm/slub.c:3213 [inline]
>> kfree+0xcf/0x2e0 mm/slub.c:4267
>> put_ucounts+0x15c/0x1a0 kernel/ucount.c:207
>> put_cred_rcu+0x221/0x400 kernel/cred.c:124
>> rcu_do_batch kernel/rcu/tree.c:2550 [inline]
>> rcu_core+0x906/0x14b0 kernel/rcu/tree.c:2785
>> __do_softirq+0x372/0x783 kernel/softirq.c:558
>>
>> Last potentially related work creation:
>> kasan_save_stack+0x27/0x50 mm/kasan/common.c:38
>> kasan_record_aux_stack+0xee/0x120 mm/kasan/generic.c:348
>> insert_work+0x54/0x400 kernel/workqueue.c:1332
>> __queue_work+0x928/0xc60 kernel/workqueue.c:1498
>> queue_work_on+0x111/0x200 kernel/workqueue.c:1525
>> queue_work include/linux/workqueue.h:507 [inline]
>> call_usermodehelper_exec+0x283/0x470 kernel/umh.c:435
>> kobject_uevent_env+0x1337/0x1700 lib/kobject_uevent.c:618
>> device_add+0x1073/0x1790 drivers/base/core.c:3336
>> device_create_groups_vargs drivers/base/core.c:4014 [inline]
>> device_create+0x241/0x2d0 drivers/base/core.c:4056
>> vc_allocate+0x66a/0x780 drivers/tty/vt/vt.c:1157
>> con_install+0x9f/0x880 drivers/tty/vt/vt.c:3342
>> tty_driver_install_tty drivers/tty/tty_io.c:1315 [inline]
>> tty_init_dev+0xc6/0x4c0 drivers/tty/tty_io.c:1429
>> tty_open_by_driver drivers/tty/tty_io.c:2098 [inline]
>> tty_open+0x89a/0xdd0 drivers/tty/tty_io.c:2146
>> chrdev_open+0x53b/0x5f0 fs/char_dev.c:414
>> do_dentry_open+0x7cb/0x1020 fs/open.c:826
>> do_open fs/namei.c:3374 [inline]
>> path_openat+0x27e7/0x36b0 fs/namei.c:3507
>> do_filp_open+0x253/0x4d0 fs/namei.c:3534
>> do_sys_openat2+0x124/0x460 fs/open.c:1204
>> do_sys_open fs/open.c:1220 [inline]
>> __do_sys_open fs/open.c:1228 [inline]
>> __se_sys_open fs/open.c:1224 [inline]
>> __x64_sys_open+0x221/0x270 fs/open.c:1224
>> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>> do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
>> entry_SYSCALL_64_after_hwframe+0x44/0xae
>>
>> Second to last potentially related work creation:
>> kasan_save_stack+0x27/0x50 mm/kasan/common.c:38
>> kasan_record_aux_stack+0xee/0x120 mm/kasan/generic.c:348
>> insert_work+0x54/0x400 kernel/workqueue.c:1332
>> __queue_work+0x928/0xc60 kernel/workqueue.c:1498
>> queue_work_on+0x111/0x200 kernel/workqueue.c:1525
>> queue_work include/linux/workqueue.h:507 [inline]
>> call_usermodehelper_exec+0x283/0x470 kernel/umh.c:435
>> kobject_uevent_env+0x1337/0x1700 lib/kobject_uevent.c:618
>> kobject_synth_uevent+0x3bf/0x900 lib/kobject_uevent.c:208
>> uevent_store+0x20/0x60 drivers/base/core.c:2372
>> kernfs_fop_write_iter+0x3b6/0x510 fs/kernfs/file.c:296
>> call_write_iter include/linux/fs.h:2114 [inline]
>> new_sync_write fs/read_write.c:518 [inline]
>> vfs_write+0xa39/0xc90 fs/read_write.c:605
>> ksys_write+0x171/0x2a0 fs/read_write.c:658
>> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>> do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
>> entry_SYSCALL_64_after_hwframe+0x44/0xae
>>
>> The buggy address belongs to the object at ffff888025b8ef00
>> which belongs to the cache kmalloc-192 of size 192
>> The buggy address is located 128 bytes inside of
>> 192-byte region [ffff888025b8ef00, ffff888025b8efc0)
>> The buggy address belongs to the page:
>> page:ffffea000096e380 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x25b8e
>> flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
>> raw: 00fff00000000200 ffffea00005dac80 0000000c0000000c ffff888011041a00
>> raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
>> page dumped because: kasan: bad access detected
>> page_owner tracks the page as allocated
>> page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1, ts 9979944008, free_ts 0
>> prep_new_page mm/page_alloc.c:2436 [inline]
>> get_page_from_freelist+0x779/0xa30 mm/page_alloc.c:4169
>> __alloc_pages+0x26c/0x5f0 mm/page_alloc.c:5391
>> alloc_page_interleave+0x22/0x1c0 mm/mempolicy.c:2119
>> alloc_slab_page mm/slub.c:1691 [inline]
>> allocate_slab+0xf1/0x540 mm/slub.c:1831
>> new_slab mm/slub.c:1894 [inline]
>> new_slab_objects mm/slub.c:2640 [inline]
>> ___slab_alloc+0x1cf/0x350 mm/slub.c:2803
>> __slab_alloc mm/slub.c:2843 [inline]
>> slab_alloc_node mm/slub.c:2925 [inline]
>> slab_alloc mm/slub.c:2967 [inline]
>> kmem_cache_alloc_trace+0x29d/0x340 mm/slub.c:2984
>> kmalloc include/linux/slab.h:591 [inline]
>> kzalloc include/linux/slab.h:721 [inline]
>> call_usermodehelper_setup+0x8a/0x260 kernel/umh.c:365
>> kobject_uevent_env+0x1311/0x1700 lib/kobject_uevent.c:614
>> device_add+0x1073/0x1790 drivers/base/core.c:3336
>> __video_register_device+0x37fc/0x4580 drivers/media/v4l2-core/v4l2-dev.c:1036
>> video_register_device include/media/v4l2-dev.h:384 [inline]
>> vivid_create_devnodes drivers/media/test-drivers/vivid/vivid-core.c:1585 [inline]
>> vivid_create_instance+0x85df/0xac90 drivers/media/test-drivers/vivid/vivid-core.c:1946
>> vivid_probe+0x9a/0x140 drivers/media/test-drivers/vivid/vivid-core.c:2001
>> platform_probe+0x130/0x1b0 drivers/base/platform.c:1427
>> call_driver_probe+0x96/0x250 drivers/base/dd.c:517
>> really_probe+0x223/0x9b0 drivers/base/dd.c:595
>> __driver_probe_device+0x1f8/0x3e0 drivers/base/dd.c:747
>> page_owner free stack trace missing
>>
>> Memory state around the buggy address:
>> ffff888025b8ee80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>> ffff888025b8ef00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> >ffff888025b8ef80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>> ^
>> ffff888025b8f000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> ffff888025b8f080: 00 00 00 00 00 fc fc fc fc fc fc fc fc 00 00 00
>> ==================================================================
>>
We need to increment the ucounts reference counter befor security_prepare_creds()
because this function may fail and abort_creds() will try to decrement
this reference.
[ 96.465056][ T8641] FAULT_INJECTION: forcing a failure.
[ 96.465056][ T8641] name fail_page_alloc, interval 1, probability 0, space 0, times 0
[ 96.478453][ T8641] CPU: 1 PID: 8641 Comm: syz-executor668 Not tainted 5.14.0-rc6-syzkaller #0
[ 96.487215][ T8641] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 96.497254][ T8641] Call Trace:
[ 96.500517][ T8641] dump_stack_lvl+0x1d3/0x29f
[ 96.505758][ T8641] ? show_regs_print_info+0x12/0x12
[ 96.510944][ T8641] ? log_buf_vmcoreinfo_setup+0x498/0x498
[ 96.516652][ T8641] should_fail+0x384/0x4b0
[ 96.521141][ T8641] prepare_alloc_pages+0x1d1/0x5a0
[ 96.526236][ T8641] __alloc_pages+0x14d/0x5f0
[ 96.530808][ T8641] ? __rmqueue_pcplist+0x2030/0x2030
[ 96.536073][ T8641] ? lockdep_hardirqs_on_prepare+0x3e2/0x750
[ 96.542056][ T8641] ? alloc_pages+0x3f3/0x500
[ 96.546635][ T8641] allocate_slab+0xf1/0x540
[ 96.551120][ T8641] ___slab_alloc+0x1cf/0x350
[ 96.555689][ T8641] ? kzalloc+0x1d/0x30
[ 96.559740][ T8641] __kmalloc+0x2e7/0x390
[ 96.563980][ T8641] ? kzalloc+0x1d/0x30
[ 96.568029][ T8641] kzalloc+0x1d/0x30
[ 96.571903][ T8641] security_prepare_creds+0x46/0x220
[ 96.577174][ T8641] prepare_creds+0x411/0x640
[ 96.581747][ T8641] __sys_setfsuid+0xe2/0x3a0
[ 96.586333][ T8641] do_syscall_64+0x3d/0xb0
[ 96.590739][ T8641] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 96.596611][ T8641] RIP: 0033:0x445a69
[ 96.600483][ T8641] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 96.620152][ T8641] RSP: 002b:00007f1054173318 EFLAGS: 00000246 ORIG_RAX: 000000000000007a
[ 96.628543][ T8641] RAX: ffffffffffffffda RBX: 00000000004ca4c8 RCX: 0000000000445a69
[ 96.636600][ T8641] RDX: 0000000000000010 RSI: 00007f10541732f0 RDI: 0000000000000000
[ 96.644550][ T8641] RBP: 00000000004ca4c0 R08: 0000000000000001 R09: 0000000000000000
[ 96.652500][ T8641] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004ca4cc
[ 96.660631][ T8641] R13: 00007fffffe0b62f R14: 00007f1054173400 R15: 0000000000022000
Fixes: 905ae01c4ae2 ("Add a reference to ucounts for each cred")
Reported-by: [email protected]
Signed-off-by: Alexey Gladkov <[email protected]>
---
kernel/cred.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/kernel/cred.c b/kernel/cred.c
index e6fd2b3fc31f..f784e08c2fbd 100644
--- a/kernel/cred.c
+++ b/kernel/cred.c
@@ -286,13 +286,13 @@ struct cred *prepare_creds(void)
new->security = NULL;
#endif
- if (security_prepare_creds(new, old, GFP_KERNEL_ACCOUNT) < 0)
- goto error;
-
new->ucounts = get_ucounts(new->ucounts);
if (!new->ucounts)
goto error;
+ if (security_prepare_creds(new, old, GFP_KERNEL_ACCOUNT) < 0)
+ goto error;
+
validate_creds(new);
return new;
@@ -753,13 +753,13 @@ struct cred *prepare_kernel_cred(struct task_struct *daemon)
#ifdef CONFIG_SECURITY
new->security = NULL;
#endif
- if (security_prepare_creds(new, old, GFP_KERNEL_ACCOUNT) < 0)
- goto error;
-
new->ucounts = get_ucounts(new->ucounts);
if (!new->ucounts)
goto error;
+ if (security_prepare_creds(new, old, GFP_KERNEL_ACCOUNT) < 0)
+ goto error;
+
put_cred(old);
validate_creds(new);
return new;
--
2.32.0
On Fri, Aug 20, 2021 at 08:44:32AM -0500, Eric W. Biederman wrote:
> Alexey Gladkov <[email protected]> writes:
>
> > On Thu, Aug 19, 2021 at 01:32:22PM -0700, syzbot wrote:
> >> syzbot has found a reproducer for the following issue on:
> >>
> >> HEAD commit: d6d09a694205 Merge tag 'for-5.14-rc6-tag' of git://git.ker..
> >> git tree: upstream
> >> console output: https://syzkaller.appspot.com/x/log.txt?x=16c8081e300000
> >> kernel config: https://syzkaller.appspot.com/x/.config?x=f61012d0b1cd846f
> >> dashboard link: https://syzkaller.appspot.com/bug?extid=01985d7909f9468f013c
> >> compiler: Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.1
> >> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15d0ec1e300000
> >> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1516c341300000
> >>
> >> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> >> Reported-by: [email protected]
> >>
> >> RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00000000004ca4cc
> >> RBP: 00000000004ca4c0 R08: 0000000000000000 R09: 0000000000000000
> >> R10: 0000000000000001 R11: 0000000000000246 R12: 00000000004ca4cc
> >> R13: 00007fffffe0b62f R14: 00007f1054173400 R15: 0000000000022000
> >> ==================================================================
> >> BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
> >> BUG: KASAN: use-after-free in atomic64_add_return include/asm-generic/atomic-instrumented.h:640 [inline]
> >> BUG: KASAN: use-after-free in atomic_long_add_return include/asm-generic/atomic-long.h:59 [inline]
> >> BUG: KASAN: use-after-free in dec_rlimit_ucounts+0x88/0x170 kernel/ucount.c:279
> >> Write of size 8 at addr ffff888025b8ef80 by task syz-executor668/8707
> >>
> >> CPU: 1 PID: 8707 Comm: syz-executor668 Not tainted 5.14.0-rc6-syzkaller #0
> >> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> >> Call Trace:
> >> __dump_stack lib/dump_stack.c:88 [inline]
> >> dump_stack_lvl+0x1ae/0x29f lib/dump_stack.c:105
> >> print_address_description+0x66/0x3b0 mm/kasan/report.c:233
> >> __kasan_report mm/kasan/report.c:419 [inline]
> >> kasan_report+0x163/0x210 mm/kasan/report.c:436
> >> check_region_inline mm/kasan/generic.c:135 [inline]
> >> kasan_check_range+0x2b5/0x2f0 mm/kasan/generic.c:189
> >> instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
> >> atomic64_add_return include/asm-generic/atomic-instrumented.h:640 [inline]
> >> atomic_long_add_return include/asm-generic/atomic-long.h:59 [inline]
> >> dec_rlimit_ucounts+0x88/0x170 kernel/ucount.c:279
> >> release_task+0x2d3/0x1590 kernel/exit.c:191
> >
> > void release_task(struct task_struct *p)
> > {
> > ...
> > /* don't need to get the RCU readlock here - the process is dead and
> > * can't be modifying its own credentials. But shut RCU-lockdep up */
> > rcu_read_lock();
> > dec_rlimit_ucounts(task_ucounts(p), UCOUNT_RLIMIT_NPROC, 1);
> > rcu_read_unlock();
> > ...
> > }
> >
> > It looks like the ucounts have been released before this in the put_cred_rcu().
>
> That should not be.
>
> After that in release_task there is:
>
> put_task_struct_rcu_user
> delayed_put_task_struct
> put_task_struct
> __put_task_struct
> exit_creds
> put_cred
> __put_cred
> put_cred_rcu
> put_ucounts
>
> So there very much should be a valid cred reference at that point.
I found the problem. This is a different problem and the fact that
syzkaller combined them in one thread misled me.
--
Rgrds, legion
Alexey Gladkov <[email protected]> writes:
> We need to increment the ucounts reference counter befor security_prepare_creds()
> because this function may fail and abort_creds() will try to decrement
> this reference.
>
> [ 96.465056][ T8641] FAULT_INJECTION: forcing a failure.
> [ 96.465056][ T8641] name fail_page_alloc, interval 1, probability 0, space 0, times 0
> [ 96.478453][ T8641] CPU: 1 PID: 8641 Comm: syz-executor668 Not tainted 5.14.0-rc6-syzkaller #0
> [ 96.487215][ T8641] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> [ 96.497254][ T8641] Call Trace:
> [ 96.500517][ T8641] dump_stack_lvl+0x1d3/0x29f
> [ 96.505758][ T8641] ? show_regs_print_info+0x12/0x12
> [ 96.510944][ T8641] ? log_buf_vmcoreinfo_setup+0x498/0x498
> [ 96.516652][ T8641] should_fail+0x384/0x4b0
> [ 96.521141][ T8641] prepare_alloc_pages+0x1d1/0x5a0
> [ 96.526236][ T8641] __alloc_pages+0x14d/0x5f0
> [ 96.530808][ T8641] ? __rmqueue_pcplist+0x2030/0x2030
> [ 96.536073][ T8641] ? lockdep_hardirqs_on_prepare+0x3e2/0x750
> [ 96.542056][ T8641] ? alloc_pages+0x3f3/0x500
> [ 96.546635][ T8641] allocate_slab+0xf1/0x540
> [ 96.551120][ T8641] ___slab_alloc+0x1cf/0x350
> [ 96.555689][ T8641] ? kzalloc+0x1d/0x30
> [ 96.559740][ T8641] __kmalloc+0x2e7/0x390
> [ 96.563980][ T8641] ? kzalloc+0x1d/0x30
> [ 96.568029][ T8641] kzalloc+0x1d/0x30
> [ 96.571903][ T8641] security_prepare_creds+0x46/0x220
> [ 96.577174][ T8641] prepare_creds+0x411/0x640
> [ 96.581747][ T8641] __sys_setfsuid+0xe2/0x3a0
> [ 96.586333][ T8641] do_syscall_64+0x3d/0xb0
> [ 96.590739][ T8641] entry_SYSCALL_64_after_hwframe+0x44/0xae
> [ 96.596611][ T8641] RIP: 0033:0x445a69
> [ 96.600483][ T8641] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
> [ 96.620152][ T8641] RSP: 002b:00007f1054173318 EFLAGS: 00000246 ORIG_RAX: 000000000000007a
> [ 96.628543][ T8641] RAX: ffffffffffffffda RBX: 00000000004ca4c8 RCX: 0000000000445a69
> [ 96.636600][ T8641] RDX: 0000000000000010 RSI: 00007f10541732f0 RDI: 0000000000000000
> [ 96.644550][ T8641] RBP: 00000000004ca4c0 R08: 0000000000000001 R09: 0000000000000000
> [ 96.652500][ T8641] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004ca4cc
> [ 96.660631][ T8641] R13: 00007fffffe0b62f R14: 00007f1054173400 R15: 0000000000022000
>
> Fixes: 905ae01c4ae2 ("Add a reference to ucounts for each cred")
> Reported-by: [email protected]
> Signed-off-by: Alexey Gladkov <[email protected]>
Applied.
It is obvious how a failure of security_prepare_creds calling
abort_creds could result a decrement without an increment.
So it looks like the fault injection did it's job.
Eric
> ---
> kernel/cred.c | 12 ++++++------
> 1 file changed, 6 insertions(+), 6 deletions(-)
>
> diff --git a/kernel/cred.c b/kernel/cred.c
> index e6fd2b3fc31f..f784e08c2fbd 100644
> --- a/kernel/cred.c
> +++ b/kernel/cred.c
> @@ -286,13 +286,13 @@ struct cred *prepare_creds(void)
> new->security = NULL;
> #endif
>
> - if (security_prepare_creds(new, old, GFP_KERNEL_ACCOUNT) < 0)
> - goto error;
> -
> new->ucounts = get_ucounts(new->ucounts);
> if (!new->ucounts)
> goto error;
>
> + if (security_prepare_creds(new, old, GFP_KERNEL_ACCOUNT) < 0)
> + goto error;
> +
> validate_creds(new);
> return new;
>
> @@ -753,13 +753,13 @@ struct cred *prepare_kernel_cred(struct task_struct *daemon)
> #ifdef CONFIG_SECURITY
> new->security = NULL;
> #endif
> - if (security_prepare_creds(new, old, GFP_KERNEL_ACCOUNT) < 0)
> - goto error;
> -
> new->ucounts = get_ucounts(new->ucounts);
> if (!new->ucounts)
> goto error;
>
> + if (security_prepare_creds(new, old, GFP_KERNEL_ACCOUNT) < 0)
> + goto error;
> +
> put_cred(old);
> validate_creds(new);
> return new;