MIME-Version: 1.0
References: <089e0825d42484310b055c75c3f6@google.com> <20171026175847.GH59538@devbig577.frc2.facebook.com>
From: Dmitry Vyukov
Date: Wed, 14 Feb 2018 14:45:05 +0100
Subject: Re: KASAN: use-after-free Read in get_work_pool
To: Cong Wang
Cc: Tejun Heo, syzbot, Lai Jiangshan, LKML, syzkaller-bugs@googlegroups.com, David Miller, Tom Herbert, Eric Dumazet, Eric Biggers, netdev
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Dec 6, 2017 at 1:50 PM, Dmitry Vyukov wrote:
> On Fri, Oct 27, 2017 at 11:18 PM, Cong Wang wrote:
>> On Thu, Oct 26, 2017 at 11:00 PM, Dmitry Vyukov wrote:
>>> On Thu, Oct 26, 2017 at 7:58 PM, Tejun Heo wrote:
>>>> Hello,
>>>>
>>>> On Thu, Oct 26, 2017 at 09:35:44AM -0700, syzbot wrote:
>>>>> BUG: KASAN: use-after-free in __read_once_size
>>>>> include/linux/compiler.h:276 [inline]
>>>>> BUG: KASAN: use-after-free in atomic64_read
>>>>> arch/x86/include/asm/atomic64_64.h:21 [inline]
>>>>> BUG: KASAN: use-after-free in atomic_long_read
>>>>> include/asm-generic/atomic-long.h:44 [inline]
>>>>> BUG: KASAN: use-after-free in get_work_pool+0x1c2/0x1e0
>>>>> kernel/workqueue.c:709
>>>>> Read of size 8 at addr ffff8801cc58c378 by task syz-executor5/21326
>>>>>
>>>>> CPU: 1 PID: 21326 Comm: syz-executor5 Not tainted 4.13.0+ #43
>>>>> Hardware name: Google Google Compute Engine/Google Compute Engine,
>>>>> BIOS Google 01/01/2011
>>>>> Call Trace:
>>>>> __dump_stack lib/dump_stack.c:16 [inline]
>>>>> dump_stack+0x194/0x257 lib/dump_stack.c:52
>>>>> print_address_description+0x73/0x250 mm/kasan/report.c:252
>>>>> kasan_report_error mm/kasan/report.c:351 [inline]
>>>>> kasan_report+0x24e/0x340 mm/kasan/report.c:409
>>>>> __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430
>>>>> __read_once_size include/linux/compiler.h:276 [inline]
>>>>> atomic64_read arch/x86/include/asm/atomic64_64.h:21 [inline]
>>>>> atomic_long_read include/asm-generic/atomic-long.h:44 [inline]
>>>>> get_work_pool+0x1c2/0x1e0 kernel/workqueue.c:709
>>>>>
__queue_work+0x235/0x1150 kernel/workqueue.c:1401 >>>>> queue_work_on+0x16a/0x1c0 kernel/workqueue.c:1486 >>>>> queue_work include/linux/workqueue.h:489 [inline] >>>>> strp_check_rcv+0x25/0x30 net/strparser/strparser.c:553 >>>>> kcm_attach net/kcm/kcmsock.c:1439 [inline] >>>>> kcm_attach_ioctl net/kcm/kcmsock.c:1460 [inline] >>>>> kcm_ioctl+0x826/0x1610 net/kcm/kcmsock.c:1695 >>>>> sock_do_ioctl+0x65/0xb0 net/socket.c:961 >>>>> sock_ioctl+0x2c2/0x440 net/socket.c:1058 >>>>> vfs_ioctl fs/ioctl.c:45 [inline] >>>>> do_vfs_ioctl+0x1b1/0x1530 fs/ioctl.c:685 >>>>> SYSC_ioctl fs/ioctl.c:700 [inline] >>>>> SyS_ioctl+0x8f/0xc0 fs/ioctl.c:691 >>>>> entry_SYSCALL_64_fastpath+0x1f/0xbe >>>> >>>> Looks like kcm is trying to reuse a work item whose last workqueue has >>>> been destroyed without re-initing it. A work item needs to be >>>> reinit'd. >>> >>> +kcm maintainers >> >> Can you try the fix below? There is no C reproducer so I can't verify it. > > > Hi Cong, > > syzbot can now test proposed patches, see > https://github.com/google/syzkaller/blob/master/docs/syzbot.md#communication-with-syzbot > for details. Please give it a try. > >> diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c >> index af4e76ac88ff..7816f44c576a 100644 >> --- a/net/kcm/kcmsock.c >> +++ b/net/kcm/kcmsock.c >> @@ -1433,11 +1433,12 @@ static int kcm_attach(struct socket *sock, >> struct socket *csock, >> KCM_STATS_INCR(mux->stats.psock_attach); >> mux->psocks_cnt++; >> psock_now_avail(psock); >> - spin_unlock_bh(&mux->lock); >> >> /* Schedule RX work in case there are already bytes queued */ >> strp_check_rcv(&psock->strp); >> >> + spin_unlock_bh(&mux->lock); >> + >> return 0; >> } Hi Cong, Was this ever merged? Is it still necessary?
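Review bot: the hunk in kcm_attach moves `spin_unlock_bh(&mux->lock);` from before `strp_check_rcv(&psock->strp);` to after it, but gives no description of which concurrent path the widened critical section is meant to exclude. Tejun's diagnosis in the quoted thread is that the work item queued from strp_check_rcv (queue_work -> __queue_work -> get_work_pool in the KASAN trace) belongs to a strparser whose workqueue has already been destroyed, so holding mux->lock across the queue_work only closes the window if the detach/teardown path also takes mux->lock before it tears down the strparser; the change should state that invariant in a commit message and in a short comment above the moved unlock, and confirm that nothing strp_check_rcv calls may sleep now that it runs with bottom halves disabled under the spinlock. Since there is no C reproducer, the syzbot test-patch mechanism Dmitry links to is the way to check that the report stops firing before the patch is merged.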