Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp257788imm; Tue, 5 Jun 2018 19:19:50 -0700 (PDT) X-Google-Smtp-Source: ADUXVKIsK0eSCclt/iWm5plvhPlunkPqHdaky1FohUhEcfnTmqpz+xczgPCnP7ejeaTgzgTs5rtx X-Received: by 2002:a17:902:7048:: with SMTP id h8-v6mr1169425plt.269.1528251590710; Tue, 05 Jun 2018 19:19:50 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1528251590; cv=none; d=google.com; s=arc-20160816; b=sc/Uw64x01uEXT38zj3cXTgDiiaa8ps/S914PKmIb7CEee4RTNht/niAjOGM6x5ftm IB0Q3/WBDAlhEME/+eIEFpXxNLfpIfNHY0dbNmxjjNtP/fCAroDS1jvZG4UGi2mOT+HW Pgf0f1OYNkQboODSkppvJb6H2l9oeqJG0b8gDpQb5SVp6UfVWfjajW0T+iA+qmQUfZSr D6PDYMFpOndPzIn62bDqaKv9ZeKQBAVGiB08UKWJuW9118JjfwIwmqW0LwpbEfmiXlAw LsQE9y00mJrEFw5m3S2Uhp4qvUTPw1zwppfbFk7sL6Kq+SxOdGocJ6Rz3cq9/8t7NhGf +iDQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature :arc-authentication-results; bh=zlxyNrpX0vBC/2NI8RGXbC/TjhEIUaWzhFuksjOkCcg=; b=wxzwWhlfWQwnkN2fOZasL+3dNOGnrRaW6YzAiBEuyHSw7SaIhmDTF2ETdOAa/3meLh D4auBr6/sFz88b6gBZVHv3G5cTo26GkvqnKP1ubr8EuRKGCbS+h84zfRErLC4xckyLMm LZk9dFJaof/emIHOEgozZ7xISetlMOCM3l9TIoe/LLnpnPdG9bbdNpmB9aWAI/KcMtoU ASH9cQe/iTLjjqojfv0Vxnt7bewkxTQUFXxzROcPFQcoCENCygH5++O3uDJRGWuDOlYk yHmmsJgTAvxCAS7j+HzGO375cpms7Z606c87r7fkjc9pmVvODUt8N9mXcTR2ViH5LYOj UaSg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=HtPvDQf0; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 31-v6si12991641pli.45.2018.06.05.19.19.35; Tue, 05 Jun 2018 19:19:50 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=HtPvDQf0; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752735AbeFFCTL (ORCPT + 99 others); Tue, 5 Jun 2018 22:19:11 -0400 Received: from mail-lf0-f65.google.com ([209.85.215.65]:40378 "EHLO mail-lf0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752424AbeFFCTK (ORCPT ); Tue, 5 Jun 2018 22:19:10 -0400 Received: by mail-lf0-f65.google.com with SMTP id q11-v6so6616079lfc.7; Tue, 05 Jun 2018 19:19:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=zlxyNrpX0vBC/2NI8RGXbC/TjhEIUaWzhFuksjOkCcg=; b=HtPvDQf0oArFAY553LBSkFerEi+gZIr/mZsLl30Hcr7jE6tEi7nX/R/bJJZaoDFoBU WRfqJYNpHYLF/jSFKKBEgCNVnYKr3xr5MnbK4zYx9FInTYgwS9SoFuBRdd3SKbhgaTph VwCdmRqKVNNKm0uwISmq9ydMh1WH5e0mUuaxYTDhLuuUiybiPr8BaTBd4aM9zpTF7Phu flhjS32wV14+grO4MigwRhE8Wb7gUR3uk7OE2NX3ZTK2RRsfs7iQgNUR/SMu9Dq+3cWO 94dD1f2b8iau0l7bVBFQFHFUTmVFdlhLZVIuUR9rF/VNXg0j07VhsodWW9BzL3R6S0xS I0cA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=zlxyNrpX0vBC/2NI8RGXbC/TjhEIUaWzhFuksjOkCcg=; b=kH1dy/1SRa9yHUPXxLiGvOZMjn4Cg97zmgYAStSsp8u9QSLqhyaGSTys2u9Y4c5V2a k8tiNnEOAt5lUhAeAp0QyYNivn1R4+CHahwD1VpsUp93Tl92x0cQb21oDouAMULqbvTe QaEjeZNJKZ7vEXgM1LsRDdLwwhgQPRcdjkqXeGyKFiMunRdD715u8esT5CWivJu2pS8d METllJ2pLuPv5QklEyPTrk6S9MT2fBlgHPySp7UrWt5vg6k+2Dsq90Pm9/DfqHZdbAfC n1zssnUicTgWbe5yXTD35eU7wzw05Sroabjc+1pHWH6P8HYiChZ97vvIFJpz91w7Lzbx UjFA== X-Gm-Message-State: APt69E1LbmO7vCy+8VvM+CNfjk1oUVI8TwQO5KaqyDKAHvcDMp3rbCPy mQGKKFNs5lHzltmP/xyr2phrem9Q9udsjiXhGRk= X-Received: by 2002:a19:14ca:: with SMTP id 71-v6mr592990lfu.126.1528251548505; Tue, 05 Jun 2018 19:19:08 -0700 (PDT) MIME-Version: 1.0 Received: by 2002:a2e:5119:0:0:0:0:0 with HTTP; Tue, 5 Jun 2018 19:19:08 -0700 (PDT) In-Reply-To: References: From: shankarapailoor Date: Tue, 5 Jun 2018 19:19:08 -0700 Message-ID: Subject: Re: general protection fault in sockfs_setattr To: Cong Wang Cc: David Miller , LKML , syzkaller , Linux Kernel Network Developers Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Cong, I added that check and it seems to stop the crash. Like you said, I don't see where the reference count for the file is increased. The inode lock also seems to be held during this call. Regards, Shankara On Tue, Jun 5, 2018 at 12:14 PM, Cong Wang wrote: > On Mon, Jun 4, 2018 at 9:53 PM, shankarapailoor > wrote: >> Hi, >> >> I have been fuzzing Linux 4.17-rc7 with Syzkaller and found the >> following crash: https://pastebin.com/ixX3RB9j >> >> Syzkaller isolated the cause of the bug to the following program: >> >> socketpair$unix(0x1, 0x1, 0x0, >> &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) >> getresuid(&(0x7f0000000080)=0x0, &(0x7f00000000c0), >> &(0x7f0000000700))r3 = getegid() >> fchownat(r0, &(0x7f0000000040)='\x00', r2, r3, 0x1000) >> dup3(r1, r0, 0x80000) >> >> >> The problematic area appears to be here: >> >> static int sockfs_setattr(struct dentry *dentry, struct iattr *iattr) >> { >> int err = simple_setattr(dentry, iattr); >> >> if (!err && (iattr->ia_valid & ATTR_UID)) { >> struct socket *sock = SOCKET_I(d_inode(dentry)); >> >> sock->sk->sk_uid = iattr->ia_uid; //KASAN GPF >> } >> return err; >> } >> >> If dup3 is called concurrently with fchownat then can sock->sk be NULL? > > Although dup3() implies a close(), fd is refcnt'ted, if dup3() runs > concurrently with fchownat() it should not be closed until whoever > the last closes it. > > Or maybe fchownat() doesn't even hold refcnt of fd, since it aims > to change the file backed. > > > Not sure if the following is sufficient, inode might need to be protected > with some lock... > > diff --git a/net/socket.c b/net/socket.c > index f10f1d947c78..6294b4b3132e 100644 > --- a/net/socket.c > +++ b/net/socket.c > @@ -537,7 +537,10 @@ static int sockfs_setattr(struct dentry *dentry, > struct iattr *iattr) > if (!err && (iattr->ia_valid & ATTR_UID)) { > struct socket *sock = SOCKET_I(d_inode(dentry)); > > - sock->sk->sk_uid = iattr->ia_uid; > + if (sock->sk) > + sock->sk->sk_uid = iattr->ia_uid; > + else > + err = -ENOENT; > } > > return err; -- Regards, Shankara Pailoor