Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp2523062imm;
        Thu, 7 Jun 2018 12:05:14 -0700 (PDT)
X-Google-Smtp-Source: ADUXVKIr+vjbGyini2xfeS366Bh309gJ84usba7/18RfbTVHXtm9V7Ffsp8rv0nGzdBFHNHLet14
X-Received: by 2002:a17:902:d90f:: with SMTP id c15-v6mr3216565plz.65.1528398314903;
        Thu, 07 Jun 2018 12:05:14 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1528398314; cv=none;
        d=google.com; s=arc-20160816;
        b=L0pT+WgvLJowKk9PFw45tHTqS8/rsvkTkCzZOdVWZ8V/dxzk6RjGyESrtJbRau9nec
         TRTKn7Ow2rW/Nc0Q2hC/YFz7a/7VMqT3SQ301RljkK9XAFJ+W+W5VCvxBbd2eWgRdLT6
         unXt6fhgQjTy8HD2yqc5A0cRDeiT/SzXNRZFkazsYO33ICv5/SJ19W9k+TXZ2QefhscN
         IbjIlNx7/S97VdusTMNhDXSRpwqHf4TLlhCFNRH7hV8VrQ55snZ6iurGHWVkY4rl3cSm
         uJr8lbY0t93DHGFwtTb+ahDA8o6qBeSitYURToKW5wdLIOyZvNPii3kfhD5BFK8bcDCm
         ByYg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:message-id:date:subject
         :smtp-origin-cluster:cc:to:smtp-origin-hostname:from
         :smtp-origin-hostprefix:arc-authentication-results;
        bh=NzsMc5rjBSC+hhiy+upodpJBS94xSPTJ+FIEQUp7Xzg=;
        b=APeDt6dfNwjddenzvBPmctLyA3/x3qqB+XkD2INeDsmuwYMNiv7Ue5lDF/QUWjL+lt
         FmkhzgNUOc9UawEBuED9ZqtZ8rP0XJUat7JnjitrnltQIwjPuo3bvw1hbw5h2r3K0QZx
         A3x0Z2FYvxlvZzxOx74BsMMwAAPrfFiJhM1yFATbj2Fw9PfP0LP9wj4oVquQay6hX+7l
         1NoUEZc2Z6aWSX//sjPzbhpvqo+bNpz6DCc4wgWB7Gx+5K2IgS/xEggjZdeSq2VhnZBv
         Of3OC67I4BzrD1Gm1XhoBcfXMNjOgzPMf3jJo4pvq5ZSk9YQ6g2ujYzMCHPlzuSFB9bC
         w4OA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id z7-v6si30212538pfn.247.2018.06.07.12.05.00;
        Thu, 07 Jun 2018 12:05:14 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S933556AbeFGRXN (ORCPT <rfc822;chenhe.dev@gmail.com> + 99 others);
        Thu, 7 Jun 2018 13:23:13 -0400
Received: from mx0a-00082601.pphosted.com ([67.231.145.42]:42338 "EHLO
        mx0a-00082601.pphosted.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S932591AbeFGRXM (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 7 Jun 2018 13:23:12 -0400
Received: from pps.filterd (m0109333.ppops.net [127.0.0.1])
        by mx0a-00082601.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w57HKlrH018065
        for <linux-kernel@vger.kernel.org>; Thu, 7 Jun 2018 10:23:11 -0700
Received: from mail.thefacebook.com ([199.201.64.23])
        by mx0a-00082601.pphosted.com with ESMTP id 2jf896056m-1
        (version=TLSv1 cipher=ECDHE-RSA-AES256-SHA bits=256 verify=NOT)
        for <linux-kernel@vger.kernel.org>; Thu, 07 Jun 2018 10:23:11 -0700
Received: from mx-out.facebook.com (192.168.52.123) by mail.thefacebook.com
 (192.168.16.20) with Microsoft SMTP Server (TLS) id 14.3.361.1; Thu, 7 Jun
 2018 10:23:10 -0700
Received: by devbig007.ftw2.facebook.com (Postfix, from userid 572438)  id
 51FC07605DB; Thu,  7 Jun 2018 10:23:10 -0700 (PDT)
Smtp-Origin-Hostprefix: devbig
From:   Alexei Starovoitov <ast@kernel.org>
Smtp-Origin-Hostname: devbig007.ftw2.facebook.com
To:     "David S . Miller" <davem@davemloft.net>
CC:     <daniel@iogearbox.net>, <mcgrof@kernel.org>,
        <netdev@vger.kernel.org>, <dvyukov@google.com>,
        <linux-kernel@vger.kernel.org>, <kernel-team@fb.com>
Smtp-Origin-Cluster: ftw2c04
Subject: [PATCH net-next] umh: fix race condition
Date:   Thu, 7 Jun 2018 10:23:10 -0700
Message-ID: <20180607172310.3121039-1-ast@kernel.org>
X-Mailer: git-send-email 2.9.5
X-FB-Internal: Safe
MIME-Version: 1.0
Content-Type: text/plain
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2018-06-07_06:,,
 signatures=0
X-Proofpoint-Spam-Reason: safe
X-FB-Internal: Safe
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

kasan reported use-after-free:
BUG: KASAN: use-after-free in call_usermodehelper_exec_work+0x2d3/0x310 kernel/umh.c:195
Write of size 4 at addr ffff8801d9202370 by task kworker/u4:2/50
Workqueue: events_unbound call_usermodehelper_exec_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 __asan_report_store4_noabort+0x17/0x20 mm/kasan/report.c:437
 call_usermodehelper_exec_work+0x2d3/0x310 kernel/umh.c:195
 process_one_work+0xc1e/0x1b50 kernel/workqueue.c:2145
 worker_thread+0x1cc/0x1440 kernel/workqueue.c:2279
 kthread+0x345/0x410 kernel/kthread.c:240
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412

The reason is that 'sub_info' cannot be accessed out of parent task
context, since it will be freed by the child.
Instead remember the pid in the child task.

Fixes: 449325b52b7a ("umh: introduce fork_usermode_blob() helper")
Reported-by: syzbot+2c73319c406f1987d156@syzkaller.appspotmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
---
 kernel/umh.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/kernel/umh.c b/kernel/umh.c
index 30db93fd7e39..c449858946af 100644
--- a/kernel/umh.c
+++ b/kernel/umh.c
@@ -99,6 +99,7 @@ static int call_usermodehelper_exec_async(void *data)
 
 	commit_creds(new);
 
+	sub_info->pid = task_pid_nr(current);
 	if (sub_info->file)
 		retval = do_execve_file(sub_info->file,
 					sub_info->argv, sub_info->envp);
@@ -191,8 +192,6 @@ static void call_usermodehelper_exec_work(struct work_struct *work)
 		if (pid < 0) {
 			sub_info->retval = pid;
 			umh_complete(sub_info);
-		} else {
-			sub_info->pid = pid;
 		}
 	}
 }
-- 
2.9.5