Date: Thu, 07 Jun 2018 16:57:27 -0400 (EDT)
Message-Id: <20180607.165727.864700268719773969.davem@davemloft.net>
From: David Miller
To: ast@kernel.org
Cc: daniel@iogearbox.net, mcgrof@kernel.org, netdev@vger.kernel.org, dvyukov@google.com, linux-kernel@vger.kernel.org, kernel-team@fb.com
Subject: Re: [PATCH net-next] umh: fix race condition
In-Reply-To: <20180607172310.3121039-1-ast@kernel.org>
References: <20180607172310.3121039-1-ast@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Alexei Starovoitov
Date: Thu, 7 Jun 2018 10:23:10 -0700

> kasan reported use-after-free:
> BUG: KASAN: use-after-free in call_usermodehelper_exec_work+0x2d3/0x310 kernel/umh.c:195
> Write of size 4 at addr ffff8801d9202370 by task kworker/u4:2/50
> Workqueue: events_unbound call_usermodehelper_exec_work
> Call Trace:
>  __dump_stack lib/dump_stack.c:77 [inline]
>  dump_stack+0x1b9/0x294 lib/dump_stack.c:113
>  print_address_description+0x6c/0x20b mm/kasan/report.c:256
>  kasan_report_error mm/kasan/report.c:354 [inline]
>  kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
>  __asan_report_store4_noabort+0x17/0x20 mm/kasan/report.c:437
>  call_usermodehelper_exec_work+0x2d3/0x310 kernel/umh.c:195
>  process_one_work+0xc1e/0x1b50 kernel/workqueue.c:2145
>  worker_thread+0x1cc/0x1440 kernel/workqueue.c:2279
>  kthread+0x345/0x410 kernel/kthread.c:240
>  ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412
>
> The reason is that 'sub_info' cannot be accessed out of parent task
> context, since it will be freed by the child.
> Instead remember the pid in the child task.
>
> Fixes: 449325b52b7a ("umh: introduce fork_usermode_blob() helper")
> Reported-by: syzbot+2c73319c406f1987d156@syzkaller.appspotmail.com
> Signed-off-by: Alexei Starovoitov

Applied.