From: Linus Torvalds
Date: Tue, 13 Jul 2021 11:49:14 -0700
Subject: Re: [syzbot] KASAN: null-ptr-deref Read in filp_close (2)
To: syzbot
Cc: brauner@kernel.org, Christian Brauner, Dmitry Vyukov, Greg Kroah-Hartman, gscrivan@redhat.com, Christoph Hellwig, linux-fsdevel, Linux Kernel Mailing List, stable-commits@vger.kernel.org, stable, syzkaller-bugs, Al Viro
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Jul 12, 2021 at 9:12 PM syzbot wrote:
>
> syzbot has found a reproducer for the following issue on:

Hmm. This issue is reported to have been already fixed:

  Fix commit: 9b5b8722 file: fix close_range() for unshare+cloexec

and that fix is already in the reported HEAD commit:

> HEAD commit: 7fef2edf sd: don't mess with SD_MINORS for CONFIG_DEBUG_BL..
and the oops report clearly is from that:

> CPU: 1 PID: 8445 Comm: syz-executor493 Not tainted 5.14.0-rc1-syzkaller #0

so the alleged fix is already there.

So clearly commit 9b5b872215fe ("file: fix close_range() for unshare+cloexec") does *NOT* fix the issue.

This was originally bisected to 582f1fb6b721 ("fs, close_range: add flag CLOSE_RANGE_CLOEXEC") in

  https://syzkaller.appspot.com/bug?id=1bef50bdd9622a1969608d1090b2b4a588d0c6ac

which is where the "fix" is from.

It would probably be good if syzbot made this kind of "hey, it was reported fixed, but it's not" very clear.

The KASAN report looks like a use-after-free, and that "use" is actually the sanity check that the file count is non-zero, so it's really a "struct file *" that has already been free'd.

That bogus free is a regular close() system call

> filp_close+0x22/0x170 fs/open.c:1306
> close_fd+0x5c/0x80 fs/file.c:628
> __do_sys_close fs/open.c:1331 [inline]
> __se_sys_close fs/open.c:1329 [inline]

And it was opened by a "creat()" system call:

> Allocated by task 8445:
> __alloc_file+0x21/0x280 fs/file_table.c:101
> alloc_empty_file+0x6d/0x170 fs/file_table.c:150
> path_openat+0xde/0x27f0 fs/namei.c:3493
> do_filp_open+0x1aa/0x400 fs/namei.c:3534
> do_sys_openat2+0x16d/0x420 fs/open.c:1204
> do_sys_open fs/open.c:1220 [inline]
> __do_sys_creat fs/open.c:1294 [inline]
> __se_sys_creat fs/open.c:1288 [inline]
> __x64_sys_creat+0xc9/0x120 fs/open.c:1288
> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
> entry_SYSCALL_64_after_hwframe+0x44/0xae

But it has apparently already been closed from a workqueue:

> Freed by task 8445:
> __fput+0x288/0x920 fs/file_table.c:280
> task_work_run+0xdd/0x1a0 kernel/task_work.c:164

So it's some kind of confusion and re-use of a struct file pointer.

Which is certainly consistent with the "fix" in 9b5b872215fe ("file: fix close_range() for unshare+cloexec"), but it very much looks like that fix was incomplete and not the full story.

Some fdtable got re-allocated?

The fix that wasn't a fix ends up re-checking the maximum file number under the file_lock, but there's clearly something else going on too.

Christian?

             Linus
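The two close_range(2) flags named in the commit titles above, CLOSE_RANGE_UNSHARE and CLOSE_RANGE_CLOEXEC, are the ones whose interaction the "fix" was about. The following user-space program is an added example (not from this e-mail, the syzbot report, or the kernel tree) that checks their documented semantics against a running kernel: CLOEXEC must leave the descriptor open but close-on-exec, and UNSHARE must make a task that shares the fd table operate on a private copy so the sharing task's descriptors survive. It assumes Linux 5.11 or later, the raw syscall number 436 for kernels whose headers lack it, and clone(2) with CLONE_FILES to build a fd-table-sharing child; the helper names (sys_close_range, close_range_in_shared_child, demo_close_range_flags, fd_state) are the example's own. It does not reproduce the use-after-free discussed in the message.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fallbacks for toolchains whose headers predate close_range(2). */
#ifndef __NR_close_range
#define __NR_close_range 436            /* assumption: same number on every architecture */
#endif
#ifndef CLOSE_RANGE_UNSHARE
#define CLOSE_RANGE_UNSHARE (1U << 1)   /* act on a private copy of the fd table */
#endif
#ifndef CLOSE_RANGE_CLOEXEC
#define CLOSE_RANGE_CLOEXEC (1U << 2)   /* set FD_CLOEXEC instead of closing */
#endif

/* Raw syscall so this builds on a libc without a close_range() wrapper. */
static int sys_close_range(unsigned first, unsigned last, unsigned flags)
{
    return (int)syscall(__NR_close_range, first, last, flags);
}

/* fd state as seen by the caller: -1 error, 0 closed, 1 open, 2 open with FD_CLOEXEC set */
static int fd_state(int fd)
{
    int fl = fcntl(fd, F_GETFD);
    if (fl == -1)
        return errno == EBADF ? 0 : -1;
    return (fl & FD_CLOEXEC) ? 2 : 1;
}

struct child_args { unsigned first, last, flags; };

/* Entry point of a child that shares our fd table (CLONE_FILES) and memory (CLONE_VM). */
static int child_close_range(void *arg)
{
    struct child_args *a = arg;
    return sys_close_range(a->first, a->last, a->flags) == 0 ? 0 : 1;
}

/* Have a fd-table-sharing child call close_range(first, last, flags).
 * Returns the child's exit code (0 = success) or -1 if clone()/waitpid() failed. */
static int close_range_in_shared_child(unsigned first, unsigned last, unsigned flags)
{
    enum { STACK_SIZE = 64 * 1024 };
    struct child_args args = { first, last, flags };
    char *stack = malloc(STACK_SIZE);
    int status = 0, ret = -1;
    pid_t pid;
    if (!stack)
        return -1;
    /* Stacks grow down on x86-64 and arm64, so clone() gets the top of the buffer. */
    pid = clone(child_close_range, stack + STACK_SIZE,
                CLONE_VM | CLONE_FILES | SIGCHLD, &args);
    if (pid != -1 && waitpid(pid, &status, 0) == pid && WIFEXITED(status))
        ret = WEXITSTATUS(status);
    free(stack);
    return ret;
}

/* Returns 1 if every documented property held, 2 if close_range()/clone() is
 * unavailable here (old kernel, seccomp), 0 if a property did not hold. */
static int demo_close_range_flags(void)
{
    int a = open("/dev/null", O_RDONLY);
    int b = open("/dev/null", O_RDONLY);   /* lowest free fd is handed out first, so a < b */
    int result = 0, rc;
    if (a < 0 || b < 0 || b <= a)
        goto out;

    /* CLOSE_RANGE_CLOEXEC on [b, b]: b stays open but becomes close-on-exec; a is untouched. */
    if (sys_close_range(b, b, CLOSE_RANGE_CLOEXEC) != 0) {
        if (errno == ENOSYS || errno == EPERM || errno == EINVAL)
            result = 2;
        goto out;
    }
    if (fd_state(a) != 1 || fd_state(b) != 2)
        goto out;

    /* CLOSE_RANGE_UNSHARE: the child closes b in a private copy of the table; ours survives. */
    rc = close_range_in_shared_child(b, b, CLOSE_RANGE_UNSHARE);
    if (rc == -1) { result = 2; goto out; }
    if (rc != 0 || fd_state(b) != 2)
        goto out;

    /* Without UNSHARE the child acts on the shared table, so b disappears here as well. */
    if (close_range_in_shared_child(b, b, 0) != 0 || fd_state(b) != 0)
        goto out;
    b = -1;
    result = 1;
out:
    if (a >= 0) close(a);
    if (b >= 0) close(b);
    return result;
}

int main(void)
{
    int r = demo_close_range_flags();
    puts(r == 1 ? "close_range flags behave as documented"
       : r == 2 ? "close_range()/clone() not available in this environment"
                : "unexpected descriptor state");
    return r == 0;
}
```

The child is created with CLONE_VM so that the parent's pointer to the argument block is valid in it, and without CLONE_THREAD so that waitpid() can collect it; the only thing it does is the one syscall under test, which keeps the shared address space and the parent's TLS out of the picture.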