Subject: Re: [PATCH] Fix BUG: KASAN: use-after-free in trace_event_raw_event_filelock_lock
From: Jeff Layton
To: Will Shiu, Chuck Lever, Alexander Viro, Christian Brauner, Matthias Brugger, AngeloGioacchino Del Regno, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org
Date: Fri, 21 Jul 2023 06:34:40 -0400
In-Reply-To: <20230721051904.9317-1-Will.Shiu@mediatek.com>
References: <20230721051904.9317-1-Will.Shiu@mediatek.com>

On Fri, 2023-07-21 at 13:19 +0800, Will Shiu wrote:
> As the following backtrace shows, the struct file_lock request in posix_lock_inode
> is freed before the ftrace function uses it.
> Moving the ftrace function ahead of the free flow could fix the use-after-free
> issue.
> 
> [name:report&]===============================================
> BUG:KASAN: use-after-free in trace_event_raw_event_filelock_lock+0x80/0x12c
> [name:report&]Read at addr f6ffff8025622620 by task NativeThread/16753
> [name:report_hw_tags&]Pointer tag: [f6], memory tag: [fe]
> [name:report&]
> BT:
> Hardware name: MT6897 (DT)
> Call trace:
> dump_backtrace+0xf8/0x148
> show_stack+0x18/0x24
> dump_stack_lvl+0x60/0x7c
> print_report+0x2c8/0xa08
> kasan_report+0xb0/0x120
> __do_kernel_fault+0xc8/0x248
> do_bad_area+0x30/0xdc
> do_tag_check_fault+0x1c/0x30
> do_mem_abort+0x58/0xbc
> el1_abort+0x3c/0x5c
> el1h_64_sync_handler+0x54/0x90
> el1h_64_sync+0x68/0x6c
> trace_event_raw_event_filelock_lock+0x80/0x12c
> posix_lock_inode+0xd0c/0xd60
> do_lock_file_wait+0xb8/0x190
> fcntl_setlk+0x2d8/0x440
> ...
> [name:report&]
> [name:report&]Allocated by task 16752:
> ...
> slab_post_alloc_hook+0x74/0x340
> kmem_cache_alloc+0x1b0/0x2f0
> posix_lock_inode+0xb0/0xd60
> ...
> [name:report&]
> [name:report&]Freed by task 16752:
> ...
> kmem_cache_free+0x274/0x5b0
> locks_dispose_list+0x3c/0x148
> posix_lock_inode+0xc40/0xd60
> do_lock_file_wait+0xb8/0x190
> fcntl_setlk+0x2d8/0x440
> do_fcntl+0x150/0xc18
> ...
> 
> Signed-off-by: Will Shiu
> ---
>  fs/locks.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/fs/locks.c b/fs/locks.c
> index df8b26a42524..a552bdb6badc 100644
> --- a/fs/locks.c
> +++ b/fs/locks.c
> @@ -1301,6 +1301,7 @@ static int posix_lock_inode(struct inode *inode, struct file_lock *request,
>  out:
>  	spin_unlock(&ctx->flc_lock);
>  	percpu_up_read(&file_rwsem);
> +	trace_posix_lock_inode(inode, request, error);
>  	/*
>  	 * Free any unused locks.
>  	 */
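Review bot: the new call site in this hunk still runs after spin_unlock(&ctx->flc_lock) and percpu_up_read(&file_rwsem), so the lock it traces is unprotected at the moment the tracepoint dereferences it. The KASAN report quoted above attributes the faulting read to task NativeThread/16753 and the free to task 16752 (kmem_cache_free via locks_dispose_list from another posix_lock_inode call), so the free that races the tracepoint comes from a different task, and moving the trace a few lines earlier within the already-unlocked path only narrows that window rather than closing it. If the traced lock is reachable by other tasks once the list lock is dropped, the call belongs before spin_unlock(&ctx->flc_lock), and the commit message should say so; otherwise it needs to explain how a caller-owned request can be freed at all.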
> @@ -1309,7 +1310,6 @@ static int posix_lock_inode(struct inode *inode, struct file_lock *request,
>  	if (new_fl2)
>  		locks_free_lock(new_fl2);
>  	locks_dispose_list(&dispose);
> -	trace_posix_lock_inode(inode, request, error);
>  
>  	return error;
>  }

Could you send along the entire KASAN log message? I'm not sure I see how
this is being tripped. The lock we're passing in here is "request" and
that shouldn't be freed since it's allocated and owned by the caller.
-- 
Jeff Layton
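Review bot: the line removed in this hunk was the only use of request after locks_free_lock(new_fl2) and locks_dispose_list(&dispose), and those two calls release locks this function obtained itself rather than the caller's request, so the commit message's claim that request is freed here is not supported by the hunk. It does match the "Allocated by task 16752" trace (kmem_cache_alloc from posix_lock_inode+0xb0), which shows the object read by the tracepoint was allocated inside posix_lock_inode; the commit message should state how the pointer passed to the tracepoint as request came to refer to such a lock, and the elided ("...") frames of the allocation and free backtraces should be included so that can be checked. As a style point, the subject should carry the subsystem prefix used for fs/locks.c changes rather than the literal KASAN title.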