syzbot


KASAN: use-after-free Read in put_pid_ns

Status: upstream: reported C repro on 2019/08/15 04:16
Reported-by: syzbot+8a0fd0335e646510c363@syzkaller.appspotmail.com
First crash: 1773d, last: 1177d
Fix bisection: failed (error log, bisect log)
  
Last patch testing requests (2)
Created Duration User Patch Repo Result
2023/02/06 19:32 15m retest repro linux-4.14.y report log
2022/09/16 04:29 9m retest repro linux-4.14.y report log
Fix bisection attempts (2)
Created Duration User Patch Repo Result
2020/04/28 16:25 21m bisect fix linux-4.14.y error job log (0)
2020/01/21 21:31 24m bisect fix linux-4.14.y job log (0) log

Sample crash report:
RBP: 000000000000d341 R08: 00000000ffffffff R09: 0000000100000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000402360
R13: 00000000004023f0 R14: 0000000000000000 R15: 0000000000000000
proc_fill_super: allocate dentry failed
==================================================================
BUG: KASAN: use-after-free in put_pid_ns+0x100/0x110 kernel/pid_namespace.c:202
Read of size 8 at addr ffff88809977b510 by task syz-executor316/7239

CPU: 1 PID: 7239 Comm: syz-executor316 Not tainted 4.14.138 #34
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x138/0x19c lib/dump_stack.c:53
 print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report mm/kasan/report.c:409 [inline]
 kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430
 put_pid_ns+0x100/0x110 kernel/pid_namespace.c:202
 free_nsproxy+0x103/0x200 kernel/nsproxy.c:182
 switch_task_namespaces+0x98/0xb0 kernel/nsproxy.c:229
 exit_task_namespaces+0x18/0x20 kernel/nsproxy.c:234
 copy_process.part.0+0x3b59/0x6a00 kernel/fork.c:1986
 copy_process kernel/fork.c:1595 [inline]
 _do_fork+0x19e/0xce0 kernel/fork.c:2085
 SYSC_clone kernel/fork.c:2195 [inline]
 SyS_clone+0x37/0x50 kernel/fork.c:2189
 do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x441549
RSP: 002b:00007ffc71bf82a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000038
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441549
RDX: 9999999999999999 RSI: 0000000000000000 RDI: 88bd14a7b286b957
RBP: 000000000000d337 R08: 00000000ffffffff R09: 0000000100000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000402360
R13: 00000000004023f0 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 7239:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x45/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc mm/kasan/kasan.c:551 [inline]
 kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:529
 kasan_slab_alloc+0xf/0x20 mm/kasan/kasan.c:489
 kmem_cache_alloc+0x12e/0x780 mm/slab.c:3552
 kmem_cache_zalloc include/linux/slab.h:651 [inline]
 create_pid_namespace kernel/pid_namespace.c:116 [inline]
 copy_pid_ns+0x1ae/0xa40 kernel/pid_namespace.c:186
 create_new_namespaces+0x267/0x720 kernel/nsproxy.c:94
 copy_namespaces+0x284/0x310 kernel/nsproxy.c:165
 copy_process.part.0+0x2603/0x6a00 kernel/fork.c:1783
 copy_process kernel/fork.c:1595 [inline]
 _do_fork+0x19e/0xce0 kernel/fork.c:2085
 SYSC_clone kernel/fork.c:2195 [inline]
 SyS_clone+0x37/0x50 kernel/fork.c:2189
 do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

Freed by task 7:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x45/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3496 [inline]
 kmem_cache_free+0x83/0x2b0 mm/slab.c:3758
 delayed_free_pidns+0x89/0xb0 kernel/pid_namespace.c:166
 __rcu_reclaim kernel/rcu/rcu.h:195 [inline]
 rcu_do_batch kernel/rcu/tree.c:2699 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:2962 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:2929 [inline]
 rcu_process_callbacks+0x7b8/0x12b0 kernel/rcu/tree.c:2946
 __do_softirq+0x244/0x9a0 kernel/softirq.c:288

The buggy address belongs to the object at ffff88809977acd8
 which belongs to the cache pid_namespace of size 2264
The buggy address is located 2104 bytes inside of
 2264-byte region [ffff88809977acd8, ffff88809977b5b0)
The buggy address belongs to the page:
page:ffffea000265de80 count:1 mapcount:0 mapping:ffff88809977a380 index:0x0 compound_mapcount: 0
flags: 0x1fffc0000008100(slab|head)
raw: 01fffc0000008100 ffff88809977a380 0000000000000000 0000000100000003
raw: ffffea000264f220 ffffea0002647aa0 ffff8880a87f2640 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88809977b400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88809977b480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88809977b500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                         ^
 ffff88809977b580: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
 ffff88809977b600: fc fc fc fc fc fc fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (30):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2019/08/15 03:35 linux-4.14.y 3ffe1e79c174 0d298d6b .config console log report syz C ci2-linux-4-14
2021/04/01 22:07 linux-4.14.y bd634aa64163 6a81331a .config console log report info ci2-linux-4-14 KASAN: use-after-free Read in put_pid_ns
2020/07/17 13:18 linux-4.14.y b850307b279c 54b3c45e .config console log report ci2-linux-4-14
2020/07/08 09:39 linux-4.14.y b850307b279c 5962a2dc .config console log report ci2-linux-4-14
2020/05/30 13:39 linux-4.14.y 4f68020fef1c 954bd312 .config console log report ci2-linux-4-14
2020/05/14 17:45 linux-4.14.y ab9dfda23248 2d572622 .config console log report ci2-linux-4-14
2020/05/06 11:02 linux-4.14.y d71f695ce745 35b8eb30 .config console log report ci2-linux-4-14
2020/03/29 16:25 linux-4.14.y 01364dad1d45 05736b29 .config console log report ci2-linux-4-14
2020/03/08 04:45 linux-4.14.y 78d697fc93f9 2e9971bb .config console log report ci2-linux-4-14
2020/02/22 03:04 linux-4.14.y 98db2bf27b9e 2ffa6679 .config console log report ci2-linux-4-14
2020/02/10 10:25 linux-4.14.y e0f8b8a65a47 35f5e45e .config console log report ci2-linux-4-14
2019/12/22 21:31 linux-4.14.y e1f7d50ae3a3 8b967267 .config console log report ci2-linux-4-14
2019/12/21 09:39 linux-4.14.y bfb9e5c03076 bc586918 .config console log report ci2-linux-4-14
2019/12/21 04:44 linux-4.14.y bfb9e5c03076 bc586918 .config console log report ci2-linux-4-14
2019/12/14 17:28 linux-4.14.y a844dc4c5442 eef6e580 .config console log report ci2-linux-4-14
2019/12/07 22:56 linux-4.14.y a844dc4c5442 1508f453 .config console log report ci2-linux-4-14
2019/12/06 23:25 linux-4.14.y a844dc4c5442 85f26751 .config console log report ci2-linux-4-14
2019/12/06 23:03 linux-4.14.y a844dc4c5442 85f26751 .config console log report ci2-linux-4-14
2019/11/25 04:43 linux-4.14.y 43598c571e7e 598ca6c8 .config console log report ci2-linux-4-14
2019/11/14 17:05 linux-4.14.y 775d01b65b5d 048f2d49 .config console log report ci2-linux-4-14
2019/10/24 10:44 linux-4.14.y b98aebd29824 d01bb02a .config console log report ci2-linux-4-14
2019/10/19 03:51 linux-4.14.y b98aebd29824 8c88c9c1 .config console log report ci2-linux-4-14
2019/10/16 21:20 linux-4.14.y e132c8d7b58d 8c88c9c1 .config console log report ci2-linux-4-14
2019/10/12 17:47 linux-4.14.y e132c8d7b58d 426631dd .config console log report ci2-linux-4-14
2019/09/24 12:45 linux-4.14.y f6e27dbb1afa f8368f99 .config console log report ci2-linux-4-14
2019/09/24 08:47 linux-4.14.y f6e27dbb1afa c68252d2 .config console log report ci2-linux-4-14
2019/09/05 21:34 linux-4.14.y 01fd1694b93c bf6bcce4 .config console log report ci2-linux-4-14
2019/09/03 13:18 linux-4.14.y 01fd1694b93c 48448e71 .config console log report ci2-linux-4-14
2019/08/29 03:38 linux-4.14.y b5260801526c 40203c15 .config console log report ci2-linux-4-14
2019/08/15 03:15 linux-4.14.y 3ffe1e79c174 0d298d6b .config console log report ci2-linux-4-14
* Struck through repros no longer work on HEAD.