syzbot

KASAN: use-after-free Read in get_mem_cgroup_from_mm

Status: fixed on 2019/06/14 18:22
Reported-by: syzbot+cbb52e396df3e565ab02@syzkaller.appspotmail.com
Fix commit: c3f3ce049f7d userfaultfd: use RCU to free the task struct when fork fails
First crash: 1430d, last: 1254d

Cause bisection: the cause commit could be any of (bisect log):
  2c43838c99d9 sched/isolation: Enable CONFIG_CPU_ISOLATION=y by default
  bf29cb238dc0 sched/isolation: Make CONFIG_NO_HZ_FULL select CONFIG_CPU_ISOLATION
  d94d105329e4 sched/isolation: Document boot parameters dependency on CONFIG_CPU_ISOLATION=y
  4c470317f91e Merge branch 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
similar bugs (1):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.19 KASAN: use-after-free Read in get_mem_cgroup_from_mm C done 6 1254d 1268d 1/1 fixed on 2019/11/30 01:15

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:193 [inline]
BUG: KASAN: use-after-free in task_css include/linux/cgroup.h:480 [inline]
BUG: KASAN: use-after-free in mem_cgroup_from_task mm/memcontrol.c:822 [inline]
BUG: KASAN: use-after-free in get_mem_cgroup_from_mm mm/memcontrol.c:851 [inline]
BUG: KASAN: use-after-free in get_mem_cgroup_from_mm+0x28f/0x2b0 mm/memcontrol.c:834
Read of size 8 at addr ffff888092ddb798 by task syz-executor297/7798

CPU: 0 PID: 7798 Comm: syz-executor297 Not tainted 5.1.0-rc5+ #70
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
 kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
 __read_once_size include/linux/compiler.h:193 [inline]
 task_css include/linux/cgroup.h:480 [inline]
 mem_cgroup_from_task mm/memcontrol.c:822 [inline]
 get_mem_cgroup_from_mm mm/memcontrol.c:851 [inline]
 get_mem_cgroup_from_mm+0x28f/0x2b0 mm/memcontrol.c:834
 mem_cgroup_try_charge+0x238/0x5e0 mm/memcontrol.c:5932
 mcopy_atomic_pte mm/userfaultfd.c:71 [inline]
 mfill_atomic_pte mm/userfaultfd.c:418 [inline]
 __mcopy_atomic mm/userfaultfd.c:559 [inline]
 mcopy_atomic+0x893/0x2600 mm/userfaultfd.c:609
 userfaultfd_copy fs/userfaultfd.c:1713 [inline]
 userfaultfd_ioctl+0x4d8/0x3aa0 fs/userfaultfd.c:1859
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:509 [inline]
 do_vfs_ioctl+0xd6e/0x1390 fs/ioctl.c:696
 ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
 __do_sys_ioctl fs/ioctl.c:720 [inline]
 __se_sys_ioctl fs/ioctl.c:718 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
 do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4471a9
Code: e8 4c bb 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 07 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f38c1852db8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000006dcc38 RCX: 00000000004471a9
RDX: 0000000020000100 RSI: 00000000c028aa03 RDI: 0000000000000004
RBP: 00000000006dcc30 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dcc3c
R13: 00007ffc17c2d00f R14: 00007f38c18539c0 R15: 0000000000000001

Allocated by task 7797:
 save_stack+0x45/0xd0 mm/kasan/common.c:75
 set_track mm/kasan/common.c:87 [inline]
 __kasan_kmalloc mm/kasan/common.c:497 [inline]
 __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:470
 kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:505
 slab_post_alloc_hook mm/slab.h:437 [inline]
 slab_alloc_node mm/slab.c:3337 [inline]
 kmem_cache_alloc_node+0x131/0x710 mm/slab.c:3647
 alloc_task_struct_node kernel/fork.c:157 [inline]
 dup_task_struct kernel/fork.c:844 [inline]
 copy_process.part.0+0x1d08/0x7980 kernel/fork.c:1752
 copy_process kernel/fork.c:1709 [inline]
 _do_fork+0x257/0xfd0 kernel/fork.c:2226
 __do_sys_clone kernel/fork.c:2333 [inline]
 __se_sys_clone kernel/fork.c:2327 [inline]
 __x64_sys_clone+0xbf/0x150 kernel/fork.c:2327
 do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 7797:
 save_stack+0x45/0xd0 mm/kasan/common.c:75
 set_track mm/kasan/common.c:87 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:459
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:467
 __cache_free mm/slab.c:3500 [inline]
 kmem_cache_free+0x86/0x260 mm/slab.c:3766
 free_task_struct kernel/fork.c:162 [inline]
 free_task+0xdd/0x120 kernel/fork.c:457
 copy_process.part.0+0x1a3a/0x7980 kernel/fork.c:2158
 copy_process kernel/fork.c:1709 [inline]
 _do_fork+0x257/0xfd0 kernel/fork.c:2226
 __do_sys_clone kernel/fork.c:2333 [inline]
 __se_sys_clone kernel/fork.c:2327 [inline]
 __x64_sys_clone+0xbf/0x150 kernel/fork.c:2327
 do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff888092dda6c0
 which belongs to the cache task_struct(17:syz0) of size 6080
The buggy address is located 4312 bytes inside of
 6080-byte region [ffff888092dda6c0, ffff888092ddbe80)
The buggy address belongs to the page:
page:ffffea00024b7680 count:1 mapcount:0 mapping:ffff88808d1a2480 index:0x0 compound_mapcount: 0
flags: 0x1fffc0000010200(slab|head)
raw: 01fffc0000010200 ffffea00024b7608 ffffea000250c608 ffff88808d1a2480
raw: 0000000000000000 ffff888092dda6c0 0000000100000001 ffff888096d0c180
page dumped because: kasan: bad access detected
page->mem_cgroup:ffff888096d0c180

Memory state around the buggy address:
 ffff888092ddb680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888092ddb700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888092ddb780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                            ^
 ffff888092ddb800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888092ddb880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (375):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kasan-gce-root 2019/04/16 09:50 upstream 618d919cae2f 505ab413 .config log report syz C
ci-upstream-kasan-gce 2019/04/16 07:35 upstream 5512320c9f6f 505ab413 .config log report syz C
ci-upstream-kasan-gce-smack-root 2019/04/16 07:24 upstream 5512320c9f6f 505ab413 .config log report syz C
ci-upstream-kasan-gce-selinux-root 2018/12/04 15:42 upstream 0072a0c14d5b 6ad0ae61 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2019/02/23 19:22 linux-next 94a47529a645 18107ce0 .config log report syz C
ci-upstream-kasan-gce-root 2018/12/04 16:31 upstream 0072a0c14d5b 6ad0ae61 .config log report syz
ci-upstream-kasan-gce-smack-root 2018/12/04 16:19 upstream 0072a0c14d5b 6ad0ae61 .config log report syz
ci-upstream-linux-next-kasan-gce-root 2018/12/04 17:22 linux-next 442b8cea2477 6ad0ae61 .config log report syz
ci-upstream-kasan-gce-smack-root 2019/04/29 18:17 upstream 37624b58542f b617407b .config log report
ci-upstream-kasan-gce 2019/04/27 20:57 upstream baf76f0c58ae b617407b .config log report
ci-upstream-kasan-gce 2019/04/27 01:30 upstream d0473f978e61 b617407b .config log report
ci-upstream-kasan-gce-root 2019/04/25 19:56 upstream f6f3e747454f f46aabc8 .config log report
ci-upstream-kasan-gce-smack-root 2019/04/18 11:50 upstream e53f31bffe1d b0e8efcb .config log report
ci-upstream-kasan-gce-smack-root 2019/04/18 06:15 upstream fe5cdef29e41 b0e8efcb .config log report
ci-upstream-kasan-gce-smack-root 2019/04/16 01:21 upstream 5512320c9f6f 505ab413 .config log report
ci-upstream-kasan-gce-root 2019/03/04 00:52 upstream 1c163f4c7b3f 1c0e457a .config log report
ci-upstream-kasan-gce-smack-root 2019/02/22 21:42 upstream 6ee2846cb4e7 6a5fcca4 .config log report
ci-upstream-kasan-gce-smack-root 2019/02/22 12:39 upstream 8a61716ff2ab 6a5fcca4 .config log report
ci-upstream-kasan-gce-root 2019/02/21 09:56 upstream f6163d67cc31 3133098b .config log report
ci-upstream-kasan-gce-root 2019/02/20 19:45 upstream 2137397c92ae c95f0707 .config log report
ci-upstream-kasan-gce-root 2019/02/18 01:42 upstream 8d33316d5205 3e98cc30 .config log report
ci-upstream-kasan-gce-root 2019/02/17 13:52 upstream 64c0133eb88a f42dee6d .config log report
ci-upstream-kasan-gce-root 2019/02/08 12:51 upstream 74e96711e337 aa4feb03 .config log report
ci-upstream-kasan-gce-root 2019/02/06 11:13 upstream 8834f5600cf3 d672172c .config log report
ci-upstream-kasan-gce-root 2019/02/06 07:52 upstream 8834f5600cf3 d672172c .config log report
ci-upstream-kasan-gce-root 2019/02/05 17:06 upstream 8834f5600cf3 d672172c .config log report
ci-upstream-kasan-gce-root 2019/02/05 15:52 upstream 8834f5600cf3 d672172c .config log report
ci-upstream-kasan-gce-root 2019/02/04 05:15 upstream 24b888d8d598 c198d5dd .config log report
ci-upstream-kasan-gce-selinux-root 2019/01/22 21:21 upstream 787a3b432276 b1ff06b2 .config log report
ci-upstream-kasan-gce-root 2018/11/04 06:32 upstream 83650fd58a93 8bd6bd63 .config log report
ci-upstream-linux-next-kasan-gce-root 2019/03/28 03:32 linux-next a392ee45bae7 f94f56fe .config log report
ci-upstream-linux-next-kasan-gce-root 2019/03/19 00:07 linux-next b99981945914 46264c32 .config log report
ci-upstream-linux-next-kasan-gce-root 2019/03/17 11:28 linux-next cf08baa29613 ba18afea .config log report
ci-upstream-linux-next-kasan-gce-root 2019/03/17 08:25 linux-next cf08baa29613 bab43553 .config log report
ci-upstream-linux-next-kasan-gce-root 2019/03/12 14:02 linux-next cf08baa29613 a71bfb62 .config log report
ci-upstream-linux-next-kasan-gce-root 2019/03/10 22:10 linux-next cf08baa29613 12365b99 .config log report
ci-upstream-linux-next-kasan-gce-root 2019/03/09 22:36 linux-next cf08baa29613 12365b99 .config log report
ci-upstream-linux-next-kasan-gce-root 2019/03/09 02:37 linux-next cf08baa29613 12365b99 .config log report
ci-upstream-linux-next-kasan-gce-root 2019/03/06 09:12 linux-next cf08baa29613 05cf83bf .config log report
ci-upstream-linux-next-kasan-gce-root 2019/03/06 06:05 linux-next baf5a9d1f9b9 16559f86 .config log report
ci-upstream-linux-next-kasan-gce-root 2019/03/04 16:28 linux-next 5d57915a1c8b 7c693b52 .config log report
ci-upstream-linux-next-kasan-gce-root 2019/03/04 07:35 linux-next c63e9e91a254 7c693b52 .config log report
ci-upstream-linux-next-kasan-gce-root 2019/03/03 17:30 linux-next c63e9e91a254 1c0e457a .config log report
ci-upstream-linux-next-kasan-gce-root 2019/02/24 15:44 linux-next 94a47529a645 7a06e792 .config log report
ci-upstream-linux-next-kasan-gce-root 2019/02/24 14:43 linux-next 94a47529a645 7a06e792 .config log report
ci-upstream-linux-next-kasan-gce-root 2019/02/23 08:47 linux-next 94a47529a645 18107ce0 .config log report
ci-upstream-linux-next-kasan-gce-root 2019/02/22 08:47 linux-next 94a47529a645 7ff74a98 .config log report
ci-upstream-linux-next-kasan-gce-root 2019/02/21 08:55 linux-next 550f4769c7c4 3133098b .config log report
ci-upstream-linux-next-kasan-gce-root 2019/02/21 07:20 linux-next abf446c90405 c95f0707 .config log report
ci-upstream-linux-next-kasan-gce-root 2019/02/16 17:40 linux-next 7a92eb7cc1dc f42dee6d .config log report
ci-upstream-linux-next-kasan-gce-root 2019/02/12 23:26 linux-next b5829453d81a 6ecc6d0f .config log report
ci-upstream-linux-next-kasan-gce-root 2019/02/11 07:44 linux-next a46228f6598a b4f792e4 .config log report
ci-upstream-linux-next-kasan-gce-root 2019/02/08 11:25 linux-next a46228f6598a aa4feb03 .config log report
ci-upstream-linux-next-kasan-gce-root 2019/02/08 01:32 linux-next 1bd831d68d55 aa4feb03 .config log report
ci-upstream-linux-next-kasan-gce-root 2019/02/04 11:54 linux-next dc4c89997735 d672172c .config log report
ci-upstream-linux-next-kasan-gce-root 2019/02/04 04:12 linux-next dc4c89997735 c198d5dd .config log report