syzbot

KASAN: use-after-free Read in link_path_walk

Status: auto-closed as invalid on 2019/02/22 12:34
First crash: 2280d, last: 2084d
Similar bugs (3)
Kernel       Title                                              Repro  Cause bisect  Fix bisect  Count  Last   Reported  Patched  Status
android-414  KASAN: use-after-free Read in link_path_walk       syz    -             -               2  1889d  1832d     0/1      public: reported syz repro on 2019/04/13 00:01
upstream     KASAN: use-after-free Read in link_path_walk (fs)  syz    done          -               5  1952d  1968d     12/26    fixed on 2019/04/12 08:05
android-49   KASAN: use-after-free Read in link_path_walk       C      -             -              56  2084d  1834d     0/3      public: reported C repro on 2019/04/11 08:44

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in d_can_lookup include/linux/dcache.h:432 [inline]
BUG: KASAN: use-after-free in link_path_walk+0x149c/0x1710 fs/namei.c:2005
Read of size 4 at addr ffff88009f80f340 by task syz-executor4/13604

CPU: 1 PID: 13604 Comm: syz-executor4 Not tainted 4.4.138-gcf21a9a #64
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 2b0414f65b69be3d ffff8800b2e4fa98 ffffffff81e0ed0d
 ffffea00027e0380 ffff88009f80f340 0000000000000000 ffff88009f80f340
 ffff8800b2e4fc80 ffff8800b2e4fad0 ffffffff81515a16 ffff88009f80f340
Call Trace:
 [<ffffffff81e0ed0d>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81e0ed0d>] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [<ffffffff81515a16>] print_address_description+0x6c/0x216 mm/kasan/report.c:252
 [<ffffffff81515d35>] kasan_report_error mm/kasan/report.c:351 [inline]
 [<ffffffff81515d35>] kasan_report.cold.7+0x175/0x2f7 mm/kasan/report.c:408
 [<ffffffff814f9804>] __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:428
 [<ffffffff8154ad0c>] d_can_lookup include/linux/dcache.h:432 [inline]
 [<ffffffff8154ad0c>] link_path_walk+0x149c/0x1710 fs/namei.c:2005
 [<ffffffff8154afce>] path_parentat.isra.35+0x4e/0x140 fs/namei.c:2209
 [<ffffffff81550283>] filename_parentat.isra.51.part.52+0x173/0x3d0 fs/namei.c:2231
 [<ffffffff81550e7e>] filename_parentat fs/namei.c:3445 [inline]
 [<ffffffff81550e7e>] filename_create+0xce/0x490 fs/namei.c:3447
 [<ffffffff815533b1>] user_path_create fs/namei.c:3522 [inline]
 [<ffffffff815533b1>] SYSC_mkdirat fs/namei.c:3664 [inline]
 [<ffffffff815533b1>] SyS_mkdirat fs/namei.c:3656 [inline]
 [<ffffffff815533b1>] SYSC_mkdir fs/namei.c:3683 [inline]
 [<ffffffff815533b1>] SyS_mkdir+0xb1/0x260 fs/namei.c:3681
 [<ffffffff838c2725>] entry_SYSCALL_64_fastpath+0x22/0x9e

Allocated by task 13562:
 [<ffffffff81033e46>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63
 [<ffffffff814f88d3>] save_stack+0x43/0xd0 mm/kasan/kasan.c:512
 [<ffffffff814f8bb7>] set_track mm/kasan/kasan.c:524 [inline]
 [<ffffffff814f8bb7>] kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:616
 [<ffffffff814f9182>] kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:554
 [<ffffffff814f4c7e>] slab_post_alloc_hook mm/slub.c:1349 [inline]
 [<ffffffff814f4c7e>] slab_alloc_node mm/slub.c:2615 [inline]
 [<ffffffff814f4c7e>] slab_alloc mm/slub.c:2623 [inline]
 [<ffffffff814f4c7e>] kmem_cache_alloc+0xbe/0x2a0 mm/slub.c:2628
 [<ffffffff8156aa8e>] __d_alloc+0x2e/0x7b0 fs/dcache.c:1589
 [<ffffffff8156b4b7>] d_make_root+0x47/0x90 fs/dcache.c:1956
 [<ffffffff8184268d>] ramfs_fill_super+0x35d/0x490 fs/ramfs/inode.c:232
 [<ffffffff81526adb>] mount_nodev+0x5b/0x100 fs/super.c:1086
 [<ffffffff81841b2c>] ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:242
 [<ffffffff81528b0c>] mount_fs+0x28c/0x370 fs/super.c:1146
 [<ffffffff81580aa1>] vfs_kern_mount.part.30+0xd1/0x3d0 fs/namespace.c:991
 [<ffffffff815880ee>] vfs_kern_mount fs/namespace.c:973 [inline]
 [<ffffffff815880ee>] do_new_mount fs/namespace.c:2517 [inline]
 [<ffffffff815880ee>] do_mount+0x4ee/0x2860 fs/namespace.c:2833
 [<ffffffff8158ae70>] SYSC_mount fs/namespace.c:3027 [inline]
 [<ffffffff8158ae70>] SyS_mount+0x130/0x1d0 fs/namespace.c:3005
 [<ffffffff838c2725>] entry_SYSCALL_64_fastpath+0x22/0x9e

Freed by task 13562:
 [<ffffffff81033e46>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63
 [<ffffffff814f88d3>] save_stack+0x43/0xd0 mm/kasan/kasan.c:512
 [<ffffffff814f9202>] set_track mm/kasan/kasan.c:524 [inline]
 [<ffffffff814f9202>] kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:589
 [<ffffffff814f638e>] slab_free_hook mm/slub.c:1383 [inline]
 [<ffffffff814f638e>] slab_free_freelist_hook mm/slub.c:1405 [inline]
 [<ffffffff814f638e>] slab_free mm/slub.c:2859 [inline]
 [<ffffffff814f638e>] kmem_cache_free+0xbe/0x340 mm/slub.c:2881
 [<ffffffff81562085>] __d_free fs/dcache.c:257 [inline]
 [<ffffffff81562085>] dentry_free+0xd5/0x150 fs/dcache.c:333
 [<ffffffff8156424c>] __dentry_kill+0x4ac/0x5f0 fs/dcache.c:576
 [<ffffffff81567b27>] dentry_kill fs/dcache.c:603 [inline]
 [<ffffffff81567b27>] dput.part.26+0x587/0x760 fs/dcache.c:818
 [<ffffffff81569b73>] dput fs/dcache.c:782 [inline]
 [<ffffffff81569b73>] do_one_tree+0x43/0x50 fs/dcache.c:1473
 [<ffffffff8156a992>] shrink_dcache_for_umount+0x62/0x130 fs/dcache.c:1487
 [<ffffffff8152412d>] generic_shutdown_super+0x6d/0x300 fs/super.c:413
 [<ffffffff815249b2>] kill_anon_super fs/super.c:914 [inline]
 [<ffffffff815249b2>] kill_litter_super+0x72/0x90 fs/super.c:924
 [<ffffffff81841aef>] ramfs_kill_sb+0x3f/0x50 fs/ramfs/inode.c:248
 [<ffffffff81524e8d>] deactivate_locked_super+0x8d/0xd0 fs/super.c:301
 [<ffffffff815257d1>] deactivate_super+0x91/0xd0 fs/super.c:332
 [<ffffffff8157fd52>] cleanup_mnt+0xb2/0x160 fs/namespace.c:1119
 [<ffffffff8157fe86>] __cleanup_mnt+0x16/0x20 fs/namespace.c:1126
 [<ffffffff8118bd7f>] task_work_run+0x10f/0x190 kernel/task_work.c:115
 [<ffffffff8100362d>] tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 [<ffffffff8100362d>] exit_to_usermode_loop+0x13d/0x160 arch/x86/entry/common.c:252
 [<ffffffff81006535>] prepare_exit_to_usermode arch/x86/entry/common.c:283 [inline]
 [<ffffffff81006535>] syscall_return_slowpath+0x1b5/0x1f0 arch/x86/entry/common.c:348
 [<ffffffff838c28b5>] int_ret_from_sys_call+0x25/0xa3

The buggy address belongs to the object at ffff88009f80f340
 which belongs to the cache dentry of size 288
The buggy address is located 0 bytes inside of
 288-byte region [ffff88009f80f340, ffff88009f80f460)
The buggy address belongs to the page:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.4.138-gcf21a9a #64
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffffffff84417840 task.stack: ffffffff84400000
RIP: 0010:[<ffffffff81e70801>]  [<ffffffff81e70801>] lookup_object lib/debugobjects.c:120 [inline]
RIP: 0010:[<ffffffff81e70801>]  [<ffffffff81e70801>] debug_object_deactivate+0x191/0x340 lib/debugobjects.c:465
RSP: 0018:ffff8801db207cf0  EFLAGS: 00010002
RAX: dffffc0000000000 RBX: 4000000000004080 RCX: 0800000000000813
RDX: 1ffffffff0b42daf RSI: ffffffff844c6720 RDI: 4000000000004098
RBP: ffff8801db207da8 R08: ffffffff853317f0 R09: 0000000000000001
R10: 0000000000000001 R11: ffffffff84417840 R12: 1ffff1003b640fa0
R13: ffffffff85a16d68 R14: ffff8800ac18fdf8 R15: 0000000000000003
FS:  0000000000000000(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fdd836fd000 CR3: 00000001bf114000 CR4: 00000000001606f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
 0000000000000092 ffffffff844c6720 0000000041b58ab3 ffffffff842092d7
 ffffffff81e70670 ffffffff84417840 fffffbfff0883023 ffffffff84418120
 ffff8801db219658 0000000000000000 ffff8801db207d80 ffffffff81229682
Call Trace:
 <IRQ> 
 [<ffffffff8129dbc2>] debug_hrtimer_deactivate kernel/time/hrtimer.c:415 [inline]
 [<ffffffff8129dbc2>] debug_deactivate kernel/time/hrtimer.c:462 [inline]
 [<ffffffff8129dbc2>] __run_hrtimer kernel/time/hrtimer.c:1230 [inline]
 [<ffffffff8129dbc2>] __hrtimer_run_queues+0x222/0x1000 kernel/time/hrtimer.c:1325
 [<ffffffff8129f4c1>] hrtimer_interrupt+0x1b1/0x430 kernel/time/hrtimer.c:1359
 [<ffffffff810ad284>] local_apic_timer_interrupt+0x74/0xa0 arch/x86/kernel/apic/apic.c:901
 [<ffffffff838c534c>] smp_apic_timer_interrupt+0x7c/0xa0 arch/x86/kernel/apic/apic.c:925
 [<ffffffff838c4290>] apic_timer_interrupt+0xa0/0xb0 arch/x86/entry/entry_64.S:741
 <EOI> 
 [<ffffffff81025cf5>] arch_safe_halt arch/x86/include/asm/paravirt.h:117 [inline]
 [<ffffffff81025cf5>] default_idle+0x55/0x3c0 arch/x86/kernel/process.c:290
 [<ffffffff81027240>] arch_cpu_idle+0x10/0x20 arch/x86/kernel/process.c:281
 [<ffffffff8121bc07>] default_idle_call+0x57/0x70 kernel/sched/idle.c:93
 [<ffffffff8121c3af>] cpuidle_idle_call kernel/sched/idle.c:157 [inline]
 [<ffffffff8121c3af>] cpu_idle_loop kernel/sched/idle.c:253 [inline]
 [<ffffffff8121c3af>] cpu_startup_entry+0x6af/0x780 kernel/sched/idle.c:301
 [<ffffffff838af851>] rest_init+0x188/0x18e init/main.c:410
 [<ffffffff84a4b8a1>] start_kernel+0x6b3/0x6e7 init/main.c:682
 [<ffffffff84a4a30f>] x86_64_start_reservations+0x29/0x2b arch/x86/kernel/head64.c:196
 [<ffffffff84a4a450>] x86_64_start_kernel+0x13f/0x162 arch/x86/kernel/head64.c:185
Code: a9 01 00 00 48 8b 1b 41 bf 01 00 00 00 48 85 db 74 42 48 b8 00 00 00 00 00 fc ff df 48 8d 7b 18 41 83 c7 01 48 89 f9 48 c1 e9 03 <80> 3c 01 00 0f 85 0c 01 00 00 4c 3b 73 18 74 7d 48 89 d9 48 c1 
RIP  [<ffffffff81e70801>] lookup_object lib/debugobjects.c:120 [inline]
RIP  [<ffffffff81e70801>] debug_object_deactivate+0x191/0x340 lib/debugobjects.c:465
 RSP <ffff8801db207cf0>
---[ end trace 090d0a19ca964836 ]---

Crashes (17):
Time              Kernel                                                      Commit        Syzkaller  Config   Log          Report  Manager
2018/06/27 01:39  https://android.googlesource.com/kernel/common android-4.4  cf21a9ac5ee4  b0294c53   .config  console log  report  ci-android-44-kasan-gce
2018/06/15 15:42  https://android.googlesource.com/kernel/common android-4.4  a2e2217bd824  27c5f59f   .config  console log  report  ci-android-44-kasan-gce
2018/05/23 09:59  https://android.googlesource.com/kernel/common android-4.4  ecf86ddd92cf  f48c20b8   .config  console log  report  ci-android-44-kasan-gce
2018/08/04 18:44  https://android.googlesource.com/kernel/common android-4.4  2241aa98c9aa  3476a2df   .config  console log  report  ci-android-44-kasan-gce-386
2018/06/15 01:11  https://android.googlesource.com/kernel/common android-4.4  a2e2217bd824  27c5f59f   .config  console log  report  ci-android-44-kasan-gce-386
2018/06/10 23:32  https://android.googlesource.com/kernel/common android-4.4  fb7e31963455  866118af   .config  console log  report  ci-android-44-kasan-gce-386
2018/06/06 13:46  https://android.googlesource.com/kernel/common android-4.4  98b6097d0f14  41f9540d   .config  console log  report  ci-android-44-kasan-gce-386
2018/06/03 02:33  https://android.googlesource.com/kernel/common android-4.4  e75204cc0ad5  2f93b54f   .config  console log  report  ci-android-44-kasan-gce-386
2018/05/30 09:59  https://android.googlesource.com/kernel/common android-4.4  54f36eadd123  2f93b54f   .config  console log  report  ci-android-44-kasan-gce-386
2018/05/29 00:46  https://android.googlesource.com/kernel/common android-4.4  3f51ea2db97d  f48c20b8   .config  console log  report  ci-android-44-kasan-gce-386
2018/05/26 17:19  https://android.googlesource.com/kernel/common android-4.4  3f51ea2db97d  f48c20b8   .config  console log  report  ci-android-44-kasan-gce-386
2018/05/16 07:27  https://android.googlesource.com/kernel/common android-4.4  aa3863d27614  68ce85f1   .config  console log  report  ci-android-44-kasan-gce-386
2018/04/23 02:50  https://android.googlesource.com/kernel/common android-4.4  38f41ec1cb31  d23fcf6c   .config  console log  report  ci-android-44-kasan-gce-386
2018/04/19 02:40  https://android.googlesource.com/kernel/common android-4.4  38f41ec1cb31  829f0234   .config  console log  report  ci-android-44-kasan-gce-386
2018/03/13 07:00  https://android.googlesource.com/kernel/common android-4.4  d63fdf61a4dc  f505ca4b   .config  console log  report  ci-android-44-kasan-gce-386
2018/01/21 05:13  https://android.googlesource.com/kernel/common android-4.4  3fc4284df70b  fbbdcd92   .config  console log  report  ci-android-44-kasan-gce-386
2018/01/20 12:42  https://android.googlesource.com/kernel/common android-4.4  3fc4284df70b  fbbdcd92   .config  console log  report  ci-android-44-kasan-gce-386
None of these crashes has a syz repro, C repro, VM info or assets attached.