syzbot


KASAN: use-after-free Read in p9_fd_poll

Status: fixed on 2019/11/20 22:01
Subsystems: v9fs
[Documentation on labels]
Reported-by: syzbot+0442e6e2f7e1e33b1037@syzkaller.appspotmail.com
Fix commit: 430ac66eb4c5 net/9p/trans_fd.c: fix race-condition by flushing workqueue before the kfree()
First crash: 2103d, last: 2070d
Fix bisection: fixed by (bisect log) :
commit 430ac66eb4c5b5c4eb846b78ebf65747510b30f1
Author: Tomas Bortoli <tomasbortoli@gmail.com>
Date: Fri Jul 20 09:27:30 2018 +0000

  net/9p/trans_fd.c: fix race-condition by flushing workqueue before the kfree()

  
Discussions (3)
Title Replies (including bot) Last reply
KASAN: use-after-free Read in p9_fd_poll 0 (3) 2019/11/07 13:42
Reminder: 18 open syzbot bugs in "fs/9p" subsystem 1 (1) 2019/07/24 01:46
Reminder: 18 open syzbot bugs in "fs/9p" subsystem 1 (1) 2019/07/02 06:29
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-49 KASAN: use-after-free Read in p9_fd_poll 3 2054d 2070d 0/3 auto-closed as invalid on 2019/02/24 05:39

Sample crash report:
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
==================================================================
BUG: KASAN: use-after-free in p9_fd_poll+0x280/0x2b0 net/9p/trans_fd.c:238
Read of size 8 at addr ffff8801d6ddf340 by task kworker/0:2/26

CPU: 0 PID: 26 Comm: kworker/0:2 Not tainted 4.18.0-rc6+ #160
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events p9_poll_workfn
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 p9_fd_poll+0x280/0x2b0 net/9p/trans_fd.c:238
 p9_poll_mux net/9p/trans_fd.c:617 [inline]
 p9_poll_workfn+0x463/0x6d0 net/9p/trans_fd.c:1107
 process_one_work+0xc73/0x1ba0 kernel/workqueue.c:2153
 worker_thread+0x189/0x13c0 kernel/workqueue.c:2296
 kthread+0x345/0x410 kernel/kthread.c:246
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412

Allocated by task 4581:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
 kmem_cache_alloc_trace+0x152/0x780 mm/slab.c:3620
 kmalloc include/linux/slab.h:513 [inline]
 kzalloc include/linux/slab.h:707 [inline]
 p9_fd_open net/9p/trans_fd.c:796 [inline]
 p9_fd_create+0x1a7/0x3f0 net/9p/trans_fd.c:1036
 p9_client_create+0x8ed/0x1770 net/9p/client.c:1063
 v9fs_session_init+0x21a/0x1a80 fs/9p/v9fs.c:400
 v9fs_mount+0x7c/0x900 fs/9p/vfs_super.c:135
 mount_fs+0xae/0x328 fs/super.c:1277
 vfs_kern_mount.part.34+0xdc/0x4e0 fs/namespace.c:1037
 vfs_kern_mount fs/namespace.c:1027 [inline]
 do_new_mount fs/namespace.c:2518 [inline]
 do_mount+0x581/0x30e0 fs/namespace.c:2848
 ksys_mount+0x12d/0x140 fs/namespace.c:3064
 __do_sys_mount fs/namespace.c:3078 [inline]
 __se_sys_mount fs/namespace.c:3075 [inline]
 __x64_sys_mount+0xbe/0x150 fs/namespace.c:3075
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 4581:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3498 [inline]
 kfree+0xd9/0x260 mm/slab.c:3813
 p9_fd_close+0x416/0x5b0 net/9p/trans_fd.c:893
 p9_client_create+0xa9a/0x1770 net/9p/client.c:1077
 v9fs_session_init+0x21a/0x1a80 fs/9p/v9fs.c:400
 v9fs_mount+0x7c/0x900 fs/9p/vfs_super.c:135
 mount_fs+0xae/0x328 fs/super.c:1277
 vfs_kern_mount.part.34+0xdc/0x4e0 fs/namespace.c:1037
 vfs_kern_mount fs/namespace.c:1027 [inline]
 do_new_mount fs/namespace.c:2518 [inline]
 do_mount+0x581/0x30e0 fs/namespace.c:2848
 ksys_mount+0x12d/0x140 fs/namespace.c:3064
 __do_sys_mount fs/namespace.c:3078 [inline]
 __se_sys_mount fs/namespace.c:3075 [inline]
 __x64_sys_mount+0xbe/0x150 fs/namespace.c:3075
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8801d6ddf340
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 0 bytes inside of
 512-byte region [ffff8801d6ddf340, ffff8801d6ddf540)
The buggy address belongs to the page:
page:ffffea00075b77c0 count:1 mapcount:0 mapping:ffff8801da800940 index:0x0
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffffea0007398548 ffffea0006c59188 ffff8801da800940
raw: 0000000000000000 ffff8801d6ddf0c0 0000000100000006 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801d6ddf200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801d6ddf280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff8801d6ddf300: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                           ^
 ffff8801d6ddf380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801d6ddf400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (8):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2018/07/23 19:40 upstream d72e90f33aa4 f69c5fcd .config console log report syz C ci-upstream-kasan-gce-root
2018/08/13 01:26 upstream d6dd6431591b 7a88b141 .config console log report ci-upstream-kasan-gce-root
2018/08/10 18:34 upstream f313b43be461 1fb62d58 .config console log report ci-upstream-kasan-gce-root
2018/08/03 16:26 upstream 0585df468e8f cc4f6d0a .config console log report ci-upstream-kasan-gce-root
2018/08/02 11:00 upstream 6b4703768268 0a7cf4ec .config console log report ci-upstream-kasan-gce-root
2018/08/01 16:31 upstream c1d61e7fe376 1477993e .config console log report ci-upstream-kasan-gce-root
2018/07/10 23:04 upstream 30c2c32d7f70 2e0e3130 .config console log report ci-upstream-kasan-gce-root
2018/07/23 04:27 linux-next 89cf55353308 8cc079c3 .config console log report ci-upstream-linux-next-kasan-gce-root
* Struck through repros no longer work on HEAD.