syzbot


KASAN: use-after-free Read in do_raw_spin_lock

Status: closed as invalid on 2018/02/14 14:29
Subsystems: selinux
[Documentation on labels]
Reported-by: syzbot+23f79c6532ceddb959aaea30dd5e3c752b93bf21@syzkaller.appspotmail.com
First crash: 2451d, last: 2311d
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-49 KASAN: use-after-free Read in do_raw_spin_lock C 14 2308d 2448d 0/3 closed as invalid on 2018/04/25 22:29

Sample crash report:
capability: warning: `syz-executor3' uses 32-bit capabilities (legacy support in use)
==================================================================
BUG: KASAN: use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:83 [inline]
BUG: KASAN: use-after-free in do_raw_spin_lock+0x1aa/0x1e0 kernel/locking/spinlock_debug.c:112
Read of size 4 at addr ffff8801c5b1ddec by task syz-executor6/3887

CPU: 1 PID: 3887 Comm: syz-executor6 Not tainted 4.14.0-rc5+ #136
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:16 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:52
 print_address_description+0x73/0x250 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report+0x25b/0x340 mm/kasan/report.c:409
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:429
 debug_spin_lock_before kernel/locking/spinlock_debug.c:83 [inline]
 do_raw_spin_lock+0x1aa/0x1e0 kernel/locking/spinlock_debug.c:112
 __raw_spin_lock include/linux/spinlock_api_smp.h:143 [inline]
 _raw_spin_lock+0x32/0x40 kernel/locking/spinlock.c:151
 spin_lock include/linux/spinlock.h:316 [inline]
 inode_free_security security/selinux/hooks.c:346 [inline]
 selinux_inode_free_security+0x12a/0x410 security/selinux/hooks.c:2873
 security_inode_free+0x50/0x90 security/security.c:442
 __destroy_inode+0x287/0x650 fs/inode.c:236
 destroy_inode+0xe7/0x200 fs/inode.c:263
 evict+0x57e/0x920 fs/inode.c:570
 iput_final fs/inode.c:1515 [inline]
 iput+0x7b9/0xaf0 fs/inode.c:1542
 fsnotify_put_mark+0x4d0/0x730 fs/notify/mark.c:237
 fsnotify_clear_marks_by_group+0x19a/0x5f0 fs/notify/mark.c:691
 fsnotify_destroy_group+0xde/0x3f0 fs/notify/group.c:70
 inotify_release+0x37/0x50 fs/notify/inotify/inotify_user.c:280
 __fput+0x327/0x7e0 fs/file_table.c:210
 ____fput+0x15/0x20 fs/file_table.c:244
 task_work_run+0x199/0x270 kernel/task_work.c:112
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0x9b5/0x1ad0 kernel/exit.c:865
 do_group_exit+0x149/0x400 kernel/exit.c:968
 get_signal+0x73f/0x16d0 kernel/signal.c:2334
 do_signal+0x94/0x1ee0 arch/x86/kernel/signal.c:808
 exit_to_usermode_loop+0x214/0x310 arch/x86/entry/common.c:158
 prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
 syscall_return_slowpath+0x42f/0x510 arch/x86/entry/common.c:266
 entry_SYSCALL_64_fastpath+0xbc/0xbe
RIP: 0033:0x452779
RSP: 002b:00007f6815b25ce8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00000000007581a0 RCX: 0000000000452779
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000007581a0
RBP: 00000000007581a0 R08: 000000000000018e R09: 0000000000758180
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000a6f7ff R14: 00007f6815b269c0 R15: 000000000000001e

Allocated by task 3873:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
 kmem_cache_alloc_trace+0x136/0x750 mm/slab.c:3627
 kmalloc include/linux/slab.h:493 [inline]
 kzalloc include/linux/slab.h:666 [inline]
 superblock_alloc_security security/selinux/hooks.c:390 [inline]
 selinux_sb_alloc_security+0x93/0x2e0 security/selinux/hooks.c:2630
 security_sb_alloc+0x6d/0xa0 security/security.c:356
 alloc_super fs/super.c:196 [inline]
 sget_userns+0x36a/0xe20 fs/super.c:505
 sget+0xd2/0x120 fs/super.c:557
 mount_nodev+0x37/0x100 fs/super.c:1160
 ramfs_mount+0x2c/0x40 fs/ramfs/inode.c:253
 mount_fs+0x66/0x2d0 fs/super.c:1222
 vfs_kern_mount.part.26+0xc6/0x4a0 fs/namespace.c:1037
 vfs_kern_mount fs/namespace.c:2509 [inline]
 do_new_mount fs/namespace.c:2512 [inline]
 do_mount+0xea1/0x2bb0 fs/namespace.c:2840
 SYSC_mount fs/namespace.c:3056 [inline]
 SyS_mount+0xab/0x120 fs/namespace.c:3033
 entry_SYSCALL_64_fastpath+0x1f/0xbe

Freed by task 3873:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3503 [inline]
 kfree+0xca/0x250 mm/slab.c:3820
 superblock_free_security security/selinux/hooks.c:410 [inline]
 selinux_sb_free_security+0x42/0x50 security/selinux/hooks.c:2635
 security_sb_free+0x48/0x80 security/security.c:361
 destroy_super+0x93/0x200 fs/super.c:167
 __put_super.part.6+0x1a4/0x2a0 fs/super.c:272
 __put_super fs/super.c:270 [inline]
 put_super+0x53/0x70 fs/super.c:286
 deactivate_locked_super+0xb0/0xd0 fs/super.c:319
 deactivate_super+0x141/0x1b0 fs/super.c:339
 cleanup_mnt+0xb2/0x150 fs/namespace.c:1173
 __cleanup_mnt+0x16/0x20 fs/namespace.c:1180
 task_work_run+0x199/0x270 kernel/task_work.c:112
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0x9b5/0x1ad0 kernel/exit.c:865
 do_group_exit+0x149/0x400 kernel/exit.c:968
 get_signal+0x73f/0x16d0 kernel/signal.c:2334
 do_signal+0x94/0x1ee0 arch/x86/kernel/signal.c:808
 exit_to_usermode_loop+0x214/0x310 arch/x86/entry/common.c:158
 prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
 syscall_return_slowpath+0x42f/0x510 arch/x86/entry/common.c:266
 entry_SYSCALL_64_fastpath+0xbc/0xbe

The buggy address belongs to the object at ffff8801c5b1dd40
 which belongs to the cache kmalloc-256 of size 256
The buggy address is located 172 bytes inside of
 256-byte region [ffff8801c5b1dd40, ffff8801c5b1de40)
The buggy address belongs to the page:
page:ffffea000716c740 count:1 mapcount:0 mapping:ffff8801c5b1d0c0 index:0x0
flags: 0x200000000000100(slab)
raw: 0200000000000100 ffff8801c5b1d0c0 0000000000000000 000000010000000c
raw: ffffea0007155de0 ffffea0007130ae0 ffff8801dac007c0 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801c5b1dc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801c5b1dd00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8801c5b1dd80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                          ^
 ffff8801c5b1de00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801c5b1de80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (5):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2017/10/18 09:57 upstream ebe6e90ccc66 f8929476 .config console log report ci-upstream-kasan-gce-386
2018/01/18 21:34 linux-next a362f6d2cdbd 161c1d64 .config console log report ci-upstream-next-kasan-gce
2018/01/13 20:43 linux-next 3e53c7415294 c9e7aeae .config console log report ci-upstream-next-kasan-gce
2017/09/29 15:24 mmots 8fd0520d9cec c26ea367 .config console log report ci-upstream-mmots-kasan-gce
2017/09/01 07:07 linux-next 1d53d908b79d a54dce00 .config console log report skylake-linux-next-kasan-qemu
* Struck through repros no longer work on HEAD.