KASAN: use-after-free Read in debugfs

KASAN: use-after-free Read in debugfs_remove
Status: upstream: reported C repro on 2019/06/23 14:51
Reported-by: syzbot+5d709bb1673168a5ada8@syzkaller.appspotmail.com
First crash: 418d, last: 13d

similar bugs (4):
Kernel	Title	Repro	Bisected	Count	Last	Reported	Patched	Status
upstream	KASAN: use-after-free Read in debugfs_remove (2)			1	846d	844d	6/17	fixed on 2018/05/17 10:02
upstream	KASAN: use-after-free Read in debugfs_remove (3)	C	cause+fix	88	207d	674d	0/17	closed as dup on 2020/06/28 17:08
upstream	KASAN: use-after-free Read in debugfs_remove			1	867d	866d	0/17	closed as invalid on 2018/04/10 15:18
linux-4.14	KASAN: use-after-free Read in debugfs_remove	C	fix	12	56d	485d	0/1	upstream: reported C repro on 2019/04/17 06:08

Sample crash report:

audit: type=1400 audit(1583333048.398:36): avc:  denied  { map } for  pid=8373 comm="syz-executor135" path="/root/syz-executor135196009" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
==================================================================
BUG: KASAN: use-after-free in debugfs_remove+0xfd/0x120 fs/debugfs/inode.c:687
Read of size 8 at addr ffff88807ed329e0 by task kworker/1:0/19

CPU: 1 PID: 19 Comm: kworker/1:0 Not tainted 4.19.107-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events __blk_release_queue
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x188/0x20d lib/dump_stack.c:118
 print_address_description.cold+0x7c/0x212 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report mm/kasan/report.c:412 [inline]
 kasan_report.cold+0x88/0x2b9 mm/kasan/report.c:396
 debugfs_remove+0xfd/0x120 fs/debugfs/inode.c:687
 blk_trace_free+0x31/0x130 kernel/trace/blktrace.c:312
 blk_trace_cleanup kernel/trace/blktrace.c:339 [inline]
 __blk_trace_remove+0x71/0xa0 kernel/trace/blktrace.c:352
 blk_trace_shutdown+0x5f/0x80 kernel/trace/blktrace.c:752
 __blk_release_queue+0x250/0x510 block/blk-sysfs.c:855
 process_one_work+0x91f/0x1640 kernel/workqueue.c:2153
 worker_thread+0x96/0xe20 kernel/workqueue.c:2296
 kthread+0x34a/0x420 kernel/kthread.c:246
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

Allocated by task 8386:
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc mm/kasan/kasan.c:553 [inline]
 kasan_kmalloc+0xbf/0xe0 mm/kasan/kasan.c:531
 kmem_cache_alloc+0x127/0x710 mm/slab.c:3559
 __d_alloc+0x2b/0x9e0 fs/dcache.c:1610
 d_alloc+0x4a/0x240 fs/dcache.c:1694
 d_alloc_parallel+0xe8/0x1ad0 fs/dcache.c:2441
 __lookup_slow+0x18d/0x4b0 fs/namei.c:1655
 lookup_one_len+0x163/0x190 fs/namei.c:2544
 start_creating fs/debugfs/inode.c:313 [inline]
 start_creating+0xba/0x1f0 fs/debugfs/inode.c:289
 __debugfs_create_file+0x62/0x400 fs/debugfs/inode.c:352
 do_blk_trace_setup+0x361/0xb60 kernel/trace/blktrace.c:528
 __blk_trace_setup+0xca/0x180 kernel/trace/blktrace.c:577
 blk_trace_ioctl+0x15e/0x2e0 kernel/trace/blktrace.c:716
 blkdev_ioctl+0x112/0x1a1c block/ioctl.c:587
 block_ioctl+0xe9/0x130 fs/block_dev.c:1894
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:501 [inline]
 do_vfs_ioctl+0xcda/0x12e0 fs/ioctl.c:688
 ksys_ioctl+0x9b/0xc0 fs/ioctl.c:705
 __do_sys_ioctl fs/ioctl.c:712 [inline]
 __se_sys_ioctl fs/ioctl.c:710 [inline]
 __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:710
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 0:
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0xf7/0x140 mm/kasan/kasan.c:521
 __cache_free mm/slab.c:3503 [inline]
 kmem_cache_free+0x7f/0x260 mm/slab.c:3765
 __rcu_reclaim kernel/rcu/rcu.h:236 [inline]
 rcu_do_batch kernel/rcu/tree.c:2584 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:2897 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:2864 [inline]
 rcu_process_callbacks+0xb2d/0x17f0 kernel/rcu/tree.c:2881
 __do_softirq+0x26c/0x93c kernel/softirq.c:292

The buggy address belongs to the object at ffff88807ed329a0
 which belongs to the cache dentry of size 288
The buggy address is located 64 bytes inside of
 288-byte region [ffff88807ed329a0, ffff88807ed32ac0)
The buggy address belongs to the page:
page:ffffea0001fb4c80 count:1 mapcount:0 mapping:ffff88812c2b76c0 index:0x0
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffffea0001fb4c48 ffffea0001fb4d08 ffff88812c2b76c0
raw: 0000000000000000 ffff88807ed32000 000000010000000b 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88807ed32880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88807ed32900: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
>ffff88807ed32980: fc fc fc fc fb fb fb fb fb fb fb fb fb fb fb fb
                                                       ^
 ffff88807ed32a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88807ed32a80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==================================================================

Fix bisection attempts:
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro
ci2-linux-4-19	2020/06/16 21:42	linux-4.19.y	3fc89857	712198ac	.config	log	report	syz	C
ci2-linux-4-19	2020/05/17 21:13	linux-4.19.y	258f0cf7	712198ac	.config	log	report	syz	C
ci2-linux-4-19	2020/04/17 20:42	linux-4.19.y	8488c3f3	712198ac	.config	log	report	syz	C
ci2-linux-4-19	2020/02/17 13:53	linux-4.19.y	9b15f7fa	af5c522d	.config	log	report	syz	C
ci2-linux-4-19	2020/01/13 11:57	linux-4.19.y	dcd88898	af5c522d	.config	log	report	syz	C
ci2-linux-4-19	2019/12/14 10:39	linux-4.19.y	312017a4	af5c522d	.config	log	report	syz	C

Crashes (13):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	Maintainers
ci2-linux-4-19	2020/03/04 14:47	linux-4.19.y	a083db76	712198ac	.config	log	report	syz	C	gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org, rafael@kernel.org
ci2-linux-4-19	2019/11/05 20:37	linux-4.19.y	ef244c30	af5c522d	.config	log	report	syz	C	gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org, rafael@kernel.org
ci2-linux-4-19	2019/07/22 04:47	linux-4.19.y	be9b6782	1656845f	.config	log	report	syz	C
ci2-linux-4-19	2019/06/23 17:43	linux-4.19.y	78778071	3efccdd2	.config	log	report	syz	C	gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org, rafael@kernel.org
ci2-linux-4-19	2020/07/31 18:57	linux-4.19.y	13af6c74	8df85ed9	.config	log	report			gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org, rafael@kernel.org
ci2-linux-4-19	2020/07/06 08:13	linux-4.19.y	399849e4	ac5a135b	.config	log	report			gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org, rafael@kernel.org
ci2-linux-4-19	2020/03/18 18:15	linux-4.19.y	93556fb2	0a96a13c	.config	log	report			gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org, rafael@kernel.org
ci2-linux-4-19	2020/01/18 13:29	linux-4.19.y	dc4ba5be	3de7aabb	.config	log	report			gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org, rafael@kernel.org
ci2-linux-4-19	2020/01/14 11:14	linux-4.19.y	dcd88898	32881205	.config	log	report			gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org, rafael@kernel.org
ci2-linux-4-19	2019/09/16 11:11	linux-4.19.y	db2d0b7c	55c50e70	.config	log	report			gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org, rafael@kernel.org
ci2-linux-4-19	2019/08/16 09:22	linux-4.19.y	a5aa8058	8fd428a1	.config	log	report			gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org, rafael@kernel.org
ci2-linux-4-19	2019/07/26 01:41	linux-4.19.y	be9b6782	732bc5a0	.config	log	report			gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org, rafael@kernel.org
ci2-linux-4-19	2019/06/23 13:50	linux-4.19.y	78778071	3efccdd2	.config	log	report			gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org, rafael@kernel.org