syzbot


KASAN: use-after-free Read in debugfs_remove

Status: fixed on 2020/12/01 11:25
Reported-by: syzbot+5d709bb1673168a5ada8@syzkaller.appspotmail.com
Fix commit: 8a78b4c0d629 blktrace: fix debugfs use after free
First crash: 1152d, last: 656d

Fix bisection: fixed by (bisect log):
commit 8a78b4c0d6292d32d76b4268b5a33ae089a5d791
Author: Luis Chamberlain <mcgrof@kernel.org>
Date: Fri Jun 19 20:47:28 2020 +0000

  blktrace: fix debugfs use after free

similar bugs (4):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Read in debugfs_remove (2) 1 1580d 1578d 6/23 fixed on 2018/05/17 10:02
upstream KASAN: use-after-free Read in debugfs_remove (3) C done error 88 942d 1408d 0/23 closed as dup on 2020/06/28 17:08
upstream KASAN: use-after-free Read in debugfs_remove 1 1602d 1601d 0/23 closed as invalid on 2018/04/10 15:18
linux-4.14 KASAN: use-after-free Read in debugfs_remove C inconclusive 14 664d 1219d 0/1 upstream: reported C repro on 2019/04/17 06:08

Sample crash report:
audit: type=1400 audit(1599002331.610:8): avc:  denied  { execmem } for  pid=6460 comm="syz-executor843" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
blktrace: Concurrent blktraces are not allowed on loop0
==================================================================
BUG: KASAN: use-after-free in debugfs_remove+0x1c1/0x210 fs/debugfs/inode.c:687
Read of size 8 at addr ffff88808379c900 by task kworker/0:1/14

CPU: 0 PID: 14 Comm: kworker/0:1 Not tainted 4.19.142-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events __blk_release_queue
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2fe lib/dump_stack.c:118
 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
 kasan_report_error.cold+0x8a/0x1c7 mm/kasan/report.c:354
 kasan_report mm/kasan/report.c:412 [inline]
 __asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433
 debugfs_remove+0x1c1/0x210 fs/debugfs/inode.c:687
 blk_trace_free+0x31/0x130 kernel/trace/blktrace.c:315
 blk_trace_cleanup kernel/trace/blktrace.c:343 [inline]
 __blk_trace_remove+0x8b/0x100 kernel/trace/blktrace.c:356
 blk_trace_shutdown+0x92/0x100 kernel/trace/blktrace.c:768
 __blk_release_queue+0x235/0x4e0 block/blk-sysfs.c:855
 process_one_work+0x864/0x1570 kernel/workqueue.c:2155
 worker_thread+0x64c/0x1130 kernel/workqueue.c:2298
 kthread+0x33f/0x460 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

Allocated by task 6470:
 kmem_cache_alloc+0x122/0x370 mm/slab.c:3559
 __d_alloc+0x2b/0xa10 fs/dcache.c:1610
 d_alloc+0x4a/0x230 fs/dcache.c:1694
 d_alloc_parallel+0xeb/0x19e0 fs/dcache.c:2441
 __lookup_slow+0x18d/0x4a0 fs/namei.c:1655
 lookup_one_len+0x163/0x190 fs/namei.c:2544
 start_creating.part.0+0x62/0x160 fs/tracefs/inode.c:336
 start_creating fs/debugfs/inode.c:301 [inline]
 __debugfs_create_file+0xb8/0x4e0 fs/debugfs/inode.c:352
 do_blk_trace_setup+0x3a5/0xc30 kernel/trace/blktrace.c:542
 __blk_trace_setup+0xca/0x180 kernel/trace/blktrace.c:591
 blk_trace_ioctl+0x155/0x290 kernel/trace/blktrace.c:732
 blkdev_ioctl+0x112/0x1a7e block/ioctl.c:587
 block_ioctl+0xe9/0x130 fs/block_dev.c:1896
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:501 [inline]
 do_vfs_ioctl+0xcdb/0x12e0 fs/ioctl.c:688
 ksys_ioctl+0x9b/0xc0 fs/ioctl.c:705
 __do_sys_ioctl fs/ioctl.c:712 [inline]
 __se_sys_ioctl fs/ioctl.c:710 [inline]
 __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:710
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 18:
 __cache_free mm/slab.c:3503 [inline]
 kmem_cache_free+0x7f/0x260 mm/slab.c:3765
 __rcu_reclaim kernel/rcu/rcu.h:236 [inline]
 rcu_do_batch kernel/rcu/tree.c:2584 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:2897 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:2864 [inline]
 rcu_process_callbacks+0x8ff/0x18b0 kernel/rcu/tree.c:2881
 __do_softirq+0x26c/0x9a0 kernel/softirq.c:292

The buggy address belongs to the object at ffff88808379c8c0
 which belongs to the cache dentry of size 288
The buggy address is located 64 bytes inside of
 288-byte region [ffff88808379c8c0, ffff88808379c9e0)
The buggy address belongs to the page:
page:ffffea00020de700 count:1 mapcount:0 mapping:ffff88821bc44c80 index:0xffff88808379c4a0
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffffea00020de748 ffffea00020bf248 ffff88821bc44c80
raw: ffff88808379c4a0 ffff88808379c080 0000000100000007 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88808379c800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88808379c880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff88808379c900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff88808379c980: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
 ffff88808379ca00: fc fc fc fc 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
blktrace: Concurrent blktraces are not allowed on loop0

Crashes (15):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci2-linux-4-19 2020/09/01 23:20 linux-4.19.y f6d5cb9e2c06 abf9ba4f .config log report syz C
ci2-linux-4-19 2020/09/01 10:09 linux-4.19.y f6d5cb9e2c06 d5a3ae1f .config log report syz C
ci2-linux-4-19 2020/03/04 14:47 linux-4.19.y a083db76118d 712198ac .config log report syz C
ci2-linux-4-19 2019/11/05 20:37 linux-4.19.y ef244c308885 af5c522d .config log report syz C
ci2-linux-4-19 2019/07/22 04:47 linux-4.19.y be9b6782a9eb 1656845f .config log report syz C
ci2-linux-4-19 2019/06/23 17:43 linux-4.19.y 78778071092e 3efccdd2 .config log report syz C
ci2-linux-4-19 2020/07/31 18:57 linux-4.19.y 13af6c74b14a 8df85ed9 .config log report
ci2-linux-4-19 2020/07/06 08:13 linux-4.19.y 399849e4654e ac5a135b .config log report
ci2-linux-4-19 2020/03/18 18:15 linux-4.19.y 93556fb211fa 0a96a13c .config log report
ci2-linux-4-19 2020/01/18 13:29 linux-4.19.y dc4ba5be1bab 3de7aabb .config log report
ci2-linux-4-19 2020/01/14 11:14 linux-4.19.y dcd888983542 32881205 .config log report
ci2-linux-4-19 2019/09/16 11:11 linux-4.19.y db2d0b7c1dde 55c50e70 .config log report
ci2-linux-4-19 2019/08/16 09:22 linux-4.19.y a5aa80588fcd 8fd428a1 .config log report
ci2-linux-4-19 2019/07/26 01:41 linux-4.19.y be9b6782a9eb 732bc5a0 .config log report
ci2-linux-4-19 2019/06/23 13:50 linux-4.19.y 78778071092e 3efccdd2 .config log report