syzbot
KASAN: use-after-free Read in __fsnotify_parent

Status: upstream: reported syz repro on 2020/08/28 06:24
Reported-by: syzbot+9516be3e5742f57ecda3@syzkaller.appspotmail.com
First crash: 833d, last: 833d
Patch testing requests:
Created Duration User Patch Repo Result
2022/08/27 10:27 0m retest repro https://android.googlesource.com/kernel/common android-5.4 error

Sample crash report:
BUG: KASAN: use-after-free in __fsnotify_parent+0x2e7/0x310 fs/notify/fsnotify.c:155
Read of size 4 at addr ffff8881c2201990 by task syz-executor.0/2234

CPU: 0 PID: 2234 Comm: syz-executor.0 Not tainted 5.4.61-syzkaller-00801-g1bd2e4c18e44 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x14a/0x1ce lib/dump_stack.c:118
 print_address_description+0x93/0x620 mm/kasan/report.c:374
 __kasan_report+0x16d/0x1e0 mm/kasan/report.c:506
 kasan_report+0x36/0x60 mm/kasan/common.c:634
 __fsnotify_parent+0x2e7/0x310 fs/notify/fsnotify.c:155
 fsnotify_parent include/linux/fsnotify.h:40 [inline]
 fsnotify_path include/linux/fsnotify.h:50 [inline]
 fsnotify_close include/linux/fsnotify.h:297 [inline]
 __fput+0x15a/0x6c0 fs/file_table.c:266
 task_work_run+0x176/0x1a0 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_usermode_loop arch/x86/entry/common.c:163 [inline]
 prepare_exit_to_usermode+0x286/0x2e0 arch/x86/entry/common.c:194
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x416f01
Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007ffd6d0833d0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000416f01
RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000001190340 R09: 0000000000000000
R10: 00007ffd6d0834b0 R11: 0000000000000293 R12: 0000000001190348
R13: 0000000000000000 R14: ffffffffffffffff R15: 000000000118cf4c

Allocated by task 2235:
 save_stack mm/kasan/common.c:69 [inline]
 set_track mm/kasan/common.c:77 [inline]
 __kasan_kmalloc+0x12c/0x1c0 mm/kasan/common.c:510
 slab_post_alloc_hook mm/slab.h:584 [inline]
 slab_alloc_node mm/slub.c:2793 [inline]
 slab_alloc mm/slub.c:2801 [inline]
 kmem_cache_alloc+0x1d5/0x260 mm/slub.c:2806
 __d_alloc+0x2a/0x6b0 fs/dcache.c:1688
 d_alloc_pseudo+0x19/0x70 fs/dcache.c:1817
 alloc_file_pseudo+0x15b/0x340 fs/file_table.c:225
 sock_alloc_file+0xb4/0x230 net/socket.c:398
 sock_map_fd net/socket.c:421 [inline]
 __sys_socket+0x19b/0x370 net/socket.c:1516
 __do_sys_socket net/socket.c:1521 [inline]
 __se_sys_socket net/socket.c:1519 [inline]
 __x64_sys_socket+0x76/0x80 net/socket.c:1519
 do_syscall_64+0xcb/0x150 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 2235:
 save_stack mm/kasan/common.c:69 [inline]
 set_track mm/kasan/common.c:77 [inline]
 kasan_set_free_info mm/kasan/common.c:332 [inline]
 __kasan_slab_free+0x181/0x230 mm/kasan/common.c:471
 slab_free_hook mm/slub.c:1443 [inline]
 slab_free_freelist_hook+0xd0/0x150 mm/slub.c:1476
 slab_free mm/slub.c:3041 [inline]
 kmem_cache_free+0xac/0x600 mm/slub.c:3057
 dentry_kill fs/dcache.c:673 [inline]
 dput+0x2e1/0x5e0 fs/dcache.c:859
 __fput+0x46b/0x6c0 fs/file_table.c:293
 task_work_run+0x176/0x1a0 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_usermode_loop arch/x86/entry/common.c:163 [inline]
 prepare_exit_to_usermode+0x286/0x2e0 arch/x86/entry/common.c:194
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

The buggy address belongs to the object at ffff8881c2201990
 which belongs to the cache dentry of size 208
The buggy address is located 0 bytes inside of
 208-byte region [ffff8881c2201990, ffff8881c2201a60)
The buggy address belongs to the page:
page:ffffea0007088040 refcount:1 mapcount:0 mapping:ffff8881da8eec80 index:0x0
flags: 0x8000000000000200(slab)
raw: 8000000000000200 dead000000000100 dead000000000122 ffff8881da8eec80
raw: 0000000000000000 00000000800f000f 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881c2201880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881c2201900: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
>ffff8881c2201980: fc fc fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                         ^
 ffff8881c2201a00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
 ffff8881c2201a80: fc fc fc fc 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
CPU: 0 PID: 2234 Comm: syz-executor.0 Tainted: G    B             5.4.61-syzkaller-00801-g1bd2e4c18e44 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:fsnotify_inode_watches_children include/linux/fsnotify_backend.h:364 [inline]
RIP: 0010:__fsnotify_parent+0x140/0x310 fs/notify/fsnotify.c:161
Code: 00 00 00 fc ff df 42 80 3c 20 00 74 08 48 89 df e8 15 19 eb ff 48 8b 03 48 89 04 24 48 8d 98 54 02 00 00 48 89 d8 48 c1 e8 03 <42> 8a 04 20 84 c0 0f 85 a0 01 00 00 8b 1b 89 de 81 e6 00 00 00 08
RSP: 0018:ffff8881cd9b7d60 EFLAGS: 00010203
RAX: 000000000000004a RBX: 0000000000000254 RCX: ffffffff8185289b
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff8881c22019c0
RBP: ffff8881cd9b7e50 R08: ffffffff817a52d1 R09: 0000000000000003
R10: ffffed1039b36f95 R11: 0000000000000004 R12: dffffc0000000000
R13: 00000000cf495d80 R14: ffff8881c2201990 R15: 1ffff11039b36fb0
FS:  0000000001dc9940(0000) GS:ffff8881db800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fa01167edb8 CR3: 00000001cb9c9003 CR4: 00000000001606f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 fsnotify_parent include/linux/fsnotify.h:40 [inline]
 fsnotify_path include/linux/fsnotify.h:50 [inline]
 fsnotify_close include/linux/fsnotify.h:297 [inline]
 __fput+0x15a/0x6c0 fs/file_table.c:266
 task_work_run+0x176/0x1a0 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_usermode_loop arch/x86/entry/common.c:163 [inline]
 prepare_exit_to_usermode+0x286/0x2e0 arch/x86/entry/common.c:194
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x416f01
Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007ffd6d0833d0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000416f01
RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000001190340 R09: 0000000000000000
R10: 00007ffd6d0834b0 R11: 0000000000000293 R12: 0000000001190348
R13: 0000000000000000 R14: ffffffffffffffff R15: 000000000118cf4c
Modules linked in:
RSP: 0018:ffff8881cd9b7d60 EFLAGS: 00010203
RAX: 000000000000004a RBX: 0000000000000254 RCX: ffffffff8185289b
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff8881c22019c0
RBP: ffff8881cd9b7e50 R08: ffffffff817a52d1 R09: 0000000000000003
R10: ffffed1039b36f95 R11: 0000000000000004 R12: dffffc0000000000
R13: 00000000cf495d80 R14: ffff8881c2201990 R15: 1ffff11039b36fb0
FS:  0000000001dc9940(0000) GS:ffff8881db800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2cc0037068 CR3: 00000001cb9c9003 CR4: 00000000001606f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Crashes (1):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci2-android-5-4-kasan 2020/08/28 06:23 https://android.googlesource.com/kernel/common android-5.4 1bd2e4c18e44 816e0689 .config log report syz
* Struck through repros no longer work on HEAD.