KASAN: use-after-free Read in __fsnotify


Created	Duration	User	Patch	Repo	Result
2023/04/14 09:52	22m	retest repro		android12-5.4	OK log
2022/08/27 10:27	0m	retest repro		https://android.googlesource.com/kernel/common android-5.4	error OK

BUG: KASAN: use-after-free in __fsnotify_parent+0x2e7/0x310 fs/notify/fsnotify.c:155 Read of size 4 at addr ffff8881c2201990 by task syz-executor.0/2234 CPU: 0 PID: 2234 Comm: syz-executor.0 Not tainted 5.4.61-syzkaller-00801-g1bd2e4c18e44 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x14a/0x1ce lib/dump_stack.c:118 print_address_description+0x93/0x620 mm/kasan/report.c:374 __kasan_report+0x16d/0x1e0 mm/kasan/report.c:506 kasan_report+0x36/0x60 mm/kasan/common.c:634 __fsnotify_parent+0x2e7/0x310 fs/notify/fsnotify.c:155 fsnotify_parent include/linux/fsnotify.h:40 [inline] fsnotify_path include/linux/fsnotify.h:50 [inline] fsnotify_close include/linux/fsnotify.h:297 [inline] __fput+0x15a/0x6c0 fs/file_table.c:266 task_work_run+0x176/0x1a0 kernel/task_work.c:113 tracehook_notify_resume include/linux/tracehook.h:188 [inline] exit_to_usermode_loop arch/x86/entry/common.c:163 [inline] prepare_exit_to_usermode+0x286/0x2e0 arch/x86/entry/common.c:194 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x416f01 Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01 RSP: 002b:00007ffd6d0833d0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000416f01 RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 0000000000000003 RBP: 0000000000000000 R08: 0000000001190340 R09: 0000000000000000 R10: 00007ffd6d0834b0 R11: 0000000000000293 R12: 0000000001190348 R13: 0000000000000000 R14: ffffffffffffffff R15: 000000000118cf4c Allocated by task 2235: save_stack mm/kasan/common.c:69 [inline] set_track mm/kasan/common.c:77 [inline] __kasan_kmalloc+0x12c/0x1c0 mm/kasan/common.c:510 slab_post_alloc_hook mm/slab.h:584 [inline] slab_alloc_node mm/slub.c:2793 [inline] slab_alloc mm/slub.c:2801 [inline] kmem_cache_alloc+0x1d5/0x260 mm/slub.c:2806 __d_alloc+0x2a/0x6b0 fs/dcache.c:1688 d_alloc_pseudo+0x19/0x70 fs/dcache.c:1817 alloc_file_pseudo+0x15b/0x340 fs/file_table.c:225 sock_alloc_file+0xb4/0x230 net/socket.c:398 sock_map_fd net/socket.c:421 [inline] __sys_socket+0x19b/0x370 net/socket.c:1516 __do_sys_socket net/socket.c:1521 [inline] __se_sys_socket net/socket.c:1519 [inline] __x64_sys_socket+0x76/0x80 net/socket.c:1519 do_syscall_64+0xcb/0x150 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Freed by task 2235: save_stack mm/kasan/common.c:69 [inline] set_track mm/kasan/common.c:77 [inline] kasan_set_free_info mm/kasan/common.c:332 [inline] __kasan_slab_free+0x181/0x230 mm/kasan/common.c:471 slab_free_hook mm/slub.c:1443 [inline] slab_free_freelist_hook+0xd0/0x150 mm/slub.c:1476 slab_free mm/slub.c:3041 [inline] kmem_cache_free+0xac/0x600 mm/slub.c:3057 dentry_kill fs/dcache.c:673 [inline] dput+0x2e1/0x5e0 fs/dcache.c:859 __fput+0x46b/0x6c0 fs/file_table.c:293 task_work_run+0x176/0x1a0 kernel/task_work.c:113 tracehook_notify_resume include/linux/tracehook.h:188 [inline] exit_to_usermode_loop arch/x86/entry/common.c:163 [inline] prepare_exit_to_usermode+0x286/0x2e0 arch/x86/entry/common.c:194 entry_SYSCALL_64_after_hwframe+0x44/0xa9 The buggy address belongs to the object at ffff8881c2201990 which belongs to the cache dentry of size 208 The buggy address is located 0 bytes inside of 208-byte region [ffff8881c2201990, ffff8881c2201a60) The buggy address belongs to the page: page:ffffea0007088040 refcount:1 mapcount:0 mapping:ffff8881da8eec80 index:0x0 flags: 0x8000000000000200(slab) raw: 8000000000000200 dead000000000100 dead000000000122 ffff8881da8eec80 raw: 0000000000000000 00000000800f000f 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8881c2201880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8881c2201900: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc >ffff8881c2201980: fc fc fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8881c2201a00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ffff8881c2201a80: fc fc fc fc 00 00 00 00 00 00 00 00 00 00 00 00 ================================================================== CPU: 0 PID: 2234 Comm: syz-executor.0 Tainted: G B 5.4.61-syzkaller-00801-g1bd2e4c18e44 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:fsnotify_inode_watches_children include/linux/fsnotify_backend.h:364 [inline] RIP: 0010:__fsnotify_parent+0x140/0x310 fs/notify/fsnotify.c:161 Code: 00 00 00 fc ff df 42 80 3c 20 00 74 08 48 89 df e8 15 19 eb ff 48 8b 03 48 89 04 24 48 8d 98 54 02 00 00 48 89 d8 48 c1 e8 03 <42> 8a 04 20 84 c0 0f 85 a0 01 00 00 8b 1b 89 de 81 e6 00 00 00 08 RSP: 0018:ffff8881cd9b7d60 EFLAGS: 00010203 RAX: 000000000000004a RBX: 0000000000000254 RCX: ffffffff8185289b RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff8881c22019c0 RBP: ffff8881cd9b7e50 R08: ffffffff817a52d1 R09: 0000000000000003 R10: ffffed1039b36f95 R11: 0000000000000004 R12: dffffc0000000000 R13: 00000000cf495d80 R14: ffff8881c2201990 R15: 1ffff11039b36fb0 FS: 0000000001dc9940(0000) GS:ffff8881db800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fa01167edb8 CR3: 00000001cb9c9003 CR4: 00000000001606f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: fsnotify_parent include/linux/fsnotify.h:40 [inline] fsnotify_path include/linux/fsnotify.h:50 [inline] fsnotify_close include/linux/fsnotify.h:297 [inline] __fput+0x15a/0x6c0 fs/file_table.c:266 task_work_run+0x176/0x1a0 kernel/task_work.c:113 tracehook_notify_resume include/linux/tracehook.h:188 [inline] exit_to_usermode_loop arch/x86/entry/common.c:163 [inline] prepare_exit_to_usermode+0x286/0x2e0 arch/x86/entry/common.c:194 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x416f01 Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01 RSP: 002b:00007ffd6d0833d0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000416f01 RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 0000000000000003 RBP: 0000000000000000 R08: 0000000001190340 R09: 0000000000000000 R10: 00007ffd6d0834b0 R11: 0000000000000293 R12: 0000000001190348 R13: 0000000000000000 R14: ffffffffffffffff R15: 000000000118cf4c Modules linked in: RSP: 0018:ffff8881cd9b7d60 EFLAGS: 00010203 RAX: 000000000000004a RBX: 0000000000000254 RCX: ffffffff8185289b RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff8881c22019c0 RBP: ffff8881cd9b7e50 R08: ffffffff817a52d1 R09: 0000000000000003 R10: ffffed1039b36f95 R11: 0000000000000004 R12: dffffc0000000000 R13: 00000000cf495d80 R14: ffff8881c2201990 R15: 1ffff11039b36fb0 FS: 0000000001dc9940(0000) GS:ffff8881db800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f2cc0037068 CR3: 00000001cb9c9003 CR4: 00000000001606f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400