KASAN: use-after-free Read in dput (2)

Title	Replies (including bot)	Last reply
[GIT PULL] Please pull proc fixes for v5.7-rc2	2 (2)	2020/04/17 19:15
[PATCH] proc: Handle umounts cleanly	4 (4)	2020/04/15 21:20
KASAN: use-after-free Read in dput (2)	0 (1)	2020/04/15 15:44

Title

Replies (including bot)

Last reply

[GIT PULL] Please pull proc fixes for v5.7-rc2

2 (2)

2020/04/17 19:15

[PATCH] proc: Handle umounts cleanly

4 (4)

2020/04/15 21:20

KASAN: use-after-free Read in dput (2)

0 (1)

2020/04/15 15:44

Kernel	Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
upstream	KASAN: use-after-free Read in dput fs	C			24	2086d	2119d	0/26	closed as invalid on 2019/06/10 23:01
android-54	KASAN: use-after-free Read in dput	syz			1	1336d	1336d	0/2	auto-obsoleted due to no activity on 2023/04/14 10:36

proc_fill_super: allocate dentry failed ================================================================== BUG: KASAN: use-after-free in fast_dput fs/dcache.c:727 [inline] BUG: KASAN: use-after-free in dput+0x53e/0xdf0 fs/dcache.c:846 Read of size 4 at addr ffff88808a618cf0 by task syz-executor.0/8426 CPU: 0 PID: 8426 Comm: syz-executor.0 Not tainted 5.6.0-next-20200412-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x188/0x20d lib/dump_stack.c:118 print_address_description.constprop.0.cold+0xd3/0x315 mm/kasan/report.c:382 __kasan_report.cold+0x35/0x4d mm/kasan/report.c:511 kasan_report+0x33/0x50 mm/kasan/common.c:625 fast_dput fs/dcache.c:727 [inline] dput+0x53e/0xdf0 fs/dcache.c:846 proc_kill_sb+0x73/0xf0 fs/proc/root.c:195 deactivate_locked_super+0x8c/0xf0 fs/super.c:335 vfs_get_super+0x258/0x2d0 fs/super.c:1212 vfs_get_tree+0x89/0x2f0 fs/super.c:1547 do_new_mount fs/namespace.c:2813 [inline] do_mount+0x1306/0x1b30 fs/namespace.c:3138 __do_sys_mount fs/namespace.c:3347 [inline] __se_sys_mount fs/namespace.c:3324 [inline] __x64_sys_mount+0x18f/0x230 fs/namespace.c:3324 do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295 entry_SYSCALL_64_after_hwframe+0x49/0xb3 RIP: 0033:0x45c889 Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007ffc1930ec48 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 RAX: ffffffffffffffda RBX: 0000000001324914 RCX: 000000000045c889 RDX: 0000000020000140 RSI: 0000000020000040 RDI: 0000000000000000 RBP: 000000000076bf00 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000003 R13: 0000000000000749 R14: 00000000004ca15a R15: 0000000000000013 Allocated by task 8404: save_stack+0x1b/0x40 mm/kasan/common.c:49 set_track mm/kasan/common.c:57 [inline] __kasan_kmalloc mm/kasan/common.c:495 [inline] __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:468 slab_post_alloc_hook mm/slab.h:586 [inline] slab_alloc mm/slab.c:3320 [inline] kmem_cache_alloc+0x11b/0x740 mm/slab.c:3484 __d_alloc+0x2b/0x8e0 fs/dcache.c:1690 d_alloc+0x4a/0x240 fs/dcache.c:1769 d_alloc_name+0x80/0xb0 fs/dcache.c:1831 proc_setup_self+0xe4/0x3c0 fs/proc/self.c:44 proc_fill_super+0x3fb/0x660 fs/proc/root.c:133 vfs_get_super+0x12e/0x2d0 fs/super.c:1191 vfs_get_tree+0x89/0x2f0 fs/super.c:1547 do_new_mount fs/namespace.c:2813 [inline] do_mount+0x1306/0x1b30 fs/namespace.c:3138 __do_sys_mount fs/namespace.c:3347 [inline] __se_sys_mount fs/namespace.c:3324 [inline] __x64_sys_mount+0x18f/0x230 fs/namespace.c:3324 do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295 entry_SYSCALL_64_after_hwframe+0x49/0xb3 Freed by task 9: save_stack+0x1b/0x40 mm/kasan/common.c:49 set_track mm/kasan/common.c:57 [inline] kasan_set_free_info mm/kasan/common.c:317 [inline] __kasan_slab_free+0xf7/0x140 mm/kasan/common.c:456 __cache_free mm/slab.c:3426 [inline] kmem_cache_free+0x7f/0x320 mm/slab.c:3694 rcu_do_batch kernel/rcu/tree.c:2206 [inline] rcu_core+0x59f/0x1370 kernel/rcu/tree.c:2433 __do_softirq+0x26c/0x9f7 kernel/softirq.c:292 The buggy address belongs to the object at ffff88808a618cf0 which belongs to the cache dentry of size 304 The buggy address is located 0 bytes inside of 304-byte region [ffff88808a618cf0, ffff88808a618e20) The buggy address belongs to the page: page:ffffea0002298600 refcount:1 mapcount:0 mapping:000000001a027ea8 index:0x0 flags: 0xfffe0000000200(slab) raw: 00fffe0000000200 ffffea00022985c8 ffffea0002298648 ffff88821bc50540 raw: 0000000000000000 ffff88808a618000 000000010000000b 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88808a618b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff88808a618c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff88808a618c80: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fb fb ^ ffff88808a618d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88808a618d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================

Crashes (4):
Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	Manager
2020/04/13 02:16	linux-next	d2a22790db70	36b0b050	.config	console log	report	syz	ci-upstream-linux-next-kasan-gce-root
2020/04/15 10:53	upstream	8632e9b5645b	3f3c5574	.config	console log	report		ci-upstream-kasan-gce-selinux-root
2020/04/13 01:12	linux-next	d2a22790db70	36b0b050	.config	console log	report		ci-upstream-linux-next-kasan-gce-root
2020/04/11 15:38	linux-next	11ecafc691e1	a8c6a3f8	.config	console log	report		ci-upstream-linux-next-kasan-gce-root

Crashes (4):

Assets (help?)