syzbot


KASAN: use-after-free Read in refcount_inc_not_zero

Status: closed as invalid on 2018/01/31 06:12
Subsystems: kernel
Reported-by: syzbot+9e3011b5e961675e736b38d6fd82ad12723a3fa3@syzkaller.appspotmail.com
First crash: 2379d, last: 2304d
Similar bugs (1)
Kernel     | Title                                               | Repro | Cause bisect | Fix bisect | Count | Last  | Reported | Patched | Status
linux-4.14 | KASAN: use-after-free Read in refcount_inc_not_zero | C     | error        |            | 17    | 1427d | 1840d    | 0/1     | upstream: reported C repro on 2019/04/11 23:45

Sample crash report:
audit: type=1400 audit(1514170046.791:7): avc:  denied  { map } for  pid=3145 comm="syzkaller126474" path="/root/syzkaller126474306" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
==================================================================
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:183 [inline]
BUG: KASAN: use-after-free in atomic_read arch/x86/include/asm/atomic.h:27 [inline]
BUG: KASAN: use-after-free in refcount_inc_not_zero+0x16e/0x180 lib/refcount.c:120
Read of size 4 at addr ffff8801c8cfce00 by task syzkaller126474/3146

CPU: 0 PID: 3146 Comm: syzkaller126474 Not tainted 4.15.0-rc4-next-20171221+ #78
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 print_address_description+0x73/0x250 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report+0x25b/0x340 mm/kasan/report.c:409
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:429
 __read_once_size include/linux/compiler.h:183 [inline]
 atomic_read arch/x86/include/asm/atomic.h:27 [inline]
 refcount_inc_not_zero+0x16e/0x180 lib/refcount.c:120
 refcount_inc+0x15/0x50 lib/refcount.c:153
 get_ipc_ns include/linux/ipc_namespace.h:129 [inline]
 __get_ns_from_inode ipc/mqueue.c:110 [inline]
 get_ns_from_inode ipc/mqueue.c:118 [inline]
 mqueue_evict_inode+0x137/0x9c0 ipc/mqueue.c:402
 evict+0x481/0x920 fs/inode.c:552
 iput_final fs/inode.c:1514 [inline]
 iput+0x7b9/0xaf0 fs/inode.c:1541
 dentry_unlink_inode+0x4b0/0x5e0 fs/dcache.c:375
 __dentry_kill+0x3b7/0x6d0 fs/dcache.c:572
 shrink_dentry_list+0x3c5/0xcf0 fs/dcache.c:1019
 shrink_dcache_parent+0xba/0x230 fs/dcache.c:1453
 do_one_tree+0x15/0x50 fs/dcache.c:1484
 shrink_dcache_for_umount+0xbb/0x290 fs/dcache.c:1501
 generic_shutdown_super+0xcd/0x540 fs/super.c:424
 kill_anon_super fs/super.c:991 [inline]
 kill_litter_super+0x72/0x90 fs/super.c:1001
 deactivate_locked_super+0x88/0xd0 fs/super.c:312
 deactivate_super+0x141/0x1b0 fs/super.c:343
 cleanup_mnt+0xb2/0x150 fs/namespace.c:1173
 __cleanup_mnt+0x16/0x20 fs/namespace.c:1180
 task_work_run+0x199/0x270 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0x9bb/0x1ad0 kernel/exit.c:869
 do_group_exit+0x149/0x400 kernel/exit.c:972
 SYSC_exit_group kernel/exit.c:983 [inline]
 SyS_exit_group+0x1d/0x20 kernel/exit.c:981
 entry_SYSCALL_64_fastpath+0x1f/0x96
RIP: 0033:0x4406f9
RSP: 002b:00007ffca4a8ec78 EFLAGS: 00000202 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 00000000004406f9
RDX: 00000000004406f9 RSI: 00000000004406f9 RDI: 0000000000000001
RBP: 00000000006cb018 R08: 0000000000000000 R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000401bc0
R13: 0000000000401c50 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 3146:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
 kmem_cache_alloc_trace+0x136/0x750 mm/slab.c:3611
 kmalloc include/linux/slab.h:516 [inline]
 create_ipc_ns ipc/namespace.c:45 [inline]
 copy_ipcs+0x1b3/0x520 ipc/namespace.c:96
 create_new_namespaces+0x278/0x880 kernel/nsproxy.c:87
 unshare_nsproxy_namespaces+0xae/0x1e0 kernel/nsproxy.c:206
 SYSC_unshare kernel/fork.c:2414 [inline]
 SyS_unshare+0x653/0xfa0 kernel/fork.c:2364
 entry_SYSCALL_64_fastpath+0x1f/0x96

Freed by task 3146:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3489 [inline]
 kfree+0xd6/0x260 mm/slab.c:3804
 free_ipc_ns ipc/namespace.c:139 [inline]
 put_ipc_ns+0x112/0x150 ipc/namespace.c:164
 free_nsproxy+0xc0/0x1f0 kernel/nsproxy.c:180
 switch_task_namespaces+0x9d/0xc0 kernel/nsproxy.c:229
 exit_task_namespaces+0x17/0x20 kernel/nsproxy.c:234
 do_exit+0x9b6/0x1ad0 kernel/exit.c:868
 do_group_exit+0x149/0x400 kernel/exit.c:972
 SYSC_exit_group kernel/exit.c:983 [inline]
 SyS_exit_group+0x1d/0x20 kernel/exit.c:981
 entry_SYSCALL_64_fastpath+0x1f/0x96

The buggy address belongs to the object at ffff8801c8cfce00
 which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 0 bytes inside of
 2048-byte region [ffff8801c8cfce00, ffff8801c8cfd600)
The buggy address belongs to the page:
page:000000001d1dab07 count:1 mapcount:0 mapping:00000000b255226f index:0x0 compound_mapcount: 0
flags: 0x2fffc0000008100(slab|head)
raw: 02fffc0000008100 ffff8801c8cfc580 0000000000000000 0000000100000003
raw: ffffea0007289d20 ffff8801dac01948 ffff8801dac00c40 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801c8cfcd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8801c8cfcd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8801c8cfce00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff8801c8cfce80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801c8cfcf00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

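The three stacks in the report above already tell the triage story: the object is a 2048-byte kmalloc allocation made by create_ipc_ns/copy_ipcs under unshare(); it is freed by put_ipc_ns from exit_task_namespaces (do_exit at kernel/exit.c:868); and one line later in the same function (do_exit at kernel/exit.c:869, via exit_task_work and task_work_run) the deferred mount cleanup evicts an mqueue inode whose get_ns_from_inode path still points at the freed namespace, so refcount_inc_not_zero reads its refcount. The shadow byte fb under the faulting address is KASAN's marker for a freed slab object. The script below is an added example, not syzbot, syzkaller or kernel code: it parses a report in this format and extracts exactly those facts. Assumptions: the shadow-byte table is transcribed from my recollection of mm/kasan/kasan.h for 4.15-era kernels, the list of plumbing frames to skip when naming a culprit is my own heuristic, and SAMPLE is a constructed excerpt of the report above with most frames cut.

```python
"""KASAN report triage helper: an added example for this page, not syzbot,
syzkaller or kernel code. From a report in the format of the sample above it
pulls the bad access, the slab object and offset, the shadow byte under the
faulting address, a culprit frame per stack, and the function shared by free and use."""
import re
# Shadow-byte encodings as in mm/kasan/kasan.h for 4.15-era kernels (assumed values).
SHADOW = {0x00: "addressable", 0xfb: "freed slab object", 0xfc: "slab redzone", 0xfa:
          "global redzone", 0xfe: "page redzone", 0xff: "freed page", 0xf8: "use-after-scope"}
# Heuristic: instrumentation, allocator and dump frames skipped when naming a culprit.
NOISE = ("__dump_stack", "dump_stack", "print_address_description", "kasan_", "__asan_",
         "save_stack", "set_track", "kmem_cache_alloc", "kmalloc", "__cache_free", "kfree",
         "__read_once_size", "atomic_read")
OFF = r"(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?"                          # e.g. "+0x16e/0x180"
BUG = re.compile(r"^BUG: KASAN: (\S+) in (\S+?)" + OFF + r" (\S+:\d+)")
ACCESS = re.compile(r"^(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)")
STACK = re.compile(r"^(Allocated|Freed) by task (\d+):")
FRAME = re.compile(r"^\s+(\S+?)" + OFF + r"(?:\s+(\S+:\d+))?(?:\s+\[inline\])?$")
CACHE = re.compile(r"cache (\S+) of size (\d+)")
WHERE = re.compile(r"located (\d+) bytes (inside of|to the (?:left|right) of)")
ROW = re.compile(r"^>([0-9a-f]+): ((?:[0-9a-f]{2}\s?){16})")    # the '>' shadow row

def parse(text):
    r, cur = {"bugs": [], "stacks": {}, "shadow": None}, None
    for line in text.splitlines():
        if cur and (m := FRAME.match(line)):                  # still inside a stack dump
            r["stacks"][cur].append((m[1], m[2] or "")); continue
        cur = None                                             # any other line ends it
        if m := BUG.match(line):
            r["bugs"].append(m.groups())                       # (kind, function, file:line)
        elif m := ACCESS.match(line):
            r["access"] = {"op": m[1], "size": int(m[2]), "addr": int(m[3], 16), "pid": int(m[5])}
        elif line.startswith("Call Trace:"):
            cur = "access"; r["stacks"][cur] = []
        elif m := STACK.match(line):
            cur = m[1].lower(); r["stacks"][cur] = []
        elif m := CACHE.search(line):
            r["cache"], r["object_size"] = m[1], int(m[2])
        elif m := WHERE.search(line):
            r["offset"], r["where"] = int(m[1]), m[2]
        elif (m := ROW.match(line)) and "access" in r:
            base, vals = int(m[1], 16), [int(b, 16) for b in m[2].split()]
            idx = (r["access"]["addr"] - base) // 8            # one shadow byte per 8 bytes
            if 0 <= idx < len(vals):
                r["shadow"] = (vals[idx], SHADOW.get(vals[idx], "partially addressable"))
    return r

def blame(frames):
    """First frame that is not instrumentation or allocator plumbing."""
    return next(((fn, loc) for fn, loc in frames if not fn.startswith(NOISE)), None)

def common_caller(a, b):
    """Innermost function on both stacks with its file:line in each; a one-line
    gap means the free and the use are consecutive steps of the same caller."""
    in_b = dict(reversed(b))                                   # innermost occurrence wins
    return next(((fn, loc, in_b[fn]) for fn, loc in a if fn in in_b), None)

def summarize(text):
    r = parse(text)
    kind, func, loc = r["bugs"][-1]                            # last BUG line = non-inline frame
    return {"kind": kind, "at": f"{func} {loc}",
            "access": f"{r['access']['op']} {r['access']['size']} @ {r['access']['addr']:#x}",
            "object": f"{r['cache']} +{r['offset']} {r['where']}",
            "shadow": r["shadow"][1] if r["shadow"] else "n/a",
            "use": blame(r["stacks"]["access"]), "alloc": blame(r["stacks"]["allocated"]),
            "free": blame(r["stacks"]["freed"]),
            "free_vs_use": common_caller(r["stacks"]["freed"], r["stacks"]["access"])}

# Constructed input: an excerpt of the sample crash report above, most frames cut.
SAMPLE = """\
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:183 [inline]
BUG: KASAN: use-after-free in refcount_inc_not_zero+0x16e/0x180 lib/refcount.c:120
Read of size 4 at addr ffff8801c8cfce00 by task syzkaller126474/3146
Call Trace:
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 __read_once_size include/linux/compiler.h:183 [inline]
 refcount_inc_not_zero+0x16e/0x180 lib/refcount.c:120
 get_ipc_ns include/linux/ipc_namespace.h:129 [inline]
 mqueue_evict_inode+0x137/0x9c0 ipc/mqueue.c:402
 task_work_run+0x199/0x270 kernel/task_work.c:113
 do_exit+0x9bb/0x1ad0 kernel/exit.c:869
Allocated by task 3146:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 kmalloc include/linux/slab.h:516 [inline]
 create_ipc_ns ipc/namespace.c:45 [inline]
 SyS_unshare+0x653/0xfa0 kernel/fork.c:2364

Freed by task 3146:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 kfree+0xd6/0x260 mm/slab.c:3804
 free_ipc_ns ipc/namespace.c:139 [inline]
 exit_task_namespaces+0x17/0x20 kernel/nsproxy.c:234
 do_exit+0x9b6/0x1ad0 kernel/exit.c:868

The buggy address belongs to the object at ffff8801c8cfce00
 which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 0 bytes inside of
>ffff8801c8cfce00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""
if __name__ == "__main__":
    print(*summarize(SAMPLE).items(), sep="\n")
```

Run it as a script to print the summary, or hand parse() the full text of a report instead of SAMPLE. The free_vs_use entry is the field worth looking at first on any use-after-free: when the free and the use share a caller only a line or two apart, as do_exit does here, the bug is an ordering problem inside that caller rather than a race, which changes how you reproduce and bisect it. The NOISE list and the SHADOW table are the two places to adjust for other kernel versions.
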
Crashes (34):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2017/12/25 02:49 linux-next 0e08c463db38 73aba437 .config console log report syz C ci-upstream-next-kasan-gce
2017/12/24 16:04 mmots 37759fa6d0fa 73aba437 .config console log report syz C ci-upstream-mmots-kasan-gce
2017/12/20 19:44 mmots 82bcf1def3b5 90a46995 .config console log report syz C ci-upstream-mmots-kasan-gce
2017/12/14 18:22 mmots 82bcf1def3b5 ac20b98c .config console log report syz C ci-upstream-mmots-kasan-gce
2017/10/19 20:21 upstream 73d3393ada4f 3704c601 .config console log report ci-upstream-kasan-gce
2017/11/30 09:32 upstream ef0010a30935 29b0fd90 .config console log report ci-upstream-kasan-gce-386
2018/01/02 17:47 mmots 37759fa6d0fa 00193447 .config console log report ci-upstream-mmots-kasan-gce
2018/01/02 08:19 mmots 37759fa6d0fa 00193447 .config console log report ci-upstream-mmots-kasan-gce
2018/01/02 01:22 linux-next 0e08c463db38 00193447 .config console log report ci-upstream-next-kasan-gce
2018/01/01 07:18 mmots 37759fa6d0fa 00193447 .config console log report ci-upstream-mmots-kasan-gce
2018/01/01 03:58 mmots 37759fa6d0fa 00193447 .config console log report ci-upstream-mmots-kasan-gce
2017/12/31 19:44 linux-next 0e08c463db38 00193447 .config console log report ci-upstream-next-kasan-gce
2017/12/31 10:51 mmots 37759fa6d0fa bb6384b8 .config console log report ci-upstream-mmots-kasan-gce
2017/12/31 01:17 mmots 37759fa6d0fa bb6384b8 .config console log report ci-upstream-mmots-kasan-gce
2017/12/30 20:47 linux-next 0e08c463db38 bb6384b8 .config console log report ci-upstream-next-kasan-gce
2017/12/30 09:29 linux-next 0e08c463db38 bb6384b8 .config console log report ci-upstream-next-kasan-gce
2017/12/29 23:11 mmots 37759fa6d0fa bb6384b8 .config console log report ci-upstream-mmots-kasan-gce
2017/12/29 13:49 linux-next 0e08c463db38 7d240098 .config console log report ci-upstream-next-kasan-gce
2017/12/29 12:40 mmots 37759fa6d0fa 7d240098 .config console log report ci-upstream-mmots-kasan-gce
2017/12/29 12:40 linux-next 0e08c463db38 7d240098 .config console log report ci-upstream-next-kasan-gce
2017/12/29 10:20 linux-next 0e08c463db38 7d240098 .config console log report ci-upstream-next-kasan-gce
2017/12/28 23:37 mmots 37759fa6d0fa 7d240098 .config console log report ci-upstream-mmots-kasan-gce
2017/12/28 20:35 mmots 37759fa6d0fa 7d240098 .config console log report ci-upstream-mmots-kasan-gce
2017/12/26 03:03 mmots 37759fa6d0fa 73aba437 .config console log report ci-upstream-mmots-kasan-gce
2017/12/25 15:55 mmots 37759fa6d0fa 73aba437 .config console log report ci-upstream-mmots-kasan-gce
2017/12/24 16:26 linux-next 0e08c463db38 73aba437 .config console log report ci-upstream-next-kasan-gce
2017/12/24 11:24 mmots 37759fa6d0fa 73aba437 .config console log report ci-upstream-mmots-kasan-gce
2017/12/24 11:24 linux-next 0e08c463db38 73aba437 .config console log report ci-upstream-next-kasan-gce
2017/12/24 05:23 linux-next 0e08c463db38 73aba437 .config console log report ci-upstream-next-kasan-gce
2017/12/22 06:38 mmots 37759fa6d0fa 81fe66b4 .config console log report ci-upstream-mmots-kasan-gce
2017/12/17 03:43 mmots 82bcf1def3b5 b6f0c91b .config console log report ci-upstream-mmots-kasan-gce
2017/12/16 08:57 mmots 82bcf1def3b5 b6f0c91b .config console log report ci-upstream-mmots-kasan-gce
2017/12/14 17:56 mmots 82bcf1def3b5 ac20b98c .config console log report ci-upstream-mmots-kasan-gce
2017/12/09 09:45 mmots 82bcf1def3b5 5ad0ce95 .config console log report ci-upstream-mmots-kasan-gce