KASAN: use-after-free Write in eventfd


Created	Duration	User	Patch	Repo	Result
2023/04/15 09:40	13m	retest repro		android12-5.4	OK log
2022/08/28 23:27	0m	retest repro		https://android.googlesource.com/kernel/common android-5.4	error OK

BUG: KASAN: use-after-free in atomic_try_cmpxchg include/asm-generic/atomic-instrumented.h:693 [inline] BUG: KASAN: use-after-free in queued_spin_lock include/asm-generic/qspinlock.h:78 [inline] BUG: KASAN: use-after-free in do_raw_spin_lock_flags include/linux/spinlock.h:193 [inline] BUG: KASAN: use-after-free in __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:119 [inline] BUG: KASAN: use-after-free in _raw_spin_lock_irqsave+0xcd/0x1c0 kernel/locking/spinlock.c:159 Write of size 4 at addr ffff8881d4f91d88 by task syz-executor.4/3445 CPU: 1 PID: 3445 Comm: syz-executor.4 Not tainted 5.4.63-syzkaller-01128-g0ef1db7b69dd #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1b0/0x21e lib/dump_stack.c:118 print_address_description+0x96/0x5d0 mm/kasan/report.c:374 __kasan_report+0x14b/0x1c0 mm/kasan/report.c:506 kasan_report+0x27/0x50 mm/kasan/common.c:634 check_memory_region_inline mm/kasan/generic.c:181 [inline] check_memory_region+0x2b5/0x2f0 mm/kasan/generic.c:191 atomic_try_cmpxchg include/asm-generic/atomic-instrumented.h:693 [inline] queued_spin_lock include/asm-generic/qspinlock.h:78 [inline] do_raw_spin_lock_flags include/linux/spinlock.h:193 [inline] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:119 [inline] _raw_spin_lock_irqsave+0xcd/0x1c0 kernel/locking/spinlock.c:159 __wake_up_common_lock kernel/sched/wait.c:122 [inline] __wake_up+0x128/0x210 kernel/sched/wait.c:142 eventfd_release+0x4f/0xe0 fs/eventfd.c:121 __fput+0x27d/0x6c0 fs/file_table.c:280 task_work_run+0x176/0x1a0 kernel/task_work.c:113 tracehook_notify_resume include/linux/tracehook.h:188 [inline] exit_to_usermode_loop arch/x86/entry/common.c:163 [inline] prepare_exit_to_usermode+0x286/0x2e0 arch/x86/entry/common.c:194 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x416f01 Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01 RSP: 002b:00007ffe7e7f98f0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000416f01 RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 0000000000000003 RBP: 0000000000000000 R08: 0000000001190378 R09: 0000000000000000 R10: 00007ffe7e7f99d0 R11: 0000000000000293 R12: 0000000001190380 R13: 0000000000000000 R14: ffffffffffffffff R15: 000000000118cf4c Allocated by task 3449: save_stack mm/kasan/common.c:69 [inline] set_track mm/kasan/common.c:77 [inline] __kasan_kmalloc+0x117/0x1b0 mm/kasan/common.c:510 kmem_cache_alloc_trace+0xc3/0x270 mm/slub.c:2820 kmalloc include/linux/slab.h:556 [inline] do_eventfd+0x81/0x250 fs/eventfd.c:418 __do_sys_eventfd fs/eventfd.c:443 [inline] __se_sys_eventfd fs/eventfd.c:441 [inline] __x64_sys_eventfd+0x35/0x40 fs/eventfd.c:441 do_syscall_64+0xcb/0x150 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Freed by task 3454: save_stack mm/kasan/common.c:69 [inline] set_track mm/kasan/common.c:77 [inline] kasan_set_free_info mm/kasan/common.c:332 [inline] __kasan_slab_free+0x168/0x220 mm/kasan/common.c:471 slab_free_hook mm/slub.c:1443 [inline] slab_free_freelist_hook+0xd0/0x150 mm/slub.c:1476 slab_free mm/slub.c:3041 [inline] kfree+0x12b/0x5d0 mm/slub.c:4002 eventfd_free_ctx fs/eventfd.c:94 [inline] eventfd_free fs/eventfd.c:101 [inline] kref_put include/linux/kref.h:65 [inline] eventfd_ctx_put fs/eventfd.c:113 [inline] eventfd_release+0xbb/0xe0 fs/eventfd.c:122 __fput+0x27d/0x6c0 fs/file_table.c:280 task_work_run+0x176/0x1a0 kernel/task_work.c:113 tracehook_notify_resume include/linux/tracehook.h:188 [inline] exit_to_usermode_loop arch/x86/entry/common.c:163 [inline] prepare_exit_to_usermode+0x286/0x2e0 arch/x86/entry/common.c:194 entry_SYSCALL_64_after_hwframe+0x44/0xa9 The buggy address belongs to the object at ffff8881d4f91d80 which belongs to the cache kmalloc-64 of size 64 The buggy address is located 8 bytes inside of 64-byte region [ffff8881d4f91d80, ffff8881d4f91dc0) The buggy address belongs to the page: page:ffffea000753e440 refcount:1 mapcount:0 mapping:ffff8881da803180 index:0xffff8881d4f91b80 flags: 0x8000000000000200(slab) raw: 8000000000000200 ffffea0007493100 0000000b0000000b ffff8881da803180 raw: ffff8881d4f91b80 000000008020000f 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8881d4f91c80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff8881d4f91d00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc >ffff8881d4f91d80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ^ ffff8881d4f91e00: 00 00 00 00 00 00 00 06 fc fc fc fc fc fc fc fc ffff8881d4f91e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ================================================================== BUG: KASAN: double-free or invalid-free in slab_free mm/slub.c:3041 [inline] BUG: KASAN: double-free or invalid-free in kmem_cache_free+0xac/0x5c0 mm/slub.c:3057 CPU: 1 PID: 3445 Comm: syz-executor.4 Tainted: G B 5.4.63-syzkaller-01128-g0ef1db7b69dd #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1b0/0x21e lib/dump_stack.c:118 print_address_description+0x96/0x5d0 mm/kasan/report.c:374 kasan_report_invalid_free+0x54/0xc0 mm/kasan/report.c:468 __kasan_slab_free+0x102/0x220 mm/kasan/common.c:459 slab_free_hook mm/slub.c:1443 [inline] slab_free_freelist_hook+0xd0/0x150 mm/slub.c:1476 slab_free mm/slub.c:3041 [inline] kmem_cache_free+0xac/0x5c0 mm/slub.c:3057 dentry_kill fs/dcache.c:673 [inline] dput+0x2e1/0x5e0 fs/dcache.c:859 __fput+0x46b/0x6c0 fs/file_table.c:293 task_work_run+0x176/0x1a0 kernel/task_work.c:113 tracehook_notify_resume include/linux/tracehook.h:188 [inline] exit_to_usermode_loop arch/x86/entry/common.c:163 [inline] prepare_exit_to_usermode+0x286/0x2e0 arch/x86/entry/common.c:194 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x416f01 Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01 RSP: 002b:00007ffe7e7f98f0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000416f01 RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 0000000000000003 RBP: 0000000000000000 R08: 0000000001190378 R09: 0000000000000000 R10: 00007ffe7e7f99d0 R11: 0000000000000293 R12: 0000000001190380 R13: 0000000000000000 R14: ffffffffffffffff R15: 000000000118cf4c Allocated by task 3449: save_stack mm/kasan/common.c:69 [inline] set_track mm/kasan/common.c:77 [inline] __kasan_kmalloc+0x117/0x1b0 mm/kasan/common.c:510 slab_post_alloc_hook mm/slab.h:584 [inline] slab_alloc_node mm/slub.c:2793 [inline] slab_alloc mm/slub.c:2801 [inline] kmem_cache_alloc+0x1d5/0x250 mm/slub.c:2806 __d_alloc+0x2a/0x6b0 fs/dcache.c:1688 d_alloc_pseudo+0x19/0x70 fs/dcache.c:1817 alloc_file_pseudo+0x128/0x310 fs/file_table.c:225 anon_inode_getfile+0xa7/0x170 fs/anon_inodes.c:91 anon_inode_getfd+0x3e/0x80 fs/anon_inodes.c:136 do_eventfd+0x16b/0x250 fs/eventfd.c:428 __do_sys_eventfd fs/eventfd.c:443 [inline] __se_sys_eventfd fs/eventfd.c:441 [inline] __x64_sys_eventfd+0x35/0x40 fs/eventfd.c:441 do_syscall_64+0xcb/0x150 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Freed by task 3454: save_stack mm/kasan/common.c:69 [inline] set_track mm/kasan/common.c:77 [inline] kasan_set_free_info mm/kasan/common.c:332 [inline] __kasan_slab_free+0x168/0x220 mm/kasan/common.c:471 slab_free_hook mm/slub.c:1443 [inline] slab_free_freelist_hook+0xd0/0x150 mm/slub.c:1476 slab_free mm/slub.c:3041 [inline] kmem_cache_free+0xac/0x5c0 mm/slub.c:3057 dentry_kill fs/dcache.c:673 [inline] dput+0x2e1/0x5e0 fs/dcache.c:859 __fput+0x46b/0x6c0 fs/file_table.c:293 task_work_run+0x176/0x1a0 kernel/task_work.c:113 tracehook_notify_resume include/linux/tracehook.h:188 [inline] exit_to_usermode_loop arch/x86/entry/common.c:163 [inline] prepare_exit_to_usermode+0x286/0x2e0 arch/x86/entry/common.c:194 entry_SYSCALL_64_after_hwframe+0x44/0xa9 The buggy address belongs to the object at ffff8881d3bdfcc0 which belongs to the cache dentry of size 208 The buggy address is located 0 bytes inside of 208-byte region [ffff8881d3bdfcc0, ffff8881d3bdfd90) The buggy address belongs to the page: page:ffffea00074ef7c0 refcount:1 mapcount:0 mapping:ffff8881da8ef900 index:0x0 flags: 0x8000000000000200(slab) raw: 8000000000000200 ffffea00074ef300 0000000b00000002 ffff8881da8ef900 raw: 0000000000000000 00000000000f000f 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8881d3bdfb80: fc fc fc fc fc fc fb fb fb fb fb fb fb fb fb fb ffff8881d3bdfc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8881d3bdfc80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ^ ffff8881d3bdfd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8881d3bdfd80: fb fb fc fc fc fc fc fc fc fc fb fb fb fb fb fb ==================================================================