syzbot


KASAN: use-after-free Write in eventfd_release

Status: upstream: reported syz repro on 2020/09/07 01:18
Reported-by: syzbot+e3d3d1af7530ef98444d@syzkaller.appspotmail.com
First crash: 814d, last: 814d
Patch testing requests (1):
  Created:  2022/08/28 23:27
  Duration: 0m
  User:     (none)
  Patch:    (none)
  Repo:     https://android.googlesource.com/kernel/common android-5.4
  Result:   error

Sample crash report:
BUG: KASAN: use-after-free in atomic_try_cmpxchg include/asm-generic/atomic-instrumented.h:693 [inline]
BUG: KASAN: use-after-free in queued_spin_lock include/asm-generic/qspinlock.h:78 [inline]
BUG: KASAN: use-after-free in do_raw_spin_lock_flags include/linux/spinlock.h:193 [inline]
BUG: KASAN: use-after-free in __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:119 [inline]
BUG: KASAN: use-after-free in _raw_spin_lock_irqsave+0xcd/0x1c0 kernel/locking/spinlock.c:159
Write of size 4 at addr ffff8881d4f91d88 by task syz-executor.4/3445

CPU: 1 PID: 3445 Comm: syz-executor.4 Not tainted 5.4.63-syzkaller-01128-g0ef1db7b69dd #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b0/0x21e lib/dump_stack.c:118
 print_address_description+0x96/0x5d0 mm/kasan/report.c:374
 __kasan_report+0x14b/0x1c0 mm/kasan/report.c:506
 kasan_report+0x27/0x50 mm/kasan/common.c:634
 check_memory_region_inline mm/kasan/generic.c:181 [inline]
 check_memory_region+0x2b5/0x2f0 mm/kasan/generic.c:191
 atomic_try_cmpxchg include/asm-generic/atomic-instrumented.h:693 [inline]
 queued_spin_lock include/asm-generic/qspinlock.h:78 [inline]
 do_raw_spin_lock_flags include/linux/spinlock.h:193 [inline]
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:119 [inline]
 _raw_spin_lock_irqsave+0xcd/0x1c0 kernel/locking/spinlock.c:159
 __wake_up_common_lock kernel/sched/wait.c:122 [inline]
 __wake_up+0x128/0x210 kernel/sched/wait.c:142
 eventfd_release+0x4f/0xe0 fs/eventfd.c:121
 __fput+0x27d/0x6c0 fs/file_table.c:280
 task_work_run+0x176/0x1a0 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_usermode_loop arch/x86/entry/common.c:163 [inline]
 prepare_exit_to_usermode+0x286/0x2e0 arch/x86/entry/common.c:194
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x416f01
Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007ffe7e7f98f0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000416f01
RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000001190378 R09: 0000000000000000
R10: 00007ffe7e7f99d0 R11: 0000000000000293 R12: 0000000001190380
R13: 0000000000000000 R14: ffffffffffffffff R15: 000000000118cf4c

Allocated by task 3449:
 save_stack mm/kasan/common.c:69 [inline]
 set_track mm/kasan/common.c:77 [inline]
 __kasan_kmalloc+0x117/0x1b0 mm/kasan/common.c:510
 kmem_cache_alloc_trace+0xc3/0x270 mm/slub.c:2820
 kmalloc include/linux/slab.h:556 [inline]
 do_eventfd+0x81/0x250 fs/eventfd.c:418
 __do_sys_eventfd fs/eventfd.c:443 [inline]
 __se_sys_eventfd fs/eventfd.c:441 [inline]
 __x64_sys_eventfd+0x35/0x40 fs/eventfd.c:441
 do_syscall_64+0xcb/0x150 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 3454:
 save_stack mm/kasan/common.c:69 [inline]
 set_track mm/kasan/common.c:77 [inline]
 kasan_set_free_info mm/kasan/common.c:332 [inline]
 __kasan_slab_free+0x168/0x220 mm/kasan/common.c:471
 slab_free_hook mm/slub.c:1443 [inline]
 slab_free_freelist_hook+0xd0/0x150 mm/slub.c:1476
 slab_free mm/slub.c:3041 [inline]
 kfree+0x12b/0x5d0 mm/slub.c:4002
 eventfd_free_ctx fs/eventfd.c:94 [inline]
 eventfd_free fs/eventfd.c:101 [inline]
 kref_put include/linux/kref.h:65 [inline]
 eventfd_ctx_put fs/eventfd.c:113 [inline]
 eventfd_release+0xbb/0xe0 fs/eventfd.c:122
 __fput+0x27d/0x6c0 fs/file_table.c:280
 task_work_run+0x176/0x1a0 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_usermode_loop arch/x86/entry/common.c:163 [inline]
 prepare_exit_to_usermode+0x286/0x2e0 arch/x86/entry/common.c:194
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

The buggy address belongs to the object at ffff8881d4f91d80
 which belongs to the cache kmalloc-64 of size 64
The buggy address is located 8 bytes inside of
 64-byte region [ffff8881d4f91d80, ffff8881d4f91dc0)
The buggy address belongs to the page:
page:ffffea000753e440 refcount:1 mapcount:0 mapping:ffff8881da803180 index:0xffff8881d4f91b80
flags: 0x8000000000000200(slab)
raw: 8000000000000200 ffffea0007493100 0000000b0000000b ffff8881da803180
raw: ffff8881d4f91b80 000000008020000f 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881d4f91c80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8881d4f91d00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff8881d4f91d80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
                      ^
 ffff8881d4f91e00: 00 00 00 00 00 00 00 06 fc fc fc fc fc fc fc fc
 ffff8881d4f91e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==================================================================
BUG: KASAN: double-free or invalid-free in slab_free mm/slub.c:3041 [inline]
BUG: KASAN: double-free or invalid-free in kmem_cache_free+0xac/0x5c0 mm/slub.c:3057

CPU: 1 PID: 3445 Comm: syz-executor.4 Tainted: G    B             5.4.63-syzkaller-01128-g0ef1db7b69dd #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b0/0x21e lib/dump_stack.c:118
 print_address_description+0x96/0x5d0 mm/kasan/report.c:374
 kasan_report_invalid_free+0x54/0xc0 mm/kasan/report.c:468
 __kasan_slab_free+0x102/0x220 mm/kasan/common.c:459
 slab_free_hook mm/slub.c:1443 [inline]
 slab_free_freelist_hook+0xd0/0x150 mm/slub.c:1476
 slab_free mm/slub.c:3041 [inline]
 kmem_cache_free+0xac/0x5c0 mm/slub.c:3057
 dentry_kill fs/dcache.c:673 [inline]
 dput+0x2e1/0x5e0 fs/dcache.c:859
 __fput+0x46b/0x6c0 fs/file_table.c:293
 task_work_run+0x176/0x1a0 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_usermode_loop arch/x86/entry/common.c:163 [inline]
 prepare_exit_to_usermode+0x286/0x2e0 arch/x86/entry/common.c:194
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x416f01
Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007ffe7e7f98f0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000416f01
RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000001190378 R09: 0000000000000000
R10: 00007ffe7e7f99d0 R11: 0000000000000293 R12: 0000000001190380
R13: 0000000000000000 R14: ffffffffffffffff R15: 000000000118cf4c

Allocated by task 3449:
 save_stack mm/kasan/common.c:69 [inline]
 set_track mm/kasan/common.c:77 [inline]
 __kasan_kmalloc+0x117/0x1b0 mm/kasan/common.c:510
 slab_post_alloc_hook mm/slab.h:584 [inline]
 slab_alloc_node mm/slub.c:2793 [inline]
 slab_alloc mm/slub.c:2801 [inline]
 kmem_cache_alloc+0x1d5/0x250 mm/slub.c:2806
 __d_alloc+0x2a/0x6b0 fs/dcache.c:1688
 d_alloc_pseudo+0x19/0x70 fs/dcache.c:1817
 alloc_file_pseudo+0x128/0x310 fs/file_table.c:225
 anon_inode_getfile+0xa7/0x170 fs/anon_inodes.c:91
 anon_inode_getfd+0x3e/0x80 fs/anon_inodes.c:136
 do_eventfd+0x16b/0x250 fs/eventfd.c:428
 __do_sys_eventfd fs/eventfd.c:443 [inline]
 __se_sys_eventfd fs/eventfd.c:441 [inline]
 __x64_sys_eventfd+0x35/0x40 fs/eventfd.c:441
 do_syscall_64+0xcb/0x150 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 3454:
 save_stack mm/kasan/common.c:69 [inline]
 set_track mm/kasan/common.c:77 [inline]
 kasan_set_free_info mm/kasan/common.c:332 [inline]
 __kasan_slab_free+0x168/0x220 mm/kasan/common.c:471
 slab_free_hook mm/slub.c:1443 [inline]
 slab_free_freelist_hook+0xd0/0x150 mm/slub.c:1476
 slab_free mm/slub.c:3041 [inline]
 kmem_cache_free+0xac/0x5c0 mm/slub.c:3057
 dentry_kill fs/dcache.c:673 [inline]
 dput+0x2e1/0x5e0 fs/dcache.c:859
 __fput+0x46b/0x6c0 fs/file_table.c:293
 task_work_run+0x176/0x1a0 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_usermode_loop arch/x86/entry/common.c:163 [inline]
 prepare_exit_to_usermode+0x286/0x2e0 arch/x86/entry/common.c:194
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

The buggy address belongs to the object at ffff8881d3bdfcc0
 which belongs to the cache dentry of size 208
The buggy address is located 0 bytes inside of
 208-byte region [ffff8881d3bdfcc0, ffff8881d3bdfd90)
The buggy address belongs to the page:
page:ffffea00074ef7c0 refcount:1 mapcount:0 mapping:ffff8881da8ef900 index:0x0
flags: 0x8000000000000200(slab)
raw: 8000000000000200 ffffea00074ef300 0000000b00000002 ffff8881da8ef900
raw: 0000000000000000 00000000000f000f 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881d3bdfb80: fc fc fc fc fc fc fb fb fb fb fb fb fb fb fb fb
 ffff8881d3bdfc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881d3bdfc80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                           ^
 ffff8881d3bdfd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881d3bdfd80: fb fb fc fc fc fc fc fc fc fc fb fb fb fb fb fb
==================================================================

Crashes (1):
  Manager:   ci2-android-5-4-kasan
  Time:      2020/09/07 01:17
  Kernel:    https://android.googlesource.com/kernel/common android-5.4
  Commit:    0ef1db7b69dd
  Syzkaller: abf9ba4f
  Config:    .config
  Log:       log
  Report:    report
  Syz repro: syz
  C repro:   (none)
  VM info:   (none)
  Title:     (none)