syzbot


KASAN: use-after-free Read in dentry_free

Status: auto-closed as invalid on 2020/09/04 17:23
Reported-by: syzbot+9b3161212d9e251fa6d4@syzkaller.appspotmail.com
First crash: 1660d, last: 1660d

Sample crash report:
RAX: 0000000000000000 RBX: 0000000000000006 RCX: 0000000000416421
RDX: 0000000000000000 RSI: 0000000000001f5d RDI: 0000000000000005
RBP: 0000000000000001 R08: 00000000d383bf61 R09: 0000000000000000
R10: 00007ffef907b6f0 R11: 0000000000000293 R12: 0000000000790360
R13: 000000000004dcf0 R14: ffffffffffffffff R15: 000000000078c04c
---[ end trace 80c129b4782c14a8 ]---
==================================================================
BUG: KASAN: use-after-free in dname_external fs/dcache.c:283 [inline]
BUG: KASAN: use-after-free in dentry_free+0x5d/0x150 fs/dcache.c:339
Read of size 8 at addr ffff8881d38108a8 by task syz-executor.2/16200

CPU: 0 PID: 16200 Comm: syz-executor.2 Tainted: G        W         5.4.39-syzkaller-00066-g8c464aedacd3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x14a/0x1ce lib/dump_stack.c:118
 print_address_description+0x93/0x620 mm/kasan/report.c:374
 __kasan_report+0x16d/0x1e0 mm/kasan/report.c:506
 kasan_report+0x34/0x60 mm/kasan/common.c:634
 dname_external fs/dcache.c:283 [inline]
 dentry_free+0x5d/0x150 fs/dcache.c:339
 dentry_kill fs/dcache.c:673 [inline]
 dput+0x2e1/0x5e0 fs/dcache.c:859
 put_fs_context+0x6c/0x6b0 fs/fs_context.c:495
 fscontext_release+0x61/0x80 fs/fsopen.c:73
 __fput+0x27d/0x6c0 fs/file_table.c:280
 task_work_run+0x176/0x1a0 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_usermode_loop arch/x86/entry/common.c:163 [inline]
 prepare_exit_to_usermode+0x286/0x2e0 arch/x86/entry/common.c:194
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x416421
Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007ffef907b600 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000006 RCX: 0000000000416421
RDX: 0000000000000000 RSI: 0000000000001f5d RDI: 0000000000000005
RBP: 0000000000000001 R08: 00000000d383bf61 R09: 0000000000000000
R10: 00007ffef907b6f0 R11: 0000000000000293 R12: 0000000000790360
R13: 000000000004dcf0 R14: ffffffffffffffff R15: 000000000078c04c

Allocated by task 16201:
 save_stack mm/kasan/common.c:69 [inline]
 set_track mm/kasan/common.c:77 [inline]
 __kasan_kmalloc+0x12c/0x1c0 mm/kasan/common.c:510
 slab_post_alloc_hook mm/slab.h:584 [inline]
 slab_alloc_node mm/slub.c:2766 [inline]
 slab_alloc mm/slub.c:2774 [inline]
 kmem_cache_alloc+0x1d5/0x260 mm/slub.c:2779
 __d_alloc+0x2a/0x6b0 fs/dcache.c:1688
 d_alloc_anon fs/dcache.c:1786 [inline]
 d_make_root+0x46/0xd0 fs/dcache.c:1987
 kernfs_fill_super fs/kernfs/mount.c:244 [inline]
 kernfs_get_tree+0x45e/0x690 fs/kernfs/mount.c:317
 cgroup_do_get_tree+0xef/0x5a0 kernel/cgroup/cgroup.c:2101
 cgroup1_get_tree+0x81a/0x9c0 kernel/cgroup/cgroup-v1.c:1221
 vfs_get_tree+0x85/0x260 fs/super.c:1547
 vfs_fsconfig_locked fs/fsopen.c:232 [inline]
 __do_sys_fsconfig fs/fsopen.c:445 [inline]
 __se_sys_fsconfig+0xcd1/0x1140 fs/fsopen.c:314
 do_syscall_64+0xcb/0x150 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 9:
 save_stack mm/kasan/common.c:69 [inline]
 set_track mm/kasan/common.c:77 [inline]
 kasan_set_free_info mm/kasan/common.c:332 [inline]
 __kasan_slab_free+0x181/0x230 mm/kasan/common.c:471
 slab_free_hook mm/slub.c:1424 [inline]
 slab_free_freelist_hook+0xd0/0x150 mm/slub.c:1457
 slab_free mm/slub.c:3014 [inline]
 kmem_cache_free+0xac/0x600 mm/slub.c:3030
 __rcu_reclaim kernel/rcu/rcu.h:222 [inline]
 rcu_do_batch kernel/rcu/tree.c:2158 [inline]
 rcu_core+0xbf0/0x1360 kernel/rcu/tree.c:2378
 __do_softirq+0x2d5/0x725 kernel/softirq.c:292

The buggy address belongs to the object at ffff8881d3810880
 which belongs to the cache dentry of size 208
The buggy address is located 40 bytes inside of
 208-byte region [ffff8881d3810880, ffff8881d3810950)
The buggy address belongs to the page:
page:ffffea00074e0400 refcount:1 mapcount:0 mapping:ffff8881da8ee500 index:0x0
flags: 0x8000000000000200(slab)
raw: 8000000000000200 ffffea00072e2240 0000000600000006 ffff8881da8ee500
raw: 0000000000000000 00000000000f000f 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881d3810780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8881d3810800: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
>ffff8881d3810880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                  ^
 ffff8881d3810900: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
 ffff8881d3810980: fc fc 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
==================================================================
BUG: KASAN: double-free or invalid-free in slab_free mm/slub.c:3014 [inline]
BUG: KASAN: double-free or invalid-free in kmem_cache_free+0xac/0x600 mm/slub.c:3030

CPU: 1 PID: 16200 Comm: syz-executor.2 Tainted: G    B   W         5.4.39-syzkaller-00066-g8c464aedacd3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x14a/0x1ce lib/dump_stack.c:118
 print_address_description+0x93/0x620 mm/kasan/report.c:374
 kasan_report_invalid_free+0x54/0xc0 mm/kasan/report.c:468
 __kasan_slab_free+0x102/0x230 mm/kasan/common.c:459
 slab_free_hook mm/slub.c:1424 [inline]
 slab_free_freelist_hook+0xd0/0x150 mm/slub.c:1457
 slab_free mm/slub.c:3014 [inline]
 kmem_cache_free+0xac/0x600 mm/slub.c:3030
 dentry_kill fs/dcache.c:673 [inline]
 dput+0x2e1/0x5e0 fs/dcache.c:859
 put_fs_context+0x6c/0x6b0 fs/fs_context.c:495
 fscontext_release+0x61/0x80 fs/fsopen.c:73
 __fput+0x27d/0x6c0 fs/file_table.c:280
 task_work_run+0x176/0x1a0 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_usermode_loop arch/x86/entry/common.c:163 [inline]
 prepare_exit_to_usermode+0x286/0x2e0 arch/x86/entry/common.c:194
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x416421
Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007ffef907b600 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000006 RCX: 0000000000416421
RDX: 0000000000000000 RSI: 0000000000001f5d RDI: 0000000000000005
RBP: 0000000000000001 R08: 00000000d383bf61 R09: 0000000000000000
R10: 00007ffef907b6f0 R11: 0000000000000293 R12: 0000000000790360
R13: 000000000004dcf0 R14: ffffffffffffffff R15: 000000000078c04c

Allocated by task 16201:
 save_stack mm/kasan/common.c:69 [inline]
 set_track mm/kasan/common.c:77 [inline]
 __kasan_kmalloc+0x12c/0x1c0 mm/kasan/common.c:510
 slab_post_alloc_hook mm/slab.h:584 [inline]
 slab_alloc_node mm/slub.c:2766 [inline]
 slab_alloc mm/slub.c:2774 [inline]
 kmem_cache_alloc+0x1d5/0x260 mm/slub.c:2779
 __d_alloc+0x2a/0x6b0 fs/dcache.c:1688
 d_alloc_anon fs/dcache.c:1786 [inline]
 d_make_root+0x46/0xd0 fs/dcache.c:1987
 kernfs_fill_super fs/kernfs/mount.c:244 [inline]
 kernfs_get_tree+0x45e/0x690 fs/kernfs/mount.c:317
 cgroup_do_get_tree+0xef/0x5a0 kernel/cgroup/cgroup.c:2101
 cgroup1_get_tree+0x81a/0x9c0 kernel/cgroup/cgroup-v1.c:1221
 vfs_get_tree+0x85/0x260 fs/super.c:1547
 vfs_fsconfig_locked fs/fsopen.c:232 [inline]
 __do_sys_fsconfig fs/fsopen.c:445 [inline]
 __se_sys_fsconfig+0xcd1/0x1140 fs/fsopen.c:314
 do_syscall_64+0xcb/0x150 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 9:
 save_stack mm/kasan/common.c:69 [inline]
 set_track mm/kasan/common.c:77 [inline]
 kasan_set_free_info mm/kasan/common.c:332 [inline]
 __kasan_slab_free+0x181/0x230 mm/kasan/common.c:471
 slab_free_hook mm/slub.c:1424 [inline]
 slab_free_freelist_hook+0xd0/0x150 mm/slub.c:1457
 slab_free mm/slub.c:3014 [inline]
 kmem_cache_free+0xac/0x600 mm/slub.c:3030
 __rcu_reclaim kernel/rcu/rcu.h:222 [inline]
 rcu_do_batch kernel/rcu/tree.c:2158 [inline]
 rcu_core+0xbf0/0x1360 kernel/rcu/tree.c:2378
 __do_softirq+0x2d5/0x725 kernel/softirq.c:292

The buggy address belongs to the object at ffff8881d3810880
 which belongs to the cache dentry of size 208
The buggy address is located 0 bytes inside of
 208-byte region [ffff8881d3810880, ffff8881d3810950)
The buggy address belongs to the page:
page:ffffea00074e0400 refcount:1 mapcount:0 mapping:ffff8881da8ee500 index:0x0
flags: 0x8000000000000200(slab)
raw: 8000000000000200 ffffea00072e2240 0000000600000006 ffff8881da8ee500
raw: 0000000000000000 00000000000f000f 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881d3810780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8881d3810800: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
>ffff8881d3810880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff8881d3810900: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
 ffff8881d3810980: fc fc 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

Crashes (1):

Time:       2020/05/07 17:22
Kernel:     https://android.googlesource.com/kernel/common android-5.4
Commit:     8c464aedacd3
Syzkaller:  98cbd87b
Config:     .config
Log:        console log
Report:     report
Syz repro:  -
C repro:    -
VM info:    -
Assets:     -
Manager:    ci2-android-5-4-kasan
Title:      -