bisecting cause commit starting from 9c0c4d24ac000e52d55348961d3a3ba42065e0cf building syzkaller on 282f03fbbd76ae15c1ed5e934873fbbc47735176 testing commit 9c0c4d24ac000e52d55348961d3a3ba42065e0cf compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 00453a6dc3f46581e848d1cdec7a53df6fdb2cd531d89eafe635281cd7e7e940 all runs: crashed: WARNING: refcount bug in sys_memfd_secret testing release v5.14 testing commit 7d2a07b769330c34b4deabeed939325c77a7ec2f compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 299648a482fed26dd2696bc4fcb2c36c6acae408a78761d7dbb2b7d0f2934d2d all runs: OK # git bisect start 9c0c4d24ac000e52d55348961d3a3ba42065e0cf 7d2a07b769330c34b4deabeed939325c77a7ec2f Bisecting: 6410 revisions left to test after this (roughly 13 steps) [477f70cd2a67904e04c2c2b9bd0fa2e95222f2f6] Merge tag 'drm-next-2021-08-31-1' of git://anongit.freedesktop.org/drm/drm testing commit 477f70cd2a67904e04c2c2b9bd0fa2e95222f2f6 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: db51ba869f9f46cb43c5fbb35d7f7f33f02d8400770571f0246f9aed58e9bfa2 run #0: OK run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: boot failed: possible deadlock in blktrans_open # git bisect good 477f70cd2a67904e04c2c2b9bd0fa2e95222f2f6 Bisecting: 3136 revisions left to test after this (roughly 12 steps) [192ad3c27a4895ee4b2fa31c5b54a932f5bb08c1] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm testing commit 192ad3c27a4895ee4b2fa31c5b54a932f5bb08c1 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 9c49d0ae6eb0bbeaae54661a3c79e9ed3c1b3306a4e1ff6f7fa0707e8be1b55f all runs: OK # git bisect good 192ad3c27a4895ee4b2fa31c5b54a932f5bb08c1 Bisecting: 1569 revisions left to test after this (roughly 11 steps) [831c9bd3dafc811bd5f740777fd1ef92b08bb0e4] Merge tag 'selinux-pr-20210923' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux testing commit 831c9bd3dafc811bd5f740777fd1ef92b08bb0e4 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 9aaef3bee14cf1ed6561d46c9936187e7473f79f76c7f25685d4c3b4501efaa8 all runs: crashed: WARNING: refcount bug in sys_memfd_secret # git bisect bad 831c9bd3dafc811bd5f740777fd1ef92b08bb0e4 Bisecting: 787 revisions left to test after this (roughly 10 steps) [17a99e521f67743a5d3405cba0aacd8a10f9ff7d] tools headers UAPI: Update tools's copy of drm.h headers testing commit 17a99e521f67743a5d3405cba0aacd8a10f9ff7d compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 231d94879869e8c08748151fe3b30019e53ce113e0e81fa5b21112d494d7e5ba all runs: crashed: WARNING: refcount bug in sys_memfd_secret # git bisect bad 17a99e521f67743a5d3405cba0aacd8a10f9ff7d Bisecting: 383 revisions left to test after this (roughly 9 steps) [2d338201d5311bcd79d42f66df4cecbcbc5f4f2c] Merge branch 'akpm' (patches from Andrew) testing commit 2d338201d5311bcd79d42f66df4cecbcbc5f4f2c compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: cc8150f216e6039b84b81def4f1609527a13917869d12adb99ef13314f4f3186 all runs: crashed: WARNING: refcount bug in sys_memfd_secret # git bisect bad 2d338201d5311bcd79d42f66df4cecbcbc5f4f2c Bisecting: 233 revisions left to test after this (roughly 8 steps) [742a4c49a82a8fe1369e4ec2af4a9bf69123cb88] Merge branch 'remotes/lorenzo/pci/tools' testing commit 742a4c49a82a8fe1369e4ec2af4a9bf69123cb88 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 9c685dd0d3fe38bf393d449cec1c23bed3fb06f6cda1d5dc94bc25e15f70e837 all runs: OK # git bisect good 742a4c49a82a8fe1369e4ec2af4a9bf69123cb88 Bisecting: 128 revisions left to test after this (roughly 7 steps) [49832c819ab85b33b7a2a1429c8d067e82be2977] Makefile: use -Wno-main in the full kernel tree testing commit 49832c819ab85b33b7a2a1429c8d067e82be2977 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: e5b5d373dbda0e0ae2c8be9a528ebc6175166b9c89dcda99288ef14fc950d13d all runs: OK # git bisect good 49832c819ab85b33b7a2a1429c8d067e82be2977 Bisecting: 64 revisions left to test after this (roughly 6 steps) [1c3493bb290bc654d13063a88660c070ad4eabcd] Documentation/llvm: update IRC location testing commit 1c3493bb290bc654d13063a88660c070ad4eabcd compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: f20b80120a961cf3db231e2da84b5148880e9df4b4c170b9362cb275211ff82a run #0: crashed: WARNING: refcount bug in sys_memfd_secret run #1: crashed: WARNING: refcount bug in corrupted run #2: crashed: WARNING: refcount bug in sys_memfd_secret run #3: crashed: WARNING: refcount bug in sys_memfd_secret run #4: crashed: WARNING: refcount bug in sys_memfd_secret run #5: crashed: WARNING: refcount bug in sys_memfd_secret run #6: crashed: WARNING: refcount bug in sys_memfd_secret run #7: crashed: WARNING: refcount bug in sys_memfd_secret run #8: crashed: WARNING: refcount bug in sys_memfd_secret run #9: crashed: WARNING: refcount bug in sys_memfd_secret # git bisect bad 1c3493bb290bc654d13063a88660c070ad4eabcd Bisecting: 31 revisions left to test after this (roughly 5 steps) [b9a6ac4e4ede4172d165c133398b93e3233b0ba7] mm/damon: adaptively adjust regions testing commit b9a6ac4e4ede4172d165c133398b93e3233b0ba7 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 77259476473b3c1ee9c0c42f3fdbba727087ddd65aa98f5aa78e3ac0e7178975 all runs: crashed: WARNING: refcount bug in sys_memfd_secret # git bisect bad b9a6ac4e4ede4172d165c133398b93e3233b0ba7 Bisecting: 15 revisions left to test after this (roughly 4 steps) [445fcf7c721450dd1d4ec6c217b3c6a932602a44] mm/memory_hotplug: memory group aware "auto-movable" online policy testing commit 445fcf7c721450dd1d4ec6c217b3c6a932602a44 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: c1e5489492f7e5728e0d5b6281b1cd548a58f7971395f3cfab4e815ccdc95d15 all runs: OK # git bisect good 445fcf7c721450dd1d4ec6c217b3c6a932602a44 Bisecting: 7 revisions left to test after this (roughly 3 steps) [513861202d1259e35934e206b79cd54f523d79b5] highmem: don't disable preemption on RT in kmap_atomic() testing commit 513861202d1259e35934e206b79cd54f523d79b5 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 3c96465c3b324476e5fc6a4b670a6bcc3191d36e19fc914ff8037eadf2f2edcd all runs: OK # git bisect good 513861202d1259e35934e206b79cd54f523d79b5 Bisecting: 3 revisions left to test after this (roughly 2 steps) [4bbf04aa9aa88ae41205e387d35743a9bf5e933d] kfence: show cpu and timestamp in alloc/free info testing commit 4bbf04aa9aa88ae41205e387d35743a9bf5e933d compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 378c671f6b345acb87a5b4296d23a1e67c0c7c724effbac08cc0cd151293a4b2 all runs: crashed: WARNING: refcount bug in sys_memfd_secret # git bisect bad 4bbf04aa9aa88ae41205e387d35743a9bf5e933d Bisecting: 1 revision left to test after this (roughly 1 step) [41c961b9013ee9b6d0491f6926df546e37964b1f] mm: introduce PAGEFLAGS_MASK to replace ((1UL << NR_PAGEFLAGS) - 1) testing commit 41c961b9013ee9b6d0491f6926df546e37964b1f compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: e5d6eb7c65f99990ae9be63473c1542795b2b88df6c12f7ee690cad73e7077f3 all runs: OK # git bisect good 41c961b9013ee9b6d0491f6926df546e37964b1f Bisecting: 0 revisions left to test after this (roughly 0 steps) [110860541f443f950c1274f217a1a3e298670a33] mm/secretmem: use refcount_t instead of atomic_t testing commit 110860541f443f950c1274f217a1a3e298670a33 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: a4a1e26f8b68b74dc236f295593a8cdafd047847c54cddbda0ad863cabb2c0b0 all runs: crashed: WARNING: refcount bug in sys_memfd_secret # git bisect bad 110860541f443f950c1274f217a1a3e298670a33 110860541f443f950c1274f217a1a3e298670a33 is the first bad commit commit 110860541f443f950c1274f217a1a3e298670a33 Author: Jordy Zomer Date: Tue Sep 7 19:56:18 2021 -0700 mm/secretmem: use refcount_t instead of atomic_t When a secret memory region is active, memfd_secret disables hibernation. One of the goals is to keep the secret data from being written to persistent-storage. It accomplishes this by maintaining a reference count to `secretmem_users`. Once this reference is held your system can not be hibernated due to the check in `hibernation_available()`. However, because `secretmem_users` is of type `atomic_t`, reference counter overflows are possible. As you can see there's an `atomic_inc` for each `memfd` that is opened in the `memfd_secret` syscall. If a local attacker succeeds to open 2^32 memfd's, the counter will wrap around to 0. This implies that you may hibernate again, even though there are still regions of this secret memory, thereby bypassing the security check. In an attempt to fix this I have used `refcount_t` instead of `atomic_t` which prevents reference counter overflows. Link: https://lkml.kernel.org/r/20210820043339.2151352-1-jordy@pwning.systems Signed-off-by: Jordy Zomer Cc: Kees Cook , Cc: Jordy Zomer Cc: James Bottomley Cc: Mike Rapoport Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/secretmem.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) culprit signature: a4a1e26f8b68b74dc236f295593a8cdafd047847c54cddbda0ad863cabb2c0b0 parent signature: e5d6eb7c65f99990ae9be63473c1542795b2b88df6c12f7ee690cad73e7077f3 revisions tested: 16, total time: 3h31m37.507381534s (build: 1h46m41.662225578s, test: 1h43m11.266699287s) first bad commit: 110860541f443f950c1274f217a1a3e298670a33 mm/secretmem: use refcount_t instead of atomic_t recipients (to): ["akpm@linux-foundation.org" "jordy@jordyzomer.github.io" "jordy@pwning.systems" "torvalds@linux-foundation.org"] recipients (cc): [] crash: WARNING: refcount bug in sys_memfd_secret ------------[ cut here ]------------ refcount_t: addition on 0; use-after-free. WARNING: CPU: 0 PID: 10194 at lib/refcount.c:25 refcount_warn_saturate+0xdd/0x140 lib/refcount.c:25 Modules linked in: CPU: 0 PID: 10194 Comm: syz-executor.0 Not tainted 5.14.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:refcount_warn_saturate+0xdd/0x140 lib/refcount.c:25 Code: f3 2a e4 08 01 e8 7f f1 9b 04 0f 0b eb 9d 80 3d e2 2a e4 08 00 75 94 48 c7 c7 c0 22 1f 89 c6 05 d2 2a e4 08 01 e8 5f f1 9b 04 <0f> 0b e9 7a ff ff ff 80 3d bc 2a e4 08 00 0f 85 6d ff ff ff 48 c7 RSP: 0018:ffffc9000a7bff10 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffffffff8f38fd80 RCX: 0000000000000000 RDX: 0000000000000001 RSI: 0000000000000004 RDI: fffff520014f7fd4 RBP: 0000000000000002 R08: 0000000000000001 R09: ffff8880b9e1fa9b R10: ffffed10173c3f53 R11: 746e756f63666572 R12: ffffc9000a7bff58 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 FS: 00007fc5e54d6700(0000) GS:ffff8880b9e00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f87a7a27000 CR3: 000000004da48000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __refcount_add include/linux/refcount.h:199 [inline] __refcount_inc include/linux/refcount.h:250 [inline] refcount_inc include/linux/refcount.h:267 [inline] __do_sys_memfd_secret mm/secretmem.c:221 [inline] __se_sys_memfd_secret mm/secretmem.c:194 [inline] __x64_sys_memfd_secret+0xe1/0x140 mm/secretmem.c:194 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7fc5e5d60a39 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fc5e54d6188 EFLAGS: 00000246 ORIG_RAX: 00000000000001bf RAX: ffffffffffffffda RBX: 00007fc5e5e63f60 RCX: 00007fc5e5d60a39 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 00007fc5e5dbae8f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffca597c8af R14: 00007fc5e54d6300 R15: 0000000000022000