bisecting cause commit starting from 9c0c4d24ac000e52d55348961d3a3ba42065e0cf building syzkaller on 282f03fbbd76ae15c1ed5e934873fbbc47735176 testing commit 9c0c4d24ac000e52d55348961d3a3ba42065e0cf compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: a90fc323b5b6e8474cb62004f8c73e5882734e8335c43731faec23e6564756e9 run #0: crashed: WARNING: refcount bug in sys_memfd_secret run #1: crashed: WARNING: refcount bug in sys_memfd_secret run #2: crashed: WARNING: refcount bug in sys_memfd_secret run #3: crashed: WARNING: refcount bug in sys_memfd_secret run #4: crashed: WARNING: refcount bug in sys_memfd_secret run #5: crashed: WARNING: refcount bug in sys_memfd_secret run #6: crashed: WARNING: refcount bug in sys_memfd_secret run #7: crashed: WARNING: refcount bug in sys_memfd_secret run #8: crashed: WARNING: refcount bug in sys_memfd_secret run #9: crashed: WARNING: refcount bug in sys_memfd_secret run #10: crashed: WARNING: refcount bug in sys_memfd_secret run #11: crashed: WARNING: refcount bug in sys_memfd_secret run #12: crashed: WARNING: refcount bug in corrupted run #13: crashed: WARNING: refcount bug in sys_memfd_secret run #14: crashed: WARNING: refcount bug in sys_memfd_secret run #15: crashed: WARNING: refcount bug in sys_memfd_secret run #16: crashed: WARNING: refcount bug in sys_memfd_secret run #17: crashed: WARNING: refcount bug in sys_memfd_secret run #18: crashed: WARNING: refcount bug in sys_memfd_secret run #19: crashed: WARNING: refcount bug in sys_memfd_secret testing release v5.14 testing commit 7d2a07b769330c34b4deabeed939325c77a7ec2f compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: e7f82353780f7353f2b9831acf2c3b929072ab7502510d2c9ec919816098867b all runs: OK # git bisect start 9c0c4d24ac000e52d55348961d3a3ba42065e0cf 7d2a07b769330c34b4deabeed939325c77a7ec2f Bisecting: 6410 revisions left to test after this (roughly 13 steps) [477f70cd2a67904e04c2c2b9bd0fa2e95222f2f6] Merge tag 'drm-next-2021-08-31-1' of git://anongit.freedesktop.org/drm/drm testing commit 477f70cd2a67904e04c2c2b9bd0fa2e95222f2f6 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 041caf1a772a9f20fd4bd491511214fae8a8868c2b3440a0a2fe39faf2aa24a2 all runs: OK # git bisect good 477f70cd2a67904e04c2c2b9bd0fa2e95222f2f6 Bisecting: 3136 revisions left to test after this (roughly 12 steps) [192ad3c27a4895ee4b2fa31c5b54a932f5bb08c1] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm testing commit 192ad3c27a4895ee4b2fa31c5b54a932f5bb08c1 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 33808b288fc62bff8b2348ba8646124f0fa6bc57216904f3b1feabab0751eb55 all runs: OK # git bisect good 192ad3c27a4895ee4b2fa31c5b54a932f5bb08c1 Bisecting: 1569 revisions left to test after this (roughly 11 steps) [831c9bd3dafc811bd5f740777fd1ef92b08bb0e4] Merge tag 'selinux-pr-20210923' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux testing commit 831c9bd3dafc811bd5f740777fd1ef92b08bb0e4 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 257d3032d06901dc98acd203741da7d2761d59049ee3b83dc6a1f4a3dc829b6e all runs: crashed: WARNING: refcount bug in sys_memfd_secret # git bisect bad 831c9bd3dafc811bd5f740777fd1ef92b08bb0e4 Bisecting: 787 revisions left to test after this (roughly 10 steps) [17a99e521f67743a5d3405cba0aacd8a10f9ff7d] tools headers UAPI: Update tools's copy of drm.h headers testing commit 17a99e521f67743a5d3405cba0aacd8a10f9ff7d compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 544921ed69f51887a377abbcb2ad785ea24203a5021a2a3b1b485972ab893ddd all runs: crashed: WARNING: refcount bug in sys_memfd_secret # git bisect bad 17a99e521f67743a5d3405cba0aacd8a10f9ff7d Bisecting: 383 revisions left to test after this (roughly 9 steps) [2d338201d5311bcd79d42f66df4cecbcbc5f4f2c] Merge branch 'akpm' (patches from Andrew) testing commit 2d338201d5311bcd79d42f66df4cecbcbc5f4f2c compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 940fbf754de6e3113944f52ddd34385b6eceed03defbc3e397920f83deb32661 run #0: basic kernel testing failed: KFENCE: use-after-free in kvm_fastop_exception run #1: crashed: WARNING: refcount bug in sys_memfd_secret run #2: crashed: WARNING: refcount bug in sys_memfd_secret run #3: crashed: WARNING: refcount bug in sys_memfd_secret run #4: crashed: WARNING: refcount bug in sys_memfd_secret run #5: crashed: WARNING: refcount bug in sys_memfd_secret run #6: crashed: WARNING: refcount bug in sys_memfd_secret run #7: crashed: WARNING: refcount bug in sys_memfd_secret run #8: crashed: WARNING: refcount bug in sys_memfd_secret run #9: crashed: WARNING: refcount bug in sys_memfd_secret # git bisect bad 2d338201d5311bcd79d42f66df4cecbcbc5f4f2c Bisecting: 233 revisions left to test after this (roughly 8 steps) [742a4c49a82a8fe1369e4ec2af4a9bf69123cb88] Merge branch 'remotes/lorenzo/pci/tools' testing commit 742a4c49a82a8fe1369e4ec2af4a9bf69123cb88 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 6fcebfffe0ae545575946743d6d18824d0811a9c916de4f4078ed0051bbb648f all runs: OK # git bisect good 742a4c49a82a8fe1369e4ec2af4a9bf69123cb88 Bisecting: 128 revisions left to test after this (roughly 7 steps) [49832c819ab85b33b7a2a1429c8d067e82be2977] Makefile: use -Wno-main in the full kernel tree testing commit 49832c819ab85b33b7a2a1429c8d067e82be2977 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: e1225f32307e92fa9ecb82c917fd64a94fde90c25e1843e0399d77e51af675f8 all runs: OK # git bisect good 49832c819ab85b33b7a2a1429c8d067e82be2977 Bisecting: 64 revisions left to test after this (roughly 6 steps) [1c3493bb290bc654d13063a88660c070ad4eabcd] Documentation/llvm: update IRC location testing commit 1c3493bb290bc654d13063a88660c070ad4eabcd compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: d541c03f12a7a0dc34a59418616ab4640644cb18c277b61c8cb932807e81848e all runs: crashed: WARNING: refcount bug in sys_memfd_secret # git bisect bad 1c3493bb290bc654d13063a88660c070ad4eabcd Bisecting: 31 revisions left to test after this (roughly 5 steps) [b9a6ac4e4ede4172d165c133398b93e3233b0ba7] mm/damon: adaptively adjust regions testing commit b9a6ac4e4ede4172d165c133398b93e3233b0ba7 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 8f0673211eb2c3e7081a272cd9e74dee446095c5057ace0fee1a9b39d73b76e2 run #0: crashed: WARNING: refcount bug in sys_memfd_secret run #1: crashed: WARNING: refcount bug in sys_memfd_secret run #2: crashed: WARNING: refcount bug in sys_memfd_secret run #3: crashed: WARNING: refcount bug in sys_memfd_secret run #4: crashed: WARNING: refcount bug in sys_memfd_secret run #5: crashed: WARNING: refcount bug in sys_memfd_secret run #6: crashed: WARNING: refcount bug in sys_memfd_secret run #7: crashed: WARNING: refcount bug in sys_memfd_secret run #8: crashed: WARNING: refcount bug in sys_memfd_secret run #9: crashed: WARNING: refcount bug in corrupted # git bisect bad b9a6ac4e4ede4172d165c133398b93e3233b0ba7 Bisecting: 15 revisions left to test after this (roughly 4 steps) [445fcf7c721450dd1d4ec6c217b3c6a932602a44] mm/memory_hotplug: memory group aware "auto-movable" online policy testing commit 445fcf7c721450dd1d4ec6c217b3c6a932602a44 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 8ff5a7d3878f30c70e541a38c4a2f957bd35d9795b2010668148bdb778a572ec all runs: OK # git bisect good 445fcf7c721450dd1d4ec6c217b3c6a932602a44 Bisecting: 7 revisions left to test after this (roughly 3 steps) [513861202d1259e35934e206b79cd54f523d79b5] highmem: don't disable preemption on RT in kmap_atomic() testing commit 513861202d1259e35934e206b79cd54f523d79b5 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 56f17ea082aefaac98467a18b3744f6de0ea2ba30299934a33be6eb8fca6dabb all runs: OK # git bisect good 513861202d1259e35934e206b79cd54f523d79b5 Bisecting: 3 revisions left to test after this (roughly 2 steps) [4bbf04aa9aa88ae41205e387d35743a9bf5e933d] kfence: show cpu and timestamp in alloc/free info testing commit 4bbf04aa9aa88ae41205e387d35743a9bf5e933d compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: c6d93a819db9ce8722096ae10ada1d21311a5b2d29b2afc78a2c2de6305b931a all runs: crashed: WARNING: refcount bug in sys_memfd_secret # git bisect bad 4bbf04aa9aa88ae41205e387d35743a9bf5e933d Bisecting: 1 revision left to test after this (roughly 1 step) [41c961b9013ee9b6d0491f6926df546e37964b1f] mm: introduce PAGEFLAGS_MASK to replace ((1UL << NR_PAGEFLAGS) - 1) testing commit 41c961b9013ee9b6d0491f6926df546e37964b1f compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: b2f469e01e654209e8f02c3fd7e2773c9c4971b4fb6b53127d09201582bb5028 all runs: OK # git bisect good 41c961b9013ee9b6d0491f6926df546e37964b1f Bisecting: 0 revisions left to test after this (roughly 0 steps) [110860541f443f950c1274f217a1a3e298670a33] mm/secretmem: use refcount_t instead of atomic_t testing commit 110860541f443f950c1274f217a1a3e298670a33 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 43220e353f03a45140c6eaea3443a15e315bf3453cbee400a9504ba8b8afbe12 run #0: crashed: WARNING: refcount bug in sys_memfd_secret run #1: crashed: WARNING: refcount bug in sys_memfd_secret run #2: crashed: WARNING: refcount bug in sys_memfd_secret run #3: crashed: WARNING: refcount bug in sys_memfd_secret run #4: crashed: WARNING: refcount bug in sys_memfd_secret run #5: crashed: WARNING: refcount bug in sys_memfd_secret run #6: crashed: WARNING: refcount bug in corrupted run #7: crashed: WARNING: refcount bug in sys_memfd_secret run #8: crashed: WARNING: refcount bug in sys_memfd_secret run #9: crashed: WARNING: refcount bug in sys_memfd_secret # git bisect bad 110860541f443f950c1274f217a1a3e298670a33 110860541f443f950c1274f217a1a3e298670a33 is the first bad commit commit 110860541f443f950c1274f217a1a3e298670a33 Author: Jordy Zomer Date: Tue Sep 7 19:56:18 2021 -0700 mm/secretmem: use refcount_t instead of atomic_t When a secret memory region is active, memfd_secret disables hibernation. One of the goals is to keep the secret data from being written to persistent-storage. It accomplishes this by maintaining a reference count to `secretmem_users`. Once this reference is held your system can not be hibernated due to the check in `hibernation_available()`. However, because `secretmem_users` is of type `atomic_t`, reference counter overflows are possible. As you can see there's an `atomic_inc` for each `memfd` that is opened in the `memfd_secret` syscall. If a local attacker succeeds to open 2^32 memfd's, the counter will wrap around to 0. This implies that you may hibernate again, even though there are still regions of this secret memory, thereby bypassing the security check. In an attempt to fix this I have used `refcount_t` instead of `atomic_t` which prevents reference counter overflows. Link: https://lkml.kernel.org/r/20210820043339.2151352-1-jordy@pwning.systems Signed-off-by: Jordy Zomer Cc: Kees Cook , Cc: Jordy Zomer Cc: James Bottomley Cc: Mike Rapoport Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/secretmem.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) culprit signature: 43220e353f03a45140c6eaea3443a15e315bf3453cbee400a9504ba8b8afbe12 parent signature: b2f469e01e654209e8f02c3fd7e2773c9c4971b4fb6b53127d09201582bb5028 revisions tested: 16, total time: 3h26m46.89765841s (build: 1h46m23.43119575s, test: 1h38m51.101366702s) first bad commit: 110860541f443f950c1274f217a1a3e298670a33 mm/secretmem: use refcount_t instead of atomic_t recipients (to): ["akpm@linux-foundation.org" "jordy@jordyzomer.github.io" "jordy@pwning.systems" "torvalds@linux-foundation.org"] recipients (cc): [] crash: WARNING: refcount bug in sys_memfd_secret ------------[ cut here ]------------ refcount_t: addition on 0; use-after-free. WARNING: CPU: 0 PID: 10180 at lib/refcount.c:25 refcount_warn_saturate+0xdd/0x140 lib/refcount.c:25 Modules linked in: CPU: 0 PID: 10180 Comm: syz-executor.0 Not tainted 5.14.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:refcount_warn_saturate+0xdd/0x140 lib/refcount.c:25 Code: ea 52 c6 08 01 e8 8a 3e 9e 04 0f 0b eb 9d 80 3d d9 52 c6 08 00 75 94 48 c7 c7 00 44 fe 88 c6 05 c9 52 c6 08 01 e8 6a 3e 9e 04 <0f> 0b e9 7a ff ff ff 80 3d b3 52 c6 08 00 0f 85 6d ff ff ff 48 c7 RSP: 0000:ffffc9000b247f10 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffffffff8f0ff0a0 RCX: 0000000000000000 RDX: 0000000000000001 RSI: ffffffff88fe8140 RDI: fffff52001648fd4 RBP: 0000000000000002 R08: 0000000000000001 R09: ffff8880b9e4bfc7 R10: ffffed10173c97f8 R11: 746e756f63666572 R12: ffffc9000b247f58 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 FS: 00007fd7fb57d700(0000) GS:ffff8880b9e00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fa311984008 CR3: 0000000045b9d000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __refcount_add include/linux/refcount.h:199 [inline] __refcount_inc include/linux/refcount.h:250 [inline] refcount_inc include/linux/refcount.h:267 [inline] __do_sys_memfd_secret mm/secretmem.c:221 [inline] __se_sys_memfd_secret mm/secretmem.c:194 [inline] __x64_sys_memfd_secret+0xe1/0x140 mm/secretmem.c:194 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7fd7fbe07a39 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fd7fb57d188 EFLAGS: 00000246 ORIG_RAX: 00000000000001bf RAX: ffffffffffffffda RBX: 00007fd7fbf0af60 RCX: 00007fd7fbe07a39 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 00007fd7fbe61e8f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fff971c67ef R14: 00007fd7fb57d300 R15: 0000000000022000