From: Eric Biggers
Date: Thu, 17 Oct 2019 16:00:28 +0000
Subject: Re: WARNING: refcount bug in find_key_to_update
Message-Id: <20191017160028.GA726@sol.localdomain>
References: <000000000000830fe50595115344@google.com> <00000000000071e2fc05951229ad@google.com>
To: Linus Torvalds
Cc: aou@eecs.berkeley.edu, syzbot, Palmer Dabbelt, syzkaller-bugs, James Morris James Morris, Jarkko Sakkinen, Linux Kernel Mailing List, David Howells, LSM List, keyrings@vger.kernel.org, linux-riscv@lists.infradead.org, "Serge E. Hallyn"
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Oct 17, 2019 at 08:53:06AM -0700, Linus Torvalds wrote:
> On Wed, Oct 16, 2019 at 7:42 PM syzbot wrote:
> >
> > syzbot has bisected this bug to 0570bc8b7c9b ("Merge tag
> > 'riscv/for-v5.3-rc1' ...")
>
> Yeah, that looks unlikely. The only non-riscv changes are from
> documentation updates and moving a config variable around.
>
> Looks like the crash is quite unlikely, and only happens in one out of
> ten runs for the ones it has happened to.
>
> The backtrace looks simple enough, though:
>
>   RIP: 0010:refcount_inc_checked+0x2b/0x30 lib/refcount.c:156
>    __key_get include/linux/key.h:281 [inline]
>    find_key_to_update+0x67/0x80 security/keys/keyring.c:1127
>    key_create_or_update+0x4e5/0xb20 security/keys/key.c:905
>    __do_sys_add_key security/keys/keyctl.c:132 [inline]
>    __se_sys_add_key security/keys/keyctl.c:72 [inline]
>    __x64_sys_add_key+0x219/0x3f0 security/keys/keyctl.c:72
>    do_syscall_64+0xd0/0x540 arch/x86/entry/common.c:296
>    entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
> which to me implies that there's some locking bug, and somebody
> released the key without holding a lock.
>
> That code looks a bit confused to me. Releasing a key without holding
> a lock looks permitted, but if that's the case then __key_get() is
> complete garbage. It would need to use 'refcount_inc_not_zero()' and
> failure would require failing the caller.
>
> But I haven't followed the key locking rules, so who knows. That "put
> without lock" scenario would explain the crash, though.
>
> David?
>

Yes this is a bogus bisection.

The key is supposed to have refcount >= 1 since it's in a keyring.
So some bug is causing it to have refcount 0. Perhaps some place calling
key_put() too many times.

Unfortunately I can't get the reproducer to work locally.

Note that there are 2 other syzbot reports that look related.
No reproducers for them, though:

Title:              KASAN: use-after-free Read in key_put
Last occurred:      1 day ago
Reported:           28 days ago
Branches:           Mainline
Dashboard link:     https://syzkaller.appspot.com/bug?id=f13750b1124e01191250cf930086dcc40740fa30
Original thread:    https://lore.kernel.org/lkml/0000000000008c3e590592cf4b7f@google.com/T/#u

Title:              KASAN: use-after-free Read in keyring_compare_object
Last occurred:      49 days ago
Reported:           84 days ago
Branches:           Mainline
Dashboard link:     https://syzkaller.appspot.com/bug?id=529ab6a98286c2a97c445988a62760a58d4a1d4b
Original thread:    https://lore.kernel.org/lkml/000000000000038ef6058e6f3592@google.com/T/#u

- Eric
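
Added example (not part of the original thread and not kernel source): a userspace C11 model of the distinction raised in the quoted text between an unconditional get and refcount_inc_not_zero(), run over the "one key_put() too many" case. The model_* names and the single-threaded scenario are assumptions made for illustration; saturation on overflow is not modelled.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-in for a refcounted object such as a key. */
struct model_key {
    atomic_uint usage;
};

static unsigned int model_warnings; /* counts "increment on 0" events */

/* Take a reference only if the object is still live (count != 0). */
static bool model_inc_not_zero(struct model_key *k)
{
    unsigned int old = atomic_load(&k->usage);

    do {
        if (old == 0)
            return false;   /* already released: the caller has to fail */
    } while (!atomic_compare_exchange_weak(&k->usage, &old, old + 1));
    return true;
}

/* Unconditional get: only valid if the caller already guarantees >= 1. */
static void model_inc(struct model_key *k)
{
    if (!model_inc_not_zero(k))
        model_warnings++;   /* the condition a checked refcount warns on */
}

/* Constructed scenario: a stray put, then a lookup takes a reference. */
static int model_scenario(bool use_not_zero)
{
    struct model_key k;

    atomic_init(&k.usage, 1);        /* reference held by the keyring */
    model_warnings = 0;
    atomic_fetch_sub(&k.usage, 1);   /* one put too many: count is now 0 */
    if (use_not_zero)
        return model_inc_not_zero(&k) ? 0 : -1;  /* lookup fails cleanly */
    model_inc(&k);
    return (int)model_warnings;      /* increment-on-zero was detected */
}

int main(void)
{
    printf("unconditional get: %d warning(s)\n", model_scenario(false));
    printf("inc_not_zero:      %d\n", model_scenario(true));
    return 0;
}
```
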