From: Axel Rasmussen <axelrasmussen@google.com>
To: syzbot <syzbot+19e6dd9943972fa1c58a@syzkaller.appspotmail.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
	"David S. Miller" <davem@davemloft.net>,
	dsahern@kernel.org, gregkh@linuxfoundation.org, kuba@kernel.org,
	LKML <linux-kernel@vger.kernel.org>,
	liuhangbin@gmail.com, netdev@vger.kernel.org,
	sfr@canb.auug.org.au, syzkaller-bugs@googlegroups.com,
	tj@kernel.org, Vlastimil Babka <vbabka@suse.cz>
Subject: Re: KASAN: use-after-free Write in kernfs_path_from_node_locked
Date: Mon, 30 Nov 2020 10:02:16 -0800	[thread overview]
Message-ID: <CAJHvVcgshQpsHc7LbT9rj4VPCc0bL7Y3c_tGE0c5mUP5Q+8JjA@mail.gmail.com> (raw)
In-Reply-To: <000000000000d0f2fb05b552b3f3@google.com>

I spent some time looking into this:

I think there are actually two bugs here. The write-after-free in
kernfs_path_from_node_locked has an entirely different call trace
(towards the end of this log:
https://syzkaller.appspot.com/text?tag=CrashLog&x=16b1e0e9500000)
compared to the NULL pointer dereference in the neigh_periodic_work crash.

For the neigh_periodic_work crash, I struggle to see how this is
related to 0f818c4bc1. It looks like what happens is at some point (I
haven't spotted where) we free struct neighbour->lock, and then later
when the workqueue calls into us we try to acquire it. I don't see any
connection between this code and 0f818c4bc1. The lock in question
isn't mmap_lock, but rather a separate lock owned by the struct
neighbour.

For the kernfs_path_from_node_locked crash, that one *does* look
related to 0f818c4bc1. I'll continue debugging and send a patch.

On Mon, Nov 30, 2020 at 5:08 AM syzbot
<syzbot+19e6dd9943972fa1c58a@syzkaller.appspotmail.com> wrote:
>
> syzbot has bisected this issue to:
>
> commit 0f818c4bc1f3dc0d6d0ea916e0ab30cf5e75f4c0
> Author: Axel Rasmussen <axelrasmussen@google.com>
> Date:   Tue Nov 24 05:37:42 2020 +0000
>
>     mm: mmap_lock: add tracepoints around lock acquisition
>
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=1626291d500000
> start commit:   6174f052 Add linux-next specific files for 20201127
> git tree:       linux-next
> final oops:     https://syzkaller.appspot.com/x/report.txt?x=1526291d500000
> console output: https://syzkaller.appspot.com/x/log.txt?x=1126291d500000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=79c69cf2521bef9c
> dashboard link: https://syzkaller.appspot.com/bug?extid=19e6dd9943972fa1c58a
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=12c3351d500000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14c28809500000
>
> Reported-by: syzbot+19e6dd9943972fa1c58a@syzkaller.appspotmail.com
> Fixes: 0f818c4bc1f3 ("mm: mmap_lock: add tracepoints around lock acquisition")
>
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection
