linux-kernel.vger.kernel.org archive mirror
* [syzbot] KASAN: use-after-free Read in post_one_notification
@ 2022-03-21 13:25 syzbot
  2022-03-21 15:40 ` David Howells
  2022-07-23 13:20 ` Siddh Raman Pant
  0 siblings, 2 replies; 17+ messages in thread
From: syzbot @ 2022-03-21 13:25 UTC (permalink / raw)
  To: christophe.jaillet, dhowells, linux-kernel, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    551acdc3c3d2 Merge tag 'net-5.17-final' of git://git.kerne..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=131b279d700000
kernel config:  https://syzkaller.appspot.com/x/.config?x=d35f9bc6884af6c9
dashboard link: https://syzkaller.appspot.com/bug?extid=c70d87ac1d001f29a058
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11dbf961700000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17f5b119700000

Bisection is inconclusive: the issue happens on the oldest tested release.

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=1163699d700000
final oops:     https://syzkaller.appspot.com/x/report.txt?x=1363699d700000
console output: https://syzkaller.appspot.com/x/log.txt?x=1563699d700000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c70d87ac1d001f29a058@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x3f2f/0x56c0 kernel/locking/lockdep.c:4897
Read of size 8 at addr ffff88807bc048a8 by task syz-executor399/3618

CPU: 1 PID: 3618 Comm: syz-executor399 Not tainted 5.17.0-rc8-syzkaller-00045-g551acdc3c3d2 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0x8d/0x336 mm/kasan/report.c:255
 __kasan_report mm/kasan/report.c:442 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
 __lock_acquire+0x3f2f/0x56c0 kernel/locking/lockdep.c:4897
 lock_acquire kernel/locking/lockdep.c:5639 [inline]
 lock_acquire+0x1ab/0x510 kernel/locking/lockdep.c:5604
 __raw_spin_lock_irq include/linux/spinlock_api_smp.h:119 [inline]
 _raw_spin_lock_irq+0x32/0x50 kernel/locking/spinlock.c:170
 spin_lock_irq include/linux/spinlock.h:374 [inline]
 post_one_notification.isra.0+0x59/0x830 kernel/watch_queue.c:86
 __post_watch_notification kernel/watch_queue.c:206 [inline]
 __post_watch_notification+0x561/0x840 kernel/watch_queue.c:176
 post_watch_notification include/linux/watch_queue.h:109 [inline]
 notify_key security/keys/internal.h:199 [inline]
 __key_update security/keys/key.c:775 [inline]
 key_create_or_update+0xdbf/0xde0 security/keys/key.c:979
 __do_sys_add_key+0x215/0x430 security/keys/keyctl.c:134
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f53132c8a89
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f531327a2f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000f8
RAX: ffffffffffffffda RBX: 00007f5313350428 RCX: 00007f53132c8a89
RDX: 00000000200000c0 RSI: 0000000020000080 RDI: 0000000020000040
RBP: 0000000000000000 R08: 00000000fffffffc R09: 0000000000000000
R10: 0000000000000048 R11: 0000000000000246 R12: 00007f5313350420
R13: 00007f531335042c R14: 00007f531331e074 R15: 3a74707972637366
 </TASK>

Allocated by task 3615:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:436 [inline]
 ____kasan_kmalloc mm/kasan/common.c:515 [inline]
 ____kasan_kmalloc mm/kasan/common.c:474 [inline]
 __kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:524
 kmalloc include/linux/slab.h:581 [inline]
 kzalloc include/linux/slab.h:714 [inline]
 alloc_pipe_info+0x105/0x590 fs/pipe.c:790
 get_pipe_inode fs/pipe.c:881 [inline]
 create_pipe_files+0x8d/0x880 fs/pipe.c:913
 __do_pipe_flags fs/pipe.c:962 [inline]
 do_pipe2+0x96/0x1b0 fs/pipe.c:1010
 __do_sys_pipe2 fs/pipe.c:1028 [inline]
 __se_sys_pipe2 fs/pipe.c:1026 [inline]
 __x64_sys_pipe2+0x50/0x70 fs/pipe.c:1026
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 3616:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track+0x21/0x30 mm/kasan/common.c:45
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
 ____kasan_slab_free mm/kasan/common.c:366 [inline]
 ____kasan_slab_free+0x126/0x160 mm/kasan/common.c:328
 kasan_slab_free include/linux/kasan.h:236 [inline]
 slab_free_hook mm/slub.c:1728 [inline]
 slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1754
 slab_free mm/slub.c:3509 [inline]
 kfree+0xd0/0x390 mm/slub.c:4562
 put_pipe_info fs/pipe.c:711 [inline]
 pipe_release+0x2bf/0x320 fs/pipe.c:734
 __fput+0x286/0x9f0 fs/file_table.c:317
 task_work_run+0xdd/0x1a0 kernel/task_work.c:164
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:175 [inline]
 exit_to_user_mode_prepare+0x27e/0x290 kernel/entry/common.c:207
 __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
 syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300
 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff88807bc04800
 which belongs to the cache kmalloc-cg-512 of size 512
The buggy address is located 168 bytes inside of
 512-byte region [ffff88807bc04800, ffff88807bc04a00)
The buggy address belongs to the page:
page:ffffea0001ef0100 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7bc04
head:ffffea0001ef0100 order:2 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 0000000000000000 dead000000000122 ffff888010c42dc0
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 3609, ts 50514720858, free_ts 25116018184
 prep_new_page mm/page_alloc.c:2434 [inline]
 get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4165
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5389
 alloc_pages+0x1aa/0x310 mm/mempolicy.c:2271
 alloc_slab_page mm/slub.c:1799 [inline]
 allocate_slab+0x27f/0x3c0 mm/slub.c:1944
 new_slab mm/slub.c:2004 [inline]
 ___slab_alloc+0xbe1/0x12b0 mm/slub.c:3018
 __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3105
 slab_alloc_node mm/slub.c:3196 [inline]
 slab_alloc mm/slub.c:3238 [inline]
 kmem_cache_alloc_trace+0x2f8/0x3d0 mm/slub.c:3255
 kmalloc include/linux/slab.h:581 [inline]
 kzalloc include/linux/slab.h:714 [inline]
 alloc_pipe_info+0x105/0x590 fs/pipe.c:790
 get_pipe_inode fs/pipe.c:881 [inline]
 create_pipe_files+0x8d/0x880 fs/pipe.c:913
 __do_pipe_flags fs/pipe.c:962 [inline]
 do_pipe2+0x96/0x1b0 fs/pipe.c:1010
 __do_sys_pipe2 fs/pipe.c:1028 [inline]
 __se_sys_pipe2 fs/pipe.c:1026 [inline]
 __x64_sys_pipe2+0x50/0x70 fs/pipe.c:1026
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1352 [inline]
 free_pcp_prepare+0x374/0x870 mm/page_alloc.c:1404
 free_unref_page_prepare mm/page_alloc.c:3325 [inline]
 free_unref_page+0x19/0x690 mm/page_alloc.c:3404
 __unfreeze_partials+0x320/0x340 mm/slub.c:2536
 qlink_free mm/kasan/quarantine.c:157 [inline]
 qlist_free_all+0x6d/0x160 mm/kasan/quarantine.c:176
 kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:283
 __kasan_slab_alloc+0xa2/0xc0 mm/kasan/common.c:446
 kasan_slab_alloc include/linux/kasan.h:260 [inline]
 slab_post_alloc_hook mm/slab.h:732 [inline]
 slab_alloc_node mm/slub.c:3230 [inline]
 slab_alloc mm/slub.c:3238 [inline]
 kmem_cache_alloc_trace+0x258/0x3d0 mm/slub.c:3255
 kmalloc include/linux/slab.h:581 [inline]
 kzalloc include/linux/slab.h:714 [inline]
 tomoyo_print_bprm security/tomoyo/audit.c:26 [inline]
 tomoyo_init_log+0xc6a/0x1ee0 security/tomoyo/audit.c:264
 tomoyo_supervisor+0x34d/0xf00 security/tomoyo/common.c:2097
 tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline]
 tomoyo_env_perm+0x17f/0x1f0 security/tomoyo/environ.c:63
 tomoyo_environ security/tomoyo/domain.c:672 [inline]
 tomoyo_find_next_domain+0x13ce/0x1f80 security/tomoyo/domain.c:879
 tomoyo_bprm_check_security security/tomoyo/tomoyo.c:101 [inline]
 tomoyo_bprm_check_security+0x121/0x1a0 security/tomoyo/tomoyo.c:91
 security_bprm_check+0x45/0xa0 security/security.c:866
 search_binary_handler fs/exec.c:1715 [inline]
 exec_binprm fs/exec.c:1768 [inline]
 bprm_execve fs/exec.c:1837 [inline]
 bprm_execve+0x732/0x19b0 fs/exec.c:1799
 do_execveat_common+0x5e3/0x780 fs/exec.c:1926
 do_execve fs/exec.c:1994 [inline]
 __do_sys_execve fs/exec.c:2070 [inline]
 __se_sys_execve fs/exec.c:2065 [inline]
 __x64_sys_execve+0x8f/0xc0 fs/exec.c:2065

Memory state around the buggy address:
 ffff88807bc04780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88807bc04800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88807bc04880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                  ^
 ffff88807bc04900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88807bc04980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches

^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: [syzbot] KASAN: use-after-free Read in post_one_notification
  2022-03-21 13:25 [syzbot] KASAN: use-after-free Read in post_one_notification syzbot
@ 2022-03-21 15:40 ` David Howells
  2022-03-22  7:52   ` Dmitry Vyukov
  2022-07-23 13:20 ` Siddh Raman Pant
  1 sibling, 1 reply; 17+ messages in thread
From: David Howells @ 2022-03-21 15:40 UTC (permalink / raw)
  To: syzbot; +Cc: dhowells, christophe.jaillet, linux-kernel, syzkaller-bugs

> memcpy((void*)0x20000280, "/dev/adsp1\000", 11);

Is that significant to the test?!  I presume it's some sort of sound device?

David



* Re: [syzbot] KASAN: use-after-free Read in post_one_notification
  2022-03-21 15:40 ` David Howells
@ 2022-03-22  7:52   ` Dmitry Vyukov
  0 siblings, 0 replies; 17+ messages in thread
From: Dmitry Vyukov @ 2022-03-22  7:52 UTC (permalink / raw)
  To: David Howells; +Cc: syzbot, christophe.jaillet, linux-kernel, syzkaller-bugs

On Mon, 21 Mar 2022 at 16:40, David Howells <dhowells@redhat.com> wrote:
>
> > memcpy((void*)0x20000280, "/dev/adsp1\000", 11);
>
> Is that significant to the test?!  I presume it's some sort of sound device?

Hi David,

syzkaller tries to minimize reproducers and remove anything that's not
necessary to reproduce the crash.
However, this is done mechanically. Things may have some secondary
effects that prevent removal, or a crash may be simply flaky and then
removing just anything may lead to no crash.


* Re: [syzbot] KASAN: use-after-free Read in post_one_notification
  2022-03-21 13:25 [syzbot] KASAN: use-after-free Read in post_one_notification syzbot
  2022-03-21 15:40 ` David Howells
@ 2022-07-23 13:20 ` Siddh Raman Pant
  2022-07-23 13:21   ` syzbot
  1 sibling, 1 reply; 17+ messages in thread
From: Siddh Raman Pant @ 2022-07-23 13:20 UTC (permalink / raw)
  To: syzbot+c70d87ac1d001f29a058
  Cc: christophe.jaillet, dhowells, linux-kernel, syzkaller-bugs

#syz test: git@github.com:siddhpant/linux.git post_one_notification



* Re: [syzbot] KASAN: use-after-free Read in post_one_notification
  2022-07-23 13:20 ` Siddh Raman Pant
@ 2022-07-23 13:21   ` syzbot
  2022-07-23 13:22     ` Siddh Raman Pant
  0 siblings, 1 reply; 17+ messages in thread
From: syzbot @ 2022-07-23 13:21 UTC (permalink / raw)
  To: christophe.jaillet, code, dhowells, linux-kernel, syzkaller-bugs

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to checkout kernel repo git@github.com:siddhpant/linux.git/post_one_notification: failed to run ["git" "fetch" "--force" "219a8dc7158a7de03b74c244ef07dcd062b9b3f7" "post_one_notification"]: exit status 128
Host key verification failed.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.



Tested on:

commit:         [unknown 
git tree:       git@github.com:siddhpant/linux.git post_one_notification
dashboard link: https://syzkaller.appspot.com/bug?extid=c70d87ac1d001f29a058
compiler:       

Note: no patches were applied.


* Re: [syzbot] KASAN: use-after-free Read in post_one_notification
  2022-07-23 13:21   ` syzbot
@ 2022-07-23 13:22     ` Siddh Raman Pant
  2022-07-23 13:42       ` syzbot
  2022-07-24  3:41       ` Siddh Raman Pant
  0 siblings, 2 replies; 17+ messages in thread
From: Siddh Raman Pant @ 2022-07-23 13:22 UTC (permalink / raw)
  To: syzbot; +Cc: christophe.jaillet, dhowells, linux-kernel, syzkaller-bugs

#syz test: https://github.com/siddhpant/linux.git post_one_notification


* Re: [syzbot] KASAN: use-after-free Read in post_one_notification
  2022-07-23 13:22     ` Siddh Raman Pant
@ 2022-07-23 13:42       ` syzbot
  2022-07-24  3:41       ` Siddh Raman Pant
  1 sibling, 0 replies; 17+ messages in thread
From: syzbot @ 2022-07-23 13:42 UTC (permalink / raw)
  To: christophe.jaillet, code, dhowells, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+c70d87ac1d001f29a058@syzkaller.appspotmail.com

Tested on:

commit:         778e6ace kernel/watch_queue: Make pipe NULL while clea..
git tree:       https://github.com/siddhpant/linux.git post_one_notification
console output: https://syzkaller.appspot.com/x/log.txt?x=13049d52080000
kernel config:  https://syzkaller.appspot.com/x/.config?x=95c061eee05f8e15
dashboard link: https://syzkaller.appspot.com/bug?extid=c70d87ac1d001f29a058
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2

Note: no patches were applied.
Note: testing is done by a robot and is best-effort only.


* Re: [syzbot] KASAN: use-after-free Read in post_one_notification
  2022-07-23 13:22     ` Siddh Raman Pant
  2022-07-23 13:42       ` syzbot
@ 2022-07-24  3:41       ` Siddh Raman Pant
  2022-07-24  4:01         ` syzbot
  1 sibling, 1 reply; 17+ messages in thread
From: Siddh Raman Pant @ 2022-07-24  3:41 UTC (permalink / raw)
  To: syzbot; +Cc: christophe.jaillet, dhowells, linux-kernel, syzkaller-bugs

#syz test: https://github.com/siddhpant/linux.git post_one_notification


* Re: [syzbot] KASAN: use-after-free Read in post_one_notification
  2022-07-24  3:41       ` Siddh Raman Pant
@ 2022-07-24  4:01         ` syzbot
  2022-07-28 15:30           ` Siddh Raman Pant
  0 siblings, 1 reply; 17+ messages in thread
From: syzbot @ 2022-07-24  4:01 UTC (permalink / raw)
  To: christophe.jaillet, code, dhowells, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+c70d87ac1d001f29a058@syzkaller.appspotmail.com

Tested on:

commit:         fa4c07d9 kernel/watch_queue: Make pipe NULL while clea..
git tree:       https://github.com/siddhpant/linux.git post_one_notification
console output: https://syzkaller.appspot.com/x/log.txt?x=17f5cf52080000
kernel config:  https://syzkaller.appspot.com/x/.config?x=95c061eee05f8e15
dashboard link: https://syzkaller.appspot.com/bug?extid=c70d87ac1d001f29a058
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2

Note: no patches were applied.
Note: testing is done by a robot and is best-effort only.


* Re: [syzbot] KASAN: use-after-free Read in post_one_notification
  2022-07-24  4:01         ` syzbot
@ 2022-07-28 15:30           ` Siddh Raman Pant
  2022-07-28 15:50             ` syzbot
  0 siblings, 1 reply; 17+ messages in thread
From: Siddh Raman Pant @ 2022-07-28 15:30 UTC (permalink / raw)
  To: syzbot; +Cc: christophe.jaillet, dhowells, linux-kernel, syzkaller-bugs

#syz test: https://github.com/siddhpant/linux.git post_one_notification



* Re: [syzbot] KASAN: use-after-free Read in post_one_notification
  2022-07-28 15:30           ` Siddh Raman Pant
@ 2022-07-28 15:50             ` syzbot
  0 siblings, 0 replies; 17+ messages in thread
From: syzbot @ 2022-07-28 15:50 UTC (permalink / raw)
  To: christophe.jaillet, code, dhowells, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+c70d87ac1d001f29a058@syzkaller.appspotmail.com

Tested on:

commit:         16007670 kernel/watch_queue: Make pipe NULL while clea..
git tree:       https://github.com/siddhpant/linux.git post_one_notification
console output: https://syzkaller.appspot.com/x/log.txt?x=11a6eade080000
kernel config:  https://syzkaller.appspot.com/x/.config?x=95c061eee05f8e15
dashboard link: https://syzkaller.appspot.com/bug?extid=c70d87ac1d001f29a058
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2

Note: no patches were applied.
Note: testing is done by a robot and is best-effort only.


* Re: [syzbot] KASAN: use-after-free Read in post_one_notification
  2022-08-03  4:09       ` Eric Biggers
@ 2022-08-03  5:17         ` Siddh Raman Pant
  0 siblings, 0 replies; 17+ messages in thread
From: Siddh Raman Pant @ 2022-08-03  5:17 UTC (permalink / raw)
  To: Eric Biggers; +Cc: syzbot, hdanton, linux-kernel, syzkaller-bugs

On Wed, 03 Aug 2022 09:39:34 +0530  Eric Biggers <ebiggers@kernel.org> wrote:
 > I don't think that's true; the pointer doesn't get dereferenced after
 > watch_queue::defunct is set.  See my message on the other thread where I
 > explained this: https://lore.kernel.org/lkml/YunKlJCDlmyn2hJ4@sol.localdomain
 > 
 > Of course, if you actually have a reproducer, or a KASAN report, or anything at
 > all that shows there is still a problem, then please post it.
 > 
 > - Eric

Replying to the other thread.

Thanks,
Siddh


* Re: [syzbot] KASAN: use-after-free Read in post_one_notification
  2022-08-03  4:04     ` Siddh Raman Pant
@ 2022-08-03  4:09       ` Eric Biggers
  2022-08-03  5:17         ` Siddh Raman Pant
  0 siblings, 1 reply; 17+ messages in thread
From: Eric Biggers @ 2022-08-03  4:09 UTC (permalink / raw)
  To: Siddh Raman Pant; +Cc: syzbot, hdanton, linux-kernel, syzkaller-bugs

On Wed, Aug 03, 2022 at 09:34:10AM +0530, Siddh Raman Pant wrote:
> On Wed, 03 Aug 2022 03:57:19 +0530  Eric Biggers <ebiggers@kernel.org> wrote:
> > It appears this was already fixed, so no need for any more activity on this bug:
> > 
> > #syz fix: watchqueue: make sure to serialize 'wqueue->defunct' properly
> > 
> > - Eric
> 
> It doesn't address the dangling pointer remaining in the watch_queue,
> which was the root cause of this crash. The use-after-free happened
> because the pipe was freed but a dangling pointer of it remained in
> a watch_queue, and an attempt to dereference it was there.
> 

I don't think that's true; the pointer doesn't get dereferenced after
watch_queue::defunct is set.  See my message on the other thread where I
explained this: https://lore.kernel.org/lkml/YunKlJCDlmyn2hJ4@sol.localdomain

Of course, if you actually have a reproducer, or a KASAN report, or anything at
all that shows there is still a problem, then please post it.

- Eric


* Re: [syzbot] KASAN: use-after-free Read in post_one_notification
  2022-08-02 22:27   ` Eric Biggers
@ 2022-08-03  4:04     ` Siddh Raman Pant
  2022-08-03  4:09       ` Eric Biggers
  0 siblings, 1 reply; 17+ messages in thread
From: Siddh Raman Pant @ 2022-08-03  4:04 UTC (permalink / raw)
  To: Eric Biggers; +Cc: syzbot, hdanton, linux-kernel, syzkaller-bugs

On Wed, 03 Aug 2022 03:57:19 +0530  Eric Biggers <ebiggers@kernel.org> wrote:
> It appears this was already fixed, so no need for any more activity on this bug:
> 
> #syz fix: watchqueue: make sure to serialize 'wqueue->defunct' properly
> 
> - Eric

It doesn't address the dangling pointer remaining in the watch_queue,
which was the root cause of this crash. The use-after-free happened
because the pipe was freed but a dangling pointer of it remained in
a watch_queue, and an attempt to dereference it was there.

Thanks,
Siddh

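A userspace model of the object graph that this message and Eric Biggers's reply above argue about, added here as an example. It is not kernel code and not the code of either fix mentioned in the thread; the function and field names (post_one_notification, alloc_pipe_info, free_pipe_info, defunct, rd_wait_lock) mirror the kernel's only so the model reads against the KASAN trace. Everything else is the example's own assumption: the lock is a one-word test-and-set flag rather than a kernel spinlock, the slab is a single static buffer, the model runs single-threaded, the scenario_* functions are invented for the demonstration, and "freeing" poisons the object with 0xfb, the byte KASAN prints for freed slab memory in the report's memory-state dump, instead of calling free(), so the dangling back-pointer can be inspected rather than dereferenced. The safe teardown does both of the things the two replies discuss, marking the queue defunct and clearing the pipe pointer, under the lock the poster also takes; it does not decide which of the two the kernel needs.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* Userspace model, not kernel code. 0xfb is the byte KASAN prints for
 * freed slab memory ("fb fb fb ...") in the report above. */
#define KASAN_FREE_POISON 0xfb

struct model_spinlock { atomic_flag held; };
static void model_lock(struct model_spinlock *l) { while (atomic_flag_test_and_set(&l->held)) { } }
static void model_unlock(struct model_spinlock *l) { atomic_flag_clear(&l->held); }

struct model_pipe { struct model_spinlock rd_wait_lock; unsigned int notes_posted; };
struct model_wqueue {
	struct model_spinlock lock;	/* protects pipe and defunct */
	struct model_pipe *pipe;	/* back-pointer the bug leaves dangling */
	bool defunct;
};

/* One-object "slab": freeing poisons it instead of calling free(), so
 * looking at a freed object stays well defined in this model. */
static unsigned char pipe_slab[sizeof(struct model_pipe)];

static struct model_pipe *alloc_pipe_info(void)
{
	struct model_pipe *pipe = (struct model_pipe *)pipe_slab;
	memset(pipe, 0, sizeof(*pipe));	/* zero is a cleared atomic_flag on gcc/clang */
	return pipe;
}

static void free_pipe_info(struct model_pipe *pipe)
{
	memset(pipe, KASAN_FREE_POISON, sizeof(*pipe));
}

/* True when the object is all free poison: the "Memory state" dump above. */
static bool pipe_is_freed(const struct model_pipe *pipe)
{
	unsigned char poison[sizeof(*pipe)];
	memset(poison, KASAN_FREE_POISON, sizeof(poison));
	return memcmp(pipe, poison, sizeof(poison)) == 0;
}

/* Teardown with both steps the thread argues about, under wq->lock: mark
 * the queue defunct and drop the back-pointer, only then free the pipe. */
static void pipe_release_safe(struct model_wqueue *wq)
{
	struct model_pipe *pipe;
	model_lock(&wq->lock);
	wq->defunct = true;
	pipe = wq->pipe;
	wq->pipe = NULL;
	model_unlock(&wq->lock);
	if (pipe) free_pipe_info(pipe);
}

/* Returns 1 when a notification was posted, 0 when the queue is defunct. The
 * check runs under the lock teardown takes, so the poster never sees a freed pipe. */
static int post_one_notification(struct model_wqueue *wq)
{
	struct model_pipe *pipe;
	model_lock(&wq->lock);
	pipe = wq->defunct ? NULL : wq->pipe;
	if (!pipe) {
		model_unlock(&wq->lock);
		return 0;
	}
	model_lock(&pipe->rd_wait_lock);	/* the acquire KASAN flagged */
	pipe->notes_posted++;
	model_unlock(&pipe->rd_wait_lock);
	model_unlock(&wq->lock);
	return 1;
}

/* The order the report describes: the pipe is freed while the queue still
 * points at it and nothing marks the queue defunct. Returns true if the
 * back-pointer now dangles; posting again would be the reported read. */
static bool scenario_unsafe_leaves_dangling_pipe(void)
{
	struct model_wqueue wq = { .pipe = alloc_pipe_info() };
	post_one_notification(&wq);	/* fine, the pipe is live */
	free_pipe_info(wq.pipe);	/* pipe_release() that never touches wq */
	return wq.pipe != NULL && pipe_is_freed(wq.pipe);
}

/* Safe order: one post succeeds before release, none after, so 10. */
static int scenario_safe_posts_then_refuses(void)
{
	struct model_wqueue wq = { .pipe = alloc_pipe_info() };
	int before = post_one_notification(&wq);
	pipe_release_safe(&wq);
	int after = post_one_notification(&wq);
	return before * 10 + after;
}

int main(void)
{
	printf("unsafe teardown leaves a dangling pipe: %d\n", scenario_unsafe_leaves_dangling_pipe());
	printf("safe teardown, expect 10: %d\n", scenario_safe_posts_then_refuses());
	return 0;
}
```

Build with cc -std=c11 and run. The first scenario stops where the report's trace would continue into the freed pipe's lock, which is why the dangling pointer is only inspected, never locked. What the trace illustrates is ordering: in post_one_notification the defunct check and the pipe dereference sit under one lock, and pipe_release_safe publishes both the flag and the NULL pointer under that same lock before the memory is released, so there is no window in which a poster holds a pointer that teardown has already freed.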

* Re: [syzbot] KASAN: use-after-free Read in post_one_notification
  2022-08-01 10:54 ` syzbot
@ 2022-08-02 22:27   ` Eric Biggers
  2022-08-03  4:04     ` Siddh Raman Pant
  0 siblings, 1 reply; 17+ messages in thread
From: Eric Biggers @ 2022-08-02 22:27 UTC (permalink / raw)
  To: syzbot; +Cc: code, hdanton, linux-kernel, syzkaller-bugs

On Mon, Aug 01, 2022 at 03:54:09AM -0700, syzbot wrote:
> Hello,
> 
> syzbot has tested the proposed patch and the reproducer did not trigger any issue:
> 
> Reported-and-tested-by: syzbot+c70d87ac1d001f29a058@syzkaller.appspotmail.com
> 
> Tested on:
> 
> commit:         3d7cb6b0 Linux 5.19
> git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
> console output: https://syzkaller.appspot.com/x/log.txt?x=14066d7a080000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=70dd99d568a89e0
> dashboard link: https://syzkaller.appspot.com/bug?extid=c70d87ac1d001f29a058
> compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> 
> Note: no patches were applied.
> Note: testing is done by a robot and is best-effort only.

It appears this was already fixed, so no need for any more activity on this bug:

#syz fix: watchqueue: make sure to serialize 'wqueue->defunct' properly

- Eric


* Re: [syzbot] KASAN: use-after-free Read in post_one_notification
       [not found] <20220801103533.972-1-hdanton@sina.com>
@ 2022-08-01 10:54 ` syzbot
  2022-08-02 22:27   ` Eric Biggers
  0 siblings, 1 reply; 17+ messages in thread
From: syzbot @ 2022-08-01 10:54 UTC (permalink / raw)
  To: code, hdanton, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+c70d87ac1d001f29a058@syzkaller.appspotmail.com

Tested on:

commit:         3d7cb6b0 Linux 5.19
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=14066d7a080000
kernel config:  https://syzkaller.appspot.com/x/.config?x=70dd99d568a89e0
dashboard link: https://syzkaller.appspot.com/bug?extid=c70d87ac1d001f29a058
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2

Note: no patches were applied.
Note: testing is done by a robot and is best-effort only.


* Re: [syzbot] KASAN: use-after-free Read in post_one_notification
       [not found] <20220723142031.2316-1-hdanton@sina.com>
@ 2022-07-23 14:39 ` syzbot
  0 siblings, 0 replies; 17+ messages in thread
From: syzbot @ 2022-07-23 14:39 UTC (permalink / raw)
  To: hdanton, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+c70d87ac1d001f29a058@syzkaller.appspotmail.com

Tested on:

commit:         551acdc3 Merge tag 'net-5.17-final' of git://git.kerne..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=133a814a080000
kernel config:  https://syzkaller.appspot.com/x/.config?x=e006319d4b3bc11a
dashboard link: https://syzkaller.appspot.com/bug?extid=c70d87ac1d001f29a058
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch:          https://syzkaller.appspot.com/x/patch.diff?x=13b8c83c080000

Note: testing is done by a robot and is best-effort only.


Thread overview: 17+ messages
2022-03-21 13:25 [syzbot] KASAN: use-after-free Read in post_one_notification syzbot
2022-03-21 15:40 ` David Howells
2022-03-22  7:52   ` Dmitry Vyukov
2022-07-23 13:20 ` Siddh Raman Pant
2022-07-23 13:21   ` syzbot
2022-07-23 13:22     ` Siddh Raman Pant
2022-07-23 13:42       ` syzbot
2022-07-24  3:41       ` Siddh Raman Pant
2022-07-24  4:01         ` syzbot
2022-07-28 15:30           ` Siddh Raman Pant
2022-07-28 15:50             ` syzbot
     [not found] <20220723142031.2316-1-hdanton@sina.com>
2022-07-23 14:39 ` syzbot
     [not found] <20220801103533.972-1-hdanton@sina.com>
2022-08-01 10:54 ` syzbot
2022-08-02 22:27   ` Eric Biggers
2022-08-03  4:04     ` Siddh Raman Pant
2022-08-03  4:09       ` Eric Biggers
2022-08-03  5:17         ` Siddh Raman Pant
