[syzbot] KASAN: use-after-free Write in dec_rlimit_ucounts

[syzbot] KASAN: use-after-free Write in dec_rlimit_ucounts

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    3dbdb38e2869 Merge branch 'for-5.14' of git://git.kernel.o..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11f4b9d8300000
kernel config:  https://syzkaller.appspot.com/x/.config?x=1700b0b2b41cd52c
dashboard link: https://syzkaller.appspot.com/bug?extid=01985d7909f9468f013c
compiler:       Debian clang version 11.0.1-2

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+01985d7909f9468f013c@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
BUG: KASAN: use-after-free in atomic64_add_return include/asm-generic/atomic-instrumented.h:640 [inline]
BUG: KASAN: use-after-free in atomic_long_add_return include/asm-generic/atomic-long.h:59 [inline]
BUG: KASAN: use-after-free in dec_rlimit_ucounts+0x88/0x170 kernel/ucount.c:272
Write of size 8 at addr ffff888021498d80 by task syz-executor.1/32612

CPU: 0 PID: 32612 Comm: syz-executor.1 Not tainted 5.13.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack_lvl+0x1ae/0x29f lib/dump_stack.c:96
 print_address_description+0x66/0x3b0 mm/kasan/report.c:233
 __kasan_report mm/kasan/report.c:419 [inline]
 kasan_report+0x163/0x210 mm/kasan/report.c:436
 check_region_inline mm/kasan/generic.c:135 [inline]
 kasan_check_range+0x2b5/0x2f0 mm/kasan/generic.c:189
 instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
 atomic64_add_return include/asm-generic/atomic-instrumented.h:640 [inline]
 atomic_long_add_return include/asm-generic/atomic-long.h:59 [inline]
 dec_rlimit_ucounts+0x88/0x170 kernel/ucount.c:272
 release_task+0x323/0x15a0 kernel/exit.c:191
 exit_notify kernel/exit.c:699 [inline]
 do_exit+0x1aa2/0x2510 kernel/exit.c:845
 do_group_exit+0x168/0x2d0 kernel/exit.c:922
 get_signal+0x16c0/0x20d0 kernel/signal.c:2796
 arch_do_signal_or_restart+0x8e/0x6d0 arch/x86/kernel/signal.c:789
 handle_signal_work kernel/entry/common.c:148 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
 exit_to_user_mode_prepare+0x191/0x220 kernel/entry/common.c:209
 __syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline]
 syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:302
 do_syscall_64+0x4c/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4665d9
Code: Unable to access opcode bytes at RIP 0x4665af.
RSP: 002b:00007fa6e68ec218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: 0000000000000001 RBX: 000000000056bf88 RCX: 00000000004665d9
RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 000000000056bf8c
RBP: 000000000056bf80 R08: 000000000000000d R09: 0000000000000000
R10: ffffffffffffffff R11: 0000000000000246 R12: 000000000056bf8c
R13: 00007fff105041ff R14: 00007fa6e68ec300 R15: 0000000000022000

Allocated by task 32600:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 ____kasan_kmalloc+0xc4/0xf0 mm/kasan/common.c:513
 kasan_kmalloc include/linux/kasan.h:263 [inline]
 kmem_cache_alloc_trace+0x96/0x340 mm/slub.c:2997
 kmalloc include/linux/slab.h:591 [inline]
 kzalloc include/linux/slab.h:721 [inline]
 alloc_ucounts+0x176/0x420 kernel/ucount.c:169
 set_cred_ucounts+0x220/0x2d0 kernel/cred.c:684
 __sys_setuid+0x355/0x4a0 kernel/sys.c:623
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 32580:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track+0x3d/0x70 mm/kasan/common.c:46
 kasan_set_free_info+0x1f/0x40 mm/kasan/generic.c:360
 ____kasan_slab_free+0x109/0x150 mm/kasan/common.c:366
 kasan_slab_free include/linux/kasan.h:229 [inline]
 slab_free_hook mm/slub.c:1639 [inline]
 slab_free_freelist_hook+0x1d8/0x290 mm/slub.c:1664
 slab_free mm/slub.c:3224 [inline]
 kfree+0xcf/0x2d0 mm/slub.c:4268
 put_cred_rcu+0x221/0x400 kernel/cred.c:124
 rcu_do_batch kernel/rcu/tree.c:2558 [inline]
 rcu_core+0x906/0x14b0 kernel/rcu/tree.c:2793
 __do_softirq+0x372/0x783 kernel/softirq.c:558

The buggy address belongs to the object at ffff888021498d00
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 128 bytes inside of
 192-byte region [ffff888021498d00, ffff888021498dc0)
The buggy address belongs to the page:
page:ffffea0000852600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x21498
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffffea0001c8ac80 0000000400000004 ffff888011841a00
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 32273, ts 862400369934, free_ts 857108006622
 prep_new_page mm/page_alloc.c:2445 [inline]
 get_page_from_freelist+0x779/0xa30 mm/page_alloc.c:4178
 __alloc_pages+0x26c/0x5f0 mm/page_alloc.c:5386
 alloc_slab_page mm/slub.c:1702 [inline]
 allocate_slab+0xf1/0x540 mm/slub.c:1842
 new_slab mm/slub.c:1905 [inline]
 new_slab_objects mm/slub.c:2651 [inline]
 ___slab_alloc+0x1cf/0x350 mm/slub.c:2814
 __slab_alloc mm/slub.c:2854 [inline]
 slab_alloc_node mm/slub.c:2936 [inline]
 slab_alloc mm/slub.c:2978 [inline]
 kmem_cache_alloc_trace+0x29d/0x340 mm/slub.c:2995
 kmalloc include/linux/slab.h:591 [inline]
 kzalloc include/linux/slab.h:721 [inline]
 push_stack+0x86/0x710 kernel/bpf/verifier.c:1019
 check_cond_jmp_op kernel/bpf/verifier.c:8815 [inline]
 do_check+0x18d54/0x218b0 kernel/bpf/verifier.c:10882
 do_check_common+0xc01/0x21a0 kernel/bpf/verifier.c:12865
 do_check_main kernel/bpf/verifier.c:12931 [inline]
 bpf_check+0x112e2/0x14720 kernel/bpf/verifier.c:13498
 bpf_prog_load kernel/bpf/syscall.c:2274 [inline]
 __sys_bpf+0x10923/0x11d80 kernel/bpf/syscall.c:4469
 __do_sys_bpf kernel/bpf/syscall.c:4573 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:4571 [inline]
 __x64_sys_bpf+0x78/0x90 kernel/bpf/syscall.c:4571
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1355 [inline]
 free_pcp_prepare+0xc29/0xd20 mm/page_alloc.c:1406
 free_unref_page_prepare mm/page_alloc.c:3341 [inline]
 free_unref_page_list+0x118/0xad0 mm/page_alloc.c:3457
 release_pages+0x18bb/0x1af0 mm/swap.c:972
 tlb_batch_pages_flush mm/mmu_gather.c:49 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:242 [inline]
 tlb_flush_mmu+0x780/0x910 mm/mmu_gather.c:249
 tlb_finish_mmu+0xcb/0x200 mm/mmu_gather.c:340
 exit_mmap+0x404/0x7a0 mm/mmap.c:3204
 __mmput+0x111/0x370 kernel/fork.c:1101
 exit_mm+0x60a/0x770 kernel/exit.c:501
 do_exit+0x6ae/0x2510 kernel/exit.c:812
 do_group_exit+0x168/0x2d0 kernel/exit.c:922
 __do_sys_exit_group+0x13/0x20 kernel/exit.c:933
 __ia32_sys_exit_group+0x0/0x40 kernel/exit.c:931
 __x64_sys_exit_group+0x37/0x40 kernel/exit.c:931
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Memory state around the buggy address:
 ffff888021498c80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff888021498d00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888021498d80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
                   ^
 ffff888021498e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888021498e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

Re: [syzbot] KASAN: use-after-free Write in dec_rlimit_ucounts

[syzbot]

syzbot has found a reproducer for the following issue on:

HEAD commit:    d6d09a694205 Merge tag 'for-5.14-rc6-tag' of git://git.ker..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16c8081e300000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f61012d0b1cd846f
dashboard link: https://syzkaller.appspot.com/bug?extid=01985d7909f9468f013c
compiler:       Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.1
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15d0ec1e300000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1516c341300000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+01985d7909f9468f013c@syzkaller.appspotmail.com

RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00000000004ca4cc
RBP: 00000000004ca4c0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000246 R12: 00000000004ca4cc
R13: 00007fffffe0b62f R14: 00007f1054173400 R15: 0000000000022000
==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
BUG: KASAN: use-after-free in atomic64_add_return include/asm-generic/atomic-instrumented.h:640 [inline]
BUG: KASAN: use-after-free in atomic_long_add_return include/asm-generic/atomic-long.h:59 [inline]
BUG: KASAN: use-after-free in dec_rlimit_ucounts+0x88/0x170 kernel/ucount.c:279
Write of size 8 at addr ffff888025b8ef80 by task syz-executor668/8707

CPU: 1 PID: 8707 Comm: syz-executor668 Not tainted 5.14.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1ae/0x29f lib/dump_stack.c:105
 print_address_description+0x66/0x3b0 mm/kasan/report.c:233
 __kasan_report mm/kasan/report.c:419 [inline]
 kasan_report+0x163/0x210 mm/kasan/report.c:436
 check_region_inline mm/kasan/generic.c:135 [inline]
 kasan_check_range+0x2b5/0x2f0 mm/kasan/generic.c:189
 instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
 atomic64_add_return include/asm-generic/atomic-instrumented.h:640 [inline]
 atomic_long_add_return include/asm-generic/atomic-long.h:59 [inline]
 dec_rlimit_ucounts+0x88/0x170 kernel/ucount.c:279
 release_task+0x2d3/0x1590 kernel/exit.c:191
 exit_notify kernel/exit.c:699 [inline]
 do_exit+0x1aa2/0x2510 kernel/exit.c:845
 do_group_exit+0x168/0x2d0 kernel/exit.c:922
 get_signal+0x16b0/0x2080 kernel/signal.c:2808
 arch_do_signal_or_restart+0x8e/0x6d0 arch/x86/kernel/signal.c:865
 handle_signal_work kernel/entry/common.c:148 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
 exit_to_user_mode_prepare+0x191/0x220 kernel/entry/common.c:209
 __syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline]
 syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:302
 do_syscall_64+0x4c/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x445a69
Code: Unable to access opcode bytes at RIP 0x445a3f.
RSP: 002b:00007f1054173318 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffff2 RBX: 00000000004ca4c8 RCX: 0000000000445a69
RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00000000004ca4cc
RBP: 00000000004ca4c0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000246 R12: 00000000004ca4cc
R13: 00007fffffe0b62f R14: 00007f1054173400 R15: 0000000000022000

Allocated by task 8441:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 ____kasan_kmalloc+0xc4/0xf0 mm/kasan/common.c:513
 kasan_kmalloc include/linux/kasan.h:264 [inline]
 kmem_cache_alloc_trace+0x96/0x340 mm/slub.c:2986
 kmalloc include/linux/slab.h:591 [inline]
 kzalloc include/linux/slab.h:721 [inline]
 alloc_ucounts+0x1b1/0x5d0 kernel/ucount.c:173
 set_cred_ucounts+0x220/0x2d0 kernel/cred.c:684
 __sys_setresuid+0x6d5/0x920 kernel/sys.c:702
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 13:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track+0x3d/0x70 mm/kasan/common.c:46
 kasan_set_free_info+0x1f/0x40 mm/kasan/generic.c:360
 ____kasan_slab_free+0x109/0x150 mm/kasan/common.c:366
 kasan_slab_free include/linux/kasan.h:230 [inline]
 slab_free_hook mm/slub.c:1628 [inline]
 slab_free_freelist_hook+0x1d8/0x290 mm/slub.c:1653
 slab_free mm/slub.c:3213 [inline]
 kfree+0xcf/0x2e0 mm/slub.c:4267
 put_ucounts+0x15c/0x1a0 kernel/ucount.c:207
 put_cred_rcu+0x221/0x400 kernel/cred.c:124
 rcu_do_batch kernel/rcu/tree.c:2550 [inline]
 rcu_core+0x906/0x14b0 kernel/rcu/tree.c:2785
 __do_softirq+0x372/0x783 kernel/softirq.c:558

Last potentially related work creation:
 kasan_save_stack+0x27/0x50 mm/kasan/common.c:38
 kasan_record_aux_stack+0xee/0x120 mm/kasan/generic.c:348
 insert_work+0x54/0x400 kernel/workqueue.c:1332
 __queue_work+0x928/0xc60 kernel/workqueue.c:1498
 queue_work_on+0x111/0x200 kernel/workqueue.c:1525
 queue_work include/linux/workqueue.h:507 [inline]
 call_usermodehelper_exec+0x283/0x470 kernel/umh.c:435
 kobject_uevent_env+0x1337/0x1700 lib/kobject_uevent.c:618
 device_add+0x1073/0x1790 drivers/base/core.c:3336
 device_create_groups_vargs drivers/base/core.c:4014 [inline]
 device_create+0x241/0x2d0 drivers/base/core.c:4056
 vc_allocate+0x66a/0x780 drivers/tty/vt/vt.c:1157
 con_install+0x9f/0x880 drivers/tty/vt/vt.c:3342
 tty_driver_install_tty drivers/tty/tty_io.c:1315 [inline]
 tty_init_dev+0xc6/0x4c0 drivers/tty/tty_io.c:1429
 tty_open_by_driver drivers/tty/tty_io.c:2098 [inline]
 tty_open+0x89a/0xdd0 drivers/tty/tty_io.c:2146
 chrdev_open+0x53b/0x5f0 fs/char_dev.c:414
 do_dentry_open+0x7cb/0x1020 fs/open.c:826
 do_open fs/namei.c:3374 [inline]
 path_openat+0x27e7/0x36b0 fs/namei.c:3507
 do_filp_open+0x253/0x4d0 fs/namei.c:3534
 do_sys_openat2+0x124/0x460 fs/open.c:1204
 do_sys_open fs/open.c:1220 [inline]
 __do_sys_open fs/open.c:1228 [inline]
 __se_sys_open fs/open.c:1224 [inline]
 __x64_sys_open+0x221/0x270 fs/open.c:1224
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Second to last potentially related work creation:
 kasan_save_stack+0x27/0x50 mm/kasan/common.c:38
 kasan_record_aux_stack+0xee/0x120 mm/kasan/generic.c:348
 insert_work+0x54/0x400 kernel/workqueue.c:1332
 __queue_work+0x928/0xc60 kernel/workqueue.c:1498
 queue_work_on+0x111/0x200 kernel/workqueue.c:1525
 queue_work include/linux/workqueue.h:507 [inline]
 call_usermodehelper_exec+0x283/0x470 kernel/umh.c:435
 kobject_uevent_env+0x1337/0x1700 lib/kobject_uevent.c:618
 kobject_synth_uevent+0x3bf/0x900 lib/kobject_uevent.c:208
 uevent_store+0x20/0x60 drivers/base/core.c:2372
 kernfs_fop_write_iter+0x3b6/0x510 fs/kernfs/file.c:296
 call_write_iter include/linux/fs.h:2114 [inline]
 new_sync_write fs/read_write.c:518 [inline]
 vfs_write+0xa39/0xc90 fs/read_write.c:605
 ksys_write+0x171/0x2a0 fs/read_write.c:658
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff888025b8ef00
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 128 bytes inside of
 192-byte region [ffff888025b8ef00, ffff888025b8efc0)
The buggy address belongs to the page:
page:ffffea000096e380 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x25b8e
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffffea00005dac80 0000000c0000000c ffff888011041a00
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1, ts 9979944008, free_ts 0
 prep_new_page mm/page_alloc.c:2436 [inline]
 get_page_from_freelist+0x779/0xa30 mm/page_alloc.c:4169
 __alloc_pages+0x26c/0x5f0 mm/page_alloc.c:5391
 alloc_page_interleave+0x22/0x1c0 mm/mempolicy.c:2119
 alloc_slab_page mm/slub.c:1691 [inline]
 allocate_slab+0xf1/0x540 mm/slub.c:1831
 new_slab mm/slub.c:1894 [inline]
 new_slab_objects mm/slub.c:2640 [inline]
 ___slab_alloc+0x1cf/0x350 mm/slub.c:2803
 __slab_alloc mm/slub.c:2843 [inline]
 slab_alloc_node mm/slub.c:2925 [inline]
 slab_alloc mm/slub.c:2967 [inline]
 kmem_cache_alloc_trace+0x29d/0x340 mm/slub.c:2984
 kmalloc include/linux/slab.h:591 [inline]
 kzalloc include/linux/slab.h:721 [inline]
 call_usermodehelper_setup+0x8a/0x260 kernel/umh.c:365
 kobject_uevent_env+0x1311/0x1700 lib/kobject_uevent.c:614
 device_add+0x1073/0x1790 drivers/base/core.c:3336
 __video_register_device+0x37fc/0x4580 drivers/media/v4l2-core/v4l2-dev.c:1036
 video_register_device include/media/v4l2-dev.h:384 [inline]
 vivid_create_devnodes drivers/media/test-drivers/vivid/vivid-core.c:1585 [inline]
 vivid_create_instance+0x85df/0xac90 drivers/media/test-drivers/vivid/vivid-core.c:1946
 vivid_probe+0x9a/0x140 drivers/media/test-drivers/vivid/vivid-core.c:2001
 platform_probe+0x130/0x1b0 drivers/base/platform.c:1427
 call_driver_probe+0x96/0x250 drivers/base/dd.c:517
 really_probe+0x223/0x9b0 drivers/base/dd.c:595
 __driver_probe_device+0x1f8/0x3e0 drivers/base/dd.c:747
page_owner free stack trace missing

Memory state around the buggy address:
 ffff888025b8ee80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff888025b8ef00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888025b8ef80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
                   ^
 ffff888025b8f000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888025b8f080: 00 00 00 00 00 fc fc fc fc fc fc fc fc 00 00 00
==================================================================

Re: [syzbot] KASAN: use-after-free Write in dec_rlimit_ucounts

[Alexey Gladkov]

On Thu, Aug 19, 2021 at 01:32:22PM -0700, syzbot wrote:
> syzbot has found a reproducer for the following issue on:
> 
> HEAD commit:    d6d09a694205 Merge tag 'for-5.14-rc6-tag' of git://git.ker..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=16c8081e300000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=f61012d0b1cd846f
> dashboard link: https://syzkaller.appspot.com/bug?extid=01985d7909f9468f013c
> compiler:       Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.1
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15d0ec1e300000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1516c341300000
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+01985d7909f9468f013c@syzkaller.appspotmail.com
> 
> RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00000000004ca4cc
> RBP: 00000000004ca4c0 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000001 R11: 0000000000000246 R12: 00000000004ca4cc
> R13: 00007fffffe0b62f R14: 00007f1054173400 R15: 0000000000022000
> ==================================================================
> BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
> BUG: KASAN: use-after-free in atomic64_add_return include/asm-generic/atomic-instrumented.h:640 [inline]
> BUG: KASAN: use-after-free in atomic_long_add_return include/asm-generic/atomic-long.h:59 [inline]
> BUG: KASAN: use-after-free in dec_rlimit_ucounts+0x88/0x170 kernel/ucount.c:279
> Write of size 8 at addr ffff888025b8ef80 by task syz-executor668/8707
> 
> CPU: 1 PID: 8707 Comm: syz-executor668 Not tainted 5.14.0-rc6-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
>  __dump_stack lib/dump_stack.c:88 [inline]
>  dump_stack_lvl+0x1ae/0x29f lib/dump_stack.c:105
>  print_address_description+0x66/0x3b0 mm/kasan/report.c:233
>  __kasan_report mm/kasan/report.c:419 [inline]
>  kasan_report+0x163/0x210 mm/kasan/report.c:436
>  check_region_inline mm/kasan/generic.c:135 [inline]
>  kasan_check_range+0x2b5/0x2f0 mm/kasan/generic.c:189
>  instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
>  atomic64_add_return include/asm-generic/atomic-instrumented.h:640 [inline]
>  atomic_long_add_return include/asm-generic/atomic-long.h:59 [inline]
>  dec_rlimit_ucounts+0x88/0x170 kernel/ucount.c:279
>  release_task+0x2d3/0x1590 kernel/exit.c:191

void release_task(struct task_struct *p)
{
...
	/* don't need to get the RCU readlock here - the process is dead and
	 * can't be modifying its own credentials. But shut RCU-lockdep up */
	rcu_read_lock();
	dec_rlimit_ucounts(task_ucounts(p), UCOUNT_RLIMIT_NPROC, 1);
	rcu_read_unlock();
...
}

It looks like the ucounts have been released before this in the put_cred_rcu().

>  exit_notify kernel/exit.c:699 [inline]
>  do_exit+0x1aa2/0x2510 kernel/exit.c:845
>  do_group_exit+0x168/0x2d0 kernel/exit.c:922
>  get_signal+0x16b0/0x2080 kernel/signal.c:2808
>  arch_do_signal_or_restart+0x8e/0x6d0 arch/x86/kernel/signal.c:865
>  handle_signal_work kernel/entry/common.c:148 [inline]
>  exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
>  exit_to_user_mode_prepare+0x191/0x220 kernel/entry/common.c:209
>  __syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline]
>  syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:302
>  do_syscall_64+0x4c/0xb0 arch/x86/entry/common.c:86
>  entry_SYSCALL_64_after_hwframe+0x44/0xae
> RIP: 0033:0x445a69
> Code: Unable to access opcode bytes at RIP 0x445a3f.
> RSP: 002b:00007f1054173318 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
> RAX: fffffffffffffff2 RBX: 00000000004ca4c8 RCX: 0000000000445a69
> RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00000000004ca4cc
> RBP: 00000000004ca4c0 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000001 R11: 0000000000000246 R12: 00000000004ca4cc
> R13: 00007fffffe0b62f R14: 00007f1054173400 R15: 0000000000022000
> 
> Allocated by task 8441:
>  kasan_save_stack mm/kasan/common.c:38 [inline]
>  kasan_set_track mm/kasan/common.c:46 [inline]
>  set_alloc_info mm/kasan/common.c:434 [inline]
>  ____kasan_kmalloc+0xc4/0xf0 mm/kasan/common.c:513
>  kasan_kmalloc include/linux/kasan.h:264 [inline]
>  kmem_cache_alloc_trace+0x96/0x340 mm/slub.c:2986
>  kmalloc include/linux/slab.h:591 [inline]
>  kzalloc include/linux/slab.h:721 [inline]
>  alloc_ucounts+0x1b1/0x5d0 kernel/ucount.c:173
>  set_cred_ucounts+0x220/0x2d0 kernel/cred.c:684
>  __sys_setresuid+0x6d5/0x920 kernel/sys.c:702
>  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>  do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
>  entry_SYSCALL_64_after_hwframe+0x44/0xae
> 
> Freed by task 13:
>  kasan_save_stack mm/kasan/common.c:38 [inline]
>  kasan_set_track+0x3d/0x70 mm/kasan/common.c:46
>  kasan_set_free_info+0x1f/0x40 mm/kasan/generic.c:360
>  ____kasan_slab_free+0x109/0x150 mm/kasan/common.c:366
>  kasan_slab_free include/linux/kasan.h:230 [inline]
>  slab_free_hook mm/slub.c:1628 [inline]
>  slab_free_freelist_hook+0x1d8/0x290 mm/slub.c:1653
>  slab_free mm/slub.c:3213 [inline]
>  kfree+0xcf/0x2e0 mm/slub.c:4267
>  put_ucounts+0x15c/0x1a0 kernel/ucount.c:207
>  put_cred_rcu+0x221/0x400 kernel/cred.c:124
>  rcu_do_batch kernel/rcu/tree.c:2550 [inline]
>  rcu_core+0x906/0x14b0 kernel/rcu/tree.c:2785
>  __do_softirq+0x372/0x783 kernel/softirq.c:558
> 
> Last potentially related work creation:
>  kasan_save_stack+0x27/0x50 mm/kasan/common.c:38
>  kasan_record_aux_stack+0xee/0x120 mm/kasan/generic.c:348
>  insert_work+0x54/0x400 kernel/workqueue.c:1332
>  __queue_work+0x928/0xc60 kernel/workqueue.c:1498
>  queue_work_on+0x111/0x200 kernel/workqueue.c:1525
>  queue_work include/linux/workqueue.h:507 [inline]
>  call_usermodehelper_exec+0x283/0x470 kernel/umh.c:435
>  kobject_uevent_env+0x1337/0x1700 lib/kobject_uevent.c:618
>  device_add+0x1073/0x1790 drivers/base/core.c:3336
>  device_create_groups_vargs drivers/base/core.c:4014 [inline]
>  device_create+0x241/0x2d0 drivers/base/core.c:4056
>  vc_allocate+0x66a/0x780 drivers/tty/vt/vt.c:1157
>  con_install+0x9f/0x880 drivers/tty/vt/vt.c:3342
>  tty_driver_install_tty drivers/tty/tty_io.c:1315 [inline]
>  tty_init_dev+0xc6/0x4c0 drivers/tty/tty_io.c:1429
>  tty_open_by_driver drivers/tty/tty_io.c:2098 [inline]
>  tty_open+0x89a/0xdd0 drivers/tty/tty_io.c:2146
>  chrdev_open+0x53b/0x5f0 fs/char_dev.c:414
>  do_dentry_open+0x7cb/0x1020 fs/open.c:826
>  do_open fs/namei.c:3374 [inline]
>  path_openat+0x27e7/0x36b0 fs/namei.c:3507
>  do_filp_open+0x253/0x4d0 fs/namei.c:3534
>  do_sys_openat2+0x124/0x460 fs/open.c:1204
>  do_sys_open fs/open.c:1220 [inline]
>  __do_sys_open fs/open.c:1228 [inline]
>  __se_sys_open fs/open.c:1224 [inline]
>  __x64_sys_open+0x221/0x270 fs/open.c:1224
>  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>  do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
>  entry_SYSCALL_64_after_hwframe+0x44/0xae
> 
> Second to last potentially related work creation:
>  kasan_save_stack+0x27/0x50 mm/kasan/common.c:38
>  kasan_record_aux_stack+0xee/0x120 mm/kasan/generic.c:348
>  insert_work+0x54/0x400 kernel/workqueue.c:1332
>  __queue_work+0x928/0xc60 kernel/workqueue.c:1498
>  queue_work_on+0x111/0x200 kernel/workqueue.c:1525
>  queue_work include/linux/workqueue.h:507 [inline]
>  call_usermodehelper_exec+0x283/0x470 kernel/umh.c:435
>  kobject_uevent_env+0x1337/0x1700 lib/kobject_uevent.c:618
>  kobject_synth_uevent+0x3bf/0x900 lib/kobject_uevent.c:208
>  uevent_store+0x20/0x60 drivers/base/core.c:2372
>  kernfs_fop_write_iter+0x3b6/0x510 fs/kernfs/file.c:296
>  call_write_iter include/linux/fs.h:2114 [inline]
>  new_sync_write fs/read_write.c:518 [inline]
>  vfs_write+0xa39/0xc90 fs/read_write.c:605
>  ksys_write+0x171/0x2a0 fs/read_write.c:658
>  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>  do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
>  entry_SYSCALL_64_after_hwframe+0x44/0xae
> 
> The buggy address belongs to the object at ffff888025b8ef00
>  which belongs to the cache kmalloc-192 of size 192
> The buggy address is located 128 bytes inside of
>  192-byte region [ffff888025b8ef00, ffff888025b8efc0)
> The buggy address belongs to the page:
> page:ffffea000096e380 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x25b8e
> flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
> raw: 00fff00000000200 ffffea00005dac80 0000000c0000000c ffff888011041a00
> raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
> page dumped because: kasan: bad access detected
> page_owner tracks the page as allocated
> page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1, ts 9979944008, free_ts 0
>  prep_new_page mm/page_alloc.c:2436 [inline]
>  get_page_from_freelist+0x779/0xa30 mm/page_alloc.c:4169
>  __alloc_pages+0x26c/0x5f0 mm/page_alloc.c:5391
>  alloc_page_interleave+0x22/0x1c0 mm/mempolicy.c:2119
>  alloc_slab_page mm/slub.c:1691 [inline]
>  allocate_slab+0xf1/0x540 mm/slub.c:1831
>  new_slab mm/slub.c:1894 [inline]
>  new_slab_objects mm/slub.c:2640 [inline]
>  ___slab_alloc+0x1cf/0x350 mm/slub.c:2803
>  __slab_alloc mm/slub.c:2843 [inline]
>  slab_alloc_node mm/slub.c:2925 [inline]
>  slab_alloc mm/slub.c:2967 [inline]
>  kmem_cache_alloc_trace+0x29d/0x340 mm/slub.c:2984
>  kmalloc include/linux/slab.h:591 [inline]
>  kzalloc include/linux/slab.h:721 [inline]
>  call_usermodehelper_setup+0x8a/0x260 kernel/umh.c:365
>  kobject_uevent_env+0x1311/0x1700 lib/kobject_uevent.c:614
>  device_add+0x1073/0x1790 drivers/base/core.c:3336
>  __video_register_device+0x37fc/0x4580 drivers/media/v4l2-core/v4l2-dev.c:1036
>  video_register_device include/media/v4l2-dev.h:384 [inline]
>  vivid_create_devnodes drivers/media/test-drivers/vivid/vivid-core.c:1585 [inline]
>  vivid_create_instance+0x85df/0xac90 drivers/media/test-drivers/vivid/vivid-core.c:1946
>  vivid_probe+0x9a/0x140 drivers/media/test-drivers/vivid/vivid-core.c:2001
>  platform_probe+0x130/0x1b0 drivers/base/platform.c:1427
>  call_driver_probe+0x96/0x250 drivers/base/dd.c:517
>  really_probe+0x223/0x9b0 drivers/base/dd.c:595
>  __driver_probe_device+0x1f8/0x3e0 drivers/base/dd.c:747
> page_owner free stack trace missing
> 
> Memory state around the buggy address:
>  ffff888025b8ee80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>  ffff888025b8ef00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> >ffff888025b8ef80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>                    ^
>  ffff888025b8f000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>  ffff888025b8f080: 00 00 00 00 00 fc fc fc fc fc fc fc fc 00 00 00
> ==================================================================
> 

-- 
Rgrds, legion

Re: [syzbot] KASAN: use-after-free Write in dec_rlimit_ucounts

[Eric W. Biederman]

Alexey Gladkov <legion@kernel.org> writes:

> On Thu, Aug 19, 2021 at 01:32:22PM -0700, syzbot wrote:
>> syzbot has found a reproducer for the following issue on:
>> 
>> HEAD commit:    d6d09a694205 Merge tag 'for-5.14-rc6-tag' of git://git.ker..
>> git tree:       upstream
>> console output: https://syzkaller.appspot.com/x/log.txt?x=16c8081e300000
>> kernel config:  https://syzkaller.appspot.com/x/.config?x=f61012d0b1cd846f
>> dashboard link: https://syzkaller.appspot.com/bug?extid=01985d7909f9468f013c
>> compiler:       Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.1
>> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15d0ec1e300000
>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1516c341300000
>> 
>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>> Reported-by: syzbot+01985d7909f9468f013c@syzkaller.appspotmail.com
>> 
>> RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00000000004ca4cc
>> RBP: 00000000004ca4c0 R08: 0000000000000000 R09: 0000000000000000
>> R10: 0000000000000001 R11: 0000000000000246 R12: 00000000004ca4cc
>> R13: 00007fffffe0b62f R14: 00007f1054173400 R15: 0000000000022000
>> ==================================================================
>> BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
>> BUG: KASAN: use-after-free in atomic64_add_return include/asm-generic/atomic-instrumented.h:640 [inline]
>> BUG: KASAN: use-after-free in atomic_long_add_return include/asm-generic/atomic-long.h:59 [inline]
>> BUG: KASAN: use-after-free in dec_rlimit_ucounts+0x88/0x170 kernel/ucount.c:279
>> Write of size 8 at addr ffff888025b8ef80 by task syz-executor668/8707
>> 
>> CPU: 1 PID: 8707 Comm: syz-executor668 Not tainted 5.14.0-rc6-syzkaller #0
>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
>> Call Trace:
>>  __dump_stack lib/dump_stack.c:88 [inline]
>>  dump_stack_lvl+0x1ae/0x29f lib/dump_stack.c:105
>>  print_address_description+0x66/0x3b0 mm/kasan/report.c:233
>>  __kasan_report mm/kasan/report.c:419 [inline]
>>  kasan_report+0x163/0x210 mm/kasan/report.c:436
>>  check_region_inline mm/kasan/generic.c:135 [inline]
>>  kasan_check_range+0x2b5/0x2f0 mm/kasan/generic.c:189
>>  instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
>>  atomic64_add_return include/asm-generic/atomic-instrumented.h:640 [inline]
>>  atomic_long_add_return include/asm-generic/atomic-long.h:59 [inline]
>>  dec_rlimit_ucounts+0x88/0x170 kernel/ucount.c:279
>>  release_task+0x2d3/0x1590 kernel/exit.c:191
>
> void release_task(struct task_struct *p)
> {
> ...
> 	/* don't need to get the RCU readlock here - the process is dead and
> 	 * can't be modifying its own credentials. But shut RCU-lockdep up */
> 	rcu_read_lock();
> 	dec_rlimit_ucounts(task_ucounts(p), UCOUNT_RLIMIT_NPROC, 1);
> 	rcu_read_unlock();
> ...
> }
>
> It looks like the ucounts have been released before this in the put_cred_rcu().

That should not be.

After that in release_task there is:

put_task_struct_rcu_user
  delayed_put_task_struct
     put_task_struct
        __put_task_struct
           exit_creds
              put_cred
                 __put_cred
                    put_cred_rcu
                       put_ucounts

So there very much should be a valid cred reference at that point.

>>  exit_notify kernel/exit.c:699 [inline]
>>  do_exit+0x1aa2/0x2510 kernel/exit.c:845
>>  do_group_exit+0x168/0x2d0 kernel/exit.c:922
>>  get_signal+0x16b0/0x2080 kernel/signal.c:2808
>>  arch_do_signal_or_restart+0x8e/0x6d0 arch/x86/kernel/signal.c:865
>>  handle_signal_work kernel/entry/common.c:148 [inline]
>>  exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
>>  exit_to_user_mode_prepare+0x191/0x220 kernel/entry/common.c:209
>>  __syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline]
>>  syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:302
>>  do_syscall_64+0x4c/0xb0 arch/x86/entry/common.c:86
>>  entry_SYSCALL_64_after_hwframe+0x44/0xae
>> RIP: 0033:0x445a69
>> Code: Unable to access opcode bytes at RIP 0x445a3f.
>> RSP: 002b:00007f1054173318 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
>> RAX: fffffffffffffff2 RBX: 00000000004ca4c8 RCX: 0000000000445a69
>> RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00000000004ca4cc
>> RBP: 00000000004ca4c0 R08: 0000000000000000 R09: 0000000000000000
>> R10: 0000000000000001 R11: 0000000000000246 R12: 00000000004ca4cc
>> R13: 00007fffffe0b62f R14: 00007f1054173400 R15: 0000000000022000
>> 
>> Allocated by task 8441:
>>  kasan_save_stack mm/kasan/common.c:38 [inline]
>>  kasan_set_track mm/kasan/common.c:46 [inline]
>>  set_alloc_info mm/kasan/common.c:434 [inline]
>>  ____kasan_kmalloc+0xc4/0xf0 mm/kasan/common.c:513
>>  kasan_kmalloc include/linux/kasan.h:264 [inline]
>>  kmem_cache_alloc_trace+0x96/0x340 mm/slub.c:2986
>>  kmalloc include/linux/slab.h:591 [inline]
>>  kzalloc include/linux/slab.h:721 [inline]
>>  alloc_ucounts+0x1b1/0x5d0 kernel/ucount.c:173
>>  set_cred_ucounts+0x220/0x2d0 kernel/cred.c:684
>>  __sys_setresuid+0x6d5/0x920 kernel/sys.c:702
>>  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>>  do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
>>  entry_SYSCALL_64_after_hwframe+0x44/0xae
>> 
>> Freed by task 13:
>>  kasan_save_stack mm/kasan/common.c:38 [inline]
>>  kasan_set_track+0x3d/0x70 mm/kasan/common.c:46
>>  kasan_set_free_info+0x1f/0x40 mm/kasan/generic.c:360
>>  ____kasan_slab_free+0x109/0x150 mm/kasan/common.c:366
>>  kasan_slab_free include/linux/kasan.h:230 [inline]
>>  slab_free_hook mm/slub.c:1628 [inline]
>>  slab_free_freelist_hook+0x1d8/0x290 mm/slub.c:1653
>>  slab_free mm/slub.c:3213 [inline]
>>  kfree+0xcf/0x2e0 mm/slub.c:4267
>>  put_ucounts+0x15c/0x1a0 kernel/ucount.c:207
>>  put_cred_rcu+0x221/0x400 kernel/cred.c:124
>>  rcu_do_batch kernel/rcu/tree.c:2550 [inline]
>>  rcu_core+0x906/0x14b0 kernel/rcu/tree.c:2785
>>  __do_softirq+0x372/0x783 kernel/softirq.c:558
>> 
>> Last potentially related work creation:
>>  kasan_save_stack+0x27/0x50 mm/kasan/common.c:38
>>  kasan_record_aux_stack+0xee/0x120 mm/kasan/generic.c:348
>>  insert_work+0x54/0x400 kernel/workqueue.c:1332
>>  __queue_work+0x928/0xc60 kernel/workqueue.c:1498
>>  queue_work_on+0x111/0x200 kernel/workqueue.c:1525
>>  queue_work include/linux/workqueue.h:507 [inline]
>>  call_usermodehelper_exec+0x283/0x470 kernel/umh.c:435
>>  kobject_uevent_env+0x1337/0x1700 lib/kobject_uevent.c:618
>>  device_add+0x1073/0x1790 drivers/base/core.c:3336
>>  device_create_groups_vargs drivers/base/core.c:4014 [inline]
>>  device_create+0x241/0x2d0 drivers/base/core.c:4056
>>  vc_allocate+0x66a/0x780 drivers/tty/vt/vt.c:1157
>>  con_install+0x9f/0x880 drivers/tty/vt/vt.c:3342
>>  tty_driver_install_tty drivers/tty/tty_io.c:1315 [inline]
>>  tty_init_dev+0xc6/0x4c0 drivers/tty/tty_io.c:1429
>>  tty_open_by_driver drivers/tty/tty_io.c:2098 [inline]
>>  tty_open+0x89a/0xdd0 drivers/tty/tty_io.c:2146
>>  chrdev_open+0x53b/0x5f0 fs/char_dev.c:414
>>  do_dentry_open+0x7cb/0x1020 fs/open.c:826
>>  do_open fs/namei.c:3374 [inline]
>>  path_openat+0x27e7/0x36b0 fs/namei.c:3507
>>  do_filp_open+0x253/0x4d0 fs/namei.c:3534
>>  do_sys_openat2+0x124/0x460 fs/open.c:1204
>>  do_sys_open fs/open.c:1220 [inline]
>>  __do_sys_open fs/open.c:1228 [inline]
>>  __se_sys_open fs/open.c:1224 [inline]
>>  __x64_sys_open+0x221/0x270 fs/open.c:1224
>>  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>>  do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
>>  entry_SYSCALL_64_after_hwframe+0x44/0xae
>> 
>> Second to last potentially related work creation:
>>  kasan_save_stack+0x27/0x50 mm/kasan/common.c:38
>>  kasan_record_aux_stack+0xee/0x120 mm/kasan/generic.c:348
>>  insert_work+0x54/0x400 kernel/workqueue.c:1332
>>  __queue_work+0x928/0xc60 kernel/workqueue.c:1498
>>  queue_work_on+0x111/0x200 kernel/workqueue.c:1525
>>  queue_work include/linux/workqueue.h:507 [inline]
>>  call_usermodehelper_exec+0x283/0x470 kernel/umh.c:435
>>  kobject_uevent_env+0x1337/0x1700 lib/kobject_uevent.c:618
>>  kobject_synth_uevent+0x3bf/0x900 lib/kobject_uevent.c:208
>>  uevent_store+0x20/0x60 drivers/base/core.c:2372
>>  kernfs_fop_write_iter+0x3b6/0x510 fs/kernfs/file.c:296
>>  call_write_iter include/linux/fs.h:2114 [inline]
>>  new_sync_write fs/read_write.c:518 [inline]
>>  vfs_write+0xa39/0xc90 fs/read_write.c:605
>>  ksys_write+0x171/0x2a0 fs/read_write.c:658
>>  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>>  do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
>>  entry_SYSCALL_64_after_hwframe+0x44/0xae
>> 
>> The buggy address belongs to the object at ffff888025b8ef00
>>  which belongs to the cache kmalloc-192 of size 192
>> The buggy address is located 128 bytes inside of
>>  192-byte region [ffff888025b8ef00, ffff888025b8efc0)
>> The buggy address belongs to the page:
>> page:ffffea000096e380 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x25b8e
>> flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
>> raw: 00fff00000000200 ffffea00005dac80 0000000c0000000c ffff888011041a00
>> raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
>> page dumped because: kasan: bad access detected
>> page_owner tracks the page as allocated
>> page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1, ts 9979944008, free_ts 0
>>  prep_new_page mm/page_alloc.c:2436 [inline]
>>  get_page_from_freelist+0x779/0xa30 mm/page_alloc.c:4169
>>  __alloc_pages+0x26c/0x5f0 mm/page_alloc.c:5391
>>  alloc_page_interleave+0x22/0x1c0 mm/mempolicy.c:2119
>>  alloc_slab_page mm/slub.c:1691 [inline]
>>  allocate_slab+0xf1/0x540 mm/slub.c:1831
>>  new_slab mm/slub.c:1894 [inline]
>>  new_slab_objects mm/slub.c:2640 [inline]
>>  ___slab_alloc+0x1cf/0x350 mm/slub.c:2803
>>  __slab_alloc mm/slub.c:2843 [inline]
>>  slab_alloc_node mm/slub.c:2925 [inline]
>>  slab_alloc mm/slub.c:2967 [inline]
>>  kmem_cache_alloc_trace+0x29d/0x340 mm/slub.c:2984
>>  kmalloc include/linux/slab.h:591 [inline]
>>  kzalloc include/linux/slab.h:721 [inline]
>>  call_usermodehelper_setup+0x8a/0x260 kernel/umh.c:365
>>  kobject_uevent_env+0x1311/0x1700 lib/kobject_uevent.c:614
>>  device_add+0x1073/0x1790 drivers/base/core.c:3336
>>  __video_register_device+0x37fc/0x4580 drivers/media/v4l2-core/v4l2-dev.c:1036
>>  video_register_device include/media/v4l2-dev.h:384 [inline]
>>  vivid_create_devnodes drivers/media/test-drivers/vivid/vivid-core.c:1585 [inline]
>>  vivid_create_instance+0x85df/0xac90 drivers/media/test-drivers/vivid/vivid-core.c:1946
>>  vivid_probe+0x9a/0x140 drivers/media/test-drivers/vivid/vivid-core.c:2001
>>  platform_probe+0x130/0x1b0 drivers/base/platform.c:1427
>>  call_driver_probe+0x96/0x250 drivers/base/dd.c:517
>>  really_probe+0x223/0x9b0 drivers/base/dd.c:595
>>  __driver_probe_device+0x1f8/0x3e0 drivers/base/dd.c:747
>> page_owner free stack trace missing
>> 
>> Memory state around the buggy address:
>>  ffff888025b8ee80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>>  ffff888025b8ef00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> >ffff888025b8ef80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>>                    ^
>>  ffff888025b8f000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>>  ffff888025b8f080: 00 00 00 00 00 fc fc fc fc fc fc fc fc 00 00 00
>> ==================================================================
>> 

[PATCH v1] ucounts: Increase ucounts reference counter before the security hook

[Alexey Gladkov]

We need to increment the ucounts reference counter befor security_prepare_creds()
because this function may fail and abort_creds() will try to decrement
this reference.

[   96.465056][ T8641] FAULT_INJECTION: forcing a failure.
[   96.465056][ T8641] name fail_page_alloc, interval 1, probability 0, space 0, times 0
[   96.478453][ T8641] CPU: 1 PID: 8641 Comm: syz-executor668 Not tainted 5.14.0-rc6-syzkaller #0
[   96.487215][ T8641] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   96.497254][ T8641] Call Trace:
[   96.500517][ T8641]  dump_stack_lvl+0x1d3/0x29f
[   96.505758][ T8641]  ? show_regs_print_info+0x12/0x12
[   96.510944][ T8641]  ? log_buf_vmcoreinfo_setup+0x498/0x498
[   96.516652][ T8641]  should_fail+0x384/0x4b0
[   96.521141][ T8641]  prepare_alloc_pages+0x1d1/0x5a0
[   96.526236][ T8641]  __alloc_pages+0x14d/0x5f0
[   96.530808][ T8641]  ? __rmqueue_pcplist+0x2030/0x2030
[   96.536073][ T8641]  ? lockdep_hardirqs_on_prepare+0x3e2/0x750
[   96.542056][ T8641]  ? alloc_pages+0x3f3/0x500
[   96.546635][ T8641]  allocate_slab+0xf1/0x540
[   96.551120][ T8641]  ___slab_alloc+0x1cf/0x350
[   96.555689][ T8641]  ? kzalloc+0x1d/0x30
[   96.559740][ T8641]  __kmalloc+0x2e7/0x390
[   96.563980][ T8641]  ? kzalloc+0x1d/0x30
[   96.568029][ T8641]  kzalloc+0x1d/0x30
[   96.571903][ T8641]  security_prepare_creds+0x46/0x220
[   96.577174][ T8641]  prepare_creds+0x411/0x640
[   96.581747][ T8641]  __sys_setfsuid+0xe2/0x3a0
[   96.586333][ T8641]  do_syscall_64+0x3d/0xb0
[   96.590739][ T8641]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   96.596611][ T8641] RIP: 0033:0x445a69
[   96.600483][ T8641] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[   96.620152][ T8641] RSP: 002b:00007f1054173318 EFLAGS: 00000246 ORIG_RAX: 000000000000007a
[   96.628543][ T8641] RAX: ffffffffffffffda RBX: 00000000004ca4c8 RCX: 0000000000445a69
[   96.636600][ T8641] RDX: 0000000000000010 RSI: 00007f10541732f0 RDI: 0000000000000000
[   96.644550][ T8641] RBP: 00000000004ca4c0 R08: 0000000000000001 R09: 0000000000000000
[   96.652500][ T8641] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004ca4cc
[   96.660631][ T8641] R13: 00007fffffe0b62f R14: 00007f1054173400 R15: 0000000000022000

Fixes: 905ae01c4ae2 ("Add a reference to ucounts for each cred")
Reported-by: syzbot+01985d7909f9468f013c@syzkaller.appspotmail.com
Signed-off-by: Alexey Gladkov <legion@kernel.org>
---
 kernel/cred.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/kernel/cred.c b/kernel/cred.c
index e6fd2b3fc31f..f784e08c2fbd 100644
--- a/kernel/cred.c
+++ b/kernel/cred.c
@@ -286,13 +286,13 @@ struct cred *prepare_creds(void)
 	new->security = NULL;
 #endif
 
-	if (security_prepare_creds(new, old, GFP_KERNEL_ACCOUNT) < 0)
-		goto error;
-
 	new->ucounts = get_ucounts(new->ucounts);
 	if (!new->ucounts)
 		goto error;
 
+	if (security_prepare_creds(new, old, GFP_KERNEL_ACCOUNT) < 0)
+		goto error;
+
 	validate_creds(new);
 	return new;
 
@@ -753,13 +753,13 @@ struct cred *prepare_kernel_cred(struct task_struct *daemon)
 #ifdef CONFIG_SECURITY
 	new->security = NULL;
 #endif
-	if (security_prepare_creds(new, old, GFP_KERNEL_ACCOUNT) < 0)
-		goto error;
-
 	new->ucounts = get_ucounts(new->ucounts);
 	if (!new->ucounts)
 		goto error;
 
+	if (security_prepare_creds(new, old, GFP_KERNEL_ACCOUNT) < 0)
+		goto error;
+
 	put_cred(old);
 	validate_creds(new);
 	return new;
-- 
2.32.0

Re: [syzbot] KASAN: use-after-free Write in dec_rlimit_ucounts

[Alexey Gladkov]

On Fri, Aug 20, 2021 at 08:44:32AM -0500, Eric W. Biederman wrote:
> Alexey Gladkov <legion@kernel.org> writes:
> 
> > On Thu, Aug 19, 2021 at 01:32:22PM -0700, syzbot wrote:
> >> syzbot has found a reproducer for the following issue on:
> >> 
> >> HEAD commit:    d6d09a694205 Merge tag 'for-5.14-rc6-tag' of git://git.ker..
> >> git tree:       upstream
> >> console output: https://syzkaller.appspot.com/x/log.txt?x=16c8081e300000
> >> kernel config:  https://syzkaller.appspot.com/x/.config?x=f61012d0b1cd846f
> >> dashboard link: https://syzkaller.appspot.com/bug?extid=01985d7909f9468f013c
> >> compiler:       Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.1
> >> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15d0ec1e300000
> >> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1516c341300000
> >> 
> >> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> >> Reported-by: syzbot+01985d7909f9468f013c@syzkaller.appspotmail.com
> >> 
> >> RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00000000004ca4cc
> >> RBP: 00000000004ca4c0 R08: 0000000000000000 R09: 0000000000000000
> >> R10: 0000000000000001 R11: 0000000000000246 R12: 00000000004ca4cc
> >> R13: 00007fffffe0b62f R14: 00007f1054173400 R15: 0000000000022000
> >> ==================================================================
> >> BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
> >> BUG: KASAN: use-after-free in atomic64_add_return include/asm-generic/atomic-instrumented.h:640 [inline]
> >> BUG: KASAN: use-after-free in atomic_long_add_return include/asm-generic/atomic-long.h:59 [inline]
> >> BUG: KASAN: use-after-free in dec_rlimit_ucounts+0x88/0x170 kernel/ucount.c:279
> >> Write of size 8 at addr ffff888025b8ef80 by task syz-executor668/8707
> >> 
> >> CPU: 1 PID: 8707 Comm: syz-executor668 Not tainted 5.14.0-rc6-syzkaller #0
> >> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> >> Call Trace:
> >>  __dump_stack lib/dump_stack.c:88 [inline]
> >>  dump_stack_lvl+0x1ae/0x29f lib/dump_stack.c:105
> >>  print_address_description+0x66/0x3b0 mm/kasan/report.c:233
> >>  __kasan_report mm/kasan/report.c:419 [inline]
> >>  kasan_report+0x163/0x210 mm/kasan/report.c:436
> >>  check_region_inline mm/kasan/generic.c:135 [inline]
> >>  kasan_check_range+0x2b5/0x2f0 mm/kasan/generic.c:189
> >>  instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
> >>  atomic64_add_return include/asm-generic/atomic-instrumented.h:640 [inline]
> >>  atomic_long_add_return include/asm-generic/atomic-long.h:59 [inline]
> >>  dec_rlimit_ucounts+0x88/0x170 kernel/ucount.c:279
> >>  release_task+0x2d3/0x1590 kernel/exit.c:191
> >
> > void release_task(struct task_struct *p)
> > {
> > ...
> > 	/* don't need to get the RCU readlock here - the process is dead and
> > 	 * can't be modifying its own credentials. But shut RCU-lockdep up */
> > 	rcu_read_lock();
> > 	dec_rlimit_ucounts(task_ucounts(p), UCOUNT_RLIMIT_NPROC, 1);
> > 	rcu_read_unlock();
> > ...
> > }
> >
> > It looks like the ucounts have been released before this in the put_cred_rcu().
> 
> That should not be.
> 
> After that in release_task there is:
> 
> put_task_struct_rcu_user
>   delayed_put_task_struct
>      put_task_struct
>         __put_task_struct
>            exit_creds
>               put_cred
>                  __put_cred
>                     put_cred_rcu
>                        put_ucounts
> 
> So there very much should be a valid cred reference at that point.

I found the problem. This is a different problem and the fact that
syzkaller combined them in one thread misled me.

-- 
Rgrds, legion

Re: [PATCH v1] ucounts: Increase ucounts reference counter before the security hook

[Eric W. Biederman]

Alexey Gladkov <legion@kernel.org> writes:

> We need to increment the ucounts reference counter befor security_prepare_creds()
> because this function may fail and abort_creds() will try to decrement
> this reference.
>
> [   96.465056][ T8641] FAULT_INJECTION: forcing a failure.
> [   96.465056][ T8641] name fail_page_alloc, interval 1, probability 0, space 0, times 0
> [   96.478453][ T8641] CPU: 1 PID: 8641 Comm: syz-executor668 Not tainted 5.14.0-rc6-syzkaller #0
> [   96.487215][ T8641] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> [   96.497254][ T8641] Call Trace:
> [   96.500517][ T8641]  dump_stack_lvl+0x1d3/0x29f
> [   96.505758][ T8641]  ? show_regs_print_info+0x12/0x12
> [   96.510944][ T8641]  ? log_buf_vmcoreinfo_setup+0x498/0x498
> [   96.516652][ T8641]  should_fail+0x384/0x4b0
> [   96.521141][ T8641]  prepare_alloc_pages+0x1d1/0x5a0
> [   96.526236][ T8641]  __alloc_pages+0x14d/0x5f0
> [   96.530808][ T8641]  ? __rmqueue_pcplist+0x2030/0x2030
> [   96.536073][ T8641]  ? lockdep_hardirqs_on_prepare+0x3e2/0x750
> [   96.542056][ T8641]  ? alloc_pages+0x3f3/0x500
> [   96.546635][ T8641]  allocate_slab+0xf1/0x540
> [   96.551120][ T8641]  ___slab_alloc+0x1cf/0x350
> [   96.555689][ T8641]  ? kzalloc+0x1d/0x30
> [   96.559740][ T8641]  __kmalloc+0x2e7/0x390
> [   96.563980][ T8641]  ? kzalloc+0x1d/0x30
> [   96.568029][ T8641]  kzalloc+0x1d/0x30
> [   96.571903][ T8641]  security_prepare_creds+0x46/0x220
> [   96.577174][ T8641]  prepare_creds+0x411/0x640
> [   96.581747][ T8641]  __sys_setfsuid+0xe2/0x3a0
> [   96.586333][ T8641]  do_syscall_64+0x3d/0xb0
> [   96.590739][ T8641]  entry_SYSCALL_64_after_hwframe+0x44/0xae
> [   96.596611][ T8641] RIP: 0033:0x445a69
> [   96.600483][ T8641] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
> [   96.620152][ T8641] RSP: 002b:00007f1054173318 EFLAGS: 00000246 ORIG_RAX: 000000000000007a
> [   96.628543][ T8641] RAX: ffffffffffffffda RBX: 00000000004ca4c8 RCX: 0000000000445a69
> [   96.636600][ T8641] RDX: 0000000000000010 RSI: 00007f10541732f0 RDI: 0000000000000000
> [   96.644550][ T8641] RBP: 00000000004ca4c0 R08: 0000000000000001 R09: 0000000000000000
> [   96.652500][ T8641] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004ca4cc
> [   96.660631][ T8641] R13: 00007fffffe0b62f R14: 00007f1054173400 R15: 0000000000022000
>
> Fixes: 905ae01c4ae2 ("Add a reference to ucounts for each cred")
> Reported-by: syzbot+01985d7909f9468f013c@syzkaller.appspotmail.com
> Signed-off-by: Alexey Gladkov <legion@kernel.org>

Applied.

It is obvious how a failure of security_prepare_creds calling
abort_creds could result a decrement without an increment.

So it looks like the fault injection did it's job.

Eric


> ---
>  kernel/cred.c | 12 ++++++------
>  1 file changed, 6 insertions(+), 6 deletions(-)
>
> diff --git a/kernel/cred.c b/kernel/cred.c
> index e6fd2b3fc31f..f784e08c2fbd 100644
> --- a/kernel/cred.c
> +++ b/kernel/cred.c
> @@ -286,13 +286,13 @@ struct cred *prepare_creds(void)
>  	new->security = NULL;
>  #endif
>  
> -	if (security_prepare_creds(new, old, GFP_KERNEL_ACCOUNT) < 0)
> -		goto error;
> -
>  	new->ucounts = get_ucounts(new->ucounts);
>  	if (!new->ucounts)
>  		goto error;
>  
> +	if (security_prepare_creds(new, old, GFP_KERNEL_ACCOUNT) < 0)
> +		goto error;
> +
>  	validate_creds(new);
>  	return new;
>  
> @@ -753,13 +753,13 @@ struct cred *prepare_kernel_cred(struct task_struct *daemon)
>  #ifdef CONFIG_SECURITY
>  	new->security = NULL;
>  #endif
> -	if (security_prepare_creds(new, old, GFP_KERNEL_ACCOUNT) < 0)
> -		goto error;
> -
>  	new->ucounts = get_ucounts(new->ucounts);
>  	if (!new->ucounts)
>  		goto error;
>  
> +	if (security_prepare_creds(new, old, GFP_KERNEL_ACCOUNT) < 0)
> +		goto error;
> +
>  	put_cred(old);
>  	validate_creds(new);
>  	return new;