From: syzbot <syzbot+239d99847eb49ecb3899@syzkaller.appspotmail.com>
To: bfields@fieldses.org, jlayton@kernel.org,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com, viro@zeniv.linux.org.uk
Subject: KASAN: use-after-free Read in posix_lock_inode
Date: Wed, 02 Jan 2019 02:31:04 -0800 [thread overview]
Message-ID: <000000000000a415f5057e772463@google.com> (raw)
Hello,
syzbot found the following crash on:
HEAD commit: e1ef035d272e Merge tag 'armsoc-defconfig' of git://git.ker..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16bb4c4b400000
kernel config: https://syzkaller.appspot.com/x/.config?x=9c6a26e22579190b
dashboard link: https://syzkaller.appspot.com/bug?extid=239d99847eb49ecb3899
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=128aa377400000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+239d99847eb49ecb3899@syzkaller.appspotmail.com
IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
8021q: adding VLAN 0 to HW filter on device batadv0
8021q: adding VLAN 0 to HW filter on device batadv0
==================================================================
BUG: KASAN: use-after-free in what_owner_is_waiting_for fs/locks.c:1000 [inline]
BUG: KASAN: use-after-free in posix_locks_deadlock fs/locks.c:1023 [inline]
BUG: KASAN: use-after-free in posix_lock_inode+0x1f9e/0x2750 fs/locks.c:1163
Read of size 8 at addr ffff88808791b000 by task syz-executor2/10100
CPU: 1 PID: 10100 Comm: syz-executor2 Not tainted 4.20.0+ #3
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1db/0x2d0 lib/dump_stack.c:113
print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
__asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135
what_owner_is_waiting_for fs/locks.c:1000 [inline]
posix_locks_deadlock fs/locks.c:1023 [inline]
posix_lock_inode+0x1f9e/0x2750 fs/locks.c:1163
posix_lock_file fs/locks.c:1346 [inline]
vfs_lock_file fs/locks.c:2314 [inline]
vfs_lock_file+0xc7/0xf0 fs/locks.c:2309
do_lock_file_wait.part.0+0xe5/0x260 fs/locks.c:2328
do_lock_file_wait fs/locks.c:2324 [inline]
fcntl_setlk+0x2f1/0xfe0 fs/locks.c:2413
do_fcntl+0x843/0x12b0 fs/fcntl.c:370
__do_sys_fcntl fs/fcntl.c:463 [inline]
__se_sys_fcntl fs/fcntl.c:448 [inline]
__x64_sys_fcntl+0x16d/0x1e0 fs/fcntl.c:448
do_syscall_64+0x1a3/0x800 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457ec9
Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f58bbb50c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000048
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457ec9
RDX: 0000000020000140 RSI: 0000000000000007 RDI: 0000000000000003
RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f58bbb516d4
R13: 00000000004be5f0 R14: 00000000004ceab0 R15: 00000000ffffffff
Allocated by task 10100:
save_stack+0x45/0xd0 mm/kasan/common.c:73
set_track mm/kasan/common.c:85 [inline]
kasan_kmalloc mm/kasan/common.c:482 [inline]
kasan_kmalloc+0xcf/0xe0 mm/kasan/common.c:455
kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:397
kmem_cache_alloc+0x12d/0x710 mm/slab.c:3541
kmem_cache_zalloc include/linux/slab.h:730 [inline]
locks_alloc_lock+0x8e/0x2f0 fs/locks.c:344
fcntl_setlk+0xa9/0xfe0 fs/locks.c:2362
do_fcntl+0x843/0x12b0 fs/fcntl.c:370
__do_sys_fcntl fs/fcntl.c:463 [inline]
__se_sys_fcntl fs/fcntl.c:448 [inline]
__x64_sys_fcntl+0x16d/0x1e0 fs/fcntl.c:448
do_syscall_64+0x1a3/0x800 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 10100:
save_stack+0x45/0xd0 mm/kasan/common.c:73
set_track mm/kasan/common.c:85 [inline]
__kasan_slab_free+0x102/0x150 mm/kasan/common.c:444
kasan_slab_free+0xe/0x10 mm/kasan/common.c:452
__cache_free mm/slab.c:3485 [inline]
kmem_cache_free+0x86/0x260 mm/slab.c:3747
locks_free_lock+0x27a/0x3f0 fs/locks.c:381
fcntl_setlk+0x7b5/0xfe0 fs/locks.c:2439
do_fcntl+0x843/0x12b0 fs/fcntl.c:370
__do_sys_fcntl fs/fcntl.c:463 [inline]
__se_sys_fcntl fs/fcntl.c:448 [inline]
__x64_sys_fcntl+0x16d/0x1e0 fs/fcntl.c:448
do_syscall_64+0x1a3/0x800 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff88808791b000
which belongs to the cache file_lock_cache of size 264
The buggy address is located 0 bytes inside of
264-byte region [ffff88808791b000, ffff88808791b108)
The buggy address belongs to the page:
page:ffffea00021e46c0 count:1 mapcount:0 mapping:ffff8880aa16a1c0 index:0x0
flags: 0x1fffc0000000200(slab)
raw: 01fffc0000000200 ffffea0002333508 ffffea00021d76c8 ffff8880aa16a1c0
raw: 0000000000000000 ffff88808791b000 000000010000000c 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88808791af00: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
ffff88808791af80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ffff88808791b000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88808791b080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88808791b100: fb fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
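Decoding the register dump above: ORIG_RAX 0x48 is the x86-64 fcntl syscall, RDI 3 is the descriptor and RSI 7 is F_SETLKW, so the faulting call is a blocking byte-range lock request that enters posix_lock_inode and, because another owner already holds a conflicting lock, walks the blocked-waiter graph in posix_locks_deadlock / what_owner_is_waiting_for. The program below is an added example, not part of the syzbot report and not a reproducer for the use-after-free: it shows the ordinary userspace pattern that drives exactly that deadlock-detection walk. Two processes each hold a write lock on a different byte of a scratch file and then each F_SETLKW on the other's byte; the kernel detects the wait cycle and fails one of the two calls with EDEADLK. The scratch file path, the 5-second alarm and the result codes are this example's own choices.

```c
/* Added example (not from the syzbot report, and not a reproducer for the
 * use-after-free): drives the kernel's POSIX lock deadlock-detection path,
 * fcntl(F_SETLKW) -> posix_lock_inode -> posix_locks_deadlock, from userspace.
 * Two processes each hold a write lock on a different byte of a scratch file
 * and then each wait for the other's byte with F_SETLKW; the kernel detects
 * the cycle and fails one of the two F_SETLKW calls with EDEADLK.
 * Assumptions: Linux, a writable /tmp (falls back to the cwd), fork allowed. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

enum demo_result {
    DEMO_EDEADLK = 1,  /* exactly one waiter got EDEADLK: cycle detected */
    DEMO_TIMEOUT = 2,  /* neither waiter got EDEADLK before the alarm fired */
    DEMO_ERROR   = 3   /* setup failure (open/pipe/fork/initial lock) */
};

static void on_alarm(int sig) { (void)sig; }  /* only needed to interrupt F_SETLKW */

/* Apply a one-byte write lock (or unlock) at offset off. F_SETLKW blocks;
 * F_SETLK fails with EAGAIN/EACCES instead of waiting. */
static int set_lock(int fd, off_t off, short type, int wait)
{
    struct flock fl;
    memset(&fl, 0, sizeof fl);
    fl.l_type = type;
    fl.l_whence = SEEK_SET;
    fl.l_start = off;
    fl.l_len = 1;
    return fcntl(fd, wait ? F_SETLKW : F_SETLK, &fl);
}

/* Anonymous scratch file: created, unlinked, kept open only via the fd. */
static int open_scratch(void)
{
    char tmp[] = "/tmp/lockdemo-XXXXXX", cwd[] = "./lockdemo-XXXXXX";
    int fd = mkstemp(tmp);
    if (fd >= 0) { unlink(tmp); return fd; }
    fd = mkstemp(cwd);
    if (fd >= 0) unlink(cwd);
    return fd;
}

/* Parent locks byte 0, child locks byte 1, then each waits for the other's
 * byte. Returns how the kernel resolved the resulting lock-wait cycle. */
int run_deadlock_demo(void)
{
    int fd = open_scratch();
    if (fd < 0) return DEMO_ERROR;
    int ready[2];                      /* child -> parent: "I hold byte 1" */
    if (pipe(ready) < 0) return DEMO_ERROR;
    /* Record locks are per-process and are not inherited across fork(), so
     * the parent takes byte 0 as its own lock before forking. */
    if (set_lock(fd, 0, F_WRLCK, 0) < 0) return DEMO_ERROR;

    pid_t pid = fork();
    if (pid < 0) return DEMO_ERROR;
    if (pid == 0) {
        if (set_lock(fd, 1, F_WRLCK, 0) < 0) _exit(DEMO_ERROR);
        if (write(ready[1], "r", 1) != 1) _exit(DEMO_ERROR);
        int rc = set_lock(fd, 0, F_WRLCK, 1);   /* blocks on the parent's lock */
        if (rc < 0) _exit(errno == EDEADLK ? DEMO_EDEADLK : DEMO_ERROR);
        _exit(0);                     /* granted after the parent released byte 0 */
    }

    char c;
    if (read(ready[0], &c, 1) != 1) return DEMO_ERROR;
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_alarm;         /* no SA_RESTART: F_SETLKW returns EINTR */
    sigaction(SIGALRM, &sa, NULL);
    alarm(5);
    int rc = set_lock(fd, 1, F_WRLCK, 1);  /* blocks on the child: closes the cycle */
    int err = errno;
    alarm(0);
    set_lock(fd, 0, F_UNLCK, 0);      /* let the child finish whichever way it went */

    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return DEMO_ERROR;
    int child = WIFEXITED(status) ? WEXITSTATUS(status) : DEMO_ERROR;
    close(fd);
    if (rc < 0 && err == EDEADLK && child == 0) return DEMO_EDEADLK;  /* parent was refused */
    if (rc == 0 && child == DEMO_EDEADLK) return DEMO_EDEADLK;         /* child was refused */
    if (rc < 0 && err == EINTR) return DEMO_TIMEOUT;
    return DEMO_ERROR;
}

int main(void)
{
    int r = run_deadlock_demo();
    printf("F_SETLKW cycle: %s\n",
           r == DEMO_EDEADLK ? "EDEADLK returned to one waiter"
         : r == DEMO_TIMEOUT ? "no EDEADLK before timeout" : "setup error");
    return r == DEMO_EDEADLK ? 0 : 1;
}
```

Which side is refused depends on which F_SETLKW arrives second, so the demo accepts either outcome; the alarm exists only so that a kernel without deadlock detection reports a timeout rather than hanging. The report's trace is this same walk, taken from fcntl_setlk with a file_lock that fcntl_setlk itself had already freed at fs/locks.c:2439, which is why the allocation, free and use stacks all belong to the same task.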
Thread overview: 9+ messages
2019-01-02 10:31 syzbot [this message]
2019-01-02 14:24 ` KASAN: use-after-free Read in posix_lock_inode Jeff Layton
2019-01-03 0:04 ` NeilBrown
2019-01-03 1:24 ` Jeff Layton
2019-01-03 1:59 ` NeilBrown
2019-01-02 18:20 ` Jeff Layton
2019-01-02 18:51 ` Dmitry Vyukov
2019-01-02 18:54 ` Dmitry Vyukov
2019-01-02 21:42 ` Jeff Layton