From: Qian Cai <quic_qiancai@quicinc.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Alexey Gladkov <legion@kernel.org>, Yu Zhao <yuzhao@google.com>,
<linux-kernel@vger.kernel.org>
Subject: Re: BUG: KASAN: use-after-free in dec_rlimit_ucounts
Date: Thu, 18 Nov 2021 15:32:33 -0500 [thread overview]
Message-ID: <YZa4YbcOyjtD3+pL@fixkernel.com> (raw)
In-Reply-To: <875ysptfgi.fsf@email.froward.int.ebiederm.org>
On Thu, Nov 18, 2021 at 01:46:05PM -0600, Eric W. Biederman wrote:
> Is it possible? Yes it is possible. That is one place where
> a use-after-free has shown up and I expect would show up in the
> future.
>
> That said it is hard to believe there is still a user-after-free in the
> code. We spent the last kernel development cycle pouring through and
> correcting everything we saw until we ultimately found one very subtle
> use-after-free.
>
> If you have a reliable reproducer that you can share, we can look into
> this and see if we can track down where the reference count is going
> bad.
>
> It tends to take instrumenting the entire life cycle every increment and
> every decrement and then pouring through the logs to track down a
> use-after-free. Which is not something we can really do without a
> reproducer.
The reproducer is just to run trinity by an unprivileged user on defconfig
with KASAN enabled (On linux-next, you can do "make defconfig debug.conf"
[1], but dont think other debugging options are relevent here.)
$ trinity -C 31 -N 10000000
It is always reproduced on an arm64 server here within 5-minute so far.
Some debugging progress so far. BTW, this could happen on user_shm_unlock()
path as well.
Call trace:
dec_rlimit_ucounts
user_shm_unlock
(inlined by) user_shm_unlock at mm/mlock.c:854
shmem_lock
shmctl_do_lock
ksys_shmctl.constprop.0
__arm64_sys_shmctl
invoke_syscall
el0_svc_common.constprop.0
do_el0_svc
el0_svc
el0t_64_sync_handler
el0t_64_sync
I noticed in dec_rlimit_ucounts(), dec == 0 and type ==
UCOUNT_RLIMIT_MEMLOCK.
[1] https://lore.kernel.org/lkml/20211115134754.7334-1-quic_qiancai@quicinc.com/
next prev parent reply other threads:[~2021-11-18 20:32 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-17 22:00 BUG: KASAN: use-after-free in dec_rlimit_ucounts Qian Cai
2021-11-18 19:46 ` Eric W. Biederman
2021-11-18 20:32 ` Qian Cai [this message]
2021-11-18 20:57 ` Eric W. Biederman
2021-11-19 13:32 ` Qian Cai
2021-11-24 21:49 ` Qian Cai
2021-11-24 21:49 ` Qian Cai
2021-11-26 5:34 ` Qian Cai
2021-11-26 5:34 ` Qian Cai
2021-12-20 5:58 ` Eric W. Biederman
2021-12-20 5:58 ` Eric W. Biederman
2021-12-21 13:09 ` Alexey Gladkov
2021-12-21 13:09 ` Alexey Gladkov
2021-12-27 15:22 ` Eric W. Biederman
2021-12-27 15:22 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YZa4YbcOyjtD3+pL@fixkernel.com \
--to=quic_qiancai@quicinc.com \
--cc=ebiederm@xmission.com \
--cc=legion@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=yuzhao@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.