Date: Tue, 16 Apr 2019 13:29:59 -0700
From: Zubin Mithra
To: stable@vger.kernel.org
Cc: gregkh@linuxfoundation.org, groeck@chromium.org, daniel@iogearbox.net, ast@kernel.org, kafai@fb.com, songliubraving@fb.com, yhs@fb.com
Subject: 1da6c4d9140c ("bpf: fix use after free in bpf_evict_inode")
Message-ID: <20190416202958.GA3821@google.com>
List-ID: stable@vger.kernel.org

Hello,

Syzkaller has triggered a UAF when fuzzing a 4.19 kernel with the following stacktrace.
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xc8/0x129 lib/dump_stack.c:113
 print_address_description+0x67/0x230 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report+0x24e/0x28c mm/kasan/report.c:412
 get_link fs/namei.c:1152 [inline]
 trailing_symlink+0x593/0x677 fs/namei.c:2326
 path_lookupat.isra.35+0x413/0x5d1 fs/namei.c:2382
 filename_lookup.part.50+0xe1/0x1b7 fs/namei.c:2411
 filename_lookup fs/namei.c:2405 [inline]
 user_path_at_empty+0x59/0x6c fs/namei.c:2677
 user_path include/linux/namei.h:62 [inline]
 do_mount+0x15c/0x17a4 fs/namespace.c:2773
 ksys_mount+0x98/0xcc fs/namespace.c:3052
 __do_sys_mount fs/namespace.c:3066 [inline]
 __se_sys_mount fs/namespace.c:3063 [inline]
 __x64_sys_mount+0xd0/0xdb fs/namespace.c:3063
 do_syscall_64+0xf8/0x133 arch/x86/entry/common.c:291
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Allocated by task 8112:
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0x85/0x93 mm/kasan/kasan.c:553
 slab_post_alloc_hook+0x31/0x55 mm/slab.h:444
 slab_alloc_node mm/slub.c:2706 [inline]
 slab_alloc mm/slub.c:2714 [inline]
 __kmalloc_track_caller+0x100/0x148 mm/slub.c:4290
 kstrdup+0x39/0x63 mm/util.c:56
 bpf_symlink+0x26/0xf4 kernel/bpf/inode.c:356
 vfs_symlink2+0xfc/0x12b fs/namei.c:4238
 do_symlinkat+0x14a/0x1d5 fs/namei.c:4271
 do_syscall_64+0xf8/0x133 arch/x86/entry/common.c:291
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 8116:
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x100/0x122 mm/kasan/kasan.c:521
 slab_free_hook mm/slub.c:1371 [inline]
 slab_free_freelist_hook+0x9a/0xed mm/slub.c:1398
 slab_free mm/slub.c:2953 [inline]
 kfree+0x177/0x212 mm/slub.c:3906
 bpf_evict_inode+0x80/0x107 kernel/bpf/inode.c:565
 evict+0x30b/0x4ce fs/inode.c:558
 iput_final fs/inode.c:1550 [inline]
 iput+0x541/0x551 fs/inode.c:1576
 do_unlinkat+0x2fc/0x403 fs/namei.c:4180
 do_syscall_64+0xf8/0x133 arch/x86/entry/common.c:291
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Could the following patch be applied to 4.19.y?

1da6c4d9140c ("bpf: fix use after free in bpf_evict_inode")

Tests run:
* Chrome OS tryjobs
* Syzkaller reproducer

Thanks,
- Zubin
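A small triage helper, added here as an example and not part of this mail or the kernel tree: it parses the three sections of a KASAN report like the one above and returns, for each, the first frame outside the KASAN/slab plumbing together with the task id, which is how the trace reads as "allocated by bpf_symlink in task 8112, freed by bpf_evict_inode in task 8116, then used by get_link". The sample input is a constructed, shortened copy of the trace above.

```python
import re
# Constructed sample: the three KASAN sections quoted above, cut to a few frames each.
SAMPLE_REPORT = """\
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 kasan_report+0x24e/0x28c mm/kasan/report.c:412
 get_link fs/namei.c:1152 [inline]
 trailing_symlink+0x593/0x677 fs/namei.c:2326
Allocated by task 8112:
 kasan_kmalloc+0x85/0x93 mm/kasan/kasan.c:553
 kstrdup+0x39/0x63 mm/util.c:56
 bpf_symlink+0x26/0xf4 kernel/bpf/inode.c:356
Freed by task 8116:
 __kasan_slab_free+0x100/0x122 mm/kasan/kasan.c:521
 kfree+0x177/0x212 mm/slub.c:3906
 bpf_evict_inode+0x80/0x107 kernel/bpf/inode.c:565
 evict+0x30b/0x4ce fs/inode.c:558
"""

SECTION_RE = re.compile(r"^(Call Trace|Allocated by task (\d+)|Freed by task (\d+)):")
# func[+off/size] file:line [inline]; the offset is absent on inlined frames
FRAME_RE = re.compile(r"^\s*([\w.]+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?\s+(\S+:\d+)")
# Frames present in every KASAN trace that say nothing about the bug itself.
PLUMBING = ("lib/dump_stack.c", "mm/kasan/", "mm/slub.c", "mm/slab", "mm/util.c")
KIND = {"C": "use", "A": "alloc", "F": "free"}  # keyed on the section header

def parse_kasan_report(text):
    # Map each section (use/alloc/free) to its task id and (func, file:line) frames.
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            task = m.group(2) or m.group(3)
            current = {"task": int(task) if task else None, "frames": []}
            sections[KIND[line[0]]] = current
            continue
        f = FRAME_RE.match(line)
        if f and current is not None:
            current["frames"].append((f.group(1), f.group(2)))
    return sections

def triage(text):
    # First frame outside the plumbing is the site a reviewer wants:
    # here get_link (use), bpf_symlink (alloc), bpf_evict_inode (free).
    out = {}
    for kind, sec in parse_kasan_report(text).items():
        func, loc = next(((fn, lc) for fn, lc in sec["frames"]
                          if not lc.startswith(PLUMBING)), (None, None))
        out[kind] = {"func": func, "loc": loc, "task": sec["task"]}
    return out
```

Different task ids on the alloc and free sections, as here, are the first hint that the free races with a lookup still holding the pointer rather than being a plain double use on one path.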