Date: Wed, 17 Apr 2019 12:00:20 -0400
From: Sasha Levin
To: Zubin Mithra
Cc: stable@vger.kernel.org, gregkh@linuxfoundation.org, groeck@chromium.org, daniel@iogearbox.net, ast@kernel.org, kafai@fb.com, songliubraving@fb.com, yhs@fb.com
Subject: Re: 1da6c4d9140c ("bpf: fix use after free in bpf_evict_inode")
Message-ID: <20190417160020.GB435@sasha-vm>
References: <20190416202958.GA3821@google.com>
In-Reply-To: <20190416202958.GA3821@google.com>
X-Mailing-List: stable@vger.kernel.org

On Tue, Apr 16, 2019 at 01:29:59PM -0700, Zubin Mithra wrote:
>Hello,
>
>Syzkaller has triggered a UAF when fuzzing a 4.19 kernel with the following stacktrace.
>
>Call Trace:
> __dump_stack lib/dump_stack.c:77 [inline]
> dump_stack+0xc8/0x129 lib/dump_stack.c:113
> print_address_description+0x67/0x230 mm/kasan/report.c:256
> kasan_report_error mm/kasan/report.c:354 [inline]
> kasan_report+0x24e/0x28c mm/kasan/report.c:412
> get_link fs/namei.c:1152 [inline]
> trailing_symlink+0x593/0x677 fs/namei.c:2326
> path_lookupat.isra.35+0x413/0x5d1 fs/namei.c:2382
> filename_lookup.part.50+0xe1/0x1b7 fs/namei.c:2411
> filename_lookup fs/namei.c:2405 [inline]
> user_path_at_empty+0x59/0x6c fs/namei.c:2677
> user_path include/linux/namei.h:62 [inline]
> do_mount+0x15c/0x17a4 fs/namespace.c:2773
> ksys_mount+0x98/0xcc fs/namespace.c:3052
> __do_sys_mount fs/namespace.c:3066 [inline]
> __se_sys_mount fs/namespace.c:3063 [inline]
> __x64_sys_mount+0xd0/0xdb fs/namespace.c:3063
> do_syscall_64+0xf8/0x133 arch/x86/entry/common.c:291
> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
>Allocated by task 8112:
> set_track mm/kasan/kasan.c:460 [inline]
> kasan_kmalloc+0x85/0x93 mm/kasan/kasan.c:553
> slab_post_alloc_hook+0x31/0x55 mm/slab.h:444
> slab_alloc_node mm/slub.c:2706 [inline]
> slab_alloc mm/slub.c:2714 [inline]
> __kmalloc_track_caller+0x100/0x148 mm/slub.c:4290
> kstrdup+0x39/0x63 mm/util.c:56
> bpf_symlink+0x26/0xf4 kernel/bpf/inode.c:356
> vfs_symlink2+0xfc/0x12b fs/namei.c:4238
> do_symlinkat+0x14a/0x1d5 fs/namei.c:4271
> do_syscall_64+0xf8/0x133 arch/x86/entry/common.c:291
> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
>Freed by task 8116:
> set_track mm/kasan/kasan.c:460 [inline]
> __kasan_slab_free+0x100/0x122 mm/kasan/kasan.c:521
> slab_free_hook mm/slub.c:1371 [inline]
> slab_free_freelist_hook+0x9a/0xed mm/slub.c:1398
> slab_free mm/slub.c:2953 [inline]
> kfree+0x177/0x212 mm/slub.c:3906
> bpf_evict_inode+0x80/0x107 kernel/bpf/inode.c:565
> evict+0x30b/0x4ce fs/inode.c:558
> iput_final fs/inode.c:1550 [inline]
> iput+0x541/0x551 fs/inode.c:1576
> do_unlinkat+0x2fc/0x403 fs/namei.c:4180
> do_syscall_64+0xf8/0x133 arch/x86/entry/common.c:291
> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
>Could the following patch be applied to 4.19.y?
>1da6c4d9140c ("bpf: fix use after free in bpf_evict_inode")
>
>Tests run:
>* Chrome OS tryjobs
>* Syzkaller reproducer

I've queued it up, thanks again for all these tests!

--
Thanks,
Sasha