lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <000000000000638c1b057e787822@google.com>
Date:   Wed, 02 Jan 2019 04:06:04 -0800
From:   syzbot <syzbot+87b93137e0280beaeba1@...kaller.appspotmail.com>
To:     linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
        syzkaller-bugs@...glegroups.com, viro@...iv.linux.org.uk
Subject: WARNING: lock held when returning to user space in grab_super

Hello,

syzbot found the following crash on:

HEAD commit:    195303136f19 Merge tag 'kconfig-v4.21-2' of git://git.kern..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=118961fd400000
kernel config:  https://syzkaller.appspot.com/x/.config?x=5e7dc790609552d7
dashboard link: https://syzkaller.appspot.com/bug?extid=87b93137e0280beaeba1
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+87b93137e0280beaeba1@...kaller.appspotmail.com

WARNING: lock held when returning to user space!
4.20.0+ #396 Not tainted
------------------------------------------------
syz-executor0/29677 is leaving the kernel with locks still held!
1 lock held by syz-executor0/29677:
  #0: 00000000ec5f6915 (&type->s_umount_key#43){++++}, at:  
grab_super+0xcc/0x400 fs/super.c:383
kobject: 'loop5' (00000000edd59d60): kobject_uevent_env
kobject: 'loop5' (00000000edd59d60): fill_kobj_path: path  
= '/devices/virtual/block/loop5'
==================================================================
BUG: KASAN: use-after-free in owner_on_cpu kernel/locking/rwsem-xadd.c:367  
[inline]
BUG: KASAN: use-after-free in rwsem_can_spin_on_owner  
kernel/locking/rwsem-xadd.c:384 [inline]
BUG: KASAN: use-after-free in rwsem_optimistic_spin  
kernel/locking/rwsem-xadd.c:437 [inline]
BUG: KASAN: use-after-free in  
__rwsem_down_write_failed_common+0x14ea/0x15e0  
kernel/locking/rwsem-xadd.c:518
Read of size 4 at addr ffff88805631c738 by task syz-executor0/29718

CPU: 0 PID: 29718 Comm: syz-executor0 Not tainted 4.20.0+ #396
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
kobject: 'loop2' (000000006e1a6a52): kobject_uevent_env
Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0x1d3/0x2c6 lib/dump_stack.c:113
  print_address_description.cold.5+0x9/0x1ff mm/kasan/report.c:187
kobject: 'loop2' (000000006e1a6a52): fill_kobj_path: path  
= '/devices/virtual/block/loop2'
  kasan_report.cold.6+0x1b/0x39 mm/kasan/report.c:317
kobject: 'loop1' (0000000042cf1ea5): kobject_uevent_env
  __asan_report_load4_noabort+0x14/0x20 mm/kasan/generic_report.c:134
  owner_on_cpu kernel/locking/rwsem-xadd.c:367 [inline]
  rwsem_can_spin_on_owner kernel/locking/rwsem-xadd.c:384 [inline]
  rwsem_optimistic_spin kernel/locking/rwsem-xadd.c:437 [inline]
  __rwsem_down_write_failed_common+0x14ea/0x15e0  
kernel/locking/rwsem-xadd.c:518
kobject: 'loop1' (0000000042cf1ea5): fill_kobj_path: path  
= '/devices/virtual/block/loop1'
kobject: 'loop2' (000000006e1a6a52): kobject_uevent_env
kobject: 'loop2' (000000006e1a6a52): fill_kobj_path: path  
= '/devices/virtual/block/loop2'
  rwsem_down_write_failed+0xe/0x10 kernel/locking/rwsem-xadd.c:606
  call_rwsem_down_write_failed+0x17/0x30 arch/x86/lib/rwsem.S:117
  __down_write arch/x86/include/asm/rwsem.h:142 [inline]
  down_write+0xa5/0x130 kernel/locking/rwsem.c:72
kobject: 'loop5' (00000000edd59d60): kobject_uevent_env
  grab_super+0xcc/0x400 fs/super.c:383
kobject: 'loop5' (00000000edd59d60): fill_kobj_path: path  
= '/devices/virtual/block/loop5'
  sget_userns+0x435/0xed0 fs/super.c:511
  kernfs_mount_ns+0x1d7/0xa80 fs/kernfs/mount.c:324
  kernfs_mount include/linux/kernfs.h:554 [inline]
  cgroup_do_mount+0xc4/0x330 kernel/cgroup/cgroup.c:2038
  cgroup_mount+0xb6d/0xd30 kernel/cgroup/cgroup.c:2102
  mount_fs+0xae/0x31d fs/super.c:1261
  vfs_kern_mount.part.35+0xdc/0x4f0 fs/namespace.c:961
  vfs_kern_mount fs/namespace.c:951 [inline]
  do_new_mount fs/namespace.c:2469 [inline]
  do_mount+0x581/0x31f0 fs/namespace.c:2801
  ksys_mount+0x12d/0x140 fs/namespace.c:3017
  __do_sys_mount fs/namespace.c:3031 [inline]
  __se_sys_mount fs/namespace.c:3028 [inline]
  __x64_sys_mount+0xbe/0x150 fs/namespace.c:3028
  do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
  entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457ec9
Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7  
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff  
ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fbd6c16dc78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007fbd6c16dc90 RCX: 0000000000457ec9
RDX: 0000000020000200 RSI: 0000000020000080 RDI: 0000000000000000
RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fbd6c16e6d4
R13: 00000000004c3a19 R14: 00000000004d64a8 R15: 0000000000000003

Allocated by task 29676:
  save_stack+0x43/0xd0 mm/kasan/common.c:73
  set_track mm/kasan/common.c:85 [inline]
  kasan_kmalloc+0xcb/0xd0 mm/kasan/common.c:482
  kasan_slab_alloc+0x12/0x20 mm/kasan/common.c:397
  kmem_cache_alloc_node+0x147/0x730 mm/slab.c:3631
  alloc_task_struct_node kernel/fork.c:158 [inline]
  dup_task_struct kernel/fork.c:849 [inline]
  copy_process+0x2027/0x8790 kernel/fork.c:1757
  _do_fork+0x1cb/0x11d0 kernel/fork.c:2222
  __do_sys_clone kernel/fork.c:2329 [inline]
  __se_sys_clone kernel/fork.c:2323 [inline]
  __x64_sys_clone+0xbf/0x150 kernel/fork.c:2323
  do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
  entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 29709:
  save_stack+0x43/0xd0 mm/kasan/common.c:73
  set_track mm/kasan/common.c:85 [inline]
  __kasan_slab_free+0x102/0x150 mm/kasan/common.c:444
  kasan_slab_free+0xe/0x10 mm/kasan/common.c:452
  __cache_free mm/slab.c:3485 [inline]
  kmem_cache_free+0x83/0x290 mm/slab.c:3747
  free_task_struct kernel/fork.c:163 [inline]
  free_task+0x16e/0x1f0 kernel/fork.c:462
  __put_task_struct+0x2e6/0x620 kernel/fork.c:735
  put_task_struct include/linux/sched/task.h:96 [inline]
  delayed_put_task_struct+0x2ff/0x4c0 kernel/exit.c:181
  __rcu_reclaim kernel/rcu/rcu.h:240 [inline]
  rcu_do_batch kernel/rcu/tree.c:2452 [inline]
  invoke_rcu_callbacks kernel/rcu/tree.c:2773 [inline]
  rcu_process_callbacks+0xc5b/0x1600 kernel/rcu/tree.c:2754
  __do_softirq+0x30c/0xb2e kernel/softirq.c:292

The buggy address belongs to the object at ffff88805631c700
  which belongs to the cache task_struct(17:syz0) of size 6080
The buggy address is located 56 bytes inside of
  6080-byte region [ffff88805631c700, ffff88805631dec0)
The buggy address belongs to the page:
page:ffffea000158c700 count:1 mapcount:0 mapping:ffff88808d959e40 index:0x0  
compound_mapcount: 0
flags: 0x1fffc0000010200(slab|head)
raw: 01fffc0000010200 ffffea00023f4688 ffffea0000394788 ffff88808d959e40
raw: 0000000000000000 ffff88805631c700 0000000100000001 ffff88805aa82c00
page dumped because: kasan: bad access detected
page->mem_cgroup:ffff88805aa82c00

Memory state around the buggy address:
  ffff88805631c600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
  ffff88805631c680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ffff88805631c700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                         ^
  ffff88805631c780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
  ffff88805631c800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@...glegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with  
syzbot.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ