On Sun, Mar 5, 2017 at 12:24 PM, Dmitry Vyukov <dvyukov@xxxxxxxxxx> wrote: >>>> On Sat, Mar 04, 2017 at 03:59:36PM +0100, Dmitry Vyukov wrote: >>>> >>>>> I am getting the following use-after-free reports while running >>>>> syzkaller fuzzer on 86292b33d4b79ee03e2f43ea0381ef85f077c760 (but also >>>>> happened on 6dc39c50e4aeb769c8ae06edf2b1a732f3490913 and >>>>> c82be9d2244aacea9851c86f4fb74694c99cd874). >>>> >>>> IOW, it's not fs/namei.c patches from this window... >>>> >>>>> unlazy_walk+0xf2/0x4b0 fs/namei.c:692 >>>> >>>> Could you post disassembly (e.g. from objdump -d) of your unlazy_walk()? >>>> For the kernel the trace is from... >>>> >>>>> r4 = memfd_create(&(0x7f0000013000)="2f6465762f6877726e6700", 0x0) >>>>> name_to_handle_at(r4, &(0x7f0000003000-0x6)="2e2f62757300", >>>>> &(0x7f0000003000-0xd)={0xc, 0x0, "cd21"}, &(0x7f0000002000)=0x0, >>>>> 0x1000) >>>>> >>>>> What's strange is that dirfd passed to name_to_handle_at is memfd >>>>> handle (sic). And path lookup somehow does not fail early on this. >>>>> Does it make any sense? >>>> >>>> It doesn't, but is that the triggering call of name_to_handle_at(), or do you >>>> have it called elsewhere? I am pretty sure it is that one. I don't think I ever used name_to_handle_at syscall in my life and I definitely didn't make it lookup a memfd :) >>>> FWIW, no LOOKUP_ROOT in filename_lookup() flags + NULL root + dfd not >>>> equal to AT_FDCWD + non-empty name should've ended up in >>>> if (!d_can_lookup(dentry)) { >>>> fdput(f); >>>> return ERR_PTR(-ENOTDIR); >>>> } >>>> in path_init() and it shouldn't have progressed any further. And in case >>>> of name_to_handle_at() we have user_path_at(dfd, name, lookup_flags, &path), >>>> i.e. user_path_at_empty(dfd, name, lookup_flags, &path, NULL), i.e. >>>> filename_lookup(dfd, getname_flags(name, lookup_flags, NULL), lookup_flags, >>>> &path, NULL). IOW, filename_lookup() is called with root equal to NULL, >>>> dfd and name coming straight from userland and lookup_flags containing >>>> nothing beyond LOOKUP_EMPTY and LOOKUP_FOLLOW... > Yes, but still it somehow happens... I've added this diff: --- a/fs/namei.c +++ b/fs/namei.c @@ -2213,6 +2213,7 @@ static const char *path_init(struct nameidata *nd, unsigned flags) dentry = f.file->f_path.dentry; +pr_err("%d: path_init: s=%s flags=%d\n", current->pid, s, dentry->d_flags); if (*s) { if (!d_can_lookup(dentry)) { fdput(f); Most of the time flags are 4194304, but occasionally they are 5243016: [ 172.559822] 21279: path_init: s= flags=4194304 [ 172.572357] 21275: path_init: s= flags=4194304 [ 172.605964] 21297: path_init: s= flags=4194304 [ 172.609712] 21301: path_init: s= flags=4194304 [ 172.620832] 21287: path_init: s= flags=4194304 [ 172.651228] 21288: path_init: s= flags=4194304 [ 172.660516] 21306: path_init: s= flags=4194304 [ 172.689294] 21308: path_init: s= flags=4194304 [ 172.689743] 21281: path_init: s= flags=4194304 [ 172.705908] 21313: path_init: s= flags=4194304 [ 172.755287] 21297: path_init: s= flags=5243016 [ 172.762358] 21306: path_init: s= flags=4194304 [ 172.763248] 21306: path_init: s= flags=4194304 [ 172.766700] 21317: path_init: s= flags=4194304 [ 172.775612] 21313: path_init: s= flags=4194304 [ 172.797624] 21308: path_init: s= flags=4194304 [ 172.798709] 21328: path_init: s= flags=4194304 [ 172.800170] 21322: path_init: s= flags=4194304 ... [ 179.202077] 22190: path_init: s= flags=4194304 [ 179.209753] 22189: path_init: s= flags=4194304 [ 179.211614] 22187: path_init: s= flags=4194304 [ 179.223048] 22165: path_init: s= flags=4194304 [ 179.271114] 22195: path_init: s= flags=4194304 [ 179.290350] 22182: path_init: s= flags=4194304 [ 179.301246] 22189: path_init: s= flags=4194304 [ 179.325996] 22202: path_init: s= flags=4194304 [ 179.327900] 22203: path_init: s= flags=4194304 [ 179.349044] 22195: path_init: s= flags=4194304 [ 179.363826] 22211: path_init: s= flags=4194304 [ 179.364938] 22207: path_init: s= flags=4194304 [ 179.364985] 22206: path_init: s= flags=4194304 [ 179.415240] 22214: path_init: s= flags=4194304 [ 179.464470] 22219: path_init: s= flags=4194304 [ 179.484437] 22225: path_init: s= flags=4194304 [ 179.489139] 22207: path_init: s= flags=4194304 [ 179.495212] 22206: path_init: s= flags=4194304 [ 179.521143] 22216: path_init: s= flags=4194304 [ 179.526780] 22228: path_init: s= flags=4194304 [ 179.540650] 22227: path_init: s= flags=4194304 [ 179.545824] 22225: path_init: s= flags=4194304 [ 179.574581] 22214: path_init: s= flags=4194304 [ 179.577168] 22236: path_init: s= flags=4194304 [ 179.618489] 22240: path_init: s= flags=4194304 [ 179.644057] 22243: path_init: s= flags=4194304 [ 179.647793] 22228: path_init: s= flags=4194304 [ 179.680428] 22248: path_init: s= flags=4194304 [ 179.716533] 22240: path_init: s= flags=4194304 [ 179.720363] 22227: path_init: s= flags=4194304 [ 179.721421] 22236: path_init: s= flags=4194304 [ 179.722195] 22249: path_init: s= flags=4194304 [ 179.729854] 22252: path_init: s= flags=4194304 [ 179.772353] 22248: path_init: s= flags=5243016 [ 179.778042] 22243: path_init: s= flags=4194304 [ 179.779056] ================================================================== [ 179.779707] BUG: KASAN: use-after-free in perf_trace_lock_acquire+0x9cf/0xa00 at addr ffff88005c34c930 [ 179.780010] Read of size 8 by task syz-executor/22243 [ 179.780010] CPU: 2 PID: 22243 Comm: syz-executor Not tainted 4.10.0+ #294 [ 179.781396] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 [ 179.782914] Call Trace: [ 179.782914] dump_stack+0x2fb/0x3fd [ 179.782914] ? arch_local_irq_restore+0x53/0x53 [ 179.782914] ? vprintk_emit+0x566/0x770 [ 179.782914] ? console_unlock+0xf50/0xf50 [ 179.782914] ? console_unlock+0xf50/0xf50 [ 179.782914] ? lock_set_class+0xc00/0xc00 [ 179.782914] ? __lock_is_held+0xb6/0x140 [ 179.782914] ? check_noncircular+0x20/0x20 [ 179.782914] ? lock_set_class+0xc00/0xc00 [ 179.782914] ? __handle_mm_fault+0x1c84/0x2cd0 [ 179.782914] ? vprintk_default+0x28/0x30 [ 179.789989] ? vprintk_func+0x47/0x90 [ 179.789989] ? printk+0xc8/0xf9 [ 179.789989] ? load_image_and_restore+0x134/0x134 [ 179.789989] kasan_object_err+0x1c/0x90 [ 179.789989] kasan_report.part.2+0x1b0/0x460 [ 179.789989] ? kasan_check_write+0x14/0x20 [ 179.789989] ? do_raw_spin_lock+0xbd/0x1f0 [ 179.789989] ? perf_trace_lock_acquire+0x9cf/0xa00 [ 179.789989] __asan_report_load8_noabort+0x29/0x30 [ 179.789989] perf_trace_lock_acquire+0x9cf/0xa00 [ 179.789989] ? RECLAIM_FS_verbose+0x10/0x10 [ 179.789989] ? mark_held_locks+0x100/0x100 [ 179.789989] ? mark_held_locks+0x100/0x100 [ 179.789989] ? __do_page_fault+0x51b/0xb60 [ 179.789989] ? lock_acquire+0x630/0x630 [ 179.789989] ? memset+0x31/0x40 [ 179.789989] lock_acquire+0x473/0x630 [ 179.789989] ? lockref_get_not_dead+0x19/0x80 [ 179.789989] ? lock_set_class+0xc00/0xc00 [ 179.789989] ? trace_hardirqs_on_caller+0x545/0x6f0 [ 179.789989] ? mark_held_locks+0x100/0x100 [ 179.789989] ? trace_hardirqs_on_caller+0x545/0x6f0 [ 179.789989] ? mark_held_locks+0x100/0x100 [ 179.789989] ? mark_held_locks+0x100/0x100 [ 179.789989] ? retint_kernel+0x10/0x10 [ 179.789989] ? trace_hardirqs_on_caller+0x545/0x6f0 [ 179.789989] ? mark_held_locks+0x100/0x100 [ 179.789989] ? trace_hardirqs_on_caller+0x545/0x6f0 [ 179.789989] ? mark_held_locks+0x100/0x100 [ 179.789989] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 179.789989] ? retint_kernel+0x10/0x10 [ 179.789989] _raw_spin_lock+0x33/0x50 [ 179.789989] ? lockref_get_not_dead+0x19/0x80 [ 179.789989] lockref_get_not_dead+0x19/0x80 [ 179.789989] legitimize_path.isra.36+0x7d/0x1a0 [ 179.789989] unlazy_walk+0xf2/0x4b0 [ 179.789989] complete_walk+0xb2/0x1f0 [ 179.789989] path_lookupat+0x1c1/0x400 [ 179.789989] filename_lookup+0x282/0x540 [ 179.789989] ? filename_parentat+0x5b0/0x5b0 [ 179.806362] ? kmem_cache_alloc+0x3f5/0x6e0 [ 179.806648] ? getname_flags+0x256/0x580 [ 179.806648] user_path_at_empty+0x40/0x50 [ 179.806648] SyS_name_to_handle_at+0xff/0x720 [ 179.806648] ? vfs_dentry_acceptable+0x10/0x10 [ 179.806648] ? retint_kernel+0x10/0x10 [ 179.806648] entry_SYSCALL_64_fastpath+0x1f/0xc2 [ 179.806648] RIP: 0033:0x4458d9 [ 179.806648] RSP: 002b:00007faa1547cb58 EFLAGS: 00000286 ORIG_RAX: 000000000000012f [ 179.806648] RAX: ffffffffffffffda RBX: 0000000000000050 RCX: 00000000004458d9 [ 179.806648] RDX: 0000000020002ff3 RSI: 0000000020002ffa RDI: 0000000000000050 [ 179.806648] RBP: 00000000006e11b0 R08: 0000000000001000 R09: 0000000000000000 [ 179.806648] R10: 0000000020002000 R11: 0000000000000286 R12: 0000000000708000 [ 179.806648] R13: 0000000000000000 R14: 00007faa1547d9c0 R15: 00007faa1547d700 [ 179.806648] Object at ffff88005c34c880, in cache dentry size: 288 [ 179.814491] 22252: path_init: s= flags=4194304 [ 179.806648] Allocated: [ 179.806648] PID = 22260 [ 179.806648] save_stack_trace+0x16/0x20 [ 179.806648] save_stack+0x43/0xd0 [ 179.816189] kasan_kmalloc+0xaa/0xd0 [ 179.816189] kasan_slab_alloc+0x12/0x20 [ 179.816189] kmem_cache_alloc+0x102/0x6e0 [ 179.816189] __d_alloc+0xb3/0xbb0 [ 179.816189] d_alloc_pseudo+0x1d/0x30 [ 179.816189] __shmem_file_setup+0x20c/0x5a0 [ 179.816189] SyS_memfd_create+0x172/0x2c0 [ 179.816189] entry_SYSCALL_64_fastpath+0x1f/0xc2 [ 179.816189] Freed: [ 179.816189] PID = 22265 [ 179.816189] save_stack_trace+0x16/0x20 [ 179.816189] save_stack+0x43/0xd0 [ 179.816189] kasan_slab_free+0x6f/0xb0 [ 179.816189] kmem_cache_free+0x71/0x240 [ 179.816189] dentry_free+0xd5/0x160 [ 179.816189] __dentry_kill+0x471/0x6d0 [ 179.816189] dput.part.25+0x5ce/0x7c0 [ 179.816189] dput+0x1f/0x30 [ 179.816189] __fput+0x538/0x800 [ 179.816189] ____fput+0x15/0x20 [ 179.816189] task_work_run+0x197/0x260 [ 179.816189] exit_to_usermode_loop+0x23b/0x2a0 [ 179.816189] syscall_return_slowpath+0x4d3/0x570 [ 179.816189] entry_SYSCALL_64_fastpath+0xc0/0xc2 [ 179.816189] Disposed: [ 179.816189] PID = 21945 [ 179.816189] save_stack_trace+0x16/0x20 [ 179.816189] save_stack+0x43/0xd0 [ 179.816189] kasan_set_rcu_track+0xcf/0xf0 [ 179.816189] __call_rcu.constprop.77+0x1d6/0x15a0 [ 179.816189] call_rcu_sched+0x12/0x20 [ 179.816189] dentry_free+0xb7/0x160 [ 179.816189] __dentry_kill+0x471/0x6d0 [ 179.816189] dput.part.25+0x4fe/0x7c0 [ 179.816189] dput+0x1f/0x30 [ 179.816189] __debugfs_remove.part.10+0xb8/0xf0 [ 179.816189] debugfs_remove+0xea/0x1f0 [ 179.816189] bdi_unregister+0x2f9/0x550 [ 179.816189] bdi_destroy+0x15/0x20 [ 179.816189] v9fs_session_init+0x905/0x1a30 [ 179.816189] v9fs_mount+0x81/0x830 [ 179.816189] mount_fs+0x97/0x2e0 [ 179.816189] vfs_kern_mount.part.23+0xc6/0x490 [ 179.816189] do_mount+0x418/0x2da0 [ 179.816189] SyS_mount+0xab/0x120 [ 179.816189] entry_SYSCALL_64_fastpath+0x1f/0xc2 [ 179.816189] Memory state around the buggy address: [ 179.816189] ffff88005c34c800: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 179.816189] ffff88005c34c880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 179.816189] >ffff88005c34c900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 179.816189] ^ [ 179.816189] ffff88005c34c980: fb fb fb fb fc fc fc fc fc fc fc fc 00 00 00 00 [ 179.816189] ffff88005c34ca00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 179.816189] ==================================================================