On Mon, Jun 10, 2019 at 09:05:06PM -0700, syzbot wrote: > Hello, > > syzbot found the following crash on: > > HEAD commit: d1fdb6d8 Linux 5.2-rc4 > git tree: upstream > console output: https://syzkaller.appspot.com/x/log.txt?x=12b30acaa00000 > kernel config: https://syzkaller.appspot.com/x/.config?x=fa9f7e1b6a8bb586 > dashboard link: https://syzkaller.appspot.com/bug?extid=99de05d099a170867f22 > compiler: gcc (GCC) 9.0.0 20181231 (experimental) > userspace arch: i386 > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1114dc46a00000 > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17eade6aa00000 > > The bug was bisected to: > > commit 9c8ad7a2ff0bfe58f019ec0abc1fb965114dde7d > Author: David Howells <dhowells@xxxxxxxxxx> > Date: Thu May 16 11:52:27 2019 +0000 > > uapi, x86: Fix the syscall numbering of the mount API syscalls [ver #2] > > bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=15c9f91ea00000 > final crash: https://syzkaller.appspot.com/x/report.txt?x=17c9f91ea00000 > console output: https://syzkaller.appspot.com/x/log.txt?x=13c9f91ea00000 > > IMPORTANT: if you fix the bug, please add the following tag to the commit: > Reported-by: syzbot+99de05d099a170867f22@xxxxxxxxxxxxxxxxxxxxxxxxx > Fixes: 9c8ad7a2ff0b ("uapi, x86: Fix the syscall numbering of the mount API > syscalls [ver #2]") > > ================================================================== > BUG: KASAN: use-after-free in mntput+0x91/0xa0 fs/namespace.c:1207 > Read of size 4 at addr ffff88808f661124 by task syz-executor817/8955 > > CPU: 1 PID: 8955 Comm: syz-executor817 Not tainted 5.2.0-rc4 #18 > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS > Google 01/01/2011 > Call Trace: > __dump_stack lib/dump_stack.c:77 [inline] > dump_stack+0x172/0x1f0 lib/dump_stack.c:113 > print_address_description.cold+0x7c/0x20d mm/kasan/report.c:188 > __kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317 > kasan_report+0x12/0x20 mm/kasan/common.c:614 > __asan_report_load4_noabort+0x14/0x20 mm/kasan/generic_report.c:131 > mntput+0x91/0xa0 fs/namespace.c:1207 > path_put+0x50/0x70 fs/namei.c:483 > free_fs_struct+0x25/0x70 fs/fs_struct.c:91 > exit_fs+0xf0/0x130 fs/fs_struct.c:108 > do_exit+0x8e0/0x2fa0 kernel/exit.c:873 > do_group_exit+0x135/0x370 kernel/exit.c:981 > __do_sys_exit_group kernel/exit.c:992 [inline] > __se_sys_exit_group kernel/exit.c:990 [inline] > __ia32_sys_exit_group+0x44/0x50 kernel/exit.c:990 > do_syscall_32_irqs_on arch/x86/entry/common.c:337 [inline] > do_fast_syscall_32+0x27b/0xd7d arch/x86/entry/common.c:408 > entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139 > RIP: 0023:0xf7f16849 > Code: 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 14 24 c3 8b 3c 24 c3 90 90 > 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 > 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90 > RSP: 002b:00000000ffe4f85c EFLAGS: 00000296 ORIG_RAX: 00000000000000fc > RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000080ed2b8 > RDX: 0000000000000000 RSI: 00000000080d71fc RDI: 00000000080ed2c0 > RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000 > R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 > R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 > > Allocated by task 8955: > save_stack+0x23/0x90 mm/kasan/common.c:71 > set_track mm/kasan/common.c:79 [inline] > __kasan_kmalloc mm/kasan/common.c:489 [inline] > __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:462 > kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:497 > slab_post_alloc_hook mm/slab.h:437 [inline] > slab_alloc mm/slab.c:3326 [inline] > kmem_cache_alloc+0x11a/0x6f0 mm/slab.c:3488 > kmem_cache_zalloc include/linux/slab.h:732 [inline] > alloc_vfsmnt+0x28/0x780 fs/namespace.c:182 > vfs_create_mount+0x96/0x500 fs/namespace.c:961 > __do_sys_fsmount fs/namespace.c:3423 [inline] > __se_sys_fsmount fs/namespace.c:3340 [inline] > __ia32_sys_fsmount+0x584/0xc80 fs/namespace.c:3340 > do_syscall_32_irqs_on arch/x86/entry/common.c:337 [inline] > do_fast_syscall_32+0x27b/0xd7d arch/x86/entry/common.c:408 > entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139 > > Freed by task 16: > save_stack+0x23/0x90 mm/kasan/common.c:71 > set_track mm/kasan/common.c:79 [inline] > __kasan_slab_free+0x102/0x150 mm/kasan/common.c:451 > kasan_slab_free+0xe/0x10 mm/kasan/common.c:459 > __cache_free mm/slab.c:3432 [inline] > kmem_cache_free+0x86/0x260 mm/slab.c:3698 > free_vfsmnt+0x6f/0x90 fs/namespace.c:559 > delayed_free_vfsmnt+0x16/0x20 fs/namespace.c:564 > __rcu_reclaim kernel/rcu/rcu.h:222 [inline] > rcu_do_batch kernel/rcu/tree.c:2092 [inline] > invoke_rcu_callbacks kernel/rcu/tree.c:2310 [inline] > rcu_core+0xba5/0x1500 kernel/rcu/tree.c:2291 > __do_softirq+0x25c/0x94c kernel/softirq.c:292 > > The buggy address belongs to the object at ffff88808f661000 > which belongs to the cache mnt_cache of size 432 > The buggy address is located 292 bytes inside of > 432-byte region [ffff88808f661000, ffff88808f6611b0) > The buggy address belongs to the page: > page:ffffea00023d9840 refcount:1 mapcount:0 mapping:ffff8880aa594940 > index:0x0 > flags: 0x1fffc0000000200(slab) > raw: 01fffc0000000200 ffffea0002a35e08 ffffea00022a3f08 ffff8880aa594940 > raw: 0000000000000000 ffff88808f661000 0000000100000008 0000000000000000 > page dumped because: kasan: bad access detected > > Memory state around the buggy address: > ffff88808f661000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > ffff88808f661080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > > ffff88808f661100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > ^ > ffff88808f661180: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc > ffff88808f661200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > ================================================================== > > > --- > This bug is generated by a bot. It may contain errors. > See https://goo.gl/tpsmEJ for more information about syzbot. > syzbot engineers can be reached at syzkaller@xxxxxxxxxxxxxxxx. > > syzbot will keep track of this bug report. See: > https://goo.gl/tpsmEJ#status for how to communicate with syzbot. > For information about bisection process see: https://goo.gl/tpsmEJ#bisection > syzbot can test patches for this bug, for details see: > https://goo.gl/tpsmEJ#testing-patches > Same as https://marc.info/?l=linux-fsdevel&m=156017950130792&w=2 #syz dup: BUG: Dentry still in use [unmount of tmpfs tmpfs] Also, patch sent: https://patchwork.kernel.org/patch/10990715/ ("vfs: fsmount: add missing mntget()"). - Eric