Re: KASAN: invalid-free in p9_client_create

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



How about this patch? If it is appropriate, I will send a real one.

    mm/slub: fix slab double-free when release callback of sysfs trigger

    Signed-off-by: Yanfei Xu <yanfei.xu@xxxxxxxxxxxxx>

diff --git a/mm/slub.c b/mm/slub.c
index 4148235ba554..d10c4fbf8c84 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -5653,7 +5653,7 @@ static int sysfs_slab_add(struct kmem_cache *s)
        s->kobj.kset = kset;
err = kobject_init_and_add(&s->kobj, &slab_ktype, NULL, "%s", name);
        if (err) {
-               kobject_put(&s->kobj);
+               kfree_const(&s->kobj.name);
                goto out;
        }
----------------------------------------------------------
Because a previous patch dde3c6b7(mm/slub: fix a memory leak in sysfs_slab_add()) added a kobject_put() in the error path of kobject_init_and_add(). It results the release callback of sysfs, which is kmem_cache_release(), is triggered when get into the error path.

However, we will also free the 'kmem_cache' and 'kmem_cache_node' and 'kmem_cache->name' at the error path of create_cache() when kobject_init_and_add() returns failure. That makes double-free.

About the patch which introduced this issue, I think we could fix it by freeing the leaked memory directly instead of adding kobject_put().

Regards,
Yanfei



On 11/16/20 7:11 PM, Dmitry Vyukov wrote:
[Please note this e-mail is from an EXTERNAL e-mail address]

On Mon, Nov 16, 2020 at 11:30 AM syzbot
<syzbot+3a0f6c96e37e347c6ba9@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

Hello,

syzbot found the following issue on:

HEAD commit:    92edc4ae Add linux-next specific files for 20201113
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=142f8816500000
kernel config:  https://syzkaller.appspot.com/x/.config?x=79ad4f8ad2d96176
dashboard link: https://syzkaller.appspot.com/bug?extid=3a0f6c96e37e347c6ba9
compiler:       gcc (GCC) 10.1.0-syz 20200507

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3a0f6c96e37e347c6ba9@xxxxxxxxxxxxxxxxxxxxxxxxx

Looks like a real double free in slab code. +MM maintainers
Note there was a preceding kmalloc failure in sysfs_slab_add.


RBP: 00007fa358076ca0 R08: 0000000020000080 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000001f
R13: 00007fff7dcf224f R14: 00007fa3580779c0 R15: 000000000118bf2c
kobject_add_internal failed for 9p-fcall-cache (error: -12 parent: slab)
==================================================================
BUG: KASAN: double-free or invalid-free in slab_free mm/slub.c:3157 [inline]
BUG: KASAN: double-free or invalid-free in kmem_cache_free+0x82/0x350 mm/slub.c:3173

CPU: 0 PID: 15981 Comm: syz-executor.5 Not tainted 5.10.0-rc3-next-20201113-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:79 [inline]
  dump_stack+0x107/0x163 lib/dump_stack.c:120
  print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:230
  kasan_report_invalid_free+0x51/0x80 mm/kasan/report.c:355
  ____kasan_slab_free+0x100/0x110 mm/kasan/common.c:352
  kasan_slab_free include/linux/kasan.h:194 [inline]
  slab_free_hook mm/slub.c:1548 [inline]
  slab_free_freelist_hook+0x5d/0x150 mm/slub.c:1586
  slab_free mm/slub.c:3157 [inline]
  kmem_cache_free+0x82/0x350 mm/slub.c:3173
  create_cache mm/slab_common.c:274 [inline]
  kmem_cache_create_usercopy+0x2ab/0x300 mm/slab_common.c:357
  p9_client_create+0xc4d/0x10c0 net/9p/client.c:1063
  v9fs_session_init+0x1dd/0x1770 fs/9p/v9fs.c:406
  v9fs_mount+0x79/0x9b0 fs/9p/vfs_super.c:126
  legacy_get_tree+0x105/0x220 fs/fs_context.c:592
  vfs_get_tree+0x89/0x2f0 fs/super.c:1549
  do_new_mount fs/namespace.c:2896 [inline]
  path_mount+0x12ae/0x1e70 fs/namespace.c:3227
  do_mount fs/namespace.c:3240 [inline]
  __do_sys_mount fs/namespace.c:3448 [inline]
  __se_sys_mount fs/namespace.c:3425 [inline]
  __x64_sys_mount+0x27f/0x300 fs/namespace.c:3425
  do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
  entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45deb9
Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fa358076c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000000021800 RCX: 000000000045deb9
RDX: 0000000020000100 RSI: 0000000020000040 RDI: 0000000000000000
RBP: 00007fa358076ca0 R08: 0000000020000080 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000001f
R13: 00007fff7dcf224f R14: 00007fa3580779c0 R15: 000000000118bf2c

Allocated by task 15981:
  kasan_save_stack+0x1b/0x40 mm/kasan/common.c:39
  kasan_set_track mm/kasan/common.c:47 [inline]
  set_alloc_info mm/kasan/common.c:403 [inline]
  ____kasan_kmalloc.constprop.0+0x82/0xa0 mm/kasan/common.c:434
  kasan_slab_alloc include/linux/kasan.h:211 [inline]
  slab_post_alloc_hook mm/slab.h:512 [inline]
  slab_alloc_node mm/slub.c:2903 [inline]
  slab_alloc mm/slub.c:2911 [inline]
  kmem_cache_alloc+0x12a/0x470 mm/slub.c:2916
  kmem_cache_zalloc include/linux/slab.h:672 [inline]
  create_cache mm/slab_common.c:251 [inline]
  kmem_cache_create_usercopy+0x1a6/0x300 mm/slab_common.c:357
  p9_client_create+0xc4d/0x10c0 net/9p/client.c:1063
  v9fs_session_init+0x1dd/0x1770 fs/9p/v9fs.c:406
  v9fs_mount+0x79/0x9b0 fs/9p/vfs_super.c:126
  legacy_get_tree+0x105/0x220 fs/fs_context.c:592
  vfs_get_tree+0x89/0x2f0 fs/super.c:1549
  do_new_mount fs/namespace.c:2896 [inline]
  path_mount+0x12ae/0x1e70 fs/namespace.c:3227
  do_mount fs/namespace.c:3240 [inline]
  __do_sys_mount fs/namespace.c:3448 [inline]
  __se_sys_mount fs/namespace.c:3425 [inline]
  __x64_sys_mount+0x27f/0x300 fs/namespace.c:3425
  do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
  entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 15981:
  kasan_save_stack+0x1b/0x40 mm/kasan/common.c:39
  kasan_set_track+0x1c/0x30 mm/kasan/common.c:47
  kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:359
  ____kasan_slab_free+0xe1/0x110 mm/kasan/common.c:373
  kasan_slab_free include/linux/kasan.h:194 [inline]
  slab_free_hook mm/slub.c:1548 [inline]
  slab_free_freelist_hook+0x5d/0x150 mm/slub.c:1586
  slab_free mm/slub.c:3157 [inline]
  kmem_cache_free+0x82/0x350 mm/slub.c:3173
  kobject_cleanup lib/kobject.c:705 [inline]
  kobject_release lib/kobject.c:736 [inline]
  kref_put include/linux/kref.h:65 [inline]
  kobject_put+0x1c8/0x540 lib/kobject.c:753
  sysfs_slab_add+0x164/0x1d0 mm/slub.c:5656
  __kmem_cache_create+0x471/0x5a0 mm/slub.c:4476
  create_cache mm/slab_common.c:262 [inline]
  kmem_cache_create_usercopy+0x1ed/0x300 mm/slab_common.c:357
  p9_client_create+0xc4d/0x10c0 net/9p/client.c:1063
  v9fs_session_init+0x1dd/0x1770 fs/9p/v9fs.c:406
  v9fs_mount+0x79/0x9b0 fs/9p/vfs_super.c:126
  legacy_get_tree+0x105/0x220 fs/fs_context.c:592
  vfs_get_tree+0x89/0x2f0 fs/super.c:1549
  do_new_mount fs/namespace.c:2896 [inline]
  path_mount+0x12ae/0x1e70 fs/namespace.c:3227
  do_mount fs/namespace.c:3240 [inline]
  __do_sys_mount fs/namespace.c:3448 [inline]
  __se_sys_mount fs/namespace.c:3425 [inline]
  __x64_sys_mount+0x27f/0x300 fs/namespace.c:3425
  do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
  entry_SYSCALL_64_after_hwframe+0x44/0xa9

The buggy address belongs to the object at ffff888013a45b40
  which belongs to the cache kmem_cache of size 224
The buggy address is located 0 bytes inside of
  224-byte region [ffff888013a45b40, ffff888013a45c20)
The buggy address belongs to the page:
page:00000000cfbbc7ff refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888013a45c80 pfn:0x13a45
flags: 0xfff00000000200(slab)
raw: 00fff00000000200 dead000000000100 dead000000000122 ffff888010041000
raw: ffff888013a45c80 00000000800c0004 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
  ffff888013a45a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
  ffff888013a45a80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
ffff888013a45b00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
                                            ^
  ffff888013a45b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
  ffff888013a45c00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@xxxxxxxxxxxxxxxx.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

--
You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@xxxxxxxxxxxxxxxx.
To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/0000000000006ef45b05b436ddb4%40google.com.





[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Bugtraq]     [Linux OMAP]     [Linux MIPS]     [eCos]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux