From: Christian Brauner <christian.brauner@ubuntu.com>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: syzbot <syzbot+283ce5a46486d6acdbaf@syzkaller.appspotmail.com>,
brauner@kernel.org, Dmitry Vyukov <dvyukov@google.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
gscrivan@redhat.com, Christoph Hellwig <hch@lst.de>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
stable-commits@vger.kernel.org, stable <stable@vger.kernel.org>,
syzkaller-bugs <syzkaller-bugs@googlegroups.com>,
Al Viro <viro@zeniv.linux.org.uk>
Subject: Re: [syzbot] KASAN: null-ptr-deref Read in filp_close (2)
Date: Wed, 14 Jul 2021 09:59:25 +0200 [thread overview]
Message-ID: <20210714075925.jtlfrhhuj4bzff3m@wittgenstein> (raw)
In-Reply-To: <CAHk-=wgWv1s1FbTxS+T7kbF-7LLm9Nz1eC+WBn+kr1WdYGtisA@mail.gmail.com>
On Tue, Jul 13, 2021 at 11:49:14AM -0700, Linus Torvalds wrote:
> On Mon, Jul 12, 2021 at 9:12 PM syzbot
> <syzbot+283ce5a46486d6acdbaf@syzkaller.appspotmail.com> wrote:
> >
> > syzbot has found a reproducer for the following issue on:
>
> Hmm.
>
> This issue is reported to have been already fixed:
>
> Fix commit: 9b5b8722 file: fix close_range() for unshare+cloexec
>
> and that fix is already in the reported HEAD commit:
>
> > HEAD commit: 7fef2edf sd: don't mess with SD_MINORS for CONFIG_DEBUG_BL..
>
> and the oops report clearly is from that:
>
> > CPU: 1 PID: 8445 Comm: syz-executor493 Not tainted 5.14.0-rc1-syzkaller #0
>
> so the alleged fix is already there.
>
> So clearly commit 9b5b872215fe ("file: fix close_range() for
> unshare+cloexec") does *NOT* fix the issue.
>
> This was originally bisected to that 582f1fb6b721 ("fs, close_range:
> add flag CLOSE_RANGE_CLOEXEC") in
>
> https://syzkaller.appspot.com/bug?id=1bef50bdd9622a1969608d1090b2b4a588d0c6ac
>
> which is where the "fix" is from.
>
> It would probably be good if sysbot made this kind of "hey, it was
> reported fixed, but it's not" very clear.
>
> The KASAN report looks like a use-after-free, and that "use" is
> actually the sanity check that the file count is non-zero, so it's
> really a "struct file *" that has already been free'd.
>
> That bogus free is a regular close() system call
>
> > filp_close+0x22/0x170 fs/open.c:1306
> > close_fd+0x5c/0x80 fs/file.c:628
> > __do_sys_close fs/open.c:1331 [inline]
> > __se_sys_close fs/open.c:1329 [inline]
>
> And it was opened by a "creat()" system call:
>
> > Allocated by task 8445:
> > __alloc_file+0x21/0x280 fs/file_table.c:101
> > alloc_empty_file+0x6d/0x170 fs/file_table.c:150
> > path_openat+0xde/0x27f0 fs/namei.c:3493
> > do_filp_open+0x1aa/0x400 fs/namei.c:3534
> > do_sys_openat2+0x16d/0x420 fs/open.c:1204
> > do_sys_open fs/open.c:1220 [inline]
> > __do_sys_creat fs/open.c:1294 [inline]
> > __se_sys_creat fs/open.c:1288 [inline]
> > __x64_sys_creat+0xc9/0x120 fs/open.c:1288
> > do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> > do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
> > entry_SYSCALL_64_after_hwframe+0x44/0xae
>
> But it has apparently already been closed from a workqueue:
>
> > Freed by task 8445:
> > __fput+0x288/0x920 fs/file_table.c:280
> > task_work_run+0xdd/0x1a0 kernel/task_work.c:164
>
> So it's some kind of confusion and re-use of a struct file pointer.
>
> Which is certainly consistent with the "fix" in 9b5b872215fe ("file:
> fix close_range() for unshare+cloexec"), but it very much looks like
> that fix was incomplete and not the full story.
>
> Some fdtable got re-allocated? The fix that wasn't a fix ends up
> re-checking the maximum file number under the file_lock, but there's
> clearly something else going on too.
>
> Christian?
Looking into this now.
I have to say I'm very confused by the syzkaller report here.
If I go to
https://syzkaller.appspot.com/bug?extid=283ce5a46486d6acdbaf
which is the original link in the report it shows me
android-54 KASAN: use-after-free Read in filp_close C 2 183d 183d 0/1 upstream: reported C repro on 2021/01/11 12:38
which seems to indicate that this happened on an Android specific 5.4
kernel?
But ok, so I click on the link "upstream: reported C repro on 2021/01/11 12:38"
which takes me to a google group
https://groups.google.com/g/syzkaller-android-bugs/c/FQj0qcRSy_M/m/wrY70QFzBAAJ
which again strongly indicates that this is an Android specific kernel?
HEAD commit: c9951e5d Merge 5.4.88 into android12-5.4
git tree: android12-5.4
but then I can click on the dashboard link for that crash report and it
takes me to:
https://syzkaller.appspot.com/bug?extid=53897bcb31b82c7a08fe
which seems to be the upstream report?
So I'm a bit confused whether I'm even looking at the correct bug report
but I'll just give the repro a try and see what's going on.
Christian
next prev parent reply other threads:[~2021-07-14 7:59 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-26 7:55 [syzbot] KASAN: null-ptr-deref Read in filp_close (2) syzbot
2021-03-26 8:02 ` Dmitry Vyukov
2021-03-26 9:12 ` Christian Brauner
2021-03-26 9:21 ` Dmitry Vyukov
[not found] ` <CAHrFyr7iUpMh4sicxrMWwaUHKteU=qHt-1O-3hojAAX3d5879Q@mail.gmail.com>
2021-03-26 13:50 ` Christian Brauner
2021-03-26 14:22 ` Dmitry Vyukov
2021-03-27 23:33 ` Al Viro
2021-03-29 9:21 ` Christian Brauner
2021-03-29 17:35 ` Christian Brauner
2021-04-02 12:35 ` [PATCH 0/3] file: fix and simplify close_range() Christian Brauner
2021-04-02 12:35 ` [PATCH 1/3] file: fix close_range() for unshare+cloexec Christian Brauner
2021-04-02 12:35 ` [PATCH 2/3] file: let pick_file() tell caller it's done Christian Brauner
2021-04-02 12:35 ` [PATCH 3/3] file: simplify logic in __close_range() Christian Brauner
2021-07-13 4:12 ` [syzbot] KASAN: null-ptr-deref Read in filp_close (2) syzbot
2021-07-13 18:49 ` Linus Torvalds
2021-07-14 7:59 ` Christian Brauner [this message]
2021-07-14 9:14 ` Christian Brauner
2021-07-14 11:45 ` Dmitry Vyukov
2021-07-14 13:51 ` Christian Brauner
2021-07-14 13:54 ` syzbot
2021-07-14 13:57 ` Christian Brauner
2021-07-14 14:16 ` syzbot
2021-07-14 13:53 ` Christian Brauner
2021-07-14 13:53 ` syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210714075925.jtlfrhhuj4bzff3m@wittgenstein \
--to=christian.brauner@ubuntu.com \
--cc=brauner@kernel.org \
--cc=dvyukov@google.com \
--cc=gregkh@linuxfoundation.org \
--cc=gscrivan@redhat.com \
--cc=hch@lst.de \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable-commits@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+283ce5a46486d6acdbaf@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).