FYI, we noticed the following commit (built with gcc-7):
commit: ae1cf04e2249dbf0d35acc873068d66f9f9b6027 ("[PATCH v2 06/14] fs: convert debugfs to use simple_remove() helper")
url: https://github.com/0day-ci/linux/commits/Amir-Goldstein/Sort-out-fsnotify...
in testcase: trinity
with following parameters:
runtime: 300s
test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/
on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 2G
caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):
+---------------------------------------------+------------+------------+
|                                             | 131d233d5c | ae1cf04e22 |
+---------------------------------------------+------------+------------+
| boot_successes                              | 20         | 3          |
| boot_failures                               | 0          | 17         |
| BUG:KASAN:use-after-free_in__debugfs_remove | 0          | 17         |
+---------------------------------------------+------------+------------+
If you fix the issue, kindly add the following tag:
Reported-by: kernel test robot <rong.a.chen(a)intel.com>
[ 90.398080] BUG: KASAN: use-after-free in __debugfs_remove+0x50/0xa0
[ 90.399496] Read of size 4 at addr ffff8880456a6548 by task systemd-udevd/307
[ 90.401020]
[ 90.401379] CPU: 0 PID: 307 Comm: systemd-udevd Not tainted 5.1.0-11167-gae1cf04 #1
[ 90.403071] Call Trace:
[ 90.403708] print_address_description+0x6d/0x240
[ 90.404740] ? __debugfs_remove+0x50/0xa0
[ 90.405638] ? __debugfs_remove+0x50/0xa0
[ 90.406559] __kasan_report+0x163/0x193
[ 90.407426] ? __debugfs_remove+0x50/0xa0
[ 90.408364] __debugfs_remove+0x50/0xa0
[ 90.409234] debugfs_remove_recursive+0x12a/0x210
[ 90.410433] drm_debugfs_connector_remove+0x2a/0x40 [drm]
[ 90.411783] drm_connector_unregister+0x70/0x90 [drm]
[ 90.413003] drm_connector_unregister_all+0x8a/0xd0 [drm]
[ 90.414302] ? drm_connector_free_work_fn+0xc0/0xc0 [drm]
[ 90.415582] ? drm_client_dev_unregister+0x83/0x1a0 [drm]
[ 90.416942] drm_modeset_unregister_all+0xe/0x30 [drm]
[ 90.418146] drm_dev_unregister+0x9f/0x110 [drm]
[ 90.419224] bochs_pci_remove+0x24/0x40 [bochs_drm]
[ 90.420327] pci_device_remove+0xad/0x180
[ 90.421211] ? pcibios_free_irq+0x10/0x10
[ 90.422147] ? bochs_pci_probe+0x146/0x180 [bochs_drm]
[ 90.423298] ? pci_device_probe+0x171/0x190
[ 90.424253] really_probe+0x24b/0x4b0
[ 90.425116] driver_probe_device+0xe2/0x130
[ 90.426081] device_driver_attach+0x6e/0x90
[ 90.426990] ? device_driver_attach+0x90/0x90
[ 90.427945] __driver_attach+0xdb/0xf0
[ 90.428825] ? device_driver_attach+0x90/0x90
[ 90.429770] bus_for_each_dev+0xd8/0x140
[ 90.430638] ? subsys_dev_iter_exit+0x10/0x10
[ 90.431566] ? do_raw_spin_trylock+0x4e/0x80
[ 90.432496] ? __list_add_valid+0x77/0xa0
[ 90.433381] bus_add_driver+0x19f/0x2d0
[ 90.434243] driver_register+0x121/0x180
[ 90.435140] ? 0xffffffffa0058000
[ 90.435934] do_one_initcall+0x110/0x2b4
[ 90.436804] ? perf_trace_initcall_level+0x230/0x230
[ 90.437873] ? kasan_unpoison_shadow+0x30/0x40
[ 90.438832] ? kasan_unpoison_shadow+0x30/0x40
[ 90.439813] do_init_module+0xdf/0x349
[ 90.440637] load_module+0x395b/0x4380
[ 90.441515] ? module_frob_arch_sections+0x20/0x20
[ 90.442554] ? ima_post_read_file+0x143/0x180
[ 90.443511] ? kernel_read+0x72/0x90
[ 90.444300] ? kernel_read_file+0x298/0x2f0
[ 90.445298] ? __do_sys_finit_module+0xf7/0x160
[ 90.446328] __do_sys_finit_module+0xf7/0x160
[ 90.447262] ? __ia32_sys_init_module+0x40/0x40
[ 90.448248] ? sched_clock+0x5/0x10
[ 90.449017] ? sched_clock_cpu+0xc/0x80
[ 90.449899] ? mark_held_locks+0x1a/0x90
[ 90.450760] ? do_syscall_64+0x44/0x260
[ 90.451581] ? syscall_trace_enter+0x52/0x220
[ 90.452519] do_syscall_64+0x9e/0x260
[ 90.453327] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 90.454416] RIP: 0033:0x7f0b13936229
[ 90.455234] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 3f 4c 2b 00 f7 d8 64 89 01 48
[ 90.459107] RSP: 002b:00007ffc36d16d98 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[ 90.460746] RAX: ffffffffffffffda RBX: 00005599aa9cea20 RCX: 00007f0b13936229
[ 90.462280] RDX: 0000000000000000 RSI: 00007f0b1424f265 RDI: 0000000000000014
[ 90.463806] RBP: 00007f0b1424f265 R08: 0000000000000000 R09: 00007ffc36d17310
[ 90.465321] R10: 0000000000000014 R11: 0000000000000246 R12: 0000000000000000
[ 90.466902] R13: 00005599aa9bc190 R14: 0000000000020000 R15: 00005599aa994cbc
[ 90.468474]
[ 90.468850] Allocated by task 307:
[ 90.469634] save_stack+0x19/0x80
[ 90.470359] __kasan_kmalloc+0xa8/0xc0
[ 90.471451] kmem_cache_alloc+0x133/0x200
[ 90.472330] __d_alloc+0x2a/0x380
[ 90.473112] d_alloc+0x30/0xf0
[ 90.473825] d_alloc_parallel+0xc4/0xab0
[ 90.474703] __lookup_slow+0x164/0x2a0
[ 90.475549] lookup_one_len+0xe6/0x110
[ 90.476374] start_creating+0x8d/0x100
[ 90.477266] __debugfs_create_file+0x3b/0x150
[ 90.478329] drm_debugfs_connector_add+0xdd/0x100 [drm]
[ 90.479626] drm_connector_register+0x78/0x110 [drm]
[ 90.480810] drm_connector_register_all+0x91/0xf0 [drm]
[ 90.482062] drm_modeset_register_all+0x36/0x70 [drm]
[ 90.483252] drm_dev_register+0x191/0x2b0 [drm]
[ 90.484308] bochs_pci_probe+0x146/0x180 [bochs_drm]
[ 90.485446] pci_device_probe+0xf1/0x190
[ 90.486310] really_probe+0x1f3/0x4b0
[ 90.487117] driver_probe_device+0xe2/0x130
[ 90.488081] device_driver_attach+0x6e/0x90
[ 90.489024] __driver_attach+0xdb/0xf0
[ 90.489872] bus_for_each_dev+0xd8/0x140
[ 90.490778] bus_add_driver+0x19f/0x2d0
[ 90.491629] driver_register+0x121/0x180
[ 90.492517] do_one_initcall+0x110/0x2b4
[ 90.493386] do_init_module+0xdf/0x349
[ 90.494252] load_module+0x395b/0x4380
[ 90.495089] __do_sys_finit_module+0xf7/0x160
[ 90.496036] do_syscall_64+0x9e/0x260
[ 90.496878] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 90.497999]
[ 90.498344] Freed by task 7:
[ 90.499048] save_stack+0x19/0x80
[ 90.499825] __kasan_slab_free+0x130/0x150
To reproduce:

# build the kernel
cd linux
cp config-5.1.0-11167-gae1cf04 .config
make HOSTCC=gcc-7 CC=gcc-7 ARCH=x86_64 olddefconfig
make HOSTCC=gcc-7 CC=gcc-7 ARCH=x86_64 prepare
make HOSTCC=gcc-7 CC=gcc-7 ARCH=x86_64 modules_prepare
make HOSTCC=gcc-7 CC=gcc-7 ARCH=x86_64 SHELL=/bin/bash
make HOSTCC=gcc-7 CC=gcc-7 ARCH=x86_64 bzImage

# run the job under qemu with the lkp-tests harness
git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
bin/lkp qemu -k <bzImage> job-script  # job-script is attached to this email
Thanks,
Rong Chen