Re: KASAN: use-after-free Read in sock_release

2018-02-13 Thread Dmitry Vyukov
On Thu, Nov 30, 2017 at 4:46 PM, Al Viro wrote: > On Thu, Nov 30, 2017 at 05:18:33AM -0800, Christoph Hellwig wrote: >> On Thu, Nov 30, 2017 at 02:07:19AM +, Al Viro wrote: >> > Incidentally, grepping for sys_close() shows another piece of fun in >> > net/netfilter/xt_bpf.c. Folks, ONCE

Re: KASAN: use-after-free Read in sock_release

2017-11-30 Thread Al Viro
On Thu, Nov 30, 2017 at 05:18:33AM -0800, Christoph Hellwig wrote: > On Thu, Nov 30, 2017 at 02:07:19AM +, Al Viro wrote: > > Incidentally, grepping for sys_close() shows another piece of fun in > > net/netfilter/xt_bpf.c. Folks, ONCE DESCRIPTOR IS INSTALLED, THAT'S > > IT; THERE'S NO

Re: KASAN: use-after-free Read in sock_release

2017-11-30 Thread Christoph Hellwig
On Thu, Nov 30, 2017 at 02:07:19AM +, Al Viro wrote: > Incidentally, grepping for sys_close() shows another piece of fun in > net/netfilter/xt_bpf.c. Folks, ONCE DESCRIPTOR IS INSTALLED, THAT'S > IT; THERE'S NO REMOVING IT ON FAILURE EXITS. sys_close() should > never, ever be used that way.

Re: KASAN: use-after-free Read in sock_release

2017-11-29 Thread Al Viro
On Thu, Nov 30, 2017 at 02:07:19AM +, Al Viro wrote: > FWIW, looking through the callers of sock_alloc_file()... we might be > better off if it did sock_release() on failure. Then the calling > conventions become "sock_alloc_file() means not calling sock_release() > directly - either it'll

Re: KASAN: use-after-free Read in sock_release

2017-11-29 Thread Al Viro
On Wed, Nov 29, 2017 at 11:37:04AM -0800, Cong Wang wrote: > > Allocated by task 31066: > > save_stack+0x43/0xd0 mm/kasan/kasan.c:447 > > set_track mm/kasan/kasan.c:459 [inline] > > kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551 > > kmem_cache_alloc_trace+0x136/0x750 mm/slab.c:3613 > > kmalloc

Re: KASAN: use-after-free Read in sock_release

2017-11-29 Thread Al Viro
On Wed, Nov 29, 2017 at 12:24:55PM -0800, Linus Torvalds wrote: > Ugh. The inode freeing really is confusing and fairly involved, but > the last free *should* happen as part of the final dput() that is done > at the end of __fput(). Note that struct socket is co-allocated with its inode.

Re: KASAN: use-after-free Read in sock_release

2017-11-29 Thread Eric Dumazet
On Wed, 2017-11-29 at 11:37 -0800, Cong Wang wrote: > (Cc'ing fs people...) > > On Wed, Nov 29, 2017 at 12:33 AM, syzbot > om> > wrote: > > Hello, > > > > syzkaller hit the following crash on > > 1d3b78bbc6e983fabb3fbf91b76339bf66e4a12c > >

Re: KASAN: use-after-free Read in sock_release

2017-11-29 Thread Linus Torvalds
On Wed, Nov 29, 2017 at 11:37 AM, Cong Wang wrote: > (Cc'ing fs people...) > > On Wed, Nov 29, 2017 at 12:33 AM, syzbot wrote: >> BUG: KASAN: use-after-free in sock_release+0x1c6/0x1e0 net/socket.c:601 Lovely. Yeah, that is: 601 if (rcu_dereference_protected(sock->wq,

Re: KASAN: use-after-free Read in sock_release

2017-11-29 Thread Cong Wang
(Cc'ing fs people...) On Wed, Nov 29, 2017 at 12:33 AM, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 1d3b78bbc6e983fabb3fbf91b76339bf66e4a12c > git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached