LKML Archive on lore.kernel.org
From: ebiederm@xmission.com (Eric W. Biederman)
To: Qian Cai <quic_qiancai@quicinc.com>
Cc: Alexey Gladkov <legion@kernel.org>, Yu Zhao <yuzhao@google.com>,
	<linux-kernel@vger.kernel.org>
Subject: Re: BUG: KASAN: use-after-free in dec_rlimit_ucounts
Date: Thu, 18 Nov 2021 13:46:05 -0600
Message-ID: <875ysptfgi.fsf@email.froward.int.ebiederm.org>
In-Reply-To: <YZV7Z+yXbsx9p3JN@fixkernel.com> (Qian Cai's message of "Wed, 17 Nov 2021 17:00:07 -0500")

Qian Cai <quic_qiancai@quicinc.com> writes:

> Hi there, I can still reproduce this quickly on today's linux-next and all
> the way back to 5.15-rc6 by running a syscall fuzzer for a while. The trace
> points out to this line,
>
>         for (iter = ucounts; iter; iter = iter->ns->ucounts) {
>
> It looks KASAN indicated that that "ns" had already been freed. Is that
> possible or perhaps this is more of refcount issue?

Is it possible?  Yes it is possible.  That is one place where
a use-after-free has shown up and I expect would show up in the
future.

That said it is hard to believe there is still a use-after-free in the
code.  We spent the last kernel development cycle poring through and
correcting everything we saw until we ultimately found one very subtle
use-after-free.

If you have a reliable reproducer that you can share, we can look into
this and see if we can track down where the reference count is going
bad.

It tends to take instrumenting the entire life cycle, every increment and
every decrement, and then poring through the logs to track down a
use-after-free.  Which is not something we can really do without a
reproducer.

Eric
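The approach Eric describes above, logging every increment and decrement over an object's life cycle and then auditing the log, as an added user-space C illustration that is not code from this thread or from the kernel: the ucounts-like struct, uc_get/uc_put, walk_chain, audit_log and the two scenarios in run_scenario are all constructed for the example, with the parent link standing in for iter->ns->ucounts.

```c
#include <stddef.h>

/* Constructed user-space model, not kernel code: a ucounts-like object with a
 * parent link (standing in for iter->ns->ucounts) and an instrumented refcount. */
struct uc { int refs; struct uc *parent; };

/* Every increment, decrement and dereference is appended to one event log. */
enum ev { EV_INC, EV_DEC, EV_USE };
struct event { enum ev kind; const struct uc *obj; int refs_after; };
static struct event evlog[64];
static int nlog;

static void record(enum ev k, const struct uc *u, int refs) {
    if (nlog < 64) evlog[nlog++] = (struct event){ k, u, refs };
}
static void uc_get(struct uc *u) { record(EV_INC, u, ++u->refs); }
static void uc_put(struct uc *u) { record(EV_DEC, u, --u->refs); }

/* Walk the chain the way the loop in the report does, logging each dereference. */
static int walk_chain(struct uc *uc) {
    int n = 0;
    for (struct uc *iter = uc; iter; iter = iter->parent, n++)
        record(EV_USE, iter, iter->refs);
    return n;
}

/* Audit: index of the first dereference of an object whose refcount had already
 * been decremented to zero earlier in the log, or -1 if the log is clean. */
static int audit_log(void) {
    for (int i = 0; i < nlog; i++) {
        if (evlog[i].kind != EV_USE) continue;
        for (int j = 0; j < i; j++)
            if (evlog[j].kind == EV_DEC && evlog[j].obj == evlog[i].obj &&
                evlog[j].refs_after == 0)
                return i;
    }
    return -1;
}

/* Walk with root held across the walk, or with its last reference dropped early
 * while child still chains to it (the pattern KASAN would flag); audit the log. */
static int run_scenario(int drop_root_early) {
    struct uc root = { 0, NULL }, child = { 0, &root };
    nlog = 0;
    uc_get(&root); uc_get(&child);
    if (drop_root_early) uc_put(&root);
    walk_chain(&child);
    uc_put(&child);
    if (!drop_root_early) uc_put(&root);
    return audit_log();   /* balanced: -1; early drop: 4, the use of root */
}
```

The audit only flags a dereference that follows a decrement to zero in program order; in the kernel the same log would be correlated with the KASAN report's free and use stacks.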

