fanotify use after free.

From: Dave Jones
Date: Wed Jan 22 2014 - 01:27:48 EST


Jan,

Since yesterday's changes, on boot I see a flood of messages from slub debug during boot:

=============================================================================
BUG fanotify_event_info (Not tainted): Poison overwritten
-----------------------------------------------------------------------------

Disabling lock debugging due to kernel taint
INFO: 0xffff880247e45bc8-0xffff880247e45bcb. First byte 0x0 instead of 0x6b
INFO: Allocated in fanotify_handle_event+0x136/0x390 age=0 cpu=0 pid=293
__slab_alloc+0x456/0x565
kmem_cache_alloc+0x1fe/0x260
fanotify_handle_event+0x136/0x390
send_to_group+0xd3/0x1c0
fsnotify+0x1c8/0x340
open_exec+0xe2/0x120
load_elf_binary+0x7b7/0x18e0
search_binary_handler+0x94/0x1b0
do_execve_common.isra.26+0x5d7/0x7d0
SyS_execve+0x36/0x50
stub_execve+0x69/0xa0
INFO: Freed in fanotify_free_event+0x2e/0x40 age=0 cpu=3 pid=290
__slab_free+0x4a/0x382
kmem_cache_free+0x1c9/0x210
fanotify_free_event+0x2e/0x40
fsnotify_destroy_event+0x21/0x30
fanotify_read+0x39e/0x5e0
vfs_read+0x9b/0x160
SyS_read+0x58/0xb0
tracesys+0xdd/0xe2
INFO: Slab 0xffffea00091f9100 objects=20 used=20 fp=0x (null) flags=0x20000000004080
INFO: Object 0xffff880247e45b90 @offset=7056 fp=0xffff880247e44000

Bytes b4 ffff880247e45b80: 00 00 00 00 00 00 00 00 5a 5a 5a 5a 5a 5a 5a 5a ........ZZZZZZZZ
Object ffff880247e45b90: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
Object ffff880247e45ba0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
Object ffff880247e45bb0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
Object ffff880247e45bc0: 6b 6b 6b 6b 6b 6b 6b 6b 00 00 00 00 6b 6b 6b a5 kkkkkkkk....kkk.
Redzone ffff880247e45bd0: bb bb bb bb bb bb bb bb ........
Padding ffff880247e45d10: 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ
CPU: 0 PID: 293 Comm: mount Tainted: G B 3.13.0+ #28
ffff880247e45b90 000000008c7fe87c ffff8800874cbb28 ffffffff9c710632
ffff88024a776ac0 ffff8800874cbb68 ffffffff9c194dad 0000000000000008
ffff880200000001 ffff880247e45bcc ffff88024a776ac0 000000000000006b
Call Trace:
[<ffffffff9c710632>] dump_stack+0x4e/0x7a
[<ffffffff9c194dad>] print_trailer+0x14d/0x200
[<ffffffff9c19505f>] check_bytes_and_report+0xcf/0x110
[<ffffffff9c196037>] check_object+0x1d7/0x250
[<ffffffff9c1f4ae6>] ? fanotify_handle_event+0x136/0x390
[<ffffffff9c70ead7>] alloc_debug_processing+0x76/0x118
[<ffffffff9c70f77d>] __slab_alloc+0x456/0x565
[<ffffffff9c1f4ae6>] ? fanotify_handle_event+0x136/0x390
[<ffffffff9c1ccea4>] ? mntput+0x24/0x40
[<ffffffff9c1b5dc9>] ? terminate_walk+0x69/0x70
[<ffffffff9c1ba6fe>] ? do_last+0x25e/0x1390
[<ffffffff9c1b6cf8>] ? inode_permission+0x18/0x50
[<ffffffff9c1f4ae6>] ? fanotify_handle_event+0x136/0x390
[<ffffffff9c1980fe>] kmem_cache_alloc+0x1fe/0x260
[<ffffffff9c1f4ae6>] fanotify_handle_event+0x136/0x390
[<ffffffff9c1bb8fd>] ? path_openat+0xcd/0x6a0
[<ffffffff9c1f0e63>] send_to_group+0xd3/0x1c0
[<ffffffff9c1f0fdf>] ? fsnotify+0x8f/0x340
[<ffffffff9c1f1118>] fsnotify+0x1c8/0x340
[<ffffffff9c1a9b4f>] do_sys_open+0x19f/0x230
[<ffffffff9c1a9bfe>] SyS_open+0x1e/0x20
[<ffffffff9c723764>] tracesys+0xdd/0xe2
FIX fanotify_event_info: Restoring 0xffff880247e45bc8-0xffff880247e45bcb=0x6b

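As an added triage helper (not part of Dave's report or of the kernel tree), a parser for the SLUB "Poison overwritten" report above: it pulls out the slab cache, the clobbered byte range, the allocation and free sites with their stacks, and computes where inside the object the write landed (here object+0x38, four bytes, 0x00 where the 0x6b free poison should be), which is the struct field a reviewer of fanotify_event_info would look at next. The sample input is a constructed copy of the report, trimmed to the lines the parser reads; the symbols, offsets, pids and cpus are the ones from the message. The poison-byte table is the standard SLUB one; the classification rule (free poison overwritten while the object sat on the free list means a write after free) is the reasoning, not a kernel API.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# SLUB poison bytes (include/linux/poison.h), used to name what got clobbered.
POISON_NAMES = {
    0x5a: "POISON_INUSE (allocated object, not yet written)",
    0x6b: "POISON_FREE (object on the free list)",
    0xa5: "POISON_END",
    0xbb: "SLUB_RED_INACTIVE (red zone of a free object)",
    0xcc: "SLUB_RED_ACTIVE (red zone of a live object)",
}

# Constructed sample: the report from the message, cut to the header lines
# and the two stacks this parser consumes.
SAMPLE_REPORT = """\
BUG fanotify_event_info (Not tainted): Poison overwritten
-----------------------------------------------------------------------------

Disabling lock debugging due to kernel taint
INFO: 0xffff880247e45bc8-0xffff880247e45bcb. First byte 0x0 instead of 0x6b
INFO: Allocated in fanotify_handle_event+0x136/0x390 age=0 cpu=0 pid=293
__slab_alloc+0x456/0x565
kmem_cache_alloc+0x1fe/0x260
fanotify_handle_event+0x136/0x390
send_to_group+0xd3/0x1c0
fsnotify+0x1c8/0x340
open_exec+0xe2/0x120
INFO: Freed in fanotify_free_event+0x2e/0x40 age=0 cpu=3 pid=290
__slab_free+0x4a/0x382
kmem_cache_free+0x1c9/0x210
fanotify_free_event+0x2e/0x40
fsnotify_destroy_event+0x21/0x30
fanotify_read+0x39e/0x5e0
vfs_read+0x9b/0x160
SyS_read+0x58/0xb0
tracesys+0xdd/0xe2
INFO: Slab 0xffffea00091f9100 objects=20 used=20 fp=0x (null) flags=0x20000000004080
INFO: Object 0xffff880247e45b90 @offset=7056 fp=0xffff880247e44000
"""

_BUG = re.compile(r"^BUG (\S+) \(([^)]*)\): (.+)$")
_RANGE = re.compile(r"^INFO: 0x([0-9a-f]+)-0x([0-9a-f]+)\. First byte 0x([0-9a-f]+) instead of 0x([0-9a-f]+)$")
_SITE = re.compile(r"^INFO: (Allocated|Freed) in (\S+) age=(\d+) cpu=(\d+) pid=(\d+)$")
_OBJECT = re.compile(r"^INFO: Object 0x([0-9a-f]+) @offset=(\d+)")
_FRAME = re.compile(r"^[A-Za-z_.$][\w.$]*\+0x[0-9a-f]+/0x[0-9a-f]+$")


@dataclass
class Site:
    symbol: str          # e.g. fanotify_free_event+0x2e/0x40
    age: int             # jiffies since the event, as SLUB reports it
    cpu: int
    pid: int
    stack: List[str] = field(default_factory=list)  # frames below the INFO line


@dataclass
class PoisonReport:
    cache: str
    bug: str
    bad_start: int
    bad_end: int
    found: int           # first byte actually seen
    expected: int        # poison byte that should have been there
    object_addr: int
    alloc: Optional[Site]
    free: Optional[Site]

    @property
    def offset_in_object(self) -> int:
        # Where inside the slab object the stray write landed.
        return self.bad_start - self.object_addr

    @property
    def length(self) -> int:
        return self.bad_end - self.bad_start + 1

    def classify(self) -> str:
        # POISON_FREE is what a freed object must contain until it is handed
        # out again; anything else there was written after kmem_cache_free.
        if self.expected == 0x6b and self.alloc and self.free:
            return "write after free"
        return "overwrite of " + POISON_NAMES.get(self.expected, "unknown poison")


def parse_slub_report(text: str) -> PoisonReport:
    cache = bug = None
    rng = obj = None
    alloc = free = None
    current: Optional[Site] = None      # site whose stack frames we are collecting
    for line in text.splitlines():
        line = line.strip()
        if m := _BUG.match(line):
            cache, bug = m.group(1), m.group(3)
            current = None
        elif m := _RANGE.match(line):
            rng = tuple(int(x, 16) for x in m.groups())
            current = None
        elif m := _SITE.match(line):
            site = Site(m.group(2), int(m.group(3)), int(m.group(4)), int(m.group(5)))
            if m.group(1) == "Allocated":
                alloc = site
            else:
                free = site
            current = site
        elif m := _OBJECT.match(line):
            obj = int(m.group(1), 16)
            current = None
        elif current is not None and _FRAME.match(line):
            current.stack.append(line)
        elif line.startswith("INFO:"):
            current = None                 # any other INFO line ends a stack
    if cache is None or rng is None or obj is None:
        raise ValueError("not a complete SLUB poison report")
    return PoisonReport(cache, bug, rng[0], rng[1], rng[2], rng[3], obj, alloc, free)


def summarize(report: PoisonReport) -> str:
    lines = [
        f"{report.cache}: {report.bug} ({report.classify()})",
        f"  {report.length} byte(s) at object+0x{report.offset_in_object:x} "
        f"now 0x{report.found:02x}, expected 0x{report.expected:02x}",
    ]
    if report.alloc:
        lines.append(f"  allocated by pid {report.alloc.pid} cpu {report.alloc.cpu} in {report.alloc.symbol}")
    if report.free:
        lines.append(f"  freed by pid {report.free.pid} cpu {report.free.cpu} via "
                     + " <- ".join(report.free.stack[2:5]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(parse_slub_report(SAMPLE_REPORT)))
```

Running it on the sample reports a write after free of 4 bytes at object+0x38, allocated by pid 293 on cpu 0 and freed by pid 290 on cpu 3 through fanotify_read -> fsnotify_destroy_event -> fanotify_free_event, both with age=0, which is the pattern to look for when the reader side of a notification queue frees an event the producer side still touches.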