fuse: use after free reading/writing

From: Sasha Levin
Date: Tue Apr 19 2016 - 10:25:24 EST


Hi all,

I've hit the following while fuzzing with syzkaller inside a KVM tools guest
running the latest -next kernel:

[ 1065.365235] BUG: KASAN: use-after-free in fuse_dev_do_read.constprop.5+0xfb0/0x1290 at addr ffff8800bad3fbf0
[ 1065.365256] Read of size 8 by task syz-executor/2448
[ 1065.365272] =============================================================================
[ 1065.365289] BUG fuse_request (Not tainted): kasan: bad access detected
[ 1065.365295] -----------------------------------------------------------------------------
[ 1065.365295]
[ 1065.365304] Disabling lock debugging due to kernel taint
[ 1065.365337] INFO: Allocated in 0xbbbbbbbbbbbbbbbb age=18446733319112207795 cpu=2751490774 pid=-1
[ 1065.365359] __fuse_request_alloc+0x2b/0xf0
[ 1065.365397] ___slab_alloc+0x7af/0x870
[ 1065.365419] __slab_alloc.isra.22+0xf4/0x130
[ 1065.365440] kmem_cache_alloc+0x188/0x2b0
[ 1065.365467] __fuse_request_alloc+0x2b/0xf0
[ 1065.365496] __fuse_get_req+0x3f4/0x5b0
[ 1065.365520] fuse_get_req_for_background+0x22/0x30
[ 1065.365546] cuse_channel_open+0x210/0x830
[ 1065.365590] misc_open+0x42f/0x460
[ 1065.365616] chrdev_open+0x412/0x500
[ 1065.365641] do_dentry_open+0x6cc/0xba0
[ 1065.365667] vfs_open+0x1da/0x1f0
[ 1065.365694] path_openat+0x3291/0x3d10
[ 1065.365716] do_filp_open+0x1df/0x280
[ 1065.365732] do_sys_open+0x25c/0x440
[ 1065.365745] SyS_open+0x2d/0x40
[ 1065.365759] INFO: Freed in 0x1000bad60 age=18446733319112207795 cpu=0 pid=0
[ 1065.365772] fuse_request_free+0xa8/0xb0
[ 1065.365784] __slab_free+0x6a/0x2f0
[ 1065.365796] kmem_cache_free+0x257/0x2c0
[ 1065.365809] fuse_request_free+0xa8/0xb0
[ 1065.365823] fuse_put_request+0x2a3/0x310
[ 1065.365836] request_end+0x66a/0x6b0
[ 1065.365849] fuse_dev_do_write+0xa9d/0xc00
[ 1065.365862] fuse_dev_write+0x195/0x1f0
[ 1065.365875] __vfs_write+0x44b/0x520
[ 1065.365888] vfs_write+0x225/0x4a0
[ 1065.365901] SyS_write+0xe5/0x1b0
[ 1065.365935] do_syscall_64+0x2a6/0x4a0
[ 1065.365991] return_from_SYSCALL_64+0x0/0x6a
[ 1065.366010] INFO: Slab 0xffffea0002eb4f00 objects=22 used=1 fp=0xffff8800bad3fbc0 flags=0x1fffff80004080
[ 1065.366019] INFO: Object 0xffff8800bad3fbb8 @offset=15288 fp=0xbbbbbbbbbbbbbbbb
[ 1065.366019]
[ 1065.366019] Redzone ffff8800bad3fbb0: f0 8e 01 00 00 00 00 00 ........
[ 1065.366019] Object ffff8800bad3fbb8: bb bb bb bb bb bb bb bb e8 f8 d3 ba 00 88 ff ff ................
[ 1065.366019] Object ffff8800bad3fbc8: c0 fb d3 ba 00 88 ff ff d0 fb d3 ba 00 88 ff ff ................
[ 1065.366019] Object ffff8800bad3fbd8: d0 fb d3 ba 00 88 ff ff 00 00 00 00 00 00 00 00 ................
[ 1065.366019] Object ffff8800bad3fbe8: 00 00 00 00 00 00 00 00 01 03 00 00 00 00 00 00 ................
[ 1065.366019] Object ffff8800bad3fbf8: 38 00 00 00 00 10 00 00 01 00 00 00 00 00 00 00 8...............
[ 1065.366019] Object ffff8800bad3fc08: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 1065.366019] Object ffff8800bad3fc18: c9 09 00 00 00 00 00 00 00 00 00 00 01 00 00 00 ................
[ 1065.366019] Object ffff8800bad3fc28: 10 00 00 00 00 00 00 00 a8 fc d3 ba 00 88 ff ff ................
[ 1065.366019] Object ffff8800bad3fc38: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 1065.366019] Object ffff8800bad3fc48: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 1065.366019] Object ffff8800bad3fc58: 18 00 00 00 fb ff ff ff 01 00 00 00 00 00 00 00 ................
[ 1065.366019] Object ffff8800bad3fc68: 03 00 00 00 02 00 00 00 48 00 00 00 00 00 00 00 ........H.......
[ 1065.366019] Object ffff8800bad3fc78: 98 90 2f b3 01 88 ff ff 00 10 00 00 00 00 00 00 ../.............
[ 1065.366019] Object ffff8800bad3fc88: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 1065.366019] Object ffff8800bad3fc98: 98 fc d3 ba 00 88 ff ff 98 fc d3 ba 00 88 ff ff ................
[ 1065.366019] Object ffff8800bad3fca8: 07 00 00 00 18 00 00 00 00 00 00 00 01 00 00 00 ................
[ 1065.366019] Object ffff8800bad3fcb8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 1065.366019] Object ffff8800bad3fcc8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 1065.366019] Object ffff8800bad3fcd8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 1065.366019] Object ffff8800bad3fce8: 00 fd d3 ba 00 88 ff ff 08 fd d3 ba 00 88 ff ff ................
[ 1065.366019] Object ffff8800bad3fcf8: 01 00 00 00 00 00 00 00 80 d4 ec 02 00 ea ff ff ................
[ 1065.366019] Object ffff8800bad3fd08: 00 10 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ................
[ 1065.366019] Object ffff8800bad3fd18: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 1065.366019] Object ffff8800bad3fd28: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 1065.366019] Object ffff8800bad3fd38: 00 00 00 00 00 00 00 00 a0 e7 21 a5 ff ff ff ff ..........!.....
[ 1065.366019] Redzone ffff8800bad3fd48: 00 00 00 00 00 00 00 00 ........
[ 1065.366019] Padding ffff8800bad3fe80: b2 ad 0b 00 01 00 00 00 ........
[ 1065.366019] CPU: 1 PID: 2448 Comm: syz-executor Tainted: G B 4.6.0-rc3-next-20160412-sasha-00024-geaec67e-dirty #3002
[ 1065.366019] 0000000000000000 0000000014efd39a ffff8801add078b0 ffffffffa5fcce01
[ 1065.366019] ffffffff00000001 fffffbfff61ad290 0000000041b58ab3 ffffffffb0660568
[ 1065.366019] ffffffffa5fccc88 0000000014efd39a ffff8801b2bf4000 ffffffffb067e58e
[ 1065.366019] Call Trace:
[ 1065.366019] dump_stack (lib/dump_stack.c:53)
[ 1065.366019] print_trailer (mm/slub.c:668)
[ 1065.366019] object_err (mm/slub.c:675)
[ 1065.366019] kasan_report_error (mm/kasan/report.c:180 mm/kasan/report.c:276)
[ 1065.366019] __asan_report_load8_noabort (mm/kasan/report.c:319)
[ 1065.366019] fuse_dev_do_read.constprop.5 (./arch/x86/include/asm/bitops.h:311 fs/fuse/dev.c:1320)
[ 1065.366019] fuse_dev_read (fs/fuse/dev.c:1362)
[ 1065.366019] __vfs_read (fs/read_write.c:467 fs/read_write.c:478)
[ 1065.366019] vfs_read (fs/read_write.c:499)
[ 1065.366019] SyS_pread64 (fs/read_write.c:651 fs/read_write.c:638)
[ 1065.366019] do_syscall_64 (arch/x86/entry/common.c:350)
[ 1065.366019] entry_SYSCALL64_slow_path (arch/x86/entry/entry_64.S:251)
[ 1065.366019] Memory state around the buggy address:
[ 1065.366019] ffff8800bad3fa80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1065.366019] ffff8800bad3fb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1065.366019] >ffff8800bad3fb80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 1065.366019]                                                              ^
[ 1065.366019] ffff8800bad3fc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1065.366019] ffff8800bad3fc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
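Added example, not part of the report above: a small helper that takes the "Memory state around the buggy address" rows from a KASAN report, maps the faulting address to its shadow granule and names the poison it finds. The shadow-byte meanings (0xfb freed slab object, 0xfc slab redzone, and so on) are the values from mm/kasan/kasan.h for this kernel generation and are assumed here; the rows and addresses are copied from the report, and the object base is simply the address SLUB printed on its "INFO: Object" line.

```python
import re

# KASAN shadow encoding for 4.x kernels (mm/kasan/kasan.h), assumed here: one
# shadow byte covers an 8-byte granule; 0 means fully addressable, 1..7 means
# only the first N bytes are addressable, high values are poison markers.
SHADOW_SCALE_SHIFT = 3
POISON = {
    0xf1: "stack left redzone",
    0xf2: "stack mid redzone",
    0xf3: "stack right redzone",
    0xf4: "stack partial redzone",
    0xf9: "shadow gap",
    0xfa: "global redzone",
    0xfb: "freed slab object (use-after-free)",
    0xfc: "slab redzone (out-of-bounds)",
    0xfe: "page redzone",
    0xff: "freed page",
}

# Shadow rows copied from the report above. The '>' marks the row KASAN
# flagged; the caret line is not needed because the position is recomputed.
REPORT_SHADOW = """\
 ffff8800bad3fa80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8800bad3fb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8800bad3fb80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
 ffff8800bad3fc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8800bad3fc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

ROW_RE = re.compile(r"^>?\s*([0-9a-f]{16}):((?:\s+[0-9a-f]{2})+)\s*$")


def parse_shadow(text):
    """Map each row's base address to its list of shadow byte values."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows[int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
    return rows


def describe(byte):
    """Human-readable meaning of one shadow byte."""
    if byte == 0:
        return "addressable"
    if 1 <= byte <= 7:
        return "partially addressable (first %d of 8 bytes)" % byte
    return POISON.get(byte, "unknown poison 0x%02x" % byte)


def shadow_for(rows, addr):
    """Return (row_base, index, shadow_byte) for the granule containing addr."""
    for base, bytes_ in rows.items():
        if base <= addr < base + (len(bytes_) << SHADOW_SCALE_SHIFT):
            idx = (addr - base) >> SHADOW_SCALE_SHIFT
            return base, idx, bytes_[idx]
    raise ValueError("address 0x%x is not covered by the dumped shadow" % addr)


def classify_access(rows, addr, size):
    """Walk every granule touched by [addr, addr+size) and name its poison.

    Returns a list of (granule_start, shadow_byte, meaning). A mixed list
    (e.g. 0xfc followed by 0xfb) means the access straddles a boundary.
    """
    mask = (1 << SHADOW_SCALE_SHIFT) - 1
    out = []
    a = addr
    while a < addr + size:
        _, _, byte = shadow_for(rows, a)
        out.append((a & ~mask, byte, describe(byte)))
        a = (a | mask) + 1          # advance to the next granule
    return out


def object_offset(obj_base, addr):
    """Byte offset of the faulting address into the object SLUB printed."""
    return addr - obj_base


if __name__ == "__main__":
    rows = parse_shadow(REPORT_SHADOW)
    bad = 0xffff8800bad3fbf0       # "at addr ..." in the report
    for start, byte, meaning in classify_access(rows, bad, 8):   # "Read of size 8"
        print("0x%x: shadow 0x%02x -> %s" % (start, byte, meaning))
    print("offset into object: 0x%x" % object_offset(0xffff8800bad3fbb8, bad))
```

Run against the rows above, the faulting 8-byte read lands entirely in a 0xfb granule, i.e. inside an object the slab allocator has already freed, which is what the "Freed in ... fuse_request_free" stack is saying: the request was released on the write path (request_end via fuse_dev_do_write) while fuse_dev_do_read still held a pointer to it. A 0xfc result would instead have pointed at a redzone, i.e. an out-of-bounds access rather than a use-after-free.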