In the Linux kernel, the following vulnerability has been resolved:
kernfs: fix use-after-free in __kernfs_remove()
Syzkaller managed to trigger concurrent calls to kernfs_remove_by_name_ns() for the same file, resulting in a KASAN-detected use-after-free. The race occurs when the root node of the subtree being removed is freed (its last reference dropped) while kernfs_drain() is still running, so the remover continues to walk a node that has already been released.
To prevent this, kernfs_remove_by_name_ns() takes an additional reference on the root of the tree that is being removed before calling __kernfs_remove(), and drops it only once the removal has completed, so the node cannot be freed underneath a concurrent remover.
Found by syzkaller with the following reproducer (slab_nomerge is required):
syz_mount_image$ext4(0x0, &(0x7f0000000100)='./file0\x00', 0x100000, 0x0, 0x0, 0x0, 0x0) r0 = openat(0xffffffffffffff9c, &(0x7f0000000080)='/proc/self/exe\x00', 0x0, 0x0) close(r0) pipe2(&(0x7f0000000140)={0xffffffffffffffff, <r1=>0xffffffffffffffff}, 0x800) mount$9p_fd(0x0, &(0x7f0000000040)='./file0\x00', &(0x7f00000000c0), 0x408, &(0x7f0000000280)={'trans=fd,', {'rfdno', 0x3d, r0}, 0x2c, {'wfdno', 0x3d, r1}, 0x2c, {[{@cacheloose}, {@mmap}, {@loose}, {@loose}, {@mmap}], [{@mask={'mask', 0x3d, '^MAYEXEC'}}, {@fsmagic={'fsmagic', 0x3d, 0x10001}}, {@donthash}]}})
Sample report:
================================================================== BUG: KASAN: use-after-free in kernfs_type include/linux/kernfs.h:335 [inline] BUG: KASAN: use-after-free in kernfs_leftmost_descendant fs/kernfs/dir.c:1261 [inline] BUG: KASAN: use-after-free in __kernfs_remove.part.0+0x843/0x960 fs/kernfs/dir.c:1369 Read of size 2 at addr ffff8880088807f0 by task syz-executor.2/857
CPU: 0 PID: 857 Comm: syz-executor.2 Not tainted 6.0.0-rc3-00363-g7726d4c3e60b #5 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x6e/0x91 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:317 [inline] print_report.cold+0x5e/0x5e5 mm/kasan/report.c:433 kasan_report+0xa3/0x130 mm/kasan/report.c:495 kernfs_type include/linux/kernfs.h:335 [inline] kernfs_leftmost_descendant fs/kernfs/dir.c:1261 [inline] __kernfs_remove.part.0+0x843/0x960 fs/kernfs/dir.c:1369 __kernfs_remove fs/kernfs/dir.c:1356 [inline] kernfs_remove_by_name_ns+0x108/0x190 fs/kernfs/dir.c:1589 sysfs_slab_add+0x133/0x1e0 mm/slub.c:5943 __kmem_cache_create+0x3e0/0x550 mm/slub.c:4899 create_cache mm/slab_common.c:229 [inline] kmem_cache_create_usercopy+0x167/0x2a0 mm/slab_common.c:335 p9_client_create+0xd4d/0x1190 net/9p/client.c:993 v9fs_session_init+0x1e6/0x13c0 fs/9p/v9fs.c:408 v9fs_mount+0xb9/0xbd0 fs/9p/vfs_super.c:126 legacy_get_tree+0xf1/0x200 fs/fs_context.c:610 vfs_get_tree+0x85/0x2e0 fs/super.c:1530 do_new_mount fs/namespace.c:3040 [inline] path_mount+0x675/0x1d00 fs/namespace.c:3370 do_mount fs/namespace.c:3383 [inline] __do_sys_mount fs/namespace.c:3591 [inline] __se_sys_mount fs/namespace.c:3568 [inline] __x64_sys_mount+0x282/0x300 fs/namespace.c:3568 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7f725f983aed Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f725f0f7028 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 RAX: ffffffffffffffda RBX: 00007f725faa3f80 RCX: 00007f725f983aed RDX: 00000000200000c0 RSI: 0000000020000040 RDI: 0000000000000000 RBP: 00007f725f9f419c R08: 0000000020000280 R09: 0000000000000000 R10: 0000000000000408 R11: 0000000000000246 R12: 
0000000000000000 R13: 0000000000000006 R14: 00007f725faa3f80 R15: 00007f725f0d7000 </TASK>
Allocated by task 855: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:45 [inline] set_alloc_info mm/kasan/common.c:437 [inline] __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:470 kasan_slab_alloc include/linux/kasan.h:224 [inline] slab_post_alloc_hook mm/slab.h:7 ---truncated---
[
    {
        "id": "CVE-2022-50432-040c0c15",
        "digest": {
            "line_hashes": [
                "24855442233788873411123070111589288434",
                "75863374898270114702874062368486184104",
                "223067440272339119615316465055989930792",
                "209538092226607445495954234664586871090",
                "68749523776568532835312981291571676532"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@94d2643df1e70a4c310ebb5e2c493eec33df1a06",
        "target": {
            "file": "fs/kernfs/dir.c"
        },
        "signature_type": "Line"
    },
    {
        "id": "CVE-2022-50432-1db4eb50",
        "digest": {
            "function_hash": "243056323680150295178465958235273290966",
            "length": 391.0
        },
        "deprecated": false,
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@02eb35131050735332658029082f61515b7dfe38",
        "target": {
            "function": "kernfs_remove_by_name_ns",
            "file": "fs/kernfs/dir.c"
        },
        "signature_type": "Function"
    },
    {
        "id": "CVE-2022-50432-35c7132a",
        "digest": {
            "function_hash": "243056323680150295178465958235273290966",
            "length": 391.0
        },
        "deprecated": false,
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@028cf780743eea79abffa7206b9dcfc080ad3546",
        "target": {
            "function": "kernfs_remove_by_name_ns",
            "file": "fs/kernfs/dir.c"
        },
        "signature_type": "Function"
    },
    {
        "id": "CVE-2022-50432-3c1e9da7",
        "digest": {
            "function_hash": "243056323680150295178465958235273290966",
            "length": 391.0
        },
        "deprecated": false,
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@6f72a3977ba9d0e5491a5c01315204272e7f9c44",
        "target": {
            "function": "kernfs_remove_by_name_ns",
            "file": "fs/kernfs/dir.c"
        },
        "signature_type": "Function"
    },
    {
        "id": "CVE-2022-50432-404195f9",
        "digest": {
            "line_hashes": [
                "203035903434415198404816774838243505419",
                "277644977215267705713917824458504187625",
                "132764649352897769718283583964383318389",
                "272364486505928604012053644711892904546",
                "314687175002353784935581877136467017709"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@028cf780743eea79abffa7206b9dcfc080ad3546",
        "target": {
            "file": "fs/kernfs/dir.c"
        },
        "signature_type": "Line"
    },
    {
        "id": "CVE-2022-50432-4750e775",
        "digest": {
            "function_hash": "243056323680150295178465958235273290966",
            "length": 391.0
        },
        "deprecated": false,
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4dfd6a477a1525773469feaf3c514b2c0fef76b5",
        "target": {
            "function": "kernfs_remove_by_name_ns",
            "file": "fs/kernfs/dir.c"
        },
        "signature_type": "Function"
    },
    {
        "id": "CVE-2022-50432-48a3e38a",
        "digest": {
            "line_hashes": [
                "203035903434415198404816774838243505419",
                "277644977215267705713917824458504187625",
                "132764649352897769718283583964383318389",
                "272364486505928604012053644711892904546",
                "314687175002353784935581877136467017709"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c78b0dc6fb7fb389d674e491fd376388cdfb1d53",
        "target": {
            "file": "fs/kernfs/dir.c"
        },
        "signature_type": "Line"
    },
    {
        "id": "CVE-2022-50432-70a0f711",
        "digest": {
            "function_hash": "206118266748592993642232827309073489476",
            "length": 391.0
        },
        "deprecated": false,
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@94d2643df1e70a4c310ebb5e2c493eec33df1a06",
        "target": {
            "function": "kernfs_remove_by_name_ns",
            "file": "fs/kernfs/dir.c"
        },
        "signature_type": "Function"
    },
    {
        "id": "CVE-2022-50432-81c60751",
        "digest": {
            "function_hash": "243056323680150295178465958235273290966",
            "length": 391.0
        },
        "deprecated": false,
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c78b0dc6fb7fb389d674e491fd376388cdfb1d53",
        "target": {
            "function": "kernfs_remove_by_name_ns",
            "file": "fs/kernfs/dir.c"
        },
        "signature_type": "Function"
    },
    {
        "id": "CVE-2022-50432-a688f565",
        "digest": {
            "line_hashes": [
                "203035903434415198404816774838243505419",
                "277644977215267705713917824458504187625",
                "132764649352897769718283583964383318389",
                "272364486505928604012053644711892904546",
                "314687175002353784935581877136467017709"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@6f72a3977ba9d0e5491a5c01315204272e7f9c44",
        "target": {
            "file": "fs/kernfs/dir.c"
        },
        "signature_type": "Line"
    },
    {
        "id": "CVE-2022-50432-acf1b49c",
        "digest": {
            "line_hashes": [
                "203035903434415198404816774838243505419",
                "277644977215267705713917824458504187625",
                "132764649352897769718283583964383318389",
                "272364486505928604012053644711892904546",
                "314687175002353784935581877136467017709"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4dfd6a477a1525773469feaf3c514b2c0fef76b5",
        "target": {
            "file": "fs/kernfs/dir.c"
        },
        "signature_type": "Line"
    },
    {
        "id": "CVE-2022-50432-b071cbb8",
        "digest": {
            "function_hash": "242262174697072054853413533310104627163",
            "length": 446.0
        },
        "deprecated": false,
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@af1b57cc39beca203559576b3046094fc9e5eb32",
        "target": {
            "function": "kernfs_remove_by_name_ns",
            "file": "fs/kernfs/dir.c"
        },
        "signature_type": "Function"
    },
    {
        "id": "CVE-2022-50432-b251bf6f",
        "digest": {
            "line_hashes": [
                "203035903434415198404816774838243505419",
                "277644977215267705713917824458504187625",
                "132764649352897769718283583964383318389",
                "272364486505928604012053644711892904546",
                "314687175002353784935581877136467017709"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@02eb35131050735332658029082f61515b7dfe38",
        "target": {
            "file": "fs/kernfs/dir.c"
        },
        "signature_type": "Line"
    },
    {
        "id": "CVE-2022-50432-c03bd48f",
        "digest": {
            "line_hashes": [
                "218109745430106081283619621678415584610",
                "282238354826725011521612331873153335773",
                "318790896754653524146690628184752213395",
                "238801359341305488799562206836483250679",
                "100127055284451353901010280415954551665"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4abc99652812a2ddf932f137515d5c5a04723538",
        "target": {
            "file": "fs/kernfs/dir.c"
        },
        "signature_type": "Line"
    },
    {
        "id": "CVE-2022-50432-d4db1831",
        "digest": {
            "function_hash": "242262174697072054853413533310104627163",
            "length": 446.0
        },
        "deprecated": false,
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4abc99652812a2ddf932f137515d5c5a04723538",
        "target": {
            "function": "kernfs_remove_by_name_ns",
            "file": "fs/kernfs/dir.c"
        },
        "signature_type": "Function"
    },
    {
        "id": "CVE-2022-50432-dde6344d",
        "digest": {
            "line_hashes": [
                "218109745430106081283619621678415584610",
                "282238354826725011521612331873153335773",
                "318790896754653524146690628184752213395",
                "238801359341305488799562206836483250679",
                "100127055284451353901010280415954551665"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@af1b57cc39beca203559576b3046094fc9e5eb32",
        "target": {
            "file": "fs/kernfs/dir.c"
        },
        "signature_type": "Line"
    }
]