[Android 6.1] KASAN: use-after-free Write in igrab
6 views
Skip to first unread message
syzbot
Jun 6, 2023, 9:23:05 PM6/6/23
to syzkaller-a...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 312dfb3b7ec3 ANDROID: abi_gki_aarch64_qcom: Update QCOM sy..
git tree: android14-6.1
console+strace: https://syzkaller.appspot.com/x/log.txt?x=109042c9280000
kernel config: https://syzkaller.appspot.com/x/.config?x=772a621c45fe488b
dashboard link: https://syzkaller.appspot.com/bug?extid=10e06d8d6fcd61014eb4
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=174087a3280000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1516822d280000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/37c247df1c6e/disk-312dfb3b.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/88c5a78f6058/vmlinux-312dfb3b.xz
kernel image: https://storage.googleapis.com/syzbot-assets/27b0fe1b9f86/bzImage-312dfb3b.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/fbbaac5d583f/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+10e06d...@syzkaller.appspotmail.com
R10: 0000000000010600 R11: 0000000000000246 R12: 00007fad755a8330
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
</TASK>
---[ end trace 0000000000000000 ]---
==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:102 [inline]
BUG: KASAN: use-after-free in atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline]
BUG: KASAN: use-after-free in queued_spin_lock include/asm-generic/qspinlock.h:111 [inline]
BUG: KASAN: use-after-free in do_raw_spin_lock include/linux/spinlock.h:186 [inline]
BUG: KASAN: use-after-free in __raw_spin_lock include/linux/spinlock_api_smp.h:134 [inline]
BUG: KASAN: use-after-free in _raw_spin_lock+0x97/0x1b0 kernel/locking/spinlock.c:154
Write of size 4 at addr ffff88810b7fcbc8 by task syz-executor378/293
CPU: 1 PID: 293 Comm: syz-executor378 Tainted: G W 6.1.25-syzkaller-00355-g312dfb3b7ec3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x158/0x4e0 mm/kasan/report.c:395
kasan_report+0x13c/0x170 mm/kasan/report.c:495
kasan_check_range+0x294/0x2a0 mm/kasan/generic.c:189
__kasan_check_write+0x14/0x20 mm/kasan/shadow.c:37
instrument_atomic_read_write include/linux/instrumented.h:102 [inline]
atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline]
queued_spin_lock include/asm-generic/qspinlock.h:111 [inline]
do_raw_spin_lock include/linux/spinlock.h:186 [inline]
__raw_spin_lock include/linux/spinlock_api_smp.h:134 [inline]
_raw_spin_lock+0x97/0x1b0 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:350 [inline]
igrab+0x20/0xa0 fs/inode.c:1388
f2fs_sync_inode_meta fs/f2fs/checkpoint.c:1148 [inline]
block_operations fs/f2fs/checkpoint.c:1256 [inline]
f2fs_write_checkpoint+0xdab/0x2410 fs/f2fs/checkpoint.c:1648
f2fs_issue_checkpoint+0x2e5/0x4f0 fs/f2fs/checkpoint.c:1855
f2fs_sync_fs+0x186/0x2f0 fs/f2fs/super.c:1669
sync_filesystem+0x1cf/0x250 fs/sync.c:66
f2fs_quota_off_umount+0x20e/0x220 fs/f2fs/super.c:2944
f2fs_put_super+0xbe/0xce0 fs/f2fs/super.c:1558
generic_shutdown_super+0x14f/0x370 fs/super.c:503
kill_block_super+0x7e/0xe0 fs/super.c:1452
kill_f2fs_super+0x2f9/0x3c0 fs/f2fs/super.c:4702
deactivate_locked_super+0xa5/0x110 fs/super.c:334
deactivate_super+0xbe/0xf0 fs/super.c:365
cleanup_mnt+0x485/0x510 fs/namespace.c:1186
__cleanup_mnt+0x19/0x20 fs/namespace.c:1193
task_work_run+0x24d/0x2e0 kernel/task_work.c:179
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0xbc5/0x2a40 kernel/exit.c:872
do_group_exit+0x21a/0x2d0 kernel/exit.c:1022
__do_sys_exit_group kernel/exit.c:1033 [inline]
__se_sys_exit_group kernel/exit.c:1031 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1031
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fad75522a09
Code: Unable to access opcode bytes at 0x7fad755229df.
RSP: 002b:00007ffcbaf04e58 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007fad755a8330 RCX: 00007fad75522a09
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
RBP: 0000000000000001 R08: ffffffffffffffc0 R09: 00007fad755a2e40
R10: 0000000000010600 R11: 0000000000000246 R12: 00007fad755a8330
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
</TASK>
Allocated by task 293:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
kasan_save_alloc_info+0x1f/0x30 mm/kasan/generic.c:505
__kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:333
kasan_slab_alloc include/linux/kasan.h:202 [inline]
slab_post_alloc_hook+0x53/0x2c0 mm/slab.h:768
slab_alloc_node mm/slub.c:3418 [inline]
slab_alloc mm/slub.c:3426 [inline]
__kmem_cache_alloc_lru mm/slub.c:3433 [inline]
kmem_cache_alloc_lru+0x102/0x220 mm/slub.c:3449
alloc_inode_sb include/linux/fs.h:3139 [inline]
f2fs_alloc_inode+0x2d/0x350 fs/f2fs/super.c:1383
alloc_inode fs/inode.c:259 [inline]
iget_locked+0x18c/0x7e0 fs/inode.c:1286
f2fs_iget+0x55/0x4df0 fs/f2fs/inode.c:503
f2fs_lookup+0x410/0xd80 fs/f2fs/namei.c:541
lookup_open fs/namei.c:3391 [inline]
open_last_lookups fs/namei.c:3481 [inline]
path_openat+0x10fd/0x2d60 fs/namei.c:3711
do_filp_open+0x230/0x480 fs/namei.c:3741
do_sys_openat2+0x13f/0x850 fs/open.c:1333
do_sys_open fs/open.c:1349 [inline]
__do_sys_open fs/open.c:1357 [inline]
__se_sys_open fs/open.c:1353 [inline]
__x64_sys_open+0x221/0x270 fs/open.c:1353
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Freed by task 293:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:516
____kasan_slab_free+0x131/0x180 mm/kasan/common.c:241
__kasan_slab_free+0x11/0x20 mm/kasan/common.c:249
kasan_slab_free include/linux/kasan.h:178 [inline]
slab_free_hook mm/slub.c:1744 [inline]
slab_free_freelist_hook mm/slub.c:1770 [inline]
slab_free mm/slub.c:3681 [inline]
kmem_cache_free+0x291/0x510 mm/slub.c:3703
f2fs_free_inode+0x24/0x30 fs/f2fs/super.c:1526
i_callback+0x4b/0x70 fs/inode.c:248
rcu_do_batch+0x515/0xb60 kernel/rcu/tree.c:2250
rcu_core+0x4eb/0xf10 kernel/rcu/tree.c:2510
rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2527
__do_softirq+0x1d8/0x661 kernel/softirq.c:613
Last potentially related work creation:
kasan_save_stack+0x3b/0x60 mm/kasan/common.c:45
__kasan_record_aux_stack+0xb4/0xc0 mm/kasan/generic.c:486
kasan_record_aux_stack_noalloc+0xb/0x10 mm/kasan/generic.c:496
call_rcu+0xec/0x1230 kernel/rcu/tree.c:2798
destroy_inode fs/inode.c:314 [inline]
evict+0x5df/0x630 fs/inode.c:679
dispose_list fs/inode.c:697 [inline]
evict_inodes+0x5d1/0x650 fs/inode.c:747
generic_shutdown_super+0x97/0x370 fs/super.c:482
kill_block_super+0x7e/0xe0 fs/super.c:1452
kill_f2fs_super+0x2f9/0x3c0 fs/f2fs/super.c:4702
deactivate_locked_super+0xa5/0x110 fs/super.c:334
deactivate_super+0xbe/0xf0 fs/super.c:365
cleanup_mnt+0x485/0x510 fs/namespace.c:1186
__cleanup_mnt+0x19/0x20 fs/namespace.c:1193
task_work_run+0x24d/0x2e0 kernel/task_work.c:179
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0xbc5/0x2a40 kernel/exit.c:872
do_group_exit+0x21a/0x2d0 kernel/exit.c:1022
__do_sys_exit_group kernel/exit.c:1033 [inline]
__se_sys_exit_group kernel/exit.c:1031 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1031
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The buggy address belongs to the object at ffff88810b7fcb40
which belongs to the cache f2fs_inode_cache of size 1248
The buggy address is located 136 bytes inside of
1248-byte region [ffff88810b7fcb40, ffff88810b7fd020)
The buggy address belongs to the physical page:
page:ffffea00042dfe00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10b7f8
head:ffffea00042dfe00 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x4000000000010200(slab|head|zone=1)
raw: 4000000000010200 0000000000000000 dead000000000122 ffff88810b1c0c80
raw: 0000000000000000 0000000080170017 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Reclaimable, gfp_mask 0xd2050(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_RECLAIMABLE), pid 293, tgid 293 (syz-executor378), ts 23261688081, free_ts 0
set_page_owner include/linux/page_owner.h:33 [inline]
post_alloc_hook+0x213/0x220 mm/page_alloc.c:2574
prep_new_page mm/page_alloc.c:2581 [inline]
get_page_from_freelist+0x2527/0x2600 mm/page_alloc.c:4374
__alloc_pages+0x3a1/0x780 mm/page_alloc.c:5651
allocate_slab mm/slub.c:1959 [inline]
new_slab+0xce/0x4c0 mm/slub.c:2012
___slab_alloc+0x6f9/0xb80 mm/slub.c:3200
__slab_alloc+0x5d/0xa0 mm/slub.c:3299
slab_alloc_node mm/slub.c:3384 [inline]
slab_alloc mm/slub.c:3426 [inline]
__kmem_cache_alloc_lru mm/slub.c:3433 [inline]
kmem_cache_alloc_lru+0x144/0x220 mm/slub.c:3449
alloc_inode_sb include/linux/fs.h:3139 [inline]
f2fs_alloc_inode+0x2d/0x350 fs/f2fs/super.c:1383
alloc_inode fs/inode.c:259 [inline]
iget_locked+0x18c/0x7e0 fs/inode.c:1286
f2fs_iget+0x55/0x4df0 fs/f2fs/inode.c:503
f2fs_lookup+0x410/0xd80 fs/f2fs/namei.c:541
lookup_open fs/namei.c:3391 [inline]
open_last_lookups fs/namei.c:3481 [inline]
path_openat+0x10fd/0x2d60 fs/namei.c:3711
do_filp_open+0x230/0x480 fs/namei.c:3741
do_sys_openat2+0x13f/0x850 fs/open.c:1333
do_sys_open fs/open.c:1349 [inline]
__do_sys_open fs/open.c:1357 [inline]
__se_sys_open fs/open.c:1353 [inline]
__x64_sys_open+0x221/0x270 fs/open.c:1353
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
page_owner free stack trace missing
Memory state around the buggy address:
ffff88810b7fca80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88810b7fcb00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
>ffff88810b7fcb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88810b7fcc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88810b7fcc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to change bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 312dfb3b7ec3 ANDROID: abi_gki_aarch64_qcom: Update QCOM sy..
git tree: android14-6.1
console+strace: https://syzkaller.appspot.com/x/log.txt?x=109042c9280000
kernel config: https://syzkaller.appspot.com/x/.config?x=772a621c45fe488b
dashboard link: https://syzkaller.appspot.com/bug?extid=10e06d8d6fcd61014eb4
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=174087a3280000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1516822d280000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/37c247df1c6e/disk-312dfb3b.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/88c5a78f6058/vmlinux-312dfb3b.xz
kernel image: https://storage.googleapis.com/syzbot-assets/27b0fe1b9f86/bzImage-312dfb3b.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/fbbaac5d583f/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+10e06d...@syzkaller.appspotmail.com
R10: 0000000000010600 R11: 0000000000000246 R12: 00007fad755a8330
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
</TASK>
---[ end trace 0000000000000000 ]---
==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:102 [inline]
BUG: KASAN: use-after-free in atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline]
BUG: KASAN: use-after-free in queued_spin_lock include/asm-generic/qspinlock.h:111 [inline]
BUG: KASAN: use-after-free in do_raw_spin_lock include/linux/spinlock.h:186 [inline]
BUG: KASAN: use-after-free in __raw_spin_lock include/linux/spinlock_api_smp.h:134 [inline]
BUG: KASAN: use-after-free in _raw_spin_lock+0x97/0x1b0 kernel/locking/spinlock.c:154
Write of size 4 at addr ffff88810b7fcbc8 by task syz-executor378/293
CPU: 1 PID: 293 Comm: syz-executor378 Tainted: G W 6.1.25-syzkaller-00355-g312dfb3b7ec3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x158/0x4e0 mm/kasan/report.c:395
kasan_report+0x13c/0x170 mm/kasan/report.c:495
kasan_check_range+0x294/0x2a0 mm/kasan/generic.c:189
__kasan_check_write+0x14/0x20 mm/kasan/shadow.c:37
instrument_atomic_read_write include/linux/instrumented.h:102 [inline]
atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline]
queued_spin_lock include/asm-generic/qspinlock.h:111 [inline]
do_raw_spin_lock include/linux/spinlock.h:186 [inline]
__raw_spin_lock include/linux/spinlock_api_smp.h:134 [inline]
_raw_spin_lock+0x97/0x1b0 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:350 [inline]
igrab+0x20/0xa0 fs/inode.c:1388
f2fs_sync_inode_meta fs/f2fs/checkpoint.c:1148 [inline]
block_operations fs/f2fs/checkpoint.c:1256 [inline]
f2fs_write_checkpoint+0xdab/0x2410 fs/f2fs/checkpoint.c:1648
f2fs_issue_checkpoint+0x2e5/0x4f0 fs/f2fs/checkpoint.c:1855
f2fs_sync_fs+0x186/0x2f0 fs/f2fs/super.c:1669
sync_filesystem+0x1cf/0x250 fs/sync.c:66
f2fs_quota_off_umount+0x20e/0x220 fs/f2fs/super.c:2944
f2fs_put_super+0xbe/0xce0 fs/f2fs/super.c:1558
generic_shutdown_super+0x14f/0x370 fs/super.c:503
kill_block_super+0x7e/0xe0 fs/super.c:1452
kill_f2fs_super+0x2f9/0x3c0 fs/f2fs/super.c:4702
deactivate_locked_super+0xa5/0x110 fs/super.c:334
deactivate_super+0xbe/0xf0 fs/super.c:365
cleanup_mnt+0x485/0x510 fs/namespace.c:1186
__cleanup_mnt+0x19/0x20 fs/namespace.c:1193
task_work_run+0x24d/0x2e0 kernel/task_work.c:179
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0xbc5/0x2a40 kernel/exit.c:872
do_group_exit+0x21a/0x2d0 kernel/exit.c:1022
__do_sys_exit_group kernel/exit.c:1033 [inline]
__se_sys_exit_group kernel/exit.c:1031 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1031
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fad75522a09
Code: Unable to access opcode bytes at 0x7fad755229df.
RSP: 002b:00007ffcbaf04e58 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007fad755a8330 RCX: 00007fad75522a09
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
RBP: 0000000000000001 R08: ffffffffffffffc0 R09: 00007fad755a2e40
R10: 0000000000010600 R11: 0000000000000246 R12: 00007fad755a8330
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
</TASK>
Allocated by task 293:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
kasan_save_alloc_info+0x1f/0x30 mm/kasan/generic.c:505
__kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:333
kasan_slab_alloc include/linux/kasan.h:202 [inline]
slab_post_alloc_hook+0x53/0x2c0 mm/slab.h:768
slab_alloc_node mm/slub.c:3418 [inline]
slab_alloc mm/slub.c:3426 [inline]
__kmem_cache_alloc_lru mm/slub.c:3433 [inline]
kmem_cache_alloc_lru+0x102/0x220 mm/slub.c:3449
alloc_inode_sb include/linux/fs.h:3139 [inline]
f2fs_alloc_inode+0x2d/0x350 fs/f2fs/super.c:1383
alloc_inode fs/inode.c:259 [inline]
iget_locked+0x18c/0x7e0 fs/inode.c:1286
f2fs_iget+0x55/0x4df0 fs/f2fs/inode.c:503
f2fs_lookup+0x410/0xd80 fs/f2fs/namei.c:541
lookup_open fs/namei.c:3391 [inline]
open_last_lookups fs/namei.c:3481 [inline]
path_openat+0x10fd/0x2d60 fs/namei.c:3711
do_filp_open+0x230/0x480 fs/namei.c:3741
do_sys_openat2+0x13f/0x850 fs/open.c:1333
do_sys_open fs/open.c:1349 [inline]
__do_sys_open fs/open.c:1357 [inline]
__se_sys_open fs/open.c:1353 [inline]
__x64_sys_open+0x221/0x270 fs/open.c:1353
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Freed by task 293:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:516
____kasan_slab_free+0x131/0x180 mm/kasan/common.c:241
__kasan_slab_free+0x11/0x20 mm/kasan/common.c:249
kasan_slab_free include/linux/kasan.h:178 [inline]
slab_free_hook mm/slub.c:1744 [inline]
slab_free_freelist_hook mm/slub.c:1770 [inline]
slab_free mm/slub.c:3681 [inline]
kmem_cache_free+0x291/0x510 mm/slub.c:3703
f2fs_free_inode+0x24/0x30 fs/f2fs/super.c:1526
i_callback+0x4b/0x70 fs/inode.c:248
rcu_do_batch+0x515/0xb60 kernel/rcu/tree.c:2250
rcu_core+0x4eb/0xf10 kernel/rcu/tree.c:2510
rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2527
__do_softirq+0x1d8/0x661 kernel/softirq.c:613
Last potentially related work creation:
kasan_save_stack+0x3b/0x60 mm/kasan/common.c:45
__kasan_record_aux_stack+0xb4/0xc0 mm/kasan/generic.c:486
kasan_record_aux_stack_noalloc+0xb/0x10 mm/kasan/generic.c:496
call_rcu+0xec/0x1230 kernel/rcu/tree.c:2798
destroy_inode fs/inode.c:314 [inline]
evict+0x5df/0x630 fs/inode.c:679
dispose_list fs/inode.c:697 [inline]
evict_inodes+0x5d1/0x650 fs/inode.c:747
generic_shutdown_super+0x97/0x370 fs/super.c:482
kill_block_super+0x7e/0xe0 fs/super.c:1452
kill_f2fs_super+0x2f9/0x3c0 fs/f2fs/super.c:4702
deactivate_locked_super+0xa5/0x110 fs/super.c:334
deactivate_super+0xbe/0xf0 fs/super.c:365
cleanup_mnt+0x485/0x510 fs/namespace.c:1186
__cleanup_mnt+0x19/0x20 fs/namespace.c:1193
task_work_run+0x24d/0x2e0 kernel/task_work.c:179
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0xbc5/0x2a40 kernel/exit.c:872
do_group_exit+0x21a/0x2d0 kernel/exit.c:1022
__do_sys_exit_group kernel/exit.c:1033 [inline]
__se_sys_exit_group kernel/exit.c:1031 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1031
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The buggy address belongs to the object at ffff88810b7fcb40
which belongs to the cache f2fs_inode_cache of size 1248
The buggy address is located 136 bytes inside of
1248-byte region [ffff88810b7fcb40, ffff88810b7fd020)
The buggy address belongs to the physical page:
page:ffffea00042dfe00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10b7f8
head:ffffea00042dfe00 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x4000000000010200(slab|head|zone=1)
raw: 4000000000010200 0000000000000000 dead000000000122 ffff88810b1c0c80
raw: 0000000000000000 0000000080170017 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Reclaimable, gfp_mask 0xd2050(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_RECLAIMABLE), pid 293, tgid 293 (syz-executor378), ts 23261688081, free_ts 0
set_page_owner include/linux/page_owner.h:33 [inline]
post_alloc_hook+0x213/0x220 mm/page_alloc.c:2574
prep_new_page mm/page_alloc.c:2581 [inline]
get_page_from_freelist+0x2527/0x2600 mm/page_alloc.c:4374
__alloc_pages+0x3a1/0x780 mm/page_alloc.c:5651
allocate_slab mm/slub.c:1959 [inline]
new_slab+0xce/0x4c0 mm/slub.c:2012
___slab_alloc+0x6f9/0xb80 mm/slub.c:3200
__slab_alloc+0x5d/0xa0 mm/slub.c:3299
slab_alloc_node mm/slub.c:3384 [inline]
slab_alloc mm/slub.c:3426 [inline]
__kmem_cache_alloc_lru mm/slub.c:3433 [inline]
kmem_cache_alloc_lru+0x144/0x220 mm/slub.c:3449
alloc_inode_sb include/linux/fs.h:3139 [inline]
f2fs_alloc_inode+0x2d/0x350 fs/f2fs/super.c:1383
alloc_inode fs/inode.c:259 [inline]
iget_locked+0x18c/0x7e0 fs/inode.c:1286
f2fs_iget+0x55/0x4df0 fs/f2fs/inode.c:503
f2fs_lookup+0x410/0xd80 fs/f2fs/namei.c:541
lookup_open fs/namei.c:3391 [inline]
open_last_lookups fs/namei.c:3481 [inline]
path_openat+0x10fd/0x2d60 fs/namei.c:3711
do_filp_open+0x230/0x480 fs/namei.c:3741
do_sys_openat2+0x13f/0x850 fs/open.c:1333
do_sys_open fs/open.c:1349 [inline]
__do_sys_open fs/open.c:1357 [inline]
__se_sys_open fs/open.c:1353 [inline]
__x64_sys_open+0x221/0x270 fs/open.c:1353
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
page_owner free stack trace missing
Memory state around the buggy address:
ffff88810b7fca80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88810b7fcb00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
>ffff88810b7fcb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88810b7fcc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88810b7fcc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to change bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
Jun 7, 2023, 1:06:25 AM6/7/23
to syzkaller-a...@googlegroups.com
syzbot has bisected this issue to:
commit c9bf02a2965159196838b59faed4ab566cb23cc6
Author: Daeho Jeong <daeho...@google.com>
Date: Fri Nov 11 17:04:06 2022 +0000
f2fs: introduce F2FS_IOC_START_ATOMIC_REPLACE
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=11241715280000
start commit: 312dfb3b7ec3 ANDROID: abi_gki_aarch64_qcom: Update QCOM sy..
git tree: android14-6.1
final oops: https://syzkaller.appspot.com/x/report.txt?x=13241715280000
console output: https://syzkaller.appspot.com/x/log.txt?x=15241715280000
Fixes: c9bf02a29651 ("f2fs: introduce F2FS_IOC_START_ATOMIC_REPLACE")
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
commit c9bf02a2965159196838b59faed4ab566cb23cc6
Author: Daeho Jeong <daeho...@google.com>
Date: Fri Nov 11 17:04:06 2022 +0000
f2fs: introduce F2FS_IOC_START_ATOMIC_REPLACE
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=11241715280000
start commit: 312dfb3b7ec3 ANDROID: abi_gki_aarch64_qcom: Update QCOM sy..
git tree: android14-6.1
final oops: https://syzkaller.appspot.com/x/report.txt?x=13241715280000
console output: https://syzkaller.appspot.com/x/log.txt?x=15241715280000
kernel config: https://syzkaller.appspot.com/x/.config?x=772a621c45fe488b
dashboard link: https://syzkaller.appspot.com/bug?extid=10e06d8d6fcd61014eb4
dashboard link: https://syzkaller.appspot.com/bug?extid=10e06d8d6fcd61014eb4
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=174087a3280000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1516822d280000
Reported-by: syzbot+10e06d...@syzkaller.appspotmail.com
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1516822d280000
Fixes: c9bf02a29651 ("f2fs: introduce F2FS_IOC_START_ATOMIC_REPLACE")
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot
Feb 3, 2024, 6:30:16 AM2/3/24
to syzkaller-a...@googlegroups.com
Auto-closing this bug as obsolete.
No recent activity, existing reproducers are no longer triggering the issue.
No recent activity, existing reproducers are no longer triggering the issue.
Reply all
Reply to author
Forward
0 new messages