Hello,
syzbot found the following issue on:
HEAD commit:    ff63a5f5cdf6 ANDROID: Fix kenelci build-break for !CONFIG_..
git tree:       android12-5.4
console+strace: https://syzkaller.appspot.com/x/log.txt?x=17dfa54e880000
kernel config:  https://syzkaller.appspot.com/x/.config?x=99700db563136bf4
dashboard link: https://syzkaller.appspot.com/bug?extid=4eedd68d161eacf7f7c9
compiler:       Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1675dbd6880000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=12b8fd3c880000

Downloadable assets:
disk image:       https://storage.googleapis.com/syzbot-assets/abfcaf3d008a/disk-ff63a5f5.raw.xz
vmlinux:          https://storage.googleapis.com/syzbot-assets/607de550eaec/vmlinux-ff63a5f5.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/9c6a714f405d/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+4eedd6...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in data_blkaddr fs/f2fs/f2fs.h:2699 [inline]
BUG: KASAN: use-after-free in is_alive fs/f2fs/gc.c:1030 [inline]
BUG: KASAN: use-after-free in gc_data_segment fs/f2fs/gc.c:1448 [inline]
BUG: KASAN: use-after-free in do_garbage_collect+0x5b28/0x7160 fs/f2fs/gc.c:1653
Read of size 4 at addr ffff8881dbdc5150 by task kworker/u4:1/93
CPU: 1 PID: 93 Comm: kworker/u4:1 Not tainted 5.4.210-syzkaller-00004-gff63a5f5cdf6 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
Workqueue: writeback wb_workfn (flush-7:0)
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x18e/0x1d5 lib/dump_stack.c:118
print_address_description+0x8c/0x630 mm/kasan/report.c:384
__kasan_report+0xf6/0x130 mm/kasan/report.c:516
kasan_report+0x30/0x60 mm/kasan/common.c:653
data_blkaddr fs/f2fs/f2fs.h:2699 [inline]
is_alive fs/f2fs/gc.c:1030 [inline]
gc_data_segment fs/f2fs/gc.c:1448 [inline]
do_garbage_collect+0x5b28/0x7160 fs/f2fs/gc.c:1653
f2fs_gc+0x872/0x17f0 fs/f2fs/gc.c:1745
f2fs_balance_fs+0x2c2/0x340 fs/f2fs/segment.c:528
f2fs_write_inode+0x694/0x730 fs/f2fs/inode.c:722
write_inode+0xf1/0x360 fs/fs-writeback.c:1326
__writeback_single_inode+0x3bf/0x840 fs/fs-writeback.c:1524
writeback_sb_inodes+0x9a9/0x19d0 fs/fs-writeback.c:1730
wb_writeback+0x3c2/0xc20 fs/fs-writeback.c:1905
wb_do_writeback+0x181/0xaf0 fs/fs-writeback.c:2050
wb_workfn+0xf8/0x450 fs/fs-writeback.c:2091
process_one_work+0x6ca/0xc40 kernel/workqueue.c:2287
worker_thread+0xae0/0x1440 kernel/workqueue.c:2433
kthread+0x2d8/0x360 kernel/kthread.c:288
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352
Allocated by task 155:
save_stack mm/kasan/common.c:70 [inline]
set_track mm/kasan/common.c:78 [inline]
__kasan_kmalloc+0x131/0x1e0 mm/kasan/common.c:529
slab_post_alloc_hook mm/slab.h:584 [inline]
slab_alloc_node mm/slub.c:2829 [inline]
slab_alloc mm/slub.c:2837 [inline]
kmem_cache_alloc+0xd0/0x210 mm/slub.c:2842
getname_flags+0xb8/0x4e0 fs/namei.c:141
getname fs/namei.c:212 [inline]
__do_sys_unlink fs/namei.c:4189 [inline]
__se_sys_unlink fs/namei.c:4187 [inline]
__x64_sys_unlink+0x38/0x50 fs/namei.c:4187
do_syscall_64+0xcb/0x1c0 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Freed by task 155:
save_stack mm/kasan/common.c:70 [inline]
set_track mm/kasan/common.c:78 [inline]
kasan_set_free_info mm/kasan/common.c:345 [inline]
__kasan_slab_free+0x178/0x240 mm/kasan/common.c:487
slab_free_hook mm/slub.c:1455 [inline]
slab_free_freelist_hook+0x80/0x150 mm/slub.c:1494
slab_free mm/slub.c:3080 [inline]
kmem_cache_free+0xa9/0x1d0 mm/slub.c:3096
putname fs/namei.c:262 [inline]
do_unlinkat+0x788/0x820 fs/namei.c:4163
do_syscall_64+0xcb/0x1c0 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x44/0xa9
The buggy address belongs to the object at ffff8881dbdc4400
which belongs to the cache names_cache of size 4096
The buggy address is located 3408 bytes inside of
4096-byte region [ffff8881dbdc4400, ffff8881dbdc5400)
The buggy address belongs to the page:
page:ffffea00076f7000 refcount:1 mapcount:0 mapping:ffff8881f5cf9680 index:0x0 compound_mapcount: 0
flags: 0x8000000000010200(slab|head)
raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881f5cf9680
raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC)
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook mm/page_alloc.c:2165 [inline]
prep_new_page+0x194/0x380 mm/page_alloc.c:2171
get_page_from_freelist+0x524/0x560 mm/page_alloc.c:3794
__alloc_pages_nodemask+0x2ab/0x6f0 mm/page_alloc.c:4857
alloc_slab_page+0x39/0x3e0 mm/slub.c:343
allocate_slab mm/slub.c:1683 [inline]
new_slab+0x97/0x450 mm/slub.c:1749
new_slab_objects mm/slub.c:2505 [inline]
___slab_alloc+0x320/0x4a0 mm/slub.c:2667
__slab_alloc+0x5a/0x90 mm/slub.c:2707
slab_alloc_node mm/slub.c:2792 [inline]
slab_alloc mm/slub.c:2837 [inline]
kmem_cache_alloc+0x100/0x210 mm/slub.c:2842
getname_flags+0xb8/0x4e0 fs/namei.c:141
getname fs/namei.c:212 [inline]
do_renameat2+0x28d/0x1120 fs/namei.c:4631
__do_sys_rename fs/namei.c:4752 [inline]
__se_sys_rename fs/namei.c:4750 [inline]
__x64_sys_rename+0x64/0x70 fs/namei.c:4750
do_syscall_64+0xcb/0x1c0 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x44/0xa9
page_owner free stack trace missing
Memory state around the buggy address:
ffff8881dbdc5000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881dbdc5080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881dbdc5100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881dbdc5180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881dbdc5200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches