KASAN: use-after-free Read in move_expired_inodes


syzbot

Dec 6, 2022, 9:04:43 AM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 92f701cae0bc Revert "net: phylink: add mac_managed_pm in p..
git tree: android13-5.15-lts
console+strace: https://syzkaller.appspot.com/x/log.txt?x=1657cf47880000
kernel config: https://syzkaller.appspot.com/x/.config?x=c09f41566427ff65
dashboard link: https://syzkaller.appspot.com/bug?extid=d599b0d654db599a8cbd
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=142e4b6b880000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=115887f3880000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/476689ffc479/disk-92f701ca.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/adf26901bede/vmlinux-92f701ca.xz
kernel image: https://storage.googleapis.com/syzbot-assets/fffd019832bf/bzImage-92f701ca.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/17484d21030e/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d599b0...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in inode_dirtied_after fs/fs-writeback.c:1370 [inline]
BUG: KASAN: use-after-free in move_expired_inodes+0x181/0x890 fs/fs-writeback.c:1402
Read of size 8 at addr ffff88810fec19e0 by task kworker/u4:2/94

CPU: 1 PID: 94 Comm: kworker/u4:2 Not tainted 5.15.76-syzkaller-00628-g92f701cae0bc #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Workqueue: writeback wb_workfn (flush-7:0)
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
print_address_description+0x87/0x3d0 mm/kasan/report.c:256
__kasan_report mm/kasan/report.c:435 [inline]
kasan_report+0x1a6/0x1f0 mm/kasan/report.c:452
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report_generic.c:309
inode_dirtied_after fs/fs-writeback.c:1370 [inline]
move_expired_inodes+0x181/0x890 fs/fs-writeback.c:1402
queue_io+0x29f/0x500 fs/fs-writeback.c:1462
wb_writeback+0x3c3/0x9e0 fs/fs-writeback.c:2069
wb_check_old_data_flush fs/fs-writeback.c:2173 [inline]
wb_do_writeback+0x995/0xbd0 fs/fs-writeback.c:2226
wb_workfn+0xf8/0x3e0 fs/fs-writeback.c:2255
process_one_work+0x6db/0xc00 kernel/workqueue.c:2313
worker_thread+0xb3e/0x1340 kernel/workqueue.c:2460
kthread+0x41c/0x500 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
</TASK>

Allocated by task 413:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track mm/kasan/common.c:45 [inline]
set_alloc_info mm/kasan/common.c:433 [inline]
__kasan_slab_alloc+0xb2/0xe0 mm/kasan/common.c:466
kasan_slab_alloc include/linux/kasan.h:244 [inline]
slab_post_alloc_hook mm/slab.h:550 [inline]
slab_alloc_node mm/slub.c:3236 [inline]
slab_alloc mm/slub.c:3244 [inline]
kmem_cache_alloc+0x189/0x2f0 mm/slub.c:3249
fat_alloc_inode+0x1d/0xa0 fs/fat/inode.c:748
alloc_inode fs/inode.c:236 [inline]
new_inode_pseudo+0x64/0x220 fs/inode.c:937
new_inode+0x28/0x1c0 fs/inode.c:966
fat_build_inode+0x1d9/0x3a0 fs/fat/inode.c:601
msdos_lookup+0x3d7/0x4e0 fs/fat/namei_msdos.c:216
lookup_open fs/namei.c:3312 [inline]
open_last_lookups fs/namei.c:3404 [inline]
path_openat+0x113e/0x2ea0 fs/namei.c:3612
do_filp_open+0x277/0x4f0 fs/namei.c:3642
do_sys_openat2+0x13b/0x500 fs/open.c:1234
do_sys_open fs/open.c:1250 [inline]
__do_sys_openat fs/open.c:1266 [inline]
__se_sys_openat fs/open.c:1261 [inline]
__x64_sys_openat+0x243/0x290 fs/open.c:1261
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb

Last potentially related work creation:
kasan_save_stack+0x3b/0x60 mm/kasan/common.c:38
__kasan_record_aux_stack+0xd3/0xf0 mm/kasan/generic.c:348
kasan_record_aux_stack_noalloc+0xb/0x10 mm/kasan/generic.c:358
__call_rcu kernel/rcu/tree.c:2993 [inline]
call_rcu+0x140/0x1400 kernel/rcu/tree.c:3073
destroy_inode fs/inode.c:291 [inline]
evict+0x5de/0x630 fs/inode.c:602
iput_final fs/inode.c:1663 [inline]
iput+0x61c/0x7d0 fs/inode.c:1689
dentry_unlink_inode+0x349/0x430 fs/dcache.c:376
__dentry_kill+0x3e2/0x5d0 fs/dcache.c:582
dentry_kill+0xc0/0x2a0
dput+0x175/0x320 fs/dcache.c:888
__fput+0x65a/0x910 fs/file_table.c:288
____fput+0x15/0x20 fs/file_table.c:308
task_work_run+0x147/0x1b0 kernel/task_work.c:164
exit_task_work include/linux/task_work.h:32 [inline]
do_exit+0x67e/0x24d0 kernel/exit.c:828
do_group_exit+0x13a/0x300 kernel/exit.c:925
__do_sys_exit_group kernel/exit.c:936 [inline]
__se_sys_exit_group kernel/exit.c:934 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:934
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb

The buggy address belongs to the object at ffff88810fec1860
which belongs to the cache fat_inode_cache of size 912
The buggy address is located 384 bytes inside of
912-byte region [ffff88810fec1860, ffff88810fec1bf0)
The buggy address belongs to the page:
page:ffffea00043fb000 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10fec0
head:ffffea00043fb000 order:2 compound_mapcount:0 compound_pincount:0
flags: 0x4000000000010200(slab|head|zone=1)
raw: 4000000000010200 0000000000000000 dead000000000122 ffff888108584600
raw: 0000000000000000 00000000800f000f 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Reclaimable, gfp_mask 0xd2050(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_RECLAIMABLE), pid 413, ts 24519494136, free_ts 0
set_page_owner include/linux/page_owner.h:33 [inline]
post_alloc_hook+0x1ab/0x1b0 mm/page_alloc.c:2495
prep_new_page mm/page_alloc.c:2501 [inline]
get_page_from_freelist+0x38b/0x400 mm/page_alloc.c:4281
__alloc_pages+0x3a8/0x7c0 mm/page_alloc.c:5548
allocate_slab+0x62/0x580 mm/slub.c:1928
new_slab mm/slub.c:1991 [inline]
___slab_alloc+0x2e2/0x6f0 mm/slub.c:3024
__slab_alloc+0x4a/0x90 mm/slub.c:3111
slab_alloc_node mm/slub.c:3202 [inline]
slab_alloc mm/slub.c:3244 [inline]
kmem_cache_alloc+0x205/0x2f0 mm/slub.c:3249
fat_alloc_inode+0x1d/0xa0 fs/fat/inode.c:748
alloc_inode fs/inode.c:236 [inline]
new_inode_pseudo+0x64/0x220 fs/inode.c:937
new_inode+0x28/0x1c0 fs/inode.c:966
fat_fill_super+0x32c2/0x4b30 fs/fat/inode.c:1846
msdos_fill_super+0x2e/0x40 fs/fat/namei_msdos.c:655
mount_bdev+0x280/0x3b0 fs/super.c:1368
msdos_mount+0x34/0x40 fs/fat/namei_msdos.c:662
legacy_get_tree+0xf0/0x190 fs/fs_context.c:610
vfs_get_tree+0x88/0x290 fs/super.c:1498
page_owner free stack trace missing

Memory state around the buggy address:
ffff88810fec1880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88810fec1900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88810fec1980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88810fec1a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88810fec1a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches

syzbot

Dec 6, 2022, 9:59:21 PM
to syzkaller-a...@googlegroups.com
syzbot has bisected this issue to:

commit 0d942303430824f785ac7ed8434a05d87bf4bb13
Author: Lukas Czerner <lcze...@redhat.com>
Date: Thu Aug 25 10:06:57 2022 +0000

fs: record I_DIRTY_TIME even if inode already has I_DIRTY_INODE

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1511db97880000
start commit: 92f701cae0bc Revert "net: phylink: add mac_managed_pm in p..
git tree: android13-5.15-lts
final oops: https://syzkaller.appspot.com/x/report.txt?x=1711db97880000
console output: https://syzkaller.appspot.com/x/log.txt?x=1311db97880000
Reported-by: syzbot+d599b0...@syzkaller.appspotmail.com
Fixes: 0d9423034308 ("fs: record I_DIRTY_TIME even if inode already has I_DIRTY_INODE")

For information about the bisection process see: https://goo.gl/tpsmEJ#bisection