[syzbot] [nilfs?] KASAN: use-after-free Read in nilfs_set_link
9 views
Skip to first unread message
syzbot
Jan 11, 2024, 3:06:30 PMJan 11
to konishi...@gmail.com, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linux...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 52b1853b080a Merge tag 'i2c-for-6.7-final' of git://git.ke..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10027331e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=655f8abe9fe69b3b
dashboard link: https://syzkaller.appspot.com/bug?extid=4936b06b07f365af31cc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11d62025e80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13c38055e80000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/bf8c17cb6cda/disk-52b1853b.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/7aa7b6d00e92/vmlinux-52b1853b.xz
kernel image: https://storage.googleapis.com/syzbot-assets/dbc54614504d/bzImage-52b1853b.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/25a961b83aac/mount_0.gz
Bisection is inconclusive: the issue happens on the oldest tested release.
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=172c038de80000
final oops: https://syzkaller.appspot.com/x/report.txt?x=14ac038de80000
console output: https://syzkaller.appspot.com/x/log.txt?x=10ac038de80000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+4936b0...@syzkaller.appspotmail.com
loop0: detected capacity change from 0 to 4096
==================================================================
BUG: KASAN: out-of-bounds in nilfs_set_link+0x24d/0x2e0 fs/nilfs2/dir.c:421
Read of size 2 at addr ffff888078f08008 by task syz-executor397/5051
CPU: 1 PID: 5051 Comm: syz-executor397 Not tainted 6.7.0-rc8-syzkaller-00177-g52b1853b080a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:364 [inline]
print_report+0x163/0x540 mm/kasan/report.c:475
kasan_report+0x142/0x170 mm/kasan/report.c:588
nilfs_set_link+0x24d/0x2e0 fs/nilfs2/dir.c:421
nilfs_rename+0x5d8/0x6b0 fs/nilfs2/namei.c:414
vfs_rename+0xaba/0xde0 fs/namei.c:4844
do_renameat2+0xd5a/0x1390 fs/namei.c:4996
__do_sys_rename fs/namei.c:5042 [inline]
__se_sys_rename fs/namei.c:5040 [inline]
__x64_sys_rename+0x86/0x90 fs/namei.c:5040
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x45/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7fb7b8290669
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 21 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffd4bb0238 EFLAGS: 00000246 ORIG_RAX: 0000000000000052
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fb7b8290669
RDX: 00007fb7b8290669 RSI: 0000000020000040 RDI: 0000000020000180
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000f69 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 431bde82d7b634db R15: 00007fffd4bb02a0
</TASK>
The buggy address belongs to the physical page:
page:ffffea0001e3c200 refcount:1 mapcount:1 mapping:0000000000000000 index:0x55b79e908 pfn:0x78f08
memcg:ffff888141652000
anon flags: 0xfff000000a0028(uptodate|lru|mappedtodisk|swapbacked|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0x0()
raw: 00fff000000a0028 ffffea0001391e88 ffffea00013f1b48 ffff888029cbb001
raw: 000000055b79e908 0000000000000000 0000000100000000 ffff888141652000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Movable, gfp_mask 0x140cca(GFP_HIGHUSER_MOVABLE|__GFP_COMP), pid 5052, tgid 5052 (udevd), ts 58139256944, free_ts 52307690585
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1544 [inline]
get_page_from_freelist+0x33ea/0x3570 mm/page_alloc.c:3312
__alloc_pages+0x255/0x680 mm/page_alloc.c:4568
alloc_pages_mpol+0x3de/0x640 mm/mempolicy.c:2133
vma_alloc_folio+0xf3/0x3f0 mm/mempolicy.c:2172
wp_page_copy mm/memory.c:3120 [inline]
do_wp_page+0x125e/0x4d40 mm/memory.c:3511
handle_pte_fault mm/memory.c:5055 [inline]
__handle_mm_fault mm/memory.c:5180 [inline]
handle_mm_fault+0x1b1c/0x6680 mm/memory.c:5345
do_user_addr_fault arch/x86/mm/fault.c:1364 [inline]
handle_page_fault arch/x86/mm/fault.c:1507 [inline]
exc_page_fault+0x456/0x870 arch/x86/mm/fault.c:1563
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:570
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1137 [inline]
free_unref_page_prepare+0x931/0xa60 mm/page_alloc.c:2347
free_unref_page_list+0x5a0/0x840 mm/page_alloc.c:2533
release_pages+0x2117/0x2400 mm/swap.c:1042
tlb_batch_pages_flush mm/mmu_gather.c:98 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:293 [inline]
tlb_flush_mmu+0x34c/0x4e0 mm/mmu_gather.c:300
tlb_finish_mmu+0xd4/0x1f0 mm/mmu_gather.c:392
exit_mmap+0x4d3/0xc60 mm/mmap.c:3324
__mmput+0x115/0x3c0 kernel/fork.c:1349
exit_mm+0x21f/0x300 kernel/exit.c:567
do_exit+0x9af/0x2740 kernel/exit.c:856
do_group_exit+0x206/0x2c0 kernel/exit.c:1018
__do_sys_exit_group kernel/exit.c:1029 [inline]
__se_sys_exit_group kernel/exit.c:1027 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1027
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x45/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
Memory state around the buggy address:
ffff888078f07f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888078f07f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888078f08000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
^
ffff888078f08080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888078f08100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 52b1853b080a Merge tag 'i2c-for-6.7-final' of git://git.ke..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10027331e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=655f8abe9fe69b3b
dashboard link: https://syzkaller.appspot.com/bug?extid=4936b06b07f365af31cc
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11d62025e80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13c38055e80000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/bf8c17cb6cda/disk-52b1853b.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/7aa7b6d00e92/vmlinux-52b1853b.xz
kernel image: https://storage.googleapis.com/syzbot-assets/dbc54614504d/bzImage-52b1853b.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/25a961b83aac/mount_0.gz
Bisection is inconclusive: the issue happens on the oldest tested release.
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=172c038de80000
final oops: https://syzkaller.appspot.com/x/report.txt?x=14ac038de80000
console output: https://syzkaller.appspot.com/x/log.txt?x=10ac038de80000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+4936b0...@syzkaller.appspotmail.com
loop0: detected capacity change from 0 to 4096
==================================================================
BUG: KASAN: out-of-bounds in nilfs_set_link+0x24d/0x2e0 fs/nilfs2/dir.c:421
Read of size 2 at addr ffff888078f08008 by task syz-executor397/5051
CPU: 1 PID: 5051 Comm: syz-executor397 Not tainted 6.7.0-rc8-syzkaller-00177-g52b1853b080a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:364 [inline]
print_report+0x163/0x540 mm/kasan/report.c:475
kasan_report+0x142/0x170 mm/kasan/report.c:588
nilfs_set_link+0x24d/0x2e0 fs/nilfs2/dir.c:421
nilfs_rename+0x5d8/0x6b0 fs/nilfs2/namei.c:414
vfs_rename+0xaba/0xde0 fs/namei.c:4844
do_renameat2+0xd5a/0x1390 fs/namei.c:4996
__do_sys_rename fs/namei.c:5042 [inline]
__se_sys_rename fs/namei.c:5040 [inline]
__x64_sys_rename+0x86/0x90 fs/namei.c:5040
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x45/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7fb7b8290669
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 21 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffd4bb0238 EFLAGS: 00000246 ORIG_RAX: 0000000000000052
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fb7b8290669
RDX: 00007fb7b8290669 RSI: 0000000020000040 RDI: 0000000020000180
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000f69 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 431bde82d7b634db R15: 00007fffd4bb02a0
</TASK>
The buggy address belongs to the physical page:
page:ffffea0001e3c200 refcount:1 mapcount:1 mapping:0000000000000000 index:0x55b79e908 pfn:0x78f08
memcg:ffff888141652000
anon flags: 0xfff000000a0028(uptodate|lru|mappedtodisk|swapbacked|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0x0()
raw: 00fff000000a0028 ffffea0001391e88 ffffea00013f1b48 ffff888029cbb001
raw: 000000055b79e908 0000000000000000 0000000100000000 ffff888141652000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Movable, gfp_mask 0x140cca(GFP_HIGHUSER_MOVABLE|__GFP_COMP), pid 5052, tgid 5052 (udevd), ts 58139256944, free_ts 52307690585
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1544 [inline]
get_page_from_freelist+0x33ea/0x3570 mm/page_alloc.c:3312
__alloc_pages+0x255/0x680 mm/page_alloc.c:4568
alloc_pages_mpol+0x3de/0x640 mm/mempolicy.c:2133
vma_alloc_folio+0xf3/0x3f0 mm/mempolicy.c:2172
wp_page_copy mm/memory.c:3120 [inline]
do_wp_page+0x125e/0x4d40 mm/memory.c:3511
handle_pte_fault mm/memory.c:5055 [inline]
__handle_mm_fault mm/memory.c:5180 [inline]
handle_mm_fault+0x1b1c/0x6680 mm/memory.c:5345
do_user_addr_fault arch/x86/mm/fault.c:1364 [inline]
handle_page_fault arch/x86/mm/fault.c:1507 [inline]
exc_page_fault+0x456/0x870 arch/x86/mm/fault.c:1563
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:570
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1137 [inline]
free_unref_page_prepare+0x931/0xa60 mm/page_alloc.c:2347
free_unref_page_list+0x5a0/0x840 mm/page_alloc.c:2533
release_pages+0x2117/0x2400 mm/swap.c:1042
tlb_batch_pages_flush mm/mmu_gather.c:98 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:293 [inline]
tlb_flush_mmu+0x34c/0x4e0 mm/mmu_gather.c:300
tlb_finish_mmu+0xd4/0x1f0 mm/mmu_gather.c:392
exit_mmap+0x4d3/0xc60 mm/mmap.c:3324
__mmput+0x115/0x3c0 kernel/fork.c:1349
exit_mm+0x21f/0x300 kernel/exit.c:567
do_exit+0x9af/0x2740 kernel/exit.c:856
do_group_exit+0x206/0x2c0 kernel/exit.c:1018
__do_sys_exit_group kernel/exit.c:1029 [inline]
__se_sys_exit_group kernel/exit.c:1027 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1027
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x45/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
Memory state around the buggy address:
ffff888078f07f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888078f07f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888078f08000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
^
ffff888078f08080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888078f08100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
Feb 17, 2024, 11:42:03 PMFeb 17
to ax...@kernel.dk, bra...@kernel.org, ja...@suse.cz, konishi...@gmail.com, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linux...@vger.kernel.org, syzkall...@googlegroups.com
syzbot suspects this issue was fixed by commit:
commit 6f861765464f43a71462d52026fbddfc858239a5
Author: Jan Kara <ja...@suse.cz>
Date: Wed Nov 1 17:43:10 2023 +0000
fs: Block writes to mounted block devices
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=10639b34180000
start commit: 52b1853b080a Merge tag 'i2c-for-6.7-final' of git://git.ke..
git tree: upstream
#syz fix: fs: Block writes to mounted block devices
commit 6f861765464f43a71462d52026fbddfc858239a5
Author: Jan Kara <ja...@suse.cz>
Date: Wed Nov 1 17:43:10 2023 +0000
fs: Block writes to mounted block devices
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=10639b34180000
start commit: 52b1853b080a Merge tag 'i2c-for-6.7-final' of git://git.ke..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=655f8abe9fe69b3b
dashboard link: https://syzkaller.appspot.com/bug?extid=4936b06b07f365af31cc
dashboard link: https://syzkaller.appspot.com/bug?extid=4936b06b07f365af31cc
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11d62025e80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13c38055e80000
If the result looks correct, please mark the issue as fixed by replying with:
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13c38055e80000
#syz fix: fs: Block writes to mounted block devices
Jan Kara
Feb 19, 2024, 6:47:30 AMFeb 19
to syzbot, ax...@kernel.dk, bra...@kernel.org, ja...@suse.cz, konishi...@gmail.com, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linux...@vger.kernel.org, syzkall...@googlegroups.com
why the commit makes them not work anymore. There are no working
reproducers for this bug though so I'll leave it upto the nilfs maintainer
to decide what to do.
Honza
--
Jan Kara <ja...@suse.com>
SUSE Labs, CR
Ryusuke Konishi
Feb 19, 2024, 7:13:28 AMFeb 19
to Jan Kara, syzbot, ax...@kernel.dk, bra...@kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linux...@vger.kernel.org, syzkall...@googlegroups.com
This is one of the issues that I could not reproduce and could not
proceed with the analysis, but since it may be caused by an abnormal
state of the directory file (even if it was overwritten), I would like
to leave it as a subject of investigation.
Thanks,
Ryusuke Konishi
syzbot
Apr 16, 2024, 4:38:12 PM (11 days ago) Apr 16
to syzkall...@googlegroups.com
Auto-closing this bug as obsolete.
No recent activity, existing reproducers are no longer triggering the issue.
No recent activity, existing reproducers are no longer triggering the issue.
Reply all
Reply to author
Forward
0 new messages