[syzbot] [netfs?] KASAN: slab-use-after-free Write in __fscache_relinquish_cookie


syzbot

Feb 2, 2024, 4:46:30 AM
to dhow...@redhat.com, jla...@kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, ne...@lists.linux.dev, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 596764183be8 Add linux-next specific files for 20240129
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=12643c47e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=584144ad19f381aa
dashboard link: https://syzkaller.appspot.com/bug?extid=a4c1a7875b2babd9e359
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17ed937fe80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17805467e80000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/b647c038857b/disk-59676418.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/729e26c3ac55/vmlinux-59676418.xz
kernel image: https://storage.googleapis.com/syzbot-assets/15aa5e287059/bzImage-59676418.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+a4c1a7...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: wild-memory-access in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: wild-memory-access in test_and_set_bit include/asm-generic/bitops/instrumented-atomic.h:71 [inline]
BUG: KASAN: wild-memory-access in __fscache_relinquish_cookie+0x2a/0x620 fs/netfs/fscache_cookie.c:977
Write of size 8 at addr adacafaea9a8ac9a by task syz-executor410/9304

CPU: 0 PID: 9304 Comm: syz-executor410 Not tainted 6.8.0-rc1-next-20240129-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
kasan_report+0xd9/0x110 mm/kasan/report.c:601
check_region_inline mm/kasan/generic.c:183 [inline]
kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189
instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
test_and_set_bit include/asm-generic/bitops/instrumented-atomic.h:71 [inline]
__fscache_relinquish_cookie+0x2a/0x620 fs/netfs/fscache_cookie.c:977
fscache_relinquish_cookie include/linux/fscache.h:308 [inline]
v9fs_evict_inode+0x102/0x150 fs/9p/vfs_inode.c:356
evict+0x2ed/0x6c0 fs/inode.c:666
iput_final fs/inode.c:1740 [inline]
iput.part.0+0x573/0x7c0 fs/inode.c:1766
iput+0x5c/0x80 fs/inode.c:1756
v9fs_fid_iget_dotl+0x1b4/0x260 fs/9p/vfs_inode_dotl.c:96
v9fs_get_inode_from_fid fs/9p/v9fs.h:230 [inline]
v9fs_mount+0x515/0xa90 fs/9p/vfs_super.c:142
legacy_get_tree+0x109/0x220 fs/fs_context.c:662
vfs_get_tree+0x8f/0x380 fs/super.c:1784
do_new_mount fs/namespace.c:3352 [inline]
path_mount+0x14e6/0x1f20 fs/namespace.c:3679
do_mount fs/namespace.c:3692 [inline]
__do_sys_mount fs/namespace.c:3898 [inline]
__se_sys_mount fs/namespace.c:3875 [inline]
__x64_sys_mount+0x297/0x320 fs/namespace.c:3875
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd2/0x260 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x6d/0x75
RIP: 0033:0x7f0b9d2fb899
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 91 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe6ee450d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f0b9d2fb899
RDX: 00000000200001c0 RSI: 0000000020000040 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000020000300 R09: 00007f0b9d200990
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe6ee450fc
R13: 00007ffe6ee45130 R14: 00007ffe6ee45110 R15: 0000000000001086
</TASK>
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite the report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Edward Adam Davis

Feb 2, 2024, 7:28:50 AM
to syzbot+a4c1a7...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
please test uaf in __fscache_relinquish_cookie

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
diff --git a/fs/9p/vfs_inode.c b/fs/9p/vfs_inode.c
index 360a5304ec03..e36467ed618f 100644
--- a/fs/9p/vfs_inode.c
+++ b/fs/9p/vfs_inode.c
@@ -353,7 +353,9 @@ void v9fs_evict_inode(struct inode *inode)
filemap_fdatawrite(&inode->i_data);

#ifdef CONFIG_9P_FSCACHE
- fscache_relinquish_cookie(v9fs_inode_cookie(v9inode), false);
+ printk("mra: %d, %s\n", mapping_release_always(inode->i_mapping), __func__);
+ if (mapping_release_always(inode->i_mapping))
+ fscache_relinquish_cookie(v9fs_inode_cookie(v9inode), false);
#endif
}

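Review bot: the printk() in this hunk has no log level and is plainly a probe, so it must not survive into the real patch; the line that matters is the gate `if (mapping_release_always(inode->i_mapping))`, and nothing here says why that mapping flag implies "a cookie was acquired", so a one-line comment above the `if` should state the coupling, otherwise the next person to move where the flag is set reopens the bug without noticing.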
diff --git a/fs/9p/vfs_inode_dotl.c b/fs/9p/vfs_inode_dotl.c
index ef9db3e03506..fd26bafe4279 100644
--- a/fs/9p/vfs_inode_dotl.c
+++ b/fs/9p/vfs_inode_dotl.c
@@ -78,6 +78,7 @@ struct inode *v9fs_fid_iget_dotl(struct super_block *sb, struct p9_fid *fid)

retval = v9fs_init_inode(v9ses, inode, &fid->qid,
st->st_mode, new_decode_dev(st->st_rdev));
+ printk("mra: %d, %s\n", mapping_release_always(inode->i_mapping), __func__);
kfree(st);
if (retval)
goto error;
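Review bot: this probe runs before any cookie code has executed, so it reads the same value on the success and the failure path and cannot tell them apart; the informative place for it is the `error:` label reached by the `goto error;` here (vfs_inode_dotl.c:96 in the trace, where iput() evicts the inode), because that is the point at which the flag value decides whether the eviction is safe.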
@@ -86,6 +87,7 @@ struct inode *v9fs_fid_iget_dotl(struct super_block *sb, struct p9_fid *fid)
v9fs_set_netfs_context(inode);
v9fs_cache_inode_get_cookie(inode);
retval = v9fs_get_acl(inode, fid);
+ printk("2mra: %d, %s\n", mapping_release_always(inode->i_mapping), __func__);
if (retval)
goto error;

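Review bot: the "2mra" probe is taken immediately after v9fs_cache_inode_get_cookie(), so a v9fs_get_acl() failure followed by the `goto error;` here evicts an inode whose cookie was acquired; the mapping_release_always() gate in vfs_inode.c must let the relinquish through on this path, or the fix trades the wild access for a leaked cookie. It would be worth checking both probe values for that path in the test output rather than only confirming the reproducer no longer crashes.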

syzbot

Feb 2, 2024, 8:10:08 AM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+a4c1a7...@syzkaller.appspotmail.com

Tested on:

commit: 076d56d7 Add linux-next specific files for 20240202
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=1078ef2fe80000
kernel config: https://syzkaller.appspot.com/x/.config?x=4eccd90d3ac887b2
dashboard link: https://syzkaller.appspot.com/bug?extid=a4c1a7875b2babd9e359
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=107ff390180000

Note: testing is done by a robot and is best-effort only.

Edward Adam Davis

Feb 2, 2024, 9:03:48 AM
to syzbot+a4c1a7...@syzkaller.appspotmail.com, dhow...@redhat.com, jla...@kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, ne...@lists.linux.dev, syzkall...@googlegroups.com
In v9fs_fid_get_dotl(), if p9_client_getattr_dotl() or v9fs_init_inode() fails,
the cookie will not be properly initialized and will result in accessing improperly
allocated cookies.

When the cookie is not initialized, exit the subsequent cookie recycling process
to avoid this issue.

Reported-and-tested-by: syzbot+a4c1a7...@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <ead...@qq.com>
---
fs/9p/vfs_inode.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/9p/vfs_inode.c b/fs/9p/vfs_inode.c
index 360a5304ec03..d27b7ecf7163 100644
--- a/fs/9p/vfs_inode.c
+++ b/fs/9p/vfs_inode.c
@@ -353,7 +353,8 @@ void v9fs_evict_inode(struct inode *inode)
filemap_fdatawrite(&inode->i_data);

#ifdef CONFIG_9P_FSCACHE
- fscache_relinquish_cookie(v9fs_inode_cookie(v9inode), false);
+ if (mapping_release_always(inode->i_mapping))
+ fscache_relinquish_cookie(v9fs_inode_cookie(v9inode), false);
#endif
}

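Review bot: gating on mapping_release_always() is an indirect test for "the cookie was acquired", and neither the hunk nor the commit message records why the two are coupled, so the `if` needs a comment explaining that the flag is only set once v9fs_cache_inode_get_cookie() has run. The report is a wild-memory-access at adacafaea9a8ac9a, not the slab-use-after-free the subject line says, which points at a never-initialised pointer rather than a freed object: v9fs_set_netfs_context() runs only after the steps that can fail in v9fs_fid_iget_dotl(), so on the error path netfs.cache still holds stale slab contents. Initialising the netfs context before those steps would leave the cookie NULL on that path, and the inline fscache_relinquish_cookie() wrapper (include/linux/fscache.h:308 in the trace) only calls __fscache_relinquish_cookie() for a cookie it considers valid, so the gate would then be unnecessary; worth weighing that against this change. Also, the commit message names v9fs_fid_get_dotl() while the trace and the debug patch show v9fs_fid_iget_dotl().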
--
2.43.0
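The failure the commit message describes, as an added user-space model written for this page (not code from the thread, from fs/9p or from fscache): an inode-like object whose VFS-owned part is reset on every allocation but whose filesystem-private cookie pointer is only given a value later, so an early failure followed by eviction hands stale memory to the relinquish routine. The names `the_cookie`, `alloc_inode`, `MAPPING_RELEASE_ALWAYS` and the three `lookup_*` scenarios are constructed for the model; it assumes, as the posted fix does, that the release-always flag lives in VFS-initialised state while the cookie pointer lives in state the early-failure path never initialises, and that the real fscache_relinquish_cookie() treats a NULL cookie as a no-op. Instead of dereferencing the stale pointer, the model compares it against the only valid cookie and reports a wild access, which is the role KASAN played in the report.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Verdict of the eviction path; stands in for what KASAN reported. */
enum evict_result { EVICT_SKIPPED, EVICT_RELINQUISHED, EVICT_WILD_ACCESS };

struct cookie { int relinquish_count; };

/* Constructed model of the inode: mapping_flags plays inode->i_data's flags
 * (VFS-owned), cache plays v9inode->netfs.cache (filesystem-private). */
struct model_inode {
    unsigned long mapping_flags;
    struct cookie *cache;
};
#define MAPPING_RELEASE_ALWAYS 1UL  /* hypothetical bit standing in for the real flag */

static struct cookie the_cookie;    /* the only cookie that can legitimately be acquired */

/* Models new_inode(): the slab object keeps stale contents (a 0xAD fill plays the
 * role of leftover data, in the spirit of the report's adacafaea9a8ac9a) and only
 * the VFS-owned part is reset; the cookie pointer is left as garbage. */
static struct model_inode *alloc_inode(void)
{
    struct model_inode *in = malloc(sizeof *in);
    if (!in)
        abort();
    memset(in, 0xAD, sizeof *in);   /* stale slab contents */
    in->mapping_flags = 0;          /* what inode_init_always() does for the mapping */
    return in;
}

/* Models v9fs_set_netfs_context(): gives the cookie pointer a defined value. */
static void set_netfs_context(struct model_inode *in) { in->cache = NULL; }

/* Models v9fs_cache_inode_get_cookie(): acquire the cookie and mark the mapping. */
static void cache_inode_get_cookie(struct model_inode *in)
{
    in->cache = &the_cookie;
    in->mapping_flags |= MAPPING_RELEASE_ALWAYS;
}

static bool mapping_release_always(const struct model_inode *in)
{
    return (in->mapping_flags & MAPPING_RELEASE_ALWAYS) != 0;
}

/* Models fscache_relinquish_cookie(): NULL is a no-op, anything else is used.
 * The comparison against the_cookie replaces the dereference KASAN would trap. */
static enum evict_result relinquish_cookie(struct cookie *c)
{
    if (c == NULL)
        return EVICT_SKIPPED;
    if (c != &the_cookie)
        return EVICT_WILD_ACCESS;
    c->relinquish_count++;
    return EVICT_RELINQUISHED;
}

/* v9fs_evict_inode() as in the report: relinquish unconditionally. */
static enum evict_result evict_inode_original(struct model_inode *in)
{
    return relinquish_cookie(in->cache);
}

/* v9fs_evict_inode() with the posted fix: gated on the VFS-owned flag. */
static enum evict_result evict_inode_fixed(struct model_inode *in)
{
    if (!mapping_release_always(in))
        return EVICT_SKIPPED;
    return relinquish_cookie(in->cache);
}

/* Path from the report: getattr or v9fs_init_inode() fails before the cookie is
 * set up, and the error path's iput() evicts the half-initialised inode. */
static enum evict_result lookup_fails_early(bool use_fix)
{
    struct model_inode *in = alloc_inode();
    /* ... p9_client_getattr_dotl() / v9fs_init_inode() fail -> goto error -> iput() */
    enum evict_result r = use_fix ? evict_inode_fixed(in) : evict_inode_original(in);
    free(in);
    return r;
}

/* Alternative to weigh: define the cookie pointer before any step that can fail,
 * so the unconditional relinquish sees NULL and needs no gate. */
static enum evict_result lookup_fails_early_context_first(void)
{
    struct model_inode *in = alloc_inode();
    set_netfs_context(in);
    /* ... same failure as above ... */
    enum evict_result r = evict_inode_original(in);
    free(in);
    return r;
}

/* Successful lookup then a normal eviction: both variants must still release. */
static enum evict_result lookup_succeeds_then_evicts(bool use_fix)
{
    struct model_inode *in = alloc_inode();
    set_netfs_context(in);
    cache_inode_get_cookie(in);
    enum evict_result r = use_fix ? evict_inode_fixed(in) : evict_inode_original(in);
    free(in);
    return r;
}

int main(void)
{
    printf("early failure, original evict:    %d (2 = wild access)\n", lookup_fails_early(false));
    printf("early failure, gated evict:       %d (0 = skipped)\n", lookup_fails_early(true));
    printf("early failure, context set first: %d (0 = skipped)\n", lookup_fails_early_context_first());
    printf("success then evict, gated:        %d (1 = relinquished)\n", lookup_succeeds_then_evicts(true));
    return 0;
}
```

The two fixes differ in where the invariant lives: the gate depends on a flag that another subsystem sets, while zeroing the pointer early makes the eviction path correct on its own, which is the property a reviewer would rather rely on.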
