[syzbot] [mm?] KASAN: slab-use-after-free Read in lru_add_fn


syzbot

May 9, 2024, 1:58:27 AM
to ak...@linux-foundation.org, linux-...@vger.kernel.org, linu...@kvack.org, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 9221b2819b8a Add linux-next specific files for 20240503
git tree: linux-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=1263897f180000
kernel config: https://syzkaller.appspot.com/x/.config?x=8ab537f51a6a0d98
dashboard link: https://syzkaller.appspot.com/bug?extid=d79afb004be235636ee8
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17d47450980000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/3e67dbdc3c37/disk-9221b281.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ade618fa19f8/vmlinux-9221b281.xz
kernel image: https://storage.googleapis.com/syzbot-assets/df12e5073c97/bzImage-9221b281.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/98f66c028d40/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d79afb...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read include/linux/instrumented.h:68 [inline]
BUG: KASAN: slab-use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: slab-use-after-free in mapping_unevictable include/linux/pagemap.h:257 [inline]
BUG: KASAN: slab-use-after-free in folio_evictable mm/internal.h:353 [inline]
BUG: KASAN: slab-use-after-free in lru_add_fn+0x2cc/0x1a20 mm/swap.c:184
Read of size 8 at addr ffff88807ffa84a8 by task udevd/5139

CPU: 0 PID: 5139 Comm: udevd Not tainted 6.9.0-rc6-next-20240503-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
instrument_atomic_read include/linux/instrumented.h:68 [inline]
_test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
mapping_unevictable include/linux/pagemap.h:257 [inline]
folio_evictable mm/internal.h:353 [inline]
lru_add_fn+0x2cc/0x1a20 mm/swap.c:184
folio_batch_move_lru+0x322/0x690 mm/swap.c:220
lru_add_drain_cpu+0x10e/0x8c0 mm/swap.c:657
lru_add_drain+0x123/0x3e0 mm/swap.c:757
wp_can_reuse_anon_folio mm/memory.c:3550 [inline]
do_wp_page+0x2c65/0x5310 mm/memory.c:3662
handle_pte_fault+0x1189/0x70f0 mm/memory.c:5396
__handle_mm_fault mm/memory.c:5523 [inline]
handle_mm_fault+0x10df/0x1ba0 mm/memory.c:5688
do_user_addr_fault arch/x86/mm/fault.c:1338 [inline]
handle_page_fault arch/x86/mm/fault.c:1481 [inline]
exc_page_fault+0x459/0x8c0 arch/x86/mm/fault.c:1539
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
RIP: 0033:0x7fe7b90c72a4
Code: c0 02 49 8b 0c c6 64 8b 34 25 18 00 00 00 85 f6 75 22 48 39 cd 75 0c 48 8d 3d 24 e6 0e 00 e9 66 fe ff ff 48 c1 ea 0c 48 31 ca <48> 89 55 10 49 89 2c c6 eb 3c 89 d8 48 c1 ea 0c 48 89 ce 49 8d 3c
RSP: 002b:00007ffc001e7800 EFLAGS: 00010206
RAX: 0000000000000003 RBX: 0000000000000003 RCX: 000055697463f110
RDX: 0000556c22f4b72b RSI: 0000000000000000 RDI: 000055697463b660
RBP: 000055697463b650 R08: 0000000000000007 R09: 729c72b1ba2b10a4
R10: f6f0f8c87f29ff62 R11: 0000000000000007 R12: 0000000000000000
R13: 000055697463b680 R14: 00007fe7b91f1aa0 R15: 0000556974631910
</TASK>

Allocated by task 5122:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
unpoison_slab_object mm/kasan/common.c:312 [inline]
__kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:338
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slub.c:3940 [inline]
slab_alloc_node mm/slub.c:4000 [inline]
kmem_cache_alloc_lru_noprof+0x139/0x2b0 mm/slub.c:4019
nilfs_alloc_inode+0x2e/0xf0 fs/nilfs2/super.c:154
alloc_inode fs/inode.c:261 [inline]
iget5_locked+0xa4/0x280 fs/inode.c:1235
nilfs_iget_locked+0x12b/0x180 fs/nilfs2/inode.c:606
nilfs_ifile_read+0x30/0x1b0 fs/nilfs2/ifile.c:192
nilfs_attach_checkpoint+0xed/0x1a0 fs/nilfs2/super.c:557
nilfs_fill_super+0x380/0x6a0 fs/nilfs2/super.c:1067
nilfs_get_tree+0x4f9/0x920 fs/nilfs2/super.c:1211
vfs_get_tree+0x90/0x2a0 fs/super.c:1780
do_new_mount+0x2be/0xb40 fs/namespace.c:3352
do_mount fs/namespace.c:3692 [inline]
__do_sys_mount fs/namespace.c:3898 [inline]
__se_sys_mount+0x2d9/0x3c0 fs/namespace.c:3875
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 0:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
poison_slab_object+0xe0/0x150 mm/kasan/common.c:240
__kasan_slab_free+0x37/0x60 mm/kasan/common.c:256
kasan_slab_free include/linux/kasan.h:184 [inline]
slab_free_hook mm/slub.c:2195 [inline]
slab_free mm/slub.c:4436 [inline]
kmem_cache_free+0x145/0x350 mm/slub.c:4511
rcu_do_batch kernel/rcu/tree.c:2566 [inline]
rcu_core+0xafd/0x1830 kernel/rcu/tree.c:2840
handle_softirqs+0x2d6/0x990 kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637
irq_exit_rcu+0x9/0x30 kernel/softirq.c:649
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702

Last potentially related work creation:
kasan_save_stack+0x3f/0x60 mm/kasan/common.c:47
__kasan_record_aux_stack+0xac/0xc0 mm/kasan/generic.c:541
__call_rcu_common kernel/rcu/tree.c:3103 [inline]
call_rcu+0x167/0xa70 kernel/rcu/tree.c:3207
nilfs_put_root+0x97/0xc0 fs/nilfs2/the_nilfs.c:909
nilfs_segctor_destroy fs/nilfs2/segment.c:2753 [inline]
nilfs_detach_log_writer+0x8bb/0xbe0 fs/nilfs2/segment.c:2816
nilfs_put_super+0x4d/0x160 fs/nilfs2/super.c:498
generic_shutdown_super+0x136/0x2d0 fs/super.c:642
kill_block_super+0x44/0x90 fs/super.c:1676
deactivate_locked_super+0xc4/0x130 fs/super.c:473
cleanup_mnt+0x426/0x4c0 fs/namespace.c:1267
task_work_run+0x24f/0x310 kernel/task_work.c:180
ptrace_notify+0x2d2/0x380 kernel/signal.c:2402
ptrace_report_syscall include/linux/ptrace.h:415 [inline]
ptrace_report_syscall_exit include/linux/ptrace.h:477 [inline]
syscall_exit_work+0xc6/0x190 kernel/entry/common.c:173
syscall_exit_to_user_mode_prepare kernel/entry/common.c:200 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:205 [inline]
syscall_exit_to_user_mode+0x273/0x370 kernel/entry/common.c:218
do_syscall_64+0x102/0x240 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88807ffa8000
which belongs to the cache nilfs2_inode_cache of size 1512
The buggy address is located 1192 bytes inside of
freed 1512-byte region [ffff88807ffa8000, ffff88807ffa85e8)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7ffa8
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff88801f030301
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffefff(slab)
raw: 00fff00000000040 ffff88801abec3c0 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080130013 00000001ffffefff ffff88801f030301
head: 00fff00000000040 ffff88801abec3c0 dead000000000122 0000000000000000
head: 0000000000000000 0000000080130013 00000001ffffefff ffff88801f030301
head: 00fff00000000003 ffffea0001ffea01 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Reclaimable, gfp_mask 0x1d2050(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 5122, tgid 5122 (syz-executor.0), ts 74532588239, free_ts 16451630334
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1468
prep_new_page mm/page_alloc.c:1476 [inline]
get_page_from_freelist+0x2ce2/0x2d90 mm/page_alloc.c:3438
__alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4696
__alloc_pages_node_noprof include/linux/gfp.h:244 [inline]
alloc_pages_node_noprof include/linux/gfp.h:271 [inline]
alloc_slab_page+0x5f/0x120 mm/slub.c:2264
allocate_slab+0x5a/0x2e0 mm/slub.c:2427
new_slab mm/slub.c:2480 [inline]
___slab_alloc+0xcd1/0x14b0 mm/slub.c:3666
__slab_alloc+0x58/0xa0 mm/slub.c:3756
__slab_alloc_node mm/slub.c:3809 [inline]
slab_alloc_node mm/slub.c:3988 [inline]
kmem_cache_alloc_lru_noprof+0x1c5/0x2b0 mm/slub.c:4019
nilfs_alloc_inode+0x2e/0xf0 fs/nilfs2/super.c:154
alloc_inode fs/inode.c:261 [inline]
iget5_locked+0xa4/0x280 fs/inode.c:1235
nilfs_iget_locked+0x12b/0x180 fs/nilfs2/inode.c:606
nilfs_ifile_read+0x30/0x1b0 fs/nilfs2/ifile.c:192
nilfs_attach_checkpoint+0xed/0x1a0 fs/nilfs2/super.c:557
nilfs_fill_super+0x380/0x6a0 fs/nilfs2/super.c:1067
nilfs_get_tree+0x4f9/0x920 fs/nilfs2/super.c:1211
vfs_get_tree+0x90/0x2a0 fs/super.c:1780
page last free pid 1 tgid 1 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1088 [inline]
free_unref_page+0xd22/0xea0 mm/page_alloc.c:2601
free_contig_range+0x9e/0x160 mm/page_alloc.c:6655
destroy_args+0x8a/0x890 mm/debug_vm_pgtable.c:1037
debug_vm_pgtable+0x4be/0x550 mm/debug_vm_pgtable.c:1417
do_one_initcall+0x248/0x880 init/main.c:1265
do_initcall_level+0x157/0x210 init/main.c:1327
do_initcalls+0x3f/0x80 init/main.c:1343
kernel_init_freeable+0x435/0x5d0 init/main.c:1576
kernel_init+0x1d/0x2b0 init/main.c:1465
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Memory state around the buggy address:
ffff88807ffa8380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807ffa8400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88807ffa8480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88807ffa8500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807ffa8580: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite the report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syzbot

Jun 11, 2024, 2:10:23 PM
to ak...@linux-foundation.org, konishi...@gmail.com, linux-...@vger.kernel.org, linu...@kvack.org, linux...@vger.kernel.org, syzkall...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: 83a7eefedc9b Linux 6.10-rc3
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15eb4c7a980000
kernel config: https://syzkaller.appspot.com/x/.config?x=b8786f381e62940f
dashboard link: https://syzkaller.appspot.com/bug?extid=d79afb004be235636ee8
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1073d8ee980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17c645e2980000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7bc7510fe41f/non_bootable_disk-83a7eefe.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/c1eea9d0e321/vmlinux-83a7eefe.xz
kernel image: https://storage.googleapis.com/syzbot-assets/1a79e458e1e6/bzImage-83a7eefe.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/1f873a22e09f/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d79afb...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read include/linux/instrumented.h:68 [inline]
BUG: KASAN: slab-use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: slab-use-after-free in mapping_unevictable include/linux/pagemap.h:259 [inline]
BUG: KASAN: slab-use-after-free in folio_evictable mm/internal.h:353 [inline]
BUG: KASAN: slab-use-after-free in lru_add_fn+0x192/0xd70 mm/swap.c:184
Read of size 8 at addr ffff888032180b10 by task syz-executor358/5362

CPU: 2 PID: 5362 Comm: syz-executor358 Not tainted 6.10.0-rc3-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:488
kasan_report+0xd9/0x110 mm/kasan/report.c:601
check_region_inline mm/kasan/generic.c:183 [inline]
kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189
instrument_atomic_read include/linux/instrumented.h:68 [inline]
_test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
mapping_unevictable include/linux/pagemap.h:259 [inline]
folio_evictable mm/internal.h:353 [inline]
lru_add_fn+0x192/0xd70 mm/swap.c:184
folio_batch_move_lru+0x243/0x400 mm/swap.c:220
folio_batch_add_and_move+0xe5/0x160 mm/swap.c:236
folio_add_lru+0x37d/0x7f0 mm/swap.c:522
shmem_alloc_and_add_folio+0x4ae/0x790 mm/shmem.c:1722
shmem_get_folio_gfp+0x687/0x13d0 mm/shmem.c:2055
shmem_get_folio mm/shmem.c:2160 [inline]
shmem_write_begin+0x15a/0x360 mm/shmem.c:2743
generic_perform_write+0x272/0x620 mm/filemap.c:4015
shmem_file_write_iter+0x114/0x140 mm/shmem.c:2919
new_sync_write fs/read_write.c:497 [inline]
vfs_write+0x6b6/0x1140 fs/read_write.c:590
ksys_write+0x12f/0x260 fs/read_write.c:643
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f882e62a330
Code: 40 00 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 80 3d 71 9d 07 00 00 74 17 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 48 83 ec 28 48 89
RSP: 002b:00007fffd60928f8 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007fffd6092910 RCX: 00007f882e62a330
RDX: 0000000000100000 RSI: 00007f8826000000 RDI: 0000000000000003
RBP: 00007f8826000000 R08: 0000000000000ab9 R09: 0000000000000ab5
R10: 00000000000007c2 R11: 0000000000000202 R12: 00007fffd6092aac
R13: 00007fffd6092950 R14: 0000000000000003 R15: 0000000000100000
</TASK>

Allocated by task 5360:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
unpoison_slab_object mm/kasan/common.c:312 [inline]
__kasan_slab_alloc+0x89/0x90 mm/kasan/common.c:338
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slub.c:3941 [inline]
slab_alloc_node mm/slub.c:4001 [inline]
kmem_cache_alloc_lru_noprof+0x121/0x2f0 mm/slub.c:4020
nilfs_alloc_inode+0x26/0x150 fs/nilfs2/super.c:154
alloc_inode+0x5d/0x230 fs/inode.c:261
iget5_locked fs/inode.c:1235 [inline]
iget5_locked+0x1c9/0x2c0 fs/inode.c:1228
nilfs_iget_locked+0xa1/0xe0 fs/nilfs2/inode.c:606
nilfs_ifile_read+0x2f/0x1e0 fs/nilfs2/ifile.c:192
nilfs_attach_checkpoint+0x12d/0x1d0 fs/nilfs2/super.c:557
nilfs_fill_super fs/nilfs2/super.c:1067 [inline]
nilfs_get_tree+0x951/0x1000 fs/nilfs2/super.c:1211
vfs_get_tree+0x8f/0x380 fs/super.c:1780
do_new_mount fs/namespace.c:3352 [inline]
path_mount+0x14e6/0x1f20 fs/namespace.c:3679
do_mount fs/namespace.c:3692 [inline]
__do_sys_mount fs/namespace.c:3898 [inline]
__se_sys_mount fs/namespace.c:3875 [inline]
__x64_sys_mount+0x297/0x320 fs/namespace.c:3875
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 0:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:579
poison_slab_object+0xf7/0x160 mm/kasan/common.c:240
__kasan_slab_free+0x32/0x50 mm/kasan/common.c:256
kasan_slab_free include/linux/kasan.h:184 [inline]
slab_free_hook mm/slub.c:2196 [inline]
slab_free mm/slub.c:4437 [inline]
kmem_cache_free+0x12f/0x3a0 mm/slub.c:4512
i_callback+0x43/0x70 fs/inode.c:250
rcu_do_batch kernel/rcu/tree.c:2535 [inline]
rcu_core+0x828/0x16b0 kernel/rcu/tree.c:2809
handle_softirqs+0x216/0x8f0 kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu kernel/softirq.c:637 [inline]
irq_exit_rcu+0xbb/0x120 kernel/softirq.c:649
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1043
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702

Last potentially related work creation:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
__kasan_record_aux_stack+0xba/0xd0 mm/kasan/generic.c:541
__call_rcu_common.constprop.0+0x9a/0x790 kernel/rcu/tree.c:3072
destroy_inode+0x12c/0x1b0 fs/inode.c:316
iput_final fs/inode.c:1741 [inline]
iput.part.0+0x5a8/0x7f0 fs/inode.c:1767
iput+0x5c/0x80 fs/inode.c:1757
nilfs_put_root+0xae/0xe0 fs/nilfs2/the_nilfs.c:925
nilfs_segctor_destroy fs/nilfs2/segment.c:2788 [inline]
nilfs_detach_log_writer+0x5ef/0xaa0 fs/nilfs2/segment.c:2850
nilfs_put_super+0x43/0x1b0 fs/nilfs2/super.c:498
generic_shutdown_super+0x159/0x3d0 fs/super.c:642
kill_block_super+0x3b/0x90 fs/super.c:1676
deactivate_locked_super+0xbe/0x1a0 fs/super.c:473
deactivate_super+0xde/0x100 fs/super.c:506
cleanup_mnt+0x222/0x450 fs/namespace.c:1267
task_work_run+0x14e/0x250 kernel/task_work.c:180
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x278/0x2a0 kernel/entry/common.c:218
do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888032180668
which belongs to the cache nilfs2_inode_cache of size 1512
The buggy address is located 1192 bytes inside of
freed 1512-byte region [ffff888032180668, ffff888032180c50)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x32180
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffefff(slab)
raw: 00fff00000000040 ffff888016ad9540 ffffea0000c84e00 0000000000000002
raw: 0000000000000000 0000000080130013 00000001ffffefff 0000000000000000
head: 00fff00000000040 ffff888016ad9540 ffffea0000c84e00 0000000000000002
head: 0000000000000000 0000000080130013 00000001ffffefff 0000000000000000
head: 00fff00000000003 ffffea0000c86001 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Reclaimable, gfp_mask 0xd2050(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_RECLAIMABLE), pid 5215, tgid 5215 (syz-executor358), ts 206379124412, free_ts 0
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1468
prep_new_page mm/page_alloc.c:1476 [inline]
get_page_from_freelist+0x136a/0x2e50 mm/page_alloc.c:3420
__alloc_pages_noprof+0x22b/0x2460 mm/page_alloc.c:4678
__alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
alloc_slab_page+0x56/0x110 mm/slub.c:2265
allocate_slab mm/slub.c:2428 [inline]
new_slab+0x84/0x260 mm/slub.c:2481
___slab_alloc+0xdac/0x1870 mm/slub.c:3667
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3757
__slab_alloc_node mm/slub.c:3810 [inline]
slab_alloc_node mm/slub.c:3989 [inline]
kmem_cache_alloc_lru_noprof+0x2a0/0x2f0 mm/slub.c:4020
nilfs_alloc_inode+0x26/0x150 fs/nilfs2/super.c:154
alloc_inode+0x5d/0x230 fs/inode.c:261
iget5_locked fs/inode.c:1235 [inline]
iget5_locked+0x1c9/0x2c0 fs/inode.c:1228
nilfs_attach_btree_node_cache+0x255/0x410 fs/nilfs2/inode.c:684
nilfs_btree_init+0x1d6/0x2d0 fs/nilfs2/btree.c:2431
nilfs_bmap_read+0x3fc/0x6a0 fs/nilfs2/bmap.c:539
nilfs_read_inode_common+0x7c6/0x9f0 fs/nilfs2/inode.c:476
__nilfs_read_inode fs/nilfs2/inode.c:501 [inline]
nilfs_iget+0x2ae/0x850 fs/nilfs2/inode.c:621
page_owner free stack trace missing

Memory state around the buggy address:
ffff888032180a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888032180a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888032180b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888032180b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888032180c00: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
==================================================================


---

Hillf Danton

Jun 12, 2024, 6:45:37 AM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Tue, 11 Jun 2024 11:10:20 -0700
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: 83a7eefedc9b Linux 6.10-rc3
> git tree: upstream
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17c645e2980000

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

--- x/fs/read_write.c
+++ y/fs/read_write.c 2024-06-12 18:38:40.826180800 +0800
@@ -583,6 +583,7 @@ ssize_t vfs_write(struct file *file, con
return ret;
if (count > MAX_RW_COUNT)
count = MAX_RW_COUNT;
+ ihold(file_inode(file));
file_start_write(file);
if (file->f_op->write)
ret = file->f_op->write(file, buf, count, pos);
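Review bot: The reference taken by `ihold(file_inode(file));` is on the inode of the file being written, but the freed object in the report is a nilfs2_inode_cache entry whose release was queued from nilfs_put_root via iput, and the faulting task is in shmem_write_begin writing a shmem file, so an extra hold on `file->f_inode` cannot keep that nilfs2 inode alive; the read in lru_add_fn goes through `folio->mapping` of a folio still sitting in a per-CPU LRU batch, which this patch does not touch. The matching `iput(file_inode(file));` in the second hunk also relies on no return or goto leaving vfs_write between file_start_write and file_end_write; the middle of the function lies outside the two hunks, so a skipped iput on an error path cannot be ruled out from here. ihold() only warns when i_count was already zero, and an inode reachable through an open struct file already holds a reference, which makes the added pair redundant even where it is balanced. vfs_write's body starts before the first hunk.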
@@ -596,6 +597,7 @@ ssize_t vfs_write(struct file *file, con
}
inc_syscw(current);
file_end_write(file);
+ iput(file_inode(file));
return ret;
}

--

syzbot

Jun 12, 2024, 7:04:03 AM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in lru_add_fn

==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read include/linux/instrumented.h:68 [inline]
BUG: KASAN: slab-use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: slab-use-after-free in mapping_unevictable include/linux/pagemap.h:259 [inline]
BUG: KASAN: slab-use-after-free in folio_evictable mm/internal.h:353 [inline]
BUG: KASAN: slab-use-after-free in lru_add_fn+0x192/0xd70 mm/swap.c:184
Read of size 8 at addr ffff888034b5be50 by task udevd/5343

CPU: 0 PID: 5343 Comm: udevd Not tainted 6.10.0-rc3-syzkaller-g2ef5971ff345-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:488
kasan_report+0xd9/0x110 mm/kasan/report.c:601
check_region_inline mm/kasan/generic.c:183 [inline]
kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189
instrument_atomic_read include/linux/instrumented.h:68 [inline]
_test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
mapping_unevictable include/linux/pagemap.h:259 [inline]
folio_evictable mm/internal.h:353 [inline]
lru_add_fn+0x192/0xd70 mm/swap.c:184
folio_batch_move_lru+0x243/0x400 mm/swap.c:220
lru_add_drain_cpu+0x534/0x860 mm/swap.c:657
lru_add_drain+0x109/0x440 mm/swap.c:757
__folio_batch_release+0x68/0xb0 mm/swap.c:1081
folio_batch_release include/linux/pagevec.h:101 [inline]
shmem_undo_range+0x5a1/0x1160 mm/shmem.c:1005
shmem_truncate_range mm/shmem.c:1114 [inline]
shmem_evict_inode+0x3a3/0xbb0 mm/shmem.c:1242
evict+0x2ed/0x6c0 fs/inode.c:667
iput_final fs/inode.c:1741 [inline]
iput.part.0+0x5a8/0x7f0 fs/inode.c:1767
iput+0x5c/0x80 fs/inode.c:1757
dentry_unlink_inode+0x295/0x480 fs/dcache.c:400
__dentry_kill+0x1d0/0x600 fs/dcache.c:603
dput.part.0+0x4b1/0x9b0 fs/dcache.c:845
dput+0x1f/0x30 fs/dcache.c:835
do_renameat2+0xc64/0xdc0 fs/namei.c:5046
__do_sys_rename fs/namei.c:5091 [inline]
__se_sys_rename fs/namei.c:5089 [inline]
__x64_sys_rename+0x81/0xa0 fs/namei.c:5089
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6ec009a93b
Code: 48 8b 15 f0 64 15 00 83 c8 ff 64 83 3a 15 75 0e 48 8b 7c 24 08 e8 d5 d4 07 00 f7 d8 19 c0 48 83 c4 18 c3 b8 52 00 00 00 0f 05 <48> 3d 00 f0 ff ff 76 10 48 8b 15 be 64 15 00 f7 d8 64 89 02 48 83
RSP: 002b:00007ffd90985168 EFLAGS: 00000202 ORIG_RAX: 0000000000000052
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f6ec009a93b
RDX: 0000559846ecd125 RSI: 00007ffd90985188 RDI: 00007ffd90985588
RBP: 0000559d1f3d3820 R08: 0000000000000006 R09: 168ebfe9144866bd
R10: 00000000000001b6 R11: 0000000000000202 R12: 0000559d1f3d5c10
R13: 00007ffd90985188 R14: 00007ffd90985588 R15: 0000559d00997160
</TASK>

Allocated by task 5370:
The buggy address belongs to the object at ffff888034b5b9a8
which belongs to the cache nilfs2_inode_cache of size 1512
The buggy address is located 1192 bytes inside of
freed 1512-byte region [ffff888034b5b9a8, ffff888034b5bf90)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x34b58
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff888026293801
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffefff(slab)
raw: 00fff00000000040 ffff888016ab97c0 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080130013 00000001ffffefff ffff888026293801
head: 00fff00000000040 ffff888016ab97c0 dead000000000122 0000000000000000
head: 0000000000000000 0000000080130013 00000001ffffefff ffff888026293801
head: 00fff00000000003 ffffea0000d2d601 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Reclaimable, gfp_mask 0x1d2050(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 5334, tgid 5334 (syz-executor), ts 82510212172, free_ts 0
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1468
prep_new_page mm/page_alloc.c:1476 [inline]
get_page_from_freelist+0x136a/0x2e50 mm/page_alloc.c:3420
__alloc_pages_noprof+0x22b/0x2460 mm/page_alloc.c:4678
__alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
alloc_slab_page+0x56/0x110 mm/slub.c:2265
allocate_slab mm/slub.c:2428 [inline]
new_slab+0x84/0x260 mm/slub.c:2481
___slab_alloc+0xdac/0x1870 mm/slub.c:3667
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3757
__slab_alloc_node mm/slub.c:3810 [inline]
slab_alloc_node mm/slub.c:3989 [inline]
kmem_cache_alloc_lru_noprof+0x2a0/0x2f0 mm/slub.c:4020
nilfs_alloc_inode+0x26/0x150 fs/nilfs2/super.c:154
alloc_inode+0x5d/0x230 fs/inode.c:261
iget5_locked fs/inode.c:1235 [inline]
iget5_locked+0x1c9/0x2c0 fs/inode.c:1228
nilfs_iget_locked fs/nilfs2/inode.c:606 [inline]
nilfs_iget+0xb7/0x850 fs/nilfs2/inode.c:615
nilfs_lookup fs/nilfs2/namei.c:63 [inline]
nilfs_lookup+0x105/0x130 fs/nilfs2/namei.c:54
__lookup_slow+0x24f/0x460 fs/namei.c:1692
lookup_slow fs/namei.c:1709 [inline]
walk_component+0x350/0x5b0 fs/namei.c:2004
lookup_last fs/namei.c:2469 [inline]
path_lookupat+0x17f/0x770 fs/namei.c:2493
page_owner free stack trace missing

Memory state around the buggy address:
ffff888034b5bd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888034b5bd80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888034b5be00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888034b5be80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888034b5bf00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit: 2ef5971f Merge tag 'vfs-6.10-rc4.fixes' of git://git.k..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=12110c2e980000
kernel config: https://syzkaller.appspot.com/x/.config?x=b8786f381e62940f
dashboard link: https://syzkaller.appspot.com/bug?extid=d79afb004be235636ee8
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=15cc9936980000

Hillf Danton

Jun 12, 2024, 7:16:50 PM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Tue, 11 Jun 2024 11:10:20 -0700
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: 83a7eefedc9b Linux 6.10-rc3
> git tree: upstream
--- x/fs/nilfs2/the_nilfs.c
+++ y/fs/nilfs2/the_nilfs.c
@@ -922,7 +922,6 @@ void nilfs_put_root(struct nilfs_root *r
spin_unlock(&nilfs->ns_cptree_lock);

nilfs_sysfs_delete_snapshot_group(root);
- iput(root->ifile);

kfree(root);
}
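Review bot: Dropping `iput(root->ifile)` trades the use-after-free for a reference leak: the ifile inode acquired when the root was set up is never released, so it survives unmount still attached to the superblock, which is what the "Busy inodes after unmount" BUG in generic_shutdown_super() reports. The free stack in this thread shows the iput itself is legitimate teardown (`nilfs_put_root` → `iput` → `destroy_inode`), and the stale reader is `lru_add_fn` processing a per-cpu LRU batch whose folio still points at the freed inode's address space; the ordering problem is that the inode can be freed while such a batch still holds one of its folios. The fix therefore has to make the inode outlive those batches — presumably by draining or fully invalidating the ifile's pages before the `iput()` — rather than skipping the release. nilfs_put_root() begins outside the hunk, so the refcount/lock handling above `spin_unlock(&nilfs->ns_cptree_lock)` is not visible here.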
--

syzbot

Jun 12, 2024, 7:35:05 PM (14 days ago) Jun 12
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
VFS: Busy inodes after unmount (use-after-free)

Buffer I/O error on dev loop0, logical block 1020, lost sync page write
NILFS (loop0): unable to write superblock: err=-5
Buffer I/O error on dev loop0, logical block 1, lost sync page write
NILFS (loop0): unable to write superblock: err=-5
VFS: Busy inodes after unmount of loop0 (nilfs2)
------------[ cut here ]------------
kernel BUG at fs/super.c:650!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 1 PID: 5332 Comm: syz-executor Not tainted 6.10.0-rc3-syzkaller-gcea2a26553ac-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:generic_shutdown_super+0x31b/0x3d0 fs/super.c:650
Code: 28 48 89 ea 48 c1 ea 03 80 3c 02 00 0f 85 aa 00 00 00 48 8b 55 00 48 8d b3 68 06 00 00 48 c7 c7 40 2c 3d 8b e8 36 5e 74 ff 90 <0f> 0b e8 de c2 ef ff e9 2f fd ff ff e8 d4 c2 ef ff e9 02 fd ff ff
RSP: 0018:ffffc900037efd90 EFLAGS: 00010282
RAX: 0000000000000030 RBX: ffff888034e72000 RCX: ffffffff816e69b9
RDX: 0000000000000000 RSI: ffffffff816ef706 RDI: 0000000000000005
RBP: ffffffff8e268620 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000001 R12: ffff888034e729c0
R13: ffff888034e72780 R14: 0000000000000000 R15: ffff888026ba4900
FS: 0000555556270480(0000) GS:ffff88806b100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7b072ff000 CR3: 0000000015ff6000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
kill_block_super+0x3b/0x90 fs/super.c:1676
deactivate_locked_super+0xbe/0x1a0 fs/super.c:473
deactivate_super+0xde/0x100 fs/super.c:506
cleanup_mnt+0x222/0x450 fs/namespace.c:1267
task_work_run+0x14e/0x250 kernel/task_work.c:180
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x278/0x2a0 kernel/entry/common.c:218
do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f7b1047e217
Code: b0 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 b0 ff ff ff f7 d8 64 89 02 b8
RSP: 002b:00007ffc7e659328 EFLAGS: 00000202 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000064 RCX: 00007f7b1047e217
RDX: 0000000000000200 RSI: 0000000000000009 RDI: 00007ffc7e65a4d0
RBP: 00007f7b104c8336 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000100 R11: 0000000000000202 R12: 00007ffc7e65a4d0
R13: 00007f7b104c8336 R14: 0000555556270430 R15: 0000000000000005
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:generic_shutdown_super+0x31b/0x3d0 fs/super.c:650
Code: 28 48 89 ea 48 c1 ea 03 80 3c 02 00 0f 85 aa 00 00 00 48 8b 55 00 48 8d b3 68 06 00 00 48 c7 c7 40 2c 3d 8b e8 36 5e 74 ff 90 <0f> 0b e8 de c2 ef ff e9 2f fd ff ff e8 d4 c2 ef ff e9 02 fd ff ff
RSP: 0018:ffffc900037efd90 EFLAGS: 00010282
RAX: 0000000000000030 RBX: ffff888034e72000 RCX: ffffffff816e69b9
RDX: 0000000000000000 RSI: ffffffff816ef706 RDI: 0000000000000005
RBP: ffffffff8e268620 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000001 R12: ffff888034e729c0
R13: ffff888034e72780 R14: 0000000000000000 R15: ffff888026ba4900
FS: 0000555556270480(0000) GS:ffff88806b000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffc7e658b78 CR3: 0000000015ff6000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


Tested on:

commit: cea2a265 mailmap: Add my outdated addresses to the map..
console output: https://syzkaller.appspot.com/x/log.txt?x=15c16d7a980000
kernel config: https://syzkaller.appspot.com/x/.config?x=b8786f381e62940f
dashboard link: https://syzkaller.appspot.com/bug?extid=d79afb004be235636ee8
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=13182c0e980000

Hillf Danton

Jun 13, 2024, 6:57:57 AM (13 days ago) Jun 13
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Tue, 11 Jun 2024 11:10:20 -0700
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: 83a7eefedc9b Linux 6.10-rc3
> git tree: upstream
--- x/fs/read_write.c
+++ y/fs/read_write.c
@@ -570,6 +570,7 @@ EXPORT_SYMBOL(kernel_write);
ssize_t vfs_write(struct file *file, const char __user *buf, size_t count, loff_t *pos)
{
ssize_t ret;
+ struct super_block *sb;

if (!(file->f_mode & FMODE_WRITE))
return -EBADF;
@@ -583,6 +584,9 @@ ssize_t vfs_write(struct file *file, con
return ret;
if (count > MAX_RW_COUNT)
count = MAX_RW_COUNT;
+ sb = file_inode(file)->i_sb;
+ if (!down_read_trylock(&sb->s_umount))
+ return -EINVAL;
file_start_write(file);
if (file->f_op->write)
ret = file->f_op->write(file, buf, count, pos);
@@ -596,6 +600,7 @@ ssize_t vfs_write(struct file *file, con
}
inc_syscw(current);
file_end_write(file);
+ up_read(&sb->s_umount);
return ret;
}
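Review bot: The `down_read_trylock(&sb->s_umount)` added before `file_start_write()` makes every write() on every filesystem fail with -EINVAL whenever s_umount happens to be write-held on that superblock (e.g. during a remount), which is a user-visible regression in the generic write path and a misleading errno for the caller. It also nests s_umount under whatever the ->write handler itself acquires: a handler that reaches `iterate_supers()` (the selinuxfs policy load in this thread) takes s_umount again on the same task, which is the `super_lock` WARN shown above. Independently of that, the object freed in the report is nilfs's internal ifile inode (`nilfs_put_root` → `iput` → `destroy_inode` in the free stack), not `file_inode(file)`, so pinning the superblock around a user write does not cover that object's lifetime. If a guard is wanted it belongs in the filesystem's teardown ordering, not in vfs_write().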

--

syzbot

Jun 13, 2024, 7:27:05 AM (13 days ago) Jun 13
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

rtificates
[ 27.498273][ T1] Loaded X.509 cert 'Build time autogenerated kernel key: 4a58c6313a714cb9b62e9bbc978ba4e72aaa8139'
[ 28.076996][ T1] zswap: loaded using pool lzo/zsmalloc
[ 28.085428][ T1] Demotion targets for Node 0: null
[ 28.089493][ T1] Demotion targets for Node 1: null
[ 28.093331][ T1] debug_vm_pgtable: [debug_vm_pgtable ]: Validating architecture page table helpers
[ 28.129195][ T1] Key type .fscrypt registered
[ 28.132498][ T1] Key type fscrypt-provisioning registered
[ 28.149209][ T1] kAFS: Red Hat AFS client v0.1 registering.
[ 28.176975][ T1] Btrfs loaded, assert=on, ref-verify=on, zoned=yes, fsverity=yes
[ 28.183012][ T1] Key type big_key registered
[ 28.195418][ T4643] cryptomgr_probe (4643) used greatest stack depth: 26640 bytes left
[ 28.203402][ T1] Key type encrypted registered
[ 28.208063][ T1] ima: No TPM chip found, activating TPM-bypass!
[ 28.213408][ T1] Loading compiled-in module X.509 certificates
[ 28.223552][ T1] Loaded X.509 cert 'Build time autogenerated kernel key: 4a58c6313a714cb9b62e9bbc978ba4e72aaa8139'
[ 28.231885][ T1] ima: Allocated hash algorithm: sha256
[ 28.237241][ T1] ima: No architecture policies found
[ 28.241738][ T1] evm: Initialising EVM extended attributes:
[ 28.245792][ T1] evm: security.selinux
[ 28.248896][ T1] evm: security.SMACK64 (disabled)
[ 28.252724][ T1] evm: security.SMACK64EXEC (disabled)
[ 28.256489][ T1] evm: security.SMACK64TRANSMUTE (disabled)
[ 28.261651][ T1] evm: security.SMACK64MMAP (disabled)
[ 28.266334][ T1] evm: security.apparmor (disabled)
[ 28.270097][ T1] evm: security.ima
[ 28.272869][ T1] evm: security.capability
[ 28.275934][ T1] evm: HMAC attrs: 0x1
[ 28.283244][ T1] PM: Magic number: 12:860:276
[ 28.287484][ T1] usb usb16: hash matches
[ 28.290744][ T1] usb usb1-port4: hash matches
[ 28.294300][ T1] tty ttyy4: hash matches
[ 28.297451][ T1] tty tty13: hash matches
[ 28.301166][ T1] printk: legacy console [netcon0] enabled
[ 28.305399][ T1] netconsole: network logging started
[ 28.309897][ T1] gtp: GTP module loaded (pdp ctx size 128 bytes)
[ 28.315953][ T1] rdma_rxe: loaded
[ 28.320305][ T1] cfg80211: Loading compiled-in X.509 certificates for regulatory database
[ 28.330077][ T1] Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
[ 28.336293][ T1] Loaded X.509 cert 'wens: 61c038651aabdcf94bd0ac7ff06c7248db18c600'
[ 28.342579][ T1] clk: Disabling unused clocks
[ 28.344843][ T57] platform regulatory.0: Direct firmware load for regulatory.db failed with error -2
[ 28.345671][ T1] ALSA device list:
[ 28.352355][ T57] platform regulatory.0: Falling back to sysfs fallback for: regulatory.db
[ 28.354733][ T1] #0: Dummy 1
[ 28.363206][ T1] #1: Loopback 1
[ 28.365609][ T1] #2: Virtual MIDI Card 1
[ 28.374509][ T1] md: Waiting for all devices to be available before autodetect
[ 28.377950][ T1] md: If you don't use raid, use raid=noautodetect
[ 28.380791][ T1] md: Autodetecting RAID arrays.
[ 28.383158][ T1] md: autorun ...
[ 28.384821][ T1] md: ... autorun DONE.
[ 28.430411][ T1] EXT4-fs (sda1): mounted filesystem 5941fea2-f5fa-4b4e-b5ef-9af118b27b95 ro with ordered data mode. Quota mode: none.
[ 28.438090][ T1] VFS: Mounted root (ext4 filesystem) readonly on device 8:1.
[ 28.445428][ T1] devtmpfs: mounted
[ 28.550661][ T1] Freeing unused kernel image (initmem) memory: 26024K
[ 28.554436][ T1] Write protecting the kernel read-only data: 204800k
[ 28.587539][ T1] Freeing unused kernel image (rodata/data gap) memory: 1656K
[ 28.749059][ T1] x86/mm: Checked W+X mappings: passed, no W+X pages found.
[ 28.762706][ T1] Failed to set sysctl parameter 'max_rcu_stall_to_panic=1': parameter not found
[ 28.769324][ T1] Run /sbin/init as init process
[ 29.111224][ T1] SELinux: Class mctp_socket not defined in policy.
[ 29.114525][ T1] SELinux: Class anon_inode not defined in policy.
[ 29.117531][ T1] SELinux: Class io_uring not defined in policy.
[ 29.120566][ T1] SELinux: Class user_namespace not defined in policy.
[ 29.123879][ T1] SELinux: the above unknown classes and permissions will be denied
[ 29.262598][ T1] SELinux: policy capability network_peer_controls=1
[ 29.265456][ T1] SELinux: policy capability open_perms=1
[ 29.268086][ T1] SELinux: policy capability extended_socket_class=1
[ 29.271171][ T1] SELinux: policy capability always_check_network=0
[ 29.274533][ T1] SELinux: policy capability cgroup_seclabel=1
[ 29.277510][ T1] SELinux: policy capability nnp_nosuid_transition=1
[ 29.280588][ T1] SELinux: policy capability genfs_seclabel_symlinks=0
[ 29.283870][ T1] SELinux: policy capability ioctl_skip_cloexec=0
[ 29.286828][ T1] SELinux: policy capability userspace_initial_context=0
[ 29.445219][ T1] ------------[ cut here ]------------
[ 29.447605][ T1] WARNING: CPU: 3 PID: 1 at fs/super.c:111 super_lock+0x25a/0x3f0
[ 29.450968][ T1] Modules linked in:
[ 29.452766][ T1] CPU: 3 PID: 1 Comm: init Not tainted 6.10.0-rc3-syzkaller-g2ccbdf43d5e7-dirty #0
[ 29.456852][ T1] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[ 29.461336][ T1] RIP: 0010:super_lock+0x25a/0x3f0
[ 29.463998][ T1] Code: 00 00 00 be ff ff ff ff e8 23 fd ed 08 bf 01 00 00 00 89 c5 89 c6 e8 a5 e3 93 ff 83 fd 01 0f 85 5e fe ff ff e8 97 e8 93 ff 90 <0f> 0b 90 e9 50 fe ff ff e8 89 e8 93 ff 48 89 ef e8 c1 bf 6d ff b9
[ 29.472303][ T1] RSP: 0018:ffffc90000047940 EFLAGS: 00010293
[ 29.474836][ T1] RAX: 0000000000000000 RBX: ffff88801d7c2000 RCX: ffffffff81f9fcab
[ 29.478733][ T1] RDX: ffff8880166f8000 RSI: ffffffff81f9fcb9 RDI: 0000000000000005
[ 29.482754][ T1] RBP: 0000000000000001 R08: 0000000000000005 R09: 0000000000000001
[ 29.486209][ T1] R10: 0000000000000001 R11: 0000000000000003 R12: 0000000000000000
[ 29.489719][ T1] R13: ffff88801d7c2108 R14: ffffffff843c8000 R15: 0000000000000001
[ 29.493572][ T1] FS: 00007fa990752500(0000) GS:ffff88806b300000(0000) knlGS:0000000000000000
[ 29.497349][ T1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 29.499994][ T1] CR2: 0000000000000000 CR3: 000000002d31c000 CR4: 0000000000350ef0
[ 29.503268][ T1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 29.506485][ T1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 29.510003][ T1] Call Trace:
[ 29.511547][ T1] <TASK>
[ 29.513131][ T1] ? show_regs+0x8c/0xa0
[ 29.515097][ T1] ? __warn+0xe5/0x3c0
[ 29.517449][ T1] ? super_lock+0x25a/0x3f0
[ 29.519930][ T1] ? report_bug+0x3c0/0x580
[ 29.522377][ T1] ? handle_bug+0x3d/0x70
[ 29.524428][ T1] ? exc_invalid_op+0x17/0x50
[ 29.526474][ T1] ? asm_exc_invalid_op+0x1a/0x20
[ 29.528544][ T1] ? __pfx_delayed_superblock_init+0x10/0x10
[ 29.531076][ T1] ? super_lock+0x24b/0x3f0
[ 29.533337][ T1] ? super_lock+0x259/0x3f0
[ 29.535613][ T1] ? super_lock+0x25a/0x3f0
[ 29.537958][ T1] ? __pfx_super_lock+0x10/0x10
[ 29.539985][ T1] ? __pfx_lock_release+0x10/0x10
[ 29.542146][ T1] ? do_raw_spin_lock+0x12d/0x2c0
[ 29.544241][ T1] ? __pfx_do_raw_spin_lock+0x10/0x10
[ 29.546860][ T1] ? __pfx_delayed_superblock_init+0x10/0x10
[ 29.549606][ T1] iterate_supers+0xb9/0x240
[ 29.551299][ T1] selinux_policy_commit+0x8cf/0xb50
[ 29.553913][ T1] ? __pfx_selinux_policy_commit+0x10/0x10
[ 29.556233][ T1] sel_write_load+0xc17/0x1c60
[ 29.558255][ T1] ? __pfx_sel_write_load+0x10/0x10
[ 29.560434][ T1] ? __pfx_lock_acquire+0x10/0x10
[ 29.562504][ T1] ? __pfx_down_read_trylock+0x10/0x10
[ 29.565016][ T1] ? __pfx_sel_write_load+0x10/0x10
[ 29.567861][ T1] vfs_write+0x30e/0x11e0
[ 29.569822][ T1] ? __pfx_vfs_write+0x10/0x10
[ 29.572138][ T1] ? do_sys_openat2+0xb1/0x1e0
[ 29.574299][ T1] ? __pfx_do_sys_openat2+0x10/0x10
[ 29.576739][ T1] ? __fget_light+0x173/0x210
[ 29.578933][ T1] ksys_write+0x12f/0x260
[ 29.581014][ T1] ? __pfx_ksys_write+0x10/0x10
[ 29.583566][ T1] do_syscall_64+0xcd/0x250
[ 29.585811][ T1] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 29.588505][ T1] RIP: 0033:0x7fa9908a6bf2
[ 29.590427][ T1] Code: 89 c7 48 89 44 24 08 e8 7b 34 fa ff 48 8b 44 24 08 48 83 c4 28 c3 c3 64 8b 04 25 18 00 00 00 85 c0 75 20 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 76 6f 48 8b 15 07 a2 0d 00 f7 d8 64 89 02 48 83
[ 29.599851][ T1] RSP: 002b:00007fff0724f798 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 29.603501][ T1] RAX: ffffffffffffffda RBX: 000000000000001f RCX: 00007fa9908a6bf2
[ 29.607062][ T1] RDX: 00000000000415ce RSI: 00007fa990673000 RDI: 0000000000000004
[ 29.610435][ T1] RBP: 0000000000000004 R08: 0000000000000005 R09: 0000000000000000
[ 29.614021][ T1] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fa990673000
[ 29.617946][ T1] R13: 00000000000415ce R14: 00007fa990673000 R15: 00007fa9906ec16d
[ 29.621423][ T1] </TASK>
[ 29.622972][ T1] Kernel panic - not syncing: kernel: panic_on_warn set ...
[ 29.626195][ T1] CPU: 3 PID: 1 Comm: init Not tainted 6.10.0-rc3-syzkaller-g2ccbdf43d5e7-dirty #0
[ 29.630064][ T1] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[ 29.634065][ T1] Call Trace:
[ 29.635583][ T1] <TASK>
[ 29.637030][ T1] dump_stack_lvl+0x3d/0x1f0
[ 29.639218][ T1] panic+0x6f5/0x7a0
[ 29.641169][ T1] ? __pfx_panic+0x10/0x10
[ 29.643238][ T1] ? show_trace_log_lvl+0x363/0x500
[ 29.645594][ T1] ? check_panic_on_warn+0x1f/0xb0
[ 29.647902][ T1] ? super_lock+0x25a/0x3f0
[ 29.649860][ T1] check_panic_on_warn+0xab/0xb0
[ 29.652103][ T1] __warn+0xf1/0x3c0
[ 29.653742][ T1] ? super_lock+0x25a/0x3f0
[ 29.655782][ T1] report_bug+0x3c0/0x580
[ 29.657433][ T1] handle_bug+0x3d/0x70
[ 29.658883][ T1] exc_invalid_op+0x17/0x50
[ 29.660432][ T1] asm_exc_invalid_op+0x1a/0x20
[ 29.662230][ T1] RIP: 0010:super_lock+0x25a/0x3f0
[ 29.664395][ T1] Code: 00 00 00 be ff ff ff ff e8 23 fd ed 08 bf 01 00 00 00 89 c5 89 c6 e8 a5 e3 93 ff 83 fd 01 0f 85 5e fe ff ff e8 97 e8 93 ff 90 <0f> 0b 90 e9 50 fe ff ff e8 89 e8 93 ff 48 89 ef e8 c1 bf 6d ff b9
[ 29.671842][ T1] RSP: 0018:ffffc90000047940 EFLAGS: 00010293
[ 29.674411][ T1] RAX: 0000000000000000 RBX: ffff88801d7c2000 RCX: ffffffff81f9fcab
[ 29.677961][ T1] RDX: ffff8880166f8000 RSI: ffffffff81f9fcb9 RDI: 0000000000000005
[ 29.681331][ T1] RBP: 0000000000000001 R08: 0000000000000005 R09: 0000000000000001
[ 29.684832][ T1] R10: 0000000000000001 R11: 0000000000000003 R12: 0000000000000000
[ 29.687874][ T1] R13: ffff88801d7c2108 R14: ffffffff843c8000 R15: 0000000000000001
[ 29.691398][ T1] ? __pfx_delayed_superblock_init+0x10/0x10
[ 29.693916][ T1] ? super_lock+0x24b/0x3f0
[ 29.695826][ T1] ? super_lock+0x259/0x3f0
[ 29.697741][ T1] ? __pfx_super_lock+0x10/0x10
[ 29.699789][ T1] ? __pfx_lock_release+0x10/0x10
[ 29.701976][ T1] ? do_raw_spin_lock+0x12d/0x2c0
[ 29.703627][ T1] ? __pfx_do_raw_spin_lock+0x10/0x10
[ 29.705590][ T1] ? __pfx_delayed_superblock_init+0x10/0x10
[ 29.708029][ T1] iterate_supers+0xb9/0x240
[ 29.709711][ T1] selinux_policy_commit+0x8cf/0xb50
[ 29.711603][ T1] ? __pfx_selinux_policy_commit+0x10/0x10
[ 29.713750][ T1] sel_write_load+0xc17/0x1c60
[ 29.715547][ T1] ? __pfx_sel_write_load+0x10/0x10
[ 29.717449][ T1] ? __pfx_lock_acquire+0x10/0x10
[ 29.719811][ T1] ? __pfx_down_read_trylock+0x10/0x10
[ 29.722372][ T1] ? __pfx_sel_write_load+0x10/0x10
[ 29.724678][ T1] vfs_write+0x30e/0x11e0
[ 29.726426][ T1] ? __pfx_vfs_write+0x10/0x10
[ 29.728360][ T1] ? do_sys_openat2+0xb1/0x1e0
[ 29.729992][ T1] ? __pfx_do_sys_openat2+0x10/0x10
[ 29.731819][ T1] ? __fget_light+0x173/0x210
[ 29.733440][ T1] ksys_write+0x12f/0x260
[ 29.734819][ T1] ? __pfx_ksys_write+0x10/0x10
[ 29.736566][ T1] do_syscall_64+0xcd/0x250
[ 29.738441][ T1] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 29.740554][ T1] RIP: 0033:0x7fa9908a6bf2
[ 29.742049][ T1] Code: 89 c7 48 89 44 24 08 e8 7b 34 fa ff 48 8b 44 24 08 48 83 c4 28 c3 c3 64 8b 04 25 18 00 00 00 85 c0 75 20 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 76 6f 48 8b 15 07 a2 0d 00 f7 d8 64 89 02 48 83
[ 29.748513][ T1] RSP: 002b:00007fff0724f798 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 29.751715][ T1] RAX: ffffffffffffffda RBX: 000000000000001f RCX: 00007fa9908a6bf2
[ 29.754465][ T1] RDX: 00000000000415ce RSI: 00007fa990673000 RDI: 0000000000000004
[ 29.757170][ T1] RBP: 0000000000000004 R08: 0000000000000005 R09: 0000000000000000
[ 29.760005][ T1] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fa990673000
[ 29.762865][ T1] R13: 00000000000415ce R14: 00007fa990673000 R15: 00007fa9906ec16d
[ 29.765759][ T1] </TASK>
[ 29.767583][ T1] Kernel Offset: disabled
[ 29.769327][ T1] Rebooting in 86400 seconds..


syzkaller build log:
go env (err=<nil>)
GO111MODULE='auto'
GOARCH='amd64'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/syzkaller/jobs/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.21.4'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build3794894381=/tmp/go-build -gno-record-gcc-switches'

git status (err=<nil>)
HEAD detached at c2e072610
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=c2e0726105cc811a456d900c62443159acc29c32 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240516-163404'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=c2e0726105cc811a456d900c62443159acc29c32 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240516-163404'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -std=c++11 -I. -Iexecutor/_include -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"c2e0726105cc811a456d900c62443159acc29c32\"


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=16473b02980000


Tested on:

commit: 2ccbdf43 Merge tag 'for-linus' of git://git.kernel.org..
kernel config: https://syzkaller.appspot.com/x/.config?x=b8786f381e62940f
dashboard link: https://syzkaller.appspot.com/bug?extid=d79afb004be235636ee8
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=132d1b36980000

Hillf Danton

Jun 13, 2024, 8:24:46 AM (13 days ago) Jun 13
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Tue, 11 Jun 2024 11:10:20 -0700
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: 83a7eefedc9b Linux 6.10-rc3
> git tree: upstream
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17c645e2980000

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

--- x/fs/read_write.c
+++ y/fs/read_write.c
@@ -570,6 +570,7 @@ EXPORT_SYMBOL(kernel_write);
ssize_t vfs_write(struct file *file, const char __user *buf, size_t count, loff_t *pos)
{
ssize_t ret;
+ struct super_block *sb;

if (!(file->f_mode & FMODE_WRITE))
return -EBADF;
@@ -583,6 +584,9 @@ ssize_t vfs_write(struct file *file, con
return ret;
if (count > MAX_RW_COUNT)
count = MAX_RW_COUNT;
+ sb = file_inode(file)->i_sb;
+ if (!atomic_inc_not_zero(&sb->s_active))
+ return -EINVAL;
file_start_write(file);
if (file->f_op->write)
ret = file->f_op->write(file, buf, count, pos);
@@ -596,6 +600,7 @@ ssize_t vfs_write(struct file *file, con
}
inc_syscw(current);
file_end_write(file);
+ deactivate_super(sb);
return ret;
}
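Review bot: `atomic_inc_not_zero(&sb->s_active)` can only fail once the superblock has already dropped its last active reference, but a write() needs an open struct file, and an open file normally pins its vfsmount, which in turn holds an s_active reference — so, if that holds, this check never fails and the paired `deactivate_super(sb)` never performs the final drop, making the guard a no-op for the race being chased. Where it could matter, `deactivate_super()` taking the count to zero would run the whole ->kill_sb() teardown synchronously inside vfs_write(), in the writer's context, which callers of the generic write path do not expect. As with the s_umount variant, the freed object is nilfs's internal ifile inode released from `nilfs_put_root()` during `generic_shutdown_super()`, so the lifetime to fix is in nilfs2's put_super path rather than around the file being written; at minimum the early return should not be `-EINVAL`, which tells the caller its arguments were bad.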

--

syzbot

Jun 13, 2024, 8:45:06 AM (13 days ago) Jun 13
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in lru_add_fn

NILFS (loop0): unable to write superblock: err=-5
Buffer I/O error on dev loop0, logical block 1, lost sync page write
NILFS (loop0): unable to write superblock: err=-5
==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read include/linux/instrumented.h:68 [inline]
BUG: KASAN: slab-use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: slab-use-after-free in mapping_unevictable include/linux/pagemap.h:259 [inline]
BUG: KASAN: slab-use-after-free in folio_evictable mm/internal.h:353 [inline]
BUG: KASAN: slab-use-after-free in lru_add_fn+0x192/0xd70 mm/swap.c:184
Read of size 8 at addr ffff888037e42b18 by task syz-executor/5333

CPU: 3 PID: 5333 Comm: syz-executor Not tainted 6.10.0-rc3-syzkaller-g2ccbdf43d5e7-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
__fput+0x54e/0xbb0 fs/file_table.c:430
task_work_run+0x14e/0x250 kernel/task_work.c:180
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x278/0x2a0 kernel/entry/common.c:218
do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6f3cc7cc4b
Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
RSP: 002b:00007ffef95738f0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: 0000000000000000 RBX: 0000000000000003 RCX: 00007f6f3cc7cc4b
RDX: 0000000000000000 RSI: 0000000000004c01 RDI: 0000000000000003
RBP: 00007ffef95739ac R08: 0000000000000000 R09: 00007ffef9573697
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000032
R13: 00000000000181b0 R14: 0000000000018130 R15: 0000000000000005
</TASK>

Allocated by task 5369:
Freed by task 12:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:579
poison_slab_object+0xf7/0x160 mm/kasan/common.c:240
__kasan_slab_free+0x32/0x50 mm/kasan/common.c:256
kasan_slab_free include/linux/kasan.h:184 [inline]
slab_free_hook mm/slub.c:2196 [inline]
slab_free mm/slub.c:4437 [inline]
kmem_cache_free+0x12f/0x3a0 mm/slub.c:4512
i_callback+0x43/0x70 fs/inode.c:250
rcu_do_batch kernel/rcu/tree.c:2535 [inline]
rcu_core+0x828/0x16b0 kernel/rcu/tree.c:2809
handle_softirqs+0x216/0x8f0 kernel/softirq.c:554
do_softirq kernel/softirq.c:455 [inline]
do_softirq+0xb2/0xf0 kernel/softirq.c:442
__local_bh_enable_ip+0x100/0x120 kernel/softirq.c:382
spin_unlock_bh include/linux/spinlock.h:396 [inline]
addrconf_dad_work+0x4c2/0x1500 net/ipv6/addrconf.c:4223
process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231
process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xf70 kernel/workqueue.c:3393
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Last potentially related work creation:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
__kasan_record_aux_stack+0xba/0xd0 mm/kasan/generic.c:541
__call_rcu_common.constprop.0+0x9a/0x790 kernel/rcu/tree.c:3072
destroy_inode+0x12c/0x1b0 fs/inode.c:316
iput_final fs/inode.c:1741 [inline]
iput.part.0+0x5a8/0x7f0 fs/inode.c:1767
iput+0x5c/0x80 fs/inode.c:1757
nilfs_put_root+0xae/0xe0 fs/nilfs2/the_nilfs.c:925
nilfs_segctor_destroy fs/nilfs2/segment.c:2788 [inline]
nilfs_detach_log_writer+0x5ef/0xaa0 fs/nilfs2/segment.c:2850
nilfs_put_super+0x43/0x1b0 fs/nilfs2/super.c:498
generic_shutdown_super+0x159/0x3d0 fs/super.c:642
kill_block_super+0x3b/0x90 fs/super.c:1676
deactivate_locked_super+0xbe/0x1a0 fs/super.c:473
deactivate_super+0xde/0x100 fs/super.c:506
cleanup_mnt+0x222/0x450 fs/namespace.c:1267
task_work_run+0x14e/0x250 kernel/task_work.c:180
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x278/0x2a0 kernel/entry/common.c:218
do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888037e42670
which belongs to the cache nilfs2_inode_cache of size 1512
The buggy address is located 1192 bytes inside of
freed 1512-byte region [ffff888037e42670, ffff888037e42c58)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x37e40
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff888020dade01
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffefff(slab)
raw: 00fff00000000040 ffff8880192ad540 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080130013 00000001ffffefff ffff888020dade01
head: 00fff00000000040 ffff8880192ad540 dead000000000122 0000000000000000
head: 0000000000000000 0000000080130013 00000001ffffefff ffff888020dade01
head: 00fff00000000003 ffffea0000df9001 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Reclaimable, gfp_mask 0x1d2050(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 5369, tgid 5368 (syz-executor), ts 98810143084, free_ts 0
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1468
prep_new_page mm/page_alloc.c:1476 [inline]
get_page_from_freelist+0x136a/0x2e50 mm/page_alloc.c:3420
__alloc_pages_noprof+0x22b/0x2460 mm/page_alloc.c:4678
__alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
alloc_slab_page+0x56/0x110 mm/slub.c:2265
allocate_slab mm/slub.c:2428 [inline]
new_slab+0x84/0x260 mm/slub.c:2481
___slab_alloc+0xdac/0x1870 mm/slub.c:3667
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3757
__slab_alloc_node mm/slub.c:3810 [inline]
slab_alloc_node mm/slub.c:3989 [inline]
kmem_cache_alloc_lru_noprof+0x2a0/0x2f0 mm/slub.c:4020
nilfs_alloc_inode+0x26/0x150 fs/nilfs2/super.c:154
alloc_inode+0x5d/0x230 fs/inode.c:261
iget5_locked fs/inode.c:1235 [inline]
iget5_locked+0x1c9/0x2c0 fs/inode.c:1228
nilfs_iget_locked+0xa1/0xe0 fs/nilfs2/inode.c:606
nilfs_dat_read+0x88/0x360 fs/nilfs2/dat.c:508
nilfs_load_super_root fs/nilfs2/the_nilfs.c:120 [inline]
load_nilfs+0x399/0x12d0 fs/nilfs2/the_nilfs.c:301
nilfs_fill_super fs/nilfs2/super.c:1062 [inline]
nilfs_get_tree+0x8c9/0x1000 fs/nilfs2/super.c:1211
vfs_get_tree+0x8f/0x380 fs/super.c:1780
page_owner free stack trace missing

Memory state around the buggy address:
ffff888037e42a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888037e42a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888037e42b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888037e42b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888037e42c00: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
==================================================================


Tested on:

commit: 2ccbdf43 Merge tag 'for-linus' of git://git.kernel.org..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=16e791fe980000
kernel config: https://syzkaller.appspot.com/x/.config?x=b8786f381e62940f
dashboard link: https://syzkaller.appspot.com/bug?extid=d79afb004be235636ee8
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=17700e41980000

Hillf Danton

Jun 14, 2024, 6:41:57 AM (12 days ago) Jun 14
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Tue, 11 Jun 2024 11:10:20 -0700
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: 83a7eefedc9b Linux 6.10-rc3
> git tree: upstream
--- x/mm/truncate.c
+++ y/mm/truncate.c
@@ -418,6 +418,9 @@ void truncate_inode_pages_range(struct a
truncate_folio_batch_exceptionals(mapping, &fbatch, indices);
folio_batch_release(&fbatch);
}
+
+ if (mapping_exiting(mapping))
+ lru_add_drain_all();
}
EXPORT_SYMBOL(truncate_inode_pages_range);
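Review bot: `lru_add_drain_all()` under `mapping_exiting(mapping)` makes every inode eviction pay for a cross-CPU workqueue flush serialized on the drain mutex, a broad cost for a report whose stack in this thread points at one filesystem's teardown order. If the drain is kept, the new branch needs a comment naming which path can still place folios of an AS_EXITING mapping on a per-CPU LRU batch, because `truncate_inode_pages_range()` (whose body starts above this hunk) otherwise leaves the mapping empty at this point. The identical hunk reappears in the combined test patch later in the thread, where the same point applies.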

--

syzbot

Jun 14, 2024, 7:01:05 AM (12 days ago) Jun 14
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

425207325 203a73250073255f 732500642573255f 7325006425207325
ZMM25=0000000000000000 0000000000000000 0000000000000000 0000000000000000 645f6464615f5f6d 6163646165702020 7373622039322065 6900666564007165
ZMM26=0000000000000000 0000000000000000 0000000000000000 0000000000000000 635f645f5f5f5f6d 2063642062202020 203133203932200a 65000a6564006c65
ZMM27=0000000000000000 0000000000000000 0000000000000000 0000000000000000 bfbfbfbfbfbfbfbf bfbfbfbfbfbfbfbf bfbfbfbfbfbfbfbf bfbf2b313423342c
ZMM28=0000000000000000 0000000000000000 0000000000000000 0000000000000000 262821df2e2e33df 3228df3232202b22 df312e232d2435bf 2324353124322431
ZMM29=0000000000000000 0000000000000000 0000000000000000 0000000000000000 4141414141414141 4141414141414141 4141414141414141 4141414141414141
ZMM30=0000000000000000 0000000000000000 0000000000000000 0000000000000000 1a1a1a1a1a1a1a1a 1a1a1a1a1a1a1a1a 1a1a1a1a1a1a1a1a 1a1a1a1a1a1a1a1a
ZMM31=0000000000000000 0000000000000000 0000000000000000 0000000000000000 2020202020202020 2020202020202020 2020202020202020 2020202020202020
info registers vcpu 2

CPU#2
RAX=0000000000031e43 RBX=0000000000000002 RCX=ffffffff8ae81889 RDX=0000000000000000
RSI=ffffffff8b2caf60 RDI=ffffffff8b900680 RBP=ffffed1002fd9000 RSP=ffffc90000197e08
R8 =0000000000000001 R9 =ffffed100d646fe5 R10=ffff88806b237f2b R11=0000000000000001
R12=0000000000000002 R13=ffff888017ec8000 R14=ffffffff8fe47610 R15=0000000000000000
RIP=ffffffff8ae82c7f RFL=00000242 [---Z---] CPL=0 II=0 A20=1 SMM=0 HLT=1
ES =0000 0000000000000000 ffffffff 00c00000
CS =0010 0000000000000000 ffffffff 00a09b00 DPL=0 CS64 [-RA]
SS =0018 0000000000000000 ffffffff 00c09300 DPL=0 DS [-WA]
DS =0000 0000000000000000 ffffffff 00c00000
FS =0000 0000000000000000 ffffffff 00c00000
GS =0000 ffff88806b200000 ffffffff 00c00000
LDT=0000 0000000000000000 ffffffff 00c00000
TR =0040 fffffe0000091000 00004087 00008b00 DPL=0 TSS64-busy
GDT= fffffe000008f000 0000007f
IDT= fffffe0000000000 00000fff
CR0=80050033 CR2=00007faa44fa8000 CR3=000000000d97a000 CR4=00350ef0
DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000
DR6=00000000fffe0ff0 DR7=0000000000000400
EFER=0000000000000d01
FCW=037f FSW=0000 [ST=0] FTW=00 MXCSR=00001f80
FPR0=0000000000000000 0000 FPR1=0000000000000000 0000
FPR2=0000000000000000 0000 FPR3=0000000000000000 0000
FPR4=0000000000000000 0000 FPR5=0000000000000000 0000
FPR6=0000000000000000 0000 FPR7=0000000000000000 0000
Opmask00=0000000080000010 Opmask01=0000000000001d1f Opmask02=00000000ff001fff Opmask03=0000000000000000
Opmask04=0000000000000000 Opmask05=0000000000000000 Opmask06=0000000000000000 Opmask07=0000000000000000
ZMM00=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000006f20 74276e6163003a23
ZMM01=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 00002f6e69622f3a 6e776f6474756873
ZMM02=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 ffff0f0e0d0c0b0a 0908070605040302
ZMM03=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000006f20 74276e6163003a23
ZMM04=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 6362696c5f5f0045 5441564952505f43
ZMM05=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM06=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM07=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM08=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM09=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM10=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM11=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM12=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM13=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM14=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM15=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM16=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM17=0000000000000000 0000000000000000 0000000000000000 0000000000000000 5f766e6f63675f5f 0000000000000000 000000706d74752f 6e75722f7261762f
ZMM18=0000000000000000 0000000000000000 0000000000000000 0000000000000000 706d742f73666d61 7220746f6e207369 206d657473797365 6c696620746f6f72
ZMM19=0000000000000000 0000000000000000 0000000000000000 0000000000000000 00656c6966207261 6c75676572206120 746f6e2073692027 7325270074696e69
ZMM20=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM21=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM22=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM23=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM24=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM25=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM26=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM27=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM28=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM29=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM30=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM31=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
info registers vcpu 3

CPU#3
RAX=0000000000000046 RBX=1ffff92000865f88 RCX=ffffffff816ae5ae RDX=0000000000000001
RSI=ffffffff8b2cb260 RDI=ffffffff8b900680 RBP=0000000000000200 RSP=ffffc9000432fc30
R8 =0000000000000000 R9 =fffffbfff284dc5c R10=ffffffff9426e2e7 R11=0000000000000000
R12=0000000000000001 R13=0000000000000000 R14=ffff88802fc63d60 R15=0000000000000000
RIP=ffffffff816bdc22 RFL=00000046 [---Z-P-] CPL=0 II=0 A20=1 SMM=0 HLT=0
ES =0000 0000000000000000 ffffffff 00c00000
CS =0010 0000000000000000 ffffffff 00a09b00 DPL=0 CS64 [-RA]
SS =0018 0000000000000000 ffffffff 00c09300 DPL=0 DS [-WA]
DS =0000 0000000000000000 ffffffff 00c00000
FS =0000 00007f550c57f740 ffffffff 00c00000
GS =0000 ffff88806b300000 ffffffff 00c00000
LDT=0000 0000000000000000 ffffffff 00c00000
TR =0040 fffffe00000d8000 00004087 00008b00 DPL=0 TSS64-busy
GDT= fffffe00000d6000 0000007f
IDT= fffffe0000000000 00000fff
CR0=80050033 CR2=0000557369a0b038 CR3=0000000027fb2000 CR4=00350ef0
DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000
DR6=00000000fffe0ff0 DR7=0000000000000400
EFER=0000000000000d01
FCW=037f FSW=0000 [ST=0] FTW=00 MXCSR=00001f80
FPR0=0000000000000000 0000 FPR1=0000000000000000 0000
FPR2=0000000000000000 0000 FPR3=0000000000000000 0000
FPR4=0000000000000000 0000 FPR5=0000000000000000 0000
FPR6=0000000000000000 0000 FPR7=0000000000000000 0000
Opmask00=0000000004040003 Opmask01=0000000000000001 Opmask02=00000000ffff3f01 Opmask03=0000000000000000
Opmask04=0000000000000000 Opmask05=0000000000000000 Opmask06=0000000000000000 Opmask07=0000000000000000
ZMM00=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 00007ffc005273e0 0000003000000010
ZMM01=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 00007ffc005273e0 0000003000000010
ZMM02=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 2e2e2e2e2e2e2e2e 2e2e2e2e2e2e2e2e
ZMM03=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000ff0000
ZMM04=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM05=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000ff000000ff00 0000000000000000
ZMM06=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM07=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM08=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM09=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM10=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM11=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM12=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM13=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM14=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM15=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM16=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM17=0000000000000000 0000000000000000 0000000000000000 0000000000000000 2525252525252525 2525252525252525 2525252525252525 2525252525252525
ZMM18=0000000000000000 0000000000000000 0000000000000000 0000000000000000 6f73616572003663 6974617473006575 6575715f6c6f7274 6e6f63203a732500
ZMM19=0000000000000000 0000000000000000 0000000000000000 0000000000000000 4a56444057001346 4c51445156004050 4050545f494a5751 4b4a46051f560000
ZMM20=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000911 0000000000000000 306572673670692f 74656e2f6c617574
ZMM21=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000041 0000000000000000 00306e6170772f74 656e2f307968702f
ZMM22=0000000000000000 0000000000000000 0000000000000000 0000000000000000 504f007a6b45041e 4100185711054316 0f010d19050d0025 1b164a040e155c69
ZMM23=0000000000000000 0000000000000000 0000000000000000 0000000000000000 577f5f7f7f773f5f 755f595f7f577f7f 5f573f5f575f4f3f 5f7f5f565e7f5f7f
ZMM24=0000000000000000 0000000000000000 0000000000000000 0000000000000000 64252e6425207325 203a73250073255f 732500642573255f 7325006425207325
ZMM25=0000000000000000 0000000000000000 0000000000000000 0000000000000000 645f6464615f5f6d 6163646165702020 7373622039322065 6900666564007165
ZMM26=0000000000000000 0000000000000000 0000000000000000 0000000000000000 635f645f5f5f5f6d 2063642062202020 203133203932200a 65000a6564006c65
ZMM27=0000000000000000 0000000000000000 0000000000000000 0000000000000000 bfbfbfbfbfbfbfbf bfbfbfbfbfbfbfbf bfbfbfbfbfbfbfbf bfbf2b313423342c
ZMM28=0000000000000000 0000000000000000 0000000000000000 0000000000000000 262821df2e2e33df 3228df3232202b22 df312e232d2435bf 2324353124322431
ZMM29=0000000000000000 0000000000000000 0000000000000000 0000000000000000 4141414141414141 4141414141414141 4141414141414141 4141414141414141
ZMM30=0000000000000000 0000000000000000 0000000000000000 0000000000000000 1a1a1a1a1a1a1a1a 1a1a1a1a1a1a1a1a 1a1a1a1a1a1a1a1a 1a1a1a1a1a1a1a1a
ZMM31=0000000000000000 0000000000000000 0000000000000000 0000000000000000 2020202020202020 2020202020202020 2020202020202020 2020202020202020
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build2079012086=/tmp/go-build -gno-record-gcc-switches'

git status (err=<nil>)
HEAD detached at c2e072610
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=c2e0726105cc811a456d900c62443159acc29c32 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240516-163404'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=c2e0726105cc811a456d900c62443159acc29c32 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240516-163404'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -std=c++11 -I. -Iexecutor/_include -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"c2e0726105cc811a456d900c62443159acc29c32\"


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=1691eca6980000


Tested on:

commit: d20f6b3d Merge tag 'net-6.10-rc4' of git://git.kernel...
kernel config: https://syzkaller.appspot.com/x/.config?x=b8786f381e62940f
dashboard link: https://syzkaller.appspot.com/bug?extid=d79afb004be235636ee8
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=12672e2e980000

Hillf Danton

Jun 14, 2024, 7:32:42 AM (12 days ago) Jun 14
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Tue, 11 Jun 2024 11:10:20 -0700
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: 83a7eefedc9b Linux 6.10-rc3
> git tree: upstream
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17c645e2980000

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 83a7eefedc9b

syzbot

Jun 14, 2024, 7:57:04 AM (12 days ago) Jun 14
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+d79afb...@syzkaller.appspotmail.com

Tested on:

commit: 83a7eefe Linux 6.10-rc3
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=15239646980000
kernel config: https://syzkaller.appspot.com/x/.config?x=b8786f381e62940f
dashboard link: https://syzkaller.appspot.com/bug?extid=d79afb004be235636ee8
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=12217302980000

Note: testing is done by a robot and is best-effort only.

syzbot

Jun 15, 2024, 7:52:55 PM (11 days ago) Jun 15
to syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
syzkall...@googlegroups.com.

***

Subject: Re: [RFC PATCH] mm: truncate: flush lru cache for evicted inode
Author: hda...@sina.com

On Sat, 15 Jun 2024 21:44:54 +0100 Matthew Wilcox wrote:
> On Sat, Jun 15, 2024 at 07:59:53AM +0800, Hillf Danton wrote:
> > On Fri, 14 Jun 2024 14:42:20 +0100 Matthew Wilcox wrote:
> > > On Fri, Jun 14, 2024 at 09:18:56PM +0800, Hillf Danton wrote:
> > > > Flush lru cache to avoid folio->mapping uaf in case of inode teardown.
> > >
> > > What? inodes are supposed to have all their folios removed before
> > > being freed. Part of removing a folio sets the folio->mapping to NULL.
> > > Where is the report?
> > >
> > Subject: Re: [syzbot] [nilfs?] [mm?] KASAN: slab-use-after-free Read in lru_add_fn
> > https://lore.kernel.org/lkml/000000000000ca...@google.com/
>
> Thanks. This fix is wrong. Of course syzbot says it fixes the problem,
> but you're just avoiding putting the folios into the situation where we
> have debug that would detect the problem.
>
> I suspect this would trigger:
>
Happy to test your idea.

> +++ b/fs/inode.c
> @@ -282,6 +282,7 @@ static struct inode *alloc_inode(struct super_block *sb)
> void __destroy_inode(struct inode *inode)
> {
> BUG_ON(inode_has_buffers(inode));
> + BUG_ON(inode->i_data.nrpages);
> inode_detach_wb(inode);
> security_inode_free(inode);
> fsnotify_inode_delete(inode);
>
> and what a real fix would look like would be calling clear_inode()
> before calling iput() in nilfs_put_root(). But I'm not an expert

Hm... given that I_FREEING is checked in clear_inode(), a fix like this one could be
tried in the middle of 2026.

> in this layer of the VFS, so I might well be wrong.

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 83a7eefedc9b

--- x/mm/truncate.c
+++ y/mm/truncate.c
@@ -419,6 +419,9 @@ void truncate_inode_pages_range(struct a
truncate_folio_batch_exceptionals(mapping, &fbatch, indices);
folio_batch_release(&fbatch);
}
+
+ if (mapping_exiting(mapping))
+ lru_add_drain_all();
}
EXPORT_SYMBOL(truncate_inode_pages_range);

--- x/fs/inode.c
+++ y/fs/inode.c
@@ -282,6 +282,7 @@ static struct inode *alloc_inode(struct
void __destroy_inode(struct inode *inode)
{
BUG_ON(inode_has_buffers(inode));
+ BUG_ON(inode->i_data.nrpages);
inode_detach_wb(inode);
security_inode_free(inode);
fsnotify_inode_delete(inode);
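Review bot: `BUG_ON(inode->i_data.nrpages)` turns a diagnostic probe into a full kernel panic inside `iput_final()`, and the test result that follows in this thread shows it firing during `generic_shutdown_super()` on a corrupted image. `WARN_ON_ONCE(inode->i_data.nrpages)` would surface the same stack while leaving the system up for further diagnosis; if BUG_ON is kept, a comment marking it as a probe not intended for merging would avoid it being picked up as a fix. The quoted copy of this hunk earlier in the same message carries the same point.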
--

syzbot

Jun 15, 2024, 8:10:03 PM (11 days ago) Jun 15
to hda...@sina.com, ja...@suse.cz, konishi...@gmail.com, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, linux...@vger.kernel.org, syzkall...@googlegroups.com, wi...@infradead.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
kernel BUG in __destroy_inode

NILFS (loop0): I/O error reading meta-data file (ino=3, block-offset=0)
NILFS (loop0): I/O error reading meta-data file (ino=3, block-offset=0)
NILFS (loop0): disposed unprocessed dirty file(s) when stopping log writer
------------[ cut here ]------------
kernel BUG at fs/inode.c:285!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 2 PID: 5330 Comm: syz-executor Not tainted 6.10.0-rc3-syzkaller-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:__destroy_inode+0x5e4/0x7a0 fs/inode.c:285
Code: 2a 03 00 00 48 c7 c7 40 78 3d 8b c6 05 aa 6d cc 0d 01 e8 bf d9 69 ff e9 0e fc ff ff e8 a5 8b 8c ff 90 0f 0b e8 9d 8b 8c ff 90 <0f> 0b e8 95 8b 8c ff 90 0f 0b 90 e9 fa fa ff ff e8 87 8b 8c ff 90
RSP: 0018:ffffc900035afaf0 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff8880325ba7c8 RCX: ffffffff82015439
RDX: ffff8880222ec880 RSI: ffffffff820159b3 RDI: 0000000000000007
RBP: 0000000000000001 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: ffff8880325ba980
R13: 0000000000000024 R14: ffffffff8b706c60 R15: ffff8880325ba8a0
FS: 0000555571e27480(0000) GS:ffff88806b200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f01cb366731 CR3: 0000000034ef4000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
destroy_inode+0x91/0x1b0 fs/inode.c:310
iput_final fs/inode.c:1742 [inline]
iput.part.0+0x5a8/0x7f0 fs/inode.c:1768
iput+0x5c/0x80 fs/inode.c:1758
nilfs_put_root+0xae/0xe0 fs/nilfs2/the_nilfs.c:925
nilfs_segctor_destroy fs/nilfs2/segment.c:2788 [inline]
nilfs_detach_log_writer+0x5ef/0xaa0 fs/nilfs2/segment.c:2850
nilfs_put_super+0x43/0x1b0 fs/nilfs2/super.c:498
generic_shutdown_super+0x159/0x3d0 fs/super.c:642
kill_block_super+0x3b/0x90 fs/super.c:1676
deactivate_locked_super+0xbe/0x1a0 fs/super.c:473
deactivate_super+0xde/0x100 fs/super.c:506
cleanup_mnt+0x222/0x450 fs/namespace.c:1267
task_work_run+0x14e/0x250 kernel/task_work.c:180
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x278/0x2a0 kernel/entry/common.c:218
do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fc203a7e217
Code: b0 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 b0 ff ff ff f7 d8 64 89 02 b8
RSP: 002b:00007fffe9265ae8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000064 RCX: 00007fc203a7e217
RDX: 0000000000000200 RSI: 0000000000000009 RDI: 00007fffe9266c90
RBP: 00007fc203ac8336 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000100 R11: 0000000000000202 R12: 00007fffe9266c90
R13: 00007fc203ac8336 R14: 0000555571e27430 R15: 0000000000000005
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__destroy_inode+0x5e4/0x7a0 fs/inode.c:285
Code: 2a 03 00 00 48 c7 c7 40 78 3d 8b c6 05 aa 6d cc 0d 01 e8 bf d9 69 ff e9 0e fc ff ff e8 a5 8b 8c ff 90 0f 0b e8 9d 8b 8c ff 90 <0f> 0b e8 95 8b 8c ff 90 0f 0b 90 e9 fa fa ff ff e8 87 8b 8c ff 90
RSP: 0018:ffffc900035afaf0 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff8880325ba7c8 RCX: ffffffff82015439
RDX: ffff8880222ec880 RSI: ffffffff820159b3 RDI: 0000000000000007
RBP: 0000000000000001 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: ffff8880325ba980
R13: 0000000000000024 R14: ffffffff8b706c60 R15: ffff8880325ba8a0
FS: 0000555571e27480(0000) GS:ffff88806b300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000c0016fb000 CR3: 0000000034ef4000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


Tested on:

commit: 83a7eefe Linux 6.10-rc3
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=11bb8ada980000
kernel config: https://syzkaller.appspot.com/x/.config?x=b8786f381e62940f
dashboard link: https://syzkaller.appspot.com/bug?extid=d79afb004be235636ee8
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=16642012980000

syzbot

Jun 15, 2024, 10:40:07 PM (11 days ago) Jun 15
to syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
syzkall...@googlegroups.com.

***

Subject: Re: [RFC PATCH] mm: truncate: flush lru cache for evicted inode
Author: hda...@sina.com

On Sat, 15 Jun 2024 21:44:54 +0100 Matthew Wilcox wrote:
>
> I suspect this would trigger:
>
> +++ b/fs/inode.c
> @@ -282,6 +282,7 @@ static struct inode *alloc_inode(struct super_block *sb)
> void __destroy_inode(struct inode *inode)
> {
> BUG_ON(inode_has_buffers(inode));
> + BUG_ON(inode->i_data.nrpages);
> inode_detach_wb(inode);
> security_inode_free(inode);
> fsnotify_inode_delete(inode);
>
Yes, it was triggered [1]

[1] https://lore.kernel.org/lkml/00000000000084...@google.com/

and given that it triggered after nrpages was checked in clear_inode(),

iput(inode)
evict(inode)
truncate_inode_pages_final(&inode->i_data);
clear_inode(inode);
destroy_inode(inode);

why is folio added to exiting mapping?
--- x/mm/filemap.c
+++ y/mm/filemap.c
@@ -870,6 +870,7 @@ noinline int __filemap_add_folio(struct
folio_ref_add(folio, nr);
folio->mapping = mapping;
folio->index = xas.xa_index;
+ BUG_ON(mapping_exiting(mapping));

for (;;) {
int order = -1, split_order = 0;
--
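Review bot: The new `BUG_ON(mapping_exiting(mapping))` sits after `folio_ref_add()` and the `folio->mapping` / `folio->index` stores, so by the time it fires the folio is already half-attached to the mapping. Moving the check ahead of `folio_ref_add(folio, nr)`, and for a diagnostic preferring `WARN_ON_ONCE` so the box survives the report, keeps the failure state clean. `__filemap_add_folio()` starts and ends outside this hunk, so whether an early error return would be unwound correctly by the callers is not visible here.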

syzbot

Jun 15, 2024, 11:06:05 PM (11 days ago) Jun 15
to hda...@sina.com, ja...@suse.cz, konishi...@gmail.com, linux-...@vger.kernel.org, linux-...@vger.kernel.org, linu...@kvack.org, linux...@vger.kernel.org, syzkall...@googlegroups.com, wi...@infradead.org
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
kernel BUG in __filemap_add_folio

NILFS (loop0): I/O error reading meta-data file (ino=3, block-offset=0)
NILFS (loop0): I/O error reading meta-data file (ino=3, block-offset=0)
NILFS (loop0): disposed unprocessed dirty file(s) when stopping log writer
------------[ cut here ]------------
kernel BUG at mm/filemap.c:873!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 1 PID: 5321 Comm: syz-executor Not tainted 6.10.0-rc3-syzkaller-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:__filemap_add_folio+0xd1d/0xe80 mm/filemap.c:873
Code: 37 8b 4c 89 f7 e8 23 68 10 00 90 0f 0b e8 9b 14 ce ff 48 c7 c6 e0 92 37 8b 4c 89 f7 e8 0c 68 10 00 90 0f 0b e8 84 14 ce ff 90 <0f> 0b e8 7c 14 ce ff 90 0f 0b 90 e9 24 fb ff ff e8 6e 14 ce ff 48
RSP: 0018:ffffc900035773f0 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000000001 RCX: ffffffff81bfc8cd
RDX: ffff888023052440 RSI: ffffffff81bfd0cc RDI: 0000000000000001
RBP: ffff88803233a9f0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000003 R12: ffffc90003577468
R13: 0000000000000000 R14: ffffea0000b3f7c0 R15: 0000000000000000
FS: 000055556c846480(0000) GS:ffff88806b100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffe311b9ff8 CR3: 000000001ae02000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
filemap_add_folio+0x110/0x220 mm/filemap.c:971
__filemap_get_folio+0x455/0xa80 mm/filemap.c:1959
filemap_grab_folio include/linux/pagemap.h:697 [inline]
nilfs_grab_buffer+0xc3/0x370 fs/nilfs2/page.c:57
nilfs_mdt_submit_block+0x9f/0x870 fs/nilfs2/mdt.c:121
nilfs_mdt_read_block+0xa4/0x3b0 fs/nilfs2/mdt.c:176
nilfs_mdt_get_block+0xdb/0xb90 fs/nilfs2/mdt.c:251
nilfs_palloc_get_block+0xb5/0x300 fs/nilfs2/alloc.c:217
nilfs_palloc_get_entry_block+0x165/0x1b0 fs/nilfs2/alloc.c:319
nilfs_ifile_delete_inode+0x1e6/0x260 fs/nilfs2/ifile.c:109
nilfs_evict_inode+0x294/0x550 fs/nilfs2/inode.c:950
evict+0x2ed/0x6c0 fs/inode.c:667
iput_final fs/inode.c:1741 [inline]
iput.part.0+0x5a8/0x7f0 fs/inode.c:1767
iput+0x5c/0x80 fs/inode.c:1757
nilfs_put_root+0xae/0xe0 fs/nilfs2/the_nilfs.c:925
nilfs_segctor_destroy fs/nilfs2/segment.c:2788 [inline]
nilfs_detach_log_writer+0x5ef/0xaa0 fs/nilfs2/segment.c:2850
nilfs_put_super+0x43/0x1b0 fs/nilfs2/super.c:498
generic_shutdown_super+0x159/0x3d0 fs/super.c:642
kill_block_super+0x3b/0x90 fs/super.c:1676
deactivate_locked_super+0xbe/0x1a0 fs/super.c:473
deactivate_super+0xde/0x100 fs/super.c:506
cleanup_mnt+0x222/0x450 fs/namespace.c:1267
task_work_run+0x14e/0x250 kernel/task_work.c:180
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x278/0x2a0 kernel/entry/common.c:218
do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f70d447e217
Code: b0 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 b0 ff ff ff f7 d8 64 89 02 b8
RSP: 002b:00007ffe311ba288 EFLAGS: 00000202 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000064 RCX: 00007f70d447e217
RDX: 0000000000000200 RSI: 0000000000000009 RDI: 00007ffe311bb430
RBP: 00007f70d44c8336 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000100 R11: 0000000000000202 R12: 00007ffe311bb430
R13: 00007f70d44c8336 R14: 000055556c846430 R15: 0000000000000005
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__filemap_add_folio+0xd1d/0xe80 mm/filemap.c:873
Code: 37 8b 4c 89 f7 e8 23 68 10 00 90 0f 0b e8 9b 14 ce ff 48 c7 c6 e0 92 37 8b 4c 89 f7 e8 0c 68 10 00 90 0f 0b e8 84 14 ce ff 90 <0f> 0b e8 7c 14 ce ff 90 0f 0b 90 e9 24 fb ff ff e8 6e 14 ce ff 48
RSP: 0018:ffffc900035773f0 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000000001 RCX: ffffffff81bfc8cd
RDX: ffff888023052440 RSI: ffffffff81bfd0cc RDI: 0000000000000001
RBP: ffff88803233a9f0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000003 R12: ffffc90003577468
R13: 0000000000000000 R14: ffffea0000b3f7c0 R15: 0000000000000000
FS: 000055556c846480(0000) GS:ffff88806b000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f70d45a8000 CR3: 000000001ae02000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


Tested on:

commit: 83a7eefe Linux 6.10-rc3
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=15608256980000
kernel config: https://syzkaller.appspot.com/x/.config?x=b8786f381e62940f
dashboard link: https://syzkaller.appspot.com/bug?extid=d79afb004be235636ee8
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=147bb012980000

Ryusuke Konishi

Jun 23, 2024, 1:11:45 AM (3 days ago) Jun 23
to Andrew Morton, linux-nilfs, syzbot, syzkall...@googlegroups.com, LKML, hda...@sina.com, ja...@suse.cz, linux-...@vger.kernel.org, wi...@infradead.org
Hi Andrew, please apply this bug fix series.

This series fixes one use-after-free issue reported by syzbot, caused
by nilfs2's internal inode being exposed in the namespace on a
corrupted filesystem, and a couple of flaws that cause problems if the
starting number of non-reserved inodes written in the on-disk super
block is intentionally (or corruptly) changed from its default value.

Thanks,
Ryusuke Konishi


Ryusuke Konishi (3):
nilfs2: fix inode number range checks
nilfs2: add missing check for inode numbers on directory entries
nilfs2: fix incorrect inode allocation from reserved inodes

fs/nilfs2/alloc.c | 19 +++++++++++++++----
fs/nilfs2/alloc.h | 4 ++--
fs/nilfs2/dat.c | 2 +-
fs/nilfs2/dir.c | 6 ++++++
fs/nilfs2/ifile.c | 7 ++-----
fs/nilfs2/nilfs.h | 10 ++++++++--
fs/nilfs2/the_nilfs.c | 6 ++++++
fs/nilfs2/the_nilfs.h | 2 +-
8 files changed, 41 insertions(+), 15 deletions(-)

--
2.34.1

Ryusuke Konishi

Jun 23, 2024, 1:11:48 AM (3 days ago) Jun 23
to Andrew Morton, linux-nilfs, syzbot, syzkall...@googlegroups.com, LKML, hda...@sina.com, ja...@suse.cz, linux-...@vger.kernel.org, wi...@infradead.org
In the current implementation of nilfs2, "nilfs->ns_first_ino", which
gives the first non-reserved inode number, is read from the
superblock, but its lower limit is not checked.

As a result, if a number that overlaps with the inode number range of
reserved inodes such as the root directory or metadata files is set in
the super block parameter, the inode number test macros
(NILFS_MDT_INODE and NILFS_VALID_INODE) will not function properly.

In addition, these test macros perform left bit-shift calculations using
the inode number as the shift count via the BIT macro, but the result
of a shift whose count equals or exceeds the bit width of an integer is
undefined in the C specification, so if "ns_first_ino" is set to a
large value other than the default value NILFS_USER_INO (=11), the
macros may malfunction depending on the environment.

Fix these issues by checking the lower bound of "nilfs->ns_first_ino"
and by preventing bit shifts equal to or greater than the
NILFS_USER_INO constant in the inode number test macros.

Also, change the type of "ns_first_ino" from signed integer to
unsigned integer to avoid the need for type casting in comparisons
such as the lower bound check introduced this time.

Signed-off-by: Ryusuke Konishi <konishi...@gmail.com>
Cc: sta...@vger.kernel.org
---
fs/nilfs2/nilfs.h | 5 +++--
fs/nilfs2/the_nilfs.c | 6 ++++++
fs/nilfs2/the_nilfs.h | 2 +-
3 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/fs/nilfs2/nilfs.h b/fs/nilfs2/nilfs.h
index 728e90be3570..7e39e277c77f 100644
--- a/fs/nilfs2/nilfs.h
+++ b/fs/nilfs2/nilfs.h
@@ -116,9 +116,10 @@ enum {
#define NILFS_FIRST_INO(sb) (((struct the_nilfs *)sb->s_fs_info)->ns_first_ino)

#define NILFS_MDT_INODE(sb, ino) \
- ((ino) < NILFS_FIRST_INO(sb) && (NILFS_MDT_INO_BITS & BIT(ino)))
+ ((ino) < NILFS_USER_INO && (NILFS_MDT_INO_BITS & BIT(ino)))
#define NILFS_VALID_INODE(sb, ino) \
- ((ino) >= NILFS_FIRST_INO(sb) || (NILFS_SYS_INO_BITS & BIT(ino)))
+ ((ino) >= NILFS_FIRST_INO(sb) || \
+ ((ino) < NILFS_USER_INO && (NILFS_SYS_INO_BITS & BIT(ino))))

/**
* struct nilfs_transaction_info: context information for synchronization
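Review bot: Both rewritten macros still expand `ino` twice, once in the `< NILFS_USER_INO` compare and once inside `BIT(ino)`, so an argument with side effects or a function call is evaluated twice, and `sb` is now an unused parameter of NILFS_MDT_INODE. Binding the argument once in a statement expression, e.g. `({ ino_t __ino = (ino); __ino < NILFS_USER_INO && (NILFS_MDT_INO_BITS & BIT(__ino)); })`, guarantees the bound check and the shift see the same value; the `sb` parameter can stay for source compatibility with existing callers. NILFS_VALID_INODE would get the same treatment, keeping its `>= NILFS_FIRST_INO(sb)` first clause.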
diff --git a/fs/nilfs2/the_nilfs.c b/fs/nilfs2/the_nilfs.c
index f41d7b6d432c..e44dde57ab65 100644
--- a/fs/nilfs2/the_nilfs.c
+++ b/fs/nilfs2/the_nilfs.c
@@ -452,6 +452,12 @@ static int nilfs_store_disk_layout(struct the_nilfs *nilfs,
}

nilfs->ns_first_ino = le32_to_cpu(sbp->s_first_ino);
+ if (nilfs->ns_first_ino < NILFS_USER_INO) {
+ nilfs_err(nilfs->ns_sb,
+ "too small lower limit for non-reserved inode numbers: %u",
+ nilfs->ns_first_ino);
+ return -EINVAL;
+ }

nilfs->ns_blocks_per_segment = le32_to_cpu(sbp->s_blocks_per_segment);
if (nilfs->ns_blocks_per_segment < NILFS_SEG_MIN_BLOCKS) {
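Review bot: Only the lower bound of `s_first_ino` is validated here; the field is a 32-bit on-disk value, so a corrupted maximum such as 0xffffffff still passes, and elsewhere in this series that number becomes the first candidate for inode allocation, which would silently leave almost the whole inode space unallocatable. Whether a meaningful upper limit exists depends on how the ifile sizes its entry space, which is not visible in this hunk, but if one can be derived, a second `if (nilfs->ns_first_ino > <limit>) { nilfs_err(...); return -EINVAL; }` next to the new check would reject such images at mount time rather than at the first create(). nilfs_store_disk_layout continues past the hunk.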
diff --git a/fs/nilfs2/the_nilfs.h b/fs/nilfs2/the_nilfs.h
index 85da0629415d..1e829ed7b0ef 100644
--- a/fs/nilfs2/the_nilfs.h
+++ b/fs/nilfs2/the_nilfs.h
@@ -182,7 +182,7 @@ struct the_nilfs {
unsigned long ns_nrsvsegs;
unsigned long ns_first_data_block;
int ns_inode_size;
- int ns_first_ino;
+ unsigned int ns_first_ino;
u32 ns_crc_seed;

/* /sys/fs/<nilfs>/<device> */
--
2.34.1

Ryusuke Konishi

Jun 23, 2024, 1:11:51 AM (3 days ago) Jun 23
to Andrew Morton, linux-nilfs, syzbot, syzkall...@googlegroups.com, LKML, hda...@sina.com, ja...@suse.cz, linux-...@vger.kernel.org, wi...@infradead.org
Syzbot reported that mounting and unmounting a specific pattern of
corrupted nilfs2 filesystem images causes a use-after-free of metadata
file inodes, which triggers a kernel bug in lru_add_fn().

As Jan Kara pointed out, this is because the link count of a metadata
file gets corrupted to 0, and nilfs_evict_inode(), which is called
from iput(), tries to delete that inode (ifile inode in this case).

The inconsistency occurs because directory entries that reference the
inode numbers of these metadata files, which should never be visible
in the namespace, are read without being rejected.

Fix this issue by treating the inode numbers of these internal files
as errors in the sanity check helper when reading directory
folios/pages.

Also thanks to Hillf Danton and Matthew Wilcox for their initial
mm-layer analysis.

Signed-off-by: Ryusuke Konishi <konishi...@gmail.com>
Reported-by: syzbot+d79afb...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d79afb004be235636ee8
Reported-by: Jan Kara <ja...@suse.cz>
Closes: https://lkml.kernel.org/r/20240617075758.wewhukbrjod5fp5o@quack3
Tested-by: Ryusuke Konishi <konishi...@gmail.com>
Cc: sta...@vger.kernel.org
---
fs/nilfs2/dir.c | 6 ++++++
fs/nilfs2/nilfs.h | 5 +++++
2 files changed, 11 insertions(+)

diff --git a/fs/nilfs2/dir.c b/fs/nilfs2/dir.c
index 52e50b1b7f22..dddfa604491a 100644
--- a/fs/nilfs2/dir.c
+++ b/fs/nilfs2/dir.c
@@ -135,6 +135,9 @@ static bool nilfs_check_folio(struct folio *folio, char *kaddr)
goto Enamelen;
if (((offs + rec_len - 1) ^ offs) & ~(chunk_size-1))
goto Espan;
+ if (unlikely(p->inode &&
+ NILFS_PRIVATE_INODE(le64_to_cpu(p->inode))))
+ goto Einumber;
}
if (offs != limit)
goto Eend;
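Review bot: The new check rejects only inode numbers below NILFS_USER_INO, but when `s_first_ino` is larger than that constant, directory entries whose inode number lies in [NILFS_USER_INO, ns_first_ino) — a range NILFS_VALID_INODE also treats as invalid — still pass nilfs_check_folio. If the lookup path does not reject them on its own (not visible here), the helper could take the superblock, which is already a local used by the nilfs_error() call later in this function, and compare against `NILFS_FIRST_INO(sb)` instead of the fixed constant, i.e. `NILFS_PRIVATE_INODE(sb, le64_to_cpu(p->inode))`. nilfs_check_folio begins before this hunk and its error labels follow in the next one.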
@@ -160,6 +163,9 @@ static bool nilfs_check_folio(struct folio *folio, char *kaddr)
goto bad_entry;
Espan:
error = "directory entry across blocks";
+ goto bad_entry;
+Einumber:
+ error = "disallowed inode number";
bad_entry:
nilfs_error(sb,
"bad entry in directory #%lu: %s - offset=%lu, inode=%lu, rec_len=%zd, name_len=%d",
diff --git a/fs/nilfs2/nilfs.h b/fs/nilfs2/nilfs.h
index 7e39e277c77f..4017f7856440 100644
--- a/fs/nilfs2/nilfs.h
+++ b/fs/nilfs2/nilfs.h
@@ -121,6 +121,11 @@ enum {
((ino) >= NILFS_FIRST_INO(sb) || \
((ino) < NILFS_USER_INO && (NILFS_SYS_INO_BITS & BIT(ino))))

+#define NILFS_PRIVATE_INODE(ino) ({ \
+ ino_t __ino = (ino); \
+ ((__ino) < NILFS_USER_INO && (__ino) != NILFS_ROOT_INO && \
+ (__ino) != NILFS_SKETCH_INO); })
+
/**
* struct nilfs_transaction_info: context information for synchronization
* @ti_magic: Magic number
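Review bot: NILFS_PRIVATE_INODE carries no comment saying which inode numbers it matches or why, and the commit message is the only place that intent is recorded; a short comment above it, `/* Reserved inode numbers of internal metadata files that must never appear in a directory entry; the root and sketch inodes are the only reserved numbers allowed there. */`, would keep that with the code. The inner parentheses around `__ino` are redundant once the argument is bound to a local, so the body reads cleaner as `__ino < NILFS_USER_INO && __ino != NILFS_ROOT_INO && __ino != NILFS_SKETCH_INO`.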
--
2.34.1

Ryusuke Konishi

Jun 23, 2024, 1:11:55 AM (3 days ago) Jun 23
to Andrew Morton, linux-nilfs, syzbot, syzkall...@googlegroups.com, LKML, hda...@sina.com, ja...@suse.cz, linux-...@vger.kernel.org, wi...@infradead.org
If the bitmap block that manages the inode allocation status is
corrupted, nilfs_ifile_create_inode() may allocate a new inode from
the reserved inode area where it should not be allocated.

Previous fix commit d325dc6eb763 ("nilfs2: fix use-after-free bug of
struct nilfs_root"), fixed the problem that reserved inodes with inode
numbers less than NILFS_USER_INO (=11) were incorrectly reallocated
due to bitmap corruption. However, the start number of non-reserved
inodes is read from the super block and may be larger than that
default, in which case inode allocation may still occur from the
extended reserved inode area.

If that happens, access to that inode will cause an IO error, causing
the file system to degrade to an error state.

Fix this potential issue by adding a wraparound option to the common
metadata object allocation routine and by modifying
nilfs_ifile_create_inode() to disable the option so that it only
allocates inodes with inode numbers greater than or equal to the inode
number read in "nilfs->ns_first_ino", regardless of the bitmap status
of reserved inodes.

Signed-off-by: Ryusuke Konishi <konishi...@gmail.com>
Cc: sta...@vger.kernel.org
---
fs/nilfs2/alloc.c | 19 +++++++++++++++----
fs/nilfs2/alloc.h | 4 ++--
fs/nilfs2/dat.c | 2 +-
fs/nilfs2/ifile.c | 7 ++-----
4 files changed, 20 insertions(+), 12 deletions(-)

diff --git a/fs/nilfs2/alloc.c b/fs/nilfs2/alloc.c
index 89caef7513db..ba50388ee4bf 100644
--- a/fs/nilfs2/alloc.c
+++ b/fs/nilfs2/alloc.c
@@ -377,11 +377,12 @@ void *nilfs_palloc_block_get_entry(const struct inode *inode, __u64 nr,
* @target: offset number of an entry in the group (start point)
* @bsize: size in bits
* @lock: spin lock protecting @bitmap
+ * @wrap: whether to wrap around
*/
static int nilfs_palloc_find_available_slot(unsigned char *bitmap,
unsigned long target,
unsigned int bsize,
- spinlock_t *lock)
+ spinlock_t *lock, bool wrap)
{
int pos, end = bsize;

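Review bot: `@wrap: whether to wrap around` does not say what is wrapped or what the caller gets when it is not; the kernel-doc should state the contract the body now implements, e.g. `@wrap: if true, continue searching from the start of the bitmap when no free slot exists at or after @target; if false, return -ENOSPC instead`. The function body continues past the hunk.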
@@ -397,6 +398,8 @@ static int nilfs_palloc_find_available_slot(unsigned char *bitmap,

end = target;
}
+ if (!wrap)
+ return -ENOSPC;

/* wrap around */
for (pos = 0; pos < end; pos++) {
@@ -495,9 +498,10 @@ int nilfs_palloc_count_max_entries(struct inode *inode, u64 nused, u64 *nmaxp)
* nilfs_palloc_prepare_alloc_entry - prepare to allocate a persistent object
* @inode: inode of metadata file using this allocator
* @req: nilfs_palloc_req structure exchanged for the allocation
+ * @wrap: whether to wrap around
*/
int nilfs_palloc_prepare_alloc_entry(struct inode *inode,
- struct nilfs_palloc_req *req)
+ struct nilfs_palloc_req *req, bool wrap)
{
struct buffer_head *desc_bh, *bitmap_bh;
struct nilfs_palloc_group_desc *desc;
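Review bot: The `@wrap` line on nilfs_palloc_prepare_alloc_entry leaves the reader to work out the consequence for callers; spelling it out as `@wrap: if false, only entries numbered at or after @req->pr_entry_nr are candidates and -ENOSPC is returned when none is free; if true, the search wraps to the beginning of the file` records why the ifile caller disables it while the DAT keeps it on. The function body continues past the hunk.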
@@ -516,7 +520,7 @@ int nilfs_palloc_prepare_alloc_entry(struct inode *inode,
entries_per_group = nilfs_palloc_entries_per_group(inode);

for (i = 0; i < ngroups; i += n) {
- if (group >= ngroups) {
+ if (group >= ngroups && wrap) {
/* wrap around */
group = 0;
maxgroup = nilfs_palloc_group(inode, req->pr_entry_nr,
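Review bot: With `wrap` false the `group >= ngroups` case now falls through instead of resetting, so if `group` can reach ngroups before the loop counter `i` does — the start group is nonzero when the search begins at `req->pr_entry_nr`, and the code that advances `group` is outside the hunk — the next iteration would ask for a descriptor block of group number ngroups. Making the exit explicit, `if (group >= ngroups) { if (!wrap) break; /* wrap around */ group = 0; ...`, keeps the no-wrap path inside the valid group range and lets whatever -ENOSPC path follows the loop report the result. nilfs_palloc_prepare_alloc_entry begins before and ends after this hunk.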
@@ -550,7 +554,14 @@ int nilfs_palloc_prepare_alloc_entry(struct inode *inode,
bitmap_kaddr = kmap_local_page(bitmap_bh->b_page);
bitmap = bitmap_kaddr + bh_offset(bitmap_bh);
pos = nilfs_palloc_find_available_slot(
- bitmap, group_offset, entries_per_group, lock);
+ bitmap, group_offset, entries_per_group, lock,
+ wrap);
+ /*
+ * Since the search for a free slot in the second and
+ * subsequent bitmap blocks always starts from the
+ * beginning, the wrap flag only has an effect on the
+ * first search.
+ */
kunmap_local(bitmap_kaddr);
if (pos >= 0)
goto found;
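Review bot: The comment added after the nilfs_palloc_find_available_slot() call explains the `wrap` argument of that call, so it reads better placed directly above the `pos = nilfs_palloc_find_available_slot(` statement rather than between the call and `kunmap_local()`, where it looks like it describes the unmap. It also asserts that later bitmap searches start from the beginning, which depends on how the group offset is reset outside this hunk; naming that variable in the comment, presumably `group_offset`, would let a reader verify the claim. nilfs_palloc_prepare_alloc_entry begins before and ends after this hunk.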
diff --git a/fs/nilfs2/alloc.h b/fs/nilfs2/alloc.h
index b667e869ac07..d825a9faca6d 100644
--- a/fs/nilfs2/alloc.h
+++ b/fs/nilfs2/alloc.h
@@ -50,8 +50,8 @@ struct nilfs_palloc_req {
struct buffer_head *pr_entry_bh;
};

-int nilfs_palloc_prepare_alloc_entry(struct inode *,
- struct nilfs_palloc_req *);
+int nilfs_palloc_prepare_alloc_entry(struct inode *inode,
+ struct nilfs_palloc_req *req, bool wrap);
void nilfs_palloc_commit_alloc_entry(struct inode *,
struct nilfs_palloc_req *);
void nilfs_palloc_abort_alloc_entry(struct inode *, struct nilfs_palloc_req *);
diff --git a/fs/nilfs2/dat.c b/fs/nilfs2/dat.c
index 180fc8d36213..fc1caf63a42a 100644
--- a/fs/nilfs2/dat.c
+++ b/fs/nilfs2/dat.c
@@ -75,7 +75,7 @@ int nilfs_dat_prepare_alloc(struct inode *dat, struct nilfs_palloc_req *req)
{
int ret;

- ret = nilfs_palloc_prepare_alloc_entry(dat, req);
+ ret = nilfs_palloc_prepare_alloc_entry(dat, req, true);
if (ret < 0)
return ret;

diff --git a/fs/nilfs2/ifile.c b/fs/nilfs2/ifile.c
index 612e609158b5..1e86b9303b7c 100644
--- a/fs/nilfs2/ifile.c
+++ b/fs/nilfs2/ifile.c
@@ -56,13 +56,10 @@ int nilfs_ifile_create_inode(struct inode *ifile, ino_t *out_ino,
struct nilfs_palloc_req req;
int ret;

- req.pr_entry_nr = 0; /*
- * 0 says find free inode from beginning
- * of a group. dull code!!
- */
+ req.pr_entry_nr = NILFS_FIRST_INO(ifile->i_sb);
req.pr_entry_bh = NULL;

- ret = nilfs_palloc_prepare_alloc_entry(ifile, &req);
+ ret = nilfs_palloc_prepare_alloc_entry(ifile, &req, false);
if (!ret) {
ret = nilfs_palloc_get_entry_block(ifile, req.pr_entry_nr, 1,
&req.pr_entry_bh);
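Review bot: The removed comment explained why `pr_entry_nr` was 0, but the replacement value gets no explanation even though starting at `NILFS_FIRST_INO()` with wrapping disabled is the whole fix; a comment above the assignment, `/* Search from the first non-reserved inode number and never wrap back into the reserved range, even if a corrupted bitmap shows those slots as free. */`, keeps the reason with the code. nilfs_ifile_create_inode begins before and ends after this hunk.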
--
2.34.1
