[syzbot] BUG: unable to handle kernel paging request in kernfs_put_active


syzbot

Sep 16, 2022, 10:53:34 PM
to gre...@linuxfoundation.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, t...@kernel.org
Hello,

syzbot found the following issue on:

HEAD commit: a6b443748715 Merge branch 'for-next/core', remote-tracking..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=17025144880000
kernel config: https://syzkaller.appspot.com/x/.config?x=14bf9ec0df433b27
dashboard link: https://syzkaller.appspot.com/bug?extid=258ad6d2cb6685e145bc
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=106b8164880000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1040a75d080000

Downloadable assets:
disk image: https://storage.googleapis.com/81b491dd5861/disk-a6b44374.raw.xz
vmlinux: https://storage.googleapis.com/69c979cdc99a/vmlinux-a6b44374.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+258ad6...@syzkaller.appspotmail.com

Unable to handle kernel paging request at virtual address 004065676e6168fb
Mem abort info:
ESR = 0x0000000096000004
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x04: level 0 translation fault
Data abort info:
ISV = 0, ISS = 0x00000004
CM = 0, WnR = 0
[004065676e6168fb] address between user and kernel address ranges
Internal error: Oops: 96000004 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 2562 Comm: udevd Not tainted 6.0.0-rc4-syzkaller-17255-ga6b443748715 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : kernfs_lockdep fs/kernfs/dir.c:43 [inline]
pc : kernfs_put_active+0x24/0x11c fs/kernfs/dir.c:449
lr : kernfs_put_active+0x20/0x11c fs/kernfs/dir.c:443
sp : ffff800015fcbc50
x29: ffff800015fcbc50 x28: ffff0000c4810000 x27: 0001000000000000
x26: 0000000000000152 x25: ffff0000c538f348 x24: ffff8000086fe770
x23: ffff0000c92e5620 x22: 0000000000000007 x21: ffff0000cbc31500
x20: ffff8000086fba20 x19: 2f4065676e616863 x18: 0000000000000000
x17: 0000000000000000 x16: ffff80000db78658 x15: ffff0000c4810000
x14: 0000000000000000 x13: 00000000ffffffff x12: ffff0000c4810000
x11: ff808000086f6a0c x10: 0000000000000000 x9 : ffff8000086f6a0c
x8 : ffff0000c4810000 x7 : ffff8000095d8f84 x6 : 0000000000000000
x5 : 0000000000000080 x4 : ffff0001fefd3740 x3 : 0000000000083500
x2 : ffff0000c8aa3000 x1 : 0000000000000000 x0 : 2f4065676e616863
Call trace:
kernfs_put_active+0x24/0x11c fs/kernfs/dir.c:446
kernfs_fop_write_iter+0x1fc/0x294 fs/kernfs/file.c:358
call_write_iter include/linux/fs.h:2187 [inline]
new_sync_write fs/read_write.c:491 [inline]
vfs_write+0x2dc/0x46c fs/read_write.c:578
ksys_write+0xb4/0x160 fs/read_write.c:631
__do_sys_write fs/read_write.c:643 [inline]
__se_sys_write fs/read_write.c:640 [inline]
__arm64_sys_write+0x24/0x34 fs/read_write.c:640
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall arch/arm64/kernel/syscall.c:52 [inline]
el0_svc_common+0x138/0x220 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x48/0x164 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:624
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:642
el0t_64_sync+0x18c/0x190
Code: aa1e03f4 aa0003f3 97eea9d1 b40004f3 (79413275)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
0: aa1e03f4 mov x20, x30
4: aa0003f3 mov x19, x0
8: 97eea9d1 bl 0xffffffffffbaa74c
c: b40004f3 cbz x19, 0xa8
* 10: 79413275 ldrh w21, [x19, #152] <-- trapping instruction


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches

syzbot

Sep 17, 2022, 11:36:21 AM
to penguin...@i-love.sakura.ne.jp, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: unable to handle kernel paging request in alloc_nilfs

loop0: detected capacity change from 0 to 60
Unable to handle kernel paging request at virtual address dead4ead00000400
Mem abort info:
ESR = 0x0000000096000004
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x04: level 0 translation fault
Data abort info:
ISV = 0, ISS = 0x00000004
CM = 0, WnR = 0
[dead4ead00000400] address between user and kernel address ranges
Internal error: Oops: 96000004 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 3764 Comm: syz-executor.0 Not tainted 6.0.0-rc5-syzkaller-00094-ga335366bad13-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
pstate: 40400005 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : slab_alloc mm/slub.c:3251 [inline]
pc : kmem_cache_alloc_trace+0x184/0x324 mm/slub.c:3282
lr : slab_pre_alloc_hook mm/slab.h:702 [inline]
lr : slab_alloc_node mm/slub.c:3157 [inline]
lr : slab_alloc mm/slub.c:3251 [inline]
lr : kmem_cache_alloc_trace+0x8c/0x324 mm/slub.c:3282
sp : ffff800012863a80
x29: ffff800012863a90 x28: ffff0000cc881a80 x27: ffff80000d379000
x26: ffff80000cdb6559 x25: 0000000000000083 x24: dead4ead00000000
x23: 0000000000000000 x22: ffff800008f79c5c x21: ffff0000c0001600
x20: 00000000000004d0 x19: 0000000000000dc0 x18: 0000000000000000
x17: 0000000000000000 x16: ffff80000dbb9658 x15: ffff0000cc881a80
x14: 0000000000000010 x13: 0000000000000000 x12: ffff0000cc881a80
x11: 0000000000000001 x10: 0000000000000000 x9 : 0000000000000400
x8 : 00000000000054e8 x7 : ffff8000084b677c x6 : 0000000000000000
x5 : 0000000000000000 x4 : 0000000000000001 x3 : 00000000000054f0
x2 : 0000000000000000 x1 : 0000000000000800 x0 : 0000000000000000
Call trace:
next_tid mm/slub.c:2311 [inline]
slab_alloc_node mm/slub.c:3227 [inline]
slab_alloc mm/slub.c:3251 [inline]
kmem_cache_alloc_trace+0x184/0x324 mm/slub.c:3282
kmalloc include/linux/slab.h:600 [inline]
kzalloc include/linux/slab.h:733 [inline]
alloc_nilfs+0x2c/0x13c fs/nilfs2/the_nilfs.c:59
nilfs_fill_super+0x40/0x2e8 fs/nilfs2/super.c:1041
nilfs_mount+0x370/0x52c fs/nilfs2/super.c:1317
legacy_get_tree+0x30/0x74 fs/fs_context.c:610
vfs_get_tree+0x40/0x140 fs/super.c:1530
do_new_mount+0x1dc/0x4e4 fs/namespace.c:3040
path_mount+0x358/0x914 fs/namespace.c:3370
do_mount fs/namespace.c:3383 [inline]
__do_sys_mount fs/namespace.c:3591 [inline]
__se_sys_mount fs/namespace.c:3568 [inline]
__arm64_sys_mount+0x2f8/0x408 fs/namespace.c:3568
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall arch/arm64/kernel/syscall.c:52 [inline]
el0_svc_common+0x138/0x220 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x48/0x154 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:624
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:642
el0t_64_sync+0x18c/0x190
Code: 54000d41 34000d4b b9402aa9 91002103 (f8696b19)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
0: 54000d41 b.ne 0x1a8 // b.any
4: 34000d4b cbz w11, 0x1ac
8: b9402aa9 ldr w9, [x21, #40]
c: 91002103 add x3, x8, #0x8
* 10: f8696b19 ldr x25, [x24, x9] <-- trapping instruction


Tested on:

commit: a335366b Merge tag 'gpio-fixes-for-v6.0-rc6' of git://..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13c941a0880000
kernel config: https://syzkaller.appspot.com/x/.config?x=ae78587f35f51bbd
dashboard link: https://syzkaller.appspot.com/bug?extid=258ad6d2cb6685e145bc
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
patch: https://syzkaller.appspot.com/x/patch.diff?x=12af94f8880000

Tetsuo Handa

Sep 17, 2022, 11:51:14 AM
to Ryusuke Konishi, linux...@vger.kernel.org, syzbot, syzkall...@googlegroups.com
I don't know whether the use of a crafted filesystem image is relevant to this problem.
But I think a bug is inside the NILFS2 filesystem code.

When inode allocation fails due to security_inode_alloc() returning -ENOMEM, some
inconsistent state happens. It seems to me that destruction of a partially initialized
inode corrupts kernel memory (and causes various oopses depending on timing).

Tetsuo Handa

Sep 18, 2022, 2:26:59 AM
to Ryusuke Konishi, linux...@vger.kernel.org, syzbot, syzkall...@googlegroups.com
On 2022/09/18 0:50, Tetsuo Handa wrote:
> I don't know whether the use of a crafted filesystem image is relevant to this problem.
> But I think a bug is inside the NILFS2 filesystem code.

I confirmed that the use of a crafted filesystem image is irrelevant to this problem.
You can reproduce this problem using a fault injection patch

----------
diff --git a/fs/inode.c b/fs/inode.c
index ba1de23c13c1..dfde0cadd51e 100644
--- a/fs/inode.c
+++ b/fs/inode.c
@@ -192,6 +192,10 @@ int inode_init_always(struct super_block *sb, struct inode *inode)
inode->i_wb_frn_history = 0;
#endif

+ if (!strcmp(current->comm, "my_touch")) {
+ inode->i_security = NULL;
+ goto out;
+ }
if (security_inode_alloc(inode))
goto out;
spin_lock_init(&inode->i_lock);
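Review bot: the hook mirrors a real security_inode_alloc() failure faithfully, since it leaves i_security NULL and jumps to `out` before spin_lock_init() and the rest of the field initialisation, which is exactly the partially initialised state the free_inode callback sees afterwards; two things are worth stating in the mail: the `out` label is outside the hunk, so confirm it returns -ENOMEM so that alloc_inode() actually takes the error path, and the strcmp(current->comm, "my_touch") match on the process name is a test-only trigger, so the patch should be marked not-for-merge.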
----------

and a script which uses a freshly created clean filesystem image.

----------
cp -p /bin/touch my_touch
dd if=/dev/zero of=nilfs.img bs=134221824 count=1
mkfs.nilfs2 nilfs.img
while date; do mount -o loop -t nilfs2 nilfs.img /mnt/; ./my_touch /mnt/file; umount -d /mnt/; done
----------

For your information, the use of the loop module is also irrelevant to this problem.
Since this is a memory corruption, the oops happens at a random location.

----------
root@fuzz:~/linux# fdisk -l /dev/sdb
Disk /dev/sdb: 129 MiB, 135266304 bytes, 264192 sectors
Disk model: VBOX HARDDISK
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
root@fuzz:~# mkfs.nilfs2 /dev/sdb
mkfs.nilfs2 (nilfs-utils 2.2.8)
Start writing file system initial data to the device
Blocksize:4096 Device:/dev/sdb Device Size:135266304
File system initialization succeeded !!
root@fuzz:~# while date; do mount -t nilfs2 /dev/sdb /mnt/; ./my_touch /mnt/file; umount /mnt/; done
----------

----------
[ 298.082977][ T4437] NILFS (sdb): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds
[ 299.544397][ T4447] NILFS (sdb): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds
[ 300.927033][ T4457] NILFS (sdb): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds
[ 302.264135][ T4467] NILFS (sdb): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds
[ 302.321643][ T4471] ------------[ cut here ]------------
[ 302.322713][ T4471] kernel BUG at arch/x86/mm/physaddr.c:23!
[ 302.324231][ T4471] invalid opcode: 0000 [#1] PREEMPT SMP
[ 302.325534][ T4471] CPU: 1 PID: 4471 Comm: my_touch Not tainted 6.0.0-rc5-00094-ga335366bad13-dirty #855
[ 302.327840][ T4471] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[ 302.329932][ T4471] RIP: 0010:__phys_addr+0xe5/0xf0
[ 302.331203][ T4471] Code: d5 27 00 48 c7 c7 80 38 50 86 4c 89 fe 4c 89 f2 e8 40 47 68 01 eb 9a e8 e9 d4 27 00 0f 0b e8 e2 d4 27 00 0f 0b e8 db d4 27 00 <0f> 0b 66 0f 1f 84 00 00 00 00 00 53 48 89 fb e8 c7 d4 27 00 48 81
[ 302.335926][ T4471] RSP: 0018:ffffc90003a97ac0 EFLAGS: 00010293
[ 302.337401][ T4471] RAX: ffffffff811b9035 RBX: 000000007fffffff RCX: ffff888106ee0000
[ 302.339356][ T4471] RDX: 0000000000000000 RSI: 000000007fffffff RDI: 000000001fffffff
[ 302.341314][ T4471] RBP: ffffffffffffffff R08: ffffffff811b8ff9 R09: 0000000000000c40
[ 302.343242][ T4471] R10: ffffffff816d23a0 R11: ffff888106ee0000 R12: ffff888012c26000
[ 302.345201][ T4471] R13: 0000000000000041 R14: ffff888011d10158 R15: 000000007fffffff
[ 302.347107][ T4471] FS: 00007f50cbe78740(0000) GS:ffff888121a00000(0000) knlGS:0000000000000000
[ 302.349316][ T4471] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 302.351011][ T4471] CR2: 00007f50cbd08b60 CR3: 0000000011ad4000 CR4: 00000000000506e0
[ 302.353031][ T4471] Call Trace:
[ 302.353868][ T4471] <TASK>
[ 302.354587][ T4471] kfree+0x47/0x2b0
[ 302.355528][ T4471] ? nilfs_mdt_destroy+0x1c/0x30
[ 302.356787][ T4471] ? trace_kmem_cache_alloc+0x2d/0xe0
[ 302.358140][ T4471] nilfs_mdt_destroy+0x1c/0x30
[ 302.359368][ T4471] nilfs_free_inode+0x20/0x40
[ 302.360466][ T4471] ? nilfs_setup_super+0x210/0x210
[ 302.361763][ T4471] alloc_inode+0xc1/0xe0
[ 302.362851][ T4471] new_inode+0x1e/0xd0
[ 302.364096][ T4471] nilfs_new_inode+0x37/0x340
[ 302.365349][ T4471] nilfs_create+0x5a/0x150
[ 302.366621][ T4471] ? nilfs_lookup+0x90/0x90
[ 302.367875][ T4471] path_openat+0x8d4/0x1510
[ 302.372812][ T4471] do_filp_open+0xb9/0x1a0
[ 302.374131][ T4471] ? alloc_fd+0x2de/0x320
[ 302.375151][ T4471] ? do_raw_spin_unlock+0x64/0x2b0
[ 302.376581][ T4471] ? _raw_spin_unlock+0x24/0x40
[ 302.377904][ T4471] do_sys_openat2+0x9b/0x240
[ 302.392326][ T4471] __x64_sys_openat+0xcb/0xf0
[ 302.406515][ T4471] do_syscall_64+0x3d/0x90
[ 302.420310][ T4471] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 302.432032][ T4471] RIP: 0033:0x7f50cbd146eb
[ 302.445517][ T4471] Code: 25 00 00 41 00 3d 00 00 41 00 74 4b 64 8b 04 25 18 00 00 00 85 c0 75 67 44 89 e2 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 91 00 00 00 48 8b 54 24 28 64 48 2b 14 25
[ 302.475988][ T4471] RSP: 002b:00007ffea2dd8af0 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
[ 302.491286][ T4471] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f50cbd146eb
[ 302.506272][ T4471] RDX: 0000000000000941 RSI: 00007ffea2dd974c RDI: 00000000ffffff9c
[ 302.516526][ T4471] RBP: 00007ffea2dd974c R08: 0000000000000001 R09: 0000000000000000
[ 302.532010][ T4471] R10: 00000000000001b6 R11: 0000000000000246 R12: 0000000000000941
[ 302.547302][ T4471] R13: 0000000000000002 R14: 00007f50cbebf2e0 R15: 00007ffea2dd8de8
[ 302.562739][ T4471] </TASK>
[ 302.576503][ T4471] Modules linked in:
[ 302.590802][ T4471] ---[ end trace 0000000000000000 ]---
[ 302.607760][ T4471] RIP: 0010:__phys_addr+0xe5/0xf0
[ 302.622428][ T4471] Code: d5 27 00 48 c7 c7 80 38 50 86 4c 89 fe 4c 89 f2 e8 40 47 68 01 eb 9a e8 e9 d4 27 00 0f 0b e8 e2 d4 27 00 0f 0b e8 db d4 27 00 <0f> 0b 66 0f 1f 84 00 00 00 00 00 53 48 89 fb e8 c7 d4 27 00 48 81
[ 302.653011][ T4471] RSP: 0018:ffffc90003a97ac0 EFLAGS: 00010293
[ 302.667464][ T4471] RAX: ffffffff811b9035 RBX: 000000007fffffff RCX: ffff888106ee0000
[ 302.682257][ T4471] RDX: 0000000000000000 RSI: 000000007fffffff RDI: 000000001fffffff
[ 302.696817][ T4471] RBP: ffffffffffffffff R08: ffffffff811b8ff9 R09: 0000000000000c40
[ 302.711387][ T4471] R10: ffffffff816d23a0 R11: ffff888106ee0000 R12: ffff888012c26000
[ 302.725838][ T4471] R13: 0000000000000041 R14: ffff888011d10158 R15: 000000007fffffff
[ 302.740693][ T4471] FS: 00007f50cbe78740(0000) GS:ffff888121a00000(0000) knlGS:0000000000000000
[ 302.755595][ T4471] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 302.770509][ T4471] CR2: 00007f50cbd08b60 CR3: 0000000011ad4000 CR4: 00000000000506e0
[ 302.784918][ T4471] Kernel panic - not syncing: Fatal exception
[ 302.799730][ T4471] Kernel Offset: disabled
[ 302.813206][ T4471] Rebooting in 10 seconds..
----------

----------
[ 506.599768][ T9545] NILFS (sdb): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds
[ 508.025268][ T9555] NILFS (sdb): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds
[ 509.390901][ T9565] NILFS (sdb): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds
[ 510.763935][ T9575] NILFS (sdb): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds
[ 512.169897][ T9585] NILFS (sdb): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds
[ 513.548042][ T9595] NILFS (sdb): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds
[ 514.910318][ T9605] NILFS (sdb): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds
[ 516.279080][ T9614] BUG: kernel NULL pointer dereference, address: 00000000000001a8
[ 516.294944][ T9614] #PF: supervisor read access in kernel mode
[ 516.310648][ T9614] #PF: error_code(0x0000) - not-present page
[ 516.326186][ T9614] PGD 8a8c9067 P4D 8a8c9067 PUD 88e9c067 PMD 0
[ 516.341907][ T9614] Oops: 0000 [#1] PREEMPT SMP
[ 516.356456][ T9614] CPU: 1 PID: 9614 Comm: mount.nilfs2 Not tainted 6.0.0-rc5-00094-ga335366bad13-dirty #855
[ 516.372406][ T9614] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[ 516.383284][ T9614] RIP: 0010:nilfs_attach_log_writer+0x2b2/0x440
[ 516.397928][ T9614] Code: 35 ff 48 85 db 74 0f e8 cc b0 35 ff 49 89 9c 24 b8 02 00 00 eb 05 e8 bd b0 35 ff 4d 89 a5 28 02 00 00 49 8b 45 18 48 8b 58 30 <48> 83 bb a8 01 00 00 00 74 07 e8 9f b0 35 ff eb 16 e8 98 b0 35 ff
[ 516.429611][ T9614] RSP: 0018:ffffc900112dfc98 EFLAGS: 00010293
[ 516.445173][ T9614] RAX: ffffffff89de8e38 RBX: 0000000000000000 RCX: ffff88800ba43900
[ 516.461654][ T9614] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 516.478266][ T9614] RBP: ffff8881035f3000 R08: ffffffff820db43a R09: 0000000000000000
[ 516.494788][ T9614] R10: ffffffff82759b34 R11: ffff88800ba43900 R12: ffff88810544b000
[ 516.511110][ T9614] R13: ffff8881035f3000 R14: ffff88810d501d00 R15: ffff8881035f3000
[ 516.528123][ T9614] FS: 00007f6749ad1800(0000) GS:ffff888121a00000(0000) knlGS:0000000000000000
[ 516.545496][ T9614] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 516.562052][ T9614] CR2: 00000000000001a8 CR3: 00000000802b2000 CR4: 00000000000506e0
[ 516.579321][ T9614] Call Trace:
[ 516.595390][ T9614] <TASK>
[ 516.611067][ T9614] ? nilfs_attach_checkpoint+0x172/0x1c0
[ 516.627444][ T9614] nilfs_fill_super+0x19d/0x2c0
[ 516.643529][ T9614] nilfs_mount+0x387/0x590
[ 516.659363][ T9614] ? trace_kmalloc+0x2d/0xe0
[ 516.675432][ T9614] ? kfree+0x35/0x2b0
[ 516.691383][ T9614] ? aa_get_newest_label+0x6b/0x350
[ 516.709097][ T9614] legacy_get_tree+0x2c/0x70
[ 516.724981][ T9614] vfs_get_tree+0x2f/0x110
[ 516.740205][ T9614] do_new_mount+0x1dd/0x560
[ 516.754968][ T9614] __se_sys_mount+0x286/0x2e0
[ 516.769748][ T9614] ? syscall_enter_from_user_mode+0x2e/0x1d0
[ 516.784000][ T9614] do_syscall_64+0x3d/0x90
[ 516.798686][ T9614] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 516.818489][ T9614] RIP: 0033:0x7f6749926eae
[ 516.835460][ T9614] Code: 48 8b 0d 85 1f 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 52 1f 0f 00 f7 d8 64 89 01 48
[ 516.869770][ T9614] RSP: 002b:00007ffd011ea2a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 516.886854][ T9614] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f6749926eae
[ 516.903145][ T9614] RDX: 00000000006a0b40 RSI: 00000000006a0b60 RDI: 00000000006a0b80
[ 516.919669][ T9614] RBP: 00000000006a0910 R08: 0000000000000000 R09: 00000000006a4850
[ 516.935717][ T9614] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 516.952125][ T9614] R13: 00000000006a0b40 R14: 00000000006a0b80 R15: 00000000006a0910
[ 516.968742][ T9614] </TASK>
[ 516.983539][ T9614] Modules linked in:
[ 516.998303][ T9614] CR2: 00000000000001a8
[ 517.013537][ T9614] ---[ end trace 0000000000000000 ]---
[ 517.030306][ T9614] RIP: 0010:nilfs_attach_log_writer+0x2b2/0x440
[ 517.045670][ T9614] Code: 35 ff 48 85 db 74 0f e8 cc b0 35 ff 49 89 9c 24 b8 02 00 00 eb 05 e8 bd b0 35 ff 4d 89 a5 28 02 00 00 49 8b 45 18 48 8b 58 30 <48> 83 bb a8 01 00 00 00 74 07 e8 9f b0 35 ff eb 16 e8 98 b0 35 ff
[ 517.078650][ T9614] RSP: 0018:ffffc900112dfc98 EFLAGS: 00010293
[ 517.094862][ T9614] RAX: ffffffff89de8e38 RBX: 0000000000000000 RCX: ffff88800ba43900
[ 517.111291][ T9614] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 517.123443][ T9614] RBP: ffff8881035f3000 R08: ffffffff820db43a R09: 0000000000000000
[ 517.139682][ T9614] R10: ffffffff82759b34 R11: ffff88800ba43900 R12: ffff88810544b000
[ 517.157097][ T9614] R13: ffff8881035f3000 R14: ffff88810d501d00 R15: ffff8881035f3000
[ 517.175687][ T9614] FS: 00007f6749ad1800(0000) GS:ffff888121a00000(0000) knlGS:0000000000000000
[ 517.193810][ T9614] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 517.210835][ T9614] CR2: 00000000000001a8 CR3: 00000000802b2000 CR4: 00000000000506e0
[ 517.228628][ T9614] Kernel panic - not syncing: Fatal exception
[ 517.245269][ T9614] Kernel Offset: disabled
[ 517.261513][ T9614] Rebooting in 10 seconds..
----------

Ryusuke Konishi

Sep 18, 2022, 6:19:19 AM
to Tetsuo Handa, linux...@vger.kernel.org, syzbot, syzkall...@googlegroups.com
<snip>

Thank you for your help, Handa-san.

The first oops inserted by your injection patch has already been reported in
[1], and the bug fix is queued in the for-next branch of the vfs tree [2].
Take a look at the patch titled "fs: fix UAF/GPF bug in nilfs_mdt_destroy"
in the latest linux-next or vfs/for-next.

[1] https://lore.kernel.org/all/CAFcO6XOcf1Jj2SeGt=jJV59wmhESeSKpfR...@mail.gmail.com/T/#u
(report)
[2] https://lkml.kernel.org/r/20220816040859...@hust.edu.cn
(vfs patch)

The correction was done for inode_init_always() instead of fixing
nilfs2. Please refer to [3] for the background.

[3] https://lkml.kernel.org/r/20220815175114.2357...@gmail.com
(discussion of how to fix it. The nilfs2 patch itself was withdrawn)

I confirmed that the patch [2] fixes the second oops as well.

I'm not sure if the patch [2] fixes the originally reported problem,
but it will be fixed if it's the same.

Thanks,
Ryusuke Konishi
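A userspace model of the failure path Handa-san describes and of the inode_init_always() fix Konishi-san points to, added here as an example (not code from the thread, nilfs2 or the kernel). It assumes the vfs patch works by initialising every inode field before the LSM hook that can fail; the struct, the stale-byte pattern and the fault knob are constructed stand-ins.

```c
/* Userspace model of the failure path discussed above (constructed example,
 * not kernel code). alloc_inode() calls inode_init_always(); if that fails
 * early, the fs free_inode callback gets a partially initialised inode, and
 * nilfs_free_inode() -> nilfs_mdt_destroy() kfree()s a never-set i_private. */
#include <errno.h>
#include <stdlib.h>
#include <string.h>

struct inode {                  /* only the fields the model needs */
	unsigned int i_flags;
	void *i_security;
	void *i_private;        /* nilfs2 keeps its mdt info here */
};

#define STALE_BYTE 0x6a         /* constructed stale-slab pattern */

/* Like kmem_cache_alloc(): the slab does not zero the object. */
static struct inode *cache_alloc_stale(void)
{
	struct inode *inode = malloc(sizeof(*inode));
	memset(inode, STALE_BYTE, sizeof(*inode));
	return inode;
}

/* Model of security_inode_alloc(); the knob plays the role of the strcmp()
 * hook in the thread. i_security is NULL on failure, as in the real hook. */
static int fail_security_alloc;
static int security_inode_alloc(struct inode *inode)
{
	inode->i_security = NULL;
	return fail_security_alloc ? -ENOMEM : 0;
}

/* Ordering before the vfs fix: the LSM hook can fail before i_private is set. */
static int inode_init_always_before(struct inode *inode)
{
	if (security_inode_alloc(inode))
		return -ENOMEM;  /* i_private still holds stale slab contents */
	inode->i_flags = 0;
	inode->i_private = NULL;
	return 0;
}

/* Ordering after the fix (assumed here): every field is set before the hook. */
static int inode_init_always_after(struct inode *inode)
{
	inode->i_flags = 0;
	inode->i_private = NULL;
	return security_inode_alloc(inode) ? -ENOMEM : 0;
}

/* Model of alloc_inode() plus nilfs_free_inode(): returns the pointer nilfs would
 * hand to kfree() on the failure path (NULL is harmless, anything else is a wild free). */
static void *alloc_inode_model(int (*init)(struct inode *), int inject_fault)
{
	struct inode *inode = cache_alloc_stale();
	void *would_free = NULL;
	fail_security_alloc = inject_fault;
	if (init(inode))
		would_free = inode->i_private; /* nilfs_mdt_destroy(): kfree(i_private) */
	free(inode);
	return would_free;
}

static int is_stale_pointer(void *p) /* every byte still the stale pattern? */
{
	unsigned char pattern[sizeof(p)];
	memset(pattern, STALE_BYTE, sizeof(pattern));
	return memcmp(&p, pattern, sizeof(p)) == 0;
}
```

With the old ordering and the fault injected, the pointer handed to kfree() is whatever the slab object last held, which is why the oops lands at a different place each run; with the fixed ordering it is always NULL.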

Tetsuo Handa

Sep 18, 2022, 6:43:25 AM
to syzbot, syzkall...@googlegroups.com, Ryusuke Konishi, linux...@vger.kernel.org
On 2022/09/18 19:19, Ryusuke Konishi wrote:
> I'm not sure if the patch [2] fixes the originally reported problem,
> but it will be fixed if it's the same.

Will be fixed. Thank you.

#syz fix: fs: fix UAF/GPF bug in nilfs_mdt_destroy
