[syzbot] KASAN: invalid-free in gadgetfs_kill_sb
6 views
Skip to first unread message
syzbot
Dec 5, 2022, 4:19:39 AM12/5/22
to ba...@kernel.org, gre...@linuxfoundation.org, hbh...@gmail.com, linux-...@vger.kernel.org, linu...@vger.kernel.org, mi...@kernel.org, rdu...@infradead.org, st...@rowland.harvard.edu, syzkall...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 0966d385830d riscv: Fix auipc+jalr relocation range checks
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes
console output: https://syzkaller.appspot.com/x/log.txt?x=146ed1d5880000
kernel config: https://syzkaller.appspot.com/x/.config?x=6295d67591064921
dashboard link: https://syzkaller.appspot.com/bug?extid=73a8d1eac3883b38173b
compiler: riscv64-linux-gnu-gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: riscv64
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+73a8d1...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: double-free or invalid-free in slab_free mm/slub.c:3509 [inline]
BUG: KASAN: double-free or invalid-free in kfree+0xe0/0x3e4 mm/slub.c:4562
CPU: 0 PID: 3915 Comm: syz-executor.1 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff8000a228>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:113
[<ffffffff831668cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:119
[<ffffffff831756ba>] __dump_stack lib/dump_stack.c:88 [inline]
[<ffffffff831756ba>] dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:106
[<ffffffff8047479e>] print_address_description.constprop.0+0x2a/0x330 mm/kasan/report.c:255
[<ffffffff80474b98>] kasan_report_invalid_free+0x62/0x92 mm/kasan/report.c:381
[<ffffffff80473a82>] ____kasan_slab_free+0x170/0x180 mm/kasan/common.c:346
[<ffffffff80473fde>] __kasan_slab_free+0x10/0x18 mm/kasan/common.c:374
[<ffffffff80469750>] kasan_slab_free include/linux/kasan.h:236 [inline]
[<ffffffff80469750>] slab_free_hook mm/slub.c:1728 [inline]
[<ffffffff80469750>] slab_free_freelist_hook+0x8e/0x1cc mm/slub.c:1754
[<ffffffff8046d302>] slab_free mm/slub.c:3509 [inline]
[<ffffffff8046d302>] kfree+0xe0/0x3e4 mm/slub.c:4562
[<ffffffff81df6dae>] gadgetfs_kill_sb+0x56/0x68 drivers/usb/gadget/legacy/inode.c:2088
[<ffffffff804ce138>] deactivate_locked_super+0x9a/0x11a fs/super.c:332
[<ffffffff804cf982>] vfs_get_super fs/super.c:1160 [inline]
[<ffffffff804cf982>] get_tree_single+0x11e/0x12e fs/super.c:1177
[<ffffffff81df60f4>] gadgetfs_get_tree+0x26/0x30 drivers/usb/gadget/legacy/inode.c:2067
[<ffffffff804cc844>] vfs_get_tree+0x4a/0x19c fs/super.c:1497
[<ffffffff80522e36>] do_new_mount fs/namespace.c:2994 [inline]
[<ffffffff80522e36>] path_mount+0xe9c/0x14dc fs/namespace.c:3324
[<ffffffff80524014>] do_mount fs/namespace.c:3337 [inline]
[<ffffffff80524014>] __do_sys_mount fs/namespace.c:3545 [inline]
[<ffffffff80524014>] sys_mount+0x360/0x3ee fs/namespace.c:3522
[<ffffffff80005716>] ret_from_syscall+0x0/0x2
Allocated by task 2066:
stack_trace_save+0xa6/0xd8 kernel/stacktrace.c:122
kasan_save_stack+0x2c/0x58 mm/kasan/common.c:38
kasan_set_track mm/kasan/common.c:45 [inline]
set_alloc_info mm/kasan/common.c:436 [inline]
____kasan_kmalloc mm/kasan/common.c:515 [inline]
____kasan_kmalloc mm/kasan/common.c:474 [inline]
__kasan_kmalloc+0x80/0xb2 mm/kasan/common.c:524
kasan_kmalloc include/linux/kasan.h:270 [inline]
kmem_cache_alloc_trace+0x178/0x2e0 mm/slub.c:3257
kmalloc include/linux/slab.h:581 [inline]
kzalloc include/linux/slab.h:715 [inline]
apparmor_sk_alloc_security+0x70/0xca security/apparmor/lsm.c:792
security_sk_alloc+0x48/0x90 security/security.c:2255
sk_prot_alloc+0xb6/0x20e net/core/sock.c:1926
sk_alloc+0x34/0x602 net/core/sock.c:1976
inet_create net/ipv4/af_inet.c:319 [inline]
inet_create+0x28c/0x964 net/ipv4/af_inet.c:245
__sock_create+0x322/0x646 net/socket.c:1468
sock_create net/socket.c:1519 [inline]
__sys_socket+0xe4/0x1e0 net/socket.c:1561
__do_sys_socket net/socket.c:1570 [inline]
sys_socket+0x2c/0x3a net/socket.c:1568
ret_from_syscall+0x0/0x2
Freed by task 3916:
stack_trace_save+0xa6/0xd8 kernel/stacktrace.c:122
kasan_save_stack+0x2c/0x58 mm/kasan/common.c:38
kasan_set_track+0x1a/0x26 mm/kasan/common.c:45
kasan_set_free_info+0x1e/0x3a mm/kasan/generic.c:370
____kasan_slab_free mm/kasan/common.c:366 [inline]
____kasan_slab_free+0x15e/0x180 mm/kasan/common.c:328
__kasan_slab_free+0x10/0x18 mm/kasan/common.c:374
kasan_slab_free include/linux/kasan.h:236 [inline]
slab_free_hook mm/slub.c:1728 [inline]
slab_free_freelist_hook+0x8e/0x1cc mm/slub.c:1754
slab_free mm/slub.c:3509 [inline]
kfree+0xe0/0x3e4 mm/slub.c:4562
gadgetfs_kill_sb+0x56/0x68 drivers/usb/gadget/legacy/inode.c:2088
deactivate_locked_super+0x9a/0x11a fs/super.c:332
deactivate_super fs/super.c:363 [inline]
deactivate_super+0x80/0x94 fs/super.c:359
cleanup_mnt+0x220/0x2c0 fs/namespace.c:1143
__cleanup_mnt+0x1c/0x26 fs/namespace.c:1150
task_work_run+0xdc/0x154 kernel/task_work.c:164
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
do_notify_resume+0x894/0xa56 arch/riscv/kernel/signal.c:320
ret_from_exception+0x0/0x10
Last potentially related work creation:
stack_trace_save+0xa6/0xd8 kernel/stacktrace.c:122
kasan_save_stack+0x2c/0x58 mm/kasan/common.c:38
__kasan_record_aux_stack+0xc4/0xdc mm/kasan/generic.c:348
kasan_record_aux_stack_noalloc+0xe/0x16 mm/kasan/generic.c:358
kvfree_call_rcu+0x8e/0x440 kernel/rcu/tree.c:3591
memcg_update_list_lru_node mm/list_lru.c:411 [inline]
memcg_update_list_lru mm/list_lru.c:467 [inline]
memcg_update_all_list_lrus+0x2d0/0x5c6 mm/list_lru.c:501
memcg_alloc_cache_id mm/memcontrol.c:2964 [inline]
memcg_online_kmem mm/memcontrol.c:3635 [inline]
mem_cgroup_css_alloc+0xa86/0xc60 mm/memcontrol.c:5225
css_create kernel/cgroup/cgroup.c:5299 [inline]
cgroup_apply_control_enable+0x2c0/0x654 kernel/cgroup/cgroup.c:3124
cgroup_mkdir+0x388/0x9e6 kernel/cgroup/cgroup.c:5517
kernfs_iop_mkdir+0xc8/0xfa fs/kernfs/dir.c:1169
vfs_mkdir+0x110/0x202 fs/namei.c:3933
do_mkdirat+0x22e/0x262 fs/namei.c:3959
__do_sys_mkdirat fs/namei.c:3974 [inline]
sys_mkdirat+0x88/0xb2 fs/namei.c:3972
ret_from_syscall+0x0/0x2
The buggy address belongs to the object at ffffaf80072eb0e0
which belongs to the cache kmalloc-16 of size 16
The buggy address is located 0 bytes inside of
16-byte region [ffffaf80072eb0e0, ffffaf80072eb0f0)
The buggy address belongs to the page:
page:ffffaf807a84e218 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x874eb
flags: 0x8000000200(slab|section=16|node=0|zone=0)
raw: 0000008000000200 0000000000000100 0000000000000122 ffffaf80072013c0
raw: 0000000000000000 0000000080800080 00000001ffffffff 0000000000000000
raw: 00000000000007ff
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x0(), pid 1, ts 1244986300, free_ts 0
stack_trace_save+0xa6/0xd8 kernel/stacktrace.c:122
create_dummy_stack mm/page_owner.c:59 [inline]
register_early_stack+0x8a/0xcc mm/page_owner.c:75
init_page_owner+0x8a/0x5cc mm/page_owner.c:87
invoke_init_callbacks mm/page_ext.c:112 [inline]
page_ext_init+0x4e6/0x50c mm/page_ext.c:419
page_owner free stack trace missing
Memory state around the buggy address:
ffffaf80072eaf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffffaf80072eb000: 00 00 fc fc 00 00 fc fc 00 00 fc fc 00 01 fc fc
>ffffaf80072eb080: 00 07 fc fc 00 00 fc fc fa fb fc fc fa fb fc fc
^
ffffaf80072eb100: fb fb fc fc fb fb fc fc 00 00 fc fc 00 00 fc fc
ffffaf80072eb180: 00 04 fc fc 00 01 fc fc fa fb fc fc fb fb fc fc
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following issue on:
HEAD commit: 0966d385830d riscv: Fix auipc+jalr relocation range checks
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes
console output: https://syzkaller.appspot.com/x/log.txt?x=146ed1d5880000
kernel config: https://syzkaller.appspot.com/x/.config?x=6295d67591064921
dashboard link: https://syzkaller.appspot.com/bug?extid=73a8d1eac3883b38173b
compiler: riscv64-linux-gnu-gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: riscv64
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+73a8d1...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: double-free or invalid-free in slab_free mm/slub.c:3509 [inline]
BUG: KASAN: double-free or invalid-free in kfree+0xe0/0x3e4 mm/slub.c:4562
CPU: 0 PID: 3915 Comm: syz-executor.1 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff8000a228>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:113
[<ffffffff831668cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:119
[<ffffffff831756ba>] __dump_stack lib/dump_stack.c:88 [inline]
[<ffffffff831756ba>] dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:106
[<ffffffff8047479e>] print_address_description.constprop.0+0x2a/0x330 mm/kasan/report.c:255
[<ffffffff80474b98>] kasan_report_invalid_free+0x62/0x92 mm/kasan/report.c:381
[<ffffffff80473a82>] ____kasan_slab_free+0x170/0x180 mm/kasan/common.c:346
[<ffffffff80473fde>] __kasan_slab_free+0x10/0x18 mm/kasan/common.c:374
[<ffffffff80469750>] kasan_slab_free include/linux/kasan.h:236 [inline]
[<ffffffff80469750>] slab_free_hook mm/slub.c:1728 [inline]
[<ffffffff80469750>] slab_free_freelist_hook+0x8e/0x1cc mm/slub.c:1754
[<ffffffff8046d302>] slab_free mm/slub.c:3509 [inline]
[<ffffffff8046d302>] kfree+0xe0/0x3e4 mm/slub.c:4562
[<ffffffff81df6dae>] gadgetfs_kill_sb+0x56/0x68 drivers/usb/gadget/legacy/inode.c:2088
[<ffffffff804ce138>] deactivate_locked_super+0x9a/0x11a fs/super.c:332
[<ffffffff804cf982>] vfs_get_super fs/super.c:1160 [inline]
[<ffffffff804cf982>] get_tree_single+0x11e/0x12e fs/super.c:1177
[<ffffffff81df60f4>] gadgetfs_get_tree+0x26/0x30 drivers/usb/gadget/legacy/inode.c:2067
[<ffffffff804cc844>] vfs_get_tree+0x4a/0x19c fs/super.c:1497
[<ffffffff80522e36>] do_new_mount fs/namespace.c:2994 [inline]
[<ffffffff80522e36>] path_mount+0xe9c/0x14dc fs/namespace.c:3324
[<ffffffff80524014>] do_mount fs/namespace.c:3337 [inline]
[<ffffffff80524014>] __do_sys_mount fs/namespace.c:3545 [inline]
[<ffffffff80524014>] sys_mount+0x360/0x3ee fs/namespace.c:3522
[<ffffffff80005716>] ret_from_syscall+0x0/0x2
Allocated by task 2066:
stack_trace_save+0xa6/0xd8 kernel/stacktrace.c:122
kasan_save_stack+0x2c/0x58 mm/kasan/common.c:38
kasan_set_track mm/kasan/common.c:45 [inline]
set_alloc_info mm/kasan/common.c:436 [inline]
____kasan_kmalloc mm/kasan/common.c:515 [inline]
____kasan_kmalloc mm/kasan/common.c:474 [inline]
__kasan_kmalloc+0x80/0xb2 mm/kasan/common.c:524
kasan_kmalloc include/linux/kasan.h:270 [inline]
kmem_cache_alloc_trace+0x178/0x2e0 mm/slub.c:3257
kmalloc include/linux/slab.h:581 [inline]
kzalloc include/linux/slab.h:715 [inline]
apparmor_sk_alloc_security+0x70/0xca security/apparmor/lsm.c:792
security_sk_alloc+0x48/0x90 security/security.c:2255
sk_prot_alloc+0xb6/0x20e net/core/sock.c:1926
sk_alloc+0x34/0x602 net/core/sock.c:1976
inet_create net/ipv4/af_inet.c:319 [inline]
inet_create+0x28c/0x964 net/ipv4/af_inet.c:245
__sock_create+0x322/0x646 net/socket.c:1468
sock_create net/socket.c:1519 [inline]
__sys_socket+0xe4/0x1e0 net/socket.c:1561
__do_sys_socket net/socket.c:1570 [inline]
sys_socket+0x2c/0x3a net/socket.c:1568
ret_from_syscall+0x0/0x2
Freed by task 3916:
stack_trace_save+0xa6/0xd8 kernel/stacktrace.c:122
kasan_save_stack+0x2c/0x58 mm/kasan/common.c:38
kasan_set_track+0x1a/0x26 mm/kasan/common.c:45
kasan_set_free_info+0x1e/0x3a mm/kasan/generic.c:370
____kasan_slab_free mm/kasan/common.c:366 [inline]
____kasan_slab_free+0x15e/0x180 mm/kasan/common.c:328
__kasan_slab_free+0x10/0x18 mm/kasan/common.c:374
kasan_slab_free include/linux/kasan.h:236 [inline]
slab_free_hook mm/slub.c:1728 [inline]
slab_free_freelist_hook+0x8e/0x1cc mm/slub.c:1754
slab_free mm/slub.c:3509 [inline]
kfree+0xe0/0x3e4 mm/slub.c:4562
gadgetfs_kill_sb+0x56/0x68 drivers/usb/gadget/legacy/inode.c:2088
deactivate_locked_super+0x9a/0x11a fs/super.c:332
deactivate_super fs/super.c:363 [inline]
deactivate_super+0x80/0x94 fs/super.c:359
cleanup_mnt+0x220/0x2c0 fs/namespace.c:1143
__cleanup_mnt+0x1c/0x26 fs/namespace.c:1150
task_work_run+0xdc/0x154 kernel/task_work.c:164
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
do_notify_resume+0x894/0xa56 arch/riscv/kernel/signal.c:320
ret_from_exception+0x0/0x10
Last potentially related work creation:
stack_trace_save+0xa6/0xd8 kernel/stacktrace.c:122
kasan_save_stack+0x2c/0x58 mm/kasan/common.c:38
__kasan_record_aux_stack+0xc4/0xdc mm/kasan/generic.c:348
kasan_record_aux_stack_noalloc+0xe/0x16 mm/kasan/generic.c:358
kvfree_call_rcu+0x8e/0x440 kernel/rcu/tree.c:3591
memcg_update_list_lru_node mm/list_lru.c:411 [inline]
memcg_update_list_lru mm/list_lru.c:467 [inline]
memcg_update_all_list_lrus+0x2d0/0x5c6 mm/list_lru.c:501
memcg_alloc_cache_id mm/memcontrol.c:2964 [inline]
memcg_online_kmem mm/memcontrol.c:3635 [inline]
mem_cgroup_css_alloc+0xa86/0xc60 mm/memcontrol.c:5225
css_create kernel/cgroup/cgroup.c:5299 [inline]
cgroup_apply_control_enable+0x2c0/0x654 kernel/cgroup/cgroup.c:3124
cgroup_mkdir+0x388/0x9e6 kernel/cgroup/cgroup.c:5517
kernfs_iop_mkdir+0xc8/0xfa fs/kernfs/dir.c:1169
vfs_mkdir+0x110/0x202 fs/namei.c:3933
do_mkdirat+0x22e/0x262 fs/namei.c:3959
__do_sys_mkdirat fs/namei.c:3974 [inline]
sys_mkdirat+0x88/0xb2 fs/namei.c:3972
ret_from_syscall+0x0/0x2
The buggy address belongs to the object at ffffaf80072eb0e0
which belongs to the cache kmalloc-16 of size 16
The buggy address is located 0 bytes inside of
16-byte region [ffffaf80072eb0e0, ffffaf80072eb0f0)
The buggy address belongs to the page:
page:ffffaf807a84e218 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x874eb
flags: 0x8000000200(slab|section=16|node=0|zone=0)
raw: 0000008000000200 0000000000000100 0000000000000122 ffffaf80072013c0
raw: 0000000000000000 0000000080800080 00000001ffffffff 0000000000000000
raw: 00000000000007ff
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x0(), pid 1, ts 1244986300, free_ts 0
stack_trace_save+0xa6/0xd8 kernel/stacktrace.c:122
create_dummy_stack mm/page_owner.c:59 [inline]
register_early_stack+0x8a/0xcc mm/page_owner.c:75
init_page_owner+0x8a/0x5cc mm/page_owner.c:87
invoke_init_callbacks mm/page_ext.c:112 [inline]
page_ext_init+0x4e6/0x50c mm/page_ext.c:419
page_owner free stack trace missing
Memory state around the buggy address:
ffffaf80072eaf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffffaf80072eb000: 00 00 fc fc 00 00 fc fc 00 00 fc fc 00 01 fc fc
>ffffaf80072eb080: 00 07 fc fc 00 00 fc fc fa fb fc fc fa fb fc fc
^
ffffaf80072eb100: fb fb fc fc fb fb fc fc 00 00 fc fc 00 00 fc fc
ffffaf80072eb180: 00 04 fc fc 00 01 fc fc fa fb fc fc fb fb fc fc
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
Alan Stern
Dec 5, 2022, 11:44:20 AM12/5/22
to syzbot, Alexander Viro, ba...@kernel.org, gre...@linuxfoundation.org, hbh...@gmail.com, linux-...@vger.kernel.org, linu...@vger.kernel.org, mi...@kernel.org, rdu...@infradead.org, syzkall...@googlegroups.com
On Mon, Dec 05, 2022 at 01:19:38AM -0800, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 0966d385830d riscv: Fix auipc+jalr relocation range checks
> git tree: git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes
> console output: https://syzkaller.appspot.com/x/log.txt?x=146ed1d5880000
> kernel config: https://syzkaller.appspot.com/x/.config?x=6295d67591064921
> dashboard link: https://syzkaller.appspot.com/bug?extid=73a8d1eac3883b38173b
> compiler: riscv64-linux-gnu-gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> userspace arch: riscv64
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+73a8d1...@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: double-free or invalid-free in slab_free mm/slub.c:3509 [inline]
> BUG: KASAN: double-free or invalid-free in kfree+0xe0/0x3e4 mm/slub.c:4562
>
> CPU: 0 PID: 3915 Comm: syz-executor.1 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
> Hardware name: riscv-virtio,qemu (DT)
> Call Trace:
...
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 0966d385830d riscv: Fix auipc+jalr relocation range checks
> git tree: git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes
> console output: https://syzkaller.appspot.com/x/log.txt?x=146ed1d5880000
> kernel config: https://syzkaller.appspot.com/x/.config?x=6295d67591064921
> dashboard link: https://syzkaller.appspot.com/bug?extid=73a8d1eac3883b38173b
> compiler: riscv64-linux-gnu-gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> userspace arch: riscv64
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+73a8d1...@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: double-free or invalid-free in slab_free mm/slub.c:3509 [inline]
> BUG: KASAN: double-free or invalid-free in kfree+0xe0/0x3e4 mm/slub.c:4562
>
> CPU: 0 PID: 3915 Comm: syz-executor.1 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
> Hardware name: riscv-virtio,qemu (DT)
> Call Trace:
> [<ffffffff8046d302>] kfree+0xe0/0x3e4 mm/slub.c:4562
> [<ffffffff81df6dae>] gadgetfs_kill_sb+0x56/0x68 drivers/usb/gadget/legacy/inode.c:2088
> [<ffffffff804ce138>] deactivate_locked_super+0x9a/0x11a fs/super.c:332
> [<ffffffff804cf982>] vfs_get_super fs/super.c:1160 [inline]
> [<ffffffff804cf982>] get_tree_single+0x11e/0x12e fs/super.c:1177
> [<ffffffff81df60f4>] gadgetfs_get_tree+0x26/0x30 drivers/usb/gadget/legacy/inode.c:2067
> [<ffffffff804cc844>] vfs_get_tree+0x4a/0x19c fs/super.c:1497
> [<ffffffff80522e36>] do_new_mount fs/namespace.c:2994 [inline]
> [<ffffffff80522e36>] path_mount+0xe9c/0x14dc fs/namespace.c:3324
> [<ffffffff80524014>] do_mount fs/namespace.c:3337 [inline]
> [<ffffffff80524014>] __do_sys_mount fs/namespace.c:3545 [inline]
> [<ffffffff80524014>] sys_mount+0x360/0x3ee fs/namespace.c:3522
> [<ffffffff80005716>] ret_from_syscall+0x0/0x2
...
> [<ffffffff81df6dae>] gadgetfs_kill_sb+0x56/0x68 drivers/usb/gadget/legacy/inode.c:2088
> [<ffffffff804ce138>] deactivate_locked_super+0x9a/0x11a fs/super.c:332
> [<ffffffff804cf982>] vfs_get_super fs/super.c:1160 [inline]
> [<ffffffff804cf982>] get_tree_single+0x11e/0x12e fs/super.c:1177
> [<ffffffff81df60f4>] gadgetfs_get_tree+0x26/0x30 drivers/usb/gadget/legacy/inode.c:2067
> [<ffffffff804cc844>] vfs_get_tree+0x4a/0x19c fs/super.c:1497
> [<ffffffff80522e36>] do_new_mount fs/namespace.c:2994 [inline]
> [<ffffffff80522e36>] path_mount+0xe9c/0x14dc fs/namespace.c:3324
> [<ffffffff80524014>] do_mount fs/namespace.c:3337 [inline]
> [<ffffffff80524014>] __do_sys_mount fs/namespace.c:3545 [inline]
> [<ffffffff80524014>] sys_mount+0x360/0x3ee fs/namespace.c:3522
> [<ffffffff80005716>] ret_from_syscall+0x0/0x2
So task 3915 is trying to mount a superblock that probably is
concurrently being unmounted. Why does that cause the filesystem code
to deactivate it before it has been fully activated?
> Freed by task 3916:
...
> kfree+0xe0/0x3e4 mm/slub.c:4562
> gadgetfs_kill_sb+0x56/0x68 drivers/usb/gadget/legacy/inode.c:2088
> deactivate_locked_super+0x9a/0x11a fs/super.c:332
> deactivate_super fs/super.c:363 [inline]
> deactivate_super+0x80/0x94 fs/super.c:359
> cleanup_mnt+0x220/0x2c0 fs/namespace.c:1143
> __cleanup_mnt+0x1c/0x26 fs/namespace.c:1150
> task_work_run+0xdc/0x154 kernel/task_work.c:164
> tracehook_notify_resume include/linux/tracehook.h:188 [inline]
> do_notify_resume+0x894/0xa56 arch/riscv/kernel/signal.c:320
> ret_from_exception+0x0/0x10
Presumably this trace comes from the first unmount.
> gadgetfs_kill_sb+0x56/0x68 drivers/usb/gadget/legacy/inode.c:2088
> deactivate_locked_super+0x9a/0x11a fs/super.c:332
> deactivate_super fs/super.c:363 [inline]
> deactivate_super+0x80/0x94 fs/super.c:359
> cleanup_mnt+0x220/0x2c0 fs/namespace.c:1143
> __cleanup_mnt+0x1c/0x26 fs/namespace.c:1150
> task_work_run+0xdc/0x154 kernel/task_work.c:164
> tracehook_notify_resume include/linux/tracehook.h:188 [inline]
> do_notify_resume+0x894/0xa56 arch/riscv/kernel/signal.c:320
> ret_from_exception+0x0/0x10
It certainly looks like inode.c is getting confused because its
->kill_sb() callback is invoked a second time before the second
->get_tree() callback has completed. Which suggests that the problem
may lie in the filesystem code rather than the USB code. Maybe it
doesn't handle this race between mount and unmount.
Al, can you suggest anything?
Alan Stern
syzbot
Apr 4, 2023, 4:05:40 AM4/4/23
to syzkall...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.
Crashes did not happen for a while, no reproducer and no activity.
Reply all
Reply to author
Forward
0 new messages