[syzbot] [gfs2?] KASAN: slab-use-after-free Write in gfs2_qd_dealloc


syzbot

Sep 29, 2023, 9:30:38 AM
to agru...@redhat.com, gf...@lists.linux.dev, linux-...@vger.kernel.org, linux-...@vger.kernel.org, rpet...@redhat.com, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 6465e260f487 Linux 6.6-rc3
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=12ee3056680000
kernel config: https://syzkaller.appspot.com/x/.config?x=12da82ece7bf46f9
dashboard link: https://syzkaller.appspot.com/bug?extid=29c47e9e51895928698c
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11db4412680000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1483ceea680000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/2efb305347e3/disk-6465e260.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/a9d60ae17a65/vmlinux-6465e260.xz
kernel image: https://storage.googleapis.com/syzbot-assets/f071608b2aba/bzImage-6465e260.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/87420f0aa338/mount_0.gz

Bisection is inconclusive: the issue happens on the oldest tested release.

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=13ba0642680000
console output: https://syzkaller.appspot.com/x/log.txt?x=17ba0642680000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+29c47e...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: slab-use-after-free in atomic_dec_and_test include/linux/atomic/atomic-instrumented.h:1375 [inline]
BUG: KASAN: slab-use-after-free in gfs2_qd_dealloc+0x83/0xf0 fs/gfs2/quota.c:115
Write of size 4 at addr ffff888025754a78 by task ksoftirqd/0/16

CPU: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.6.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:364 [inline]
print_report+0x163/0x540 mm/kasan/report.c:475
kasan_report+0x175/0x1b0 mm/kasan/report.c:588
kasan_check_range+0x27e/0x290 mm/kasan/generic.c:187
instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
atomic_dec_and_test include/linux/atomic/atomic-instrumented.h:1375 [inline]
gfs2_qd_dealloc+0x83/0xf0 fs/gfs2/quota.c:115
rcu_do_batch kernel/rcu/tree.c:2139 [inline]
rcu_core+0xacf/0x1790 kernel/rcu/tree.c:2403
__do_softirq+0x2ab/0x908 kernel/softirq.c:553
run_ksoftirqd+0xc5/0x120 kernel/softirq.c:921
smpboot_thread_fn+0x530/0x9f0 kernel/smpboot.c:164
kthread+0x2d3/0x370 kernel/kthread.c:388
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
</TASK>

Allocated by task 5055:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4f/0x70 mm/kasan/common.c:52
____kasan_kmalloc mm/kasan/common.c:374 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:383
kmalloc include/linux/slab.h:599 [inline]
kzalloc include/linux/slab.h:720 [inline]
init_sbd fs/gfs2/ops_fstype.c:77 [inline]
gfs2_fill_super+0x136/0x26c0 fs/gfs2/ops_fstype.c:1164
get_tree_bdev+0x416/0x5b0 fs/super.c:1577
gfs2_get_tree+0x54/0x210 fs/gfs2/ops_fstype.c:1348
vfs_get_tree+0x8c/0x280 fs/super.c:1750
do_new_mount+0x28f/0xae0 fs/namespace.c:3335
do_mount fs/namespace.c:3675 [inline]
__do_sys_mount fs/namespace.c:3884 [inline]
__se_sys_mount+0x2d9/0x3c0 fs/namespace.c:3861
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 5030:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4f/0x70 mm/kasan/common.c:52
kasan_save_free_info+0x28/0x40 mm/kasan/generic.c:522
____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236
kasan_slab_free include/linux/kasan.h:164 [inline]
slab_free_hook mm/slub.c:1800 [inline]
slab_free_freelist_hook mm/slub.c:1826 [inline]
slab_free mm/slub.c:3809 [inline]
__kmem_cache_free+0x25f/0x3b0 mm/slub.c:3822
generic_shutdown_super+0x13a/0x2c0 fs/super.c:693
kill_block_super+0x41/0x70 fs/super.c:1646
deactivate_locked_super+0xa4/0x110 fs/super.c:481
cleanup_mnt+0x426/0x4c0 fs/namespace.c:1254
task_work_run+0x24a/0x300 kernel/task_work.c:180
ptrace_notify+0x2cd/0x380 kernel/signal.c:2387
ptrace_report_syscall include/linux/ptrace.h:411 [inline]
ptrace_report_syscall_exit include/linux/ptrace.h:473 [inline]
syscall_exit_work kernel/entry/common.c:251 [inline]
syscall_exit_to_user_mode_prepare kernel/entry/common.c:278 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
syscall_exit_to_user_mode+0x15c/0x280 kernel/entry/common.c:296
do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff888025754000
which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 2680 bytes inside of
freed 8192-byte region [ffff888025754000, ffff888025756000)

The buggy address belongs to the physical page:
page:ffffea000095d400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x25750
head:ffffea000095d400 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000840 ffff888012842280 ffffea0000952e00 0000000000000002
raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4714, tgid 4714 (dhcpcd-run-hook), ts 36549622906, free_ts 36548101490
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
get_page_from_freelist+0x31db/0x3360 mm/page_alloc.c:3170
__alloc_pages+0x255/0x670 mm/page_alloc.c:4426
alloc_slab_page+0x6a/0x160 mm/slub.c:1870
allocate_slab mm/slub.c:2017 [inline]
new_slab+0x84/0x2f0 mm/slub.c:2070
___slab_alloc+0xc85/0x1310 mm/slub.c:3223
__slab_alloc mm/slub.c:3322 [inline]
__slab_alloc_node mm/slub.c:3375 [inline]
slab_alloc_node mm/slub.c:3468 [inline]
__kmem_cache_alloc_node+0x1af/0x270 mm/slub.c:3517
kmalloc_trace+0x2a/0xe0 mm/slab_common.c:1114
kmalloc include/linux/slab.h:599 [inline]
kzalloc include/linux/slab.h:720 [inline]
tomoyo_print_bprm security/tomoyo/audit.c:26 [inline]
tomoyo_init_log+0x11cd/0x2040 security/tomoyo/audit.c:264
tomoyo_supervisor+0x386/0x11f0 security/tomoyo/common.c:2089
tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline]
tomoyo_env_perm+0x178/0x210 security/tomoyo/environ.c:63
tomoyo_environ security/tomoyo/domain.c:672 [inline]
tomoyo_find_next_domain+0x1383/0x1cf0 security/tomoyo/domain.c:878
tomoyo_bprm_check_security+0x114/0x170 security/tomoyo/tomoyo.c:101
security_bprm_check+0x63/0xa0 security/security.c:1103
search_binary_handler fs/exec.c:1727 [inline]
exec_binprm fs/exec.c:1781 [inline]
bprm_execve+0x8c7/0x17c0 fs/exec.c:1856
do_execveat_common+0x580/0x720 fs/exec.c:1964
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1136 [inline]
free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
discard_slab mm/slub.c:2116 [inline]
__unfreeze_partials+0x1dc/0x220 mm/slub.c:2655
put_cpu_partial+0x17b/0x250 mm/slub.c:2731
__slab_free+0x2b6/0x390 mm/slub.c:3679
qlink_free mm/kasan/quarantine.c:166 [inline]
qlist_free_all+0x75/0xe0 mm/kasan/quarantine.c:185
kasan_quarantine_reduce+0x14b/0x160 mm/kasan/quarantine.c:292
__kasan_slab_alloc+0x23/0x70 mm/kasan/common.c:305
kasan_slab_alloc include/linux/kasan.h:188 [inline]
slab_post_alloc_hook+0x67/0x3d0 mm/slab.h:762
slab_alloc_node mm/slub.c:3478 [inline]
__kmem_cache_alloc_node+0x141/0x270 mm/slub.c:3517
__do_kmalloc_node mm/slab_common.c:1022 [inline]
__kmalloc+0xa8/0x230 mm/slab_common.c:1036
kmalloc include/linux/slab.h:603 [inline]
tomoyo_add_entry security/tomoyo/common.c:2023 [inline]
tomoyo_supervisor+0xe06/0x11f0 security/tomoyo/common.c:2095
tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline]
tomoyo_env_perm+0x178/0x210 security/tomoyo/environ.c:63
tomoyo_environ security/tomoyo/domain.c:672 [inline]
tomoyo_find_next_domain+0x1383/0x1cf0 security/tomoyo/domain.c:878
tomoyo_bprm_check_security+0x114/0x170 security/tomoyo/tomoyo.c:101
security_bprm_check+0x63/0xa0 security/security.c:1103

Memory state around the buggy address:
ffff888025754900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888025754980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888025754a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888025754a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888025754b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection

If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup
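
The ordering the report records, as an added example that is not part of this thread and not gfs2 code: the allocated-by stack shows the superblock data kzalloc'd in init_sbd() at mount time, the freed-by stack shows it kfree'd from generic_shutdown_super() at unmount, and the faulting access comes later from the RCU callback gfs2_qd_dealloc() running under ksoftirqd. In other words the parent object is gone before a deferred callback that still references it has run. The single-threaded C model below reproduces that ordering deterministically: call_rcu() is a FIFO that is drained on demand, a small "tracked" allocator stands in for KASAN so a stale access is counted instead of being undefined behaviour, and the two unmount functions differ only in whether they wait for the queued callbacks (the modelled wait_event on the count) before freeing the parent. Every identifier is invented for the model; only the shape of qd_dealloc() mirrors the callback in the report.

```c
/* Added example, not from the thread or fs/gfs2: a model of an RCU callback
 * that outlives the parent object it touches. All names are invented. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_QD 8                 /* model limit: objects and queued callbacks */

/* Tracked allocator: objects stay addressable, but a freed one is flagged,
 * so the model reports a stale access the way KASAN would. */
struct tracked { bool live; };
static int uaf_reports;          /* stale accesses since the last reset       */

static void tracked_free(struct tracked *t) { t->live = false; }
static void tracked_check(const struct tracked *t, const char *site)
{
    if (!t->live) {
        uaf_reports++;
        fprintf(stderr, "model-KASAN: use-after-free at %s\n", site);
    }
}

struct sbd {                     /* stands in for struct gfs2_sbd             */
    struct tracked hdr;
    int quota_count;             /* sd_quota_count: callbacks not yet run     */
    int wakeups;                 /* times wake_up(&sd_kill_wait) happened     */
};

struct qd {                      /* stands in for struct gfs2_quota_data      */
    struct tracked hdr;
    struct sbd *sbd;             /* qd_sbd                                    */
    void (*rcu_cb)(struct qd *); /* qd_rcu and its callback                   */
};

/* Modelled RCU: call_rcu() only queues; callbacks run in a later batch. */
static struct qd *pending[MAX_QD];
static int npending;

static void call_rcu_model(struct qd *q, void (*cb)(struct qd *))
{
    q->rcu_cb = cb;
    pending[npending++] = q;
}

static void rcu_run_callbacks(void)      /* the rcu_do_batch() moment        */
{
    int n = npending;
    npending = 0;
    for (int i = 0; i < n; i++)
        pending[i]->rcu_cb(pending[i]);
}

int rcu_pending(void) { return npending; }

/* The callback from the report: free the qd, then touch the parent sbd. */
static void qd_dealloc(struct qd *q)
{
    struct sbd *s = q->sbd;

    tracked_free(&q->hdr);                        /* kmem_cache_free(qd)    */
    tracked_check(&s->hdr, "qd_dealloc: sd_quota_count");  /* quota.c:115  */
    if (s->hdr.live && --s->quota_count == 0)     /* atomic_dec_and_test()  */
        s->wakeups++;                             /* wake_up(&sd_kill_wait) */
}

static void qd_dispose(struct qd *q) { call_rcu_model(q, qd_dealloc); }

struct outcome { int uaf_reports; int wakeups; int left_over; };

static void setup(struct sbd *s, struct qd *qds, int n)
{
    memset(s, 0, sizeof(*s));
    s->hdr.live = true;
    for (int i = 0; i < n; i++) {
        qds[i].hdr.live = true;
        qds[i].sbd = s;
        s->quota_count++;                         /* one count per queued qd */
    }
}

/* Buggy ordering: the sbd is freed while callbacks are still queued. */
struct outcome unmount_without_wait(int n)
{
    struct sbd s; struct qd qds[MAX_QD]; struct outcome o;

    if (n > MAX_QD) n = MAX_QD;
    uaf_reports = 0;
    setup(&s, qds, n);
    for (int i = 0; i < n; i++) qd_dispose(&qds[i]);
    o.left_over = s.quota_count;                  /* nothing has run yet     */
    o.wakeups = s.wakeups;
    tracked_free(&s.hdr);                         /* generic_shutdown_super() */
    rcu_run_callbacks();                          /* ksoftirqd runs them now */
    o.uaf_reports = uaf_reports;
    return o;
}

/* Correct ordering: wait until every queued callback has dropped its count. */
struct outcome unmount_after_wait(int n)
{
    struct sbd s; struct qd qds[MAX_QD]; struct outcome o;

    if (n > MAX_QD) n = MAX_QD;
    uaf_reports = 0;
    setup(&s, qds, n);
    for (int i = 0; i < n; i++) qd_dispose(&qds[i]);
    while (s.quota_count != 0)                    /* wait_event(count == 0)  */
        rcu_run_callbacks();
    o.left_over = s.quota_count;
    o.wakeups = s.wakeups;
    tracked_free(&s.hdr);                         /* safe: no callback left  */
    o.uaf_reports = uaf_reports;
    return o;
}

int main(void)
{
    struct outcome bad = unmount_without_wait(3), good = unmount_after_wait(3);
    printf("without wait: %d stale accesses, %d left over\n", bad.uaf_reports, bad.left_over);
    printf("after wait:   %d stale accesses, %d wakeup\n", good.uaf_reports, good.wakeups);
    return 0;
}
```

The model is single-threaded, so it shows the ordering the traces record (parent freed with callbacks still pending) and why a count that covers every queued callback has to reach zero before the parent may be freed. It does not show the narrower window inside the callback itself, between atomic_dec_and_test() returning true and the wake_up() that follows, where a waiter that was woken by a timeout can already have freed the parent; that is a separate hazard of touching the parent after the final decrement.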

Edward AD

Sep 30, 2023, 9:11:35 AM
to syzbot+29c47e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test slab uaf in gfs2_qd_dealloc

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 6465e260f487

diff --git a/fs/gfs2/quota.c b/fs/gfs2/quota.c
index 171b2713d2e5..73d522d7c81b 100644
--- a/fs/gfs2/quota.c
+++ b/fs/gfs2/quota.c
@@ -1501,9 +1501,8 @@ void gfs2_quota_cleanup(struct gfs2_sbd *sdp)

gfs2_qd_list_dispose(&dispose);

- wait_event_timeout(sdp->sd_kill_wait,
- (count = atomic_read(&sdp->sd_quota_count)) == 0,
- HZ * 60);
+ wait_event(sdp->sd_kill_wait,
+ (count = atomic_read(&sdp->sd_quota_count)) == 0);

if (count != 0)
fs_err(sdp, "%d left-over quota data objects\n", count);
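Review bot: replacing wait_event_timeout() with an unbounded wait_event() makes the `if (count != 0)` / fs_err() branch directly below unreachable (count is always zero once the wait returns) and turns a bounded 60-second wait into one that can block unmount forever if a queued callback never runs. It also does not address the ordering in the report: the freed-by stack shows the superblock data kfree'd from generic_shutdown_super(), and nothing in this hunk stops that free from happening while gfs2_qd_dealloc() is still queued, so the longer wait only helps on a path that actually reaches gfs2_quota_cleanup() before that free. The retest on this patch hit the same write at quota.c:115.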

syzbot

Sep 30, 2023, 9:28:26 AM
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Write in gfs2_qd_dealloc

==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: slab-use-after-free in atomic_dec_and_test include/linux/atomic/atomic-instrumented.h:1375 [inline]
BUG: KASAN: slab-use-after-free in gfs2_qd_dealloc+0x83/0xf0 fs/gfs2/quota.c:115
Write of size 4 at addr ffff888021940a78 by task syz-executor.0/5384

CPU: 0 PID: 5384 Comm: syz-executor.0 Not tainted 6.6.0-rc3-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:364 [inline]
print_report+0x163/0x540 mm/kasan/report.c:475
kasan_report+0x175/0x1b0 mm/kasan/report.c:588
kasan_check_range+0x27e/0x290 mm/kasan/generic.c:187
instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
atomic_dec_and_test include/linux/atomic/atomic-instrumented.h:1375 [inline]
gfs2_qd_dealloc+0x83/0xf0 fs/gfs2/quota.c:115
rcu_do_batch kernel/rcu/tree.c:2139 [inline]
rcu_core+0xacf/0x1790 kernel/rcu/tree.c:2403
__do_softirq+0x2ab/0x908 kernel/softirq.c:553
invoke_softirq kernel/softirq.c:427 [inline]
__irq_exit_rcu+0xf1/0x1b0 kernel/softirq.c:632
irq_exit_rcu+0x9/0x20 kernel/softirq.c:644
sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1074
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:645
RIP: 0010:preempt_count_add+0x5c/0x180 kernel/sched/core.c:5847
Code: 10 00 75 07 65 8b 05 4b 4a a3 7e 65 01 1d 44 4a a3 7e 48 c7 c0 20 33 ef 91 48 c1 e8 03 42 0f b6 04 38 84 c0 0f 85 d9 00 00 00 <83> 3d 7d c4 8e 10 00 75 11 65 8b 05 1c 4a a3 7e 0f b6 c0 3d f5 00
RSP: 0018:ffffc90004d1f1c8 EFLAGS: 00000297
RAX: 0000000000000004 RBX: 0000000000000001 RCX: ffffffff91ef3303
RDX: ffff888078b05940 RSI: 0000000000000001 RDI: 0000000000000001
RBP: ffffc90004d1f2c0 R08: ffffffff813d9ec1 R09: ffffc90004d1f3b0
R10: 0000000000000003 R11: ffff888078b05940 R12: ffff888078b05940
R13: dffffc0000000000 R14: 0000000000000001 R15: dffffc0000000000
unwind_next_frame+0xc1/0x29e0 arch/x86/kernel/unwind_orc.c:479
arch_stack_walk+0x146/0x1a0 arch/x86/kernel/stacktrace.c:25
stack_trace_save+0x117/0x1c0 kernel/stacktrace.c:122
save_stack+0xfa/0x1e0 mm/page_owner.c:128
__reset_page_owner+0x4f/0x190 mm/page_owner.c:149
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1136 [inline]
free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
free_unref_page_list+0x596/0x830 mm/page_alloc.c:2451
release_pages+0x2113/0x23f0 mm/swap.c:1042
__folio_batch_release+0x84/0x100 mm/swap.c:1062
folio_batch_release include/linux/pagevec.h:83 [inline]
shmem_undo_range+0x6ad/0x19c0 mm/shmem.c:1022
shmem_truncate_range mm/shmem.c:1114 [inline]
shmem_evict_inode+0x29e/0xa80 mm/shmem.c:1243
evict+0x2a4/0x620 fs/inode.c:664
__dentry_kill+0x436/0x650 fs/dcache.c:607
dentry_kill+0xbb/0x290
dput+0x21e/0x470 fs/dcache.c:913
__fput+0x60d/0x910 fs/file_table.c:392
task_work_run+0x24a/0x300 kernel/task_work.c:180
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0xde/0x100 kernel/entry/common.c:171
exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:204
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x64/0x280 kernel/entry/common.c:296
do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7efcc847de17
Code: b0 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 b0 ff ff ff f7 d8 64 89 02 b8
RSP: 002b:00007fff37ab65f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007efcc847de17
RDX: 0000000000000000 RSI: 000000000000000a RDI: 00007fff37ab66b0
RBP: 00007fff37ab66b0 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007fff37ab7770
R13: 00007efcc84c73b9 R14: 0000000000015ee0 R15: 0000000000000003
</TASK>

Allocated by task 5781:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4f/0x70 mm/kasan/common.c:52
____kasan_kmalloc mm/kasan/common.c:374 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:383
kmalloc include/linux/slab.h:599 [inline]
kzalloc include/linux/slab.h:720 [inline]
init_sbd fs/gfs2/ops_fstype.c:77 [inline]
gfs2_fill_super+0x136/0x26c0 fs/gfs2/ops_fstype.c:1164
get_tree_bdev+0x416/0x5b0 fs/super.c:1577
gfs2_get_tree+0x54/0x210 fs/gfs2/ops_fstype.c:1348
vfs_get_tree+0x8c/0x280 fs/super.c:1750
do_new_mount+0x28f/0xae0 fs/namespace.c:3335
do_mount fs/namespace.c:3675 [inline]
__do_sys_mount fs/namespace.c:3884 [inline]
__se_sys_mount+0x2d9/0x3c0 fs/namespace.c:3861
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 5384:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4f/0x70 mm/kasan/common.c:52
kasan_save_free_info+0x28/0x40 mm/kasan/generic.c:522
____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236
kasan_slab_free include/linux/kasan.h:164 [inline]
slab_free_hook mm/slub.c:1800 [inline]
slab_free_freelist_hook mm/slub.c:1826 [inline]
slab_free mm/slub.c:3809 [inline]
__kmem_cache_free+0x25f/0x3b0 mm/slub.c:3822
generic_shutdown_super+0x13a/0x2c0 fs/super.c:693
kill_block_super+0x41/0x70 fs/super.c:1646
deactivate_locked_super+0xa4/0x110 fs/super.c:481
cleanup_mnt+0x426/0x4c0 fs/namespace.c:1254
task_work_run+0x24a/0x300 kernel/task_work.c:180
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0xde/0x100 kernel/entry/common.c:171
exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:204
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x64/0x280 kernel/entry/common.c:296
do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff888021940000
which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 2680 bytes inside of
freed 8192-byte region [ffff888021940000, ffff888021942000)

The buggy address belongs to the physical page:
page:ffffea0000865000 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x21940
head:ffffea0000865000 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
ksm flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000840 ffff888012842280 ffffea000090a600 0000000000000003
raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 5380, tgid 5380 (sh), ts 77913728905, free_ts 77903163637
tomoyo_print_header security/tomoyo/audit.c:156 [inline]
tomoyo_init_log+0x1c9/0x2040 security/tomoyo/audit.c:255
tomoyo_supervisor+0x386/0x11f0 security/tomoyo/common.c:2089
tomoyo_audit_path_log security/tomoyo/file.c:168 [inline]
tomoyo_path_permission+0x243/0x360 security/tomoyo/file.c:587
tomoyo_check_open_permission+0x2fb/0x500 security/tomoyo/file.c:777
security_file_open+0x63/0xa0 security/security.c:2836

Memory state around the buggy address:
ffff888021940900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888021940980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888021940a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888021940a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888021940b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
----------------
Code disassembly (best guess):
0: 10 00 adc %al,(%rax)
2: 75 07 jne 0xb
4: 65 8b 05 4b 4a a3 7e mov %gs:0x7ea34a4b(%rip),%eax # 0x7ea34a56
b: 65 01 1d 44 4a a3 7e add %ebx,%gs:0x7ea34a44(%rip) # 0x7ea34a56
12: 48 c7 c0 20 33 ef 91 mov $0xffffffff91ef3320,%rax
19: 48 c1 e8 03 shr $0x3,%rax
1d: 42 0f b6 04 38 movzbl (%rax,%r15,1),%eax
22: 84 c0 test %al,%al
24: 0f 85 d9 00 00 00 jne 0x103
* 2a: 83 3d 7d c4 8e 10 00 cmpl $0x0,0x108ec47d(%rip) # 0x108ec4ae <-- trapping instruction
31: 75 11 jne 0x44
33: 65 8b 05 1c 4a a3 7e mov %gs:0x7ea34a1c(%rip),%eax # 0x7ea34a56
3a: 0f b6 c0 movzbl %al,%eax
3d: 3d .byte 0x3d
3e: f5 cmc


Tested on:

commit: 6465e260 Linux 6.6-rc3
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=149527ae680000
kernel config: https://syzkaller.appspot.com/x/.config?x=12da82ece7bf46f9
dashboard link: https://syzkaller.appspot.com/bug?extid=29c47e9e51895928698c
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=167cb82a680000

Edward AD

Sep 30, 2023, 11:10:31 AM
to syzbot+29c47e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test slab uaf in gfs2_qd_dealloc

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 6465e260f487

diff --git a/fs/gfs2/quota.c b/fs/gfs2/quota.c
index 171b2713d2e5..32f91383c19c 100644
--- a/fs/gfs2/quota.c
+++ b/fs/gfs2/quota.c
@@ -112,7 +112,7 @@ static void gfs2_qd_dealloc(struct rcu_head *rcu)
struct gfs2_sbd *sdp = qd->qd_sbd;

kmem_cache_free(gfs2_quotad_cachep, qd);
- if (atomic_dec_and_test(&sdp->sd_quota_count))
+ if (atomic_read(&sdp->sd_quota_count) == 0)
wake_up(&sdp->sd_kill_wait);
}

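Review bot: `atomic_read(&sdp->sd_quota_count) == 0` still dereferences sdp from the RCU callback after the qd has been freed, and so does the wake_up(&sdp->sd_kill_wait) on the next line, so if the superblock data can already be gone when the callback runs this only changes the reported access from a write to a read at the same line (the retests that followed report "slab-use-after-free Read in gfs2_qd_dealloc" at quota.c:115). Dropping the decrement here also means the callback no longer pairs with the count the waiter polls, so `== 0` is only meaningful if the decrement that moved elsewhere runs before this callback, which is the opposite of what a pending-callback count needs.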
@@ -135,6 +135,7 @@ static void gfs2_qd_dispose(struct gfs2_quota_data *qd)
}

gfs2_glock_put(qd->qd_gl);
+ atomic_dec(&sdp->sd_quota_count);
call_rcu(&qd->qd_rcu, gfs2_qd_dealloc);
}

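Review bot: decrementing sd_quota_count in gfs2_qd_dispose() before call_rcu() breaks the invariant the waiter in gfs2_quota_cleanup() relies on: the count can reach zero while gfs2_qd_dealloc() is still queued, so a waiter that sees zero may free sdp and the callback then runs against freed memory exactly as in the original report. The count has to cover the callback; either the decrement stays in the callback as its last access to sdp, or teardown waits for queued callbacks by other means (e.g. rcu_barrier()) before freeing sdp.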
@@ -1501,9 +1502,8 @@ void gfs2_quota_cleanup(struct gfs2_sbd *sdp)

Edward AD

Sep 30, 2023, 11:15:58 AM
to syzbot+29c47e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test slab uaf in gfs2_qd_dealloc

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 6465e260f487

diff --git a/fs/gfs2/quota.c b/fs/gfs2/quota.c
index 171b2713d2e5..cb5f0c16b447 100644
--- a/fs/gfs2/quota.c
+++ b/fs/gfs2/quota.c
@@ -112,7 +112,7 @@ static void gfs2_qd_dealloc(struct rcu_head *rcu)
struct gfs2_sbd *sdp = qd->qd_sbd;

kmem_cache_free(gfs2_quotad_cachep, qd);
- if (atomic_dec_and_test(&sdp->sd_quota_count))
+ if (atomic_read(&sdp->sd_quota_count) == 0)
wake_up(&sdp->sd_kill_wait);
}

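Review bot: both the atomic_read() of sdp->sd_quota_count and the wake_up(&sdp->sd_kill_wait) below it still run from the RCU callback after the qd is freed, so a freed sdp is still dereferenced here; KASAN would flag the read rather than the write, and the retests on this series do report "slab-use-after-free Read in gfs2_qd_dealloc" at the same quota.c:115. The change also leaves the callback with no decrement of its own, so the wake condition now depends entirely on a decrement performed before the callback was queued.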
@@ -122,6 +122,7 @@ static void gfs2_qd_dispose(struct gfs2_quota_data *qd)

spin_lock(&qd_lock);
list_del(&qd->qd_list);
+ atomic_dec(&sdp->sd_quota_count);
spin_unlock(&qd_lock);

spin_lock_bucket(qd->qd_hash);
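Review bot: decrementing sd_quota_count here, before the call_rcu() later in gfs2_qd_dispose(), means the count drops while gfs2_qd_dealloc() is still queued, so it no longer represents callbacks that have not yet run and a waiter that sees zero can free sdp while the callback is pending. Holding qd_lock around the atomic does not change that, since the callback never takes qd_lock and the race is between the waiter freeing sdp and the callback touching it.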

syzbot

Sep 30, 2023, 11:22:32 AM
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in gfs2_qd_dealloc

==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read include/linux/instrumented.h:68 [inline]
BUG: KASAN: slab-use-after-free in atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
BUG: KASAN: slab-use-after-free in gfs2_qd_dealloc+0x85/0xf0 fs/gfs2/quota.c:115
Read of size 4 at addr ffff88807bdc8a78 by task ksoftirqd/1/22

CPU: 1 PID: 22 Comm: ksoftirqd/1 Not tainted 6.6.0-rc3-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:364 [inline]
print_report+0x163/0x540 mm/kasan/report.c:475
kasan_report+0x175/0x1b0 mm/kasan/report.c:588
kasan_check_range+0x27e/0x290 mm/kasan/generic.c:187
instrument_atomic_read include/linux/instrumented.h:68 [inline]
atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
gfs2_qd_dealloc+0x85/0xf0 fs/gfs2/quota.c:115
rcu_do_batch kernel/rcu/tree.c:2139 [inline]
rcu_core+0xacf/0x1790 kernel/rcu/tree.c:2403
__do_softirq+0x2ab/0x908 kernel/softirq.c:553
run_ksoftirqd+0xc5/0x120 kernel/softirq.c:921
smpboot_thread_fn+0x530/0x9f0 kernel/smpboot.c:164
kthread+0x2d3/0x370 kernel/kthread.c:388
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
</TASK>

Allocated by task 5803:
The buggy address belongs to the object at ffff88807bdc8000
which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 2680 bytes inside of
freed 8192-byte region [ffff88807bdc8000, ffff88807bdca000)

The buggy address belongs to the physical page:
page:ffffea0001ef7200 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7bdc8
head:ffffea0001ef7200 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
ksm flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000840 ffff888012842280 ffffea000061c600 dead000000000003
raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4864, tgid 4864 (dhcpcd-run-hook), ts 41488886773, free_ts 41477582693
__do_kmalloc_node mm/slab_common.c:1022 [inline]
__kmalloc+0xa8/0x230 mm/slab_common.c:1036
kmalloc include/linux/slab.h:603 [inline]
tomoyo_realpath_from_path+0xcf/0x5e0 security/tomoyo/realpath.c:251
tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
tomoyo_path_perm+0x2b7/0x730 security/tomoyo/file.c:822
security_inode_getattr+0xd3/0x120 security/security.c:2153
vfs_getattr+0x2a/0x3a0 fs/stat.c:169
vfs_fstat fs/stat.c:194 [inline]
vfs_fstatat+0xd6/0x190 fs/stat.c:291

Memory state around the buggy address:
ffff88807bdc8900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807bdc8980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88807bdc8a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88807bdc8a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807bdc8b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit: 6465e260 Linux 6.6-rc3
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=173a7dda680000
kernel config: https://syzkaller.appspot.com/x/.config?x=12da82ece7bf46f9
dashboard link: https://syzkaller.appspot.com/bug?extid=29c47e9e51895928698c
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=122e458a680000

syzbot

Sep 30, 2023, 11:34:29 AM
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in gfs2_qd_dealloc

==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read include/linux/instrumented.h:68 [inline]
BUG: KASAN: slab-use-after-free in atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
BUG: KASAN: slab-use-after-free in gfs2_qd_dealloc+0x85/0xf0 fs/gfs2/quota.c:115
Read of size 4 at addr ffff88807d22ca78 by task syz-executor.0/5384

CPU: 0 PID: 5384 Comm: syz-executor.0 Not tainted 6.6.0-rc3-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:364 [inline]
print_report+0x163/0x540 mm/kasan/report.c:475
kasan_report+0x175/0x1b0 mm/kasan/report.c:588
kasan_check_range+0x27e/0x290 mm/kasan/generic.c:187
instrument_atomic_read include/linux/instrumented.h:68 [inline]
atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
gfs2_qd_dealloc+0x85/0xf0 fs/gfs2/quota.c:115
rcu_do_batch kernel/rcu/tree.c:2139 [inline]
rcu_core+0xacf/0x1790 kernel/rcu/tree.c:2403
__do_softirq+0x2ab/0x908 kernel/softirq.c:553
invoke_softirq kernel/softirq.c:427 [inline]
__irq_exit_rcu+0xf1/0x1b0 kernel/softirq.c:632
irq_exit_rcu+0x9/0x20 kernel/softirq.c:644
sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1074
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:645
RIP: 0010:check_kcov_mode kernel/kcov.c:175 [inline]
RIP: 0010:write_comp_data kernel/kcov.c:236 [inline]
RIP: 0010:__sanitizer_cov_trace_switch+0xbb/0x110 kernel/kcov.c:341
Code: c2 49 39 d2 74 71 4c 8b 74 d6 10 65 8b 05 f5 a8 75 7e a9 00 01 ff 00 74 11 a9 00 01 00 00 74 de 41 83 bb 04 16 00 00 00 74 d4 <41> 8b 83 e0 15 00 00 83 f8 03 75 c8 49 8b 8b e8 15 00 00 45 8b bb
RSP: 0018:ffffc900052c71c0 EFLAGS: 00000246
RAX: 0000000080000001 RBX: 0000000000000000 RCX: ffff888028ef5940
RDX: 0000000000000006 RSI: ffffffff8d19cdc0 RDI: 0000000000000005
RBP: 0000000000000005 R08: 0000000000000005 R09: ffffffff813da5e3
R10: 0000000000000008 R11: ffff888028ef5940 R12: ffffffff8eb2ad10
R13: dffffc0000000000 R14: 0000000000000008 R15: 1ffff92000a58e58
unwind_next_frame+0x7c3/0x29e0 arch/x86/kernel/unwind_orc.c:515
arch_stack_walk+0x146/0x1a0 arch/x86/kernel/stacktrace.c:25
stack_trace_save+0x117/0x1c0 kernel/stacktrace.c:122
save_stack+0xfa/0x1e0 mm/page_owner.c:128
__reset_page_owner+0x4f/0x190 mm/page_owner.c:149
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1136 [inline]
free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
free_unref_page_list+0x596/0x830 mm/page_alloc.c:2451
release_pages+0x2113/0x23f0 mm/swap.c:1042
__folio_batch_release+0x84/0x100 mm/swap.c:1062
folio_batch_release include/linux/pagevec.h:83 [inline]
shmem_undo_range+0x6ad/0x19c0 mm/shmem.c:1022
shmem_truncate_range mm/shmem.c:1114 [inline]
shmem_evict_inode+0x29e/0xa80 mm/shmem.c:1243
evict+0x2a4/0x620 fs/inode.c:664
__dentry_kill+0x436/0x650 fs/dcache.c:607
dentry_kill+0xbb/0x290
dput+0x21e/0x470 fs/dcache.c:913
__fput+0x60d/0x910 fs/file_table.c:392
task_work_run+0x24a/0x300 kernel/task_work.c:180
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0xde/0x100 kernel/entry/common.c:171
exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:204
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x64/0x280 kernel/entry/common.c:296
do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f821e47de17
Code: b0 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 b0 ff ff ff f7 d8 64 89 02 b8
RSP: 002b:00007ffd4757b2e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f821e47de17
RDX: 0000000000000000 RSI: 000000000000000a RDI: 00007ffd4757b3a0
RBP: 00007ffd4757b3a0 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007ffd4757c460
R13: 00007f821e4c73b9 R14: 0000000000018554 R15: 0000000000000003
</TASK>

Allocated by task 5819:
The buggy address belongs to the object at ffff88807d22c000
which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 2680 bytes inside of
freed 8192-byte region [ffff88807d22c000, ffff88807d22e000)

The buggy address belongs to the physical page:
page:ffffea0001f48a00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7d228
head:ffffea0001f48a00 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000840 ffff888012842280 ffffea0001f4e600 dead000000000004
raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4863, tgid 4863 (dhcpcd-run-hook), ts 42490715685, free_ts 42477574008
ffff88807d22c900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807d22c980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88807d22ca00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88807d22ca80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807d22cb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
----------------
Code disassembly (best guess):
0: c2 49 39 ret $0x3949
3: d2 74 71 4c shlb %cl,0x4c(%rcx,%rsi,2)
7: 8b 74 d6 10 mov 0x10(%rsi,%rdx,8),%esi
b: 65 8b 05 f5 a8 75 7e mov %gs:0x7e75a8f5(%rip),%eax # 0x7e75a907
12: a9 00 01 ff 00 test $0xff0100,%eax
17: 74 11 je 0x2a
19: a9 00 01 00 00 test $0x100,%eax
1e: 74 de je 0xfffffffe
20: 41 83 bb 04 16 00 00 cmpl $0x0,0x1604(%r11)
27: 00
28: 74 d4 je 0xfffffffe
* 2a: 41 8b 83 e0 15 00 00 mov 0x15e0(%r11),%eax <-- trapping instruction
31: 83 f8 03 cmp $0x3,%eax
34: 75 c8 jne 0xfffffffe
36: 49 8b 8b e8 15 00 00 mov 0x15e8(%r11),%rcx
3d: 45 rex.RB
3e: 8b .byte 0x8b
3f: bb .byte 0xbb


Tested on:

commit: 6465e260 Linux 6.6-rc3
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=16aef21a680000
kernel config: https://syzkaller.appspot.com/x/.config?x=12da82ece7bf46f9
dashboard link: https://syzkaller.appspot.com/bug?extid=29c47e9e51895928698c
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=14847a1a680000

Edward AD

Oct 3, 2023, 6:01:36 AM10/3/23
to syzbot+29c47e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test slab uaf in gfs2_qd_dealloc

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 6465e260f487

diff --git a/fs/gfs2/quota.c b/fs/gfs2/quota.c
index 171b2713d2e5..f7c0b0b73e97 100644
--- a/fs/gfs2/quota.c
+++ b/fs/gfs2/quota.c
@@ -112,7 +112,9 @@ static void gfs2_qd_dealloc(struct rcu_head *rcu)
struct gfs2_sbd *sdp = qd->qd_sbd;

kmem_cache_free(gfs2_quotad_cachep, qd);
- if (atomic_dec_and_test(&sdp->sd_quota_count))
+ if (!sdp)
+ return;
+ if (atomic_read(&sdp->sd_quota_count) == 0)
wake_up(&sdp->sd_kill_wait);
}

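Review bot: the new `if (!sdp) return;` guard does not address what the sanitizer reports. The freed object is the struct gfs2_sbd itself (the reports' Allocated stacks show init_sbd via gfs2_fill_super, the Freed stacks generic_shutdown_super), so qd->qd_sbd is a non-NULL dangling pointer and the replacement `atomic_read(&sdp->sd_quota_count) == 0` still touches freed memory, which is exactly the Read UAF syzbot reproduces at quota.c:117 for this patch. Replacing `atomic_dec_and_test()` with a plain zero test also turns the wake-up into a race: the decrement that brings the count to zero now happens elsewhere, so a callback that observes zero here may run after the waiter in gfs2_quota_cleanup has returned and the superblock has been torn down. Either sdp must be guaranteed to outlive every pending gfs2_qd_dealloc (for instance an rcu_barrier() before free_sbd), or the callback must stop dereferencing sdp altogether.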
@@ -122,6 +124,7 @@ static void gfs2_qd_dispose(struct gfs2_quota_data *qd)

spin_lock(&qd_lock);
list_del(&qd->qd_list);
+ atomic_dec(&sdp->sd_quota_count);
spin_unlock(&qd_lock);

spin_lock_bucket(qd->qd_hash);
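Review bot: moving `atomic_dec(&sdp->sd_quota_count)` into gfs2_qd_dispose, ahead of the RCU grace period, makes the ordering problem worse rather than better. sd_quota_count now reaches zero while gfs2_qd_dealloc callbacks are still queued, so the wait in gfs2_quota_cleanup can complete and the superblock can be freed before those callbacks run; each callback then reads sdp->sd_quota_count from freed memory. If the count is meant to gate superblock teardown on the quota objects being fully released, it has to be decremented once the object is actually gone (in the callback), and teardown must wait for the callbacks themselves (rcu_barrier()) rather than for the count alone.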
@@ -1501,9 +1504,8 @@ void gfs2_quota_cleanup(struct gfs2_sbd *sdp)

syzbot

Oct 3, 2023, 6:18:28 AM10/3/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in gfs2_qd_dealloc

==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read include/linux/instrumented.h:68 [inline]
BUG: KASAN: slab-use-after-free in atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
BUG: KASAN: slab-use-after-free in gfs2_qd_dealloc+0x8a/0x100 fs/gfs2/quota.c:117
Read of size 4 at addr ffff888017710a78 by task udevd/5381

CPU: 1 PID: 5381 Comm: udevd Not tainted 6.6.0-rc3-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:364 [inline]
print_report+0x163/0x540 mm/kasan/report.c:475
kasan_report+0x175/0x1b0 mm/kasan/report.c:588
kasan_check_range+0x27e/0x290 mm/kasan/generic.c:187
instrument_atomic_read include/linux/instrumented.h:68 [inline]
atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
gfs2_qd_dealloc+0x8a/0x100 fs/gfs2/quota.c:117
rcu_do_batch kernel/rcu/tree.c:2139 [inline]
rcu_core+0xacf/0x1790 kernel/rcu/tree.c:2403
__do_softirq+0x2ab/0x908 kernel/softirq.c:553
invoke_softirq kernel/softirq.c:427 [inline]
__irq_exit_rcu+0xf1/0x1b0 kernel/softirq.c:632
irq_exit_rcu+0x9/0x20 kernel/softirq.c:644
sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1074
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:645
RIP: 0010:filter_irq_stacks+0x2e/0xa0 kernel/stacktrace.c:394
Code: 55 41 57 41 56 41 55 41 54 53 85 f6 74 72 49 89 fe 41 89 f4 45 31 ff 48 c7 c5 90 01 e0 8a 49 c7 c5 40 f5 d7 8a 48 89 fb eb 0c <49> ff c7 48 83 c3 08 4d 39 fc 74 4f 48 89 d8 48 c1 e8 03 48 b9 00
RSP: 0018:ffffc90004fbf9d0 EFLAGS: 00000283
RAX: ffffffff81769937 RBX: ffffc90004fbfa70 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: 0000000000000009 RDI: ffffc90004fbfa60
RBP: ffffffff8ae00190 R08: ffffffff81349cfc R09: 1ffffffff1d34f1d
R10: dffffc0000000000 R11: fffffbfff1d34f1e R12: 0000000000000009
R13: ffffffff8ad7f540 R14: ffffc90004fbfa60 R15: 0000000000000002
__stack_depot_save+0x20/0x650 lib/stackdepot.c:377
kasan_save_stack+0x4f/0x60 mm/kasan/common.c:46
__kasan_record_aux_stack+0xad/0xc0 mm/kasan/generic.c:492
__call_rcu_common kernel/rcu/tree.c:2653 [inline]
call_rcu+0x167/0xa70 kernel/rcu/tree.c:2767
task_work_run+0x24a/0x300 kernel/task_work.c:180
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0xde/0x100 kernel/entry/common.c:171
exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:204
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x64/0x280 kernel/entry/common.c:296
do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fc63c716ab9
Code: 00 00 00 44 8b 54 24 58 48 89 44 24 30 48 8d 44 24 40 48 89 44 24 38 64 8b 04 25 18 00 00 00 85 c0 75 21 b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 76 6f 48 8b 15 40 a3 0d 00 f7 d8 64 89 02 48 83
RSP: 002b:00007fff180f8ea0 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: fffffffffffffffe RBX: 00007fff180fb000 RCX: 00007fc63c716ab9
RDX: 0000000000080000 RSI: 00007fc63cc7fdd8 RDI: 000000000000000b
RBP: 000055726b104950 R08: 000055726b100b10 R09: 00007fc63c7f1b20
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000000b
R13: 00007fc63cc7fdd8 R14: 0000000000080000 R15: 0000000000000001
</TASK>

Allocated by task 5812:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4f/0x70 mm/kasan/common.c:52
____kasan_kmalloc mm/kasan/common.c:374 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:383
kmalloc include/linux/slab.h:599 [inline]
kzalloc include/linux/slab.h:720 [inline]
init_sbd fs/gfs2/ops_fstype.c:77 [inline]
gfs2_fill_super+0x136/0x26c0 fs/gfs2/ops_fstype.c:1164
get_tree_bdev+0x416/0x5b0 fs/super.c:1577
gfs2_get_tree+0x54/0x210 fs/gfs2/ops_fstype.c:1348
vfs_get_tree+0x8c/0x280 fs/super.c:1750
do_new_mount+0x28f/0xae0 fs/namespace.c:3335
do_mount fs/namespace.c:3675 [inline]
__do_sys_mount fs/namespace.c:3884 [inline]
__se_sys_mount+0x2d9/0x3c0 fs/namespace.c:3861
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 5396:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4f/0x70 mm/kasan/common.c:52
kasan_save_free_info+0x28/0x40 mm/kasan/generic.c:522
____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236
kasan_slab_free include/linux/kasan.h:164 [inline]
slab_free_hook mm/slub.c:1800 [inline]
slab_free_freelist_hook mm/slub.c:1826 [inline]
slab_free mm/slub.c:3809 [inline]
__kmem_cache_free+0x25f/0x3b0 mm/slub.c:3822
generic_shutdown_super+0x13a/0x2c0 fs/super.c:693
kill_block_super+0x41/0x70 fs/super.c:1646
deactivate_locked_super+0xa4/0x110 fs/super.c:481
cleanup_mnt+0x426/0x4c0 fs/namespace.c:1254
task_work_run+0x24a/0x300 kernel/task_work.c:180
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0xde/0x100 kernel/entry/common.c:171
exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:204
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x64/0x280 kernel/entry/common.c:296
do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff888017710000
which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 2680 bytes inside of
freed 8192-byte region [ffff888017710000, ffff888017712000)

The buggy address belongs to the physical page:
page:ffffea00005dc400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x17710
head:ffffea00005dc400 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000840 ffff888012842280 ffffea0001ef9200 dead000000000005
raw: 0000000000000000 0000000000020002 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 8586024694, free_ts 0
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
get_page_from_freelist+0x31db/0x3360 mm/page_alloc.c:3170
__alloc_pages+0x255/0x670 mm/page_alloc.c:4426
alloc_page_interleave+0x22/0x1d0 mm/mempolicy.c:2131
alloc_slab_page+0x6a/0x160 mm/slub.c:1870
allocate_slab mm/slub.c:2017 [inline]
new_slab+0x84/0x2f0 mm/slub.c:2070
___slab_alloc+0xc85/0x1310 mm/slub.c:3223
__slab_alloc mm/slub.c:3322 [inline]
__slab_alloc_node mm/slub.c:3375 [inline]
slab_alloc_node mm/slub.c:3468 [inline]
__kmem_cache_alloc_node+0x1af/0x270 mm/slub.c:3517
__do_kmalloc_node mm/slab_common.c:1022 [inline]
__kmalloc+0xa8/0x230 mm/slab_common.c:1036
acpi_ut_initialize_buffer+0x1d1/0x2b0
acpi_rs_create_pci_routing_table+0x116/0xa50 drivers/acpi/acpica/rscreate.c:212
acpi_rs_get_prt_method_data+0xe8/0x140 drivers/acpi/acpica/rsutils.c:456
acpi_pci_irq_find_prt_entry+0x16e/0xde0 drivers/acpi/pci_irq.c:214
acpi_pci_irq_lookup+0xb0/0x7a0 drivers/acpi/pci_irq.c:298
acpi_pci_irq_enable+0x23a/0x9a0 drivers/acpi/pci_irq.c:413
do_pci_enable_device+0x212/0x490 drivers/pci/pci.c:1953
page_owner free stack trace missing

Memory state around the buggy address:
ffff888017710900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888017710980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888017710a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888017710a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888017710b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
----------------
Code disassembly (best guess):
0: 55 push %rbp
1: 41 57 push %r15
3: 41 56 push %r14
5: 41 55 push %r13
7: 41 54 push %r12
9: 53 push %rbx
a: 85 f6 test %esi,%esi
c: 74 72 je 0x80
e: 49 89 fe mov %rdi,%r14
11: 41 89 f4 mov %esi,%r12d
14: 45 31 ff xor %r15d,%r15d
17: 48 c7 c5 90 01 e0 8a mov $0xffffffff8ae00190,%rbp
1e: 49 c7 c5 40 f5 d7 8a mov $0xffffffff8ad7f540,%r13
25: 48 89 fb mov %rdi,%rbx
28: eb 0c jmp 0x36
* 2a: 49 ff c7 inc %r15 <-- trapping instruction
2d: 48 83 c3 08 add $0x8,%rbx
31: 4d 39 fc cmp %r15,%r12
34: 74 4f je 0x85
36: 48 89 d8 mov %rbx,%rax
39: 48 c1 e8 03 shr $0x3,%rax
3d: 48 rex.W
3e: b9 .byte 0xb9


Tested on:

commit: 6465e260 Linux 6.6-rc3
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=161c9c92680000
kernel config: https://syzkaller.appspot.com/x/.config?x=12da82ece7bf46f9
dashboard link: https://syzkaller.appspot.com/bug?extid=29c47e9e51895928698c
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1175f992680000

Edward AD

Oct 3, 2023, 6:37:22 AM10/3/23
to syzbot+29c47e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test slab uaf in gfs2_qd_dealloc

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 6465e260f487

diff --git a/fs/gfs2/quota.c b/fs/gfs2/quota.c
index 171b2713d2e5..25f257e41a96 100644
--- a/fs/gfs2/quota.c
+++ b/fs/gfs2/quota.c
@@ -109,9 +109,11 @@ static inline void spin_unlock_bucket(unsigned int hash)
static void gfs2_qd_dealloc(struct rcu_head *rcu)
{
struct gfs2_quota_data *qd = container_of(rcu, struct gfs2_quota_data, qd_rcu);
- struct gfs2_sbd *sdp = qd->qd_sbd;
+ struct gfs2_sbd *sdp = READ_ONCE(qd->qd_sbd);

kmem_cache_free(gfs2_quotad_cachep, qd);
+ if (!sdp)
+ return;
if (atomic_dec_and_test(&sdp->sd_quota_count))
wake_up(&sdp->sd_kill_wait);
}
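Review bot: READ_ONCE() and the `if (!sdp) return;` guard do not change what KASAN reports. qd_sbd is read before kmem_cache_free() in both the old and the new code, so there is no load ordering being fixed here, and the pointer is never NULL: the reports show a valid pointer 2680 bytes into an 8192-byte kmalloc-8k object (the gfs2_sbd) that generic_shutdown_super has already freed. The retest for this patch reproduces the same Write UAF at quota.c:117 on `atomic_dec_and_test(&sdp->sd_quota_count)`. A NULL test cannot detect a dangling pointer; the fix has to make the superblock outlive the RCU callbacks, or keep the callback from touching sdp.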

syzbot

Oct 3, 2023, 6:49:28 AM10/3/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Write in gfs2_qd_dealloc

==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: slab-use-after-free in atomic_dec_and_test include/linux/atomic/atomic-instrumented.h:1375 [inline]
BUG: KASAN: slab-use-after-free in gfs2_qd_dealloc+0x88/0xf0 fs/gfs2/quota.c:117
Write of size 4 at addr ffff8880252bca78 by task swapper/0/0

CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.6.0-rc3-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:364 [inline]
print_report+0x163/0x540 mm/kasan/report.c:475
kasan_report+0x175/0x1b0 mm/kasan/report.c:588
kasan_check_range+0x27e/0x290 mm/kasan/generic.c:187
instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
atomic_dec_and_test include/linux/atomic/atomic-instrumented.h:1375 [inline]
gfs2_qd_dealloc+0x88/0xf0 fs/gfs2/quota.c:117
rcu_do_batch kernel/rcu/tree.c:2139 [inline]
rcu_core+0xacf/0x1790 kernel/rcu/tree.c:2403
__do_softirq+0x2ab/0x908 kernel/softirq.c:553
invoke_softirq kernel/softirq.c:427 [inline]
__irq_exit_rcu+0xf1/0x1b0 kernel/softirq.c:632
irq_exit_rcu+0x9/0x20 kernel/softirq.c:644
sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1074
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:645
RIP: 0010:native_irq_disable arch/x86/include/asm/irqflags.h:37 [inline]
RIP: 0010:arch_local_irq_disable arch/x86/include/asm/irqflags.h:72 [inline]
RIP: 0010:acpi_safe_halt+0x20/0x30 drivers/acpi/processor_idle.c:113
Code: 7f 04 eb 36 66 0f 1f 44 00 00 65 48 8b 05 e8 4b 36 75 48 f7 00 08 00 00 00 75 10 66 90 0f 00 2d 76 a5 95 00 f3 0f 1e fa fb f4 <fa> c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 89 fa ec 48 8b 05
RSP: 0018:ffffffff8d007ca8 EFLAGS: 00000246
RAX: ffffffff8d094540 RBX: ffff888012ec6064 RCX: 000000000001eb49
RDX: 0000000000000001 RSI: ffff888012ec6000 RDI: ffff888012ec6064
RBP: 0000000000038df8 R08: ffff8880b9836bcb R09: 1ffff11017306d79
R10: dffffc0000000000 R11: ffffed1017306d7a R12: ffff888140ac5000
R13: 0000000000000000 R14: 0000000000000001 R15: ffffffff8da1f660
acpi_idle_enter+0xe4/0x140 drivers/acpi/processor_idle.c:707
cpuidle_enter_state+0x10e/0x470 drivers/cpuidle/cpuidle.c:267
cpuidle_enter+0x5d/0x90 drivers/cpuidle/cpuidle.c:388
call_cpuidle kernel/sched/idle.c:134 [inline]
cpuidle_idle_call kernel/sched/idle.c:215 [inline]
do_idle+0x374/0x5c0 kernel/sched/idle.c:282
cpu_startup_entry+0x41/0x60 kernel/sched/idle.c:380
rest_init+0x2e0/0x300 init/main.c:726
arch_call_rest_init+0xe/0x10 init/main.c:823
start_kernel+0x46e/0x4f0 init/main.c:1068
x86_64_start_reservations+0x2a/0x30 arch/x86/kernel/head64.c:556
x86_64_start_kernel+0x99/0xa0 arch/x86/kernel/head64.c:537
secondary_startup_64_no_verify+0x167/0x16b
</TASK>

Allocated by task 5805:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4f/0x70 mm/kasan/common.c:52
____kasan_kmalloc mm/kasan/common.c:374 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:383
kmalloc include/linux/slab.h:599 [inline]
kzalloc include/linux/slab.h:720 [inline]
init_sbd fs/gfs2/ops_fstype.c:77 [inline]
gfs2_fill_super+0x136/0x26c0 fs/gfs2/ops_fstype.c:1164
get_tree_bdev+0x416/0x5b0 fs/super.c:1577
gfs2_get_tree+0x54/0x210 fs/gfs2/ops_fstype.c:1348
vfs_get_tree+0x8c/0x280 fs/super.c:1750
do_new_mount+0x28f/0xae0 fs/namespace.c:3335
do_mount fs/namespace.c:3675 [inline]
__do_sys_mount fs/namespace.c:3884 [inline]
__se_sys_mount+0x2d9/0x3c0 fs/namespace.c:3861
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 5392:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4f/0x70 mm/kasan/common.c:52
kasan_save_free_info+0x28/0x40 mm/kasan/generic.c:522
____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236
kasan_slab_free include/linux/kasan.h:164 [inline]
slab_free_hook mm/slub.c:1800 [inline]
slab_free_freelist_hook mm/slub.c:1826 [inline]
slab_free mm/slub.c:3809 [inline]
__kmem_cache_free+0x25f/0x3b0 mm/slub.c:3822
generic_shutdown_super+0x13a/0x2c0 fs/super.c:693
kill_block_super+0x41/0x70 fs/super.c:1646
deactivate_locked_super+0xa4/0x110 fs/super.c:481
cleanup_mnt+0x426/0x4c0 fs/namespace.c:1254
task_work_run+0x24a/0x300 kernel/task_work.c:180
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0xde/0x100 kernel/entry/common.c:171
exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:204
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x64/0x280 kernel/entry/common.c:296
do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff8880252bc000
which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 2680 bytes inside of
freed 8192-byte region [ffff8880252bc000, ffff8880252be000)

The buggy address belongs to the physical page:
page:ffffea000094ae00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x252b8
head:ffffea000094ae00 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000840 ffff888012842280 ffffea0000909c00 0000000000000002
raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4708, tgid 4708 (dhcpcd-run-hook), ts 45194433683, free_ts 45158202311
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
get_page_from_freelist+0x31db/0x3360 mm/page_alloc.c:3170
__alloc_pages+0x255/0x670 mm/page_alloc.c:4426
alloc_slab_page+0x6a/0x160 mm/slub.c:1870
allocate_slab mm/slub.c:2017 [inline]
new_slab+0x84/0x2f0 mm/slub.c:2070
___slab_alloc+0xc85/0x1310 mm/slub.c:3223
__slab_alloc mm/slub.c:3322 [inline]
__slab_alloc_node mm/slub.c:3375 [inline]
slab_alloc_node mm/slub.c:3468 [inline]
__kmem_cache_alloc_node+0x1af/0x270 mm/slub.c:3517
kmalloc_trace+0x2a/0xe0 mm/slab_common.c:1114
kmalloc include/linux/slab.h:599 [inline]
kzalloc include/linux/slab.h:720 [inline]
__kmem_cache_alloc_node+0x141/0x270 mm/slub.c:3517
__do_kmalloc_node mm/slab_common.c:1022 [inline]
__kmalloc_node_track_caller+0xa5/0x230 mm/slab_common.c:1043
__do_krealloc mm/slab_common.c:1411 [inline]
krealloc+0x79/0x110 mm/slab_common.c:1444
ima_collect_measurement+0x54a/0x890 security/integrity/ima/ima_api.c:296
process_measurement+0xfea/0x1cf0 security/integrity/ima/ima_main.c:345
ima_bprm_check+0x128/0x2b0 security/integrity/ima/ima_main.c:518
search_binary_handler fs/exec.c:1727 [inline]
exec_binprm fs/exec.c:1781 [inline]
bprm_execve+0x8c7/0x17c0 fs/exec.c:1856

Memory state around the buggy address:
ffff8880252bc900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880252bc980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880252bca00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880252bca80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880252bcb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
----------------
Code disassembly (best guess):
0: 7f 04 jg 0x6
2: eb 36 jmp 0x3a
4: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1)
a: 65 48 8b 05 e8 4b 36 mov %gs:0x75364be8(%rip),%rax # 0x75364bfa
11: 75
12: 48 f7 00 08 00 00 00 testq $0x8,(%rax)
19: 75 10 jne 0x2b
1b: 66 90 xchg %ax,%ax
1d: 0f 00 2d 76 a5 95 00 verw 0x95a576(%rip) # 0x95a59a
24: f3 0f 1e fa endbr64
28: fb sti
29: f4 hlt
* 2a: fa cli <-- trapping instruction
2b: c3 ret
2c: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)
33: 00 00 00
36: 0f 1f 40 00 nopl 0x0(%rax)
3a: 89 fa mov %edi,%edx
3c: ec in (%dx),%al
3d: 48 rex.W
3e: 8b .byte 0x8b
3f: 05 .byte 0x5


Tested on:

commit: 6465e260 Linux 6.6-rc3
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1493c1b2680000
kernel config: https://syzkaller.appspot.com/x/.config?x=12da82ece7bf46f9
dashboard link: https://syzkaller.appspot.com/bug?extid=29c47e9e51895928698c
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1713c1b2680000

Edward AD

Oct 3, 2023, 6:57:21 AM10/3/23
to syzbot+29c47e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test slab uaf in gfs2_qd_dealloc

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 6465e260f487

diff --git a/fs/gfs2/quota.c b/fs/gfs2/quota.c
index 171b2713d2e5..1dba7e29b9c3 100644
--- a/fs/gfs2/quota.c
+++ b/fs/gfs2/quota.c
@@ -112,6 +112,8 @@ static void gfs2_qd_dealloc(struct rcu_head *rcu)
struct gfs2_sbd *sdp = qd->qd_sbd;

kmem_cache_free(gfs2_quotad_cachep, qd);
+ if (IS_ERR_OR_NULL(sdp))
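Review bot: IS_ERR_OR_NULL(sdp) cannot catch this case either. A dangling pointer to a freed struct gfs2_sbd is neither NULL nor an ERR_PTR value, so the check always falls through to the same `atomic_dec_and_test(&sdp->sd_quota_count)` dereference, and the retest shows the identical Write UAF at quota.c:117. The body of the new `if` is also missing from the message, so what the guard does on its true branch cannot be reviewed.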

syzbot

Oct 3, 2023, 7:10:38 AM10/3/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Write in gfs2_qd_dealloc

==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: slab-use-after-free in atomic_dec_and_test include/linux/atomic/atomic-instrumented.h:1375 [inline]
BUG: KASAN: slab-use-after-free in gfs2_qd_dealloc+0x91/0x100 fs/gfs2/quota.c:117
Write of size 4 at addr ffff888020aaca78 by task swapper/1/0

CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.6.0-rc3-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:364 [inline]
print_report+0x163/0x540 mm/kasan/report.c:475
kasan_report+0x175/0x1b0 mm/kasan/report.c:588
kasan_check_range+0x27e/0x290 mm/kasan/generic.c:187
instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
atomic_dec_and_test include/linux/atomic/atomic-instrumented.h:1375 [inline]
gfs2_qd_dealloc+0x91/0x100 fs/gfs2/quota.c:117
rcu_do_batch kernel/rcu/tree.c:2139 [inline]
rcu_core+0xacf/0x1790 kernel/rcu/tree.c:2403
__do_softirq+0x2ab/0x908 kernel/softirq.c:553
invoke_softirq kernel/softirq.c:427 [inline]
__irq_exit_rcu+0xf1/0x1b0 kernel/softirq.c:632
irq_exit_rcu+0x9/0x20 kernel/softirq.c:644
sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1074
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:645
RIP: 0010:native_irq_disable arch/x86/include/asm/irqflags.h:37 [inline]
RIP: 0010:arch_local_irq_disable arch/x86/include/asm/irqflags.h:72 [inline]
RIP: 0010:acpi_safe_halt+0x20/0x30 drivers/acpi/processor_idle.c:113
Code: 7f 04 eb 36 66 0f 1f 44 00 00 65 48 8b 05 e8 4b 36 75 48 f7 00 08 00 00 00 75 10 66 90 0f 00 2d 76 a5 95 00 f3 0f 1e fa fb f4 <fa> c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 89 fa ec 48 8b 05
RSP: 0018:ffffc90000187d08 EFLAGS: 00000246
RAX: ffff888016e4bb80 RBX: ffff888014ae8864 RCX: 0000000000031321
RDX: 0000000000000001 RSI: ffff888014ae8800 RDI: ffff888014ae8864
RBP: 0000000000038df8 R08: ffff8880b9936bcb R09: 1ffff11017326d79
R10: dffffc0000000000 R11: ffffed1017326d7a R12: ffff8881416a3000
R13: 0000000000000000 R14: 0000000000000001 R15: ffffffff8da1f660
acpi_idle_enter+0xe4/0x140 drivers/acpi/processor_idle.c:707
cpuidle_enter_state+0x10e/0x470 drivers/cpuidle/cpuidle.c:267
cpuidle_enter+0x5d/0x90 drivers/cpuidle/cpuidle.c:388
call_cpuidle kernel/sched/idle.c:134 [inline]
cpuidle_idle_call kernel/sched/idle.c:215 [inline]
do_idle+0x374/0x5c0 kernel/sched/idle.c:282
cpu_startup_entry+0x41/0x60 kernel/sched/idle.c:380
start_secondary+0xee/0xf0 arch/x86/kernel/smpboot.c:326
secondary_startup_64_no_verify+0x167/0x16b
</TASK>

Allocated by task 5847:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4f/0x70 mm/kasan/common.c:52
____kasan_kmalloc mm/kasan/common.c:374 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:383
kmalloc include/linux/slab.h:599 [inline]
kzalloc include/linux/slab.h:720 [inline]
init_sbd fs/gfs2/ops_fstype.c:77 [inline]
gfs2_fill_super+0x136/0x26c0 fs/gfs2/ops_fstype.c:1164
get_tree_bdev+0x416/0x5b0 fs/super.c:1577
gfs2_get_tree+0x54/0x210 fs/gfs2/ops_fstype.c:1348
vfs_get_tree+0x8c/0x280 fs/super.c:1750
do_new_mount+0x28f/0xae0 fs/namespace.c:3335
do_mount fs/namespace.c:3675 [inline]
__do_sys_mount fs/namespace.c:3884 [inline]
__se_sys_mount+0x2d9/0x3c0 fs/namespace.c:3861
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 5393:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4f/0x70 mm/kasan/common.c:52
kasan_save_free_info+0x28/0x40 mm/kasan/generic.c:522
____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236
kasan_slab_free include/linux/kasan.h:164 [inline]
slab_free_hook mm/slub.c:1800 [inline]
slab_free_freelist_hook mm/slub.c:1826 [inline]
slab_free mm/slub.c:3809 [inline]
__kmem_cache_free+0x25f/0x3b0 mm/slub.c:3822
generic_shutdown_super+0x13a/0x2c0 fs/super.c:693
kill_block_super+0x41/0x70 fs/super.c:1646
deactivate_locked_super+0xa4/0x110 fs/super.c:481
cleanup_mnt+0x426/0x4c0 fs/namespace.c:1254
task_work_run+0x24a/0x300 kernel/task_work.c:180
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0xde/0x100 kernel/entry/common.c:171
exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:204
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x64/0x280 kernel/entry/common.c:296
do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff888020aac000
which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 2680 bytes inside of
freed 8192-byte region [ffff888020aac000, ffff888020aae000)

The buggy address belongs to the physical page:
page:ffffea000082aa00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x20aa8
head:ffffea000082aa00 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000840 ffff888012842280 ffffea0001f00600 0000000000000004
raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 5393, tgid 5393 (syz-executor.0), ts 105654591450, free_ts 99513568186
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
get_page_from_freelist+0x31db/0x3360 mm/page_alloc.c:3170
__alloc_pages+0x255/0x670 mm/page_alloc.c:4426
alloc_slab_page+0x6a/0x160 mm/slub.c:1870
allocate_slab mm/slub.c:2017 [inline]
new_slab+0x84/0x2f0 mm/slub.c:2070
___slab_alloc+0xc85/0x1310 mm/slub.c:3223
__slab_alloc mm/slub.c:3322 [inline]
__slab_alloc_node mm/slub.c:3375 [inline]
slab_alloc_node mm/slub.c:3468 [inline]
__kmem_cache_alloc_node+0x1af/0x270 mm/slub.c:3517
__do_kmalloc_node mm/slab_common.c:1022 [inline]
__kmalloc_node+0xa7/0x230 mm/slab_common.c:1030
kmalloc_node include/linux/slab.h:619 [inline]
kvmalloc_node+0x72/0x180 mm/util.c:607
kvmalloc include/linux/slab.h:737 [inline]
kvmalloc_array include/linux/slab.h:755 [inline]
__ptr_ring_init_queue_alloc include/linux/ptr_ring.h:471 [inline]
ptr_ring_init include/linux/ptr_ring.h:489 [inline]
wg_packet_queue_init+0x92/0x2f0 drivers/net/wireguard/queueing.c:32
wg_newlink+0x417/0x710 drivers/net/wireguard/device.c:358
rtnl_newlink_create net/core/rtnetlink.c:3485 [inline]
__rtnl_newlink net/core/rtnetlink.c:3705 [inline]
rtnl_newlink+0x1579/0x2070 net/core/rtnetlink.c:3718
rtnetlink_rcv_msg+0x87e/0x1030 net/core/rtnetlink.c:6444
netlink_rcv_skb+0x1df/0x430 net/netlink/af_netlink.c:2545
netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
netlink_unicast+0x7dc/0x970 net/netlink/af_netlink.c:1368
netlink_sendmsg+0xa37/0xd70 net/netlink/af_netlink.c:1910
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1136 [inline]
free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
discard_slab mm/slub.c:2116 [inline]
__unfreeze_partials+0x1dc/0x220 mm/slub.c:2655
put_cpu_partial+0x17b/0x250 mm/slub.c:2731
__slab_free+0x2b6/0x390 mm/slub.c:3679
qlink_free mm/kasan/quarantine.c:166 [inline]
qlist_free_all+0x75/0xe0 mm/kasan/quarantine.c:185
kasan_quarantine_reduce+0x14b/0x160 mm/kasan/quarantine.c:292
__kasan_slab_alloc+0x23/0x70 mm/kasan/common.c:305
kasan_slab_alloc include/linux/kasan.h:188 [inline]
slab_post_alloc_hook+0x67/0x3d0 mm/slab.h:762
slab_alloc_node mm/slub.c:3478 [inline]
slab_alloc mm/slub.c:3486 [inline]
__kmem_cache_alloc_lru mm/slub.c:3493 [inline]
kmem_cache_alloc+0x123/0x300 mm/slub.c:3502
getname_flags+0xbc/0x4e0 fs/namei.c:140
vfs_fstatat+0x11c/0x190 fs/stat.c:294
__do_sys_newfstatat fs/stat.c:459 [inline]
__se_sys_newfstatat fs/stat.c:453 [inline]
__x64_sys_newfstatat+0x117/0x190 fs/stat.c:453
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Memory state around the buggy address:
ffff888020aac900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888020aac980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888020aaca00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888020aaca80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888020aacb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
console output: https://syzkaller.appspot.com/x/log.txt?x=106e82be680000
kernel config: https://syzkaller.appspot.com/x/.config?x=12da82ece7bf46f9
dashboard link: https://syzkaller.appspot.com/bug?extid=29c47e9e51895928698c
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=13e0746e680000

Edward AD

Oct 3, 2023, 7:48:51 AM10/3/23
to syzbot+29c47e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test slab uaf in gfs2_qd_dealloc

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 6465e260f487

diff --git a/fs/gfs2/ops_fstype.c b/fs/gfs2/ops_fstype.c
index 33ca04733e93..9c62d33dd7d9 100644
--- a/fs/gfs2/ops_fstype.c
+++ b/fs/gfs2/ops_fstype.c
@@ -66,6 +66,7 @@ void free_sbd(struct gfs2_sbd *sdp)
{
if (sdp->sd_lkstats)
free_percpu(sdp->sd_lkstats);
+ printk("%s \n", __func__);
kfree(sdp);
}
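Review bot: the added printk() has no KERN_ level, leaves a stray space before the "\n", and prints only the function name, so it cannot be matched against the per-object prints in gfs2_qd_dealloc() that carry a pointer; print sdp as well, and use pr_info("%s: %px\n", __func__, sdp) so the value is not pointer-hashed on a kernel without no_hash_pointers. Note also that this line only fires when free_sbd() is actually reached: a missing print says sdp was never freed, not that no RCU callback was still pending.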

diff --git a/fs/gfs2/quota.c b/fs/gfs2/quota.c
index 171b2713d2e5..2e88382d1303 100644
--- a/fs/gfs2/quota.c
+++ b/fs/gfs2/quota.c
@@ -112,6 +112,7 @@ static void gfs2_qd_dealloc(struct rcu_head *rcu)
struct gfs2_sbd *sdp = qd->qd_sbd;

kmem_cache_free(gfs2_quotad_cachep, qd);
+ printk("%p, %p, %s\n", qd, sdp, __func__);
if (atomic_dec_and_test(&sdp->sd_quota_count))
wake_up(&sdp->sd_kill_wait);
}
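Review bot: the new printk() runs in an RCU callback (softirq context) and prints qd after kmem_cache_free(); printing the pointer value is not itself a use-after-free, but move the line above the free so the log order is not misleading. The unchanged lines are where the real problem sits: sdp is read through qd->qd_sbd and then written by atomic_dec_and_test() with nothing in this function guaranteeing the superblock is still alive, and even once the wait in gfs2_quota_cleanup() is made reliable, wake_up(&sdp->sd_kill_wait) still touches sdp after the very decrement that lets the waiter proceed and free it. Either the waiter must hold off the free until after the wake, or the callback must not touch sdp once it has decremented the count.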
@@ -1501,10 +1502,11 @@ void gfs2_quota_cleanup(struct gfs2_sbd *sdp)

gfs2_qd_list_dispose(&dispose);

+ printk("1, %s\n", __func__);
wait_event_timeout(sdp->sd_kill_wait,
- (count = atomic_read(&sdp->sd_quota_count)) == 0,
- HZ * 60);
+ (count = atomic_read(&sdp->sd_quota_count)) == 0);

+ printk("2, %s, %d\n", __func__, count);
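Review bot: this hunk does not compile. The two removed lines drop the third argument, but the unchanged line above keeps the macro name wait_event_timeout(), which takes (wq_head, condition, timeout); that is the "too few arguments provided to function-like macro invocation" and "use of undeclared identifier 'wait_event_timeout'" errors syzbot reports for quota.c:1506-1507. Either keep HZ * 60 or rename the call to wait_event() with a proper -/+ pair. The @@ header announces 10 old and 11 new lines, but the diff as shown ends at the second printk, so the rest of the hunk is not visible here.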

syzbot

Oct 3, 2023, 7:56:27 AM
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

fs/gfs2/quota.c:1507:51: error: too few arguments provided to function-like macro invocation
fs/gfs2/quota.c:1506:2: error: use of undeclared identifier 'wait_event_timeout'; did you mean 'wait_on_bit_timeout'?


Tested on:

commit: 6465e260 Linux 6.6-rc3
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=12da82ece7bf46f9
dashboard link: https://syzkaller.appspot.com/bug?extid=29c47e9e51895928698c
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1553c1b2680000

Edward AD

Oct 3, 2023, 7:57:03 AM
to syzbot+29c47e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test slab uaf in gfs2_qd_dealloc

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 6465e260f487

diff --git a/fs/gfs2/ops_fstype.c b/fs/gfs2/ops_fstype.c
index 33ca04733e93..9c62d33dd7d9 100644
--- a/fs/gfs2/ops_fstype.c
+++ b/fs/gfs2/ops_fstype.c
@@ -66,6 +66,7 @@ void free_sbd(struct gfs2_sbd *sdp)
{
if (sdp->sd_lkstats)
free_percpu(sdp->sd_lkstats);
+ printk("%s \n", __func__);
kfree(sdp);
}

diff --git a/fs/gfs2/quota.c b/fs/gfs2/quota.c
index 171b2713d2e5..2e88382d1303 100644
--- a/fs/gfs2/quota.c
+++ b/fs/gfs2/quota.c
@@ -112,6 +112,7 @@ static void gfs2_qd_dealloc(struct rcu_head *rcu)
struct gfs2_sbd *sdp = qd->qd_sbd;

kmem_cache_free(gfs2_quotad_cachep, qd);
+ printk("%p, %p, %s\n", qd, sdp, __func__);
if (atomic_dec_and_test(&sdp->sd_quota_count))
wake_up(&sdp->sd_kill_wait);
}
@@ -1501,10 +1502,11 @@ void gfs2_quota_cleanup(struct gfs2_sbd *sdp)

gfs2_qd_list_dispose(&dispose);

+ printk("1, %s\n", __func__);
wait_event(sdp->sd_kill_wait,
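Review bot: the line wait_event(sdp->sd_kill_wait, is given as unchanged context (no leading - or +), but the tree at 6465e260f487 has wait_event_timeout( there (the previous revision of this same hunk shows it as its context line), so patch cannot match the context and rejects the hunk; that is the "Hunk #2 FAILED at 1502" in syzbot's reply. Express the rename as a - line for the old call and a + line for the new one, and check that the line counts in the @@ header still add up after the edit.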

syzbot

Oct 3, 2023, 7:58:29 AM
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to apply patch:
checking file fs/gfs2/ops_fstype.c
checking file fs/gfs2/quota.c
Hunk #2 FAILED at 1502.
1 out of 2 hunks FAILED
patch: https://syzkaller.appspot.com/x/patch.diff?x=1396b66e680000

Edward AD

Oct 3, 2023, 8:02:46 AM
to syzbot+29c47e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test slab uaf in gfs2_qd_dealloc

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 6465e260f487

diff --git a/fs/gfs2/ops_fstype.c b/fs/gfs2/ops_fstype.c
index 33ca04733e93..9c62d33dd7d9 100644
--- a/fs/gfs2/ops_fstype.c
+++ b/fs/gfs2/ops_fstype.c
@@ -66,6 +66,7 @@ void free_sbd(struct gfs2_sbd *sdp)
{
if (sdp->sd_lkstats)
free_percpu(sdp->sd_lkstats);
+ printk("%s \n", __func__);
kfree(sdp);
}

diff --git a/fs/gfs2/quota.c b/fs/gfs2/quota.c
index 171b2713d2e5..dee394804112 100644
--- a/fs/gfs2/quota.c
+++ b/fs/gfs2/quota.c
@@ -112,6 +112,7 @@ static void gfs2_qd_dealloc(struct rcu_head *rcu)
struct gfs2_sbd *sdp = qd->qd_sbd;

kmem_cache_free(gfs2_quotad_cachep, qd);
+ printk("%p, %p, %s\n", qd, sdp, __func__);
if (atomic_dec_and_test(&sdp->sd_quota_count))
wake_up(&sdp->sd_kill_wait);
}
@@ -1501,10 +1502,11 @@ void gfs2_quota_cleanup(struct gfs2_sbd *sdp)

gfs2_qd_list_dispose(&dispose);

- wait_event_timeout(sdp->sd_kill_wait,
- (count = atomic_read(&sdp->sd_quota_count)) == 0,
- HZ * 60);
+ printk("1, %s\n", __func__);
+ wait_event(sdp->sd_kill_wait,
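Review bot: the -/+ pair is well-formed now, but replacing wait_event_timeout(..., HZ * 60) with wait_event() turns a bounded wait into an unbounded one: if the count never reaches zero (a callback that is never queued, or an object that is only disposed when the gfs2_qd_lru shrinker runs), unmount hangs in gfs2_quota_cleanup() forever instead of logging the left-over objects and continuing. That is acceptable for a diagnostic run, not for a fix, which should keep an upper bound or make sure every object has been disposed before it waits. The hunk is also cut off after the new wait_event( line, so the condition and the lines that follow cannot be reviewed here.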

syzbot

Oct 3, 2023, 8:15:45 AM
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Write in gfs2_qd_dealloc

ffff88807634e930, ffff88807f6d8000, gfs2_qd_dealloc
==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: slab-use-after-free in atomic_dec_and_test include/linux/atomic/atomic-instrumented.h:1375 [inline]
BUG: KASAN: slab-use-after-free in gfs2_qd_dealloc+0x9a/0x100 fs/gfs2/quota.c:116
Write of size 4 at addr ffff88807f6d8a78 by task swapper/1/0

CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.6.0-rc3-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:364 [inline]
print_report+0x163/0x540 mm/kasan/report.c:475
kasan_report+0x175/0x1b0 mm/kasan/report.c:588
kasan_check_range+0x27e/0x290 mm/kasan/generic.c:187
instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
atomic_dec_and_test include/linux/atomic/atomic-instrumented.h:1375 [inline]
gfs2_qd_dealloc+0x9a/0x100 fs/gfs2/quota.c:116
rcu_do_batch kernel/rcu/tree.c:2139 [inline]
rcu_core+0xacf/0x1790 kernel/rcu/tree.c:2403
__do_softirq+0x2ab/0x908 kernel/softirq.c:553
invoke_softirq kernel/softirq.c:427 [inline]
__irq_exit_rcu+0xf1/0x1b0 kernel/softirq.c:632
irq_exit_rcu+0x9/0x20 kernel/softirq.c:644
sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1074
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:645
RIP: 0010:native_irq_disable arch/x86/include/asm/irqflags.h:37 [inline]
RIP: 0010:arch_local_irq_disable arch/x86/include/asm/irqflags.h:72 [inline]
RIP: 0010:acpi_safe_halt+0x20/0x30 drivers/acpi/processor_idle.c:113
Code: 7f 04 eb 36 66 0f 1f 44 00 00 65 48 8b 05 e8 4b 36 75 48 f7 00 08 00 00 00 75 10 66 90 0f 00 2d 76 a5 95 00 f3 0f 1e fa fb f4 <fa> c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 89 fa ec 48 8b 05
RSP: 0018:ffffc90000187d08 EFLAGS: 00000246
RAX: ffff888016e43b80 RBX: ffff88801328a864 RCX: 000000000005ec31
RDX: 0000000000000001 RSI: ffff88801328a800 RDI: ffff88801328a864
RBP: 0000000000038df8 R08: ffff8880b9936bcb R09: 1ffff11017326d79
R10: dffffc0000000000 R11: ffffed1017326d7a R12: ffff888144eb8800
R13: 0000000000000000 R14: 0000000000000001 R15: ffffffff8da1f720
acpi_idle_enter+0xe4/0x140 drivers/acpi/processor_idle.c:707
cpuidle_enter_state+0x10e/0x470 drivers/cpuidle/cpuidle.c:267
cpuidle_enter+0x5d/0x90 drivers/cpuidle/cpuidle.c:388
call_cpuidle kernel/sched/idle.c:134 [inline]
cpuidle_idle_call kernel/sched/idle.c:215 [inline]
do_idle+0x374/0x5c0 kernel/sched/idle.c:282
cpu_startup_entry+0x41/0x60 kernel/sched/idle.c:380
start_secondary+0xee/0xf0 arch/x86/kernel/smpboot.c:326
secondary_startup_64_no_verify+0x167/0x16b
</TASK>

Allocated by task 5794:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4f/0x70 mm/kasan/common.c:52
____kasan_kmalloc mm/kasan/common.c:374 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:383
kmalloc include/linux/slab.h:599 [inline]
kzalloc include/linux/slab.h:720 [inline]
init_sbd fs/gfs2/ops_fstype.c:78 [inline]
gfs2_fill_super+0x138/0x25f0 fs/gfs2/ops_fstype.c:1165
get_tree_bdev+0x416/0x5b0 fs/super.c:1577
gfs2_get_tree+0x54/0x210 fs/gfs2/ops_fstype.c:1349
vfs_get_tree+0x8c/0x280 fs/super.c:1750
do_new_mount+0x28f/0xae0 fs/namespace.c:3335
do_mount fs/namespace.c:3675 [inline]
__do_sys_mount fs/namespace.c:3884 [inline]
__se_sys_mount+0x2d9/0x3c0 fs/namespace.c:3861
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 5389:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4f/0x70 mm/kasan/common.c:52
kasan_save_free_info+0x28/0x40 mm/kasan/generic.c:522
____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236
kasan_slab_free include/linux/kasan.h:164 [inline]
slab_free_hook mm/slub.c:1800 [inline]
slab_free_freelist_hook mm/slub.c:1826 [inline]
slab_free mm/slub.c:3809 [inline]
__kmem_cache_free+0x25f/0x3b0 mm/slub.c:3822
generic_shutdown_super+0x13a/0x2c0 fs/super.c:693
kill_block_super+0x41/0x70 fs/super.c:1646
deactivate_locked_super+0xa4/0x110 fs/super.c:481
cleanup_mnt+0x426/0x4c0 fs/namespace.c:1254
task_work_run+0x24a/0x300 kernel/task_work.c:180
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0xde/0x100 kernel/entry/common.c:171
exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:204
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x64/0x280 kernel/entry/common.c:296
do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff88807f6d8000
which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 2680 bytes inside of
freed 8192-byte region [ffff88807f6d8000, ffff88807f6da000)

The buggy address belongs to the physical page:
page:ffffea0001fdb600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7f6d8
head:ffffea0001fdb600 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000840 ffff888012842280 ffffea0001e53e00 0000000000000004
raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d28c0(GFP_NOWAIT|__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 4697, tgid 4697 (dhcpcd), ts 88292863172, free_ts 88259942267
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
get_page_from_freelist+0x31db/0x3360 mm/page_alloc.c:3170
__alloc_pages+0x255/0x670 mm/page_alloc.c:4426
alloc_slab_page+0x6a/0x160 mm/slub.c:1870
allocate_slab mm/slub.c:2017 [inline]
new_slab+0x84/0x2f0 mm/slub.c:2070
___slab_alloc+0xc85/0x1310 mm/slub.c:3223
__slab_alloc mm/slub.c:3322 [inline]
__slab_alloc_node mm/slub.c:3375 [inline]
slab_alloc_node mm/slub.c:3468 [inline]
__kmem_cache_alloc_node+0x1af/0x270 mm/slub.c:3517
__do_kmalloc_node mm/slab_common.c:1022 [inline]
__kmalloc_node_track_caller+0xa5/0x230 mm/slab_common.c:1043
kmalloc_reserve+0xf3/0x260 net/core/skbuff.c:581
__alloc_skb+0x1b1/0x420 net/core/skbuff.c:650
alloc_skb include/linux/skbuff.h:1286 [inline]
netlink_dump+0x20b/0xcc0 net/netlink/af_netlink.c:2233
netlink_recvmsg+0x6b9/0x11d0 net/netlink/af_netlink.c:1992
sock_recvmsg_nosec net/socket.c:1027 [inline]
sock_recvmsg net/socket.c:1049 [inline]
____sys_recvmsg+0x2a4/0x580 net/socket.c:2760
___sys_recvmsg net/socket.c:2802 [inline]
__sys_recvmsg+0x2f0/0x3d0 net/socket.c:2832
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
ffff88807f6d8900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807f6d8980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88807f6d8a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88807f6d8a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807f6d8b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Tested on:

commit: 6465e260 Linux 6.6-rc3
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1679e89a680000
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=13f4423a680000

Edward AD

Oct 3, 2023, 8:36:40 AM
to syzbot+29c47e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test slab uaf in gfs2_qd_dealloc

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 6465e260f487

diff --git a/fs/gfs2/ops_fstype.c b/fs/gfs2/ops_fstype.c
index 33ca04733e93..9c62d33dd7d9 100644
--- a/fs/gfs2/ops_fstype.c
+++ b/fs/gfs2/ops_fstype.c
@@ -66,6 +66,7 @@ void free_sbd(struct gfs2_sbd *sdp)
{
if (sdp->sd_lkstats)
free_percpu(sdp->sd_lkstats);
+ printk("%s, %p \n", __func__, sdp);
kfree(sdp);
}

diff --git a/fs/gfs2/quota.c b/fs/gfs2/quota.c
index 171b2713d2e5..dee394804112 100644
--- a/fs/gfs2/quota.c
+++ b/fs/gfs2/quota.c
@@ -112,6 +112,7 @@ static void gfs2_qd_dealloc(struct rcu_head *rcu)
struct gfs2_sbd *sdp = qd->qd_sbd;

kmem_cache_free(gfs2_quotad_cachep, qd);
+ printk("%p, %p, %s\n", qd, sdp, __func__);
if (atomic_dec_and_test(&sdp->sd_quota_count))
wake_up(&sdp->sd_kill_wait);
}
@@ -1501,10 +1502,11 @@ void gfs2_quota_cleanup(struct gfs2_sbd *sdp)

gfs2_qd_list_dispose(&dispose);

- wait_event_timeout(sdp->sd_kill_wait,
- (count = atomic_read(&sdp->sd_quota_count)) == 0,
- HZ * 60);
+ printk("1, %s\n", __func__);
+ wait_event(sdp->sd_kill_wait,
+ (count = atomic_read(&sdp->sd_quota_count)) == 0);

+ printk("2, %s, %d\n", __func__, count);
if (count != 0)
fs_err(sdp, "%d left-over quota data objects\n", count);
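Review bot: once wait_event(wq, (count = atomic_read(...)) == 0) returns, count is zero by construction, so the unchanged if (count != 0) / fs_err(sdp, "%d left-over quota data objects\n", count) branch below it is dead code and the second printk will always print 0. Keep the timeout if that diagnostic is meant to stay reachable, or remove the check together with the timeout rather than leaving a message that can no longer fire.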

diff --git a/fs/gfs2/super.c b/fs/gfs2/super.c
index 02d93da21b2b..0b2a49e5de49 100644
--- a/fs/gfs2/super.c
+++ b/fs/gfs2/super.c
@@ -603,9 +603,11 @@ static void gfs2_put_super(struct super_block *sb)
spin_unlock(&sdp->sd_jindex_spin);

if (!sb_rdonly(sb)) {
+ printk("1, %s, %p\n", __func__, sdp);
gfs2_make_fs_ro(sdp);
}
if (gfs2_withdrawn(sdp)) {
+ printk("2, %s, %p\n", __func__, sdp);
gfs2_destroy_threads(sdp);
gfs2_quota_cleanup(sdp);
}
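Review bot: the two printks only record which branch is taken; the structure they sit in is the thing to check. gfs2_quota_cleanup(), and with it the wait on sd_kill_wait, is reached on this path only under if (gfs2_withdrawn(sdp)), and gfs2_make_fs_ro() only under if (!sb_rdonly(sb)); a mount that is already read-only and has not withdrawn takes neither branch, so nothing in gfs2_put_super() waits for sd_quota_count before free_sbd() is called at the end of the function. If gfs2_make_fs_ro() does its own quota cleanup, the withdrawn case also does it twice. It would be worth printing atomic_read(&sdp->sd_quota_count) right before free_sbd() too, so the log shows whether callbacks are still outstanding at the moment sdp is freed.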

syzbot

Oct 3, 2023, 8:49:38 AM
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Write in gfs2_qd_dealloc

ffff888067000bd0, ffff8880287ac000, gfs2_qd_dealloc
==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: slab-use-after-free in atomic_dec_and_test include/linux/atomic/atomic-instrumented.h:1375 [inline]
BUG: KASAN: slab-use-after-free in gfs2_qd_dealloc+0x9a/0x100 fs/gfs2/quota.c:116
Write of size 4 at addr ffff8880287aca78 by task syz-executor.0/5390

CPU: 1 PID: 5390 Comm: syz-executor.0 Not tainted 6.6.0-rc3-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:364 [inline]
print_report+0x163/0x540 mm/kasan/report.c:475
kasan_report+0x175/0x1b0 mm/kasan/report.c:588
kasan_check_range+0x27e/0x290 mm/kasan/generic.c:187
instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
atomic_dec_and_test include/linux/atomic/atomic-instrumented.h:1375 [inline]
gfs2_qd_dealloc+0x9a/0x100 fs/gfs2/quota.c:116
rcu_do_batch kernel/rcu/tree.c:2139 [inline]
rcu_core+0xacf/0x1790 kernel/rcu/tree.c:2403
__do_softirq+0x2ab/0x908 kernel/softirq.c:553
invoke_softirq kernel/softirq.c:427 [inline]
__irq_exit_rcu+0xf1/0x1b0 kernel/softirq.c:632
irq_exit_rcu+0x9/0x20 kernel/softirq.c:644
sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1074
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:645
RIP: 0010:check_kcov_mode kernel/kcov.c:175 [inline]
RIP: 0010:write_comp_data kernel/kcov.c:236 [inline]
RIP: 0010:__sanitizer_cov_trace_cmp4+0x2e/0x90 kernel/kcov.c:278
Code: 4c 8b 04 24 65 48 8b 15 c0 ac 75 7e 65 8b 05 c1 ac 75 7e a9 00 01 ff 00 74 10 a9 00 01 00 00 74 5b 83 ba 04 16 00 00 00 74 52 <8b> 82 e0 15 00 00 83 f8 03 75 47 48 8b 8a e8 15 00 00 44 8b 8a e4
RSP: 0018:ffffc90004b9f3e0 EFLAGS: 00000246
RAX: 0000000080000001 RBX: 00000000000a0000 RCX: 00000000000a0001
RDX: ffff8880783f9dc0 RSI: 000000000000c5b9 RDI: 00000000000a0000
RBP: 000000000000c5b9 R08: ffffffff813da069 R09: ffffc90004b9f5b0
R10: 0000000000000003 R11: ffff8880783f9dc0 R12: ffffc90004b9f4c0
R13: 00000000000a0001 R14: ffffffff8b000000 R15: ffffffff81c5b96d
orc_find arch/x86/kernel/unwind_orc.c:211 [inline]
unwind_next_frame+0x249/0x29e0 arch/x86/kernel/unwind_orc.c:494
arch_stack_walk+0x146/0x1a0 arch/x86/kernel/stacktrace.c:25
stack_trace_save+0x117/0x1c0 kernel/stacktrace.c:122
save_stack+0xfa/0x1e0 mm/page_owner.c:128
__reset_page_owner+0x4f/0x190 mm/page_owner.c:149
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1136 [inline]
free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
free_unref_page_list+0x596/0x830 mm/page_alloc.c:2451
release_pages+0x2113/0x23f0 mm/swap.c:1042
__folio_batch_release+0x84/0x100 mm/swap.c:1062
folio_batch_release include/linux/pagevec.h:83 [inline]
truncate_inode_pages_range+0x45d/0x11a0 mm/truncate.c:371
kill_bdev block/bdev.c:76 [inline]
blkdev_flush_mapping+0x15a/0x2b0 block/bdev.c:630
blkdev_put_whole block/bdev.c:661 [inline]
blkdev_put+0x4a9/0x770 block/bdev.c:898
deactivate_locked_super+0xa4/0x110 fs/super.c:481
cleanup_mnt+0x426/0x4c0 fs/namespace.c:1254
task_work_run+0x24a/0x300 kernel/task_work.c:180
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0xde/0x100 kernel/entry/common.c:171
exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:204
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x64/0x280 kernel/entry/common.c:296
do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f9b9547de17
Code: b0 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 b0 ff ff ff f7 d8 64 89 02 b8
RSP: 002b:00007ffd8d15c318 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f9b9547de17
RDX: 0000000000000000 RSI: 000000000000000a RDI: 00007ffd8d15c3d0
RBP: 00007ffd8d15c3d0 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007ffd8d15d490
R13: 00007f9b954c73b9 R14: 000000000001da1c R15: 0000000000000003
</TASK>

Allocated by task 5823:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4f/0x70 mm/kasan/common.c:52
____kasan_kmalloc mm/kasan/common.c:374 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:383
kmalloc include/linux/slab.h:599 [inline]
kzalloc include/linux/slab.h:720 [inline]
init_sbd fs/gfs2/ops_fstype.c:78 [inline]
gfs2_fill_super+0x138/0x2600 fs/gfs2/ops_fstype.c:1165
get_tree_bdev+0x416/0x5b0 fs/super.c:1577
gfs2_get_tree+0x54/0x210 fs/gfs2/ops_fstype.c:1349
vfs_get_tree+0x8c/0x280 fs/super.c:1750
do_new_mount+0x28f/0xae0 fs/namespace.c:3335
do_mount fs/namespace.c:3675 [inline]
__do_sys_mount fs/namespace.c:3884 [inline]
__se_sys_mount+0x2d9/0x3c0 fs/namespace.c:3861
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 5390:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4f/0x70 mm/kasan/common.c:52
kasan_save_free_info+0x28/0x40 mm/kasan/generic.c:522
____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236
kasan_slab_free include/linux/kasan.h:164 [inline]
slab_free_hook mm/slub.c:1800 [inline]
slab_free_freelist_hook mm/slub.c:1826 [inline]
slab_free mm/slub.c:3809 [inline]
__kmem_cache_free+0x25f/0x3b0 mm/slub.c:3822
generic_shutdown_super+0x13a/0x2c0 fs/super.c:693
kill_block_super+0x41/0x70 fs/super.c:1646
deactivate_locked_super+0xa4/0x110 fs/super.c:481
cleanup_mnt+0x426/0x4c0 fs/namespace.c:1254
task_work_run+0x24a/0x300 kernel/task_work.c:180
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0xde/0x100 kernel/entry/common.c:171
exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:204
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x64/0x280 kernel/entry/common.c:296
do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff8880287ac000
which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 2680 bytes inside of
freed 8192-byte region [ffff8880287ac000, ffff8880287ae000)

The buggy address belongs to the physical page:
page:ffffea0000a1ea00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x287a8
head:ffffea0000a1ea00 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
ksm flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000840 ffff888012842280 ffffea00009f2200 dead000000000003
raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d28c0(GFP_NOWAIT|__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 4696, tgid 4696 (dhcpcd), ts 79825370949, free_ts 79824505174
__slab_free+0x2f6/0x390 mm/slub.c:3715
qlink_free mm/kasan/quarantine.c:166 [inline]
qlist_free_all+0x75/0xe0 mm/kasan/quarantine.c:185
kasan_quarantine_reduce+0x14b/0x160 mm/kasan/quarantine.c:292
__kasan_slab_alloc+0x23/0x70 mm/kasan/common.c:305
kasan_slab_alloc include/linux/kasan.h:188 [inline]
slab_post_alloc_hook+0x67/0x3d0 mm/slab.h:762
slab_alloc_node mm/slub.c:3478 [inline]
__kmem_cache_alloc_node+0x141/0x270 mm/slub.c:3517
kmalloc_trace+0x2a/0xe0 mm/slab_common.c:1114
kmalloc include/linux/slab.h:599 [inline]
kzalloc include/linux/slab.h:720 [inline]
kernfs_fop_open+0x3e7/0xcc0 fs/kernfs/file.c:670
do_dentry_open+0x80f/0x1430 fs/open.c:929
do_open fs/namei.c:3639 [inline]
path_openat+0x27bb/0x3180 fs/namei.c:3796
do_filp_open+0x234/0x490 fs/namei.c:3823
do_sys_openat2+0x13e/0x1d0 fs/open.c:1422
do_sys_open fs/open.c:1437 [inline]
__do_sys_openat fs/open.c:1453 [inline]
__se_sys_openat fs/open.c:1448 [inline]
__x64_sys_openat+0x247/0x290 fs/open.c:1448
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80

Memory state around the buggy address:
ffff8880287ac900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880287ac980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880287aca00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880287aca80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880287acb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
----------------
Code disassembly (best guess):
0: 4c 8b 04 24 mov (%rsp),%r8
4: 65 48 8b 15 c0 ac 75 mov %gs:0x7e75acc0(%rip),%rdx # 0x7e75accc
b: 7e
c: 65 8b 05 c1 ac 75 7e mov %gs:0x7e75acc1(%rip),%eax # 0x7e75acd4
13: a9 00 01 ff 00 test $0xff0100,%eax
18: 74 10 je 0x2a
1a: a9 00 01 00 00 test $0x100,%eax
1f: 74 5b je 0x7c
21: 83 ba 04 16 00 00 00 cmpl $0x0,0x1604(%rdx)
28: 74 52 je 0x7c
* 2a: 8b 82 e0 15 00 00 mov 0x15e0(%rdx),%eax <-- trapping instruction
30: 83 f8 03 cmp $0x3,%eax
33: 75 47 jne 0x7c
35: 48 8b 8a e8 15 00 00 mov 0x15e8(%rdx),%rcx
3c: 44 rex.R
3d: 8b .byte 0x8b
3e: 8a e4 mov %ah,%ah


Tested on:

commit: 6465e260 Linux 6.6-rc3
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=158565d6680000
kernel config: https://syzkaller.appspot.com/x/.config?x=12da82ece7bf46f9
dashboard link: https://syzkaller.appspot.com/bug?extid=29c47e9e51895928698c
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=169c9c92680000

Edward AD

Oct 3, 2023, 9:06:13 AM
to syzbot+29c47e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test slab uaf in gfs2_qd_dealloc

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 6465e260f487

diff --git a/fs/gfs2/ops_fstype.c b/fs/gfs2/ops_fstype.c
index 33ca04733e93..9c62d33dd7d9 100644
--- a/fs/gfs2/ops_fstype.c
+++ b/fs/gfs2/ops_fstype.c
@@ -66,6 +66,7 @@ void free_sbd(struct gfs2_sbd *sdp)
{
if (sdp->sd_lkstats)
free_percpu(sdp->sd_lkstats);
+ printk("%s, %p \n", __func__, sdp);
kfree(sdp);
}

diff --git a/fs/gfs2/quota.c b/fs/gfs2/quota.c
index 171b2713d2e5..9746b5a6d81b 100644
--- a/fs/gfs2/quota.c
+++ b/fs/gfs2/quota.c
@@ -112,6 +112,7 @@ static void gfs2_qd_dealloc(struct rcu_head *rcu)
struct gfs2_sbd *sdp = qd->qd_sbd;

kmem_cache_free(gfs2_quotad_cachep, qd);
+ printk("%p, %p, %s\n", qd, sdp, __func__);
if (atomic_dec_and_test(&sdp->sd_quota_count))
wake_up(&sdp->sd_kill_wait);
}
@@ -135,12 +136,14 @@ static void gfs2_qd_dispose(struct gfs2_quota_data *qd)
}

gfs2_glock_put(qd->qd_gl);
+ printk("%p, %p, %s\n", qd, sdp, __func__);
call_rcu(&qd->qd_rcu, gfs2_qd_dealloc);
}

static void gfs2_qd_list_dispose(struct list_head *list)
{
struct gfs2_quota_data *qd;
+ printk("%p, %s\n", qd, __func__);

while (!list_empty(list)) {
qd = list_first_entry(list, struct gfs2_quota_data, qd_lru);
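Review bot: the printk() added to gfs2_qd_list_dispose() reads qd before it is assigned: qd is declared on the line above and only receives its first value from list_first_entry() inside the while loop, so the print emits an uninitialised stack value (and clang will warn about it). Drop that print, or move it into the loop body after the assignment, where it would actually show which object is being disposed. Minor, same hunk: the added line sits between the declaration and the blank line that follows it, which breaks the declarations-first layout the function uses.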
@@ -184,6 +187,7 @@ static unsigned long gfs2_qd_shrink_scan(struct shrinker *shrink,

freed = list_lru_shrink_walk(&gfs2_qd_lru, sc,
gfs2_qd_isolate, &dispose);
+ printk(" %s\n", __func__);

gfs2_qd_list_dispose(&dispose);
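Review bot: the printk() here prints only the function name (with a leading space), which cannot be correlated with the per-object prints gfs2_qd_list_dispose() emits right after it; print freed, the number of objects list_lru_shrink_walk() moved onto the dispose list, so the log shows whether the shrinker is disposing quota objects after unmount has started. This is the one disposal path that runs outside the unmounting task, under memory pressure, so it is worth being able to tell it apart in the output.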

@@ -326,6 +330,7 @@ static void qd_put(struct gfs2_quota_data *qd)
lockref_mark_dead(&qd->qd_lockref);
spin_unlock(&qd->qd_lockref.lock);

+ printk("%p, %p, %s\n", qd, sdp, __func__);
gfs2_qd_dispose(qd);
return;
}
@@ -1501,10 +1506,11 @@ void gfs2_quota_cleanup(struct gfs2_sbd *sdp)

gfs2_qd_list_dispose(&dispose);

- wait_event_timeout(sdp->sd_kill_wait,
- (count = atomic_read(&sdp->sd_quota_count)) == 0,
- HZ * 60);
+ printk("1, %s\n", __func__);
+ wait_event(sdp->sd_kill_wait,
+ (count = atomic_read(&sdp->sd_quota_count)) == 0);

+ printk("2, %s, %d\n", __func__, count);
if (count != 0)
fs_err(sdp, "%d left-over quota data objects\n", count);

diff --git a/fs/gfs2/super.c b/fs/gfs2/super.c
index 02d93da21b2b..59494dbe2c4a 100644
--- a/fs/gfs2/super.c
+++ b/fs/gfs2/super.c
@@ -585,6 +585,7 @@ static void gfs2_put_super(struct super_block *sb)
struct gfs2_sbd *sdp = sb->s_fs_info;
struct gfs2_jdesc *jd;

+ printk("0, %s, %p\n", __func__, sdp);
/* No more recovery requests */
set_bit(SDF_NORECOVERY, &sdp->sd_flags);
smp_mb();
@@ -603,9 +604,11 @@ static void gfs2_put_super(struct super_block *sb)
spin_unlock(&sdp->sd_jindex_spin);

if (!sb_rdonly(sb)) {
+ printk("1, %s, %p\n", __func__, sdp);
gfs2_make_fs_ro(sdp);
}
if (gfs2_withdrawn(sdp)) {
+ printk("2, %s, %p\n", __func__, sdp);
gfs2_destroy_threads(sdp);
gfs2_quota_cleanup(sdp);
}
@@ -649,6 +652,7 @@ static void gfs2_put_super(struct super_block *sb)

/* At this point, we're through participating in the lockspace */
gfs2_sys_fs_del(sdp);
+ printk("3, %s, %p\n", __func__, sdp);
free_sbd(sdp);
}

Edward AD

Oct 3, 2023, 9:14:53 AM
to syzbot+29c47e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
index 02d93da21b2b..af68bbefc850 100644
--- a/fs/gfs2/super.c
+++ b/fs/gfs2/super.c
@@ -585,6 +585,7 @@ static void gfs2_put_super(struct super_block *sb)
struct gfs2_sbd *sdp = sb->s_fs_info;
struct gfs2_jdesc *jd;

+ printk("0, %s, %p\n", __func__, sdp);
/* No more recovery requests */
set_bit(SDF_NORECOVERY, &sdp->sd_flags);
smp_mb();
@@ -603,9 +604,11 @@ static void gfs2_put_super(struct super_block *sb)
spin_unlock(&sdp->sd_jindex_spin);

if (!sb_rdonly(sb)) {
+ printk("1, %s, %p\n", __func__, sdp);
gfs2_make_fs_ro(sdp);
}
if (gfs2_withdrawn(sdp)) {
+ printk("2, %s, %p\n", __func__, sdp);
gfs2_destroy_threads(sdp);
gfs2_quota_cleanup(sdp);
}
@@ -649,6 +652,9 @@ static void gfs2_put_super(struct super_block *sb)

/* At this point, we're through participating in the lockspace */
gfs2_sys_fs_del(sdp);
+ printk("3, %s, %p\n", __func__, sdp);
+ wait_event(sdp->sd_kill_wait,
+ atomic_read(&sdp->sd_quota_count) == 0);
free_sbd(sdp);
}
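Review bot: the wait_event() added before free_sbd() has no timeout and no way out other than sd_quota_count reaching zero, so an unmount whose quota objects are still on gfs2_qd_lru (not yet disposed by the shrinker or by gfs2_quota_cleanup()) blocks here indefinitely rather than failing loudly; the HZ * 60 bound in the original gfs2_quota_cleanup() existed for that reason. It also guards only this caller: free_sbd() is non-static, and any other caller still frees sdp without waiting. Finally, the ordering in gfs2_qd_dealloc() (quota.c hunk earlier in the thread) is unchanged: the callback calls wake_up(&sdp->sd_kill_wait) after the decrement that lets this waiter observe zero, so a waiter that sees count == 0 and goes straight into free_sbd() can free sdp while the callback is about to call wake_up() on it. The wait has to be paired with a callback that does not touch sdp after its final decrement.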

syzbot

Oct 3, 2023, 9:39:40 AM
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Write in gfs2_qd_dealloc

ffff888063d637e0, ffff88801f1e8000, gfs2_qd_dealloc
==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: slab-use-after-free in atomic_dec_and_test include/linux/atomic/atomic-instrumented.h:1375 [inline]
BUG: KASAN: slab-use-after-free in gfs2_qd_dealloc+0x9a/0x100 fs/gfs2/quota.c:116
Write of size 4 at addr ffff88801f1e8a78 by task syz-executor.0/5395

CPU: 1 PID: 5395 Comm: syz-executor.0 Not tainted 6.6.0-rc3-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:364 [inline]
print_report+0x163/0x540 mm/kasan/report.c:475
kasan_report+0x175/0x1b0 mm/kasan/report.c:588
kasan_check_range+0x27e/0x290 mm/kasan/generic.c:187
instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
atomic_dec_and_test include/linux/atomic/atomic-instrumented.h:1375 [inline]
gfs2_qd_dealloc+0x9a/0x100 fs/gfs2/quota.c:116
rcu_do_batch kernel/rcu/tree.c:2139 [inline]
rcu_core+0xacf/0x1790 kernel/rcu/tree.c:2403
__do_softirq+0x2ab/0x908 kernel/softirq.c:553
invoke_softirq kernel/softirq.c:427 [inline]
__irq_exit_rcu+0xf1/0x1b0 kernel/softirq.c:632
irq_exit_rcu+0x9/0x20 kernel/softirq.c:644
sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1074
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:645
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:152 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0xd8/0x140 kernel/locking/spinlock.c:194
Code: 9c 8f 44 24 20 42 80 3c 23 00 74 08 4c 89 f7 e8 ae b6 10 f7 f6 44 24 21 02 75 4e 41 f7 c7 00 02 00 00 74 01 fb bf 01 00 00 00 <e8> e3 a9 88 f6 65 8b 05 e4 f2 2b 75 85 c0 74 3f 48 c7 04 24 0e 36
RSP: 0018:ffffc90004d5f800 EFLAGS: 00000206
RAX: ee750290b0d5dd00 RBX: 1ffff920009abf04 RCX: ffffffff816dbfea
RDX: dffffc0000000000 RSI: ffffffff8b0aa380 RDI: 0000000000000001
RBP: ffffc90004d5f890 R08: ffffffff906fb3df R09: 1ffffffff20df67b
R10: dffffc0000000000 R11: fffffbfff20df67c R12: dffffc0000000000
R13: 1ffff920009abf00 R14: ffffc90004d5f820 R15: 0000000000000246
spin_unlock_irqrestore include/linux/spinlock.h:406 [inline]
unlock_page_lruvec_irqrestore include/linux/memcontrol.h:1632 [inline]
release_pages+0x20eb/0x23f0 mm/swap.c:1039
__folio_batch_release+0x84/0x100 mm/swap.c:1062
folio_batch_release include/linux/pagevec.h:83 [inline]
truncate_inode_pages_range+0x45d/0x11a0 mm/truncate.c:371
kill_bdev block/bdev.c:76 [inline]
blkdev_flush_mapping+0x15a/0x2b0 block/bdev.c:630
blkdev_put_whole block/bdev.c:661 [inline]
blkdev_put+0x4a9/0x770 block/bdev.c:898
deactivate_locked_super+0xa4/0x110 fs/super.c:481
cleanup_mnt+0x426/0x4c0 fs/namespace.c:1254
task_work_run+0x24a/0x300 kernel/task_work.c:180
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0xde/0x100 kernel/entry/common.c:171
exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:204
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x64/0x280 kernel/entry/common.c:296
do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f873ec7de17
Code: b0 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 b0 ff ff ff f7 d8 64 89 02 b8
RSP: 002b:00007fff51412c98 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f873ec7de17
RDX: 0000000000000000 RSI: 000000000000000a RDI: 00007fff51412d50
RBP: 00007fff51412d50 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007fff51413e10
R13: 00007f873ecc73b9 R14: 000000000002de37 R15: 0000000000000003
</TASK>

Allocated by task 6207:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4f/0x70 mm/kasan/common.c:52
____kasan_kmalloc mm/kasan/common.c:374 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:383
kmalloc include/linux/slab.h:599 [inline]
kzalloc include/linux/slab.h:720 [inline]
init_sbd fs/gfs2/ops_fstype.c:78 [inline]
gfs2_fill_super+0x138/0x2600 fs/gfs2/ops_fstype.c:1165
get_tree_bdev+0x416/0x5b0 fs/super.c:1577
gfs2_get_tree+0x54/0x210 fs/gfs2/ops_fstype.c:1349
vfs_get_tree+0x8c/0x280 fs/super.c:1750
do_new_mount+0x28f/0xae0 fs/namespace.c:3335
do_mount fs/namespace.c:3675 [inline]
__do_sys_mount fs/namespace.c:3884 [inline]
__se_sys_mount+0x2d9/0x3c0 fs/namespace.c:3861
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 5395:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4f/0x70 mm/kasan/common.c:52
kasan_save_free_info+0x28/0x40 mm/kasan/generic.c:522
____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236
kasan_slab_free include/linux/kasan.h:164 [inline]
slab_free_hook mm/slub.c:1800 [inline]
slab_free_freelist_hook mm/slub.c:1826 [inline]
slab_free mm/slub.c:3809 [inline]
__kmem_cache_free+0x25f/0x3b0 mm/slub.c:3822
generic_shutdown_super+0x13a/0x2c0 fs/super.c:693
kill_block_super+0x41/0x70 fs/super.c:1646
deactivate_locked_super+0xa4/0x110 fs/super.c:481
cleanup_mnt+0x426/0x4c0 fs/namespace.c:1254
task_work_run+0x24a/0x300 kernel/task_work.c:180
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0xde/0x100 kernel/entry/common.c:171
exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:204
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x64/0x280 kernel/entry/common.c:296
do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Last potentially related work creation:
kasan_save_stack+0x3f/0x60 mm/kasan/common.c:45
__kasan_record_aux_stack+0xad/0xc0 mm/kasan/generic.c:492
insert_work+0x3e/0x320 kernel/workqueue.c:1647
__queue_work+0xc06/0x1010 kernel/workqueue.c:1799
rcu_work_rcufn+0xff/0x140 kernel/workqueue.c:2039
rcu_do_batch kernel/rcu/tree.c:2139 [inline]
rcu_core+0xacf/0x1790 kernel/rcu/tree.c:2403
__do_softirq+0x2ab/0x908 kernel/softirq.c:553

Second to last potentially related work creation:
kasan_save_stack+0x3f/0x60 mm/kasan/common.c:45
__kasan_record_aux_stack+0xad/0xc0 mm/kasan/generic.c:492
__call_rcu_common kernel/rcu/tree.c:2653 [inline]
call_rcu+0x167/0xa70 kernel/rcu/tree.c:2767
call_rcu_hurry include/linux/rcupdate.h:117 [inline]
queue_rcu_work+0x8f/0xa0 kernel/workqueue.c:2059
process_one_work kernel/workqueue.c:2630 [inline]
process_scheduled_works+0x90f/0x1400 kernel/workqueue.c:2703
worker_thread+0xa5f/0xff0 kernel/workqueue.c:2784
kthread+0x2d3/0x370 kernel/kthread.c:388
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304

The buggy address belongs to the object at ffff88801f1e8000
which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 2680 bytes inside of
freed 8192-byte region [ffff88801f1e8000, ffff88801f1ea000)

The buggy address belongs to the physical page:
page:ffffea00007c7a00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1f1e8
head:ffffea00007c7a00 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000840 ffff888012842280 ffffea0000a6ba00 dead000000000005
raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4686, tgid 4686 (rcS), ts 45766440412, free_ts 45717036867
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
prep_new_page mm/page_alloc.c:1543 [inline]
get_page_from_freelist+0x31db/0x3360 mm/page_alloc.c:3170
__alloc_pages+0x255/0x670 mm/page_alloc.c:4426
alloc_slab_page+0x6a/0x160 mm/slub.c:1870
allocate_slab mm/slub.c:2017 [inline]
new_slab+0x84/0x2f0 mm/slub.c:2070
___slab_alloc+0xc85/0x1310 mm/slub.c:3223
__slab_alloc mm/slub.c:3322 [inline]
__slab_alloc_node mm/slub.c:3375 [inline]
slab_alloc_node mm/slub.c:3468 [inline]
__kmem_cache_alloc_node+0x1af/0x270 mm/slub.c:3517
kmalloc_trace+0x2a/0xe0 mm/slab_common.c:1114
kmalloc include/linux/slab.h:599 [inline]
kzalloc include/linux/slab.h:720 [inline]
tomoyo_print_bprm security/tomoyo/audit.c:26 [inline]
tomoyo_init_log+0x11cd/0x2040 security/tomoyo/audit.c:264
tomoyo_supervisor+0x386/0x11f0 security/tomoyo/common.c:2089
tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline]
tomoyo_env_perm+0x178/0x210 security/tomoyo/environ.c:63
tomoyo_environ security/tomoyo/domain.c:672 [inline]
tomoyo_find_next_domain+0x1383/0x1cf0 security/tomoyo/domain.c:878
tomoyo_bprm_check_security+0x114/0x170 security/tomoyo/tomoyo.c:101
security_bprm_check+0x63/0xa0 security/security.c:1103
search_binary_handler fs/exec.c:1727 [inline]
exec_binprm fs/exec.c:1781 [inline]
bprm_execve+0x8c7/0x17c0 fs/exec.c:1856
do_execveat_common+0x580/0x720 fs/exec.c:1964
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1136 [inline]
free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
discard_slab mm/slub.c:2116 [inline]
__unfreeze_partials+0x1dc/0x220 mm/slub.c:2655
put_cpu_partial+0x17b/0x250 mm/slub.c:2731
__slab_free+0x2b6/0x390 mm/slub.c:3679
qlink_free mm/kasan/quarantine.c:166 [inline]
qlist_free_all+0x75/0xe0 mm/kasan/quarantine.c:185
kasan_quarantine_reduce+0x14b/0x160 mm/kasan/quarantine.c:292
__kasan_slab_alloc+0x23/0x70 mm/kasan/common.c:305
kasan_slab_alloc include/linux/kasan.h:188 [inline]
slab_post_alloc_hook+0x67/0x3d0 mm/slab.h:762
slab_alloc_node mm/slub.c:3478 [inline]
__kmem_cache_alloc_node+0x141/0x270 mm/slub.c:3517
kmalloc_trace+0x2a/0xe0 mm/slab_common.c:1114
kmalloc include/linux/slab.h:599 [inline]
kzalloc include/linux/slab.h:720 [inline]
tomoyo_print_bprm security/tomoyo/audit.c:26 [inline]
tomoyo_init_log+0x11cd/0x2040 security/tomoyo/audit.c:264
tomoyo_supervisor+0x386/0x11f0 security/tomoyo/common.c:2089
tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline]
tomoyo_env_perm+0x178/0x210 security/tomoyo/environ.c:63
tomoyo_environ security/tomoyo/domain.c:672 [inline]
tomoyo_find_next_domain+0x1383/0x1cf0 security/tomoyo/domain.c:878
tomoyo_bprm_check_security+0x114/0x170 security/tomoyo/tomoyo.c:101

Memory state around the buggy address:
ffff88801f1e8900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88801f1e8980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88801f1e8a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88801f1e8a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88801f1e8b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
----------------
Code disassembly (best guess):
0: 9c pushf
1: 8f 44 24 20 pop 0x20(%rsp)
5: 42 80 3c 23 00 cmpb $0x0,(%rbx,%r12,1)
a: 74 08 je 0x14
c: 4c 89 f7 mov %r14,%rdi
f: e8 ae b6 10 f7 call 0xf710b6c2
14: f6 44 24 21 02 testb $0x2,0x21(%rsp)
19: 75 4e jne 0x69
1b: 41 f7 c7 00 02 00 00 test $0x200,%r15d
22: 74 01 je 0x25
24: fb sti
25: bf 01 00 00 00 mov $0x1,%edi
* 2a: e8 e3 a9 88 f6 call 0xf688aa12 <-- trapping instruction
2f: 65 8b 05 e4 f2 2b 75 mov %gs:0x752bf2e4(%rip),%eax # 0x752bf31a
36: 85 c0 test %eax,%eax
38: 74 3f je 0x79
3a: 48 rex.W
3b: c7 .byte 0xc7
3c: 04 24 add $0x24,%al
3e: 0e (bad)
3f: 36 ss


Tested on:

commit: 6465e260 Linux 6.6-rc3
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=10b9bde6680000
kernel config: https://syzkaller.appspot.com/x/.config?x=12da82ece7bf46f9
dashboard link: https://syzkaller.appspot.com/bug?extid=29c47e9e51895928698c
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=10c9938a680000

syzbot

Oct 3, 2023, 10:02:48 AM
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+29c47e...@syzkaller.appspotmail.com

Tested on:

commit: 6465e260 Linux 6.6-rc3
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=16c6e3e6680000
kernel config: https://syzkaller.appspot.com/x/.config?x=12da82ece7bf46f9
dashboard link: https://syzkaller.appspot.com/bug?extid=29c47e9e51895928698c
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1090746e680000

Note: testing is done by a robot and is best-effort only.

Edward AD

Oct 3, 2023, 10:24:42 AM
to syzbot+29c47e...@syzkaller.appspotmail.com, agru...@redhat.com, gf...@lists.linux.dev, linux-...@vger.kernel.org, linux-...@vger.kernel.org, rpet...@redhat.com, syzkall...@googlegroups.com
There is a probability that gfs2_put_super will first release gfs2_sbd,
and then execute the callback function gfs2_qd_dealloc of call_rcu to call
the already released sbd opportunity.
Therefore, before releasing gfs2_sbd in gfs2_put_super, execute the rcu
callback function gfs2_qd_dealloc by waiting for "sdp->sd_quota_count == 0" to
avoid such issues.

Reported-and-tested-by: syzbot+29c47e...@syzkaller.appspotmail.com
Signed-off-by: Edward AD <ead...@sina.com>
---
fs/gfs2/super.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/fs/gfs2/super.c b/fs/gfs2/super.c
index 02d93da21b2b..86b68f0eadae 100644
--- a/fs/gfs2/super.c
+++ b/fs/gfs2/super.c
@@ -649,6 +649,8 @@ static void gfs2_put_super(struct super_block *sb)

/* At this point, we're through participating in the lockspace */
gfs2_sys_fs_del(sdp);
+ wait_event(sdp->sd_kill_wait,
+ atomic_read(&sdp->sd_quota_count) == 0);
free_sbd(sdp);
}

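Review bot: the wait_event() added before free_sbd(sdp) only completes if something wakes sdp->sd_kill_wait after sd_quota_count reaches zero, and this hunk adds no wake_up() on the dealloc side. Unless gfs2_qd_dealloc already calls wake_up(&sdp->sd_kill_wait) after its atomic_dec_and_test, unmount will sleep here forever, and because wait_event() is uninterruptible that cannot be recovered from user space. The commit message should state where the matching wake-up happens (or the pair could be made explicit with wait_var_event()/wake_up_var() on sd_quota_count), and a one-line comment above the wait saying that deferred quota destructors still dereference sdp would tell the next reader why the wait sits right before free_sbd(sdp).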
--
2.25.1
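To make the ordering the thread is arguing about concrete, here is an added user-space model; it is not code from the syzbot report, from the gfs2 sources or from Edward AD's patch. A FIFO drained by run_deferred() stands in for call_rcu(), a poison flag on the object stands in for KASAN's poisoned shadow (so an access after free is counted instead of being undefined behaviour), and the names sbd, quota_entry, qd_dealloc, put_super_buggy and put_super_fixed are constructed for the model. put_super_buggy() frees the superblock-private object while destructors that still point at it are queued, which is the report's slab-use-after-free; put_super_fixed() drains the queue until the quota count is zero first, which is the ordering the posted wait_event() enforces. The model polls in a loop where the kernel patch sleeps, so it does not show the wake-up that a real wait_event() needs.

```c
#include <stdio.h>
#include <stdlib.h>

#define MAX_DEFERRED 16
#define MAX_QUARANTINE 4

/* Constructed stand-in for struct gfs2_sbd. */
struct sbd {
    int quota_count;   /* models atomic sd_quota_count: quota entries still alive */
    int poisoned;      /* set by free_sbd(); models KASAN's poisoned shadow bytes */
};

/* Constructed stand-in for a quota entry whose destructor runs deferred. */
struct quota_entry {
    struct sbd *owner; /* back-pointer the deferred destructor dereferences */
};

typedef void (*deferred_fn)(void *arg);
struct deferred { deferred_fn fn; void *arg; };

static struct deferred queue[MAX_DEFERRED];  /* models the call_rcu() callback list */
static int q_len;
static struct sbd *quarantine[MAX_QUARANTINE]; /* models KASAN's free quarantine */
static int quarantine_len;
static int uaf_count;                          /* accesses to a poisoned sbd */

static void defer(deferred_fn fn, void *arg) {
    if (q_len == MAX_DEFERRED) abort();
    queue[q_len++] = (struct deferred){fn, arg};
}

/* Run every queued callback, as rcu_do_batch() does for call_rcu() callbacks. */
static void run_deferred(void) {
    for (int i = 0; i < q_len; i++) queue[i].fn(queue[i].arg);
    q_len = 0;
}

/* Poison and quarantine instead of returning the memory to the heap, so a
 * later access is reported (like KASAN) rather than being undefined. */
static void free_sbd(struct sbd *sdp) {
    if (quarantine_len == MAX_QUARANTINE) abort();
    sdp->poisoned = 1;
    quarantine[quarantine_len++] = sdp;
}

static void quarantine_flush(void) {
    for (int i = 0; i < quarantine_len; i++) free(quarantine[i]);
    quarantine_len = 0;
}

/* Deferred destructor modelled on gfs2_qd_dealloc(): it touches the owning
 * sbd after the quota entry itself has been torn down. */
static void qd_dealloc(void *arg) {
    struct quota_entry *qd = arg;
    struct sbd *sdp = qd->owner;
    if (sdp->poisoned)
        uaf_count++;           /* KASAN would print slab-use-after-free here */
    else
        sdp->quota_count--;    /* the atomic_dec_and_test() in the report */
    free(qd);
}

/* Build an sbd with nquota entries and hand each entry to the deferred path,
 * as the quota purge during unmount does. */
static struct sbd *mount_sbd(int nquota) {
    struct sbd *sdp = calloc(1, sizeof *sdp);
    if (!sdp) abort();
    for (int i = 0; i < nquota; i++) {
        struct quota_entry *qd = malloc(sizeof *qd);
        if (!qd) abort();
        qd->owner = sdp;
        sdp->quota_count++;
        defer(qd_dealloc, qd);
    }
    return sdp;
}

/* Buggy ordering: the sbd is freed while destructors that use it are pending.
 * Returns the number of use-after-free accesses observed. */
int put_super_buggy(int nquota) {
    uaf_count = 0;
    struct sbd *sdp = mount_sbd(nquota);
    free_sbd(sdp);
    run_deferred();
    quarantine_flush();
    return uaf_count;
}

/* Fixed ordering: drain deferred work until nothing references the sbd, then
 * free it. The loop plays the role of wait_event(..., sd_quota_count == 0). */
int put_super_fixed(int nquota) {
    uaf_count = 0;
    struct sbd *sdp = mount_sbd(nquota);
    while (sdp->quota_count != 0) run_deferred();
    free_sbd(sdp);
    quarantine_flush();
    return uaf_count;
}

int main(void) {
    printf("buggy ordering: %d use-after-free accesses\n", put_super_buggy(3));
    printf("fixed ordering: %d use-after-free accesses\n", put_super_fixed(3));
    return 0;
}
```

The model keeps the kernel's shape: the object is freed by the unmount path while a deferred callback that holds a raw back-pointer has not yet run, and the fix is to make the owner's lifetime outlast every deferred user rather than to make the callback tolerate a freed owner.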
