[syzbot] KASAN: use-after-free Read in btrfs_scan_one_device (2)
8 views
Skip to first unread message
syzbot
Mar 3, 2022, 5:35:20 AM3/3/22
to c...@fb.com, dst...@suse.com, jo...@toxicpanda.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, terr...@fb.com
Hello,
syzbot found the following issue on:
HEAD commit: 2293be58d6a1 Merge tag 'trace-v5.17-rc4' of git://git.kern..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15f8b2d4700000
kernel config: https://syzkaller.appspot.com/x/.config?x=5f28851401b410e5
dashboard link: https://syzkaller.appspot.com/bug?extid=82650a4e0ed38f218363
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=152ee696700000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11739502700000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+82650a...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in btrfs_printk+0x395/0x425 fs/btrfs/super.c:244
Read of size 8 at addr ffff8880237906d8 by task udevd/3694
CPU: 1 PID: 3694 Comm: udevd Not tainted 5.17.0-rc5-syzkaller-00306-g2293be58d6a1 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description.constprop.0.cold+0x8d/0x303 mm/kasan/report.c:255
__kasan_report mm/kasan/report.c:442 [inline]
kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
btrfs_printk+0x395/0x425 fs/btrfs/super.c:244
device_list_add.cold+0xd7/0x2ed fs/btrfs/volumes.c:957
btrfs_scan_one_device+0x4c7/0x5c0 fs/btrfs/volumes.c:1387
btrfs_control_ioctl+0x12a/0x2d0 fs/btrfs/super.c:2409
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:874 [inline]
__se_sys_ioctl fs/ioctl.c:860 [inline]
__x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f86e0e090e7
Code: 3c 1c e8 1c ff ff ff 85 c0 79 87 49 c7 c4 ff ff ff ff 5b 5d 4c 89 e0 41 5c c3 66 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 61 9d 0c 00 f7 d8 64 89 01 48
RSP: 002b:00007ffcb6ec2788 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f86e0e090e7
RDX: 00007ffcb6ec2798 RSI: 0000000090009427 RDI: 0000000000000009
RBP: 0000000000000009 R08: 000055f3f60246f0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffcb6ec37d8 R14: 000055f3f7c4fbc0 R15: 00007f86e0cac6c0
</TASK>
Allocated by task 3672:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
kasan_set_track mm/kasan/common.c:45 [inline]
set_alloc_info mm/kasan/common.c:436 [inline]
____kasan_kmalloc mm/kasan/common.c:515 [inline]
____kasan_kmalloc mm/kasan/common.c:474 [inline]
__kasan_kmalloc+0xa6/0xd0 mm/kasan/common.c:524
kmalloc_node include/linux/slab.h:604 [inline]
kvmalloc_node+0x97/0x100 mm/util.c:580
kvmalloc include/linux/slab.h:731 [inline]
kvzalloc include/linux/slab.h:739 [inline]
btrfs_mount_root+0x118/0xc10 fs/btrfs/super.c:1665
legacy_get_tree+0x105/0x220 fs/fs_context.c:610
vfs_get_tree+0x89/0x2f0 fs/super.c:1497
fc_mount fs/namespace.c:1030 [inline]
vfs_kern_mount.part.0+0xd3/0x170 fs/namespace.c:1060
vfs_kern_mount+0x3c/0x60 fs/namespace.c:1047
btrfs_mount+0x234/0xa60 fs/btrfs/super.c:1784
legacy_get_tree+0x105/0x220 fs/fs_context.c:610
vfs_get_tree+0x89/0x2f0 fs/super.c:1497
do_new_mount fs/namespace.c:3024 [inline]
path_mount+0x1320/0x1fa0 fs/namespace.c:3354
do_mount fs/namespace.c:3367 [inline]
__do_sys_mount fs/namespace.c:3575 [inline]
__se_sys_mount fs/namespace.c:3552 [inline]
__x64_sys_mount+0x27f/0x300 fs/namespace.c:3552
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
Freed by task 3672:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
kasan_set_track+0x21/0x30 mm/kasan/common.c:45
kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
____kasan_slab_free mm/kasan/common.c:366 [inline]
____kasan_slab_free+0xff/0x140 mm/kasan/common.c:328
kasan_slab_free include/linux/kasan.h:236 [inline]
__cache_free mm/slab.c:3437 [inline]
kfree+0xf8/0x2b0 mm/slab.c:3794
kvfree+0x42/0x50 mm/util.c:613
deactivate_locked_super+0x94/0x160 fs/super.c:332
btrfs_mount_root+0x78e/0xc10 fs/btrfs/super.c:1730
legacy_get_tree+0x105/0x220 fs/fs_context.c:610
vfs_get_tree+0x89/0x2f0 fs/super.c:1497
fc_mount fs/namespace.c:1030 [inline]
vfs_kern_mount.part.0+0xd3/0x170 fs/namespace.c:1060
vfs_kern_mount+0x3c/0x60 fs/namespace.c:1047
btrfs_mount+0x234/0xa60 fs/btrfs/super.c:1784
legacy_get_tree+0x105/0x220 fs/fs_context.c:610
vfs_get_tree+0x89/0x2f0 fs/super.c:1497
do_new_mount fs/namespace.c:3024 [inline]
path_mount+0x1320/0x1fa0 fs/namespace.c:3354
do_mount fs/namespace.c:3367 [inline]
__do_sys_mount fs/namespace.c:3575 [inline]
__se_sys_mount fs/namespace.c:3552 [inline]
__x64_sys_mount+0x27f/0x300 fs/namespace.c:3552
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
The buggy address belongs to the object at ffff888023790000
which belongs to the cache kmalloc-16k of size 16384
The buggy address is located 1752 bytes inside of
16384-byte region [ffff888023790000, ffff888023794000)
The buggy address belongs to the page:
page:ffffea00008de400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x23790
head:ffffea00008de400 order:3 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 ffffea0000990008 ffffea000098fe08 ffff888010c40b00
raw: 0000000000000000 ffff888023790000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x2520c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_THISNODE), pid 3672, ts 53936584194, free_ts 53419420055
prep_new_page mm/page_alloc.c:2434 [inline]
get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4165
__alloc_pages+0x1b2/0x500 mm/page_alloc.c:5389
__alloc_pages_node include/linux/gfp.h:572 [inline]
kmem_getpages mm/slab.c:1378 [inline]
cache_grow_begin+0x75/0x390 mm/slab.c:2584
cache_alloc_refill+0x27f/0x380 mm/slab.c:2957
____cache_alloc mm/slab.c:3040 [inline]
____cache_alloc mm/slab.c:3023 [inline]
slab_alloc_node mm/slab.c:3241 [inline]
kmem_cache_alloc_node_trace+0x49c/0x5b0 mm/slab.c:3609
__do_kmalloc_node mm/slab.c:3631 [inline]
__kmalloc_node+0x38/0x60 mm/slab.c:3639
kmalloc_node include/linux/slab.h:604 [inline]
kvmalloc_node+0x97/0x100 mm/util.c:580
kvmalloc include/linux/slab.h:731 [inline]
kvzalloc include/linux/slab.h:739 [inline]
btrfs_mount_root+0x118/0xc10 fs/btrfs/super.c:1665
legacy_get_tree+0x105/0x220 fs/fs_context.c:610
vfs_get_tree+0x89/0x2f0 fs/super.c:1497
fc_mount fs/namespace.c:1030 [inline]
vfs_kern_mount.part.0+0xd3/0x170 fs/namespace.c:1060
vfs_kern_mount+0x3c/0x60 fs/namespace.c:1047
btrfs_mount+0x234/0xa60 fs/btrfs/super.c:1784
legacy_get_tree+0x105/0x220 fs/fs_context.c:610
vfs_get_tree+0x89/0x2f0 fs/super.c:1497
do_new_mount fs/namespace.c:3024 [inline]
path_mount+0x1320/0x1fa0 fs/namespace.c:3354
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1352 [inline]
free_pcp_prepare+0x374/0x870 mm/page_alloc.c:1404
free_unref_page_prepare mm/page_alloc.c:3325 [inline]
free_unref_page+0x19/0x690 mm/page_alloc.c:3404
__put_page+0x193/0x1e0 mm/swap.c:128
folio_put include/linux/mm.h:1199 [inline]
put_page include/linux/mm.h:1237 [inline]
do_exit+0x1f5f/0x2a30 kernel/exit.c:845
do_group_exit+0xd2/0x2f0 kernel/exit.c:935
__do_sys_exit_group kernel/exit.c:946 [inline]
__se_sys_exit_group kernel/exit.c:944 [inline]
__x64_sys_exit_group+0x3a/0x50 kernel/exit.c:944
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
Memory state around the buggy address:
ffff888023790580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888023790600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888023790680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888023790700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888023790780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following issue on:
HEAD commit: 2293be58d6a1 Merge tag 'trace-v5.17-rc4' of git://git.kern..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15f8b2d4700000
kernel config: https://syzkaller.appspot.com/x/.config?x=5f28851401b410e5
dashboard link: https://syzkaller.appspot.com/bug?extid=82650a4e0ed38f218363
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=152ee696700000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11739502700000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+82650a...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in btrfs_printk+0x395/0x425 fs/btrfs/super.c:244
Read of size 8 at addr ffff8880237906d8 by task udevd/3694
CPU: 1 PID: 3694 Comm: udevd Not tainted 5.17.0-rc5-syzkaller-00306-g2293be58d6a1 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description.constprop.0.cold+0x8d/0x303 mm/kasan/report.c:255
__kasan_report mm/kasan/report.c:442 [inline]
kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
btrfs_printk+0x395/0x425 fs/btrfs/super.c:244
device_list_add.cold+0xd7/0x2ed fs/btrfs/volumes.c:957
btrfs_scan_one_device+0x4c7/0x5c0 fs/btrfs/volumes.c:1387
btrfs_control_ioctl+0x12a/0x2d0 fs/btrfs/super.c:2409
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:874 [inline]
__se_sys_ioctl fs/ioctl.c:860 [inline]
__x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f86e0e090e7
Code: 3c 1c e8 1c ff ff ff 85 c0 79 87 49 c7 c4 ff ff ff ff 5b 5d 4c 89 e0 41 5c c3 66 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 61 9d 0c 00 f7 d8 64 89 01 48
RSP: 002b:00007ffcb6ec2788 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f86e0e090e7
RDX: 00007ffcb6ec2798 RSI: 0000000090009427 RDI: 0000000000000009
RBP: 0000000000000009 R08: 000055f3f60246f0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffcb6ec37d8 R14: 000055f3f7c4fbc0 R15: 00007f86e0cac6c0
</TASK>
Allocated by task 3672:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
kasan_set_track mm/kasan/common.c:45 [inline]
set_alloc_info mm/kasan/common.c:436 [inline]
____kasan_kmalloc mm/kasan/common.c:515 [inline]
____kasan_kmalloc mm/kasan/common.c:474 [inline]
__kasan_kmalloc+0xa6/0xd0 mm/kasan/common.c:524
kmalloc_node include/linux/slab.h:604 [inline]
kvmalloc_node+0x97/0x100 mm/util.c:580
kvmalloc include/linux/slab.h:731 [inline]
kvzalloc include/linux/slab.h:739 [inline]
btrfs_mount_root+0x118/0xc10 fs/btrfs/super.c:1665
legacy_get_tree+0x105/0x220 fs/fs_context.c:610
vfs_get_tree+0x89/0x2f0 fs/super.c:1497
fc_mount fs/namespace.c:1030 [inline]
vfs_kern_mount.part.0+0xd3/0x170 fs/namespace.c:1060
vfs_kern_mount+0x3c/0x60 fs/namespace.c:1047
btrfs_mount+0x234/0xa60 fs/btrfs/super.c:1784
legacy_get_tree+0x105/0x220 fs/fs_context.c:610
vfs_get_tree+0x89/0x2f0 fs/super.c:1497
do_new_mount fs/namespace.c:3024 [inline]
path_mount+0x1320/0x1fa0 fs/namespace.c:3354
do_mount fs/namespace.c:3367 [inline]
__do_sys_mount fs/namespace.c:3575 [inline]
__se_sys_mount fs/namespace.c:3552 [inline]
__x64_sys_mount+0x27f/0x300 fs/namespace.c:3552
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
Freed by task 3672:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
kasan_set_track+0x21/0x30 mm/kasan/common.c:45
kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
____kasan_slab_free mm/kasan/common.c:366 [inline]
____kasan_slab_free+0xff/0x140 mm/kasan/common.c:328
kasan_slab_free include/linux/kasan.h:236 [inline]
__cache_free mm/slab.c:3437 [inline]
kfree+0xf8/0x2b0 mm/slab.c:3794
kvfree+0x42/0x50 mm/util.c:613
deactivate_locked_super+0x94/0x160 fs/super.c:332
btrfs_mount_root+0x78e/0xc10 fs/btrfs/super.c:1730
legacy_get_tree+0x105/0x220 fs/fs_context.c:610
vfs_get_tree+0x89/0x2f0 fs/super.c:1497
fc_mount fs/namespace.c:1030 [inline]
vfs_kern_mount.part.0+0xd3/0x170 fs/namespace.c:1060
vfs_kern_mount+0x3c/0x60 fs/namespace.c:1047
btrfs_mount+0x234/0xa60 fs/btrfs/super.c:1784
legacy_get_tree+0x105/0x220 fs/fs_context.c:610
vfs_get_tree+0x89/0x2f0 fs/super.c:1497
do_new_mount fs/namespace.c:3024 [inline]
path_mount+0x1320/0x1fa0 fs/namespace.c:3354
do_mount fs/namespace.c:3367 [inline]
__do_sys_mount fs/namespace.c:3575 [inline]
__se_sys_mount fs/namespace.c:3552 [inline]
__x64_sys_mount+0x27f/0x300 fs/namespace.c:3552
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
The buggy address belongs to the object at ffff888023790000
which belongs to the cache kmalloc-16k of size 16384
The buggy address is located 1752 bytes inside of
16384-byte region [ffff888023790000, ffff888023794000)
The buggy address belongs to the page:
page:ffffea00008de400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x23790
head:ffffea00008de400 order:3 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 ffffea0000990008 ffffea000098fe08 ffff888010c40b00
raw: 0000000000000000 ffff888023790000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x2520c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_THISNODE), pid 3672, ts 53936584194, free_ts 53419420055
prep_new_page mm/page_alloc.c:2434 [inline]
get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4165
__alloc_pages+0x1b2/0x500 mm/page_alloc.c:5389
__alloc_pages_node include/linux/gfp.h:572 [inline]
kmem_getpages mm/slab.c:1378 [inline]
cache_grow_begin+0x75/0x390 mm/slab.c:2584
cache_alloc_refill+0x27f/0x380 mm/slab.c:2957
____cache_alloc mm/slab.c:3040 [inline]
____cache_alloc mm/slab.c:3023 [inline]
slab_alloc_node mm/slab.c:3241 [inline]
kmem_cache_alloc_node_trace+0x49c/0x5b0 mm/slab.c:3609
__do_kmalloc_node mm/slab.c:3631 [inline]
__kmalloc_node+0x38/0x60 mm/slab.c:3639
kmalloc_node include/linux/slab.h:604 [inline]
kvmalloc_node+0x97/0x100 mm/util.c:580
kvmalloc include/linux/slab.h:731 [inline]
kvzalloc include/linux/slab.h:739 [inline]
btrfs_mount_root+0x118/0xc10 fs/btrfs/super.c:1665
legacy_get_tree+0x105/0x220 fs/fs_context.c:610
vfs_get_tree+0x89/0x2f0 fs/super.c:1497
fc_mount fs/namespace.c:1030 [inline]
vfs_kern_mount.part.0+0xd3/0x170 fs/namespace.c:1060
vfs_kern_mount+0x3c/0x60 fs/namespace.c:1047
btrfs_mount+0x234/0xa60 fs/btrfs/super.c:1784
legacy_get_tree+0x105/0x220 fs/fs_context.c:610
vfs_get_tree+0x89/0x2f0 fs/super.c:1497
do_new_mount fs/namespace.c:3024 [inline]
path_mount+0x1320/0x1fa0 fs/namespace.c:3354
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1352 [inline]
free_pcp_prepare+0x374/0x870 mm/page_alloc.c:1404
free_unref_page_prepare mm/page_alloc.c:3325 [inline]
free_unref_page+0x19/0x690 mm/page_alloc.c:3404
__put_page+0x193/0x1e0 mm/swap.c:128
folio_put include/linux/mm.h:1199 [inline]
put_page include/linux/mm.h:1237 [inline]
do_exit+0x1f5f/0x2a30 kernel/exit.c:845
do_group_exit+0xd2/0x2f0 kernel/exit.c:935
__do_sys_exit_group kernel/exit.c:946 [inline]
__se_sys_exit_group kernel/exit.c:944 [inline]
__x64_sys_exit_group+0x3a/0x50 kernel/exit.c:944
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
Memory state around the buggy address:
ffff888023790580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888023790600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888023790680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888023790700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888023790780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
Dongliang Mu
Mar 3, 2022, 6:13:35 AM3/3/22
to syzbot, c...@fb.com, David Sterba, jo...@toxicpanda.com, linux...@vger.kernel.org, linux-kernel, syzkaller-bugs, terr...@fb.com
Fix this by modifying another site using fs_info.
I will push a patch request later.
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bug...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/00000000000066b78e05d94df48b%40google.com.
syzbot
Mar 3, 2022, 7:08:10 AM3/3/22
to mudongl...@gmail.com, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+82650a...@syzkaller.appspotmail.com
Tested on:
commit: 5859a2b1 Merge branch 'ucount-rlimit-fixes-for-v5.17' ..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git --
kernel config: https://syzkaller.appspot.com/x/.config?x=542b2708133cc492
Note: testing is done by a robot and is best-effort only.
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+82650a...@syzkaller.appspotmail.com
Tested on:
commit: 5859a2b1 Merge branch 'ucount-rlimit-fixes-for-v5.17' ..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git --
kernel config: https://syzkaller.appspot.com/x/.config?x=542b2708133cc492
dashboard link: https://syzkaller.appspot.com/bug?extid=82650a4e0ed38f218363
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=14a9a7e6700000
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
Note: testing is done by a robot and is best-effort only.
Hillf Danton
Mar 3, 2022, 8:43:31 PM3/3/22
to syzbot, Anand Jain, dst...@suse.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Thu, 03 Mar 2022 02:35:19 -0800
Device is closed with the uuid_mutex held in btrfs_close_devices(), and
given uuid_mutex asserted in btrfs_scan_one_device(), the trigger of the
report is fs_info was freed by btrfs_kill_super() without deattaching it
from device.
Hillf
#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ 2293be58d6a1
--- x/fs/btrfs/super.c
+++ y/fs/btrfs/super.c
@@ -1644,6 +1644,7 @@ static struct dentry *btrfs_mount_root(s
void *new_sec_opts = NULL;
fmode_t mode = FMODE_READ;
int error = 0;
+ int closed = 0;
if (!(flags & SB_RDONLY))
mode |= FMODE_WRITE;
@@ -1712,6 +1713,7 @@ static struct dentry *btrfs_mount_root(s
}
if (s->s_root) {
+ closed = 1;
btrfs_close_devices(fs_devices);
btrfs_free_fs_info(fs_info);
if ((flags ^ s->s_flags) & SB_RDONLY)
@@ -1727,6 +1729,8 @@ static struct dentry *btrfs_mount_root(s
error = security_sb_set_mnt_opts(s, new_sec_opts, 0, NULL);
security_free_mnt_opts(&new_sec_opts);
if (error) {
+ if (!closed)
+ btrfs_close_devices(fs_devices);
deactivate_locked_super(s);
return ERR_PTR(error);
}
--
given uuid_mutex asserted in btrfs_scan_one_device(), the trigger of the
report is fs_info was freed by btrfs_kill_super() without deattaching it
from device.
Hillf
#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ 2293be58d6a1
--- x/fs/btrfs/super.c
+++ y/fs/btrfs/super.c
@@ -1644,6 +1644,7 @@ static struct dentry *btrfs_mount_root(s
void *new_sec_opts = NULL;
fmode_t mode = FMODE_READ;
int error = 0;
+ int closed = 0;
if (!(flags & SB_RDONLY))
mode |= FMODE_WRITE;
@@ -1712,6 +1713,7 @@ static struct dentry *btrfs_mount_root(s
}
if (s->s_root) {
+ closed = 1;
btrfs_close_devices(fs_devices);
btrfs_free_fs_info(fs_info);
if ((flags ^ s->s_flags) & SB_RDONLY)
@@ -1727,6 +1729,8 @@ static struct dentry *btrfs_mount_root(s
error = security_sb_set_mnt_opts(s, new_sec_opts, 0, NULL);
security_free_mnt_opts(&new_sec_opts);
if (error) {
+ if (!closed)
+ btrfs_close_devices(fs_devices);
deactivate_locked_super(s);
return ERR_PTR(error);
}
--
syzbot
Mar 3, 2022, 9:08:15 PM3/3/22
to anand...@oracle.com, dst...@suse.com, hda...@sina.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in invalidate_bdev
general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
CPU: 1 PID: 4000 Comm: syz-executor143 Not tainted 5.17.0-rc5-syzkaller-00306-g2293be58d6a1-dirty #0
Code: fe 66 2e 0f 1f 84 00 00 00 00 00 55 53 48 89 fb e8 46 02 b2 fd 48 8d 7b 30 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 93 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 8b
RSP: 0018:ffffc90000e07840 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000006 RSI: ffffffff83c5df9a RDI: 0000000000000030
RBP: ffff888026948000 R08: 0000000000000000 R09: ffffffff8b814683
R10: fffffbfff17028d0 R11: 0000000000000001 R12: ffff88802b5095c0
R13: 0000000000000001 R14: 0000000000000001 R15: ffff88801fb54000
FS: 00007fc526ad8700(0000) GS:ffff88802cb00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005614541cd000 CR3: 0000000022cb3000 CR4: 0000000000150ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
open_ctree+0xacf/0x4817 fs/btrfs/disk-io.c:3389
btrfs_fill_super fs/btrfs/super.c:1358 [inline]
btrfs_mount_root.cold+0x15/0x1a2 fs/btrfs/super.c:1726
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fc526ad82f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007fc526bb13e0 RCX: 00007fc526b2c2a9
RDX: 0000000020000140 RSI: 0000000020000100 RDI: 0000000020000080
RBP: 0030656c69662f2e R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000003 R11: 0000000000000246 R12: 00007fc526b7d478
R13: 00007fc526b7d1f0 R14: 00007fc526b7d0a8 R15: 00007fc526bb13e8
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:invalidate_bdev+0x1f/0xd0 block/bdev.c:83
Code: fe 66 2e 0f 1f 84 00 00 00 00 00 55 53 48 89 fb e8 46 02 b2 fd 48 8d 7b 30 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 93 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 8b
RSP: 0018:ffffc90000e07840 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000006 RSI: ffffffff83c5df9a RDI: 0000000000000030
RBP: ffff888026948000 R08: 0000000000000000 R09: ffffffff8b814683
R10: fffffbfff17028d0 R11: 0000000000000001 R12: ffff88802b5095c0
R13: 0000000000000001 R14: 0000000000000001 R15: ffff88801fb54000
FS: 00007fc526ad8700(0000) GS:ffff88802cb00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005614541cd000 CR3: 0000000022cb3000 CR4: 0000000000150ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess), 1 bytes skipped:
0: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1)
7: 00 00 00
a: 55 push %rbp
b: 53 push %rbx
c: 48 89 fb mov %rdi,%rbx
f: e8 46 02 b2 fd callq 0xfdb2025a
14: 48 8d 7b 30 lea 0x30(%rbx),%rdi
18: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
1f: fc ff df
22: 48 89 fa mov %rdi,%rdx
25: 48 c1 ea 03 shr $0x3,%rdx
* 29: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction
2d: 0f 85 93 00 00 00 jne 0xc6
33: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
3a: fc ff df
3d: 48 rex.W
3e: 8b .byte 0x8b
Tested on:
commit: 2293be58 Merge tag 'trace-v5.17-rc4' of git://git.kern..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
console output: https://syzkaller.appspot.com/x/log.txt?x=13d047e1700000
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in invalidate_bdev
general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
CPU: 1 PID: 4000 Comm: syz-executor143 Not tainted 5.17.0-rc5-syzkaller-00306-g2293be58d6a1-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
RIP: 0010:invalidate_bdev+0x1f/0xd0 block/bdev.c:83
Code: fe 66 2e 0f 1f 84 00 00 00 00 00 55 53 48 89 fb e8 46 02 b2 fd 48 8d 7b 30 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 93 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 8b
RSP: 0018:ffffc90000e07840 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000006 RSI: ffffffff83c5df9a RDI: 0000000000000030
RBP: ffff888026948000 R08: 0000000000000000 R09: ffffffff8b814683
R10: fffffbfff17028d0 R11: 0000000000000001 R12: ffff88802b5095c0
R13: 0000000000000001 R14: 0000000000000001 R15: ffff88801fb54000
FS: 00007fc526ad8700(0000) GS:ffff88802cb00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005614541cd000 CR3: 0000000022cb3000 CR4: 0000000000150ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
open_ctree+0xacf/0x4817 fs/btrfs/disk-io.c:3389
btrfs_fill_super fs/btrfs/super.c:1358 [inline]
btrfs_mount_root.cold+0x15/0x1a2 fs/btrfs/super.c:1726
legacy_get_tree+0x105/0x220 fs/fs_context.c:610
vfs_get_tree+0x89/0x2f0 fs/super.c:1497
fc_mount fs/namespace.c:1030 [inline]
vfs_kern_mount.part.0+0xd3/0x170 fs/namespace.c:1060
vfs_kern_mount+0x3c/0x60 fs/namespace.c:1047
btrfs_mount+0x234/0xa60 fs/btrfs/super.c:1788
vfs_get_tree+0x89/0x2f0 fs/super.c:1497
fc_mount fs/namespace.c:1030 [inline]
vfs_kern_mount.part.0+0xd3/0x170 fs/namespace.c:1060
vfs_kern_mount+0x3c/0x60 fs/namespace.c:1047
legacy_get_tree+0x105/0x220 fs/fs_context.c:610
vfs_get_tree+0x89/0x2f0 fs/super.c:1497
do_new_mount fs/namespace.c:3024 [inline]
path_mount+0x1320/0x1fa0 fs/namespace.c:3354
do_mount fs/namespace.c:3367 [inline]
__do_sys_mount fs/namespace.c:3575 [inline]
__se_sys_mount fs/namespace.c:3552 [inline]
__x64_sys_mount+0x27f/0x300 fs/namespace.c:3552
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fc526b2c2a9
vfs_get_tree+0x89/0x2f0 fs/super.c:1497
do_new_mount fs/namespace.c:3024 [inline]
path_mount+0x1320/0x1fa0 fs/namespace.c:3354
do_mount fs/namespace.c:3367 [inline]
__do_sys_mount fs/namespace.c:3575 [inline]
__se_sys_mount fs/namespace.c:3552 [inline]
__x64_sys_mount+0x27f/0x300 fs/namespace.c:3552
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fc526ad82f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007fc526bb13e0 RCX: 00007fc526b2c2a9
RDX: 0000000020000140 RSI: 0000000020000100 RDI: 0000000020000080
RBP: 0030656c69662f2e R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000003 R11: 0000000000000246 R12: 00007fc526b7d478
R13: 00007fc526b7d1f0 R14: 00007fc526b7d0a8 R15: 00007fc526bb13e8
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:invalidate_bdev+0x1f/0xd0 block/bdev.c:83
Code: fe 66 2e 0f 1f 84 00 00 00 00 00 55 53 48 89 fb e8 46 02 b2 fd 48 8d 7b 30 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 93 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 8b
RSP: 0018:ffffc90000e07840 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000006 RSI: ffffffff83c5df9a RDI: 0000000000000030
RBP: ffff888026948000 R08: 0000000000000000 R09: ffffffff8b814683
R10: fffffbfff17028d0 R11: 0000000000000001 R12: ffff88802b5095c0
R13: 0000000000000001 R14: 0000000000000001 R15: ffff88801fb54000
FS: 00007fc526ad8700(0000) GS:ffff88802cb00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005614541cd000 CR3: 0000000022cb3000 CR4: 0000000000150ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess), 1 bytes skipped:
0: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1)
7: 00 00 00
a: 55 push %rbp
b: 53 push %rbx
c: 48 89 fb mov %rdi,%rbx
f: e8 46 02 b2 fd callq 0xfdb2025a
14: 48 8d 7b 30 lea 0x30(%rbx),%rdi
18: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
1f: fc ff df
22: 48 89 fa mov %rdi,%rdx
25: 48 c1 ea 03 shr $0x3,%rdx
* 29: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction
2d: 0f 85 93 00 00 00 jne 0xc6
33: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
3a: fc ff df
3d: 48 rex.W
3e: 8b .byte 0x8b
Tested on:
commit: 2293be58 Merge tag 'trace-v5.17-rc4' of git://git.kern..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
console output: https://syzkaller.appspot.com/x/log.txt?x=13d047e1700000
kernel config: https://syzkaller.appspot.com/x/.config?x=5f28851401b410e5
dashboard link: https://syzkaller.appspot.com/bug?extid=82650a4e0ed38f218363
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=133011f1700000
dashboard link: https://syzkaller.appspot.com/bug?extid=82650a4e0ed38f218363
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
Anand Jain
Mar 3, 2022, 10:23:43 PM3/3/22
to syzbot, dst...@suse.com, hda...@sina.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
::
> Tested on:
>
> commit: 2293be58 Merge tag 'trace-v5.17-rc4' of git://git.kern..
> git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
::
>
> commit: 2293be58 Merge tag 'trace-v5.17-rc4' of git://git.kern..
> git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
> patch: https://syzkaller.appspot.com/x/patch.diff?x=133011f1700000
There is no commit id in the patch. The patch diff doesn't match any
changes in the current misc-next?
Thanks, Anand
Hillf Danton
Mar 4, 2022, 12:22:49 AM3/4/22
to syzbot, anand...@oracle.com, dst...@suse.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Thu, 03 Mar 2022 18:08:14 -0800
Check if fs_devices->latest_dev and fs_devices->latest_dev->bdev are stable
using the uuid_mutex.
diff -pur a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
--- a/fs/btrfs/disk-io.c 2022-03-04 12:03:46.496257700 +0800
+++ b/fs/btrfs/disk-io.c 2022-03-04 12:51:44.296744400 +0800
@@ -3386,7 +3386,9 @@ int __cold open_ctree(struct super_block
mapping_set_gfp_mask(fs_info->btree_inode->i_mapping, GFP_NOFS);
btrfs_init_btree_inode(fs_info);
- invalidate_bdev(fs_devices->latest_dev->bdev);
+ err = btrfs_invalidate_bdev(fs_devices);
+ if (err)
+ goto fail;
/*
* Read super block and check the signature bytes only
diff -pur a/fs/btrfs/super.c b/fs/btrfs/super.c
--- a/fs/btrfs/super.c 2022-03-04 11:59:09.105853000 +0800
+++ b/fs/btrfs/super.c 2022-03-04 09:26:58.032689700 +0800
--- a/fs/btrfs/volumes.c 2022-03-04 12:04:04.955810600 +0800
+++ b/fs/btrfs/volumes.c 2022-03-04 12:57:48.406739400 +0800
@@ -1105,6 +1105,20 @@ void btrfs_free_extra_devids(struct btrf
mutex_unlock(&uuid_mutex);
}
+int btrfs_invalidate_bdev(struct btrfs_fs_devices *fs_devices)
+{
+ int err = -ENODEV;
+
+ mutex_lock(&uuid_mutex);
+ if (fs_devices->latest_dev &&
+ fs_devices->latest_dev->bdev) {
+ err = 0;
+ invalidate_bdev(fs_devices->latest_dev->bdev);
+ }
+ mutex_unlock(&uuid_mutex);
+ return err;
+}
+
static void btrfs_close_bdev(struct btrfs_device *device)
{
if (!device->bdev)
diff -pur a/fs/btrfs/volumes.h b/fs/btrfs/volumes.h
--- a/fs/btrfs/volumes.h 2022-03-04 12:04:04.977142800 +0800
+++ b/fs/btrfs/volumes.h 2022-03-04 12:58:19.290341100 +0800
@@ -508,6 +508,7 @@ struct btrfs_device *btrfs_scan_one_devi
int btrfs_forget_devices(const char *path);
void btrfs_close_devices(struct btrfs_fs_devices *fs_devices);
void btrfs_free_extra_devids(struct btrfs_fs_devices *fs_devices);
+int btrfs_invalidate_bdev(struct btrfs_fs_devices *fs_devices);
void btrfs_assign_next_active_device(struct btrfs_device *device,
struct btrfs_device *this_dev);
struct btrfs_device *btrfs_find_device_by_devspec(struct btrfs_fs_info *fs_info,
--
using the uuid_mutex.
diff -pur a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
--- a/fs/btrfs/disk-io.c 2022-03-04 12:03:46.496257700 +0800
+++ b/fs/btrfs/disk-io.c 2022-03-04 12:51:44.296744400 +0800
@@ -3386,7 +3386,9 @@ int __cold open_ctree(struct super_block
mapping_set_gfp_mask(fs_info->btree_inode->i_mapping, GFP_NOFS);
btrfs_init_btree_inode(fs_info);
- invalidate_bdev(fs_devices->latest_dev->bdev);
+ err = btrfs_invalidate_bdev(fs_devices);
+ if (err)
+ goto fail;
/*
* Read super block and check the signature bytes only
diff -pur a/fs/btrfs/super.c b/fs/btrfs/super.c
--- a/fs/btrfs/super.c 2022-03-04 11:59:09.105853000 +0800
+++ b/fs/btrfs/super.c 2022-03-04 09:26:58.032689700 +0800
@@ -1644,6 +1644,7 @@ static struct dentry *btrfs_mount_root(s
void *new_sec_opts = NULL;
fmode_t mode = FMODE_READ;
int error = 0;
+ int closed = 0;
if (!(flags & SB_RDONLY))
mode |= FMODE_WRITE;
@@ -1712,6 +1713,7 @@ static struct dentry *btrfs_mount_root(s
}
if (s->s_root) {
+ closed = 1;
btrfs_close_devices(fs_devices);
btrfs_free_fs_info(fs_info);
if ((flags ^ s->s_flags) & SB_RDONLY)
@@ -1727,6 +1729,8 @@ static struct dentry *btrfs_mount_root(s
error = security_sb_set_mnt_opts(s, new_sec_opts, 0, NULL);
security_free_mnt_opts(&new_sec_opts);
if (error) {
+ if (!closed)
+ btrfs_close_devices(fs_devices);
deactivate_locked_super(s);
return ERR_PTR(error);
}
diff -pur a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
void *new_sec_opts = NULL;
fmode_t mode = FMODE_READ;
int error = 0;
+ int closed = 0;
if (!(flags & SB_RDONLY))
mode |= FMODE_WRITE;
@@ -1712,6 +1713,7 @@ static struct dentry *btrfs_mount_root(s
}
if (s->s_root) {
+ closed = 1;
btrfs_close_devices(fs_devices);
btrfs_free_fs_info(fs_info);
if ((flags ^ s->s_flags) & SB_RDONLY)
@@ -1727,6 +1729,8 @@ static struct dentry *btrfs_mount_root(s
error = security_sb_set_mnt_opts(s, new_sec_opts, 0, NULL);
security_free_mnt_opts(&new_sec_opts);
if (error) {
+ if (!closed)
+ btrfs_close_devices(fs_devices);
deactivate_locked_super(s);
return ERR_PTR(error);
}
--- a/fs/btrfs/volumes.c 2022-03-04 12:04:04.955810600 +0800
+++ b/fs/btrfs/volumes.c 2022-03-04 12:57:48.406739400 +0800
@@ -1105,6 +1105,20 @@ void btrfs_free_extra_devids(struct btrf
mutex_unlock(&uuid_mutex);
}
+int btrfs_invalidate_bdev(struct btrfs_fs_devices *fs_devices)
+{
+ int err = -ENODEV;
+
+ mutex_lock(&uuid_mutex);
+ if (fs_devices->latest_dev &&
+ fs_devices->latest_dev->bdev) {
+ err = 0;
+ invalidate_bdev(fs_devices->latest_dev->bdev);
+ }
+ mutex_unlock(&uuid_mutex);
+ return err;
+}
+
static void btrfs_close_bdev(struct btrfs_device *device)
{
if (!device->bdev)
diff -pur a/fs/btrfs/volumes.h b/fs/btrfs/volumes.h
--- a/fs/btrfs/volumes.h 2022-03-04 12:04:04.977142800 +0800
+++ b/fs/btrfs/volumes.h 2022-03-04 12:58:19.290341100 +0800
@@ -508,6 +508,7 @@ struct btrfs_device *btrfs_scan_one_devi
int btrfs_forget_devices(const char *path);
void btrfs_close_devices(struct btrfs_fs_devices *fs_devices);
void btrfs_free_extra_devids(struct btrfs_fs_devices *fs_devices);
+int btrfs_invalidate_bdev(struct btrfs_fs_devices *fs_devices);
void btrfs_assign_next_active_device(struct btrfs_device *device,
struct btrfs_device *this_dev);
struct btrfs_device *btrfs_find_device_by_devspec(struct btrfs_fs_info *fs_info,
--
syzbot
Mar 4, 2022, 12:40:13 AM3/4/22
to anand...@oracle.com, dst...@suse.com, hda...@sina.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in btrfs_iget
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault, probably for non-canonical address 0xdffffc000000003e: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x00000000000001f0-0x00000000000001f7]
CPU: 0 PID: 3975 Comm: syz-executor324 Not tainted 5.17.0-rc5-syzkaller-00306-g2293be58d6a1-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
RIP: 0010:btrfs_inode_hash fs/btrfs/btrfs_inode.h:258 [inline]
RIP: 0010:btrfs_iget_locked fs/btrfs/inode.c:5503 [inline]
RIP: 0010:btrfs_iget_path fs/btrfs/inode.c:5525 [inline]
RIP: 0010:btrfs_iget+0x7a/0x210 fs/btrfs/inode.c:5554
Code: f3 65 48 8b 04 25 28 00 00 00 48 89 44 24 58 31 c0 e8 3a 5f 33 fe 49 8d be f7 01 00 00 48 89 f8 48 89 fe 48 c1 e8 03 83 e6 07 <42> 0f b6 14 20 49 8d 86 fe 01 00 00 48 89 c1 48 c1 e9 03 42 0f b6
RSP: 0018:ffffc900029ef940 EFLAGS: 00010202
RAX: 000000000000003e RBX: 1ffff9200053df28 RCX: 0000000000000000
RDX: ffff88801c40e2c0 RSI: 0000000000000007 RDI: 00000000000001f7
RBP: ffff888023dce000 R08: 0000000000000000 R09: ffffc900029ef6f7
R10: ffffffff8912a851 R11: 0000000000000001 R12: dffffc0000000000
R13: 0000000000000100 R14: 0000000000000000 R15: 0000000000000000
FS: 00007fec6fcc0700(0000) GS:ffff88802ca00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000563567f04618 CR3: 0000000026c41000 CR4: 0000000000150ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
btrfs_fill_super fs/btrfs/super.c:1364 [inline]
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
btrfs_mount_root.cold+0x93/0x1a2 fs/btrfs/super.c:1726
legacy_get_tree+0x105/0x220 fs/fs_context.c:610
vfs_get_tree+0x89/0x2f0 fs/super.c:1497
fc_mount fs/namespace.c:1030 [inline]
vfs_kern_mount.part.0+0xd3/0x170 fs/namespace.c:1060
vfs_kern_mount+0x3c/0x60 fs/namespace.c:1047
btrfs_mount+0x234/0xa60 fs/btrfs/super.c:1788
legacy_get_tree+0x105/0x220 fs/fs_context.c:610
vfs_get_tree+0x89/0x2f0 fs/super.c:1497
do_new_mount fs/namespace.c:3024 [inline]
path_mount+0x1320/0x1fa0 fs/namespace.c:3354
do_mount fs/namespace.c:3367 [inline]
__do_sys_mount fs/namespace.c:3575 [inline]
__se_sys_mount fs/namespace.c:3552 [inline]
__x64_sys_mount+0x27f/0x300 fs/namespace.c:3552
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fec6fd142a9
vfs_get_tree+0x89/0x2f0 fs/super.c:1497
fc_mount fs/namespace.c:1030 [inline]
vfs_kern_mount.part.0+0xd3/0x170 fs/namespace.c:1060
vfs_kern_mount+0x3c/0x60 fs/namespace.c:1047
btrfs_mount+0x234/0xa60 fs/btrfs/super.c:1788
legacy_get_tree+0x105/0x220 fs/fs_context.c:610
vfs_get_tree+0x89/0x2f0 fs/super.c:1497
do_new_mount fs/namespace.c:3024 [inline]
path_mount+0x1320/0x1fa0 fs/namespace.c:3354
do_mount fs/namespace.c:3367 [inline]
__do_sys_mount fs/namespace.c:3575 [inline]
__se_sys_mount fs/namespace.c:3552 [inline]
__x64_sys_mount+0x27f/0x300 fs/namespace.c:3552
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fec6fcc02f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007fec6fd993e0 RCX: 00007fec6fd142a9
RDX: 0000000020000140 RSI: 0000000020000100 RDI: 0000000020000080
RBP: 0030656c69662f2e R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000003 R11: 0000000000000246 R12: 00007fec6fd65478
RBP: 0030656c69662f2e R08: 0000000000000000 R09: 0000000000000000
R13: 00007fec6fd651f0 R14: 00007fec6fd650a8 R15: 00007fec6fd993e8
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:btrfs_inode_hash fs/btrfs/btrfs_inode.h:258 [inline]
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:btrfs_iget_locked fs/btrfs/inode.c:5503 [inline]
RIP: 0010:btrfs_iget_path fs/btrfs/inode.c:5525 [inline]
RIP: 0010:btrfs_iget+0x7a/0x210 fs/btrfs/inode.c:5554
Code: f3 65 48 8b 04 25 28 00 00 00 48 89 44 24 58 31 c0 e8 3a 5f 33 fe 49 8d be f7 01 00 00 48 89 f8 48 89 fe 48 c1 e8 03 83 e6 07 <42> 0f b6 14 20 49 8d 86 fe 01 00 00 48 89 c1 48 c1 e9 03 42 0f b6
RSP: 0018:ffffc900029ef940 EFLAGS: 00010202
RAX: 000000000000003e RBX: 1ffff9200053df28 RCX: 0000000000000000
RDX: ffff88801c40e2c0 RSI: 0000000000000007 RDI: 00000000000001f7
RBP: ffff888023dce000 R08: 0000000000000000 R09: ffffc900029ef6f7
R10: ffffffff8912a851 R11: 0000000000000001 R12: dffffc0000000000
R13: 0000000000000100 R14: 0000000000000000 R15: 0000000000000000
FS: 00007fec6fcc0700(0000) GS:ffff88802ca00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000563567f04618 CR3: 0000000026c41000 CR4: 0000000000150ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
0: f3 65 48 8b 04 25 28 repz mov %gs:0x28,%rax
7: 00 00 00
a: 48 89 44 24 58 mov %rax,0x58(%rsp)
f: 31 c0 xor %eax,%eax
11: e8 3a 5f 33 fe callq 0xfe335f50
16: 49 8d be f7 01 00 00 lea 0x1f7(%r14),%rdi
1d: 48 89 f8 mov %rdi,%rax
20: 48 89 fe mov %rdi,%rsi
23: 48 c1 e8 03 shr $0x3,%rax
27: 83 e6 07 and $0x7,%esi
* 2a: 42 0f b6 14 20 movzbl (%rax,%r12,1),%edx <-- trapping instruction
2f: 49 8d 86 fe 01 00 00 lea 0x1fe(%r14),%rax
36: 48 89 c1 mov %rax,%rcx
39: 48 c1 e9 03 shr $0x3,%rcx
3d: 42 rex.X
3e: 0f .byte 0xf
3f: b6 .byte 0xb6
Tested on:
commit: 2293be58 Merge tag 'trace-v5.17-rc4' of git://git.kern..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
kernel config: https://syzkaller.appspot.com/x/.config?x=5f28851401b410e5
dashboard link: https://syzkaller.appspot.com/bug?extid=82650a4e0ed38f218363
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=11de2ad6700000
dashboard link: https://syzkaller.appspot.com/bug?extid=82650a4e0ed38f218363
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
Hillf Danton
Mar 4, 2022, 6:49:20 AM3/4/22
to syzbot, anand...@oracle.com, dst...@suse.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On Thu, 03 Mar 2022 21:40:12 -0800
Make fs_devices->fs_info stable through out its lifespan by waiting for
fs_devices to cut off link to fs_info when killing super.
diff -pur a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h
--- a/fs/btrfs/ctree.h 2022-03-04 18:35:29.677440700 +0800
+++ b/fs/btrfs/ctree.h 2022-03-04 18:40:13.673766400 +0800
@@ -851,6 +851,7 @@ struct btrfs_fs_info {
struct btrfs_fs_devices *fs_devices;
+ struct completion serialize_fs_devices;
/*
* The space_info list is effectively read only after initial
* setup. It is populated at mount time and cleaned up after
@@ -1667,6 +1667,7 @@ static struct dentry *btrfs_mount_root(s
error = -ENOMEM;
goto error_sec_opts;
}
+ init_completion(&fs_info->serialize_fs_devices);
btrfs_init_fs_info(fs_info);
fs_info->super_copy = kzalloc(BTRFS_SUPER_INFO_SIZE, GFP_KERNEL);
@@ -2342,7 +2343,17 @@ static int btrfs_statfs(struct dentry *d
static void btrfs_kill_super(struct super_block *sb)
{
struct btrfs_fs_info *fs_info = btrfs_sb(sb);
+ bool wait = false;
+
kill_anon_super(sb);
+
+ mutex_lock(&uuid_mutex);
+ wait = fs_info->fs_devices &&
+ fs_info->fs_devices->fs_info == fs_info;
+ mutex_unlock(&uuid_mutex);
+ if (wait)
+ wait_for_completion(&fs_info->serialize_fs_devices);
+
btrfs_free_fs_info(fs_info);
@@ -1191,17 +1191,23 @@ void btrfs_close_devices(struct btrfs_fs
{
LIST_HEAD(list);
struct btrfs_fs_devices *tmp;
+ struct btrfs_fs_info *fs_info;
mutex_lock(&uuid_mutex);
+ fs_info = fs_devices->fs_info;
close_fs_devices(fs_devices);
if (!fs_devices->opened)
list_splice_init(&fs_devices->seed_list, &list);
+ else
+ fs_info = NULL;
list_for_each_entry_safe(fs_devices, tmp, &list, seed_list) {
close_fs_devices(fs_devices);
list_del(&fs_devices->seed_list);
free_fs_devices(fs_devices);
}
+ if (fs_info)
+ complete(&fs_info->serialize_fs_devices);
mutex_unlock(&uuid_mutex);
}
--
fs_devices to cut off link to fs_info when killing super.
diff -pur a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h
--- a/fs/btrfs/ctree.h 2022-03-04 18:35:29.677440700 +0800
+++ b/fs/btrfs/ctree.h 2022-03-04 18:40:13.673766400 +0800
@@ -851,6 +851,7 @@ struct btrfs_fs_info {
struct btrfs_fs_devices *fs_devices;
+ struct completion serialize_fs_devices;
/*
* The space_info list is effectively read only after initial
* setup. It is populated at mount time and cleaned up after
diff -pur a/fs/btrfs/super.c b/fs/btrfs/super.c
--- a/fs/btrfs/super.c 2022-03-04 11:59:09.105853000 +0800
+++ b/fs/btrfs/super.c 2022-03-04 19:00:49.983897700 +0800
--- a/fs/btrfs/super.c 2022-03-04 11:59:09.105853000 +0800
@@ -1667,6 +1667,7 @@ static struct dentry *btrfs_mount_root(s
error = -ENOMEM;
goto error_sec_opts;
}
+ init_completion(&fs_info->serialize_fs_devices);
btrfs_init_fs_info(fs_info);
fs_info->super_copy = kzalloc(BTRFS_SUPER_INFO_SIZE, GFP_KERNEL);
@@ -2342,7 +2343,17 @@ static int btrfs_statfs(struct dentry *d
static void btrfs_kill_super(struct super_block *sb)
{
struct btrfs_fs_info *fs_info = btrfs_sb(sb);
+ bool wait = false;
+
kill_anon_super(sb);
+
+ mutex_lock(&uuid_mutex);
+ wait = fs_info->fs_devices &&
+ fs_info->fs_devices->fs_info == fs_info;
+ mutex_unlock(&uuid_mutex);
+ if (wait)
+ wait_for_completion(&fs_info->serialize_fs_devices);
+
btrfs_free_fs_info(fs_info);
}
diff -pur a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
--- a/fs/btrfs/volumes.c 2022-03-04 12:04:04.955810600 +0800
+++ b/fs/btrfs/volumes.c 2022-03-04 19:37:28.783612100 +0800
diff -pur a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
--- a/fs/btrfs/volumes.c 2022-03-04 12:04:04.955810600 +0800
@@ -1191,17 +1191,23 @@ void btrfs_close_devices(struct btrfs_fs
{
LIST_HEAD(list);
struct btrfs_fs_devices *tmp;
+ struct btrfs_fs_info *fs_info;
mutex_lock(&uuid_mutex);
+ fs_info = fs_devices->fs_info;
close_fs_devices(fs_devices);
if (!fs_devices->opened)
list_splice_init(&fs_devices->seed_list, &list);
+ else
+ fs_info = NULL;
list_for_each_entry_safe(fs_devices, tmp, &list, seed_list) {
close_fs_devices(fs_devices);
list_del(&fs_devices->seed_list);
free_fs_devices(fs_devices);
}
+ if (fs_info)
+ complete(&fs_info->serialize_fs_devices);
mutex_unlock(&uuid_mutex);
}
--
syzbot
Mar 4, 2022, 7:09:08 AM3/4/22
to anand...@oracle.com, dst...@suse.com, hda...@sina.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+82650a...@syzkaller.appspotmail.com
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: syzbot+82650a...@syzkaller.appspotmail.com
Tested on:
commit: 2293be58 Merge tag 'trace-v5.17-rc4' of git://git.kern..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
commit: 2293be58 Merge tag 'trace-v5.17-rc4' of git://git.kern..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
kernel config: https://syzkaller.appspot.com/x/.config?x=5f28851401b410e5
dashboard link: https://syzkaller.appspot.com/bug?extid=82650a4e0ed38f218363
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=1723b521700000
dashboard link: https://syzkaller.appspot.com/bug?extid=82650a4e0ed38f218363
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
Hillf Danton
Mar 4, 2022, 6:43:34 PM3/4/22
to Anand Jain, syzbot, dst...@suse.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hey Anand,
Wonder why a commit id helps fix the uaf reported. The diff was prepared
for syzbot reproducer with misc-next ignored in bid to avoid complication
like the difference in commits between the fix and report.
Hillf
for syzbot reproducer with misc-next ignored in bid to avoid complication
like the difference in commits between the fix and report.
Hillf
Reply all
Reply to author
Forward
0 new messages