[syzbot] [ocfs2?] KASAN: slab-use-after-free Read in ocfs2_lock_global_qf
14 views
Skip to first unread message
syzbot
Nov 11, 2024, 4:46:27āÆAM11/11/24
to jl...@evilplan.org, jose...@linux.alibaba.com, linux-...@vger.kernel.org, ma...@fasheh.com, ocfs2...@lists.linux.dev, syzkall...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: c2ee9f594da8 KVM: selftests: Fix build on on non-x86 archi..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17bfcc30580000
kernel config: https://syzkaller.appspot.com/x/.config?x=41330fd2db03893d
dashboard link: https://syzkaller.appspot.com/bug?extid=d173bf8a5a7faeede34c
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/d116f71ad0eb/disk-c2ee9f59.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/bdd6f545b105/vmlinux-c2ee9f59.xz
kernel image: https://storage.googleapis.com/syzbot-assets/0d26b05e3d7c/bzImage-c2ee9f59.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d173bf...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-use-after-free in ocfs2_lock_global_qf+0xb8/0x2b0 fs/ocfs2/quota_global.c:303
Read of size 8 at addr ffff88805fc78028 by task syz.3.122/6441
CPU: 1 UID: 0 PID: 6441 Comm: syz.3.122 Not tainted 6.12.0-rc4-syzkaller-00047-gc2ee9f594da8 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
ocfs2_lock_global_qf+0xb8/0x2b0 fs/ocfs2/quota_global.c:303
ocfs2_get_next_id+0x233/0x760 fs/ocfs2/quota_global.c:900
dquot_get_next_dqblk+0x73/0x3a0 fs/quota/dquot.c:2701
quota_getnextquota+0x2c5/0x6c0 fs/quota/quota.c:250
__do_sys_quotactl fs/quota/quota.c:961 [inline]
__se_sys_quotactl+0x2c4/0xa30 fs/quota/quota.c:917
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f89ffd7dff9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f8a00b48038 EFLAGS: 00000246 ORIG_RAX: 00000000000000b3
RAX: ffffffffffffffda RBX: 00007f89fff35f80 RCX: 00007f89ffd7dff9
RDX: 0000000000000000 RSI: 0000000020000c80 RDI: ffffffff80000900
RBP: 00007f89ffdf0296 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f89fff35f80 R15: 00007fff22979a58
</TASK>
Allocated by task 6441:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:257 [inline]
__kmalloc_cache_noprof+0x19c/0x2c0 mm/slub.c:4295
kmalloc_noprof include/linux/slab.h:878 [inline]
ocfs2_local_read_info+0x1ee/0x19f0 fs/ocfs2/quota_local.c:699
dquot_load_quota_sb+0x762/0xbb0 fs/quota/dquot.c:2458
dquot_load_quota_inode+0x320/0x600 fs/quota/dquot.c:2495
ocfs2_enable_quotas+0x169/0x450 fs/ocfs2/super.c:926
ocfs2_fill_super+0x4c8d/0x5750 fs/ocfs2/super.c:1141
mount_bdev+0x20a/0x2d0 fs/super.c:1679
legacy_get_tree+0xee/0x190 fs/fs_context.c:662
vfs_get_tree+0x90/0x2b0 fs/super.c:1800
do_new_mount+0x2be/0xb40 fs/namespace.c:3507
do_mount fs/namespace.c:3847 [inline]
__do_sys_mount fs/namespace.c:4057 [inline]
__se_sys_mount+0x2d6/0x3c0 fs/namespace.c:4034
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 6441:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:2342 [inline]
slab_free mm/slub.c:4579 [inline]
kfree+0x1a0/0x440 mm/slub.c:4727
ocfs2_local_free_info+0x81f/0x9a0 fs/ocfs2/quota_local.c:869
dquot_disable+0x1160/0x1cd0 fs/quota/dquot.c:2303
dquot_suspend include/linux/quotaops.h:85 [inline]
ocfs2_susp_quotas+0x16c/0x340 fs/ocfs2/super.c:892
ocfs2_remount+0x576/0xc30 fs/ocfs2/super.c:647
reconfigure_super+0x445/0x880 fs/super.c:1083
do_remount fs/namespace.c:3047 [inline]
path_mount+0xc22/0xfa0 fs/namespace.c:3826
do_mount fs/namespace.c:3847 [inline]
__do_sys_mount fs/namespace.c:4057 [inline]
__se_sys_mount+0x2d6/0x3c0 fs/namespace.c:4034
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff88805fc78000
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 40 bytes inside of
freed 1024-byte region [ffff88805fc78000, ffff88805fc78400)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5fc78
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801ac41dc0 ffffea0001e51c00 dead000000000002
raw: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000
head: 00fff00000000040 ffff88801ac41dc0 ffffea0001e51c00 dead000000000002
head: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000
head: 00fff00000000003 ffffea00017f1e01 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5289, tgid 5289 (kworker/u8:8), ts 91435154744, free_ts 91399801248
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0x3039/0x3180 mm/page_alloc.c:3457
__alloc_pages_noprof+0x292/0x710 mm/page_alloc.c:4733
alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265
alloc_slab_page+0x6a/0x120 mm/slub.c:2412
allocate_slab+0x5a/0x2f0 mm/slub.c:2578
new_slab mm/slub.c:2631 [inline]
___slab_alloc+0xcd1/0x14b0 mm/slub.c:3818
__slab_alloc+0x58/0xa0 mm/slub.c:3908
__slab_alloc_node mm/slub.c:3961 [inline]
slab_alloc_node mm/slub.c:4122 [inline]
__do_kmalloc_node mm/slub.c:4263 [inline]
__kmalloc_noprof+0x25a/0x400 mm/slub.c:4276
kmalloc_noprof include/linux/slab.h:882 [inline]
kzalloc_noprof include/linux/slab.h:1014 [inline]
ieee802_11_parse_elems_full+0xdb/0x2880 net/mac80211/parse.c:958
ieee802_11_parse_elems_crc net/mac80211/ieee80211_i.h:2383 [inline]
ieee802_11_parse_elems net/mac80211/ieee80211_i.h:2390 [inline]
ieee80211_rx_mgmt_probe_beacon net/mac80211/ibss.c:1575 [inline]
ieee80211_ibss_rx_queued_mgmt+0x4c8/0x2d70 net/mac80211/ibss.c:1606
ieee80211_iface_process_skb net/mac80211/iface.c:1603 [inline]
ieee80211_iface_work+0x8a5/0xf20 net/mac80211/iface.c:1657
cfg80211_wiphy_work+0x2db/0x490 net/wireless/core.c:440
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f0/0x390 kernel/kthread.c:389
page last free pid 5574 tgid 5574 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1108 [inline]
free_unref_page+0xcd0/0xf00 mm/page_alloc.c:2638
discard_slab mm/slub.c:2677 [inline]
__put_partials+0xeb/0x130 mm/slub.c:3145
put_cpu_partial+0x17c/0x250 mm/slub.c:3220
__slab_free+0x2ea/0x3d0 mm/slub.c:4449
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x9a/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:247 [inline]
slab_post_alloc_hook mm/slub.c:4085 [inline]
slab_alloc_node mm/slub.c:4134 [inline]
kmem_cache_alloc_noprof+0x135/0x2a0 mm/slub.c:4141
getname_flags+0xb7/0x540 fs/namei.c:139
user_path_at+0x24/0x60 fs/namei.c:3015
do_faccessat+0x5e2/0xb80 fs/open.c:493
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff88805fc77f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88805fc77f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88805fc78000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88805fc78080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88805fc78100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: c2ee9f594da8 KVM: selftests: Fix build on on non-x86 archi..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17bfcc30580000
kernel config: https://syzkaller.appspot.com/x/.config?x=41330fd2db03893d
dashboard link: https://syzkaller.appspot.com/bug?extid=d173bf8a5a7faeede34c
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/d116f71ad0eb/disk-c2ee9f59.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/bdd6f545b105/vmlinux-c2ee9f59.xz
kernel image: https://storage.googleapis.com/syzbot-assets/0d26b05e3d7c/bzImage-c2ee9f59.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d173bf...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-use-after-free in ocfs2_lock_global_qf+0xb8/0x2b0 fs/ocfs2/quota_global.c:303
Read of size 8 at addr ffff88805fc78028 by task syz.3.122/6441
CPU: 1 UID: 0 PID: 6441 Comm: syz.3.122 Not tainted 6.12.0-rc4-syzkaller-00047-gc2ee9f594da8 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
ocfs2_lock_global_qf+0xb8/0x2b0 fs/ocfs2/quota_global.c:303
ocfs2_get_next_id+0x233/0x760 fs/ocfs2/quota_global.c:900
dquot_get_next_dqblk+0x73/0x3a0 fs/quota/dquot.c:2701
quota_getnextquota+0x2c5/0x6c0 fs/quota/quota.c:250
__do_sys_quotactl fs/quota/quota.c:961 [inline]
__se_sys_quotactl+0x2c4/0xa30 fs/quota/quota.c:917
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f89ffd7dff9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f8a00b48038 EFLAGS: 00000246 ORIG_RAX: 00000000000000b3
RAX: ffffffffffffffda RBX: 00007f89fff35f80 RCX: 00007f89ffd7dff9
RDX: 0000000000000000 RSI: 0000000020000c80 RDI: ffffffff80000900
RBP: 00007f89ffdf0296 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f89fff35f80 R15: 00007fff22979a58
</TASK>
Allocated by task 6441:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:257 [inline]
__kmalloc_cache_noprof+0x19c/0x2c0 mm/slub.c:4295
kmalloc_noprof include/linux/slab.h:878 [inline]
ocfs2_local_read_info+0x1ee/0x19f0 fs/ocfs2/quota_local.c:699
dquot_load_quota_sb+0x762/0xbb0 fs/quota/dquot.c:2458
dquot_load_quota_inode+0x320/0x600 fs/quota/dquot.c:2495
ocfs2_enable_quotas+0x169/0x450 fs/ocfs2/super.c:926
ocfs2_fill_super+0x4c8d/0x5750 fs/ocfs2/super.c:1141
mount_bdev+0x20a/0x2d0 fs/super.c:1679
legacy_get_tree+0xee/0x190 fs/fs_context.c:662
vfs_get_tree+0x90/0x2b0 fs/super.c:1800
do_new_mount+0x2be/0xb40 fs/namespace.c:3507
do_mount fs/namespace.c:3847 [inline]
__do_sys_mount fs/namespace.c:4057 [inline]
__se_sys_mount+0x2d6/0x3c0 fs/namespace.c:4034
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 6441:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:2342 [inline]
slab_free mm/slub.c:4579 [inline]
kfree+0x1a0/0x440 mm/slub.c:4727
ocfs2_local_free_info+0x81f/0x9a0 fs/ocfs2/quota_local.c:869
dquot_disable+0x1160/0x1cd0 fs/quota/dquot.c:2303
dquot_suspend include/linux/quotaops.h:85 [inline]
ocfs2_susp_quotas+0x16c/0x340 fs/ocfs2/super.c:892
ocfs2_remount+0x576/0xc30 fs/ocfs2/super.c:647
reconfigure_super+0x445/0x880 fs/super.c:1083
do_remount fs/namespace.c:3047 [inline]
path_mount+0xc22/0xfa0 fs/namespace.c:3826
do_mount fs/namespace.c:3847 [inline]
__do_sys_mount fs/namespace.c:4057 [inline]
__se_sys_mount+0x2d6/0x3c0 fs/namespace.c:4034
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff88805fc78000
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 40 bytes inside of
freed 1024-byte region [ffff88805fc78000, ffff88805fc78400)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5fc78
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801ac41dc0 ffffea0001e51c00 dead000000000002
raw: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000
head: 00fff00000000040 ffff88801ac41dc0 ffffea0001e51c00 dead000000000002
head: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000
head: 00fff00000000003 ffffea00017f1e01 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5289, tgid 5289 (kworker/u8:8), ts 91435154744, free_ts 91399801248
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0x3039/0x3180 mm/page_alloc.c:3457
__alloc_pages_noprof+0x292/0x710 mm/page_alloc.c:4733
alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265
alloc_slab_page+0x6a/0x120 mm/slub.c:2412
allocate_slab+0x5a/0x2f0 mm/slub.c:2578
new_slab mm/slub.c:2631 [inline]
___slab_alloc+0xcd1/0x14b0 mm/slub.c:3818
__slab_alloc+0x58/0xa0 mm/slub.c:3908
__slab_alloc_node mm/slub.c:3961 [inline]
slab_alloc_node mm/slub.c:4122 [inline]
__do_kmalloc_node mm/slub.c:4263 [inline]
__kmalloc_noprof+0x25a/0x400 mm/slub.c:4276
kmalloc_noprof include/linux/slab.h:882 [inline]
kzalloc_noprof include/linux/slab.h:1014 [inline]
ieee802_11_parse_elems_full+0xdb/0x2880 net/mac80211/parse.c:958
ieee802_11_parse_elems_crc net/mac80211/ieee80211_i.h:2383 [inline]
ieee802_11_parse_elems net/mac80211/ieee80211_i.h:2390 [inline]
ieee80211_rx_mgmt_probe_beacon net/mac80211/ibss.c:1575 [inline]
ieee80211_ibss_rx_queued_mgmt+0x4c8/0x2d70 net/mac80211/ibss.c:1606
ieee80211_iface_process_skb net/mac80211/iface.c:1603 [inline]
ieee80211_iface_work+0x8a5/0xf20 net/mac80211/iface.c:1657
cfg80211_wiphy_work+0x2db/0x490 net/wireless/core.c:440
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f0/0x390 kernel/kthread.c:389
page last free pid 5574 tgid 5574 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1108 [inline]
free_unref_page+0xcd0/0xf00 mm/page_alloc.c:2638
discard_slab mm/slub.c:2677 [inline]
__put_partials+0xeb/0x130 mm/slub.c:3145
put_cpu_partial+0x17c/0x250 mm/slub.c:3220
__slab_free+0x2ea/0x3d0 mm/slub.c:4449
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x9a/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:247 [inline]
slab_post_alloc_hook mm/slub.c:4085 [inline]
slab_alloc_node mm/slub.c:4134 [inline]
kmem_cache_alloc_noprof+0x135/0x2a0 mm/slub.c:4141
getname_flags+0xb7/0x540 fs/namei.c:139
user_path_at+0x24/0x60 fs/namei.c:3015
do_faccessat+0x5e2/0xb80 fs/open.c:493
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff88805fc77f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88805fc77f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88805fc78000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88805fc78080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88805fc78100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
Dec 10, 2024, 2:13:26āÆAM12/10/24
to jl...@evilplan.org, jose...@linux.alibaba.com, linux-...@vger.kernel.org, ma...@fasheh.com, ocfs2...@lists.linux.dev, syzkall...@googlegroups.com
syzbot has found a reproducer for the following issue on:
HEAD commit: 7cb1b4663150 Merge tag 'locking_urgent_for_v6.13_rc3' of g..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=15a034df980000
kernel config: https://syzkaller.appspot.com/x/.config?x=c7c9f223bfe8924e
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=179853e8580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/a883190d5c75/disk-7cb1b466.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/238e5eeeb128/vmlinux-7cb1b466.xz
kernel image: https://storage.googleapis.com/syzbot-assets/8bc8850a6795/bzImage-7cb1b466.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/ac761c5756ee/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d173bf...@syzkaller.appspotmail.com
(syz-executor353,5820,1):ocfs2_block_check_validate:402 ERROR: CRC32 failed: stored: 0xcfdff595, computed 0xefed4a20. Applying ECC.
JBD2: Ignoring recovery information on journal
ocfs2: Mounting device (7,0) on (node local, slot 0) with ordered data mode.
CPU: 0 UID: 0 PID: 5820 Comm: syz-executor353 Not tainted 6.13.0-rc2-syzkaller-00018-g7cb1b4663150 #0
print_report+0x169/0x550 mm/kasan/report.c:489
kasan_report+0x143/0x180 mm/kasan/report.c:602
ocfs2_lock_global_qf+0xb8/0x2b0 fs/ocfs2/quota_global.c:303
ocfs2_get_next_id+0x22c/0x740 fs/ocfs2/quota_global.c:900
dquot_get_next_dqblk+0x73/0x3a0 fs/quota/dquot.c:2702
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe711e58a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000b3
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f3d54632b99
RDX: 0000000000000000 RSI: 00000000200001c0 RDI: ffffffff80000900
RBP: 00007f3d546aa5f0 R08: 0000000020000c40 R09: 000055556b9fb4c0
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe711e58d0
R13: 00007ffe711e5af8 R14: 431bde82d7b634db R15: 00007f3d5467b03b
</TASK>
Allocated by task 5820:
__kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4314
kmalloc_noprof include/linux/slab.h:901 [inline]
ocfs2_local_read_info+0x1ee/0x19f0 fs/ocfs2/quota_local.c:699
dquot_load_quota_sb+0x762/0xbb0 fs/quota/dquot.c:2459
dquot_load_quota_inode+0x320/0x600 fs/quota/dquot.c:2496
ocfs2_enable_quotas+0x169/0x450 fs/ocfs2/super.c:926
ocfs2_fill_super+0x4ca1/0x5760 fs/ocfs2/super.c:1141
mount_bdev+0x20a/0x2d0 fs/super.c:1693
legacy_get_tree+0xee/0x190 fs/fs_context.c:662
vfs_get_tree+0x90/0x2b0 fs/super.c:1814
slab_free_hook mm/slub.c:2338 [inline]
slab_free mm/slub.c:4598 [inline]
kfree+0x196/0x430 mm/slub.c:4746
ocfs2_local_free_info+0x81f/0x9a0 fs/ocfs2/quota_local.c:869
dquot_disable+0x1160/0x1cd0 fs/quota/dquot.c:2304
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x35460
raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000
head: 00fff00000000040 ffff88801ac41dc0 ffffea000533c600 0000000000000002
head: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000
head: 00fff00000000003 ffffea0000d51801 ffffffffffffffff 0000000000000000
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1556
prep_new_page mm/page_alloc.c:1564 [inline]
get_page_from_freelist+0x3651/0x37a0 mm/page_alloc.c:3474
__alloc_pages_noprof+0x292/0x710 mm/page_alloc.c:4751
alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2269
alloc_slab_page+0x6a/0x110 mm/slub.c:2408
allocate_slab+0x5a/0x2b0 mm/slub.c:2574
new_slab mm/slub.c:2627 [inline]
___slab_alloc+0xc27/0x14a0 mm/slub.c:3815
__slab_alloc+0x58/0xa0 mm/slub.c:3905
__slab_alloc_node mm/slub.c:3980 [inline]
slab_alloc_node mm/slub.c:4141 [inline]
__do_kmalloc_node mm/slub.c:4282 [inline]
__kmalloc_noprof+0x2e6/0x4c0 mm/slub.c:4295
kmalloc_noprof include/linux/slab.h:905 [inline]
kzalloc_noprof include/linux/slab.h:1037 [inline]
tomoyo_init_log+0x1b3d/0x2050 security/tomoyo/audit.c:275
tomoyo_supervisor+0x38a/0x11f0 security/tomoyo/common.c:2089
tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline]
tomoyo_env_perm+0x178/0x210 security/tomoyo/environ.c:63
tomoyo_environ security/tomoyo/domain.c:672 [inline]
tomoyo_find_next_domain+0x146e/0x1d40 security/tomoyo/domain.c:881
tomoyo_bprm_check_security+0x117/0x180 security/tomoyo/tomoyo.c:102
security_bprm_check+0x86/0x250 security/security.c:1296
search_binary_handler fs/exec.c:1736 [inline]
exec_binprm fs/exec.c:1790 [inline]
bprm_execve+0xa53/0x17a0 fs/exec.c:1842
page last free pid 5485 tgid 5485 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1127 [inline]
free_unref_page+0xd2c/0x1000 mm/page_alloc.c:2657
discard_slab mm/slub.c:2673 [inline]
__put_partials+0x160/0x1c0 mm/slub.c:3142
put_cpu_partial+0x17c/0x250 mm/slub.c:3217
__slab_free+0x290/0x380 mm/slub.c:4468
slab_post_alloc_hook mm/slub.c:4104 [inline]
slab_alloc_node mm/slub.c:4153 [inline]
__do_kmalloc_node mm/slub.c:4282 [inline]
__kmalloc_noprof+0x236/0x4c0 mm/slub.c:4295
kmalloc_noprof include/linux/slab.h:905 [inline]
tomoyo_add_entry security/tomoyo/common.c:2023 [inline]
tomoyo_supervisor+0xe0d/0x11f0 security/tomoyo/common.c:2095
tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline]
tomoyo_env_perm+0x178/0x210 security/tomoyo/environ.c:63
tomoyo_environ security/tomoyo/domain.c:672 [inline]
tomoyo_find_next_domain+0x146e/0x1d40 security/tomoyo/domain.c:881
tomoyo_bprm_check_security+0x117/0x180 security/tomoyo/tomoyo.c:102
security_bprm_check+0x86/0x250 security/security.c:1296
search_binary_handler fs/exec.c:1736 [inline]
exec_binprm fs/exec.c:1790 [inline]
bprm_execve+0xa53/0x17a0 fs/exec.c:1842
do_execveat_common+0x55f/0x6f0 fs/exec.c:1949
do_execve fs/exec.c:2023 [inline]
__do_sys_execve fs/exec.c:2099 [inline]
__se_sys_execve fs/exec.c:2094 [inline]
__x64_sys_execve+0x92/0xb0 fs/exec.c:2094
Memory state around the buggy address:
ffff888035460f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888035460f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888035461000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888035461080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888035461100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
HEAD commit: 7cb1b4663150 Merge tag 'locking_urgent_for_v6.13_rc3' of g..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=15a034df980000
kernel config: https://syzkaller.appspot.com/x/.config?x=c7c9f223bfe8924e
dashboard link: https://syzkaller.appspot.com/bug?extid=d173bf8a5a7faeede34c
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11e0eb30580000
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=179853e8580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/a883190d5c75/disk-7cb1b466.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/238e5eeeb128/vmlinux-7cb1b466.xz
kernel image: https://storage.googleapis.com/syzbot-assets/8bc8850a6795/bzImage-7cb1b466.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/ac761c5756ee/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d173bf...@syzkaller.appspotmail.com
JBD2: Ignoring recovery information on journal
ocfs2: Mounting device (7,0) on (node local, slot 0) with ordered data mode.
==================================================================
BUG: KASAN: slab-use-after-free in ocfs2_lock_global_qf+0xb8/0x2b0 fs/ocfs2/quota_global.c:303
Read of size 8 at addr ffff888035461028 by task syz-executor353/5820
BUG: KASAN: slab-use-after-free in ocfs2_lock_global_qf+0xb8/0x2b0 fs/ocfs2/quota_global.c:303
CPU: 0 UID: 0 PID: 5820 Comm: syz-executor353 Not tainted 6.13.0-rc2-syzkaller-00018-g7cb1b4663150 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_report+0x169/0x550 mm/kasan/report.c:489
kasan_report+0x143/0x180 mm/kasan/report.c:602
ocfs2_lock_global_qf+0xb8/0x2b0 fs/ocfs2/quota_global.c:303
ocfs2_get_next_id+0x22c/0x740 fs/ocfs2/quota_global.c:900
dquot_get_next_dqblk+0x73/0x3a0 fs/quota/dquot.c:2702
quota_getnextquota+0x2c5/0x6c0 fs/quota/quota.c:250
__do_sys_quotactl fs/quota/quota.c:961 [inline]
__se_sys_quotactl+0x2c4/0xa30 fs/quota/quota.c:917
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f3d54632b99
__do_sys_quotactl fs/quota/quota.c:961 [inline]
__se_sys_quotactl+0x2c4/0xa30 fs/quota/quota.c:917
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe711e58a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000b3
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f3d54632b99
RDX: 0000000000000000 RSI: 00000000200001c0 RDI: ffffffff80000900
RBP: 00007f3d546aa5f0 R08: 0000000020000c40 R09: 000055556b9fb4c0
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe711e58d0
R13: 00007ffe711e5af8 R14: 431bde82d7b634db R15: 00007f3d5467b03b
</TASK>
Allocated by task 5820:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
__kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4314
kmalloc_noprof include/linux/slab.h:901 [inline]
ocfs2_local_read_info+0x1ee/0x19f0 fs/ocfs2/quota_local.c:699
dquot_load_quota_sb+0x762/0xbb0 fs/quota/dquot.c:2459
dquot_load_quota_inode+0x320/0x600 fs/quota/dquot.c:2496
ocfs2_enable_quotas+0x169/0x450 fs/ocfs2/super.c:926
ocfs2_fill_super+0x4ca1/0x5760 fs/ocfs2/super.c:1141
mount_bdev+0x20a/0x2d0 fs/super.c:1693
legacy_get_tree+0xee/0x190 fs/fs_context.c:662
vfs_get_tree+0x90/0x2b0 fs/super.c:1814
do_new_mount+0x2be/0xb40 fs/namespace.c:3507
do_mount fs/namespace.c:3847 [inline]
__do_sys_mount fs/namespace.c:4057 [inline]
__se_sys_mount+0x2d6/0x3c0 fs/namespace.c:4034
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 5820:
do_mount fs/namespace.c:3847 [inline]
__do_sys_mount fs/namespace.c:4057 [inline]
__se_sys_mount+0x2d6/0x3c0 fs/namespace.c:4034
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
__kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
slab_free_hook mm/slub.c:2338 [inline]
slab_free mm/slub.c:4598 [inline]
kfree+0x196/0x430 mm/slub.c:4746
ocfs2_local_free_info+0x81f/0x9a0 fs/ocfs2/quota_local.c:869
dquot_disable+0x1160/0x1cd0 fs/quota/dquot.c:2304
dquot_suspend include/linux/quotaops.h:85 [inline]
ocfs2_susp_quotas+0x16c/0x340 fs/ocfs2/super.c:892
ocfs2_remount+0x576/0xc30 fs/ocfs2/super.c:647
reconfigure_super+0x43a/0x870 fs/super.c:1083
ocfs2_susp_quotas+0x16c/0x340 fs/ocfs2/super.c:892
ocfs2_remount+0x576/0xc30 fs/ocfs2/super.c:647
do_remount fs/namespace.c:3047 [inline]
path_mount+0xc22/0xfa0 fs/namespace.c:3826
do_mount fs/namespace.c:3847 [inline]
__do_sys_mount fs/namespace.c:4057 [inline]
__se_sys_mount+0x2d6/0x3c0 fs/namespace.c:4034
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff888035461000
path_mount+0xc22/0xfa0 fs/namespace.c:3826
do_mount fs/namespace.c:3847 [inline]
__do_sys_mount fs/namespace.c:4057 [inline]
__se_sys_mount+0x2d6/0x3c0 fs/namespace.c:4034
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 40 bytes inside of
freed 1024-byte region [ffff888035461000, ffff888035461400)
The buggy address is located 40 bytes inside of
The buggy address belongs to the physical page:
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801ac41dc0 ffffea000533c600 0000000000000002
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000
head: 00fff00000000040 ffff88801ac41dc0 ffffea000533c600 0000000000000002
head: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000
head: 00fff00000000003 ffffea0000d51801 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5485, tgid 5485 (S41dhcpcd), ts 36970568324, free_ts 36970094811
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1556
prep_new_page mm/page_alloc.c:1564 [inline]
get_page_from_freelist+0x3651/0x37a0 mm/page_alloc.c:3474
__alloc_pages_noprof+0x292/0x710 mm/page_alloc.c:4751
alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2269
alloc_slab_page+0x6a/0x110 mm/slub.c:2408
allocate_slab+0x5a/0x2b0 mm/slub.c:2574
new_slab mm/slub.c:2627 [inline]
___slab_alloc+0xc27/0x14a0 mm/slub.c:3815
__slab_alloc+0x58/0xa0 mm/slub.c:3905
__slab_alloc_node mm/slub.c:3980 [inline]
slab_alloc_node mm/slub.c:4141 [inline]
__do_kmalloc_node mm/slub.c:4282 [inline]
__kmalloc_noprof+0x2e6/0x4c0 mm/slub.c:4295
kmalloc_noprof include/linux/slab.h:905 [inline]
kzalloc_noprof include/linux/slab.h:1037 [inline]
tomoyo_init_log+0x1b3d/0x2050 security/tomoyo/audit.c:275
tomoyo_supervisor+0x38a/0x11f0 security/tomoyo/common.c:2089
tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline]
tomoyo_env_perm+0x178/0x210 security/tomoyo/environ.c:63
tomoyo_environ security/tomoyo/domain.c:672 [inline]
tomoyo_find_next_domain+0x146e/0x1d40 security/tomoyo/domain.c:881
tomoyo_bprm_check_security+0x117/0x180 security/tomoyo/tomoyo.c:102
security_bprm_check+0x86/0x250 security/security.c:1296
search_binary_handler fs/exec.c:1736 [inline]
exec_binprm fs/exec.c:1790 [inline]
bprm_execve+0xa53/0x17a0 fs/exec.c:1842
page last free pid 5485 tgid 5485 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1127 [inline]
free_unref_page+0xd2c/0x1000 mm/page_alloc.c:2657
discard_slab mm/slub.c:2673 [inline]
__put_partials+0x160/0x1c0 mm/slub.c:3142
put_cpu_partial+0x17c/0x250 mm/slub.c:3217
__slab_free+0x290/0x380 mm/slub.c:4468
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x9a/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:250 [inline]
qlist_free_all+0x9a/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:329
slab_post_alloc_hook mm/slub.c:4104 [inline]
slab_alloc_node mm/slub.c:4153 [inline]
__do_kmalloc_node mm/slub.c:4282 [inline]
__kmalloc_noprof+0x236/0x4c0 mm/slub.c:4295
kmalloc_noprof include/linux/slab.h:905 [inline]
tomoyo_add_entry security/tomoyo/common.c:2023 [inline]
tomoyo_supervisor+0xe0d/0x11f0 security/tomoyo/common.c:2095
tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline]
tomoyo_env_perm+0x178/0x210 security/tomoyo/environ.c:63
tomoyo_environ security/tomoyo/domain.c:672 [inline]
tomoyo_find_next_domain+0x146e/0x1d40 security/tomoyo/domain.c:881
tomoyo_bprm_check_security+0x117/0x180 security/tomoyo/tomoyo.c:102
security_bprm_check+0x86/0x250 security/security.c:1296
search_binary_handler fs/exec.c:1736 [inline]
exec_binprm fs/exec.c:1790 [inline]
bprm_execve+0xa53/0x17a0 fs/exec.c:1842
do_execveat_common+0x55f/0x6f0 fs/exec.c:1949
do_execve fs/exec.c:2023 [inline]
__do_sys_execve fs/exec.c:2099 [inline]
__se_sys_execve fs/exec.c:2094 [inline]
__x64_sys_execve+0x92/0xb0 fs/exec.c:2094
Memory state around the buggy address:
ffff888035460f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888035461000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888035461080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888035461100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
syzbot
Dec 14, 2024, 9:37:42āÆPM12/14/24
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: [PATCH] ocfs2: fix use-after-free due to dangling quota pointer and checking suspended flag
Author: dennis....@gmail.com
Signed-off-by: Dennis Lam <dennis....@gmail.com>
---
#syz test
fs/ocfs2/quota_global.c | 3 ++-
fs/ocfs2/quota_local.c | 1 +
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/fs/ocfs2/quota_global.c b/fs/ocfs2/quota_global.c
index 2b0daced98eb..c6d38340d6d4 100644
--- a/fs/ocfs2/quota_global.c
+++ b/fs/ocfs2/quota_global.c
@@ -893,7 +893,8 @@ static int ocfs2_get_next_id(struct super_block *sb, struct kqid *qid)
int status = 0;
trace_ocfs2_get_next_id(from_kqid(&init_user_ns, *qid), type);
- if (!sb_has_quota_loaded(sb, type)) {
+ if (!sb_has_quota_loaded(sb, type) ||
+ sb_dqopt(sb)->flags & DQUOT_SUSPENDED) {
status = -ESRCH;
goto out;
}
diff --git a/fs/ocfs2/quota_local.c b/fs/ocfs2/quota_local.c
index 73d3367c533b..2956d888c131 100644
--- a/fs/ocfs2/quota_local.c
+++ b/fs/ocfs2/quota_local.c
@@ -867,6 +867,7 @@ static int ocfs2_local_free_info(struct super_block *sb, int type)
brelse(oinfo->dqi_libh);
brelse(oinfo->dqi_lqi_bh);
kfree(oinfo);
+ info->dqi_priv = NULL;
return status;
}
--
2.47.0
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: [PATCH] ocfs2: fix use-after-free due to dangling quota pointer and checking suspended flag
Author: dennis....@gmail.com
Signed-off-by: Dennis Lam <dennis....@gmail.com>
---
#syz test
fs/ocfs2/quota_global.c | 3 ++-
fs/ocfs2/quota_local.c | 1 +
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/fs/ocfs2/quota_global.c b/fs/ocfs2/quota_global.c
index 2b0daced98eb..c6d38340d6d4 100644
--- a/fs/ocfs2/quota_global.c
+++ b/fs/ocfs2/quota_global.c
@@ -893,7 +893,8 @@ static int ocfs2_get_next_id(struct super_block *sb, struct kqid *qid)
int status = 0;
trace_ocfs2_get_next_id(from_kqid(&init_user_ns, *qid), type);
- if (!sb_has_quota_loaded(sb, type)) {
+ if (!sb_has_quota_loaded(sb, type) ||
+ sb_dqopt(sb)->flags & DQUOT_SUSPENDED) {
status = -ESRCH;
goto out;
}
diff --git a/fs/ocfs2/quota_local.c b/fs/ocfs2/quota_local.c
index 73d3367c533b..2956d888c131 100644
--- a/fs/ocfs2/quota_local.c
+++ b/fs/ocfs2/quota_local.c
@@ -867,6 +867,7 @@ static int ocfs2_local_free_info(struct super_block *sb, int type)
brelse(oinfo->dqi_libh);
brelse(oinfo->dqi_lqi_bh);
kfree(oinfo);
+ info->dqi_priv = NULL;
return status;
}
--
2.47.0
syzbot
Dec 14, 2024, 10:09:04āÆPM12/14/24
to dennis....@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+d173bf...@syzkaller.appspotmail.com
Tested-by: syzbot+d173bf...@syzkaller.appspotmail.com
Tested on:
commit: 2d8308bf Merge tag 'scsi-fixes' of git://git.kernel.or..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13226730580000
Note: testing is done by a robot and is best-effort only.
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+d173bf...@syzkaller.appspotmail.com
Tested-by: syzbot+d173bf...@syzkaller.appspotmail.com
Tested on:
commit: 2d8308bf Merge tag 'scsi-fixes' of git://git.kernel.or..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13226730580000
kernel config: https://syzkaller.appspot.com/x/.config?x=c7c9f223bfe8924e
dashboard link: https://syzkaller.appspot.com/bug?extid=d173bf8a5a7faeede34c
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=13c2fbe8580000
dashboard link: https://syzkaller.appspot.com/bug?extid=d173bf8a5a7faeede34c
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Note: testing is done by a robot and is best-effort only.
syzbot
Dec 17, 2024, 8:35:31āÆPM12/17/24
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: [PATCH v2] ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Author: dennis....@gmail.com
When mounting ocfs2 and then remounting it as read-only, a
slab-use-after-free occurs after the user uses a syscall to
quota_getnextquota. Specifically, sb_dqinfo(sb, type)->dqi_priv is the
dangling pointer.
During the remounting process, the pointer dqi_priv is freed but is
never set as null leaving it to to be accessed. Additionally, the
read-only option for remounting sets the DQUOT_SUSPENDED flag instead of
setting the DQUOT_USAGE_ENABLED flags. Moreover, later in the process of
getting the next quota, the function ocfs2_get_next_id is called and
only checks the quota usage flags and not the quota suspended flags.
To fix this, I set dqi_priv to null when it is freed after remounting
with read-only and put a check for DQUOT_SUSPENDED in ocfs2_get_next_id.
Signed-off-by: Dennis Lam <dennis....@gmail.com>
Reported-by: syzbot+d173bf...@syzkaller.appspotmail.com
Tested-by: syzbot+d173bf...@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/6731d26f.050a022...@google.com/T/
---
Changes in v2:
- replaced dquot suspended check with !sb_has_quota_active instead
- link to v1: https://lore.kernel.org/lkml/20241215035828.1069...@gmail.com/
#syz test
fs/ocfs2/quota_global.c | 2 +-
fs/ocfs2/quota_local.c | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/ocfs2/quota_global.c b/fs/ocfs2/quota_global.c
index 2b0daced98eb..096b799d60a0 100644
--- a/fs/ocfs2/quota_global.c
+++ b/fs/ocfs2/quota_global.c
@@ -893,7 +893,7 @@ static int ocfs2_get_next_id(struct super_block *sb, struct kqid *qid)
int status = 0;
trace_ocfs2_get_next_id(from_kqid(&init_user_ns, *qid), type);
- if (!sb_has_quota_loaded(sb, type)) {
+ if (!sb_has_quota_active(sb, type)){
trace_ocfs2_get_next_id(from_kqid(&init_user_ns, *qid), type);
- if (!sb_has_quota_loaded(sb, type)) {
syzbot
Dec 17, 2024, 9:24:04āÆPM12/17/24
to dennis....@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+d173bf...@syzkaller.appspotmail.com
Tested-by: syzbot+d173bf...@syzkaller.appspotmail.com
Tested on:
commit: aef25be3 hexagon: Disable constant extender optimizati..
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+d173bf...@syzkaller.appspotmail.com
Tested-by: syzbot+d173bf...@syzkaller.appspotmail.com
Tested on:
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=133d4b44580000
kernel config: https://syzkaller.appspot.com/x/.config?x=1234f097ee657d8b
dashboard link: https://syzkaller.appspot.com/bug?extid=d173bf8a5a7faeede34c
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=10a4d7e8580000
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Reply all
Reply to author
Forward
0 new messages