KASAN: use-after-free Read in nilfs_segctor_confirm
11 views
Skip to first unread message
syzbot
Nov 18, 2022, 9:16:37 AM11/18/22
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 3f8a27f9e27b Linux 4.19.211
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=120e4901880000
kernel config: https://syzkaller.appspot.com/x/.config?x=9b9277b418617afe
dashboard link: https://syzkaller.appspot.com/bug?extid=09ffbea3b5a1edc48817
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/98c0bdb4abb3/disk-3f8a27f9.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ea228ff02669/vmlinux-3f8a27f9.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+09ffbe...@syzkaller.appspotmail.com
NILFS (loop5): I/O error reading meta-data file (ino=6, block-offset=1)
attempt to access beyond end of device
loop5: rw=0, want=72057594037928010, limit=2048
NILFS (loop5): I/O error reading meta-data file (ino=6, block-offset=1)
==================================================================
BUG: KASAN: use-after-free in nilfs_segctor_confirm+0x15f/0x180 fs/nilfs2/segment.c:839
Read of size 8 at addr ffff888093df3870 by task syz-executor.5/8161
CPU: 0 PID: 8161 Comm: syz-executor.5 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
kasan_report mm/kasan/report.c:412 [inline]
__asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433
nilfs_segctor_confirm+0x15f/0x180 fs/nilfs2/segment.c:839
nilfs_segctor_destroy fs/nilfs2/segment.c:2726 [inline]
nilfs_detach_log_writer+0x868/0x9f0 fs/nilfs2/segment.c:2807
nilfs_put_super+0x3f/0x1a0 fs/nilfs2/super.c:469
generic_shutdown_super+0x144/0x370 fs/super.c:456
kill_block_super+0x97/0xf0 fs/super.c:1185
deactivate_locked_super+0x94/0x160 fs/super.c:329
deactivate_super+0x174/0x1a0 fs/super.c:360
cleanup_mnt+0x1a8/0x290 fs/namespace.c:1098
task_work_run+0x148/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x251/0x2a0 arch/x86/entry/common.c:167
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7fce8506daa7
Code: ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcc367a9f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007fce8506daa7
RDX: 00007ffcc367aacb RSI: 000000000000000a RDI: 00007ffcc367aac0
RBP: 00007ffcc367aac0 R08: 00000000ffffffff R09: 00007ffcc367a890
R10: 0000555556c78903 R11: 0000000000000246 R12: 00007fce850c6b2e
R13: 00007ffcc367bb80 R14: 0000555556c78810 R15: 00007ffcc367bbc0
Allocated by task 32409:
kmem_cache_alloc_trace+0x12f/0x380 mm/slab.c:3625
kmalloc include/linux/slab.h:515 [inline]
kzalloc include/linux/slab.h:709 [inline]
nilfs_find_or_create_root+0x84/0x460 fs/nilfs2/the_nilfs.c:752
nilfs_attach_checkpoint+0xc1/0x4b0 fs/nilfs2/super.c:520
nilfs_fill_super fs/nilfs2/super.c:1068 [inline]
nilfs_mount+0xa25/0xe70 fs/nilfs2/super.c:1321
mount_fs+0xa3/0x310 fs/super.c:1261
vfs_kern_mount.part.0+0x68/0x470 fs/namespace.c:961
vfs_kern_mount fs/namespace.c:951 [inline]
do_new_mount fs/namespace.c:2492 [inline]
do_mount+0x115c/0x2f50 fs/namespace.c:2822
ksys_mount+0xcf/0x130 fs/namespace.c:3038
__do_sys_mount fs/namespace.c:3052 [inline]
__se_sys_mount fs/namespace.c:3049 [inline]
__x64_sys_mount+0xba/0x150 fs/namespace.c:3049
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 8161:
__cache_free mm/slab.c:3503 [inline]
kfree+0xcc/0x210 mm/slab.c:3822
nilfs_put_root+0xb1/0xd0 fs/nilfs2/the_nilfs.c:809
nilfs_clear_inode+0x1d1/0x240 fs/nilfs2/inode.c:776
nilfs_evict_inode+0x318/0x440 fs/nilfs2/inode.c:789
evict+0x2ed/0x760 fs/inode.c:559
dispose_list+0x124/0x1f0 fs/inode.c:594
evict_inodes+0x341/0x430 fs/inode.c:644
generic_shutdown_super+0xb3/0x370 fs/super.c:448
kill_block_super+0x97/0xf0 fs/super.c:1185
deactivate_locked_super+0x94/0x160 fs/super.c:329
deactivate_super+0x174/0x1a0 fs/super.c:360
cleanup_mnt+0x1a8/0x290 fs/namespace.c:1098
task_work_run+0x148/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x251/0x2a0 arch/x86/entry/common.c:167
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff888093df3840
which belongs to the cache kmalloc-256 of size 256
The buggy address is located 48 bytes inside of
256-byte region [ffff888093df3840, ffff888093df3940)
The buggy address belongs to the page:
page:ffffea00024f7cc0 count:1 mapcount:0 mapping:ffff88813bff07c0 index:0x0
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffffea0002d6e3c8 ffffea0002833748 ffff88813bff07c0
raw: 0000000000000000 ffff888093df30c0 000000010000000c 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888093df3700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888093df3780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888093df3800: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
^
ffff888093df3880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888093df3900: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following issue on:
HEAD commit: 3f8a27f9e27b Linux 4.19.211
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=120e4901880000
kernel config: https://syzkaller.appspot.com/x/.config?x=9b9277b418617afe
dashboard link: https://syzkaller.appspot.com/bug?extid=09ffbea3b5a1edc48817
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/98c0bdb4abb3/disk-3f8a27f9.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ea228ff02669/vmlinux-3f8a27f9.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+09ffbe...@syzkaller.appspotmail.com
NILFS (loop5): I/O error reading meta-data file (ino=6, block-offset=1)
attempt to access beyond end of device
loop5: rw=0, want=72057594037928010, limit=2048
NILFS (loop5): I/O error reading meta-data file (ino=6, block-offset=1)
==================================================================
BUG: KASAN: use-after-free in nilfs_segctor_confirm+0x15f/0x180 fs/nilfs2/segment.c:839
Read of size 8 at addr ffff888093df3870 by task syz-executor.5/8161
CPU: 0 PID: 8161 Comm: syz-executor.5 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
kasan_report mm/kasan/report.c:412 [inline]
__asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433
nilfs_segctor_confirm+0x15f/0x180 fs/nilfs2/segment.c:839
nilfs_segctor_destroy fs/nilfs2/segment.c:2726 [inline]
nilfs_detach_log_writer+0x868/0x9f0 fs/nilfs2/segment.c:2807
nilfs_put_super+0x3f/0x1a0 fs/nilfs2/super.c:469
generic_shutdown_super+0x144/0x370 fs/super.c:456
kill_block_super+0x97/0xf0 fs/super.c:1185
deactivate_locked_super+0x94/0x160 fs/super.c:329
deactivate_super+0x174/0x1a0 fs/super.c:360
cleanup_mnt+0x1a8/0x290 fs/namespace.c:1098
task_work_run+0x148/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x251/0x2a0 arch/x86/entry/common.c:167
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7fce8506daa7
Code: ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcc367a9f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007fce8506daa7
RDX: 00007ffcc367aacb RSI: 000000000000000a RDI: 00007ffcc367aac0
RBP: 00007ffcc367aac0 R08: 00000000ffffffff R09: 00007ffcc367a890
R10: 0000555556c78903 R11: 0000000000000246 R12: 00007fce850c6b2e
R13: 00007ffcc367bb80 R14: 0000555556c78810 R15: 00007ffcc367bbc0
Allocated by task 32409:
kmem_cache_alloc_trace+0x12f/0x380 mm/slab.c:3625
kmalloc include/linux/slab.h:515 [inline]
kzalloc include/linux/slab.h:709 [inline]
nilfs_find_or_create_root+0x84/0x460 fs/nilfs2/the_nilfs.c:752
nilfs_attach_checkpoint+0xc1/0x4b0 fs/nilfs2/super.c:520
nilfs_fill_super fs/nilfs2/super.c:1068 [inline]
nilfs_mount+0xa25/0xe70 fs/nilfs2/super.c:1321
mount_fs+0xa3/0x310 fs/super.c:1261
vfs_kern_mount.part.0+0x68/0x470 fs/namespace.c:961
vfs_kern_mount fs/namespace.c:951 [inline]
do_new_mount fs/namespace.c:2492 [inline]
do_mount+0x115c/0x2f50 fs/namespace.c:2822
ksys_mount+0xcf/0x130 fs/namespace.c:3038
__do_sys_mount fs/namespace.c:3052 [inline]
__se_sys_mount fs/namespace.c:3049 [inline]
__x64_sys_mount+0xba/0x150 fs/namespace.c:3049
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 8161:
__cache_free mm/slab.c:3503 [inline]
kfree+0xcc/0x210 mm/slab.c:3822
nilfs_put_root+0xb1/0xd0 fs/nilfs2/the_nilfs.c:809
nilfs_clear_inode+0x1d1/0x240 fs/nilfs2/inode.c:776
nilfs_evict_inode+0x318/0x440 fs/nilfs2/inode.c:789
evict+0x2ed/0x760 fs/inode.c:559
dispose_list+0x124/0x1f0 fs/inode.c:594
evict_inodes+0x341/0x430 fs/inode.c:644
generic_shutdown_super+0xb3/0x370 fs/super.c:448
kill_block_super+0x97/0xf0 fs/super.c:1185
deactivate_locked_super+0x94/0x160 fs/super.c:329
deactivate_super+0x174/0x1a0 fs/super.c:360
cleanup_mnt+0x1a8/0x290 fs/namespace.c:1098
task_work_run+0x148/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x251/0x2a0 arch/x86/entry/common.c:167
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff888093df3840
which belongs to the cache kmalloc-256 of size 256
The buggy address is located 48 bytes inside of
256-byte region [ffff888093df3840, ffff888093df3940)
The buggy address belongs to the page:
page:ffffea00024f7cc0 count:1 mapcount:0 mapping:ffff88813bff07c0 index:0x0
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffffea0002d6e3c8 ffffea0002833748 ffff88813bff07c0
raw: 0000000000000000 ffff888093df30c0 000000010000000c 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888093df3700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888093df3780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888093df3800: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
^
ffff888093df3880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888093df3900: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Nov 18, 2022, 10:07:44 AM11/18/22
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:
HEAD commit: 3f8a27f9e27b Linux 4.19.211
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=13419349880000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1121f631880000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/98c0bdb4abb3/disk-3f8a27f9.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ea228ff02669/vmlinux-3f8a27f9.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/0b79d61186e8/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+09ffbe...@syzkaller.appspotmail.com
loop0: rw=0, want=7227310118, limit=2048
NILFS (loop0): I/O error reading meta-data file (ino=6, block-offset=1)
CPU: 1 PID: 8103 Comm: syz-executor210 Not tainted 4.19.211-syzkaller #0
Code: 07 00 48 83 c4 08 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcf11a5b18 EFLAGS: 00000206 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007fcb5b2acea7
RDX: 00007ffcf11a5bda RSI: 000000000000000a RDI: 00007ffcf11a5bd0
RBP: 00007ffcf11a5bd0 R08: 00000000ffffffff R09: 00007ffcf11a59b0
R10: 0000555556ce0683 R11: 0000000000000206 R12: 00007ffcf11a6c40
R13: 0000555556ce05f0 R14: 00007ffcf11a5b40 R15: 0000000000000044
Allocated by task 8593:
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffffea0002ac25c8 ffffea0002ac0c88 ffff88813bff07c0
raw: 0000000000000000 ffff8880ab037080 000000010000000c 0000000000000000
ffff8880ab037880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880ab037900: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
^
ffff8880ab037980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880ab037a00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==================================================================
HEAD commit: 3f8a27f9e27b Linux 4.19.211
git tree: linux-4.19.y
kernel config: https://syzkaller.appspot.com/x/.config?x=9b9277b418617afe
dashboard link: https://syzkaller.appspot.com/bug?extid=09ffbea3b5a1edc48817
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11a6b6d9880000
dashboard link: https://syzkaller.appspot.com/bug?extid=09ffbea3b5a1edc48817
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1121f631880000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/98c0bdb4abb3/disk-3f8a27f9.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ea228ff02669/vmlinux-3f8a27f9.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+09ffbe...@syzkaller.appspotmail.com
attempt to access beyond end of device
loop0: rw=0, want=72057594037928010, limit=2048
NILFS (loop0): I/O error reading meta-data file (ino=6, block-offset=1)
==================================================================
BUG: KASAN: use-after-free in nilfs_segctor_confirm+0x15f/0x180 fs/nilfs2/segment.c:839
Read of size 8 at addr ffff8880ab037970 by task syz-executor210/8103
BUG: KASAN: use-after-free in nilfs_segctor_confirm+0x15f/0x180 fs/nilfs2/segment.c:839
CPU: 1 PID: 8103 Comm: syz-executor210 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
kasan_report mm/kasan/report.c:412 [inline]
__asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433
nilfs_segctor_confirm+0x15f/0x180 fs/nilfs2/segment.c:839
nilfs_segctor_destroy fs/nilfs2/segment.c:2726 [inline]
nilfs_detach_log_writer+0x868/0x9f0 fs/nilfs2/segment.c:2807
nilfs_put_super+0x3f/0x1a0 fs/nilfs2/super.c:469
generic_shutdown_super+0x144/0x370 fs/super.c:456
kill_block_super+0x97/0xf0 fs/super.c:1185
deactivate_locked_super+0x94/0x160 fs/super.c:329
deactivate_super+0x174/0x1a0 fs/super.c:360
cleanup_mnt+0x1a8/0x290 fs/namespace.c:1098
task_work_run+0x148/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x251/0x2a0 arch/x86/entry/common.c:167
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7fcb5b2acea7
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
kasan_report mm/kasan/report.c:412 [inline]
__asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433
nilfs_segctor_confirm+0x15f/0x180 fs/nilfs2/segment.c:839
nilfs_segctor_destroy fs/nilfs2/segment.c:2726 [inline]
nilfs_detach_log_writer+0x868/0x9f0 fs/nilfs2/segment.c:2807
nilfs_put_super+0x3f/0x1a0 fs/nilfs2/super.c:469
generic_shutdown_super+0x144/0x370 fs/super.c:456
kill_block_super+0x97/0xf0 fs/super.c:1185
deactivate_locked_super+0x94/0x160 fs/super.c:329
deactivate_super+0x174/0x1a0 fs/super.c:360
cleanup_mnt+0x1a8/0x290 fs/namespace.c:1098
task_work_run+0x148/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x251/0x2a0 arch/x86/entry/common.c:167
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Code: 07 00 48 83 c4 08 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcf11a5b18 EFLAGS: 00000206 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007fcb5b2acea7
RDX: 00007ffcf11a5bda RSI: 000000000000000a RDI: 00007ffcf11a5bd0
RBP: 00007ffcf11a5bd0 R08: 00000000ffffffff R09: 00007ffcf11a59b0
R10: 0000555556ce0683 R11: 0000000000000206 R12: 00007ffcf11a6c40
R13: 0000555556ce05f0 R14: 00007ffcf11a5b40 R15: 0000000000000044
Allocated by task 8593:
kmem_cache_alloc_trace+0x12f/0x380 mm/slab.c:3625
kmalloc include/linux/slab.h:515 [inline]
kzalloc include/linux/slab.h:709 [inline]
nilfs_find_or_create_root+0x84/0x460 fs/nilfs2/the_nilfs.c:752
nilfs_attach_checkpoint+0xc1/0x4b0 fs/nilfs2/super.c:520
nilfs_fill_super fs/nilfs2/super.c:1068 [inline]
nilfs_mount+0xa25/0xe70 fs/nilfs2/super.c:1321
mount_fs+0xa3/0x310 fs/super.c:1261
vfs_kern_mount.part.0+0x68/0x470 fs/namespace.c:961
vfs_kern_mount fs/namespace.c:951 [inline]
do_new_mount fs/namespace.c:2492 [inline]
do_mount+0x115c/0x2f50 fs/namespace.c:2822
ksys_mount+0xcf/0x130 fs/namespace.c:3038
__do_sys_mount fs/namespace.c:3052 [inline]
__se_sys_mount fs/namespace.c:3049 [inline]
__x64_sys_mount+0xba/0x150 fs/namespace.c:3049
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 8103:
kmalloc include/linux/slab.h:515 [inline]
kzalloc include/linux/slab.h:709 [inline]
nilfs_find_or_create_root+0x84/0x460 fs/nilfs2/the_nilfs.c:752
nilfs_attach_checkpoint+0xc1/0x4b0 fs/nilfs2/super.c:520
nilfs_fill_super fs/nilfs2/super.c:1068 [inline]
nilfs_mount+0xa25/0xe70 fs/nilfs2/super.c:1321
mount_fs+0xa3/0x310 fs/super.c:1261
vfs_kern_mount.part.0+0x68/0x470 fs/namespace.c:961
vfs_kern_mount fs/namespace.c:951 [inline]
do_new_mount fs/namespace.c:2492 [inline]
do_mount+0x115c/0x2f50 fs/namespace.c:2822
ksys_mount+0xcf/0x130 fs/namespace.c:3038
__do_sys_mount fs/namespace.c:3052 [inline]
__se_sys_mount fs/namespace.c:3049 [inline]
__x64_sys_mount+0xba/0x150 fs/namespace.c:3049
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
__cache_free mm/slab.c:3503 [inline]
kfree+0xcc/0x210 mm/slab.c:3822
nilfs_put_root+0xb1/0xd0 fs/nilfs2/the_nilfs.c:809
nilfs_clear_inode+0x1d1/0x240 fs/nilfs2/inode.c:776
nilfs_evict_inode+0x318/0x440 fs/nilfs2/inode.c:789
evict+0x2ed/0x760 fs/inode.c:559
dispose_list+0x124/0x1f0 fs/inode.c:594
evict_inodes+0x341/0x430 fs/inode.c:644
generic_shutdown_super+0xb3/0x370 fs/super.c:448
kill_block_super+0x97/0xf0 fs/super.c:1185
deactivate_locked_super+0x94/0x160 fs/super.c:329
deactivate_super+0x174/0x1a0 fs/super.c:360
cleanup_mnt+0x1a8/0x290 fs/namespace.c:1098
task_work_run+0x148/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x251/0x2a0 arch/x86/entry/common.c:167
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff8880ab037940
kfree+0xcc/0x210 mm/slab.c:3822
nilfs_put_root+0xb1/0xd0 fs/nilfs2/the_nilfs.c:809
nilfs_clear_inode+0x1d1/0x240 fs/nilfs2/inode.c:776
nilfs_evict_inode+0x318/0x440 fs/nilfs2/inode.c:789
evict+0x2ed/0x760 fs/inode.c:559
dispose_list+0x124/0x1f0 fs/inode.c:594
evict_inodes+0x341/0x430 fs/inode.c:644
generic_shutdown_super+0xb3/0x370 fs/super.c:448
kill_block_super+0x97/0xf0 fs/super.c:1185
deactivate_locked_super+0x94/0x160 fs/super.c:329
deactivate_super+0x174/0x1a0 fs/super.c:360
cleanup_mnt+0x1a8/0x290 fs/namespace.c:1098
task_work_run+0x148/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x251/0x2a0 arch/x86/entry/common.c:167
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe
which belongs to the cache kmalloc-256 of size 256
The buggy address is located 48 bytes inside of
256-byte region [ffff8880ab037940, ffff8880ab037a40)
The buggy address is located 48 bytes inside of
The buggy address belongs to the page:
page:ffffea0002ac0dc0 count:1 mapcount:0 mapping:ffff88813bff07c0 index:0x0
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffffea0002ac25c8 ffffea0002ac0c88 ffff88813bff07c0
raw: 0000000000000000 ffff8880ab037080 000000010000000c 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880ab037800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Memory state around the buggy address:
ffff8880ab037880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880ab037900: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
^
ffff8880ab037980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880ab037a00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==================================================================
syzbot
Nov 20, 2022, 1:43:39 AM11/20/22
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: e911713e40ca Linux 4.14.299
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=12028f95880000
kernel config: https://syzkaller.appspot.com/x/.config?x=1d7ed9728cc57838
dashboard link: https://syzkaller.appspot.com/bug?extid=c98e005f97eb5c1e4b5a
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1472f4f9880000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/c8588259d654/disk-e911713e.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/700d08072e5e/vmlinux-e911713e.xz
kernel image: https://storage.googleapis.com/syzbot-assets/844ad5da2ed5/bzImage-e911713e.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/7400e1ccffc6/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c98e00...@syzkaller.appspotmail.com
attempt to access beyond end of device
loop0: rw=0, want=72057594037928010, limit=2048
NILFS (loop0): I/O error reading meta-data file (ino=6, block-offset=1)
==================================================================
BUG: KASAN: use-after-free in nilfs_segctor_confirm+0x147/0x160 fs/nilfs2/segment.c:855
Read of size 8 at addr ffff8880b0b302b0 by task syz-executor228/7987
CPU: 0 PID: 7987 Comm: syz-executor228 Not tainted 4.14.299-syzkaller #0
dump_stack+0x1b2/0x281 lib/dump_stack.c:58
print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
kasan_report_error.cold+0x8a/0x191 mm/kasan/report.c:351
kasan_report mm/kasan/report.c:409 [inline]
__asan_report_load8_noabort+0x68/0x70 mm/kasan/report.c:430
nilfs_segctor_confirm+0x147/0x160 fs/nilfs2/segment.c:855
nilfs_segctor_destroy fs/nilfs2/segment.c:2749 [inline]
nilfs_detach_log_writer+0x7f9/0x980 fs/nilfs2/segment.c:2829
nilfs_put_super+0x3f/0x190 fs/nilfs2/super.c:480
generic_shutdown_super+0x144/0x370 fs/super.c:446
kill_block_super+0x95/0xe0 fs/super.c:1161
deactivate_locked_super+0x6c/0xd0 fs/super.c:319
deactivate_super+0x7f/0xa0 fs/super.c:350
cleanup_mnt+0x186/0x2c0 fs/namespace.c:1183
task_work_run+0x11f/0x190 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:191 [inline]
exit_to_usermode_loop+0x1ad/0x200 arch/x86/entry/common.c:164
prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
entry_SYSCALL_64_after_hwframe+0x5e/0xd3
Allocated by task 8460:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:551
kmem_cache_alloc_trace+0x131/0x3d0 mm/slab.c:3618
kmalloc include/linux/slab.h:488 [inline]
kzalloc include/linux/slab.h:661 [inline]
nilfs_find_or_create_root+0x84/0x410 fs/nilfs2/the_nilfs.c:761
nilfs_attach_checkpoint+0xa2/0x420 fs/nilfs2/super.c:531
nilfs_fill_super fs/nilfs2/super.c:1079 [inline]
nilfs_mount+0x911/0xd00 fs/nilfs2/super.c:1332
mount_fs+0x92/0x2a0 fs/super.c:1237
vfs_kern_mount.part.0+0x5b/0x470 fs/namespace.c:1046
vfs_kern_mount fs/namespace.c:1036 [inline]
do_new_mount fs/namespace.c:2572 [inline]
do_mount+0xe65/0x2a30 fs/namespace.c:2905
SYSC_mount fs/namespace.c:3121 [inline]
SyS_mount+0xa8/0x120 fs/namespace.c:3098
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x5e/0xd3
Freed by task 7987:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0xc3/0x1a0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kfree+0xc9/0x250 mm/slab.c:3815
nilfs_put_root+0x9a/0xc0 fs/nilfs2/the_nilfs.c:819
nilfs_clear_inode+0x251/0x2e0 fs/nilfs2/inode.c:934
nilfs_evict_inode+0x2dd/0x3a0 fs/nilfs2/inode.c:947
evict+0x2c8/0x700 fs/inode.c:554
dispose_list+0x109/0x1e0 fs/inode.c:589
evict_inodes+0x2cd/0x3a0 fs/inode.c:639
generic_shutdown_super+0xb3/0x370 fs/super.c:438
kill_block_super+0x95/0xe0 fs/super.c:1161
deactivate_locked_super+0x6c/0xd0 fs/super.c:319
deactivate_super+0x7f/0xa0 fs/super.c:350
cleanup_mnt+0x186/0x2c0 fs/namespace.c:1183
task_work_run+0x11f/0x190 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:191 [inline]
exit_to_usermode_loop+0x1ad/0x200 arch/x86/entry/common.c:164
prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
entry_SYSCALL_64_after_hwframe+0x5e/0xd3
The buggy address belongs to the object at ffff8880b0b30280
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffff8880b0b30000 ffff8880b0b30dc0 0000000100000006
raw: ffffea0002bccfa0 ffffea0002c2c7e0 ffff88813fe747c0 0000000000000000
ffff8880b0b30200: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff8880b0b30280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880b0b30300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880b0b30380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following issue on:
HEAD commit: e911713e40ca Linux 4.14.299
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=12028f95880000
kernel config: https://syzkaller.appspot.com/x/.config?x=1d7ed9728cc57838
dashboard link: https://syzkaller.appspot.com/bug?extid=c98e005f97eb5c1e4b5a
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1736ebe9880000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1472f4f9880000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/c8588259d654/disk-e911713e.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/700d08072e5e/vmlinux-e911713e.xz
kernel image: https://storage.googleapis.com/syzbot-assets/844ad5da2ed5/bzImage-e911713e.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/7400e1ccffc6/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
attempt to access beyond end of device
loop0: rw=0, want=72057594037928010, limit=2048
NILFS (loop0): I/O error reading meta-data file (ino=6, block-offset=1)
==================================================================
Read of size 8 at addr ffff8880b0b302b0 by task syz-executor228/7987
CPU: 0 PID: 7987 Comm: syz-executor228 Not tainted 4.14.299-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
Call Trace:
dump_stack+0x1b2/0x281 lib/dump_stack.c:58
print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
kasan_report_error.cold+0x8a/0x191 mm/kasan/report.c:351
kasan_report mm/kasan/report.c:409 [inline]
__asan_report_load8_noabort+0x68/0x70 mm/kasan/report.c:430
nilfs_segctor_confirm+0x147/0x160 fs/nilfs2/segment.c:855
nilfs_segctor_destroy fs/nilfs2/segment.c:2749 [inline]
nilfs_detach_log_writer+0x7f9/0x980 fs/nilfs2/segment.c:2829
nilfs_put_super+0x3f/0x190 fs/nilfs2/super.c:480
generic_shutdown_super+0x144/0x370 fs/super.c:446
kill_block_super+0x95/0xe0 fs/super.c:1161
deactivate_locked_super+0x6c/0xd0 fs/super.c:319
deactivate_super+0x7f/0xa0 fs/super.c:350
cleanup_mnt+0x186/0x2c0 fs/namespace.c:1183
task_work_run+0x11f/0x190 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:191 [inline]
exit_to_usermode_loop+0x1ad/0x200 arch/x86/entry/common.c:164
prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
entry_SYSCALL_64_after_hwframe+0x5e/0xd3
Allocated by task 8460:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:551
kmem_cache_alloc_trace+0x131/0x3d0 mm/slab.c:3618
kmalloc include/linux/slab.h:488 [inline]
kzalloc include/linux/slab.h:661 [inline]
nilfs_find_or_create_root+0x84/0x410 fs/nilfs2/the_nilfs.c:761
nilfs_attach_checkpoint+0xa2/0x420 fs/nilfs2/super.c:531
nilfs_fill_super fs/nilfs2/super.c:1079 [inline]
nilfs_mount+0x911/0xd00 fs/nilfs2/super.c:1332
mount_fs+0x92/0x2a0 fs/super.c:1237
vfs_kern_mount.part.0+0x5b/0x470 fs/namespace.c:1046
vfs_kern_mount fs/namespace.c:1036 [inline]
do_new_mount fs/namespace.c:2572 [inline]
do_mount+0xe65/0x2a30 fs/namespace.c:2905
SYSC_mount fs/namespace.c:3121 [inline]
SyS_mount+0xa8/0x120 fs/namespace.c:3098
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x5e/0xd3
Freed by task 7987:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0xc3/0x1a0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kfree+0xc9/0x250 mm/slab.c:3815
nilfs_put_root+0x9a/0xc0 fs/nilfs2/the_nilfs.c:819
nilfs_clear_inode+0x251/0x2e0 fs/nilfs2/inode.c:934
nilfs_evict_inode+0x2dd/0x3a0 fs/nilfs2/inode.c:947
evict+0x2c8/0x700 fs/inode.c:554
dispose_list+0x109/0x1e0 fs/inode.c:589
evict_inodes+0x2cd/0x3a0 fs/inode.c:639
generic_shutdown_super+0xb3/0x370 fs/super.c:438
kill_block_super+0x95/0xe0 fs/super.c:1161
deactivate_locked_super+0x6c/0xd0 fs/super.c:319
deactivate_super+0x7f/0xa0 fs/super.c:350
cleanup_mnt+0x186/0x2c0 fs/namespace.c:1183
task_work_run+0x11f/0x190 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:191 [inline]
exit_to_usermode_loop+0x1ad/0x200 arch/x86/entry/common.c:164
prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
entry_SYSCALL_64_after_hwframe+0x5e/0xd3
The buggy address belongs to the object at ffff8880b0b30280
which belongs to the cache kmalloc-256 of size 256
The buggy address is located 48 bytes inside of
256-byte region [ffff8880b0b30280, ffff8880b0b30380)
The buggy address is located 48 bytes inside of
The buggy address belongs to the page:
page:ffffea0002c2cc00 count:1 mapcount:0 mapping:ffff8880b0b30000 index:0xffff8880b0b30dc0
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffff8880b0b30000 ffff8880b0b30dc0 0000000100000006
raw: ffffea0002bccfa0 ffffea0002c2c7e0 ffff88813fe747c0 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880b0b30180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Memory state around the buggy address:
ffff8880b0b30200: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff8880b0b30280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880b0b30300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880b0b30380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
https://goo.gl/tpsmEJ#testing-patches
Reply all
Reply to author
Forward
0 new messages