KASAN: use-after-free Read in sysv_new_block

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit: 3f8a27f9e27b Linux 4.19.211
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=12ff1c7b880000
kernel config: https://syzkaller.appspot.com/x/.config?x=9b9277b418617afe
dashboard link: https://syzkaller.appspot.com/bug?extid=820856e34e86e5399d8a
compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1165404d880000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12c100f3880000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/98c0bdb4abb3/disk-3f8a27f9.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ea228ff02669/vmlinux-3f8a27f9.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/cd5e3a1fef47/mount_1.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+820856...@syzkaller.appspotmail.com

sysv_free_block: flc_count > flc_size
sysv_free_block: flc_count > flc_size
sysv_free_block: flc_count > flc_size
sysv_free_block: flc_count > flc_size
==================================================================
BUG: KASAN: use-after-free in sysv_new_block+0x79f/0x990 fs/sysv/balloc.c:113
Read of size 4 at addr ffff8880904b40c8 by task syz-executor243/8118

CPU: 0 PID: 8118 Comm: syz-executor243 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
kasan_report mm/kasan/report.c:412 [inline]
__asan_report_load4_noabort+0x88/0x90 mm/kasan/report.c:432
sysv_new_block+0x79f/0x990 fs/sysv/balloc.c:113
alloc_branch fs/sysv/itree.c:134 [inline]
get_block+0x3fa/0x1510 fs/sysv/itree.c:251
__block_write_begin_int+0x46c/0x17b0 fs/buffer.c:1978
__block_write_begin fs/buffer.c:2028 [inline]
block_write_begin+0x58/0x2e0 fs/buffer.c:2087
sysv_write_begin+0x35/0xe0 fs/sysv/itree.c:485
generic_perform_write+0x1f8/0x4d0 mm/filemap.c:3170
__generic_file_write_iter+0x24b/0x610 mm/filemap.c:3295
generic_file_write_iter+0x3f8/0x730 mm/filemap.c:3323
call_write_iter include/linux/fs.h:1821 [inline]
new_sync_write fs/read_write.c:474 [inline]
__vfs_write+0x51b/0x770 fs/read_write.c:487
vfs_write+0x1f3/0x540 fs/read_write.c:549
ksys_write+0x12b/0x2a0 fs/read_write.c:599
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f0f2c45b899
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 01 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe9a5ec918 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f0f2c45b899
RDX: 00000000fffffe45 RSI: 00000000200000c0 RDI: 0000000000000004
RBP: 00007ffe9a5ec980 R08: 00000000000f4240 R09: 00000000000f4240
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00000000000f4240 R14: 00007ffe9a5ec944 R15: 00007ffe9a5ec950

The buggy address belongs to the page:
page:ffffea0002412d00 count:0 mapcount:0 mapping:0000000000000000 index:0x1
flags: 0xfff00000000000()
raw: 00fff00000000000 ffffea0002410608 ffffea000237a208 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8880904b3f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8880904b4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8880904b4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff8880904b4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8880904b4180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit: 179ef7fe8677 Linux 4.14.300
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=143b7e97880000
kernel config: https://syzkaller.appspot.com/x/.config?x=aa85f51ec321d5a9
dashboard link: https://syzkaller.appspot.com/bug?extid=386af4de52c85d48c289

compiler: gcc version 10.2.1 20210110 (Debian 10.2.1-6)

syz repro: https://syzkaller.appspot.com/x/repro.syz?x=127b3529880000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1742defb880000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/d311ef57b59a/disk-179ef7fe.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/25bf5d729f69/vmlinux-179ef7fe.xz
kernel image: https://storage.googleapis.com/syzbot-assets/db9b96571e69/bzImage-179ef7fe.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/da3738786a5d/mount_1.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:

Reported-by: syzbot+386af4...@syzkaller.appspotmail.com

sysv_free_block: flc_count > flc_size
sysv_free_block: flc_count > flc_size
sysv_free_block: flc_count > flc_size
sysv_free_block: flc_count > flc_size
==================================================================

BUG: KASAN: use-after-free in sysv_new_block+0x6e2/0x8c0 fs/sysv/balloc.c:113
Read of size 4 at addr ffff88808bf700c8 by task syz-executor367/8020

CPU: 0 PID: 8020 Comm: syz-executor367 Not tainted 4.14.300-syzkaller #0

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:

__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x1b2/0x281 lib/dump_stack.c:58
print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
kasan_report_error.cold+0x8a/0x191 mm/kasan/report.c:351
kasan_report mm/kasan/report.c:409 [inline]
__asan_report_load4_noabort+0x68/0x70 mm/kasan/report.c:429
sysv_new_block+0x6e2/0x8c0 fs/sysv/balloc.c:113
alloc_branch fs/sysv/itree.c:134 [inline]
get_block+0x379/0x1230 fs/sysv/itree.c:251
__block_write_begin_int+0x35c/0x11d0 fs/buffer.c:2038
__block_write_begin fs/buffer.c:2088 [inline]
block_write_begin+0x58/0x270 fs/buffer.c:2147
sysv_write_begin+0x35/0xc0 fs/sysv/itree.c:485
generic_perform_write+0x1d5/0x430 mm/filemap.c:3055
__generic_file_write_iter+0x227/0x590 mm/filemap.c:3180
generic_file_write_iter+0x36f/0x650 mm/filemap.c:3208
call_write_iter include/linux/fs.h:1780 [inline]
new_sync_write fs/read_write.c:469 [inline]
__vfs_write+0x44c/0x630 fs/read_write.c:482
vfs_write+0x17f/0x4d0 fs/read_write.c:544
SYSC_write fs/read_write.c:590 [inline]
SyS_write+0xf2/0x210 fs/read_write.c:582
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x5e/0xd3

The buggy address belongs to the page:

page:ffffea00022fdc00 count:0 mapcount:0 mapping: (null) index:0x1
flags: 0xfff00000000000()
raw: 00fff00000000000 0000000000000000 0000000000000001 00000000ffffffff
raw: ffffea00022fdc60 ffffea00022fdbe0 0000000000000000 0000000000000000

page dumped because: kasan: bad access detected

Memory state around the buggy address:

ffff88808bf6ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88808bf70000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88808bf70080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88808bf70100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88808bf70180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff