Hello,
syzbot found the following issue on:
HEAD commit: 59b13c2b647e Linux 6.1.52
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=16cae1b4680000
kernel config: https://syzkaller.appspot.com/x/.config?x=9e161b7571806ac8
dashboard link: https://syzkaller.appspot.com/bug?extid=cc11ec9ae925602af228
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/9337ea48258d/disk-59b13c2b.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/baf3218feb51/vmlinux-59b13c2b.xz
kernel image: https://storage.googleapis.com/syzbot-assets/e0faa5f64bea/bzImage-59b13c2b.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+cc11ec...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in copy_page_from_iter_atomic+0x872/0x1100 lib/iov_iter.c:820
Read of size 4096 at addr ffff8880a1040000 by task kworker/u4:3/51
CPU: 0 PID: 51 Comm: kworker/u4:3 Not tainted 6.1.52-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
Workqueue: loop5 loop_workfn
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x15f/0x4f0 mm/kasan/report.c:395
kasan_report+0x136/0x160 mm/kasan/report.c:495
kasan_check_range+0x27f/0x290 mm/kasan/generic.c:189
memcpy+0x25/0x60 mm/kasan/shadow.c:65
copy_page_from_iter_atomic+0x872/0x1100 lib/iov_iter.c:820
generic_perform_write+0x36c/0x5e0 mm/filemap.c:3762
__generic_file_write_iter+0x176/0x400 mm/filemap.c:3882
generic_file_write_iter+0xab/0x310 mm/filemap.c:3914
do_iter_write+0x6e6/0xc50 fs/read_write.c:861
lo_write_bvec drivers/block/loop.c:249 [inline]
lo_write_simple drivers/block/loop.c:271 [inline]
do_req_filebacked drivers/block/loop.c:495 [inline]
loop_handle_cmd drivers/block/loop.c:1882 [inline]
loop_process_work+0x13ff/0x2200 drivers/block/loop.c:1917
process_one_work+0x8aa/0x11f0 kernel/workqueue.c:2292
worker_thread+0xa5f/0x1210 kernel/workqueue.c:2439
kthread+0x26e/0x300 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
</TASK>
The buggy address belongs to the physical page:
page:ffffea0002841000 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xa1040
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea0001e6c548 ffffea0001f3a9c8 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x100dc0(GFP_USER|__GFP_ZERO), pid 7970, tgid 7957 (syz-executor.5), ts 309795443051, free_ts 309939044170
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x18d/0x1b0 mm/page_alloc.c:2533
prep_new_page mm/page_alloc.c:2540 [inline]
get_page_from_freelist+0x32ed/0x3480 mm/page_alloc.c:4292
__alloc_pages+0x28d/0x770 mm/page_alloc.c:5559
lbmLogInit fs/jfs/jfs_logmgr.c:1816 [inline]
lmLogInit+0x376/0x1c90 fs/jfs/jfs_logmgr.c:1270
open_inline_log fs/jfs/jfs_logmgr.c:1175 [inline]
lmLogOpen+0x552/0x1030 fs/jfs/jfs_logmgr.c:1069
jfs_mount_rw+0xe3/0x640 fs/jfs/jfs_mount.c:253
jfs_fill_super+0x67d/0xc40 fs/jfs/super.c:565
mount_bdev+0x2c9/0x3f0 fs/super.c:1432
legacy_get_tree+0xeb/0x180 fs/fs_context.c:611
vfs_get_tree+0x88/0x270 fs/super.c:1562
do_new_mount+0x28b/0xae0 fs/namespace.c:3040
do_mount fs/namespace.c:3383 [inline]
__do_sys_mount fs/namespace.c:3591 [inline]
__se_sys_mount+0x2d5/0x3c0 fs/namespace.c:3568
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1460 [inline]
free_pcp_prepare mm/page_alloc.c:1510 [inline]
free_unref_page_prepare+0xf63/0x1120 mm/page_alloc.c:3388
free_unref_page+0x98/0x570 mm/page_alloc.c:3484
lbmLogShutdown fs/jfs/jfs_logmgr.c:1864 [inline]
lmLogShutdown+0x4f8/0x960 fs/jfs/jfs_logmgr.c:1684
lmLogClose+0x293/0x530 fs/jfs/jfs_logmgr.c:1460
jfs_umount+0x298/0x370 fs/jfs/jfs_umount.c:116
jfs_put_super+0x86/0x180 fs/jfs/super.c:194
generic_shutdown_super+0x130/0x340 fs/super.c:501
kill_block_super+0x7a/0xe0 fs/super.c:1459
deactivate_locked_super+0xa0/0x110 fs/super.c:332
cleanup_mnt+0x490/0x520 fs/namespace.c:1186
task_work_run+0x246/0x300 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0xd9/0x100 kernel/entry/common.c:171
exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:204
__syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline]
syscall_exit_to_user_mode+0x60/0x270 kernel/entry/common.c:297
do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Memory state around the buggy address:
ffff8880a103ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8880a103ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8880a1040000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff8880a1040080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8880a1040100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See: https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup