[v6.1] KASAN: use-after-free Read in hfsplus_release_folio
1 view
Skip to first unread message
syzbot
Mar 9, 2023, 3:17:50 AM3/9/23
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 42616e0f09fb Linux 6.1.15
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=12af65bcc80000
kernel config: https://syzkaller.appspot.com/x/.config?x=650737f7e9682672
dashboard link: https://syzkaller.appspot.com/bug?extid=5ccc44d06857c4e9364e
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/f10713d1fd0f/disk-42616e0f.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/5a1307bb774e/vmlinux-42616e0f.xz
kernel image: https://storage.googleapis.com/syzbot-assets/388238a30fe4/Image-42616e0f.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+5ccc44...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in hfsplus_release_folio+0x410/0x4ac fs/hfsplus/inode.c:92
Read of size 4 at addr ffff0000d7700038 by task syz-executor.4/4327
CPU: 1 PID: 4327 Comm: syz-executor.4 Not tainted 6.1.15-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call trace:
dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x178/0x4e0 mm/kasan/report.c:395
kasan_report+0xd4/0x130 mm/kasan/report.c:495
__asan_report_load4_noabort+0x2c/0x38 mm/kasan/report_generic.c:350
hfsplus_release_folio+0x410/0x4ac fs/hfsplus/inode.c:92
filemap_release_folio+0x144/0x30c mm/filemap.c:3949
block_invalidate_folio+0x4c4/0x814 fs/buffer.c:1526
folio_invalidate mm/truncate.c:159 [inline]
truncate_cleanup_folio+0x180/0x4c0 mm/truncate.c:179
truncate_inode_pages_range+0x288/0x13b0 mm/truncate.c:369
truncate_inode_pages mm/truncate.c:452 [inline]
truncate_inode_pages_final+0x90/0xc0 mm/truncate.c:487
hfsplus_evict_inode+0x2c/0xc0 fs/hfsplus/super.c:168
evict+0x260/0x68c fs/inode.c:664
iput_final fs/inode.c:1747 [inline]
iput+0x968/0xa4c fs/inode.c:1773
hfsplus_put_super+0x1b0/0x2ec fs/hfsplus/super.c:302
generic_shutdown_super+0x130/0x2f0 fs/super.c:492
kill_block_super+0x70/0xdc fs/super.c:1428
deactivate_locked_super+0xac/0x124 fs/super.c:332
deactivate_super+0xf0/0x110 fs/super.c:363
cleanup_mnt+0x394/0x41c fs/namespace.c:1186
__cleanup_mnt+0x20/0x30 fs/namespace.c:1193
task_work_run+0x240/0x2f0 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
do_notify_resume+0x2144/0x3470 arch/arm64/kernel/signal.c:1132
prepare_exit_to_user_mode arch/arm64/kernel/entry-common.c:137 [inline]
exit_to_user_mode arch/arm64/kernel/entry-common.c:142 [inline]
el0_svc+0x9c/0x168 arch/arm64/kernel/entry-common.c:638
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581
Allocated by task 28361:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4c/0x80 mm/kasan/common.c:52
kasan_save_alloc_info+0x24/0x30 mm/kasan/generic.c:505
____kasan_kmalloc mm/kasan/common.c:374 [inline]
__kasan_kmalloc+0xac/0xc4 mm/kasan/common.c:383
kasan_kmalloc include/linux/kasan.h:211 [inline]
kmalloc_trace+0x7c/0x94 mm/slab_common.c:1050
kmalloc include/linux/slab.h:553 [inline]
kzalloc include/linux/slab.h:689 [inline]
hfsplus_btree_open+0x6c/0xd00 fs/hfsplus/btree.c:142
hfsplus_fill_super+0x910/0x166c fs/hfsplus/super.c:485
mount_bdev+0x26c/0x368 fs/super.c:1401
hfsplus_mount+0x44/0x58 fs/hfsplus/super.c:641
legacy_get_tree+0xd4/0x16c fs/fs_context.c:610
vfs_get_tree+0x90/0x274 fs/super.c:1531
do_new_mount+0x25c/0x8c8 fs/namespace.c:3040
path_mount+0x590/0xe58 fs/namespace.c:3370
do_mount fs/namespace.c:3383 [inline]
__do_sys_mount fs/namespace.c:3591 [inline]
__se_sys_mount fs/namespace.c:3568 [inline]
__arm64_sys_mount+0x45c/0x594 fs/namespace.c:3568
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581
Freed by task 4327:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4c/0x80 mm/kasan/common.c:52
kasan_save_free_info+0x38/0x5c mm/kasan/generic.c:516
____kasan_slab_free+0x144/0x20c mm/kasan/common.c:236
__kasan_slab_free+0x18/0x28 mm/kasan/common.c:244
kasan_slab_free include/linux/kasan.h:177 [inline]
slab_free_hook mm/slub.c:1724 [inline]
slab_free_freelist_hook mm/slub.c:1750 [inline]
slab_free mm/slub.c:3661 [inline]
__kmem_cache_free+0x2c0/0x500 mm/slub.c:3674
kfree+0x104/0x268 mm/slab_common.c:1007
hfsplus_btree_close+0x25c/0x288 fs/hfsplus/btree.c:280
hfsplus_put_super+0x140/0x2ec fs/hfsplus/super.c:298
generic_shutdown_super+0x130/0x2f0 fs/super.c:492
kill_block_super+0x70/0xdc fs/super.c:1428
deactivate_locked_super+0xac/0x124 fs/super.c:332
deactivate_super+0xf0/0x110 fs/super.c:363
cleanup_mnt+0x394/0x41c fs/namespace.c:1186
__cleanup_mnt+0x20/0x30 fs/namespace.c:1193
task_work_run+0x240/0x2f0 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
do_notify_resume+0x2144/0x3470 arch/arm64/kernel/signal.c:1132
prepare_exit_to_user_mode arch/arm64/kernel/entry-common.c:137 [inline]
exit_to_user_mode arch/arm64/kernel/entry-common.c:142 [inline]
el0_svc+0x9c/0x168 arch/arm64/kernel/entry-common.c:638
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581
The buggy address belongs to the object at ffff0000d7700000
which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 56 bytes inside of
4096-byte region [ffff0000d7700000, ffff0000d7701000)
The buggy address belongs to the physical page:
page:0000000080812965 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x117700
head:0000000080812965 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000010200 fffffc0003679a00 dead000000000002 ffff0000c0002a80
raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff0000d76fff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff0000d76fff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff0000d7700000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff0000d7700080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff0000d7700100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following issue on:
HEAD commit: 42616e0f09fb Linux 6.1.15
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=12af65bcc80000
kernel config: https://syzkaller.appspot.com/x/.config?x=650737f7e9682672
dashboard link: https://syzkaller.appspot.com/bug?extid=5ccc44d06857c4e9364e
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/f10713d1fd0f/disk-42616e0f.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/5a1307bb774e/vmlinux-42616e0f.xz
kernel image: https://storage.googleapis.com/syzbot-assets/388238a30fe4/Image-42616e0f.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+5ccc44...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in hfsplus_release_folio+0x410/0x4ac fs/hfsplus/inode.c:92
Read of size 4 at addr ffff0000d7700038 by task syz-executor.4/4327
CPU: 1 PID: 4327 Comm: syz-executor.4 Not tainted 6.1.15-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call trace:
dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x178/0x4e0 mm/kasan/report.c:395
kasan_report+0xd4/0x130 mm/kasan/report.c:495
__asan_report_load4_noabort+0x2c/0x38 mm/kasan/report_generic.c:350
hfsplus_release_folio+0x410/0x4ac fs/hfsplus/inode.c:92
filemap_release_folio+0x144/0x30c mm/filemap.c:3949
block_invalidate_folio+0x4c4/0x814 fs/buffer.c:1526
folio_invalidate mm/truncate.c:159 [inline]
truncate_cleanup_folio+0x180/0x4c0 mm/truncate.c:179
truncate_inode_pages_range+0x288/0x13b0 mm/truncate.c:369
truncate_inode_pages mm/truncate.c:452 [inline]
truncate_inode_pages_final+0x90/0xc0 mm/truncate.c:487
hfsplus_evict_inode+0x2c/0xc0 fs/hfsplus/super.c:168
evict+0x260/0x68c fs/inode.c:664
iput_final fs/inode.c:1747 [inline]
iput+0x968/0xa4c fs/inode.c:1773
hfsplus_put_super+0x1b0/0x2ec fs/hfsplus/super.c:302
generic_shutdown_super+0x130/0x2f0 fs/super.c:492
kill_block_super+0x70/0xdc fs/super.c:1428
deactivate_locked_super+0xac/0x124 fs/super.c:332
deactivate_super+0xf0/0x110 fs/super.c:363
cleanup_mnt+0x394/0x41c fs/namespace.c:1186
__cleanup_mnt+0x20/0x30 fs/namespace.c:1193
task_work_run+0x240/0x2f0 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
do_notify_resume+0x2144/0x3470 arch/arm64/kernel/signal.c:1132
prepare_exit_to_user_mode arch/arm64/kernel/entry-common.c:137 [inline]
exit_to_user_mode arch/arm64/kernel/entry-common.c:142 [inline]
el0_svc+0x9c/0x168 arch/arm64/kernel/entry-common.c:638
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581
Allocated by task 28361:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4c/0x80 mm/kasan/common.c:52
kasan_save_alloc_info+0x24/0x30 mm/kasan/generic.c:505
____kasan_kmalloc mm/kasan/common.c:374 [inline]
__kasan_kmalloc+0xac/0xc4 mm/kasan/common.c:383
kasan_kmalloc include/linux/kasan.h:211 [inline]
kmalloc_trace+0x7c/0x94 mm/slab_common.c:1050
kmalloc include/linux/slab.h:553 [inline]
kzalloc include/linux/slab.h:689 [inline]
hfsplus_btree_open+0x6c/0xd00 fs/hfsplus/btree.c:142
hfsplus_fill_super+0x910/0x166c fs/hfsplus/super.c:485
mount_bdev+0x26c/0x368 fs/super.c:1401
hfsplus_mount+0x44/0x58 fs/hfsplus/super.c:641
legacy_get_tree+0xd4/0x16c fs/fs_context.c:610
vfs_get_tree+0x90/0x274 fs/super.c:1531
do_new_mount+0x25c/0x8c8 fs/namespace.c:3040
path_mount+0x590/0xe58 fs/namespace.c:3370
do_mount fs/namespace.c:3383 [inline]
__do_sys_mount fs/namespace.c:3591 [inline]
__se_sys_mount fs/namespace.c:3568 [inline]
__arm64_sys_mount+0x45c/0x594 fs/namespace.c:3568
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581
Freed by task 4327:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4c/0x80 mm/kasan/common.c:52
kasan_save_free_info+0x38/0x5c mm/kasan/generic.c:516
____kasan_slab_free+0x144/0x20c mm/kasan/common.c:236
__kasan_slab_free+0x18/0x28 mm/kasan/common.c:244
kasan_slab_free include/linux/kasan.h:177 [inline]
slab_free_hook mm/slub.c:1724 [inline]
slab_free_freelist_hook mm/slub.c:1750 [inline]
slab_free mm/slub.c:3661 [inline]
__kmem_cache_free+0x2c0/0x500 mm/slub.c:3674
kfree+0x104/0x268 mm/slab_common.c:1007
hfsplus_btree_close+0x25c/0x288 fs/hfsplus/btree.c:280
hfsplus_put_super+0x140/0x2ec fs/hfsplus/super.c:298
generic_shutdown_super+0x130/0x2f0 fs/super.c:492
kill_block_super+0x70/0xdc fs/super.c:1428
deactivate_locked_super+0xac/0x124 fs/super.c:332
deactivate_super+0xf0/0x110 fs/super.c:363
cleanup_mnt+0x394/0x41c fs/namespace.c:1186
__cleanup_mnt+0x20/0x30 fs/namespace.c:1193
task_work_run+0x240/0x2f0 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
do_notify_resume+0x2144/0x3470 arch/arm64/kernel/signal.c:1132
prepare_exit_to_user_mode arch/arm64/kernel/entry-common.c:137 [inline]
exit_to_user_mode arch/arm64/kernel/entry-common.c:142 [inline]
el0_svc+0x9c/0x168 arch/arm64/kernel/entry-common.c:638
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581
The buggy address belongs to the object at ffff0000d7700000
which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 56 bytes inside of
4096-byte region [ffff0000d7700000, ffff0000d7701000)
The buggy address belongs to the physical page:
page:0000000080812965 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x117700
head:0000000080812965 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000010200 fffffc0003679a00 dead000000000002 ffff0000c0002a80
raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff0000d76fff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff0000d76fff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff0000d7700000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff0000d7700080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff0000d7700100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
Mar 9, 2023, 6:40:50 AM3/9/23
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:
HEAD commit: 42616e0f09fb Linux 6.1.15
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=16842dd4c80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1076b842c80000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/f10713d1fd0f/disk-42616e0f.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/5a1307bb774e/vmlinux-42616e0f.xz
kernel image: https://storage.googleapis.com/syzbot-assets/388238a30fe4/Image-42616e0f.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/e75d44bb3943/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+5ccc44...@syzkaller.appspotmail.com
loop0: detected capacity change from 0 to 1024
CPU: 0 PID: 4307 Comm: syz-executor954 Not tainted 6.1.15-syzkaller #0
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0x538/0x1af8 kernel/exit.c:867
do_group_exit+0x194/0x22c kernel/exit.c:1012
__do_sys_exit_group kernel/exit.c:1023 [inline]
__se_sys_exit_group kernel/exit.c:1021 [inline]
__wake_up_parent+0x0/0x60 kernel/exit.c:1021
Freed by task 4307:
do_exit+0x538/0x1af8 kernel/exit.c:867
do_group_exit+0x194/0x22c kernel/exit.c:1012
__do_sys_exit_group kernel/exit.c:1023 [inline]
__se_sys_exit_group kernel/exit.c:1021 [inline]
__wake_up_parent+0x0/0x60 kernel/exit.c:1021
The buggy address belongs to the physical page:
page:00000000386b5da6 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x118338
head:00000000386b5da6 order:3 compound_mapcount:0 compound_pincount:0
ffff0000d833df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff0000d833e000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff0000d833e080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff0000d833e100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
HEAD commit: 42616e0f09fb Linux 6.1.15
git tree: linux-6.1.y
kernel config: https://syzkaller.appspot.com/x/.config?x=650737f7e9682672
dashboard link: https://syzkaller.appspot.com/bug?extid=5ccc44d06857c4e9364e
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14ac27cac80000
dashboard link: https://syzkaller.appspot.com/bug?extid=5ccc44d06857c4e9364e
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1076b842c80000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/f10713d1fd0f/disk-42616e0f.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/5a1307bb774e/vmlinux-42616e0f.xz
kernel image: https://storage.googleapis.com/syzbot-assets/388238a30fe4/Image-42616e0f.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+5ccc44...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in hfsplus_release_folio+0x410/0x4ac fs/hfsplus/inode.c:92
Read of size 4 at addr ffff0000d833e038 by task syz-executor954/4307
BUG: KASAN: use-after-free in hfsplus_release_folio+0x410/0x4ac fs/hfsplus/inode.c:92
CPU: 0 PID: 4307 Comm: syz-executor954 Not tainted 6.1.15-syzkaller #0
do_exit+0x538/0x1af8 kernel/exit.c:867
do_group_exit+0x194/0x22c kernel/exit.c:1012
__do_sys_exit_group kernel/exit.c:1023 [inline]
__se_sys_exit_group kernel/exit.c:1021 [inline]
__wake_up_parent+0x0/0x60 kernel/exit.c:1021
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581
Allocated by task 4307:
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4c/0x80 mm/kasan/common.c:52
kasan_save_free_info+0x38/0x5c mm/kasan/generic.c:516
____kasan_slab_free+0x144/0x20c mm/kasan/common.c:236
__kasan_slab_free+0x18/0x28 mm/kasan/common.c:244
kasan_slab_free include/linux/kasan.h:177 [inline]
slab_free_hook mm/slub.c:1724 [inline]
slab_free_freelist_hook mm/slub.c:1750 [inline]
slab_free mm/slub.c:3661 [inline]
__kmem_cache_free+0x2c0/0x500 mm/slub.c:3674
kfree+0x104/0x268 mm/slab_common.c:1007
hfsplus_btree_close+0x25c/0x288 fs/hfsplus/btree.c:280
hfsplus_put_super+0x140/0x2ec fs/hfsplus/super.c:298
generic_shutdown_super+0x130/0x2f0 fs/super.c:492
kill_block_super+0x70/0xdc fs/super.c:1428
deactivate_locked_super+0xac/0x124 fs/super.c:332
deactivate_super+0xf0/0x110 fs/super.c:363
cleanup_mnt+0x394/0x41c fs/namespace.c:1186
__cleanup_mnt+0x20/0x30 fs/namespace.c:1193
task_work_run+0x240/0x2f0 kernel/task_work.c:179
exit_task_work include/linux/task_work.h:38 [inline]
kasan_set_track+0x4c/0x80 mm/kasan/common.c:52
kasan_save_free_info+0x38/0x5c mm/kasan/generic.c:516
____kasan_slab_free+0x144/0x20c mm/kasan/common.c:236
__kasan_slab_free+0x18/0x28 mm/kasan/common.c:244
kasan_slab_free include/linux/kasan.h:177 [inline]
slab_free_hook mm/slub.c:1724 [inline]
slab_free_freelist_hook mm/slub.c:1750 [inline]
slab_free mm/slub.c:3661 [inline]
__kmem_cache_free+0x2c0/0x500 mm/slub.c:3674
kfree+0x104/0x268 mm/slab_common.c:1007
hfsplus_btree_close+0x25c/0x288 fs/hfsplus/btree.c:280
hfsplus_put_super+0x140/0x2ec fs/hfsplus/super.c:298
generic_shutdown_super+0x130/0x2f0 fs/super.c:492
kill_block_super+0x70/0xdc fs/super.c:1428
deactivate_locked_super+0xac/0x124 fs/super.c:332
deactivate_super+0xf0/0x110 fs/super.c:363
cleanup_mnt+0x394/0x41c fs/namespace.c:1186
__cleanup_mnt+0x20/0x30 fs/namespace.c:1193
task_work_run+0x240/0x2f0 kernel/task_work.c:179
do_exit+0x538/0x1af8 kernel/exit.c:867
do_group_exit+0x194/0x22c kernel/exit.c:1012
__do_sys_exit_group kernel/exit.c:1023 [inline]
__se_sys_exit_group kernel/exit.c:1021 [inline]
__wake_up_parent+0x0/0x60 kernel/exit.c:1021
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581
The buggy address belongs to the object at ffff0000d833e000
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581
which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 56 bytes inside of
4096-byte region [ffff0000d833e000, ffff0000d833f000)
The buggy address is located 56 bytes inside of
The buggy address belongs to the physical page:
head:00000000386b5da6 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000010200 0000000000000000 dead000000000122 ffff0000c0002a80
raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff0000d833df00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff0000d833df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff0000d833e000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff0000d833e080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff0000d833e100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
syzbot
Apr 8, 2023, 2:06:27 PM4/8/23
to syzkaller...@googlegroups.com
syzbot suspects this issue was fixed by commit:
commit 0c80bef0b7d297ea86e5408fe79c45479e504a26
Author: Dongliang Mu <mudongl...@gmail.com>
Date: Sun Feb 26 12:49:47 2023 +0000
fs: hfsplus: fix UAF issue in hfsplus_put_super
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1535d707c80000
start commit: 42616e0f09fb Linux 6.1.15
git tree: linux-6.1.y
#syz fix: fs: hfsplus: fix UAF issue in hfsplus_put_super
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
commit 0c80bef0b7d297ea86e5408fe79c45479e504a26
Author: Dongliang Mu <mudongl...@gmail.com>
Date: Sun Feb 26 12:49:47 2023 +0000
fs: hfsplus: fix UAF issue in hfsplus_put_super
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1535d707c80000
start commit: 42616e0f09fb Linux 6.1.15
git tree: linux-6.1.y
kernel config: https://syzkaller.appspot.com/x/.config?x=650737f7e9682672
dashboard link: https://syzkaller.appspot.com/bug?extid=5ccc44d06857c4e9364e
dashboard link: https://syzkaller.appspot.com/bug?extid=5ccc44d06857c4e9364e
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14ac27cac80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1076b842c80000
If the result looks correct, please mark the issue as fixed by replying with:
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14ac27cac80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1076b842c80000
#syz fix: fs: hfsplus: fix UAF issue in hfsplus_put_super
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
Reply all
Reply to author
Forward
0 new messages