[v5.15] KASAN: use-after-free Read in xfs_inode_item_push
0 views
Skip to first unread message
syzbot
May 17, 2023, 3:05:44 PM5/17/23
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 9d6bde853685 Linux 5.15.112
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1016b2c2280000
kernel config: https://syzkaller.appspot.com/x/.config?x=a61e8195d8bdf36e
dashboard link: https://syzkaller.appspot.com/bug?extid=157a2285a060ad6f76e2
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/b65d6c2ec328/disk-9d6bde85.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/cf811ebac37b/vmlinux-9d6bde85.xz
kernel image: https://storage.googleapis.com/syzbot-assets/b2f32fdecf97/bzImage-9d6bde85.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+157a22...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in xfs_inode_item_push+0x25e/0x2c0 fs/xfs/xfs_inode_item.c:582
Read of size 8 at addr ffff88807e879170 by task xfsaild/loop1/8913
CPU: 1 PID: 8913 Comm: xfsaild/loop1 Not tainted 5.15.112-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
print_address_description+0x63/0x3b0 mm/kasan/report.c:248
__kasan_report mm/kasan/report.c:434 [inline]
kasan_report+0x16b/0x1c0 mm/kasan/report.c:451
xfs_inode_item_push+0x25e/0x2c0 fs/xfs/xfs_inode_item.c:582
xfsaild_push_item fs/xfs/xfs_trans_ail.c:414 [inline]
xfsaild_push fs/xfs/xfs_trans_ail.c:472 [inline]
xfsaild+0xd6d/0x2970 fs/xfs/xfs_trans_ail.c:657
kthread+0x3f6/0x4f0 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
</TASK>
Allocated by task 8875:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:434 [inline]
__kasan_slab_alloc+0x8e/0xc0 mm/kasan/common.c:467
kasan_slab_alloc include/linux/kasan.h:254 [inline]
slab_post_alloc_hook+0x53/0x380 mm/slab.h:519
slab_alloc_node mm/slub.c:3220 [inline]
slab_alloc mm/slub.c:3228 [inline]
kmem_cache_alloc+0xf3/0x280 mm/slub.c:3233
kmem_cache_zalloc include/linux/slab.h:711 [inline]
xfs_inode_item_init+0x2f/0xc0 fs/xfs/xfs_inode_item.c:675
xfs_trans_ijoin+0xb6/0xe0 fs/xfs/libxfs/xfs_trans_inode.c:36
xfs_create+0xbca/0x1370 fs/xfs/xfs_inode.c:1056
xfs_generic_create+0x426/0xd70 fs/xfs/xfs_iops.c:197
lookup_open fs/namei.c:3392 [inline]
open_last_lookups fs/namei.c:3462 [inline]
path_openat+0x12f6/0x2f20 fs/namei.c:3669
do_filp_open+0x21c/0x460 fs/namei.c:3699
do_sys_openat2+0x13b/0x500 fs/open.c:1211
do_sys_open fs/open.c:1227 [inline]
__do_sys_open fs/open.c:1235 [inline]
__se_sys_open fs/open.c:1231 [inline]
__x64_sys_open+0x221/0x270 fs/open.c:1231
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb
Freed by task 8919:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track+0x4b/0x80 mm/kasan/common.c:46
kasan_set_free_info+0x1f/0x40 mm/kasan/generic.c:360
____kasan_slab_free+0xd8/0x120 mm/kasan/common.c:366
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:1705 [inline]
slab_free_freelist_hook+0xdd/0x160 mm/slub.c:1731
slab_free mm/slub.c:3499 [inline]
kmem_cache_free+0x91/0x1f0 mm/slub.c:3515
xfs_inode_free_callback+0x1bd/0x230 fs/xfs/xfs_icache.c:142
rcu_do_batch kernel/rcu/tree.c:2510 [inline]
rcu_core+0xa15/0x1650 kernel/rcu/tree.c:2750
__do_softirq+0x3b3/0x93a kernel/softirq.c:558
The buggy address belongs to the object at ffff88807e879140
which belongs to the cache xfs_ili of size 256
The buggy address is located 48 bytes inside of
256-byte region [ffff88807e879140, ffff88807e879240)
The buggy address belongs to the page:
page:ffffea0001fa1e40 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7e879
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 0000000000000000 dead000000000122 ffff8880197a0640
raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Reclaimable, gfp_mask 0x112c50(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 5053, ts 394016723359, free_ts 361124449778
prep_new_page mm/page_alloc.c:2426 [inline]
get_page_from_freelist+0x322a/0x33c0 mm/page_alloc.c:4159
__alloc_pages+0x272/0x700 mm/page_alloc.c:5421
alloc_slab_page mm/slub.c:1775 [inline]
allocate_slab mm/slub.c:1912 [inline]
new_slab+0xbb/0x4b0 mm/slub.c:1975
___slab_alloc+0x6f6/0xe10 mm/slub.c:3008
__slab_alloc mm/slub.c:3095 [inline]
slab_alloc_node mm/slub.c:3186 [inline]
slab_alloc mm/slub.c:3228 [inline]
kmem_cache_alloc+0x18e/0x280 mm/slub.c:3233
kmem_cache_zalloc include/linux/slab.h:711 [inline]
xfs_inode_item_init+0x2f/0xc0 fs/xfs/xfs_inode_item.c:675
xfs_trans_ijoin+0xb6/0xe0 fs/xfs/libxfs/xfs_trans_inode.c:36
xfs_init_new_inode+0xd8c/0x1100 fs/xfs/xfs_inode.c:918
xfs_create_tmpfile+0x655/0xb60 fs/xfs/xfs_inode.c:1168
xfs_rename_alloc_whiteout fs/xfs/xfs_inode.c:3067 [inline]
xfs_rename+0x2c2/0x1f70 fs/xfs/xfs_inode.c:3122
xfs_vn_rename+0x384/0x4d0 fs/xfs/xfs_iops.c:475
vfs_rename+0xd8f/0x1190 fs/namei.c:4736
ovl_do_rename+0x1b4/0x290 fs/overlayfs/overlayfs.h:234
ovl_rename+0xe59/0x1390 fs/overlayfs/dir.c:1266
vfs_rename+0xd8f/0x1190 fs/namei.c:4736
do_renameat2+0xb97/0x13b0 fs/namei.c:4887
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1340 [inline]
free_pcp_prepare mm/page_alloc.c:1391 [inline]
free_unref_page_prepare+0xc34/0xcf0 mm/page_alloc.c:3317
free_unref_page+0x95/0x2d0 mm/page_alloc.c:3396
free_slab mm/slub.c:2015 [inline]
discard_slab mm/slub.c:2021 [inline]
__unfreeze_partials+0x1b7/0x210 mm/slub.c:2507
put_cpu_partial+0x132/0x1a0 mm/slub.c:2587
do_slab_free mm/slub.c:3487 [inline]
___cache_free+0xe3/0x100 mm/slub.c:3506
qlist_free_all+0x36/0x90 mm/kasan/quarantine.c:176
kasan_quarantine_reduce+0x162/0x180 mm/kasan/quarantine.c:283
__kasan_slab_alloc+0x2f/0xc0 mm/kasan/common.c:444
kasan_slab_alloc include/linux/kasan.h:254 [inline]
slab_post_alloc_hook+0x53/0x380 mm/slab.h:519
slab_alloc_node mm/slub.c:3220 [inline]
slab_alloc mm/slub.c:3228 [inline]
kmem_cache_alloc+0xf3/0x280 mm/slub.c:3233
getname_flags+0xb8/0x4e0 fs/namei.c:138
user_path_at_empty+0x2a/0x180 fs/namei.c:2852
user_path_at include/linux/namei.h:57 [inline]
vfs_statx+0x106/0x3b0 fs/stat.c:221
vfs_fstatat fs/stat.c:243 [inline]
__do_sys_newfstatat fs/stat.c:411 [inline]
__se_sys_newfstatat fs/stat.c:405 [inline]
__x64_sys_newfstatat+0x12c/0x1b0 fs/stat.c:405
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb
Memory state around the buggy address:
ffff88807e879000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807e879080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88807e879100: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
^
ffff88807e879180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807e879200: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to change bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 9d6bde853685 Linux 5.15.112
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1016b2c2280000
kernel config: https://syzkaller.appspot.com/x/.config?x=a61e8195d8bdf36e
dashboard link: https://syzkaller.appspot.com/bug?extid=157a2285a060ad6f76e2
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/b65d6c2ec328/disk-9d6bde85.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/cf811ebac37b/vmlinux-9d6bde85.xz
kernel image: https://storage.googleapis.com/syzbot-assets/b2f32fdecf97/bzImage-9d6bde85.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+157a22...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in xfs_inode_item_push+0x25e/0x2c0 fs/xfs/xfs_inode_item.c:582
Read of size 8 at addr ffff88807e879170 by task xfsaild/loop1/8913
CPU: 1 PID: 8913 Comm: xfsaild/loop1 Not tainted 5.15.112-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
print_address_description+0x63/0x3b0 mm/kasan/report.c:248
__kasan_report mm/kasan/report.c:434 [inline]
kasan_report+0x16b/0x1c0 mm/kasan/report.c:451
xfs_inode_item_push+0x25e/0x2c0 fs/xfs/xfs_inode_item.c:582
xfsaild_push_item fs/xfs/xfs_trans_ail.c:414 [inline]
xfsaild_push fs/xfs/xfs_trans_ail.c:472 [inline]
xfsaild+0xd6d/0x2970 fs/xfs/xfs_trans_ail.c:657
kthread+0x3f6/0x4f0 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
</TASK>
Allocated by task 8875:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:434 [inline]
__kasan_slab_alloc+0x8e/0xc0 mm/kasan/common.c:467
kasan_slab_alloc include/linux/kasan.h:254 [inline]
slab_post_alloc_hook+0x53/0x380 mm/slab.h:519
slab_alloc_node mm/slub.c:3220 [inline]
slab_alloc mm/slub.c:3228 [inline]
kmem_cache_alloc+0xf3/0x280 mm/slub.c:3233
kmem_cache_zalloc include/linux/slab.h:711 [inline]
xfs_inode_item_init+0x2f/0xc0 fs/xfs/xfs_inode_item.c:675
xfs_trans_ijoin+0xb6/0xe0 fs/xfs/libxfs/xfs_trans_inode.c:36
xfs_create+0xbca/0x1370 fs/xfs/xfs_inode.c:1056
xfs_generic_create+0x426/0xd70 fs/xfs/xfs_iops.c:197
lookup_open fs/namei.c:3392 [inline]
open_last_lookups fs/namei.c:3462 [inline]
path_openat+0x12f6/0x2f20 fs/namei.c:3669
do_filp_open+0x21c/0x460 fs/namei.c:3699
do_sys_openat2+0x13b/0x500 fs/open.c:1211
do_sys_open fs/open.c:1227 [inline]
__do_sys_open fs/open.c:1235 [inline]
__se_sys_open fs/open.c:1231 [inline]
__x64_sys_open+0x221/0x270 fs/open.c:1231
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb
Freed by task 8919:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track+0x4b/0x80 mm/kasan/common.c:46
kasan_set_free_info+0x1f/0x40 mm/kasan/generic.c:360
____kasan_slab_free+0xd8/0x120 mm/kasan/common.c:366
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:1705 [inline]
slab_free_freelist_hook+0xdd/0x160 mm/slub.c:1731
slab_free mm/slub.c:3499 [inline]
kmem_cache_free+0x91/0x1f0 mm/slub.c:3515
xfs_inode_free_callback+0x1bd/0x230 fs/xfs/xfs_icache.c:142
rcu_do_batch kernel/rcu/tree.c:2510 [inline]
rcu_core+0xa15/0x1650 kernel/rcu/tree.c:2750
__do_softirq+0x3b3/0x93a kernel/softirq.c:558
The buggy address belongs to the object at ffff88807e879140
which belongs to the cache xfs_ili of size 256
The buggy address is located 48 bytes inside of
256-byte region [ffff88807e879140, ffff88807e879240)
The buggy address belongs to the page:
page:ffffea0001fa1e40 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7e879
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 0000000000000000 dead000000000122 ffff8880197a0640
raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Reclaimable, gfp_mask 0x112c50(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 5053, ts 394016723359, free_ts 361124449778
prep_new_page mm/page_alloc.c:2426 [inline]
get_page_from_freelist+0x322a/0x33c0 mm/page_alloc.c:4159
__alloc_pages+0x272/0x700 mm/page_alloc.c:5421
alloc_slab_page mm/slub.c:1775 [inline]
allocate_slab mm/slub.c:1912 [inline]
new_slab+0xbb/0x4b0 mm/slub.c:1975
___slab_alloc+0x6f6/0xe10 mm/slub.c:3008
__slab_alloc mm/slub.c:3095 [inline]
slab_alloc_node mm/slub.c:3186 [inline]
slab_alloc mm/slub.c:3228 [inline]
kmem_cache_alloc+0x18e/0x280 mm/slub.c:3233
kmem_cache_zalloc include/linux/slab.h:711 [inline]
xfs_inode_item_init+0x2f/0xc0 fs/xfs/xfs_inode_item.c:675
xfs_trans_ijoin+0xb6/0xe0 fs/xfs/libxfs/xfs_trans_inode.c:36
xfs_init_new_inode+0xd8c/0x1100 fs/xfs/xfs_inode.c:918
xfs_create_tmpfile+0x655/0xb60 fs/xfs/xfs_inode.c:1168
xfs_rename_alloc_whiteout fs/xfs/xfs_inode.c:3067 [inline]
xfs_rename+0x2c2/0x1f70 fs/xfs/xfs_inode.c:3122
xfs_vn_rename+0x384/0x4d0 fs/xfs/xfs_iops.c:475
vfs_rename+0xd8f/0x1190 fs/namei.c:4736
ovl_do_rename+0x1b4/0x290 fs/overlayfs/overlayfs.h:234
ovl_rename+0xe59/0x1390 fs/overlayfs/dir.c:1266
vfs_rename+0xd8f/0x1190 fs/namei.c:4736
do_renameat2+0xb97/0x13b0 fs/namei.c:4887
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1340 [inline]
free_pcp_prepare mm/page_alloc.c:1391 [inline]
free_unref_page_prepare+0xc34/0xcf0 mm/page_alloc.c:3317
free_unref_page+0x95/0x2d0 mm/page_alloc.c:3396
free_slab mm/slub.c:2015 [inline]
discard_slab mm/slub.c:2021 [inline]
__unfreeze_partials+0x1b7/0x210 mm/slub.c:2507
put_cpu_partial+0x132/0x1a0 mm/slub.c:2587
do_slab_free mm/slub.c:3487 [inline]
___cache_free+0xe3/0x100 mm/slub.c:3506
qlist_free_all+0x36/0x90 mm/kasan/quarantine.c:176
kasan_quarantine_reduce+0x162/0x180 mm/kasan/quarantine.c:283
__kasan_slab_alloc+0x2f/0xc0 mm/kasan/common.c:444
kasan_slab_alloc include/linux/kasan.h:254 [inline]
slab_post_alloc_hook+0x53/0x380 mm/slab.h:519
slab_alloc_node mm/slub.c:3220 [inline]
slab_alloc mm/slub.c:3228 [inline]
kmem_cache_alloc+0xf3/0x280 mm/slub.c:3233
getname_flags+0xb8/0x4e0 fs/namei.c:138
user_path_at_empty+0x2a/0x180 fs/namei.c:2852
user_path_at include/linux/namei.h:57 [inline]
vfs_statx+0x106/0x3b0 fs/stat.c:221
vfs_fstatat fs/stat.c:243 [inline]
__do_sys_newfstatat fs/stat.c:411 [inline]
__se_sys_newfstatat fs/stat.c:405 [inline]
__x64_sys_newfstatat+0x12c/0x1b0 fs/stat.c:405
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb
Memory state around the buggy address:
ffff88807e879000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807e879080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88807e879100: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
^
ffff88807e879180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807e879200: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to change bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
Aug 28, 2023, 4:02:58 AM8/28/23
to syzkaller...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.
Crashes did not happen for a while, no reproducer and no activity.
Reply all
Reply to author
Forward
0 new messages