[v5.15] KASAN: use-after-free Write in txEnd


syzbot

Feb 13, 2024, 8:53:29 PM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 6139f2a02fe0 Linux 5.15.148
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=167bec62180000
kernel config: https://syzkaller.appspot.com/x/.config?x=c170eb20d8be8542
dashboard link: https://syzkaller.appspot.com/bug?extid=56e00af64faba56750bf
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1326d2fc180000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/528e8fe56997/disk-6139f2a0.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/18abf1e442f9/vmlinux-6139f2a0.xz
kernel image: https://storage.googleapis.com/syzbot-assets/0538a5d3b1f3/bzImage-6139f2a0.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/d77b755300be/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+56e00a...@syzkaller.appspotmail.com

... Log Wrap ... Log Wrap ... Log Wrap ...
==================================================================
BUG: KASAN: use-after-free in instrument_atomic_write include/linux/instrumented.h:86 [inline]
BUG: KASAN: use-after-free in clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline]
BUG: KASAN: use-after-free in txEnd+0x350/0x560 fs/jfs/jfs_txnmgr.c:554
Write of size 8 at addr ffff88807df79040 by task jfsCommit/276

CPU: 1 PID: 276 Comm: jfsCommit Not tainted 5.15.148-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
print_address_description+0x63/0x3b0 mm/kasan/report.c:248
__kasan_report mm/kasan/report.c:434 [inline]
kasan_report+0x16b/0x1c0 mm/kasan/report.c:451
kasan_check_range+0x27e/0x290 mm/kasan/generic.c:189
instrument_atomic_write include/linux/instrumented.h:86 [inline]
clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline]
txEnd+0x350/0x560 fs/jfs/jfs_txnmgr.c:554
txLazyCommit fs/jfs/jfs_txnmgr.c:2718 [inline]
jfs_lazycommit+0x60d/0xc30 fs/jfs/jfs_txnmgr.c:2766
kthread+0x3f6/0x4f0 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
</TASK>

Allocated by task 3600:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:434 [inline]
____kasan_kmalloc+0xba/0xf0 mm/kasan/common.c:513
kasan_kmalloc include/linux/kasan.h:264 [inline]
kmem_cache_alloc_trace+0x143/0x290 mm/slub.c:3247
kmalloc include/linux/slab.h:591 [inline]
kzalloc include/linux/slab.h:721 [inline]
open_inline_log fs/jfs/jfs_logmgr.c:1167 [inline]
lmLogOpen+0x314/0x1030 fs/jfs/jfs_logmgr.c:1077
jfs_mount_rw+0xe3/0x640 fs/jfs/jfs_mount.c:253
jfs_fill_super+0x69f/0xc70 fs/jfs/super.c:570
mount_bdev+0x2c9/0x3f0 fs/super.c:1387
legacy_get_tree+0xeb/0x180 fs/fs_context.c:611
vfs_get_tree+0x88/0x270 fs/super.c:1517
do_new_mount+0x2ba/0xb40 fs/namespace.c:3005
do_mount fs/namespace.c:3348 [inline]
__do_sys_mount fs/namespace.c:3556 [inline]
__se_sys_mount+0x2d5/0x3c0 fs/namespace.c:3533
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb

Freed by task 3536:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track+0x4b/0x80 mm/kasan/common.c:46
kasan_set_free_info+0x1f/0x40 mm/kasan/generic.c:360
____kasan_slab_free+0xd8/0x120 mm/kasan/common.c:366
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:1705 [inline]
slab_free_freelist_hook+0xdd/0x160 mm/slub.c:1731
slab_free mm/slub.c:3499 [inline]
kfree+0xf1/0x270 mm/slub.c:4559
lmLogClose+0x29d/0x530
jfs_umount+0x298/0x370 fs/jfs/jfs_umount.c:116
jfs_put_super+0x86/0x180 fs/jfs/super.c:194
generic_shutdown_super+0x136/0x2c0 fs/super.c:475
kill_block_super+0x7a/0xe0 fs/super.c:1414
deactivate_locked_super+0xa0/0x110 fs/super.c:335
cleanup_mnt+0x44e/0x500 fs/namespace.c:1143
task_work_run+0x129/0x1a0 kernel/task_work.c:164
tracehook_notify_resume include/linux/tracehook.h:189 [inline]
exit_to_user_mode_loop+0x106/0x130 kernel/entry/common.c:175
exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:208
__syscall_exit_to_user_mode_work kernel/entry/common.c:290 [inline]
syscall_exit_to_user_mode+0x5d/0x250 kernel/entry/common.c:301
do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x61/0xcb

The buggy address belongs to the object at ffff88807df79000
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 64 bytes inside of
1024-byte region [ffff88807df79000, ffff88807df79400)
The buggy address belongs to the page:
page:ffffea0001f7de00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7df78
head:ffffea0001f7de00 order:3 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 0000000000000000 dead000000000122 ffff888011c41dc0
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x152a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL), pid 788, ts 85582687692, free_ts 85575345315
prep_new_page mm/page_alloc.c:2426 [inline]
get_page_from_freelist+0x322a/0x33c0 mm/page_alloc.c:4159
__alloc_pages+0x272/0x700 mm/page_alloc.c:5421
alloc_slab_page mm/slub.c:1775 [inline]
allocate_slab mm/slub.c:1912 [inline]
new_slab+0xbb/0x4b0 mm/slub.c:1975
___slab_alloc+0x6f6/0xe10 mm/slub.c:3008
__slab_alloc mm/slub.c:3095 [inline]
slab_alloc_node mm/slub.c:3186 [inline]
slab_alloc mm/slub.c:3228 [inline]
__kmalloc+0x1c9/0x300 mm/slub.c:4403
kmalloc include/linux/slab.h:596 [inline]
kzalloc include/linux/slab.h:721 [inline]
ieee802_11_parse_elems_crc+0xb3/0x1130 net/mac80211/util.c:1478
ieee802_11_parse_elems net/mac80211/ieee80211_i.h:2238 [inline]
ieee80211_rx_mgmt_probe_beacon net/mac80211/ibss.c:1609 [inline]
ieee80211_ibss_rx_queued_mgmt+0x380/0x2af0 net/mac80211/ibss.c:1643
ieee80211_iface_process_skb net/mac80211/iface.c:1441 [inline]
ieee80211_iface_work+0x78f/0xcc0 net/mac80211/iface.c:1495
process_one_work+0x8a1/0x10c0 kernel/workqueue.c:2310
worker_thread+0xaca/0x1280 kernel/workqueue.c:2457
kthread+0x3f6/0x4f0 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1340 [inline]
free_pcp_prepare mm/page_alloc.c:1391 [inline]
free_unref_page_prepare+0xc34/0xcf0 mm/page_alloc.c:3317
free_unref_page+0x95/0x2d0 mm/page_alloc.c:3396
free_slab mm/slub.c:2015 [inline]
discard_slab mm/slub.c:2021 [inline]
__unfreeze_partials+0x1b7/0x210 mm/slub.c:2507
put_cpu_partial+0x132/0x1a0 mm/slub.c:2587
do_slab_free mm/slub.c:3487 [inline]
___cache_free+0xe3/0x100 mm/slub.c:3506
qlist_free_all+0x36/0x90 mm/kasan/quarantine.c:176
kasan_quarantine_reduce+0x162/0x180 mm/kasan/quarantine.c:283
__kasan_slab_alloc+0x2f/0xc0 mm/kasan/common.c:444
kasan_slab_alloc include/linux/kasan.h:254 [inline]
slab_post_alloc_hook+0x53/0x380 mm/slab.h:519
slab_alloc_node mm/slub.c:3220 [inline]
slab_alloc mm/slub.c:3228 [inline]
__kmalloc+0x120/0x300 mm/slub.c:4403
kmalloc include/linux/slab.h:596 [inline]
tomoyo_realpath_from_path+0xd8/0x5e0 security/tomoyo/realpath.c:254
tomoyo_mount_acl security/tomoyo/mount.c:141 [inline]
tomoyo_mount_permission+0x9f4/0xb20 security/tomoyo/mount.c:237
security_sb_mount+0x88/0xc0 security/security.c:978
path_mount+0xbd/0x10a0 fs/namespace.c:3277
do_mount fs/namespace.c:3348 [inline]
__do_sys_mount fs/namespace.c:3556 [inline]
__se_sys_mount+0x2d5/0x3c0 fs/namespace.c:3533
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80

Memory state around the buggy address:
ffff88807df78f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88807df78f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88807df79000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88807df79080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807df79100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syzbot

Apr 11, 2024, 5:29:34 PM
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: cdfd0a7f0139 Linux 5.15.154
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=11e6914d180000
kernel config: https://syzkaller.appspot.com/x/.config?x=a0d657e4df0a8dde
dashboard link: https://syzkaller.appspot.com/bug?extid=56e00af64faba56750bf
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13c9d54d180000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15554b25180000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/093210fbc9bd/disk-cdfd0a7f.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/dbab34a8852d/vmlinux-cdfd0a7f.xz
kernel image: https://storage.googleapis.com/syzbot-assets/e3e218d1a57e/Image-cdfd0a7f.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/255bd1094305/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+56e00a...@syzkaller.appspotmail.com

... Log Wrap ... Log Wrap ... Log Wrap ...
==================================================================
BUG: KASAN: use-after-free in instrument_atomic_write include/linux/instrumented.h:86 [inline]
BUG: KASAN: use-after-free in clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline]
BUG: KASAN: use-after-free in txEnd+0x31c/0x574 fs/jfs/jfs_txnmgr.c:554
Write of size 8 at addr ffff0000cdb7c840 by task jfsCommit/233

CPU: 1 PID: 233 Comm: jfsCommit Not tainted 5.15.154-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call trace:
dump_backtrace+0x0/0x530 arch/arm64/kernel/stacktrace.c:152
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
print_address_description+0x7c/0x3f0 mm/kasan/report.c:248
__kasan_report mm/kasan/report.c:434 [inline]
kasan_report+0x174/0x1e4 mm/kasan/report.c:451
kasan_check_range+0x274/0x2b4 mm/kasan/generic.c:189
__kasan_check_write+0x44/0x54 mm/kasan/shadow.c:37
instrument_atomic_write include/linux/instrumented.h:86 [inline]
clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline]
txEnd+0x31c/0x574 fs/jfs/jfs_txnmgr.c:554
txLazyCommit fs/jfs/jfs_txnmgr.c:2718 [inline]
jfs_lazycommit+0x4d4/0xa40 fs/jfs/jfs_txnmgr.c:2766
kthread+0x37c/0x45c kernel/kthread.c:334
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:870

Allocated by task 4758:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:434 [inline]
____kasan_kmalloc+0xbc/0xfc mm/kasan/common.c:513
__kasan_kmalloc+0x10/0x1c mm/kasan/common.c:522
kasan_kmalloc include/linux/kasan.h:264 [inline]
kmem_cache_alloc_trace+0x27c/0x47c mm/slub.c:3247
kmalloc include/linux/slab.h:591 [inline]
kzalloc include/linux/slab.h:721 [inline]
open_inline_log fs/jfs/jfs_logmgr.c:1167 [inline]
lmLogOpen+0x290/0xdc0 fs/jfs/jfs_logmgr.c:1077
jfs_mount_rw+0xe4/0x57c fs/jfs/jfs_mount.c:253
jfs_fill_super+0x508/0xa08 fs/jfs/super.c:570
mount_bdev+0x274/0x370 fs/super.c:1387
jfs_do_mount+0x44/0x58 fs/jfs/super.c:675
legacy_get_tree+0xd4/0x16c fs/fs_context.c:611
vfs_get_tree+0x90/0x274 fs/super.c:1517
do_new_mount+0x278/0x8fc fs/namespace.c:3005
path_mount+0x594/0x101c fs/namespace.c:3335
do_mount fs/namespace.c:3348 [inline]
__do_sys_mount fs/namespace.c:3556 [inline]
__se_sys_mount fs/namespace.c:3533 [inline]
__arm64_sys_mount+0x510/0x5e0 fs/namespace.c:3533
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:608
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:626
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584

Freed by task 3996:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track+0x4c/0x84 mm/kasan/common.c:46
kasan_set_free_info+0x28/0x4c mm/kasan/generic.c:360
____kasan_slab_free+0x118/0x164 mm/kasan/common.c:366
__kasan_slab_free+0x18/0x28 mm/kasan/common.c:374
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:1705 [inline]
slab_free_freelist_hook+0x128/0x1ec mm/slub.c:1731
slab_free mm/slub.c:3499 [inline]
kfree+0x178/0x410 mm/slub.c:4559
lmLogClose+0x270/0x4d8
jfs_umount+0x24c/0x338 fs/jfs/jfs_umount.c:116
jfs_put_super+0x90/0x188 fs/jfs/super.c:194
generic_shutdown_super+0x130/0x29c fs/super.c:475
kill_block_super+0x70/0xdc fs/super.c:1414
deactivate_locked_super+0xb8/0x13c fs/super.c:335
deactivate_super+0x108/0x128 fs/super.c:366
cleanup_mnt+0x3c0/0x474 fs/namespace.c:1143
__cleanup_mnt+0x20/0x30 fs/namespace.c:1150
task_work_run+0x130/0x1e4 kernel/task_work.c:164
tracehook_notify_resume include/linux/tracehook.h:189 [inline]
do_notify_resume+0x262c/0x32b8 arch/arm64/kernel/signal.c:946
prepare_exit_to_user_mode arch/arm64/kernel/entry-common.c:133 [inline]
exit_to_user_mode arch/arm64/kernel/entry-common.c:138 [inline]
el0_svc+0xfc/0x1f0 arch/arm64/kernel/entry-common.c:609
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:626
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584

The buggy address belongs to the object at ffff0000cdb7c800
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 64 bytes inside of
1024-byte region [ffff0000cdb7c800, ffff0000cdb7cc00)
The buggy address belongs to the page:
page:000000008144149d refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10db78
head:000000008144149d order:3 compound_mapcount:0 compound_pincount:0
flags: 0x5ffe00000010200(slab|head|node=0|zone=2|lastcpupid=0xfff)
raw: 05ffe00000010200 0000000000000000 0000000e00000001 ffff0000c0002780
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff0000cdb7c700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff0000cdb7c780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff0000cdb7c800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff0000cdb7c880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff0000cdb7c900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
