[v5.15] KASAN: use-after-free Read in __ocfs2_find_path
9 views
Skip to first unread message
syzbot
Oct 5, 2024, 4:46:24 PM10/5/24
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 3a5928702e71 Linux 5.15.167
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=16633307980000
kernel config: https://syzkaller.appspot.com/x/.config?x=171882977b524c53
dashboard link: https://syzkaller.appspot.com/bug?extid=e41668d5154370928317
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/22ee27cb312d/disk-3a592870.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/90bf6a3e3d20/vmlinux-3a592870.xz
kernel image: https://storage.googleapis.com/syzbot-assets/096dd2c73ac3/Image-3a592870.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e41668...@syzkaller.appspotmail.com
loop4: detected capacity change from 0 to 32768
==================================================================
BUG: KASAN: use-after-free in __ocfs2_find_path+0x1dc/0x6a8 fs/ocfs2/alloc.c:1817
Read of size 4 at addr ffff0000ea144000 by task syz.4.5/4133
CPU: 1 PID: 4133 Comm: syz.4.5 Not tainted 5.15.167-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Call trace:
dump_backtrace+0x0/0x530 arch/arm64/kernel/stacktrace.c:152
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
print_address_description+0x7c/0x3f0 mm/kasan/report.c:248
__kasan_report mm/kasan/report.c:434 [inline]
kasan_report+0x174/0x1e4 mm/kasan/report.c:451
__asan_report_load4_noabort+0x44/0x50 mm/kasan/report_generic.c:308
__ocfs2_find_path+0x1dc/0x6a8 fs/ocfs2/alloc.c:1817
ocfs2_find_leaf+0xd0/0x218 fs/ocfs2/alloc.c:1931
ocfs2_get_clusters_nocache+0x16c/0xa38 fs/ocfs2/extent_map.c:418
ocfs2_get_clusters+0x448/0x964 fs/ocfs2/extent_map.c:621
ocfs2_extent_map_get_blocks+0x1d8/0x650 fs/ocfs2/extent_map.c:668
ocfs2_read_virt_blocks+0x2bc/0x960 fs/ocfs2/extent_map.c:977
ocfs2_read_dir_block fs/ocfs2/dir.c:508 [inline]
ocfs2_find_entry_el fs/ocfs2/dir.c:715 [inline]
ocfs2_find_entry+0x3ac/0x2450 fs/ocfs2/dir.c:1080
ocfs2_find_files_on_disk+0x10c/0x3d0 fs/ocfs2/dir.c:1982
ocfs2_lookup_ino_from_name+0xb8/0x1d4 fs/ocfs2/dir.c:2004
_ocfs2_get_system_file_inode fs/ocfs2/sysfile.c:136 [inline]
ocfs2_get_system_file_inode+0x2c8/0x6b8 fs/ocfs2/sysfile.c:112
ocfs2_init_global_system_inodes+0x2bc/0x618 fs/ocfs2/super.c:458
ocfs2_initialize_super fs/ocfs2/super.c:2276 [inline]
ocfs2_fill_super+0x394c/0x498c fs/ocfs2/super.c:995
mount_bdev+0x274/0x370 fs/super.c:1398
ocfs2_mount+0x44/0x58 fs/ocfs2/super.c:1187
legacy_get_tree+0xd4/0x16c fs/fs_context.c:611
vfs_get_tree+0x90/0x274 fs/super.c:1528
do_new_mount+0x278/0x8fc fs/namespace.c:3005
path_mount+0x594/0x101c fs/namespace.c:3335
do_mount fs/namespace.c:3348 [inline]
__do_sys_mount fs/namespace.c:3556 [inline]
__se_sys_mount fs/namespace.c:3533 [inline]
__arm64_sys_mount+0x510/0x5e0 fs/namespace.c:3533
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:608
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:626
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
The buggy address belongs to the page:
page:000000007fabb8a9 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x12a144
flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000000000 fffffc0003a85148 ffff0001b41c7520 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff0000ea143f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff0000ea143f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff0000ea144000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff0000ea144080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff0000ea144100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
(syz.4.5,4133,1):ocfs2_read_blocks:240 ERROR: status = -12
(syz.4.5,4133,1):__ocfs2_find_path:1837 ERROR: status = -12
(syz.4.5,4133,1):ocfs2_find_leaf:1933 ERROR: status = -12
(syz.4.5,4133,1):ocfs2_get_clusters_nocache:421 ERROR: status = -12
(syz.4.5,4133,1):ocfs2_get_clusters:624 ERROR: status = -12
(syz.4.5,4133,1):ocfs2_extent_map_get_blocks:671 ERROR: status = -12
(syz.4.5,4133,1):ocfs2_read_virt_blocks:981 ERROR: status = -12
(syz.4.5,4133,1):ocfs2_read_dir_block:511 ERROR: status = -12
(syz.4.5,4133,1):ocfs2_init_global_system_inodes:462 ERROR: status = -22
(syz.4.5,4133,0):ocfs2_init_global_system_inodes:464 ERROR: Unable to load system inode 1, possibly corrupt fs?
(syz.4.5,4133,0):ocfs2_init_global_system_inodes:473 ERROR: status = -22
(syz.4.5,4133,0):ocfs2_initialize_super:2278 ERROR: status = -22
(syz.4.5,4133,0):ocfs2_fill_super:1177 ERROR: status = -22
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 3a5928702e71 Linux 5.15.167
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=16633307980000
kernel config: https://syzkaller.appspot.com/x/.config?x=171882977b524c53
dashboard link: https://syzkaller.appspot.com/bug?extid=e41668d5154370928317
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/22ee27cb312d/disk-3a592870.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/90bf6a3e3d20/vmlinux-3a592870.xz
kernel image: https://storage.googleapis.com/syzbot-assets/096dd2c73ac3/Image-3a592870.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e41668...@syzkaller.appspotmail.com
loop4: detected capacity change from 0 to 32768
==================================================================
BUG: KASAN: use-after-free in __ocfs2_find_path+0x1dc/0x6a8 fs/ocfs2/alloc.c:1817
Read of size 4 at addr ffff0000ea144000 by task syz.4.5/4133
CPU: 1 PID: 4133 Comm: syz.4.5 Not tainted 5.15.167-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Call trace:
dump_backtrace+0x0/0x530 arch/arm64/kernel/stacktrace.c:152
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
print_address_description+0x7c/0x3f0 mm/kasan/report.c:248
__kasan_report mm/kasan/report.c:434 [inline]
kasan_report+0x174/0x1e4 mm/kasan/report.c:451
__asan_report_load4_noabort+0x44/0x50 mm/kasan/report_generic.c:308
__ocfs2_find_path+0x1dc/0x6a8 fs/ocfs2/alloc.c:1817
ocfs2_find_leaf+0xd0/0x218 fs/ocfs2/alloc.c:1931
ocfs2_get_clusters_nocache+0x16c/0xa38 fs/ocfs2/extent_map.c:418
ocfs2_get_clusters+0x448/0x964 fs/ocfs2/extent_map.c:621
ocfs2_extent_map_get_blocks+0x1d8/0x650 fs/ocfs2/extent_map.c:668
ocfs2_read_virt_blocks+0x2bc/0x960 fs/ocfs2/extent_map.c:977
ocfs2_read_dir_block fs/ocfs2/dir.c:508 [inline]
ocfs2_find_entry_el fs/ocfs2/dir.c:715 [inline]
ocfs2_find_entry+0x3ac/0x2450 fs/ocfs2/dir.c:1080
ocfs2_find_files_on_disk+0x10c/0x3d0 fs/ocfs2/dir.c:1982
ocfs2_lookup_ino_from_name+0xb8/0x1d4 fs/ocfs2/dir.c:2004
_ocfs2_get_system_file_inode fs/ocfs2/sysfile.c:136 [inline]
ocfs2_get_system_file_inode+0x2c8/0x6b8 fs/ocfs2/sysfile.c:112
ocfs2_init_global_system_inodes+0x2bc/0x618 fs/ocfs2/super.c:458
ocfs2_initialize_super fs/ocfs2/super.c:2276 [inline]
ocfs2_fill_super+0x394c/0x498c fs/ocfs2/super.c:995
mount_bdev+0x274/0x370 fs/super.c:1398
ocfs2_mount+0x44/0x58 fs/ocfs2/super.c:1187
legacy_get_tree+0xd4/0x16c fs/fs_context.c:611
vfs_get_tree+0x90/0x274 fs/super.c:1528
do_new_mount+0x278/0x8fc fs/namespace.c:3005
path_mount+0x594/0x101c fs/namespace.c:3335
do_mount fs/namespace.c:3348 [inline]
__do_sys_mount fs/namespace.c:3556 [inline]
__se_sys_mount fs/namespace.c:3533 [inline]
__arm64_sys_mount+0x510/0x5e0 fs/namespace.c:3533
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:608
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:626
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
The buggy address belongs to the page:
page:000000007fabb8a9 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x12a144
flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000000000 fffffc0003a85148 ffff0001b41c7520 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff0000ea143f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff0000ea143f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff0000ea144000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff0000ea144080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff0000ea144100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
(syz.4.5,4133,1):ocfs2_read_blocks:240 ERROR: status = -12
(syz.4.5,4133,1):__ocfs2_find_path:1837 ERROR: status = -12
(syz.4.5,4133,1):ocfs2_find_leaf:1933 ERROR: status = -12
(syz.4.5,4133,1):ocfs2_get_clusters_nocache:421 ERROR: status = -12
(syz.4.5,4133,1):ocfs2_get_clusters:624 ERROR: status = -12
(syz.4.5,4133,1):ocfs2_extent_map_get_blocks:671 ERROR: status = -12
(syz.4.5,4133,1):ocfs2_read_virt_blocks:981 ERROR: status = -12
(syz.4.5,4133,1):ocfs2_read_dir_block:511 ERROR: status = -12
(syz.4.5,4133,1):ocfs2_init_global_system_inodes:462 ERROR: status = -22
(syz.4.5,4133,0):ocfs2_init_global_system_inodes:464 ERROR: Unable to load system inode 1, possibly corrupt fs?
(syz.4.5,4133,0):ocfs2_init_global_system_inodes:473 ERROR: status = -22
(syz.4.5,4133,0):ocfs2_initialize_super:2278 ERROR: status = -22
(syz.4.5,4133,0):ocfs2_fill_super:1177 ERROR: status = -22
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
Oct 5, 2024, 5:05:27 PM10/5/24
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:
HEAD commit: 3a5928702e71 Linux 5.15.167
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=11c8b380580000
kernel config: https://syzkaller.appspot.com/x/.config?x=4d3fd5cca89ae935
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15d0fbd0580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ef5025f3d708/disk-3a592870.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/776fbdad3aa8/vmlinux-3a592870.xz
kernel image: https://storage.googleapis.com/syzbot-assets/79541db5bd16/bzImage-3a592870.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/1141994422fb/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e41668...@syzkaller.appspotmail.com
loop0: detected capacity change from 0 to 32768
==================================================================
BUG: KASAN: use-after-free in __ocfs2_find_path+0x1ff/0x7e0 fs/ocfs2/alloc.c:1817
Read of size 4 at addr ffff888065aa7000 by task syz-executor423/3570
CPU: 0 PID: 3570 Comm: syz-executor423 Not tainted 5.15.167-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2d0 lib/dump_stack.c:106
print_address_description+0x63/0x3b0 mm/kasan/report.c:248
__kasan_report mm/kasan/report.c:434 [inline]
kasan_report+0x16b/0x1c0 mm/kasan/report.c:451
__ocfs2_find_path+0x1ff/0x7e0 fs/ocfs2/alloc.c:1817
ocfs2_find_leaf+0xcb/0x220 fs/ocfs2/alloc.c:1931
ocfs2_get_clusters_nocache+0x1a9/0xbe0 fs/ocfs2/extent_map.c:418
ocfs2_get_clusters+0x5b5/0xbc0 fs/ocfs2/extent_map.c:621
ocfs2_extent_map_get_blocks+0x248/0x7d0 fs/ocfs2/extent_map.c:668
ocfs2_read_virt_blocks+0x2ea/0xa10 fs/ocfs2/extent_map.c:977
ocfs2_find_files_on_disk+0xea/0x310 fs/ocfs2/dir.c:1982
ocfs2_lookup_ino_from_name+0xad/0x1e0 fs/ocfs2/dir.c:2004
_ocfs2_get_system_file_inode fs/ocfs2/sysfile.c:136 [inline]
ocfs2_get_system_file_inode+0x314/0x7b0 fs/ocfs2/sysfile.c:112
ocfs2_init_global_system_inodes+0x328/0x720 fs/ocfs2/super.c:458
ocfs2_initialize_super fs/ocfs2/super.c:2276 [inline]
ocfs2_fill_super+0x479e/0x58a0 fs/ocfs2/super.c:995
mount_bdev+0x2c9/0x3f0 fs/super.c:1398
legacy_get_tree+0xeb/0x180 fs/fs_context.c:611
vfs_get_tree+0x88/0x270 fs/super.c:1528
do_new_mount+0x2ba/0xb40 fs/namespace.c:3005
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7f1f9135743a
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 1e 09 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f1f91309088 EFLAGS: 00000282 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007f1f913090a0 RCX: 00007f1f9135743a
RDX: 0000000020004440 RSI: 0000000020000780 RDI: 00007f1f913090a0
RBP: 0000000000000004 R08: 00007f1f913090e0 R09: 0000000000004444
R10: 0000000001000000 R11: 0000000000000282 R12: 00007f1f913090e0
R13: 0000000001000000 R14: 0000000000000003 R15: 0000000001000000
</TASK>
The buggy address belongs to the page:
page:ffffea000196a9c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x65aa7
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea000196aa08 ffff8880b9040960 0000000000000000
page last allocated via order 0, migratetype Movable, gfp_mask 0x1100dca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO), pid 3570, ts 46687290697, free_ts 46789887949
prep_new_page mm/page_alloc.c:2426 [inline]
get_page_from_freelist+0x322a/0x33c0 mm/page_alloc.c:4159
__alloc_pages+0x272/0x700 mm/page_alloc.c:5423
alloc_pages_vma+0x39a/0x800 mm/mempolicy.c:2146
do_anonymous_page mm/memory.c:3808 [inline]
handle_pte_fault mm/memory.c:4618 [inline]
__handle_mm_fault mm/memory.c:4755 [inline]
handle_mm_fault+0x2f49/0x5960 mm/memory.c:4853
do_user_addr_fault arch/x86/mm/fault.c:1357 [inline]
handle_page_fault arch/x86/mm/fault.c:1445 [inline]
exc_page_fault+0x271/0x700 arch/x86/mm/fault.c:1501
asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:568
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1340 [inline]
free_pcp_prepare mm/page_alloc.c:1391 [inline]
free_unref_page_prepare+0xc34/0xcf0 mm/page_alloc.c:3317
free_unref_page_list+0x1f7/0x8e0 mm/page_alloc.c:3433
release_pages+0x1bb9/0x1f40 mm/swap.c:963
tlb_batch_pages_flush mm/mmu_gather.c:49 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:240 [inline]
tlb_flush_mmu mm/mmu_gather.c:247 [inline]
tlb_finish_mmu+0x177/0x320 mm/mmu_gather.c:338
unmap_region+0x304/0x350 mm/mmap.c:2668
__do_munmap+0x12db/0x1740 mm/mmap.c:2899
__vm_munmap+0x134/0x230 mm/mmap.c:2922
__do_sys_munmap mm/mmap.c:2948 [inline]
__se_sys_munmap mm/mmap.c:2944 [inline]
__x64_sys_munmap+0x67/0x70 mm/mmap.c:2944
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x66/0xd0
Memory state around the buggy address:
ffff888065aa6f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888065aa6f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888065aa7000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff888065aa7080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888065aa7100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
HEAD commit: 3a5928702e71 Linux 5.15.167
git tree: linux-5.15.y
kernel config: https://syzkaller.appspot.com/x/.config?x=4d3fd5cca89ae935
dashboard link: https://syzkaller.appspot.com/bug?extid=e41668d5154370928317
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12ac7d27980000
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15d0fbd0580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ef5025f3d708/disk-3a592870.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/776fbdad3aa8/vmlinux-3a592870.xz
kernel image: https://storage.googleapis.com/syzbot-assets/79541db5bd16/bzImage-3a592870.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/1141994422fb/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e41668...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in __ocfs2_find_path+0x1ff/0x7e0 fs/ocfs2/alloc.c:1817
Read of size 4 at addr ffff888065aa7000 by task syz-executor423/3570
CPU: 0 PID: 3570 Comm: syz-executor423 Not tainted 5.15.167-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2d0 lib/dump_stack.c:106
print_address_description+0x63/0x3b0 mm/kasan/report.c:248
__kasan_report mm/kasan/report.c:434 [inline]
kasan_report+0x16b/0x1c0 mm/kasan/report.c:451
__ocfs2_find_path+0x1ff/0x7e0 fs/ocfs2/alloc.c:1817
ocfs2_find_leaf+0xcb/0x220 fs/ocfs2/alloc.c:1931
ocfs2_get_clusters_nocache+0x1a9/0xbe0 fs/ocfs2/extent_map.c:418
ocfs2_get_clusters+0x5b5/0xbc0 fs/ocfs2/extent_map.c:621
ocfs2_extent_map_get_blocks+0x248/0x7d0 fs/ocfs2/extent_map.c:668
ocfs2_read_virt_blocks+0x2ea/0xa10 fs/ocfs2/extent_map.c:977
ocfs2_read_dir_block fs/ocfs2/dir.c:508 [inline]
ocfs2_find_entry_el fs/ocfs2/dir.c:715 [inline]
ocfs2_find_entry+0x437/0x26d0 fs/ocfs2/dir.c:1080
ocfs2_find_entry_el fs/ocfs2/dir.c:715 [inline]
ocfs2_find_files_on_disk+0xea/0x310 fs/ocfs2/dir.c:1982
ocfs2_lookup_ino_from_name+0xad/0x1e0 fs/ocfs2/dir.c:2004
_ocfs2_get_system_file_inode fs/ocfs2/sysfile.c:136 [inline]
ocfs2_get_system_file_inode+0x314/0x7b0 fs/ocfs2/sysfile.c:112
ocfs2_init_global_system_inodes+0x328/0x720 fs/ocfs2/super.c:458
ocfs2_initialize_super fs/ocfs2/super.c:2276 [inline]
ocfs2_fill_super+0x479e/0x58a0 fs/ocfs2/super.c:995
mount_bdev+0x2c9/0x3f0 fs/super.c:1398
legacy_get_tree+0xeb/0x180 fs/fs_context.c:611
vfs_get_tree+0x88/0x270 fs/super.c:1528
do_new_mount+0x2ba/0xb40 fs/namespace.c:3005
do_mount fs/namespace.c:3348 [inline]
__do_sys_mount fs/namespace.c:3556 [inline]
__se_sys_mount+0x2d5/0x3c0 fs/namespace.c:3533
__do_sys_mount fs/namespace.c:3556 [inline]
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7f1f9135743a
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 1e 09 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f1f91309088 EFLAGS: 00000282 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007f1f913090a0 RCX: 00007f1f9135743a
RDX: 0000000020004440 RSI: 0000000020000780 RDI: 00007f1f913090a0
RBP: 0000000000000004 R08: 00007f1f913090e0 R09: 0000000000004444
R10: 0000000001000000 R11: 0000000000000282 R12: 00007f1f913090e0
R13: 0000000001000000 R14: 0000000000000003 R15: 0000000001000000
</TASK>
The buggy address belongs to the page:
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea000196aa08 ffff8880b9040960 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page dumped because: kasan: bad access detected
page last allocated via order 0, migratetype Movable, gfp_mask 0x1100dca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO), pid 3570, ts 46687290697, free_ts 46789887949
prep_new_page mm/page_alloc.c:2426 [inline]
get_page_from_freelist+0x322a/0x33c0 mm/page_alloc.c:4159
__alloc_pages+0x272/0x700 mm/page_alloc.c:5423
alloc_pages_vma+0x39a/0x800 mm/mempolicy.c:2146
do_anonymous_page mm/memory.c:3808 [inline]
handle_pte_fault mm/memory.c:4618 [inline]
__handle_mm_fault mm/memory.c:4755 [inline]
handle_mm_fault+0x2f49/0x5960 mm/memory.c:4853
do_user_addr_fault arch/x86/mm/fault.c:1357 [inline]
handle_page_fault arch/x86/mm/fault.c:1445 [inline]
exc_page_fault+0x271/0x700 arch/x86/mm/fault.c:1501
asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:568
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1340 [inline]
free_pcp_prepare mm/page_alloc.c:1391 [inline]
free_unref_page_prepare+0xc34/0xcf0 mm/page_alloc.c:3317
free_unref_page_list+0x1f7/0x8e0 mm/page_alloc.c:3433
release_pages+0x1bb9/0x1f40 mm/swap.c:963
tlb_batch_pages_flush mm/mmu_gather.c:49 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:240 [inline]
tlb_flush_mmu mm/mmu_gather.c:247 [inline]
tlb_finish_mmu+0x177/0x320 mm/mmu_gather.c:338
unmap_region+0x304/0x350 mm/mmap.c:2668
__do_munmap+0x12db/0x1740 mm/mmap.c:2899
__vm_munmap+0x134/0x230 mm/mmap.c:2922
__do_sys_munmap mm/mmap.c:2948 [inline]
__se_sys_munmap mm/mmap.c:2944 [inline]
__x64_sys_munmap+0x67/0x70 mm/mmap.c:2944
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x66/0xd0
Memory state around the buggy address:
ffff888065aa6f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888065aa7000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff888065aa7080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888065aa7100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
syzbot
Oct 7, 2024, 3:25:30 AM10/7/24
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: aa4cd140bba5 Linux 6.1.112
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=13e8179f980000
kernel config: https://syzkaller.appspot.com/x/.config?x=33931c04473f8585
dashboard link: https://syzkaller.appspot.com/bug?extid=f8b0b16d348d536d9a6b
disk image: https://storage.googleapis.com/syzbot-assets/2a9778339706/disk-aa4cd140.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/b568a6da8a9b/vmlinux-aa4cd140.xz
kernel image: https://storage.googleapis.com/syzbot-assets/3c56af7eb2c4/bzImage-aa4cd140.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f8b0b1...@syzkaller.appspotmail.com
loop1: detected capacity change from 0 to 32768
CPU: 0 PID: 3757 Comm: syz.1.2 Not tainted 6.1.112-syzkaller #0
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x15f/0x4f0 mm/kasan/report.c:395
kasan_report+0x136/0x160 mm/kasan/report.c:495
ocfs2_find_files_on_disk+0x10d/0x3a0 fs/ocfs2/dir.c:1982
ocfs2_initialize_super fs/ocfs2/super.c:2250 [inline]
ocfs2_fill_super+0x2f82/0x5730 fs/ocfs2/super.c:994
mount_bdev+0x2c9/0x3f0 fs/super.c:1443
legacy_get_tree+0xeb/0x180 fs/fs_context.c:632
vfs_get_tree+0x88/0x270 fs/super.c:1573
do_new_mount+0x2ba/0xb40 fs/namespace.c:3051
do_mount fs/namespace.c:3394 [inline]
__do_sys_mount fs/namespace.c:3602 [inline]
__se_sys_mount+0x2d5/0x3c0 fs/namespace.c:3579
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f75e877f79a
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f75e9545e68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007f75e9545ef0 RCX: 00007f75e877f79a
RDX: 0000000020004440 RSI: 0000000020000780 RDI: 00007f75e9545eb0
RBP: 0000000020004440 R08: 00007f75e9545ef0 R09: 0000000001000000
R10: 0000000001000000 R11: 0000000000000246 R12: 0000000020000780
R13: 00007f75e9545eb0 R14: 000000000000444a R15: 00000000200005c0
</TASK>
The buggy address belongs to the physical page:
page:ffffea000158e400 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x56390
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea000158e448 ffff8880b8e411e0 0000000000000000
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x18d/0x1b0 mm/page_alloc.c:2517
prep_new_page mm/page_alloc.c:2524 [inline]
get_page_from_freelist+0x322e/0x33b0 mm/page_alloc.c:4290
__alloc_pages+0x28d/0x770 mm/page_alloc.c:5558
__folio_alloc+0xf/0x30 mm/page_alloc.c:5590
vma_alloc_folio+0x486/0x990 mm/mempolicy.c:2243
shmem_alloc_folio mm/shmem.c:1589 [inline]
shmem_alloc_and_acct_folio+0x5a8/0xd50 mm/shmem.c:1613
shmem_get_folio_gfp+0x13f0/0x3470 mm/shmem.c:1941
shmem_get_folio mm/shmem.c:2072 [inline]
shmem_write_begin+0x16e/0x4e0 mm/shmem.c:2559
generic_perform_write+0x2fc/0x5e0 mm/filemap.c:3817
__generic_file_write_iter+0x176/0x400 mm/filemap.c:3945
generic_file_write_iter+0xab/0x310 mm/filemap.c:3977
call_write_iter include/linux/fs.h:2265 [inline]
new_sync_write fs/read_write.c:491 [inline]
vfs_write+0x857/0xbc0 fs/read_write.c:584
ksys_write+0x19c/0x2c0 fs/read_write.c:637
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
free_pcp_prepare mm/page_alloc.c:1494 [inline]
free_unref_page_prepare+0xf63/0x1120 mm/page_alloc.c:3369
free_unref_page_list+0x663/0x900 mm/page_alloc.c:3510
release_pages+0x2836/0x2b40 mm/swap.c:1055
__pagevec_release+0x80/0xf0 mm/swap.c:1075
pagevec_release include/linux/pagevec.h:71 [inline]
folio_batch_release include/linux/pagevec.h:135 [inline]
shmem_undo_range+0x865/0x2390 mm/shmem.c:946
shmem_truncate_range mm/shmem.c:1062 [inline]
shmem_evict_inode+0x265/0xa60 mm/shmem.c:1171
evict+0x529/0x930 fs/inode.c:701
__dentry_kill+0x436/0x650 fs/dcache.c:611
dentry_kill+0xbb/0x290
dput+0xfb/0x1d0 fs/dcache.c:918
do_renameat2+0xded/0x1440 fs/namei.c:5031
__do_sys_rename fs/namei.c:5075 [inline]
__se_sys_rename fs/namei.c:5073 [inline]
__x64_sys_rename+0x82/0x90 fs/namei.c:5073
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
Memory state around the buggy address:
ffff88805638ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88805638ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888056390000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff888056390080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888056390100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
---
syzbot found the following issue on:
HEAD commit: aa4cd140bba5 Linux 6.1.112
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=13e8179f980000
kernel config: https://syzkaller.appspot.com/x/.config?x=33931c04473f8585
dashboard link: https://syzkaller.appspot.com/bug?extid=f8b0b16d348d536d9a6b
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/2a9778339706/disk-aa4cd140.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/b568a6da8a9b/vmlinux-aa4cd140.xz
kernel image: https://storage.googleapis.com/syzbot-assets/3c56af7eb2c4/bzImage-aa4cd140.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
loop1: detected capacity change from 0 to 32768
==================================================================
BUG: KASAN: use-after-free in __ocfs2_find_path+0x1ff/0x7e0 fs/ocfs2/alloc.c:1817
Read of size 4 at addr ffff888056390000 by task syz.1.2/3757
BUG: KASAN: use-after-free in __ocfs2_find_path+0x1ff/0x7e0 fs/ocfs2/alloc.c:1817
CPU: 0 PID: 3757 Comm: syz.1.2 Not tainted 6.1.112-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x15f/0x4f0 mm/kasan/report.c:395
kasan_report+0x136/0x160 mm/kasan/report.c:495
__ocfs2_find_path+0x1ff/0x7e0 fs/ocfs2/alloc.c:1817
ocfs2_find_leaf+0xcb/0x220 fs/ocfs2/alloc.c:1931
ocfs2_get_clusters_nocache+0x1a9/0xbe0 fs/ocfs2/extent_map.c:418
ocfs2_get_clusters+0x5b5/0xbc0 fs/ocfs2/extent_map.c:621
ocfs2_extent_map_get_blocks+0x248/0x7d0 fs/ocfs2/extent_map.c:668
ocfs2_read_virt_blocks+0x313/0xab0 fs/ocfs2/extent_map.c:977
ocfs2_find_leaf+0xcb/0x220 fs/ocfs2/alloc.c:1931
ocfs2_get_clusters_nocache+0x1a9/0xbe0 fs/ocfs2/extent_map.c:418
ocfs2_get_clusters+0x5b5/0xbc0 fs/ocfs2/extent_map.c:621
ocfs2_extent_map_get_blocks+0x248/0x7d0 fs/ocfs2/extent_map.c:668
ocfs2_read_dir_block fs/ocfs2/dir.c:508 [inline]
ocfs2_find_entry_el fs/ocfs2/dir.c:715 [inline]
ocfs2_find_entry+0x436/0x28c0 fs/ocfs2/dir.c:1080
ocfs2_find_entry_el fs/ocfs2/dir.c:715 [inline]
ocfs2_find_files_on_disk+0x10d/0x3a0 fs/ocfs2/dir.c:1982
ocfs2_lookup_ino_from_name+0xad/0x1e0 fs/ocfs2/dir.c:2004
_ocfs2_get_system_file_inode fs/ocfs2/sysfile.c:136 [inline]
ocfs2_get_system_file_inode+0x314/0x7b0 fs/ocfs2/sysfile.c:112
ocfs2_init_global_system_inodes+0x328/0x720 fs/ocfs2/super.c:457
_ocfs2_get_system_file_inode fs/ocfs2/sysfile.c:136 [inline]
ocfs2_get_system_file_inode+0x314/0x7b0 fs/ocfs2/sysfile.c:112
ocfs2_initialize_super fs/ocfs2/super.c:2250 [inline]
ocfs2_fill_super+0x2f82/0x5730 fs/ocfs2/super.c:994
mount_bdev+0x2c9/0x3f0 fs/super.c:1443
legacy_get_tree+0xeb/0x180 fs/fs_context.c:632
vfs_get_tree+0x88/0x270 fs/super.c:1573
do_new_mount+0x2ba/0xb40 fs/namespace.c:3051
do_mount fs/namespace.c:3394 [inline]
__do_sys_mount fs/namespace.c:3602 [inline]
__se_sys_mount+0x2d5/0x3c0 fs/namespace.c:3579
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f75e877f79a
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f75e9545e68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007f75e9545ef0 RCX: 00007f75e877f79a
RDX: 0000000020004440 RSI: 0000000020000780 RDI: 00007f75e9545eb0
RBP: 0000000020004440 R08: 00007f75e9545ef0 R09: 0000000001000000
R10: 0000000001000000 R11: 0000000000000246 R12: 0000000020000780
R13: 00007f75e9545eb0 R14: 000000000000444a R15: 00000000200005c0
</TASK>
The buggy address belongs to the physical page:
page:ffffea000158e400 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x56390
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea000158e448 ffff8880b8e411e0 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x140cca(GFP_HIGHUSER_MOVABLE|__GFP_COMP), pid 3714, tgid 3714 (udevd), ts 62711515275, free_ts 62718285998
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x18d/0x1b0 mm/page_alloc.c:2517
prep_new_page mm/page_alloc.c:2524 [inline]
get_page_from_freelist+0x322e/0x33b0 mm/page_alloc.c:4290
__alloc_pages+0x28d/0x770 mm/page_alloc.c:5558
__folio_alloc+0xf/0x30 mm/page_alloc.c:5590
vma_alloc_folio+0x486/0x990 mm/mempolicy.c:2243
shmem_alloc_folio mm/shmem.c:1589 [inline]
shmem_alloc_and_acct_folio+0x5a8/0xd50 mm/shmem.c:1613
shmem_get_folio_gfp+0x13f0/0x3470 mm/shmem.c:1941
shmem_get_folio mm/shmem.c:2072 [inline]
shmem_write_begin+0x16e/0x4e0 mm/shmem.c:2559
generic_perform_write+0x2fc/0x5e0 mm/filemap.c:3817
__generic_file_write_iter+0x176/0x400 mm/filemap.c:3945
generic_file_write_iter+0xab/0x310 mm/filemap.c:3977
call_write_iter include/linux/fs.h:2265 [inline]
new_sync_write fs/read_write.c:491 [inline]
vfs_write+0x857/0xbc0 fs/read_write.c:584
ksys_write+0x19c/0x2c0 fs/read_write.c:637
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1444 [inline]
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pcp_prepare mm/page_alloc.c:1494 [inline]
free_unref_page_prepare+0xf63/0x1120 mm/page_alloc.c:3369
free_unref_page_list+0x663/0x900 mm/page_alloc.c:3510
release_pages+0x2836/0x2b40 mm/swap.c:1055
__pagevec_release+0x80/0xf0 mm/swap.c:1075
pagevec_release include/linux/pagevec.h:71 [inline]
folio_batch_release include/linux/pagevec.h:135 [inline]
shmem_undo_range+0x865/0x2390 mm/shmem.c:946
shmem_truncate_range mm/shmem.c:1062 [inline]
shmem_evict_inode+0x265/0xa60 mm/shmem.c:1171
evict+0x529/0x930 fs/inode.c:701
__dentry_kill+0x436/0x650 fs/dcache.c:611
dentry_kill+0xbb/0x290
dput+0xfb/0x1d0 fs/dcache.c:918
do_renameat2+0xded/0x1440 fs/namei.c:5031
__do_sys_rename fs/namei.c:5075 [inline]
__se_sys_rename fs/namei.c:5073 [inline]
__x64_sys_rename+0x82/0x90 fs/namei.c:5073
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
Memory state around the buggy address:
ffff88805638ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888056390000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff888056390080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888056390100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
---
syzbot
Oct 7, 2024, 3:40:23 AM10/7/24
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:
HEAD commit: aa4cd140bba5 Linux 6.1.112
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=11394327980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13fd5b80580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/2a9778339706/disk-aa4cd140.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/b568a6da8a9b/vmlinux-aa4cd140.xz
kernel image: https://storage.googleapis.com/syzbot-assets/3c56af7eb2c4/bzImage-aa4cd140.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/a9534c7d876c/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f8b0b1...@syzkaller.appspotmail.com
loop0: detected capacity change from 0 to 32768
CPU: 0 PID: 3640 Comm: syz-executor259 Not tainted 6.1.112-syzkaller #0
RIP: 0033:0x7faa9d005e9a
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007faa9cfc0fd8 EFLAGS: 00000282 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007faa9cfc0ff0 RCX: 00007faa9d005e9a
RDX: 0000000020004440 RSI: 0000000020000780 RDI: 00007faa9cfc0ff0
RBP: 0000000000000004 R08: 00007faa9cfc1030 R09: 0000000000004444
R10: 0000000001000000 R11: 0000000000000282 R12: 00007faa9cfc1030
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea0001cac2c8 ffffea0002ff9108 0000000000000000
do_anonymous_page mm/memory.c:4189 [inline]
handle_pte_fault mm/memory.c:5027 [inline]
__handle_mm_fault mm/memory.c:5171 [inline]
handle_mm_fault+0x2e8e/0x5340 mm/memory.c:5292
do_user_addr_fault arch/x86/mm/fault.c:1340 [inline]
handle_page_fault arch/x86/mm/fault.c:1431 [inline]
exc_page_fault+0x26f/0x620 arch/x86/mm/fault.c:1487
asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:570
tlb_flush_mmu_free mm/mmu_gather.c:254 [inline]
tlb_flush_mmu+0xfc/0x210 mm/mmu_gather.c:261
tlb_finish_mmu+0xce/0x1f0 mm/mmu_gather.c:361
unmap_region+0x29f/0x2f0 mm/mmap.c:2332
do_mas_align_munmap+0xec8/0x15f0 mm/mmap.c:2582
do_mas_munmap+0x246/0x2b0 mm/mmap.c:2640
__vm_munmap+0x268/0x370 mm/mmap.c:2917
__do_sys_munmap mm/mmap.c:2942 [inline]
__se_sys_munmap mm/mmap.c:2939 [inline]
__x64_sys_munmap+0x5c/0x70 mm/mmap.c:2939
ffff88807f746f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88807f747000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88807f747080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88807f747100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
---
HEAD commit: aa4cd140bba5 Linux 6.1.112
git tree: linux-6.1.y
kernel config: https://syzkaller.appspot.com/x/.config?x=33931c04473f8585
dashboard link: https://syzkaller.appspot.com/bug?extid=f8b0b16d348d536d9a6b
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1184179f980000
dashboard link: https://syzkaller.appspot.com/bug?extid=f8b0b16d348d536d9a6b
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13fd5b80580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/2a9778339706/disk-aa4cd140.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/b568a6da8a9b/vmlinux-aa4cd140.xz
kernel image: https://storage.googleapis.com/syzbot-assets/3c56af7eb2c4/bzImage-aa4cd140.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f8b0b1...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in __ocfs2_find_path+0x1ff/0x7e0 fs/ocfs2/alloc.c:1817
Read of size 4 at addr ffff88807f747000 by task syz-executor259/3640
BUG: KASAN: use-after-free in __ocfs2_find_path+0x1ff/0x7e0 fs/ocfs2/alloc.c:1817
CPU: 0 PID: 3640 Comm: syz-executor259 Not tainted 6.1.112-syzkaller #0
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007faa9cfc0fd8 EFLAGS: 00000282 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007faa9cfc0ff0 RCX: 00007faa9d005e9a
RDX: 0000000020004440 RSI: 0000000020000780 RDI: 00007faa9cfc0ff0
RBP: 0000000000000004 R08: 00007faa9cfc1030 R09: 0000000000004444
R10: 0000000001000000 R11: 0000000000000282 R12: 00007faa9cfc1030
R13: 0000000001000000 R14: 0000000000000003 R15: 0000000001000000
</TASK>
The buggy address belongs to the physical page:
page:ffffea0001fdd1c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x7f747
The buggy address belongs to the physical page:
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea0001cac2c8 ffffea0002ff9108 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 3631, tgid 3631 (sshd), ts 53985253608, free_ts 53992703306
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x18d/0x1b0 mm/page_alloc.c:2517
prep_new_page mm/page_alloc.c:2524 [inline]
get_page_from_freelist+0x322e/0x33b0 mm/page_alloc.c:4290
__alloc_pages+0x28d/0x770 mm/page_alloc.c:5558
__folio_alloc+0xf/0x30 mm/page_alloc.c:5590
vma_alloc_folio+0x486/0x990 mm/mempolicy.c:2243
alloc_page_vma include/linux/gfp.h:284 [inline]
post_alloc_hook+0x18d/0x1b0 mm/page_alloc.c:2517
prep_new_page mm/page_alloc.c:2524 [inline]
get_page_from_freelist+0x322e/0x33b0 mm/page_alloc.c:4290
__alloc_pages+0x28d/0x770 mm/page_alloc.c:5558
__folio_alloc+0xf/0x30 mm/page_alloc.c:5590
vma_alloc_folio+0x486/0x990 mm/mempolicy.c:2243
do_anonymous_page mm/memory.c:4189 [inline]
handle_pte_fault mm/memory.c:5027 [inline]
__handle_mm_fault mm/memory.c:5171 [inline]
handle_mm_fault+0x2e8e/0x5340 mm/memory.c:5292
do_user_addr_fault arch/x86/mm/fault.c:1340 [inline]
handle_page_fault arch/x86/mm/fault.c:1431 [inline]
exc_page_fault+0x26f/0x620 arch/x86/mm/fault.c:1487
asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:570
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1444 [inline]
free_pcp_prepare mm/page_alloc.c:1494 [inline]
free_unref_page_prepare+0xf63/0x1120 mm/page_alloc.c:3369
free_unref_page_list+0x663/0x900 mm/page_alloc.c:3510
release_pages+0x2836/0x2b40 mm/swap.c:1055
tlb_batch_pages_flush mm/mmu_gather.c:59 [inline]
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1444 [inline]
free_pcp_prepare mm/page_alloc.c:1494 [inline]
free_unref_page_prepare+0xf63/0x1120 mm/page_alloc.c:3369
free_unref_page_list+0x663/0x900 mm/page_alloc.c:3510
release_pages+0x2836/0x2b40 mm/swap.c:1055
tlb_flush_mmu_free mm/mmu_gather.c:254 [inline]
tlb_flush_mmu+0xfc/0x210 mm/mmu_gather.c:261
tlb_finish_mmu+0xce/0x1f0 mm/mmu_gather.c:361
unmap_region+0x29f/0x2f0 mm/mmap.c:2332
do_mas_align_munmap+0xec8/0x15f0 mm/mmap.c:2582
do_mas_munmap+0x246/0x2b0 mm/mmap.c:2640
__vm_munmap+0x268/0x370 mm/mmap.c:2917
__do_sys_munmap mm/mmap.c:2942 [inline]
__se_sys_munmap mm/mmap.c:2939 [inline]
__x64_sys_munmap+0x5c/0x70 mm/mmap.c:2939
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
Memory state around the buggy address:
ffff88807f746f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
Memory state around the buggy address:
ffff88807f746f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88807f747000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88807f747080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88807f747100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
---
syzbot
May 2, 2025, 7:11:03 PM5/2/25
to syzkaller...@googlegroups.com
syzbot suspects this issue was fixed by commit:
commit 17c99ab3db2ba74096d36c69daa6e784e98fc0b8
Author: Vasiliy Kovalev <kov...@altlinux.org>
Date: Fri Feb 14 08:49:08 2025 +0000
ocfs2: validate l_tree_depth to avoid out-of-bounds access
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=12cb8b68580000
start commit: 3a5928702e71 Linux 5.15.167
git tree: linux-5.15.y
#syz fix: ocfs2: validate l_tree_depth to avoid out-of-bounds access
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
commit 17c99ab3db2ba74096d36c69daa6e784e98fc0b8
Author: Vasiliy Kovalev <kov...@altlinux.org>
Date: Fri Feb 14 08:49:08 2025 +0000
ocfs2: validate l_tree_depth to avoid out-of-bounds access
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=12cb8b68580000
start commit: 3a5928702e71 Linux 5.15.167
git tree: linux-5.15.y
kernel config: https://syzkaller.appspot.com/x/.config?x=4d3fd5cca89ae935
dashboard link: https://syzkaller.appspot.com/bug?extid=e41668d5154370928317
dashboard link: https://syzkaller.appspot.com/bug?extid=e41668d5154370928317
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12ac7d27980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15d0fbd0580000
If the result looks correct, please mark the issue as fixed by replying with:
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15d0fbd0580000
#syz fix: ocfs2: validate l_tree_depth to avoid out-of-bounds access
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot
May 12, 2025, 9:30:03 PM5/12/25
to syzkaller...@googlegroups.com
syzbot suspects this issue was fixed by commit:
commit 81aba693b129e82e11bb54f569504d943d018de9
Author: Lizhi Xu <lizh...@windriver.com>
Date: Mon Sep 2 02:36:35 2024 +0000
ocfs2: remove unreasonable unlock in ocfs2_read_blocks
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=129f2cd4580000
start commit: aa4cd140bba5 Linux 6.1.112
git tree: linux-6.1.y
kernel config: https://syzkaller.appspot.com/x/.config?x=33931c04473f8585
dashboard link: https://syzkaller.appspot.com/bug?extid=f8b0b16d348d536d9a6b
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14c35b80580000
dashboard link: https://syzkaller.appspot.com/bug?extid=f8b0b16d348d536d9a6b
If the result looks correct, please mark the issue as fixed by replying with:
#syz fix: ocfs2: remove unreasonable unlock in ocfs2_read_blocks
Reply all
Reply to author
Forward
0 new messages