[v6.1] KASAN: use-after-free Read in ocfs2_get_next_id
4 views
Skip to first unread message
syzbot
Jan 12, 2025, 6:44:20 PM1/12/25
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: c63962be84ef Linux 6.1.124
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=14656bc4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=2f99ac2134f3ff64
dashboard link: https://syzkaller.appspot.com/bug?extid=a14aec508f735d7e36eb
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/7ce6b92b931c/disk-c63962be.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/edbb3cdca2c4/vmlinux-c63962be.xz
kernel image: https://storage.googleapis.com/syzbot-assets/728732ee05ab/Image-c63962be.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+a14aec...@syzkaller.appspotmail.com
ocfs2: Mounting device (7,7) on (node local, slot 0) with ordered data mode.
==================================================================
BUG: KASAN: use-after-free in ocfs2_lock_global_qf fs/ocfs2/quota_global.c:303 [inline]
BUG: KASAN: use-after-free in ocfs2_get_next_id+0x250/0x944 fs/ocfs2/quota_global.c:888
Read of size 8 at addr ffff00011020c028 by task syz.7.502/10186
CPU: 0 PID: 10186 Comm: syz.7.502 Not tainted 6.1.124-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call trace:
dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:316 [inline]
print_report+0x174/0x4c0 mm/kasan/report.c:427
kasan_report+0xd4/0x130 mm/kasan/report.c:531
__asan_report_load8_noabort+0x2c/0x38 mm/kasan/report_generic.c:351
ocfs2_lock_global_qf fs/ocfs2/quota_global.c:303 [inline]
ocfs2_get_next_id+0x250/0x944 fs/ocfs2/quota_global.c:888
dquot_get_next_dqblk+0x7c/0x348 fs/quota/dquot.c:2717
quota_getnextquota+0x264/0x650 fs/quota/quota.c:250
do_quotactl+0x52c/0x698 fs/quota/quota.c:800
__do_sys_quotactl fs/quota/quota.c:960 [inline]
__se_sys_quotactl fs/quota/quota.c:916 [inline]
__arm64_sys_quotactl+0x2d8/0x7a0 fs/quota/quota.c:916
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2bc arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
do_el0_svc+0x58/0x13c arch/arm64/kernel/syscall.c:204
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
Allocated by task 10186:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4c/0x80 mm/kasan/common.c:52
kasan_save_alloc_info+0x24/0x30 mm/kasan/generic.c:505
____kasan_kmalloc mm/kasan/common.c:374 [inline]
__kasan_kmalloc+0xac/0xc4 mm/kasan/common.c:383
kasan_kmalloc include/linux/kasan.h:211 [inline]
kmalloc_trace+0x7c/0x94 mm/slab_common.c:1031
kmalloc include/linux/slab.h:563 [inline]
ocfs2_local_read_info+0x1b8/0x15bc fs/ocfs2/quota_local.c:696
dquot_load_quota_sb+0x6f0/0xb1c fs/quota/dquot.c:2470
dquot_load_quota_inode+0x280/0x4f4 fs/quota/dquot.c:2507
ocfs2_enable_quotas+0x1d4/0x3cc fs/ocfs2/super.c:926
ocfs2_fill_super+0x3aa4/0x48c4 fs/ocfs2/super.c:1139
mount_bdev+0x274/0x370 fs/super.c:1443
ocfs2_mount+0x44/0x58 fs/ocfs2/super.c:1186
legacy_get_tree+0xd4/0x16c fs/fs_context.c:632
vfs_get_tree+0x90/0x274 fs/super.c:1573
do_new_mount+0x278/0x8fc fs/namespace.c:3056
path_mount+0x590/0xe5c fs/namespace.c:3386
do_mount fs/namespace.c:3399 [inline]
__do_sys_mount fs/namespace.c:3607 [inline]
__se_sys_mount fs/namespace.c:3584 [inline]
__arm64_sys_mount+0x45c/0x594 fs/namespace.c:3584
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2bc arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
do_el0_svc+0x58/0x13c arch/arm64/kernel/syscall.c:204
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
Freed by task 10186:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4c/0x80 mm/kasan/common.c:52
kasan_save_free_info+0x38/0x5c mm/kasan/generic.c:516
____kasan_slab_free+0x144/0x1c0 mm/kasan/common.c:236
__kasan_slab_free+0x18/0x28 mm/kasan/common.c:244
kasan_slab_free include/linux/kasan.h:177 [inline]
slab_free_hook mm/slub.c:1724 [inline]
slab_free_freelist_hook mm/slub.c:1750 [inline]
slab_free mm/slub.c:3661 [inline]
__kmem_cache_free+0x2c0/0x4b4 mm/slub.c:3674
kfree+0xcc/0x1b8 mm/slab_common.c:988
ocfs2_local_free_info+0x720/0x8a4 fs/ocfs2/quota_local.c:869
dquot_disable+0xebc/0x17c0 fs/quota/dquot.c:2316
dquot_suspend include/linux/quotaops.h:85 [inline]
ocfs2_susp_quotas+0x1f0/0x2d4 fs/ocfs2/super.c:892
ocfs2_remount+0x464/0x9cc fs/ocfs2/super.c:647
legacy_reconfigure+0xfc/0x114 fs/fs_context.c:655
reconfigure_super+0x318/0x7a4 fs/super.c:977
do_remount fs/namespace.c:2712 [inline]
path_mount+0xc70/0xe5c fs/namespace.c:3378
do_mount fs/namespace.c:3399 [inline]
__do_sys_mount fs/namespace.c:3607 [inline]
__se_sys_mount fs/namespace.c:3584 [inline]
__arm64_sys_mount+0x45c/0x594 fs/namespace.c:3584
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2bc arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
do_el0_svc+0x58/0x13c arch/arm64/kernel/syscall.c:204
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
Last potentially related work creation:
kasan_save_stack+0x40/0x70 mm/kasan/common.c:45
__kasan_record_aux_stack+0xcc/0xe8 mm/kasan/generic.c:486
kasan_record_aux_stack_noalloc+0x14/0x20 mm/kasan/generic.c:496
call_rcu+0xfc/0xa40 kernel/rcu/tree.c:2845
__qdisc_destroy+0x2b0/0x558 net/sched/sch_generic.c:1084
qdisc_put net/sched/sch_generic.c:1104 [inline]
dev_shutdown+0x360/0x480 net/sched/sch_generic.c:1492
unregister_netdevice_many+0x934/0x175c net/core/dev.c:10938
default_device_exit_batch+0x9f4/0xa70 net/core/dev.c:11460
ops_exit_list net/core/net_namespace.c:177 [inline]
cleanup_net+0x5dc/0xa18 net/core/net_namespace.c:621
process_one_work+0x7ac/0x1404 kernel/workqueue.c:2292
worker_thread+0x8e4/0xfec kernel/workqueue.c:2439
kthread+0x250/0x2d8 kernel/kthread.c:376
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:864
The buggy address belongs to the object at ffff00011020c000
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 40 bytes inside of
1024-byte region [ffff00011020c000, ffff00011020c400)
The buggy address belongs to the physical page:
page:0000000097b987fa refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x150208
head:0000000097b987fa order:3 compound_mapcount:0 compound_pincount:0
flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000010200 dead000000000100 dead000000000122 ffff0000c0002780
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff00011020bf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff00011020bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff00011020c000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff00011020c080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff00011020c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: c63962be84ef Linux 6.1.124
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=14656bc4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=2f99ac2134f3ff64
dashboard link: https://syzkaller.appspot.com/bug?extid=a14aec508f735d7e36eb
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/7ce6b92b931c/disk-c63962be.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/edbb3cdca2c4/vmlinux-c63962be.xz
kernel image: https://storage.googleapis.com/syzbot-assets/728732ee05ab/Image-c63962be.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+a14aec...@syzkaller.appspotmail.com
ocfs2: Mounting device (7,7) on (node local, slot 0) with ordered data mode.
==================================================================
BUG: KASAN: use-after-free in ocfs2_lock_global_qf fs/ocfs2/quota_global.c:303 [inline]
BUG: KASAN: use-after-free in ocfs2_get_next_id+0x250/0x944 fs/ocfs2/quota_global.c:888
Read of size 8 at addr ffff00011020c028 by task syz.7.502/10186
CPU: 0 PID: 10186 Comm: syz.7.502 Not tainted 6.1.124-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call trace:
dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:316 [inline]
print_report+0x174/0x4c0 mm/kasan/report.c:427
kasan_report+0xd4/0x130 mm/kasan/report.c:531
__asan_report_load8_noabort+0x2c/0x38 mm/kasan/report_generic.c:351
ocfs2_lock_global_qf fs/ocfs2/quota_global.c:303 [inline]
ocfs2_get_next_id+0x250/0x944 fs/ocfs2/quota_global.c:888
dquot_get_next_dqblk+0x7c/0x348 fs/quota/dquot.c:2717
quota_getnextquota+0x264/0x650 fs/quota/quota.c:250
do_quotactl+0x52c/0x698 fs/quota/quota.c:800
__do_sys_quotactl fs/quota/quota.c:960 [inline]
__se_sys_quotactl fs/quota/quota.c:916 [inline]
__arm64_sys_quotactl+0x2d8/0x7a0 fs/quota/quota.c:916
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2bc arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
do_el0_svc+0x58/0x13c arch/arm64/kernel/syscall.c:204
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
Allocated by task 10186:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4c/0x80 mm/kasan/common.c:52
kasan_save_alloc_info+0x24/0x30 mm/kasan/generic.c:505
____kasan_kmalloc mm/kasan/common.c:374 [inline]
__kasan_kmalloc+0xac/0xc4 mm/kasan/common.c:383
kasan_kmalloc include/linux/kasan.h:211 [inline]
kmalloc_trace+0x7c/0x94 mm/slab_common.c:1031
kmalloc include/linux/slab.h:563 [inline]
ocfs2_local_read_info+0x1b8/0x15bc fs/ocfs2/quota_local.c:696
dquot_load_quota_sb+0x6f0/0xb1c fs/quota/dquot.c:2470
dquot_load_quota_inode+0x280/0x4f4 fs/quota/dquot.c:2507
ocfs2_enable_quotas+0x1d4/0x3cc fs/ocfs2/super.c:926
ocfs2_fill_super+0x3aa4/0x48c4 fs/ocfs2/super.c:1139
mount_bdev+0x274/0x370 fs/super.c:1443
ocfs2_mount+0x44/0x58 fs/ocfs2/super.c:1186
legacy_get_tree+0xd4/0x16c fs/fs_context.c:632
vfs_get_tree+0x90/0x274 fs/super.c:1573
do_new_mount+0x278/0x8fc fs/namespace.c:3056
path_mount+0x590/0xe5c fs/namespace.c:3386
do_mount fs/namespace.c:3399 [inline]
__do_sys_mount fs/namespace.c:3607 [inline]
__se_sys_mount fs/namespace.c:3584 [inline]
__arm64_sys_mount+0x45c/0x594 fs/namespace.c:3584
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2bc arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
do_el0_svc+0x58/0x13c arch/arm64/kernel/syscall.c:204
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
Freed by task 10186:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4c/0x80 mm/kasan/common.c:52
kasan_save_free_info+0x38/0x5c mm/kasan/generic.c:516
____kasan_slab_free+0x144/0x1c0 mm/kasan/common.c:236
__kasan_slab_free+0x18/0x28 mm/kasan/common.c:244
kasan_slab_free include/linux/kasan.h:177 [inline]
slab_free_hook mm/slub.c:1724 [inline]
slab_free_freelist_hook mm/slub.c:1750 [inline]
slab_free mm/slub.c:3661 [inline]
__kmem_cache_free+0x2c0/0x4b4 mm/slub.c:3674
kfree+0xcc/0x1b8 mm/slab_common.c:988
ocfs2_local_free_info+0x720/0x8a4 fs/ocfs2/quota_local.c:869
dquot_disable+0xebc/0x17c0 fs/quota/dquot.c:2316
dquot_suspend include/linux/quotaops.h:85 [inline]
ocfs2_susp_quotas+0x1f0/0x2d4 fs/ocfs2/super.c:892
ocfs2_remount+0x464/0x9cc fs/ocfs2/super.c:647
legacy_reconfigure+0xfc/0x114 fs/fs_context.c:655
reconfigure_super+0x318/0x7a4 fs/super.c:977
do_remount fs/namespace.c:2712 [inline]
path_mount+0xc70/0xe5c fs/namespace.c:3378
do_mount fs/namespace.c:3399 [inline]
__do_sys_mount fs/namespace.c:3607 [inline]
__se_sys_mount fs/namespace.c:3584 [inline]
__arm64_sys_mount+0x45c/0x594 fs/namespace.c:3584
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2bc arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
do_el0_svc+0x58/0x13c arch/arm64/kernel/syscall.c:204
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
Last potentially related work creation:
kasan_save_stack+0x40/0x70 mm/kasan/common.c:45
__kasan_record_aux_stack+0xcc/0xe8 mm/kasan/generic.c:486
kasan_record_aux_stack_noalloc+0x14/0x20 mm/kasan/generic.c:496
call_rcu+0xfc/0xa40 kernel/rcu/tree.c:2845
__qdisc_destroy+0x2b0/0x558 net/sched/sch_generic.c:1084
qdisc_put net/sched/sch_generic.c:1104 [inline]
dev_shutdown+0x360/0x480 net/sched/sch_generic.c:1492
unregister_netdevice_many+0x934/0x175c net/core/dev.c:10938
default_device_exit_batch+0x9f4/0xa70 net/core/dev.c:11460
ops_exit_list net/core/net_namespace.c:177 [inline]
cleanup_net+0x5dc/0xa18 net/core/net_namespace.c:621
process_one_work+0x7ac/0x1404 kernel/workqueue.c:2292
worker_thread+0x8e4/0xfec kernel/workqueue.c:2439
kthread+0x250/0x2d8 kernel/kthread.c:376
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:864
The buggy address belongs to the object at ffff00011020c000
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 40 bytes inside of
1024-byte region [ffff00011020c000, ffff00011020c400)
The buggy address belongs to the physical page:
page:0000000097b987fa refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x150208
head:0000000097b987fa order:3 compound_mapcount:0 compound_pincount:0
flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000010200 dead000000000100 dead000000000122 ffff0000c0002780
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff00011020bf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff00011020bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff00011020c000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff00011020c080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff00011020c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
Jan 12, 2025, 6:53:22 PM1/12/25
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 4735586da88e Linux 5.15.176
syzbot found the following issue on:
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=175becb0580000
kernel config: https://syzkaller.appspot.com/x/.config?x=caf0c22a63c5c861
dashboard link: https://syzkaller.appspot.com/bug?extid=7bbc287dbb8308afda1e
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/3e7a2d136136/disk-4735586d.raw.xz
userspace arch: arm64
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
vmlinux: https://storage.googleapis.com/syzbot-assets/7597375cf469/vmlinux-4735586d.xz
kernel image: https://storage.googleapis.com/syzbot-assets/132474c9ad82/Image-4735586d.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
==================================================================
BUG: KASAN: use-after-free in ocfs2_lock_global_qf fs/ocfs2/quota_global.c:303 [inline]
Read of size 8 at addr ffff0000c7b14828 by task syz.2.286/4930
CPU: 0 PID: 4930 Comm: syz.2.286 Not tainted 5.15.176-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call trace:
dump_backtrace+0x0/0x530 arch/arm64/kernel/stacktrace.c:152
Call trace:
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
print_address_description+0x7c/0x3f0 mm/kasan/report.c:248
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
__kasan_report mm/kasan/report.c:434 [inline]
kasan_report+0x174/0x1e4 mm/kasan/report.c:451
__asan_report_load8_noabort+0x44/0x50 mm/kasan/report_generic.c:309
ocfs2_lock_global_qf fs/ocfs2/quota_global.c:303 [inline]
ocfs2_get_next_id+0x22c/0x8ac fs/ocfs2/quota_global.c:888
dquot_get_next_dqblk+0x7c/0x348 fs/quota/dquot.c:2710
quota_getnextquota+0x264/0x674 fs/quota/quota.c:249
do_quotactl+0x52c/0x698 fs/quota/quota.c:799
__do_sys_quotactl fs/quota/quota.c:959 [inline]
__se_sys_quotactl fs/quota/quota.c:915 [inline]
__arm64_sys_quotactl+0x2d8/0x7a4 fs/quota/quota.c:915
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:608
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:626
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
Allocated by task 4930:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:434 [inline]
____kasan_kmalloc+0xbc/0xfc mm/kasan/common.c:513
__kasan_kmalloc+0x10/0x1c mm/kasan/common.c:522
kasan_kmalloc include/linux/kasan.h:264 [inline]
kmem_cache_alloc_trace+0x27c/0x47c mm/slub.c:3247
kmalloc include/linux/slab.h:591 [inline]
ocfs2_local_read_info+0x1b8/0x15bc fs/ocfs2/quota_local.c:696
dquot_load_quota_sb+0x6f0/0xb1c fs/quota/dquot.c:2463
dquot_load_quota_inode+0x280/0x4f4 fs/quota/dquot.c:2500
ocfs2_enable_quotas+0x1d4/0x3cc fs/ocfs2/super.c:927
ocfs2_fill_super+0x37bc/0x4abc fs/ocfs2/super.c:1140
mount_bdev+0x274/0x370 fs/super.c:1400
ocfs2_mount+0x44/0x58 fs/ocfs2/super.c:1187
legacy_get_tree+0xd4/0x16c fs/fs_context.c:611
vfs_get_tree+0x90/0x274 fs/super.c:1530
do_new_mount+0x278/0x8fc fs/namespace.c:3012
path_mount+0x594/0x101c fs/namespace.c:3342
do_mount fs/namespace.c:3355 [inline]
__do_sys_mount fs/namespace.c:3563 [inline]
__se_sys_mount fs/namespace.c:3540 [inline]
__arm64_sys_mount+0x510/0x5e0 fs/namespace.c:3540
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:608
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:626
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
Freed by task 4930:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track+0x4c/0x84 mm/kasan/common.c:46
kasan_set_free_info+0x28/0x4c mm/kasan/generic.c:360
____kasan_slab_free+0x118/0x164 mm/kasan/common.c:366
__kasan_slab_free+0x18/0x28 mm/kasan/common.c:374
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:1705 [inline]
slab_free_freelist_hook+0x128/0x1ec mm/slub.c:1731
slab_free mm/slub.c:3499 [inline]
kfree+0x178/0x410 mm/slub.c:4559
ocfs2_local_free_info+0x720/0x8a4 fs/ocfs2/quota_local.c:869
dquot_disable+0xefc/0x1800 fs/quota/dquot.c:2309
dquot_suspend include/linux/quotaops.h:84 [inline]
ocfs2_susp_quotas+0x1f0/0x2d4 fs/ocfs2/super.c:893
ocfs2_remount+0x464/0x9cc fs/ocfs2/super.c:648
legacy_reconfigure+0xfc/0x114 fs/fs_context.c:634
reconfigure_super+0x1d0/0x6ec fs/super.c:938
do_remount fs/namespace.c:2668 [inline]
path_mount+0xbec/0x101c fs/namespace.c:3334
do_mount fs/namespace.c:3355 [inline]
__do_sys_mount fs/namespace.c:3563 [inline]
__se_sys_mount fs/namespace.c:3540 [inline]
__arm64_sys_mount+0x510/0x5e0 fs/namespace.c:3540
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:608
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:626
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
The buggy address belongs to the object at ffff0000c7b14800
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 40 bytes inside of
1024-byte region [ffff0000c7b14800, ffff0000c7b14c00)
The buggy address is located 40 bytes inside of
The buggy address belongs to the page:
page:00000000a9804054 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107b10
head:00000000a9804054 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000010200 fffffc0003a3d600 0000000600000006 ffff0000c0002780
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff0000c7b14700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
Memory state around the buggy address:
ffff0000c7b14780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff0000c7b14800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff0000c7b14880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff0000c7b14900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
syzbot
Jan 12, 2025, 7:05:23 PM1/12/25
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:
HEAD commit: c63962be84ef Linux 6.1.124
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=170d6bc4580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=129e8a18580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/7ce6b92b931c/disk-c63962be.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/edbb3cdca2c4/vmlinux-c63962be.xz
kernel image: https://storage.googleapis.com/syzbot-assets/728732ee05ab/Image-c63962be.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/d2861eefed7b/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+a14aec...@syzkaller.appspotmail.com
JBD2: Ignoring recovery information on journal
ocfs2: Mounting device (7,0) on (node local, slot 0) with ordered data mode.
CPU: 0 PID: 4290 Comm: syz-executor214 Not tainted 6.1.124-syzkaller #0
Allocated by task 4290:
Freed by task 4290:
The buggy address belongs to the object at ffff0000d0fc0000
The buggy address belongs to the physical page:
page:00000000264f5995 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x110fc0
head:00000000264f5995 order:3 compound_mapcount:0 compound_pincount:0
ffff0000d0fbff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff0000d0fc0000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff0000d0fc0080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff0000d0fc0100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
HEAD commit: c63962be84ef Linux 6.1.124
git tree: linux-6.1.y
kernel config: https://syzkaller.appspot.com/x/.config?x=2f99ac2134f3ff64
dashboard link: https://syzkaller.appspot.com/bug?extid=a14aec508f735d7e36eb
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1734b1df980000
dashboard link: https://syzkaller.appspot.com/bug?extid=a14aec508f735d7e36eb
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=129e8a18580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/7ce6b92b931c/disk-c63962be.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/edbb3cdca2c4/vmlinux-c63962be.xz
kernel image: https://storage.googleapis.com/syzbot-assets/728732ee05ab/Image-c63962be.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+a14aec...@syzkaller.appspotmail.com
ocfs2: Mounting device (7,0) on (node local, slot 0) with ordered data mode.
==================================================================
BUG: KASAN: use-after-free in ocfs2_lock_global_qf fs/ocfs2/quota_global.c:303 [inline]
BUG: KASAN: use-after-free in ocfs2_get_next_id+0x250/0x944 fs/ocfs2/quota_global.c:888
Read of size 8 at addr ffff0000d0fc0028 by task syz-executor214/4290
BUG: KASAN: use-after-free in ocfs2_lock_global_qf fs/ocfs2/quota_global.c:303 [inline]
BUG: KASAN: use-after-free in ocfs2_get_next_id+0x250/0x944 fs/ocfs2/quota_global.c:888
CPU: 0 PID: 4290 Comm: syz-executor214 Not tainted 6.1.124-syzkaller #0
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 40 bytes inside of
1024-byte region [ffff0000d0fc0000, ffff0000d0fc0400)
The buggy address is located 40 bytes inside of
The buggy address belongs to the physical page:
head:00000000264f5995 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000010200 fffffc00031bfa00 dead000000000002 ffff0000c0002780
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff0000d0fbff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff0000d0fbff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff0000d0fc0000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff0000d0fc0080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff0000d0fc0100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
syzbot
Jan 12, 2025, 7:12:23 PM1/12/25
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:
HEAD commit: 4735586da88e Linux 5.15.176
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=11f4b1df980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1227ecb0580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/3e7a2d136136/disk-4735586d.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/7597375cf469/vmlinux-4735586d.xz
kernel image: https://storage.googleapis.com/syzbot-assets/132474c9ad82/Image-4735586d.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/09795614bac3/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+7bbc28...@syzkaller.appspotmail.com
CPU: 1 PID: 4018 Comm: syz-executor221 Not tainted 5.15.176-syzkaller #0
Allocated by task 4018:
Freed by task 4018:
The buggy address belongs to the object at ffff0000da812000
head:00000000f3d2e6f3 order:3 compound_mapcount:0 compound_pincount:0
ffff0000da811f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff0000da812000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff0000da812080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff0000da812100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
HEAD commit: 4735586da88e Linux 5.15.176
git tree: linux-5.15.y
kernel config: https://syzkaller.appspot.com/x/.config?x=caf0c22a63c5c861
dashboard link: https://syzkaller.appspot.com/bug?extid=7bbc287dbb8308afda1e
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15de8a18580000
dashboard link: https://syzkaller.appspot.com/bug?extid=7bbc287dbb8308afda1e
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1227ecb0580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/3e7a2d136136/disk-4735586d.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/7597375cf469/vmlinux-4735586d.xz
kernel image: https://storage.googleapis.com/syzbot-assets/132474c9ad82/Image-4735586d.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+7bbc28...@syzkaller.appspotmail.com
JBD2: Ignoring recovery information on journal
ocfs2: Mounting device (7,0) on (node local, slot 0) with ordered data mode.
ocfs2: Mounting device (7,0) on (node local, slot 0) with ordered data mode.
==================================================================
BUG: KASAN: use-after-free in ocfs2_lock_global_qf fs/ocfs2/quota_global.c:303 [inline]
BUG: KASAN: use-after-free in ocfs2_get_next_id+0x22c/0x8ac fs/ocfs2/quota_global.c:888
Read of size 8 at addr ffff0000da812028 by task syz-executor221/4018
BUG: KASAN: use-after-free in ocfs2_lock_global_qf fs/ocfs2/quota_global.c:303 [inline]
BUG: KASAN: use-after-free in ocfs2_get_next_id+0x22c/0x8ac fs/ocfs2/quota_global.c:888
CPU: 1 PID: 4018 Comm: syz-executor221 Not tainted 5.15.176-syzkaller #0
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 40 bytes inside of
1024-byte region [ffff0000da812000, ffff0000da812400)
The buggy address is located 40 bytes inside of
The buggy address belongs to the page:
page:00000000f3d2e6f3 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11a810
head:00000000f3d2e6f3 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000010200 fffffc0003426e00 0000000200000002 ffff0000c0002780
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff0000da811f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff0000da811f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff0000da812000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff0000da812080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff0000da812100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
syzbot
Feb 14, 2025, 5:50:03 PM2/14/25
to syzkaller...@googlegroups.com
syzbot suspects this issue was fixed by commit:
commit 2d431192486367eee03cc28d0b53b97dafcb8e63
Author: Dennis Lam <dennis....@gmail.com>
Date: Wed Dec 18 02:39:25 2024 +0000
ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=143e19a4580000
start commit: c63962be84ef Linux 6.1.124
git tree: linux-6.1.y
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1596b1df980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1186bef8580000
If the result looks correct, please mark the issue as fixed by replying with:
#syz fix: ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
commit 2d431192486367eee03cc28d0b53b97dafcb8e63
Author: Dennis Lam <dennis....@gmail.com>
Date: Wed Dec 18 02:39:25 2024 +0000
ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=143e19a4580000
start commit: c63962be84ef Linux 6.1.124
git tree: linux-6.1.y
kernel config: https://syzkaller.appspot.com/x/.config?x=2f99ac2134f3ff64
dashboard link: https://syzkaller.appspot.com/bug?extid=a14aec508f735d7e36eb
userspace arch: arm64
dashboard link: https://syzkaller.appspot.com/bug?extid=a14aec508f735d7e36eb
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1596b1df980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1186bef8580000
If the result looks correct, please mark the issue as fixed by replying with:
#syz fix: ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot
Apr 25, 2025, 8:04:17 PM4/25/25
to syzkaller...@googlegroups.com
Auto-closing this bug as obsolete.
No recent activity, existing reproducers are no longer triggering the issue.
No recent activity, existing reproducers are no longer triggering the issue.
Reply all
Reply to author
Forward
0 new messages