[syzbot] [ocfs2?] KASAN: use-after-free Read in __ocfs2_flush_truncate_log


syzbot

Sep 28, 2024, 4:44:28 PM
to jl...@evilplan.org, jose...@linux.alibaba.com, linux-...@vger.kernel.org, ma...@fasheh.com, ocfs2...@lists.linux.dev, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: abf2050f51fd Merge tag 'media/v6.12-1' of git://git.kernel..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1603b107980000
kernel config: https://syzkaller.appspot.com/x/.config?x=bc30a30374b0753
dashboard link: https://syzkaller.appspot.com/bug?extid=4d55dad3a9e8e9f7d2b5
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1507aa27980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12d2c99f980000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7bc7510fe41f/non_bootable_disk-abf2050f.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/2179ebeade58/vmlinux-abf2050f.xz
kernel image: https://storage.googleapis.com/syzbot-assets/f05289b5cf7c/bzImage-abf2050f.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/fd7a8b92de34/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+4d55da...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in ocfs2_replay_truncate_records fs/ocfs2/alloc.c:5959 [inline]
BUG: KASAN: use-after-free in __ocfs2_flush_truncate_log+0x824/0x1250 fs/ocfs2/alloc.c:6054
Read of size 4 at addr ffff888045e6fac0 by task kworker/u4:3/41

CPU: 0 UID: 0 PID: 41 Comm: kworker/u4:3 Not tainted 6.11.0-syzkaller-09959-gabf2050f51fd #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: ocfs2_wq ocfs2_truncate_log_worker
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
ocfs2_replay_truncate_records fs/ocfs2/alloc.c:5959 [inline]
__ocfs2_flush_truncate_log+0x824/0x1250 fs/ocfs2/alloc.c:6054
ocfs2_flush_truncate_log fs/ocfs2/alloc.c:6076 [inline]
ocfs2_truncate_log_worker+0xa2/0x1b0 fs/ocfs2/alloc.c:6089
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x4d pfn:0x45e6f
flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
raw: 04fff00000000000 ffffea0001179b88 ffffea0001179c08 0000000000000000
raw: 000000000000004d 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x140cca(GFP_HIGHUSER_MOVABLE|__GFP_COMP), pid 5109, tgid 5109 (syz-executor412), ts 88738057363, free_ts 88913146991
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0x3045/0x3190 mm/page_alloc.c:3457
__alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4733
alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265
folio_alloc_mpol_noprof+0x36/0x50 mm/mempolicy.c:2283
shmem_alloc_folio mm/shmem.c:1774 [inline]
shmem_alloc_and_add_folio+0x49b/0x13d0 mm/shmem.c:1813
shmem_get_folio_gfp+0x5a9/0x20a0 mm/shmem.c:2335
shmem_get_folio mm/shmem.c:2441 [inline]
shmem_write_begin+0x17e/0x460 mm/shmem.c:3046
generic_perform_write+0x344/0x6d0 mm/filemap.c:4050
shmem_file_write_iter+0xf9/0x120 mm/shmem.c:3221
new_sync_write fs/read_write.c:590 [inline]
vfs_write+0xa6d/0xc90 fs/read_write.c:683
ksys_write+0x183/0x2b0 fs/read_write.c:736
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5109 tgid 5109 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1108 [inline]
free_unref_folios+0xf12/0x18d0 mm/page_alloc.c:2686
folios_put_refs+0x76c/0x860 mm/swap.c:1007
folio_batch_release include/linux/pagevec.h:101 [inline]
shmem_undo_range+0x64c/0x1cf0 mm/shmem.c:1032
shmem_truncate_range mm/shmem.c:1144 [inline]
shmem_evict_inode+0x29b/0xa80 mm/shmem.c:1272
evict+0x4e8/0x9b0 fs/inode.c:723
__dentry_kill+0x20d/0x630 fs/dcache.c:615
dput+0x19f/0x2b0 fs/dcache.c:857
__fput+0x5d2/0x880 fs/file_table.c:439
__do_sys_close fs/open.c:1565 [inline]
__se_sys_close fs/open.c:1550 [inline]
__x64_sys_close+0x7f/0x110 fs/open.c:1550
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
ffff888045e6f980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888045e6fa00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888045e6fa80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff888045e6fb00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888045e6fb80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite the report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Lizhi Xu

Sep 29, 2024, 12:48:07 AM
to syzbot+4d55da...@syzkaller.appspotmail.com, jl...@evilplan.org, jose...@linux.alibaba.com, linux-...@vger.kernel.org, ma...@fasheh.com, ocfs2...@lists.linux.dev, syzkall...@googlegroups.com
When the truncate log was initialized, it got a too-big tl_used in the truncate
log inode: tl_used is 64512 and tl_count is 39.

So, when the condition tl_used > tl_count holds, use the value of tl_count
for tl_used.

#syz test

diff --git a/fs/ocfs2/alloc.c b/fs/ocfs2/alloc.c
index ea9127ba3208..a309920fecd1 100644
--- a/fs/ocfs2/alloc.c
+++ b/fs/ocfs2/alloc.c
@@ -6326,6 +6326,25 @@ void ocfs2_truncate_log_shutdown(struct ocfs2_super *osb)
}
}

+void ocfs2_bh_valid(struct buffer_head *bh)
+{
+ struct ocfs2_dinode *di;
+ struct ocfs2_truncate_log *tl;
+
+ if (IS_ERR_OR_NULL(bh))
+ return;
+
+ di = (struct ocfs2_dinode *) bh->b_data;
+ tl = &di->id2.i_dealloc;
+
+ if (tl->tl_used > tl->tl_count) {
+ mlog(ML_NOTICE, "tl_used [%d] is greater than tl_count [%d], "
+ "set it to tl_count.\n", le16_to_cpu(tl->tl_used),
+ le16_to_cpu(tl->tl_count));
+ tl->tl_used = cpu_to_le16(tl->tl_count);
+ }
+}
+
int ocfs2_truncate_log_init(struct ocfs2_super *osb)
{
int status;
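Review bot: the comparison `if (tl->tl_used > tl->tl_count)` in ocfs2_bh_valid compares two on-disk `__le16` fields without byte-swapping, while the mlog() arguments two lines below do go through le16_to_cpu(); the check is only correct on little-endian hosts and sparse will flag the mixed use. Write it as `if (le16_to_cpu(tl->tl_used) > le16_to_cpu(tl->tl_count))`. The assignment `tl->tl_used = cpu_to_le16(tl->tl_count);` has the inverse problem: tl_count is already little-endian, so wrapping it in cpu_to_le16() converts it twice on big-endian; `tl->tl_used = tl->tl_count;` is what is meant. The helper is also non-static with no prototype, and its name reads like a predicate although it returns void and rewrites the buffer; make it `static` and name it for what it does (e.g. ocfs2_truncate_log_clamp_used, a suggested name). Lastly, silently clamping a corrupted tl_used (64512 against a tl_count of 39 in this report) at ML_NOTICE hides on-disk metadata corruption from the administrator; consider whether the inode should be treated as corrupt and the mount refused, or at least logged at error level.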
@@ -6339,6 +6358,8 @@ int ocfs2_truncate_log_init(struct ocfs2_super *osb)
if (status < 0)
mlog_errno(status);

+ ocfs2_bh_valid(tl_bh);
+
/* ocfs2_truncate_log_shutdown keys on the existence of
* osb->osb_tl_inode so we don't set any of the osb variables
* until we're sure all is well. */
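Review bot: `ocfs2_bh_valid(tl_bh);` is called unconditionally right after `if (status < 0) mlog_errno(status);`, which only logs and falls through, so the new call also runs on the error path and depends on the IS_ERR_OR_NULL() guard inside the callee to turn it into a no-op. Tie the call to the success path instead (`if (status == 0) ocfs2_bh_valid(tl_bh);`, or place it in the block below that assigns the osb fields once "all is well"), so the intent is visible at the call site and the helper's guard is not load-bearing. A one-line comment stating why tl_used is being clamped at init time would also help the next reader, since nothing in the hunk says where the oversized value comes from.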

syzbot

Sep 29, 2024, 1:09:06 AM
to jl...@evilplan.org, jose...@linux.alibaba.com, linux-...@vger.kernel.org, lizh...@windriver.com, ma...@fasheh.com, ocfs2...@lists.linux.dev, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+4d55da...@syzkaller.appspotmail.com
Tested-by: syzbot+4d55da...@syzkaller.appspotmail.com

Tested on:

commit: 3efc5736 Merge tag 'for-linus' of git://git.kernel.org..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12edfe27980000
kernel config: https://syzkaller.appspot.com/x/.config?x=7782ef71990b6dba
dashboard link: https://syzkaller.appspot.com/bug?extid=4d55dad3a9e8e9f7d2b5
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=12fb4d9f980000

Note: testing is done by a robot and is best-effort only.

syzbot

6:20 AM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: #syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 211ddde0823f1442e4ad052a2f30f050145ccada
Author: dman...@yandex.ru

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 211ddde0823f1442e4ad052a2f30f050145ccada

syzbot

6:23 AM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com