[syzbot] [f2fs?] KASAN: use-after-free Write in __attach_extent_node
16 views
Skip to first unread message
syzbot
Jan 31, 2023, 10:24:41 AM1/31/23
to ch...@kernel.org, jae...@kernel.org, linux-f2...@lists.sourceforge.net, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 7c46948a6e9c Merge tag 'fs.fuse.acl.v6.2-rc6' of git://git..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13f04ecd480000
kernel config: https://syzkaller.appspot.com/x/.config?x=c8d5c2ee6c2bd4b8
dashboard link: https://syzkaller.appspot.com/bug?extid=a6054f41d1cf28996a7d
compiler: Debian clang version 13.0.1-6~deb11u1, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15d846f5480000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=177f1649480000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/cc51645b6401/disk-7c46948a.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/be036b5604a3/vmlinux-7c46948a.xz
kernel image: https://storage.googleapis.com/syzbot-assets/274f5abf2c8f/bzImage-7c46948a.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/f8e3282fa048/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+a6054f...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in rb_link_node include/linux/rbtree.h:65 [inline]
BUG: KASAN: use-after-free in __attach_extent_node+0x23d/0x480 fs/f2fs/extent_cache.c:372
Write of size 8 at addr ffff8880714514e8 by task syz-executor122/5273
CPU: 1 PID: 5273 Comm: syz-executor122 Not tainted 6.2.0-rc5-syzkaller-00047-g7c46948a6e9c #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1b1/0x290 lib/dump_stack.c:106
print_address_description+0x74/0x340 mm/kasan/report.c:306
print_report+0x107/0x1f0 mm/kasan/report.c:417
kasan_report+0xcd/0x100 mm/kasan/report.c:517
rb_link_node include/linux/rbtree.h:65 [inline]
__attach_extent_node+0x23d/0x480 fs/f2fs/extent_cache.c:372
__insert_extent_tree+0x25b/0x580 fs/f2fs/extent_cache.c:655
__update_extent_tree_range+0x15cf/0x1e00 fs/f2fs/extent_cache.c:795
__update_extent_cache fs/f2fs/extent_cache.c:962 [inline]
f2fs_update_read_extent_cache+0x410/0x580 fs/f2fs/extent_cache.c:1052
f2fs_outplace_write_data+0x1e2/0x380 fs/f2fs/segment.c:3453
f2fs_do_write_data_page+0x122d/0x2570 fs/f2fs/data.c:2745
f2fs_write_single_data_page+0x1162/0x1c90 fs/f2fs/data.c:2863
f2fs_write_cache_pages+0xf6e/0x2330 fs/f2fs/data.c:3115
__f2fs_write_data_pages fs/f2fs/data.c:3265 [inline]
f2fs_write_data_pages+0x7d2/0xc30 fs/f2fs/data.c:3292
do_writepages+0x3c3/0x680 mm/page-writeback.c:2581
filemap_fdatawrite_wbc+0x11e/0x170 mm/filemap.c:388
__filemap_fdatawrite_range mm/filemap.c:421 [inline]
file_write_and_wait_range+0x219/0x320 mm/filemap.c:777
f2fs_do_sync_file+0x611/0x19f0 fs/f2fs/file.c:275
generic_write_sync include/linux/fs.h:2885 [inline]
f2fs_file_write_iter+0x659/0x2400 fs/f2fs/file.c:4721
call_write_iter include/linux/fs.h:2189 [inline]
new_sync_write fs/read_write.c:491 [inline]
vfs_write+0x7dc/0xc50 fs/read_write.c:584
ksys_write+0x177/0x2a0 fs/read_write.c:637
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fbe7cc4e4a9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 d1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fbe7cbf12f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007fbe7ccd1780 RCX: 00007fbe7cc4e4a9
RDX: 00000000000ffe00 RSI: 0000000020004200 RDI: 0000000000000004
RBP: 00007fbe7cc9daec R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 6974797a616c6f6e
R13: 00007fbe7cc9d8e8 R14: 0030656c69662f2e R15: 00007fbe7ccd1788
</TASK>
Allocated by task 5273:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x3d/0x60 mm/kasan/common.c:52
__kasan_slab_alloc+0x65/0x70 mm/kasan/common.c:325
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slab.h:761 [inline]
slab_alloc_node mm/slub.c:3452 [inline]
slab_alloc mm/slub.c:3460 [inline]
__kmem_cache_alloc_lru mm/slub.c:3467 [inline]
kmem_cache_alloc+0x1b3/0x350 mm/slub.c:3476
f2fs_kmem_cache_alloc_nofail fs/f2fs/f2fs.h:2796 [inline]
f2fs_kmem_cache_alloc fs/f2fs/f2fs.h:2806 [inline]
__grab_extent_tree+0x19b/0x420 fs/f2fs/extent_cache.c:423
f2fs_init_extent_tree+0x20c/0x450 fs/f2fs/extent_cache.c:533
f2fs_new_inode+0xd89/0x1060 fs/f2fs/namei.c:312
__f2fs_tmpfile+0xa5/0x380 fs/f2fs/namei.c:852
f2fs_ioc_start_atomic_write+0x3ec/0x970 fs/f2fs/file.c:2098
__f2fs_ioctl+0x137d/0xb540
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl+0xfb/0x170 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Freed by task 5278:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x3d/0x60 mm/kasan/common.c:52
kasan_save_free_info+0x27/0x40 mm/kasan/generic.c:518
____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236
kasan_slab_free include/linux/kasan.h:177 [inline]
slab_free_hook mm/slub.c:1781 [inline]
slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1807
slab_free mm/slub.c:3787 [inline]
kmem_cache_free+0x94/0x1d0 mm/slub.c:3809
__destroy_extent_tree+0x6fa/0x880 fs/f2fs/extent_cache.c:1193
f2fs_destroy_extent_tree+0x13/0x20 fs/f2fs/extent_cache.c:1204
f2fs_evict_inode+0x324/0x1310 fs/f2fs/inode.c:789
evict+0x2a4/0x620 fs/inode.c:664
f2fs_abort_atomic_write+0xc7/0x410 fs/f2fs/segment.c:196
f2fs_ioc_abort_atomic_write fs/f2fs/file.c:2182 [inline]
__f2fs_ioctl+0x3294/0xb540 fs/f2fs/file.c:4156
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl+0xfb/0x170 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The buggy address belongs to the object at ffff8880714514e0
which belongs to the cache f2fs_extent_tree of size 144
The buggy address is located 8 bytes inside of
144-byte region [ffff8880714514e0, ffff888071451570)
The buggy address belongs to the physical page:
page:ffffea0001c51440 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x71451
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffff88814662c8c0 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080130013 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Reclaimable, gfp_mask 0x112c50(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 5255, tgid 5254 (syz-executor122), ts 207313154622, free_ts 199367221676
prep_new_page mm/page_alloc.c:2531 [inline]
get_page_from_freelist+0x742/0x7c0 mm/page_alloc.c:4283
__alloc_pages+0x259/0x560 mm/page_alloc.c:5549
alloc_slab_page+0xbd/0x190 mm/slub.c:1851
allocate_slab+0x5e/0x3c0 mm/slub.c:1998
new_slab mm/slub.c:2051 [inline]
___slab_alloc+0x782/0xe20 mm/slub.c:3193
__slab_alloc mm/slub.c:3292 [inline]
__slab_alloc_node mm/slub.c:3345 [inline]
slab_alloc_node mm/slub.c:3442 [inline]
slab_alloc mm/slub.c:3460 [inline]
__kmem_cache_alloc_lru mm/slub.c:3467 [inline]
kmem_cache_alloc+0x268/0x350 mm/slub.c:3476
f2fs_kmem_cache_alloc_nofail fs/f2fs/f2fs.h:2796 [inline]
f2fs_kmem_cache_alloc fs/f2fs/f2fs.h:2806 [inline]
__grab_extent_tree+0x19b/0x420 fs/f2fs/extent_cache.c:423
f2fs_init_extent_tree+0x20c/0x450 fs/f2fs/extent_cache.c:533
f2fs_new_inode+0xd89/0x1060 fs/f2fs/namei.c:312
__f2fs_tmpfile+0xa5/0x380 fs/f2fs/namei.c:852
f2fs_ioc_start_atomic_write+0x3ec/0x970 fs/f2fs/file.c:2098
__f2fs_ioctl+0x137d/0xb540
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl+0xfb/0x170 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1446 [inline]
free_pcp_prepare+0x751/0x780 mm/page_alloc.c:1496
free_unref_page_prepare mm/page_alloc.c:3369 [inline]
free_unref_page_list+0xb2/0x830 mm/page_alloc.c:3510
release_pages+0x233e/0x25e0 mm/swap.c:1076
__pagevec_release+0x7d/0xf0 mm/swap.c:1096
pagevec_release include/linux/pagevec.h:71 [inline]
folio_batch_release include/linux/pagevec.h:135 [inline]
shmem_undo_range+0x6d0/0x1fe0 mm/shmem.c:947
shmem_truncate_range mm/shmem.c:1042 [inline]
shmem_evict_inode+0x276/0xa10 mm/shmem.c:1151
evict+0x2a4/0x620 fs/inode.c:664
__dentry_kill+0x3b1/0x5b0 fs/dcache.c:607
dentry_kill+0xbb/0x290
dput+0x1f3/0x410 fs/dcache.c:913
__fput+0x5e4/0x880 fs/file_table.c:328
task_work_run+0x243/0x300 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0x124/0x150 kernel/entry/common.c:171
exit_to_user_mode_prepare+0xb2/0x140 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:296
do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86
Memory state around the buggy address:
ffff888071451380: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
ffff888071451400: fc fc 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888071451480: 00 00 00 00 fc fc fc fc fc fc fc fc fa fb fb fb
^
ffff888071451500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
ffff888071451580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following issue on:
HEAD commit: 7c46948a6e9c Merge tag 'fs.fuse.acl.v6.2-rc6' of git://git..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13f04ecd480000
kernel config: https://syzkaller.appspot.com/x/.config?x=c8d5c2ee6c2bd4b8
dashboard link: https://syzkaller.appspot.com/bug?extid=a6054f41d1cf28996a7d
compiler: Debian clang version 13.0.1-6~deb11u1, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15d846f5480000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=177f1649480000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/cc51645b6401/disk-7c46948a.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/be036b5604a3/vmlinux-7c46948a.xz
kernel image: https://storage.googleapis.com/syzbot-assets/274f5abf2c8f/bzImage-7c46948a.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/f8e3282fa048/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+a6054f...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in rb_link_node include/linux/rbtree.h:65 [inline]
BUG: KASAN: use-after-free in __attach_extent_node+0x23d/0x480 fs/f2fs/extent_cache.c:372
Write of size 8 at addr ffff8880714514e8 by task syz-executor122/5273
CPU: 1 PID: 5273 Comm: syz-executor122 Not tainted 6.2.0-rc5-syzkaller-00047-g7c46948a6e9c #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1b1/0x290 lib/dump_stack.c:106
print_address_description+0x74/0x340 mm/kasan/report.c:306
print_report+0x107/0x1f0 mm/kasan/report.c:417
kasan_report+0xcd/0x100 mm/kasan/report.c:517
rb_link_node include/linux/rbtree.h:65 [inline]
__attach_extent_node+0x23d/0x480 fs/f2fs/extent_cache.c:372
__insert_extent_tree+0x25b/0x580 fs/f2fs/extent_cache.c:655
__update_extent_tree_range+0x15cf/0x1e00 fs/f2fs/extent_cache.c:795
__update_extent_cache fs/f2fs/extent_cache.c:962 [inline]
f2fs_update_read_extent_cache+0x410/0x580 fs/f2fs/extent_cache.c:1052
f2fs_outplace_write_data+0x1e2/0x380 fs/f2fs/segment.c:3453
f2fs_do_write_data_page+0x122d/0x2570 fs/f2fs/data.c:2745
f2fs_write_single_data_page+0x1162/0x1c90 fs/f2fs/data.c:2863
f2fs_write_cache_pages+0xf6e/0x2330 fs/f2fs/data.c:3115
__f2fs_write_data_pages fs/f2fs/data.c:3265 [inline]
f2fs_write_data_pages+0x7d2/0xc30 fs/f2fs/data.c:3292
do_writepages+0x3c3/0x680 mm/page-writeback.c:2581
filemap_fdatawrite_wbc+0x11e/0x170 mm/filemap.c:388
__filemap_fdatawrite_range mm/filemap.c:421 [inline]
file_write_and_wait_range+0x219/0x320 mm/filemap.c:777
f2fs_do_sync_file+0x611/0x19f0 fs/f2fs/file.c:275
generic_write_sync include/linux/fs.h:2885 [inline]
f2fs_file_write_iter+0x659/0x2400 fs/f2fs/file.c:4721
call_write_iter include/linux/fs.h:2189 [inline]
new_sync_write fs/read_write.c:491 [inline]
vfs_write+0x7dc/0xc50 fs/read_write.c:584
ksys_write+0x177/0x2a0 fs/read_write.c:637
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fbe7cc4e4a9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 d1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fbe7cbf12f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007fbe7ccd1780 RCX: 00007fbe7cc4e4a9
RDX: 00000000000ffe00 RSI: 0000000020004200 RDI: 0000000000000004
RBP: 00007fbe7cc9daec R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 6974797a616c6f6e
R13: 00007fbe7cc9d8e8 R14: 0030656c69662f2e R15: 00007fbe7ccd1788
</TASK>
Allocated by task 5273:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x3d/0x60 mm/kasan/common.c:52
__kasan_slab_alloc+0x65/0x70 mm/kasan/common.c:325
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slab.h:761 [inline]
slab_alloc_node mm/slub.c:3452 [inline]
slab_alloc mm/slub.c:3460 [inline]
__kmem_cache_alloc_lru mm/slub.c:3467 [inline]
kmem_cache_alloc+0x1b3/0x350 mm/slub.c:3476
f2fs_kmem_cache_alloc_nofail fs/f2fs/f2fs.h:2796 [inline]
f2fs_kmem_cache_alloc fs/f2fs/f2fs.h:2806 [inline]
__grab_extent_tree+0x19b/0x420 fs/f2fs/extent_cache.c:423
f2fs_init_extent_tree+0x20c/0x450 fs/f2fs/extent_cache.c:533
f2fs_new_inode+0xd89/0x1060 fs/f2fs/namei.c:312
__f2fs_tmpfile+0xa5/0x380 fs/f2fs/namei.c:852
f2fs_ioc_start_atomic_write+0x3ec/0x970 fs/f2fs/file.c:2098
__f2fs_ioctl+0x137d/0xb540
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl+0xfb/0x170 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Freed by task 5278:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x3d/0x60 mm/kasan/common.c:52
kasan_save_free_info+0x27/0x40 mm/kasan/generic.c:518
____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236
kasan_slab_free include/linux/kasan.h:177 [inline]
slab_free_hook mm/slub.c:1781 [inline]
slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1807
slab_free mm/slub.c:3787 [inline]
kmem_cache_free+0x94/0x1d0 mm/slub.c:3809
__destroy_extent_tree+0x6fa/0x880 fs/f2fs/extent_cache.c:1193
f2fs_destroy_extent_tree+0x13/0x20 fs/f2fs/extent_cache.c:1204
f2fs_evict_inode+0x324/0x1310 fs/f2fs/inode.c:789
evict+0x2a4/0x620 fs/inode.c:664
f2fs_abort_atomic_write+0xc7/0x410 fs/f2fs/segment.c:196
f2fs_ioc_abort_atomic_write fs/f2fs/file.c:2182 [inline]
__f2fs_ioctl+0x3294/0xb540 fs/f2fs/file.c:4156
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl+0xfb/0x170 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The buggy address belongs to the object at ffff8880714514e0
which belongs to the cache f2fs_extent_tree of size 144
The buggy address is located 8 bytes inside of
144-byte region [ffff8880714514e0, ffff888071451570)
The buggy address belongs to the physical page:
page:ffffea0001c51440 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x71451
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffff88814662c8c0 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080130013 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Reclaimable, gfp_mask 0x112c50(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 5255, tgid 5254 (syz-executor122), ts 207313154622, free_ts 199367221676
prep_new_page mm/page_alloc.c:2531 [inline]
get_page_from_freelist+0x742/0x7c0 mm/page_alloc.c:4283
__alloc_pages+0x259/0x560 mm/page_alloc.c:5549
alloc_slab_page+0xbd/0x190 mm/slub.c:1851
allocate_slab+0x5e/0x3c0 mm/slub.c:1998
new_slab mm/slub.c:2051 [inline]
___slab_alloc+0x782/0xe20 mm/slub.c:3193
__slab_alloc mm/slub.c:3292 [inline]
__slab_alloc_node mm/slub.c:3345 [inline]
slab_alloc_node mm/slub.c:3442 [inline]
slab_alloc mm/slub.c:3460 [inline]
__kmem_cache_alloc_lru mm/slub.c:3467 [inline]
kmem_cache_alloc+0x268/0x350 mm/slub.c:3476
f2fs_kmem_cache_alloc_nofail fs/f2fs/f2fs.h:2796 [inline]
f2fs_kmem_cache_alloc fs/f2fs/f2fs.h:2806 [inline]
__grab_extent_tree+0x19b/0x420 fs/f2fs/extent_cache.c:423
f2fs_init_extent_tree+0x20c/0x450 fs/f2fs/extent_cache.c:533
f2fs_new_inode+0xd89/0x1060 fs/f2fs/namei.c:312
__f2fs_tmpfile+0xa5/0x380 fs/f2fs/namei.c:852
f2fs_ioc_start_atomic_write+0x3ec/0x970 fs/f2fs/file.c:2098
__f2fs_ioctl+0x137d/0xb540
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl+0xfb/0x170 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1446 [inline]
free_pcp_prepare+0x751/0x780 mm/page_alloc.c:1496
free_unref_page_prepare mm/page_alloc.c:3369 [inline]
free_unref_page_list+0xb2/0x830 mm/page_alloc.c:3510
release_pages+0x233e/0x25e0 mm/swap.c:1076
__pagevec_release+0x7d/0xf0 mm/swap.c:1096
pagevec_release include/linux/pagevec.h:71 [inline]
folio_batch_release include/linux/pagevec.h:135 [inline]
shmem_undo_range+0x6d0/0x1fe0 mm/shmem.c:947
shmem_truncate_range mm/shmem.c:1042 [inline]
shmem_evict_inode+0x276/0xa10 mm/shmem.c:1151
evict+0x2a4/0x620 fs/inode.c:664
__dentry_kill+0x3b1/0x5b0 fs/dcache.c:607
dentry_kill+0xbb/0x290
dput+0x1f3/0x410 fs/dcache.c:913
__fput+0x5e4/0x880 fs/file_table.c:328
task_work_run+0x243/0x300 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0x124/0x150 kernel/entry/common.c:171
exit_to_user_mode_prepare+0xb2/0x140 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:296
do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86
Memory state around the buggy address:
ffff888071451380: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
ffff888071451400: fc fc 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888071451480: 00 00 00 00 fc fc fc fc fc fc fc fc fa fb fb fb
^
ffff888071451500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
ffff888071451580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
ead...@sina.com
Feb 4, 2023, 10:08:36 PM2/4/23
to syzbot+a6054f...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
From: Edward Adam Davis <ead...@sina.com>
On Date: Tue, 31 Jan 2023 07:24:40 -0800, syzbot wrote:
> HEAD commit: 7c46948a6e9c Merge tag 'fs.fuse.acl.v6.2-rc6' of git://git..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=13f04ecd480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=c8d5c2ee6c2bd4b8
> dashboard link: https://syzkaller.appspot.com/bug?extid=a6054f41d1cf28996a7d
> compiler: Debian clang version 13.0.1-6~deb11u1, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15d846f5480000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=177f1649480000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/cc51645b6401/disk-7c46948a.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/be036b5604a3/vmlinux-7c46948a.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/274f5abf2c8f/bzImage-7c46948a.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/f8e3282fa048/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+a6054f...@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: use-after-free in rb_link_node include/linux/rbtree.h:65 [inline]
> BUG: KASAN: use-after-free in __attach_extent_node+0x23d/0x480 fs/f2fs/extent_cache.c:372
> Write of size 8 at addr ffff8880714514e8 by task syz-executor122/5273
Test __attach_extent_node uaf.
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 7c46948a6e9c
--- a/fs/f2fs/extent_cache.c
+++ b/fs/f2fs/extent_cache.c
@@ -361,6 +361,8 @@ static struct extent_node *__attach_extent_node(struct f2fs_sb_info *sbi,
struct extent_tree_info *eti = &sbi->extent_tree[et->type];
struct extent_node *en;
+ WARN_ON(!p || !*p);
+ BUG_ON(!et);
en = f2fs_kmem_cache_alloc(extent_node_slab, GFP_ATOMIC, false, sbi);
if (!en)
return NULL;
On Date: Tue, 31 Jan 2023 07:24:40 -0800, syzbot wrote:
> HEAD commit: 7c46948a6e9c Merge tag 'fs.fuse.acl.v6.2-rc6' of git://git..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=13f04ecd480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=c8d5c2ee6c2bd4b8
> dashboard link: https://syzkaller.appspot.com/bug?extid=a6054f41d1cf28996a7d
> compiler: Debian clang version 13.0.1-6~deb11u1, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15d846f5480000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=177f1649480000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/cc51645b6401/disk-7c46948a.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/be036b5604a3/vmlinux-7c46948a.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/274f5abf2c8f/bzImage-7c46948a.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/f8e3282fa048/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+a6054f...@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: use-after-free in rb_link_node include/linux/rbtree.h:65 [inline]
> BUG: KASAN: use-after-free in __attach_extent_node+0x23d/0x480 fs/f2fs/extent_cache.c:372
> Write of size 8 at addr ffff8880714514e8 by task syz-executor122/5273
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 7c46948a6e9c
--- a/fs/f2fs/extent_cache.c
+++ b/fs/f2fs/extent_cache.c
@@ -361,6 +361,8 @@ static struct extent_node *__attach_extent_node(struct f2fs_sb_info *sbi,
struct extent_tree_info *eti = &sbi->extent_tree[et->type];
struct extent_node *en;
+ WARN_ON(!p || !*p);
+ BUG_ON(!et);
en = f2fs_kmem_cache_alloc(extent_node_slab, GFP_ATOMIC, false, sbi);
if (!en)
return NULL;
syzbot
Feb 4, 2023, 10:29:21 PM2/4/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in __attach_extent_node
------------[ cut here ]------------
WARNING: CPU: 0 PID: 5600 at fs/f2fs/extent_cache.c:364 __attach_extent_node+0xc7/0x4c0
Modules linked in:
CPU: 0 PID: 5600 Comm: syz-executor.0 Not tainted 6.2.0-rc5-syzkaller-00047-g7c46948a6e9c-dirty #0
Code: 7c ab 48 89 df e8 c9 6a 0b fe eb a1 e8 62 24 b7 fd 48 c7 c7 40 bb 2b 8d 48 89 de e8 83 53 9b 00 48 85 ed 75 a6 e8 49 24 b7 fd <0f> 0b 48 89 6c 24 20 4c 89 64 24 38 4d 85 e4 0f 84 d6 03 00 00 48
RSP: 0018:ffffc90005eae958 EFLAGS: 00010293
RAX: ffffffff83d42181 RBX: 0000000000000000 RCX: ffff88807e05ba80
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: ffff88807274e0d8 R08: ffffffff83d42148 R09: 0000000000000001
R10: 0000000000000000 R11: dffffc0000000001 R12: ffff88807274e0d0
R13: ffff888027218000 R14: dffffc0000000000 R15: ffff888027218000
FS: 00007f7fd5990700(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020103000 CR3: 0000000023e6e000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__insert_extent_tree+0x24b/0x570
__update_extent_tree_range+0x1548/0x1d50
f2fs_update_read_extent_cache+0x41e/0x590
f2fs_outplace_write_data+0x200/0x3d0
f2fs_do_write_data_page+0x1393/0x27c0
f2fs_write_single_data_page+0x14c1/0x2140
f2fs_write_data_pages+0x1948/0x2ed0
do_writepages+0x3a6/0x660
filemap_fdatawrite_wbc+0x125/0x180
file_write_and_wait_range+0x21f/0x320
f2fs_do_sync_file+0x7b6/0x1de0
f2fs_file_write_iter+0x7fc/0x2c20
vfs_write+0x7dd/0xc50
ksys_write+0x17c/0x2a0
do_syscall_64+0x41/0xc0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f7fd4c8c0c9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f7fd5990168 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f7fd4dabf80 RCX: 00007f7fd4c8c0c9
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffd70a6517f R14: 00007f7fd5990300 R15: 0000000000022000
</TASK>
Tested on:
commit: 7c46948a Merge tag 'fs.fuse.acl.v6.2-rc6' of git://git..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=13ca81ad480000
kernel config: https://syzkaller.appspot.com/x/.config?x=f5a0f98ea28dd7b9
dashboard link: https://syzkaller.appspot.com/bug?extid=a6054f41d1cf28996a7d
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=17d98f75480000
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in __attach_extent_node
------------[ cut here ]------------
WARNING: CPU: 0 PID: 5600 at fs/f2fs/extent_cache.c:364 __attach_extent_node+0xc7/0x4c0
Modules linked in:
CPU: 0 PID: 5600 Comm: syz-executor.0 Not tainted 6.2.0-rc5-syzkaller-00047-g7c46948a6e9c-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
RIP: 0010:__attach_extent_node+0xc7/0x4c0
Code: 7c ab 48 89 df e8 c9 6a 0b fe eb a1 e8 62 24 b7 fd 48 c7 c7 40 bb 2b 8d 48 89 de e8 83 53 9b 00 48 85 ed 75 a6 e8 49 24 b7 fd <0f> 0b 48 89 6c 24 20 4c 89 64 24 38 4d 85 e4 0f 84 d6 03 00 00 48
RSP: 0018:ffffc90005eae958 EFLAGS: 00010293
RAX: ffffffff83d42181 RBX: 0000000000000000 RCX: ffff88807e05ba80
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: ffff88807274e0d8 R08: ffffffff83d42148 R09: 0000000000000001
R10: 0000000000000000 R11: dffffc0000000001 R12: ffff88807274e0d0
R13: ffff888027218000 R14: dffffc0000000000 R15: ffff888027218000
FS: 00007f7fd5990700(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020103000 CR3: 0000000023e6e000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__insert_extent_tree+0x24b/0x570
__update_extent_tree_range+0x1548/0x1d50
f2fs_update_read_extent_cache+0x41e/0x590
f2fs_outplace_write_data+0x200/0x3d0
f2fs_do_write_data_page+0x1393/0x27c0
f2fs_write_single_data_page+0x14c1/0x2140
f2fs_write_data_pages+0x1948/0x2ed0
do_writepages+0x3a6/0x660
filemap_fdatawrite_wbc+0x125/0x180
file_write_and_wait_range+0x21f/0x320
f2fs_do_sync_file+0x7b6/0x1de0
f2fs_file_write_iter+0x7fc/0x2c20
vfs_write+0x7dd/0xc50
ksys_write+0x17c/0x2a0
do_syscall_64+0x41/0xc0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f7fd4c8c0c9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f7fd5990168 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f7fd4dabf80 RCX: 00007f7fd4c8c0c9
RDX: 00000000000ffe00 RSI: 0000000020004200 RDI: 0000000000000004
RBP: 00007f7fd4ce7ae9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffd70a6517f R14: 00007f7fd5990300 R15: 0000000000022000
</TASK>
Tested on:
commit: 7c46948a Merge tag 'fs.fuse.acl.v6.2-rc6' of git://git..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=13ca81ad480000
kernel config: https://syzkaller.appspot.com/x/.config?x=f5a0f98ea28dd7b9
dashboard link: https://syzkaller.appspot.com/bug?extid=a6054f41d1cf28996a7d
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=17d98f75480000
ead...@sina.com
Feb 4, 2023, 11:59:25 PM2/4/23
to syzbot+a6054f...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
> HEAD commit: 7c46948a6e9c Merge tag 'fs.fuse.acl.v6.2-rc6' of git://git..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=13f04ecd480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=c8d5c2ee6c2bd4b8
> dashboard link: https://syzkaller.appspot.com/bug?extid=a6054f41d1cf28996a7d
> compiler: Debian clang version 13.0.1-6~deb11u1, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15d846f5480000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=177f1649480000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/cc51645b6401/disk-7c46948a.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/be036b5604a3/vmlinux-7c46948a.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/274f5abf2c8f/bzImage-7c46948a.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/f8e3282fa048/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+a6054f...@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: use-after-free in rb_link_node include/linux/rbtree.h:65 [inline]
> BUG: KASAN: use-after-free in __attach_extent_node+0x23d/0x480 fs/f2fs/extent_cache.c:372
> Write of size 8 at addr ffff8880714514e8 by task syz-executor122/5273
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=13f04ecd480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=c8d5c2ee6c2bd4b8
> dashboard link: https://syzkaller.appspot.com/bug?extid=a6054f41d1cf28996a7d
> compiler: Debian clang version 13.0.1-6~deb11u1, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15d846f5480000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=177f1649480000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/cc51645b6401/disk-7c46948a.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/be036b5604a3/vmlinux-7c46948a.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/274f5abf2c8f/bzImage-7c46948a.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/f8e3282fa048/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+a6054f...@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: use-after-free in rb_link_node include/linux/rbtree.h:65 [inline]
> BUG: KASAN: use-after-free in __attach_extent_node+0x23d/0x480 fs/f2fs/extent_cache.c:372
> Write of size 8 at addr ffff8880714514e8 by task syz-executor122/5273
Test __attach_extent_node uaf.
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 7c46948a6e9c
--- a/fs/f2fs/extent_cache.c
+++ b/fs/f2fs/extent_cache.c
@@ -361,6 +361,9 @@ static struct extent_node *__attach_extent_node(struct f2fs_sb_info *sbi,
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 7c46948a6e9c
--- a/fs/f2fs/extent_cache.c
+++ b/fs/f2fs/extent_cache.c
struct extent_tree_info *eti = &sbi->extent_tree[et->type];
struct extent_node *en;
+ if (!p || !*p)
struct extent_node *en;
+ return NULL;
+
syzbot
Feb 5, 2023, 12:27:19 AM2/5/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in __update_extent_tree_range
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x77/0x1f80
Read of size 8 at addr ffff88806b8a9388 by task syz-executor.0/7322
CPU: 0 PID: 7322 Comm: syz-executor.0 Not tainted 6.2.0-rc5-syzkaller-00047-g7c46948a6e9c-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
Call Trace:
<TASK>
dump_stack_lvl+0x1b5/0x2a0
print_report+0x163/0x4c0
kasan_report+0xce/0x100
__lock_acquire+0x77/0x1f80
lock_acquire+0x20b/0x600
_raw_write_lock+0x2e/0x40
__update_extent_tree_range+0x431/0x1d50
f2fs_update_read_extent_cache+0x41e/0x590
f2fs_outplace_write_data+0x200/0x3d0
f2fs_do_write_data_page+0x1393/0x27c0
f2fs_write_single_data_page+0x14c1/0x2140
f2fs_write_data_pages+0x1948/0x2ed0
do_writepages+0x3a6/0x660
filemap_fdatawrite_wbc+0x125/0x180
file_write_and_wait_range+0x21f/0x320
f2fs_do_sync_file+0x7b6/0x1de0
f2fs_file_write_iter+0x7fc/0x2c20
vfs_write+0x7dd/0xc50
ksys_write+0x17c/0x2a0
do_syscall_64+0x41/0xc0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f31c3c8c0c9
f2fs_outplace_write_data+0x200/0x3d0
f2fs_do_write_data_page+0x1393/0x27c0
f2fs_write_single_data_page+0x14c1/0x2140
f2fs_write_data_pages+0x1948/0x2ed0
do_writepages+0x3a6/0x660
filemap_fdatawrite_wbc+0x125/0x180
file_write_and_wait_range+0x21f/0x320
f2fs_do_sync_file+0x7b6/0x1de0
f2fs_file_write_iter+0x7fc/0x2c20
vfs_write+0x7dd/0xc50
ksys_write+0x17c/0x2a0
do_syscall_64+0x41/0xc0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f31c4a31168 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f31c3dabf80 RCX: 00007f31c3c8c0c9
RDX: 00000000000ffe00 RSI: 0000000020004200 RDI: 0000000000000004
RBP: 00007f31c3ce7ae9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffd506629af R14: 00007f31c4a31300 R15: 0000000000022000
</TASK>
Allocated by task 7322:
kasan_set_track+0x40/0x70
__kasan_slab_alloc+0x69/0x80
slab_post_alloc_hook+0x68/0x390
kmem_cache_alloc+0x12c/0x280
__grab_extent_tree+0x183/0x400
f2fs_init_extent_tree+0x214/0x450
f2fs_new_inode+0xdb4/0x1090
__f2fs_tmpfile+0xa5/0x380
f2fs_ioc_start_atomic_write+0x419/0x970
__f2fs_ioctl+0x1ace/0xb2b0
__se_sys_ioctl+0xf1/0x160
do_syscall_64+0x41/0xc0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Freed by task 7327:
kasan_set_track+0x40/0x70
kasan_save_free_info+0x2b/0x40
____kasan_slab_free+0xd6/0x120
kmem_cache_free+0x2b5/0x580
__destroy_extent_tree+0x311/0x720
f2fs_destroy_extent_tree+0x17/0x30
f2fs_evict_inode+0x467/0x1650
evict+0x2a4/0x620
f2fs_abort_atomic_write+0xda/0x440
__f2fs_ioctl+0x315c/0xb2b0
__se_sys_ioctl+0xf1/0x160
do_syscall_64+0x41/0xc0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The buggy address belongs to the object at ffff88806b8a9340
which belongs to the cache f2fs_extent_tree of size 144
The buggy address is located 72 bytes inside of
144-byte region [ffff88806b8a9340, ffff88806b8a93d0)
The buggy address belongs to the physical page:
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffff88801bcef8c0 ffffea0001aa2980 0000000000000002
raw: ffff88806b8a99c0 0000000080130012 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Reclaimable, gfp_mask 0x112c50(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 6464, tgid 6463 (syz-executor.0), ts 110100758063, free_ts 13712936475
page_owner tracks the page as allocated
get_page_from_freelist+0x3403/0x3580
__alloc_pages+0x291/0x7e0
alloc_slab_page+0x6a/0x160
new_slab+0x84/0x2f0
___slab_alloc+0xa07/0x1000
kmem_cache_alloc+0x1b0/0x280
__grab_extent_tree+0x183/0x400
f2fs_init_extent_tree+0x214/0x450
f2fs_new_inode+0xdb4/0x1090
__f2fs_tmpfile+0xa5/0x380
f2fs_ioc_start_atomic_write+0x419/0x970
__f2fs_ioctl+0x1ace/0xb2b0
__se_sys_ioctl+0xf1/0x160
do_syscall_64+0x41/0xc0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
free_unref_page_prepare+0xf3a/0x1040
page last free stack trace:
free_unref_page+0x37/0x3f0
free_contig_range+0x9e/0x150
destroy_args+0x102/0x930
debug_vm_pgtable+0x446/0x4b0
do_one_initcall+0x292/0xa20
do_initcall_level+0x157/0x210
do_initcalls+0x3f/0x80
kernel_init_freeable+0x42e/0x5e0
kernel_init+0x1d/0x2a0
ret_from_fork+0x1f/0x30
Memory state around the buggy address:
ffff88806b8a9300: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
>ffff88806b8a9380: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
^
ffff88806b8a9400: fc fc fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88806b8a9480: fb fb fb fb fc fc fc fc fc fc fc fc fb fb fb fb
==================================================================
Tested on:
commit: 7c46948a Merge tag 'fs.fuse.acl.v6.2-rc6' of git://git..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=f5a0f98ea28dd7b9
dashboard link: https://syzkaller.appspot.com/bug?extid=a6054f41d1cf28996a7d
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=10311ba5480000
ead...@sina.com
Feb 24, 2023, 6:41:06 AM2/24/23
to syzbot+a6054f...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
> HEAD commit: 7c46948a6e9c Merge tag 'fs.fuse.acl.v6.2-rc6' of git://git..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=13f04ecd480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=c8d5c2ee6c2bd4b8
> dashboard link: https://syzkaller.appspot.com/bug?extid=a6054f41d1cf28996a7d
> compiler: Debian clang version 13.0.1-6~deb11u1, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15d846f5480000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=177f1649480000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/cc51645b6401/disk-7c46948a.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/be036b5604a3/vmlinux-7c46948a.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/274f5abf2c8f/bzImage-7c46948a.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/f8e3282fa048/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+a6054f...@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: use-after-free in rb_link_node include/linux/rbtree.h:65 [inline]
> BUG: KASAN: use-after-free in __attach_extent_node+0x23d/0x480 fs/f2fs/extent_cache.c:372
> Write of size 8 at addr ffff8880714514e8 by task syz-executor122/5273
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=13f04ecd480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=c8d5c2ee6c2bd4b8
> dashboard link: https://syzkaller.appspot.com/bug?extid=a6054f41d1cf28996a7d
> compiler: Debian clang version 13.0.1-6~deb11u1, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15d846f5480000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=177f1649480000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/cc51645b6401/disk-7c46948a.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/be036b5604a3/vmlinux-7c46948a.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/274f5abf2c8f/bzImage-7c46948a.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/f8e3282fa048/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+a6054f...@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: use-after-free in rb_link_node include/linux/rbtree.h:65 [inline]
> BUG: KASAN: use-after-free in __attach_extent_node+0x23d/0x480 fs/f2fs/extent_cache.c:372
> Write of size 8 at addr ffff8880714514e8 by task syz-executor122/5273
Test __attach_extent_node uaf.
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 7c46948a6e9c
--- a/fs/f2fs/extent_cache.c
+++ b/fs/f2fs/extent_cache.c
@@ -652,9 +652,12 @@ static struct extent_node *__insert_extent_tree(struct f2fs_sb_info *sbi,
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 7c46948a6e9c
--- a/fs/f2fs/extent_cache.c
+++ b/fs/f2fs/extent_cache.c
p = f2fs_lookup_rb_tree_for_insert(sbi, &et->root, &parent,
ei->fofs, &leftmost);
do_insert:
+ if (!mutex_trylock(&eti->extent_tree_lock))
+ return NULL;
+
en = __attach_extent_node(sbi, et, ei, parent, p, leftmost);
if (!en)
- return NULL;
+ goto out;
__try_update_largest_extent(et, en);
@@ -663,6 +666,8 @@ static struct extent_node *__insert_extent_tree(struct f2fs_sb_info *sbi,
list_add_tail(&en->list, &eti->extent_list);
et->cached_en = en;
spin_unlock(&eti->extent_lock);
+out:
+ mutex_unlock(&eti->extent_tree_lock);
return en;
}
syzbot
Feb 24, 2023, 9:41:19 AM2/24/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in __update_extent_tree_range
==================================================================
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in __update_extent_tree_range
BUG: KASAN: use-after-free in __lock_acquire+0x77/0x1f80
Read of size 8 at addr ffff8880753cc5f8 by task syz-executor.0/5753
CPU: 1 PID: 5753 Comm: syz-executor.0 Not tainted 6.2.0-rc5-syzkaller-00047-g7c46948a6e9c-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/16/2023
Call Trace:
<TASK>
dump_stack_lvl+0x1b5/0x2a0
print_report+0x163/0x4c0
kasan_report+0xce/0x100
__lock_acquire+0x77/0x1f80
lock_acquire+0x20b/0x600
_raw_write_lock+0x2e/0x40
__update_extent_tree_range+0x431/0x1d50
f2fs_update_read_extent_cache+0x41e/0x590
f2fs_outplace_write_data+0x200/0x3d0
f2fs_do_write_data_page+0x1393/0x27c0
f2fs_write_single_data_page+0x14c1/0x2140
f2fs_write_data_pages+0x1948/0x2ed0
do_writepages+0x3a6/0x660
filemap_fdatawrite_wbc+0x125/0x180
file_write_and_wait_range+0x21f/0x320
f2fs_do_sync_file+0x7b6/0x1de0
f2fs_file_write_iter+0x7fc/0x2c20
vfs_write+0x7dd/0xc50
ksys_write+0x17c/0x2a0
do_syscall_64+0x41/0xc0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fba50c8c0c9
<TASK>
dump_stack_lvl+0x1b5/0x2a0
print_report+0x163/0x4c0
kasan_report+0xce/0x100
__lock_acquire+0x77/0x1f80
lock_acquire+0x20b/0x600
_raw_write_lock+0x2e/0x40
__update_extent_tree_range+0x431/0x1d50
f2fs_update_read_extent_cache+0x41e/0x590
f2fs_outplace_write_data+0x200/0x3d0
f2fs_do_write_data_page+0x1393/0x27c0
f2fs_write_single_data_page+0x14c1/0x2140
f2fs_write_data_pages+0x1948/0x2ed0
do_writepages+0x3a6/0x660
filemap_fdatawrite_wbc+0x125/0x180
file_write_and_wait_range+0x21f/0x320
f2fs_do_sync_file+0x7b6/0x1de0
f2fs_file_write_iter+0x7fc/0x2c20
vfs_write+0x7dd/0xc50
ksys_write+0x17c/0x2a0
do_syscall_64+0x41/0xc0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fba51982168 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007fba50dabf80 RCX: 00007fba50c8c0c9
RDX: 00000000000ffe00 RSI: 0000000020004200 RDI: 0000000000000004
RBP: 00007fba50ce7ae9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffff99c5d3f R14: 00007fba51982300 R15: 0000000000022000
</TASK>
Allocated by task 5753:
kasan_set_track+0x40/0x70
__kasan_slab_alloc+0x69/0x80
slab_post_alloc_hook+0x68/0x390
kmem_cache_alloc+0x12c/0x280
__grab_extent_tree+0x183/0x400
f2fs_init_extent_tree+0x214/0x450
f2fs_new_inode+0xdb4/0x1090
__f2fs_tmpfile+0xa5/0x380
f2fs_ioc_start_atomic_write+0x419/0x970
__f2fs_ioctl+0x1ace/0xb2b0
__se_sys_ioctl+0xf1/0x160
do_syscall_64+0x41/0xc0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Freed by task 5771:
__kasan_slab_alloc+0x69/0x80
slab_post_alloc_hook+0x68/0x390
kmem_cache_alloc+0x12c/0x280
__grab_extent_tree+0x183/0x400
f2fs_init_extent_tree+0x214/0x450
f2fs_new_inode+0xdb4/0x1090
__f2fs_tmpfile+0xa5/0x380
f2fs_ioc_start_atomic_write+0x419/0x970
__f2fs_ioctl+0x1ace/0xb2b0
__se_sys_ioctl+0xf1/0x160
do_syscall_64+0x41/0xc0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
kasan_set_track+0x40/0x70
kasan_save_free_info+0x2b/0x40
____kasan_slab_free+0xd6/0x120
kmem_cache_free+0x2b5/0x580
__destroy_extent_tree+0x311/0x720
f2fs_destroy_extent_tree+0x17/0x30
f2fs_evict_inode+0x467/0x1650
evict+0x2a4/0x620
f2fs_abort_atomic_write+0xda/0x440
__f2fs_ioctl+0x315c/0xb2b0
__se_sys_ioctl+0xf1/0x160
do_syscall_64+0x41/0xc0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The buggy address belongs to the object at ffff8880753cc5b0
kasan_save_free_info+0x2b/0x40
____kasan_slab_free+0xd6/0x120
kmem_cache_free+0x2b5/0x580
__destroy_extent_tree+0x311/0x720
f2fs_destroy_extent_tree+0x17/0x30
f2fs_evict_inode+0x467/0x1650
evict+0x2a4/0x620
f2fs_abort_atomic_write+0xda/0x440
__f2fs_ioctl+0x315c/0xb2b0
__se_sys_ioctl+0xf1/0x160
do_syscall_64+0x41/0xc0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
which belongs to the cache f2fs_extent_tree of size 144
The buggy address is located 72 bytes inside of
144-byte region [ffff8880753cc5b0, ffff8880753cc640)
The buggy address is located 72 bytes inside of
The buggy address belongs to the physical page:
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffff8881461fca00 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080130013 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Reclaimable, gfp_mask 0x112c50(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 5666, tgid 5665 (syz-executor.0), ts 86534459606, free_ts 85331804235
page_owner tracks the page as allocated
get_page_from_freelist+0x3403/0x3580
__alloc_pages+0x291/0x7e0
alloc_slab_page+0x6a/0x160
new_slab+0x84/0x2f0
___slab_alloc+0xa07/0x1000
kmem_cache_alloc+0x1b0/0x280
__grab_extent_tree+0x183/0x400
f2fs_init_extent_tree+0x214/0x450
f2fs_new_inode+0xdb4/0x1090
f2fs_create+0x197/0x530
__alloc_pages+0x291/0x7e0
alloc_slab_page+0x6a/0x160
new_slab+0x84/0x2f0
___slab_alloc+0xa07/0x1000
kmem_cache_alloc+0x1b0/0x280
__grab_extent_tree+0x183/0x400
f2fs_init_extent_tree+0x214/0x450
f2fs_new_inode+0xdb4/0x1090
path_openat+0x12b9/0x2e30
do_filp_open+0x26d/0x500
do_sys_openat2+0x128/0x4f0
__x64_sys_openat+0x247/0x290
do_syscall_64+0x41/0xc0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
free_unref_page_prepare+0xf3a/0x1040
free_unref_page+0x37/0x3f0
__unfreeze_partials+0x1b1/0x1f0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
free_unref_page_prepare+0xf3a/0x1040
free_unref_page+0x37/0x3f0
put_cpu_partial+0x106/0x170
qlist_free_all+0x22/0x60
kasan_quarantine_reduce+0x15a/0x170
__kasan_slab_alloc+0x23/0x80
slab_post_alloc_hook+0x68/0x390
kmem_cache_alloc_node+0x158/0x2c0
dup_task_struct+0x57/0x6d0
copy_process+0x5c9/0x3f90
kernel_clone+0x215/0x950
__x64_sys_clone+0x22d/0x290
do_syscall_64+0x41/0xc0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Memory state around the buggy address:
ffff8880753cc500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
>ffff8880753cc580: fc fc fc fc fc fc fa fb fb fb fb fb fb fb fb fb
^
ffff8880753cc600: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff8880753cc680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
Tested on:
commit: 7c46948a Merge tag 'fs.fuse.acl.v6.2-rc6' of git://git..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=140b0b3b480000
Tested on:
commit: 7c46948a Merge tag 'fs.fuse.acl.v6.2-rc6' of git://git..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=f5a0f98ea28dd7b9
dashboard link: https://syzkaller.appspot.com/bug?extid=a6054f41d1cf28996a7d
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=12589b40c80000
ead...@sina.com
Feb 24, 2023, 7:40:10 PM2/24/23
to syzbot+a6054f...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
> HEAD commit: 7c46948a6e9c Merge tag 'fs.fuse.acl.v6.2-rc6' of git://git..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=13f04ecd480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=c8d5c2ee6c2bd4b8
> dashboard link: https://syzkaller.appspot.com/bug?extid=a6054f41d1cf28996a7d
> compiler: Debian clang version 13.0.1-6~deb11u1, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15d846f5480000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=177f1649480000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/cc51645b6401/disk-7c46948a.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/be036b5604a3/vmlinux-7c46948a.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/274f5abf2c8f/bzImage-7c46948a.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/f8e3282fa048/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+a6054f...@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: use-after-free in rb_link_node include/linux/rbtree.h:65 [inline]
> BUG: KASAN: use-after-free in __attach_extent_node+0x23d/0x480 fs/f2fs/extent_cache.c:372
> Write of size 8 at addr ffff8880714514e8 by task syz-executor122/5273
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=13f04ecd480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=c8d5c2ee6c2bd4b8
> dashboard link: https://syzkaller.appspot.com/bug?extid=a6054f41d1cf28996a7d
> compiler: Debian clang version 13.0.1-6~deb11u1, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15d846f5480000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=177f1649480000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/cc51645b6401/disk-7c46948a.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/be036b5604a3/vmlinux-7c46948a.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/274f5abf2c8f/bzImage-7c46948a.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/f8e3282fa048/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+a6054f...@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: use-after-free in rb_link_node include/linux/rbtree.h:65 [inline]
> BUG: KASAN: use-after-free in __attach_extent_node+0x23d/0x480 fs/f2fs/extent_cache.c:372
> Write of size 8 at addr ffff8880714514e8 by task syz-executor122/5273
Test __attach_extent_node uaf.
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 7c46948a6e9c
--- a/fs/f2fs/extent_cache.c
+++ b/fs/f2fs/extent_cache.c
@@ -789,6 +789,8 @@ static void __update_extent_tree_range(struct inode *inode,
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 7c46948a6e9c
--- a/fs/f2fs/extent_cache.c
+++ b/fs/f2fs/extent_cache.c
BUG_ON(type != EX_READ);
if (tei->blk) {
+ struct extent_tree_info *eti = &sbi->extent_tree[et->type];
+ mutex_lock(&eti->extent_tree_lock);
__set_extent_info(&ei, fofs, len, tei->blk, false,
0, 0, EX_READ);
if (!__try_merge_extent_node(sbi, et, &ei, prev_en, next_en))
@@ -803,6 +805,7 @@ static void __update_extent_tree_range(struct inode *inode,
et->largest_updated = true;
set_inode_flag(inode, FI_NO_EXTENT);
}
+ mutex_unlock(&eti->extent_tree_lock);
}
if (is_inode_flag_set(inode, FI_NO_EXTENT))
syzbot
Feb 24, 2023, 10:16:26 PM2/24/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: sleeping function called from invalid context in __update_extent_tree_range
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: sleeping function called from invalid context at kernel/locking/mutex.c:580
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 5607, name: syz-executor.0
preempt_count: 1, expected: 0
RCU nest depth: 0, expected: 0
4 locks held by syz-executor.0/5607:
#0: ffff888029552868 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0x254/0x2f0
#1: ffff88807e042460 (sb_writers#13){.+.+}-{0:0}, at: vfs_write+0x27f/0xc50
#2: ffff88807972c3b0 (&sbi->cp_rwsem){.+.+}-{3:3}, at: f2fs_do_write_data_page+0x1003/0x27c0
#3: ffff888073ef3118 (&et->lock){++++}-{2:2}, at: __update_extent_tree_range+0x42f/0x1ea0
Preemption disabled at:
[<0000000000000000>] 0x0
CPU: 1 PID: 5607 Comm: syz-executor.0 Not tainted 6.2.0-rc5-syzkaller-00047-g7c46948a6e9c-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/16/2023
Call Trace:
<TASK>
dump_stack_lvl+0x1b5/0x2a0
__might_resched+0x4f6/0x6c0
Call Trace:
<TASK>
dump_stack_lvl+0x1b5/0x2a0
__mutex_lock_common+0xbf/0x2630
mutex_lock_nested+0x1b/0x20
__update_extent_tree_range+0x138e/0x1ea0
f2fs_update_read_extent_cache+0x41e/0x590
f2fs_outplace_write_data+0x200/0x3d0
f2fs_do_write_data_page+0x1393/0x27c0
f2fs_write_single_data_page+0x14c1/0x2140
f2fs_write_data_pages+0x1948/0x2ed0
do_writepages+0x3a6/0x660
filemap_fdatawrite_wbc+0x125/0x180
file_write_and_wait_range+0x21f/0x320
f2fs_do_sync_file+0x7b6/0x1de0
f2fs_file_write_iter+0x7fc/0x2c20
vfs_write+0x7dd/0xc50
ksys_write+0x17c/0x2a0
do_syscall_64+0x41/0xc0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f0f6228c0c9
f2fs_outplace_write_data+0x200/0x3d0
f2fs_do_write_data_page+0x1393/0x27c0
f2fs_write_single_data_page+0x14c1/0x2140
f2fs_write_data_pages+0x1948/0x2ed0
do_writepages+0x3a6/0x660
filemap_fdatawrite_wbc+0x125/0x180
file_write_and_wait_range+0x21f/0x320
f2fs_do_sync_file+0x7b6/0x1de0
f2fs_file_write_iter+0x7fc/0x2c20
vfs_write+0x7dd/0xc50
ksys_write+0x17c/0x2a0
do_syscall_64+0x41/0xc0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f0f6309c168 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f0f623abf80 RCX: 00007f0f6228c0c9
RDX: 00000000000ffe00 RSI: 0000000020004200 RDI: 0000000000000004
RBP: 00007f0f622e7ae9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffd27f0235f R14: 00007f0f6309c300 R15: 0000000000022000
</TASK>
=============================
[ BUG: Invalid wait context ]
6.2.0-rc5-syzkaller-00047-g7c46948a6e9c-dirty #0 Tainted: G W
-----------------------------
syz-executor.0/5607 is trying to lock:
ffff88807972cc58 (&eti->extent_tree_lock){+.+.}-{3:3}, at: __update_extent_tree_range+0x138e/0x1ea0
other info that might help us debug this:
context-{4:4}
4 locks held by syz-executor.0/5607:
#0: ffff888029552868 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0x254/0x2f0
#1: ffff88807e042460 (sb_writers#13){.+.+}-{0:0}, at: vfs_write+0x27f/0xc50
#2: ffff88807972c3b0 (&sbi->cp_rwsem){.+.+}-{3:3}, at: f2fs_do_write_data_page+0x1003/0x27c0
#3: ffff888073ef3118 (&et->lock){++++}-{2:2}, at: __update_extent_tree_range+0x42f/0x1ea0
stack backtrace:
CPU: 1 PID: 5607 Comm: syz-executor.0 Tainted: G W 6.2.0-rc5-syzkaller-00047-g7c46948a6e9c-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/16/2023
Call Trace:
<TASK>
dump_stack_lvl+0x1b5/0x2a0
__lock_acquire+0x14b1/0x1f80
Call Trace:
<TASK>
dump_stack_lvl+0x1b5/0x2a0
lock_acquire+0x20b/0x600
__mutex_lock_common+0x1c2/0x2630
mutex_lock_nested+0x1b/0x20
__update_extent_tree_range+0x138e/0x1ea0
f2fs_update_read_extent_cache+0x41e/0x590
f2fs_outplace_write_data+0x200/0x3d0
f2fs_do_write_data_page+0x1393/0x27c0
f2fs_write_single_data_page+0x14c1/0x2140
f2fs_write_data_pages+0x1948/0x2ed0
do_writepages+0x3a6/0x660
filemap_fdatawrite_wbc+0x125/0x180
file_write_and_wait_range+0x21f/0x320
f2fs_do_sync_file+0x7b6/0x1de0
f2fs_file_write_iter+0x7fc/0x2c20
vfs_write+0x7dd/0xc50
ksys_write+0x17c/0x2a0
do_syscall_64+0x41/0xc0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f0f6228c0c9
f2fs_outplace_write_data+0x200/0x3d0
f2fs_do_write_data_page+0x1393/0x27c0
f2fs_write_single_data_page+0x14c1/0x2140
f2fs_write_data_pages+0x1948/0x2ed0
do_writepages+0x3a6/0x660
filemap_fdatawrite_wbc+0x125/0x180
file_write_and_wait_range+0x21f/0x320
f2fs_do_sync_file+0x7b6/0x1de0
f2fs_file_write_iter+0x7fc/0x2c20
vfs_write+0x7dd/0xc50
ksys_write+0x17c/0x2a0
do_syscall_64+0x41/0xc0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f0f6309c168 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f0f623abf80 RCX: 00007f0f6228c0c9
RDX: 00000000000ffe00 RSI: 0000000020004200 RDI: 0000000000000004
RBP: 00007f0f622e7ae9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffd27f0235f R14: 00007f0f6309c300 R15: 0000000000022000
</TASK>
==================================================================
BUG: KASAN: use-after-free in __try_merge_extent_node+0xbbd/0x10a0
Read of size 4 at addr ffff888073ef30d4 by task syz-executor.0/5607
CPU: 1 PID: 5607 Comm: syz-executor.0 Tainted: G W 6.2.0-rc5-syzkaller-00047-g7c46948a6e9c-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/16/2023
Call Trace:
<TASK>
dump_stack_lvl+0x1b5/0x2a0
print_report+0x163/0x4c0
kasan_report+0xce/0x100
__try_merge_extent_node+0xbbd/0x10a0
Call Trace:
<TASK>
dump_stack_lvl+0x1b5/0x2a0
print_report+0x163/0x4c0
kasan_report+0xce/0x100
__update_extent_tree_range+0x149a/0x1ea0
f2fs_update_read_extent_cache+0x41e/0x590
f2fs_outplace_write_data+0x200/0x3d0
f2fs_do_write_data_page+0x1393/0x27c0
f2fs_write_single_data_page+0x14c1/0x2140
f2fs_write_data_pages+0x1948/0x2ed0
do_writepages+0x3a6/0x660
filemap_fdatawrite_wbc+0x125/0x180
file_write_and_wait_range+0x21f/0x320
f2fs_do_sync_file+0x7b6/0x1de0
f2fs_file_write_iter+0x7fc/0x2c20
vfs_write+0x7dd/0xc50
ksys_write+0x17c/0x2a0
do_syscall_64+0x41/0xc0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f0f6228c0c9
f2fs_outplace_write_data+0x200/0x3d0
f2fs_do_write_data_page+0x1393/0x27c0
f2fs_write_single_data_page+0x14c1/0x2140
f2fs_write_data_pages+0x1948/0x2ed0
do_writepages+0x3a6/0x660
filemap_fdatawrite_wbc+0x125/0x180
file_write_and_wait_range+0x21f/0x320
f2fs_do_sync_file+0x7b6/0x1de0
f2fs_file_write_iter+0x7fc/0x2c20
vfs_write+0x7dd/0xc50
ksys_write+0x17c/0x2a0
do_syscall_64+0x41/0xc0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f0f6309c168 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f0f623abf80 RCX: 00007f0f6228c0c9
RDX: 00000000000ffe00 RSI: 0000000020004200 RDI: 0000000000000004
RBP: 00007f0f622e7ae9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffd27f0235f R14: 00007f0f6309c300 R15: 0000000000022000
</TASK>
Allocated by task 5607:
kasan_set_track+0x40/0x70
__kasan_slab_alloc+0x69/0x80
slab_post_alloc_hook+0x68/0x390
kmem_cache_alloc+0x12c/0x280
__grab_extent_tree+0x183/0x400
f2fs_init_extent_tree+0x214/0x450
f2fs_new_inode+0xdb4/0x1090
__f2fs_tmpfile+0xa5/0x380
f2fs_ioc_start_atomic_write+0x419/0x970
__f2fs_ioctl+0x1ace/0xb2b0
__se_sys_ioctl+0xf1/0x160
do_syscall_64+0x41/0xc0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Freed by task 5625:
__kasan_slab_alloc+0x69/0x80
slab_post_alloc_hook+0x68/0x390
kmem_cache_alloc+0x12c/0x280
__grab_extent_tree+0x183/0x400
f2fs_init_extent_tree+0x214/0x450
f2fs_new_inode+0xdb4/0x1090
__f2fs_tmpfile+0xa5/0x380
f2fs_ioc_start_atomic_write+0x419/0x970
__f2fs_ioctl+0x1ace/0xb2b0
__se_sys_ioctl+0xf1/0x160
do_syscall_64+0x41/0xc0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
kasan_set_track+0x40/0x70
kasan_save_free_info+0x2b/0x40
____kasan_slab_free+0xd6/0x120
kmem_cache_free+0x2b5/0x580
__destroy_extent_tree+0x311/0x720
f2fs_destroy_extent_tree+0x17/0x30
f2fs_evict_inode+0x467/0x1650
evict+0x2a4/0x620
f2fs_abort_atomic_write+0xda/0x440
__f2fs_ioctl+0x315c/0xb2b0
__se_sys_ioctl+0xf1/0x160
do_syscall_64+0x41/0xc0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The buggy address belongs to the object at ffff888073ef30d0
kasan_save_free_info+0x2b/0x40
____kasan_slab_free+0xd6/0x120
kmem_cache_free+0x2b5/0x580
__destroy_extent_tree+0x311/0x720
f2fs_destroy_extent_tree+0x17/0x30
f2fs_evict_inode+0x467/0x1650
evict+0x2a4/0x620
f2fs_abort_atomic_write+0xda/0x440
__f2fs_ioctl+0x315c/0xb2b0
__se_sys_ioctl+0xf1/0x160
do_syscall_64+0x41/0xc0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
which belongs to the cache f2fs_extent_tree of size 144
The buggy address is located 4 bytes inside of
144-byte region [ffff888073ef30d0, ffff888073ef3160)
The buggy address belongs to the physical page:
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffff88801bc25780 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080130013 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Reclaimable, gfp_mask 0x112c50(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 5607, tgid 5606 (syz-executor.0), ts 91258803693, free_ts 90786584572
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
__d_alloc+0x31/0x760
d_alloc_cursor+0x44/0xd0
dcache_dir_open+0x3b/0x80
do_dentry_open+0x7f9/0x10f0
path_openat+0x25f4/0x2e30
do_filp_open+0x26d/0x500
do_sys_openat2+0x128/0x4f0
Memory state around the buggy address:
ffff888073ef3000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888073ef3080: 00 00 fc fc fc fc fc fc fc fc fa fb fb fb fb fb
^
ffff888073ef3100: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
ffff888073ef3180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
Tested on:
commit: 7c46948a Merge tag 'fs.fuse.acl.v6.2-rc6' of git://git..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=158d5808c80000
Tested on:
commit: 7c46948a Merge tag 'fs.fuse.acl.v6.2-rc6' of git://git..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=f5a0f98ea28dd7b9
dashboard link: https://syzkaller.appspot.com/bug?extid=a6054f41d1cf28996a7d
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=1423ccacc80000
ead...@sina.com
Feb 25, 2023, 12:31:30 AM2/25/23
to syzbot+a6054f...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
> HEAD commit: 7c46948a6e9c Merge tag 'fs.fuse.acl.v6.2-rc6' of git://git..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=13f04ecd480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=c8d5c2ee6c2bd4b8
> dashboard link: https://syzkaller.appspot.com/bug?extid=a6054f41d1cf28996a7d
> compiler: Debian clang version 13.0.1-6~deb11u1, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15d846f5480000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=177f1649480000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/cc51645b6401/disk-7c46948a.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/be036b5604a3/vmlinux-7c46948a.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/274f5abf2c8f/bzImage-7c46948a.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/f8e3282fa048/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+a6054f...@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: use-after-free in rb_link_node include/linux/rbtree.h:65 [inline]
> BUG: KASAN: use-after-free in __attach_extent_node+0x23d/0x480 fs/f2fs/extent_cache.c:372
> Write of size 8 at addr ffff8880714514e8 by task syz-executor122/5273
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=13f04ecd480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=c8d5c2ee6c2bd4b8
> dashboard link: https://syzkaller.appspot.com/bug?extid=a6054f41d1cf28996a7d
> compiler: Debian clang version 13.0.1-6~deb11u1, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15d846f5480000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=177f1649480000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/cc51645b6401/disk-7c46948a.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/be036b5604a3/vmlinux-7c46948a.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/274f5abf2c8f/bzImage-7c46948a.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/f8e3282fa048/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+a6054f...@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: use-after-free in rb_link_node include/linux/rbtree.h:65 [inline]
> BUG: KASAN: use-after-free in __attach_extent_node+0x23d/0x480 fs/f2fs/extent_cache.c:372
> Write of size 8 at addr ffff8880714514e8 by task syz-executor122/5273
Test __attach_extent_node uaf.
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 7c46948a6e9c
--- a/fs/f2fs/extent_cache.c
+++ b/fs/f2fs/extent_cache.c
@@ -675,6 +675,7 @@ static void __update_extent_tree_range(struct inode *inode,
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 7c46948a6e9c
--- a/fs/f2fs/extent_cache.c
+++ b/fs/f2fs/extent_cache.c
struct extent_node *prev_en = NULL, *next_en = NULL;
struct extent_info ei, dei, prev;
struct rb_node **insert_p = NULL, *insert_parent = NULL;
+ struct extent_tree_info *eti = &sbi->extent_tree[type];
unsigned int fofs = tei->fofs, len = tei->len;
unsigned int end = fofs + len;
bool updated = false;
@@ -690,11 +691,13 @@ static void __update_extent_tree_range(struct inode *inode,
trace_f2fs_update_age_extent_tree_range(inode, fofs, len,
tei->age, tei->last_blocks);
+ spin_lock(&eti->et_read_lock);
write_lock(&et->lock);
if (type == EX_READ) {
if (is_inode_flag_set(inode, FI_NO_EXTENT)) {
write_unlock(&et->lock);
+ spin_unlock(&eti->et_read_lock);
return;
}
@@ -824,6 +827,7 @@ static void __update_extent_tree_range(struct inode *inode,
insert_p, insert_parent, leftmost);
out_read_extent_cache:
write_unlock(&et->lock);
+ spin_unlock(&eti->et_read_lock);
if (updated)
f2fs_mark_inode_dirty_sync(inode, true);
@@ -1190,7 +1194,9 @@ static void __destroy_extent_tree(struct inode *inode, enum extent_type type)
mutex_lock(&eti->extent_tree_lock);
f2fs_bug_on(sbi, atomic_read(&et->node_cnt));
radix_tree_delete(&eti->extent_tree_root, inode->i_ino);
+ spin_lock(&eti->et_read_lock);
kmem_cache_free(extent_tree_slab, et);
+ spin_unlock(&eti->et_read_lock);
atomic_dec(&eti->total_ext_tree);
mutex_unlock(&eti->extent_tree_lock);
@@ -1211,6 +1217,7 @@ static void __init_extent_tree_info(struct extent_tree_info *eti)
mutex_init(&eti->extent_tree_lock);
INIT_LIST_HEAD(&eti->extent_list);
spin_lock_init(&eti->extent_lock);
+ spin_lock_init(&eti->et_read_lock);
atomic_set(&eti->total_ext_tree, 0);
INIT_LIST_HEAD(&eti->zombie_list);
atomic_set(&eti->total_zombie_tree, 0);
--- a/fs/f2fs/f2fs.h
+++ b/fs/f2fs/f2fs.h
@@ -685,6 +685,7 @@ struct extent_tree_info {
struct mutex extent_tree_lock; /* locking extent radix tree */
struct list_head extent_list; /* lru list for shrinker */
spinlock_t extent_lock; /* locking extent lru list */
+ spinlock_t et_read_lock; /* locking read extent tree */
atomic_t total_ext_tree; /* extent tree count */
struct list_head zombie_list; /* extent zombie tree list */
atomic_t total_zombie_tree; /* extent zombie tree count */
syzbot
Feb 25, 2023, 1:04:23 AM2/25/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in __update_extent_tree_range
==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x77/0x1f80
Read of size 8 at addr ffff888072b49458 by task syz-executor.0/5706
CPU: 1 PID: 5706 Comm: syz-executor.0 Not tainted 6.2.0-rc5-syzkaller-00047-g7c46948a6e9c-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/16/2023
Call Trace:
<TASK>
dump_stack_lvl+0x1b5/0x2a0
Call Trace:
<TASK>
dump_stack_lvl+0x1b5/0x2a0
print_report+0x163/0x4c0
kasan_report+0xce/0x100
__lock_acquire+0x77/0x1f80
lock_acquire+0x20b/0x600
_raw_write_lock+0x2e/0x40
__update_extent_tree_range+0x467/0x1de0
kasan_report+0xce/0x100
__lock_acquire+0x77/0x1f80
lock_acquire+0x20b/0x600
_raw_write_lock+0x2e/0x40
f2fs_update_read_extent_cache+0x41e/0x590
f2fs_outplace_write_data+0x200/0x3d0
f2fs_do_write_data_page+0x1393/0x27c0
f2fs_write_single_data_page+0x14c1/0x2140
f2fs_write_data_pages+0x1948/0x2ed0
do_writepages+0x3a6/0x660
filemap_fdatawrite_wbc+0x125/0x180
file_write_and_wait_range+0x21f/0x320
f2fs_do_sync_file+0x7b6/0x1de0
f2fs_file_write_iter+0x7fc/0x2c20
vfs_write+0x7dd/0xc50
ksys_write+0x17c/0x2a0
do_syscall_64+0x41/0xc0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7effd828c0c9
f2fs_outplace_write_data+0x200/0x3d0
f2fs_do_write_data_page+0x1393/0x27c0
f2fs_write_single_data_page+0x14c1/0x2140
f2fs_write_data_pages+0x1948/0x2ed0
do_writepages+0x3a6/0x660
filemap_fdatawrite_wbc+0x125/0x180
file_write_and_wait_range+0x21f/0x320
f2fs_do_sync_file+0x7b6/0x1de0
f2fs_file_write_iter+0x7fc/0x2c20
vfs_write+0x7dd/0xc50
ksys_write+0x17c/0x2a0
do_syscall_64+0x41/0xc0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007effd8f6a168 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007effd83abf80 RCX: 00007effd828c0c9
RDX: 00000000000ffe00 RSI: 0000000020004200 RDI: 0000000000000004
RBP: 00007effd82e7ae9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffcf18a8b3f R14: 00007effd8f6a300 R15: 0000000000022000
</TASK>
Allocated by task 5706:
kasan_set_track+0x40/0x70
__kasan_slab_alloc+0x69/0x80
slab_post_alloc_hook+0x68/0x390
kmem_cache_alloc+0x12c/0x280
__grab_extent_tree+0x183/0x400
f2fs_init_extent_tree+0x214/0x450
f2fs_new_inode+0xdb4/0x1090
__f2fs_tmpfile+0xa5/0x380
f2fs_ioc_start_atomic_write+0x419/0x970
__f2fs_ioctl+0x1ace/0xb2b0
__se_sys_ioctl+0xf1/0x160
do_syscall_64+0x41/0xc0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Freed by task 5722:
__kasan_slab_alloc+0x69/0x80
slab_post_alloc_hook+0x68/0x390
kmem_cache_alloc+0x12c/0x280
__grab_extent_tree+0x183/0x400
f2fs_init_extent_tree+0x214/0x450
f2fs_new_inode+0xdb4/0x1090
__f2fs_tmpfile+0xa5/0x380
f2fs_ioc_start_atomic_write+0x419/0x970
__f2fs_ioctl+0x1ace/0xb2b0
__se_sys_ioctl+0xf1/0x160
do_syscall_64+0x41/0xc0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
kasan_set_track+0x40/0x70
kasan_save_free_info+0x2b/0x40
____kasan_slab_free+0xd6/0x120
kmem_cache_free+0x2b5/0x580
__destroy_extent_tree+0x32a/0x740
f2fs_destroy_extent_tree+0x17/0x30
f2fs_evict_inode+0x467/0x1650
evict+0x2a4/0x620
f2fs_abort_atomic_write+0xda/0x440
__f2fs_ioctl+0x315c/0xb2b0
__se_sys_ioctl+0xf1/0x160
do_syscall_64+0x41/0xc0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The buggy address belongs to the object at ffff888072b49410
f2fs_evict_inode+0x467/0x1650
evict+0x2a4/0x620
f2fs_abort_atomic_write+0xda/0x440
__f2fs_ioctl+0x315c/0xb2b0
__se_sys_ioctl+0xf1/0x160
do_syscall_64+0x41/0xc0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
which belongs to the cache f2fs_extent_tree of size 144
The buggy address is located 72 bytes inside of
144-byte region [ffff888072b49410, ffff888072b494a0)
The buggy address belongs to the physical page:
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffff8881461b4140 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080130013 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Reclaimable, gfp_mask 0x112c50(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 5651, tgid 5650 (syz-executor.0), ts 82235488460, free_ts 16127728337
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
get_page_from_freelist+0x3403/0x3580
__alloc_pages+0x291/0x7e0
alloc_slab_page+0x6a/0x160
new_slab+0x84/0x2f0
___slab_alloc+0xa07/0x1000
kmem_cache_alloc+0x1b0/0x280
__grab_extent_tree+0x183/0x400
f2fs_init_extent_tree+0x214/0x450
f2fs_new_inode+0xdb4/0x1090
f2fs_create+0x197/0x530
path_openat+0x12b9/0x2e30
do_filp_open+0x26d/0x500
do_sys_openat2+0x128/0x4f0
__x64_sys_openat+0x247/0x290
do_syscall_64+0x41/0xc0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
free_unref_page_prepare+0xf3a/0x1040
free_unref_page+0x37/0x3f0
__alloc_pages+0x291/0x7e0
alloc_slab_page+0x6a/0x160
new_slab+0x84/0x2f0
___slab_alloc+0xa07/0x1000
kmem_cache_alloc+0x1b0/0x280
__grab_extent_tree+0x183/0x400
f2fs_init_extent_tree+0x214/0x450
f2fs_new_inode+0xdb4/0x1090
f2fs_create+0x197/0x530
path_openat+0x12b9/0x2e30
do_filp_open+0x26d/0x500
do_sys_openat2+0x128/0x4f0
__x64_sys_openat+0x247/0x290
do_syscall_64+0x41/0xc0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
free_unref_page_prepare+0xf3a/0x1040
free_unref_page+0x37/0x3f0
free_contig_range+0x9e/0x150
destroy_args+0x102/0x930
debug_vm_pgtable+0x446/0x4b0
do_one_initcall+0x292/0xa20
do_initcall_level+0x157/0x210
do_initcalls+0x3f/0x80
kernel_init_freeable+0x42e/0x5e0
kernel_init+0x1d/0x2a0
ret_from_fork+0x1f/0x30
destroy_args+0x102/0x930
debug_vm_pgtable+0x446/0x4b0
do_one_initcall+0x292/0xa20
do_initcall_level+0x157/0x210
do_initcalls+0x3f/0x80
kernel_init_freeable+0x42e/0x5e0
kernel_init+0x1d/0x2a0
ret_from_fork+0x1f/0x30
Memory state around the buggy address:
ffff888072b49300: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
ffff888072b49380: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
>ffff888072b49400: fc fc fa fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888072b49480: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
ffff888072b49500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
Tested on:
commit: 7c46948a Merge tag 'fs.fuse.acl.v6.2-rc6' of git://git..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=13154964c80000
Tested on:
commit: 7c46948a Merge tag 'fs.fuse.acl.v6.2-rc6' of git://git..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=f5a0f98ea28dd7b9
dashboard link: https://syzkaller.appspot.com/bug?extid=a6054f41d1cf28996a7d
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=149021f8c80000
ead...@sina.com
Feb 25, 2023, 1:50:53 AM2/25/23
to syzbot+a6054f...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
> HEAD commit: 7c46948a6e9c Merge tag 'fs.fuse.acl.v6.2-rc6' of git://git..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=13f04ecd480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=c8d5c2ee6c2bd4b8
> dashboard link: https://syzkaller.appspot.com/bug?extid=a6054f41d1cf28996a7d
> compiler: Debian clang version 13.0.1-6~deb11u1, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15d846f5480000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=177f1649480000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/cc51645b6401/disk-7c46948a.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/be036b5604a3/vmlinux-7c46948a.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/274f5abf2c8f/bzImage-7c46948a.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/f8e3282fa048/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+a6054f...@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: use-after-free in rb_link_node include/linux/rbtree.h:65 [inline]
> BUG: KASAN: use-after-free in __attach_extent_node+0x23d/0x480 fs/f2fs/extent_cache.c:372
> Write of size 8 at addr ffff8880714514e8 by task syz-executor122/5273
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=13f04ecd480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=c8d5c2ee6c2bd4b8
> dashboard link: https://syzkaller.appspot.com/bug?extid=a6054f41d1cf28996a7d
> compiler: Debian clang version 13.0.1-6~deb11u1, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15d846f5480000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=177f1649480000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/cc51645b6401/disk-7c46948a.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/be036b5604a3/vmlinux-7c46948a.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/274f5abf2c8f/bzImage-7c46948a.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/f8e3282fa048/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+a6054f...@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: use-after-free in rb_link_node include/linux/rbtree.h:65 [inline]
> BUG: KASAN: use-after-free in __attach_extent_node+0x23d/0x480 fs/f2fs/extent_cache.c:372
> Write of size 8 at addr ffff8880714514e8 by task syz-executor122/5273
Test __attach_extent_node uaf.
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 7c46948a6e9c
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 7c46948a6e9c
--- a/fs/f2fs/f2fs.h
+++ b/fs/f2fs/f2fs.h
@@ -685,6 +685,7 @@ struct extent_tree_info {
struct mutex extent_tree_lock; /* locking extent radix tree */
struct list_head extent_list; /* lru list for shrinker */
spinlock_t extent_lock; /* locking extent lru list */
+ spinlock_t et_read_lock; /* locking read extent tree */
atomic_t total_ext_tree; /* extent tree count */
struct list_head zombie_list; /* extent zombie tree list */
atomic_t total_zombie_tree; /* extent zombie tree count */
--- a/fs/f2fs/extent_cache.c
+++ b/fs/f2fs/f2fs.h
@@ -685,6 +685,7 @@ struct extent_tree_info {
struct mutex extent_tree_lock; /* locking extent radix tree */
struct list_head extent_list; /* lru list for shrinker */
spinlock_t extent_lock; /* locking extent lru list */
+ spinlock_t et_read_lock; /* locking read extent tree */
atomic_t total_ext_tree; /* extent tree count */
struct list_head zombie_list; /* extent zombie tree list */
atomic_t total_zombie_tree; /* extent zombie tree count */
+++ b/fs/f2fs/extent_cache.c
@@ -675,13 +675,17 @@ static void __update_extent_tree_range(struct inode *inode,
struct extent_node *prev_en = NULL, *next_en = NULL;
struct extent_info ei, dei, prev;
struct rb_node **insert_p = NULL, *insert_parent = NULL;
+ struct extent_tree_info *eti = &sbi->extent_tree[type];
unsigned int fofs = tei->fofs, len = tei->len;
unsigned int end = fofs + len;
bool updated = false;
bool leftmost = false;
struct extent_info ei, dei, prev;
struct rb_node **insert_p = NULL, *insert_parent = NULL;
+ struct extent_tree_info *eti = &sbi->extent_tree[type];
unsigned int fofs = tei->fofs, len = tei->len;
unsigned int end = fofs + len;
bool updated = false;
- if (!et)
+ spin_lock(&eti->et_read_lock);
+ if (!et) {
+ spin_unlock(&eti->et_read_lock);
return;
+ }
if (type == EX_READ)
trace_f2fs_update_read_extent_tree_range(inode, fofs, len,
@@ -695,6 +699,7 @@ static void __update_extent_tree_range(struct inode *inode,
if (type == EX_READ) {
if (is_inode_flag_set(inode, FI_NO_EXTENT)) {
write_unlock(&et->lock);
+ spin_unlock(&eti->et_read_lock);
return;
}
@@ -824,6 +829,7 @@ static void __update_extent_tree_range(struct inode *inode,
if (is_inode_flag_set(inode, FI_NO_EXTENT)) {
write_unlock(&et->lock);
+ spin_unlock(&eti->et_read_lock);
return;
}
insert_p, insert_parent, leftmost);
out_read_extent_cache:
write_unlock(&et->lock);
+ spin_unlock(&eti->et_read_lock);
if (updated)
f2fs_mark_inode_dirty_sync(inode, true);
@@ -1190,7 +1196,9 @@ static void __destroy_extent_tree(struct inode *inode, enum extent_type type)
out_read_extent_cache:
write_unlock(&et->lock);
+ spin_unlock(&eti->et_read_lock);
if (updated)
f2fs_mark_inode_dirty_sync(inode, true);
mutex_lock(&eti->extent_tree_lock);
f2fs_bug_on(sbi, atomic_read(&et->node_cnt));
radix_tree_delete(&eti->extent_tree_root, inode->i_ino);
+ spin_lock(&eti->et_read_lock);
kmem_cache_free(extent_tree_slab, et);
+ spin_unlock(&eti->et_read_lock);
atomic_dec(&eti->total_ext_tree);
mutex_unlock(&eti->extent_tree_lock);
@@ -1211,6 +1219,7 @@ static void __init_extent_tree_info(struct extent_tree_info *eti)
f2fs_bug_on(sbi, atomic_read(&et->node_cnt));
radix_tree_delete(&eti->extent_tree_root, inode->i_ino);
+ spin_lock(&eti->et_read_lock);
kmem_cache_free(extent_tree_slab, et);
+ spin_unlock(&eti->et_read_lock);
atomic_dec(&eti->total_ext_tree);
mutex_unlock(&eti->extent_tree_lock);
syzbot
Feb 25, 2023, 2:30:21 AM2/25/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in __shrink_extent_tree
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
==================================================================
BUG: KASAN: use-after-free in do_raw_write_trylock+0x72/0x1f0
Read of size 4 at addr ffff888073fdbe00 by task syz-executor.0/5531
CPU: 0 PID: 5531 Comm: syz-executor.0 Not tainted 6.2.0-rc5-syzkaller-00047-g7c46948a6e9c-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/16/2023
Call Trace:
<TASK>
dump_stack_lvl+0x1b5/0x2a0
print_report+0x163/0x4c0
kasan_report+0xce/0x100
kasan_check_range+0x283/0x290
Call Trace:
<TASK>
dump_stack_lvl+0x1b5/0x2a0
print_report+0x163/0x4c0
kasan_report+0xce/0x100
do_raw_write_trylock+0x72/0x1f0
_raw_write_trylock+0x20/0x70
__shrink_extent_tree+0x5e1/0xc50
f2fs_leave_shrinker+0x86/0x260
f2fs_put_super+0x597/0xcb0
generic_shutdown_super+0x134/0x310
kill_block_super+0x7e/0xe0
kill_f2fs_super+0x303/0x3d0
deactivate_locked_super+0xa4/0x110
cleanup_mnt+0x490/0x520
task_work_run+0x24a/0x300
exit_to_user_mode_loop+0xd1/0xf0
exit_to_user_mode_prepare+0xb1/0x140
syscall_exit_to_user_mode+0x54/0x2d0
do_syscall_64+0x4d/0xc0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7ff73268d537
Code: ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe667cfdc8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007ff73268d537
RDX: 00007ffe667cfe9b RSI: 000000000000000a RDI: 00007ffe667cfe90
RBP: 00007ffe667cfe90 R08: 00000000ffffffff R09: 00007ffe667cfc60
R10: 00005555557478b3 R11: 0000000000000246 R12: 00007ff7326e6b24
R13: 00007ffe667d0f50 R14: 0000555555747810 R15: 00007ffe667d0f90
</TASK>
Allocated by task 9054:
kasan_set_track+0x40/0x70
__kasan_slab_alloc+0x69/0x80
slab_post_alloc_hook+0x68/0x390
kmem_cache_alloc+0x12c/0x280
__grab_extent_tree+0x183/0x400
f2fs_init_extent_tree+0x214/0x450
f2fs_new_inode+0xdb4/0x1090
__f2fs_tmpfile+0xa5/0x380
f2fs_ioc_start_atomic_write+0x419/0x970
__f2fs_ioctl+0x1ace/0xb2b0
__se_sys_ioctl+0xf1/0x160
do_syscall_64+0x41/0xc0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Freed by task 9059:
__kasan_slab_alloc+0x69/0x80
slab_post_alloc_hook+0x68/0x390
kmem_cache_alloc+0x12c/0x280
__grab_extent_tree+0x183/0x400
f2fs_init_extent_tree+0x214/0x450
f2fs_new_inode+0xdb4/0x1090
__f2fs_tmpfile+0xa5/0x380
f2fs_ioc_start_atomic_write+0x419/0x970
__f2fs_ioctl+0x1ace/0xb2b0
__se_sys_ioctl+0xf1/0x160
do_syscall_64+0x41/0xc0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
kasan_set_track+0x40/0x70
kasan_save_free_info+0x2b/0x40
____kasan_slab_free+0xd6/0x120
kmem_cache_free+0x2b5/0x580
__destroy_extent_tree+0x32a/0x740
f2fs_destroy_extent_tree+0x17/0x30
f2fs_evict_inode+0x467/0x1650
evict+0x2a4/0x620
f2fs_abort_atomic_write+0xda/0x440
__f2fs_ioctl+0x315c/0xb2b0
__se_sys_ioctl+0xf1/0x160
do_syscall_64+0x41/0xc0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The buggy address belongs to the object at ffff888073fdbdd0
kasan_save_free_info+0x2b/0x40
____kasan_slab_free+0xd6/0x120
kmem_cache_free+0x2b5/0x580
__destroy_extent_tree+0x32a/0x740
f2fs_destroy_extent_tree+0x17/0x30
f2fs_evict_inode+0x467/0x1650
evict+0x2a4/0x620
f2fs_abort_atomic_write+0xda/0x440
__f2fs_ioctl+0x315c/0xb2b0
__se_sys_ioctl+0xf1/0x160
do_syscall_64+0x41/0xc0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
which belongs to the cache f2fs_extent_tree of size 144
The buggy address is located 48 bytes inside of
144-byte region [ffff888073fdbdd0, ffff888073fdbe60)
The buggy address belongs to the physical page:
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffff8881466f2b40 ffffea0001cf8e40 0000000000000004
raw: 0000000000000000 0000000080130013 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Reclaimable, gfp_mask 0x112c50(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 5595, tgid 5594 (syz-executor.0), ts 80035358654, free_ts 79979980358
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
get_page_from_freelist+0x3403/0x3580
__alloc_pages+0x291/0x7e0
alloc_slab_page+0x6a/0x160
new_slab+0x84/0x2f0
___slab_alloc+0xa07/0x1000
kmem_cache_alloc+0x1b0/0x280
__grab_extent_tree+0x183/0x400
f2fs_init_extent_tree+0x214/0x450
f2fs_new_inode+0xdb4/0x1090
f2fs_create+0x197/0x530
path_openat+0x12b9/0x2e30
do_filp_open+0x26d/0x500
do_sys_openat2+0x128/0x4f0
__x64_sys_openat+0x247/0x290
do_syscall_64+0x41/0xc0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
free_unref_page_prepare+0xf3a/0x1040
free_unref_page+0x37/0x3f0
__alloc_pages+0x291/0x7e0
alloc_slab_page+0x6a/0x160
new_slab+0x84/0x2f0
___slab_alloc+0xa07/0x1000
kmem_cache_alloc+0x1b0/0x280
__grab_extent_tree+0x183/0x400
f2fs_init_extent_tree+0x214/0x450
f2fs_new_inode+0xdb4/0x1090
f2fs_create+0x197/0x530
path_openat+0x12b9/0x2e30
do_filp_open+0x26d/0x500
do_sys_openat2+0x128/0x4f0
__x64_sys_openat+0x247/0x290
do_syscall_64+0x41/0xc0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
free_unref_page_prepare+0xf3a/0x1040
free_unref_page+0x37/0x3f0
__unfreeze_partials+0x1b1/0x1f0
put_cpu_partial+0x106/0x170
qlist_free_all+0x22/0x60
kasan_quarantine_reduce+0x15a/0x170
__kasan_slab_alloc+0x23/0x80
slab_post_alloc_hook+0x68/0x390
__kmem_cache_alloc_node+0x14c/0x2a0
put_cpu_partial+0x106/0x170
qlist_free_all+0x22/0x60
kasan_quarantine_reduce+0x15a/0x170
__kasan_slab_alloc+0x23/0x80
slab_post_alloc_hook+0x68/0x390
__kmalloc_node+0xa2/0x190
kvmalloc_node+0x72/0x180
f2fs_build_node_manager+0xfc5/0x1e20
f2fs_fill_super+0x46f3/0x6f30
mount_bdev+0x271/0x3a0
legacy_get_tree+0xef/0x190
vfs_get_tree+0x8c/0x270
Memory state around the buggy address:
ffff888073fdbd80: fb fb fc fc fc fc fc fc fc fc fa fb fb fb fb fb
>ffff888073fdbe00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
^
ffff888073fdbe80: fc fc fc fc fa fb fb fb fb fb fb fb fb fb fb fb
ffff888073fdbf00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
==================================================================
Tested on:
commit: 7c46948a Merge tag 'fs.fuse.acl.v6.2-rc6' of git://git..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=175980a8c80000
Tested on:
commit: 7c46948a Merge tag 'fs.fuse.acl.v6.2-rc6' of git://git..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=f5a0f98ea28dd7b9
dashboard link: https://syzkaller.appspot.com/bug?extid=a6054f41d1cf28996a7d
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=14dcdbf0c80000
ead...@sina.com
Feb 25, 2023, 7:56:26 AM2/25/23
to syzbot+a6054f...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
> HEAD commit: 7c46948a6e9c Merge tag 'fs.fuse.acl.v6.2-rc6' of git://git..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=13f04ecd480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=c8d5c2ee6c2bd4b8
> dashboard link: https://syzkaller.appspot.com/bug?extid=a6054f41d1cf28996a7d
> compiler: Debian clang version 13.0.1-6~deb11u1, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15d846f5480000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=177f1649480000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/cc51645b6401/disk-7c46948a.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/be036b5604a3/vmlinux-7c46948a.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/274f5abf2c8f/bzImage-7c46948a.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/f8e3282fa048/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+a6054f...@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: use-after-free in rb_link_node include/linux/rbtree.h:65 [inline]
> BUG: KASAN: use-after-free in __attach_extent_node+0x23d/0x480 fs/f2fs/extent_cache.c:372
> Write of size 8 at addr ffff8880714514e8 by task syz-executor122/5273
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=13f04ecd480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=c8d5c2ee6c2bd4b8
> dashboard link: https://syzkaller.appspot.com/bug?extid=a6054f41d1cf28996a7d
> compiler: Debian clang version 13.0.1-6~deb11u1, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15d846f5480000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=177f1649480000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/cc51645b6401/disk-7c46948a.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/be036b5604a3/vmlinux-7c46948a.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/274f5abf2c8f/bzImage-7c46948a.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/f8e3282fa048/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+a6054f...@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: use-after-free in rb_link_node include/linux/rbtree.h:65 [inline]
> BUG: KASAN: use-after-free in __attach_extent_node+0x23d/0x480 fs/f2fs/extent_cache.c:372
> Write of size 8 at addr ffff8880714514e8 by task syz-executor122/5273
en = list_first_entry(&eti->extent_list,
struct extent_node, list);
et = en->et;
+ if (!et)
+ continue;
if (!write_trylock(&et->lock)) {
/* refresh this extent node's position in extent list */
list_move_tail(&en->list, &eti->extent_list);
@@ -1190,7 +1198,9 @@ static void __destroy_extent_tree(struct inode *inode, enum extent_type type)
mutex_lock(&eti->extent_tree_lock);
f2fs_bug_on(sbi, atomic_read(&et->node_cnt));
radix_tree_delete(&eti->extent_tree_root, inode->i_ino);
+ spin_lock(&eti->et_read_lock);
kmem_cache_free(extent_tree_slab, et);
+ spin_unlock(&eti->et_read_lock);
atomic_dec(&eti->total_ext_tree);
mutex_unlock(&eti->extent_tree_lock);
@@ -1211,6 +1221,7 @@ static void __init_extent_tree_info(struct extent_tree_info *eti)
f2fs_bug_on(sbi, atomic_read(&et->node_cnt));
radix_tree_delete(&eti->extent_tree_root, inode->i_ino);
+ spin_lock(&eti->et_read_lock);
kmem_cache_free(extent_tree_slab, et);
+ spin_unlock(&eti->et_read_lock);
atomic_dec(&eti->total_ext_tree);
mutex_unlock(&eti->extent_tree_lock);
syzbot
Feb 25, 2023, 8:29:23 AM2/25/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
kernel BUG in __destroy_extent_tree
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
------------[ cut here ]------------
kernel BUG at fs/f2fs/extent_cache.c:1199!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 5612 Comm: syz-executor.0 Not tainted 6.2.0-rc5-syzkaller-00047-g7c46948a6e9c-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/16/2023
RIP: 0010:__destroy_extent_tree+0x5c2/0x740
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/16/2023
Code: dc 0a fe e9 ff fd ff ff 89 e9 80 e1 07 80 c1 03 38 c1 0f 8c 7b fb ff ff 48 89 ef e8 f8 db 0a fe e9 6e fb ff ff e8 8e 95 b6 fd <0f> 0b f3 0f 1e fa 65 8b 1d cd f7 2e 7c 48 c7 c0 78 9b 36 8e 48 c1
RSP: 0018:ffffc900052bf7c0 EFLAGS: 00010293
RAX: ffffffff83d4b072 RBX: 0000000000000001 RCX: ffff8880208057c0
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: ffff888076788000 R08: ffffffff83d4ad67 R09: ffffed100e779229
R10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff1100e72753a
R13: ffff88807393a9d0 R14: ffff888076788bf0 R15: ffff888073bc9140
FS: 00007f70cd5da700(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2022c4b690 CR3: 000000001d05c000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
f2fs_destroy_extent_tree+0x17/0x30
f2fs_evict_inode+0x467/0x1650
evict+0x2a4/0x620
f2fs_abort_atomic_write+0xda/0x440
__f2fs_ioctl+0x315c/0xb2b0
__se_sys_ioctl+0xf1/0x160
do_syscall_64+0x41/0xc0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f70cc88c0c9
f2fs_evict_inode+0x467/0x1650
evict+0x2a4/0x620
f2fs_abort_atomic_write+0xda/0x440
__f2fs_ioctl+0x315c/0xb2b0
__se_sys_ioctl+0xf1/0x160
do_syscall_64+0x41/0xc0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f70cd5da168 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f70cc9ac050 RCX: 00007f70cc88c0c9
RDX: 0000000000000000 RSI: 000000000000f505 RDI: 0000000000000004
RBP: 00007f70cc8e7ae9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffed647f3cf R14: 00007f70cd5da300 R15: 0000000000022000
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__destroy_extent_tree+0x5c2/0x740
Code: dc 0a fe e9 ff fd ff ff 89 e9 80 e1 07 80 c1 03 38 c1 0f 8c 7b fb ff ff 48 89 ef e8 f8 db 0a fe e9 6e fb ff ff e8 8e 95 b6 fd <0f> 0b f3 0f 1e fa 65 8b 1d cd f7 2e 7c 48 c7 c0 78 9b 36 8e 48 c1
RSP: 0018:ffffc900052bf7c0 EFLAGS: 00010293
RAX: ffffffff83d4b072 RBX: 0000000000000001 RCX: ffff8880208057c0
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: ffff888076788000 R08: ffffffff83d4ad67 R09: ffffed100e779229
R10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff1100e72753a
R13: ffff88807393a9d0 R14: ffff888076788bf0 R15: ffff888073bc9140
FS: 00007f70cd5da700(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007efda0b52300 CR3: 000000001d05c000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Tested on:
commit: 7c46948a Merge tag 'fs.fuse.acl.v6.2-rc6' of git://git..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=14e9a9f7480000
commit: 7c46948a Merge tag 'fs.fuse.acl.v6.2-rc6' of git://git..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=f5a0f98ea28dd7b9
dashboard link: https://syzkaller.appspot.com/bug?extid=a6054f41d1cf28996a7d
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=11a1c318c80000
ead...@sina.com
Feb 25, 2023, 10:26:42 AM2/25/23
to syzbot+a6054f...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
> HEAD commit: 7c46948a6e9c Merge tag 'fs.fuse.acl.v6.2-rc6' of git://git..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=13f04ecd480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=c8d5c2ee6c2bd4b8
> dashboard link: https://syzkaller.appspot.com/bug?extid=a6054f41d1cf28996a7d
> compiler: Debian clang version 13.0.1-6~deb11u1, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15d846f5480000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=177f1649480000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/cc51645b6401/disk-7c46948a.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/be036b5604a3/vmlinux-7c46948a.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/274f5abf2c8f/bzImage-7c46948a.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/f8e3282fa048/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+a6054f...@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: use-after-free in rb_link_node include/linux/rbtree.h:65 [inline]
> BUG: KASAN: use-after-free in __attach_extent_node+0x23d/0x480 fs/f2fs/extent_cache.c:372
> Write of size 8 at addr ffff8880714514e8 by task syz-executor122/5273
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=13f04ecd480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=c8d5c2ee6c2bd4b8
> dashboard link: https://syzkaller.appspot.com/bug?extid=a6054f41d1cf28996a7d
> compiler: Debian clang version 13.0.1-6~deb11u1, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15d846f5480000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=177f1649480000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/cc51645b6401/disk-7c46948a.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/be036b5604a3/vmlinux-7c46948a.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/274f5abf2c8f/bzImage-7c46948a.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/f8e3282fa048/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+a6054f...@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: use-after-free in rb_link_node include/linux/rbtree.h:65 [inline]
> BUG: KASAN: use-after-free in __attach_extent_node+0x23d/0x480 fs/f2fs/extent_cache.c:372
> Write of size 8 at addr ffff8880714514e8 by task syz-executor122/5273
return;
}
+ mutex_lock(&eti->extent_tree_lock);
/* free all extent info belong to this extent tree */
node_cnt = __destroy_extent_node(inode, type);
/* delete extent tree entry in radix tree */
- mutex_lock(&eti->extent_tree_lock);
syzbot
Feb 25, 2023, 11:12:24 AM2/25/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in __update_extent_tree_range
==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x77/0x1f80
Read of size 8 at addr ffff8880726cf118 by task syz-executor.0/5604
CPU: 0 PID: 5604 Comm: syz-executor.0 Not tainted 6.2.0-rc5-syzkaller-00047-g7c46948a6e9c-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/16/2023
Call Trace:
<TASK>
dump_stack_lvl+0x1b5/0x2a0
print_report+0x163/0x4c0
kasan_report+0xce/0x100
__lock_acquire+0x77/0x1f80
<TASK>
dump_stack_lvl+0x1b5/0x2a0
print_report+0x163/0x4c0
kasan_report+0xce/0x100
lock_acquire+0x20b/0x600
_raw_write_lock+0x2e/0x40
__update_extent_tree_range+0x464/0x1e20
f2fs_update_read_extent_cache+0x41e/0x590
f2fs_outplace_write_data+0x200/0x3d0
f2fs_do_write_data_page+0x1393/0x27c0
f2fs_write_single_data_page+0x14c1/0x2140
f2fs_write_data_pages+0x1948/0x2ed0
do_writepages+0x3a6/0x660
filemap_fdatawrite_wbc+0x125/0x180
file_write_and_wait_range+0x21f/0x320
f2fs_do_sync_file+0x7b6/0x1de0
f2fs_file_write_iter+0x7fc/0x2c20
vfs_write+0x7dd/0xc50
ksys_write+0x17c/0x2a0
do_syscall_64+0x41/0xc0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f00da88c0c9
f2fs_outplace_write_data+0x200/0x3d0
f2fs_do_write_data_page+0x1393/0x27c0
f2fs_write_single_data_page+0x14c1/0x2140
f2fs_write_data_pages+0x1948/0x2ed0
do_writepages+0x3a6/0x660
filemap_fdatawrite_wbc+0x125/0x180
file_write_and_wait_range+0x21f/0x320
f2fs_do_sync_file+0x7b6/0x1de0
f2fs_file_write_iter+0x7fc/0x2c20
vfs_write+0x7dd/0xc50
ksys_write+0x17c/0x2a0
do_syscall_64+0x41/0xc0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f00db6d4168 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f00da9abf80 RCX: 00007f00da88c0c9
RDX: 00000000000ffe00 RSI: 0000000020004200 RDI: 0000000000000004
RBP: 00007f00da8e7ae9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fff0963b5af R14: 00007f00db6d4300 R15: 0000000000022000
</TASK>
Allocated by task 5604:
kasan_set_track+0x40/0x70
__kasan_slab_alloc+0x69/0x80
slab_post_alloc_hook+0x68/0x390
kmem_cache_alloc+0x12c/0x280
__grab_extent_tree+0x183/0x400
f2fs_init_extent_tree+0x214/0x450
f2fs_new_inode+0xdb4/0x1090
__f2fs_tmpfile+0xa5/0x380
f2fs_ioc_start_atomic_write+0x419/0x970
__f2fs_ioctl+0x1ace/0xb2b0
__se_sys_ioctl+0xf1/0x160
do_syscall_64+0x41/0xc0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
__kasan_slab_alloc+0x69/0x80
slab_post_alloc_hook+0x68/0x390
kmem_cache_alloc+0x12c/0x280
__grab_extent_tree+0x183/0x400
f2fs_init_extent_tree+0x214/0x450
f2fs_new_inode+0xdb4/0x1090
__f2fs_tmpfile+0xa5/0x380
f2fs_ioc_start_atomic_write+0x419/0x970
__f2fs_ioctl+0x1ace/0xb2b0
__se_sys_ioctl+0xf1/0x160
do_syscall_64+0x41/0xc0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Freed by task 5625:
kasan_set_track+0x40/0x70
kasan_save_free_info+0x2b/0x40
____kasan_slab_free+0xd6/0x120
kmem_cache_free+0x2b5/0x580
__destroy_extent_tree+0x306/0x730
kasan_set_track+0x40/0x70
kasan_save_free_info+0x2b/0x40
____kasan_slab_free+0xd6/0x120
kmem_cache_free+0x2b5/0x580
f2fs_destroy_extent_tree+0x17/0x30
f2fs_evict_inode+0x467/0x1650
evict+0x2a4/0x620
f2fs_abort_atomic_write+0xda/0x440
__f2fs_ioctl+0x315c/0xb2b0
__se_sys_ioctl+0xf1/0x160
do_syscall_64+0x41/0xc0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The buggy address belongs to the object at ffff8880726cf0d0
f2fs_evict_inode+0x467/0x1650
evict+0x2a4/0x620
f2fs_abort_atomic_write+0xda/0x440
__f2fs_ioctl+0x315c/0xb2b0
__se_sys_ioctl+0xf1/0x160
do_syscall_64+0x41/0xc0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
which belongs to the cache f2fs_extent_tree of size 144
The buggy address is located 72 bytes inside of
144-byte region [ffff8880726cf0d0, ffff8880726cf160)
The buggy address belongs to the physical page:
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffff888146057c80 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080130013 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Reclaimable, gfp_mask 0x112c50(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 5604, tgid 5603 (syz-executor.0), ts 83164655154, free_ts 83116444963
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
getname_flags+0xbc/0x4e0
__se_sys_newfstatat+0xcf/0x7e0
do_syscall_64+0x41/0xc0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Memory state around the buggy address:
ffff8880726cf080: 00 00 fc fc fc fc fc fc fc fc fa fb fb fb fb fb
>ffff8880726cf100: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
^
ffff8880726cf180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8880726cf200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
Tested on:
commit: 7c46948a Merge tag 'fs.fuse.acl.v6.2-rc6' of git://git..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=f5a0f98ea28dd7b9
dashboard link: https://syzkaller.appspot.com/bug?extid=a6054f41d1cf28996a7d
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=10d7000f480000
ead...@sina.com
Feb 25, 2023, 8:13:25 PM2/25/23
to syzbot+a6054f...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
> HEAD commit: 7c46948a6e9c Merge tag 'fs.fuse.acl.v6.2-rc6' of git://git..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=13f04ecd480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=c8d5c2ee6c2bd4b8
> dashboard link: https://syzkaller.appspot.com/bug?extid=a6054f41d1cf28996a7d
> compiler: Debian clang version 13.0.1-6~deb11u1, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15d846f5480000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=177f1649480000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/cc51645b6401/disk-7c46948a.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/be036b5604a3/vmlinux-7c46948a.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/274f5abf2c8f/bzImage-7c46948a.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/f8e3282fa048/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+a6054f...@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: use-after-free in rb_link_node include/linux/rbtree.h:65 [inline]
> BUG: KASAN: use-after-free in __attach_extent_node+0x23d/0x480 fs/f2fs/extent_cache.c:372
> Write of size 8 at addr ffff8880714514e8 by task syz-executor122/5273
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=13f04ecd480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=c8d5c2ee6c2bd4b8
> dashboard link: https://syzkaller.appspot.com/bug?extid=a6054f41d1cf28996a7d
> compiler: Debian clang version 13.0.1-6~deb11u1, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15d846f5480000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=177f1649480000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/cc51645b6401/disk-7c46948a.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/be036b5604a3/vmlinux-7c46948a.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/274f5abf2c8f/bzImage-7c46948a.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/f8e3282fa048/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+a6054f...@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: use-after-free in rb_link_node include/linux/rbtree.h:65 [inline]
> BUG: KASAN: use-after-free in __attach_extent_node+0x23d/0x480 fs/f2fs/extent_cache.c:372
> Write of size 8 at addr ffff8880714514e8 by task syz-executor122/5273
Test __attach_extent_node uaf.
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 7c46948a6e9c
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 7c46948a6e9c
--- a/fs/f2fs/extent_cache.c
+++ b/fs/f2fs/extent_cache.c
@@ -675,13 +675,17 @@ static void __update_extent_tree_range(struct inode *inode,
struct extent_node *prev_en = NULL, *next_en = NULL;
struct extent_info ei, dei, prev;
struct rb_node **insert_p = NULL, *insert_parent = NULL;
+ struct extent_tree_info *eti = &sbi->extent_tree[type];
unsigned int fofs = tei->fofs, len = tei->len;
unsigned int end = fofs + len;
bool updated = false;
bool leftmost = false;
- if (!et)
+ mutex_lock(&eti->et_r_lock);
+++ b/fs/f2fs/extent_cache.c
@@ -675,13 +675,17 @@ static void __update_extent_tree_range(struct inode *inode,
struct extent_node *prev_en = NULL, *next_en = NULL;
struct extent_info ei, dei, prev;
struct rb_node **insert_p = NULL, *insert_parent = NULL;
+ struct extent_tree_info *eti = &sbi->extent_tree[type];
unsigned int fofs = tei->fofs, len = tei->len;
unsigned int end = fofs + len;
bool updated = false;
bool leftmost = false;
- if (!et)
+ if (!et) {
+ mutex_unlock(&eti->et_r_lock);
return;
+ }
if (type == EX_READ)
trace_f2fs_update_read_extent_tree_range(inode, fofs, len,
@@ -695,6 +699,7 @@ static void __update_extent_tree_range(struct inode *inode,
if (type == EX_READ) {
if (is_inode_flag_set(inode, FI_NO_EXTENT)) {
write_unlock(&et->lock);
+ mutex_unlock(&eti->et_r_lock);
+ }
if (type == EX_READ)
trace_f2fs_update_read_extent_tree_range(inode, fofs, len,
@@ -695,6 +699,7 @@ static void __update_extent_tree_range(struct inode *inode,
if (type == EX_READ) {
if (is_inode_flag_set(inode, FI_NO_EXTENT)) {
write_unlock(&et->lock);
return;
}
@@ -824,6 +829,7 @@ static void __update_extent_tree_range(struct inode *inode,
insert_p, insert_parent, leftmost);
out_read_extent_cache:
write_unlock(&et->lock);
+ mutex_unlock(&eti->et_r_lock);
}
@@ -824,6 +829,7 @@ static void __update_extent_tree_range(struct inode *inode,
insert_p, insert_parent, leftmost);
out_read_extent_cache:
write_unlock(&et->lock);
if (updated)
f2fs_mark_inode_dirty_sync(inode, true);
@@ -1012,6 +1018,8 @@ static unsigned int __shrink_extent_tree(struct f2fs_sb_info *sbi, int nr_shrink
en = list_first_entry(&eti->extent_list,
struct extent_node, list);
et = en->et;
+ if (!et)
+ continue;
if (!write_trylock(&et->lock)) {
/* refresh this extent node's position in extent list */
list_move_tail(&en->list, &eti->extent_list);
@@ -1183,14 +1191,16 @@ static void __destroy_extent_tree(struct inode *inode, enum extent_type type)
return;
}
+ mutex_lock(&eti->extent_tree_lock);
/* free all extent info belong to this extent tree */
node_cnt = __destroy_extent_node(inode, type);
/* delete extent tree entry in radix tree */
- mutex_lock(&eti->extent_tree_lock);
f2fs_bug_on(sbi, atomic_read(&et->node_cnt));
radix_tree_delete(&eti->extent_tree_root, inode->i_ino);
kmem_cache_free(extent_tree_slab, et);
+ mutex_unlock(&eti->et_r_lock);
atomic_dec(&eti->total_ext_tree);
mutex_unlock(&eti->extent_tree_lock);
@@ -1209,8 +1219,10 @@ static void __init_extent_tree_info(struct extent_tree_info *eti)
{
INIT_RADIX_TREE(&eti->extent_tree_root, GFP_NOIO);
mutex_init(&eti->extent_tree_lock);
+ mutex_init(&eti->et_r_lock);
INIT_LIST_HEAD(&eti->extent_list);
spin_lock_init(&eti->extent_lock);
+ spin_lock_init(&eti->et_read_lock);
atomic_set(&eti->total_ext_tree, 0);
INIT_LIST_HEAD(&eti->zombie_list);
atomic_set(&eti->total_zombie_tree, 0);
--- a/fs/f2fs/f2fs.h
spin_lock_init(&eti->extent_lock);
+ spin_lock_init(&eti->et_read_lock);
atomic_set(&eti->total_ext_tree, 0);
INIT_LIST_HEAD(&eti->zombie_list);
atomic_set(&eti->total_zombie_tree, 0);
+++ b/fs/f2fs/f2fs.h
@@ -685,6 +685,8 @@ struct extent_tree_info {
struct mutex extent_tree_lock; /* locking extent radix tree */
struct list_head extent_list; /* lru list for shrinker */
spinlock_t extent_lock; /* locking extent lru list */
+ spinlock_t et_read_lock; /* locking read extent tree */
+ struct mutex et_r_lock; /* locking extent radix tree */
struct list_head extent_list; /* lru list for shrinker */
spinlock_t extent_lock; /* locking extent lru list */
+ spinlock_t et_read_lock; /* locking read extent tree */
syzbot
Feb 25, 2023, 8:37:30 PM2/25/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in __shrink_extent_tree
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
syz-executor.0: attempt to access beyond end of device
loop0: rw=2049, sector=45096, nr_sectors = 8 limit=40427
==================================================================
BUG: KASAN: use-after-free in do_raw_write_trylock+0x72/0x1f0
Read of size 4 at addr ffff88807f7585e0 by task syz-executor.0/5544
CPU: 1 PID: 5544 Comm: syz-executor.0 Not tainted 6.2.0-rc5-syzkaller-00047-g7c46948a6e9c-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/16/2023
Call Trace:
<TASK>
dump_stack_lvl+0x1b5/0x2a0
print_report+0x163/0x4c0
kasan_report+0xce/0x100
kasan_check_range+0x283/0x290
Call Trace:
<TASK>
dump_stack_lvl+0x1b5/0x2a0
print_report+0x163/0x4c0
kasan_report+0xce/0x100
do_raw_write_trylock+0x72/0x1f0
_raw_write_trylock+0x20/0x70
__shrink_extent_tree+0x5b9/0xc80
f2fs_leave_shrinker+0x86/0x260
f2fs_put_super+0x597/0xcb0
generic_shutdown_super+0x134/0x310
kill_block_super+0x7e/0xe0
kill_f2fs_super+0x303/0x3d0
deactivate_locked_super+0xa4/0x110
cleanup_mnt+0x490/0x520
task_work_run+0x24a/0x300
exit_to_user_mode_loop+0xd1/0xf0
exit_to_user_mode_prepare+0xb1/0x140
syscall_exit_to_user_mode+0x54/0x2d0
do_syscall_64+0x4d/0xc0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fba8688d537
f2fs_put_super+0x597/0xcb0
generic_shutdown_super+0x134/0x310
kill_block_super+0x7e/0xe0
kill_f2fs_super+0x303/0x3d0
deactivate_locked_super+0xa4/0x110
cleanup_mnt+0x490/0x520
task_work_run+0x24a/0x300
exit_to_user_mode_loop+0xd1/0xf0
exit_to_user_mode_prepare+0xb1/0x140
syscall_exit_to_user_mode+0x54/0x2d0
do_syscall_64+0x4d/0xc0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Code: ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc7567f748 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007fba8688d537
RDX: 00007ffc7567f819 RSI: 000000000000000a RDI: 00007ffc7567f810
RBP: 00007ffc7567f810 R08: 00000000ffffffff R09: 00007ffc7567f5e0
R10: 00005555569a08b3 R11: 0000000000000246 R12: 00007fba868e6b24
R13: 00007ffc756808d0 R14: 00005555569a0810 R15: 00007ffc75680910
</TASK>
Allocated by task 5685:
kasan_set_track+0x40/0x70
__kasan_slab_alloc+0x69/0x80
slab_post_alloc_hook+0x68/0x390
kmem_cache_alloc+0x12c/0x280
__grab_extent_tree+0x183/0x400
f2fs_init_extent_tree+0x214/0x450
f2fs_new_inode+0xdb4/0x1090
__f2fs_tmpfile+0xa5/0x380
f2fs_ioc_start_atomic_write+0x419/0x970
__f2fs_ioctl+0x1ace/0xb2b0
__se_sys_ioctl+0xf1/0x160
do_syscall_64+0x41/0xc0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Freed by task 5702:
__kasan_slab_alloc+0x69/0x80
slab_post_alloc_hook+0x68/0x390
kmem_cache_alloc+0x12c/0x280
__grab_extent_tree+0x183/0x400
f2fs_init_extent_tree+0x214/0x450
f2fs_new_inode+0xdb4/0x1090
__f2fs_tmpfile+0xa5/0x380
f2fs_ioc_start_atomic_write+0x419/0x970
__f2fs_ioctl+0x1ace/0xb2b0
__se_sys_ioctl+0xf1/0x160
do_syscall_64+0x41/0xc0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
kasan_set_track+0x40/0x70
kasan_save_free_info+0x2b/0x40
____kasan_slab_free+0xd6/0x120
kmem_cache_free+0x2b5/0x580
__destroy_extent_tree+0x307/0x730
f2fs_destroy_extent_tree+0x17/0x30
f2fs_evict_inode+0x467/0x1650
evict+0x2a4/0x620
f2fs_abort_atomic_write+0xda/0x440
__f2fs_ioctl+0x315c/0xb2b0
__se_sys_ioctl+0xf1/0x160
do_syscall_64+0x41/0xc0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The buggy address belongs to the object at ffff88807f7585b0
f2fs_evict_inode+0x467/0x1650
evict+0x2a4/0x620
f2fs_abort_atomic_write+0xda/0x440
__f2fs_ioctl+0x315c/0xb2b0
__se_sys_ioctl+0xf1/0x160
do_syscall_64+0x41/0xc0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
which belongs to the cache f2fs_extent_tree of size 144
The buggy address is located 48 bytes inside of
144-byte region [ffff88807f7585b0, ffff88807f758640)
The buggy address belongs to the physical page:
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffff88814616bdc0 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080130013 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Reclaimable, gfp_mask 0x112c50(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 5603, tgid 5602 (syz-executor.0), ts 104469031710, free_ts 104442588112
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
f2fs_build_free_nids+0xca3/0x1190
f2fs_fill_super+0x46f3/0x6f30
mount_bdev+0x271/0x3a0
legacy_get_tree+0xef/0x190
vfs_get_tree+0x8c/0x270
do_new_mount+0x28f/0xae0
Memory state around the buggy address:
ffff88807f758500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
>ffff88807f758580: fc fc fc fc fc fc fa fb fb fb fb fb fb fb fb fb
^
ffff88807f758600: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff88807f758680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
Tested on:
commit: 7c46948a Merge tag 'fs.fuse.acl.v6.2-rc6' of git://git..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=10526550c80000
Tested on:
commit: 7c46948a Merge tag 'fs.fuse.acl.v6.2-rc6' of git://git..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=f5a0f98ea28dd7b9
dashboard link: https://syzkaller.appspot.com/bug?extid=a6054f41d1cf28996a7d
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=14d3ab3b480000
ead...@sina.com
Feb 25, 2023, 9:27:38 PM2/25/23
to syzbot+a6054f...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
> HEAD commit: 7c46948a6e9c Merge tag 'fs.fuse.acl.v6.2-rc6' of git://git..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=13f04ecd480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=c8d5c2ee6c2bd4b8
> dashboard link: https://syzkaller.appspot.com/bug?extid=a6054f41d1cf28996a7d
> compiler: Debian clang version 13.0.1-6~deb11u1, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15d846f5480000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=177f1649480000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/cc51645b6401/disk-7c46948a.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/be036b5604a3/vmlinux-7c46948a.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/274f5abf2c8f/bzImage-7c46948a.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/f8e3282fa048/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+a6054f...@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: use-after-free in rb_link_node include/linux/rbtree.h:65 [inline]
> BUG: KASAN: use-after-free in __attach_extent_node+0x23d/0x480 fs/f2fs/extent_cache.c:372
> Write of size 8 at addr ffff8880714514e8 by task syz-executor122/5273
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=13f04ecd480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=c8d5c2ee6c2bd4b8
> dashboard link: https://syzkaller.appspot.com/bug?extid=a6054f41d1cf28996a7d
> compiler: Debian clang version 13.0.1-6~deb11u1, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15d846f5480000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=177f1649480000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/cc51645b6401/disk-7c46948a.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/be036b5604a3/vmlinux-7c46948a.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/274f5abf2c8f/bzImage-7c46948a.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/f8e3282fa048/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+a6054f...@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: use-after-free in rb_link_node include/linux/rbtree.h:65 [inline]
> BUG: KASAN: use-after-free in __attach_extent_node+0x23d/0x480 fs/f2fs/extent_cache.c:372
> Write of size 8 at addr ffff8880714514e8 by task syz-executor122/5273
Test __attach_extent_node uaf.
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 7c46948a6e9c
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 7c46948a6e9c
--- a/fs/f2fs/f2fs.h
+++ b/fs/f2fs/f2fs.h
@@ -685,6 +685,8 @@ struct extent_tree_info {
struct mutex extent_tree_lock; /* locking extent radix tree */
struct list_head extent_list; /* lru list for shrinker */
spinlock_t extent_lock; /* locking extent lru list */
+ spinlock_t et_read_lock; /* locking read extent tree */
+ struct mutex et_r_lock; /* locking extent radix tree */
atomic_t total_ext_tree; /* extent tree count */
struct list_head zombie_list; /* extent zombie tree list */
atomic_t total_zombie_tree; /* extent zombie tree count */
--- a/fs/f2fs/extent_cache.c
+++ b/fs/f2fs/f2fs.h
@@ -685,6 +685,8 @@ struct extent_tree_info {
struct mutex extent_tree_lock; /* locking extent radix tree */
struct list_head extent_list; /* lru list for shrinker */
spinlock_t extent_lock; /* locking extent lru list */
+ spinlock_t et_read_lock; /* locking read extent tree */
+ struct mutex et_r_lock; /* locking extent radix tree */
atomic_t total_ext_tree; /* extent tree count */
struct list_head zombie_list; /* extent zombie tree list */
atomic_t total_zombie_tree; /* extent zombie tree count */
+++ b/fs/f2fs/extent_cache.c
@@ -670,18 +670,23 @@ static void __update_extent_tree_range(struct inode *inode,
struct extent_info *tei, enum extent_type type)
{
struct f2fs_sb_info *sbi = F2FS_I_SB(inode);
- struct extent_tree *et = F2FS_I(inode)->extent_tree[type];
+ struct extent_tree *et;
struct extent_node *en = NULL, *en1 = NULL;
struct extent_node *prev_en = NULL, *next_en = NULL;
struct extent_info ei, dei, prev;
struct rb_node **insert_p = NULL, *insert_parent = NULL;
+ struct extent_tree_info *eti = &sbi->extent_tree[type];
unsigned int fofs = tei->fofs, len = tei->len;
unsigned int end = fofs + len;
bool updated = false;
bool leftmost = false;
- if (!et)
+ mutex_lock(&eti->et_r_lock);
+ et = F2FS_I(inode)->extent_tree[type];
struct extent_info ei, dei, prev;
struct rb_node **insert_p = NULL, *insert_parent = NULL;
+ struct extent_tree_info *eti = &sbi->extent_tree[type];
unsigned int fofs = tei->fofs, len = tei->len;
unsigned int end = fofs + len;
bool updated = false;
bool leftmost = false;
- if (!et)
+ mutex_lock(&eti->et_r_lock);
+ if (!et) {
+ mutex_unlock(&eti->et_r_lock);
return;
+ }
if (type == EX_READ)
trace_f2fs_update_read_extent_tree_range(inode, fofs, len,
@@ -695,6 +700,7 @@ static void __update_extent_tree_range(struct inode *inode,
+ mutex_unlock(&eti->et_r_lock);
return;
+ }
if (type == EX_READ)
trace_f2fs_update_read_extent_tree_range(inode, fofs, len,
if (type == EX_READ) {
if (is_inode_flag_set(inode, FI_NO_EXTENT)) {
write_unlock(&et->lock);
+ mutex_unlock(&eti->et_r_lock);
return;
}
@@ -824,6 +830,7 @@ static void __update_extent_tree_range(struct inode *inode,
if (is_inode_flag_set(inode, FI_NO_EXTENT)) {
write_unlock(&et->lock);
+ mutex_unlock(&eti->et_r_lock);
return;
}
insert_p, insert_parent, leftmost);
out_read_extent_cache:
write_unlock(&et->lock);
+ mutex_unlock(&eti->et_r_lock);
if (updated)
f2fs_mark_inode_dirty_sync(inode, true);
@@ -1003,6 +1010,9 @@ static unsigned int __shrink_extent_tree(struct f2fs_sb_info *sbi, int nr_shrink
out_read_extent_cache:
write_unlock(&et->lock);
+ mutex_unlock(&eti->et_r_lock);
if (updated)
f2fs_mark_inode_dirty_sync(inode, true);
if (!mutex_trylock(&eti->extent_tree_lock))
goto out;
+ if (!F2FS_I(inode)->extent_tree[type])
+ goto out;
+
remained = nr_shrink - (node_cnt + tree_cnt);
spin_lock(&eti->extent_lock);
@@ -1183,15 +1193,17 @@ static void __destroy_extent_tree(struct inode *inode, enum extent_type type)
return;
}
+ mutex_lock(&eti->extent_tree_lock);
/* free all extent info belong to this extent tree */
node_cnt = __destroy_extent_node(inode, type);
/* delete extent tree entry in radix tree */
- mutex_lock(&eti->extent_tree_lock);
f2fs_bug_on(sbi, atomic_read(&et->node_cnt));
radix_tree_delete(&eti->extent_tree_root, inode->i_ino);
+ mutex_lock(&eti->et_r_lock);
kmem_cache_free(extent_tree_slab, et);
atomic_dec(&eti->total_ext_tree);
}
+ mutex_lock(&eti->extent_tree_lock);
/* free all extent info belong to this extent tree */
node_cnt = __destroy_extent_node(inode, type);
/* delete extent tree entry in radix tree */
- mutex_lock(&eti->extent_tree_lock);
f2fs_bug_on(sbi, atomic_read(&et->node_cnt));
radix_tree_delete(&eti->extent_tree_root, inode->i_ino);
+ mutex_lock(&eti->et_r_lock);
kmem_cache_free(extent_tree_slab, et);
+ mutex_unlock(&eti->et_r_lock);
mutex_unlock(&eti->extent_tree_lock);
F2FS_I(inode)->extent_tree[type] = NULL;
@@ -1209,8 +1221,10 @@ static void __init_extent_tree_info(struct extent_tree_info *eti)
ead...@sina.com
Feb 25, 2023, 9:42:55 PM2/25/23
to syzbot+a6054f...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
> HEAD commit: 7c46948a6e9c Merge tag 'fs.fuse.acl.v6.2-rc6' of git://git..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=13f04ecd480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=c8d5c2ee6c2bd4b8
> dashboard link: https://syzkaller.appspot.com/bug?extid=a6054f41d1cf28996a7d
> compiler: Debian clang version 13.0.1-6~deb11u1, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15d846f5480000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=177f1649480000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/cc51645b6401/disk-7c46948a.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/be036b5604a3/vmlinux-7c46948a.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/274f5abf2c8f/bzImage-7c46948a.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/f8e3282fa048/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+a6054f...@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: use-after-free in rb_link_node include/linux/rbtree.h:65 [inline]
> BUG: KASAN: use-after-free in __attach_extent_node+0x23d/0x480 fs/f2fs/extent_cache.c:372
> Write of size 8 at addr ffff8880714514e8 by task syz-executor122/5273
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=13f04ecd480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=c8d5c2ee6c2bd4b8
> dashboard link: https://syzkaller.appspot.com/bug?extid=a6054f41d1cf28996a7d
> compiler: Debian clang version 13.0.1-6~deb11u1, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15d846f5480000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=177f1649480000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/cc51645b6401/disk-7c46948a.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/be036b5604a3/vmlinux-7c46948a.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/274f5abf2c8f/bzImage-7c46948a.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/f8e3282fa048/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+a6054f...@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: use-after-free in rb_link_node include/linux/rbtree.h:65 [inline]
> BUG: KASAN: use-after-free in __attach_extent_node+0x23d/0x480 fs/f2fs/extent_cache.c:372
> Write of size 8 at addr ffff8880714514e8 by task syz-executor122/5273
Test __attach_extent_node uaf.
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 7c46948a6e9c
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 7c46948a6e9c
--- a/fs/f2fs/extent_cache.c
+++ b/fs/f2fs/extent_cache.c
@@ -670,18 +670,23 @@ static void __update_extent_tree_range(struct inode *inode,
struct extent_info *tei, enum extent_type type)
{
struct f2fs_sb_info *sbi = F2FS_I_SB(inode);
- struct extent_tree *et = F2FS_I(inode)->extent_tree[type];
+ struct extent_tree *et;
struct extent_node *en = NULL, *en1 = NULL;
struct extent_node *prev_en = NULL, *next_en = NULL;
struct extent_info ei, dei, prev;
struct rb_node **insert_p = NULL, *insert_parent = NULL;
+ struct extent_tree_info *eti = &sbi->extent_tree[type];
unsigned int fofs = tei->fofs, len = tei->len;
unsigned int end = fofs + len;
bool updated = false;
bool leftmost = false;
- if (!et)
+ mutex_lock(&eti->extent_tree_lock);
+++ b/fs/f2fs/extent_cache.c
@@ -670,18 +670,23 @@ static void __update_extent_tree_range(struct inode *inode,
struct extent_info *tei, enum extent_type type)
{
struct f2fs_sb_info *sbi = F2FS_I_SB(inode);
- struct extent_tree *et = F2FS_I(inode)->extent_tree[type];
+ struct extent_tree *et;
struct extent_node *en = NULL, *en1 = NULL;
struct extent_node *prev_en = NULL, *next_en = NULL;
struct extent_info ei, dei, prev;
struct rb_node **insert_p = NULL, *insert_parent = NULL;
+ struct extent_tree_info *eti = &sbi->extent_tree[type];
unsigned int fofs = tei->fofs, len = tei->len;
unsigned int end = fofs + len;
bool updated = false;
bool leftmost = false;
- if (!et)
+ et = F2FS_I(inode)->extent_tree[type];
+ if (!et) {
+ mutex_unlock(&eti->extent_tree_lock);
+ if (!et) {
return;
+ }
if (type == EX_READ)
trace_f2fs_update_read_extent_tree_range(inode, fofs, len,
@@ -695,6 +700,7 @@ static void __update_extent_tree_range(struct inode *inode,
if (type == EX_READ) {
if (is_inode_flag_set(inode, FI_NO_EXTENT)) {
write_unlock(&et->lock);
+ mutex_unlock(&eti->extent_tree_lock);
+ }
if (type == EX_READ)
trace_f2fs_update_read_extent_tree_range(inode, fofs, len,
@@ -695,6 +700,7 @@ static void __update_extent_tree_range(struct inode *inode,
if (type == EX_READ) {
if (is_inode_flag_set(inode, FI_NO_EXTENT)) {
write_unlock(&et->lock);
return;
}
@@ -824,6 +830,7 @@ static void __update_extent_tree_range(struct inode *inode,
insert_p, insert_parent, leftmost);
out_read_extent_cache:
write_unlock(&et->lock);
+ mutex_unlock(&eti->extent_tree_lock);
}
@@ -824,6 +830,7 @@ static void __update_extent_tree_range(struct inode *inode,
insert_p, insert_parent, leftmost);
out_read_extent_cache:
write_unlock(&et->lock);
if (updated)
f2fs_mark_inode_dirty_sync(inode, true);
@@ -1003,6 +1010,9 @@ static unsigned int __shrink_extent_tree(struct f2fs_sb_info *sbi, int nr_shrink
if (!mutex_trylock(&eti->extent_tree_lock))
goto out;
+ if (!F2FS_I(inode)->extent_tree[type])
+ goto out;
+
remained = nr_shrink - (node_cnt + tree_cnt);
spin_lock(&eti->extent_lock);
return;
}
+ mutex_lock(&eti->extent_tree_lock);
/* free all extent info belong to this extent tree */
node_cnt = __destroy_extent_node(inode, type);
/* delete extent tree entry in radix tree */
- mutex_lock(&eti->extent_tree_lock);
f2fs_bug_on(sbi, atomic_read(&et->node_cnt));
radix_tree_delete(&eti->extent_tree_root, inode->i_ino);
kmem_cache_free(extent_tree_slab, et);
}
+ mutex_lock(&eti->extent_tree_lock);
/* free all extent info belong to this extent tree */
node_cnt = __destroy_extent_node(inode, type);
/* delete extent tree entry in radix tree */
- mutex_lock(&eti->extent_tree_lock);
f2fs_bug_on(sbi, atomic_read(&et->node_cnt));
radix_tree_delete(&eti->extent_tree_root, inode->i_ino);
atomic_dec(&eti->total_ext_tree);
- mutex_unlock(&eti->extent_tree_lock);
-
F2FS_I(inode)->extent_tree[type] = NULL;
+ mutex_unlock(&eti->extent_tree_lock);
trace_f2fs_destroy_extent_tree(inode, node_cnt, type);
}
syzbot
Feb 25, 2023, 9:51:19 PM2/25/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
fs/f2fs/extent_cache.c:1013:14: error: use of undeclared identifier 'inode'
Tested on:
commit: 7c46948a Merge tag 'fs.fuse.acl.v6.2-rc6' of git://git..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
dashboard link: https://syzkaller.appspot.com/bug?extid=a6054f41d1cf28996a7d
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=10ccc2b0c80000
syzbot tried to test the proposed patch but the build/boot failed:
fs/f2fs/extent_cache.c:1013:14: error: use of undeclared identifier 'inode'
Tested on:
commit: 7c46948a Merge tag 'fs.fuse.acl.v6.2-rc6' of git://git..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
dashboard link: https://syzkaller.appspot.com/bug?extid=a6054f41d1cf28996a7d
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=10ccc2b0c80000
syzbot
Feb 25, 2023, 10:12:25 PM2/25/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
fs/f2fs/extent_cache.c:1013:14: error: use of undeclared identifier 'inode'
Tested on:
commit: 7c46948a Merge tag 'fs.fuse.acl.v6.2-rc6' of git://git..
syzbot tried to test the proposed patch but the build/boot failed:
fs/f2fs/extent_cache.c:1013:14: error: use of undeclared identifier 'inode'
Tested on:
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
dashboard link: https://syzkaller.appspot.com/bug?extid=a6054f41d1cf28996a7d
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=11cbbe60c80000
ead...@sina.com
Feb 25, 2023, 10:40:13 PM2/25/23
to syzbot+a6054f...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
> HEAD commit: 7c46948a6e9c Merge tag 'fs.fuse.acl.v6.2-rc6' of git://git..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=13f04ecd480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=c8d5c2ee6c2bd4b8
> dashboard link: https://syzkaller.appspot.com/bug?extid=a6054f41d1cf28996a7d
> compiler: Debian clang version 13.0.1-6~deb11u1, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15d846f5480000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=177f1649480000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/cc51645b6401/disk-7c46948a.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/be036b5604a3/vmlinux-7c46948a.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/274f5abf2c8f/bzImage-7c46948a.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/f8e3282fa048/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+a6054f...@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: use-after-free in rb_link_node include/linux/rbtree.h:65 [inline]
> BUG: KASAN: use-after-free in __attach_extent_node+0x23d/0x480 fs/f2fs/extent_cache.c:372
> Write of size 8 at addr ffff8880714514e8 by task syz-executor122/5273
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=13f04ecd480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=c8d5c2ee6c2bd4b8
> dashboard link: https://syzkaller.appspot.com/bug?extid=a6054f41d1cf28996a7d
> compiler: Debian clang version 13.0.1-6~deb11u1, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15d846f5480000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=177f1649480000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/cc51645b6401/disk-7c46948a.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/be036b5604a3/vmlinux-7c46948a.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/274f5abf2c8f/bzImage-7c46948a.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/f8e3282fa048/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+a6054f...@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: use-after-free in rb_link_node include/linux/rbtree.h:65 [inline]
> BUG: KASAN: use-after-free in __attach_extent_node+0x23d/0x480 fs/f2fs/extent_cache.c:372
> Write of size 8 at addr ffff8880714514e8 by task syz-executor122/5273
syzbot
Feb 25, 2023, 11:12:19 PM2/25/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING: held lock freed in __shrink_extent_tree
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
syz-executor.0: attempt to access beyond end of device
loop0: rw=2049, sector=45096, nr_sectors = 8 limit=40427
=========================
6.2.0-rc5-syzkaller-00047-g7c46948a6e9c-dirty #0 Not tainted
-------------------------
syz-executor.0/5531 is freeing memory ffff888028310000-ffff888028311fff, with a lock still held there!
ffff888028310c58 (&eti->extent_tree_lock){+.+.}-{3:3}, at: __shrink_extent_tree+0x52d/0xd10
2 locks held by syz-executor.0/5531:
#0: ffff8880788800e0 (&type->s_umount_key#50){+.+.}-{3:3}, at: deactivate_super+0xad/0xf0
#1: ffff888028310c58 (&eti->extent_tree_lock){+.+.}-{3:3}, at: __shrink_extent_tree+0x52d/0xd10
stack backtrace:
CPU: 1 PID: 5531 Comm: syz-executor.0 Not tainted 6.2.0-rc5-syzkaller-00047-g7c46948a6e9c-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/16/2023
Call Trace:
<TASK>
dump_stack_lvl+0x1b5/0x2a0
debug_check_no_locks_freed+0x375/0x450
Call Trace:
<TASK>
dump_stack_lvl+0x1b5/0x2a0
__kmem_cache_free+0x1f8/0x3c0
f2fs_put_super+0xaec/0xcb0
generic_shutdown_super+0x134/0x310
kill_block_super+0x7e/0xe0
kill_f2fs_super+0x303/0x3d0
deactivate_locked_super+0xa4/0x110
cleanup_mnt+0x490/0x520
task_work_run+0x24a/0x300
exit_to_user_mode_loop+0xd1/0xf0
exit_to_user_mode_prepare+0xb1/0x140
syscall_exit_to_user_mode+0x54/0x2d0
do_syscall_64+0x4d/0xc0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fd30c88d537
kill_block_super+0x7e/0xe0
kill_f2fs_super+0x303/0x3d0
deactivate_locked_super+0xa4/0x110
cleanup_mnt+0x490/0x520
task_work_run+0x24a/0x300
exit_to_user_mode_loop+0xd1/0xf0
exit_to_user_mode_prepare+0xb1/0x140
syscall_exit_to_user_mode+0x54/0x2d0
do_syscall_64+0x4d/0xc0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Code: ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc09131598 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007fd30c88d537
RDX: 00007ffc09131669 RSI: 000000000000000a RDI: 00007ffc09131660
RBP: 00007ffc09131660 R08: 00000000ffffffff R09: 00007ffc09131430
R10: 00005555560d98b3 R11: 0000000000000246 R12: 00007fd30c8e6b24
R13: 00007ffc09132720 R14: 00005555560d9810 R15: 00007ffc09132760
</TASK>
syz-executor.0: attempt to access beyond end of device
loop0: rw=2049, sector=45096, nr_sectors = 8 limit=40427
syz-executor.0: attempt to access beyond end of device
loop0: rw=2049, sector=45096, nr_sectors = 8 limit=40427
syz-executor.0: attempt to access beyond end of device
loop0: rw=2049, sector=45096, nr_sectors = 8 limit=40427
syz-executor.0: attempt to access beyond end of device
loop0: rw=2049, sector=45096, nr_sectors = 8 limit=40427
syz-executor.0: attempt to access beyond end of device
loop0: rw=2049, sector=45096, nr_sectors = 8 limit=40427
syz-executor.0: attempt to access beyond end of device
loop0: rw=2049, sector=45096, nr_sectors = 8 limit=40427
syz-executor.0: attempt to access beyond end of device
loop0: rw=2049, sector=45096, nr_sectors = 8 limit=40427
syz-executor.0: attempt to access beyond end of device
loop0: rw=2049, sector=45096, nr_sectors = 8 limit=40427
syz-executor.0: attempt to access beyond end of device
loop0: rw=2049, sector=45096, nr_sectors = 8 limit=40427
loop0: rw=2049, sector=45096, nr_sectors = 8 limit=40427
syz-executor.0: attempt to access beyond end of device
loop0: rw=2049, sector=45096, nr_sectors = 8 limit=40427
syz-executor.0: attempt to access beyond end of device
loop0: rw=2049, sector=45096, nr_sectors = 8 limit=40427
syz-executor.0: attempt to access beyond end of device
loop0: rw=2049, sector=45096, nr_sectors = 8 limit=40427
syz-executor.0: attempt to access beyond end of device
loop0: rw=2049, sector=45096, nr_sectors = 8 limit=40427
syz-executor.0: attempt to access beyond end of device
loop0: rw=2049, sector=45096, nr_sectors = 8 limit=40427
syz-executor.0: attempt to access beyond end of device
loop0: rw=2049, sector=45096, nr_sectors = 8 limit=40427
syz-executor.0: attempt to access beyond end of device
loop0: rw=2049, sector=45096, nr_sectors = 8 limit=40427
syz-executor.0: attempt to access beyond end of device
loop0: rw=2049, sector=45096, nr_sectors = 8 limit=40427
Tested on:
commit: 7c46948a Merge tag 'fs.fuse.acl.v6.2-rc6' of git://git..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=12374df7480000
commit: 7c46948a Merge tag 'fs.fuse.acl.v6.2-rc6' of git://git..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=f5a0f98ea28dd7b9
dashboard link: https://syzkaller.appspot.com/bug?extid=a6054f41d1cf28996a7d
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=11d1ed3cc80000
ead...@sina.com
Feb 26, 2023, 4:00:09 AM2/26/23
to syzbot+a6054f...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
> HEAD commit: 7c46948a6e9c Merge tag 'fs.fuse.acl.v6.2-rc6' of git://git..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=13f04ecd480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=c8d5c2ee6c2bd4b8
> dashboard link: https://syzkaller.appspot.com/bug?extid=a6054f41d1cf28996a7d
> compiler: Debian clang version 13.0.1-6~deb11u1, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15d846f5480000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=177f1649480000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/cc51645b6401/disk-7c46948a.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/be036b5604a3/vmlinux-7c46948a.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/274f5abf2c8f/bzImage-7c46948a.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/f8e3282fa048/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+a6054f...@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: use-after-free in rb_link_node include/linux/rbtree.h:65 [inline]
> BUG: KASAN: use-after-free in __attach_extent_node+0x23d/0x480 fs/f2fs/extent_cache.c:372
> Write of size 8 at addr ffff8880714514e8 by task syz-executor122/5273
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=13f04ecd480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=c8d5c2ee6c2bd4b8
> dashboard link: https://syzkaller.appspot.com/bug?extid=a6054f41d1cf28996a7d
> compiler: Debian clang version 13.0.1-6~deb11u1, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15d846f5480000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=177f1649480000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/cc51645b6401/disk-7c46948a.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/be036b5604a3/vmlinux-7c46948a.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/274f5abf2c8f/bzImage-7c46948a.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/f8e3282fa048/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+a6054f...@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: use-after-free in rb_link_node include/linux/rbtree.h:65 [inline]
> BUG: KASAN: use-after-free in __attach_extent_node+0x23d/0x480 fs/f2fs/extent_cache.c:372
> Write of size 8 at addr ffff8880714514e8 by task syz-executor122/5273
syzbot
Feb 26, 2023, 4:55:18 AM2/26/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in f2fs_get_dnode_of_data
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
CPU: 1 PID: 8372 Comm: syz-executor.0 Not tainted 6.2.0-rc5-syzkaller-00047-g7c46948a6e9c-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/16/2023
RIP: 0010:f2fs_get_dnode_of_data+0xd6/0x1e00
Code: 44 24 60 80 3c 18 00 74 08 4c 89 e7 e8 23 67 12 fe 4d 8b 34 24 4d 8d 7e 28 4c 89 f8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 4c 89 ff e8 fc 66 12 fe bb 78 06 00 00 49 03 1f
RSP: 0018:ffffc9000b566cc0 EFLAGS: 00010206
RAX: 0000000000000005 RBX: dffffc0000000000 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: 00000000000000fa RDI: ffffc9000b566f20
RBP: ffffc9000b566e70 R08: ffffffff83cb7375 R09: fffffbfff1c6d326
R10: 0000000000000000 R11: dffffc0000000001 R12: ffffc9000b566f20
R13: 1ffff920016acdac R14: 0000000000000000 R15: 0000000000000028
FS: 00007f3cf53db700(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020103000 CR3: 00000000266cb000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
f2fs_do_write_data_page+0x5d7/0x27c0
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
f2fs_write_single_data_page+0x14c1/0x2140
f2fs_write_data_pages+0x1948/0x2ed0
do_writepages+0x3a6/0x660
filemap_fdatawrite_wbc+0x125/0x180
file_write_and_wait_range+0x21f/0x320
f2fs_do_sync_file+0x7b6/0x1de0
f2fs_file_write_iter+0x7fc/0x2c20
vfs_write+0x7dd/0xc50
ksys_write+0x17c/0x2a0
do_syscall_64+0x41/0xc0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f3cf468c0c9
f2fs_write_data_pages+0x1948/0x2ed0
do_writepages+0x3a6/0x660
filemap_fdatawrite_wbc+0x125/0x180
file_write_and_wait_range+0x21f/0x320
f2fs_do_sync_file+0x7b6/0x1de0
f2fs_file_write_iter+0x7fc/0x2c20
vfs_write+0x7dd/0xc50
ksys_write+0x17c/0x2a0
do_syscall_64+0x41/0xc0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f3cf53db168 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f3cf47abf80 RCX: 00007f3cf468c0c9
RDX: 00000000000ffe00 RSI: 0000000020004200 RDI: 0000000000000004
RBP: 00007f3cf46e7ae9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffc9592697f R14: 00007f3cf53db300 R15: 0000000000022000
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:f2fs_get_dnode_of_data+0xd6/0x1e00
Modules linked in:
---[ end trace 0000000000000000 ]---
Code: 44 24 60 80 3c 18 00 74 08 4c 89 e7 e8 23 67 12 fe 4d 8b 34 24 4d 8d 7e 28 4c 89 f8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 4c 89 ff e8 fc 66 12 fe bb 78 06 00 00 49 03 1f
RSP: 0018:ffffc9000b566cc0 EFLAGS: 00010206
RAX: 0000000000000005 RBX: dffffc0000000000 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: 00000000000000fa RDI: ffffc9000b566f20
RBP: ffffc9000b566e70 R08: ffffffff83cb7375 R09: fffffbfff1c6d326
R10: 0000000000000000 R11: dffffc0000000001 R12: ffffc9000b566f20
R13: 1ffff920016acdac R14: 0000000000000000 R15: 0000000000000028
FS: 00007f3cf53db700(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f3cf53ba718 CR3: 00000000266cb000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Code disassembly (best guess):
0: 44 24 60 rex.R and $0x60,%al
3: 80 3c 18 00 cmpb $0x0,(%rax,%rbx,1)
7: 74 08 je 0x11
9: 4c 89 e7 mov %r12,%rdi
c: e8 23 67 12 fe callq 0xfe126734
11: 4d 8b 34 24 mov (%r12),%r14
15: 4d 8d 7e 28 lea 0x28(%r14),%r15
19: 4c 89 f8 mov %r15,%rax
1c: 48 c1 e8 03 shr $0x3,%rax
20: 48 b9 00 00 00 00 00 movabs $0xdffffc0000000000,%rcx
27: fc ff df
* 2a: 80 3c 08 00 cmpb $0x0,(%rax,%rcx,1) <-- trapping instruction
2e: 74 08 je 0x38
30: 4c 89 ff mov %r15,%rdi
33: e8 fc 66 12 fe callq 0xfe126734
38: bb 78 06 00 00 mov $0x678,%ebx
3d: 49 03 1f add (%r15),%rbx
Tested on:
commit: 7c46948a Merge tag 'fs.fuse.acl.v6.2-rc6' of git://git..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=f5a0f98ea28dd7b9
dashboard link: https://syzkaller.appspot.com/bug?extid=a6054f41d1cf28996a7d
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=16c850c0c80000
syzbot
Jun 16, 2023, 9:58:40 AM6/16/23
to syzkall...@googlegroups.com
Auto-closing this bug as obsolete.
No recent activity, existing reproducers are no longer triggering the issue.
No recent activity, existing reproducers are no longer triggering the issue.
Reply all
Reply to author
Forward
0 new messages