[syzbot] [gfs2?] KASAN: use-after-free Read in qd_unlock (2)


syzbot

Jan 2, 2023, 4:20:45 PM
to agru...@redhat.com, cluste...@redhat.com, linux-...@vger.kernel.org, rpet...@redhat.com, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 1b929c02afd3 Linux 6.2-rc1
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=1799c250480000
kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14c4ea18480000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1359b338480000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/2d8c5072480f/disk-1b929c02.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/46687f1395db/vmlinux-1b929c02.xz
kernel image: https://storage.googleapis.com/syzbot-assets/26f1afa5ec00/bzImage-1b929c02.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/35edd581b491/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3f6a67...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:72 [inline]
BUG: KASAN: use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: use-after-free in qd_unlock+0x30/0x2d0 fs/gfs2/quota.c:490
Read of size 8 at addr ffff888073997090 by task syz-executor221/5069

CPU: 1 PID: 5069 Comm: syz-executor221 Not tainted 6.2.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1b1/0x290 lib/dump_stack.c:106
print_address_description+0x74/0x340 mm/kasan/report.c:306
print_report+0x107/0x1f0 mm/kasan/report.c:417
kasan_report+0xcd/0x100 mm/kasan/report.c:517
kasan_check_range+0x2a7/0x2e0 mm/kasan/generic.c:189
instrument_atomic_read include/linux/instrumented.h:72 [inline]
_test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
qd_unlock+0x30/0x2d0 fs/gfs2/quota.c:490
gfs2_quota_sync+0x768/0x8b0 fs/gfs2/quota.c:1325
gfs2_sync_fs+0x49/0xb0 fs/gfs2/super.c:650
sync_filesystem+0xe8/0x220 fs/sync.c:56
generic_shutdown_super+0x6b/0x310 fs/super.c:474
kill_block_super+0x79/0xd0 fs/super.c:1386
deactivate_locked_super+0xa7/0xf0 fs/super.c:332
cleanup_mnt+0x494/0x520 fs/namespace.c:1291
task_work_run+0x243/0x300 kernel/task_work.c:179
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0x644/0x2150 kernel/exit.c:867
do_group_exit+0x1fd/0x2b0 kernel/exit.c:1012
__do_sys_exit_group kernel/exit.c:1023 [inline]
__se_sys_exit_group kernel/exit.c:1021 [inline]
__x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1021
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f2c4308d0c9
Code: Unable to access opcode bytes at 0x7f2c4308d09f.
RSP: 002b:00007ffcdd2f81f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007f2c431103d0 RCX: 00007f2c4308d0c9
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
RBP: 0000000000000001 R08: ffffffffffffffc0 R09: 0000000000012550
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f2c431103d0
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
</TASK>

Allocated by task 5069:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x3d/0x60 mm/kasan/common.c:52
__kasan_slab_alloc+0x65/0x70 mm/kasan/common.c:325
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slab.h:761 [inline]
slab_alloc_node mm/slub.c:3452 [inline]
slab_alloc mm/slub.c:3460 [inline]
__kmem_cache_alloc_lru mm/slub.c:3467 [inline]
kmem_cache_alloc+0x1b3/0x350 mm/slub.c:3476
kmem_cache_zalloc include/linux/slab.h:710 [inline]
qd_alloc+0x51/0x250 fs/gfs2/quota.c:216
gfs2_quota_init+0x7c4/0x10e0 fs/gfs2/quota.c:1415
gfs2_make_fs_rw+0x48e/0x590 fs/gfs2/super.c:153
gfs2_fill_super+0x2357/0x2700 fs/gfs2/ops_fstype.c:1274
get_tree_bdev+0x400/0x620 fs/super.c:1282
gfs2_get_tree+0x50/0x210 fs/gfs2/ops_fstype.c:1330
vfs_get_tree+0x88/0x270 fs/super.c:1489
do_new_mount+0x289/0xad0 fs/namespace.c:3145
do_mount fs/namespace.c:3488 [inline]
__do_sys_mount fs/namespace.c:3697 [inline]
__se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3674
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 0:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x3d/0x60 mm/kasan/common.c:52
kasan_save_free_info+0x27/0x40 mm/kasan/generic.c:518
____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236
kasan_slab_free include/linux/kasan.h:177 [inline]
slab_free_hook mm/slub.c:1781 [inline]
slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1807
slab_free mm/slub.c:3787 [inline]
kmem_cache_free+0x94/0x1d0 mm/slub.c:3809
rcu_do_batch kernel/rcu/tree.c:2246 [inline]
rcu_core+0x9c1/0x1690 kernel/rcu/tree.c:2506
__do_softirq+0x277/0x738 kernel/softirq.c:571

Last potentially related work creation:
kasan_save_stack+0x2b/0x50 mm/kasan/common.c:45
__kasan_record_aux_stack+0xb0/0xc0 mm/kasan/generic.c:488
__call_rcu_common kernel/rcu/tree.c:2755 [inline]
call_rcu+0x163/0xa70 kernel/rcu/tree.c:2868
gfs2_quota_cleanup+0x457/0x6b0 fs/gfs2/quota.c:1479
gfs2_make_fs_ro+0x517/0x610 fs/gfs2/super.c:560
signal_our_withdraw fs/gfs2/util.c:166 [inline]
gfs2_withdraw+0x609/0x1540 fs/gfs2/util.c:351
gfs2_dinode_in fs/gfs2/glops.c:460 [inline]
gfs2_inode_refresh+0xb2d/0xf60 fs/gfs2/glops.c:480
gfs2_instantiate+0x15e/0x220 fs/gfs2/glock.c:456
gfs2_glock_holder_ready fs/gfs2/glock.c:1299 [inline]
gfs2_glock_wait+0x1d9/0x2a0 fs/gfs2/glock.c:1319
gfs2_glock_nq_init fs/gfs2/glock.h:262 [inline]
do_sync+0x485/0xc80 fs/gfs2/quota.c:916
gfs2_quota_sync+0x3da/0x8b0 fs/gfs2/quota.c:1318
gfs2_sync_fs+0x49/0xb0 fs/gfs2/super.c:650
sync_filesystem+0xe8/0x220 fs/sync.c:56
generic_shutdown_super+0x6b/0x310 fs/super.c:474
kill_block_super+0x79/0xd0 fs/super.c:1386
deactivate_locked_super+0xa7/0xf0 fs/super.c:332
cleanup_mnt+0x494/0x520 fs/namespace.c:1291
task_work_run+0x243/0x300 kernel/task_work.c:179
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0x644/0x2150 kernel/exit.c:867
do_group_exit+0x1fd/0x2b0 kernel/exit.c:1012
__do_sys_exit_group kernel/exit.c:1023 [inline]
__se_sys_exit_group kernel/exit.c:1021 [inline]
__x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1021
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff888073997000
which belongs to the cache gfs2_quotad of size 272
The buggy address is located 144 bytes inside of
272-byte region [ffff888073997000, ffff888073997110)

The buggy address belongs to the physical page:
page:ffffea0001ce65c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x73997
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffff8881461ae500 dead000000000122 0000000000000000
raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Reclaimable, gfp_mask 0x12c50(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_RECLAIMABLE), pid 5069, tgid 5069 (syz-executor221), ts 50927644511, free_ts 12661541703
prep_new_page mm/page_alloc.c:2531 [inline]
get_page_from_freelist+0x742/0x7c0 mm/page_alloc.c:4283
__alloc_pages+0x259/0x560 mm/page_alloc.c:5549
alloc_slab_page+0xbd/0x190 mm/slub.c:1851
allocate_slab+0x5e/0x3c0 mm/slub.c:1998
new_slab mm/slub.c:2051 [inline]
___slab_alloc+0x782/0xe20 mm/slub.c:3193
__slab_alloc mm/slub.c:3292 [inline]
__slab_alloc_node mm/slub.c:3345 [inline]
slab_alloc_node mm/slub.c:3442 [inline]
slab_alloc mm/slub.c:3460 [inline]
__kmem_cache_alloc_lru mm/slub.c:3467 [inline]
kmem_cache_alloc+0x268/0x350 mm/slub.c:3476
kmem_cache_zalloc include/linux/slab.h:710 [inline]
qd_alloc+0x51/0x250 fs/gfs2/quota.c:216
gfs2_quota_init+0x7c4/0x10e0 fs/gfs2/quota.c:1415
gfs2_make_fs_rw+0x48e/0x590 fs/gfs2/super.c:153
gfs2_fill_super+0x2357/0x2700 fs/gfs2/ops_fstype.c:1274
get_tree_bdev+0x400/0x620 fs/super.c:1282
gfs2_get_tree+0x50/0x210 fs/gfs2/ops_fstype.c:1330
vfs_get_tree+0x88/0x270 fs/super.c:1489
do_new_mount+0x289/0xad0 fs/namespace.c:3145
do_mount fs/namespace.c:3488 [inline]
__do_sys_mount fs/namespace.c:3697 [inline]
__se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3674
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1446 [inline]
free_pcp_prepare+0x751/0x780 mm/page_alloc.c:1496
free_unref_page_prepare mm/page_alloc.c:3369 [inline]
free_unref_page+0x19/0x4c0 mm/page_alloc.c:3464
free_contig_range+0xa3/0x160 mm/page_alloc.c:9485
destroy_args+0xfe/0x940 mm/debug_vm_pgtable.c:998
debug_vm_pgtable+0x43d/0x4a0 mm/debug_vm_pgtable.c:1318
do_one_initcall+0x1d1/0x410 init/main.c:1306
do_initcall_level+0x168/0x220 init/main.c:1379
do_initcalls+0x43/0x90 init/main.c:1395
kernel_init_freeable+0x428/0x5e0 init/main.c:1634
kernel_init+0x19/0x2b0 init/main.c:1522
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308

Memory state around the buggy address:
ffff888073996f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888073997000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888073997080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888073997100: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888073997180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches

ead...@sina.com

Jan 4, 2023, 2:48:26 AM
to syzbot+3f6a67...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
From: Edward Adam Davis <ead...@sina.com>

On Mon, 02 Jan 2023 13:20:44 -0800
> HEAD commit: 1b929c02afd3 Linux 6.2-rc1
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1799c250480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
> dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
> compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14c4ea18480000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1359b338480000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/2d8c5072480f/disk-1b929c02.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/46687f1395db/vmlinux-1b929c02.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/26f1afa5ec00/bzImage-1b929c02.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/35edd581b491/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+3f6a67...@syzkaller.appspotmail.com

syzbot report:
BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:72 [inline]
BUG: KASAN: use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: use-after-free in qd_unlock+0x30/0x2d0 fs/gfs2/quota.c:490
Read of size 8 at addr ffff888073997090 by task syz-executor221/5069

Test 1b929c02afd3 uaf.

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 1b929c02afd3

--- a/fs/gfs2/quota.c
+++ b/fs/gfs2/quota.c
@@ -460,6 +460,7 @@ static int qd_fish(struct gfs2_sbd *sdp, struct gfs2_quota_data **qdp)

spin_lock(&qd_lock);

+ qd = NULL;
list_for_each_entry(iter, &sdp->sd_quota_list, qd_list) {
if (qd_check_sync(sdp, iter, &sdp->sd_quota_sync_gen)) {
qd = iter;
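Review bot: the added "qd = NULL;" cannot change behaviour. qd_fish already declares "struct gfs2_quota_data *qd = NULL, *iter;" (the declaration is visible in the other two patches in this thread) and nothing assigns qd between that declaration and the loop, so the store is redundant. The KASAN report also does not show qd_fish handing out a bad pointer: the object is allocated by qd_alloc in gfs2_quota_init at mount time, queued for freeing by the call_rcu in gfs2_quota_cleanup when do_sync (called from gfs2_quota_sync) withdraws the filesystem through gfs2_make_fs_ro, and then read by qd_unlock at the end of that same gfs2_quota_sync. The qd pointers that gfs2_quota_sync collected before the withdraw are what go stale, so a fix has to keep those qd objects alive until qd_unlock runs (hold a reference across the sync, or make gfs2_quota_cleanup skip or wait for entries an in-flight sync still holds) rather than touch the initialisation here. The syzbot test result that reports qd_unlock at fs/gfs2/quota.c:491, one line further down than the original 490, matches the single line this hunk adds ahead of it.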

ead...@sina.com

Jan 4, 2023, 2:48:26 AM
to syzbot+3f6a67...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
From: Edward Adam Davis <ead...@sina.com>

On Mon, 02 Jan 2023 13:20:44 -0800
> HEAD commit: 1b929c02afd3 Linux 6.2-rc1
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1799c250480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
> dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
> compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14c4ea18480000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1359b338480000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/2d8c5072480f/disk-1b929c02.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/46687f1395db/vmlinux-1b929c02.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/26f1afa5ec00/bzImage-1b929c02.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/35edd581b491/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+3f6a67...@syzkaller.appspotmail.com

syzbot report:
BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:72 [inline]
BUG: KASAN: use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: use-after-free in qd_unlock+0x30/0x2d0 fs/gfs2/quota.c:490
Read of size 8 at addr ffff888073997090 by task syz-executor221/5069

Test 1b929c02afd3 uaf.

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 1b929c02afd3

--- a/fs/gfs2/quota.c
+++ b/fs/gfs2/quota.c
@@ -450,7 +450,7 @@ static int qd_check_sync(struct gfs2_sbd *sdp, struct gfs2_quota_data *qd,

static int qd_fish(struct gfs2_sbd *sdp, struct gfs2_quota_data **qdp)
{
- struct gfs2_quota_data *qd = NULL, *iter;
+ struct gfs2_quota_data *qd = NULL, *iter = NULL;
int error;

*qdp = NULL;
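Review bot: initialising iter to NULL is a no-op. list_for_each_entry assigns iter from sdp->sd_quota_list before the loop body is first evaluated, and iter is not read after the loop in qd_fish (qd is what is returned through *qdp), so the compiler will simply drop the store. The freed object in the report is one that gfs2_quota_sync had already obtained from qd_fish before gfs2_quota_cleanup, reached via gfs2_withdraw from inside do_sync, queued it for freeing with call_rcu; the stale pointer lives in the array of qd pointers that gfs2_quota_sync collected and is dereferenced in qd_unlock, so this hunk does not reach the bug. The lifetime of those collected qd objects across the withdraw is what needs fixing.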

ead...@sina.com

Jan 4, 2023, 2:48:26 AM
to syzbot+3f6a67...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
From: Edward Adam Davis <ead...@sina.com>

On Mon, 02 Jan 2023 13:20:44 -0800
> HEAD commit: 1b929c02afd3 Linux 6.2-rc1
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1799c250480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
> dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
> compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14c4ea18480000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1359b338480000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/2d8c5072480f/disk-1b929c02.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/46687f1395db/vmlinux-1b929c02.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/26f1afa5ec00/bzImage-1b929c02.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/35edd581b491/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+3f6a67...@syzkaller.appspotmail.com

syzbot report:
BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:72 [inline]
BUG: KASAN: use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: use-after-free in qd_unlock+0x30/0x2d0 fs/gfs2/quota.c:490
Read of size 8 at addr ffff888073997090 by task syz-executor221/5069

Test 1b929c02afd3 uaf.

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 1b929c02afd3

--- a/fs/gfs2/quota.c
+++ b/fs/gfs2/quota.c
@@ -451,7 +451,7 @@ static int qd_check_sync(struct gfs2_sbd *sdp, struct gfs2_quota_data *qd,
static int qd_fish(struct gfs2_sbd *sdp, struct gfs2_quota_data **qdp)
{
struct gfs2_quota_data *qd = NULL, *iter;
- int error;
+ int error, fd = 0;

*qdp = NULL;

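Review bot: the new flag is named fd, which in kernel code reads as a file descriptor; if a found flag is really wanted here, name it found and declare it bool rather than int. Whether it is needed at all is questionable: qd is initialised to NULL on the line above and, in the second hunk, is only ever assigned in the same branch that sets the flag, so the flag and qd carry the same information.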
@@ -463,9 +463,12 @@ static int qd_fish(struct gfs2_sbd *sdp, struct gfs2_quota_data **qdp)
list_for_each_entry(iter, &sdp->sd_quota_list, qd_list) {
if (qd_check_sync(sdp, iter, &sdp->sd_quota_sync_gen)) {
qd = iter;
+ fd = 1;
break;
}
}
+ if (!fd)
+ qd = NULL;

spin_unlock(&qd_lock);

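Review bot: the added "if (!fd) qd = NULL;" is dead logic. qd starts out NULL (declaration in the first hunk) and is assigned only in the branch that also sets fd = 1, so whenever fd is 0, qd is already NULL; the patched function behaves exactly like the unpatched one. The syzbot test result that reports qd_unlock at fs/gfs2/quota.c:493, three lines further down than the original 490, matches the three lines this patch adds ahead of it and shows the same use-after-free. The report's stacks show the object being freed by the call_rcu queued from gfs2_quota_cleanup during the withdraw triggered inside do_sync, after gfs2_quota_sync had already collected the qd pointer and before it reached qd_unlock, so the fix needs to pin those qd objects for the duration of the sync (or keep the cleanup from freeing qds a sync still holds), not to re-null qd in qd_fish.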
syzbot

Jan 4, 2023, 3:05:24 AM
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in qd_unlock

==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:72 [inline]
BUG: KASAN: use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: use-after-free in qd_unlock+0x30/0x2d0 fs/gfs2/quota.c:491
Read of size 8 at addr ffff888072eb6090 by task syz-executor.0/5542

CPU: 0 PID: 5542 Comm: syz-executor.0 Not tainted 6.2.0-rc1-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1b1/0x290 lib/dump_stack.c:106
print_address_description+0x74/0x340 mm/kasan/report.c:306
print_report+0x107/0x1f0 mm/kasan/report.c:417
kasan_report+0xcd/0x100 mm/kasan/report.c:517
kasan_check_range+0x2a7/0x2e0 mm/kasan/generic.c:189
instrument_atomic_read include/linux/instrumented.h:72 [inline]
_test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
qd_unlock+0x30/0x2d0 fs/gfs2/quota.c:491
gfs2_quota_sync+0x768/0x8b0 fs/gfs2/quota.c:1326
gfs2_sync_fs+0x49/0xb0 fs/gfs2/super.c:650
sync_filesystem+0xe8/0x220 fs/sync.c:56
generic_shutdown_super+0x6b/0x310 fs/super.c:474
kill_block_super+0x79/0xd0 fs/super.c:1386
deactivate_locked_super+0xa7/0xf0 fs/super.c:332
cleanup_mnt+0x494/0x520 fs/namespace.c:1291
task_work_run+0x243/0x300 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0x124/0x150 kernel/entry/common.c:171
exit_to_user_mode_prepare+0xb2/0x140 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:296
do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f594a08d517
Code: ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffceddd2d98 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f594a08d517
RDX: 00007ffceddd2e69 RSI: 000000000000000a RDI: 00007ffceddd2e60
RBP: 00007ffceddd2e60 R08: 00000000ffffffff R09: 00007ffceddd2c30
R10: 00005555568038b3 R11: 0000000000000246 R12: 00007f594a0e6b24
R13: 00007ffceddd3f20 R14: 0000555556803810 R15: 00007ffceddd3f60
</TASK>

Allocated by task 5596:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x3d/0x60 mm/kasan/common.c:52
__kasan_slab_alloc+0x65/0x70 mm/kasan/common.c:325
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slab.h:761 [inline]
slab_alloc_node mm/slub.c:3452 [inline]
slab_alloc mm/slub.c:3460 [inline]
__kmem_cache_alloc_lru mm/slub.c:3467 [inline]
kmem_cache_alloc+0x1b3/0x350 mm/slub.c:3476
kmem_cache_zalloc include/linux/slab.h:710 [inline]
qd_alloc+0x51/0x250 fs/gfs2/quota.c:216
gfs2_quota_init+0x7c4/0x10e0 fs/gfs2/quota.c:1416
gfs2_make_fs_rw+0x48e/0x590 fs/gfs2/super.c:153
gfs2_fill_super+0x2357/0x2700 fs/gfs2/ops_fstype.c:1274
get_tree_bdev+0x400/0x620 fs/super.c:1282
gfs2_get_tree+0x50/0x210 fs/gfs2/ops_fstype.c:1330
vfs_get_tree+0x88/0x270 fs/super.c:1489
do_new_mount+0x289/0xad0 fs/namespace.c:3145
do_mount fs/namespace.c:3488 [inline]
__do_sys_mount fs/namespace.c:3697 [inline]
__se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3674
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 21:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x3d/0x60 mm/kasan/common.c:52
kasan_save_free_info+0x27/0x40 mm/kasan/generic.c:518
____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236
kasan_slab_free include/linux/kasan.h:177 [inline]
slab_free_hook mm/slub.c:1781 [inline]
slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1807
slab_free mm/slub.c:3787 [inline]
kmem_cache_free+0x94/0x1d0 mm/slub.c:3809
rcu_do_batch kernel/rcu/tree.c:2246 [inline]
rcu_core+0x9c1/0x1690 kernel/rcu/tree.c:2506
__do_softirq+0x277/0x738 kernel/softirq.c:571

Last potentially related work creation:
kasan_save_stack+0x2b/0x50 mm/kasan/common.c:45
__kasan_record_aux_stack+0xb0/0xc0 mm/kasan/generic.c:488
__call_rcu_common kernel/rcu/tree.c:2755 [inline]
call_rcu+0x163/0xa70 kernel/rcu/tree.c:2868
gfs2_quota_cleanup+0x457/0x6b0 fs/gfs2/quota.c:1480
gfs2_make_fs_ro+0x517/0x610 fs/gfs2/super.c:560
signal_our_withdraw fs/gfs2/util.c:166 [inline]
gfs2_withdraw+0x609/0x1540 fs/gfs2/util.c:351
gfs2_dinode_in fs/gfs2/glops.c:460 [inline]
gfs2_inode_refresh+0xb2d/0xf60 fs/gfs2/glops.c:480
gfs2_instantiate+0x15e/0x220 fs/gfs2/glock.c:456
gfs2_glock_holder_ready fs/gfs2/glock.c:1299 [inline]
gfs2_glock_wait+0x1d9/0x2a0 fs/gfs2/glock.c:1319
gfs2_glock_nq_init fs/gfs2/glock.h:262 [inline]
do_sync+0x485/0xc80 fs/gfs2/quota.c:917
gfs2_quota_sync+0x3da/0x8b0 fs/gfs2/quota.c:1319
gfs2_sync_fs+0x49/0xb0 fs/gfs2/super.c:650
sync_filesystem+0xe8/0x220 fs/sync.c:56
generic_shutdown_super+0x6b/0x310 fs/super.c:474
kill_block_super+0x79/0xd0 fs/super.c:1386
deactivate_locked_super+0xa7/0xf0 fs/super.c:332
cleanup_mnt+0x494/0x520 fs/namespace.c:1291
task_work_run+0x243/0x300 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0x124/0x150 kernel/entry/common.c:171
exit_to_user_mode_prepare+0xb2/0x140 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:296
do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff888072eb6000
which belongs to the cache gfs2_quotad of size 272
The buggy address is located 144 bytes inside of
272-byte region [ffff888072eb6000, ffff888072eb6110)

The buggy address belongs to the physical page:
page:ffffea0001cbad80 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x72eb6
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffff888146703b40 dead000000000122 0000000000000000
raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Reclaimable, gfp_mask 0x112c50(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 5596, tgid 5595 (syz-executor.0), ts 83979809029, free_ts 14216827191
prep_new_page mm/page_alloc.c:2531 [inline]
get_page_from_freelist+0x742/0x7c0 mm/page_alloc.c:4283
__alloc_pages+0x259/0x560 mm/page_alloc.c:5549
alloc_slab_page+0xbd/0x190 mm/slub.c:1851
allocate_slab+0x5e/0x3c0 mm/slub.c:1998
new_slab mm/slub.c:2051 [inline]
___slab_alloc+0x782/0xe20 mm/slub.c:3193
__slab_alloc mm/slub.c:3292 [inline]
__slab_alloc_node mm/slub.c:3345 [inline]
slab_alloc_node mm/slub.c:3442 [inline]
slab_alloc mm/slub.c:3460 [inline]
__kmem_cache_alloc_lru mm/slub.c:3467 [inline]
kmem_cache_alloc+0x268/0x350 mm/slub.c:3476
kmem_cache_zalloc include/linux/slab.h:710 [inline]
qd_alloc+0x51/0x250 fs/gfs2/quota.c:216
gfs2_quota_init+0x7c4/0x10e0 fs/gfs2/quota.c:1416
ffff888072eb5f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888072eb6000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888072eb6080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888072eb6100: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888072eb6180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================


Tested on:

commit: 1b929c02 Linux 6.2-rc1
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1421e2c6480000
kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=12f9310a480000

syzbot

Jan 4, 2023, 3:27:23 AM
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in qd_unlock

==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:72 [inline]
BUG: KASAN: use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: use-after-free in qd_unlock+0x30/0x2d0 fs/gfs2/quota.c:493
Read of size 8 at addr ffff888073765090 by task syz-executor.0/5534

CPU: 0 PID: 5534 Comm: syz-executor.0 Not tainted 6.2.0-rc1-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1b1/0x290 lib/dump_stack.c:106
print_address_description+0x74/0x340 mm/kasan/report.c:306
print_report+0x107/0x1f0 mm/kasan/report.c:417
kasan_report+0xcd/0x100 mm/kasan/report.c:517
kasan_check_range+0x2a7/0x2e0 mm/kasan/generic.c:189
instrument_atomic_read include/linux/instrumented.h:72 [inline]
_test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
qd_unlock+0x30/0x2d0 fs/gfs2/quota.c:493
gfs2_quota_sync+0x768/0x8b0 fs/gfs2/quota.c:1328
gfs2_sync_fs+0x49/0xb0 fs/gfs2/super.c:650
sync_filesystem+0xe8/0x220 fs/sync.c:56
generic_shutdown_super+0x6b/0x310 fs/super.c:474
kill_block_super+0x79/0xd0 fs/super.c:1386
deactivate_locked_super+0xa7/0xf0 fs/super.c:332
cleanup_mnt+0x494/0x520 fs/namespace.c:1291
task_work_run+0x243/0x300 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0x124/0x150 kernel/entry/common.c:171
exit_to_user_mode_prepare+0xb2/0x140 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:296
do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f3547a8d517
Code: ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd1cf9e738 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f3547a8d517
RDX: 00007ffd1cf9e809 RSI: 000000000000000a RDI: 00007ffd1cf9e800
RBP: 00007ffd1cf9e800 R08: 00000000ffffffff R09: 00007ffd1cf9e5d0
R10: 0000555556d558b3 R11: 0000000000000246 R12: 00007f3547ae6b24
R13: 00007ffd1cf9f8c0 R14: 0000555556d55810 R15: 00007ffd1cf9f900
</TASK>

Allocated by task 5600:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x3d/0x60 mm/kasan/common.c:52
__kasan_slab_alloc+0x65/0x70 mm/kasan/common.c:325
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slab.h:761 [inline]
slab_alloc_node mm/slub.c:3452 [inline]
slab_alloc mm/slub.c:3460 [inline]
__kmem_cache_alloc_lru mm/slub.c:3467 [inline]
kmem_cache_alloc+0x1b3/0x350 mm/slub.c:3476
kmem_cache_zalloc include/linux/slab.h:710 [inline]
qd_alloc+0x51/0x250 fs/gfs2/quota.c:216
gfs2_quota_init+0x7c4/0x10e0 fs/gfs2/quota.c:1418
gfs2_make_fs_rw+0x48e/0x590 fs/gfs2/super.c:153
gfs2_fill_super+0x2357/0x2700 fs/gfs2/ops_fstype.c:1274
get_tree_bdev+0x400/0x620 fs/super.c:1282
gfs2_get_tree+0x50/0x210 fs/gfs2/ops_fstype.c:1330
vfs_get_tree+0x88/0x270 fs/super.c:1489
do_new_mount+0x289/0xad0 fs/namespace.c:3145
do_mount fs/namespace.c:3488 [inline]
__do_sys_mount fs/namespace.c:3697 [inline]
__se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3674
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 5534:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x3d/0x60 mm/kasan/common.c:52
kasan_save_free_info+0x27/0x40 mm/kasan/generic.c:518
____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236
kasan_slab_free include/linux/kasan.h:177 [inline]
slab_free_hook mm/slub.c:1781 [inline]
slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1807
slab_free mm/slub.c:3787 [inline]
kmem_cache_free+0x94/0x1d0 mm/slub.c:3809
rcu_do_batch kernel/rcu/tree.c:2246 [inline]
rcu_core+0x9c1/0x1690 kernel/rcu/tree.c:2506
__do_softirq+0x277/0x738 kernel/softirq.c:571

Last potentially related work creation:
kasan_save_stack+0x2b/0x50 mm/kasan/common.c:45
__kasan_record_aux_stack+0xb0/0xc0 mm/kasan/generic.c:488
__call_rcu_common kernel/rcu/tree.c:2755 [inline]
call_rcu+0x163/0xa70 kernel/rcu/tree.c:2868
gfs2_quota_cleanup+0x457/0x6b0 fs/gfs2/quota.c:1482
gfs2_make_fs_ro+0x517/0x610 fs/gfs2/super.c:560
signal_our_withdraw fs/gfs2/util.c:166 [inline]
gfs2_withdraw+0x609/0x1540 fs/gfs2/util.c:351
gfs2_dinode_in fs/gfs2/glops.c:460 [inline]
gfs2_inode_refresh+0xb2d/0xf60 fs/gfs2/glops.c:480
gfs2_instantiate+0x15e/0x220 fs/gfs2/glock.c:456
gfs2_glock_holder_ready fs/gfs2/glock.c:1299 [inline]
gfs2_glock_wait+0x1d9/0x2a0 fs/gfs2/glock.c:1319
gfs2_glock_nq_init fs/gfs2/glock.h:262 [inline]
do_sync+0x485/0xc80 fs/gfs2/quota.c:919
gfs2_quota_sync+0x3da/0x8b0 fs/gfs2/quota.c:1321
gfs2_sync_fs+0x49/0xb0 fs/gfs2/super.c:650
sync_filesystem+0xe8/0x220 fs/sync.c:56
generic_shutdown_super+0x6b/0x310 fs/super.c:474
kill_block_super+0x79/0xd0 fs/super.c:1386
deactivate_locked_super+0xa7/0xf0 fs/super.c:332
cleanup_mnt+0x494/0x520 fs/namespace.c:1291
task_work_run+0x243/0x300 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0x124/0x150 kernel/entry/common.c:171
exit_to_user_mode_prepare+0xb2/0x140 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:296
do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff888073765000
which belongs to the cache gfs2_quotad of size 272
The buggy address is located 144 bytes inside of
272-byte region [ffff888073765000, ffff888073765110)

The buggy address belongs to the physical page:
page:ffffea0001cdd940 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x73765
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffff8881462dddc0 dead000000000122 0000000000000000
raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Reclaimable, gfp_mask 0x112c50(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 5600, tgid 5599 (syz-executor.0), ts 79671926158, free_ts 79340580200
prep_new_page mm/page_alloc.c:2531 [inline]
get_page_from_freelist+0x742/0x7c0 mm/page_alloc.c:4283
__alloc_pages+0x259/0x560 mm/page_alloc.c:5549
alloc_slab_page+0xbd/0x190 mm/slub.c:1851
allocate_slab+0x5e/0x3c0 mm/slub.c:1998
new_slab mm/slub.c:2051 [inline]
___slab_alloc+0x782/0xe20 mm/slub.c:3193
__slab_alloc mm/slub.c:3292 [inline]
__slab_alloc_node mm/slub.c:3345 [inline]
slab_alloc_node mm/slub.c:3442 [inline]
slab_alloc mm/slub.c:3460 [inline]
__kmem_cache_alloc_lru mm/slub.c:3467 [inline]
kmem_cache_alloc+0x268/0x350 mm/slub.c:3476
kmem_cache_zalloc include/linux/slab.h:710 [inline]
qd_alloc+0x51/0x250 fs/gfs2/quota.c:216
gfs2_quota_init+0x7c4/0x10e0 fs/gfs2/quota.c:1418
gfs2_make_fs_rw+0x48e/0x590 fs/gfs2/super.c:153
gfs2_fill_super+0x2357/0x2700 fs/gfs2/ops_fstype.c:1274
get_tree_bdev+0x400/0x620 fs/super.c:1282
gfs2_get_tree+0x50/0x210 fs/gfs2/ops_fstype.c:1330
vfs_get_tree+0x88/0x270 fs/super.c:1489
do_new_mount+0x289/0xad0 fs/namespace.c:3145
do_mount fs/namespace.c:3488 [inline]
__do_sys_mount fs/namespace.c:3697 [inline]
__se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3674
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1446 [inline]
free_pcp_prepare+0x751/0x780 mm/page_alloc.c:1496
free_unref_page_prepare mm/page_alloc.c:3369 [inline]
free_unref_page+0x19/0x4c0 mm/page_alloc.c:3464
discard_slab mm/slub.c:2098 [inline]
__unfreeze_partials+0x1a5/0x1e0 mm/slub.c:2637
put_cpu_partial+0x106/0x170 mm/slub.c:2713
qlist_free_all+0x2b/0x70 mm/kasan/quarantine.c:187
kasan_quarantine_reduce+0x156/0x170 mm/kasan/quarantine.c:294
__kasan_slab_alloc+0x1f/0x70 mm/kasan/common.c:302
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slab.h:761 [inline]
slab_alloc_node mm/slub.c:3452 [inline]
slab_alloc mm/slub.c:3460 [inline]
__kmem_cache_alloc_lru mm/slub.c:3467 [inline]
kmem_cache_alloc+0x1b3/0x350 mm/slub.c:3476
vm_area_dup+0x23/0x1b0 kernel/fork.c:466
__split_vma+0xcc/0x530 mm/mmap.c:2207
mprotect_fixup+0x538/0x820 mm/mprotect.c:620
do_mprotect_pkey+0x7ae/0xa90 mm/mprotect.c:785
__do_sys_mprotect mm/mprotect.c:812 [inline]
__se_sys_mprotect mm/mprotect.c:809 [inline]
__x64_sys_mprotect+0x7c/0x90 mm/mprotect.c:809
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Memory state around the buggy address:
ffff888073764f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888073765000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888073765080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888073765100: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888073765180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================


Tested on:

commit: 1b929c02 Linux 6.2-rc1
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1777f252480000
kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=145c543a480000

syzbot

Jan 4, 2023, 3:44:17 AM1/4/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in qd_unlock

RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f8c1448d517
RDX: 00007fffddc213c9 RSI: 000000000000000a RDI: 00007fffddc213c0
RBP: 00007fffddc213c0 R08: 00000000ffffffff R09: 00007fffddc21190
R10: 0000555556fcf8b3 R11: 0000000000000246 R12: 00007f8c144e6b24
R13: 00007fffddc22480 R14: 0000555556fcf810 R15: 00007fffddc224c0
</TASK>
==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:72 [inline]
BUG: KASAN: use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: use-after-free in qd_unlock+0x30/0x2d0 fs/gfs2/quota.c:490
Read of size 8 at addr ffff888073716090 by task syz-executor.0/5531

CPU: 0 PID: 5531 Comm: syz-executor.0 Not tainted 6.2.0-rc1-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1b1/0x290 lib/dump_stack.c:106
print_address_description+0x74/0x340 mm/kasan/report.c:306
print_report+0x107/0x1f0 mm/kasan/report.c:417
kasan_report+0xcd/0x100 mm/kasan/report.c:517
kasan_check_range+0x2a7/0x2e0 mm/kasan/generic.c:189
instrument_atomic_read include/linux/instrumented.h:72 [inline]
_test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
qd_unlock+0x30/0x2d0 fs/gfs2/quota.c:490
gfs2_quota_sync+0x768/0x8b0 fs/gfs2/quota.c:1325
gfs2_sync_fs+0x49/0xb0 fs/gfs2/super.c:650
sync_filesystem+0xe8/0x220 fs/sync.c:56
generic_shutdown_super+0x6b/0x310 fs/super.c:474
kill_block_super+0x79/0xd0 fs/super.c:1386
deactivate_locked_super+0xa7/0xf0 fs/super.c:332
cleanup_mnt+0x494/0x520 fs/namespace.c:1291
task_work_run+0x243/0x300 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0x124/0x150 kernel/entry/common.c:171
exit_to_user_mode_prepare+0xb2/0x140 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:296
do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f8c1448d517
Code: ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffddc212f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f8c1448d517
RDX: 00007fffddc213c9 RSI: 000000000000000a RDI: 00007fffddc213c0
RBP: 00007fffddc213c0 R08: 00000000ffffffff R09: 00007fffddc21190
R10: 0000555556fcf8b3 R11: 0000000000000246 R12: 00007f8c144e6b24
R13: 00007fffddc22480 R14: 0000555556fcf810 R15: 00007fffddc224c0
</TASK>

Allocated by task 5588:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x3d/0x60 mm/kasan/common.c:52
__kasan_slab_alloc+0x65/0x70 mm/kasan/common.c:325
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slab.h:761 [inline]
slab_alloc_node mm/slub.c:3452 [inline]
slab_alloc mm/slub.c:3460 [inline]
__kmem_cache_alloc_lru mm/slub.c:3467 [inline]
kmem_cache_alloc+0x1b3/0x350 mm/slub.c:3476
kmem_cache_zalloc include/linux/slab.h:710 [inline]
qd_alloc+0x51/0x250 fs/gfs2/quota.c:216
gfs2_quota_init+0x7c4/0x10e0 fs/gfs2/quota.c:1415
gfs2_make_fs_rw+0x48e/0x590 fs/gfs2/super.c:153
gfs2_fill_super+0x2357/0x2700 fs/gfs2/ops_fstype.c:1274
get_tree_bdev+0x400/0x620 fs/super.c:1282
gfs2_get_tree+0x50/0x210 fs/gfs2/ops_fstype.c:1330
vfs_get_tree+0x88/0x270 fs/super.c:1489
do_new_mount+0x289/0xad0 fs/namespace.c:3145
do_mount fs/namespace.c:3488 [inline]
__do_sys_mount fs/namespace.c:3697 [inline]
__se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3674
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 4647:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x3d/0x60 mm/kasan/common.c:52
kasan_save_free_info+0x27/0x40 mm/kasan/generic.c:518
____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236
kasan_slab_free include/linux/kasan.h:177 [inline]
slab_free_hook mm/slub.c:1781 [inline]
slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1807
slab_free mm/slub.c:3787 [inline]
kmem_cache_free+0x94/0x1d0 mm/slub.c:3809
rcu_do_batch kernel/rcu/tree.c:2246 [inline]
rcu_core+0x9c1/0x1690 kernel/rcu/tree.c:2506
__do_softirq+0x277/0x738 kernel/softirq.c:571

Last potentially related work creation:
kasan_save_stack+0x2b/0x50 mm/kasan/common.c:45
__kasan_record_aux_stack+0xb0/0xc0 mm/kasan/generic.c:488
__call_rcu_common kernel/rcu/tree.c:2755 [inline]
call_rcu+0x163/0xa70 kernel/rcu/tree.c:2868
gfs2_quota_cleanup+0x457/0x6b0 fs/gfs2/quota.c:1479
gfs2_make_fs_ro+0x517/0x610 fs/gfs2/super.c:560
signal_our_withdraw fs/gfs2/util.c:166 [inline]
gfs2_withdraw+0x609/0x1540 fs/gfs2/util.c:351
gfs2_dinode_in fs/gfs2/glops.c:460 [inline]
gfs2_inode_refresh+0xb2d/0xf60 fs/gfs2/glops.c:480
gfs2_instantiate+0x15e/0x220 fs/gfs2/glock.c:456
gfs2_glock_holder_ready fs/gfs2/glock.c:1299 [inline]
gfs2_glock_wait+0x1d9/0x2a0 fs/gfs2/glock.c:1319
gfs2_glock_nq_init fs/gfs2/glock.h:262 [inline]
do_sync+0x485/0xc80 fs/gfs2/quota.c:916
gfs2_quota_sync+0x3da/0x8b0 fs/gfs2/quota.c:1318
gfs2_sync_fs+0x49/0xb0 fs/gfs2/super.c:650
sync_filesystem+0xe8/0x220 fs/sync.c:56
generic_shutdown_super+0x6b/0x310 fs/super.c:474
kill_block_super+0x79/0xd0 fs/super.c:1386
deactivate_locked_super+0xa7/0xf0 fs/super.c:332
cleanup_mnt+0x494/0x520 fs/namespace.c:1291
task_work_run+0x243/0x300 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0x124/0x150 kernel/entry/common.c:171
exit_to_user_mode_prepare+0xb2/0x140 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:296
do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff888073716000
which belongs to the cache gfs2_quotad of size 272
The buggy address is located 144 bytes inside of
272-byte region [ffff888073716000, ffff888073716110)

The buggy address belongs to the physical page:
page:ffffea0001cdc580 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x73716
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffff8880197b9280 dead000000000122 0000000000000000
raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Reclaimable, gfp_mask 0x112c50(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 5588, tgid 5587 (syz-executor.0), ts 78822522714, free_ts 78684545129
prep_new_page mm/page_alloc.c:2531 [inline]
get_page_from_freelist+0x742/0x7c0 mm/page_alloc.c:4283
__alloc_pages+0x259/0x560 mm/page_alloc.c:5549
alloc_slab_page+0xbd/0x190 mm/slub.c:1851
allocate_slab+0x5e/0x3c0 mm/slub.c:1998
new_slab mm/slub.c:2051 [inline]
___slab_alloc+0x782/0xe20 mm/slub.c:3193
__slab_alloc mm/slub.c:3292 [inline]
__slab_alloc_node mm/slub.c:3345 [inline]
slab_alloc_node mm/slub.c:3442 [inline]
slab_alloc mm/slub.c:3460 [inline]
__kmem_cache_alloc_lru mm/slub.c:3467 [inline]
kmem_cache_alloc+0x268/0x350 mm/slub.c:3476
kmem_cache_zalloc include/linux/slab.h:710 [inline]
qd_alloc+0x51/0x250 fs/gfs2/quota.c:216
gfs2_quota_init+0x7c4/0x10e0 fs/gfs2/quota.c:1415
getname_flags+0xb8/0x4e0 fs/namei.c:139
do_sys_openat2+0xba/0x4e0 fs/open.c:1304
do_sys_open fs/open.c:1326 [inline]
__do_sys_openat fs/open.c:1342 [inline]
__se_sys_openat fs/open.c:1337 [inline]
__x64_sys_openat+0x243/0x290 fs/open.c:1337
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Memory state around the buggy address:
ffff888073715f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888073716000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888073716080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888073716100: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888073716180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================


Tested on:

commit: 1b929c02 Linux 6.2-rc1
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=17d8e984480000
kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=1647af1a480000

ead...@sina.com

Jan 4, 2023, 4:06:24 AM1/4/23
to syzbot+3f6a67...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
From: Edward Adam Davis <ead...@sina.com>

On Mon, 02 Jan 2023 13:20:44 -0800
> HEAD commit: 1b929c02afd3 Linux 6.2-rc1
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1799c250480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
> dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
> compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14c4ea18480000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1359b338480000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/2d8c5072480f/disk-1b929c02.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/46687f1395db/vmlinux-1b929c02.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/26f1afa5ec00/bzImage-1b929c02.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/35edd581b491/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+3f6a67...@syzkaller.appspotmail.com

syzbot report:
BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:72 [inline]
BUG: KASAN: use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: use-after-free in qd_unlock+0x30/0x2d0 fs/gfs2/quota.c:490
Read of size 8 at addr ffff888073997090 by task syz-executor221/5069

Test 1b929c02afd3 uaf.

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 1b929c02afd3

--- a/fs/gfs2/quota.c
+++ b/fs/gfs2/quota.c
@@ -450,7 +450,7 @@ static int qd_check_sync(struct gfs2_sbd *sdp, struct gfs2_quota_data *qd,

static int qd_fish(struct gfs2_sbd *sdp, struct gfs2_quota_data **qdp)
{
- struct gfs2_quota_data *qd = NULL, *iter;
+ struct gfs2_quota_data *qd = NULL, *iter = NULL;
int error;

*qdp = NULL;
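Review bot: initialising `iter = NULL` in qd_fish() cannot affect this report. The KASAN lines quoted above describe a use-after-free, not a read through an uninitialised pointer: the read in qd_unlock hits a gfs2_quotad object whose shadow bytes are `fb` (freed slab object) and whose "Freed by" stack is kmem_cache_free from rcu_do_batch, queued by call_rcu in gfs2_quota_cleanup during gfs2_withdraw. A NULL initialiser for a local pointer leaves that lifetime problem untouched.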
@@ -952,8 +952,11 @@ static int do_sync(unsigned int num_qd, struct gfs2_quota_data **qda)
qd = qda[x];
offset = qd2offset(qd);
error = gfs2_adjust_quota(ip, offset, qd->qd_change_sync, qd, NULL);
- if (error)
+ if (error) {
+ if (!qd)
+ fs_info(sdp, "err: %d, qda[%d]", error, x);
goto out_end_trans;
+ }

do_qc(qd, -qd->qd_change_sync);
set_bit(QDF_REFRESH, &qd->qd_flags);
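Review bot: the `if (!qd)` test added inside the error path is unreachable as a diagnostic, because `qd` is already dereferenced two lines earlier (`offset = qd2offset(qd);` and `qd->qd_change_sync`); a NULL entry in qda[] would have faulted before reaching the new check. More importantly, syzbot did not report a NULL pointer but a read of a freed gfs2_quotad object, which a NULL test cannot detect, and its reply to this test reproduces the identical KASAN read in qd_unlock at fs/gfs2/quota.c:490 with the patch applied. Dropping the extra braces and the fs_info() call would restore the original two-line error path.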

syzbot

Jan 4, 2023, 4:28:25 AM1/4/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in qd_unlock

RBP: 00007ffe1dbeecf0 R08: 00000000ffffffff R09: 00007ffe1dbeeac0
R10: 000055555704d8b3 R11: 0000000000000246 R12: 00007f58586e6b24
R13: 00007ffe1dbefdb0 R14: 000055555704d810 R15: 00007ffe1dbefdf0
</TASK>
==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:72 [inline]
BUG: KASAN: use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: use-after-free in qd_unlock+0x30/0x2d0 fs/gfs2/quota.c:490
Read of size 8 at addr ffff888076f49090 by task syz-executor.0/5532

CPU: 0 PID: 5532 Comm: syz-executor.0 Not tainted 6.2.0-rc1-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1b1/0x290 lib/dump_stack.c:106
print_address_description+0x74/0x340 mm/kasan/report.c:306
print_report+0x107/0x1f0 mm/kasan/report.c:417
kasan_report+0xcd/0x100 mm/kasan/report.c:517
kasan_check_range+0x2a7/0x2e0 mm/kasan/generic.c:189
instrument_atomic_read include/linux/instrumented.h:72 [inline]
_test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
qd_unlock+0x30/0x2d0 fs/gfs2/quota.c:490
gfs2_quota_sync+0x768/0x8b0 fs/gfs2/quota.c:1328
gfs2_sync_fs+0x49/0xb0 fs/gfs2/super.c:650
sync_filesystem+0xe8/0x220 fs/sync.c:56
generic_shutdown_super+0x6b/0x310 fs/super.c:474
kill_block_super+0x79/0xd0 fs/super.c:1386
deactivate_locked_super+0xa7/0xf0 fs/super.c:332
cleanup_mnt+0x494/0x520 fs/namespace.c:1291
task_work_run+0x243/0x300 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0x124/0x150 kernel/entry/common.c:171
exit_to_user_mode_prepare+0xb2/0x140 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:296
do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f585868d517
Code: ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe1dbeec28 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f585868d517
RDX: 00007ffe1dbeecf9 RSI: 000000000000000a RDI: 00007ffe1dbeecf0
RBP: 00007ffe1dbeecf0 R08: 00000000ffffffff R09: 00007ffe1dbeeac0
R10: 000055555704d8b3 R11: 0000000000000246 R12: 00007f58586e6b24
R13: 00007ffe1dbefdb0 R14: 000055555704d810 R15: 00007ffe1dbefdf0
</TASK>

Allocated by task 5595:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x3d/0x60 mm/kasan/common.c:52
__kasan_slab_alloc+0x65/0x70 mm/kasan/common.c:325
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slab.h:761 [inline]
slab_alloc_node mm/slub.c:3452 [inline]
slab_alloc mm/slub.c:3460 [inline]
__kmem_cache_alloc_lru mm/slub.c:3467 [inline]
kmem_cache_alloc+0x1b3/0x350 mm/slub.c:3476
kmem_cache_zalloc include/linux/slab.h:710 [inline]
qd_alloc+0x51/0x250 fs/gfs2/quota.c:216
gfs2_quota_init+0x7c4/0x10e0 fs/gfs2/quota.c:1418
gfs2_make_fs_rw+0x48e/0x590 fs/gfs2/super.c:153
gfs2_fill_super+0x2357/0x2700 fs/gfs2/ops_fstype.c:1274
get_tree_bdev+0x400/0x620 fs/super.c:1282
gfs2_get_tree+0x50/0x210 fs/gfs2/ops_fstype.c:1330
vfs_get_tree+0x88/0x270 fs/super.c:1489
do_new_mount+0x289/0xad0 fs/namespace.c:3145
do_mount fs/namespace.c:3488 [inline]
__do_sys_mount fs/namespace.c:3697 [inline]
__se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3674
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 15:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x3d/0x60 mm/kasan/common.c:52
kasan_save_free_info+0x27/0x40 mm/kasan/generic.c:518
____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236
kasan_slab_free include/linux/kasan.h:177 [inline]
slab_free_hook mm/slub.c:1781 [inline]
slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1807
slab_free mm/slub.c:3787 [inline]
kmem_cache_free+0x94/0x1d0 mm/slub.c:3809
rcu_do_batch kernel/rcu/tree.c:2246 [inline]
rcu_core+0x9c1/0x1690 kernel/rcu/tree.c:2506
__do_softirq+0x277/0x738 kernel/softirq.c:571

Last potentially related work creation:
kasan_save_stack+0x2b/0x50 mm/kasan/common.c:45
__kasan_record_aux_stack+0xb0/0xc0 mm/kasan/generic.c:488
__call_rcu_common kernel/rcu/tree.c:2755 [inline]
call_rcu+0x163/0xa70 kernel/rcu/tree.c:2868
gfs2_quota_cleanup+0x457/0x6b0 fs/gfs2/quota.c:1482
gfs2_make_fs_ro+0x517/0x610 fs/gfs2/super.c:560
signal_our_withdraw fs/gfs2/util.c:166 [inline]
gfs2_withdraw+0x609/0x1540 fs/gfs2/util.c:351
gfs2_dinode_in fs/gfs2/glops.c:460 [inline]
gfs2_inode_refresh+0xb2d/0xf60 fs/gfs2/glops.c:480
gfs2_instantiate+0x15e/0x220 fs/gfs2/glock.c:456
gfs2_glock_holder_ready fs/gfs2/glock.c:1299 [inline]
gfs2_glock_wait+0x1d9/0x2a0 fs/gfs2/glock.c:1319
gfs2_glock_nq_init fs/gfs2/glock.h:262 [inline]
do_sync+0x47d/0xcd0 fs/gfs2/quota.c:916
gfs2_quota_sync+0x3da/0x8b0 fs/gfs2/quota.c:1321
gfs2_sync_fs+0x49/0xb0 fs/gfs2/super.c:650
sync_filesystem+0xe8/0x220 fs/sync.c:56
generic_shutdown_super+0x6b/0x310 fs/super.c:474
kill_block_super+0x79/0xd0 fs/super.c:1386
deactivate_locked_super+0xa7/0xf0 fs/super.c:332
cleanup_mnt+0x494/0x520 fs/namespace.c:1291
task_work_run+0x243/0x300 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0x124/0x150 kernel/entry/common.c:171
exit_to_user_mode_prepare+0xb2/0x140 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:296
do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff888076f49000
which belongs to the cache gfs2_quotad of size 272
The buggy address is located 144 bytes inside of
272-byte region [ffff888076f49000, ffff888076f49110)

The buggy address belongs to the physical page:
page:ffffea0001dbd240 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x76f49
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffff88801935d000 dead000000000122 0000000000000000
raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Reclaimable, gfp_mask 0x112c50(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 5595, tgid 5594 (syz-executor.0), ts 77041741936, free_ts 76776536365
prep_new_page mm/page_alloc.c:2531 [inline]
get_page_from_freelist+0x742/0x7c0 mm/page_alloc.c:4283
__alloc_pages+0x259/0x560 mm/page_alloc.c:5549
alloc_slab_page+0xbd/0x190 mm/slub.c:1851
allocate_slab+0x5e/0x3c0 mm/slub.c:1998
new_slab mm/slub.c:2051 [inline]
___slab_alloc+0x782/0xe20 mm/slub.c:3193
__slab_alloc mm/slub.c:3292 [inline]
__slab_alloc_node mm/slub.c:3345 [inline]
slab_alloc_node mm/slub.c:3442 [inline]
slab_alloc mm/slub.c:3460 [inline]
__kmem_cache_alloc_lru mm/slub.c:3467 [inline]
kmem_cache_alloc+0x268/0x350 mm/slub.c:3476
kmem_cache_zalloc include/linux/slab.h:710 [inline]
qd_alloc+0x51/0x250 fs/gfs2/quota.c:216
gfs2_quota_init+0x7c4/0x10e0 fs/gfs2/quota.c:1418
ffff888076f48f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888076f49000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888076f49080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888076f49100: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888076f49180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================


Tested on:

commit: 1b929c02 Linux 6.2-rc1
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=17ecebda480000
kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=14a40542480000

ead...@sina.com

Jan 4, 2023, 6:10:35 AM1/4/23
to syzbot+3f6a67...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
From: Edward Adam Davis <ead...@sina.com>

On Mon, 02 Jan 2023 13:20:44 -0800
> HEAD commit: 1b929c02afd3 Linux 6.2-rc1
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1799c250480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
> dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
> compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14c4ea18480000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1359b338480000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/2d8c5072480f/disk-1b929c02.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/46687f1395db/vmlinux-1b929c02.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/26f1afa5ec00/bzImage-1b929c02.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/35edd581b491/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+3f6a67...@syzkaller.appspotmail.com

syzbot report:
BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:72 [inline]
BUG: KASAN: use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: use-after-free in qd_unlock+0x30/0x2d0 fs/gfs2/quota.c:490
Read of size 8 at addr ffff888073997090 by task syz-executor221/5069

Test 1b929c02afd3 uaf.

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 1b929c02afd3

--- a/fs/gfs2/quota.c
+++ b/fs/gfs2/quota.c
@@ -976,6 +976,9 @@ static int do_sync(unsigned int num_qd, struct gfs2_quota_data **qda)
GFS2_LOG_HEAD_FLUSH_NORMAL | GFS2_LFC_DO_SYNC);
out:
gfs2_qa_put(ip);
+ for (x = 0; x < num_qd; x++)
+ BUG_ON(!qda[x]);
+
return error;
}
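Review bot: `BUG_ON(!qda[x])` after the `out:` label checks for NULL entries, but every report in this thread shows non-NULL pointers into a freed 272-byte gfs2_quotad object (shadow `fb`, freed by kmem_cache_free from rcu_do_batch after call_rcu in gfs2_quota_cleanup), so the loop can never fire and the reproducer still reaches the same qd_unlock read. The loop also runs on every exit from do_sync(), including the error exits, and would turn any genuine NULL into a kernel panic; WARN_ON_ONCE() is the less destructive probe if one is wanted. The fix has to keep the quota data alive across gfs2_quota_sync(): the "Last potentially related work creation" stack shows the withdraw path freeing it while do_sync() still holds it in qda[].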

syzbot

Jan 4, 2023, 1:22:21 PM1/4/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in qd_unlock

RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f43c0a8d517
RDX: 00007fff6e54cbc9 RSI: 000000000000000a RDI: 00007fff6e54cbc0
RBP: 00007fff6e54cbc0 R08: 00000000ffffffff R09: 00007fff6e54c990
R10: 0000555556b8d8b3 R11: 0000000000000246 R12: 00007f43c0ae6b24
R13: 00007fff6e54dc80 R14: 0000555556b8d810 R15: 00007fff6e54dcc0
</TASK>
==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:72 [inline]
BUG: KASAN: use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: use-after-free in qd_unlock+0x30/0x2d0 fs/gfs2/quota.c:490
Read of size 8 at addr ffff888072c8d090 by task syz-executor.0/5530

CPU: 0 PID: 5530 Comm: syz-executor.0 Not tainted 6.2.0-rc1-syzkaller-dirty #0
RIP: 0033:0x7f43c0a8d517
Code: ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff6e54caf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f43c0a8d517
RDX: 00007fff6e54cbc9 RSI: 000000000000000a RDI: 00007fff6e54cbc0
RBP: 00007fff6e54cbc0 R08: 00000000ffffffff R09: 00007fff6e54c990
R10: 0000555556b8d8b3 R11: 0000000000000246 R12: 00007f43c0ae6b24
R13: 00007fff6e54dc80 R14: 0000555556b8d810 R15: 00007fff6e54dcc0
Freed by task 5581:
do_sync+0x483/0xd00 fs/gfs2/quota.c:916
gfs2_quota_sync+0x3da/0x8b0 fs/gfs2/quota.c:1321
gfs2_sync_fs+0x49/0xb0 fs/gfs2/super.c:650
sync_filesystem+0xe8/0x220 fs/sync.c:56
generic_shutdown_super+0x6b/0x310 fs/super.c:474
kill_block_super+0x79/0xd0 fs/super.c:1386
deactivate_locked_super+0xa7/0xf0 fs/super.c:332
cleanup_mnt+0x494/0x520 fs/namespace.c:1291
task_work_run+0x243/0x300 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0x124/0x150 kernel/entry/common.c:171
exit_to_user_mode_prepare+0xb2/0x140 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:296
do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff888072c8d000
which belongs to the cache gfs2_quotad of size 272
The buggy address is located 144 bytes inside of
272-byte region [ffff888072c8d000, ffff888072c8d110)

The buggy address belongs to the physical page:
page:ffffea0001cb2340 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x72c8d
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffff88801c0903c0 dead000000000122 0000000000000000
raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Reclaimable, gfp_mask 0x112c50(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 5595, tgid 5594 (syz-executor.0), ts 79751945116, free_ts 12843743189
free_contig_range+0xa3/0x160 mm/page_alloc.c:9485
destroy_args+0xfe/0x940 mm/debug_vm_pgtable.c:998
debug_vm_pgtable+0x43d/0x4a0 mm/debug_vm_pgtable.c:1318
do_one_initcall+0x1d1/0x410 init/main.c:1306
do_initcall_level+0x168/0x220 init/main.c:1379
do_initcalls+0x43/0x90 init/main.c:1395
kernel_init_freeable+0x428/0x5e0 init/main.c:1634
kernel_init+0x19/0x2b0 init/main.c:1522
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308

Memory state around the buggy address:
ffff888072c8cf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888072c8d000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888072c8d080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888072c8d100: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888072c8d180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================


Tested on:

commit: 1b929c02 Linux 6.2-rc1
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=11d46676480000
kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=160a1288480000

ead...@sina.com

Jan 11, 2023, 1:07:22 AM1/11/23
to syzbot+3f6a67...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
From: Edward Adam Davis <ead...@sina.com>

On Mon, 02 Jan 2023 13:20:44 -0800
> HEAD commit: 1b929c02afd3 Linux 6.2-rc1
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1799c250480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
> dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
> compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14c4ea18480000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1359b338480000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/2d8c5072480f/disk-1b929c02.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/46687f1395db/vmlinux-1b929c02.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/26f1afa5ec00/bzImage-1b929c02.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/35edd581b491/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+3f6a67...@syzkaller.appspotmail.com

syzbot report:
BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:72 [inline]
BUG: KASAN: use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: use-after-free in qd_unlock+0x30/0x2d0 fs/gfs2/quota.c:490
Read of size 8 at addr ffff888073997090 by task syz-executor221/5069

Test 1b929c02afd3 uaf.

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 1b929c02afd3

--- a/fs/gfs2/quota.c
+++ b/fs/gfs2/quota.c
@@ -487,6 +487,8 @@ static int qd_fish(struct gfs2_sbd *sdp, struct gfs2_quota_data **qdp)

static void qd_unlock(struct gfs2_quota_data *qd)
{
+ BUG_ON(!qd);
+
gfs2_assert_warn(qd->qd_gl->gl_name.ln_sbd,
test_bit(QDF_LOCKED, &qd->qd_flags));
clear_bit(QDF_LOCKED, &qd->qd_flags);
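Review bot: BUG_ON(!qd) cannot catch the failure quoted above. The KASAN lines say use-after-free in qd_unlock (fs/gfs2/quota.c:490) with a read of size 8 at ffff888073997090, so qd is a non-NULL pointer into an already freed object; the NULL assertion passes and the test_bit() on qd->qd_flags that follows is still the faulting access. The fix has to keep the gfs2_quota_data alive (or not hand it out) while gfs2_quota_sync still holds it; a NULL check in the consumer only turns a KASAN report into a panic. Suggest dropping the BUG_ON and looking at the free side instead.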

ead...@sina.com

Jan 11, 2023, 1:13:07 AM1/11/23
to syzbot+3f6a67...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
From: Edward Adam Davis <ead...@sina.com>

On Mon, 02 Jan 2023 13:20:44 -0800
> HEAD commit: 1b929c02afd3 Linux 6.2-rc1
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1799c250480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
> dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
> compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14c4ea18480000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1359b338480000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/2d8c5072480f/disk-1b929c02.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/46687f1395db/vmlinux-1b929c02.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/26f1afa5ec00/bzImage-1b929c02.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/35edd581b491/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+3f6a67...@syzkaller.appspotmail.com

syzbot report:
BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:72 [inline]
BUG: KASAN: use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: use-after-free in qd_unlock+0x30/0x2d0 fs/gfs2/quota.c:490
Read of size 8 at addr ffff888073997090 by task syz-executor221/5069

Test 1b929c02afd3 uaf.

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 1b929c02afd3

--- a/fs/gfs2/quota.c
+++ b/fs/gfs2/quota.c
@@ -487,6 +487,8 @@ static int qd_fish(struct gfs2_sbd *sdp, struct gfs2_quota_data **qdp)

static void qd_unlock(struct gfs2_quota_data *qd)
{
+ BUG_ON(IS_ERR(qd));
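Review bot: IS_ERR(qd) tests for an error-pointer encoding, not for a pointer to freed memory. The qd in this report is an ordinary slab address (ffff888073997090), so this assertion passes and the subsequent test_bit() on qd->qd_flags still reads freed memory, exactly as before. As quoted here the hunk also stops after the BUG_ON line although the header announces two added lines, so the change as posted is incomplete.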

ead...@sina.com

Jan 11, 2023, 3:39:23 AM1/11/23
to syzbot+3f6a67...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
From: Edward Adam Davis <ead...@sina.com>

On Mon, 02 Jan 2023 13:20:44 -0800
> HEAD commit: 1b929c02afd3 Linux 6.2-rc1
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1799c250480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
> dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
> compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14c4ea18480000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1359b338480000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/2d8c5072480f/disk-1b929c02.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/46687f1395db/vmlinux-1b929c02.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/26f1afa5ec00/bzImage-1b929c02.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/35edd581b491/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+3f6a67...@syzkaller.appspotmail.com

syzbot report:
BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:72 [inline]
BUG: KASAN: use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: use-after-free in qd_unlock+0x30/0x2d0 fs/gfs2/quota.c:490
Read of size 8 at addr ffff888073997090 by task syz-executor221/5069

Test 1b929c02afd3 uaf.

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 1b929c02afd3

--- a/fs/gfs2/quota.c
+++ b/fs/gfs2/quota.c
@@ -117,6 +117,7 @@ static void gfs2_qd_dispose(struct list_head *list)
while (!list_empty(list)) {
qd = list_first_entry(list, struct gfs2_quota_data, qd_lru);
sdp = qd->qd_gl->gl_name.ln_sbd;
+ mutex_lock(&sdp->sd_quota_mutex);

list_del(&qd->qd_lru);

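Review bot: taking sd_quota_mutex inside the gfs2_qd_dispose() loop does not cover the path that frees the object in this report. The KASAN output syzbot returned in this thread shows the freeing call_rcu() issued from gfs2_quota_cleanup (fs/gfs2/quota.c:1481), reached via gfs2_withdraw -> gfs2_make_fs_ro from do_sync inside gfs2_quota_sync itself, and the actual kmem_cache_free() running from the RCU callback in rcu_do_batch. A mutex held around the call_rcu() below neither delays that callback nor serializes gfs2_quota_cleanup(), so a qd that gfs2_quota_sync still has in its qda array is freed underneath it regardless of this lock. The lifetime needs to be handled by a reference held for the duration of the sync (or by not disposing entries that are still in use), not by locking the dispose loop.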
@@ -138,6 +139,7 @@ static void gfs2_qd_dispose(struct list_head *list)

/* Delete it from the common reclaim list */
call_rcu(&qd->qd_rcu, gfs2_qd_dealloc);
+ mutex_unlock(&sdp->sd_quota_mutex);
}
}

@@ -487,6 +489,8 @@ static int qd_fish(struct gfs2_sbd *sdp, struct gfs2_quota_data **qdp)

static void qd_unlock(struct gfs2_quota_data *qd)
{
+ BUG_ON(IS_ERR(qd));
+
gfs2_assert_warn(qd->qd_gl->gl_name.ln_sbd,
test_bit(QDF_LOCKED, &qd->qd_flags));
clear_bit(QDF_LOCKED, &qd->qd_flags);
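Review bot: BUG_ON(IS_ERR(qd)) checks for an error-pointer encoding only; the faulting qd in this report is a regular slab address (ffff888073997090, read of size 8 in qd_unlock), so the assertion is always satisfied and the test_bit() on qd->qd_flags right after it is still the use-after-free. This hunk adds no protection and should be dropped from the patch.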
@@ -1299,6 +1303,7 @@ int gfs2_quota_sync(struct super_block *sb, int type)
if (!qda)
return -ENOMEM;

+ mutex_lock(&sdp->sd_quota_mutex);
mutex_lock(&sdp->sd_quota_sync_mutex);
sdp->sd_quota_sync_gen++;

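Review bot: acquiring sd_quota_mutex at the top of gfs2_quota_sync() recurses on a non-recursive mutex. bh_get() takes sd_quota_mutex itself (fs/gfs2/quota.c:377) and is called from qd_fish() inside this function's loop (quota.c:476 -> quota.c:1314); that is the "possible deadlock in bh_get" lockdep report in this thread, which shows the lock already held at gfs2_quota_sync quota.c:1306 when bh_get tries to take it again. The hunk also establishes a sd_quota_mutex -> sd_quota_sync_mutex ordering that every other site taking both would have to respect. Holding this mutex across the whole sync loop is not viable; the entries being synced need a reference (QDF_LOCKED is already set on them, see qd_unlock above) so that disposal cannot free them mid-sync.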
@@ -1327,6 +1332,7 @@ int gfs2_quota_sync(struct super_block *sb, int type)
} while (!error && num_qd == max_qd);

mutex_unlock(&sdp->sd_quota_sync_mutex);
+ mutex_unlock(&sdp->sd_quota_mutex);
kfree(qda);

return error;

syzbot

Jan 11, 2023, 6:24:17 AM1/11/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in qd_unlock

==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:72 [inline]
BUG: KASAN: use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: use-after-free in qd_unlock+0x39/0x2e0 fs/gfs2/quota.c:492
Read of size 8 at addr ffff88807375f090 by task syz-executor.0/5528

CPU: 1 PID: 5528 Comm: syz-executor.0 Not tainted 6.2.0-rc1-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1b1/0x290 lib/dump_stack.c:106
print_address_description+0x74/0x340 mm/kasan/report.c:306
print_report+0x107/0x1f0 mm/kasan/report.c:417
kasan_report+0xcd/0x100 mm/kasan/report.c:517
kasan_check_range+0x2a7/0x2e0 mm/kasan/generic.c:189
instrument_atomic_read include/linux/instrumented.h:72 [inline]
_test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
qd_unlock+0x39/0x2e0 fs/gfs2/quota.c:492
gfs2_quota_sync+0x768/0x8b0 fs/gfs2/quota.c:1327
gfs2_sync_fs+0x49/0xb0 fs/gfs2/super.c:650
sync_filesystem+0xe8/0x220 fs/sync.c:56
generic_shutdown_super+0x6b/0x310 fs/super.c:474
kill_block_super+0x79/0xd0 fs/super.c:1386
deactivate_locked_super+0xa7/0xf0 fs/super.c:332
cleanup_mnt+0x494/0x520 fs/namespace.c:1291
task_work_run+0x243/0x300 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0x124/0x150 kernel/entry/common.c:171
exit_to_user_mode_prepare+0xb2/0x140 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:296
do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fc0c0c8d517
Code: ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc60235f98 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007fc0c0c8d517
RDX: 00007ffc60236069 RSI: 000000000000000a RDI: 00007ffc60236060
RBP: 00007ffc60236060 R08: 00000000ffffffff R09: 00007ffc60235e30
R10: 00005555573cc8b3 R11: 0000000000000246 R12: 00007fc0c0ce6b24
R13: 00007ffc60237120 R14: 00005555573cc810 R15: 00007ffc60237160
</TASK>

Allocated by task 5598:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x3d/0x60 mm/kasan/common.c:52
__kasan_slab_alloc+0x65/0x70 mm/kasan/common.c:325
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slab.h:761 [inline]
slab_alloc_node mm/slub.c:3452 [inline]
slab_alloc mm/slub.c:3460 [inline]
__kmem_cache_alloc_lru mm/slub.c:3467 [inline]
kmem_cache_alloc+0x1b3/0x350 mm/slub.c:3476
kmem_cache_zalloc include/linux/slab.h:710 [inline]
qd_alloc+0x51/0x250 fs/gfs2/quota.c:216
gfs2_quota_init+0x7c4/0x10e0 fs/gfs2/quota.c:1417
gfs2_make_fs_rw+0x48e/0x590 fs/gfs2/super.c:153
gfs2_fill_super+0x2357/0x2700 fs/gfs2/ops_fstype.c:1274
get_tree_bdev+0x400/0x620 fs/super.c:1282
gfs2_get_tree+0x50/0x210 fs/gfs2/ops_fstype.c:1330
vfs_get_tree+0x88/0x270 fs/super.c:1489
do_new_mount+0x289/0xad0 fs/namespace.c:3145
do_mount fs/namespace.c:3488 [inline]
__do_sys_mount fs/namespace.c:3697 [inline]
__se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3674
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 5528:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x3d/0x60 mm/kasan/common.c:52
kasan_save_free_info+0x27/0x40 mm/kasan/generic.c:518
____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236
kasan_slab_free include/linux/kasan.h:177 [inline]
slab_free_hook mm/slub.c:1781 [inline]
slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1807
slab_free mm/slub.c:3787 [inline]
kmem_cache_free+0x94/0x1d0 mm/slub.c:3809
rcu_do_batch kernel/rcu/tree.c:2246 [inline]
rcu_core+0x9c1/0x1690 kernel/rcu/tree.c:2506
__do_softirq+0x277/0x738 kernel/softirq.c:571

Last potentially related work creation:
kasan_save_stack+0x2b/0x50 mm/kasan/common.c:45
__kasan_record_aux_stack+0xb0/0xc0 mm/kasan/generic.c:488
__call_rcu_common kernel/rcu/tree.c:2755 [inline]
call_rcu+0x163/0xa70 kernel/rcu/tree.c:2868
gfs2_quota_cleanup+0x457/0x6b0 fs/gfs2/quota.c:1481
gfs2_make_fs_ro+0x517/0x610 fs/gfs2/super.c:560
signal_our_withdraw fs/gfs2/util.c:166 [inline]
gfs2_withdraw+0x609/0x1540 fs/gfs2/util.c:351
gfs2_dinode_in fs/gfs2/glops.c:460 [inline]
gfs2_inode_refresh+0xb2d/0xf60 fs/gfs2/glops.c:480
gfs2_instantiate+0x15e/0x220 fs/gfs2/glock.c:456
gfs2_glock_holder_ready fs/gfs2/glock.c:1299 [inline]
gfs2_glock_wait+0x1d9/0x2a0 fs/gfs2/glock.c:1319
gfs2_glock_nq_init fs/gfs2/glock.h:262 [inline]
do_sync+0x485/0xc80 fs/gfs2/quota.c:918
gfs2_quota_sync+0x3da/0x8b0 fs/gfs2/quota.c:1320
gfs2_sync_fs+0x49/0xb0 fs/gfs2/super.c:650
sync_filesystem+0xe8/0x220 fs/sync.c:56
generic_shutdown_super+0x6b/0x310 fs/super.c:474
kill_block_super+0x79/0xd0 fs/super.c:1386
deactivate_locked_super+0xa7/0xf0 fs/super.c:332
cleanup_mnt+0x494/0x520 fs/namespace.c:1291
task_work_run+0x243/0x300 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0x124/0x150 kernel/entry/common.c:171
exit_to_user_mode_prepare+0xb2/0x140 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:296
do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff88807375f000
which belongs to the cache gfs2_quotad of size 272
The buggy address is located 144 bytes inside of
272-byte region [ffff88807375f000, ffff88807375f110)

The buggy address belongs to the physical page:
page:ffffea0001cdd7c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7375f
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffff88814617c3c0 dead000000000122 0000000000000000
raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Reclaimable, gfp_mask 0x112c50(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 5598, tgid 5597 (syz-executor.0), ts 77686641655, free_ts 77389531737
prep_new_page mm/page_alloc.c:2531 [inline]
get_page_from_freelist+0x742/0x7c0 mm/page_alloc.c:4283
__alloc_pages+0x259/0x560 mm/page_alloc.c:5549
alloc_slab_page+0xbd/0x190 mm/slub.c:1851
allocate_slab+0x5e/0x3c0 mm/slub.c:1998
new_slab mm/slub.c:2051 [inline]
___slab_alloc+0x782/0xe20 mm/slub.c:3193
__slab_alloc mm/slub.c:3292 [inline]
__slab_alloc_node mm/slub.c:3345 [inline]
slab_alloc_node mm/slub.c:3442 [inline]
slab_alloc mm/slub.c:3460 [inline]
__kmem_cache_alloc_lru mm/slub.c:3467 [inline]
kmem_cache_alloc+0x268/0x350 mm/slub.c:3476
kmem_cache_zalloc include/linux/slab.h:710 [inline]
qd_alloc+0x51/0x250 fs/gfs2/quota.c:216
gfs2_quota_init+0x7c4/0x10e0 fs/gfs2/quota.c:1417
gfs2_make_fs_rw+0x48e/0x590 fs/gfs2/super.c:153
gfs2_fill_super+0x2357/0x2700 fs/gfs2/ops_fstype.c:1274
get_tree_bdev+0x400/0x620 fs/super.c:1282
gfs2_get_tree+0x50/0x210 fs/gfs2/ops_fstype.c:1330
vfs_get_tree+0x88/0x270 fs/super.c:1489
do_new_mount+0x289/0xad0 fs/namespace.c:3145
do_mount fs/namespace.c:3488 [inline]
__do_sys_mount fs/namespace.c:3697 [inline]
__se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3674
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1446 [inline]
free_pcp_prepare+0x751/0x780 mm/page_alloc.c:1496
free_unref_page_prepare mm/page_alloc.c:3369 [inline]
free_unref_page+0x19/0x4c0 mm/page_alloc.c:3464
discard_slab mm/slub.c:2098 [inline]
__unfreeze_partials+0x1a5/0x1e0 mm/slub.c:2637
put_cpu_partial+0x106/0x170 mm/slub.c:2713
qlist_free_all+0x2b/0x70 mm/kasan/quarantine.c:187
kasan_quarantine_reduce+0x156/0x170 mm/kasan/quarantine.c:294
__kasan_slab_alloc+0x1f/0x70 mm/kasan/common.c:302
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slab.h:761 [inline]
slab_alloc_node mm/slub.c:3452 [inline]
slab_alloc mm/slub.c:3460 [inline]
__kmem_cache_alloc_lru mm/slub.c:3467 [inline]
kmem_cache_alloc_lru+0x183/0x320 mm/slub.c:3483
alloc_inode_sb include/linux/fs.h:3116 [inline]
alloc_inode fs/inode.c:261 [inline]
new_inode_pseudo+0x81/0x1d0 fs/inode.c:1018
get_pipe_inode fs/pipe.c:873 [inline]
create_pipe_files+0x4b/0x6e0 fs/pipe.c:913
__do_pipe_flags+0x46/0x200 fs/pipe.c:962
do_pipe2+0x8f/0x2b0 fs/pipe.c:1010
__do_sys_pipe fs/pipe.c:1033 [inline]
__se_sys_pipe fs/pipe.c:1031 [inline]
__x64_sys_pipe+0x36/0x40 fs/pipe.c:1031
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Memory state around the buggy address:
ffff88807375ef80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88807375f000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88807375f080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88807375f100: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88807375f180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================


Tested on:

commit: 1b929c02 Linux 6.2-rc1
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=125a8622480000
kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=10a8e61c480000

syzbot

Jan 11, 2023, 6:46:22 AM1/11/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in qd_unlock

==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:72 [inline]
BUG: KASAN: use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: use-after-free in qd_unlock+0x3d/0x2f0 fs/gfs2/quota.c:492
Read of size 8 at addr ffff888072a8d090 by task syz-executor.0/5528

CPU: 1 PID: 5528 Comm: syz-executor.0 Not tainted 6.2.0-rc1-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1b1/0x290 lib/dump_stack.c:106
print_address_description+0x74/0x340 mm/kasan/report.c:306
print_report+0x107/0x1f0 mm/kasan/report.c:417
kasan_report+0xcd/0x100 mm/kasan/report.c:517
kasan_check_range+0x2a7/0x2e0 mm/kasan/generic.c:189
instrument_atomic_read include/linux/instrumented.h:72 [inline]
_test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
qd_unlock+0x3d/0x2f0 fs/gfs2/quota.c:492
gfs2_quota_sync+0x768/0x8b0 fs/gfs2/quota.c:1327
gfs2_sync_fs+0x49/0xb0 fs/gfs2/super.c:650
sync_filesystem+0xe8/0x220 fs/sync.c:56
generic_shutdown_super+0x6b/0x310 fs/super.c:474
kill_block_super+0x79/0xd0 fs/super.c:1386
deactivate_locked_super+0xa7/0xf0 fs/super.c:332
cleanup_mnt+0x494/0x520 fs/namespace.c:1291
task_work_run+0x243/0x300 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0x124/0x150 kernel/entry/common.c:171
exit_to_user_mode_prepare+0xb2/0x140 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:296
do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f48b1a8d517
Code: ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcfdfd53e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f48b1a8d517
RDX: 00007ffcfdfd54b9 RSI: 000000000000000a RDI: 00007ffcfdfd54b0
RBP: 00007ffcfdfd54b0 R08: 00000000ffffffff R09: 00007ffcfdfd5280
R10: 00005555569628b3 R11: 0000000000000246 R12: 00007f48b1ae6b24
R13: 00007ffcfdfd6570 R14: 0000555556962810 R15: 00007ffcfdfd65b0
</TASK>

Allocated by task 5599:
The buggy address belongs to the object at ffff888072a8d000
which belongs to the cache gfs2_quotad of size 272
The buggy address is located 144 bytes inside of
272-byte region [ffff888072a8d000, ffff888072a8d110)

The buggy address belongs to the physical page:
page:ffffea0001caa340 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x72a8d
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffff8880196523c0 dead000000000122 0000000000000000
raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Reclaimable, gfp_mask 0x112c50(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 5599, tgid 5597 (syz-executor.0), ts 80146231112, free_ts 79597710961
kmem_cache_alloc+0x1b3/0x350 mm/slub.c:3476
getname_flags+0xb8/0x4e0 fs/namei.c:139
do_sys_openat2+0xba/0x4e0 fs/open.c:1304
do_sys_open fs/open.c:1326 [inline]
__do_sys_openat fs/open.c:1342 [inline]
__se_sys_openat fs/open.c:1337 [inline]
__x64_sys_openat+0x243/0x290 fs/open.c:1337
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Memory state around the buggy address:
ffff888072a8cf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888072a8d000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888072a8d080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888072a8d100: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888072a8d180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================


Tested on:

commit: 1b929c02 Linux 6.2-rc1
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=14f8d622480000
kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=17f64086480000

syzbot

Jan 11, 2023, 7:06:18 AM1/11/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
possible deadlock in bh_get

============================================
WARNING: possible recursive locking detected
6.2.0-rc1-syzkaller-dirty #0 Not tainted
--------------------------------------------
syz-executor.0/5529 is trying to acquire lock:
ffff8880750e4ae0 (&sdp->sd_quota_mutex){+.+.}-{3:3}, at: bh_get+0x110/0x7c0 fs/gfs2/quota.c:377

but task is already holding lock:
ffff8880750e4ae0 (&sdp->sd_quota_mutex){+.+.}-{3:3}, at: gfs2_quota_sync+0x9b/0x8f0 fs/gfs2/quota.c:1306

other info that might help us debug this:
Possible unsafe locking scenario:

CPU0
----
lock(&sdp->sd_quota_mutex);
lock(&sdp->sd_quota_mutex);

*** DEADLOCK ***

May be due to missing lock nesting notation

3 locks held by syz-executor.0/5529:
#0: ffff888078f580e0 (&type->s_umount_key#50){+.+.}-{3:3}, at: deactivate_super+0x96/0xd0 fs/super.c:362
#1: ffff8880750e4ae0 (&sdp->sd_quota_mutex){+.+.}-{3:3}, at: gfs2_quota_sync+0x9b/0x8f0 fs/gfs2/quota.c:1306
#2: ffff8880750e4b70 (&sdp->sd_quota_sync_mutex){+.+.}-{3:3}, at: gfs2_quota_sync+0xae/0x8f0 fs/gfs2/quota.c:1307

stack backtrace:
CPU: 0 PID: 5529 Comm: syz-executor.0 Not tainted 6.2.0-rc1-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1b1/0x290 lib/dump_stack.c:106
print_deadlock_bug kernel/locking/lockdep.c:2990 [inline]
check_deadlock kernel/locking/lockdep.c:3033 [inline]
validate_chain+0x4843/0x6ae0 kernel/locking/lockdep.c:3818
__lock_acquire+0x1292/0x1f60 kernel/locking/lockdep.c:5055
lock_acquire+0x182/0x3c0 kernel/locking/lockdep.c:5668
__mutex_lock_common+0x1bd/0x26e0 kernel/locking/mutex.c:603
__mutex_lock kernel/locking/mutex.c:747 [inline]
mutex_lock_nested+0x17/0x20 kernel/locking/mutex.c:799
bh_get+0x110/0x7c0 fs/gfs2/quota.c:377
qd_fish fs/gfs2/quota.c:476 [inline]
gfs2_quota_sync+0x325/0x8f0 fs/gfs2/quota.c:1314
gfs2_sync_fs+0x49/0xb0 fs/gfs2/super.c:650
sync_filesystem+0xe8/0x220 fs/sync.c:56
generic_shutdown_super+0x6b/0x310 fs/super.c:474
kill_block_super+0x79/0xd0 fs/super.c:1386
deactivate_locked_super+0xa7/0xf0 fs/super.c:332
cleanup_mnt+0x494/0x520 fs/namespace.c:1291
task_work_run+0x243/0x300 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0x124/0x150 kernel/entry/common.c:171
exit_to_user_mode_prepare+0xb2/0x140 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:296
do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fef4068d517
Code: ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffa82dfa48 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007fef4068d517
RDX: 00007fffa82dfb19 RSI: 000000000000000a RDI: 00007fffa82dfb10
RBP: 00007fffa82dfb10 R08: 00000000ffffffff R09: 00007fffa82df8e0
R10: 0000555555f988b3 R11: 0000000000000246 R12: 00007fef406e6b24
R13: 00007fffa82e0bd0 R14: 0000555555f98810 R15: 00007fffa82e0c10
</TASK>


Tested on:

commit: 1b929c02 Linux 6.2-rc1
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=12a0c306480000
kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=1165ae1c480000

ead...@sina.com

Jan 11, 2023, 6:41:09 PM1/11/23
to syzbot+3f6a67...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
From: Edward Adam Davis <ead...@sina.com>

On Mon, 02 Jan 2023 13:20:44 -0800
> HEAD commit: 1b929c02afd3 Linux 6.2-rc1
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1799c250480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
> dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
> compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14c4ea18480000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1359b338480000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/2d8c5072480f/disk-1b929c02.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/46687f1395db/vmlinux-1b929c02.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/26f1afa5ec00/bzImage-1b929c02.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/35edd581b491/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+3f6a67...@syzkaller.appspotmail.com

syzbot report:
BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:72 [inline]
BUG: KASAN: use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: use-after-free in qd_unlock+0x30/0x2d0 fs/gfs2/quota.c:490
Read of size 8 at addr ffff888073997090 by task syz-executor221/5069

Test 1b929c02afd3 uaf.

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 1b929c02afd3

--- a/fs/gfs2/quota.c
+++ b/fs/gfs2/quota.c
@@ -117,6 +117,7 @@ static void gfs2_qd_dispose(struct list_head *list)
while (!list_empty(list)) {
qd = list_first_entry(list, struct gfs2_quota_data, qd_lru);
sdp = qd->qd_gl->gl_name.ln_sbd;
+ mutex_lock(&sdp->sd_quota_sync_mutex);

list_del(&qd->qd_lru);

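Review bot: switching the dispose loop to sd_quota_sync_mutex leaves the same gap as the sd_quota_mutex version. The earlier KASAN result in this thread shows the freeing call_rcu() issued from gfs2_quota_cleanup (fs/gfs2/quota.c:1481), not from gfs2_qd_dispose(), with the free itself running from the RCU callback in rcu_do_batch; neither is serialized by a mutex taken here, so gfs2_quota_sync can still be handed a freed qd. gfs2_quota_sync holds sd_quota_sync_mutex across its whole loop (quota.c:1307 in the lockdep output), so this also self-deadlocks if gfs2_qd_dispose() is ever reached from a task already inside a sync. The entries a sync is working on need a reference for the duration of the sync rather than another lock around disposal.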
@@ -138,6 +139,7 @@ static void gfs2_qd_dispose(struct list_head *list)

/* Delete it from the common reclaim list */
call_rcu(&qd->qd_rcu, gfs2_qd_dealloc);
+ mutex_unlock(&sdp->sd_quota_sync_mutex);
}
}

syzbot

Jan 12, 2023, 3:59:21 AM1/12/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in qd_unlock

==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:72 [inline]
BUG: KASAN: use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: use-after-free in qd_unlock+0x30/0x2d0 fs/gfs2/quota.c:492
Read of size 8 at addr ffff888072eee090 by task syz-executor.0/5541

CPU: 0 PID: 5541 Comm: syz-executor.0 Not tainted 6.2.0-rc1-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1b1/0x290 lib/dump_stack.c:106
print_address_description+0x74/0x340 mm/kasan/report.c:306
print_report+0x107/0x1f0 mm/kasan/report.c:417
kasan_report+0xcd/0x100 mm/kasan/report.c:517
kasan_check_range+0x2a7/0x2e0 mm/kasan/generic.c:189
instrument_atomic_read include/linux/instrumented.h:72 [inline]
_test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
qd_unlock+0x30/0x2d0 fs/gfs2/quota.c:492
gfs2_quota_sync+0x768/0x8b0 fs/gfs2/quota.c:1327
gfs2_sync_fs+0x49/0xb0 fs/gfs2/super.c:650
sync_filesystem+0xe8/0x220 fs/sync.c:56
generic_shutdown_super+0x6b/0x310 fs/super.c:474
kill_block_super+0x79/0xd0 fs/super.c:1386
deactivate_locked_super+0xa7/0xf0 fs/super.c:332
cleanup_mnt+0x494/0x520 fs/namespace.c:1291
task_work_run+0x243/0x300 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0x124/0x150 kernel/entry/common.c:171
exit_to_user_mode_prepare+0xb2/0x140 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:296
do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f4262e8d517
Code: ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff7ed62468 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f4262e8d517
RDX: 00007fff7ed62539 RSI: 000000000000000a RDI: 00007fff7ed62530
RBP: 00007fff7ed62530 R08: 00000000ffffffff R09: 00007fff7ed62300
R10: 0000555555c988b3 R11: 0000000000000246 R12: 00007f4262ee6b24
R13: 00007fff7ed635f0 R14: 0000555555c98810 R15: 00007fff7ed63630
</TASK>

Allocated by task 5643:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x3d/0x60 mm/kasan/common.c:52
__kasan_slab_alloc+0x65/0x70 mm/kasan/common.c:325
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slab.h:761 [inline]
slab_alloc_node mm/slub.c:3452 [inline]
slab_alloc mm/slub.c:3460 [inline]
__kmem_cache_alloc_lru mm/slub.c:3467 [inline]
kmem_cache_alloc+0x1b3/0x350 mm/slub.c:3476
kmem_cache_zalloc include/linux/slab.h:710 [inline]
qd_alloc+0x51/0x250 fs/gfs2/quota.c:218
gfs2_quota_init+0x7c4/0x10e0 fs/gfs2/quota.c:1417
gfs2_make_fs_rw+0x48e/0x590 fs/gfs2/super.c:153
gfs2_fill_super+0x2357/0x2700 fs/gfs2/ops_fstype.c:1274
get_tree_bdev+0x400/0x620 fs/super.c:1282
gfs2_get_tree+0x50/0x210 fs/gfs2/ops_fstype.c:1330
vfs_get_tree+0x88/0x270 fs/super.c:1489
do_new_mount+0x289/0xad0 fs/namespace.c:3145
do_mount fs/namespace.c:3488 [inline]
__do_sys_mount fs/namespace.c:3697 [inline]
__se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3674
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 21:
gfs2_sync_fs+0x49/0xb0 fs/gfs2/super.c:650
sync_filesystem+0xe8/0x220 fs/sync.c:56
generic_shutdown_super+0x6b/0x310 fs/super.c:474
kill_block_super+0x79/0xd0 fs/super.c:1386
deactivate_locked_super+0xa7/0xf0 fs/super.c:332
cleanup_mnt+0x494/0x520 fs/namespace.c:1291
task_work_run+0x243/0x300 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0x124/0x150 kernel/entry/common.c:171
exit_to_user_mode_prepare+0xb2/0x140 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:296
do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff888072eee000
which belongs to the cache gfs2_quotad of size 272
The buggy address is located 144 bytes inside of
272-byte region [ffff888072eee000, ffff888072eee110)

The buggy address belongs to the physical page:
page:ffffea0001cbbb80 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x72eee
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffff8881461448c0 dead000000000122 0000000000000000
raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Reclaimable, gfp_mask 0x112c50(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 5643, tgid 5642 (syz-executor.0), ts 79105278630, free_ts 77434449998
prep_new_page mm/page_alloc.c:2531 [inline]
get_page_from_freelist+0x742/0x7c0 mm/page_alloc.c:4283
__alloc_pages+0x259/0x560 mm/page_alloc.c:5549
alloc_slab_page+0xbd/0x190 mm/slub.c:1851
allocate_slab+0x5e/0x3c0 mm/slub.c:1998
new_slab mm/slub.c:2051 [inline]
___slab_alloc+0x782/0xe20 mm/slub.c:3193
__slab_alloc mm/slub.c:3292 [inline]
__slab_alloc_node mm/slub.c:3345 [inline]
slab_alloc_node mm/slub.c:3442 [inline]
slab_alloc mm/slub.c:3460 [inline]
__kmem_cache_alloc_lru mm/slub.c:3467 [inline]
kmem_cache_alloc+0x268/0x350 mm/slub.c:3476
kmem_cache_zalloc include/linux/slab.h:710 [inline]
qd_alloc+0x51/0x250 fs/gfs2/quota.c:218
__kmem_cache_alloc_node+0x1e0/0x340 mm/slub.c:3491
kmalloc_trace+0x26/0x60 mm/slab_common.c:1062
kmalloc include/linux/slab.h:580 [inline]
kzalloc include/linux/slab.h:720 [inline]
ext4_htree_create_dir_info fs/ext4/dir.c:438 [inline]
ext4_dx_readdir fs/ext4/dir.c:556 [inline]
ext4_readdir+0x1edb/0x3800 fs/ext4/dir.c:142
iterate_dir+0x257/0x5f0
__do_sys_getdents64 fs/readdir.c:369 [inline]
__se_sys_getdents64+0x1db/0x4c0 fs/readdir.c:354
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Memory state around the buggy address:
ffff888072eedf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888072eee000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888072eee080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888072eee100: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888072eee180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================


Tested on:

commit: 1b929c02 Linux 6.2-rc1
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=16ab66a1480000
kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=12c52486480000

ead...@sina.com

Jan 12, 2023, 5:30:20 AM1/12/23
to syzbot+3f6a67...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
From: Edward Adam Davis <ead...@sina.com>

On Mon, 02 Jan 2023 13:20:44 -0800
> HEAD commit: 1b929c02afd3 Linux 6.2-rc1
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1799c250480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
> dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
> compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14c4ea18480000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1359b338480000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/2d8c5072480f/disk-1b929c02.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/46687f1395db/vmlinux-1b929c02.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/26f1afa5ec00/bzImage-1b929c02.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/35edd581b491/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+3f6a67...@syzkaller.appspotmail.com

syzbot report:
BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:72 [inline]
BUG: KASAN: use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: use-after-free in qd_unlock+0x30/0x2d0 fs/gfs2/quota.c:490
Read of size 8 at addr ffff888073997090 by task syz-executor221/5069

Test 1b929c02afd3 uaf.

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 1b929c02afd3

--- a/fs/gfs2/quota.c
+++ b/fs/gfs2/quota.c
@@ -1448,6 +1448,7 @@ int gfs2_quota_init(struct gfs2_sbd *sdp)

fail:
gfs2_quota_cleanup(sdp);
+ sdp = NULL;
return error;
}
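
Review bot: `sdp = NULL;` on the `fail:` path assigns a local pointer that is never read again (the next line is `return error;`), so the change is a no-op and cannot influence the use-after-free. The object KASAN reports is a `struct gfs2_quota_data` from the `gfs2_quotad` cache, read by `qd_unlock()` from `gfs2_quota_sync()` on the unmount path, whereas the `gfs2_quota_init()` error path in this hunk is the mount-time allocation side; a fix has to keep the quota data objects alive, or drop them from the sync loop, until `gfs2_quota_sync()` is done with them, not clear a caller-local variable.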

syzbot

Jan 12, 2023, 1:02:25 PM1/12/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in qd_unlock

RBP: 00007ffd476b3f80 R08: 00000000ffffffff R09: 00007ffd476b3d50
R10: 00005555569498b3 R11: 0000000000000246 R12: 00007fa664ce6b24
R13: 00007ffd476b5040 R14: 0000555556949810 R15: 00007ffd476b5080
</TASK>
==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:72 [inline]
BUG: KASAN: use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: use-after-free in qd_unlock+0x30/0x2d0 fs/gfs2/quota.c:490
Read of size 8 at addr ffff8880732e5090 by task syz-executor.0/5539

CPU: 0 PID: 5539 Comm: syz-executor.0 Not tainted 6.2.0-rc1-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1b1/0x290 lib/dump_stack.c:106
print_address_description+0x74/0x340 mm/kasan/report.c:306
print_report+0x107/0x1f0 mm/kasan/report.c:417
kasan_report+0xcd/0x100 mm/kasan/report.c:517
kasan_check_range+0x2a7/0x2e0 mm/kasan/generic.c:189
instrument_atomic_read include/linux/instrumented.h:72 [inline]
_test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
qd_unlock+0x30/0x2d0 fs/gfs2/quota.c:490
gfs2_quota_sync+0x768/0x8b0 fs/gfs2/quota.c:1325
gfs2_sync_fs+0x49/0xb0 fs/gfs2/super.c:650
sync_filesystem+0xe8/0x220 fs/sync.c:56
generic_shutdown_super+0x6b/0x310 fs/super.c:474
kill_block_super+0x79/0xd0 fs/super.c:1386
deactivate_locked_super+0xa7/0xf0 fs/super.c:332
cleanup_mnt+0x494/0x520 fs/namespace.c:1291
task_work_run+0x243/0x300 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0x124/0x150 kernel/entry/common.c:171
exit_to_user_mode_prepare+0xb2/0x140 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:296
do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fa664c8d517
Code: ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd476b3eb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007fa664c8d517
RDX: 00007ffd476b3f89 RSI: 000000000000000a RDI: 00007ffd476b3f80
RBP: 00007ffd476b3f80 R08: 00000000ffffffff R09: 00007ffd476b3d50
R10: 00005555569498b3 R11: 0000000000000246 R12: 00007fa664ce6b24
R13: 00007ffd476b5040 R14: 0000555556949810 R15: 00007ffd476b5080
</TASK>

Allocated by task 5596:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x3d/0x60 mm/kasan/common.c:52
__kasan_slab_alloc+0x65/0x70 mm/kasan/common.c:325
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slab.h:761 [inline]
slab_alloc_node mm/slub.c:3452 [inline]
slab_alloc mm/slub.c:3460 [inline]
__kmem_cache_alloc_lru mm/slub.c:3467 [inline]
kmem_cache_alloc+0x1b3/0x350 mm/slub.c:3476
kmem_cache_zalloc include/linux/slab.h:710 [inline]
qd_alloc+0x51/0x250 fs/gfs2/quota.c:216
gfs2_quota_init+0x7c4/0x10e0 fs/gfs2/quota.c:1415
gfs2_make_fs_rw+0x48e/0x590 fs/gfs2/super.c:153
gfs2_fill_super+0x2357/0x2700 fs/gfs2/ops_fstype.c:1274
get_tree_bdev+0x400/0x620 fs/super.c:1282
gfs2_get_tree+0x50/0x210 fs/gfs2/ops_fstype.c:1330
vfs_get_tree+0x88/0x270 fs/super.c:1489
do_new_mount+0x289/0xad0 fs/namespace.c:3145
do_mount fs/namespace.c:3488 [inline]
__do_sys_mount fs/namespace.c:3697 [inline]
__se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3674
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 7:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x3d/0x60 mm/kasan/common.c:52
kasan_save_free_info+0x27/0x40 mm/kasan/generic.c:518
____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236
kasan_slab_free include/linux/kasan.h:177 [inline]
slab_free_hook mm/slub.c:1781 [inline]
slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1807
slab_free mm/slub.c:3787 [inline]
kmem_cache_free+0x94/0x1d0 mm/slub.c:3809
rcu_do_batch kernel/rcu/tree.c:2246 [inline]
rcu_core+0x9c1/0x1690 kernel/rcu/tree.c:2506
__do_softirq+0x277/0x738 kernel/softirq.c:571

Last potentially related work creation:
kasan_save_stack+0x2b/0x50 mm/kasan/common.c:45
__kasan_record_aux_stack+0xb0/0xc0 mm/kasan/generic.c:488
__call_rcu_common kernel/rcu/tree.c:2755 [inline]
call_rcu+0x163/0xa70 kernel/rcu/tree.c:2868
gfs2_quota_cleanup+0x457/0x6b0 fs/gfs2/quota.c:1480
gfs2_make_fs_ro+0x517/0x610 fs/gfs2/super.c:560
signal_our_withdraw fs/gfs2/util.c:166 [inline]
gfs2_withdraw+0x609/0x1540 fs/gfs2/util.c:351
gfs2_dinode_in fs/gfs2/glops.c:460 [inline]
gfs2_inode_refresh+0xb2d/0xf60 fs/gfs2/glops.c:480
gfs2_instantiate+0x15e/0x220 fs/gfs2/glock.c:456
gfs2_glock_holder_ready fs/gfs2/glock.c:1299 [inline]
gfs2_glock_wait+0x1d9/0x2a0 fs/gfs2/glock.c:1319
gfs2_glock_nq_init fs/gfs2/glock.h:262 [inline]
do_sync+0x485/0xc80 fs/gfs2/quota.c:916
gfs2_quota_sync+0x3da/0x8b0 fs/gfs2/quota.c:1318
gfs2_sync_fs+0x49/0xb0 fs/gfs2/super.c:650
sync_filesystem+0xe8/0x220 fs/sync.c:56
generic_shutdown_super+0x6b/0x310 fs/super.c:474
kill_block_super+0x79/0xd0 fs/super.c:1386
deactivate_locked_super+0xa7/0xf0 fs/super.c:332
cleanup_mnt+0x494/0x520 fs/namespace.c:1291
task_work_run+0x243/0x300 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0x124/0x150 kernel/entry/common.c:171
exit_to_user_mode_prepare+0xb2/0x140 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:296
do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff8880732e5000
which belongs to the cache gfs2_quotad of size 272
The buggy address is located 144 bytes inside of
272-byte region [ffff8880732e5000, ffff8880732e5110)

The buggy address belongs to the physical page:
page:ffffea0001ccb940 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x732e5
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffff88801c4213c0 dead000000000122 0000000000000000
raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Reclaimable, gfp_mask 0x112c50(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 5596, tgid 5595 (syz-executor.0), ts 78220417177, free_ts 78158756508
prep_new_page mm/page_alloc.c:2531 [inline]
get_page_from_freelist+0x742/0x7c0 mm/page_alloc.c:4283
__alloc_pages+0x259/0x560 mm/page_alloc.c:5549
alloc_slab_page+0xbd/0x190 mm/slub.c:1851
allocate_slab+0x5e/0x3c0 mm/slub.c:1998
new_slab mm/slub.c:2051 [inline]
___slab_alloc+0x782/0xe20 mm/slub.c:3193
__slab_alloc mm/slub.c:3292 [inline]
__slab_alloc_node mm/slub.c:3345 [inline]
slab_alloc_node mm/slub.c:3442 [inline]
slab_alloc mm/slub.c:3460 [inline]
__kmem_cache_alloc_lru mm/slub.c:3467 [inline]
kmem_cache_alloc+0x268/0x350 mm/slub.c:3476
kmem_cache_zalloc include/linux/slab.h:710 [inline]
qd_alloc+0x51/0x250 fs/gfs2/quota.c:216
gfs2_quota_init+0x7c4/0x10e0 fs/gfs2/quota.c:1415
slab_alloc mm/slub.c:3460 [inline]
__kmem_cache_alloc_lru mm/slub.c:3467 [inline]
kmem_cache_alloc+0x1b3/0x350 mm/slub.c:3476
getname_flags+0xb8/0x4e0 fs/namei.c:139
vfs_fstatat fs/stat.c:269 [inline]
__do_sys_newfstatat fs/stat.c:440 [inline]
__se_sys_newfstatat+0xcb/0x7d0 fs/stat.c:434
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Memory state around the buggy address:
ffff8880732e4f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8880732e5000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880732e5080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880732e5100: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8880732e5180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================


Tested on:

commit: 1b929c02 Linux 6.2-rc1
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=119ab516480000
kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=12648cee480000

ead...@sina.com

Jan 12, 2023, 5:04:13 PM1/12/23
to syzbot+3f6a67...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
From: Edward Adam Davis <ead...@sina.com>

On Mon, 02 Jan 2023 13:20:44 -0800
> HEAD commit: 1b929c02afd3 Linux 6.2-rc1
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1799c250480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
> dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
> compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14c4ea18480000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1359b338480000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/2d8c5072480f/disk-1b929c02.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/46687f1395db/vmlinux-1b929c02.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/26f1afa5ec00/bzImage-1b929c02.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/35edd581b491/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+3f6a67...@syzkaller.appspotmail.com

syzbot report:
BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:72 [inline]
BUG: KASAN: use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: use-after-free in qd_unlock+0x30/0x2d0 fs/gfs2/quota.c:490
Read of size 8 at addr ffff888073997090 by task syz-executor221/5069

Test 1b929c02afd3 uaf.

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 1b929c02afd3

--- a/fs/gfs2/quota.c
+++ b/fs/gfs2/quota.c
@@ -487,6 +487,7 @@ static int qd_fish(struct gfs2_sbd *sdp, struct gfs2_quota_data **qdp)

static void qd_unlock(struct gfs2_quota_data *qd)
{
+ BUG_ON(IS_ERR((char*)qd + sizeof(struct gfs2_quota_data) - 1));
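
Review bot: `IS_ERR()` only recognises the small range of error-encoded pointers (`-MAX_ERRNO` up to `-1`), so `BUG_ON(IS_ERR((char*)qd + sizeof(struct gfs2_quota_data) - 1))` can never fire on a freed slab object: `qd` remains a valid kernel address after `kmem_cache_free()`, which is exactly what KASAN reports (`Read of size 8` inside the 272-byte `gfs2_quotad` region). A check at the top of `qd_unlock()` does not address the lifetime bug; the syzbot result above shows the object being released by `gfs2_quota_cleanup()` through `call_rcu()` (the "Last potentially related work creation" stack, reached from `do_sync()` via `gfs2_withdraw()`) while `gfs2_quota_sync()` still holds pointers to it, so the ordering between cleanup and the sync loop is what needs fixing.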

ead...@sina.com

Jan 12, 2023, 5:59:48 PM1/12/23
to syzbot+3f6a67...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
From: Edward Adam Davis <ead...@sina.com>

On Mon, 02 Jan 2023 13:20:44 -0800
> HEAD commit: 1b929c02afd3 Linux 6.2-rc1
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1799c250480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
> dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
> compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14c4ea18480000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1359b338480000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/2d8c5072480f/disk-1b929c02.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/46687f1395db/vmlinux-1b929c02.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/26f1afa5ec00/bzImage-1b929c02.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/35edd581b491/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+3f6a67...@syzkaller.appspotmail.com

syzbot report:
BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:72 [inline]
BUG: KASAN: use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: use-after-free in qd_unlock+0x30/0x2d0 fs/gfs2/quota.c:490
Read of size 8 at addr ffff888073997090 by task syz-executor221/5069

Test 1b929c02afd3 uaf.

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 1b929c02afd3

--- a/fs/gfs2/quota.c
+++ b/fs/gfs2/quota.c
@@ -106,6 +106,7 @@ static inline void spin_unlock_bucket(unsigned int hash)
static void gfs2_qd_dealloc(struct rcu_head *rcu)
{
struct gfs2_quota_data *qd = container_of(rcu, struct gfs2_quota_data, qd_rcu);
+ lockref_mark_dead(&qd->qd_lockref);
kmem_cache_free(gfs2_quotad_cachep, qd);
}
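
Review bot: `lockref_mark_dead()` asserts that the lockref's spinlock is held (`assert_spin_locked()` in lib/lockref.c), and `gfs2_qd_dealloc()` runs as an RCU callback with no lock taken, so this line hits a kernel BUG instead of marking the object dead; the test result below (`kernel BUG at lib/lockref.c:163!` in `lockref_mark_dead` called from `gfs2_qd_dealloc`) shows exactly that. Even with the lock taken, marking `qd_lockref` dead immediately before `kmem_cache_free()` does not help a caller that already holds `qd` and dereferences it afterwards, which is what the `qd_unlock()` report shows; the fix belongs where the object is released while still in use, i.e. in how `gfs2_quota_cleanup()` and `gfs2_quota_sync()` coordinate, not in the RCU callback.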

@@ -487,6 +488,7 @@ static int qd_fish(struct gfs2_sbd *sdp, struct gfs2_quota_data **qdp)

syzbot

Jan 12, 2023, 11:42:17 PM1/12/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in qd_unlock

RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f60d0e8d517
RDX: 00007fff452645f9 RSI: 000000000000000a RDI: 00007fff452645f0
RBP: 00007fff452645f0 R08: 00000000ffffffff R09: 00007fff452643c0
R10: 00005555557138b3 R11: 0000000000000246 R12: 00007f60d0ee6b24
R13: 00007fff452656b0 R14: 0000555555713810 R15: 00007fff452656f0
</TASK>
==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:72 [inline]
BUG: KASAN: use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: use-after-free in qd_unlock+0x43/0x2f0 fs/gfs2/quota.c:491
Read of size 8 at addr ffff888072eda090 by task syz-executor.0/5532

CPU: 1 PID: 5532 Comm: syz-executor.0 Not tainted 6.2.0-rc1-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1b1/0x290 lib/dump_stack.c:106
print_address_description+0x74/0x340 mm/kasan/report.c:306
print_report+0x107/0x1f0 mm/kasan/report.c:417
kasan_report+0xcd/0x100 mm/kasan/report.c:517
kasan_check_range+0x2a7/0x2e0 mm/kasan/generic.c:189
instrument_atomic_read include/linux/instrumented.h:72 [inline]
_test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
qd_unlock+0x43/0x2f0 fs/gfs2/quota.c:491
gfs2_quota_sync+0x768/0x8b0 fs/gfs2/quota.c:1326
gfs2_sync_fs+0x49/0xb0 fs/gfs2/super.c:650
sync_filesystem+0xe8/0x220 fs/sync.c:56
generic_shutdown_super+0x6b/0x310 fs/super.c:474
kill_block_super+0x79/0xd0 fs/super.c:1386
deactivate_locked_super+0xa7/0xf0 fs/super.c:332
cleanup_mnt+0x494/0x520 fs/namespace.c:1291
task_work_run+0x243/0x300 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0x124/0x150 kernel/entry/common.c:171
exit_to_user_mode_prepare+0xb2/0x140 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:296
do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f60d0e8d517
Code: ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff45264528 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f60d0e8d517
RDX: 00007fff452645f9 RSI: 000000000000000a RDI: 00007fff452645f0
RBP: 00007fff452645f0 R08: 00000000ffffffff R09: 00007fff452643c0
R10: 00005555557138b3 R11: 0000000000000246 R12: 00007f60d0ee6b24
R13: 00007fff452656b0 R14: 0000555555713810 R15: 00007fff452656f0
</TASK>

Allocated by task 5595:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x3d/0x60 mm/kasan/common.c:52
__kasan_slab_alloc+0x65/0x70 mm/kasan/common.c:325
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slab.h:761 [inline]
slab_alloc_node mm/slub.c:3452 [inline]
slab_alloc mm/slub.c:3460 [inline]
__kmem_cache_alloc_lru mm/slub.c:3467 [inline]
kmem_cache_alloc+0x1b3/0x350 mm/slub.c:3476
kmem_cache_zalloc include/linux/slab.h:710 [inline]
qd_alloc+0x51/0x250 fs/gfs2/quota.c:216
gfs2_quota_init+0x7c4/0x10e0 fs/gfs2/quota.c:1416
gfs2_make_fs_rw+0x48e/0x590 fs/gfs2/super.c:153
gfs2_fill_super+0x2357/0x2700 fs/gfs2/ops_fstype.c:1274
get_tree_bdev+0x400/0x620 fs/super.c:1282
gfs2_get_tree+0x50/0x210 fs/gfs2/ops_fstype.c:1330
vfs_get_tree+0x88/0x270 fs/super.c:1489
do_new_mount+0x289/0xad0 fs/namespace.c:3145
do_mount fs/namespace.c:3488 [inline]
__do_sys_mount fs/namespace.c:3697 [inline]
__se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3674
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 15:
do_sync+0x485/0xc80 fs/gfs2/quota.c:917
gfs2_quota_sync+0x3da/0x8b0 fs/gfs2/quota.c:1319
gfs2_sync_fs+0x49/0xb0 fs/gfs2/super.c:650
sync_filesystem+0xe8/0x220 fs/sync.c:56
generic_shutdown_super+0x6b/0x310 fs/super.c:474
kill_block_super+0x79/0xd0 fs/super.c:1386
deactivate_locked_super+0xa7/0xf0 fs/super.c:332
cleanup_mnt+0x494/0x520 fs/namespace.c:1291
task_work_run+0x243/0x300 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0x124/0x150 kernel/entry/common.c:171
exit_to_user_mode_prepare+0xb2/0x140 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:296
do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff888072eda000
which belongs to the cache gfs2_quotad of size 272
The buggy address is located 144 bytes inside of
272-byte region [ffff888072eda000, ffff888072eda110)

The buggy address belongs to the physical page:
page:ffffea0001cbb680 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x72eda
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffff8880194e2dc0 dead000000000122 0000000000000000
raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Reclaimable, gfp_mask 0x112c50(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 5595, tgid 5594 (syz-executor.0), ts 80763567012, free_ts 80559789999
prep_new_page mm/page_alloc.c:2531 [inline]
get_page_from_freelist+0x742/0x7c0 mm/page_alloc.c:4283
__alloc_pages+0x259/0x560 mm/page_alloc.c:5549
alloc_slab_page+0xbd/0x190 mm/slub.c:1851
allocate_slab+0x5e/0x3c0 mm/slub.c:1998
new_slab mm/slub.c:2051 [inline]
___slab_alloc+0x782/0xe20 mm/slub.c:3193
__slab_alloc mm/slub.c:3292 [inline]
__slab_alloc_node mm/slub.c:3345 [inline]
slab_alloc_node mm/slub.c:3442 [inline]
slab_alloc mm/slub.c:3460 [inline]
__kmem_cache_alloc_lru mm/slub.c:3467 [inline]
kmem_cache_alloc+0x268/0x350 mm/slub.c:3476
kmem_cache_zalloc include/linux/slab.h:710 [inline]
qd_alloc+0x51/0x250 fs/gfs2/quota.c:216
gfs2_quota_init+0x7c4/0x10e0 fs/gfs2/quota.c:1416
mt_alloc_one lib/maple_tree.c:152 [inline]
mas_alloc_nodes+0x1fd/0x650 lib/maple_tree.c:1231
mas_node_count_gfp lib/maple_tree.c:1315 [inline]
mas_preallocate+0x133/0x340 lib/maple_tree.c:5724
__vma_adjust+0x865/0x21b0 mm/mmap.c:715
vma_adjust include/linux/mm.h:2793 [inline]
shift_arg_pages fs/exec.c:702 [inline]
setup_arg_pages+0x855/0xba0 fs/exec.c:831
load_elf_binary+0xba2/0x2830 fs/binfmt_elf.c:1013
search_binary_handler fs/exec.c:1735 [inline]
exec_binprm fs/exec.c:1777 [inline]
bprm_execve+0x8dc/0x1590 fs/exec.c:1851
do_execveat_common+0x598/0x750 fs/exec.c:1956
do_execve fs/exec.c:2030 [inline]
__do_sys_execve fs/exec.c:2106 [inline]
__se_sys_execve fs/exec.c:2101 [inline]
__x64_sys_execve+0x8e/0xa0 fs/exec.c:2101

Memory state around the buggy address:
ffff888072ed9f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888072eda000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888072eda080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888072eda100: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888072eda180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================


Tested on:

commit: 1b929c02 Linux 6.2-rc1
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1506b516480000
kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=12f57581480000

syzbot

Jan 13, 2023, 12:01:19 AM1/13/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
kernel BUG in lockref_mark_dead

------------[ cut here ]------------
kernel BUG at lib/lockref.c:163!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 21 Comm: ksoftirqd/1 Not tainted 6.2.0-rc1-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
RIP: 0010:lockref_mark_dead+0x95/0xa0 lib/lockref.c:163
Code: 03 38 c1 7c c2 48 89 df e8 48 a0 a6 fd eb b8 89 d9 80 e1 07 80 c1 03 38 c1 7c d3 48 89 df e8 a2 a0 a6 fd eb c9 e8 5b f8 50 fd <0f> 0b 66 0f 1f 84 00 00 00 00 00 55 41 57 41 56 41 54 53 49 89 fe
RSP: 0018:ffffc900001b7a88 EFLAGS: 00010246
RAX: ffffffff843ae315 RBX: ffff888072b6c030 RCX: ffff888012a89d40
RDX: 0000000080000100 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffffffff843ae2bd R09: ffffed100e56d807
R10: ffffed100e56d807 R11: 1ffff1100e56d806 R12: ffff888072b6c108
R13: ffff888012a89d40 R14: dffffc0000000000 R15: ffffffff83bfd0a0
FS: 0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055d6062d6000 CR3: 0000000021885000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
gfs2_qd_dealloc+0x21/0x60 fs/gfs2/quota.c:109
rcu_do_batch kernel/rcu/tree.c:2246 [inline]
rcu_core+0x9c1/0x1690 kernel/rcu/tree.c:2506
__do_softirq+0x277/0x738 kernel/softirq.c:571
run_ksoftirqd+0xa2/0x100 kernel/softirq.c:934
smpboot_thread_fn+0x533/0xa10 kernel/smpboot.c:164
kthread+0x266/0x300 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:lockref_mark_dead+0x95/0xa0 lib/lockref.c:163
Code: 03 38 c1 7c c2 48 89 df e8 48 a0 a6 fd eb b8 89 d9 80 e1 07 80 c1 03 38 c1 7c d3 48 89 df e8 a2 a0 a6 fd eb c9 e8 5b f8 50 fd <0f> 0b 66 0f 1f 84 00 00 00 00 00 55 41 57 41 56 41 54 53 49 89 fe
RSP: 0018:ffffc900001b7a88 EFLAGS: 00010246

RAX: ffffffff843ae315 RBX: ffff888072b6c030 RCX: ffff888012a89d40
RDX: 0000000080000100 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffffffff843ae2bd R09: ffffed100e56d807
R10: ffffed100e56d807 R11: 1ffff1100e56d806 R12: ffff888072b6c108
R13: ffff888012a89d40 R14: dffffc0000000000 R15: ffffffff83bfd0a0
FS: 0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055d6062d6000 CR3: 0000000021885000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


Tested on:

commit: 1b929c02 Linux 6.2-rc1
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=16cd8fbe480000
kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=17519ca6480000

ead...@sina.com

Jan 14, 2023, 9:12:12 PM1/14/23
to syzbot+3f6a67...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
From: Edward Adam Davis <ead...@sina.com>

On Mon, 02 Jan 2023 13:20:44 -0800
> HEAD commit: 1b929c02afd3 Linux 6.2-rc1
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1799c250480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
> dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
> compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14c4ea18480000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1359b338480000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/2d8c5072480f/disk-1b929c02.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/46687f1395db/vmlinux-1b929c02.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/26f1afa5ec00/bzImage-1b929c02.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/35edd581b491/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+3f6a67...@syzkaller.appspotmail.com

syzbot report:
BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:72 [inline]
BUG: KASAN: use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: use-after-free in qd_unlock+0x30/0x2d0 fs/gfs2/quota.c:490
Read of size 8 at addr ffff888073997090 by task syz-executor221/5069

Test 1b929c02afd3 uaf.

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 1b929c02afd3

--- a/fs/gfs2/quota.c
+++ b/fs/gfs2/quota.c
@@ -106,6 +106,9 @@ static inline void spin_unlock_bucket(unsigned int hash)
static void gfs2_qd_dealloc(struct rcu_head *rcu)
{
struct gfs2_quota_data *qd = container_of(rcu, struct gfs2_quota_data, qd_rcu);
+ spin_lock(&qd->qd_lockref.lock);
+ qd->qd_lockref.count = -128;
+ spin_unlock(&qd->qd_lockref.lock);
kmem_cache_free(gfs2_quotad_cachep, qd);
}

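Review bot: the spin_lock(&qd->qd_lockref.lock) added at the top of gfs2_qd_dealloc() runs in an RCU callback, i.e. in softirq context, while the same lock is taken with a plain spin_lock() from process context elsewhere (the lockdep trace below shows qd_check_sync() -> lockref_get_not_dead()), so this introduces a SOFTIRQ-ON-W -> IN-SOFTIRQ-W inconsistency rather than a fix. More fundamentally, storing qd->qd_lockref.count = -128 immediately before kmem_cache_free(gfs2_quotad_cachep, qd) cannot help the reported use-after-free: the faulting access is a test_bit() read in qd_unlock() on an object that has already been freed, and a store that precedes the free is gone once the allocator reuses the memory. The fix has to keep the qd alive until gfs2_quota_sync() is done calling qd_unlock() on it, not poison the object on its way out.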
@@ -487,6 +490,7 @@ static int qd_fish(struct gfs2_sbd *sdp, struct gfs2_quota_data **qdp)

ead...@sina.com

Jan 14, 2023, 9:12:48 PM1/14/23
to syzbot+3f6a67...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
@@ -106,6 +106,7 @@ static inline void spin_unlock_bucket(unsigned int hash)
static void gfs2_qd_dealloc(struct rcu_head *rcu)
{
struct gfs2_quota_data *qd = container_of(rcu, struct gfs2_quota_data, qd_rcu);
+ qd->qd_lockref.count = -128;
kmem_cache_free(gfs2_quotad_cachep, qd);
}

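Review bot: dropping the spin_lock() removes the softirq/process-context lock inversion, but the remaining line, qd->qd_lockref.count = -128, still only writes into memory that kmem_cache_free() releases on the very next line, so it cannot change what the reader in qd_unlock() observes; the KASAN splat is a test_bit() read on the already-freed object, not a lockref access. An unlocked store to a lockref count is also not the documented way to mark a lockref dead (lockref_mark_dead() in lib/lockref.c expects the lock held, as the earlier trace in this thread hints). Please look instead at why gfs2_quota_sync() can still hold a qd pointer after gfs2_quota_cleanup() has queued the free via call_rcu().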
@@ -487,6 +488,7 @@ static int qd_fish(struct gfs2_sbd *sdp, struct gfs2_quota_data **qdp)

syzbot

Jan 15, 2023, 1:49:17 AM1/15/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
inconsistent lock state in gfs2_qd_dealloc

================================
WARNING: inconsistent lock state
6.2.0-rc1-syzkaller-dirty #0 Not tainted
--------------------------------
inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
ksoftirqd/0/15 [HC0[0]:SC1[1]:HE1:SE0] takes:
ffff888073f6a048 (&qd->qd_lockref.lock){+.?.}-{2:2}, at: spin_lock include/linux/spinlock.h:350 [inline]
ffff888073f6a048 (&qd->qd_lockref.lock){+.?.}-{2:2}, at: gfs2_qd_dealloc+0x1e/0xa0 fs/gfs2/quota.c:109
{SOFTIRQ-ON-W} state was registered at:
lock_acquire+0x182/0x3c0 kernel/locking/lockdep.c:5668
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:350 [inline]
lockref_get_not_dead+0x22/0xb0 lib/lockref.c:185
qd_check_sync+0x132/0x3f0 fs/gfs2/quota.c:444
qd_fish fs/gfs2/quota.c:467 [inline]
gfs2_quota_sync+0x202/0x8b0 fs/gfs2/quota.c:1313
gfs2_sync_fs+0x49/0xb0 fs/gfs2/super.c:650
sync_filesystem+0xe8/0x220 fs/sync.c:56
generic_shutdown_super+0x6b/0x310 fs/super.c:474
kill_block_super+0x79/0xd0 fs/super.c:1386
deactivate_locked_super+0xa7/0xf0 fs/super.c:332
cleanup_mnt+0x494/0x520 fs/namespace.c:1291
task_work_run+0x243/0x300 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0x124/0x150 kernel/entry/common.c:171
exit_to_user_mode_prepare+0xb2/0x140 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:296
do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
irq event stamp: 299328
hardirqs last enabled at (299328): [<ffffffff8aba538b>] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline]
hardirqs last enabled at (299328): [<ffffffff8aba538b>] _raw_spin_unlock_irqrestore+0x8b/0x120 kernel/locking/spinlock.c:194
hardirqs last disabled at (299327): [<ffffffff8aba511e>] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline]
hardirqs last disabled at (299327): [<ffffffff8aba511e>] _raw_spin_lock_irqsave+0x8e/0x100 kernel/locking/spinlock.c:162
softirqs last enabled at (299078): [<ffffffff81548f52>] run_ksoftirqd+0xa2/0x100 kernel/softirq.c:934
softirqs last disabled at (299083): [<ffffffff81548f52>] run_ksoftirqd+0xa2/0x100 kernel/softirq.c:934

other info that might help us debug this:
Possible unsafe locking scenario:

CPU0
----
lock(&qd->qd_lockref.lock);
<Interrupt>
lock(&qd->qd_lockref.lock);

*** DEADLOCK ***

1 lock held by ksoftirqd/0/15:
#0: ffffffff8d326d80 (rcu_callback){....}-{0:0}, at: rcu_lock_acquire+0x0/0x20

stack backtrace:
CPU: 0 PID: 15 Comm: ksoftirqd/0 Not tainted 6.2.0-rc1-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1b1/0x290 lib/dump_stack.c:106
print_usage_bug+0x8b4/0xba0 kernel/locking/lockdep.c:3963
mark_lock_irq+0xa7f/0xe60
mark_lock+0x21e/0x350 kernel/locking/lockdep.c:4634
__lock_acquire+0xb7d/0x1f60 kernel/locking/lockdep.c:5009
lock_acquire+0x182/0x3c0 kernel/locking/lockdep.c:5668
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:350 [inline]
gfs2_qd_dealloc+0x1e/0xa0 fs/gfs2/quota.c:109
rcu_do_batch kernel/rcu/tree.c:2246 [inline]
rcu_core+0x9c1/0x1690 kernel/rcu/tree.c:2506
__do_softirq+0x277/0x738 kernel/softirq.c:571
run_ksoftirqd+0xa2/0x100 kernel/softirq.c:934
smpboot_thread_fn+0x533/0xa10 kernel/smpboot.c:164
kthread+0x266/0x300 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
</TASK>


Tested on:

commit: 1b929c02 Linux 6.2-rc1
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=114bd6ee480000
kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=1700dc7e480000

syzbot

Jan 15, 2023, 2:06:30 AM1/15/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in qd_unlock

==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:72 [inline]
BUG: KASAN: use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: use-after-free in qd_unlock+0x43/0x2f0 fs/gfs2/quota.c:492
Read of size 8 at addr ffff8880733df090 by task syz-executor.0/5542

CPU: 1 PID: 5542 Comm: syz-executor.0 Not tainted 6.2.0-rc1-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1b1/0x290 lib/dump_stack.c:106
print_address_description+0x74/0x340 mm/kasan/report.c:306
print_report+0x107/0x1f0 mm/kasan/report.c:417
kasan_report+0xcd/0x100 mm/kasan/report.c:517
kasan_check_range+0x2a7/0x2e0 mm/kasan/generic.c:189
instrument_atomic_read include/linux/instrumented.h:72 [inline]
_test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
qd_unlock+0x43/0x2f0 fs/gfs2/quota.c:492
gfs2_quota_sync+0x768/0x8b0 fs/gfs2/quota.c:1327
gfs2_sync_fs+0x49/0xb0 fs/gfs2/super.c:650
sync_filesystem+0xe8/0x220 fs/sync.c:56
generic_shutdown_super+0x6b/0x310 fs/super.c:474
kill_block_super+0x79/0xd0 fs/super.c:1386
deactivate_locked_super+0xa7/0xf0 fs/super.c:332
cleanup_mnt+0x494/0x520 fs/namespace.c:1291
task_work_run+0x243/0x300 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0x124/0x150 kernel/entry/common.c:171
exit_to_user_mode_prepare+0xb2/0x140 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:296
do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
</TASK>

Allocated by task 5642:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x3d/0x60 mm/kasan/common.c:52
__kasan_slab_alloc+0x65/0x70 mm/kasan/common.c:325
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slab.h:761 [inline]
slab_alloc_node mm/slub.c:3452 [inline]
slab_alloc mm/slub.c:3460 [inline]
__kmem_cache_alloc_lru mm/slub.c:3467 [inline]
kmem_cache_alloc+0x1b3/0x350 mm/slub.c:3476
kmem_cache_zalloc include/linux/slab.h:710 [inline]
qd_alloc+0x51/0x250 fs/gfs2/quota.c:217
gfs2_quota_init+0x7c4/0x10e0 fs/gfs2/quota.c:1417
gfs2_make_fs_rw+0x48e/0x590 fs/gfs2/super.c:153
gfs2_fill_super+0x2357/0x2700 fs/gfs2/ops_fstype.c:1274
get_tree_bdev+0x400/0x620 fs/super.c:1282
gfs2_get_tree+0x50/0x210 fs/gfs2/ops_fstype.c:1330
vfs_get_tree+0x88/0x270 fs/super.c:1489
do_new_mount+0x289/0xad0 fs/namespace.c:3145
do_mount fs/namespace.c:3488 [inline]
__do_sys_mount fs/namespace.c:3697 [inline]
__se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3674
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 5542:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x3d/0x60 mm/kasan/common.c:52
kasan_save_free_info+0x27/0x40 mm/kasan/generic.c:518
____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236
kasan_slab_free include/linux/kasan.h:177 [inline]
slab_free_hook mm/slub.c:1781 [inline]
slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1807
slab_free mm/slub.c:3787 [inline]
kmem_cache_free+0x94/0x1d0 mm/slub.c:3809
rcu_do_batch kernel/rcu/tree.c:2246 [inline]
rcu_core+0x9c1/0x1690 kernel/rcu/tree.c:2506
__do_softirq+0x277/0x738 kernel/softirq.c:571

Last potentially related work creation:
kasan_save_stack+0x2b/0x50 mm/kasan/common.c:45
__kasan_record_aux_stack+0xb0/0xc0 mm/kasan/generic.c:488
__call_rcu_common kernel/rcu/tree.c:2755 [inline]
call_rcu+0x163/0xa70 kernel/rcu/tree.c:2868
gfs2_quota_cleanup+0x457/0x6b0 fs/gfs2/quota.c:1481
gfs2_make_fs_ro+0x517/0x610 fs/gfs2/super.c:560
signal_our_withdraw fs/gfs2/util.c:166 [inline]
gfs2_withdraw+0x609/0x1540 fs/gfs2/util.c:351
gfs2_dinode_in fs/gfs2/glops.c:460 [inline]
gfs2_inode_refresh+0xb2d/0xf60 fs/gfs2/glops.c:480
gfs2_instantiate+0x15e/0x220 fs/gfs2/glock.c:456
gfs2_glock_holder_ready fs/gfs2/glock.c:1299 [inline]
gfs2_glock_wait+0x1d9/0x2a0 fs/gfs2/glock.c:1319
gfs2_glock_nq_init fs/gfs2/glock.h:262 [inline]
do_sync+0x485/0xc80 fs/gfs2/quota.c:918
gfs2_quota_sync+0x3da/0x8b0 fs/gfs2/quota.c:1320
gfs2_sync_fs+0x49/0xb0 fs/gfs2/super.c:650
sync_filesystem+0xe8/0x220 fs/sync.c:56
generic_shutdown_super+0x6b/0x310 fs/super.c:474
kill_block_super+0x79/0xd0 fs/super.c:1386
deactivate_locked_super+0xa7/0xf0 fs/super.c:332
cleanup_mnt+0x494/0x520 fs/namespace.c:1291
task_work_run+0x243/0x300 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0x124/0x150 kernel/entry/common.c:171
exit_to_user_mode_prepare+0xb2/0x140 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:296
do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff8880733df000
which belongs to the cache gfs2_quotad of size 272
The buggy address is located 144 bytes inside of
272-byte region [ffff8880733df000, ffff8880733df110)

The buggy address belongs to the physical page:
page:ffffea0001ccf7c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x733df
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Reclaimable, gfp_mask 0x112c50(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 5642, tgid 5641 (syz-executor.0), ts 81451405314, free_ts 80310982859
prep_new_page mm/page_alloc.c:2531 [inline]
get_page_from_freelist+0x742/0x7c0 mm/page_alloc.c:4283
__alloc_pages+0x259/0x560 mm/page_alloc.c:5549
alloc_slab_page+0xbd/0x190 mm/slub.c:1851
allocate_slab+0x5e/0x3c0 mm/slub.c:1998
new_slab mm/slub.c:2051 [inline]
___slab_alloc+0x782/0xe20 mm/slub.c:3193
__slab_alloc mm/slub.c:3292 [inline]
__slab_alloc_node mm/slub.c:3345 [inline]
slab_alloc_node mm/slub.c:3442 [inline]
slab_alloc mm/slub.c:3460 [inline]
__kmem_cache_alloc_lru mm/slub.c:3467 [inline]
kmem_cache_alloc+0x268/0x350 mm/slub.c:3476
kmem_cache_zalloc include/linux/slab.h:710 [inline]
qd_alloc+0x51/0x250 fs/gfs2/quota.c:217
gfs2_quota_init+0x7c4/0x10e0 fs/gfs2/quota.c:1417
vm_area_alloc+0x20/0xe0 kernel/fork.c:458
mmap_region+0xd38/0x1e20 mm/mmap.c:2601
do_mmap+0x8d9/0xf30 mm/mmap.c:1411
vm_mmap_pgoff+0x19e/0x2b0 mm/util.c:520
ksys_mmap_pgoff+0x48c/0x6d0 mm/mmap.c:1457
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Memory state around the buggy address:
==================================================================


Tested on:

commit: 1b929c02 Linux 6.2-rc1
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1227f619480000
kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=158392a1480000

ead...@sina.com

Jan 21, 2023, 8:08:42 PM1/21/23
to syzbot+3f6a67...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
From: Edward Adam Davis <ead...@sina.com>

On Mon, 02 Jan 2023 13:20:44 -0800
> HEAD commit: 1b929c02afd3 Linux 6.2-rc1
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1799c250480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
> dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
> compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:72 [inline]
BUG: KASAN: use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: use-after-free in qd_unlock+0x30/0x2d0 fs/gfs2/quota.c:490
Read of size 8 at addr ffff888073997090 by task syz-executor221/5069

Test 1b929c02afd3 uaf.

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 1b929c02afd3

--- a/fs/gfs2/quota.c
+++ b/fs/gfs2/quota.c
@@ -106,6 +106,7 @@ static inline void spin_unlock_bucket(unsigned int hash)
static void gfs2_qd_dealloc(struct rcu_head *rcu)
{
struct gfs2_quota_data *qd = container_of(rcu, struct gfs2_quota_data, qd_rcu);
+ qd->qd_sbd = NULL;
kmem_cache_free(gfs2_quotad_cachep, qd);
}

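Review bot: qd->qd_sbd = NULL has the same flaw as the earlier count = -128 attempt: it is a store to memory that kmem_cache_free() releases on the next line, so a caller that dereferences qd after the free reads whatever the allocator or a new owner has put there, not NULL. The KASAN read is a test_bit() in qd_unlock(), which does not go through qd_sbd at all, and even where a field is consulted, NULL-ing it is no substitute for a reference that keeps the object alive. The allocation/free traces in this thread show the object freed by an RCU callback queued from gfs2_quota_cleanup() inside do_sync() -> gfs2_withdraw(), while the enclosing gfs2_quota_sync() loop still holds the qd and later calls qd_unlock() on it; that lifetime mismatch is what needs fixing, for example by ensuring cleanup cannot drop the reference the sync loop is relying on.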
syzbot

Jan 22, 2023, 3:37:27 AM1/22/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in qd_unlock

==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:72 [inline]
BUG: KASAN: use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: use-after-free in qd_unlock+0x30/0x2d0 fs/gfs2/quota.c:491
Read of size 8 at addr ffff888075a86090 by task syz-executor.0/5532

CPU: 0 PID: 5532 Comm: syz-executor.0 Not tainted 6.2.0-rc1-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1b1/0x290 lib/dump_stack.c:106
print_address_description+0x74/0x340 mm/kasan/report.c:306
print_report+0x107/0x1f0 mm/kasan/report.c:417
kasan_report+0xcd/0x100 mm/kasan/report.c:517
kasan_check_range+0x2a7/0x2e0 mm/kasan/generic.c:189
instrument_atomic_read include/linux/instrumented.h:72 [inline]
_test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
qd_unlock+0x30/0x2d0 fs/gfs2/quota.c:491
gfs2_quota_sync+0x768/0x8b0 fs/gfs2/quota.c:1326
gfs2_sync_fs+0x49/0xb0 fs/gfs2/super.c:650
sync_filesystem+0xe8/0x220 fs/sync.c:56
generic_shutdown_super+0x6b/0x310 fs/super.c:474
kill_block_super+0x79/0xd0 fs/super.c:1386
deactivate_locked_super+0xa7/0xf0 fs/super.c:332
cleanup_mnt+0x494/0x520 fs/namespace.c:1291
task_work_run+0x243/0x300 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0x124/0x150 kernel/entry/common.c:171
exit_to_user_mode_prepare+0xb2/0x140 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:296
do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
</TASK>

Allocated by task 5601:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x3d/0x60 mm/kasan/common.c:52
__kasan_slab_alloc+0x65/0x70 mm/kasan/common.c:325
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slab.h:761 [inline]
slab_alloc_node mm/slub.c:3452 [inline]
slab_alloc mm/slub.c:3460 [inline]
__kmem_cache_alloc_lru mm/slub.c:3467 [inline]
kmem_cache_alloc+0x1b3/0x350 mm/slub.c:3476
kmem_cache_zalloc include/linux/slab.h:710 [inline]
qd_alloc+0x51/0x250 fs/gfs2/quota.c:217
gfs2_quota_init+0x7c4/0x10e0 fs/gfs2/quota.c:1416
gfs2_make_fs_rw+0x48e/0x590 fs/gfs2/super.c:153
gfs2_fill_super+0x2357/0x2700 fs/gfs2/ops_fstype.c:1274
get_tree_bdev+0x400/0x620 fs/super.c:1282
gfs2_get_tree+0x50/0x210 fs/gfs2/ops_fstype.c:1330
vfs_get_tree+0x88/0x270 fs/super.c:1489
do_new_mount+0x289/0xad0 fs/namespace.c:3145
do_mount fs/namespace.c:3488 [inline]
__do_sys_mount fs/namespace.c:3697 [inline]
__se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3674
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 5628:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x3d/0x60 mm/kasan/common.c:52
kasan_save_free_info+0x27/0x40 mm/kasan/generic.c:518
____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236
kasan_slab_free include/linux/kasan.h:177 [inline]
slab_free_hook mm/slub.c:1781 [inline]
slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1807
slab_free mm/slub.c:3787 [inline]
kmem_cache_free+0x94/0x1d0 mm/slub.c:3809
rcu_do_batch kernel/rcu/tree.c:2246 [inline]
rcu_core+0x9c1/0x1690 kernel/rcu/tree.c:2506
__do_softirq+0x277/0x738 kernel/softirq.c:571

Last potentially related work creation:
kasan_save_stack+0x2b/0x50 mm/kasan/common.c:45
__kasan_record_aux_stack+0xb0/0xc0 mm/kasan/generic.c:488
__call_rcu_common kernel/rcu/tree.c:2755 [inline]
call_rcu+0x163/0xa70 kernel/rcu/tree.c:2868
gfs2_quota_cleanup+0x457/0x6b0 fs/gfs2/quota.c:1480
gfs2_make_fs_ro+0x517/0x610 fs/gfs2/super.c:560
signal_our_withdraw fs/gfs2/util.c:166 [inline]
gfs2_withdraw+0x609/0x1540 fs/gfs2/util.c:351
gfs2_dinode_in fs/gfs2/glops.c:460 [inline]
gfs2_inode_refresh+0xb2d/0xf60 fs/gfs2/glops.c:480
gfs2_instantiate+0x15e/0x220 fs/gfs2/glock.c:456
gfs2_glock_holder_ready fs/gfs2/glock.c:1299 [inline]
gfs2_glock_wait+0x1d9/0x2a0 fs/gfs2/glock.c:1319
gfs2_glock_nq_init fs/gfs2/glock.h:262 [inline]
do_sync+0x485/0xc80 fs/gfs2/quota.c:917
gfs2_quota_sync+0x3da/0x8b0 fs/gfs2/quota.c:1319
gfs2_sync_fs+0x49/0xb0 fs/gfs2/super.c:650
sync_filesystem+0xe8/0x220 fs/sync.c:56
generic_shutdown_super+0x6b/0x310 fs/super.c:474
kill_block_super+0x79/0xd0 fs/super.c:1386
deactivate_locked_super+0xa7/0xf0 fs/super.c:332
cleanup_mnt+0x494/0x520 fs/namespace.c:1291
task_work_run+0x243/0x300 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0x124/0x150 kernel/entry/common.c:171
exit_to_user_mode_prepare+0xb2/0x140 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:296
do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff888075a86000
which belongs to the cache gfs2_quotad of size 272
The buggy address is located 144 bytes inside of
272-byte region [ffff888075a86000, ffff888075a86110)

The buggy address belongs to the physical page:
page:ffffea0001d6a180 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x75a86
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Reclaimable, gfp_mask 0x112c50(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 5601, tgid 5599 (syz-executor.0), ts 81209929771, free_ts 80716307165
prep_new_page mm/page_alloc.c:2531 [inline]
get_page_from_freelist+0x742/0x7c0 mm/page_alloc.c:4283
__alloc_pages+0x259/0x560 mm/page_alloc.c:5549
alloc_slab_page+0xbd/0x190 mm/slub.c:1851
allocate_slab+0x5e/0x3c0 mm/slub.c:1998
new_slab mm/slub.c:2051 [inline]
___slab_alloc+0x782/0xe20 mm/slub.c:3193
__slab_alloc mm/slub.c:3292 [inline]
__slab_alloc_node mm/slub.c:3345 [inline]
slab_alloc_node mm/slub.c:3442 [inline]
slab_alloc mm/slub.c:3460 [inline]
__kmem_cache_alloc_lru mm/slub.c:3467 [inline]
kmem_cache_alloc+0x268/0x350 mm/slub.c:3476
kmem_cache_zalloc include/linux/slab.h:710 [inline]
qd_alloc+0x51/0x250 fs/gfs2/quota.c:217
gfs2_quota_init+0x7c4/0x10e0 fs/gfs2/quota.c:1416
ptlock_alloc+0x1c/0x60 mm/memory.c:5843
ptlock_init include/linux/mm.h:2466 [inline]
pgtable_pte_page_ctor include/linux/mm.h:2493 [inline]
__pte_alloc_one include/asm-generic/pgalloc.h:66 [inline]
pte_alloc_one+0xc3/0x320 arch/x86/mm/pgtable.c:33
__pte_alloc+0x75/0x220 mm/memory.c:421
do_anonymous_page+0xda9/0x10b0 mm/memory.c:4042
handle_pte_fault mm/memory.c:4929 [inline]
__handle_mm_fault mm/memory.c:5073 [inline]
handle_mm_fault+0x1610/0x26b0 mm/memory.c:5219
do_user_addr_fault+0x69b/0xcb0 arch/x86/mm/fault.c:1428
handle_page_fault arch/x86/mm/fault.c:1519 [inline]
exc_page_fault+0x7a/0x110 arch/x86/mm/fault.c:1575
asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:570

Memory state around the buggy address:
==================================================================


Tested on:

commit: 1b929c02 Linux 6.2-rc1
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=11cc0341480000
kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=15bfd539480000

ead...@sina.com

Jan 22, 2023, 8:55:39 AM1/22/23
to syzbot+3f6a67...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
From: Edward Adam Davis <ead...@sina.com>

On Mon, 02 Jan 2023 13:20:44 -0800
> HEAD commit: 1b929c02afd3 Linux 6.2-rc1
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1799c250480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
> dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
> compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:72 [inline]
BUG: KASAN: use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: use-after-free in qd_unlock+0x30/0x2d0 fs/gfs2/quota.c:490
Read of size 8 at addr ffff888073997090 by task syz-executor221/5069

Test 1b929c02afd3 uaf.

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 1b929c02afd3

--- a/fs/gfs2/quota.c
+++ b/fs/gfs2/quota.c
@@ -1457,6 +1457,7 @@ void gfs2_quota_cleanup(struct gfs2_sbd *sdp)
struct gfs2_quota_data *qd;

spin_lock(&qd_lock);
+ mutex_lock(&sdp->sd_quota_sync_mutex);
while (!list_empty(head)) {
qd = list_last_entry(head, struct gfs2_quota_data, qd_list);

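Review bot: mutex_lock(&sdp->sd_quota_sync_mutex) is taken immediately after spin_lock(&qd_lock), i.e. with a spinlock held, and a mutex may sleep, so this is a sleeping call in atomic context (the "BUG: sleeping function called from invalid context" report below is exactly that). Worse, on the path that reaches gfs2_quota_cleanup() here (gfs2_quota_sync() -> do_sync() -> gfs2_withdraw() -> gfs2_make_fs_ro()), gfs2_quota_sync() already holds sd_quota_sync_mutex (lock #1 in the held-locks list below), so this is a recursive acquisition of a non-recursive mutex and would deadlock even if the atomic-context problem were solved. If the intent is to serialise cleanup against sync, the mutex would have to be acquired before qd_lock, and the cleanup-triggered-from-within-sync case needs a different mechanism, since the withdraw happens while the same task is holding the sync mutex.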
@@ -1480,6 +1481,7 @@ void gfs2_quota_cleanup(struct gfs2_sbd *sdp)

spin_lock(&qd_lock);
}
+ mutex_unlock(&sdp->sd_quota_sync_mutex);
spin_unlock(&qd_lock);

gfs2_assert_warn(sdp, !atomic_read(&sdp->sd_quota_count));

syzbot

Jan 22, 2023, 10:16:17 AM1/22/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: sleeping function called from invalid context in gfs2_quota_cleanup

function = gfs2_dinode_in, file = fs/gfs2/glops.c, line = 460
gfs2: fsid=syz:syz.0: G: s:EX n:2/924 f:qobnN t:EX d:EX/0 a:0 v:0 r:3 m:20 p:1
gfs2: fsid=syz:syz.0: H: s:EX f:H e:0 p:5533 [syz-executor.0] gfs2_quota_sync+0x3da/0x8b0 fs/gfs2/quota.c:1318
gfs2: fsid=syz:syz.0: I: n:11/2340 t:8 f:0x00 d:0x00000201 s:176 p:0
gfs2: fsid=syz:syz.0: about to withdraw this file system
BUG: sleeping function called from invalid context at kernel/locking/mutex.c:580
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 5533, name: syz-executor.0
preempt_count: 1, expected: 0
RCU nest depth: 0, expected: 0
4 locks held by syz-executor.0/5533:
#0: ffff88807d0f40e0 (&type->s_umount_key#50){+.+.}-{3:3}, at: deactivate_super+0x96/0xd0 fs/super.c:362
#1: ffff888078da4b70 (&sdp->sd_quota_sync_mutex){+.+.}-{3:3}, at: gfs2_quota_sync+0x9b/0x8b0 fs/gfs2/quota.c:1302
#2: ffff888073181578 (&gfs2_quota_imutex_key){+.+.}-{3:3}, at: inode_lock include/linux/fs.h:756 [inline]
#2: ffff888073181578 (&gfs2_quota_imutex_key){+.+.}-{3:3}, at: do_sync+0x300/0xc80 fs/gfs2/quota.c:908
#3: ffffffff8d88d8f8 (qd_lock){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:350 [inline]
#3: ffffffff8d88d8f8 (qd_lock){+.+.}-{2:2}, at: gfs2_quota_cleanup+0x33/0x6d0 fs/gfs2/quota.c:1459
Preemption disabled at:
[<0000000000000000>] 0x0
CPU: 1 PID: 5533 Comm: syz-executor.0 Not tainted 6.2.0-rc1-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1b1/0x290 lib/dump_stack.c:106
__might_resched+0x4e9/0x6b0 kernel/sched/core.c:9985
__mutex_lock_common+0xba/0x26e0 kernel/locking/mutex.c:580
__mutex_lock kernel/locking/mutex.c:747 [inline]
mutex_lock_nested+0x17/0x20 kernel/locking/mutex.c:799
gfs2_quota_cleanup+0x4a/0x6d0 fs/gfs2/quota.c:1460
gfs2_make_fs_ro+0x517/0x610 fs/gfs2/super.c:560
signal_our_withdraw fs/gfs2/util.c:166 [inline]
gfs2_withdraw+0x609/0x1540 fs/gfs2/util.c:351
gfs2_dinode_in fs/gfs2/glops.c:460 [inline]
gfs2_inode_refresh+0xb2d/0xf60 fs/gfs2/glops.c:480
gfs2_instantiate+0x15e/0x220 fs/gfs2/glock.c:456
gfs2_glock_holder_ready fs/gfs2/glock.c:1299 [inline]
gfs2_glock_wait+0x1d9/0x2a0 fs/gfs2/glock.c:1319
gfs2_glock_nq_init fs/gfs2/glock.h:262 [inline]
do_sync+0x485/0xc80 fs/gfs2/quota.c:916
gfs2_quota_sync+0x3da/0x8b0 fs/gfs2/quota.c:1318
gfs2_sync_fs+0x49/0xb0 fs/gfs2/super.c:650
sync_filesystem+0xe8/0x220 fs/sync.c:56
generic_shutdown_super+0x6b/0x310 fs/super.c:474
kill_block_super+0x79/0xd0 fs/super.c:1386
deactivate_locked_super+0xa7/0xf0 fs/super.c:332
cleanup_mnt+0x494/0x520 fs/namespace.c:1291
task_work_run+0x243/0x300 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0x124/0x150 kernel/entry/common.c:171
exit_to_user_mode_prepare+0xb2/0x140 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:296
do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fbf69e8d517
Code: ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd8dce68c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007fbf69e8d517
RDX: 00007ffd8dce6999 RSI: 000000000000000a RDI: 00007ffd8dce6990
RBP: 00007ffd8dce6990 R08: 00000000ffffffff R09: 00007ffd8dce6760
R10: 0000555555d798b3 R11: 0000000000000246 R12: 00007fbf69ee6b24
R13: 00007ffd8dce7a50 R14: 0000555555d79810 R15: 00007ffd8dce7a90
</TASK>

=============================
[ BUG: Invalid wait context ]
6.2.0-rc1-syzkaller-dirty #0 Tainted: G W
-----------------------------
syz-executor.0/5533 is trying to lock:
ffff888078da4b70 (&sdp->sd_quota_sync_mutex){+.+.}-{3:3}, at: gfs2_quota_cleanup+0x4a/0x6d0 fs/gfs2/quota.c:1460
other info that might help us debug this:
context-{4:4}
4 locks held by syz-executor.0/5533:
#0: ffff88807d0f40e0 (&type->s_umount_key#50){+.+.}-{3:3}, at: deactivate_super+0x96/0xd0 fs/super.c:362
#1: ffff888078da4b70 (&sdp->sd_quota_sync_mutex){+.+.}-{3:3}, at: gfs2_quota_sync+0x9b/0x8b0 fs/gfs2/quota.c:1302
#2: ffff888073181578 (&gfs2_quota_imutex_key){+.+.}-{3:3}, at: inode_lock include/linux/fs.h:756 [inline]
#2: ffff888073181578 (&gfs2_quota_imutex_key){+.+.}-{3:3}, at: do_sync+0x300/0xc80 fs/gfs2/quota.c:908
#3: ffffffff8d88d8f8 (qd_lock){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:350 [inline]
#3: ffffffff8d88d8f8 (qd_lock){+.+.}-{2:2}, at: gfs2_quota_cleanup+0x33/0x6d0 fs/gfs2/quota.c:1459
stack backtrace:
CPU: 1 PID: 5533 Comm: syz-executor.0 Tainted: G W 6.2.0-rc1-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1b1/0x290 lib/dump_stack.c:106
print_lock_invalid_wait_context kernel/locking/lockdep.c:4707 [inline]
check_wait_context kernel/locking/lockdep.c:4768 [inline]
__lock_acquire+0x14f2/0x1f60 kernel/locking/lockdep.c:5005
lock_acquire+0x182/0x3c0 kernel/locking/lockdep.c:5668
__mutex_lock_common+0x1bd/0x26e0 kernel/locking/mutex.c:603
__mutex_lock kernel/locking/mutex.c:747 [inline]
mutex_lock_nested+0x17/0x20 kernel/locking/mutex.c:799
gfs2_quota_cleanup+0x4a/0x6d0 fs/gfs2/quota.c:1460
gfs2_make_fs_ro+0x517/0x610 fs/gfs2/super.c:560
signal_our_withdraw fs/gfs2/util.c:166 [inline]
gfs2_withdraw+0x609/0x1540 fs/gfs2/util.c:351
gfs2_dinode_in fs/gfs2/glops.c:460 [inline]
gfs2_inode_refresh+0xb2d/0xf60 fs/gfs2/glops.c:480
gfs2_instantiate+0x15e/0x220 fs/gfs2/glock.c:456
gfs2_glock_holder_ready fs/gfs2/glock.c:1299 [inline]
gfs2_glock_wait+0x1d9/0x2a0 fs/gfs2/glock.c:1319
gfs2_glock_nq_init fs/gfs2/glock.h:262 [inline]
do_sync+0x485/0xc80 fs/gfs2/quota.c:916
gfs2_quota_sync+0x3da/0x8b0 fs/gfs2/quota.c:1318
gfs2_sync_fs+0x49/0xb0 fs/gfs2/super.c:650
sync_filesystem+0xe8/0x220 fs/sync.c:56
generic_shutdown_super+0x6b/0x310 fs/super.c:474
kill_block_super+0x79/0xd0 fs/super.c:1386
deactivate_locked_super+0xa7/0xf0 fs/super.c:332
cleanup_mnt+0x494/0x520 fs/namespace.c:1291
task_work_run+0x243/0x300 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0x124/0x150 kernel/entry/common.c:171
exit_to_user_mode_prepare+0xb2/0x140 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:296
do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fbf69e8d517
Code: ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd8dce68c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007fbf69e8d517
RDX: 00007ffd8dce6999 RSI: 000000000000000a RDI: 00007ffd8dce6990
RBP: 00007ffd8dce6990 R08: 00000000ffffffff R09: 00007ffd8dce6760
R10: 0000555555d798b3 R11: 0000000000000246 R12: 00007fbf69ee6b24
R13: 00007ffd8dce7a50 R14: 0000555555d79810 R15: 00007ffd8dce7a90
</TASK>
BUG: scheduling while atomic: syz-executor.0/5533/0x00000002
INFO: lockdep is turned off.
Modules linked in:
Preemption disabled at:
[<0000000000000000>] 0x0


Tested on:

commit: 1b929c02 Linux 6.2-rc1
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=121678a9480000
kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=10d54cde480000

ead...@sina.com
Jan 25, 2023, 9:38:50 PM
to syzbot+3f6a67...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
From: Edward Adam Davis <ead...@sina.com>

On Mon, 02 Jan 2023 13:20:44 -0800
> HEAD commit: 1b929c02afd3 Linux 6.2-rc1
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1799c250480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
> dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
> compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14c4ea18480000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1359b338480000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/2d8c5072480f/disk-1b929c02.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/46687f1395db/vmlinux-1b929c02.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/26f1afa5ec00/bzImage-1b929c02.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/35edd581b491/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+3f6a67...@syzkaller.appspotmail.com

syzbot report:
BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:72 [inline]
BUG: KASAN: use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: use-after-free in qd_unlock+0x30/0x2d0 fs/gfs2/quota.c:490
Read of size 8 at addr ffff888073997090 by task syz-executor221/5069

Test 1b929c02afd3 uaf.

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 1b929c02afd3

--- a/fs/gfs2/quota.c
+++ b/fs/gfs2/quota.c
@@ -1321,6 +1321,9 @@ int gfs2_quota_sync(struct super_block *sb, int type)
qda[x]->qd_sync_gen =
sdp->sd_quota_sync_gen;

+ if (!sdp->sd_quota_bitmap)
+ break;
+
for (x = 0; x < num_qd; x++)
qd_unlock(qda[x]);
}
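Review bot: the break added before the qd_unlock() loop never releases the qda[] entries, so the objects that qd_check_sync() handed to this function stay locked and referenced and the use-after-free is traded for a leak; the sdp->sd_quota_bitmap test is also a plain unlocked read of a field that gfs2_quota_cleanup() frees on a different path, so nothing orders the two. A side effect of cleanup (the bitmap being NULL) does not say whether the qda[] objects are still valid; the sync path needs to hold a reference that cleanup honours, which is a change in gfs2_quota_cleanup() and the qd reference handling rather than in this loop.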

syzbot
Jan 25, 2023, 10:11:23 PM
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+3f6a67...@syzkaller.appspotmail.com

Tested on:

commit: 1b929c02 Linux 6.2-rc1
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=168167a9480000
kernel config: https://syzkaller.appspot.com/x/.config?x=7a2682e7795a8901
dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
compiler: Debian clang version 13.0.1-6~deb11u1, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=1725bd7a480000

Note: testing is done by a robot and is best-effort only.

ead...@sina.com
Jan 27, 2023, 12:10:18 AM
to syzbot+3f6a67...@syzkaller.appspotmail.com, agru...@redhat.com, cluste...@redhat.com, linux-...@vger.kernel.org, rpet...@redhat.com, syzkall...@googlegroups.com, Edward Adam Davis
From: Edward Adam Davis <ead...@sina.com>

[ 81.372851][ T5532] CPU: 1 PID: 5532 Comm: syz-executor.0 Not tainted 6.2.0-rc1-syzkaller-dirty #0
[ 81.382080][ T5532] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
[ 81.392343][ T5532] Call Trace:
[ 81.395654][ T5532] <TASK>
[ 81.398603][ T5532] dump_stack_lvl+0x1b1/0x290
[ 81.418421][ T5532] gfs2_assert_warn_i+0x19a/0x2e0
[ 81.423480][ T5532] gfs2_quota_cleanup+0x4c6/0x6b0
[ 81.428611][ T5532] gfs2_make_fs_ro+0x517/0x610
[ 81.457802][ T5532] gfs2_withdraw+0x609/0x1540
[ 81.481452][ T5532] gfs2_inode_refresh+0xb2d/0xf60
[ 81.506658][ T5532] gfs2_instantiate+0x15e/0x220
[ 81.511504][ T5532] gfs2_glock_wait+0x1d9/0x2a0
[ 81.516352][ T5532] do_sync+0x485/0xc80
[ 81.554943][ T5532] gfs2_quota_sync+0x3da/0x8b0
[ 81.559738][ T5532] gfs2_sync_fs+0x49/0xb0
[ 81.564063][ T5532] sync_filesystem+0xe8/0x220
[ 81.568740][ T5532] generic_shutdown_super+0x6b/0x310
[ 81.574112][ T5532] kill_block_super+0x79/0xd0
[ 81.578779][ T5532] deactivate_locked_super+0xa7/0xf0
[ 81.584064][ T5532] cleanup_mnt+0x494/0x520
[ 81.593753][ T5532] task_work_run+0x243/0x300
[ 81.608837][ T5532] exit_to_user_mode_loop+0x124/0x150
[ 81.614232][ T5532] exit_to_user_mode_prepare+0xb2/0x140
[ 81.619820][ T5532] syscall_exit_to_user_mode+0x26/0x60
[ 81.625287][ T5532] do_syscall_64+0x49/0xb0
[ 81.629710][ T5532] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 81.636292][ T5532] RIP: 0033:0x7efdd688d517
[ 81.640728][ T5532] Code: ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 81.660550][ T5532] RSP: 002b:00007fff34520ce8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
[ 81.669413][ T5532] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007efdd688d517
[ 81.677403][ T5532] RDX: 00007fff34520db9 RSI: 000000000000000a RDI: 00007fff34520db0
[ 81.685388][ T5532] RBP: 00007fff34520db0 R08: 00000000ffffffff R09: 00007fff34520b80
[ 81.695973][ T5532] R10: 0000555555ca38b3 R11: 0000000000000246 R12: 00007efdd68e6b24
[ 81.704152][ T5532] R13: 00007fff34521e70 R14: 0000555555ca3810 R15: 00007fff34521eb0
[ 81.712868][ T5532] </TASK>

The function "gfs2_quota_cleanup()" may be called from within the function "do_sync()".
This will cause the qda obtained in the function "qd_check_sync" to be released, resulting in a UAF.
In order to avoid this UAF, we can add a check of "sdp->sd_quota_bitmap", which is released in the function
"gfs2_quota_cleanup", to confirm that "sdp->sd_quota_list" has been released.

Link: https://lore.kernel.org/all/0000000000002b...@google.com
Reported-and-tested-by: syzbot+3f6a67...@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <ead...@sina.com>
---
fs/gfs2/quota.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/fs/gfs2/quota.c b/fs/gfs2/quota.c
index 1ed1722..4cf66bd 100644
--- a/fs/gfs2/quota.c
+++ b/fs/gfs2/quota.c
@@ -1321,6 +1321,9 @@ int gfs2_quota_sync(struct super_block *sb, int type)
qda[x]->qd_sync_gen =
sdp->sd_quota_sync_gen;

+ if (!sdp->sd_quota_bitmap)
+ break;
+
for (x = 0; x < num_qd; x++)
qd_unlock(qda[x]);
}
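Review bot: the commit message should say what happens to the qda[] entries after the break (they arrive in this function locked and are never passed to qd_unlock() on this path) and which lock is expected to order the sdp->sd_quota_bitmap read against the free in gfs2_quota_cleanup(); as written it only states that a NULL bitmap means the list is gone. Naming the trigger path that the attached trace shows (gfs2_withdraw -> gfs2_make_fs_ro -> gfs2_quota_cleanup, reached from inside gfs2_quota_sync) would also make it clear why cleanup can run while the sync still holds these objects.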
--
2.39.0

Andreas Gruenbacher
Jan 30, 2023, 9:37:04 AM
to Edward Adam Davis, syzbot+3f6a67...@syzkaller.appspotmail.com, cluste...@redhat.com, linux-...@vger.kernel.org, rpet...@redhat.com, syzkall...@googlegroups.com
Hello Edward,
I can see that there is a problem in the gfs2 quota code, but this
unfortunately doesn't look like an acceptable fix. A better approach
would be to use proper reference counting for gfs2_quota_data objects.
In this case, gfs2_quota_sync() is still holding a reference, so the
underlying object shouldn't be freed.

Fixing this properly will require more than a handful of lines.

> Link: https://lore.kernel.org/all/0000000000002b...@google.com
> Reported-and-tested-by: syzbot+3f6a67...@syzkaller.appspotmail.com
> Signed-off-by: Edward Adam Davis <ead...@sina.com>
> ---
> fs/gfs2/quota.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/fs/gfs2/quota.c b/fs/gfs2/quota.c
> index 1ed1722..4cf66bd 100644
> --- a/fs/gfs2/quota.c
> +++ b/fs/gfs2/quota.c
> @@ -1321,6 +1321,9 @@ int gfs2_quota_sync(struct super_block *sb, int type)
> qda[x]->qd_sync_gen =
> sdp->sd_quota_sync_gen;
>
> + if (!sdp->sd_quota_bitmap)
> + break;
> +
> for (x = 0; x < num_qd; x++)
> qd_unlock(qda[x]);
> }
> --
> 2.39.0
>

Thanks,
Andreas
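Added example, not code from this thread, from gfs2, or from either poster: a userspace C model of the lifetime rule Andreas states above (the object must not be freed while gfs2_quota_sync() still holds a reference) and of the sequence Edward's commit message describes (sync takes a reference, cleanup runs underneath it via the withdraw path, sync then touches the object in qd_unlock). Every identifier in it (qd_model, qd_get, qd_put, quota_cleanup_unconditional, quota_cleanup_refcounted, replay, live_objects) is invented for the model and is not a gfs2 function; a "freed" flag stands in for kfree() so the stale access is observable instead of crashing, and the three-object list is constructed sample data.

```c
#include <assert.h>
#include <stdbool.h>

#define NQD 3

/* Model object: stands in for struct gfs2_quota_data (invented fields). */
struct qd_model {
	int id;
	int refcount;   /* stands in for qd_lockref.count */
	bool on_list;   /* stands in for membership in sd_quota_list */
	bool freed;     /* set instead of calling free(), so a stale access is observable */
};

static struct qd_model pool[NQD];

/* (Re)build the list: every object starts out holding the list's own reference. */
static void quota_list_init(void)
{
	for (int i = 0; i < NQD; i++) {
		pool[i].id = i;
		pool[i].refcount = 1;
		pool[i].on_list = true;
		pool[i].freed = false;
	}
}

/* Take a reference; a holder must never see a released object. */
static void qd_get(struct qd_model *qd)
{
	assert(!qd->freed);
	qd->refcount++;
}

/* Drop a reference; the object is released when the last one goes. */
static void qd_put(struct qd_model *qd)
{
	assert(!qd->freed);
	if (--qd->refcount == 0)
		qd->freed = true;
}

/* Buggy shape: unlink and release every object, ignoring outstanding holders. */
static void quota_cleanup_unconditional(void)
{
	for (int i = 0; i < NQD; i++) {
		if (!pool[i].on_list)
			continue;
		pool[i].on_list = false;
		pool[i].freed = true;   /* released under a holder's feet */
	}
}

/* Reference-counted shape: the list gives up only the reference it owns. */
static void quota_cleanup_refcounted(void)
{
	for (int i = 0; i < NQD; i++) {
		if (!pool[i].on_list)
			continue;
		pool[i].on_list = false;
		qd_put(&pool[i]);       /* released here only if nobody else holds it */
	}
}

/*
 * Replay the sequence from the thread: a syncer takes a reference on one
 * object, cleanup runs while the syncer is still busy, then the syncer
 * touches the object and releases it. Returns how many of the syncer's
 * accesses hit an already-released object (1 = use-after-free, 0 = safe).
 */
static int replay(bool refcounted)
{
	struct qd_model *held;
	int stale = 0;

	quota_list_init();
	held = &pool[1];
	qd_get(held);                        /* like qd_check_sync() taking its reference */

	if (refcounted)
		quota_cleanup_refcounted();      /* like cleanup run from the withdraw path */
	else
		quota_cleanup_unconditional();

	if (held->freed)
		stale++;                         /* the access KASAN flagged in qd_unlock() */
	else
		qd_put(held);                    /* last reference: the object goes away here */

	return stale;
}

/* Objects still live after a replay; zero means nothing leaked. */
static int live_objects(void)
{
	int n = 0;

	for (int i = 0; i < NQD; i++)
		if (!pool[i].freed)
			n++;
	return n;
}
```

The point of the two cleanup variants is the one Andreas makes: cleanup may drop the reference the list owns, but it must not decide on its own that the object is dead. With the reference-counted variant the busy object survives cleanup and is released by whoever drops the last reference, and nothing is left behind on the list.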

ead...@sina.com
Feb 3, 2023, 7:31:56 PM
to syzbot+3f6a67...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
From: Edward Adam Davis <ead...@sina.com>

On Mon, 02 Jan 2023 13:20:44 -0800
> HEAD commit: 1b929c02afd3 Linux 6.2-rc1
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1799c250480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
> dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
> compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14c4ea18480000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1359b338480000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/2d8c5072480f/disk-1b929c02.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/46687f1395db/vmlinux-1b929c02.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/26f1afa5ec00/bzImage-1b929c02.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/35edd581b491/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+3f6a67...@syzkaller.appspotmail.com

syzbot report:
BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:72 [inline]
BUG: KASAN: use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: use-after-free in qd_unlock+0x30/0x2d0 fs/gfs2/quota.c:490
Read of size 8 at addr ffff888073997090 by task syz-executor221/5069

Test 1b929c02afd3 uaf.

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 1b929c02afd3

--- a/fs/gfs2/quota.c
+++ b/fs/gfs2/quota.c
@@ -1459,6 +1459,8 @@ void gfs2_quota_cleanup(struct gfs2_sbd *sdp)
spin_lock(&qd_lock);
while (!list_empty(head)) {
qd = list_last_entry(head, struct gfs2_quota_data, qd_list);
+ if (qd->qd_lockref.count > 0)
+ continue;

list_del(&qd->qd_list);

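Review bot: continue inside while (!list_empty(head)) is an endless loop: the next pass calls list_last_entry(head, ...) again, gets the same busy qd, and spins with qd_lock held, which matches what syzbot then reported against this patch (an RCU stall with gfs2_quota_cleanup at the top of the trace). Reading qd->qd_lockref.count directly is also outside the lockref API; that count is protected by the lockref's own spinlock, not by qd_lock, so the test is a racy read of a value that can change immediately afterwards. If busy entries are to be skipped, the loop needs a cursor that actually advances past them, and the patch needs to say what is meant to happen to those entries later.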
syzbot
Feb 3, 2023, 8:07:28 PM
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: rcu detected stall in corrupted

rcu: INFO: rcu_preempt detected expedited stalls on CPUs/tasks: { 0-.... } 2669 jiffies s: 2353 root: 0x1/.
rcu: blocking rcu_node structures (internal RCU debug):
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 PID: 5533 Comm: syz-executor.0 Not tainted 6.2.0-rc1-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
RIP: 0010:__sanitizer_cov_trace_pc+0x0/0x60
Code: 00 00 00 00 00 0f 1f 44 00 00 f3 0f 1e fa 53 48 89 fb e8 13 00 00 00 48 8b 3d f4 27 ab 0c 48 89 de 5b e9 c3 65 53 00 0f 1f 00 <f3> 0f 1e fa 48 8b 04 24 65 48 8b 0d 80 62 78 7e 65 8b 15 81 62 78
RSP: 0018:ffffc900051ff5d8 EFLAGS: 00000283
RAX: ffff888073b27010 RBX: dffffc0000000000 RCX: ffff88801f413a80
RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000000
RBP: 0000000000000002 R08: ffffffff83b9dbec R09: 0000000000000003
R10: ffffffffffffffff R11: dffffc0000000001 R12: ffff888077dfca60
R13: 1ffff1100efbf94c R14: ffff888077dfca68 R15: dead000000000122
FS: 0000555557348400(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f536403f850 CR3: 000000007c779000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
gfs2_quota_cleanup+0x107/0x730
gfs2_make_fs_ro+0x50c/0x600
gfs2_withdraw+0x63e/0x1550
gfs2_inode_refresh+0xb32/0xfa0
gfs2_instantiate+0x18c/0x250
gfs2_glock_wait+0x1df/0x2b0
do_sync+0x482/0xc70
gfs2_quota_sync+0x37d/0x820
gfs2_sync_fs+0x4d/0xb0
sync_filesystem+0xec/0x220
generic_shutdown_super+0x6f/0x310
kill_block_super+0x7e/0xe0
deactivate_locked_super+0xa4/0x110
cleanup_mnt+0x490/0x520
task_work_run+0x24a/0x300
exit_to_user_mode_loop+0xd1/0xf0
exit_to_user_mode_prepare+0xb1/0x140
syscall_exit_to_user_mode+0x54/0x2d0
do_syscall_64+0x4d/0xc0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fc2d9c8d517
Code: ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffebcd867a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007fc2d9c8d517
RDX: 00007ffebcd86879 RSI: 000000000000000a RDI: 00007ffebcd86870
RBP: 00007ffebcd86870 R08: 00000000ffffffff R09: 00007ffebcd86640
R10: 00005555573498b3 R11: 0000000000000246 R12: 00007fc2d9ce6b24
R13: 00007ffebcd87930 R14: 0000555557349810 R15: 00007ffebcd87970
</TASK>


Tested on:

commit: 1b929c02 Linux 6.2-rc1
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=115e9abb480000
kernel config: https://syzkaller.appspot.com/x/.config?x=a52f9c3367809abd
dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=114f4775480000

ead...@sina.com
Feb 3, 2023, 9:39:58 PM
to syzbot+3f6a67...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
From: Edward Adam Davis <ead...@sina.com>

On Mon, 02 Jan 2023 13:20:44 -0800
> HEAD commit: 1b929c02afd3 Linux 6.2-rc1
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1799c250480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
> dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
> compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14c4ea18480000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1359b338480000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/2d8c5072480f/disk-1b929c02.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/46687f1395db/vmlinux-1b929c02.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/26f1afa5ec00/bzImage-1b929c02.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/35edd581b491/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+3f6a67...@syzkaller.appspotmail.com

syzbot report:
BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:72 [inline]
BUG: KASAN: use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: use-after-free in qd_unlock+0x30/0x2d0 fs/gfs2/quota.c:490
Read of size 8 at addr ffff888073997090 by task syz-executor221/5069

Test 1b929c02afd3 uaf.

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 1b929c02afd3

--- a/fs/gfs2/quota.c
+++ b/fs/gfs2/quota.c
@@ -1459,6 +1459,10 @@ void gfs2_quota_cleanup(struct gfs2_sbd *sdp)
spin_lock(&qd_lock);
while (!list_empty(head)) {
qd = list_last_entry(head, struct gfs2_quota_data, qd_list);
+ if (qd->qd_lockref.count > 0) {
+ spin_unlock(&qd_lock);
+ return;
+ }

list_del(&qd->qd_list);

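Review bot: returning from gfs2_quota_cleanup() at the first busy qd abandons every other entry still on sd_quota_list and skips everything that follows the loop in this function, so the unmount never finishes tearing down its quota state; syzbot's run of this patch hangs in gfs2_gl_hash_clear, which waits for the remaining glocks, so something cleanup was supposed to release was not. The qd_lockref.count > 0 test has the same problem as in the previous attempt: a raw read of a lockref count under the wrong lock. Bailing out of cleanup is not a substitute for letting the busy object outlive cleanup and be released by its last holder.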
syzbot
Feb 3, 2023, 10:06:19 PM
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in gfs2_gl_hash_clear

INFO: task syz-executor.0:5537 blocked for more than 143 seconds.
Not tainted 6.2.0-rc1-syzkaller-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.0 state:D stack:20536 pid:5537 ppid:1 flags:0x00004006
Call Trace:
<TASK>
__schedule+0x13ca/0x43c0
schedule+0xc3/0x190
schedule_timeout+0x1ae/0x300
gfs2_gl_hash_clear+0x192/0x300
gfs2_put_super+0x827/0x890
generic_shutdown_super+0x134/0x310
kill_block_super+0x7e/0xe0
deactivate_locked_super+0xa4/0x110
cleanup_mnt+0x490/0x520
task_work_run+0x24a/0x300
exit_to_user_mode_loop+0xd1/0xf0
exit_to_user_mode_prepare+0xb1/0x140
syscall_exit_to_user_mode+0x54/0x2d0
do_syscall_64+0x4d/0xc0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f2ca328d517
RSP: 002b:00007fffbdbebda8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f2ca328d517
RDX: 00007fffbdbebe79 RSI: 000000000000000a RDI: 00007fffbdbebe70
RBP: 00007fffbdbebe70 R08: 00000000ffffffff R09: 00007fffbdbebc40
R10: 0000555555f358b3 R11: 0000000000000246 R12: 00007f2ca32e6b24
R13: 00007fffbdbecf30 R14: 0000555555f35810 R15: 00007fffbdbecf70
</TASK>

Showing all locks held in the system:
1 lock held by rcu_tasks_kthre/12:
#0: ffffffff8cd26dd0 (rcu_tasks.tasks_gp_mutex){+.+.}-{3:3}, at: rcu_tasks_one_gp+0x26/0xce0
1 lock held by rcu_tasks_trace/13:
#0: ffffffff8cd275d0 (rcu_tasks_trace.tasks_gp_mutex){+.+.}-{3:3}, at: rcu_tasks_one_gp+0x26/0xce0
1 lock held by khungtaskd/28:
#0: ffffffff8cd26c00 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x0/0x30
2 locks held by getty/4747:
#0: ffff88814b7d0098 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x25/0x70
#1: ffffc900015902f0 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0x53b/0x1630
1 lock held by syz-executor.0/5537:
#0: ffff888078e920e0 (&type->s_umount_key#50){+.+.}-{3:3}, at: deactivate_super+0xad/0xf0

=============================================

NMI backtrace for cpu 1
CPU: 1 PID: 28 Comm: khungtaskd Not tainted 6.2.0-rc1-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
Call Trace:
<TASK>
dump_stack_lvl+0x1b5/0x2a0
nmi_cpu_backtrace+0x47b/0x500
nmi_trigger_cpumask_backtrace+0x1d3/0x430
watchdog+0xf70/0xfb0
kthread+0x270/0x300
ret_from_fork+0x1f/0x30
</TASK>
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 PID: 11 Comm: kworker/u4:1 Not tainted 6.2.0-rc1-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
Workqueue: events_unbound toggle_allocation_gate
RIP: 0010:cpus_read_lock+0x0/0x130
Code: 09 66 0f 1f 84 00 00 00 00 00 66 0f 1f 00 e8 87 fe 37 00 48 c7 c7 a0 36 bc 8c e9 2b 51 49 09 66 2e 0f 1f 84 00 00 00 00 00 90 <f3> 0f 1e fa 53 e8 66 fe 37 00 48 c7 c7 20 6e c9 8a be 31 00 00 00
RSP: 0018:ffffc90000107b68 EFLAGS: 00000293
RAX: ffffffff81b6e94d RBX: ffffffff91869260 RCX: ffff88801237ba80
RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffffffff91869260
RBP: ffffc90000107c50 R08: ffffffff81dfd0bb R09: 0000000000000003
R10: ffffffffffffffff R11: dffffc0000000001 R12: dffffc0000000000
R13: 1ffff1100243a983 R14: ffffffff918c86e0 R15: 1ffff92000020f70
FS: 0000000000000000(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055816f4e6600 CR3: 000000000ca8e000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
static_key_disable+0x12/0x20
toggle_allocation_gate+0x1a9/0x240
process_one_work+0x96c/0x13e0
worker_thread+0xa63/0x1210
kthread+0x270/0x300
ret_from_fork+0x1f/0x30
</TASK>


Tested on:

commit: 1b929c02 Linux 6.2-rc1
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=148084e3480000
kernel config: https://syzkaller.appspot.com/x/.config?x=a52f9c3367809abd
dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=138fc219480000

ead...@sina.com
Feb 4, 2023, 8:41:38 PM
to syzbot+3f6a67...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
From: Edward Adam Davis <ead...@sina.com>

On Mon, 02 Jan 2023 13:20:44 -0800
> HEAD commit: 1b929c02afd3 Linux 6.2-rc1
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1799c250480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
> dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
> compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14c4ea18480000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1359b338480000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/2d8c5072480f/disk-1b929c02.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/46687f1395db/vmlinux-1b929c02.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/26f1afa5ec00/bzImage-1b929c02.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/35edd581b491/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+3f6a67...@syzkaller.appspotmail.com

syzbot report:
BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:72 [inline]
BUG: KASAN: use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: use-after-free in qd_unlock+0x30/0x2d0 fs/gfs2/quota.c:490
Read of size 8 at addr ffff888073997090 by task syz-executor221/5069

Test 1b929c02afd3 uaf.

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 1b929c02afd3

--- a/fs/gfs2/quota.c
+++ b/fs/gfs2/quota.c
@@ -1454,11 +1454,12 @@ int gfs2_quota_init(struct gfs2_sbd *sdp)
void gfs2_quota_cleanup(struct gfs2_sbd *sdp)
{
struct list_head *head = &sdp->sd_quota_list;
- struct gfs2_quota_data *qd;
+ struct gfs2_quota_data *qd, *n;

spin_lock(&qd_lock);
- while (!list_empty(head)) {
- qd = list_last_entry(head, struct gfs2_quota_data, qd_list);
+ list_for_each_entry_safe(qd, n, head, qd_list) {
+ if (qd->qd_lockref.count > 0)
+ continue;

list_del(&qd->qd_list);

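Review bot: skipping busy entries with continue leaves them on sd_quota_list for good with nothing to release them later, so the outcome is the same as the early return: syzbot's run of this patch hangs in gfs2_gl_hash_clear again. Replacing the while (!list_empty(head)) re-fetch loop with list_for_each_entry_safe() also changes the locking assumptions: the _safe variant caches the next entry in n, which is only valid if qd_lock is held across the entire loop body, whereas re-reading the list head on every pass is the usual shape for a loop whose body drops the lock while it releases an entry; if the body still drops qd_lock (not visible in this hunk), n can point at an entry another task has already removed. And qd->qd_lockref.count is still read directly rather than through the lockref API.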
syzbot
Feb 4, 2023, 9:04:25 PM
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in gfs2_gl_hash_clear

INFO: task syz-executor.0:5537 blocked for more than 143 seconds.
Not tainted 6.2.0-rc1-syzkaller-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.0 state:D stack:21272 pid:5537 ppid:1 flags:0x00004004
Call Trace:
<TASK>
__schedule+0x13ca/0x43c0
schedule+0xc3/0x190
schedule_timeout+0x1ae/0x300
gfs2_gl_hash_clear+0x192/0x300
gfs2_put_super+0x827/0x890
generic_shutdown_super+0x134/0x310
kill_block_super+0x7e/0xe0
deactivate_locked_super+0xa4/0x110
cleanup_mnt+0x490/0x520
task_work_run+0x24a/0x300
exit_to_user_mode_loop+0xd1/0xf0
exit_to_user_mode_prepare+0xb1/0x140
syscall_exit_to_user_mode+0x54/0x2d0
do_syscall_64+0x4d/0xc0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7efe9328d517
RSP: 002b:00007ffccd9359f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007efe9328d517
RDX: 00007ffccd935ac9 RSI: 000000000000000a RDI: 00007ffccd935ac0
RBP: 00007ffccd935ac0 R08: 00000000ffffffff R09: 00007ffccd935890
R10: 00005555568328b3 R11: 0000000000000246 R12: 00007efe932e6b24
R13: 00007ffccd936b80 R14: 0000555556832810 R15: 00007ffccd936bc0
</TASK>

Showing all locks held in the system:
1 lock held by rcu_tasks_kthre/12:
#0: ffffffff8cd26dd0 (rcu_tasks.tasks_gp_mutex){+.+.}-{3:3}, at: rcu_tasks_one_gp+0x26/0xce0
1 lock held by rcu_tasks_trace/13:
#0: ffffffff8cd275d0 (rcu_tasks_trace.tasks_gp_mutex){+.+.}-{3:3}, at: rcu_tasks_one_gp+0x26/0xce0
1 lock held by khungtaskd/28:
#0: ffffffff8cd26c00 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x0/0x30
2 locks held by getty/4752:
#0: ffff88802847e098 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x25/0x70
#1: ffffc900015802f0 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0x53b/0x1630
1 lock held by syz-executor.0/5537:
#0: ffff888024f8a0e0 (&type->s_umount_key#50){+.+.}-{3:3}, at: deactivate_super+0xad/0xf0

=============================================

NMI backtrace for cpu 0
CPU: 0 PID: 28 Comm: khungtaskd Not tainted 6.2.0-rc1-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
Call Trace:
<TASK>
dump_stack_lvl+0x1b5/0x2a0
nmi_cpu_backtrace+0x47b/0x500
nmi_trigger_cpumask_backtrace+0x1d3/0x430
watchdog+0xf70/0xfb0
kthread+0x270/0x300
ret_from_fork+0x1f/0x30
</TASK>
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 75 Comm: kworker/u4:4 Not tainted 6.2.0-rc1-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
Workqueue: events_unbound toggle_allocation_gate
RIP: 0010:kasan_check_range+0x15/0x290
Code: ea ff ff ff c3 0f 0b b8 ea ff ff ff c3 0f 1f 84 00 00 00 00 00 66 0f 1f 00 55 41 57 41 56 53 b0 01 48 85 f6 0f 84 9a 01 00 00 <48> 89 fd 48 01 f5 0f 82 5a 02 00 00 48 89 fd 48 c1 ed 2f 81 fd ff
RSP: 0018:ffffc900015d7808 EFLAGS: 00000002
RAX: ffff888018bd0001 RBX: ffffffff8132a509 RCX: ffffffff8132a509
RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffffffff8f9efcca
RBP: ffffc900015d7a10 R08: dffffc0000000000 R09: ffffed100240d0e1
R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000001
R13: dffffc0000000000 R14: ffffffff8f9efcca R15: 00002aaaaaaab924
FS: 0000000000000000(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000557b7a63d600 CR3: 0000000012063000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
memcpy+0x29/0x70
text_poke_memcpy+0x9/0x10
__text_poke+0x574/0x8e0
text_poke_bp_batch+0x650/0x850
text_poke_finish+0x1a/0x30
arch_jump_label_transform_apply+0x17/0x30
static_key_disable_cpuslocked+0xce/0x1b0
static_key_disable+0x1a/0x20
toggle_allocation_gate+0x1a9/0x240
process_one_work+0x96c/0x13e0
worker_thread+0xa63/0x1210
kthread+0x270/0x300
ret_from_fork+0x1f/0x30
</TASK>


Tested on:

commit: 1b929c02 Linux 6.2-rc1
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=17f9e99b480000
kernel config: https://syzkaller.appspot.com/x/.config?x=a52f9c3367809abd
dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=10f6e2d9480000

ead...@sina.com

Feb 19, 2023, 12:01:54 AM
to syzbot+3f6a67...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
From: Edward Adam Davis <ead...@sina.com>

On Mon, 02 Jan 2023 13:20:44 -0800
> HEAD commit: 1b929c02afd3 Linux 6.2-rc1
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1799c250480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
> dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
> compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14c4ea18480000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1359b338480000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/2d8c5072480f/disk-1b929c02.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/46687f1395db/vmlinux-1b929c02.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/26f1afa5ec00/bzImage-1b929c02.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/35edd581b491/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+3f6a67...@syzkaller.appspotmail.com

syzbot report:
BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:72 [inline]
BUG: KASAN: use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: use-after-free in qd_unlock+0x30/0x2d0 fs/gfs2/quota.c:490
Read of size 8 at addr ffff888073997090 by task syz-executor221/5069

Test 1b929c02afd3 uaf.

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 1b929c02afd3

--- a/fs/gfs2/quota.c
+++ b/fs/gfs2/quota.c
@@ -1321,6 +1321,9 @@ int gfs2_quota_sync(struct super_block *sb, int type)
qda[x]->qd_sync_gen =
sdp->sd_quota_sync_gen;

+ if (error == -EIO)
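Review bot: the hunk header promises three added lines but the archived message stops at `+ if (error == -EIO)`, so the body of the new branch is not visible and the change cannot be reviewed here; the clean syzbot run below shows only that the reproducer stopped firing. A post-hoc test on `error` is also at the wrong point: the use-after-free is reported in `qd_unlock()` (quota.c:490) on `qda[x]`, so whatever the branch does must prevent that unlock on the torn-down quota data, and it should be checked that other error returns from `do_sync()` cannot leave the same freed object behind.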

syzbot

Feb 19, 2023, 12:25:25 AM
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+3f6a67...@syzkaller.appspotmail.com

Tested on:

commit: 1b929c02 Linux 6.2-rc1
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=131562df480000
kernel config: https://syzkaller.appspot.com/x/.config?x=7a23fb7114ed14bf
dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=10dbfec8c80000

ead...@sina.com

Feb 21, 2023, 10:59:23 PM
to syzbot+3f6a67...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
From: Edward Adam Davis <ead...@sina.com>

On Mon, 02 Jan 2023 13:20:44 -0800
> HEAD commit: 1b929c02afd3 Linux 6.2-rc1
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1799c250480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
> dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
> compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14c4ea18480000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1359b338480000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/2d8c5072480f/disk-1b929c02.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/46687f1395db/vmlinux-1b929c02.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/26f1afa5ec00/bzImage-1b929c02.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/35edd581b491/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+3f6a67...@syzkaller.appspotmail.com

syzbot report:
BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:72 [inline]
BUG: KASAN: use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: use-after-free in qd_unlock+0x30/0x2d0 fs/gfs2/quota.c:490
Read of size 8 at addr ffff888073997090 by task syz-executor221/5069

Test 1b929c02afd3 uaf.

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 1b929c02afd3

--- a/fs/gfs2/quota.c
+++ b/fs/gfs2/quota.c
@@ -461,7 +461,8 @@ static int qd_fish(struct gfs2_sbd *sdp, struct gfs2_quota_data **qdp)
spin_lock(&qd_lock);

list_for_each_entry(iter, &sdp->sd_quota_list, qd_list) {
- if (qd_check_sync(sdp, iter, &sdp->sd_quota_sync_gen)) {
+ if (qd_check_sync(sdp, iter, &sdp->sd_quota_sync_gen) &&
+ need_sync(iter)) {
qd = iter;
break;
}
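Review bot: `need_sync()` is a static function defined further down in quota.c and is not declared at this point, so the hunk needs a forward declaration above `qd_fish()` (or the definition moved up) to compile; the build result below reports exactly that (implicit declaration at 465, "static declaration follows non-static" at 1091). The call is also made while `qd_fish()` holds `qd_lock` (taken in the context at the top of this hunk) over the `sd_quota_list` walk, so `need_sync()` must be safe to call under that spinlock. Beyond the build, filtering the list walk on `need_sync()` changes which quota data `gfs2_quota_sync()` writes out rather than addressing why `qd_unlock()` runs on freed memory.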
@@ -1321,6 +1322,9 @@ int gfs2_quota_sync(struct super_block *sb, int type)
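Review bot: the `@@ -1321,6 +1322,9 @@` hunk has no body in the archived message (the same truncation affects the resends of this patch below), so the `gfs2_quota_sync()` part of the change, which is where the reported `qd_unlock()` read happens, cannot be reviewed here.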

syzbot

Feb 21, 2023, 11:24:23 PM
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

fs/gfs2/quota.c:465:5: error: implicit declaration of function 'need_sync' [-Werror=implicit-function-declaration]
fs/gfs2/quota.c:1091:12: error: static declaration of 'need_sync' follows non-static declaration


Tested on:

commit: 1b929c02 Linux 6.2-rc1
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=1271ab94c80000

ead...@sina.com

Feb 22, 2023, 12:19:32 AM
to syzbot+3f6a67...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
From: Edward Adam Davis <ead...@sina.com>

On Mon, 02 Jan 2023 13:20:44 -0800
> HEAD commit: 1b929c02afd3 Linux 6.2-rc1
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1799c250480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
> dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
> compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14c4ea18480000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1359b338480000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/2d8c5072480f/disk-1b929c02.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/46687f1395db/vmlinux-1b929c02.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/26f1afa5ec00/bzImage-1b929c02.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/35edd581b491/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+3f6a67...@syzkaller.appspotmail.com

syzbot report:
BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:72 [inline]
BUG: KASAN: use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: use-after-free in qd_unlock+0x30/0x2d0 fs/gfs2/quota.c:490
Read of size 8 at addr ffff888073997090 by task syz-executor221/5069

Test 1b929c02afd3 uaf.

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 1b929c02afd3

--- a/fs/gfs2/quota.c
+++ b/fs/gfs2/quota.c
@@ -462,6 +462,8 @@ static int qd_fish(struct gfs2_sbd *sdp, struct gfs2_quota_data **qdp)

list_for_each_entry(iter, &sdp->sd_quota_list, qd_list) {
if (qd_check_sync(sdp, iter, &sdp->sd_quota_sync_gen)) {
+ if (!need_sync(iter))
+ continue;
qd = iter;
break;
}
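Review bot: nothing in this hunk declares `need_sync()` before its use, so the implicit-declaration error from the previous round is unchanged (the result below reports it again at quota.c:465); moving the check into an inner `if (!need_sync(iter)) continue;` is functionally the same as the earlier `&&` form. The call still happens while `qd_fish()` holds `qd_lock` over the `sd_quota_list` walk, so `need_sync()` must not take that lock itself or sleep.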
@@ -1321,6 +1323,9 @@ int gfs2_quota_sync(struct super_block *sb, int type)

syzbot

Feb 22, 2023, 12:45:29 AM
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

fs/gfs2/quota.c:465:9: error: implicit declaration of function 'need_sync' [-Werror=implicit-function-declaration]
fs/gfs2/quota.c:1092:12: error: static declaration of 'need_sync' follows non-static declaration


Tested on:

commit: 1b929c02 Linux 6.2-rc1
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=12a0a018c80000

ead...@sina.com

Feb 23, 2023, 8:28:32 AM
to syzbot+3f6a67...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
From: Edward Adam Davis <ead...@sina.com>

On Mon, 02 Jan 2023 13:20:44 -0800
> HEAD commit: 1b929c02afd3 Linux 6.2-rc1
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1799c250480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
> dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
> compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14c4ea18480000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1359b338480000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/2d8c5072480f/disk-1b929c02.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/46687f1395db/vmlinux-1b929c02.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/26f1afa5ec00/bzImage-1b929c02.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/35edd581b491/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+3f6a67...@syzkaller.appspotmail.com

syzbot report:
BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:72 [inline]
BUG: KASAN: use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: use-after-free in qd_unlock+0x30/0x2d0 fs/gfs2/quota.c:490
Read of size 8 at addr ffff888073997090 by task syz-executor221/5069

Test 1b929c02afd3 uaf.

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 1b929c02afd3

--- a/fs/gfs2/quota.c
+++ b/fs/gfs2/quota.c
@@ -81,6 +81,7 @@ static DEFINE_SPINLOCK(qd_lock);
struct list_lru gfs2_qd_lru;

static struct hlist_bl_head qd_hash_table[GFS2_QD_HASH_SIZE];
+static int need_sync(struct gfs2_quota_data *qd);

static unsigned int gfs2_qd_hash(const struct gfs2_sbd *sdp,
const struct kqid qid)
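Review bot: the forward declaration resolves the build failure, but the prototype has to be kept identical to the definition (`static int need_sync(struct gfs2_quota_data *qd)`), and gfs2 generally orders file-local helpers so that forward declarations are unnecessary; moving the definition of `need_sync()` above `qd_fish()` in the same patch would be the cleaner form.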
@@ -462,6 +463,8 @@ static int qd_fish(struct gfs2_sbd *sdp, struct gfs2_quota_data **qdp)

list_for_each_entry(iter, &sdp->sd_quota_list, qd_list) {
if (qd_check_sync(sdp, iter, &sdp->sd_quota_sync_gen)) {
+ if (!need_sync(iter))
+ continue;
qd = iter;
break;
}
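Review bot: with `need_sync()` deciding what `qd_fish()` returns, `gfs2_quota_sync()` no longer flushes every changed quota entry at sync/unmount, only those `need_sync()` considers due; that is a behaviour change for quota accounting, and it also means a clean syzbot run can result from the sync loop simply finding nothing to do. The freed object in the report is released by `gfs2_quota_cleanup()` during a withdraw that fires inside `do_sync()` (see the "Last potentially related work creation" stack in the Mar 6 result below), and the unlock of `qda[x]` afterwards in `gfs2_quota_sync()` is still unguarded.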
@@ -1321,6 +1324,9 @@ int gfs2_quota_sync(struct super_block *sb, int type)

syzbot

Feb 23, 2023, 8:50:20 AM
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+3f6a67...@syzkaller.appspotmail.com

Tested on:

commit: 1b929c02 Linux 6.2-rc1
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=16f386f8c80000
kernel config: https://syzkaller.appspot.com/x/.config?x=7a23fb7114ed14bf
dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=172b347f480000

ead...@sina.com

Mar 6, 2023, 8:18:50 AM
to syzbot+3f6a67...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
From: Edward Adam Davis <ead...@sina.com>

On Mon, 02 Jan 2023 13:20:44 -0800
> HEAD commit: 1b929c02afd3 Linux 6.2-rc1
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1799c250480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
> dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
> compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14c4ea18480000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1359b338480000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/2d8c5072480f/disk-1b929c02.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/46687f1395db/vmlinux-1b929c02.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/26f1afa5ec00/bzImage-1b929c02.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/35edd581b491/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+3f6a67...@syzkaller.appspotmail.com

syzbot report:
BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:72 [inline]
BUG: KASAN: use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: use-after-free in qd_unlock+0x30/0x2d0 fs/gfs2/quota.c:490
Read of size 8 at addr ffff888073997090 by task syz-executor221/5069

Test 1b929c02afd3 uaf.

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 1b929c02afd3

--- a/fs/gfs2/glops.c
+++ b/fs/gfs2/glops.c
@@ -449,9 +449,6 @@ static int gfs2_dinode_in(struct gfs2_inode *ip, const void *buf)
ip->i_depth = (u8)depth;
ip->i_entries = be32_to_cpu(str->di_entries);

- if (gfs2_is_stuffed(ip) && inode->i_size > gfs2_max_stuffed_size(ip))
- goto corrupt;
-
if (S_ISREG(inode->i_mode))
gfs2_set_aops(inode);
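Review bot: this deletes the consistency check that rejects a stuffed inode whose `i_size` exceeds `gfs2_max_stuffed_size(ip)`, so a corrupt or crafted on-disk dinode now passes `gfs2_dinode_in()` and later code trusts the oversized stuffed size. The check is what triggers the withdraw in the reproducer, but removing the detection is not a fix for the use-after-free in `gfs2_quota_sync()`, and the syzbot result below confirms the same KASAN report still fires with this applied.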

syzbot

Mar 6, 2023, 8:33:23 AM
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in qd_unlock

RSP: 002b:00007fffad5dbb18 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f3b10c8d567
RDX: 00007fffad5dbbe9 RSI: 000000000000000a RDI: 00007fffad5dbbe0
RBP: 00007fffad5dbbe0 R08: 00000000ffffffff R09: 00007fffad5db9b0
R10: 00005555555e18b3 R11: 0000000000000246 R12: 00007f3b10ce6b24
R13: 00007fffad5dcca0 R14: 00005555555e1810 R15: 00007fffad5dcce0
</TASK>
==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:72 [inline]
BUG: KASAN: use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: use-after-free in qd_unlock+0x20/0x190 fs/gfs2/quota.c:490
Read of size 8 at addr ffff888072ba0090 by task syz-executor.0/5530

CPU: 1 PID: 5530 Comm: syz-executor.0 Not tainted 6.2.0-rc1-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:306 [inline]
print_report+0x15e/0x45d mm/kasan/report.c:417
kasan_report+0xbf/0x1f0 mm/kasan/report.c:517
check_region_inline mm/kasan/generic.c:183 [inline]
kasan_check_range+0x141/0x190 mm/kasan/generic.c:189
instrument_atomic_read include/linux/instrumented.h:72 [inline]
_test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
qd_unlock+0x20/0x190 fs/gfs2/quota.c:490
gfs2_quota_sync+0x39d/0x660 fs/gfs2/quota.c:1325
gfs2_sync_fs+0x44/0xb0 fs/gfs2/super.c:650
sync_filesystem.part.0+0x75/0x1d0 fs/sync.c:56
sync_filesystem+0x8f/0xc0 fs/sync.c:43
generic_shutdown_super+0x74/0x410 fs/super.c:474
kill_block_super+0x9b/0xf0 fs/super.c:1386
gfs2_kill_sb+0x108/0x170 fs/gfs2/ops_fstype.c:1738
deactivate_locked_super+0x98/0x160 fs/super.c:332
deactivate_super+0xb1/0xd0 fs/super.c:363
cleanup_mnt+0x2ae/0x3d0 fs/namespace.c:1291
task_work_run+0x16f/0x270 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296
do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f3b10c8d567
Code: ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffad5dbb18 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f3b10c8d567
RDX: 00007fffad5dbbe9 RSI: 000000000000000a RDI: 00007fffad5dbbe0
RBP: 00007fffad5dbbe0 R08: 00000000ffffffff R09: 00007fffad5db9b0
R10: 00005555555e18b3 R11: 0000000000000246 R12: 00007f3b10ce6b24
R13: 00007fffad5dcca0 R14: 00005555555e1810 R15: 00007fffad5dcce0
</TASK>

Allocated by task 5604:
kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
__kasan_slab_alloc+0x82/0x90 mm/kasan/common.c:325
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slab.h:761 [inline]
slab_alloc_node mm/slub.c:3452 [inline]
slab_alloc mm/slub.c:3460 [inline]
__kmem_cache_alloc_lru mm/slub.c:3467 [inline]
kmem_cache_alloc+0x1e4/0x430 mm/slub.c:3476
kmem_cache_zalloc include/linux/slab.h:710 [inline]
qd_alloc+0x4e/0x300 fs/gfs2/quota.c:216
gfs2_quota_init+0x7bb/0xf70 fs/gfs2/quota.c:1415
gfs2_make_fs_rw+0x424/0x640 fs/gfs2/super.c:153
gfs2_fill_super+0x22c8/0x27a0 fs/gfs2/ops_fstype.c:1274
get_tree_bdev+0x444/0x760 fs/super.c:1282
gfs2_get_tree+0x4e/0x270 fs/gfs2/ops_fstype.c:1330
vfs_get_tree+0x8d/0x2f0 fs/super.c:1489
do_new_mount fs/namespace.c:3145 [inline]
path_mount+0x132a/0x1e20 fs/namespace.c:3475
do_mount fs/namespace.c:3488 [inline]
__do_sys_mount fs/namespace.c:3697 [inline]
__se_sys_mount fs/namespace.c:3674 [inline]
__x64_sys_mount+0x283/0x300 fs/namespace.c:3674
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 5530:
kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
kasan_save_free_info+0x2e/0x40 mm/kasan/generic.c:518
____kasan_slab_free mm/kasan/common.c:236 [inline]
____kasan_slab_free+0x160/0x1c0 mm/kasan/common.c:200
kasan_slab_free include/linux/kasan.h:177 [inline]
slab_free_hook mm/slub.c:1781 [inline]
slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1807
slab_free mm/slub.c:3787 [inline]
kmem_cache_free+0xee/0x5c0 mm/slub.c:3809
rcu_do_batch kernel/rcu/tree.c:2246 [inline]
rcu_core+0x81f/0x1980 kernel/rcu/tree.c:2506
__do_softirq+0x1fb/0xadc kernel/softirq.c:571

Last potentially related work creation:
kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
__kasan_record_aux_stack+0xbc/0xd0 mm/kasan/generic.c:488
__call_rcu_common.constprop.0+0x99/0x820 kernel/rcu/tree.c:2755
gfs2_quota_cleanup+0x483/0x860 fs/gfs2/quota.c:1479
gfs2_make_fs_ro+0x202/0x610 fs/gfs2/super.c:560
signal_our_withdraw fs/gfs2/util.c:166 [inline]
gfs2_withdraw.cold+0x4b4/0xf9a fs/gfs2/util.c:351
gfs2_dinode_in fs/gfs2/glops.c:457 [inline]
gfs2_inode_refresh+0xbf8/0xf60 fs/gfs2/glops.c:477
inode_go_instantiate+0x4a/0x70 fs/gfs2/glops.c:496
gfs2_instantiate+0x16a/0x250 fs/gfs2/glock.c:456
gfs2_glock_holder_ready fs/gfs2/glock.c:1299 [inline]
gfs2_glock_holder_ready fs/gfs2/glock.c:1295 [inline]
gfs2_glock_wait+0x197/0x2e0 fs/gfs2/glock.c:1319
gfs2_glock_nq+0xae4/0x1470 fs/gfs2/glock.c:1567
gfs2_glock_nq_init fs/gfs2/glock.h:262 [inline]
do_sync+0x62f/0xcf0 fs/gfs2/quota.c:916
gfs2_quota_sync+0x2e6/0x660 fs/gfs2/quota.c:1318
gfs2_sync_fs+0x44/0xb0 fs/gfs2/super.c:650
sync_filesystem.part.0+0x75/0x1d0 fs/sync.c:56
sync_filesystem+0x8f/0xc0 fs/sync.c:43
generic_shutdown_super+0x74/0x410 fs/super.c:474
kill_block_super+0x9b/0xf0 fs/super.c:1386
gfs2_kill_sb+0x108/0x170 fs/gfs2/ops_fstype.c:1738
deactivate_locked_super+0x98/0x160 fs/super.c:332
deactivate_super+0xb1/0xd0 fs/super.c:363
cleanup_mnt+0x2ae/0x3d0 fs/namespace.c:1291
task_work_run+0x16f/0x270 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296
do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff888072ba0000
which belongs to the cache gfs2_quotad of size 272
The buggy address is located 144 bytes inside of
272-byte region [ffff888072ba0000, ffff888072ba0110)

The buggy address belongs to the physical page:
page:ffffea0001cae800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x72ba0
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffff888018fab140 dead000000000122 0000000000000000
raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Reclaimable, gfp_mask 0x112c50(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 5604, tgid 5603 (syz-executor.0), ts 62041431121, free_ts 61836511251
prep_new_page mm/page_alloc.c:2531 [inline]
get_page_from_freelist+0x119c/0x2ce0 mm/page_alloc.c:4283
__alloc_pages+0x1cb/0x5b0 mm/page_alloc.c:5549
alloc_pages+0x1aa/0x270 mm/mempolicy.c:2286
alloc_slab_page mm/slub.c:1851 [inline]
allocate_slab+0x25f/0x350 mm/slub.c:1998
new_slab mm/slub.c:2051 [inline]
___slab_alloc+0xa91/0x1400 mm/slub.c:3193
__slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3292
__slab_alloc_node mm/slub.c:3345 [inline]
slab_alloc_node mm/slub.c:3442 [inline]
slab_alloc mm/slub.c:3460 [inline]
__kmem_cache_alloc_lru mm/slub.c:3467 [inline]
kmem_cache_alloc+0x379/0x430 mm/slub.c:3476
kmem_cache_zalloc include/linux/slab.h:710 [inline]
qd_alloc+0x4e/0x300 fs/gfs2/quota.c:216
gfs2_quota_init+0x7bb/0xf70 fs/gfs2/quota.c:1415
gfs2_make_fs_rw+0x424/0x640 fs/gfs2/super.c:153
gfs2_fill_super+0x22c8/0x27a0 fs/gfs2/ops_fstype.c:1274
get_tree_bdev+0x444/0x760 fs/super.c:1282
gfs2_get_tree+0x4e/0x270 fs/gfs2/ops_fstype.c:1330
vfs_get_tree+0x8d/0x2f0 fs/super.c:1489
do_new_mount fs/namespace.c:3145 [inline]
path_mount+0x132a/0x1e20 fs/namespace.c:3475
do_mount fs/namespace.c:3488 [inline]
__do_sys_mount fs/namespace.c:3697 [inline]
__se_sys_mount fs/namespace.c:3674 [inline]
__x64_sys_mount+0x283/0x300 fs/namespace.c:3674
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1446 [inline]
free_pcp_prepare+0x66a/0xc20 mm/page_alloc.c:1496
free_unref_page_prepare mm/page_alloc.c:3369 [inline]
free_unref_page+0x1d/0x490 mm/page_alloc.c:3464
__unfreeze_partials+0x17c/0x1a0 mm/slub.c:2637
qlink_free mm/kasan/quarantine.c:168 [inline]
qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:187
kasan_quarantine_reduce+0x192/0x220 mm/kasan/quarantine.c:294
__kasan_slab_alloc+0x66/0x90 mm/kasan/common.c:302
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slab.h:761 [inline]
slab_alloc_node mm/slub.c:3452 [inline]
slab_alloc mm/slub.c:3460 [inline]
__kmem_cache_alloc_lru mm/slub.c:3467 [inline]
kmem_cache_alloc+0x1e4/0x430 mm/slub.c:3476
getname_flags.part.0+0x50/0x4f0 fs/namei.c:139
getname_flags include/linux/audit.h:320 [inline]
getname fs/namei.c:218 [inline]
__do_sys_unlink fs/namei.c:4368 [inline]
__se_sys_unlink fs/namei.c:4366 [inline]
__x64_sys_unlink+0xb5/0x110 fs/namei.c:4366
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Memory state around the buggy address:
ffff888072b9ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888072ba0000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888072ba0080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888072ba0100: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888072ba0180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================


Tested on:

commit: 1b929c02 Linux 6.2-rc1
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=15c72b98c80000
kernel config: https://syzkaller.appspot.com/x/.config?x=7a23fb7114ed14bf
dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=1122c638c80000

ead...@sina.com

Mar 7, 2023, 11:40:25 AM
to syzbot+3f6a67...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
From: Edward Adam Davis <ead...@sina.com>

On Mon, 02 Jan 2023 13:20:44 -0800
> HEAD commit: 1b929c02afd3 Linux 6.2-rc1
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1799c250480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
> dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
> compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14c4ea18480000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1359b338480000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/2d8c5072480f/disk-1b929c02.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/46687f1395db/vmlinux-1b929c02.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/26f1afa5ec00/bzImage-1b929c02.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/35edd581b491/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+3f6a67...@syzkaller.appspotmail.com

syzbot report:
BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:72 [inline]
BUG: KASAN: use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: use-after-free in qd_unlock+0x30/0x2d0 fs/gfs2/quota.c:490
Read of size 8 at addr ffff888073997090 by task syz-executor221/5069

Test 1b929c02afd3 uaf.

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 1b929c02afd3

--- a/fs/gfs2/glops.c
+++ b/fs/gfs2/glops.c
@@ -457,7 +457,6 @@ static int gfs2_dinode_in(struct gfs2_inode *ip, const void *buf)

return 0;
corrupt:
- gfs2_consist_inode(ip);
return -EIO;
}
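Review bot: dropping `gfs2_consist_inode(ip)` on the `corrupt:` path returns -EIO without recording the inconsistency or withdrawing; the withdraw is what called `gfs2_quota_cleanup()` and freed the quota data (see the "Last potentially related work creation" stack in the Mar 6 result above), so the reproducer stops firing only because the file system now keeps running on an inode it has detected as corrupt. The ordering problem remains in `gfs2_quota_sync()`, which unlocks `qda[x]` after `do_sync()` regardless of whether a withdraw tore the quota data down, and any other withdraw trigger reaches that same path.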

syzbot

Mar 7, 2023, 12:02:24 PM
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+3f6a67...@syzkaller.appspotmail.com

Tested on:

commit: 1b929c02 Linux 6.2-rc1
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1302c1d4c80000
kernel config: https://syzkaller.appspot.com/x/.config?x=7a23fb7114ed14bf
dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=11cf2338c80000

ead...@sina.com

Mar 18, 2023, 10:55:07 PM
to syzbot+3f6a67...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
From: Edward Adam Davis <ead...@sina.com>

On Mon, 02 Jan 2023 13:20:44 -0800
> HEAD commit: 1b929c02afd3 Linux 6.2-rc1
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1799c250480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
> dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
> compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14c4ea18480000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1359b338480000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/2d8c5072480f/disk-1b929c02.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/46687f1395db/vmlinux-1b929c02.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/26f1afa5ec00/bzImage-1b929c02.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/35edd581b491/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+3f6a67...@syzkaller.appspotmail.com

syzbot report:
BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:72 [inline]
BUG: KASAN: use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: use-after-free in qd_unlock+0x30/0x2d0 fs/gfs2/quota.c:490
Read of size 8 at addr ffff888073997090 by task syz-executor221/5069

Test 1b929c02afd3 uaf.

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 1b929c02afd3

-- a/fs/gfs2/quota.c
+++ b/fs/gfs2/quota.c
@@ -913,10 +913,6 @@ static int do_sync(unsigned int num_qd, struct gfs2_quota_data **qda)
goto out_dq;
}

- error = gfs2_glock_nq_init(ip->i_gl, LM_ST_EXCLUSIVE, 0, &i_gh);
- if (error)
- goto out_dq;
-
for (x = 0; x < num_qd; x++) {
offset = qd2offset(qda[x]);
if (gfs2_write_alloc_required(ip, offset,
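Review bot: this removes the exclusive glock on the quota inode (`ip->i_gl`) ahead of the loop that calls `gfs2_write_alloc_required()` and writes the quota file, so the writes in `do_sync()` now run without the inode lock that serialises them against other cluster nodes and other local users of the quota inode. The withdraw seen in the reports happened inside this very `gfs2_glock_nq_init()` call (the free stack shows `gfs2_glock_nq` → `gfs2_instantiate` → `gfs2_inode_refresh` → withdraw), so dropping the lock hides the trigger rather than fixing the lifetime handling. Separately, the file header reads `-- a/fs/gfs2/quota.c` with two dashes instead of three, which some patch tools will reject.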
@@ -965,8 +961,6 @@ static int do_sync(unsigned int num_qd, struct gfs2_quota_data **qda)
gfs2_trans_end(sdp);
out_ipres:
gfs2_inplace_release(ip);
-out_alloc:
- gfs2_glock_dq_uninit(&i_gh);
out_dq:
while (qx--)
gfs2_glock_dq_uninit(&ghs[qx]);
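Review bot: the `out_alloc:` label is removed here but the `goto out_alloc` in the body of `do_sync()` (outside the visible context) still refers to it, which is why the build below fails with "label 'out_alloc' used but not defined"; if the glock acquisition really is to go, that goto has to be redirected (to `out_dq` or `out_ipres` as appropriate) in the same patch.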

syzbot

Mar 18, 2023, 11:20:24 PM
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

fs/gfs2/quota.c:938:3: error: label 'out_alloc' used but not defined


Tested on:

commit: 1b929c02 Linux 6.2-rc1
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=128b98a1c80000

ead...@sina.com

Mar 18, 2023, 11:23:22 PM
to syzbot+3f6a67...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
From: Edward Adam Davis <ead...@sina.com>

On Mon, 02 Jan 2023 13:20:44 -0800
> HEAD commit: 1b929c02afd3 Linux 6.2-rc1
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1799c250480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
> dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
> compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14c4ea18480000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1359b338480000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/2d8c5072480f/disk-1b929c02.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/46687f1395db/vmlinux-1b929c02.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/26f1afa5ec00/bzImage-1b929c02.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/35edd581b491/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+3f6a67...@syzkaller.appspotmail.com

syzbot report:
BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:72 [inline]
BUG: KASAN: use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: use-after-free in qd_unlock+0x30/0x2d0 fs/gfs2/quota.c:490
Read of size 8 at addr ffff888073997090 by task syz-executor221/5069

Test 1b929c02afd3 uaf.

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 1b929c02afd3

--- a/fs/gfs2/quota.c
+++ b/fs/gfs2/quota.c
@@ -913,10 +913,6 @@ static int do_sync(unsigned int num_qd, struct gfs2_quota_data **qda)
goto out_dq;
}

- error = gfs2_glock_nq_init(ip->i_gl, LM_ST_EXCLUSIVE, 0, &i_gh);
- if (error)
- goto out_dq;
-
for (x = 0; x < num_qd; x++) {
offset = qd2offset(qda[x]);
if (gfs2_write_alloc_required(ip, offset,
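Review bot: same hunk as the earlier attempt and still unexplained; the description says only "Test 1b929c02afd3 uaf". A patch that removes a lock needs a sentence on why holding ip->i_gl exclusively was wrong here, or how it contributes to the qd_unlock use-after-free, otherwise a reviewer cannot tell a fix from a workaround that merely stops the reproducer from hitting the report.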
@@ -966,7 +962,6 @@ static int do_sync(unsigned int num_qd, struct gfs2_quota_data **qda)
out_ipres:
gfs2_inplace_release(ip);
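Review bot: the header @@ -966,7 +962,6 @@ claims one deleted line, but only unchanged context (out_ipres: / gfs2_inplace_release(ip);) is visible, so the deletion cannot be reviewed as posted. Given that hunk 1 removed the i_gh acquisition, the deleted line is presumably gfs2_glock_dq_uninit(&i_gh) as in the earlier version of this patch; whatever still jumps to out_alloc at quota.c:938 has to be retargeted in the same patch, or this build fails the same way as the last one.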

ead...@sina.com

Mar 18, 2023, 11:25:07 PM3/18/23
to syzbot+3f6a67...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
@@ -913,7 +913,7 @@ static int do_sync(unsigned int num_qd, struct gfs2_quota_data **qda)
goto out_dq;
}

- error = gfs2_glock_nq_init(ip->i_gl, LM_ST_EXCLUSIVE, 0, &i_gh);
+ error = gfs2_glock_nq_init(ip->i_gl, LM_ST_EXCLUSIVE, GL_ASYNC, &i_gh);
if (error)
goto out_dq;
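Review bot: GL_ASYNC makes gfs2_glock_nq_init return as soon as the request is queued, so a caller that passes it must call gfs2_glock_wait() on &i_gh before touching the inode; nothing in this hunk adds that wait, so the write path below proceeds without holding the lock it asked for. That matches syzbot's result for this patch (kernel BUG in inode_go_sync at glops.c:312, with the holder dumped as "s:EX f:W", i.e. still waiting rather than granted). Drop the flag; the lock mode was not the problem.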

syzbot

Mar 18, 2023, 11:58:22 PM3/18/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
kernel BUG in inode_go_sync

gfs2: fsid=syz:syz.0: G: s:UN n:2/924 f:lfqobn t:EX d:EX/0 a:0 v:0 r:2 m:20 p:1
gfs2: fsid=syz:syz.0: H: s:EX f:W e:0 p:5531 [syz-executor.0] __mark_inode_dirty+0x247/0x11e0 fs/fs-writeback.c:2419
------------[ cut here ]------------
kernel BUG at fs/gfs2/glops.c:312!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 5531 Comm: syz-executor.0 Not tainted 6.2.0-rc1-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
RIP: 0010:inode_go_sync+0x4bd/0x560 fs/gfs2/glops.c:312
Code: 00 00 48 8b 7b 30 31 c9 31 d2 31 f6 e8 bc 6b 2c fe e9 82 fe ff ff e8 f2 b1 f0 fd ba 01 00 00 00 48 89 ee 31 ff e8 73 18 ff ff <0f> 0b 48 89 df e8 99 a3 40 fe e9 d0 fb ff ff e8 cf b1 f0 fd be 08
RSP: 0018:ffffc9000591f780 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff888071a0b5c0 RCX: 0000000000000000
RDX: ffff8880778957c0 RSI: ffffffff838f707d RDI: 0000000000000001
RBP: ffff888076b62a40 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000001 R14: ffff888076b62ce0 R15: 0000000000000000
FS: 0000555557453400(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffc56f95128 CR3: 00000000291f7000 CR4: 0000000000350ef0
Call Trace:
<TASK>
do_xmote+0x2f5/0xc40 fs/gfs2/glock.c:708
run_queue+0x3cf/0x660 fs/gfs2/glock.c:846
gfs2_glock_nq+0x592/0x1470 fs/gfs2/glock.c:1563
gfs2_glock_nq_init fs/gfs2/glock.h:262 [inline]
gfs2_dirty_inode+0x38f/0x820 fs/gfs2/super.c:488
__mark_inode_dirty+0x247/0x11e0 fs/fs-writeback.c:2419
mark_inode_dirty include/linux/fs.h:2462 [inline]
gfs2_adjust_quota+0x66e/0x870 fs/gfs2/quota.c:873
do_sync+0x916/0xb90 fs/gfs2/quota.c:950
gfs2_quota_sync+0x2e6/0x660 fs/gfs2/quota.c:1313
gfs2_sync_fs+0x44/0xb0 fs/gfs2/super.c:650
sync_filesystem.part.0+0x75/0x1d0 fs/sync.c:56
sync_filesystem+0x8f/0xc0 fs/sync.c:43
generic_shutdown_super+0x74/0x410 fs/super.c:474
kill_block_super+0x9b/0xf0 fs/super.c:1386
gfs2_kill_sb+0x108/0x170 fs/gfs2/ops_fstype.c:1738
deactivate_locked_super+0x98/0x160 fs/super.c:332
deactivate_super+0xb1/0xd0 fs/super.c:363
cleanup_mnt+0x2ae/0x3d0 fs/namespace.c:1291
task_work_run+0x16f/0x270 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296
do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7ff0a908d567
Code: ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc541a4f08 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007ff0a908d567
RDX: 00007ffc541a4fd9 RSI: 000000000000000a RDI: 00007ffc541a4fd0
RBP: 00007ffc541a4fd0 R08: 00000000ffffffff R09: 00007ffc541a4da0
R10: 00005555574548b3 R11: 0000000000000246 R12: 00007ff0a90e6b24
R13: 00007ffc541a6090 R14: 0000555557454810 R15: 00007ffc541a60d0
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:inode_go_sync+0x4bd/0x560 fs/gfs2/glops.c:312
Code: 00 00 48 8b 7b 30 31 c9 31 d2 31 f6 e8 bc 6b 2c fe e9 82 fe ff ff e8 f2 b1 f0 fd ba 01 00 00 00 48 89 ee 31 ff e8 73 18 ff ff <0f> 0b 48 89 df e8 99 a3 40 fe e9 d0 fb ff ff e8 cf b1 f0 fd be 08
RSP: 0018:ffffc9000591f780 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff888071a0b5c0 RCX: 0000000000000000
RDX: ffff8880778957c0 RSI: ffffffff838f707d RDI: 0000000000000001
RBP: ffff888076b62a40 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000001 R14: ffff888076b62ce0 R15: 0000000000000000
FS: 0000555557453400(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f1dc37e5300 CR3: 00000000291f7000 CR4: 0000000000350ef0


Tested on:

commit: 1b929c02 Linux 6.2-rc1
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=12a1f416c80000
kernel config: https://syzkaller.appspot.com/x/.config?x=7a23fb7114ed14bf
dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=10ce469ac80000

ead...@sina.com

Mar 19, 2023, 12:20:17 AM3/19/23
to syzbot+3f6a67...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
From: Edward Adam Davis <ead...@sina.com>

On Mon, 02 Jan 2023 13:20:44 -0800
> HEAD commit: 1b929c02afd3 Linux 6.2-rc1
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1799c250480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
> dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
> compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14c4ea18480000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1359b338480000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/2d8c5072480f/disk-1b929c02.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/46687f1395db/vmlinux-1b929c02.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/26f1afa5ec00/bzImage-1b929c02.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/35edd581b491/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+3f6a67...@syzkaller.appspotmail.com

syzbot report:
BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:72 [inline]
BUG: KASAN: use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: use-after-free in qd_unlock+0x30/0x2d0 fs/gfs2/quota.c:490
Read of size 8 at addr ffff888073997090 by task syz-executor221/5069

Test 1b929c02afd3 uaf.

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 1b929c02afd3

--- a/fs/gfs2/glops.c
+++ b/fs/gfs2/glops.c
@@ -400,10 +400,14 @@ static int gfs2_dinode_in(struct gfs2_inode *ip, const void *buf)
struct inode *inode = &ip->i_inode;
bool is_new = inode->i_state & I_NEW;

- if (unlikely(ip->i_no_addr != be64_to_cpu(str->di_num.no_addr)))
+ if (unlikely(ip->i_no_addr != be64_to_cpu(str->di_num.no_addr))) {
+ WARN_ON_ONCE(1);
goto corrupt;
- if (unlikely(!is_new && inode_wrong_type(inode, mode)))
+ }
+ if (unlikely(!is_new && inode_wrong_type(inode, mode))) {
+ WARN_ON_ONCE(1);
goto corrupt;
+ }
ip->i_no_formal_ino = be64_to_cpu(str->di_num.no_formal_ino);
inode->i_mode = mode;
if (is_new) {
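Review bot: WARN_ON_ONCE(1) on a path reached while parsing an on-disk dinode is the wrong tool outside a syzbot probe: a damaged or crafted image is input, not a kernel bug, and a WARN here turns mounting such an image into a splat (and into a crash with panic_on_warn). For debugging it is fine; for anything meant to be merged, report through the consistency path the existing goto corrupt already leads to, and state in the changelog that the WARNs are temporary.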
@@ -439,18 +443,24 @@ static int gfs2_dinode_in(struct gfs2_inode *ip, const void *buf)
/* i_diskflags and i_eattr must be set before gfs2_set_inode_flags() */
gfs2_set_inode_flags(inode);
height = be16_to_cpu(str->di_height);
- if (unlikely(height > GFS2_MAX_META_HEIGHT))
+ if (unlikely(height > GFS2_MAX_META_HEIGHT)) {
+ WARN_ON_ONCE(1);
goto corrupt;
+ }
ip->i_height = (u8)height;

depth = be16_to_cpu(str->di_depth);
- if (unlikely(depth > GFS2_DIR_MAX_DEPTH))
+ if (unlikely(depth > GFS2_DIR_MAX_DEPTH)) {
+ WARN_ON_ONCE(1);
goto corrupt;
+ }
ip->i_depth = (u8)depth;
ip->i_entries = be32_to_cpu(str->di_entries);

- if (gfs2_is_stuffed(ip) && inode->i_size > gfs2_max_stuffed_size(ip))
+ if (gfs2_is_stuffed(ip) && inode->i_size > gfs2_max_stuffed_size(ip)) {
+ WARN_ON_ONCE(1);
goto corrupt;
+ }

if (S_ISREG(inode->i_mode))
gfs2_set_aops(inode);
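Review bot: the height check `if (unlikely(height > GFS2_MAX_META_HEIGHT))` accepts height == GFS2_MAX_META_HEIGHT. Later in this thread syzbot reports "index 11 is out of range for type 'u64 [11]'" from __gfs2_iomap_get for an inode whose height had been forced to GFS2_MAX_META_HEIGHT, i.e. the mapper walks one slot past the table when it starts from that value. Whatever bound is adopted, the value should be checked against the height this superblock's block size actually supports, not only the compile-time maximum; and the four WARN_ON_ONCE(1) sites added here print no value, so one message carrying height, depth and the inode number would be more useful than four anonymous WARNs.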

syzbot

Mar 19, 2023, 12:29:23 AM3/19/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in __folio_mark_dirty

------------[ cut here ]------------
WARNING: CPU: 0 PID: 5501 at include/linux/backing-dev.h:253 inode_to_wb include/linux/backing-dev.h:253 [inline]
WARNING: CPU: 0 PID: 5501 at include/linux/backing-dev.h:253 folio_account_dirtied mm/page-writeback.c:2677 [inline]
WARNING: CPU: 0 PID: 5501 at include/linux/backing-dev.h:253 __folio_mark_dirty+0xba8/0xf50 mm/page-writeback.c:2728
Modules linked in:
CPU: 0 PID: 5501 Comm: syz-executor.0 Not tainted 6.2.0-rc1-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
RIP: 0010:inode_to_wb include/linux/backing-dev.h:253 [inline]
RIP: 0010:folio_account_dirtied mm/page-writeback.c:2677 [inline]
RIP: 0010:__folio_mark_dirty+0xba8/0xf50 mm/page-writeback.c:2728
Code: 78 70 48 89 44 24 10 e8 16 d5 5b 08 31 ff 89 c6 89 44 24 10 e8 c9 b8 d2 ff 8b 44 24 10 85 c0 0f 85 62 f9 ff ff e8 08 bc d2 ff <0f> 0b e9 56 f9 ff ff e8 fc bb d2 ff e8 27 d6 5b 08 31 ff 41 89 c4
RSP: 0018:ffffc900052ff8b0 EFLAGS: 00010093
RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000
RDX: ffff8880272a0000 RSI: ffffffff81ae3738 RDI: 0000000000000005
RBP: ffffea0001e43b00 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: ffff888144c4ea78
R13: ffffffff8e778140 R14: 0000000000000293 R15: ffff88801cc1a258
FS: 0000555555b72400(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055b4351cc950 CR3: 000000007e4a2000 CR4: 0000000000350ef0
Call Trace:
<TASK>
__set_page_dirty include/linux/pagemap.h:1052 [inline]
mark_buffer_dirty+0x70d/0xa40 fs/buffer.c:1105
gfs2_unpin+0x109/0xcf0 fs/gfs2/lops.c:111
buf_lo_after_commit+0x144/0x210 fs/gfs2/lops.c:747
lops_after_commit fs/gfs2/lops.h:49 [inline]
gfs2_log_flush+0x140f/0x28a0 fs/gfs2/log.c:1107
do_sync+0x5ad/0xcf0 fs/gfs2/quota.c:975
gfs2_quota_sync+0x2e6/0x660 fs/gfs2/quota.c:1318
gfs2_sync_fs+0x44/0xb0 fs/gfs2/super.c:650
sync_filesystem.part.0+0x75/0x1d0 fs/sync.c:56
sync_filesystem+0x8f/0xc0 fs/sync.c:43
generic_shutdown_super+0x74/0x410 fs/super.c:474
kill_block_super+0x9b/0xf0 fs/super.c:1386
gfs2_kill_sb+0x108/0x170 fs/gfs2/ops_fstype.c:1738
deactivate_locked_super+0x98/0x160 fs/super.c:332
deactivate_super+0xb1/0xd0 fs/super.c:363
cleanup_mnt+0x2ae/0x3d0 fs/namespace.c:1291
task_work_run+0x16f/0x270 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296
do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fc68108d567
Code: ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffea8a3d258 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007fc68108d567
RDX: 00007ffea8a3d329 RSI: 000000000000000a RDI: 00007ffea8a3d320
RBP: 00007ffea8a3d320 R08: 00000000ffffffff R09: 00007ffea8a3d0f0
R10: 0000555555b738b3 R11: 0000000000000246 R12: 00007fc6810e6b24
R13: 00007ffea8a3e3e0 R14: 0000555555b73810 R15: 00007ffea8a3e420
</TASK>


Tested on:

commit: 1b929c02 Linux 6.2-rc1
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=11ada4f6c80000
kernel config: https://syzkaller.appspot.com/x/.config?x=7a23fb7114ed14bf
dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=159881bac80000

syzbot

Mar 19, 2023, 12:47:24 AM3/19/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in gfs2_inode_refresh

------------[ cut here ]------------
WARNING: CPU: 0 PID: 5532 at fs/gfs2/glops.c:447 gfs2_dinode_in fs/gfs2/glops.c:447 [inline]
WARNING: CPU: 0 PID: 5532 at fs/gfs2/glops.c:447 gfs2_inode_refresh+0xdfd/0x10a0 fs/gfs2/glops.c:490
Modules linked in:
CPU: 0 PID: 5532 Comm: syz-executor.0 Not tainted 6.2.0-rc1-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
RIP: 0010:gfs2_dinode_in fs/gfs2/glops.c:447 [inline]
RIP: 0010:gfs2_inode_refresh+0xdfd/0x10a0 fs/gfs2/glops.c:490
Code: 48 c1 ea 03 80 3c 02 00 49 0f ce 0f 85 9c 02 00 00 0f b7 04 24 4c 89 b5 98 04 00 00 66 89 45 00 e9 da f4 ff ff e8 43 a3 f0 fd <0f> 0b e9 c0 fe ff ff e8 37 a3 f0 fd 0f 0b e9 b4 fe ff ff e8 2b a3
RSP: 0018:ffffc9000523f920 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 1ffff92000a47f28 RCX: 0000000000000000
RDX: ffff888028880000 RSI: ffffffff83904ffd RDI: 0000000000000003
RBP: ffff888072c835c0 R08: 0000000000000003 R09: 000000000000000a
R10: 0000000000000300 R11: 1ffffffff18f34b9 R12: 0000000000000000
R13: 0000000000000300 R14: ffff888072c83620 R15: ffff8880794bd000
FS: 000055555576c400(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000056226a0b4078 CR3: 0000000071216000 CR4: 0000000000350ef0
Call Trace:
<TASK>
inode_go_instantiate+0x4a/0x70 fs/gfs2/glops.c:509
gfs2_instantiate+0x16a/0x250 fs/gfs2/glock.c:456
gfs2_glock_holder_ready fs/gfs2/glock.c:1299 [inline]
gfs2_glock_holder_ready fs/gfs2/glock.c:1295 [inline]
gfs2_glock_wait+0x197/0x2e0 fs/gfs2/glock.c:1319
gfs2_glock_nq+0xae4/0x1470 fs/gfs2/glock.c:1567
gfs2_glock_nq_init fs/gfs2/glock.h:262 [inline]
do_sync+0x62f/0xcf0 fs/gfs2/quota.c:916
gfs2_quota_sync+0x2e6/0x660 fs/gfs2/quota.c:1318
gfs2_sync_fs+0x44/0xb0 fs/gfs2/super.c:650
sync_filesystem.part.0+0x75/0x1d0 fs/sync.c:56
sync_filesystem+0x8f/0xc0 fs/sync.c:43
generic_shutdown_super+0x74/0x410 fs/super.c:474
kill_block_super+0x9b/0xf0 fs/super.c:1386
gfs2_kill_sb+0x108/0x170 fs/gfs2/ops_fstype.c:1738
deactivate_locked_super+0x98/0x160 fs/super.c:332
deactivate_super+0xb1/0xd0 fs/super.c:363
cleanup_mnt+0x2ae/0x3d0 fs/namespace.c:1291
task_work_run+0x16f/0x270 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296
do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f9b3a48d567
Code: ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffc52b74f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f9b3a48d567
RDX: 00007fffc52b75c9 RSI: 000000000000000a RDI: 00007fffc52b75c0
RBP: 00007fffc52b75c0 R08: 00000000ffffffff R09: 00007fffc52b7390
R10: 000055555576d8b3 R11: 0000000000000246 R12: 00007f9b3a4e6b24
R13: 00007fffc52b8680 R14: 000055555576d810 R15: 00007fffc52b86c0
</TASK>


Tested on:

commit: 1b929c02 Linux 6.2-rc1
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=149fd886c80000
kernel config: https://syzkaller.appspot.com/x/.config?x=7a23fb7114ed14bf
dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=174bce6ec80000

ead...@sina.com

Mar 19, 2023, 1:34:56 AM3/19/23
to syzbot+3f6a67...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
From: Edward Adam Davis <ead...@sina.com>

On Mon, 02 Jan 2023 13:20:44 -0800
> HEAD commit: 1b929c02afd3 Linux 6.2-rc1
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1799c250480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
> dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
@@ -439,18 +443,26 @@ static int gfs2_dinode_in(struct gfs2_inode *ip, const void *buf)
/* i_diskflags and i_eattr must be set before gfs2_set_inode_flags() */
gfs2_set_inode_flags(inode);
height = be16_to_cpu(str->di_height);
- if (unlikely(height > GFS2_MAX_META_HEIGHT))
+ if (unlikely(height > GFS2_MAX_META_HEIGHT)) {
+ printk(KERN_INFO "buf->di_height: %d\n", height);
+ WARN_ON_ONCE(1);
goto corrupt;
+ }
ip->i_height = (u8)height;

depth = be16_to_cpu(str->di_depth);
- if (unlikely(depth > GFS2_DIR_MAX_DEPTH))
+ if (unlikely(depth > GFS2_DIR_MAX_DEPTH)) {
+ printk(KERN_INFO "buf->di_depth: %d\n", depth);
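Review bot: printk(KERN_INFO "buf->di_height: %d\n", height) next to WARN_ON_ONCE(1) is two reports for one event; if this outlives the probe, fold the value into a single warning that also names the inode, so the message can be matched to a dinode on the image. The di_depth printk at the end of this hunk is cut off as posted, so the patch cannot be applied as shown.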

syzbot

Mar 19, 2023, 1:57:24 AM3/19/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in gfs2_inode_refresh

buf->di_height: 768
------------[ cut here ]------------
WARNING: CPU: 0 PID: 5528 at fs/gfs2/glops.c:448 gfs2_dinode_in fs/gfs2/glops.c:447 [inline]
WARNING: CPU: 0 PID: 5528 at fs/gfs2/glops.c:448 gfs2_inode_refresh.cold+0x15/0x54 fs/gfs2/glops.c:492
Modules linked in:
CPU: 0 PID: 5528 Comm: syz-executor.0 Not tainted 6.2.0-rc1-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
RIP: 0010:gfs2_dinode_in fs/gfs2/glops.c:448 [inline]
RIP: 0010:gfs2_inode_refresh.cold+0x15/0x54 fs/gfs2/glops.c:492
Code: 06 c6 f9 e9 17 0f bf f9 4c 89 ef e8 eb bb ff f7 e9 5b ff ff ff e8 61 c9 af f7 41 0f b7 f5 48 c7 c7 60 f6 97 8a e8 48 dd f2 ff <0f> 0b e9 e3 24 bf f9 e8 45 c9 af f7 41 0f b7 f7 48 c7 c7 a0 f6 97
RSP: 0018:ffffc90005727920 EFLAGS: 00010286
RAX: 0000000000000013 RBX: ffff88807125e000 RCX: 0000000000000000
RDX: ffff888023e31d40 RSI: ffffffff8166133c RDI: fffff52000ae4f16
RBP: ffff888074cb35c0 R08: 0000000000000013 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000300 R14: ffff888074cb35e8 R15: ffff888074cb3620
FS: 0000555556682400(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000056516db5c078 CR3: 000000001e4ba000 CR4: 0000000000350ef0
Call Trace:
<TASK>
inode_go_instantiate+0x4a/0x70 fs/gfs2/glops.c:511
RIP: 0033:0x7fcc30e8d567
Code: ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe5d9bb688 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007fcc30e8d567
RDX: 00007ffe5d9bb759 RSI: 000000000000000a RDI: 00007ffe5d9bb750
RBP: 00007ffe5d9bb750 R08: 00000000ffffffff R09: 00007ffe5d9bb520
R10: 00005555566838b3 R11: 0000000000000246 R12: 00007fcc30ee6b24
R13: 00007ffe5d9bc810 R14: 0000555556683810 R15: 00007ffe5d9bc850
</TASK>


Tested on:

commit: 1b929c02 Linux 6.2-rc1
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=10472bc2c80000
kernel config: https://syzkaller.appspot.com/x/.config?x=7a23fb7114ed14bf
dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=145ef4f6c80000

ead...@sina.com

Mar 20, 2023, 7:46:50 AM3/20/23
to syzbot+3f6a67...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
From: Edward Adam Davis <ead...@sina.com>

On Mon, 02 Jan 2023 13:20:44 -0800
> HEAD commit: 1b929c02afd3 Linux 6.2-rc1
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1799c250480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
> dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
@@ -439,18 +443,29 @@ static int gfs2_dinode_in(struct gfs2_inode *ip, const void *buf)
/* i_diskflags and i_eattr must be set before gfs2_set_inode_flags() */
gfs2_set_inode_flags(inode);
height = be16_to_cpu(str->di_height);
- if (unlikely(height > GFS2_MAX_META_HEIGHT))
+ if (unlikely(height > GFS2_MAX_META_HEIGHT)) {
+ printk(KERN_INFO "buf->di_height: %d\n", height);
+ depth = be16_to_cpu(str->di_depth);
+ printk(KERN_INFO "buf->di_depth: %d\n", depth);
+ printk(KERN_INFO "inode->i_size: %d\n", inode->i_size);
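Review bot: `printk(KERN_INFO "inode->i_size: %d\n", inode->i_size)` passes a loff_t (64-bit) to %d; it happens to print the right value on x86_64 but gcc's -Wformat flags it and it is not portable, so use %lld with a (long long) cast. Reading str->di_depth inside the height branch only to print it is also redundant with the depth assignment a few lines further down. Harmless for a probe; do not carry either into a fix.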

syzbot

Mar 20, 2023, 8:03:28 AM3/20/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in gfs2_inode_refresh

buf->di_height: 768
buf->di_depth: 0
inode->i_size: 176
------------[ cut here ]------------
WARNING: CPU: 1 PID: 5531 at fs/gfs2/glops.c:451 gfs2_dinode_in fs/gfs2/glops.c:450 [inline]
WARNING: CPU: 1 PID: 5531 at fs/gfs2/glops.c:451 gfs2_inode_refresh.cold+0x91/0xda fs/gfs2/glops.c:495
Modules linked in:
CPU: 1 PID: 5531 Comm: syz-executor.0 Not tainted 6.2.0-rc1-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
RIP: 0010:gfs2_dinode_in fs/gfs2/glops.c:451 [inline]
RIP: 0010:gfs2_inode_refresh.cold+0x91/0xda fs/gfs2/glops.c:495
Code: 37 00 48 c1 e0 2a 48 c1 ea 03 80 3c 02 00 74 0a 48 8b 7c 24 10 e8 e5 ba ff f7 48 8b 75 50 48 c7 c7 e0 f6 97 8a e8 cc dc f2 ff <0f> 0b e9 67 24 bf f9 e8 c9 c8 af f7 41 0f b7 f7 48 c7 c7 a0 f6 97
RSP: 0018:ffffc9000500f920 EFLAGS: 00010286
RAX: 0000000000000012 RBX: ffff88802977c000 RCX: 0000000000000000
RDX: ffff8880263f57c0 RSI: ffffffff8166133c RDI: fffff52000a01f16
RBP: ffff88806e83b5c0 R08: 0000000000000012 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000300 R14: ffff88806e83b5e8 R15: ffff88806e83b620
FS: 0000555556e2e400(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055a250efa078 CR3: 000000007831f000 CR4: 0000000000350ee0
Call Trace:
<TASK>
inode_go_instantiate+0x4a/0x70 fs/gfs2/glops.c:514
RIP: 0033:0x7f7ce428d567
Code: ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc3fab5138 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f7ce428d567
RDX: 00007ffc3fab5209 RSI: 000000000000000a RDI: 00007ffc3fab5200
RBP: 00007ffc3fab5200 R08: 00000000ffffffff R09: 00007ffc3fab4fd0
R10: 0000555556e2f8b3 R11: 0000000000000246 R12: 00007f7ce42e6b24
R13: 00007ffc3fab62c0 R14: 0000555556e2f810 R15: 00007ffc3fab6300
</TASK>


Tested on:

commit: 1b929c02 Linux 6.2-rc1
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=134b4091c80000
kernel config: https://syzkaller.appspot.com/x/.config?x=7a23fb7114ed14bf
dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=14eac5bac80000

ead...@sina.com

Mar 20, 2023, 9:06:52 AM3/20/23
to syzbot+3f6a67...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
From: Edward Adam Davis <ead...@sina.com>

On Mon, 02 Jan 2023 13:20:44 -0800
> HEAD commit: 1b929c02afd3 Linux 6.2-rc1
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1799c250480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
> dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
> compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14c4ea18480000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1359b338480000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/2d8c5072480f/disk-1b929c02.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/46687f1395db/vmlinux-1b929c02.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/26f1afa5ec00/bzImage-1b929c02.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/35edd581b491/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+3f6a67...@syzkaller.appspotmail.com

syzbot report:
BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:72 [inline]
BUG: KASAN: use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: use-after-free in qd_unlock+0x30/0x2d0 fs/gfs2/quota.c:490
Read of size 8 at addr ffff888073997090 by task syz-executor221/5069

Test 1b929c02afd3 uaf.

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 1b929c02afd3

--- a/fs/gfs2/glops.c
+++ b/fs/gfs2/glops.c
@@ -439,8 +439,13 @@ static int gfs2_dinode_in(struct gfs2_inode *ip, const void *buf)
/* i_diskflags and i_eattr must be set before gfs2_set_inode_flags() */
gfs2_set_inode_flags(inode);
height = be16_to_cpu(str->di_height);
- if (unlikely(height > GFS2_MAX_META_HEIGHT))
- goto corrupt;
+ if (unlikely(height > GFS2_MAX_META_HEIGHT)) {
+ printk(KERN_INFO "buf->di_height: %d\n", height);
+ depth = be16_to_cpu(str->di_depth);
+ printk(KERN_INFO "buf->di_depth: %d\n", depth);
+ printk(KERN_INFO "inode->i_size: %d\n", inode->i_size);
+ return -EIO;
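Review bot: replacing goto corrupt with return -EIO makes this one check bail out without whatever the shared corrupt: path does for the sibling checks that still jump to it, so the function now has two different failure behaviours for the same class of bad dinode. That the reproducer "did not trigger any issue" on this build is consistent with the path simply being cut short before the handling that the earlier runs crashed in (inode_go_sync, __folio_mark_dirty); it is not evidence that the qd_unlock use-after-free from the original report is fixed, and the three KERN_INFO printks are still in the patch.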

syzbot

Mar 20, 2023, 9:29:25 AM3/20/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+3f6a67...@syzkaller.appspotmail.com

Tested on:

commit: 1b929c02 Linux 6.2-rc1
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=166b6316c80000
kernel config: https://syzkaller.appspot.com/x/.config?x=7a23fb7114ed14bf
dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=16753802c80000

ead...@sina.com

Mar 20, 2023, 8:12:21 PM3/20/23
to syzbot+3f6a67...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
From: Edward Adam Davis <ead...@sina.com>

On Mon, 02 Jan 2023 13:20:44 -0800
> HEAD commit: 1b929c02afd3 Linux 6.2-rc1
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1799c250480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
> dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
+ height = GFS2_MAX_META_HEIGHT;
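Review bot: `height = GFS2_MAX_META_HEIGHT;` repairs a corrupt on-disk field instead of rejecting the inode; a filesystem must never guess metadata it cannot verify, and syzbot's rerun shows why: with that value __gfs2_iomap_get walks to index 11 of an 11-entry array. Fail the inode through the existing corrupt path and leave the on-disk value alone.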

syzbot

Mar 20, 2023, 8:26:31 PM3/20/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
UBSAN: array-index-out-of-bounds in __gfs2_iomap_get

buf->di_height: 768
buf->di_depth: 0
inode->i_size: 176
================================================================================
UBSAN: array-index-out-of-bounds in fs/gfs2/bmap.c:898:64
index 11 is out of range for type 'u64 [11]'
CPU: 1 PID: 5512 Comm: syz-executor.0 Not tainted 6.2.0-rc1-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
ubsan_epilogue+0xa/0x31 lib/ubsan.c:151
__ubsan_handle_out_of_bounds.cold+0x62/0x6c lib/ubsan.c:282
__gfs2_iomap_get+0x152f/0x1920 fs/gfs2/bmap.c:898
gfs2_iomap_get+0xb1/0x1e0 fs/gfs2/bmap.c:1396
gfs2_block_map+0x232/0xc20 fs/gfs2/bmap.c:1211
gfs2_write_alloc_required+0x3f1/0x510 fs/gfs2/bmap.c:2319
do_sync+0x707/0xcf0 fs/gfs2/quota.c:922
gfs2_quota_sync+0x2e6/0x660 fs/gfs2/quota.c:1318
gfs2_sync_fs+0x44/0xb0 fs/gfs2/super.c:650
sync_filesystem.part.0+0x75/0x1d0 fs/sync.c:56
sync_filesystem+0x8f/0xc0 fs/sync.c:43
generic_shutdown_super+0x74/0x410 fs/super.c:474
kill_block_super+0x9b/0xf0 fs/super.c:1386
gfs2_kill_sb+0x108/0x170 fs/gfs2/ops_fstype.c:1738
deactivate_locked_super+0x98/0x160 fs/super.c:332
deactivate_super+0xb1/0xd0 fs/super.c:363
cleanup_mnt+0x2ae/0x3d0 fs/namespace.c:1291
task_work_run+0x16f/0x270 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296
do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fa200e8d567
Code: ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffcf264548 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007fa200e8d567
RDX: 00007fffcf264619 RSI: 000000000000000a RDI: 00007fffcf264610
RBP: 00007fffcf264610 R08: 00000000ffffffff R09: 00007fffcf2643e0
R10: 0000555555d578b3 R11: 0000000000000246 R12: 00007fa200ee6b24
R13: 00007fffcf2656d0 R14: 0000555555d57810 R15: 00007fffcf265710
</TASK>
================================================================================


Tested on:

commit: 1b929c02 Linux 6.2-rc1
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=13395c5ec80000
kernel config: https://syzkaller.appspot.com/x/.config?x=7a23fb7114ed14bf
dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=10086e4ac80000

ead...@sina.com

Mar 20, 2023, 8:36:19 PM
to syzbot+3f6a67...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
From: Edward Adam Davis <ead...@sina.com>

On Mon, 02 Jan 2023 13:20:44 -0800
> HEAD commit: 1b929c02afd3 Linux 6.2-rc1
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1799c250480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
> dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
+ if (unlikely(height >= GFS2_MAX_META_HEIGHT)) {
+ printk(KERN_INFO "buf->di_height: %d\n", height);
+ depth = be16_to_cpu(str->di_depth);
+ printk(KERN_INFO "buf->di_depth: %d\n", depth);
+ printk(KERN_INFO "inode->i_size: %d\n", inode->i_size);
+ height = GFS2_MAX_META_HEIGHT - 1;
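Review bot: replacing the rejection of an out-of-range height with a clamp to GFS2_MAX_META_HEIGHT - 1 keeps a corrupt dinode alive instead of failing the read; the 768 this printk reports is not a height any valid inode can carry, and the clamped value can still sit above the last level for which sd_heightsize is populated (the later debug output in this thread shows heightsize 0 at height 9), so the block mapper walks on from there. Fail the inode read for any height the superblock does not allow. Also, inode->i_size is a loff_t, so `printk(KERN_INFO "inode->i_size: %d\n", inode->i_size);` mismatches the format; use %lld with a (long long) cast.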

syzbot

Mar 20, 2023, 9:09:17 PM
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
UBSAN: array-index-out-of-bounds in __gfs2_iomap_get

buf->di_height: 768
buf->di_depth: 0
inode->i_size: 176
================================================================================
UBSAN: array-index-out-of-bounds in fs/gfs2/bmap.c:898:64
index 11 is out of range for type 'u64 [11]'
CPU: 0 PID: 5533 Comm: syz-executor.0 Not tainted 6.2.0-rc1-syzkaller-dirty #0
RIP: 0033:0x7fd4e3e8d567
Code: ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffa68bc618 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007fd4e3e8d567
RDX: 00007fffa68bc6e9 RSI: 000000000000000a RDI: 00007fffa68bc6e0
RBP: 00007fffa68bc6e0 R08: 00000000ffffffff R09: 00007fffa68bc4b0
R10: 0000555555c188b3 R11: 0000000000000246 R12: 00007fd4e3ee6b24
R13: 00007fffa68bd7a0 R14: 0000555555c18810 R15: 00007fffa68bd7e0
</TASK>
================================================================================


Tested on:

commit: 1b929c02 Linux 6.2-rc1
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=11270c81c80000
kernel config: https://syzkaller.appspot.com/x/.config?x=7a23fb7114ed14bf
dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=15ec2721c80000

ead...@sina.com

Mar 20, 2023, 9:51:41 PM
to syzbot+3f6a67...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
From: Edward Adam Davis <ead...@sina.com>

On Mon, 02 Jan 2023 13:20:44 -0800
> HEAD commit: 1b929c02afd3 Linux 6.2-rc1
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1799c250480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
> dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
--- a/fs/gfs2/bmap.c
+++ b/fs/gfs2/bmap.c
@@ -895,7 +895,7 @@ static int __gfs2_iomap_get(struct inode *inode, loff_t pos, loff_t length,
iomap->length = len << inode->i_blkbits;

height = ip->i_height;
- while ((lblock + 1) * sdp->sd_sb.sb_bsize > sdp->sd_heightsize[height])
+ while (height < GFS2_MAX_META_HEIGHT && (lblock + 1) * sdp->sd_sb.sb_bsize > sdp->sd_heightsize[height])
height++;
find_metapath(sdp, lblock, mp, height);
if (height > ip->i_height || gfs2_is_stuffed(ip))
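Review bot: the bound stops the read one past the end of the 11-entry table (the index 11 in the report), but when it is what ends the loop, height leaves the loop equal to GFS2_MAX_META_HEIGHT without that entry ever having been compared, and is then handed to find_metapath() and the `height > ip->i_height` test as if it were a real height; return an error (the inode is corrupt) when the walk passes the filesystem's maximum height instead of carrying on. This also only masks the cause visible in the previous output, a dinode whose di_height (768) exceeds anything the height table covers; that value should be rejected when the inode is read, with the bound here as defense in depth. The new condition also runs past 80 columns; split it across two lines.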

syzbot

Mar 20, 2023, 10:05:21 PM
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in __folio_mark_dirty

buf->di_height: 768
buf->di_depth: 0
inode->i_size: 176
------------[ cut here ]------------
WARNING: CPU: 0 PID: 5521 at include/linux/backing-dev.h:253 inode_to_wb include/linux/backing-dev.h:253 [inline]
WARNING: CPU: 0 PID: 5521 at include/linux/backing-dev.h:253 folio_account_dirtied mm/page-writeback.c:2677 [inline]
WARNING: CPU: 0 PID: 5521 at include/linux/backing-dev.h:253 __folio_mark_dirty+0xba8/0xf50 mm/page-writeback.c:2728
Modules linked in:
CPU: 0 PID: 5521 Comm: syz-executor.0 Not tainted 6.2.0-rc1-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
RIP: 0010:inode_to_wb include/linux/backing-dev.h:253 [inline]
RIP: 0010:folio_account_dirtied mm/page-writeback.c:2677 [inline]
RIP: 0010:__folio_mark_dirty+0xba8/0xf50 mm/page-writeback.c:2728
Code: 78 70 48 89 44 24 10 e8 06 e7 5b 08 31 ff 89 c6 89 44 24 10 e8 c9 b8 d2 ff 8b 44 24 10 85 c0 0f 85 62 f9 ff ff e8 08 bc d2 ff <0f> 0b e9 56 f9 ff ff e8 fc bb d2 ff e8 17 e8 5b 08 31 ff 41 89 c4
RSP: 0018:ffffc9000583f8b0 EFLAGS: 00010093
RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000
RDX: ffff888077529d40 RSI: ffffffff81ae3738 RDI: 0000000000000005
RBP: ffffea0001e2b700 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff888012865f78
R13: ffffffff8e778180 R14: 0000000000000293 R15: ffff88802a3a97c8
FS: 0000555556770400(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ff1516d0e3c CR3: 000000007000e000 CR4: 0000000000350ef0
Call Trace:
<TASK>
__set_page_dirty include/linux/pagemap.h:1052 [inline]
mark_buffer_dirty+0x70d/0xa40 fs/buffer.c:1105
gfs2_unpin+0x109/0xcf0 fs/gfs2/lops.c:111
buf_lo_after_commit+0x144/0x210 fs/gfs2/lops.c:747
lops_after_commit fs/gfs2/lops.h:49 [inline]
gfs2_log_flush+0x140f/0x28a0 fs/gfs2/log.c:1107
do_sync+0x5ad/0xcf0 fs/gfs2/quota.c:975
gfs2_quota_sync+0x2e6/0x660 fs/gfs2/quota.c:1318
gfs2_sync_fs+0x44/0xb0 fs/gfs2/super.c:650
sync_filesystem.part.0+0x75/0x1d0 fs/sync.c:56
sync_filesystem+0x8f/0xc0 fs/sync.c:43
generic_shutdown_super+0x74/0x410 fs/super.c:474
kill_block_super+0x9b/0xf0 fs/super.c:1386
gfs2_kill_sb+0x108/0x170 fs/gfs2/ops_fstype.c:1738
deactivate_locked_super+0x98/0x160 fs/super.c:332
deactivate_super+0xb1/0xd0 fs/super.c:363
cleanup_mnt+0x2ae/0x3d0 fs/namespace.c:1291
task_work_run+0x16f/0x270 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296
do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7faa76e8d567
Code: ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe827a3c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007faa76e8d567
RDX: 00007ffe827a3d49 RSI: 000000000000000a RDI: 00007ffe827a3d40
RBP: 00007ffe827a3d40 R08: 00000000ffffffff R09: 00007ffe827a3b10
R10: 00005555567718b3 R11: 0000000000000246 R12: 00007faa76ee6b24
R13: 00007ffe827a4e00 R14: 0000555556771810 R15: 00007ffe827a4e40
</TASK>


Tested on:

commit: 1b929c02 Linux 6.2-rc1
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1420fad6c80000
kernel config: https://syzkaller.appspot.com/x/.config?x=7a23fb7114ed14bf
dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=1567bbbac80000

ead...@sina.com

Mar 20, 2023, 10:12:23 PM
to syzbot+3f6a67...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
From: Edward Adam Davis <ead...@sina.com>

On Mon, 02 Jan 2023 13:20:44 -0800
> HEAD commit: 1b929c02afd3 Linux 6.2-rc1
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1799c250480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
> dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
@@ -895,8 +895,12 @@ static int __gfs2_iomap_get(struct inode *inode, loff_t pos, loff_t length,
iomap->length = len << inode->i_blkbits;

height = ip->i_height;
- while ((lblock + 1) * sdp->sd_sb.sb_bsize > sdp->sd_heightsize[height])
+ while (height < GFS2_MAX_META_HEIGHT &&
+ (lblock + 1) * sdp->sd_sb.sb_bsize > sdp->sd_heightsize[height]) {
+ printk("lblock:%d, height:%d, sb_bsize: %d, heightsize:%d\n",
+ lblock, height, sdp->sd_sb.sb_bsize, sdp->sd_heightsize[height]);
height++;
+ }
find_metapath(sdp, lblock, mp, height);
if (height > ip->i_height || gfs2_is_stuffed(ip))
goto do_alloc;
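Review bot: the format string does not match the arguments: lblock is a sector_t and sdp->sd_heightsize[] holds u64, yet both are printed with %d, which gcc's -Wformat flags and which makes the logged 64-bit values unreliable; use %llu with (unsigned long long) casts (sb_bsize is a u32, so %u). The printk also carries no log level; pr_debug() or KERN_DEBUG would keep a per-iteration message out of the default console stream.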

ead...@sina.com

Mar 20, 2023, 10:27:24 PM
to syzbot+3f6a67...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
--- a/fs/gfs2/lops.c
+++ b/fs/gfs2/lops.c
@@ -736,6 +736,7 @@ static void buf_lo_after_commit(struct gfs2_sbd *sdp, struct gfs2_trans *tr)
{
struct list_head *head;
struct gfs2_bufdata *bd;
+ int i = 0;

if (tr == NULL)
return;
@@ -745,6 +746,8 @@ static void buf_lo_after_commit(struct gfs2_sbd *sdp, struct gfs2_trans *tr)
bd = list_first_entry(head, struct gfs2_bufdata, bd_list);
list_del_init(&bd->bd_list);
gfs2_unpin(sdp, bd->bd_bh, tr);
+ i++;
+ printk("buf_lo_after_commit: %d\n", i);
}
}
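Review bot: the counter is printed only after gfs2_unpin() returns, so when the warning fires inside gfs2_unpin() (the trace above goes gfs2_unpin -> mark_buffer_dirty -> __folio_mark_dirty) on the first buffer, nothing is logged and the count says nothing about which iteration failed; move the `i++;` and the printk above the gfs2_unpin() call, and consider printing bd->bd_bh->b_blocknr with it so the buffer can be tied back to an inode.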

syzbot

Mar 20, 2023, 10:28:27 PM
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in __folio_mark_dirty

lblock:0, height:9, sb_bsize: 4096, heightsize:0
lblock:0, height:9, sb_bsize: 4096, heightsize:0
lblock:0, height:9, sb_bsize: 4096, heightsize:0
------------[ cut here ]------------
WARNING: CPU: 0 PID: 5507 at include/linux/backing-dev.h:253 inode_to_wb include/linux/backing-dev.h:253 [inline]
WARNING: CPU: 0 PID: 5507 at include/linux/backing-dev.h:253 folio_account_dirtied mm/page-writeback.c:2677 [inline]
WARNING: CPU: 0 PID: 5507 at include/linux/backing-dev.h:253 __folio_mark_dirty+0xba8/0xf50 mm/page-writeback.c:2728
Modules linked in:
CPU: 0 PID: 5507 Comm: syz-executor.0 Not tainted 6.2.0-rc1-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
RIP: 0010:inode_to_wb include/linux/backing-dev.h:253 [inline]
RIP: 0010:folio_account_dirtied mm/page-writeback.c:2677 [inline]
RIP: 0010:__folio_mark_dirty+0xba8/0xf50 mm/page-writeback.c:2728
Code: 78 70 48 89 44 24 10 e8 06 e7 5b 08 31 ff 89 c6 89 44 24 10 e8 c9 b8 d2 ff 8b 44 24 10 85 c0 0f 85 62 f9 ff ff e8 08 bc d2 ff <0f> 0b e9 56 f9 ff ff e8 fc bb d2 ff e8 17 e8 5b 08 31 ff 41 89 c4
RSP: 0018:ffffc9000541f8b0 EFLAGS: 00010093
RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000
RDX: ffff88801ad557c0 RSI: ffffffff81ae3738 RDI: 0000000000000005
RBP: ffffea00009eb440 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff888012883e78
R13: ffffffff8e778240 R14: 0000000000000293 R15: ffff888021d982a8
FS: 00005555567dc400(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f4c97c4a300 CR3: 0000000070741000 CR4: 0000000000350ef0
RIP: 0033:0x7fa4a988d567
Code: ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffa120a228 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007fa4a988d567
RDX: 00007fffa120a2f9 RSI: 000000000000000a RDI: 00007fffa120a2f0
RBP: 00007fffa120a2f0 R08: 00000000ffffffff R09: 00007fffa120a0c0
R10: 00005555567dd8b3 R11: 0000000000000246 R12: 00007fa4a98e6b24
R13: 00007fffa120b3b0 R14: 00005555567dd810 R15: 00007fffa120b3f0
</TASK>


Tested on:

commit: 1b929c02 Linux 6.2-rc1
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=108abfaac80000
kernel config: https://syzkaller.appspot.com/x/.config?x=7a23fb7114ed14bf
dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=1799eb9ac80000

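The two outputs above point at one mechanism: the image's dinode carries di_height 768, and once the walk in __gfs2_iomap_get() starts above the last level for which sd_heightsize is populated, every entry it compares against is 0, so (lblock + 1) * bsize is always larger and it climbs until it indexes past the 11-entry table. The following C program is an added illustration, not code from this thread or from fs/gfs2: it models the height table and the walk in user space, shows where the climb would read index 11, and puts the check where it belongs, at dinode read time against the filesystem's real maximum height. The 4 KiB block size, the pointer counts and the dinode size are assumptions for one plausible filesystem, and max_height as the validation bound is this example's suggestion, not something the thread settles.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not kernel code: a user-space model of the height walk
 * that the UBSAN report flags in __gfs2_iomap_get().  GFS2_MAX_META_HEIGHT
 * and the "+ 1" sizing of sd_heightsize mirror fs/gfs2 (hence "u64 [11]"
 * in the report); block size, pointer counts and dinode size below are
 * assumptions for one plausible 4 KiB filesystem.
 */
#define GFS2_MAX_META_HEIGHT 10
#define HEIGHTSIZE_ENTRIES   (GFS2_MAX_META_HEIGHT + 1)
#define ASSUMED_DINODE_SIZE  232	/* assumption: sizeof(struct gfs2_dinode) */

struct model_sb {
	uint32_t bsize;
	unsigned max_height;
	uint64_t heightsize[HEIGHTSIZE_ENTRIES];	/* the "u64 [11]" */
};

/*
 * Table build modelled on gfs2_read_sb(): heightsize[h] is the largest file
 * size a tree of height h can address.  Growth stops at the first 64-bit
 * overflow; that height becomes max_height and gets ~0, and every entry
 * above it stays zero.  Those zeros are what the walk below trips over.
 */
static void build_heightsize(struct model_sb *sb, uint32_t bsize,
			     uint32_t diptrs, uint32_t inptrs)
{
	unsigned x;

	sb->bsize = bsize;
	for (x = 0; x < HEIGHTSIZE_ENTRIES; x++)
		sb->heightsize[x] = 0;
	sb->heightsize[0] = bsize - ASSUMED_DINODE_SIZE;
	sb->heightsize[1] = (uint64_t)bsize * diptrs;
	for (x = 2; x < GFS2_MAX_META_HEIGHT; x++) {
		uint64_t prev = sb->heightsize[x - 1];
		uint64_t space = prev * inptrs;

		if (space / inptrs != prev)	/* overflowed: tree is tall enough */
			break;
		sb->heightsize[x] = space;
	}
	sb->max_height = x;
	sb->heightsize[x] = ~0ULL;
}

/*
 * The loop from the report plus the bound the thread's patch adds.  Starting
 * above max_height, every entry seen is 0, so the walk runs to the end of
 * the table.  Returns the height reached, or -1 where the unguarded kernel
 * loop would have read heightsize[11].
 */
static int walk_height(const struct model_sb *sb, uint64_t lblock,
		       unsigned start_height)
{
	unsigned height = start_height;

	while (height < HEIGHTSIZE_ENTRIES &&
	       (lblock + 1) * sb->bsize > sb->heightsize[height])
		height++;
	return height < HEIGHTSIZE_ENTRIES ? (int)height : -1;
}

/*
 * Where the check belongs: when the dinode is read.  di_height is a 16-bit
 * on-disk field and the in-core i_height is a u8, so validate the 16-bit
 * value against the superblock's real maximum before narrowing it.
 */
static bool inode_height_valid(const struct model_sb *sb, uint16_t di_height)
{
	return di_height <= sb->max_height;
}

/* What an unchecked narrowing does to the 768 the image carries. */
static uint8_t narrow_height(uint16_t di_height)
{
	return (uint8_t)di_height;
}

/* One 4 KiB filesystem, built once: 483 dinode pointers, 509 indirect. */
static const struct model_sb *sample_sb(void)
{
	static struct model_sb sb;
	static bool built;

	if (!built) {
		build_heightsize(&sb, 4096, 483, 509);
		built = true;
	}
	return &sb;
}

int main(void)
{
	const struct model_sb *sb = sample_sb();

	printf("max_height %u, heightsize[9] = %llu\n", sb->max_height,
	       (unsigned long long)sb->heightsize[9]);
	printf("walk from height %u: %d; from height 9: %d\n",
	       sb->max_height, walk_height(sb, 0, sb->max_height),
	       walk_height(sb, 0, 9));
	printf("di_height 768 valid? %d, narrowed to u8: %u\n",
	       inode_height_valid(sb, 768), (unsigned)narrow_height(768));
	return 0;
}
```

With these assumptions the table is populated up to height 6 and zero from 7 to 10, so a walk that starts anywhere in 7..10 returns -1 (the kernel would read index 11), while the same inode is rejected outright by the read-time check; 768 also narrows to 0 in a u8, which is why the validation has to happen on the 16-bit value.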
syzbot

Mar 20, 2023, 10:59:18 PM
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in __folio_mark_dirty

buf->di_height: 768
buf->di_depth: 0
inode->i_size: 176
lblock:0, height:9, sb_bsize: 4096, heightsize:0
lblock:0, height:9, sb_bsize: 4096, heightsize:0
lblock:0, height:9, sb_bsize: 4096, heightsize:0
------------[ cut here ]------------
WARNING: CPU: 0 PID: 5532 at include/linux/backing-dev.h:253 inode_to_wb include/linux/backing-dev.h:253 [inline]
WARNING: CPU: 0 PID: 5532 at include/linux/backing-dev.h:253 folio_account_dirtied mm/page-writeback.c:2677 [inline]
WARNING: CPU: 0 PID: 5532 at include/linux/backing-dev.h:253 __folio_mark_dirty+0xba8/0xf50 mm/page-writeback.c:2728
Modules linked in:
CPU: 0 PID: 5532 Comm: syz-executor.0 Not tainted 6.2.0-rc1-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
RIP: 0010:inode_to_wb include/linux/backing-dev.h:253 [inline]
RIP: 0010:folio_account_dirtied mm/page-writeback.c:2677 [inline]
RIP: 0010:__folio_mark_dirty+0xba8/0xf50 mm/page-writeback.c:2728
Code: 78 70 48 89 44 24 10 e8 06 e7 5b 08 31 ff 89 c6 89 44 24 10 e8 c9 b8 d2 ff 8b 44 24 10 85 c0 0f 85 62 f9 ff ff e8 08 bc d2 ff <0f> 0b e9 56 f9 ff ff e8 fc bb d2 ff e8 17 e8 5b 08 31 ff 41 89 c4
RSP: 0018:ffffc9000572f8b0 EFLAGS: 00010093
RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000
RDX: ffff88801e790000 RSI: ffffffff81ae3738 RDI: 0000000000000005
RBP: ffffea00009a6740 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff888140c8ea78
R13: ffffffff8e778280 R14: 0000000000000293 R15: ffff88807562e258
FS: 0000555555c6c400(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f45cc3a8000 CR3: 0000000070c79000 CR4: 0000000000350ef0
Call Trace:
<TASK>
__set_page_dirty include/linux/pagemap.h:1052 [inline]
mark_buffer_dirty+0x70d/0xa40 fs/buffer.c:1105
gfs2_unpin+0x109/0xcf0 fs/gfs2/lops.c:111
buf_lo_after_commit+0x17a/0x230 fs/gfs2/lops.c:748
lops_after_commit fs/gfs2/lops.h:49 [inline]
gfs2_log_flush+0x140f/0x28a0 fs/gfs2/log.c:1107
do_sync+0x5ad/0xcf0 fs/gfs2/quota.c:975
gfs2_quota_sync+0x2e6/0x660 fs/gfs2/quota.c:1318
gfs2_sync_fs+0x44/0xb0 fs/gfs2/super.c:650
sync_filesystem.part.0+0x75/0x1d0 fs/sync.c:56
sync_filesystem+0x8f/0xc0 fs/sync.c:43
generic_shutdown_super+0x74/0x410 fs/super.c:474
kill_block_super+0x9b/0xf0 fs/super.c:1386
gfs2_kill_sb+0x108/0x170 fs/gfs2/ops_fstype.c:1738
deactivate_locked_super+0x98/0x160 fs/super.c:332
deactivate_super+0xb1/0xd0 fs/super.c:363
cleanup_mnt+0x2ae/0x3d0 fs/namespace.c:1291
task_work_run+0x16f/0x270 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296
do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f45cc28d567
Code: ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd2dd7a7e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f45cc28d567
RDX: 00007ffd2dd7a8b9 RSI: 000000000000000a RDI: 00007ffd2dd7a8b0
RBP: 00007ffd2dd7a8b0 R08: 00000000ffffffff R09: 00007ffd2dd7a680
R10: 0000555555c6d8b3 R11: 0000000000000246 R12: 00007f45cc2e6b24
R13: 00007ffd2dd7b970 R14: 0000555555c6d810 R15: 00007ffd2dd7b9b0
</TASK>


Tested on:

commit: 1b929c02 Linux 6.2-rc1
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1410b54ec80000
kernel config: https://syzkaller.appspot.com/x/.config?x=7a23fb7114ed14bf
dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=11731509c80000

ead...@sina.com

Mar 20, 2023, 11:06:10 PM
to syzbot+3f6a67...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
From: Edward Adam Davis <ead...@sina.com>

On Mon, 02 Jan 2023 13:20:44 -0800
> HEAD commit: 1b929c02afd3 Linux 6.2-rc1
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1799c250480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
> dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
--- a/fs/gfs2/lops.c
+++ b/fs/gfs2/lops.c
@@ -736,6 +736,7 @@ static void buf_lo_after_commit(struct gfs2_sbd *sdp, struct gfs2_trans *tr)
{
struct list_head *head;
struct gfs2_bufdata *bd;
+ int i = 0;

if (tr == NULL)
return;
@@ -745,6 +746,8 @@ static void buf_lo_after_commit(struct gfs2_sbd *sdp, struct gfs2_trans *tr)
bd = list_first_entry(head, struct gfs2_bufdata, bd_list);
list_del_init(&bd->bd_list);
gfs2_unpin(sdp, bd->bd_bh, tr);
+ i++;
+ printk("buf_lo_after_commit: %d\n", i);
}
}

--- a/fs/gfs2/bmap.c
+++ b/fs/gfs2/bmap.c
@@ -895,8 +895,12 @@ static int __gfs2_iomap_get(struct inode *inode, loff_t pos, loff_t length,
iomap->length = len << inode->i_blkbits;

height = ip->i_height;
- while ((lblock + 1) * sdp->sd_sb.sb_bsize > sdp->sd_heightsize[height])
+ while (height < GFS2_MAX_META_HEIGHT &&
+ (lblock + 1) * sdp->sd_sb.sb_bsize > sdp->sd_heightsize[height]) {
+ printk("lblock:%d, height:%d, sb_bsize: %d, heightsize:%d,pos:%d,size:%d\n",
+ lblock, height, sdp->sd_sb.sb_bsize, sdp->sd_heightsize[height], pos, size);
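Review bot: pos and size are loff_t, and lblock and sd_heightsize[] are 64-bit as well, but every argument is printed with %d; use %lld/%llu with casts so the logged values can be trusted, and give the printk a log level.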

syzbot

Mar 20, 2023, 11:31:19 PM
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in __folio_mark_dirty

lblock:0, height:9, sb_bsize: 4096, heightsize:0,pos:0,size:176
lblock:0, height:9, sb_bsize: 4096, heightsize:0,pos:0,size:176
lblock:0, height:9, sb_bsize: 4096, heightsize:0,pos:0,size:176
------------[ cut here ]------------
WARNING: CPU: 1 PID: 5528 at include/linux/backing-dev.h:253 inode_to_wb include/linux/backing-dev.h:253 [inline]
WARNING: CPU: 1 PID: 5528 at include/linux/backing-dev.h:253 folio_account_dirtied mm/page-writeback.c:2677 [inline]
WARNING: CPU: 1 PID: 5528 at include/linux/backing-dev.h:253 __folio_mark_dirty+0xba8/0xf50 mm/page-writeback.c:2728
Modules linked in:
CPU: 1 PID: 5528 Comm: syz-executor.0 Not tainted 6.2.0-rc1-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
RIP: 0010:inode_to_wb include/linux/backing-dev.h:253 [inline]
RIP: 0010:folio_account_dirtied mm/page-writeback.c:2677 [inline]
RIP: 0010:__folio_mark_dirty+0xba8/0xf50 mm/page-writeback.c:2728
Code: 78 70 48 89 44 24 10 e8 06 e7 5b 08 31 ff 89 c6 89 44 24 10 e8 c9 b8 d2 ff 8b 44 24 10 85 c0 0f 85 62 f9 ff ff e8 08 bc d2 ff <0f> 0b e9 56 f9 ff ff e8 fc bb d2 ff e8 17 e8 5b 08 31 ff 41 89 c4
RSP: 0018:ffffc9000566f8b0 EFLAGS: 00010093
RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000
RDX: ffff8880271cba80 RSI: ffffffff81ae3738 RDI: 0000000000000005
RBP: ffffea0001c5f5c0 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff888144c4a878
R13: ffffffff8e778280 R14: 0000000000000293 R15: ffff888070101280
FS: 0000555555c95400(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f23cb29a440 CR3: 000000001fcf6000 CR4: 0000000000350ee0
RIP: 0033:0x7fd6a668d567
Code: ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffda5e7f8a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007fd6a668d567
RDX: 00007ffda5e7f979 RSI: 000000000000000a RDI: 00007ffda5e7f970
RBP: 00007ffda5e7f970 R08: 00000000ffffffff R09: 00007ffda5e7f740
R10: 0000555555c968b3 R11: 0000000000000246 R12: 00007fd6a66e6b24
R13: 00007ffda5e80a30 R14: 0000555555c96810 R15: 00007ffda5e80a70
</TASK>


Tested on:

commit: 1b929c02 Linux 6.2-rc1
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=10a2aea6c80000
kernel config: https://syzkaller.appspot.com/x/.config?x=7a23fb7114ed14bf
dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=1600cc6ac80000

ead...@sina.com

Mar 26, 2023, 12:32:20 AM
to syzbot+3f6a67...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
From: Edward Adam Davis <ead...@sina.com>

On Mon, 02 Jan 2023 13:20:44 -0800
> HEAD commit: 1b929c02afd3 Linux 6.2-rc1
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1799c250480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
> dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
--- a/fs/gfs2/bmap.c
+++ b/fs/gfs2/bmap.c
@@ -895,8 +895,12 @@ static int __gfs2_iomap_get(struct inode *inode, loff_t pos, loff_t length,
iomap->length = len << inode->i_blkbits;

height = ip->i_height;
- while ((lblock + 1) * sdp->sd_sb.sb_bsize > sdp->sd_heightsize[height])
+ while (height < GFS2_MAX_META_HEIGHT &&
+ (lblock + 1) * sdp->sd_sb.sb_bsize > sdp->sd_heightsize[height]) {
+ printk("lblock:%d, height:%d, sb_bsize: %d, heightsize:%d,pos:%d,size:%d\n",
+ lblock, height, sdp->sd_sb.sb_bsize, sdp->sd_heightsize[height], pos, size);
height++;
+ }
find_metapath(sdp, lblock, mp, height);
if (height > ip->i_height || gfs2_is_stuffed(ip))
goto do_alloc;
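Review bot: this printk fires once per loop iteration on every block-map call for an inode whose height sits above the populated part of the table, which the earlier test outputs show repeating identically; printk_ratelimited(), or a single message after the loop with the start and final height, would keep the log readable and still show the climb. The %d specifiers for the 64-bit lblock, sd_heightsize[], pos and size should be %llu/%lld with casts.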
--- a/fs/gfs2/lops.c
+++ b/fs/gfs2/lops.c
@@ -736,12 +736,15 @@ static void buf_lo_after_commit(struct gfs2_sbd *sdp, struct gfs2_trans *tr)
{
struct list_head *head;
struct gfs2_bufdata *bd;
+ int i = 0;

if (tr == NULL)
return;

head = &tr->tr_buf;
while (!list_empty(head)) {
+ i++;
+ printk("buf_lo_after_commit: %d\n", i);
bd = list_first_entry(head, struct gfs2_bufdata, bd_list);
list_del_init(&bd->bd_list);
gfs2_unpin(sdp, bd->bd_bh, tr);
--- a/fs/gfs2/quota.c
+++ b/fs/gfs2/quota.c
@@ -1362,6 +1362,8 @@ int gfs2_quota_init(struct gfs2_sbd *sdp)
u64 dblock;
u32 extlen = 0;
int error;
+ u32 qcid = 0;
+

if (gfs2_check_internal_file_size(sdp->sd_qc_inode, 1, 64 << 20))
return -EIO;
@@ -1407,6 +1409,7 @@ int gfs2_quota_init(struct gfs2_sbd *sdp)
USRQUOTA : GRPQUOTA;
struct kqid qc_id = make_kqid(&init_user_ns, qtype,
be32_to_cpu(qc->qc_id));
+ qcid = be32_to_cpu(qc->qc_id);
qc++;
if (!qc_change)
continue;
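Review bot: qcid is overwritten on every entry before the `if (!qc_change) continue;` test, so the value logged later is the id of the last slot scanned, not of any slot that actually carried a change; record it after the qc_change check, or log each changed id as it is found.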
@@ -1442,7 +1445,7 @@ int gfs2_quota_init(struct gfs2_sbd *sdp)
}

if (found)
- fs_info(sdp, "found %u quota changes\n", found);
+ fs_info(sdp, "found %u quota changes, qc_id:%d\n", found, qcid);

return 0;

@@ -1471,6 +1474,7 @@ void gfs2_quota_cleanup(struct gfs2_sbd *sdp)
hlist_bl_del_rcu(&qd->qd_hlist);
spin_unlock_bucket(qd->qd_hash);

+ fs_info(sdp, "qc_id:%d\n", cpu_to_be32(from_kqid(&init_user_ns, qd->qd_id));
gfs2_assert_warn(sdp, !qd->qd_change);
gfs2_assert_warn(sdp, !qd->qd_slot_count);
gfs2_assert_warn(sdp, !qd->qd_bh_count);
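Review bot: the added fs_info() is missing a closing parenthesis (the from_kqid() and cpu_to_be32() calls are closed, fs_info() itself is not), so the file will not compile; and cpu_to_be32() byte-swaps the id before it is printed, so on a little-endian host the logged qc_id is the reversed value. Print from_kqid(&init_user_ns, qd->qd_id) directly with %u.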

syzbot

Mar 26, 2023, 12:47:18 AM
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

fs/gfs2/quota.c:1764: error: unterminated argument list invoking macro "fs_info"
fs/gfs2/quota.c:1477:3: error: 'fs_info' undeclared (first use in this function); did you mean 'qc_info'?
fs/gfs2/quota.c:1477:10: error: expected ';' at end of input
fs/gfs2/quota.c:1477:3: error: expected declaration or statement at end of input


Tested on:

commit: 1b929c02 Linux 6.2-rc1
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=173578f5c80000

ead...@sina.com

Mar 26, 2023, 12:53:16 AM
to syzbot+3f6a67...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
From: Edward Adam Davis <ead...@sina.com>

On Mon, 02 Jan 2023 13:20:44 -0800
> HEAD commit: 1b929c02afd3 Linux 6.2-rc1
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1799c250480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
> dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
@@ -1362,6 +1362,7 @@ int gfs2_quota_init(struct gfs2_sbd *sdp)
u64 dblock;
u32 extlen = 0;
int error;
+ u32 qcid = 0;

if (gfs2_check_internal_file_size(sdp->sd_qc_inode, 1, 64 << 20))
return -EIO;
@@ -1407,6 +1408,7 @@ int gfs2_quota_init(struct gfs2_sbd *sdp)
USRQUOTA : GRPQUOTA;
struct kqid qc_id = make_kqid(&init_user_ns, qtype,
be32_to_cpu(qc->qc_id));
+ qcid = be32_to_cpu(qc->qc_id);
qc++;
if (!qc_change)
continue;
@@ -1442,7 +1444,7 @@ int gfs2_quota_init(struct gfs2_sbd *sdp)
}

if (found)
- fs_info(sdp, "found %u quota changes\n", found);
+ fs_info(sdp, "found %u quota changes, qc_id:%d\n", found, qcid);

return 0;

@@ -1471,6 +1473,7 @@ void gfs2_quota_cleanup(struct gfs2_sbd *sdp)
hlist_bl_del_rcu(&qd->qd_hlist);
spin_unlock_bucket(qd->qd_hash);

+ fs_info(sdp, "qc_id:%d\n", cpu_to_be32(from_kqid(&init_user_ns, qd->qd_id)));
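Review bot: the parenthesis is fixed, but cpu_to_be32() still byte-swaps the id before printing, so on x86 the logged qc_id will be the byte-reversed value; print the host-order from_kqid() result with %u.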

syzbot

Mar 26, 2023, 1:16:28 AM
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in __folio_mark_dirty

lblock:0, height:9, sb_bsize: 4096, heightsize:0,pos:0,size:176
lblock:0, height:9, sb_bsize: 4096, heightsize:0,pos:0,size:176
buf_lo_after_commit: 1
------------[ cut here ]------------
WARNING: CPU: 0 PID: 5527 at include/linux/backing-dev.h:253 inode_to_wb include/linux/backing-dev.h:253 [inline]
WARNING: CPU: 0 PID: 5527 at include/linux/backing-dev.h:253 folio_account_dirtied mm/page-writeback.c:2677 [inline]
WARNING: CPU: 0 PID: 5527 at include/linux/backing-dev.h:253 __folio_mark_dirty+0xba8/0xf50 mm/page-writeback.c:2728
Modules linked in:
CPU: 0 PID: 5527 Comm: syz-executor.0 Not tainted 6.2.0-rc1-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
RIP: 0010:inode_to_wb include/linux/backing-dev.h:253 [inline]
RIP: 0010:folio_account_dirtied mm/page-writeback.c:2677 [inline]
RIP: 0010:__folio_mark_dirty+0xba8/0xf50 mm/page-writeback.c:2728
Code: 78 70 48 89 44 24 10 e8 c6 e8 5b 08 31 ff 89 c6 89 44 24 10 e8 c9 b8 d2 ff 8b 44 24 10 85 c0 0f 85 62 f9 ff ff e8 08 bc d2 ff <0f> 0b e9 56 f9 ff ff e8 fc bb d2 ff e8 d7 e9 5b 08 31 ff 41 89 c4
RSP: 0018:ffffc90005ea78b0 EFLAGS: 00010093
RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000
RDX: ffff888022163a80 RSI: ffffffff81ae3738 RDI: 0000000000000005
RBP: ffffea000078c300 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88801bcadf78
R13: ffffffff8e7782c0 R14: 0000000000000293 R15: ffff88807afb9280
FS: 0000555555771400(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055fb53fc08b0 CR3: 000000001c92b000 CR4: 0000000000350ef0
Call Trace:
<TASK>
__set_page_dirty include/linux/pagemap.h:1052 [inline]
mark_buffer_dirty+0x70d/0xa40 fs/buffer.c:1105
gfs2_unpin+0x109/0xcf0 fs/gfs2/lops.c:111
buf_lo_after_commit.cold+0xd3/0x1b1 fs/gfs2/lops.c:750
lops_after_commit fs/gfs2/lops.h:49 [inline]
gfs2_log_flush+0x140f/0x28a0 fs/gfs2/log.c:1107
do_sync+0x5ad/0xcf0 fs/gfs2/quota.c:975
gfs2_quota_sync+0x2e6/0x660 fs/gfs2/quota.c:1318
gfs2_sync_fs+0x44/0xb0 fs/gfs2/super.c:650
sync_filesystem.part.0+0x75/0x1d0 fs/sync.c:56
sync_filesystem+0x8f/0xc0 fs/sync.c:43
generic_shutdown_super+0x74/0x410 fs/super.c:474
kill_block_super+0x9b/0xf0 fs/super.c:1386
gfs2_kill_sb+0x108/0x170 fs/gfs2/ops_fstype.c:1738
deactivate_locked_super+0x98/0x160 fs/super.c:332
deactivate_super+0xb1/0xd0 fs/super.c:363
cleanup_mnt+0x2ae/0x3d0 fs/namespace.c:1291
task_work_run+0x16f/0x270 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296
do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f070b48d567
Code: ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffca0f0b228 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f070b48d567
RDX: 00007ffca0f0b2f9 RSI: 000000000000000a RDI: 00007ffca0f0b2f0
RBP: 00007ffca0f0b2f0 R08: 00000000ffffffff R09: 00007ffca0f0b0c0
R10: 00005555557728b3 R11: 0000000000000246 R12: 00007f070b4e6b24
R13: 00007ffca0f0c3b0 R14: 0000555555772810 R15: 00007ffca0f0c3f0
</TASK>


Tested on:

commit: 1b929c02 Linux 6.2-rc1
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=174f0ab6c80000
kernel config: https://syzkaller.appspot.com/x/.config?x=b7fd5c16932c4cc
dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=14bd9025c80000

ead...@sina.com

Mar 26, 2023, 4:17:37 AM
to syzbot+3f6a67...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
From: Edward Adam Davis <ead...@sina.com>

On Mon, 02 Jan 2023 13:20:44 -0800
> HEAD commit: 1b929c02afd3 Linux 6.2-rc1
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1799c250480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
> dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
+ while (height < GFS2_MAX_META_HEIGHT + 10 &&
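Review bot: the bound `height < GFS2_MAX_META_HEIGHT + 10` does not keep `sdp->sd_heightsize[height]` in range; the UBSAN output further down gives the array type as `u64 [11]`, i.e. GFS2_MAX_META_HEIGHT + 1 entries, so any guard on the index can be at most `height <= GFS2_MAX_META_HEIGHT`. Clamping the loop also only hides the cause: the debug lines show `heightsize:0` at heights 9 and 10, which means `ip->i_height` is already past this superblock's `sd_max_height` (whose `~0` sentinel is what normally stops the loop), and that belongs rejected where the dinode is read rather than tolerated here.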
@@ -1376,6 +1377,7 @@ int gfs2_quota_init(struct gfs2_sbd *sdp)
__GFP_ZERO);
if (!sdp->sd_quota_bitmap)
return error;
+ qcid = ip->i_inode.i_ino;

for (x = 0; x < blocks; x++) {
struct buffer_head *bh;
@@ -1442,7 +1444,7 @@ int gfs2_quota_init(struct gfs2_sbd *sdp)
}

if (found)
- fs_info(sdp, "found %u quota changes\n", found);
+ fs_info(sdp, "found %u quota changes, i_ino:%d\n", found, qcid);
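Review bot: `qcid` is a `u32` (its declaration is visible in the later version of this patch) but is printed with `%d`; use `%u`. It only carries `ip->i_inode.i_ino`, which is `unsigned long`, so the copy also truncates on 64-bit; printing `ip->i_inode.i_ino` directly with `%lu` avoids both the temporary and the truncation. Fine as a debugging aid, but it should not survive into a fix.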

syzbot

Mar 26, 2023, 5:37:23 AM3/26/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
UBSAN: array-index-out-of-bounds in __gfs2_iomap_get

buf->di_height: 768
buf->di_depth: 0
inode->i_size: 176
lblock:0, height:9, sb_bsize: 4096, heightsize:0,pos:0,size:176
lblock:0, height:10, sb_bsize: 4096, heightsize:0,pos:0,size:176
================================================================================
UBSAN: array-index-out-of-bounds in fs/gfs2/bmap.c:899:64
index 11 is out of range for type 'u64 [11]'
CPU: 1 PID: 5507 Comm: syz-executor.0 Not tainted 6.2.0-rc1-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
ubsan_epilogue+0xa/0x31 lib/ubsan.c:151
__ubsan_handle_out_of_bounds.cold+0x62/0x6c lib/ubsan.c:282
__gfs2_iomap_get+0x1654/0x1a60 fs/gfs2/bmap.c:899
gfs2_iomap_get+0xb1/0x1e0 fs/gfs2/bmap.c:1400
gfs2_block_map+0x232/0xc20 fs/gfs2/bmap.c:1215
gfs2_write_alloc_required+0x3f1/0x510 fs/gfs2/bmap.c:2323
do_sync+0x707/0xcf0 fs/gfs2/quota.c:922
gfs2_quota_sync+0x2e6/0x660 fs/gfs2/quota.c:1318
gfs2_sync_fs+0x44/0xb0 fs/gfs2/super.c:650
sync_filesystem.part.0+0x75/0x1d0 fs/sync.c:56
sync_filesystem+0x8f/0xc0 fs/sync.c:43
generic_shutdown_super+0x74/0x410 fs/super.c:474
kill_block_super+0x9b/0xf0 fs/super.c:1386
gfs2_kill_sb+0x108/0x170 fs/gfs2/ops_fstype.c:1738
deactivate_locked_super+0x98/0x160 fs/super.c:332
deactivate_super+0xb1/0xd0 fs/super.c:363
cleanup_mnt+0x2ae/0x3d0 fs/namespace.c:1291
task_work_run+0x16f/0x270 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296
do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fd54948d567
Code: ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffdb28e5a18 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007fd54948d567
RDX: 00007ffdb28e5ae9 RSI: 000000000000000a RDI: 00007ffdb28e5ae0
RBP: 00007ffdb28e5ae0 R08: 00000000ffffffff R09: 00007ffdb28e58b0
R10: 00005555555e98b3 R11: 0000000000000246 R12: 00007fd5494e6b24
R13: 00007ffdb28e6ba0 R14: 00005555555e9810 R15: 00007ffdb28e6be0
</TASK>
================================================================================


Tested on:

commit: 1b929c02 Linux 6.2-rc1
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=144300c1c80000
kernel config: https://syzkaller.appspot.com/x/.config?x=b7fd5c16932c4cc
dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=13712e1ec80000

ead...@sina.com

Mar 27, 2023, 7:31:29 AM3/27/23
to syzbot+3f6a67...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
From: Edward Adam Davis <ead...@sina.com>

On Mon, 02 Jan 2023 13:20:44 -0800
> HEAD commit: 1b929c02afd3 Linux 6.2-rc1
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1799c250480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
> dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
--- a/fs/gfs2/ops_fstype.c
+++ b/fs/gfs2/ops_fstype.c
@@ -352,6 +352,7 @@ static int gfs2_read_sb(struct gfs2_sbd *sdp, int silent)
}
sdp->sd_max_height = x;
sdp->sd_heightsize[x] = ~0;
+ printk("sdp->sd_max_height: %d\n", x);
gfs2_assert(sdp, sdp->sd_max_height <= GFS2_MAX_META_HEIGHT);

sdp->sd_max_dents_per_leaf = (sdp->sd_sb.sb_bsize -
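Review bot: bare `printk()` with no KERN_ level and no filesystem prefix; gfs2 reports per-filesystem values through `fs_info(sdp, ...)`, as the existing `fs_info(sdp, "found %u quota changes\n", ...)` touched elsewhere in this series does. Also note that the `gfs2_assert()` on the very next line already pins `sd_max_height <= GFS2_MAX_META_HEIGHT`, so this print answers a settled question; the value worth comparing is a dinode's `i_height` against `sd_max_height`, which this hunk does not look at.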
--- a/fs/gfs2/bmap.c
+++ b/fs/gfs2/bmap.c
@@ -895,8 +895,13 @@ static int __gfs2_iomap_get(struct inode *inode, loff_t pos, loff_t length,
iomap->length = len << inode->i_blkbits;

height = ip->i_height;
- while ((lblock + 1) * sdp->sd_sb.sb_bsize > sdp->sd_heightsize[height])
+ printk("ip->i_height: %d\n", height);

syzbot

Mar 27, 2023, 7:46:27 AM3/27/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
UBSAN: array-index-out-of-bounds in __gfs2_iomap_get

inode->i_size: 176
ip->i_height: 9
lblock:0, height:9, sb_bsize: 4096, heightsize:0,pos:0,size:176
lblock:0, height:10, sb_bsize: 4096, heightsize:0,pos:0,size:176
================================================================================
UBSAN: array-index-out-of-bounds in fs/gfs2/bmap.c:900:64
index 11 is out of range for type 'u64 [11]'
CPU: 1 PID: 5533 Comm: syz-executor.0 Not tainted 6.2.0-rc1-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
ubsan_epilogue+0xa/0x31 lib/ubsan.c:151
__ubsan_handle_out_of_bounds.cold+0x62/0x6c lib/ubsan.c:282
__gfs2_iomap_get.cold+0x32a/0x1259 fs/gfs2/bmap.c:900
gfs2_iomap_get+0xb1/0x1e0 fs/gfs2/bmap.c:1401
gfs2_block_map+0x232/0xc20 fs/gfs2/bmap.c:1216
gfs2_write_alloc_required+0x3f1/0x510 fs/gfs2/bmap.c:2324
do_sync+0x707/0xcf0 fs/gfs2/quota.c:922
gfs2_quota_sync+0x2e6/0x660 fs/gfs2/quota.c:1318
gfs2_sync_fs+0x44/0xb0 fs/gfs2/super.c:650
sync_filesystem.part.0+0x75/0x1d0 fs/sync.c:56
sync_filesystem+0x8f/0xc0 fs/sync.c:43
generic_shutdown_super+0x74/0x410 fs/super.c:474
kill_block_super+0x9b/0xf0 fs/super.c:1386
gfs2_kill_sb+0x108/0x170 fs/gfs2/ops_fstype.c:1739
deactivate_locked_super+0x98/0x160 fs/super.c:332
deactivate_super+0xb1/0xd0 fs/super.c:363
cleanup_mnt+0x2ae/0x3d0 fs/namespace.c:1291
task_work_run+0x16f/0x270 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296
do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f4b2148d567
Code: ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff0a9a64f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f4b2148d567
RDX: 00007fff0a9a65c9 RSI: 000000000000000a RDI: 00007fff0a9a65c0
RBP: 00007fff0a9a65c0 R08: 00000000ffffffff R09: 00007fff0a9a6390
R10: 0000555555efb8b3 R11: 0000000000000246 R12: 00007f4b214e6b24
R13: 00007fff0a9a7680 R14: 0000555555efb810 R15: 00007fff0a9a76c0
</TASK>
================================================================================


Tested on:

commit: 1b929c02 Linux 6.2-rc1
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=120b81dec80000
kernel config: https://syzkaller.appspot.com/x/.config?x=b7fd5c16932c4cc
dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=1351d1dec80000
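The UBSAN report above (index 11 into a `u64 [11]` table, reached from `ip->i_height: 9` with `heightsize:0` at levels 9 and 10) is reproduced here in a small C model. This is an added example, not gfs2 code and not anything posted in the thread; the header sizes, the 4 KiB block size and all function names are assumptions, and the table is built in the shape `gfs2_read_sb()` uses, including the all-ones sentinel at `sd_max_height`. It shows why a height that passes the compile-time `GFS2_MAX_META_HEIGHT` check can still walk off the table, what a bounded walk returns instead, and the per-superblock check the dinode reader would need.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Kernel constant; the table has one more slot, the "u64 [11]" in the UBSAN line. */
#define GFS2_MAX_META_HEIGHT 10
/* Assumed on-disk header sizes (constructed for this model). */
#define DINODE_HDR_BYTES 232
#define META_HDR_BYTES    24

struct sb_model {
	uint32_t bsize;
	uint8_t  max_height;				/* stands in for sd_max_height */
	uint64_t heightsize[GFS2_MAX_META_HEIGHT + 1];	/* stands in for sd_heightsize */
};

/*
 * Fill the table the way gfs2_read_sb() does in outline: level 0 is the dinode
 * payload, each level above multiplies by the pointers per indirect block, stop
 * before u64 overflows, and put an all-ones sentinel at max_height (the
 * "sd_heightsize[x] = ~0" in the thread). Slots above it stay zero.
 */
static void build_heightsize(struct sb_model *sb, uint32_t bsize)
{
	uint64_t diptrs = (bsize - DINODE_HDR_BYTES) / sizeof(uint64_t);
	uint64_t inptrs = (bsize - META_HDR_BYTES) / sizeof(uint64_t);
	unsigned int x;

	memset(sb, 0, sizeof(*sb));
	sb->bsize = bsize;
	sb->heightsize[0] = bsize - DINODE_HDR_BYTES;
	sb->heightsize[1] = (uint64_t)bsize * diptrs;
	for (x = 2; x < GFS2_MAX_META_HEIGHT; x++) {
		uint64_t prev = sb->heightsize[x - 1];
		if (prev > UINT64_MAX / inptrs)
			break;
		sb->heightsize[x] = prev * inptrs;
	}
	sb->max_height = (uint8_t)x;
	sb->heightsize[x] = ~(uint64_t)0;
}

/*
 * The unguarded walk from __gfs2_iomap_get(), except that the index it would
 * read past the table is returned instead of dereferenced; -1 if it stops inside.
 */
static int first_oob_index(const struct sb_model *sb, unsigned int start_height,
			   uint64_t lblock)
{
	unsigned int height = start_height;

	while (height <= GFS2_MAX_META_HEIGHT &&
	       (lblock + 1) * sb->bsize > sb->heightsize[height])
		height++;
	return height <= GFS2_MAX_META_HEIGHT ? -1 : (int)height;
}

/* Bounded walk: a start height above max_height is corruption, not a lookup. */
static int height_for_block(const struct sb_model *sb, unsigned int start_height,
			    uint64_t lblock)
{
	unsigned int height = start_height;

	if (height > sb->max_height)
		return -1;
	/* The sentinel exceeds any byte offset, so the loop cannot pass it. */
	while ((lblock + 1) * sb->bsize > sb->heightsize[height])
		height++;
	return (int)height;
}

/*
 * Check for the dinode reader: di_height must fit the compile-time table (the
 * check gfs2_dinode_in() has) and this superblock's max_height (the bound the
 * thread's i_height 9 slipped past).
 */
static bool dinode_height_ok(const struct sb_model *sb, uint16_t di_height)
{
	return di_height <= GFS2_MAX_META_HEIGHT && di_height <= sb->max_height;
}

static const struct sb_model *model_4k(void)
{
	static struct sb_model sb;
	static bool built;

	if (!built) {
		build_heightsize(&sb, 4096);
		built = true;
	}
	return &sb;
}

int main(void)
{
	const struct sb_model *sb = model_4k();

	printf("max_height %u, heightsize[9] %llu, heightsize[10] %llu\n",
	       (unsigned int)sb->max_height, (unsigned long long)sb->heightsize[9],
	       (unsigned long long)sb->heightsize[10]);
	printf("unguarded walk from i_height 9 would read index %d\n", first_oob_index(sb, 9, 0));
	printf("bounded walk from 9 -> %d, from 0 -> %d\n",
	       height_for_block(sb, 9, 0), height_for_block(sb, 0, 0));
	printf("di_height 768 ok %d, 9 ok %d, 6 ok %d\n", dinode_height_ok(sb, 768),
	       dinode_height_ok(sb, 9), dinode_height_ok(sb, 6));
	return 0;
}
```

With the assumed 4 KiB geometry the model stops at `max_height` 6, so slots 7 to 10 are zero and a dinode claiming height 9 satisfies `(lblock + 1) * bsize > 0` at 9 and 10 and then reads index 11, exactly the UBSAN line above. The point of `dinode_height_ok()` is that the per-superblock bound, not the constant, is the one an untrusted image can violate.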

ead...@sina.com

Mar 27, 2023, 8:36:21 PM3/27/23
to syzbot+3f6a67...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
From: Edward Adam Davis <ead...@sina.com>

On Mon, 02 Jan 2023 13:20:44 -0800
> HEAD commit: 1b929c02afd3 Linux 6.2-rc1
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1799c250480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
> dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
--- a/fs/gfs2/ops_fstype.c
+++ b/fs/gfs2/ops_fstype.c
@@ -352,6 +352,7 @@ static int gfs2_read_sb(struct gfs2_sbd *sdp, int silent)
}
sdp->sd_max_height = x;
sdp->sd_heightsize[x] = ~0;
+ printk("sdp->sd_max_height: %d\n", x);
gfs2_assert(sdp, sdp->sd_max_height <= GFS2_MAX_META_HEIGHT);

sdp->sd_max_dents_per_leaf = (sdp->sd_sb.sb_bsize -
--- a/fs/gfs2/bmap.c
+++ b/fs/gfs2/bmap.c
@@ -895,8 +895,13 @@ static int __gfs2_iomap_get(struct inode *inode, loff_t pos, loff_t length,
iomap->length = len << inode->i_blkbits;

height = ip->i_height;
- while ((lblock + 1) * sdp->sd_sb.sb_bsize > sdp->sd_heightsize[height])
+ printk("ip->i_height: %d, i_ino: %d\n", height, ip->i_inode.i_ino);
+ while (height < GFS2_MAX_META_HEIGHT &&
+ (lblock + 1) * sdp->sd_sb.sb_bsize > sdp->sd_heightsize[height]) {
+ printk("lblock:%d, height:%d, sb_bsize: %d, heightsize:%d,pos:%d,size:%d\n",
+ lblock, height, sdp->sd_sb.sb_bsize, sdp->sd_heightsize[height], pos, size);
height++;
+ }
find_metapath(sdp, lblock, mp, height);
if (height > ip->i_height || gfs2_is_stuffed(ip))
goto do_alloc;
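Review bot: the new `height < GFS2_MAX_META_HEIGHT &&` guard stops the loop at index 10 but masks the defect instead of fixing it: the previous run's output (`ip->i_height: 9`, `heightsize:0` for heights 9 and 10) shows `i_height` is already beyond this superblock's `sd_max_height`, whose `~0` sentinel is what normally terminates this loop, so the inode should have been rejected when it was read (gfs2_dinode_in) rather than tolerated here. Separately, the `printk` uses `%d` for `lblock`, `pos` (`loff_t`, per the hunk header), `size` and `sdp->sd_heightsize[height]` (`u64`, per the UBSAN type `u64 [11]`), all 64-bit on x86-64; that needs `%llu`/`%lld` with casts, and the line has no KERN_ level.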
--- a/fs/gfs2/quota.c
+++ b/fs/gfs2/quota.c
@@ -1362,6 +1362,7 @@ int gfs2_quota_init(struct gfs2_sbd *sdp)
u64 dblock;
u32 extlen = 0;
int error;
+ u32 qcid = 0;

if (gfs2_check_internal_file_size(sdp->sd_qc_inode, 1, 64 << 20))
return -EIO;
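Review bot: `u32 qcid` is too narrow for what the next hunk stores in it, `ip->i_inode.i_ino`, which is `unsigned long`; on 64-bit the value truncates. Either declare it `unsigned long` or drop the temporary and print `ip->i_inode.i_ino` directly where it is needed.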
@@ -1376,6 +1377,7 @@ int gfs2_quota_init(struct gfs2_sbd *sdp)
__GFP_ZERO);
if (!sdp->sd_quota_bitmap)
return error;
+ qcid = ip->i_inode.i_ino;

for (x = 0; x < blocks; x++) {
struct buffer_head *bh;
@@ -1442,7 +1444,7 @@ int gfs2_quota_init(struct gfs2_sbd *sdp)
}

if (found)
- fs_info(sdp, "found %u quota changes\n", found);
+ fs_info(sdp, "found %u quota changes, i_ino:%d, i_height: %d\n", found, qcid, ip->i_height);

syzbot

Mar 27, 2023, 8:51:25 PM3/27/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in __folio_mark_dirty

lblock:0, height:9, sb_bsize: 4096, heightsize:0,pos:0,size:176
ip->i_height: 9, i_ino: 2340
lblock:0, height:9, sb_bsize: 4096, heightsize:0,pos:0,size:176
buf_lo_after_commit: 1
------------[ cut here ]------------
WARNING: CPU: 1 PID: 5528 at include/linux/backing-dev.h:253 inode_to_wb include/linux/backing-dev.h:253 [inline]
WARNING: CPU: 1 PID: 5528 at include/linux/backing-dev.h:253 folio_account_dirtied mm/page-writeback.c:2677 [inline]
WARNING: CPU: 1 PID: 5528 at include/linux/backing-dev.h:253 __folio_mark_dirty+0xba8/0xf50 mm/page-writeback.c:2728
Modules linked in:
CPU: 1 PID: 5528 Comm: syz-executor.0 Not tainted 6.2.0-rc1-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
RIP: 0010:inode_to_wb include/linux/backing-dev.h:253 [inline]
RIP: 0010:folio_account_dirtied mm/page-writeback.c:2677 [inline]
RIP: 0010:__folio_mark_dirty+0xba8/0xf50 mm/page-writeback.c:2728
Code: 78 70 48 89 44 24 10 e8 f6 d6 5b 08 31 ff 89 c6 89 44 24 10 e8 c9 b8 d2 ff 8b 44 24 10 85 c0 0f 85 62 f9 ff ff e8 08 bc d2 ff <0f> 0b e9 56 f9 ff ff e8 fc bb d2 ff e8 07 d8 5b 08 31 ff 41 89 c4
RSP: 0018:ffffc900052cf8b0 EFLAGS: 00010093
RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000
RDX: ffff88802a0f57c0 RSI: ffffffff81ae3738 RDI: 0000000000000005
RBP: ffffea0000a7cb40 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88801283df78
R13: ffffffff8e778340 R14: 0000000000000293 R15: ffff888074ea2258
FS: 0000555556d29400(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fff2a9a8238 CR3: 000000001feab000 CR4: 0000000000350ee0
Call Trace:
<TASK>
__set_page_dirty include/linux/pagemap.h:1052 [inline]
mark_buffer_dirty+0x70d/0xa40 fs/buffer.c:1105
gfs2_unpin+0x109/0xcf0 fs/gfs2/lops.c:111
buf_lo_after_commit.cold+0xd3/0x1b1 fs/gfs2/lops.c:750
lops_after_commit fs/gfs2/lops.h:49 [inline]
gfs2_log_flush+0x140f/0x28a0 fs/gfs2/log.c:1107
do_sync+0x5ad/0xcf0 fs/gfs2/quota.c:975
gfs2_quota_sync+0x2e6/0x660 fs/gfs2/quota.c:1318
gfs2_sync_fs+0x44/0xb0 fs/gfs2/super.c:650
sync_filesystem.part.0+0x75/0x1d0 fs/sync.c:56
sync_filesystem+0x8f/0xc0 fs/sync.c:43
generic_shutdown_super+0x74/0x410 fs/super.c:474
kill_block_super+0x9b/0xf0 fs/super.c:1386
gfs2_kill_sb+0x108/0x170 fs/gfs2/ops_fstype.c:1739
deactivate_locked_super+0x98/0x160 fs/super.c:332
deactivate_super+0xb1/0xd0 fs/super.c:363
cleanup_mnt+0x2ae/0x3d0 fs/namespace.c:1291
task_work_run+0x16f/0x270 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296
do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fc4e288d567
Code: ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe09986758 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007fc4e288d567
RDX: 00007ffe09986829 RSI: 000000000000000a RDI: 00007ffe09986820
RBP: 00007ffe09986820 R08: 00000000ffffffff R09: 00007ffe099865f0
R10: 0000555556d2a8b3 R11: 0000000000000246 R12: 00007fc4e28e6b24
R13: 00007ffe099878e0 R14: 0000555556d2a810 R15: 00007ffe09987920
</TASK>


Tested on:

commit: 1b929c02 Linux 6.2-rc1
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=14a6da49c80000
kernel config: https://syzkaller.appspot.com/x/.config?x=b7fd5c16932c4cc
dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=177f0ab6c80000

ead...@sina.com

Mar 27, 2023, 9:18:48 PM3/27/23
to syzbot+3f6a67...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
From: Edward Adam Davis <ead...@sina.com>

On Mon, 02 Jan 2023 13:20:44 -0800
> HEAD commit: 1b929c02afd3 Linux 6.2-rc1
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1799c250480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
> dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
+ printk(KERN_INFO "inode->i_size: %d, ip->i_inode.i_ino: %d,ip->i_height:%d,%s\n", inode->i_size, ip->i_inode.i_ino,ip->i_height, __func__);
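Review bot: `inode->i_size` is `loff_t` and `ip->i_inode.i_ino` is `unsigned long`, so `%d` mismatches both on 64-bit (the compiler's printf format checking warns on it, and the printed value is only right by accident of how varargs are passed); use `%lld` with a `(long long)` cast and `%lu`.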

syzbot

Mar 27, 2023, 9:34:22 PM3/27/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in __folio_mark_dirty

inode->i_size: 176, ip->i_inode.i_ino: 2340,ip->i_height:0,gfs2_dinode_in
ip->i_height: 9, i_ino: 2340
lblock:0, height:9, sb_bsize: 4096, heightsize:0,pos:0,size:176
ip->i_height: 9, i_ino: 2340
lblock:0, height:9, sb_bsize: 4096, heightsize:0,pos:0,size:176
ip->i_height: 9, i_ino: 2340
lblock:0, height:9, sb_bsize: 4096, heightsize:0,pos:0,size:176
buf_lo_after_commit: 1
------------[ cut here ]------------
WARNING: CPU: 0 PID: 5526 at include/linux/backing-dev.h:253 inode_to_wb include/linux/backing-dev.h:253 [inline]
WARNING: CPU: 0 PID: 5526 at include/linux/backing-dev.h:253 folio_account_dirtied mm/page-writeback.c:2677 [inline]
WARNING: CPU: 0 PID: 5526 at include/linux/backing-dev.h:253 __folio_mark_dirty+0xba8/0xf50 mm/page-writeback.c:2728
Modules linked in:
CPU: 0 PID: 5526 Comm: syz-executor.0 Not tainted 6.2.0-rc1-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
RIP: 0010:inode_to_wb include/linux/backing-dev.h:253 [inline]
RIP: 0010:folio_account_dirtied mm/page-writeback.c:2677 [inline]
RIP: 0010:__folio_mark_dirty+0xba8/0xf50 mm/page-writeback.c:2728
Code: 78 70 48 89 44 24 10 e8 76 d7 5b 08 31 ff 89 c6 89 44 24 10 e8 c9 b8 d2 ff 8b 44 24 10 85 c0 0f 85 62 f9 ff ff e8 08 bc d2 ff <0f> 0b e9 56 f9 ff ff e8 fc bb d2 ff e8 87 d8 5b 08 31 ff 41 89 c4
RSP: 0018:ffffc90005af78b0 EFLAGS: 00010093
RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000
RDX: ffff88801b953a80 RSI: ffffffff81ae3738 RDI: 0000000000000005
RBP: ffffea0000866f40 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88801ccaea78
R13: ffffffff8e778340 R14: 0000000000000293 R15: ffff8880706d8d38
FS: 00005555569a7400(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f23c7fcb440 CR3: 000000002932f000 CR4: 0000000000350ef0
RIP: 0033:0x7f9cfe48d567
Code: ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffef0f0fb48 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f9cfe48d567
RDX: 00007ffef0f0fc19 RSI: 000000000000000a RDI: 00007ffef0f0fc10
RBP: 00007ffef0f0fc10 R08: 00000000ffffffff R09: 00007ffef0f0f9e0
R10: 00005555569a88b3 R11: 0000000000000246 R12: 00007f9cfe4e6b24
R13: 00007ffef0f10cd0 R14: 00005555569a8810 R15: 00007ffef0f10d10
</TASK>


Tested on:

commit: 1b929c02 Linux 6.2-rc1
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=10fd3c9ec80000
kernel config: https://syzkaller.appspot.com/x/.config?x=b7fd5c16932c4cc
dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=1046574dc80000

ead...@sina.com

Mar 27, 2023, 9:50:01 PM3/27/23
to syzbot+3f6a67...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
From: Edward Adam Davis <ead...@sina.com>

On Mon, 02 Jan 2023 13:20:44 -0800
> HEAD commit: 1b929c02afd3 Linux 6.2-rc1
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1799c250480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
> dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
> compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14c4ea18480000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1359b338480000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/2d8c5072480f/disk-1b929c02.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/46687f1395db/vmlinux-1b929c02.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/26f1afa5ec00/bzImage-1b929c02.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/35edd581b491/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+3f6a67...@syzkaller.appspotmail.com

syzbot report:
BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:72 [inline]
BUG: KASAN: use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: use-after-free in qd_unlock+0x30/0x2d0 fs/gfs2/quota.c:490
Read of size 8 at addr ffff888073997090 by task syz-executor221/5069

Test 1b929c02afd3 uaf.

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 1b929c02afd3

--- a/fs/gfs2/glops.c
+++ b/fs/gfs2/glops.c
@@ -442,10 +442,14 @@ static int gfs2_dinode_in(struct gfs2_inode *ip, const void *buf)
/* i_diskflags and i_eattr must be set before gfs2_set_inode_flags() */
gfs2_set_inode_flags(inode);
height = be16_to_cpu(str->di_height);
- if (unlikely(height > GFS2_MAX_META_HEIGHT))
+ if (unlikely(height > GFS2_MAX_META_HEIGHT)) {
+ if (gfs2_is_stuffed(ip))
+ goto dem;
goto corrupt;
+ }
ip->i_height = (u8)height;

+dem:
depth = be16_to_cpu(str->di_depth);
if (unlikely(depth > GFS2_DIR_MAX_DEPTH))
goto corrupt;
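Review bot: this turns the corruption check into a no-op for freshly read inodes. `gfs2_is_stuffed(ip)` is `!ip->i_height`, and at this point `ip->i_height` still holds its pre-read value, which the debug lines in this thread show as 0 (`ip->i_height:0, gfs2_dinode_in` for ino 2340, alongside `str->di_height:768`); so an out-of-range `di_height` on a newly read dinode always takes `goto dem`, the `ip->i_height` assignment is skipped, and the bogus on-disk height is accepted. An out-of-range `di_height` is corruption whether or not the inode is stuffed, so `goto corrupt` is the right outcome; if anything, the check should be tightened to `height > sdp->sd_max_height`, since that is the bound the reproducer's height 9 actually violates.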

syzbot

Mar 27, 2023, 10:04:25 PM3/27/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in __folio_mark_dirty

ip->i_height: 1, i_ino: 2078
buf_lo_after_commit: 1
------------[ cut here ]------------
WARNING: CPU: 1 PID: 5527 at include/linux/backing-dev.h:253 inode_to_wb include/linux/backing-dev.h:253 [inline]
WARNING: CPU: 1 PID: 5527 at include/linux/backing-dev.h:253 folio_account_dirtied mm/page-writeback.c:2677 [inline]
WARNING: CPU: 1 PID: 5527 at include/linux/backing-dev.h:253 __folio_mark_dirty+0xba8/0xf50 mm/page-writeback.c:2728
Modules linked in:
CPU: 1 PID: 5527 Comm: syz-executor.0 Not tainted 6.2.0-rc1-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
RIP: 0010:inode_to_wb include/linux/backing-dev.h:253 [inline]
RIP: 0010:folio_account_dirtied mm/page-writeback.c:2677 [inline]
RIP: 0010:__folio_mark_dirty+0xba8/0xf50 mm/page-writeback.c:2728
Code: 78 70 48 89 44 24 10 e8 06 d5 5b 08 31 ff 89 c6 89 44 24 10 e8 c9 b8 d2 ff 8b 44 24 10 85 c0 0f 85 62 f9 ff ff e8 08 bc d2 ff <0f> 0b e9 56 f9 ff ff e8 fc bb d2 ff e8 17 d6 5b 08 31 ff 41 89 c4
RSP: 0018:ffffc9000559f8b0 EFLAGS: 00010093
RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000
RDX: ffff888024d48000 RSI: ffffffff81ae3738 RDI: 0000000000000005
RBP: ffffea0001d4acc0 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff888140c91d78
R13: ffffffff8e778280 R14: 0000000000000293 R15: ffff88801c3302a8
FS: 00005555561dc400(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005555561e5848 CR3: 0000000075ce9000 CR4: 0000000000350ee0
RIP: 0033:0x7f324ce8d567
Code: ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc6a579818 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f324ce8d567
RDX: 00007ffc6a5798e9 RSI: 000000000000000a RDI: 00007ffc6a5798e0
RBP: 00007ffc6a5798e0 R08: 00000000ffffffff R09: 00007ffc6a5796b0
R10: 00005555561dd8b3 R11: 0000000000000246 R12: 00007f324cee6b24
R13: 00007ffc6a57a9a0 R14: 00005555561dd810 R15: 00007ffc6a57a9e0
</TASK>


Tested on:

commit: 1b929c02 Linux 6.2-rc1
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1678d751c80000
kernel config: https://syzkaller.appspot.com/x/.config?x=b7fd5c16932c4cc
dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=15620649c80000

ead...@sina.com

Mar 27, 2023, 10:23:02 PM3/27/23
to syzbot+3f6a67...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
From: Edward Adam Davis <ead...@sina.com>

On Mon, 02 Jan 2023 13:20:44 -0800
> HEAD commit: 1b929c02afd3 Linux 6.2-rc1
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1799c250480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
> dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
@@ -442,10 +442,17 @@ static int gfs2_dinode_in(struct gfs2_inode *ip, const void *buf)
/* i_diskflags and i_eattr must be set before gfs2_set_inode_flags() */
gfs2_set_inode_flags(inode);
height = be16_to_cpu(str->di_height);
- if (unlikely(height > GFS2_MAX_META_HEIGHT))
+ printk("str->di_height:%d, ip->i_inode.i_ino: %d, ip->i_height:%d, %s",
+ height, ip->i_inode.i_ino, ip->i_height, __func__);
+ if (unlikely(height > GFS2_MAX_META_HEIGHT)) {
+ if (gfs2_is_stuffed(ip)) {
+ goto dem;
+ }

syzbot

Mar 27, 2023, 10:37:23 PM3/27/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in __folio_mark_dirty

ip->i_height: 1, i_ino: 2078
str->di_height:768, ip->i_inode.i_ino: 2340, ip->i_height:0, gfs2_dinode_in
buf_lo_after_commit: 1
------------[ cut here ]------------
WARNING: CPU: 1 PID: 5517 at include/linux/backing-dev.h:253 inode_to_wb include/linux/backing-dev.h:253 [inline]
WARNING: CPU: 1 PID: 5517 at include/linux/backing-dev.h:253 folio_account_dirtied mm/page-writeback.c:2677 [inline]
WARNING: CPU: 1 PID: 5517 at include/linux/backing-dev.h:253 __folio_mark_dirty+0xba8/0xf50 mm/page-writeback.c:2728
Modules linked in:
CPU: 1 PID: 5517 Comm: syz-executor.0 Not tainted 6.2.0-rc1-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
RIP: 0010:inode_to_wb include/linux/backing-dev.h:253 [inline]
RIP: 0010:folio_account_dirtied mm/page-writeback.c:2677 [inline]
RIP: 0010:__folio_mark_dirty+0xba8/0xf50 mm/page-writeback.c:2728
Code: 78 70 48 89 44 24 10 e8 06 d5 5b 08 31 ff 89 c6 89 44 24 10 e8 c9 b8 d2 ff 8b 44 24 10 85 c0 0f 85 62 f9 ff ff e8 08 bc d2 ff <0f> 0b e9 56 f9 ff ff e8 fc bb d2 ff e8 17 d6 5b 08 31 ff 41 89 c4
RSP: 0018:ffffc900050bf8b0 EFLAGS: 00010093
RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000
RDX: ffff888024e89d40 RSI: ffffffff81ae3738 RDI: 0000000000000005
RBP: ffffea0000849a40 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff888012816a78
R13: ffffffff8e7782c0 R14: 0000000000000293 R15: ffff8880293b5d10
FS: 0000555556502400(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f06a56819ee CR3: 0000000029d1c000 CR4: 0000000000350ee0
RIP: 0033:0x7fdfa7e8d567
Code: ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff95ca6ee8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007fdfa7e8d567
RDX: 00007fff95ca6fb9 RSI: 000000000000000a RDI: 00007fff95ca6fb0
RBP: 00007fff95ca6fb0 R08: 00000000ffffffff R09: 00007fff95ca6d80
R10: 00005555565038b3 R11: 0000000000000246 R12: 00007fdfa7ee6b24
R13: 00007fff95ca8070 R14: 0000555556503810 R15: 00007fff95ca80b0
</TASK>


Tested on:

commit: 1b929c02 Linux 6.2-rc1
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1709e739c80000
kernel config: https://syzkaller.appspot.com/x/.config?x=b7fd5c16932c4cc
dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=15afa139c80000

ead...@sina.com

Mar 27, 2023, 11:40:49 PM3/27/23
to syzbot+3f6a67...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
From: Edward Adam Davis <ead...@sina.com>

On Mon, 02 Jan 2023 13:20:44 -0800
> HEAD commit: 1b929c02afd3 Linux 6.2-rc1
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1799c250480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
> dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
> compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14c4ea18480000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1359b338480000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/2d8c5072480f/disk-1b929c02.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/46687f1395db/vmlinux-1b929c02.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/26f1afa5ec00/bzImage-1b929c02.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/35edd581b491/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+3f6a67...@syzkaller.appspotmail.com

syzbot report:
BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:72 [inline]
BUG: KASAN: use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: use-after-free in qd_unlock+0x30/0x2d0 fs/gfs2/quota.c:490
Read of size 8 at addr ffff888073997090 by task syz-executor221/5069

Test 1b929c02afd3 uaf.

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 1b929c02afd3

--- a/fs/gfs2/lops.c
+++ b/fs/gfs2/lops.c
@@ -107,6 +107,10 @@ static void gfs2_unpin(struct gfs2_sbd *sdp, struct buffer_head *bh,
BUG_ON(!buffer_uptodate(bh));
BUG_ON(!buffer_pinned(bh));

+ if (!sdp->sd_log_pinned) {
+ printk("not pinned, %s", __func__);
+ return;
+ }
lock_buffer(bh);
mark_buffer_dirty(bh);
clear_buffer_pinned(bh);
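Review bot: `sd_log_pinned` is an `atomic_t`, which is why the build below fails with "wrong type argument to unary exclamation mark"; test it with `atomic_read(&sdp->sd_log_pinned)`. Beyond compiling, returning early here skips `lock_buffer()`, `mark_buffer_dirty()` and `clear_buffer_pinned()` on a buffer the `BUG_ON(!buffer_pinned(bh))` two lines up has just confirmed is pinned, so it stays pinned for good; the early return changes the log's accounting rather than observing it. The `printk` also has no KERN_ level and no `\n`.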
@@ -736,12 +740,15 @@ static void buf_lo_after_commit(struct gfs2_sbd *sdp, struct gfs2_trans *tr)

syzbot

Mar 28, 2023, 12:04:32 AM3/28/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

fs/gfs2/lops.c:110:6: error: wrong type argument to unary exclamation mark


Tested on:

commit: 1b929c02 Linux 6.2-rc1
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=16b193f5c80000

ead...@sina.com

Mar 28, 2023, 12:10:03 AM3/28/23
to syzbot+3f6a67...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
From: Edward Adam Davis <ead...@sina.com>

On Mon, 02 Jan 2023 13:20:44 -0800
> HEAD commit: 1b929c02afd3 Linux 6.2-rc1
> git tree: upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=1799c250480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=68e0be42c8ee4bb4
> dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
+ if (!atomic_read(sdp->sd_log_pinned)) {
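Review bot: `atomic_read()` takes a pointer to the `atomic_t`, so this needs `&sdp->sd_log_pinned`; passing the member by value will not compile either. The early return it guards still leaves a buffer that `BUG_ON(!buffer_pinned(bh))` has just confirmed pinned in that state, with `clear_buffer_pinned(bh)` never reached.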