[v6.1] KASAN: use-after-free Read in xfs_inode_item_push
1 view
Skip to first unread message
syzbot
Apr 29, 2023, 3:57:50 PM4/29/23
Hello,
syzbot found the following issue on:
HEAD commit: ca1c9012c941 Linux 6.1.26
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1336c844280000
kernel config: https://syzkaller.appspot.com/x/.config?x=f749f501f45a424b
dashboard link: https://syzkaller.appspot.com/bug?extid=64a8825197de5a98dd5b
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/fa9c42c5de02/disk-ca1c9012.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/deeadb7af907/vmlinux-ca1c9012.xz
kernel image: https://storage.googleapis.com/syzbot-assets/3b2d047683d5/bzImage-ca1c9012.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]
==================================================================
BUG: KASAN: use-after-free in xfs_inode_item_push+0x28b/0x2e0 fs/xfs/xfs_inode_item.c:594
Read of size 8 at addr ffff8880739322c0 by task xfsaild/loop3/5353
CPU: 1 PID: 5353 Comm: xfsaild/loop3 Not tainted 6.1.26-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x15f/0x4f0 mm/kasan/report.c:395
kasan_report+0x136/0x160 mm/kasan/report.c:495
xfs_inode_item_push+0x28b/0x2e0 fs/xfs/xfs_inode_item.c:594
xfsaild_push_item fs/xfs/xfs_trans_ail.c:414 [inline]
xfsaild_push fs/xfs/xfs_trans_ail.c:484 [inline]
xfsaild+0xc69/0x2780 fs/xfs/xfs_trans_ail.c:669
kthread+0x26e/0x300 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
</TASK>
Allocated by task 5345:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
__kasan_slab_alloc+0x65/0x70 mm/kasan/common.c:328
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook+0x50/0x370 mm/slab.h:737
slab_alloc_node mm/slub.c:3398 [inline]
slab_alloc mm/slub.c:3406 [inline]
__kmem_cache_alloc_lru mm/slub.c:3413 [inline]
kmem_cache_alloc+0x10c/0x2d0 mm/slub.c:3422
kmem_cache_zalloc include/linux/slab.h:679 [inline]
xfs_inode_item_init+0x2f/0xc0 fs/xfs/xfs_inode_item.c:687
xfs_trans_ijoin+0xb9/0xe0 fs/xfs/libxfs/xfs_trans_inode.c:36
xfs_init_new_inode+0xd6a/0x10c0 fs/xfs/xfs_inode.c:902
xfs_create+0x948/0x1360 fs/xfs/xfs_inode.c:1023
xfs_generic_create+0x48d/0xd70 fs/xfs/xfs_iops.c:199
lookup_open fs/namei.c:3413 [inline]
open_last_lookups fs/namei.c:3481 [inline]
path_openat+0x12f1/0x2e60 fs/namei.c:3711
do_filp_open+0x230/0x480 fs/namei.c:3741
do_sys_openat2+0x13b/0x500 fs/open.c:1310
do_sys_open fs/open.c:1326 [inline]
__do_sys_openat fs/open.c:1342 [inline]
__se_sys_openat fs/open.c:1337 [inline]
__x64_sys_openat+0x243/0x290 fs/open.c:1337
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Freed by task 21:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
kasan_save_free_info+0x27/0x40 mm/kasan/generic.c:516
____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236
kasan_slab_free include/linux/kasan.h:177 [inline]
slab_free_hook mm/slub.c:1724 [inline]
slab_free_freelist_hook mm/slub.c:1750 [inline]
slab_free mm/slub.c:3661 [inline]
kmem_cache_free+0x292/0x510 mm/slub.c:3683
xfs_inode_free_callback+0x14e/0x1c0 fs/xfs/xfs_icache.c:145
rcu_do_batch kernel/rcu/tree.c:2250 [inline]
rcu_core+0xa9a/0x1790 kernel/rcu/tree.c:2510
__do_softirq+0x2e9/0xa4c kernel/softirq.c:571
The buggy address belongs to the object at ffff888073932290
which belongs to the cache xfs_ili of size 264
The buggy address is located 48 bytes inside of
264-byte region [ffff888073932290, ffff888073932398)
The buggy address belongs to the physical page:
page:ffffea0001ce4c80 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x73932
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffffea00021d3440 dead000000000006 ffff888140b6bc80
raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Reclaimable, gfp_mask 0x112c50(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 19237, tgid 19235 (syz-executor.2), ts 853973430659, free_ts 842611329911
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x18d/0x1b0 mm/page_alloc.c:2533
prep_new_page mm/page_alloc.c:2540 [inline]
get_page_from_freelist+0x32ed/0x3480 mm/page_alloc.c:4292
__alloc_pages+0x28d/0x770 mm/page_alloc.c:5559
alloc_slab_page+0x6a/0x150 mm/slub.c:1794
allocate_slab mm/slub.c:1939 [inline]
new_slab+0x84/0x2d0 mm/slub.c:1992
___slab_alloc+0xa71/0x1080 mm/slub.c:3180
__slab_alloc mm/slub.c:3279 [inline]
slab_alloc_node mm/slub.c:3364 [inline]
slab_alloc mm/slub.c:3406 [inline]
__kmem_cache_alloc_lru mm/slub.c:3413 [inline]
kmem_cache_alloc+0x1a5/0x2d0 mm/slub.c:3422
kmem_cache_zalloc include/linux/slab.h:679 [inline]
xfs_inode_item_init+0x2f/0xc0 fs/xfs/xfs_inode_item.c:687
xfs_trans_ijoin+0xb9/0xe0 fs/xfs/libxfs/xfs_trans_inode.c:36
xfs_init_new_inode+0xd6a/0x10c0 fs/xfs/xfs_inode.c:902
xfs_qm_qino_alloc+0x4fb/0xa20 fs/xfs/xfs_qm.c:782
xfs_qm_init_quotainos+0x654/0x8a0 fs/xfs/xfs_qm.c:1548
xfs_qm_init_quotainfo+0x11a/0x12f0 fs/xfs/xfs_qm.c:635
xfs_qm_mount_quotas+0x97/0x620 fs/xfs/xfs_qm.c:1424
xfs_mountfs+0x185d/0x1f00 fs/xfs/xfs_mount.c:945
xfs_fs_fill_super+0xf90/0x11e0 fs/xfs/xfs_super.c:1666
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1460 [inline]
free_pcp_prepare mm/page_alloc.c:1510 [inline]
free_unref_page_prepare+0xf63/0x1120 mm/page_alloc.c:3388
free_unref_page+0x98/0x570 mm/page_alloc.c:3484
qlist_free_all+0x22/0x60 mm/kasan/quarantine.c:187
kasan_quarantine_reduce+0x162/0x180 mm/kasan/quarantine.c:294
__kasan_slab_alloc+0x1f/0x70 mm/kasan/common.c:305
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook+0x50/0x370 mm/slab.h:737
slab_alloc_node mm/slub.c:3398 [inline]
slab_alloc mm/slub.c:3406 [inline]
__kmem_cache_alloc_lru mm/slub.c:3413 [inline]
kmem_cache_alloc+0x10c/0x2d0 mm/slub.c:3422
getname_flags+0xb8/0x4e0 fs/namei.c:139
user_path_at_empty+0x2a/0x180 fs/namei.c:2875
do_readlinkat+0x114/0x3a0 fs/stat.c:468
__do_sys_readlink fs/stat.c:501 [inline]
__se_sys_readlink fs/stat.c:498 [inline]
__x64_sys_readlink+0x7b/0x90 fs/stat.c:498
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Memory state around the buggy address:
ffff888073932180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888073932200: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
>ffff888073932280: fc fc fa fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888073932300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888073932380: fb fb fb fc fc fc fc fc fc fc fc fb fb fb fb fb
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to change bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: ca1c9012c941 Linux 6.1.26
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1336c844280000
kernel config: https://syzkaller.appspot.com/x/.config?x=f749f501f45a424b
dashboard link: https://syzkaller.appspot.com/bug?extid=64a8825197de5a98dd5b
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/fa9c42c5de02/disk-ca1c9012.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/deeadb7af907/vmlinux-ca1c9012.xz
kernel image: https://storage.googleapis.com/syzbot-assets/3b2d047683d5/bzImage-ca1c9012.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]
==================================================================
BUG: KASAN: use-after-free in xfs_inode_item_push+0x28b/0x2e0 fs/xfs/xfs_inode_item.c:594
Read of size 8 at addr ffff8880739322c0 by task xfsaild/loop3/5353
CPU: 1 PID: 5353 Comm: xfsaild/loop3 Not tainted 6.1.26-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x15f/0x4f0 mm/kasan/report.c:395
kasan_report+0x136/0x160 mm/kasan/report.c:495
xfs_inode_item_push+0x28b/0x2e0 fs/xfs/xfs_inode_item.c:594
xfsaild_push_item fs/xfs/xfs_trans_ail.c:414 [inline]
xfsaild_push fs/xfs/xfs_trans_ail.c:484 [inline]
xfsaild+0xc69/0x2780 fs/xfs/xfs_trans_ail.c:669
kthread+0x26e/0x300 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
</TASK>
Allocated by task 5345:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
__kasan_slab_alloc+0x65/0x70 mm/kasan/common.c:328
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook+0x50/0x370 mm/slab.h:737
slab_alloc_node mm/slub.c:3398 [inline]
slab_alloc mm/slub.c:3406 [inline]
__kmem_cache_alloc_lru mm/slub.c:3413 [inline]
kmem_cache_alloc+0x10c/0x2d0 mm/slub.c:3422
kmem_cache_zalloc include/linux/slab.h:679 [inline]
xfs_inode_item_init+0x2f/0xc0 fs/xfs/xfs_inode_item.c:687
xfs_trans_ijoin+0xb9/0xe0 fs/xfs/libxfs/xfs_trans_inode.c:36
xfs_init_new_inode+0xd6a/0x10c0 fs/xfs/xfs_inode.c:902
xfs_create+0x948/0x1360 fs/xfs/xfs_inode.c:1023
xfs_generic_create+0x48d/0xd70 fs/xfs/xfs_iops.c:199
lookup_open fs/namei.c:3413 [inline]
open_last_lookups fs/namei.c:3481 [inline]
path_openat+0x12f1/0x2e60 fs/namei.c:3711
do_filp_open+0x230/0x480 fs/namei.c:3741
do_sys_openat2+0x13b/0x500 fs/open.c:1310
do_sys_open fs/open.c:1326 [inline]
__do_sys_openat fs/open.c:1342 [inline]
__se_sys_openat fs/open.c:1337 [inline]
__x64_sys_openat+0x243/0x290 fs/open.c:1337
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Freed by task 21:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
kasan_save_free_info+0x27/0x40 mm/kasan/generic.c:516
____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236
kasan_slab_free include/linux/kasan.h:177 [inline]
slab_free_hook mm/slub.c:1724 [inline]
slab_free_freelist_hook mm/slub.c:1750 [inline]
slab_free mm/slub.c:3661 [inline]
kmem_cache_free+0x292/0x510 mm/slub.c:3683
xfs_inode_free_callback+0x14e/0x1c0 fs/xfs/xfs_icache.c:145
rcu_do_batch kernel/rcu/tree.c:2250 [inline]
rcu_core+0xa9a/0x1790 kernel/rcu/tree.c:2510
__do_softirq+0x2e9/0xa4c kernel/softirq.c:571
The buggy address belongs to the object at ffff888073932290
which belongs to the cache xfs_ili of size 264
The buggy address is located 48 bytes inside of
264-byte region [ffff888073932290, ffff888073932398)
The buggy address belongs to the physical page:
page:ffffea0001ce4c80 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x73932
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffffea00021d3440 dead000000000006 ffff888140b6bc80
raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Reclaimable, gfp_mask 0x112c50(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 19237, tgid 19235 (syz-executor.2), ts 853973430659, free_ts 842611329911
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x18d/0x1b0 mm/page_alloc.c:2533
prep_new_page mm/page_alloc.c:2540 [inline]
get_page_from_freelist+0x32ed/0x3480 mm/page_alloc.c:4292
__alloc_pages+0x28d/0x770 mm/page_alloc.c:5559
alloc_slab_page+0x6a/0x150 mm/slub.c:1794
allocate_slab mm/slub.c:1939 [inline]
new_slab+0x84/0x2d0 mm/slub.c:1992
___slab_alloc+0xa71/0x1080 mm/slub.c:3180
__slab_alloc mm/slub.c:3279 [inline]
slab_alloc_node mm/slub.c:3364 [inline]
slab_alloc mm/slub.c:3406 [inline]
__kmem_cache_alloc_lru mm/slub.c:3413 [inline]
kmem_cache_alloc+0x1a5/0x2d0 mm/slub.c:3422
kmem_cache_zalloc include/linux/slab.h:679 [inline]
xfs_inode_item_init+0x2f/0xc0 fs/xfs/xfs_inode_item.c:687
xfs_trans_ijoin+0xb9/0xe0 fs/xfs/libxfs/xfs_trans_inode.c:36
xfs_init_new_inode+0xd6a/0x10c0 fs/xfs/xfs_inode.c:902
xfs_qm_qino_alloc+0x4fb/0xa20 fs/xfs/xfs_qm.c:782
xfs_qm_init_quotainos+0x654/0x8a0 fs/xfs/xfs_qm.c:1548
xfs_qm_init_quotainfo+0x11a/0x12f0 fs/xfs/xfs_qm.c:635
xfs_qm_mount_quotas+0x97/0x620 fs/xfs/xfs_qm.c:1424
xfs_mountfs+0x185d/0x1f00 fs/xfs/xfs_mount.c:945
xfs_fs_fill_super+0xf90/0x11e0 fs/xfs/xfs_super.c:1666
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1460 [inline]
free_pcp_prepare mm/page_alloc.c:1510 [inline]
free_unref_page_prepare+0xf63/0x1120 mm/page_alloc.c:3388
free_unref_page+0x98/0x570 mm/page_alloc.c:3484
qlist_free_all+0x22/0x60 mm/kasan/quarantine.c:187
kasan_quarantine_reduce+0x162/0x180 mm/kasan/quarantine.c:294
__kasan_slab_alloc+0x1f/0x70 mm/kasan/common.c:305
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook+0x50/0x370 mm/slab.h:737
slab_alloc_node mm/slub.c:3398 [inline]
slab_alloc mm/slub.c:3406 [inline]
__kmem_cache_alloc_lru mm/slub.c:3413 [inline]
kmem_cache_alloc+0x10c/0x2d0 mm/slub.c:3422
getname_flags+0xb8/0x4e0 fs/namei.c:139
user_path_at_empty+0x2a/0x180 fs/namei.c:2875
do_readlinkat+0x114/0x3a0 fs/stat.c:468
__do_sys_readlink fs/stat.c:501 [inline]
__se_sys_readlink fs/stat.c:498 [inline]
__x64_sys_readlink+0x7b/0x90 fs/stat.c:498
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Memory state around the buggy address:
ffff888073932180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888073932200: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
>ffff888073932280: fc fc fa fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888073932300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888073932380: fb fb fb fc fc fc fc fc fc fc fc fb fb fb fb fb
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to change bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
Aug 23, 2023, 12:03:37 PM8/23/23
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.
Crashes did not happen for a while, no reproducer and no activity.
Reply all
Reply to author
Forward
0 new messages