All of lore.kernel.org
 help / color / mirror / Atom feed
From: syzbot <syzbot+d79afb004be235636ee8@syzkaller.appspotmail.com>
To: akpm@linux-foundation.org, linux-kernel@vger.kernel.org,
	 linux-mm@kvack.org, syzkaller-bugs@googlegroups.com
Subject: [syzbot] [mm?] KASAN: slab-use-after-free Read in lru_add_fn
Date: Wed, 08 May 2024 22:58:26 -0700	[thread overview]
Message-ID: <0000000000008874480617ff1bad@google.com> (raw)

Hello,

syzbot found the following issue on:

HEAD commit:    9221b2819b8a Add linux-next specific files for 20240503
git tree:       linux-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=1263897f180000
kernel config:  https://syzkaller.appspot.com/x/.config?x=8ab537f51a6a0d98
dashboard link: https://syzkaller.appspot.com/bug?extid=d79afb004be235636ee8
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=17d47450980000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/3e67dbdc3c37/disk-9221b281.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ade618fa19f8/vmlinux-9221b281.xz
kernel image: https://storage.googleapis.com/syzbot-assets/df12e5073c97/bzImage-9221b281.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/98f66c028d40/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d79afb004be235636ee8@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read include/linux/instrumented.h:68 [inline]
BUG: KASAN: slab-use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: slab-use-after-free in mapping_unevictable include/linux/pagemap.h:257 [inline]
BUG: KASAN: slab-use-after-free in folio_evictable mm/internal.h:353 [inline]
BUG: KASAN: slab-use-after-free in lru_add_fn+0x2cc/0x1a20 mm/swap.c:184
Read of size 8 at addr ffff88807ffa84a8 by task udevd/5139

CPU: 0 PID: 5139 Comm: udevd Not tainted 6.9.0-rc6-next-20240503-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
 instrument_atomic_read include/linux/instrumented.h:68 [inline]
 _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
 mapping_unevictable include/linux/pagemap.h:257 [inline]
 folio_evictable mm/internal.h:353 [inline]
 lru_add_fn+0x2cc/0x1a20 mm/swap.c:184
 folio_batch_move_lru+0x322/0x690 mm/swap.c:220
 lru_add_drain_cpu+0x10e/0x8c0 mm/swap.c:657
 lru_add_drain+0x123/0x3e0 mm/swap.c:757
 wp_can_reuse_anon_folio mm/memory.c:3550 [inline]
 do_wp_page+0x2c65/0x5310 mm/memory.c:3662
 handle_pte_fault+0x1189/0x70f0 mm/memory.c:5396
 __handle_mm_fault mm/memory.c:5523 [inline]
 handle_mm_fault+0x10df/0x1ba0 mm/memory.c:5688
 do_user_addr_fault arch/x86/mm/fault.c:1338 [inline]
 handle_page_fault arch/x86/mm/fault.c:1481 [inline]
 exc_page_fault+0x459/0x8c0 arch/x86/mm/fault.c:1539
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
RIP: 0033:0x7fe7b90c72a4
Code: c0 02 49 8b 0c c6 64 8b 34 25 18 00 00 00 85 f6 75 22 48 39 cd 75 0c 48 8d 3d 24 e6 0e 00 e9 66 fe ff ff 48 c1 ea 0c 48 31 ca <48> 89 55 10 49 89 2c c6 eb 3c 89 d8 48 c1 ea 0c 48 89 ce 49 8d 3c
RSP: 002b:00007ffc001e7800 EFLAGS: 00010206
RAX: 0000000000000003 RBX: 0000000000000003 RCX: 000055697463f110
RDX: 0000556c22f4b72b RSI: 0000000000000000 RDI: 000055697463b660
RBP: 000055697463b650 R08: 0000000000000007 R09: 729c72b1ba2b10a4
R10: f6f0f8c87f29ff62 R11: 0000000000000007 R12: 0000000000000000
R13: 000055697463b680 R14: 00007fe7b91f1aa0 R15: 0000556974631910
 </TASK>

Allocated by task 5122:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 unpoison_slab_object mm/kasan/common.c:312 [inline]
 __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:338
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slub.c:3940 [inline]
 slab_alloc_node mm/slub.c:4000 [inline]
 kmem_cache_alloc_lru_noprof+0x139/0x2b0 mm/slub.c:4019
 nilfs_alloc_inode+0x2e/0xf0 fs/nilfs2/super.c:154
 alloc_inode fs/inode.c:261 [inline]
 iget5_locked+0xa4/0x280 fs/inode.c:1235
 nilfs_iget_locked+0x12b/0x180 fs/nilfs2/inode.c:606
 nilfs_ifile_read+0x30/0x1b0 fs/nilfs2/ifile.c:192
 nilfs_attach_checkpoint+0xed/0x1a0 fs/nilfs2/super.c:557
 nilfs_fill_super+0x380/0x6a0 fs/nilfs2/super.c:1067
 nilfs_get_tree+0x4f9/0x920 fs/nilfs2/super.c:1211
 vfs_get_tree+0x90/0x2a0 fs/super.c:1780
 do_new_mount+0x2be/0xb40 fs/namespace.c:3352
 do_mount fs/namespace.c:3692 [inline]
 __do_sys_mount fs/namespace.c:3898 [inline]
 __se_sys_mount+0x2d9/0x3c0 fs/namespace.c:3875
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 0:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
 poison_slab_object+0xe0/0x150 mm/kasan/common.c:240
 __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256
 kasan_slab_free include/linux/kasan.h:184 [inline]
 slab_free_hook mm/slub.c:2195 [inline]
 slab_free mm/slub.c:4436 [inline]
 kmem_cache_free+0x145/0x350 mm/slub.c:4511
 rcu_do_batch kernel/rcu/tree.c:2566 [inline]
 rcu_core+0xafd/0x1830 kernel/rcu/tree.c:2840
 handle_softirqs+0x2d6/0x990 kernel/softirq.c:554
 __do_softirq kernel/softirq.c:588 [inline]
 invoke_softirq kernel/softirq.c:428 [inline]
 __irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:649
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702

Last potentially related work creation:
 kasan_save_stack+0x3f/0x60 mm/kasan/common.c:47
 __kasan_record_aux_stack+0xac/0xc0 mm/kasan/generic.c:541
 __call_rcu_common kernel/rcu/tree.c:3103 [inline]
 call_rcu+0x167/0xa70 kernel/rcu/tree.c:3207
 nilfs_put_root+0x97/0xc0 fs/nilfs2/the_nilfs.c:909
 nilfs_segctor_destroy fs/nilfs2/segment.c:2753 [inline]
 nilfs_detach_log_writer+0x8bb/0xbe0 fs/nilfs2/segment.c:2816
 nilfs_put_super+0x4d/0x160 fs/nilfs2/super.c:498
 generic_shutdown_super+0x136/0x2d0 fs/super.c:642
 kill_block_super+0x44/0x90 fs/super.c:1676
 deactivate_locked_super+0xc4/0x130 fs/super.c:473
 cleanup_mnt+0x426/0x4c0 fs/namespace.c:1267
 task_work_run+0x24f/0x310 kernel/task_work.c:180
 ptrace_notify+0x2d2/0x380 kernel/signal.c:2402
 ptrace_report_syscall include/linux/ptrace.h:415 [inline]
 ptrace_report_syscall_exit include/linux/ptrace.h:477 [inline]
 syscall_exit_work+0xc6/0x190 kernel/entry/common.c:173
 syscall_exit_to_user_mode_prepare kernel/entry/common.c:200 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:205 [inline]
 syscall_exit_to_user_mode+0x273/0x370 kernel/entry/common.c:218
 do_syscall_64+0x102/0x240 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88807ffa8000
 which belongs to the cache nilfs2_inode_cache of size 1512
The buggy address is located 1192 bytes inside of
 freed 1512-byte region [ffff88807ffa8000, ffff88807ffa85e8)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7ffa8
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff88801f030301
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffefff(slab)
raw: 00fff00000000040 ffff88801abec3c0 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080130013 00000001ffffefff ffff88801f030301
head: 00fff00000000040 ffff88801abec3c0 dead000000000122 0000000000000000
head: 0000000000000000 0000000080130013 00000001ffffefff ffff88801f030301
head: 00fff00000000003 ffffea0001ffea01 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Reclaimable, gfp_mask 0x1d2050(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 5122, tgid 5122 (syz-executor.0), ts 74532588239, free_ts 16451630334
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1468
 prep_new_page mm/page_alloc.c:1476 [inline]
 get_page_from_freelist+0x2ce2/0x2d90 mm/page_alloc.c:3438
 __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4696
 __alloc_pages_node_noprof include/linux/gfp.h:244 [inline]
 alloc_pages_node_noprof include/linux/gfp.h:271 [inline]
 alloc_slab_page+0x5f/0x120 mm/slub.c:2264
 allocate_slab+0x5a/0x2e0 mm/slub.c:2427
 new_slab mm/slub.c:2480 [inline]
 ___slab_alloc+0xcd1/0x14b0 mm/slub.c:3666
 __slab_alloc+0x58/0xa0 mm/slub.c:3756
 __slab_alloc_node mm/slub.c:3809 [inline]
 slab_alloc_node mm/slub.c:3988 [inline]
 kmem_cache_alloc_lru_noprof+0x1c5/0x2b0 mm/slub.c:4019
 nilfs_alloc_inode+0x2e/0xf0 fs/nilfs2/super.c:154
 alloc_inode fs/inode.c:261 [inline]
 iget5_locked+0xa4/0x280 fs/inode.c:1235
 nilfs_iget_locked+0x12b/0x180 fs/nilfs2/inode.c:606
 nilfs_ifile_read+0x30/0x1b0 fs/nilfs2/ifile.c:192
 nilfs_attach_checkpoint+0xed/0x1a0 fs/nilfs2/super.c:557
 nilfs_fill_super+0x380/0x6a0 fs/nilfs2/super.c:1067
 nilfs_get_tree+0x4f9/0x920 fs/nilfs2/super.c:1211
 vfs_get_tree+0x90/0x2a0 fs/super.c:1780
page last free pid 1 tgid 1 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1088 [inline]
 free_unref_page+0xd22/0xea0 mm/page_alloc.c:2601
 free_contig_range+0x9e/0x160 mm/page_alloc.c:6655
 destroy_args+0x8a/0x890 mm/debug_vm_pgtable.c:1037
 debug_vm_pgtable+0x4be/0x550 mm/debug_vm_pgtable.c:1417
 do_one_initcall+0x248/0x880 init/main.c:1265
 do_initcall_level+0x157/0x210 init/main.c:1327
 do_initcalls+0x3f/0x80 init/main.c:1343
 kernel_init_freeable+0x435/0x5d0 init/main.c:1576
 kernel_init+0x1d/0x2b0 init/main.c:1465
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Memory state around the buggy address:
 ffff88807ffa8380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88807ffa8400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88807ffa8480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                  ^
 ffff88807ffa8500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88807ffa8580: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

                 reply	other threads:[~2024-05-09  5:58 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=0000000000008874480617ff1bad@google.com \
    --to=syzbot+d79afb004be235636ee8@syzkaller.appspotmail.com \
    --cc=akpm@linux-foundation.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=syzkaller-bugs@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.