KASAN: use-after-free Read in iput (2)
@ 2020-11-22 21:23 syzbot
From: syzbot @ 2020-11-22 21:23 UTC (permalink / raw)
  To: linux-fsdevel, linux-kernel, syzkaller-bugs, viro

Hello,

syzbot found the following issue on:

HEAD commit:    20529233 Add linux-next specific files for 20201118
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=112a581c500000
kernel config:  https://syzkaller.appspot.com/x/.config?x=2c4fb58b6526b3c1
dashboard link: https://syzkaller.appspot.com/bug?extid=2cc8170bf3401fadbbfd
compiler:       gcc (GCC) 10.1.0-syz 20200507

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2cc8170bf3401fadbbfd@syzkaller.appspotmail.com

R10: 0000000000000000 R11: 0000000000000202 R12: 0000000020000000
R13: 0000000020000100 R14: 0000000020000200 R15: 0000000020000040
gfs2: fsid=syz:syz.0: can't lock local "sc" file: -5
==================================================================
BUG: KASAN: use-after-free in iput+0x6b/0x70 fs/inode.c:1670
Read of size 8 at addr ffff8880848047a8 by task syz-executor.3/27017

CPU: 1 PID: 27017 Comm: syz-executor.3 Not tainted 5.10.0-rc4-next-20201118-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:120
 print_address_description.constprop.0.cold+0xae/0x4c8 mm/kasan/report.c:385
 __kasan_report mm/kasan/report.c:545 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:562
 iput+0x6b/0x70 fs/inode.c:1670
 init_statfs fs/gfs2/ops_fstype.c:684 [inline]
 init_journal fs/gfs2/ops_fstype.c:788 [inline]
 init_inodes+0x2103/0x2650 fs/gfs2/ops_fstype.c:857
 gfs2_fill_super+0x199c/0x23f0 fs/gfs2/ops_fstype.c:1184
 get_tree_bdev+0x421/0x740 fs/super.c:1344
 gfs2_get_tree+0x4a/0x270 fs/gfs2/ops_fstype.c:1260
 vfs_get_tree+0x89/0x2f0 fs/super.c:1549
 do_new_mount fs/namespace.c:2896 [inline]
 path_mount+0x12ae/0x1e70 fs/namespace.c:3227
 do_mount fs/namespace.c:3240 [inline]
 __do_sys_mount fs/namespace.c:3448 [inline]
 __se_sys_mount fs/namespace.c:3425 [inline]
 __x64_sys_mount+0x27f/0x300 fs/namespace.c:3425
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x46090a
Code: b8 a6 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 ad 89 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 8a 89 fb ff c3 66 0f 1f 84 00 00 00 00 00
RSP: 002b:00007f5a79d67a88 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007f5a79d67b20 RCX: 000000000046090a
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007f5a79d67ae0
RBP: 00007f5a79d67ae0 R08: 00007f5a79d67b20 R09: 0000000020000000
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000020000000
R13: 0000000020000100 R14: 0000000020000200 R15: 0000000020000040

Allocated by task 27017:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:49
 kasan_set_track mm/kasan/common.c:57 [inline]
 __kasan_kmalloc.constprop.0+0xc2/0xd0 mm/kasan/common.c:480
 slab_post_alloc_hook mm/slab.h:512 [inline]
 slab_alloc_node mm/slub.c:2900 [inline]
 slab_alloc mm/slub.c:2908 [inline]
 kmem_cache_alloc+0x12a/0x470 mm/slub.c:2913
 gfs2_alloc_inode+0x38/0x1a0 fs/gfs2/super.c:1548
 alloc_inode+0x61/0x230 fs/inode.c:234
 iget5_locked fs/inode.c:1150 [inline]
 iget5_locked+0x134/0x220 fs/inode.c:1143
 gfs2_iget fs/gfs2/inode.c:60 [inline]
 gfs2_inode_lookup+0x104/0xb30 fs/gfs2/inode.c:136
 gfs2_dir_search+0x20f/0x2c0 fs/gfs2/dir.c:1662
 gfs2_lookupi+0x46e/0x630 fs/gfs2/inode.c:329
 gfs2_lookup_simple+0x99/0xe0 fs/gfs2/inode.c:269
 init_statfs fs/gfs2/ops_fstype.c:641 [inline]
 init_journal fs/gfs2/ops_fstype.c:788 [inline]
 init_inodes+0x169d/0x2650 fs/gfs2/ops_fstype.c:857
 gfs2_fill_super+0x199c/0x23f0 fs/gfs2/ops_fstype.c:1184
 get_tree_bdev+0x421/0x740 fs/super.c:1344
 gfs2_get_tree+0x4a/0x270 fs/gfs2/ops_fstype.c:1260
 vfs_get_tree+0x89/0x2f0 fs/super.c:1549
 do_new_mount fs/namespace.c:2896 [inline]
 path_mount+0x12ae/0x1e70 fs/namespace.c:3227
 do_mount fs/namespace.c:3240 [inline]
 __do_sys_mount fs/namespace.c:3448 [inline]
 __se_sys_mount fs/namespace.c:3425 [inline]
 __x64_sys_mount+0x27f/0x300 fs/namespace.c:3425
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 10:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:49
 kasan_set_track+0x1c/0x30 mm/kasan/common.c:57
 kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:356
 __kasan_slab_free+0x102/0x140 mm/kasan/common.c:438
 slab_free_hook mm/slub.c:1545 [inline]
 slab_free_freelist_hook+0x5d/0x150 mm/slub.c:1583
 slab_free mm/slub.c:3154 [inline]
 kmem_cache_free+0x82/0x350 mm/slub.c:3170
 i_callback+0x3f/0x70 fs/inode.c:223
 rcu_do_batch kernel/rcu/tree.c:2499 [inline]
 rcu_core+0x5e4/0xef0 kernel/rcu/tree.c:2730
 __do_softirq+0x2a0/0x9f6 kernel/softirq.c:298

Last call_rcu():
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:49
 kasan_record_aux_stack+0xc0/0xf0 mm/kasan/generic.c:347
 __call_rcu kernel/rcu/tree.c:2972 [inline]
 call_rcu+0xbb/0x700 kernel/rcu/tree.c:3047
 destroy_inode+0x129/0x1b0 fs/inode.c:289
 iput_final fs/inode.c:1654 [inline]
 iput.part.0+0x3fe/0x820 fs/inode.c:1680
 iput+0x58/0x70 fs/inode.c:1670
 init_statfs fs/gfs2/ops_fstype.c:672 [inline]
 init_journal fs/gfs2/ops_fstype.c:788 [inline]
 init_inodes+0x19a7/0x2650 fs/gfs2/ops_fstype.c:857
 gfs2_fill_super+0x199c/0x23f0 fs/gfs2/ops_fstype.c:1184
 get_tree_bdev+0x421/0x740 fs/super.c:1344
 gfs2_get_tree+0x4a/0x270 fs/gfs2/ops_fstype.c:1260
 vfs_get_tree+0x89/0x2f0 fs/super.c:1549
 do_new_mount fs/namespace.c:2896 [inline]
 path_mount+0x12ae/0x1e70 fs/namespace.c:3227
 do_mount fs/namespace.c:3240 [inline]
 __do_sys_mount fs/namespace.c:3448 [inline]
 __se_sys_mount fs/namespace.c:3425 [inline]
 __x64_sys_mount+0x27f/0x300 fs/namespace.c:3425
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Second to last call_rcu():
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:49
 kasan_record_aux_stack+0xc0/0xf0 mm/kasan/generic.c:347
 __call_rcu kernel/rcu/tree.c:2972 [inline]
 call_rcu+0xbb/0x700 kernel/rcu/tree.c:3047
 destroy_inode+0x129/0x1b0 fs/inode.c:289
 iput_final fs/inode.c:1654 [inline]
 iput.part.0+0x3fe/0x820 fs/inode.c:1680
 iput+0x58/0x70 fs/inode.c:1670
 free_local_statfs_inodes+0xef/0x370 fs/gfs2/super.c:1574
 uninit_statfs fs/gfs2/ops_fstype.c:696 [inline]
 init_journal fs/gfs2/ops_fstype.c:828 [inline]
 init_inodes+0x1e12/0x2650 fs/gfs2/ops_fstype.c:897
 gfs2_fill_super+0x199c/0x23f0 fs/gfs2/ops_fstype.c:1184
 get_tree_bdev+0x421/0x740 fs/super.c:1344
 gfs2_get_tree+0x4a/0x270 fs/gfs2/ops_fstype.c:1260
 vfs_get_tree+0x89/0x2f0 fs/super.c:1549
 do_new_mount fs/namespace.c:2896 [inline]
 path_mount+0x12ae/0x1e70 fs/namespace.c:3227
 do_mount fs/namespace.c:3240 [inline]
 __do_sys_mount fs/namespace.c:3448 [inline]
 __se_sys_mount fs/namespace.c:3425 [inline]
 __x64_sys_mount+0x27f/0x300 fs/namespace.c:3425
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

The buggy address belongs to the object at ffff8880848046d0
 which belongs to the cache gfs2_inode of size 1520
The buggy address is located 216 bytes inside of
 1520-byte region [ffff8880848046d0, ffff888084804cc0)
The buggy address belongs to the page:
page:0000000034b508a6 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x84800
head:0000000034b508a6 order:3 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head)
raw: 00fff00000010200 dead000000000100 dead000000000122 ffff88814380b3c0
raw: 0000000000000000 0000000080130013 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888084804680: fc fc fc fc fc fc fc fc fc fc fa fb fb fb fb fb
 ffff888084804700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888084804780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                  ^
 ffff888084804800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888084804880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
