From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752511AbcKRKKT (ORCPT ); Fri, 18 Nov 2016 05:10:19 -0500 Received: from mail-wm0-f46.google.com ([74.125.82.46]:37809 "EHLO mail-wm0-f46.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751905AbcKRKKR (ORCPT ); Fri, 18 Nov 2016 05:10:17 -0500 MIME-Version: 1.0 From: Dmitry Vyukov Date: Fri, 18 Nov 2016 11:09:54 +0100 Message-ID: Subject: logfs: GPF in logfs_alloc_inode To: joern@logfs.org, Prasad Joshi , logfs@logfs.org, LKML , Al Viro , "linux-fsdevel@vger.kernel.org" Cc: syzkaller Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hello, The following program triggers GPF in logfs_alloc_inode: https://gist.githubusercontent.com/dvyukov/64a2113e4cb484d9b7e0ef4ff8a522d0/raw/fffdfb8b781ec758563e08765a258da71e6ff2a1/gistfile1.txt general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN Modules linked in: CPU: 2 PID: 6602 Comm: a.out Not tainted 4.9.0-rc5+ #49 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 task: ffff88003604c400 task.stack: ffff880035380000 RIP: 0010:[] [< inline >] i_uid_write ./include/linux/fs.h:1469 RIP: 0010:[] [] logfs_init_inode.isra.5+0x155/0x480 fs/logfs/inode.c:212 RSP: 0018:ffff880035387838 EFLAGS: 00010206 RAX: dffffc0000000000 RBX: ffff8800640af9e0 RCX: 0000000000000000 RDX: 000000000000011b RSI: ffffffff8995e940 RDI: 00000000000008d8 RBP: ffff8800353878c0 R08: 00000000000004d0 R09: 0000000000000000 R10: 0000000000000006 R11: 0000000000000000 R12: ffff8800640afe00 R13: 1ffff10006a70f07 R14: 0000000000000000 R15: ffff88006b563700 FS: 0000000001b3b940(0000) GS:ffff88006d000000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f8526a449de CR3: 0000000034106000 CR4: 00000000000006e0 Stack: 0000000041b58ab3 ffffffff894c4c0b ffffffff82513fc0 000000000000aa81 ffffffff819efe35 ffff88006a63a7ff 1ffff1000d4c7500 ffffe8ffffc18490 00000001819effad 0000000000000003 ffff88000000000c 0000000000000282 Call Trace: [] logfs_alloc_inode+0x35/0x40 fs/logfs/inode.c:234 [] alloc_inode+0x66/0x180 fs/inode.c:207 [] new_inode_pseudo+0x6e/0x190 fs/inode.c:889 [] new_inode+0x21/0x50 fs/inode.c:918 [] logfs_new_meta_inode+0x26/0x120 fs/logfs/inode.c:267 [] logfs_init_mapping+0x47/0x160 fs/logfs/segment.c:912 [< inline >] logfs_read_sb fs/logfs/super.c:446 [< inline >] logfs_get_sb_device fs/logfs/super.c:546 [] logfs_mount+0x690/0x1e50 fs/logfs/super.c:600 [] mount_fs+0x9c/0x2e0 fs/super.c:1177 [] vfs_kern_mount.part.22+0x6c/0x2f0 fs/namespace.c:954 [< inline >] vfs_kern_mount fs/namespace.c:2433 [< inline >] do_new_mount fs/namespace.c:2436 [] do_mount+0x41d/0x2db0 fs/namespace.c:2758 [< inline >] SYSC_mount fs/namespace.c:2974 [] SyS_mount+0xb0/0x120 fs/namespace.c:2951 [] entry_SYSCALL_64_fastpath+0x23/0xc6 arch/x86/entry/entry_64.S:209 Code: fa 48 c1 ea 03 80 3c 02 00 0f 85 13 03 00 00 4c 8b 73 28 48 b8 00 00 00 00 00 fc ff df 49 8d be d8 08 00 00 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 e3 02 00 00 48 8d 7b 04 48 b8 00 00 00 00 00 RIP [< inline >] i_uid_write ./include/linux/fs.h:1469 RIP [] logfs_init_inode.isra.5+0x155/0x480 fs/logfs/inode.c:212 RSP ---[ end trace a44003de9322a2bc ]--- LogFS: Start mount 1 ================================================================== BUG: KASAN: use-after-free in __rwsem_down_write_failed_common+0xde7/0xf90 at addr ffff88003604c430 Read of size 4 by task a.out/6605 CPU: 1 PID: 6605 Comm: a.out Tainted: G B D 4.9.0-rc5+ #49 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 ffff88003cf6f130 ffffffff834c2a59 ffffffff00000001 1ffff100079eddb9 ffffed00079eddb1 0000000041b58ab3 ffffffff895758d0 ffffffff834c276b ffffffff894f179e ffffffff815774c0 ffff88003cf6eff0 dffffc0000000000 Call Trace: [< inline >] __dump_stack lib/dump_stack.c:15 [] dump_stack+0x2ee/0x3f5 lib/dump_stack.c:51 [] kasan_object_err+0x21/0x70 mm/kasan/report.c:159 [< inline >] print_address_description mm/kasan/report.c:197 [< inline >] kasan_report_error mm/kasan/report.c:286 [] kasan_report+0x1eb/0x4c0 mm/kasan/report.c:306 [] __asan_report_load4_noabort+0x19/0x20 mm/kasan/report.c:331 [< inline >] rwsem_optimistic_spin kernel/locking/rwsem-xadd.c:339 [] __rwsem_down_write_failed_common+0xde7/0xf90 kernel/locking/rwsem-xadd.c:470 [] rwsem_down_write_failed+0x13/0x20 kernel/locking/rwsem-xadd.c:555 [] call_rwsem_down_write_failed+0x17/0x30 arch/x86/lib/rwsem.S:105 [< inline >] __down_write ./arch/x86/include/asm/rwsem.h:125 [] down_write+0xac/0x120 kernel/locking/rwsem.c:54 [] grab_super+0xa8/0x290 fs/super.c:364 [] sget_userns+0x1f8/0xd40 fs/super.c:491 [] sget+0xc4/0x100 fs/super.c:548 [< inline >] logfs_get_sb_device fs/logfs/super.c:522 [] logfs_mount+0x38e/0x1e50 fs/logfs/super.c:600 [] mount_fs+0x9c/0x2e0 fs/super.c:1177 [] vfs_kern_mount.part.22+0x6c/0x2f0 fs/namespace.c:954 [< inline >] vfs_kern_mount fs/namespace.c:2433 [< inline >] do_new_mount fs/namespace.c:2436 [] do_mount+0x41d/0x2db0 fs/namespace.c:2758 [< inline >] SYSC_mount fs/namespace.c:2974 [] SyS_mount+0xb0/0x120 fs/namespace.c:2951 [] entry_SYSCALL_64_fastpath+0x23/0xc6 arch/x86/entry/entry_64.S:209 Object at ffff88003604c400, in cache task_struct size: 5632 Allocated: PID = 6598 [ 204.878017] [] save_stack_trace+0x1b/0x20 [ 204.878017] [] save_stack+0x43/0xd0 [ 204.878017] [] kasan_kmalloc+0xad/0xe0 [ 204.878017] [] kasan_slab_alloc+0x12/0x20 [ 204.878017] [] kmem_cache_alloc_node+0x138/0x740 [ 204.878017] [] copy_process.part.38+0x1995/0x4920 [ 204.878017] [] _do_fork+0x205/0x1070 [ 204.878017] [] SyS_clone+0x3c/0x50 [ 204.878017] [] do_syscall_64+0x2f4/0x940 [ 204.878017] [] return_from_SYSCALL_64+0x0/0x7a Freed: PID = 0 [ 204.878017] [] save_stack_trace+0x1b/0x20 [ 204.878017] [] save_stack+0x43/0xd0 [ 204.878017] [] kasan_slab_free+0x72/0xc0 [ 204.878017] [] kmem_cache_free+0x7b/0x2f0 [ 204.878017] [] free_task+0x114/0x190 [ 204.878017] [] __put_task_struct+0x258/0x610 [ 204.878017] [] delayed_put_task_struct+0xe4/0x4b0 [ 204.878017] [] rcu_do_batch.isra.70+0x9ed/0xe20 [ 204.878017] [] rcu_process_callbacks+0x48c/0xd70 [ 204.878017] [] __do_softirq+0x32b/0xca8 Memory state around the buggy address: ffff88003604c300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88003604c380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff88003604c400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88003604c480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88003604c500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== On commit a25f0944ba9b1d8a6813fd6f1a86f1bd59ac25a6 (4.9-rc5).