linux-kernel.vger.kernel.org archive mirror
* Re: [syzbot] [kernfs?] KASAN: slab-use-after-free Read in kernfs_test_super
       [not found] <20230827123619.3750-1-hdanton@sina.com>
@ 2023-08-27 13:19 ` syzbot
  0 siblings, 0 replies; 8+ messages in thread
From: syzbot @ 2023-08-27 13:19 UTC
  To: hdanton, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+f25c61df1ec3d235d52f@syzkaller.appspotmail.com

Tested on:

commit:         28c736b0 Add linux-next specific files for 20230822
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=13e2b3bba80000
kernel config:  https://syzkaller.appspot.com/x/.config?x=20999f779fa96017
dashboard link: https://syzkaller.appspot.com/bug?extid=f25c61df1ec3d235d52f
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1362b3bba80000

Note: testing is done by a robot and is best-effort only.


* Re: [syzbot] [kernfs?] KASAN: slab-use-after-free Read in kernfs_test_super
  2023-08-26 16:53 syzbot
  2023-08-28  9:20 ` Christian Brauner
@ 2023-08-28  9:22 ` Christian Brauner
  1 sibling, 0 replies; 8+ messages in thread
From: Christian Brauner @ 2023-08-28  9:22 UTC
  To: syzbot; +Cc: gregkh, jack, linux-fsdevel, linux-kernel, syzkaller-bugs, tj

#syz dup: KASAN: slab-use-after-free Read in fuse_test_super


* Re: [syzbot] [kernfs?] KASAN: slab-use-after-free Read in kernfs_test_super
  2023-08-28  9:20 ` Christian Brauner
@ 2023-08-28  9:20   ` syzbot
  0 siblings, 0 replies; 8+ messages in thread
From: syzbot @ 2023-08-28  9:20 UTC
  To: brauner
  Cc: brauner, gregkh, jack, linux-fsdevel, linux-kernel, syzkaller-bugs, tj

> #syz dup: [syzbot] [fuse?] KASAN: slab-use-after-free Read in fuse_test_super

can't find the dup bug



* Re: [syzbot] [kernfs?] KASAN: slab-use-after-free Read in kernfs_test_super
  2023-08-26 16:53 syzbot
@ 2023-08-28  9:20 ` Christian Brauner
  2023-08-28  9:20   ` syzbot
  2023-08-28  9:22 ` Christian Brauner
  1 sibling, 1 reply; 8+ messages in thread
From: Christian Brauner @ 2023-08-28  9:20 UTC
  To: syzbot; +Cc: gregkh, jack, linux-fsdevel, linux-kernel, syzkaller-bugs, tj

#syz dup: [syzbot] [fuse?] KASAN: slab-use-after-free Read in fuse_test_super


* Re: [syzbot] [kernfs?] KASAN: slab-use-after-free Read in kernfs_test_super
       [not found] <20230827100849.3681-1-hdanton@sina.com>
@ 2023-08-27 11:04 ` syzbot
  0 siblings, 0 replies; 8+ messages in thread
From: syzbot @ 2023-08-27 11:04 UTC
  To: hdanton, linux-kernel, syzkaller-bugs

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

    T1] RPL Segment Routing with IPv6
[   22.153462][    T1] In-situ OAM (IOAM) with IPv6
[   22.158633][    T1] mip6: Mobile IPv6
[   22.167745][    T1] sit: IPv6, IPv4 and MPLS over IPv4 tunneling driver
[   22.185212][    T1] ip6_gre: GRE over IPv6 tunneling driver
[   22.197237][    T1] NET: Registered PF_PACKET protocol family
[   22.203406][    T1] NET: Registered PF_KEY protocol family
[   22.209481][    T1] Bridge firewalling registered
[   22.214972][    T1] NET: Registered PF_X25 protocol family
[   22.220716][    T1] X25: Linux Version 0.2
[   22.301783][    T1] NET: Registered PF_NETROM protocol family
[   22.389320][    T1] NET: Registered PF_ROSE protocol family
[   22.395297][    T1] NET: Registered PF_AX25 protocol family
[   22.401145][    T1] can: controller area network core
[   22.407441][    T1] NET: Registered PF_CAN protocol family
[   22.413109][    T1] can: raw protocol
[   22.417186][    T1] can: broadcast manager protocol
[   22.422248][    T1] can: netlink gateway - max_hops=1
[   22.427654][    T1] can: SAE J1939
[   22.431196][    T1] can: isotp protocol (max_pdu_size 8300)
[   22.437369][    T1] Bluetooth: RFCOMM TTY layer initialized
[   22.443097][    T1] Bluetooth: RFCOMM socket layer initialized
[   22.449713][    T1] Bluetooth: RFCOMM ver 1.11
[   22.454468][    T1] Bluetooth: BNEP (Ethernet Emulation) ver 1.3
[   22.460598][    T1] Bluetooth: BNEP filters: protocol multicast
[   22.467157][    T1] Bluetooth: BNEP socket layer initialized
[   22.472946][    T1] Bluetooth: CMTP (CAPI Emulation) ver 1.0
[   22.478826][    T1] Bluetooth: CMTP socket layer initialized
[   22.484665][    T1] Bluetooth: HIDP (Human Interface Emulation) ver 1.2
[   22.491508][    T1] Bluetooth: HIDP socket layer initialized
[   22.502104][    T1] NET: Registered PF_RXRPC protocol family
[   22.508020][    T1] Key type rxrpc registered
[   22.512934][    T1] Key type rxrpc_s registered
[   22.519379][    T1] NET: Registered PF_KCM protocol family
[   22.526198][    T1] lec:lane_module_init: lec.c: initialized
[   22.532235][    T1] mpoa:atm_mpoa_init: mpc.c: initialized
[   22.538764][    T1] l2tp_core: L2TP core driver, V2.0
[   22.544063][    T1] l2tp_ppp: PPPoL2TP kernel driver, V2.0
[   22.549753][    T1] l2tp_ip: L2TP IP encapsulation support (L2TPv3)
[   22.556606][    T1] l2tp_netlink: L2TP netlink interface
[   22.562260][    T1] l2tp_eth: L2TP ethernet pseudowire support (L2TPv3)
[   22.569431][    T1] l2tp_ip6: L2TP IP encapsulation support for IPv6 (L2TPv3)
[   22.577749][    T1] NET: Registered PF_PHONET protocol family
[   22.584800][    T1] 8021q: 802.1Q VLAN Support v1.8
[   22.608369][    T1] DCCP: Activated CCID 2 (TCP-like)
[   22.614078][    T1] DCCP: Activated CCID 3 (TCP-Friendly Rate Control)
[   22.621209][    T1] DCCP is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list
[   22.632363][    T1] sctp: Hash tables configured (bind 32/56)
[   22.641253][    T1] NET: Registered PF_RDS protocol family
[   22.647757][    T1] Registered RDS/infiniband transport
[   22.653720][    T1] Registered RDS/tcp transport
[   22.658688][    T1] tipc: Activated (version 2.0.0)
[   22.664367][    T1] NET: Registered PF_TIPC protocol family
[   22.670831][    T1] tipc: Started in single node mode
[   22.676860][    T1] NET: Registered PF_SMC protocol family
[   22.682686][    T1] 9pnet: Installing 9P2000 support
[   22.688768][    T1] NET: Registered PF_CAIF protocol family
[   22.702700][    T1] NET: Registered PF_IEEE802154 protocol family
[   22.710080][    T1] Key type dns_resolver registered
[   22.715485][    T1] Key type ceph registered
[   22.720499][    T1] libceph: loaded (mon/osd proto 15/24)
[   22.728520][    T1] batman_adv: B.A.T.M.A.N. advanced 2023.3 (compatibility version 15) loaded
[   22.737761][    T1] openvswitch: Open vSwitch switching datapath
[   22.747749][    T1] NET: Registered PF_VSOCK protocol family
[   22.753909][    T1] mpls_gso: MPLS GSO support
[   22.767156][    T1] start plist test
[   22.776649][    T1] end plist test
[   22.789647][    T1] IPI shorthand broadcast: enabled
[   22.795205][    T1] AVX2 version of gcm_enc/dec engaged.
[   22.800844][    T1] AES CTR mode by8 optimization enabled
[   24.946860][    T1] sched_clock: Marking stable (24900021811, 44080130)->(24947471898, -3369957)
[   24.963256][    T1] registered taskstats version 1
[   24.991977][    T1] Loading compiled-in X.509 certificates
[   25.002988][    T1] Loaded X.509 cert 'Build time autogenerated kernel key: 6ff01a4b96c932563103f4d4fff2d5d5224413d4'
[   25.018103][    T1] zswap: loaded using pool lzo/zbud
[   25.254541][    T1] debug_vm_pgtable: [debug_vm_pgtable         ]: Validating architecture page table helpers
[   28.206068][    T1] Key type .fscrypt registered
[   28.210844][    T1] Key type fscrypt-provisioning registered
[   28.225620][    T1] kAFS: Red Hat AFS client v0.1 registering.
[   28.251109][    T1] Btrfs loaded, assert=on, ref-verify=on, zoned=yes, fsverity=yes
[   28.259400][    T1] Key type big_key registered
[   28.266816][    T1] Key type encrypted registered
[   28.271690][    T1] AppArmor: AppArmor sha1 policy hashing enabled
[   28.278086][    T1] ima: No TPM chip found, activating TPM-bypass!
[   28.284455][    T1] Loading compiled-in module X.509 certificates
[   28.295355][    T1] Loaded X.509 cert 'Build time autogenerated kernel key: 6ff01a4b96c932563103f4d4fff2d5d5224413d4'
[   28.306295][    T1] ima: Allocated hash algorithm: sha256
[   28.311992][    T1] ima: No architecture policies found
[   28.317903][    T1] evm: Initialising EVM extended attributes:
[   28.323988][    T1] evm: security.selinux (disabled)
[   28.329111][    T1] evm: security.SMACK64 (disabled)
[   28.334298][    T1] evm: security.SMACK64EXEC (disabled)
[   28.340638][    T1] evm: security.SMACK64TRANSMUTE (disabled)
[   28.346557][    T1] evm: security.SMACK64MMAP (disabled)
[   28.352203][    T1] evm: security.apparmor
[   28.356464][    T1] evm: security.ima
[   28.360293][    T1] evm: security.capability
[   28.364715][    T1] evm: HMAC attrs: 0x1
[   28.371158][    T1] PM:   Magic number: 3:991:932
[   28.379710][    T1] printk: console [netcon0] enabled
[   28.384982][    T1] netconsole: network logging started
[   28.390833][    T1] gtp: GTP module loaded (pdp ctx size 104 bytes)
[   28.398542][    T1] rdma_rxe: loaded
[   28.403224][    T1] cfg80211: Loading compiled-in X.509 certificates for regulatory database
[   28.415177][    T1] Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
[   28.423103][   T54] platform regulatory.0: Direct firmware load for regulatory.db failed with error -2
[   28.432796][   T54] platform regulatory.0: Falling back to sysfs fallback for: regulatory.db
[   28.442788][    T1] clk: Disabling unused clocks
[   28.448246][    T1] ALSA device list:
[   28.452320][    T1]   #0: Dummy 1
[   28.456220][    T1]   #1: Loopback 1
[   28.459931][    T1]   #2: Virtual MIDI Card 1
[   28.466828][    T1] md: Waiting for all devices to be available before autodetect
[   28.474753][    T1] md: If you don't use raid, use raid=noautodetect
[   28.481592][    T1] md: Autodetecting RAID arrays.
[   28.486591][    T1] md: autorun ...
[   28.490209][    T1] md: ... autorun DONE.
[   28.550861][    T1] EXT4-fs (sda1): mounted filesystem 5941fea2-f5fa-4b4e-b5ef-9af118b27b95 ro with ordered data mode. Quota mode: none.
[   28.563733][    T1] VFS: Mounted root (ext4 filesystem) readonly on device 8:1.
[   28.584466][    T1] devtmpfs: mounted
[   28.752930][    T1] Freeing unused kernel image (initmem) memory: 3396K
[   28.759784][    T1] Write protecting the kernel read-only data: 188416k
[   28.769443][    T1] Freeing unused kernel image (rodata/data gap) memory: 700K
[   28.896155][    T1] x86/mm: Checked W+X mappings: passed, no W+X pages found.
[   28.908769][    T1] Failed to set sysctl parameter 'max_rcu_stall_to_panic=1': parameter not found
[   28.918782][    T1] Run /sbin/init as init process
[   28.923727][    T1]   with arguments:
[   28.927591][    T1]     /sbin/init
[   28.931132][    T1]   with environment:
[   28.935216][    T1]     HOME=/
[   28.938421][    T1]     TERM=linux
[   28.941948][    T1]     spec_store_bypass_disable=prctl
[   28.947789][    T1]     BOOT_IMAGE=/boot/bzImage
[   29.033669][    T1] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
[   29.045504][    T1] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
[   29.053923][    T1] CPU: 1 PID: 1 Comm: init Not tainted 6.5.0-rc7-next-20230822-syzkaller-dirty #0
[   29.063122][    T1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
[   29.073176][    T1] RIP: 0010:do_raw_spin_lock+0x6e/0x2b0
[   29.078757][    T1] Code: 81 48 8d 54 05 00 c7 02 f1 f1 f1 f1 c7 42 04 04 f3 f3 f3 65 48 8b 14 25 28 00 00 00 48 89 54 24 60 31 d2 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 e3
[   29.098364][    T1] RSP: 0000:ffffc90000067b28 EFLAGS: 00010247
[   29.104512][    T1] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
[   29.112477][    T1] RDX: 0000000000000000 RSI: ffffffff8ae8fc60 RDI: 0000000000000004
[   29.120616][    T1] RBP: 1ffff9200000cf66 R08: 0000000000000000 R09: fffffbfff1d9ba3a
[   29.128598][    T1] R10: ffffffff8ecdd1d7 R11: ffffffff8a3cdc9d R12: 0000000000000000
[   29.136743][    T1] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000680000
[   29.144714][    T1] FS:  0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
[   29.153649][    T1] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   29.160258][    T1] CR2: 00007ffc17ddb229 CR3: 0000000026fb0000 CR4: 00000000003506e0
[   29.168335][    T1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   29.176321][    T1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   29.184297][    T1] Call Trace:
[   29.187574][    T1]  <TASK>
[   29.190504][    T1]  ? show_regs+0x8f/0xa0
[   29.194762][    T1]  ? die_addr+0x4f/0xd0
[   29.198926][    T1]  ? exc_general_protection+0x154/0x230
[   29.204761][    T1]  ? asm_exc_general_protection+0x26/0x30
[   29.210679][    T1]  ? syscall_exit_to_user_mode+0x1d/0x60
[   29.216327][    T1]  ? do_raw_spin_lock+0x6e/0x2b0
[   29.221382][    T1]  ? spin_bug+0x1d0/0x1d0
[   29.225722][    T1]  ? lock_release+0x4bf/0x680
[   29.230413][    T1]  ? dput+0x251/0xfd0
[   29.234447][    T1]  list_lru_add+0xce/0x540
[   29.238877][    T1]  ? dput+0x39/0xfd0
[   29.243068][    T1]  dput+0x87f/0xfd0
[   29.246888][    T1]  proc_kill_sb+0x6d/0x100
[   29.251320][    T1]  deactivate_locked_super+0x19c/0x2d0
[   29.256793][    T1]  deactivate_super+0xde/0x100
[   29.261580][    T1]  cleanup_mnt+0x222/0x3d0
[   29.266442][    T1]  mntput_no_expire+0x864/0xbc0
[   29.271303][    T1]  ? do_raw_spin_unlock+0x173/0x230
[   29.276528][    T1]  ? _raw_spin_unlock+0x28/0x40
[   29.281394][    T1]  ? mnt_get_count+0x1e0/0x1e0
[   29.286165][    T1]  ? _raw_spin_unlock+0x28/0x40
[   29.291024][    T1]  mntput+0x6b/0x90
[   29.294874][    T1]  __fput+0x560/0xa70
[   29.298875][    T1]  task_work_run+0x14d/0x240
[   29.303486][    T1]  ? task_work_cancel+0x30/0x30
[   29.308359][    T1]  ? kernel_execve+0x3f9/0x4e0
[   29.313223][    T1]  exit_to_user_mode_prepare+0x210/0x240
[   29.318874][    T1]  syscall_exit_to_user_mode+0x1d/0x60
[   29.324339][    T1]  ? rest_init+0x2b0/0x2b0
[   29.328762][    T1]  ret_from_fork_asm+0x11/0x20
[   29.333545][    T1]  </TASK>
[   29.336557][    T1] Modules linked in:
[   29.340653][    T1] ---[ end trace 0000000000000000 ]---
[   29.346320][    T1] RIP: 0010:do_raw_spin_lock+0x6e/0x2b0
[   29.351867][    T1] Code: 81 48 8d 54 05 00 c7 02 f1 f1 f1 f1 c7 42 04 04 f3 f3 f3 65 48 8b 14 25 28 00 00 00 48 89 54 24 60 31 d2 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 e3
[   29.371529][    T1] RSP: 0000:ffffc90000067b28 EFLAGS: 00010247
[   29.380525][    T1] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
[   29.388593][    T1] RDX: 0000000000000000 RSI: ffffffff8ae8fc60 RDI: 0000000000000004
[   29.396657][    T1] RBP: 1ffff9200000cf66 R08: 0000000000000000 R09: fffffbfff1d9ba3a
[   29.405013][    T1] R10: ffffffff8ecdd1d7 R11: ffffffff8a3cdc9d R12: 0000000000000000
[   29.413142][    T1] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000680000
[   29.421293][    T1] FS:  0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
[   29.430837][    T1] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   29.437428][    T1] CR2: 00007ffc17ddb229 CR3: 0000000026fb0000 CR4: 00000000003506e0
[   29.445508][    T1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   29.453478][    T1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   29.461546][    T1] Kernel panic - not syncing: Fatal exception
[   29.467789][    T1] Kernel Offset: disabled
[   29.472099][    T1] Rebooting in 86400 seconds..


syzkaller build log:
go env (err=<nil>)

git status (err=<nil>)
HEAD detached at b81ca3f66
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:32: run command via tools/syz-env for best compatibility, see:
Makefile:33: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=b81ca3f66f8d2d8b397c3c1dc5f14e77c2936b1e -X 'github.com/google/syzkaller/prog.gitRevisionDate=20230822-122036'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=b81ca3f66f8d2d8b397c3c1dc5f14e77c2936b1e -X 'github.com/google/syzkaller/prog.gitRevisionDate=20230822-122036'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=b81ca3f66f8d2d8b397c3c1dc5f14e77c2936b1e -X 'github.com/google/syzkaller/prog.gitRevisionDate=20230822-122036'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
	-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
	-DHOSTGOOS_linux=1 -DGIT_REVISION=\"b81ca3f66f8d2d8b397c3c1dc5f14e77c2936b1e\"


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=11f109eba80000


Tested on:

commit:         28c736b0 Add linux-next specific files for 20230822
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
kernel config:  https://syzkaller.appspot.com/x/.config?x=20999f779fa96017
dashboard link: https://syzkaller.appspot.com/bug?extid=f25c61df1ec3d235d52f
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=159e79b0680000



* Re: [syzbot] [kernfs?] KASAN: slab-use-after-free Read in kernfs_test_super
       [not found] <20230827044001.3605-1-hdanton@sina.com>
@ 2023-08-27  5:30 ` syzbot
  0 siblings, 0 replies; 8+ messages in thread
From: syzbot @ 2023-08-27  5:30 UTC
  To: hdanton, linux-kernel, syzkaller-bugs

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

   T1] RPL Segment Routing with IPv6
[   22.143888][    T1] In-situ OAM (IOAM) with IPv6
[   22.150994][    T1] mip6: Mobile IPv6
[   22.161364][    T1] sit: IPv6, IPv4 and MPLS over IPv4 tunneling driver
[   22.179155][    T1] ip6_gre: GRE over IPv6 tunneling driver
[   22.191706][    T1] NET: Registered PF_PACKET protocol family
[   22.199145][    T1] NET: Registered PF_KEY protocol family
[   22.205140][    T1] Bridge firewalling registered
[   22.210671][    T1] NET: Registered PF_X25 protocol family
[   22.216780][    T1] X25: Linux Version 0.2
[   22.296503][    T1] NET: Registered PF_NETROM protocol family
[   22.377913][    T1] NET: Registered PF_ROSE protocol family
[   22.387790][    T1] NET: Registered PF_AX25 protocol family
[   22.393849][    T1] can: controller area network core
[   22.399609][    T1] NET: Registered PF_CAN protocol family
[   22.405627][    T1] can: raw protocol
[   22.409851][    T1] can: broadcast manager protocol
[   22.415185][    T1] can: netlink gateway - max_hops=1
[   22.420907][    T1] can: SAE J1939
[   22.424586][    T1] can: isotp protocol (max_pdu_size 8300)
[   22.431307][    T1] Bluetooth: RFCOMM TTY layer initialized
[   22.437283][    T1] Bluetooth: RFCOMM socket layer initialized
[   22.443663][    T1] Bluetooth: RFCOMM ver 1.11
[   22.449206][    T1] Bluetooth: BNEP (Ethernet Emulation) ver 1.3
[   22.455555][    T1] Bluetooth: BNEP filters: protocol multicast
[   22.462111][    T1] Bluetooth: BNEP socket layer initialized
[   22.468496][    T1] Bluetooth: CMTP (CAPI Emulation) ver 1.0
[   22.474693][    T1] Bluetooth: CMTP socket layer initialized
[   22.480545][    T1] Bluetooth: HIDP (Human Interface Emulation) ver 1.2
[   22.487463][    T1] Bluetooth: HIDP socket layer initialized
[   22.497445][    T1] NET: Registered PF_RXRPC protocol family
[   22.503428][    T1] Key type rxrpc registered
[   22.508789][    T1] Key type rxrpc_s registered
[   22.514308][    T1] NET: Registered PF_KCM protocol family
[   22.520678][    T1] lec:lane_module_init: lec.c: initialized
[   22.526588][    T1] mpoa:atm_mpoa_init: mpc.c: initialized
[   22.532594][    T1] l2tp_core: L2TP core driver, V2.0
[   22.538346][    T1] l2tp_ppp: PPPoL2TP kernel driver, V2.0
[   22.544240][    T1] l2tp_ip: L2TP IP encapsulation support (L2TPv3)
[   22.550976][    T1] l2tp_netlink: L2TP netlink interface
[   22.556596][    T1] l2tp_eth: L2TP ethernet pseudowire support (L2TPv3)
[   22.563621][    T1] l2tp_ip6: L2TP IP encapsulation support for IPv6 (L2TPv3)
[   22.571468][    T1] NET: Registered PF_PHONET protocol family
[   22.578014][    T1] 8021q: 802.1Q VLAN Support v1.8
[   22.598850][    T1] DCCP: Activated CCID 2 (TCP-like)
[   22.604774][    T1] DCCP: Activated CCID 3 (TCP-Friendly Rate Control)
[   22.612016][    T1] DCCP is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list
[   22.623666][    T1] sctp: Hash tables configured (bind 32/56)
[   22.631042][    T1] NET: Registered PF_RDS protocol family
[   22.637590][    T1] Registered RDS/infiniband transport
[   22.643554][    T1] Registered RDS/tcp transport
[   22.648634][    T1] tipc: Activated (version 2.0.0)
[   22.654067][    T1] NET: Registered PF_TIPC protocol family
[   22.660718][    T1] tipc: Started in single node mode
[   22.666750][    T1] NET: Registered PF_SMC protocol family
[   22.672715][    T1] 9pnet: Installing 9P2000 support
[   22.678148][    T1] NET: Registered PF_CAIF protocol family
[   22.691455][    T1] NET: Registered PF_IEEE802154 protocol family
[   22.698427][    T1] Key type dns_resolver registered
[   22.703574][    T1] Key type ceph registered
[   22.708510][    T1] libceph: loaded (mon/osd proto 15/24)
[   22.715393][    T1] batman_adv: B.A.T.M.A.N. advanced 2023.3 (compatibility version 15) loaded
[   22.724699][    T1] openvswitch: Open vSwitch switching datapath
[   22.734037][    T1] NET: Registered PF_VSOCK protocol family
[   22.740995][    T1] mpls_gso: MPLS GSO support
[   22.754002][    T1] start plist test
[   22.761434][    T1] end plist test
[   22.774743][    T1] IPI shorthand broadcast: enabled
[   22.780393][    T1] AVX2 version of gcm_enc/dec engaged.
[   22.786114][    T1] AES CTR mode by8 optimization enabled
[   24.907765][    T1] sched_clock: Marking stable (24860021136, 46836333)->(24908384501, -1527032)
[   24.929653][    T1] registered taskstats version 1
[   24.948815][    T1] Loading compiled-in X.509 certificates
[   24.959723][    T1] Loaded X.509 cert 'Build time autogenerated kernel key: b076a2c54e475ca22371b28873485011e7dd859f'
[   24.975272][    T1] zswap: loaded using pool lzo/zbud
[   25.211781][    T1] debug_vm_pgtable: [debug_vm_pgtable         ]: Validating architecture page table helpers
[   28.158064][    T1] Key type .fscrypt registered
[   28.162837][    T1] Key type fscrypt-provisioning registered
[   28.177370][    T1] kAFS: Red Hat AFS client v0.1 registering.
[   28.201312][    T1] Btrfs loaded, assert=on, ref-verify=on, zoned=yes, fsverity=yes
[   28.209912][    T1] Key type big_key registered
[   28.217693][    T1] Key type encrypted registered
[   28.222659][    T1] AppArmor: AppArmor sha1 policy hashing enabled
[   28.229280][    T1] ima: No TPM chip found, activating TPM-bypass!
[   28.235739][    T1] Loading compiled-in module X.509 certificates
[   28.246592][    T1] Loaded X.509 cert 'Build time autogenerated kernel key: b076a2c54e475ca22371b28873485011e7dd859f'
[   28.257470][    T1] ima: Allocated hash algorithm: sha256
[   28.263308][    T1] ima: No architecture policies found
[   28.269223][    T1] evm: Initialising EVM extended attributes:
[   28.275766][    T1] evm: security.selinux (disabled)
[   28.281188][    T1] evm: security.SMACK64 (disabled)
[   28.286370][    T1] evm: security.SMACK64EXEC (disabled)
[   28.292383][    T1] evm: security.SMACK64TRANSMUTE (disabled)
[   28.298408][    T1] evm: security.SMACK64MMAP (disabled)
[   28.303943][    T1] evm: security.apparmor
[   28.308199][    T1] evm: security.ima
[   28.311986][    T1] evm: security.capability
[   28.316938][    T1] evm: HMAC attrs: 0x1
[   28.323242][    T1] PM:   Magic number: 3:393:366
[   28.331352][    T1] printk: console [netcon0] enabled
[   28.336951][    T1] netconsole: network logging started
[   28.343286][    T1] gtp: GTP module loaded (pdp ctx size 104 bytes)
[   28.351710][    T1] rdma_rxe: loaded
[   28.356689][    T1] cfg80211: Loading compiled-in X.509 certificates for regulatory database
[   28.368757][    T1] Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
[   28.376230][ T2518] platform regulatory.0: Direct firmware load for regulatory.db failed with error -2
[   28.386651][ T2518] platform regulatory.0: Falling back to sysfs fallback for: regulatory.db
[   28.387079][    T1] clk: Disabling unused clocks
[   28.400702][    T1] ALSA device list:
[   28.404510][    T1]   #0: Dummy 1
[   28.408586][    T1]   #1: Loopback 1
[   28.412475][    T1]   #2: Virtual MIDI Card 1
[   28.419437][    T1] md: Waiting for all devices to be available before autodetect
[   28.427528][    T1] md: If you don't use raid, use raid=noautodetect
[   28.434064][    T1] md: Autodetecting RAID arrays.
[   28.439026][    T1] md: autorun ...
[   28.443095][    T1] md: ... autorun DONE.
[   28.518373][    T1] EXT4-fs (sda1): mounted filesystem 5941fea2-f5fa-4b4e-b5ef-9af118b27b95 ro with ordered data mode. Quota mode: none.
[   28.532156][    T1] VFS: Mounted root (ext4 filesystem) readonly on device 8:1.
[   28.544130][    T1] devtmpfs: mounted
[   28.705830][    T1] Freeing unused kernel image (initmem) memory: 3396K
[   28.712759][    T1] Write protecting the kernel read-only data: 188416k
[   28.722628][    T1] Freeing unused kernel image (rodata/data gap) memory: 700K
[   28.850831][    T1] x86/mm: Checked W+X mappings: passed, no W+X pages found.
[   28.862668][    T1] Failed to set sysctl parameter 'max_rcu_stall_to_panic=1': parameter not found
[   28.872769][    T1] Run /sbin/init as init process
[   28.878031][    T1]   with arguments:
[   28.881875][    T1]     /sbin/init
[   28.885406][    T1]   with environment:
[   28.889432][    T1]     HOME=/
[   28.892622][    T1]     TERM=linux
[   28.896156][    T1]     spec_store_bypass_disable=prctl
[   28.901656][    T1]     BOOT_IMAGE=/boot/bzImage
[   28.923260][    T1] general protection fault, probably for non-canonical address 0xdffffc0000000010: 0000 [#1] PREEMPT SMP KASAN
[   28.935261][    T1] KASAN: null-ptr-deref in range [0x0000000000000080-0x0000000000000087]
[   28.944174][    T1] CPU: 1 PID: 1 Comm: init Not tainted 6.5.0-rc7-next-20230822-syzkaller-dirty #0
[   28.953449][    T1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
[   28.963636][    T1] RIP: 0010:do_raw_spin_lock+0x6e/0x2b0
[   28.969485][    T1] Code: 81 48 8d 54 05 00 c7 02 f1 f1 f1 f1 c7 42 04 04 f3 f3 f3 65 48 8b 14 25 28 00 00 00 48 89 54 24 60 31 d2 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 e3
[   28.989805][    T1] RSP: 0000:ffffc90000067b28 EFLAGS: 00010203
[   28.996053][    T1] RAX: dffffc0000000000 RBX: 0000000000000080 RCX: 0000000000000000
[   29.004565][    T1] RDX: 0000000000000010 RSI: ffffffff8ae8fc60 RDI: 0000000000000084
[   29.012980][    T1] RBP: 1ffff9200000cf66 R08: 0000000000000000 R09: fffffbfff1d9ba3a
[   29.021053][    T1] R10: ffffffff8ecdd1d7 R11: ffffffff8a3cdc9d R12: 0000000000000001
[   29.030158][    T1] R13: 0000000000000080 R14: 0000000000000080 R15: 0000000000680000
[   29.038224][    T1] FS:  0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
[   29.048195][    T1] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   29.054876][    T1] CR2: 00007ffcfc6d3c19 CR3: 0000000029462000 CR4: 00000000003506e0
[   29.062944][    T1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   29.070919][    T1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   29.078911][    T1] Call Trace:
[   29.082255][    T1]  <TASK>
[   29.085186][    T1]  ? show_regs+0x8f/0xa0
[   29.089548][    T1]  ? die_addr+0x4f/0xd0
[   29.093887][    T1]  ? exc_general_protection+0x154/0x230
[   29.099564][    T1]  ? asm_exc_general_protection+0x26/0x30
[   29.105314][    T1]  ? syscall_exit_to_user_mode+0x1d/0x60
[   29.110958][    T1]  ? do_raw_spin_lock+0x6e/0x2b0
[   29.116445][    T1]  ? spin_bug+0x1d0/0x1d0
[   29.121142][    T1]  ? lock_release+0x4bf/0x680
[   29.125833][    T1]  ? dput+0x251/0xfd0
[   29.129836][    T1]  list_lru_add+0xce/0x540
[   29.134390][    T1]  ? dput+0x39/0xfd0
[   29.138402][    T1]  dput+0x87f/0xfd0
[   29.142254][    T1]  proc_kill_sb+0x6d/0x100
[   29.146689][    T1]  deactivate_locked_super+0x19c/0x2d0
[   29.152353][    T1]  deactivate_super+0xde/0x100
[   29.157227][    T1]  cleanup_mnt+0x222/0x3d0
[   29.161657][    T1]  mntput_no_expire+0x864/0xbc0
[   29.166632][    T1]  ? do_raw_spin_unlock+0x173/0x230
[   29.171874][    T1]  ? _raw_spin_unlock+0x28/0x40
[   29.176855][    T1]  ? mnt_get_count+0x1e0/0x1e0
[   29.181899][    T1]  ? _raw_spin_unlock+0x28/0x40
[   29.186955][    T1]  mntput+0x6b/0x90
[   29.190962][    T1]  __fput+0x560/0xa70
[   29.195145][    T1]  task_work_run+0x14d/0x240
[   29.199756][    T1]  ? task_work_cancel+0x30/0x30
[   29.204622][    T1]  ? kernel_execve+0x3f9/0x4e0
[   29.209830][    T1]  exit_to_user_mode_prepare+0x210/0x240
[   29.215568][    T1]  syscall_exit_to_user_mode+0x1d/0x60
[   29.221126][    T1]  ? rest_init+0x2b0/0x2b0
[   29.225547][    T1]  ret_from_fork_asm+0x11/0x20
[   29.230361][    T1]  </TASK>
[   29.233475][    T1] Modules linked in:
[   29.237562][    T1] ---[ end trace 0000000000000000 ]---
[   29.243328][    T1] RIP: 0010:do_raw_spin_lock+0x6e/0x2b0
[   29.249089][    T1] Code: 81 48 8d 54 05 00 c7 02 f1 f1 f1 f1 c7 42 04 04 f3 f3 f3 65 48 8b 14 25 28 00 00 00 48 89 54 24 60 31 d2 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 e3
[   29.269244][    T1] RSP: 0000:ffffc90000067b28 EFLAGS: 00010203
[   29.276026][    T1] RAX: dffffc0000000000 RBX: 0000000000000080 RCX: 0000000000000000
[   29.284590][    T1] RDX: 0000000000000010 RSI: ffffffff8ae8fc60 RDI: 0000000000000084
[   29.293010][    T1] RBP: 1ffff9200000cf66 R08: 0000000000000000 R09: fffffbfff1d9ba3a
[   29.301669][    T1] R10: ffffffff8ecdd1d7 R11: ffffffff8a3cdc9d R12: 0000000000000001
[   29.309787][    T1] R13: 0000000000000080 R14: 0000000000000080 R15: 0000000000680000
[   29.318102][    T1] FS:  0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
[   29.327776][    T1] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   29.334660][    T1] CR2: 00007ffcfc6d3c19 CR3: 0000000029462000 CR4: 00000000003506e0
[   29.342695][    T1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   29.350892][    T1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   29.359108][    T1] Kernel panic - not syncing: Fatal exception
[   29.365720][    T1] Kernel Offset: disabled
[   29.370311][    T1] Rebooting in 86400 seconds..


syzkaller build log:
go env (err=<nil>)
GO111MODULE="auto"
GOARCH="amd64"
GOBIN=""
GOCACHE="/syzkaller/.cache/go-build"
GOENV="/syzkaller/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/syzkaller/jobs-2/linux/gopath/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/syzkaller/jobs-2/linux/gopath"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.20.1"
GCCGO="gccgo"
GOAMD64="v1"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod"
GOWORK=""
CGO_CFLAGS="-O2 -g"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-O2 -g"
CGO_FFLAGS="-O2 -g"
CGO_LDFLAGS="-O2 -g"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build1047880574=/tmp/go-build -gno-record-gcc-switches"

git status (err=<nil>)
HEAD detached at b81ca3f66
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:32: run command via tools/syz-env for best compatibility, see:
Makefile:33: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=b81ca3f66f8d2d8b397c3c1dc5f14e77c2936b1e -X 'github.com/google/syzkaller/prog.gitRevisionDate=20230822-122036'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=b81ca3f66f8d2d8b397c3c1dc5f14e77c2936b1e -X 'github.com/google/syzkaller/prog.gitRevisionDate=20230822-122036'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=b81ca3f66f8d2d8b397c3c1dc5f14e77c2936b1e -X 'github.com/google/syzkaller/prog.gitRevisionDate=20230822-122036'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
	-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
	-DHOSTGOOS_linux=1 -DGIT_REVISION=\"b81ca3f66f8d2d8b397c3c1dc5f14e77c2936b1e\"


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=14283c87a80000


Tested on:

commit:         28c736b0 Add linux-next specific files for 20230822
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
kernel config:  https://syzkaller.appspot.com/x/.config?x=20999f779fa96017
dashboard link: https://syzkaller.appspot.com/bug?extid=f25c61df1ec3d235d52f
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=17809340680000



* Re: [syzbot] [kernfs?] KASAN: slab-use-after-free Read in kernfs_test_super
       [not found] <20230827020301.3530-1-hdanton@sina.com>
@ 2023-08-27  3:15 ` syzbot
  0 siblings, 0 replies; 8+ messages in thread
From: syzbot @ 2023-08-27  3:15 UTC (permalink / raw)
  To: hdanton, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in kernfs_test_super

==================================================================
BUG: KASAN: slab-use-after-free in kernfs_test_super+0x122/0x150 fs/kernfs/mount.c:295
Read of size 8 at addr ffff88807559d608 by task syz-executor.3/5904

CPU: 0 PID: 5904 Comm: syz-executor.3 Not tainted 6.5.0-rc7-next-20230822-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:364 [inline]
 print_report+0xc4/0x620 mm/kasan/report.c:475
 kasan_report+0xda/0x110 mm/kasan/report.c:588
 kernfs_test_super+0x122/0x150 fs/kernfs/mount.c:295
 sget_fc+0x582/0x9b0 fs/super.c:776
 kernfs_get_tree+0x198/0x9a0 fs/kernfs/mount.c:346
 sysfs_get_tree+0x41/0x140 fs/sysfs/mount.c:31
 vfs_get_tree+0x8c/0x370 fs/super.c:1711
 do_new_mount fs/namespace.c:3335 [inline]
 path_mount+0x1492/0x1ed0 fs/namespace.c:3662
 do_mount fs/namespace.c:3675 [inline]
 __do_sys_mount fs/namespace.c:3884 [inline]
 __se_sys_mount fs/namespace.c:3861 [inline]
 __x64_sys_mount+0x293/0x310 fs/namespace.c:3861
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fbfa307cae9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fbfa3e170c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007fbfa319bf80 RCX: 00007fbfa307cae9
RDX: 0000000020000300 RSI: 0000000020000080 RDI: 0000000000000000
RBP: 00007fbfa30c847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007fbfa319bf80 R15: 00007ffccce39108
 </TASK>

Allocated by task 5895:
 kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 ____kasan_kmalloc mm/kasan/common.c:374 [inline]
 __kasan_kmalloc+0xa2/0xb0 mm/kasan/common.c:383
 kmalloc include/linux/slab.h:599 [inline]
 kzalloc include/linux/slab.h:720 [inline]
 kernfs_get_tree+0x78/0x9a0 fs/kernfs/mount.c:337
 sysfs_get_tree+0x41/0x140 fs/sysfs/mount.c:31
 vfs_get_tree+0x8c/0x370 fs/super.c:1711
 do_new_mount fs/namespace.c:3335 [inline]
 path_mount+0x1492/0x1ed0 fs/namespace.c:3662
 do_mount fs/namespace.c:3675 [inline]
 __do_sys_mount fs/namespace.c:3884 [inline]
 __se_sys_mount fs/namespace.c:3861 [inline]
 __x64_sys_mount+0x293/0x310 fs/namespace.c:3861
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 5409:
 kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:522
 ____kasan_slab_free mm/kasan/common.c:236 [inline]
 ____kasan_slab_free+0x15b/0x1b0 mm/kasan/common.c:200
 kasan_slab_free include/linux/kasan.h:164 [inline]
 slab_free_hook mm/slub.c:1800 [inline]
 slab_free_freelist_hook+0x114/0x1e0 mm/slub.c:1826
 slab_free mm/slub.c:3809 [inline]
 __kmem_cache_free+0xb8/0x2f0 mm/slub.c:3822
 sysfs_kill_sb+0x21/0x30 fs/sysfs/mount.c:86
 deactivate_locked_super+0xa0/0x2d0 fs/super.c:454
 deactivate_super+0xde/0x100 fs/super.c:504
 cleanup_mnt+0x222/0x3d0 fs/namespace.c:1254
 task_work_run+0x14d/0x240 kernel/task_work.c:179
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
 exit_to_user_mode_prepare+0x210/0x240 kernel/entry/common.c:204
 __syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline]
 syscall_exit_to_user_mode+0x1d/0x60 kernel/entry/common.c:297
 do_syscall_64+0x44/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff88807559d600
 which belongs to the cache kmalloc-64 of size 64
The buggy address is located 8 bytes inside of
 freed 64-byte region [ffff88807559d600, ffff88807559d640)

The buggy address belongs to the physical page:
page:ffffea0001d56740 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7559d
flags: 0xfff00000000800(slab|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000800 ffff888012c41640 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL), pid 4495, tgid 4495 (udevd), ts 112776006479, free_ts 112762382812
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x2cf/0x340 mm/page_alloc.c:1530
 prep_new_page mm/page_alloc.c:1537 [inline]
 get_page_from_freelist+0x10d7/0x31b0 mm/page_alloc.c:3213
 __alloc_pages+0x1d0/0x4a0 mm/page_alloc.c:4469
 alloc_pages+0x1a9/0x270 mm/mempolicy.c:2298
 alloc_slab_page mm/slub.c:1870 [inline]
 allocate_slab+0x251/0x380 mm/slub.c:2017
 new_slab mm/slub.c:2070 [inline]
 ___slab_alloc+0x8be/0x1570 mm/slub.c:3223
 __slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3322
 __slab_alloc_node mm/slub.c:3375 [inline]
 slab_alloc_node mm/slub.c:3468 [inline]
 __kmem_cache_alloc_node+0x137/0x350 mm/slub.c:3517
 __do_kmalloc_node mm/slab_common.c:1022 [inline]
 __kmalloc+0x4f/0x100 mm/slab_common.c:1036
 kmalloc include/linux/slab.h:603 [inline]
 kzalloc include/linux/slab.h:720 [inline]
 tomoyo_encode2+0x100/0x3d0 security/tomoyo/realpath.c:45
 tomoyo_encode+0x29/0x50 security/tomoyo/realpath.c:80
 tomoyo_realpath_from_path+0x196/0x710 security/tomoyo/realpath.c:283
 tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
 tomoyo_check_open_permission+0x2aa/0x3b0 security/tomoyo/file.c:771
 tomoyo_file_open security/tomoyo/tomoyo.c:332 [inline]
 tomoyo_file_open+0xa8/0xd0 security/tomoyo/tomoyo.c:327
 security_file_open+0x6a/0xe0 security/security.c:2836
 do_dentry_open+0x538/0x1730 fs/open.c:916
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1130 [inline]
 free_unref_page_prepare+0x476/0xa40 mm/page_alloc.c:2342
 free_unref_page+0x33/0x3b0 mm/page_alloc.c:2435
 __unfreeze_partials+0x21d/0x240 mm/slub.c:2655
 qlink_free mm/kasan/quarantine.c:166 [inline]
 qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:185
 kasan_quarantine_reduce+0x18b/0x1d0 mm/kasan/quarantine.c:292
 __kasan_slab_alloc+0x65/0x90 mm/kasan/common.c:305
 kasan_slab_alloc include/linux/kasan.h:188 [inline]
 slab_post_alloc_hook mm/slab.h:762 [inline]
 slab_alloc_node mm/slub.c:3478 [inline]
 __kmem_cache_alloc_node+0x19b/0x350 mm/slub.c:3517
 __do_kmalloc_node mm/slab_common.c:1022 [inline]
 __kmalloc+0x4f/0x100 mm/slab_common.c:1036
 kmalloc include/linux/slab.h:603 [inline]
 tomoyo_realpath_from_path+0xb9/0x710 security/tomoyo/realpath.c:251
 tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
 tomoyo_path_number_perm+0x243/0x590 security/tomoyo/file.c:723
 security_file_ioctl+0x72/0xb0 security/security.c:2647
 __do_sys_ioctl fs/ioctl.c:865 [inline]
 __se_sys_ioctl fs/ioctl.c:857 [inline]
 __x64_sys_ioctl+0xbb/0x210 fs/ioctl.c:857
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Memory state around the buggy address:
 ffff88807559d500: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff88807559d580: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff88807559d600: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
                      ^
 ffff88807559d680: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff88807559d700: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==================================================================


Tested on:

commit:         28c736b0 Add linux-next specific files for 20230822
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=145d11e0680000
kernel config:  https://syzkaller.appspot.com/x/.config?x=20999f779fa96017
dashboard link: https://syzkaller.appspot.com/bug?extid=f25c61df1ec3d235d52f
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1570f187a80000



* [syzbot] [kernfs?] KASAN: slab-use-after-free Read in kernfs_test_super
@ 2023-08-26 16:53 syzbot
  2023-08-28  9:20 ` Christian Brauner
  2023-08-28  9:22 ` Christian Brauner
  0 siblings, 2 replies; 8+ messages in thread
From: syzbot @ 2023-08-26 16:53 UTC (permalink / raw)
  To: brauner, gregkh, jack, linux-fsdevel, linux-kernel, syzkaller-bugs, tj

Hello,

syzbot found the following issue on:

HEAD commit:    28c736b0e92e Add linux-next specific files for 20230822
git tree:       linux-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=15515d53a80000
kernel config:  https://syzkaller.appspot.com/x/.config?x=20999f779fa96017
dashboard link: https://syzkaller.appspot.com/bug?extid=f25c61df1ec3d235d52f
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15783640680000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=164da860680000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/37bc881cd0b2/disk-28c736b0.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/4512f7892b3d/vmlinux-28c736b0.xz
kernel image: https://storage.googleapis.com/syzbot-assets/052fe1287e05/bzImage-28c736b0.xz

The issue was bisected to:

commit 2c18a63b760a0f68f14cb8bb4c3840bb0b63b73e
Author: Christian Brauner <brauner@kernel.org>
Date:   Fri Aug 18 14:00:51 2023 +0000

    super: wait until we passed kill super

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=14e6a360680000
final oops:     https://syzkaller.appspot.com/x/report.txt?x=16e6a360680000
console output: https://syzkaller.appspot.com/x/log.txt?x=12e6a360680000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f25c61df1ec3d235d52f@syzkaller.appspotmail.com
Fixes: 2c18a63b760a ("super: wait until we passed kill super")

==================================================================
BUG: KASAN: slab-use-after-free in kernfs_test_super+0x122/0x150 fs/kernfs/mount.c:295
Read of size 8 at addr ffff88807249d808 by task syz-executor493/5717

CPU: 1 PID: 5717 Comm: syz-executor493 Not tainted 6.5.0-rc7-next-20230822-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:364 [inline]
 print_report+0xc4/0x620 mm/kasan/report.c:475
 kasan_report+0xda/0x110 mm/kasan/report.c:588
 kernfs_test_super+0x122/0x150 fs/kernfs/mount.c:295
 sget_fc+0x582/0x9b0 fs/super.c:778
 kernfs_get_tree+0x198/0x9a0 fs/kernfs/mount.c:346
 sysfs_get_tree+0x41/0x140 fs/sysfs/mount.c:31
 vfs_get_tree+0x8c/0x370 fs/super.c:1713
 do_new_mount fs/namespace.c:3335 [inline]
 path_mount+0x1492/0x1ed0 fs/namespace.c:3662
 do_mount fs/namespace.c:3675 [inline]
 __do_sys_mount fs/namespace.c:3884 [inline]
 __se_sys_mount fs/namespace.c:3861 [inline]
 __x64_sys_mount+0x293/0x310 fs/namespace.c:3861
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f126c3d79c9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff40e973e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f126c3d79c9
RDX: 0000000020000300 RSI: 0000000020000080 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 00007fff40e9741c
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff40e9741c
R13: 0000000000000069 R14: 431bde82d7b634db R15: 00007fff40e97450
 </TASK>

Allocated by task 5716:
 kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 ____kasan_kmalloc mm/kasan/common.c:374 [inline]
 __kasan_kmalloc+0xa2/0xb0 mm/kasan/common.c:383
 kmalloc include/linux/slab.h:599 [inline]
 kzalloc include/linux/slab.h:720 [inline]
 kernfs_get_tree+0x78/0x9a0 fs/kernfs/mount.c:337
 sysfs_get_tree+0x41/0x140 fs/sysfs/mount.c:31
 vfs_get_tree+0x8c/0x370 fs/super.c:1713
 do_new_mount fs/namespace.c:3335 [inline]
 path_mount+0x1492/0x1ed0 fs/namespace.c:3662
 do_mount fs/namespace.c:3675 [inline]
 __do_sys_mount fs/namespace.c:3884 [inline]
 __se_sys_mount fs/namespace.c:3861 [inline]
 __x64_sys_mount+0x293/0x310 fs/namespace.c:3861
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 5053:
 kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:522
 ____kasan_slab_free mm/kasan/common.c:236 [inline]
 ____kasan_slab_free+0x15b/0x1b0 mm/kasan/common.c:200
 kasan_slab_free include/linux/kasan.h:164 [inline]
 slab_free_hook mm/slub.c:1800 [inline]
 slab_free_freelist_hook+0x114/0x1e0 mm/slub.c:1826
 slab_free mm/slub.c:3809 [inline]
 __kmem_cache_free+0xb8/0x2f0 mm/slub.c:3822
 sysfs_kill_sb+0x21/0x30 fs/sysfs/mount.c:86
 deactivate_locked_super+0xa0/0x2d0 fs/super.c:454
 deactivate_super+0xde/0x100 fs/super.c:504
 cleanup_mnt+0x222/0x3d0 fs/namespace.c:1254
 task_work_run+0x14d/0x240 kernel/task_work.c:179
 ptrace_notify+0x10c/0x130 kernel/signal.c:2387
 ptrace_report_syscall include/linux/ptrace.h:411 [inline]
 ptrace_report_syscall_exit include/linux/ptrace.h:473 [inline]
 syscall_exit_work kernel/entry/common.c:252 [inline]
 syscall_exit_to_user_mode_prepare+0x120/0x220 kernel/entry/common.c:279
 __syscall_exit_to_user_mode_work kernel/entry/common.c:284 [inline]
 syscall_exit_to_user_mode+0xd/0x60 kernel/entry/common.c:297
 do_syscall_64+0x44/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff88807249d800
 which belongs to the cache kmalloc-64 of size 64
The buggy address is located 8 bytes inside of
 freed 64-byte region [ffff88807249d800, ffff88807249d840)

The buggy address belongs to the physical page:
page:ffffea0001c92740 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7249d
anon flags: 0xfff00000000800(slab|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000800 ffff888012c41640 ffffea0000a28500 dead000000000005
raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY), pid 4493, tgid 4493 (udevd), ts 94419071514, free_ts 94405327131
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x2cf/0x340 mm/page_alloc.c:1530
 prep_new_page mm/page_alloc.c:1537 [inline]
 get_page_from_freelist+0x10d7/0x31b0 mm/page_alloc.c:3213
 __alloc_pages+0x1d0/0x4a0 mm/page_alloc.c:4469
 alloc_pages+0x1a9/0x270 mm/mempolicy.c:2298
 alloc_slab_page mm/slub.c:1870 [inline]
 allocate_slab+0x251/0x380 mm/slub.c:2017
 new_slab mm/slub.c:2070 [inline]
 ___slab_alloc+0x8be/0x1570 mm/slub.c:3223
 __slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3322
 __slab_alloc_node mm/slub.c:3375 [inline]
 slab_alloc_node mm/slub.c:3468 [inline]
 __kmem_cache_alloc_node+0x137/0x350 mm/slub.c:3517
 __do_kmalloc_node mm/slab_common.c:1022 [inline]
 __kmalloc+0x4f/0x100 mm/slab_common.c:1036
 kmalloc include/linux/slab.h:603 [inline]
 kzalloc include/linux/slab.h:720 [inline]
 tomoyo_encode2+0x100/0x3d0 security/tomoyo/realpath.c:45
 tomoyo_encode+0x29/0x50 security/tomoyo/realpath.c:80
 tomoyo_realpath_from_path+0x196/0x710 security/tomoyo/realpath.c:283
 tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
 tomoyo_path_perm+0x271/0x450 security/tomoyo/file.c:822
 security_inode_getattr+0xf1/0x150 security/security.c:2153
 vfs_getattr fs/stat.c:206 [inline]
 vfs_statx+0x180/0x430 fs/stat.c:281
 vfs_fstatat+0x90/0xb0 fs/stat.c:315
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1130 [inline]
 free_unref_page_prepare+0x476/0xa40 mm/page_alloc.c:2342
 free_unref_page+0x33/0x3b0 mm/page_alloc.c:2435
 mm_free_pgd kernel/fork.c:803 [inline]
 __mmdrop+0xd7/0x490 kernel/fork.c:921
 mmdrop include/linux/sched/mm.h:54 [inline]
 __mmput+0x409/0x4d0 kernel/fork.c:1367
 mmput+0x62/0x70 kernel/fork.c:1378
 exit_mm kernel/exit.c:567 [inline]
 do_exit+0x9b4/0x2a20 kernel/exit.c:861
 do_group_exit+0xd4/0x2a0 kernel/exit.c:1024
 __do_sys_exit_group kernel/exit.c:1035 [inline]
 __se_sys_exit_group kernel/exit.c:1033 [inline]
 __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1033
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Memory state around the buggy address:
 ffff88807249d700: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff88807249d780: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff88807249d800: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
                      ^
 ffff88807249d880: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff88807249d900: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection

If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup
