* KASAN: use-after-free Read in btrfs_scan_one_device
@ 2020-09-20 14:12 syzbot
2020-09-21 5:38 ` syzbot
2020-09-30 16:57 ` David Sterba
0 siblings, 2 replies; 12+ messages in thread
From: syzbot @ 2020-09-20 14:12 UTC (permalink / raw)
To: clm, dsterba, josef, linux-btrfs, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: eb5f95f1 Merge tag 's390-5.9-6' of git://git.kernel.org/pu..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10a0a8bb900000
kernel config: https://syzkaller.appspot.com/x/.config?x=ffe85b197a57c180
dashboard link: https://syzkaller.appspot.com/bug?extid=582e66e5edf36a22c7b0
compiler: gcc (GCC) 10.1.0-syz 20200507
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+582e66e5edf36a22c7b0@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in btrfs_printk+0x38b/0x40c fs/btrfs/super.c:245
Read of size 8 at addr ffff8880637006a8 by task syz-executor.2/15287
CPU: 1 PID: 15287 Comm: syz-executor.2 Not tainted 5.9.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x198/0x1fd lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xae/0x497 mm/kasan/report.c:383
__kasan_report mm/kasan/report.c:513 [inline]
kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
btrfs_printk+0x38b/0x40c fs/btrfs/super.c:245
device_list_add.cold+0x58/0x2d2 fs/btrfs/volumes.c:943
btrfs_scan_one_device+0x339/0x4a0 fs/btrfs/volumes.c:1359
btrfs_mount_root+0x4d5/0xbb0 fs/btrfs/super.c:1634
legacy_get_tree+0x105/0x220 fs/fs_context.c:592
vfs_get_tree+0x89/0x2f0 fs/super.c:1547
fc_mount fs/namespace.c:978 [inline]
vfs_kern_mount.part.0+0xd3/0x170 fs/namespace.c:1008
vfs_kern_mount+0x3c/0x60 fs/namespace.c:995
btrfs_mount+0x234/0xaa0 fs/btrfs/super.c:1732
legacy_get_tree+0x105/0x220 fs/fs_context.c:592
vfs_get_tree+0x89/0x2f0 fs/super.c:1547
do_new_mount fs/namespace.c:2875 [inline]
path_mount+0x1387/0x20a0 fs/namespace.c:3192
do_mount fs/namespace.c:3205 [inline]
__do_sys_mount fs/namespace.c:3413 [inline]
__se_sys_mount fs/namespace.c:3390 [inline]
__x64_sys_mount+0x27f/0x300 fs/namespace.c:3390
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x46004a
Code: b8 a6 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 fd 89 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 da 89 fb ff c3 66 0f 1f 84 00 00 00 00 00
RSP: 002b:00007f50d2ce8a88 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007f50d2ce8b20 RCX: 000000000046004a
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007f50d2ce8ae0
RBP: 00007f50d2ce8ae0 R08: 00007f50d2ce8b20 R09: 0000000020000000
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000020000000
R13: 0000000020000100 R14: 0000000020001d40 R15: 0000000020000040
Allocated by task 15246:
kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
kasan_set_track mm/kasan/common.c:56 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:461
kmalloc_node include/linux/slab.h:577 [inline]
kvmalloc_node+0xb4/0xf0 mm/util.c:574
kvmalloc include/linux/mm.h:757 [inline]
kvzalloc include/linux/mm.h:765 [inline]
btrfs_mount_root+0x117/0xbb0 fs/btrfs/super.c:1613
legacy_get_tree+0x105/0x220 fs/fs_context.c:592
vfs_get_tree+0x89/0x2f0 fs/super.c:1547
fc_mount fs/namespace.c:978 [inline]
vfs_kern_mount.part.0+0xd3/0x170 fs/namespace.c:1008
vfs_kern_mount+0x3c/0x60 fs/namespace.c:995
btrfs_mount+0x234/0xaa0 fs/btrfs/super.c:1732
legacy_get_tree+0x105/0x220 fs/fs_context.c:592
vfs_get_tree+0x89/0x2f0 fs/super.c:1547
do_new_mount fs/namespace.c:2875 [inline]
path_mount+0x1387/0x20a0 fs/namespace.c:3192
do_mount fs/namespace.c:3205 [inline]
__do_sys_mount fs/namespace.c:3413 [inline]
__se_sys_mount fs/namespace.c:3390 [inline]
__x64_sys_mount+0x27f/0x300 fs/namespace.c:3390
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Freed by task 15246:
kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
kasan_set_track+0x1c/0x30 mm/kasan/common.c:56
kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:355
__kasan_slab_free+0xd8/0x120 mm/kasan/common.c:422
__cache_free mm/slab.c:3418 [inline]
kfree+0x10e/0x2b0 mm/slab.c:3756
kvfree+0x42/0x50 mm/util.c:603
deactivate_locked_super+0x94/0x160 fs/super.c:335
btrfs_mount_root+0x772/0xbb0 fs/btrfs/super.c:1678
legacy_get_tree+0x105/0x220 fs/fs_context.c:592
vfs_get_tree+0x89/0x2f0 fs/super.c:1547
fc_mount fs/namespace.c:978 [inline]
vfs_kern_mount.part.0+0xd3/0x170 fs/namespace.c:1008
vfs_kern_mount+0x3c/0x60 fs/namespace.c:995
btrfs_mount+0x234/0xaa0 fs/btrfs/super.c:1732
legacy_get_tree+0x105/0x220 fs/fs_context.c:592
vfs_get_tree+0x89/0x2f0 fs/super.c:1547
do_new_mount fs/namespace.c:2875 [inline]
path_mount+0x1387/0x20a0 fs/namespace.c:3192
do_mount fs/namespace.c:3205 [inline]
__do_sys_mount fs/namespace.c:3413 [inline]
__se_sys_mount fs/namespace.c:3390 [inline]
__x64_sys_mount+0x27f/0x300 fs/namespace.c:3390
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
The buggy address belongs to the object at ffff888063700000
which belongs to the cache kmalloc-16k of size 16384
The buggy address is located 1704 bytes inside of
16384-byte region [ffff888063700000, ffff888063704000)
The buggy address belongs to the page:
page:00000000e0472e19 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x63700
head:00000000e0472e19 order:3 compound_mapcount:0 compound_pincount:0
flags: 0xfffe0000010200(slab|head)
raw: 00fffe0000010200 ffffea00024a4c08 ffffea000150ce08 ffff8880aa040b00
raw: 0000000000000000 ffff888063700000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888063700580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888063700600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888063700680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888063700700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888063700780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: KASAN: use-after-free Read in btrfs_scan_one_device
2020-09-20 14:12 KASAN: use-after-free Read in btrfs_scan_one_device syzbot
@ 2020-09-21 5:38 ` syzbot
2020-09-21 8:22 ` Johannes Thumshirn
2020-09-21 8:53 ` Johannes Thumshirn
2020-09-30 16:57 ` David Sterba
1 sibling, 2 replies; 12+ messages in thread
From: syzbot @ 2020-09-21 5:38 UTC (permalink / raw)
To: clm, dsterba, josef, linux-btrfs, linux-kernel, syzkaller-bugs
syzbot has found a reproducer for the following issue on:
HEAD commit: 325d0eab Merge branch 'akpm' (patches from Andrew)
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1512df53900000
kernel config: https://syzkaller.appspot.com/x/.config?x=6a8a2ae52ed737db
dashboard link: https://syzkaller.appspot.com/bug?extid=582e66e5edf36a22c7b0
compiler: clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12366f8b900000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14e6929b900000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+582e66e5edf36a22c7b0@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in btrfs_printk+0x3eb/0x435 fs/btrfs/super.c:245
Read of size 8 at addr ffff8880878e06a8 by task syz-executor225/7068
CPU: 1 PID: 7068 Comm: syz-executor225 Not tainted 5.9.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1d6/0x29e lib/dump_stack.c:118
print_address_description+0x66/0x620 mm/kasan/report.c:383
__kasan_report mm/kasan/report.c:513 [inline]
kasan_report+0x132/0x1d0 mm/kasan/report.c:530
btrfs_printk+0x3eb/0x435 fs/btrfs/super.c:245
device_list_add+0x1a88/0x1d60 fs/btrfs/volumes.c:943
btrfs_scan_one_device+0x196/0x490 fs/btrfs/volumes.c:1359
btrfs_mount_root+0x48f/0xb60 fs/btrfs/super.c:1634
legacy_get_tree+0xea/0x180 fs/fs_context.c:592
vfs_get_tree+0x88/0x270 fs/super.c:1547
fc_mount fs/namespace.c:978 [inline]
vfs_kern_mount+0xc9/0x160 fs/namespace.c:1008
btrfs_mount+0x33c/0xae0 fs/btrfs/super.c:1732
legacy_get_tree+0xea/0x180 fs/fs_context.c:592
vfs_get_tree+0x88/0x270 fs/super.c:1547
do_new_mount fs/namespace.c:2875 [inline]
path_mount+0x179d/0x29e0 fs/namespace.c:3192
do_mount fs/namespace.c:3205 [inline]
__do_sys_mount fs/namespace.c:3413 [inline]
__se_sys_mount+0x126/0x180 fs/namespace.c:3390
do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x44840a
Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 cd a2 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 aa a2 fb ff c3 66 0f 1f 84 00 00 00 00 00
RSP: 002b:00007ffedfffd608 EFLAGS: 00000293 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007ffedfffd670 RCX: 000000000044840a
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffedfffd630
RBP: 00007ffedfffd630 R08: 00007ffedfffd670 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 000000000000001a
R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
Allocated by task 6945:
kasan_save_stack mm/kasan/common.c:48 [inline]
kasan_set_track mm/kasan/common.c:56 [inline]
__kasan_kmalloc+0x100/0x130 mm/kasan/common.c:461
kmalloc_node include/linux/slab.h:577 [inline]
kvmalloc_node+0x81/0x110 mm/util.c:574
kvmalloc include/linux/mm.h:757 [inline]
kvzalloc include/linux/mm.h:765 [inline]
btrfs_mount_root+0xd0/0xb60 fs/btrfs/super.c:1613
legacy_get_tree+0xea/0x180 fs/fs_context.c:592
vfs_get_tree+0x88/0x270 fs/super.c:1547
fc_mount fs/namespace.c:978 [inline]
vfs_kern_mount+0xc9/0x160 fs/namespace.c:1008
btrfs_mount+0x33c/0xae0 fs/btrfs/super.c:1732
legacy_get_tree+0xea/0x180 fs/fs_context.c:592
vfs_get_tree+0x88/0x270 fs/super.c:1547
do_new_mount fs/namespace.c:2875 [inline]
path_mount+0x179d/0x29e0 fs/namespace.c:3192
do_mount fs/namespace.c:3205 [inline]
__do_sys_mount fs/namespace.c:3413 [inline]
__se_sys_mount+0x126/0x180 fs/namespace.c:3390
do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Freed by task 6945:
kasan_save_stack mm/kasan/common.c:48 [inline]
kasan_set_track+0x3d/0x70 mm/kasan/common.c:56
kasan_set_free_info+0x17/0x30 mm/kasan/generic.c:355
__kasan_slab_free+0xdd/0x110 mm/kasan/common.c:422
__cache_free mm/slab.c:3418 [inline]
kfree+0x113/0x200 mm/slab.c:3756
deactivate_locked_super+0xa7/0xf0 fs/super.c:335
btrfs_mount_root+0x72b/0xb60 fs/btrfs/super.c:1678
legacy_get_tree+0xea/0x180 fs/fs_context.c:592
vfs_get_tree+0x88/0x270 fs/super.c:1547
fc_mount fs/namespace.c:978 [inline]
vfs_kern_mount+0xc9/0x160 fs/namespace.c:1008
btrfs_mount+0x33c/0xae0 fs/btrfs/super.c:1732
legacy_get_tree+0xea/0x180 fs/fs_context.c:592
vfs_get_tree+0x88/0x270 fs/super.c:1547
do_new_mount fs/namespace.c:2875 [inline]
path_mount+0x179d/0x29e0 fs/namespace.c:3192
do_mount fs/namespace.c:3205 [inline]
__do_sys_mount fs/namespace.c:3413 [inline]
__se_sys_mount+0x126/0x180 fs/namespace.c:3390
do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
The buggy address belongs to the object at ffff8880878e0000
which belongs to the cache kmalloc-16k of size 16384
The buggy address is located 1704 bytes inside of
16384-byte region [ffff8880878e0000, ffff8880878e4000)
The buggy address belongs to the page:
page:0000000060704f30 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x878e0
head:0000000060704f30 order:3 compound_mapcount:0 compound_pincount:0
flags: 0xfffe0000010200(slab|head)
raw: 00fffe0000010200 ffffea00028e9a08 ffffea00021e3608 ffff8880aa440b00
raw: 0000000000000000 ffff8880878e0000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880878e0580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880878e0600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880878e0680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880878e0700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880878e0780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: KASAN: use-after-free Read in btrfs_scan_one_device
2020-09-21 5:38 ` syzbot
@ 2020-09-21 8:22 ` Johannes Thumshirn
2020-09-21 8:53 ` Johannes Thumshirn
1 sibling, 0 replies; 12+ messages in thread
From: Johannes Thumshirn @ 2020-09-21 8:22 UTC (permalink / raw)
To: syzbot, clm, dsterba, josef, linux-btrfs, linux-kernel, syzkaller-bugs
On 21/09/2020 07:38, syzbot wrote:
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: 325d0eab Merge branch 'akpm' (patches from Andrew)
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1512df53900000
> kernel config: https://syzkaller.appspot.com/x/.config?x=6a8a2ae52ed737db
> dashboard link: https://syzkaller.appspot.com/bug?extid=582e66e5edf36a22c7b0
> compiler: clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12366f8b900000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14e6929b900000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+582e66e5edf36a22c7b0@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: use-after-free in btrfs_printk+0x3eb/0x435 fs/btrfs/super.c:245
> Read of size 8 at addr ffff8880878e06a8 by task syz-executor225/7068
>
> CPU: 1 PID: 7068 Comm: syz-executor225 Not tainted 5.9.0-rc5-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
> __dump_stack lib/dump_stack.c:77 [inline]
> dump_stack+0x1d6/0x29e lib/dump_stack.c:118
> print_address_description+0x66/0x620 mm/kasan/report.c:383
> __kasan_report mm/kasan/report.c:513 [inline]
> kasan_report+0x132/0x1d0 mm/kasan/report.c:530
> btrfs_printk+0x3eb/0x435 fs/btrfs/super.c:245
> device_list_add+0x1a88/0x1d60 fs/btrfs/volumes.c:943
> btrfs_scan_one_device+0x196/0x490 fs/btrfs/volumes.c:1359
> btrfs_mount_root+0x48f/0xb60 fs/btrfs/super.c:1634
> legacy_get_tree+0xea/0x180 fs/fs_context.c:592
> vfs_get_tree+0x88/0x270 fs/super.c:1547
> fc_mount fs/namespace.c:978 [inline]
> vfs_kern_mount+0xc9/0x160 fs/namespace.c:1008
> btrfs_mount+0x33c/0xae0 fs/btrfs/super.c:1732
> legacy_get_tree+0xea/0x180 fs/fs_context.c:592
> vfs_get_tree+0x88/0x270 fs/super.c:1547
> do_new_mount fs/namespace.c:2875 [inline]
> path_mount+0x179d/0x29e0 fs/namespace.c:3192
> do_mount fs/namespace.c:3205 [inline]
> __do_sys_mount fs/namespace.c:3413 [inline]
> __se_sys_mount+0x126/0x180 fs/namespace.c:3390
> do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46
> entry_SYSCALL_64_after_hwframe+0x44/0xa9
> RIP: 0033:0x44840a
> Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 cd a2 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 aa a2 fb ff c3 66 0f 1f 84 00 00 00 00 00
> RSP: 002b:00007ffedfffd608 EFLAGS: 00000293 ORIG_RAX: 00000000000000a5
> RAX: ffffffffffffffda RBX: 00007ffedfffd670 RCX: 000000000044840a
> RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffedfffd630
> RBP: 00007ffedfffd630 R08: 00007ffedfffd670 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000293 R12: 000000000000001a
> R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
>
> Allocated by task 6945:
> kasan_save_stack mm/kasan/common.c:48 [inline]
> kasan_set_track mm/kasan/common.c:56 [inline]
> __kasan_kmalloc+0x100/0x130 mm/kasan/common.c:461
> kmalloc_node include/linux/slab.h:577 [inline]
> kvmalloc_node+0x81/0x110 mm/util.c:574
> kvmalloc include/linux/mm.h:757 [inline]
> kvzalloc include/linux/mm.h:765 [inline]
> btrfs_mount_root+0xd0/0xb60 fs/btrfs/super.c:1613
> legacy_get_tree+0xea/0x180 fs/fs_context.c:592
> vfs_get_tree+0x88/0x270 fs/super.c:1547
> fc_mount fs/namespace.c:978 [inline]
> vfs_kern_mount+0xc9/0x160 fs/namespace.c:1008
> btrfs_mount+0x33c/0xae0 fs/btrfs/super.c:1732
> legacy_get_tree+0xea/0x180 fs/fs_context.c:592
> vfs_get_tree+0x88/0x270 fs/super.c:1547
> do_new_mount fs/namespace.c:2875 [inline]
> path_mount+0x179d/0x29e0 fs/namespace.c:3192
> do_mount fs/namespace.c:3205 [inline]
> __do_sys_mount fs/namespace.c:3413 [inline]
> __se_sys_mount+0x126/0x180 fs/namespace.c:3390
> do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46
> entry_SYSCALL_64_after_hwframe+0x44/0xa9
>
> Freed by task 6945:
> kasan_save_stack mm/kasan/common.c:48 [inline]
> kasan_set_track+0x3d/0x70 mm/kasan/common.c:56
> kasan_set_free_info+0x17/0x30 mm/kasan/generic.c:355
> __kasan_slab_free+0xdd/0x110 mm/kasan/common.c:422
> __cache_free mm/slab.c:3418 [inline]
> kfree+0x113/0x200 mm/slab.c:3756
> deactivate_locked_super+0xa7/0xf0 fs/super.c:335
> btrfs_mount_root+0x72b/0xb60 fs/btrfs/super.c:1678
> legacy_get_tree+0xea/0x180 fs/fs_context.c:592
> vfs_get_tree+0x88/0x270 fs/super.c:1547
> fc_mount fs/namespace.c:978 [inline]
> vfs_kern_mount+0xc9/0x160 fs/namespace.c:1008
> btrfs_mount+0x33c/0xae0 fs/btrfs/super.c:1732
> legacy_get_tree+0xea/0x180 fs/fs_context.c:592
> vfs_get_tree+0x88/0x270 fs/super.c:1547
> do_new_mount fs/namespace.c:2875 [inline]
> path_mount+0x179d/0x29e0 fs/namespace.c:3192
> do_mount fs/namespace.c:3205 [inline]
> __do_sys_mount fs/namespace.c:3413 [inline]
> __se_sys_mount+0x126/0x180 fs/namespace.c:3390
> do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46
> entry_SYSCALL_64_after_hwframe+0x44/0xa9
>
> The buggy address belongs to the object at ffff8880878e0000
> which belongs to the cache kmalloc-16k of size 16384
> The buggy address is located 1704 bytes inside of
> 16384-byte region [ffff8880878e0000, ffff8880878e4000)
> The buggy address belongs to the page:
> page:0000000060704f30 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x878e0
> head:0000000060704f30 order:3 compound_mapcount:0 compound_pincount:0
> flags: 0xfffe0000010200(slab|head)
> raw: 00fffe0000010200 ffffea00028e9a08 ffffea00021e3608 ffff8880aa440b00
> raw: 0000000000000000 ffff8880878e0000 0000000100000001 0000000000000000
> page dumped because: kasan: bad access detected
>
> Memory state around the buggy address:
> ffff8880878e0580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff8880878e0600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> ffff8880878e0680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ^
> ffff8880878e0700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff8880878e0780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ==================================================================
>
>
Could reporoduce this one, working on it
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: KASAN: use-after-free Read in btrfs_scan_one_device
2020-09-21 5:38 ` syzbot
2020-09-21 8:22 ` Johannes Thumshirn
@ 2020-09-21 8:53 ` Johannes Thumshirn
2020-09-21 8:53 ` syzbot
2020-09-21 8:53 ` syzbot
1 sibling, 2 replies; 12+ messages in thread
From: Johannes Thumshirn @ 2020-09-21 8:53 UTC (permalink / raw)
To: syzbot, clm, dsterba, josef, linux-btrfs, linux-kernel, syzkaller-bugs
On 21/09/2020 07:38, syzbot wrote:
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: 325d0eab Merge branch 'akpm' (patches from Andrew)
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1512df53900000
> kernel config: https://syzkaller.appspot.com/x/.config?x=6a8a2ae52ed737db
> dashboard link: https://syzkaller.appspot.com/bug?extid=582e66e5edf36a22c7b0
> compiler: clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12366f8b900000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14e6929b900000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+582e66e5edf36a22c7b0@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: use-after-free in btrfs_printk+0x3eb/0x435 fs/btrfs/super.c:245
> Read of size 8 at addr ffff8880878e06a8 by task syz-executor225/7068
>
> CPU: 1 PID: 7068 Comm: syz-executor225 Not tainted 5.9.0-rc5-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
> __dump_stack lib/dump_stack.c:77 [inline]
> dump_stack+0x1d6/0x29e lib/dump_stack.c:118
> print_address_description+0x66/0x620 mm/kasan/report.c:383
> __kasan_report mm/kasan/report.c:513 [inline]
> kasan_report+0x132/0x1d0 mm/kasan/report.c:530
> btrfs_printk+0x3eb/0x435 fs/btrfs/super.c:245
> device_list_add+0x1a88/0x1d60 fs/btrfs/volumes.c:943
> btrfs_scan_one_device+0x196/0x490 fs/btrfs/volumes.c:1359
> btrfs_mount_root+0x48f/0xb60 fs/btrfs/super.c:1634
> legacy_get_tree+0xea/0x180 fs/fs_context.c:592
> vfs_get_tree+0x88/0x270 fs/super.c:1547
> fc_mount fs/namespace.c:978 [inline]
> vfs_kern_mount+0xc9/0x160 fs/namespace.c:1008
> btrfs_mount+0x33c/0xae0 fs/btrfs/super.c:1732
> legacy_get_tree+0xea/0x180 fs/fs_context.c:592
> vfs_get_tree+0x88/0x270 fs/super.c:1547
> do_new_mount fs/namespace.c:2875 [inline]
> path_mount+0x179d/0x29e0 fs/namespace.c:3192
> do_mount fs/namespace.c:3205 [inline]
> __do_sys_mount fs/namespace.c:3413 [inline]
> __se_sys_mount+0x126/0x180 fs/namespace.c:3390
> do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46
> entry_SYSCALL_64_after_hwframe+0x44/0xa9
> RIP: 0033:0x44840a
> Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 cd a2 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 aa a2 fb ff c3 66 0f 1f 84 00 00 00 00 00
> RSP: 002b:00007ffedfffd608 EFLAGS: 00000293 ORIG_RAX: 00000000000000a5
> RAX: ffffffffffffffda RBX: 00007ffedfffd670 RCX: 000000000044840a
> RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffedfffd630
> RBP: 00007ffedfffd630 R08: 00007ffedfffd670 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000293 R12: 000000000000001a
> R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
>
> Allocated by task 6945:
> kasan_save_stack mm/kasan/common.c:48 [inline]
> kasan_set_track mm/kasan/common.c:56 [inline]
> __kasan_kmalloc+0x100/0x130 mm/kasan/common.c:461
> kmalloc_node include/linux/slab.h:577 [inline]
> kvmalloc_node+0x81/0x110 mm/util.c:574
> kvmalloc include/linux/mm.h:757 [inline]
> kvzalloc include/linux/mm.h:765 [inline]
> btrfs_mount_root+0xd0/0xb60 fs/btrfs/super.c:1613
> legacy_get_tree+0xea/0x180 fs/fs_context.c:592
> vfs_get_tree+0x88/0x270 fs/super.c:1547
> fc_mount fs/namespace.c:978 [inline]
> vfs_kern_mount+0xc9/0x160 fs/namespace.c:1008
> btrfs_mount+0x33c/0xae0 fs/btrfs/super.c:1732
> legacy_get_tree+0xea/0x180 fs/fs_context.c:592
> vfs_get_tree+0x88/0x270 fs/super.c:1547
> do_new_mount fs/namespace.c:2875 [inline]
> path_mount+0x179d/0x29e0 fs/namespace.c:3192
> do_mount fs/namespace.c:3205 [inline]
> __do_sys_mount fs/namespace.c:3413 [inline]
> __se_sys_mount+0x126/0x180 fs/namespace.c:3390
> do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46
> entry_SYSCALL_64_after_hwframe+0x44/0xa9
>
> Freed by task 6945:
> kasan_save_stack mm/kasan/common.c:48 [inline]
> kasan_set_track+0x3d/0x70 mm/kasan/common.c:56
> kasan_set_free_info+0x17/0x30 mm/kasan/generic.c:355
> __kasan_slab_free+0xdd/0x110 mm/kasan/common.c:422
> __cache_free mm/slab.c:3418 [inline]
> kfree+0x113/0x200 mm/slab.c:3756
> deactivate_locked_super+0xa7/0xf0 fs/super.c:335
> btrfs_mount_root+0x72b/0xb60 fs/btrfs/super.c:1678
> legacy_get_tree+0xea/0x180 fs/fs_context.c:592
> vfs_get_tree+0x88/0x270 fs/super.c:1547
> fc_mount fs/namespace.c:978 [inline]
> vfs_kern_mount+0xc9/0x160 fs/namespace.c:1008
> btrfs_mount+0x33c/0xae0 fs/btrfs/super.c:1732
> legacy_get_tree+0xea/0x180 fs/fs_context.c:592
> vfs_get_tree+0x88/0x270 fs/super.c:1547
> do_new_mount fs/namespace.c:2875 [inline]
> path_mount+0x179d/0x29e0 fs/namespace.c:3192
> do_mount fs/namespace.c:3205 [inline]
> __do_sys_mount fs/namespace.c:3413 [inline]
> __se_sys_mount+0x126/0x180 fs/namespace.c:3390
> do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46
> entry_SYSCALL_64_after_hwframe+0x44/0xa9
>
> The buggy address belongs to the object at ffff8880878e0000
> which belongs to the cache kmalloc-16k of size 16384
> The buggy address is located 1704 bytes inside of
> 16384-byte region [ffff8880878e0000, ffff8880878e4000)
> The buggy address belongs to the page:
> page:0000000060704f30 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x878e0
> head:0000000060704f30 order:3 compound_mapcount:0 compound_pincount:0
> flags: 0xfffe0000010200(slab|head)
> raw: 00fffe0000010200 ffffea00028e9a08 ffffea00021e3608 ffff8880aa440b00
> raw: 0000000000000000 ffff8880878e0000 0000000100000001 0000000000000000
> page dumped because: kasan: bad access detected
>
> Memory state around the buggy address:
> ffff8880878e0580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff8880878e0600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> ffff8880878e0680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ^
> ffff8880878e0700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff8880878e0780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ==================================================================
>
>
#syz test: btrfs: Fix missing close devices
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Re: KASAN: use-after-free Read in btrfs_scan_one_device
2020-09-21 8:53 ` Johannes Thumshirn
@ 2020-09-21 8:53 ` syzbot
2020-09-21 8:53 ` syzbot
1 sibling, 0 replies; 12+ messages in thread
From: syzbot @ 2020-09-21 8:53 UTC (permalink / raw)
To: Johannes Thumshirn
Cc: Johannes.Thumshirn, clm, dsterba, josef, linux-btrfs,
linux-kernel, syzkaller-bugs
> On 21/09/2020 07:38, syzbot wrote:
>> syzbot has found a reproducer for the following issue on:
>>
>> HEAD commit: 325d0eab Merge branch 'akpm' (patches from Andrew)
>> git tree: upstream
>> console output: https://syzkaller.appspot.com/x/log.txt?x=1512df53900000
>> kernel config: https://syzkaller.appspot.com/x/.config?x=6a8a2ae52ed737db
>> dashboard link: https://syzkaller.appspot.com/bug?extid=582e66e5edf36a22c7b0
>> compiler: clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
>> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12366f8b900000
>> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14e6929b900000
>>
>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>> Reported-by: syzbot+582e66e5edf36a22c7b0@syzkaller.appspotmail.com
>>
>> ==================================================================
>> BUG: KASAN: use-after-free in btrfs_printk+0x3eb/0x435 fs/btrfs/super.c:245
>> Read of size 8 at addr ffff8880878e06a8 by task syz-executor225/7068
>>
>> CPU: 1 PID: 7068 Comm: syz-executor225 Not tainted 5.9.0-rc5-syzkaller #0
>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
>> Call Trace:
>> __dump_stack lib/dump_stack.c:77 [inline]
>> dump_stack+0x1d6/0x29e lib/dump_stack.c:118
>> print_address_description+0x66/0x620 mm/kasan/report.c:383
>> __kasan_report mm/kasan/report.c:513 [inline]
>> kasan_report+0x132/0x1d0 mm/kasan/report.c:530
>> btrfs_printk+0x3eb/0x435 fs/btrfs/super.c:245
>> device_list_add+0x1a88/0x1d60 fs/btrfs/volumes.c:943
>> btrfs_scan_one_device+0x196/0x490 fs/btrfs/volumes.c:1359
>> btrfs_mount_root+0x48f/0xb60 fs/btrfs/super.c:1634
>> legacy_get_tree+0xea/0x180 fs/fs_context.c:592
>> vfs_get_tree+0x88/0x270 fs/super.c:1547
>> fc_mount fs/namespace.c:978 [inline]
>> vfs_kern_mount+0xc9/0x160 fs/namespace.c:1008
>> btrfs_mount+0x33c/0xae0 fs/btrfs/super.c:1732
>> legacy_get_tree+0xea/0x180 fs/fs_context.c:592
>> vfs_get_tree+0x88/0x270 fs/super.c:1547
>> do_new_mount fs/namespace.c:2875 [inline]
>> path_mount+0x179d/0x29e0 fs/namespace.c:3192
>> do_mount fs/namespace.c:3205 [inline]
>> __do_sys_mount fs/namespace.c:3413 [inline]
>> __se_sys_mount+0x126/0x180 fs/namespace.c:3390
>> do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46
>> entry_SYSCALL_64_after_hwframe+0x44/0xa9
>> RIP: 0033:0x44840a
>> Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 cd a2 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 aa a2 fb ff c3 66 0f 1f 84 00 00 00 00 00
>> RSP: 002b:00007ffedfffd608 EFLAGS: 00000293 ORIG_RAX: 00000000000000a5
>> RAX: ffffffffffffffda RBX: 00007ffedfffd670 RCX: 000000000044840a
>> RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffedfffd630
>> RBP: 00007ffedfffd630 R08: 00007ffedfffd670 R09: 0000000000000000
>> R10: 0000000000000000 R11: 0000000000000293 R12: 000000000000001a
>> R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
>>
>> Allocated by task 6945:
>> kasan_save_stack mm/kasan/common.c:48 [inline]
>> kasan_set_track mm/kasan/common.c:56 [inline]
>> __kasan_kmalloc+0x100/0x130 mm/kasan/common.c:461
>> kmalloc_node include/linux/slab.h:577 [inline]
>> kvmalloc_node+0x81/0x110 mm/util.c:574
>> kvmalloc include/linux/mm.h:757 [inline]
>> kvzalloc include/linux/mm.h:765 [inline]
>> btrfs_mount_root+0xd0/0xb60 fs/btrfs/super.c:1613
>> legacy_get_tree+0xea/0x180 fs/fs_context.c:592
>> vfs_get_tree+0x88/0x270 fs/super.c:1547
>> fc_mount fs/namespace.c:978 [inline]
>> vfs_kern_mount+0xc9/0x160 fs/namespace.c:1008
>> btrfs_mount+0x33c/0xae0 fs/btrfs/super.c:1732
>> legacy_get_tree+0xea/0x180 fs/fs_context.c:592
>> vfs_get_tree+0x88/0x270 fs/super.c:1547
>> do_new_mount fs/namespace.c:2875 [inline]
>> path_mount+0x179d/0x29e0 fs/namespace.c:3192
>> do_mount fs/namespace.c:3205 [inline]
>> __do_sys_mount fs/namespace.c:3413 [inline]
>> __se_sys_mount+0x126/0x180 fs/namespace.c:3390
>> do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46
>> entry_SYSCALL_64_after_hwframe+0x44/0xa9
>>
>> Freed by task 6945:
>> kasan_save_stack mm/kasan/common.c:48 [inline]
>> kasan_set_track+0x3d/0x70 mm/kasan/common.c:56
>> kasan_set_free_info+0x17/0x30 mm/kasan/generic.c:355
>> __kasan_slab_free+0xdd/0x110 mm/kasan/common.c:422
>> __cache_free mm/slab.c:3418 [inline]
>> kfree+0x113/0x200 mm/slab.c:3756
>> deactivate_locked_super+0xa7/0xf0 fs/super.c:335
>> btrfs_mount_root+0x72b/0xb60 fs/btrfs/super.c:1678
>> legacy_get_tree+0xea/0x180 fs/fs_context.c:592
>> vfs_get_tree+0x88/0x270 fs/super.c:1547
>> fc_mount fs/namespace.c:978 [inline]
>> vfs_kern_mount+0xc9/0x160 fs/namespace.c:1008
>> btrfs_mount+0x33c/0xae0 fs/btrfs/super.c:1732
>> legacy_get_tree+0xea/0x180 fs/fs_context.c:592
>> vfs_get_tree+0x88/0x270 fs/super.c:1547
>> do_new_mount fs/namespace.c:2875 [inline]
>> path_mount+0x179d/0x29e0 fs/namespace.c:3192
>> do_mount fs/namespace.c:3205 [inline]
>> __do_sys_mount fs/namespace.c:3413 [inline]
>> __se_sys_mount+0x126/0x180 fs/namespace.c:3390
>> do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46
>> entry_SYSCALL_64_after_hwframe+0x44/0xa9
>>
>> The buggy address belongs to the object at ffff8880878e0000
>> which belongs to the cache kmalloc-16k of size 16384
>> The buggy address is located 1704 bytes inside of
>> 16384-byte region [ffff8880878e0000, ffff8880878e4000)
>> The buggy address belongs to the page:
>> page:0000000060704f30 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x878e0
>> head:0000000060704f30 order:3 compound_mapcount:0 compound_pincount:0
>> flags: 0xfffe0000010200(slab|head)
>> raw: 00fffe0000010200 ffffea00028e9a08 ffffea00021e3608 ffff8880aa440b00
>> raw: 0000000000000000 ffff8880878e0000 0000000100000001 0000000000000000
>> page dumped because: kasan: bad access detected
>>
>> Memory state around the buggy address:
>> ffff8880878e0580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> ffff8880878e0600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>>> ffff8880878e0680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> ^
>> ffff8880878e0700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> ffff8880878e0780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> ==================================================================
>>
>>
>
> #syz test: btrfs: Fix missing close devices
want 2 args (repo, branch), got 5
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Re: KASAN: use-after-free Read in btrfs_scan_one_device
2020-09-21 8:53 ` Johannes Thumshirn
2020-09-21 8:53 ` syzbot
@ 2020-09-21 8:53 ` syzbot
1 sibling, 0 replies; 12+ messages in thread
From: syzbot @ 2020-09-21 8:53 UTC (permalink / raw)
To: Johannes Thumshirn
Cc: Johannes.Thumshirn, clm, dsterba, josef, linux-btrfs,
linux-kernel, syzkaller-bugs
> On 21/09/2020 07:38, syzbot wrote:
>> syzbot has found a reproducer for the following issue on:
>>
>> HEAD commit: 325d0eab Merge branch 'akpm' (patches from Andrew)
>> git tree: upstream
>> console output: https://syzkaller.appspot.com/x/log.txt?x=1512df53900000
>> kernel config: https://syzkaller.appspot.com/x/.config?x=6a8a2ae52ed737db
>> dashboard link: https://syzkaller.appspot.com/bug?extid=582e66e5edf36a22c7b0
>> compiler: clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
>> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12366f8b900000
>> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14e6929b900000
>>
>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>> Reported-by: syzbot+582e66e5edf36a22c7b0@syzkaller.appspotmail.com
>>
>> ==================================================================
>> BUG: KASAN: use-after-free in btrfs_printk+0x3eb/0x435 fs/btrfs/super.c:245
>> Read of size 8 at addr ffff8880878e06a8 by task syz-executor225/7068
>>
>> CPU: 1 PID: 7068 Comm: syz-executor225 Not tainted 5.9.0-rc5-syzkaller #0
>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
>> Call Trace:
>> __dump_stack lib/dump_stack.c:77 [inline]
>> dump_stack+0x1d6/0x29e lib/dump_stack.c:118
>> print_address_description+0x66/0x620 mm/kasan/report.c:383
>> __kasan_report mm/kasan/report.c:513 [inline]
>> kasan_report+0x132/0x1d0 mm/kasan/report.c:530
>> btrfs_printk+0x3eb/0x435 fs/btrfs/super.c:245
>> device_list_add+0x1a88/0x1d60 fs/btrfs/volumes.c:943
>> btrfs_scan_one_device+0x196/0x490 fs/btrfs/volumes.c:1359
>> btrfs_mount_root+0x48f/0xb60 fs/btrfs/super.c:1634
>> legacy_get_tree+0xea/0x180 fs/fs_context.c:592
>> vfs_get_tree+0x88/0x270 fs/super.c:1547
>> fc_mount fs/namespace.c:978 [inline]
>> vfs_kern_mount+0xc9/0x160 fs/namespace.c:1008
>> btrfs_mount+0x33c/0xae0 fs/btrfs/super.c:1732
>> legacy_get_tree+0xea/0x180 fs/fs_context.c:592
>> vfs_get_tree+0x88/0x270 fs/super.c:1547
>> do_new_mount fs/namespace.c:2875 [inline]
>> path_mount+0x179d/0x29e0 fs/namespace.c:3192
>> do_mount fs/namespace.c:3205 [inline]
>> __do_sys_mount fs/namespace.c:3413 [inline]
>> __se_sys_mount+0x126/0x180 fs/namespace.c:3390
>> do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46
>> entry_SYSCALL_64_after_hwframe+0x44/0xa9
>> RIP: 0033:0x44840a
>> Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 cd a2 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 aa a2 fb ff c3 66 0f 1f 84 00 00 00 00 00
>> RSP: 002b:00007ffedfffd608 EFLAGS: 00000293 ORIG_RAX: 00000000000000a5
>> RAX: ffffffffffffffda RBX: 00007ffedfffd670 RCX: 000000000044840a
>> RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffedfffd630
>> RBP: 00007ffedfffd630 R08: 00007ffedfffd670 R09: 0000000000000000
>> R10: 0000000000000000 R11: 0000000000000293 R12: 000000000000001a
>> R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
>>
>> Allocated by task 6945:
>> kasan_save_stack mm/kasan/common.c:48 [inline]
>> kasan_set_track mm/kasan/common.c:56 [inline]
>> __kasan_kmalloc+0x100/0x130 mm/kasan/common.c:461
>> kmalloc_node include/linux/slab.h:577 [inline]
>> kvmalloc_node+0x81/0x110 mm/util.c:574
>> kvmalloc include/linux/mm.h:757 [inline]
>> kvzalloc include/linux/mm.h:765 [inline]
>> btrfs_mount_root+0xd0/0xb60 fs/btrfs/super.c:1613
>> legacy_get_tree+0xea/0x180 fs/fs_context.c:592
>> vfs_get_tree+0x88/0x270 fs/super.c:1547
>> fc_mount fs/namespace.c:978 [inline]
>> vfs_kern_mount+0xc9/0x160 fs/namespace.c:1008
>> btrfs_mount+0x33c/0xae0 fs/btrfs/super.c:1732
>> legacy_get_tree+0xea/0x180 fs/fs_context.c:592
>> vfs_get_tree+0x88/0x270 fs/super.c:1547
>> do_new_mount fs/namespace.c:2875 [inline]
>> path_mount+0x179d/0x29e0 fs/namespace.c:3192
>> do_mount fs/namespace.c:3205 [inline]
>> __do_sys_mount fs/namespace.c:3413 [inline]
>> __se_sys_mount+0x126/0x180 fs/namespace.c:3390
>> do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46
>> entry_SYSCALL_64_after_hwframe+0x44/0xa9
>>
>> Freed by task 6945:
>> kasan_save_stack mm/kasan/common.c:48 [inline]
>> kasan_set_track+0x3d/0x70 mm/kasan/common.c:56
>> kasan_set_free_info+0x17/0x30 mm/kasan/generic.c:355
>> __kasan_slab_free+0xdd/0x110 mm/kasan/common.c:422
>> __cache_free mm/slab.c:3418 [inline]
>> kfree+0x113/0x200 mm/slab.c:3756
>> deactivate_locked_super+0xa7/0xf0 fs/super.c:335
>> btrfs_mount_root+0x72b/0xb60 fs/btrfs/super.c:1678
>> legacy_get_tree+0xea/0x180 fs/fs_context.c:592
>> vfs_get_tree+0x88/0x270 fs/super.c:1547
>> fc_mount fs/namespace.c:978 [inline]
>> vfs_kern_mount+0xc9/0x160 fs/namespace.c:1008
>> btrfs_mount+0x33c/0xae0 fs/btrfs/super.c:1732
>> legacy_get_tree+0xea/0x180 fs/fs_context.c:592
>> vfs_get_tree+0x88/0x270 fs/super.c:1547
>> do_new_mount fs/namespace.c:2875 [inline]
>> path_mount+0x179d/0x29e0 fs/namespace.c:3192
>> do_mount fs/namespace.c:3205 [inline]
>> __do_sys_mount fs/namespace.c:3413 [inline]
>> __se_sys_mount+0x126/0x180 fs/namespace.c:3390
>> do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46
>> entry_SYSCALL_64_after_hwframe+0x44/0xa9
>>
>> The buggy address belongs to the object at ffff8880878e0000
>> which belongs to the cache kmalloc-16k of size 16384
>> The buggy address is located 1704 bytes inside of
>> 16384-byte region [ffff8880878e0000, ffff8880878e4000)
>> The buggy address belongs to the page:
>> page:0000000060704f30 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x878e0
>> head:0000000060704f30 order:3 compound_mapcount:0 compound_pincount:0
>> flags: 0xfffe0000010200(slab|head)
>> raw: 00fffe0000010200 ffffea00028e9a08 ffffea00021e3608 ffff8880aa440b00
>> raw: 0000000000000000 ffff8880878e0000 0000000100000001 0000000000000000
>> page dumped because: kasan: bad access detected
>>
>> Memory state around the buggy address:
>> ffff8880878e0580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> ffff8880878e0600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>>> ffff8880878e0680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> ^
>> ffff8880878e0700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> ffff8880878e0780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> ==================================================================
>>
>>
>
> #syz test: btrfs: Fix missing close devices
want 2 args (repo, branch), got 5
>
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/SN4PR0401MB3598EE548546274CFDD618AA9B3A0%40SN4PR0401MB3598.namprd04.prod.outlook.com.
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: KASAN: use-after-free Read in btrfs_scan_one_device
2020-09-20 14:12 KASAN: use-after-free Read in btrfs_scan_one_device syzbot
2020-09-21 5:38 ` syzbot
@ 2020-09-30 16:57 ` David Sterba
2020-09-30 18:05 ` David Sterba
1 sibling, 1 reply; 12+ messages in thread
From: David Sterba @ 2020-09-30 16:57 UTC (permalink / raw)
To: syzbot; +Cc: clm, dsterba, josef, linux-btrfs, linux-kernel, syzkaller-bugs
On Sun, Sep 20, 2020 at 07:12:14AM -0700, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: eb5f95f1 Merge tag 's390-5.9-6' of git://git.kernel.org/pu..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=10a0a8bb900000
> kernel config: https://syzkaller.appspot.com/x/.config?x=ffe85b197a57c180
> dashboard link: https://syzkaller.appspot.com/bug?extid=582e66e5edf36a22c7b0
> compiler: gcc (GCC) 10.1.0-syz 20200507
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+582e66e5edf36a22c7b0@syzkaller.appspotmail.com
#syz fix: btrfs: fix overflow when copying corrupt csums for a message
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: KASAN: use-after-free Read in btrfs_scan_one_device
2020-09-30 16:57 ` David Sterba
@ 2020-09-30 18:05 ` David Sterba
2020-10-01 13:05 ` Dmitry Vyukov
0 siblings, 1 reply; 12+ messages in thread
From: David Sterba @ 2020-09-30 18:05 UTC (permalink / raw)
To: dsterba, syzbot, clm, dsterba, josef, linux-btrfs, linux-kernel,
syzkaller-bugs
On Wed, Sep 30, 2020 at 06:57:56PM +0200, David Sterba wrote:
> On Sun, Sep 20, 2020 at 07:12:14AM -0700, syzbot wrote:
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit: eb5f95f1 Merge tag 's390-5.9-6' of git://git.kernel.org/pu..
> > git tree: upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=10a0a8bb900000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=ffe85b197a57c180
> > dashboard link: https://syzkaller.appspot.com/bug?extid=582e66e5edf36a22c7b0
> > compiler: gcc (GCC) 10.1.0-syz 20200507
> >
> > Unfortunately, I don't have any reproducer for this issue yet.
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+582e66e5edf36a22c7b0@syzkaller.appspotmail.com
>
> #syz fix: btrfs: fix overflow when copying corrupt csums for a message
Johannes spotted that this is not the right fix for this report, I don't
know how to tell syzbot to revert the 'fix:' command, there isn't
'unfix' (like there's 'undup').
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: KASAN: use-after-free Read in btrfs_scan_one_device
2020-09-30 18:05 ` David Sterba
@ 2020-10-01 13:05 ` Dmitry Vyukov
2020-10-01 13:08 ` Dmitry Vyukov
0 siblings, 1 reply; 12+ messages in thread
From: Dmitry Vyukov @ 2020-10-01 13:05 UTC (permalink / raw)
To: dsterba, syzbot, Chris Mason, dsterba, Josef Bacik, linux-btrfs,
LKML, syzkaller-bugs
On Wed, Sep 30, 2020 at 8:06 PM David Sterba <dsterba@suse.cz> wrote:
>
> On Wed, Sep 30, 2020 at 06:57:56PM +0200, David Sterba wrote:
> > On Sun, Sep 20, 2020 at 07:12:14AM -0700, syzbot wrote:
> > > Hello,
> > >
> > > syzbot found the following issue on:
> > >
> > > HEAD commit: eb5f95f1 Merge tag 's390-5.9-6' of git://git.kernel.org/pu..
> > > git tree: upstream
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=10a0a8bb900000
> > > kernel config: https://syzkaller.appspot.com/x/.config?x=ffe85b197a57c180
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=582e66e5edf36a22c7b0
> > > compiler: gcc (GCC) 10.1.0-syz 20200507
> > >
> > > Unfortunately, I don't have any reproducer for this issue yet.
> > >
> > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > Reported-by: syzbot+582e66e5edf36a22c7b0@syzkaller.appspotmail.com
> >
> > #syz fix: btrfs: fix overflow when copying corrupt csums for a message
>
> Johannes spotted that this is not the right fix for this report, I don't
> know how to tell syzbot to revert the 'fix:' command, there isn't
> 'unfix' (like there's 'undup').
Hi David,
I've added "unfix" command:
https://github.com/google/syzkaller/pull/2156
Let's give it a try:
#syz unfix
Thanks
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: KASAN: use-after-free Read in btrfs_scan_one_device
2020-10-01 13:05 ` Dmitry Vyukov
@ 2020-10-01 13:08 ` Dmitry Vyukov
2020-10-01 13:35 ` David Sterba
0 siblings, 1 reply; 12+ messages in thread
From: Dmitry Vyukov @ 2020-10-01 13:08 UTC (permalink / raw)
To: dsterba, syzbot, Chris Mason, dsterba, Josef Bacik, linux-btrfs,
LKML, syzkaller-bugs
On Thu, Oct 1, 2020 at 3:05 PM Dmitry Vyukov <dvyukov@google.com> wrote:
>
> On Wed, Sep 30, 2020 at 8:06 PM David Sterba <dsterba@suse.cz> wrote:
> >
> > On Wed, Sep 30, 2020 at 06:57:56PM +0200, David Sterba wrote:
> > > On Sun, Sep 20, 2020 at 07:12:14AM -0700, syzbot wrote:
> > > > Hello,
> > > >
> > > > syzbot found the following issue on:
> > > >
> > > > HEAD commit: eb5f95f1 Merge tag 's390-5.9-6' of git://git.kernel.org/pu..
> > > > git tree: upstream
> > > > console output: https://syzkaller.appspot.com/x/log.txt?x=10a0a8bb900000
> > > > kernel config: https://syzkaller.appspot.com/x/.config?x=ffe85b197a57c180
> > > > dashboard link: https://syzkaller.appspot.com/bug?extid=582e66e5edf36a22c7b0
> > > > compiler: gcc (GCC) 10.1.0-syz 20200507
> > > >
> > > > Unfortunately, I don't have any reproducer for this issue yet.
> > > >
> > > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > > Reported-by: syzbot+582e66e5edf36a22c7b0@syzkaller.appspotmail.com
> > >
> > > #syz fix: btrfs: fix overflow when copying corrupt csums for a message
> >
> > Johannes spotted that this is not the right fix for this report, I don't
> > know how to tell syzbot to revert the 'fix:' command, there isn't
> > 'unfix' (like there's 'undup').
>
> Hi David,
>
> I've added "unfix" command:
> https://github.com/google/syzkaller/pull/2156
>
> Let's give it a try:
> #syz unfix
>
> Thanks
Voilà! Unfixed:
https://syzkaller.appspot.com/bug?extid=582e66e5edf36a22c7b0
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: KASAN: use-after-free Read in btrfs_scan_one_device
2020-10-01 13:08 ` Dmitry Vyukov
@ 2020-10-01 13:35 ` David Sterba
2020-10-12 20:56 ` Rustam Kovhaev
0 siblings, 1 reply; 12+ messages in thread
From: David Sterba @ 2020-10-01 13:35 UTC (permalink / raw)
To: Dmitry Vyukov
Cc: dsterba, syzbot, Chris Mason, dsterba, Josef Bacik, linux-btrfs,
LKML, syzkaller-bugs
On Thu, Oct 01, 2020 at 03:08:34PM +0200, Dmitry Vyukov wrote:
> On Thu, Oct 1, 2020 at 3:05 PM Dmitry Vyukov <dvyukov@google.com> wrote:
> >
> > On Wed, Sep 30, 2020 at 8:06 PM David Sterba <dsterba@suse.cz> wrote:
> > >
> > > On Wed, Sep 30, 2020 at 06:57:56PM +0200, David Sterba wrote:
> > > > On Sun, Sep 20, 2020 at 07:12:14AM -0700, syzbot wrote:
> > > > > Hello,
> > > > >
> > > > > syzbot found the following issue on:
> > > > >
> > > > > HEAD commit: eb5f95f1 Merge tag 's390-5.9-6' of git://git.kernel.org/pu..
> > > > > git tree: upstream
> > > > > console output: https://syzkaller.appspot.com/x/log.txt?x=10a0a8bb900000
> > > > > kernel config: https://syzkaller.appspot.com/x/.config?x=ffe85b197a57c180
> > > > > dashboard link: https://syzkaller.appspot.com/bug?extid=582e66e5edf36a22c7b0
> > > > > compiler: gcc (GCC) 10.1.0-syz 20200507
> > > > >
> > > > > Unfortunately, I don't have any reproducer for this issue yet.
> > > > >
> > > > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > > > Reported-by: syzbot+582e66e5edf36a22c7b0@syzkaller.appspotmail.com
> > > >
> > > > #syz fix: btrfs: fix overflow when copying corrupt csums for a message
> > >
> > > Johannes spotted that this is not the right fix for this report, I don't
> > > know how to tell syzbot to revert the 'fix:' command, there isn't
> > > 'unfix' (like there's 'undup').
> >
> > Hi David,
> >
> > I've added "unfix" command:
> > https://github.com/google/syzkaller/pull/2156
> >
> > Let's give it a try:
> > #syz unfix
> >
> > Thanks
>
> Voilà! Unfixed:
> https://syzkaller.appspot.com/bug?extid=582e66e5edf36a22c7b0
Thanks!
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: KASAN: use-after-free Read in btrfs_scan_one_device
2020-10-01 13:35 ` David Sterba
@ 2020-10-12 20:56 ` Rustam Kovhaev
0 siblings, 0 replies; 12+ messages in thread
From: Rustam Kovhaev @ 2020-10-12 20:56 UTC (permalink / raw)
To: dsterba, Dmitry Vyukov, Chris Mason, dsterba, Josef Bacik,
linux-btrfs, LKML, syzkaller-bugs
Cc: gregkh
On Thu, Oct 01, 2020 at 03:35:46PM +0200, David Sterba wrote:
> On Thu, Oct 01, 2020 at 03:08:34PM +0200, Dmitry Vyukov wrote:
> > On Thu, Oct 1, 2020 at 3:05 PM Dmitry Vyukov <dvyukov@google.com> wrote:
> > >
> > > On Wed, Sep 30, 2020 at 8:06 PM David Sterba <dsterba@suse.cz> wrote:
> > > >
> > > > On Wed, Sep 30, 2020 at 06:57:56PM +0200, David Sterba wrote:
> > > > > On Sun, Sep 20, 2020 at 07:12:14AM -0700, syzbot wrote:
> > > > > > Hello,
> > > > > >
> > > > > > syzbot found the following issue on:
> > > > > >
> > > > > > HEAD commit: eb5f95f1 Merge tag 's390-5.9-6' of git://git.kernel.org/pu..
> > > > > > git tree: upstream
> > > > > > console output: https://syzkaller.appspot.com/x/log.txt?x=10a0a8bb900000
> > > > > > kernel config: https://syzkaller.appspot.com/x/.config?x=ffe85b197a57c180
> > > > > > dashboard link: https://syzkaller.appspot.com/bug?extid=582e66e5edf36a22c7b0
> > > > > > compiler: gcc (GCC) 10.1.0-syz 20200507
> > > > > >
> > > > > > Unfortunately, I don't have any reproducer for this issue yet.
> > > > > >
> > > > > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > > > > Reported-by: syzbot+582e66e5edf36a22c7b0@syzkaller.appspotmail.com
> > > > >
> > > > > #syz fix: btrfs: fix overflow when copying corrupt csums for a message
> > > >
> > > > Johannes spotted that this is not the right fix for this report, I don't
> > > > know how to tell syzbot to revert the 'fix:' command, there isn't
> > > > 'unfix' (like there's 'undup').
> > >
> > > Hi David,
> > >
> > > I've added "unfix" command:
> > > https://github.com/google/syzkaller/pull/2156
> > >
> > > Let's give it a try:
> > > #syz unfix
> > >
> > > Thanks
> >
> > Voilà ! Unfixed:
> > https://syzkaller.appspot.com/bug?extid=582e66e5edf36a22c7b0
>
> Thanks!
the problem is that btrfs_kill_super() frees *fs_info while it is still
being referenced by btrfs_scan_one_device() on behalf of another
concurrent mount syscall
a very simple and dumb fix is to remove that printk that references
*fs_info:
https://syzkaller.appspot.com/text?tag=Patch&x=123537fb900000
but instead, i think proper synchronization is needed here
any advice or pointers would be highly appreciated
tyvm!
^ permalink raw reply [flat|nested] 12+ messages in thread
end of thread, other threads:[~2020-10-12 20:55 UTC | newest]
Thread overview: 12+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-09-20 14:12 KASAN: use-after-free Read in btrfs_scan_one_device syzbot
2020-09-21 5:38 ` syzbot
2020-09-21 8:22 ` Johannes Thumshirn
2020-09-21 8:53 ` Johannes Thumshirn
2020-09-21 8:53 ` syzbot
2020-09-21 8:53 ` syzbot
2020-09-30 16:57 ` David Sterba
2020-09-30 18:05 ` David Sterba
2020-10-01 13:05 ` Dmitry Vyukov
2020-10-01 13:08 ` Dmitry Vyukov
2020-10-01 13:35 ` David Sterba
2020-10-12 20:56 ` Rustam Kovhaev
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).