logfs: GPF in logfs_init_inode

From: Dmitry Vyukov
Date: Sat Sep 03 2016 - 09:17:15 EST


Hello,

The following program triggers a GPF in logfs_init_inode:

// autogenerated by syzkaller (http://github.com/google/syzkaller)
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/sysmacros.h> /* makedev() is declared here on newer glibc */
#include <sys/mount.h>

int main()
{
    /* create a block device node for major 1, minor 0 in the cwd */
    mknodat(AT_FDCWD, "./bus", S_IFBLK, makedev(1, 0));
    /* mounting it as logfs reaches logfs_init_inode and faults */
    mount("./bus", "./bus", "logfs", MS_RELATIME, 0);
    return 0;
}


general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN
Modules linked in:
CPU: 3 PID: 14978 Comm: syz-executor Not tainted 4.8.0-rc3-next-20160825+ #8
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff88006a6c2180 task.stack: ffff880062f08000
RIP: 0010:[<ffffffff8213c531>] [< inline >] i_uid_write include/linux/fs.h:1464
RIP: 0010:[<ffffffff8213c531>] [<ffffffff8213c531>] logfs_init_inode.isra.6+0x111/0x470 fs/logfs/inode.c:212
RSP: 0018:ffff880062f0fae8 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffff880050bab9d0 RCX: ffffc900021d0000
RDX: 000000000000011b RSI: ffff88006a6c29c0 RDI: 00000000000008d8
RBP: ffff880062f0fb10 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff880050babde8
R13: 0000000000000000 R14: ffff8800681fb400 R15: ffff88006bea29c0
FS: 00007f008ad88700(0000) GS:ffff88006d300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000000 CR3: 00000000387a3000 CR4: 00000000000006e0
DR0: 000000000000001e DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
Stack:
ffff8800667fca00 ffffffff8213c890 ffff880050bab9d0 ffffffff8213c890
ffff88006bea2a00 ffff880062f0fb28 ffffffff8213c8c0 ffff8800667fca00
ffff880062f0fb48 ffffffff818bc211 ffff8800667fca00 0000000000000000
Call Trace:
[<ffffffff8213c8c0>] logfs_alloc_inode+0x30/0x40 fs/logfs/inode.c:234
[<ffffffff818bc211>] alloc_inode+0x61/0x180 fs/inode.c:205
[<ffffffff818c29e7>] new_inode_pseudo+0x17/0xe0 fs/inode.c:887
[<ffffffff818c2acc>] new_inode+0x1c/0x40 fs/inode.c:916
[<ffffffff8213d0f1>] logfs_new_meta_inode+0x21/0x120 fs/logfs/inode.c:267
[<ffffffff82156ac2>] logfs_init_mapping+0x42/0x150 fs/logfs/segment.c:912
[< inline >] logfs_read_sb fs/logfs/super.c:446
[< inline >] logfs_get_sb_device fs/logfs/super.c:546
[<ffffffff82159859>] logfs_mount+0x549/0x1b40 fs/logfs/super.c:600
[<ffffffff8186e8cb>] mount_fs+0x9b/0x2f0 fs/super.c:1177
[<ffffffff818ce5da>] vfs_kern_mount+0x7a/0x3e0 fs/namespace.c:948
[< inline >] do_new_mount fs/namespace.c:2393
[<ffffffff818d63e5>] do_mount+0x3d5/0x26b0 fs/namespace.c:2715
[< inline >] SYSC_mount fs/namespace.c:2907
[<ffffffff818d90fb>] SyS_mount+0xab/0x120 fs/namespace.c:2884
[<ffffffff810088ff>] do_syscall_64+0x1df/0x640 arch/x86/entry/common.c:288
[<ffffffff86e107c3>] entry_SYSCALL64_slow_path+0x25/0x25

On commit 0f98f121e1670eaa2a2fbb675e07d6ba7f0e146f of linux-next.