Re: KASAN: invalid-access Read in kmem_cache_destroy

From: Dmitry Vyukov
Date: Mon May 03 2021 - 04:30:35 EST


On Thu, Jan 28, 2021 at 2:25 PM Vincenzo Frascino
<vincenzo.frascino@xxxxxxx> wrote:
> On 1/28/21 12:43 PM, Dmitry Vyukov wrote:
> > On Thu, Jan 28, 2021 at 1:30 PM Vincenzo Frascino
> > <vincenzo.frascino@xxxxxxx> wrote:
> >>
> >> On 1/27/21 7:50 PM, Andrey Konovalov wrote:
> >>> On Wed, Jan 27, 2021 at 6:44 PM Mark Brown <broonie@xxxxxxxxxx> wrote:
> >>>>
> >>>> On Wed, Jan 27, 2021 at 06:14:13PM +0100, Dmitry Vyukov wrote:
> >>>>> On Wed, Jan 27, 2021 at 5:58 PM syzbot
> >>>>> <syzbot+2a52b6c31dbefb1e9d9f@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> >>>>>>
> >>>>>> Hello,
> >>>>>>
> >>>>>> syzbot found the following issue on:
> >>>>>>
> >>>>>> HEAD commit: 2ab38c17 mailmap: remove the "repo-abbrev" comment
> >>>>>> git tree: upstream
> >>>>>> console output: https://syzkaller.appspot.com/x/log.txt?x=12eb4ad8d00000
> >>>>>> kernel config: https://syzkaller.appspot.com/x/.config?x=ad43be24faf1194c
> >>>>>> dashboard link: https://syzkaller.appspot.com/bug?extid=2a52b6c31dbefb1e9d9f
> >>>>>> userspace arch: arm64
> >>>>>>
> >>>>>> Unfortunately, I don't have any reproducer for this issue yet.
> >>>>>>
> >>>>>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> >>>>>> Reported-by: syzbot+2a52b6c31dbefb1e9d9f@xxxxxxxxxxxxxxxxxxxxxxxxx
> >>>>>
> >>>>> This happens on arm64 instance with MTE enabled.
> >>>>> I don't see any corresponding reports on x86_64. So I would assume
> >>>>> it's a generic latent bug, or probably more likely a bug in MTE
> >>>>> support.
> >>>>
> >>>> Copying in Vincenso who's done a bunch of MTE stuff recently.
> >>>
> >>> Could be the same issue as:
> >>>
> >>> https://lkml.org/lkml/2021/1/27/1109
> >>>
> >>
> >> I had a look at the trace and I agree with Andrey it seems the same issue.
> >
> >
> > #syz fix: Revert "mm/slub: fix a memory leak in sysfs_slab_add()"
> >
>
> Thanks for the confirmation.


This was also just detected by KFENCE:
https://lore.kernel.org/lkml/0000000000003f654905c168b09d@xxxxxxxxxx/
I think it's a real bug in F2FS and MTE report was correct, but we mis-read it.