Re: [syzbot] [fs?] KASAN: slab-use-after-free Read in test_bdev_super_fc

From: Christoph Hellwig
Date: Fri Aug 04 2023 - 06:15:02 EST


FYI, I can reproduce this trivially locally, but even after spending a
significant time with the trace I'm still puzzled at what is going
on. I've started trying to make sense of the lockdep report about
returning to userspace with s_umount held, originall locked in
get_tree_bdev and am still missing how it could happen.

On Thu, Aug 03, 2023 at 03:14:58PM -0700, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: d7b3af5a77e8 Add linux-next specific files for 20230728
> git tree: linux-next
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=15a26181a80000
> kernel config: https://syzkaller.appspot.com/x/.config?x=62dd327c382e3fe
> dashboard link: https://syzkaller.appspot.com/bug?extid=2faac0423fdc9692822b
> compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15f98b26a80000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14fb7009a80000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/5efa5e68267f/disk-d7b3af5a.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/b1f5d3e10263/vmlinux-d7b3af5a.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/57cab469d186/bzImage-d7b3af5a.xz
>
> The issue was bisected to:
>
> commit 1dbd9ceb390c4c61d28cf2c9251dd2015946ce51
> Author: Jan Kara <jack@xxxxxxx>
> Date: Mon Jul 24 17:51:45 2023 +0000
>
> fs: open block device after superblock creation
>
> bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=173870c5a80000
> final oops: https://syzkaller.appspot.com/x/report.txt?x=14b870c5a80000
> console output: https://syzkaller.appspot.com/x/log.txt?x=10b870c5a80000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+2faac0423fdc9692822b@xxxxxxxxxxxxxxxxxxxxxxxxx
> Fixes: 1dbd9ceb390c ("fs: open block device after superblock creation")
>
> MTD: Attempt to mount non-MTD device "/dev/nullb0"
> ==================================================================
> BUG: KASAN: slab-use-after-free in test_bdev_super_fc+0x10a/0x110 fs/super.c:1242
> Read of size 8 at addr ffff88807887e058 by task syz-executor798/5042
>
> CPU: 1 PID: 5042 Comm: syz-executor798 Not tainted 6.5.0-rc3-next-20230728-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2023
> Call Trace:
> <TASK>
> __dump_stack lib/dump_stack.c:88 [inline]
> dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
> print_address_description mm/kasan/report.c:364 [inline]
> print_report+0xc4/0x620 mm/kasan/report.c:475
> kasan_report+0xda/0x110 mm/kasan/report.c:588
> test_bdev_super_fc+0x10a/0x110 fs/super.c:1242
> sget_fc+0x584/0x860 fs/super.c:574
> get_tree_bdev+0x13e/0x6a0 fs/super.c:1323
> romfs_get_tree fs/romfs/super.c:561 [inline]
> romfs_get_tree+0x4e/0x60 fs/romfs/super.c:552
> vfs_get_tree+0x88/0x350 fs/super.c:1521
> do_new_mount fs/namespace.c:3335 [inline]
> path_mount+0x1492/0x1ed0 fs/namespace.c:3662
> do_mount fs/namespace.c:3675 [inline]
> __do_sys_mount fs/namespace.c:3884 [inline]
> __se_sys_mount fs/namespace.c:3861 [inline]
> __x64_sys_mount+0x293/0x310 fs/namespace.c:3861
> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
> entry_SYSCALL_64_after_hwframe+0x63/0xcd
> RIP: 0033:0x7f8cfb721359
> Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007fffc0205068 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
> RAX: ffffffffffffffda RBX: 00007fffc02050b0 RCX: 00007f8cfb721359
> RDX: 0000000020000040 RSI: 0000000020000080 RDI: 00000000200000c0
> RBP: 0000000000000000 R08: 0000000000000000 R09: 00000000000f4240
> R10: 0000000000000005 R11: 0000000000000246 R12: 00000000000f4240
> R13: 00007fffc0205338 R14: 00007fffc020509c R15: 00007f8cfb76a06a
> </TASK>
>
> Allocated by task 5038:
> kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
> kasan_set_track+0x25/0x30 mm/kasan/common.c:52
> ____kasan_kmalloc mm/kasan/common.c:374 [inline]
> __kasan_kmalloc+0xa2/0xb0 mm/kasan/common.c:383
> kmalloc include/linux/slab.h:599 [inline]
> kzalloc include/linux/slab.h:720 [inline]
> alloc_super+0x52/0xb40 fs/super.c:202
> sget_fc+0x142/0x860 fs/super.c:580
> get_tree_bdev+0x13e/0x6a0 fs/super.c:1323
> romfs_get_tree fs/romfs/super.c:561 [inline]
> romfs_get_tree+0x4e/0x60 fs/romfs/super.c:552
> vfs_get_tree+0x88/0x350 fs/super.c:1521
> do_new_mount fs/namespace.c:3335 [inline]
> path_mount+0x1492/0x1ed0 fs/namespace.c:3662
> do_mount fs/namespace.c:3675 [inline]
> __do_sys_mount fs/namespace.c:3884 [inline]
> __se_sys_mount fs/namespace.c:3861 [inline]
> __x64_sys_mount+0x293/0x310 fs/namespace.c:3861
> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
> entry_SYSCALL_64_after_hwframe+0x63/0xcd
>
> Freed by task 4776:
> kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
> kasan_set_track+0x25/0x30 mm/kasan/common.c:52
> kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:522
> ____kasan_slab_free mm/kasan/common.c:236 [inline]
> ____kasan_slab_free+0x15e/0x1b0 mm/kasan/common.c:200
> kasan_slab_free include/linux/kasan.h:162 [inline]
> slab_free_hook mm/slub.c:1800 [inline]
> slab_free_freelist_hook+0x114/0x1e0 mm/slub.c:1826
> slab_free mm/slub.c:3809 [inline]
> __kmem_cache_free+0xb8/0x2f0 mm/slub.c:3822
> process_one_work+0xaa2/0x16f0 kernel/workqueue.c:2603
> worker_thread+0x687/0x1110 kernel/workqueue.c:2754
> kthread+0x33a/0x430 kernel/kthread.c:389
> ret_from_fork+0x2c/0x70 arch/x86/kernel/process.c:145
> ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
>
> Last potentially related work creation:
> kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
> __kasan_record_aux_stack+0xbc/0xd0 mm/kasan/generic.c:492
> insert_work+0x4a/0x330 kernel/workqueue.c:1559
> __queue_work+0x5f5/0x1040 kernel/workqueue.c:1720
> queue_work_on+0xed/0x110 kernel/workqueue.c:1750
> rcu_do_batch kernel/rcu/tree.c:2139 [inline]
> rcu_core+0x7fb/0x1bb0 kernel/rcu/tree.c:2403
> __do_softirq+0x218/0x965 kernel/softirq.c:553
>
> Second to last potentially related work creation:
> kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
> __kasan_record_aux_stack+0xbc/0xd0 mm/kasan/generic.c:492
> __call_rcu_common.constprop.0+0x9a/0x790 kernel/rcu/tree.c:2653
> __put_super fs/super.c:345 [inline]
> put_super fs/super.c:309 [inline]
> deactivate_locked_super+0x144/0x170 fs/super.c:341
> get_tree_bdev+0x4c7/0x6a0 fs/super.c:1347
> romfs_get_tree fs/romfs/super.c:561 [inline]
> romfs_get_tree+0x4e/0x60 fs/romfs/super.c:552
> vfs_get_tree+0x88/0x350 fs/super.c:1521
> do_new_mount fs/namespace.c:3335 [inline]
> path_mount+0x1492/0x1ed0 fs/namespace.c:3662
> do_mount fs/namespace.c:3675 [inline]
> __do_sys_mount fs/namespace.c:3884 [inline]
> __se_sys_mount fs/namespace.c:3861 [inline]
> __x64_sys_mount+0x293/0x310 fs/namespace.c:3861
> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
> entry_SYSCALL_64_after_hwframe+0x63/0xcd
>
> The buggy address belongs to the object at ffff88807887e000
> which belongs to the cache kmalloc-4k of size 4096
> The buggy address is located 88 bytes inside of
> freed 4096-byte region [ffff88807887e000, ffff88807887f000)
>
> The buggy address belongs to the physical page:
> page:ffffea0001e21e00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x78878
> head:ffffea0001e21e00 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
> flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
> page_type: 0xffffffff()
> raw: 00fff00000010200 ffff888012842140 dead000000000122 0000000000000000
> raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
> page dumped because: kasan: bad access detected
> page_owner tracks the page as allocated
> page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5038, tgid 5038 (syz-executor798), ts 42876874060, free_ts 42820208731
> set_page_owner include/linux/page_owner.h:31 [inline]
> post_alloc_hook+0x2d2/0x350 mm/page_alloc.c:1569
> prep_new_page mm/page_alloc.c:1576 [inline]
> get_page_from_freelist+0x10d7/0x31b0 mm/page_alloc.c:3256
> __alloc_pages+0x1d0/0x4a0 mm/page_alloc.c:4512
> alloc_pages+0x1a9/0x270 mm/mempolicy.c:2279
> alloc_slab_page mm/slub.c:1870 [inline]
> allocate_slab+0x24e/0x380 mm/slub.c:2017
> new_slab mm/slub.c:2070 [inline]
> ___slab_alloc+0x8bc/0x1570 mm/slub.c:3223
> __slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3322
> __slab_alloc_node mm/slub.c:3375 [inline]
> slab_alloc_node mm/slub.c:3468 [inline]
> __kmem_cache_alloc_node+0x137/0x350 mm/slub.c:3517
> __do_kmalloc_node mm/slab_common.c:1023 [inline]
> __kmalloc+0x4f/0x100 mm/slab_common.c:1037
> kmalloc include/linux/slab.h:603 [inline]
> tomoyo_realpath_from_path+0xb9/0x710 security/tomoyo/realpath.c:251
> tomoyo_mount_acl+0x1af/0x880 security/tomoyo/mount.c:105
> tomoyo_mount_permission+0x16d/0x410 security/tomoyo/mount.c:237
> security_sb_mount+0x86/0xd0 security/security.c:1361
> path_mount+0x129/0x1ed0 fs/namespace.c:3604
> do_mount fs/namespace.c:3675 [inline]
> __do_sys_mount fs/namespace.c:3884 [inline]
> __se_sys_mount fs/namespace.c:3861 [inline]
> __x64_sys_mount+0x293/0x310 fs/namespace.c:3861
> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
> page last free stack trace:
> reset_page_owner include/linux/page_owner.h:24 [inline]
> free_pages_prepare mm/page_alloc.c:1160 [inline]
> free_unref_page_prepare+0x508/0xb90 mm/page_alloc.c:2383
> free_unref_page+0x33/0x3b0 mm/page_alloc.c:2478
> __unfreeze_partials+0x21d/0x240 mm/slub.c:2655
> qlink_free mm/kasan/quarantine.c:166 [inline]
> qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:185
> kasan_quarantine_reduce+0x18b/0x1d0 mm/kasan/quarantine.c:292
> __kasan_slab_alloc+0x65/0x90 mm/kasan/common.c:305
> kasan_slab_alloc include/linux/kasan.h:186 [inline]
> slab_post_alloc_hook mm/slab.h:762 [inline]
> slab_alloc_node mm/slub.c:3478 [inline]
> slab_alloc mm/slub.c:3486 [inline]
> __kmem_cache_alloc_lru mm/slub.c:3493 [inline]
> kmem_cache_alloc+0x172/0x3b0 mm/slub.c:3502
> kmem_cache_zalloc include/linux/slab.h:710 [inline]
> locks_alloc_lock fs/locks.c:271 [inline]
> flock_lock_inode+0xb7f/0xfe0 fs/locks.c:1039
> flock_lock_inode_wait fs/locks.c:2018 [inline]
> locks_lock_inode_wait+0x1c7/0x450 fs/locks.c:2045
> locks_lock_file_wait include/linux/filelock.h:346 [inline]
> __do_sys_flock+0x403/0x4c0 fs/locks.c:2115
> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
> entry_SYSCALL_64_after_hwframe+0x63/0xcd
>
> Memory state around the buggy address:
> ffff88807887df00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ffff88807887df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> >ffff88807887e000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ^
> ffff88807887e080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff88807887e100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ==================================================================
>
>
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@xxxxxxxxxxxxxxxx.
>
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection
>
> If the bug is already fixed, let syzbot know by replying with:
> #syz fix: exact-commit-title
>
> If you want syzbot to run the reproducer, reply with:
> #syz test: git://repo/address.git branch-or-commit-hash
> If you attach or paste a git patch, syzbot will apply it before testing.
>
> If you want to change bug's subsystems, reply with:
> #syz set subsystems: new-subsystem
> (See the list of subsystem names on the web dashboard)
>
> If the bug is a duplicate of another bug, reply with:
> #syz dup: exact-subject-of-another-report
>
> If you want to undo deduplication, reply with:
> #syz undup
---end quoted text---