Re: [syzbot] [nilfs?] [mm?] KASAN: slab-use-after-free Read in lru_add_fn

From: syzbot
Date: Thu Jun 13 2024 - 07:27:11 EST


Hello,

syzbot tried to test the proposed patch but the build/boot failed:

rtificates
[ 27.498273][ T1] Loaded X.509 cert 'Build time autogenerated kernel key: 4a58c6313a714cb9b62e9bbc978ba4e72aaa8139'
[ 28.076996][ T1] zswap: loaded using pool lzo/zsmalloc
[ 28.085428][ T1] Demotion targets for Node 0: null
[ 28.089493][ T1] Demotion targets for Node 1: null
[ 28.093331][ T1] debug_vm_pgtable: [debug_vm_pgtable ]: Validating architecture page table helpers
[ 28.129195][ T1] Key type .fscrypt registered
[ 28.132498][ T1] Key type fscrypt-provisioning registered
[ 28.149209][ T1] kAFS: Red Hat AFS client v0.1 registering.
[ 28.176975][ T1] Btrfs loaded, assert=on, ref-verify=on, zoned=yes, fsverity=yes
[ 28.183012][ T1] Key type big_key registered
[ 28.195418][ T4643] cryptomgr_probe (4643) used greatest stack depth: 26640 bytes left
[ 28.203402][ T1] Key type encrypted registered
[ 28.208063][ T1] ima: No TPM chip found, activating TPM-bypass!
[ 28.213408][ T1] Loading compiled-in module X.509 certificates
[ 28.223552][ T1] Loaded X.509 cert 'Build time autogenerated kernel key: 4a58c6313a714cb9b62e9bbc978ba4e72aaa8139'
[ 28.231885][ T1] ima: Allocated hash algorithm: sha256
[ 28.237241][ T1] ima: No architecture policies found
[ 28.241738][ T1] evm: Initialising EVM extended attributes:
[ 28.245792][ T1] evm: security.selinux
[ 28.248896][ T1] evm: security.SMACK64 (disabled)
[ 28.252724][ T1] evm: security.SMACK64EXEC (disabled)
[ 28.256489][ T1] evm: security.SMACK64TRANSMUTE (disabled)
[ 28.261651][ T1] evm: security.SMACK64MMAP (disabled)
[ 28.266334][ T1] evm: security.apparmor (disabled)
[ 28.270097][ T1] evm: security.ima
[ 28.272869][ T1] evm: security.capability
[ 28.275934][ T1] evm: HMAC attrs: 0x1
[ 28.283244][ T1] PM: Magic number: 12:860:276
[ 28.287484][ T1] usb usb16: hash matches
[ 28.290744][ T1] usb usb1-port4: hash matches
[ 28.294300][ T1] tty ttyy4: hash matches
[ 28.297451][ T1] tty tty13: hash matches
[ 28.301166][ T1] printk: legacy console [netcon0] enabled
[ 28.305399][ T1] netconsole: network logging started
[ 28.309897][ T1] gtp: GTP module loaded (pdp ctx size 128 bytes)
[ 28.315953][ T1] rdma_rxe: loaded
[ 28.320305][ T1] cfg80211: Loading compiled-in X.509 certificates for regulatory database
[ 28.330077][ T1] Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
[ 28.336293][ T1] Loaded X.509 cert 'wens: 61c038651aabdcf94bd0ac7ff06c7248db18c600'
[ 28.342579][ T1] clk: Disabling unused clocks
[ 28.344843][ T57] platform regulatory.0: Direct firmware load for regulatory.db failed with error -2
[ 28.345671][ T1] ALSA device list:
[ 28.352355][ T57] platform regulatory.0: Falling back to sysfs fallback for: regulatory.db
[ 28.354733][ T1] #0: Dummy 1
[ 28.363206][ T1] #1: Loopback 1
[ 28.365609][ T1] #2: Virtual MIDI Card 1
[ 28.374509][ T1] md: Waiting for all devices to be available before autodetect
[ 28.377950][ T1] md: If you don't use raid, use raid=noautodetect
[ 28.380791][ T1] md: Autodetecting RAID arrays.
[ 28.383158][ T1] md: autorun ...
[ 28.384821][ T1] md: ... autorun DONE.
[ 28.430411][ T1] EXT4-fs (sda1): mounted filesystem 5941fea2-f5fa-4b4e-b5ef-9af118b27b95 ro with ordered data mode. Quota mode: none.
[ 28.438090][ T1] VFS: Mounted root (ext4 filesystem) readonly on device 8:1.
[ 28.445428][ T1] devtmpfs: mounted
[ 28.550661][ T1] Freeing unused kernel image (initmem) memory: 26024K
[ 28.554436][ T1] Write protecting the kernel read-only data: 204800k
[ 28.587539][ T1] Freeing unused kernel image (rodata/data gap) memory: 1656K
[ 28.749059][ T1] x86/mm: Checked W+X mappings: passed, no W+X pages found.
[ 28.762706][ T1] Failed to set sysctl parameter 'max_rcu_stall_to_panic=1': parameter not found
[ 28.769324][ T1] Run /sbin/init as init process
[ 29.111224][ T1] SELinux: Class mctp_socket not defined in policy.
[ 29.114525][ T1] SELinux: Class anon_inode not defined in policy.
[ 29.117531][ T1] SELinux: Class io_uring not defined in policy.
[ 29.120566][ T1] SELinux: Class user_namespace not defined in policy.
[ 29.123879][ T1] SELinux: the above unknown classes and permissions will be denied
[ 29.262598][ T1] SELinux: policy capability network_peer_controls=1
[ 29.265456][ T1] SELinux: policy capability open_perms=1
[ 29.268086][ T1] SELinux: policy capability extended_socket_class=1
[ 29.271171][ T1] SELinux: policy capability always_check_network=0
[ 29.274533][ T1] SELinux: policy capability cgroup_seclabel=1
[ 29.277510][ T1] SELinux: policy capability nnp_nosuid_transition=1
[ 29.280588][ T1] SELinux: policy capability genfs_seclabel_symlinks=0
[ 29.283870][ T1] SELinux: policy capability ioctl_skip_cloexec=0
[ 29.286828][ T1] SELinux: policy capability userspace_initial_context=0
[ 29.445219][ T1] ------------[ cut here ]------------
[ 29.447605][ T1] WARNING: CPU: 3 PID: 1 at fs/super.c:111 super_lock+0x25a/0x3f0
[ 29.450968][ T1] Modules linked in:
[ 29.452766][ T1] CPU: 3 PID: 1 Comm: init Not tainted 6.10.0-rc3-syzkaller-g2ccbdf43d5e7-dirty #0
[ 29.456852][ T1] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[ 29.461336][ T1] RIP: 0010:super_lock+0x25a/0x3f0
[ 29.463998][ T1] Code: 00 00 00 be ff ff ff ff e8 23 fd ed 08 bf 01 00 00 00 89 c5 89 c6 e8 a5 e3 93 ff 83 fd 01 0f 85 5e fe ff ff e8 97 e8 93 ff 90 <0f> 0b 90 e9 50 fe ff ff e8 89 e8 93 ff 48 89 ef e8 c1 bf 6d ff b9
[ 29.472303][ T1] RSP: 0018:ffffc90000047940 EFLAGS: 00010293
[ 29.474836][ T1] RAX: 0000000000000000 RBX: ffff88801d7c2000 RCX: ffffffff81f9fcab
[ 29.478733][ T1] RDX: ffff8880166f8000 RSI: ffffffff81f9fcb9 RDI: 0000000000000005
[ 29.482754][ T1] RBP: 0000000000000001 R08: 0000000000000005 R09: 0000000000000001
[ 29.486209][ T1] R10: 0000000000000001 R11: 0000000000000003 R12: 0000000000000000
[ 29.489719][ T1] R13: ffff88801d7c2108 R14: ffffffff843c8000 R15: 0000000000000001
[ 29.493572][ T1] FS: 00007fa990752500(0000) GS:ffff88806b300000(0000) knlGS:0000000000000000
[ 29.497349][ T1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 29.499994][ T1] CR2: 0000000000000000 CR3: 000000002d31c000 CR4: 0000000000350ef0
[ 29.503268][ T1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 29.506485][ T1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 29.510003][ T1] Call Trace:
[ 29.511547][ T1] <TASK>
[ 29.513131][ T1] ? show_regs+0x8c/0xa0
[ 29.515097][ T1] ? __warn+0xe5/0x3c0
[ 29.517449][ T1] ? super_lock+0x25a/0x3f0
[ 29.519930][ T1] ? report_bug+0x3c0/0x580
[ 29.522377][ T1] ? handle_bug+0x3d/0x70
[ 29.524428][ T1] ? exc_invalid_op+0x17/0x50
[ 29.526474][ T1] ? asm_exc_invalid_op+0x1a/0x20
[ 29.528544][ T1] ? __pfx_delayed_superblock_init+0x10/0x10
[ 29.531076][ T1] ? super_lock+0x24b/0x3f0
[ 29.533337][ T1] ? super_lock+0x259/0x3f0
[ 29.535613][ T1] ? super_lock+0x25a/0x3f0
[ 29.537958][ T1] ? __pfx_super_lock+0x10/0x10
[ 29.539985][ T1] ? __pfx_lock_release+0x10/0x10
[ 29.542146][ T1] ? do_raw_spin_lock+0x12d/0x2c0
[ 29.544241][ T1] ? __pfx_do_raw_spin_lock+0x10/0x10
[ 29.546860][ T1] ? __pfx_delayed_superblock_init+0x10/0x10
[ 29.549606][ T1] iterate_supers+0xb9/0x240
[ 29.551299][ T1] selinux_policy_commit+0x8cf/0xb50
[ 29.553913][ T1] ? __pfx_selinux_policy_commit+0x10/0x10
[ 29.556233][ T1] sel_write_load+0xc17/0x1c60
[ 29.558255][ T1] ? __pfx_sel_write_load+0x10/0x10
[ 29.560434][ T1] ? __pfx_lock_acquire+0x10/0x10
[ 29.562504][ T1] ? __pfx_down_read_trylock+0x10/0x10
[ 29.565016][ T1] ? __pfx_sel_write_load+0x10/0x10
[ 29.567861][ T1] vfs_write+0x30e/0x11e0
[ 29.569822][ T1] ? __pfx_vfs_write+0x10/0x10
[ 29.572138][ T1] ? do_sys_openat2+0xb1/0x1e0
[ 29.574299][ T1] ? __pfx_do_sys_openat2+0x10/0x10
[ 29.576739][ T1] ? __fget_light+0x173/0x210
[ 29.578933][ T1] ksys_write+0x12f/0x260
[ 29.581014][ T1] ? __pfx_ksys_write+0x10/0x10
[ 29.583566][ T1] do_syscall_64+0xcd/0x250
[ 29.585811][ T1] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 29.588505][ T1] RIP: 0033:0x7fa9908a6bf2
[ 29.590427][ T1] Code: 89 c7 48 89 44 24 08 e8 7b 34 fa ff 48 8b 44 24 08 48 83 c4 28 c3 c3 64 8b 04 25 18 00 00 00 85 c0 75 20 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 76 6f 48 8b 15 07 a2 0d 00 f7 d8 64 89 02 48 83
[ 29.599851][ T1] RSP: 002b:00007fff0724f798 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 29.603501][ T1] RAX: ffffffffffffffda RBX: 000000000000001f RCX: 00007fa9908a6bf2
[ 29.607062][ T1] RDX: 00000000000415ce RSI: 00007fa990673000 RDI: 0000000000000004
[ 29.610435][ T1] RBP: 0000000000000004 R08: 0000000000000005 R09: 0000000000000000
[ 29.614021][ T1] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fa990673000
[ 29.617946][ T1] R13: 00000000000415ce R14: 00007fa990673000 R15: 00007fa9906ec16d
[ 29.621423][ T1] </TASK>
[ 29.622972][ T1] Kernel panic - not syncing: kernel: panic_on_warn set ...
[ 29.626195][ T1] CPU: 3 PID: 1 Comm: init Not tainted 6.10.0-rc3-syzkaller-g2ccbdf43d5e7-dirty #0
[ 29.630064][ T1] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[ 29.634065][ T1] Call Trace:
[ 29.635583][ T1] <TASK>
[ 29.637030][ T1] dump_stack_lvl+0x3d/0x1f0
[ 29.639218][ T1] panic+0x6f5/0x7a0
[ 29.641169][ T1] ? __pfx_panic+0x10/0x10
[ 29.643238][ T1] ? show_trace_log_lvl+0x363/0x500
[ 29.645594][ T1] ? check_panic_on_warn+0x1f/0xb0
[ 29.647902][ T1] ? super_lock+0x25a/0x3f0
[ 29.649860][ T1] check_panic_on_warn+0xab/0xb0
[ 29.652103][ T1] __warn+0xf1/0x3c0
[ 29.653742][ T1] ? super_lock+0x25a/0x3f0
[ 29.655782][ T1] report_bug+0x3c0/0x580
[ 29.657433][ T1] handle_bug+0x3d/0x70
[ 29.658883][ T1] exc_invalid_op+0x17/0x50
[ 29.660432][ T1] asm_exc_invalid_op+0x1a/0x20
[ 29.662230][ T1] RIP: 0010:super_lock+0x25a/0x3f0
[ 29.664395][ T1] Code: 00 00 00 be ff ff ff ff e8 23 fd ed 08 bf 01 00 00 00 89 c5 89 c6 e8 a5 e3 93 ff 83 fd 01 0f 85 5e fe ff ff e8 97 e8 93 ff 90 <0f> 0b 90 e9 50 fe ff ff e8 89 e8 93 ff 48 89 ef e8 c1 bf 6d ff b9
[ 29.671842][ T1] RSP: 0018:ffffc90000047940 EFLAGS: 00010293
[ 29.674411][ T1] RAX: 0000000000000000 RBX: ffff88801d7c2000 RCX: ffffffff81f9fcab
[ 29.677961][ T1] RDX: ffff8880166f8000 RSI: ffffffff81f9fcb9 RDI: 0000000000000005
[ 29.681331][ T1] RBP: 0000000000000001 R08: 0000000000000005 R09: 0000000000000001
[ 29.684832][ T1] R10: 0000000000000001 R11: 0000000000000003 R12: 0000000000000000
[ 29.687874][ T1] R13: ffff88801d7c2108 R14: ffffffff843c8000 R15: 0000000000000001
[ 29.691398][ T1] ? __pfx_delayed_superblock_init+0x10/0x10
[ 29.693916][ T1] ? super_lock+0x24b/0x3f0
[ 29.695826][ T1] ? super_lock+0x259/0x3f0
[ 29.697741][ T1] ? __pfx_super_lock+0x10/0x10
[ 29.699789][ T1] ? __pfx_lock_release+0x10/0x10
[ 29.701976][ T1] ? do_raw_spin_lock+0x12d/0x2c0
[ 29.703627][ T1] ? __pfx_do_raw_spin_lock+0x10/0x10
[ 29.705590][ T1] ? __pfx_delayed_superblock_init+0x10/0x10
[ 29.708029][ T1] iterate_supers+0xb9/0x240
[ 29.709711][ T1] selinux_policy_commit+0x8cf/0xb50
[ 29.711603][ T1] ? __pfx_selinux_policy_commit+0x10/0x10
[ 29.713750][ T1] sel_write_load+0xc17/0x1c60
[ 29.715547][ T1] ? __pfx_sel_write_load+0x10/0x10
[ 29.717449][ T1] ? __pfx_lock_acquire+0x10/0x10
[ 29.719811][ T1] ? __pfx_down_read_trylock+0x10/0x10
[ 29.722372][ T1] ? __pfx_sel_write_load+0x10/0x10
[ 29.724678][ T1] vfs_write+0x30e/0x11e0
[ 29.726426][ T1] ? __pfx_vfs_write+0x10/0x10
[ 29.728360][ T1] ? do_sys_openat2+0xb1/0x1e0
[ 29.729992][ T1] ? __pfx_do_sys_openat2+0x10/0x10
[ 29.731819][ T1] ? __fget_light+0x173/0x210
[ 29.733440][ T1] ksys_write+0x12f/0x260
[ 29.734819][ T1] ? __pfx_ksys_write+0x10/0x10
[ 29.736566][ T1] do_syscall_64+0xcd/0x250
[ 29.738441][ T1] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 29.740554][ T1] RIP: 0033:0x7fa9908a6bf2
[ 29.742049][ T1] Code: 89 c7 48 89 44 24 08 e8 7b 34 fa ff 48 8b 44 24 08 48 83 c4 28 c3 c3 64 8b 04 25 18 00 00 00 85 c0 75 20 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 76 6f 48 8b 15 07 a2 0d 00 f7 d8 64 89 02 48 83
[ 29.748513][ T1] RSP: 002b:00007fff0724f798 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 29.751715][ T1] RAX: ffffffffffffffda RBX: 000000000000001f RCX: 00007fa9908a6bf2
[ 29.754465][ T1] RDX: 00000000000415ce RSI: 00007fa990673000 RDI: 0000000000000004
[ 29.757170][ T1] RBP: 0000000000000004 R08: 0000000000000005 R09: 0000000000000000
[ 29.760005][ T1] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fa990673000
[ 29.762865][ T1] R13: 00000000000415ce R14: 00007fa990673000 R15: 00007fa9906ec16d
[ 29.765759][ T1] </TASK>
[ 29.767583][ T1] Kernel Offset: disabled
[ 29.769327][ T1] Rebooting in 86400 seconds..


syzkaller build log:

git status (err=<nil>)
HEAD detached at c2e072610
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=c2e0726105cc811a456d900c62443159acc29c32 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240516-163404'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=c2e0726105cc811a456d900c62443159acc29c32 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240516-163404'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -std=c++11 -I. -Iexecutor/_include -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"c2e0726105cc811a456d900c62443159acc29c32\"


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=16473b02980000


Tested on:

commit: 2ccbdf43 Merge tag 'for-linus' of git://git.kernel.org..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
kernel config: https://syzkaller.appspot.com/x/.config?x=b8786f381e62940f
dashboard link: https://syzkaller.appspot.com/bug?extid=d79afb004be235636ee8
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=132d1b36980000