Re: [syzbot] [kvm?] KASAN: wild-memory-access Read in __timer_delete_sync
From: Sean Christopherson
Date: Fri Aug 16 2024 - 14:31:51 EST
On Mon, May 27, 2024, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 1613e604df0c Linux 6.10-rc1
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=10672b3f180000
> kernel config: https://syzkaller.appspot.com/x/.config?x=733cc7a95171d8e7
> dashboard link: https://syzkaller.appspot.com/bug?extid=d74d6f2cf5cb486c708f
> compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> userspace arch: i386
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> Downloadable assets:
> disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7bc7510fe41f/non_bootable_disk-1613e604.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/bdfe02141e4c/vmlinux-1613e604.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/9e655c2629f1/bzImage-1613e604.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+d74d6f2cf5cb486c708f@xxxxxxxxxxxxxxxxxxxxxxxxx
>
> bcachefs (loop0): shutting down
> bcachefs (loop0): shutdown complete
> ==================================================================
> BUG: KASAN: wild-memory-access in instrument_atomic_read include/linux/instrumented.h:68 [inline]
> BUG: KASAN: wild-memory-access in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
> BUG: KASAN: wild-memory-access in __lock_acquire+0xeba/0x3b30 kernel/locking/lockdep.c:5107
> Read of size 8 at addr 1fffffff8763e898 by task syz-executor.0/11675
>
> CPU: 0 PID: 11675 Comm: syz-executor.0 Not tainted 6.10.0-rc1-syzkaller #0
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
> Call Trace:
> <TASK>
> __dump_stack lib/dump_stack.c:88 [inline]
> dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
> kasan_report+0xd9/0x110 mm/kasan/report.c:601
> check_region_inline mm/kasan/generic.c:183 [inline]
> kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189
> instrument_atomic_read include/linux/instrumented.h:68 [inline]
> _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
> __lock_acquire+0xeba/0x3b30 kernel/locking/lockdep.c:5107
> lock_acquire kernel/locking/lockdep.c:5754 [inline]
> lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719
> __timer_delete_sync+0x152/0x1b0 kernel/time/timer.c:1647
> del_timer_sync include/linux/timer.h:185 [inline]
> cleanup_srcu_struct+0x124/0x520 kernel/rcu/srcutree.c:659
> bch2_fs_btree_iter_exit+0x46e/0x630 fs/bcachefs/btree_iter.c:3410
> __bch2_fs_free fs/bcachefs/super.c:556 [inline]
> bch2_fs_release+0x11b/0x810 fs/bcachefs/super.c:603
> kobject_cleanup lib/kobject.c:689 [inline]
> kobject_release lib/kobject.c:720 [inline]
> kref_put include/linux/kref.h:65 [inline]
> kobject_put+0x1fa/0x5b0 lib/kobject.c:737
> deactivate_locked_super+0xbe/0x1a0 fs/super.c:473
> deactivate_super+0xde/0x100 fs/super.c:506
> cleanup_mnt+0x222/0x450 fs/namespace.c:1267
> task_work_run+0x14e/0x250 kernel/task_work.c:180
> resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
> exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
> exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
> __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
> syscall_exit_to_user_mode+0x278/0x2a0 kernel/entry/common.c:218
> __do_fast_syscall_32+0x80/0x120 arch/x86/entry/common.c:389
> do_fast_syscall_32+0x32/0x80 arch/x86/entry/common.c:411
> entry_SYSENTER_compat_after_hwframe+0x84/0x8e
> RIP: 0023:0xf731b579
> Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
> RSP: 002b:00000000ffc4e538 EFLAGS: 00000292 ORIG_RAX: 0000000000000034
> RAX: 0000000000000000 RBX: 00000000ffc4e5e0 RCX: 0000000000000009
> RDX: 00000000f7471ff4 RSI: 00000000f73c2361 RDI: 00000000ffc4f684
> RBP: 00000000ffc4e5e0 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000
> R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
> </TASK>
> ==================================================================
Re-labeling this to bcachefs, as only one of the splats directly involves KVM,
there were past failures in KVM that were likely caused by bcachefs, and in the
one splat that hit KVM, squashfs complained about possible data corruption between
bcachefs unmounting and KVM dying (see below).
#syz set subsystems: bcachefs
[ 212.712001][ T5229] bcachefs (loop2): shutting down
[ 212.714390][ T5229] bcachefs (loop2): going read-only
[ 212.716673][ T5229] bcachefs (loop2): finished waiting for writes to stop
[ 212.724653][ T5229] bcachefs (loop2): flushing journal and stopping allocators, journal seq 12
[ 212.740723][ T5229] bcachefs (loop2): flushing journal and stopping allocators complete, journal seq 14
[ 212.746964][ T5229] bcachefs (loop2): shutdown complete, journal seq 15
[ 212.750429][ T5229] bcachefs (loop2): marking filesystem clean
...
[ 212.875663][ T9117] loop1: detected capacity change from 0 to 8
[ 212.899637][ T9117] SQUASHFS error: zlib decompression failed, data probably corrupt
[ 212.903051][ T9117] SQUASHFS error: Failed to read block 0x4e8: -5
[ 213.053013][ T9115] ==================================================================
[ 213.056197][ T9115] BUG: KASAN: wild-memory-access in __lock_acquire+0xeba/0x3b30
[ 213.059059][ T9115] Read of size 8 at addr 1fffffff905a0b18 by task syz-executor.1/9115
[ 213.061962][ T9115]
[ 213.062917][ T9115] CPU: 2 PID: 9115 Comm: syz-executor.1 Not tainted 6.10.0-rc5-syzkaller-00012-g626737a5791b #0
[ 213.068867][ T9115] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[ 213.072893][ T9115] Call Trace:
[ 213.074033][ T9115] <TASK>
[ 213.075190][ T9115] dump_stack_lvl+0x116/0x1f0
[ 213.076947][ T9115] kasan_report+0xd9/0x110
[ 213.082231][ T9115] kasan_check_range+0xef/0x1a0
[ 213.083875][ T9115] __lock_acquire+0xeba/0x3b30
[ 213.089050][ T9115] lock_acquire+0x1b1/0x560
[ 213.096435][ T9115] __timer_delete_sync+0x152/0x1b0
[ 213.100058][ T9115] cleanup_srcu_struct+0x124/0x520
[ 213.102146][ T9115] kvm_put_kvm+0x8d3/0xb80
[ 213.105999][ T9115] kvm_vm_release+0x42/0x60
[ 213.107840][ T9115] __fput+0x408/0xbb0
[ 213.109579][ T9115] __fput_sync+0x47/0x50
[ 213.111404][ T9115] __ia32_sys_close+0x86/0x100
[ 213.113458][ T9115] __do_fast_syscall_32+0x73/0x120
[ 213.115472][ T9115] do_fast_syscall_32+0x32/0x80
[ 213.117549][ T9115] entry_SYSENTER_compat_after_hwframe+0x84/0x8e
[ 213.146118][ T9115] </TASK>
[ 213.147157][ T9115] ==================================================================
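The attribution step used in the reply (walk the trace past the shared KASAN/lockdep/timer/SRCU frames to the first subsystem-owned frame), as an added example that is not code from the thread; the INFRA list and the symbol-prefix-to-subsystem map are assumptions, and the two sample traces are trimmed copies of the ones quoted above:

```python
# Added example, not code from the thread: attribute a KASAN wild-memory-access
# hit in __timer_delete_sync to the subsystem whose teardown path called
# cleanup_srcu_struct, which is the reasoning the reply above applies.
import re

# Shared frames (KASAN, lockdep, timer, SRCU) every such splat passes through;
# the owner is the first frame beneath them. Both tables are assumed here.
INFRA = ("dump_stack", "kasan_", "check_region", "instrument_", "test_bit",
         "lock_acquire", "timer_delete_sync", "del_timer_sync", "cleanup_srcu_struct")
OWNERS = {"bch2_": "bcachefs", "kvm_": "kvm"}
# Strips an e-mail quote marker and/or a dmesg "[ ts][ Tpid]" prefix.
PREFIX = re.compile(r"^(?:>\s*)?(?:\[\s*[\d.]+\]\[\s*T\d+\]\s*)?")

def frames(splat: str) -> list[str]:
    """Function names between <TASK> and </TASK>, innermost first."""
    out, inside = [], False
    for line in splat.splitlines():
        body = PREFIX.sub("", line).strip()
        if body == "<TASK>":
            inside = True
        elif body == "</TASK>":
            break
        elif inside and (m := re.match(r"[A-Za-z_][\w.]*", body)):
            out.append(m.group(0))
    return out

def attribute(splat: str) -> tuple[str, str]:
    """Return (subsystem, frame) for the first frame outside INFRA."""
    for fn in frames(splat):
        if fn.lstrip("_").startswith(INFRA):
            continue
        sub = next((n for p, n in OWNERS.items() if fn.startswith(p)), "unknown")
        return sub, fn
    return "unknown", ""

# Constructed samples: trimmed copies of the two traces quoted in the thread.
BCACHEFS_SPLAT = """\
> <TASK>
> kasan_report+0xd9/0x110 mm/kasan/report.c:601
> _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
> __lock_acquire+0xeba/0x3b30 kernel/locking/lockdep.c:5107
> __timer_delete_sync+0x152/0x1b0 kernel/time/timer.c:1647
> cleanup_srcu_struct+0x124/0x520 kernel/rcu/srcutree.c:659
> bch2_fs_btree_iter_exit+0x46e/0x630 fs/bcachefs/btree_iter.c:3410
> </TASK>
"""
KVM_SPLAT = """\
[  213.074033][ T9115]  <TASK>
[  213.083875][ T9115]  __lock_acquire+0xeba/0x3b30
[  213.096435][ T9115]  __timer_delete_sync+0x152/0x1b0
[  213.100058][ T9115]  cleanup_srcu_struct+0x124/0x520
[  213.102146][ T9115]  kvm_put_kvm+0x8d3/0xb80
[  213.146118][ T9115]  </TASK>
"""
```

Feeding the full quoted reports through `attribute` gives the same answers, since the extra KASAN and lockdep frames all fall under INFRA.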