Re: [syzbot] [fs?] KASAN: slab-use-after-free Read in debugfs_u32_get

From: syzbot
Date: Thu Dec 26 2024 - 20:42:10 EST

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

T11] ? __lock_acquire+0x15a9/0x3c40
[ 73.253407][ T11] ? __pfx___lock_acquire+0x10/0x10
[ 73.258607][ T11] lock_acquire.part.0+0x11b/0x380
[ 73.263722][ T11] ? lockref_get+0x15/0x50
[ 73.268145][ T11] ? __pfx_lock_acquire.part.0+0x10/0x10
[ 73.273863][ T11] ? rcu_is_watching+0x12/0xc0
[ 73.278633][ T11] ? trace_lock_acquire+0x14e/0x1f0
[ 73.283930][ T11] ? lockref_get+0x15/0x50
[ 73.288359][ T11] ? lock_acquire+0x2f/0xb0
[ 73.292861][ T11] ? lockref_get+0x15/0x50
[ 73.297287][ T11] _raw_spin_lock+0x2e/0x40
[ 73.301800][ T11] ? lockref_get+0x15/0x50
[ 73.306219][ T11] lockref_get+0x15/0x50
[ 73.310464][ T11] simple_recursive_removal+0x45/0x8e0
[ 73.315922][ T11] ? __pfx_remove_one+0x10/0x10
[ 73.320787][ T11] ? mntput+0x10/0x90
[ 73.324767][ T11] debugfs_remove+0x5d/0x80
[ 73.329278][ T11] nsim_destroy+0x6a/0x6b0
[ 73.333699][ T11] __nsim_dev_port_del+0x189/0x240
[ 73.338818][ T11] nsim_dev_reload_destroy+0x158/0x540
[ 73.344671][ T11] nsim_dev_reload_down+0x6e/0xd0
[ 73.349704][ T11] devlink_reload+0x17f/0x760
[ 73.354385][ T11] ? __pfx_devlink_reload+0x10/0x10
[ 73.359590][ T11] ? devlinks_xa_find_get+0x39/0x260
[ 73.364883][ T11] devlink_pernet_pre_exit+0x1a1/0x2b0
[ 73.370347][ T11] ? __pfx_devlink_pernet_pre_exit+0x10/0x10
[ 73.376332][ T11] ? up_write+0x1b2/0x520
[ 73.380750][ T11] ? kobject_put+0xab/0x5a0
[ 73.385257][ T11] ? __pfx_devlink_pernet_pre_exit+0x10/0x10
[ 73.391241][ T11] cleanup_net+0x488/0xbd0
[ 73.395667][ T11] ? __pfx_cleanup_net+0x10/0x10
[ 73.400620][ T11] ? lock_acquire+0x2f/0xb0
[ 73.405125][ T11] ? process_one_work+0x8bb/0x1b30
[ 73.410423][ T11] process_one_work+0x958/0x1b30
[ 73.415361][ T11] ? __pfx_lock_acquire.part.0+0x10/0x10
[ 73.420992][ T11] ? __pfx_process_one_work+0x10/0x10
[ 73.426364][ T11] ? rcu_is_watching+0x12/0xc0
[ 73.431135][ T11] ? assign_work+0x1a0/0x250
[ 73.435742][ T11] worker_thread+0x6c8/0xf00
[ 73.440332][ T11] ? __pfx_worker_thread+0x10/0x10
[ 73.445443][ T11] kthread+0x2c1/0x3a0
[ 73.449601][ T11] ? _raw_spin_unlock_irq+0x23/0x50
[ 73.454797][ T11] ? __pfx_kthread+0x10/0x10
[ 73.459394][ T11] ret_from_fork+0x45/0x80
[ 73.463809][ T11] ? __pfx_kthread+0x10/0x10
[ 73.468399][ T11] ret_from_fork_asm+0x1a/0x30
[ 73.473173][ T11] </TASK>
[ 73.476187][ T11]
[ 73.478512][ T11] Allocated by task 5866:
[ 73.482828][ T11] kasan_save_stack+0x33/0x60
[ 73.487513][ T11] kasan_save_track+0x14/0x30
[ 73.492189][ T11] __kasan_slab_alloc+0x89/0x90
[ 73.497052][ T11] kmem_cache_alloc_lru_noprof+0x1c8/0x3b0
[ 73.502950][ T11] __d_alloc+0x35/0x8c0
[ 73.507109][ T11] d_alloc+0x4a/0x1e0
[ 73.511095][ T11] d_alloc_parallel+0xe9/0x12b0
[ 73.515951][ T11] __lookup_slow+0x194/0x460
[ 73.520548][ T11] lookup_one_len+0x181/0x1b0
[ 73.525318][ T11] start_creating.part.0+0x12f/0x3a0
[ 73.530652][ T11] __debugfs_create_file+0xa5/0x660
[ 73.535944][ T11] debugfs_create_file_full+0x6d/0xa0
[ 73.541328][ T11] nsim_create+0x372/0xb20
[ 73.545749][ T11] __nsim_dev_port_add+0x3bf/0x700
[ 73.550864][ T11] nsim_drv_probe+0xdbf/0x1490
[ 73.555634][ T11] really_probe+0x23e/0xa90
[ 73.560147][ T11] __driver_probe_device+0x1de/0x440
[ 73.565435][ T11] driver_probe_device+0x4c/0x1b0
[ 73.570466][ T11] __device_attach_driver+0x1df/0x310
[ 73.575880][ T11] bus_for_each_drv+0x157/0x1e0
[ 73.580732][ T11] __device_attach+0x1e8/0x4b0
[ 73.585497][ T11] bus_probe_device+0x17f/0x1c0
[ 73.590350][ T11] device_add+0x114b/0x1a70
[ 73.594857][ T11] new_device_store+0x41d/0x730
[ 73.599708][ T11] bus_attr_store+0x71/0xb0
[ 73.604211][ T11] sysfs_kf_write+0x117/0x170
[ 73.608893][ T11] kernfs_fop_write_iter+0x33d/0x500
[ 73.614186][ T11] vfs_write+0x5ae/0x1150
[ 73.618534][ T11] ksys_write+0x12b/0x250
[ 73.622971][ T11] do_syscall_64+0xcd/0x250
[ 73.627486][ T11] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 73.633411][ T11]
[ 73.635737][ T11] Freed by task 16:
[ 73.639535][ T11] kasan_save_stack+0x33/0x60
[ 73.644221][ T11] kasan_save_track+0x14/0x30
[ 73.648898][ T11] kasan_save_free_info+0x3b/0x60
[ 73.653921][ T11] __kasan_slab_free+0x51/0x70
[ 73.658686][ T11] kmem_cache_free+0x152/0x4c0
[ 73.663538][ T11] rcu_core+0x79d/0x14d0
[ 73.667785][ T11] handle_softirqs+0x213/0x8f0
[ 73.672552][ T11] run_ksoftirqd+0x3a/0x60
[ 73.676972][ T11] smpboot_thread_fn+0x661/0xa30
[ 73.681928][ T11] kthread+0x2c1/0x3a0
[ 73.686021][ T11] ret_from_fork+0x45/0x80
[ 73.690446][ T11] ret_from_fork_asm+0x1a/0x30
[ 73.695223][ T11]
[ 73.697582][ T11] Last potentially related work creation:
[ 73.703289][ T11] kasan_save_stack+0x33/0x60
[ 73.707970][ T11] __kasan_record_aux_stack+0xba/0xd0
[ 73.713341][ T11] __call_rcu_common.constprop.0+0x99/0x7a0
[ 73.719236][ T11] dentry_free+0xc2/0x160
[ 73.723579][ T11] __dentry_kill+0x498/0x600
[ 73.728177][ T11] dput.part.0+0x4b1/0x9b0
[ 73.732598][ T11] dput+0x1f/0x30
[ 73.736237][ T11] simple_recursive_removal+0x131/0x8e0
[ 73.741784][ T11] debugfs_remove+0x5d/0x80
[ 73.746317][ T11] nsim_dev_reload_destroy+0xa1/0x540
[ 73.751728][ T11] nsim_dev_reload_down+0x6e/0xd0
[ 73.756756][ T11] devlink_reload+0x17f/0x760
[ 73.761439][ T11] devlink_pernet_pre_exit+0x1a1/0x2b0
[ 73.766985][ T11] cleanup_net+0x488/0xbd0
[ 73.771404][ T11] process_one_work+0x958/0x1b30
[ 73.776379][ T11] worker_thread+0x6c8/0xf00
[ 73.780965][ T11] kthread+0x2c1/0x3a0
[ 73.785207][ T11] ret_from_fork+0x45/0x80
[ 73.789619][ T11] ret_from_fork_asm+0x1a/0x30
[ 73.794473][ T11]
[ 73.796792][ T11] The buggy address belongs to the object at ffff88806345da70
[ 73.796792][ T11] which belongs to the cache dentry of size 312
[ 73.810432][ T11] The buggy address is located 208 bytes inside of
[ 73.810432][ T11] freed 312-byte region [ffff88806345da70, ffff88806345dba8)
[ 73.824332][ T11]
[ 73.826756][ T11] The buggy address belongs to the physical page:
[ 73.833168][ T11] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x6345c
[ 73.841931][ T11] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 73.850425][ T11] memcg:ffff888034732a01
[ 73.854745][ T11] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
[ 73.862281][ T11] page_type: f5(slab)
[ 73.866292][ T11] raw: 00fff00000000040 ffff88801baff8c0 dead000000000122 0000000000000000
[ 73.874892][ T11] raw: 0000000000000000 0000000000150015 00000001f5000000 ffff888034732a01
[ 73.883473][ T11] head: 00fff00000000040 ffff88801baff8c0 dead000000000122 0000000000000000
[ 73.892232][ T11] head: 0000000000000000 0000000000150015 00000001f5000000 ffff888034732a01
[ 73.900903][ T11] head: 00fff00000000001 ffffea00018d1701 ffffffffffffffff 0000000000000000
[ 73.909572][ T11] head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000
[ 73.918234][ T11] page dumped because: kasan: bad access detected
[ 73.924649][ T11] page_owner tracks the page as allocated
[ 73.930360][ T11] page last allocated via order 1, migratetype Reclaimable, gfp_mask 0xd20d0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_RECLAIMABLE), pid 5866, tgid 5866 (syz-executor), ts 72492801701, free_ts 19664769086
[ 73.953550][ T11] post_alloc_hook+0x2d1/0x350
[ 73.958334][ T11] get_page_from_freelist+0xfce/0x2f80
[ 73.963798][ T11] __alloc_pages_noprof+0x223/0x25b0
[ 73.969095][ T11] alloc_pages_mpol_noprof+0x2c9/0x610
[ 73.974566][ T11] new_slab+0x2c9/0x410
[ 73.978721][ T11] ___slab_alloc+0xce2/0x1650
[ 73.983484][ T11] __slab_alloc.constprop.0+0x56/0xb0
[ 73.988854][ T11] kmem_cache_alloc_lru_noprof+0xf0/0x3b0
[ 73.994575][ T11] __d_alloc+0x35/0x8c0
[ 73.998734][ T11] d_alloc+0x4a/0x1e0
[ 74.002734][ T11] d_alloc_parallel+0xe9/0x12b0
[ 74.007592][ T11] __lookup_slow+0x194/0x460
[ 74.012233][ T11] lookup_one_len+0x181/0x1b0
[ 74.016920][ T11] start_creating.part.0+0x12f/0x3a0
[ 74.022215][ T11] __debugfs_create_file+0xa5/0x660
[ 74.027430][ T11] debugfs_create_bool+0x70/0xa0
[ 74.032377][ T11] page last free pid 1 tgid 1 stack trace:
[ 74.038171][ T11] free_unref_page+0x661/0x1080
[ 74.043026][ T11] free_contig_range+0x133/0x3f0
[ 74.047964][ T11] destroy_args+0x802/0xa50
[ 74.052471][ T11] debug_vm_pgtable+0x16d8/0x3230
[ 74.057498][ T11] do_one_initcall+0x128/0x630
[ 74.062264][ T11] kernel_init_freeable+0x58f/0x8b0
[ 74.067461][ T11] kernel_init+0x1c/0x2b0
[ 74.071796][ T11] ret_from_fork+0x45/0x80
[ 74.076236][ T11] ret_from_fork_asm+0x1a/0x30
[ 74.081002][ T11]
[ 74.083315][ T11] Memory state around the buggy address:
[ 74.088935][ T11] ffff88806345da00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fa fb
[ 74.096991][ T11] ffff88806345da80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 74.105047][ T11] >ffff88806345db00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 74.113184][ T11] ^
[ 74.119412][ T11] ffff88806345db80: fb fb fb fb fb fc fc fc fc fc fc fc fc fa fb fb
[ 74.127556][ T11] ffff88806345dc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 74.135715][ T11] ==================================================================
[ 74.143793][ T11] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 74.151069][ T11] CPU: 0 UID: 0 PID: 11 Comm: kworker/u8:0 Not tainted 6.13.0-rc4-syzkaller-gd6ef8b40d075-dirty #0
[ 74.161758][ T11] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
[ 74.171817][ T11] Workqueue: netns cleanup_net
[ 74.176618][ T11] Call Trace:
[ 74.179893][ T11] <TASK>
[ 74.182819][ T11] dump_stack_lvl+0x3d/0x1f0
[ 74.187421][ T11] panic+0x71d/0x800
[ 74.191322][ T11] ? __pfx_panic+0x10/0x10
[ 74.195742][ T11] ? rcu_is_watching+0x12/0xc0
[ 74.200518][ T11] ? __pfx_lock_release+0x10/0x10
[ 74.205542][ T11] ? check_panic_on_warn+0x1f/0xb0
[ 74.210659][ T11] check_panic_on_warn+0xab/0xb0
[ 74.215610][ T11] end_report+0x117/0x180
[ 74.219957][ T11] kasan_report+0xe9/0x110
[ 74.224376][ T11] ? __lock_acquire+0x2d90/0x3c40
[ 74.229399][ T11] ? __lock_acquire+0x2d90/0x3c40
[ 74.234421][ T11] __lock_acquire+0x2d90/0x3c40
[ 74.239269][ T11] ? hlock_class+0x4e/0x130
[ 74.243775][ T11] ? __lock_acquire+0x15a9/0x3c40
[ 74.248800][ T11] ? __pfx___lock_acquire+0x10/0x10
[ 74.254087][ T11] lock_acquire.part.0+0x11b/0x380
[ 74.259197][ T11] ? lockref_get+0x15/0x50
[ 74.263621][ T11] ? __pfx_lock_acquire.part.0+0x10/0x10
[ 74.269256][ T11] ? rcu_is_watching+0x12/0xc0
[ 74.274027][ T11] ? trace_lock_acquire+0x14e/0x1f0
[ 74.279231][ T11] ? lockref_get+0x15/0x50
[ 74.283651][ T11] ? lock_acquire+0x2f/0xb0
[ 74.288155][ T11] ? lockref_get+0x15/0x50
[ 74.292589][ T11] _raw_spin_lock+0x2e/0x40
[ 74.297089][ T11] ? lockref_get+0x15/0x50
[ 74.301508][ T11] lockref_get+0x15/0x50
[ 74.305759][ T11] simple_recursive_removal+0x45/0x8e0
[ 74.311228][ T11] ? __pfx_remove_one+0x10/0x10
[ 74.316086][ T11] ? mntput+0x10/0x90
[ 74.320070][ T11] debugfs_remove+0x5d/0x80
[ 74.324667][ T11] nsim_destroy+0x6a/0x6b0
[ 74.329086][ T11] __nsim_dev_port_del+0x189/0x240
[ 74.334203][ T11] nsim_dev_reload_destroy+0x158/0x540
[ 74.339673][ T11] nsim_dev_reload_down+0x6e/0xd0
[ 74.344702][ T11] devlink_reload+0x17f/0x760
[ 74.349434][ T11] ? __pfx_devlink_reload+0x10/0x10
[ 74.354638][ T11] ? devlinks_xa_find_get+0x39/0x260
[ 74.359925][ T11] devlink_pernet_pre_exit+0x1a1/0x2b0
[ 74.365391][ T11] ? __pfx_devlink_pernet_pre_exit+0x10/0x10
[ 74.371461][ T11] ? up_write+0x1b2/0x520
[ 74.375797][ T11] ? kobject_put+0xab/0x5a0
[ 74.380315][ T11] ? __pfx_devlink_pernet_pre_exit+0x10/0x10
[ 74.386298][ T11] cleanup_net+0x488/0xbd0
[ 74.390727][ T11] ? __pfx_cleanup_net+0x10/0x10
[ 74.395705][ T11] ? lock_acquire+0x2f/0xb0
[ 74.400211][ T11] ? process_one_work+0x8bb/0x1b30
[ 74.405320][ T11] process_one_work+0x958/0x1b30
[ 74.410308][ T11] ? __pfx_lock_acquire.part.0+0x10/0x10
[ 74.415943][ T11] ? __pfx_process_one_work+0x10/0x10
[ 74.421325][ T11] ? rcu_is_watching+0x12/0xc0
[ 74.426099][ T11] ? assign_work+0x1a0/0x250
[ 74.431048][ T11] worker_thread+0x6c8/0xf00
[ 74.435650][ T11] ? __pfx_worker_thread+0x10/0x10
[ 74.440765][ T11] kthread+0x2c1/0x3a0
[ 74.444852][ T11] ? _raw_spin_unlock_irq+0x23/0x50
[ 74.450053][ T11] ? __pfx_kthread+0x10/0x10
[ 74.454716][ T11] ret_from_fork+0x45/0x80
[ 74.459144][ T11] ? __pfx_kthread+0x10/0x10
[ 74.463741][ T11] ret_from_fork_asm+0x1a/0x30
[ 74.468521][ T11] </TASK>
[ 74.471810][ T11] Kernel Offset: disabled
[ 74.476133][ T11] Rebooting in 86400 seconds..


syzkaller build log:
go env (err=<nil>)
GO111MODULE='auto'
GOARCH='amd64'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/syzkaller/jobs/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.22.7'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build1782442588=/tmp/go-build -gno-record-gcc-switches'

git status (err=<nil>)
HEAD detached at 7cbfbb3ab4
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
go fmt ./sys/... >/dev/null
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=7cbfbb3ab457b0a8ecf525a27a65a2078c5dcaa8 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20241213-162906'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"7cbfbb3ab457b0a8ecf525a27a65a2078c5dcaa8\"
/usr/bin/ld: /tmp/ccPml299.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=138892f8580000


Tested on:

commit: d6ef8b40 Merge tag 'sound-6.13-rc5' of git://git.kerne..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=c078001e66e4a17e
dashboard link: https://syzkaller.appspot.com/bug?extid=d59601b9136ebc356300
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1075dadf980000