2023-02-20 19:06:21

by Palash Oswal

Subject: KASAN: use-after-free Read in ntfs_trim_fs

Hello,
I found the following issue using syzkaller on:
HEAD commit : e60276b8c11ab4a8be23807bc67b048cfb937dfa (v6.0.8)
git tree: stable

C Reproducer: https://gist.github.com/oswalpalash/113c274067bc9c4c653a6dd09fb2e456
Kernel .config: https://gist.github.com/oswalpalash/0962c70d774e5ec736a047bba917cecb

Console log:

==================================================================
BUG: KASAN: use-after-free in ntfs_trim_fs+0x84e/0x960
Read of size 2 at addr ffff888104fea640 by task syz-executor.0/8081

CPU: 1 PID: 8081 Comm: syz-executor.0 Not tainted 6.0.8-pasta #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0xcd/0x134
print_report.cold+0xe5/0x63a
kasan_report+0x8a/0x1b0
ntfs_trim_fs+0x84e/0x960
ntfs_ioctl_fitrim+0x23e/0x340
ntfs_ioctl+0x9c/0xd0
__x64_sys_ioctl+0x193/0x200
do_syscall_64+0x35/0xb0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fac7f88eacd
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fac805f9bf8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fac7f9bbf80 RCX: 00007fac7f88eacd
RDX: 0000000020000040 RSI: 00000000c0185879 RDI: 0000000000000003
RBP: 00007fac7f8fcb05 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffcb363e05f R14: 00007ffcb363e200 R15: 00007fac805f9d80
</TASK>

Allocated by task 8074:
kasan_save_stack+0x1e/0x40
__kasan_kmalloc+0xa6/0xd0
__kmalloc+0x349/0xd40
tomoyo_encode2.part.0+0xec/0x3b0
tomoyo_encode+0x28/0x50
tomoyo_realpath_from_path+0x186/0x620
tomoyo_path_perm+0x219/0x420
security_inode_getattr+0xcf/0x140
vfs_getattr+0x22/0x60
vfs_fstat+0x49/0x90
__do_sys_newfstat+0x81/0x100
do_syscall_64+0x35/0xb0
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 8074:
kasan_save_stack+0x1e/0x40
kasan_set_track+0x21/0x30
kasan_set_free_info+0x20/0x30
__kasan_slab_free+0xf5/0x180
kfree+0x15e/0x540
tomoyo_path_perm+0x240/0x420
security_inode_getattr+0xcf/0x140
vfs_getattr+0x22/0x60
vfs_fstat+0x49/0x90
__do_sys_newfstat+0x81/0x100
do_syscall_64+0x35/0xb0
entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff888104fea640
which belongs to the cache kmalloc-32 of size 32
The buggy address is located 0 bytes inside of
32-byte region [ffff888104fea640, ffff888104fea660)

The buggy address belongs to the physical page:
page:ffffea000413fa80 refcount:1 mapcount:0 mapping:0000000000000000
index:0xffff888104feafc1 pfn:0x104fea
flags: 0x57ff00000000200(slab|node=1|zone=2|lastcpupid=0x7ff)
raw: 057ff00000000200 ffffea00043f1b88 ffffea000414bec8 ffff888011840100
raw: ffff888104feafc1 ffff888104fea000 000000010000003d 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask
0x2420c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_COMP|__GFP_THISNODE),
pid 6509, tgid 6509 (syz-executor.3), ts 50269499850, free_ts
50269456139
prep_new_page+0x2c6/0x350
get_page_from_freelist+0xae9/0x3a80
__alloc_pages+0x321/0x710
cache_grow_begin+0x75/0x360
kmem_cache_alloc_node_trace+0xbe2/0xd40
__kmalloc_node+0x38/0x60
__vmalloc_node_range+0x3d3/0x1320
vzalloc+0x67/0x80
alloc_counters.isra.0+0x5d/0x6f0
do_ipt_get_ctl+0x5de/0x980
nf_getsockopt+0x72/0xd0
ip_getsockopt+0x164/0x1c0
tcp_getsockopt+0x86/0xd0
__sys_getsockopt+0x216/0x690
__x64_sys_getsockopt+0xba/0x150
do_syscall_64+0x35/0xb0
page last free stack trace:
free_pcp_prepare+0x5ab/0xd00
free_unref_page+0x19/0x410
__vunmap+0x6ff/0xaa0
__vfree+0x3c/0xd0
vfree+0x5a/0x90
do_ipt_get_ctl+0x7b2/0x980
nf_getsockopt+0x72/0xd0
ip_getsockopt+0x164/0x1c0
tcp_getsockopt+0x86/0xd0
__sys_getsockopt+0x216/0x690
__x64_sys_getsockopt+0xba/0x150
do_syscall_64+0x35/0xb0
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Memory state around the buggy address:
ffff888104fea500: fa fb fb fb fc fc fc fc 02 fc fc fc fc fc fc fc
ffff888104fea580: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
>ffff888104fea600: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
^
ffff888104fea680: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
ffff888104fea700: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc
==================================================================
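
As an added example (not part of the report, and not kernel or syzkaller tooling), a small Python triage helper that pulls the fields a reviewer reads first out of a KASAN slab report and flags when the Allocated/Freed stacks belong to a different subsystem than the faulting function; the sample text is constructed from the lines quoted above.

```python
import re  # added example for this thread; not from the report or any kernel tooling
# Constructed sample: the head of the report above, cut down to the lines parsed here.
SAMPLE_REPORT = """\
BUG: KASAN: use-after-free in ntfs_trim_fs+0x84e/0x960
Read of size 2 at addr ffff888104fea640 by task syz-executor.0/8081

Allocated by task 8074:
 kasan_save_stack+0x1e/0x40
 tomoyo_encode2.part.0+0xec/0x3b0

Freed by task 8074:
 kasan_save_stack+0x1e/0x40
 kfree+0x15e/0x540
 tomoyo_path_perm+0x240/0x420

The buggy address belongs to the object at ffff888104fea640
 which belongs to the cache kmalloc-32 of size 32
"""
# Frame prefixes that are KASAN/allocator plumbing, never the object's real owner.
_INFRA = ("kasan_", "__kasan_", "kfree", "__kmalloc", "kmalloc", "kmem_cache_")

def owner_frame(text, header):
    """First non-plumbing frame of the 'Allocated by' / 'Freed by' stack."""
    m = re.search(header + r" task \d+:\n((?:[^\n]+\n)+)", text)
    for frame in (m.group(1).split() if m else []):
        name = frame.split("+", 1)[0]
        if not name.startswith(_INFRA):
            return name
    return None

def parse_kasan_report(text):
    """Extract bug type, faulting function, access, slab cache and slot owners."""
    bug = re.search(r"BUG: KASAN: (\S+) in (\S+)\+0x", text)
    acc = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task \S+/(\d+)", text)
    cache = re.search(r"belongs to the cache (\S+) of size (\d+)", text)
    if not (bug and acc and cache):
        raise ValueError("not a KASAN slab report")
    return {
        "bug_type": bug.group(1), "faulting_func": bug.group(2),
        "access": acc.group(1).lower(), "access_size": int(acc.group(2)),
        "addr": int(acc.group(3), 16), "pid": int(acc.group(4)),
        "cache": cache.group(1), "object_size": int(cache.group(2)),
        "alloc_owner": owner_frame(text, "Allocated by"),
        "free_owner": owner_frame(text, "Freed by"),
    }

def slot_recycled(report):
    """KASAN shows the slot's most recent alloc/free; True if that occupant is not
    the faulting subsystem, i.e. the real freeing site is not in this report."""
    sub = lambda name: name.split("_", 1)[0] if name else None
    return sub(report["faulting_func"]) not in {sub(report["alloc_owner"]), sub(report["free_owner"])}
```

For this report the slot's last owner is tomoyo (a 32-byte path buffer), not ntfs, so the Allocated/Freed stacks do not show where the object ntfs_trim_fs still points at was actually freed.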


2023-03-14 12:39:00

by David Disseldorp

Subject: Re: KASAN: use-after-free Read in ntfs_trim_fs

Hi,

IIUC, this was long since fixed at the time of your v6.0.8 report.
The mainline fix is 557d19675a470bb0a98beccec38c5dc3735c20fa, which was
backported to stable (v6.0.16) via
7e686013b7071f4c16644cfad8808e76097724c4.

Please try to check more recent kernels prior to reporting.

Cheers, David