2024-05-20 05:54:22

by Marius Fleischer

Subject: BUG: corrupted list in fscache_free_cookie

Hi,

We would like to report the following bug which has been found by our
modified version of syzkaller.

======================================================
description: BUG: corrupted list in fscache_free_cookie
affected file: fs/fscache/cookie.c
kernel version: 5.15.159
kernel commit: a38297e3fb012ddfa7ce0321a7e5a8daeb1872b6
git tree: upstream
kernel config: attached
crash reproducer: attached
======================================================
Crash log:
kernel BUG at lib/list_debug.c:49!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 92464 Comm: syz-executor.3 Not tainted 5.15.159 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:__list_del_entry_valid.cold+0x45/0x6c lib/list_debug.c:49
Code: e8 ca 1e f2 ff 0f 0b 4c 89 e2 48 89 ee 48 c7 c7 80 af e4 89 e8
b6 1e f2 ff 0f 0b 48 89 ee 48 c7 c7 60 ae e4 89 e8 a5 1e f2 ff <0f> 0b
4c 89 ea 48 89 ee 48 c7 c7 20 af e4 89 e8 91 1e f2 ff 0f 0b
RSP: 0018:ffffc90005edfa00 EFLAGS: 00010282
RAX: 0000000000000033 RBX: ffffffff89cb2a40 RCX: 0000000000000000
RDX: 0000000000040000 RSI: ffffffff815f20ca RDI: fffff52000bdbf32
RBP: ffff888016110b70 R08: 0000000000000033 R09: ffff88823bc33f47
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: ffff88807eb178c0
FS: 00007fd192dd4640(0000) GS:ffff88823bc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fa35e5d1f88 CR3: 000000004b0aa000 CR4: 0000000000750ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
<TASK>
__list_del_entry include/linux/list.h:132 [inline]
list_del include/linux/list.h:146 [inline]
fscache_free_cookie.part.0+0x32/0x2d0 fs/fscache/cookie.c:71
fscache_free_cookie fs/fscache/cookie.c:196 [inline]
fscache_alloc_cookie+0x6af/0x7d0 fs/fscache/cookie.c:195
__fscache_acquire_cookie fs/fscache/cookie.c:296 [inline]
__fscache_acquire_cookie+0x176/0x590 fs/fscache/cookie.c:257
fscache_acquire_cookie include/linux/fscache.h:334 [inline]
v9fs_cache_session_get_cookie+0xf2/0x2f0 fs/9p/cache.c:60
v9fs_session_init+0xe57/0x17f0 fs/9p/v9fs.c:473
v9fs_mount+0x79/0x9d0 fs/9p/vfs_super.c:126
legacy_get_tree+0x105/0x220 fs/fs_context.c:611
vfs_get_tree+0x89/0x2f0 fs/super.c:1517
do_new_mount fs/namespace.c:3005 [inline]
path_mount+0x6a5/0x2010 fs/namespace.c:3335
do_mount fs/namespace.c:3348 [inline]
__do_sys_mount fs/namespace.c:3556 [inline]
__se_sys_mount fs/namespace.c:3533 [inline]
__x64_sys_mount+0x27f/0x300 fs/namespace.c:3533
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7fd194864dad
Code: c3 e8 97 2b 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fd192dd4028 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007fd1949a1f80 RCX: 00007fd194864dad
RDX: 0000000020000140 RSI: 0000000020000100 RDI: 0000000020010000
RBP: 00007fd192dd40a0 R08: 0000000020000040 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002
R13: 000000000000000b R14: 00007fd1949a1f80 R15: 00007fd192db4000
</TASK>
Modules linked in:
---[ end trace a5d403d13a71a5dc ]---
RIP: 0010:__list_del_entry_valid.cold+0x45/0x6c lib/list_debug.c:49
Code: e8 ca 1e f2 ff 0f 0b 4c 89 e2 48 89 ee 48 c7 c7 80 af e4 89 e8
b6 1e f2 ff 0f 0b 48 89 ee 48 c7 c7 60 ae e4 89 e8 a5 1e f2 ff <0f> 0b
4c 89 ea 48 89 ee 48 c7 c7 20 af e4 89 e8 91 1e f2 ff 0f 0b
RSP: 0018:ffffc90005edfa00 EFLAGS: 00010282
RAX: 0000000000000033 RBX: ffffffff89cb2a40 RCX: 0000000000000000
RDX: 0000000000040000 RSI: ffffffff815f20ca RDI: fffff52000bdbf32
RBP: ffff888016110b70 R08: 0000000000000033 R09: ffff88823bc33f47
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: ffff88807eb178c0
FS: 00007fd192dd4640(0000) GS:ffff88823bc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fa35e5d1f88 CR3: 000000004b0aa000 CR4: 0000000000750ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
PKRU: 55555554
======================================================

The attached reproducer is in syzlang format. Please find instructions
on how to execute the reproducer here:
https://github.com/google/syzkaller/blob/master/docs/executing_syzkaller_programs.md
Here is also the command we used to execute the reproducer:
/syz-execprog -executor=./syz-executor -procs=8 -repeat=0 repro.syz

Wishing you a nice start to the week!

Kind regards,
Marius


Attachments:
repro.syz (381.00 B)
config-5.15.159 (221.75 kB)
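A small triage helper, added here as an example and not part of the report or of syzkaller: it parses an x86-64 oops of the shape shown above into the BUG line, the faulting kernel RIP and the call-trace frames, then skips generic helper paths (lib/, include/linux/, ...) to find the first subsystem frame, which for this log is fs/fscache/cookie.c:71, the "affected file" the report names. The sample input is a constructed, trimmed copy of the log above; treating the first "RIP: 0010:" line as the kernel fault site (the later "RIP: 0033:" is the user-space syscall site) and the prefix list are assumptions of this helper.

```python
import re

# Constructed sample: the oops above, trimmed to the lines this parser reads.
SAMPLE_OOPS = """\
kernel BUG at lib/list_debug.c:49!
RIP: 0010:__list_del_entry_valid.cold+0x45/0x6c lib/list_debug.c:49
Call Trace:
<TASK>
__list_del_entry include/linux/list.h:132 [inline]
fscache_free_cookie.part.0+0x32/0x2d0 fs/fscache/cookie.c:71
v9fs_cache_session_get_cookie+0xf2/0x2f0 fs/9p/cache.c:60
entry_SYSCALL_64_after_hwframe+0x66/0xd0
</TASK>
---[ end trace a5d403d13a71a5dc ]---
"""

# One backtrace frame: symbol[+off/size] [path:line] [[inline]]
FRAME_RE = re.compile(
    r"^(?P<sym>[A-Za-z_][\w.]*)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?"
    r"(?:\s+(?P<loc>[\w/.\-]+:\d+))?(?P<inline>\s+\[inline\])?\s*$")

def _frame(m):
    return {"sym": m["sym"], "loc": m["loc"], "inline": m["inline"] is not None}

def parse_oops(text):
    """Return the BUG line, the faulting kernel RIP and the kernel call trace."""
    info = {"bug": None, "rip": None, "frames": []}
    in_trace = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("kernel BUG at ", "BUG: ")) and info["bug"] is None:
            info["bug"] = line
        elif line.startswith("RIP: 0010:") and info["rip"] is None:
            m = FRAME_RE.match(line[len("RIP: 0010:"):])  # CS 0010 = kernel code
            info["rip"] = _frame(m) if m else None
        elif line.startswith("Call Trace:"):
            in_trace = True
        elif line.startswith(("</TASK>", "---[ end trace")):
            in_trace = False
        elif in_trace:
            m = FRAME_RE.match(line)  # register and Code: lines never match
            if m: info["frames"].append(_frame(m))
    return info

# Helper paths show where corruption was detected, not where it originated.
GENERIC_PREFIXES = ("lib/", "include/linux/", "arch/", "kernel/")

def first_frame_outside(frames, prefixes=GENERIC_PREFIXES):
    for f in frames:
        if f["loc"] and not f["loc"].startswith(prefixes):
            return f
    return None
```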