Hi,
We would like to report the following bug which has been found by our
modified version of syzkaller.
======================================================
description: WARNING in __brelse
affected file: fs/buffer.c
kernel version: 5.15.159
kernel commit: 83655231580bc07485a4ac2a6c971c3a175dd27d
git tree: upstream
kernel config: attached
crash reproducer: attached
======================================================
Crash log:
VFS: brelse: Trying to free free buffer
WARNING: CPU: 1 PID: 51571 at fs/buffer.c:1148 __brelse
fs/buffer.c:1148 [inline]
WARNING: CPU: 1 PID: 51571 at fs/buffer.c:1148 __brelse+0x67/0xa0
fs/buffer.c:1142
Modules linked in:
CPU: 1 PID: 51571 Comm: syz-executor.6 Not tainted 5.15.159 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:__brelse fs/buffer.c:1148 [inline]
RIP: 0010:__brelse+0x67/0xa0 fs/buffer.c:1142
Code: 7c 04 84 d2 75 4e 44 8b 63 60 31 ff 44 89 e6 e8 4f ec 9b ff 45
85 e4 75 1c e8 d5 f3 9b ff 48 c7 c7 a0 68 9a 89 e8 ef d9 13 07 <0f> 0b
5b 5d 41 5c e9 be f3 9b ff e8 b9 f3 9b ff be 04 00 00 00 48
RSP: 0018:ffffc90015137990 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff8880ae4753a0 RCX: 0000000000000000
RDX: 0000000000040000 RSI: ffffffff815f20ca RDI: fffff52002a26f24
RBP: ffff8880ae475400 R08: 0000000000000001 R09: ffff88823bc27a5b
R10: 0000000000000000 R11: 000000003a534656 R12: 0000000000000000
R13: ffff8880ae4753a0 R14: ffff88807d7df028 R15: ffff8881564907c0
FS: 00007f67652c2640(0000) GS:ffff88823bc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2dc67f4e00 CR3: 000000001b532000 CR4: 0000000000750ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
<TASK>
brelse include/linux/buffer_head.h:325 [inline]
udf_rename+0x919/0x1260 fs/udf/namei.c:1214
vfs_rename+0xe36/0x16d0 fs/namei.c:4832
do_renameat2+0xb0c/0xd20 fs/namei.c:4985
__do_sys_renameat2 fs/namei.c:5018 [inline]
__se_sys_renameat2 fs/namei.c:5015 [inline]
__x64_sys_renameat2+0xe7/0x120 fs/namei.c:5015
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7f6766d52dad
Code: c3 e8 97 2b 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f67652c2028 EFLAGS: 00000246 ORIG_RAX: 000000000000013c
RAX: ffffffffffffffda RBX: 00007f6766e8ff80 RCX: 00007f6766d52dad
RDX: ffffffffffffff9c RSI: 0000000020000440 RDI: ffffffffffffff9c
RBP: 00007f67652c20a0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000020000480 R11: 0000000000000246 R12: 0000000000000002
R13: 000000000000000b R14: 00007f6766e8ff80 R15: 00007f67652a2000
</TASK>
======================================================
Please let us know if we should provide additional information.
Wishing you a nice day!
Best,
Marius
Hi,
Please excuse us for forgetting to attach the following information to
the previous email.
This bug seems to be related to a bug previously found by syzbot
(https://syzkaller.appspot.com/bug?extid=7902cd7684bc35306224)
and fixed (https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c791730f2554a9ebb8f18df9368dc27d4ebc38c2).
The fixing commit is present in the kernel version that we analyzed,
yet the reproducer is still able to trigger the bug.
I hope this information helps in further debugging this issue!
Best,
Marius