Hello,
syzbot found the following issue on:
HEAD commit: f7dc24b34138 Add linux-next specific files for 20230807
git tree: linux-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=12a0862ba80000
kernel config: https://syzkaller.appspot.com/x/.config?x=d7847c9dca13d6c5
dashboard link: https://syzkaller.appspot.com/bug?extid=26860029a4d562566231
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=179704c9a80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17868ba9a80000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/24eb0299fcf6/disk-f7dc24b3.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/d1dc5212ed72/vmlinux-f7dc24b3.xz
kernel image: https://storage.googleapis.com/syzbot-assets/062c8c075e0c/bzImage-f7dc24b3.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/8e4e0cc06a40/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]
==================================================================
BUG: KASAN: slab-use-after-free in btrfs_open_devices+0xb8/0xc0 fs/btrfs/volumes.c:1281
Read of size 4 at addr ffff8880293c8d30 by task syz-executor243/5048
CPU: 0 PID: 5048 Comm: syz-executor243 Not tainted 6.5.0-rc5-next-20230807-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:364 [inline]
print_report+0xc4/0x620 mm/kasan/report.c:475
kasan_report+0xda/0x110 mm/kasan/report.c:588
btrfs_open_devices+0xb8/0xc0 fs/btrfs/volumes.c:1281
btrfs_mount_root+0x681/0xda0 fs/btrfs/super.c:1505
legacy_get_tree+0x109/0x220 fs/fs_context.c:611
vfs_get_tree+0x88/0x350 fs/super.c:1544
fc_mount fs/namespace.c:1112 [inline]
vfs_kern_mount.part.0+0xcb/0x170 fs/namespace.c:1142
vfs_kern_mount+0x3f/0x60 fs/namespace.c:1129
btrfs_mount+0x292/0xb10 fs/btrfs/super.c:1578
legacy_get_tree+0x109/0x220 fs/fs_context.c:611
vfs_get_tree+0x88/0x350 fs/super.c:1544
do_new_mount fs/namespace.c:3335 [inline]
path_mount+0x1492/0x1ed0 fs/namespace.c:3662
do_mount fs/namespace.c:3675 [inline]
__do_sys_mount fs/namespace.c:3884 [inline]
__se_sys_mount fs/namespace.c:3861 [inline]
__x64_sys_mount+0x293/0x310 fs/namespace.c:3861
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fc50e075e9a
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd2e2532d8 EFLAGS: 00000282 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007ffd2e2532f0 RCX: 00007fc50e075e9a
RDX: 00000000200051c0 RSI: 0000000020005200 RDI: 00007ffd2e2532f0
RBP: 0000000000000004 R08: 00007ffd2e253330 R09: 00000000000051a5
R10: 0000000001000008 R11: 0000000000000282 R12: 0000000001000008
R13: 00007ffd2e253330 R14: 0000000000000003 R15: 0000000001000000
</TASK>
Allocated by task 5043:
kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
____kasan_kmalloc mm/kasan/common.c:374 [inline]
__kasan_kmalloc+0xa2/0xb0 mm/kasan/common.c:383
kmalloc include/linux/slab.h:599 [inline]
kzalloc include/linux/slab.h:720 [inline]
alloc_fs_devices+0x54/0x2b0 fs/btrfs/volumes.c:375
device_list_add.constprop.0+0x3eb/0x1db0 fs/btrfs/volumes.c:807
btrfs_scan_one_device+0x1b7/0x2a0 fs/btrfs/volumes.c:1405
btrfs_mount_root+0x4a8/0xda0 fs/btrfs/super.c:1482
legacy_get_tree+0x109/0x220 fs/fs_context.c:611
vfs_get_tree+0x88/0x350 fs/super.c:1544
fc_mount fs/namespace.c:1112 [inline]
vfs_kern_mount.part.0+0xcb/0x170 fs/namespace.c:1142
vfs_kern_mount+0x3f/0x60 fs/namespace.c:1129
btrfs_mount+0x292/0xb10 fs/btrfs/super.c:1578
legacy_get_tree+0x109/0x220 fs/fs_context.c:611
vfs_get_tree+0x88/0x350 fs/super.c:1544
do_new_mount fs/namespace.c:3335 [inline]
path_mount+0x1492/0x1ed0 fs/namespace.c:3662
do_mount fs/namespace.c:3675 [inline]
__do_sys_mount fs/namespace.c:3884 [inline]
__se_sys_mount fs/namespace.c:3861 [inline]
__x64_sys_mount+0x293/0x310 fs/namespace.c:3861
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Freed by task 5043:
kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:522
____kasan_slab_free mm/kasan/common.c:236 [inline]
____kasan_slab_free+0x15e/0x1b0 mm/kasan/common.c:200
kasan_slab_free include/linux/kasan.h:164 [inline]
slab_free_hook mm/slub.c:1800 [inline]
slab_free_freelist_hook+0x114/0x1e0 mm/slub.c:1826
slab_free mm/slub.c:3809 [inline]
__kmem_cache_free+0xb8/0x2f0 mm/slub.c:3822
btrfs_close_devices+0x4cd/0x610 fs/btrfs/volumes.c:1207
open_ctree+0x1c1/0x5710 fs/btrfs/disk-io.c:3612
btrfs_fill_super fs/btrfs/super.c:1158 [inline]
btrfs_mount_root+0x976/0xda0 fs/btrfs/super.c:1520
legacy_get_tree+0x109/0x220 fs/fs_context.c:611
vfs_get_tree+0x88/0x350 fs/super.c:1544
fc_mount fs/namespace.c:1112 [inline]
vfs_kern_mount.part.0+0xcb/0x170 fs/namespace.c:1142
vfs_kern_mount+0x3f/0x60 fs/namespace.c:1129
btrfs_mount+0x292/0xb10 fs/btrfs/super.c:1578
legacy_get_tree+0x109/0x220 fs/fs_context.c:611
vfs_get_tree+0x88/0x350 fs/super.c:1544
do_new_mount fs/namespace.c:3335 [inline]
path_mount+0x1492/0x1ed0 fs/namespace.c:3662
do_mount fs/namespace.c:3675 [inline]
__do_sys_mount fs/namespace.c:3884 [inline]
__se_sys_mount fs/namespace.c:3861 [inline]
__x64_sys_mount+0x293/0x310 fs/namespace.c:3861
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The buggy address belongs to the object at ffff8880293c8c00
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 304 bytes inside of
freed 512-byte region [ffff8880293c8c00, ffff8880293c8e00)
The buggy address belongs to the physical page:
page:ffffea0000a4f200 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x293c8
head:ffffea0000a4f200 order:2 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000010200 ffff888012841c80 ffffea00008f2d00 dead000000000002
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4147, tgid 4147 (kworker/u4:3), ts 10970429937, free_ts 0
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x2d2/0x350 mm/page_alloc.c:1567
prep_new_page mm/page_alloc.c:1574 [inline]
get_page_from_freelist+0x10d7/0x31b0 mm/page_alloc.c:3253
__alloc_pages+0x1d0/0x4a0 mm/page_alloc.c:4509
alloc_pages+0x1a9/0x270 mm/mempolicy.c:2298
alloc_slab_page mm/slub.c:1870 [inline]
allocate_slab+0x24e/0x380 mm/slub.c:2017
new_slab mm/slub.c:2070 [inline]
___slab_alloc+0x8bc/0x1570 mm/slub.c:3223
__slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3322
__slab_alloc_node mm/slub.c:3375 [inline]
slab_alloc_node mm/slub.c:3468 [inline]
__kmem_cache_alloc_node+0x137/0x350 mm/slub.c:3517
kmalloc_trace+0x25/0xe0 mm/slab_common.c:1114
kmalloc include/linux/slab.h:599 [inline]
kzalloc include/linux/slab.h:720 [inline]
alloc_bprm+0x51/0xaf0 fs/exec.c:1514
kernel_execve+0xaf/0x4e0 fs/exec.c:1989
call_usermodehelper_exec_async+0x256/0x4c0 kernel/umh.c:110
ret_from_fork+0x2c/0x70 arch/x86/kernel/process.c:145
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
page_owner free stack trace missing
Memory state around the buggy address:
ffff8880293c8c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880293c8c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880293c8d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880293c8d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880293c8e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to change bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot has bisected this issue to:
commit 066d64b26a21a5b5c500a30f27f3e4b1959aac9e
Author: Christoph Hellwig <[email protected]>
Date: Wed Aug 2 15:41:23 2023 +0000
btrfs: open block devices after superblock creation
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=15493371a80000
start commit: f7dc24b34138 Add linux-next specific files for 20230807
git tree: linux-next
final oops: https://syzkaller.appspot.com/x/report.txt?x=17493371a80000
console output: https://syzkaller.appspot.com/x/log.txt?x=13493371a80000
kernel config: https://syzkaller.appspot.com/x/.config?x=d7847c9dca13d6c5
dashboard link: https://syzkaller.appspot.com/bug?extid=26860029a4d562566231
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=179704c9a80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17868ba9a80000
Reported-by: [email protected]
Fixes: 066d64b26a21 ("btrfs: open block devices after superblock creation")
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: corrupted list in btrfs_close_devices
BTRFS info (device loop2): using xxhash64 (xxhash64-generic) checksum algorithm
BTRFS info (device loop2): force clearing of disk cache
BTRFS info (device loop2): setting nodatasum
BTRFS error (device loop2): unrecognized mount option 'rescan '
list_del corruption, ffff888065d38c20->next is LIST_POISON1 (dead000000000100)
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:53!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 5647 Comm: syz-executor.2 Not tainted 6.5.0-rc5-next-20230807-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
RIP: 0010:__list_del_entry_valid+0xfd/0x1b0 lib/list_debug.c:53
Code: 18 c3 48 c7 c7 80 8f c8 8a e8 9f 70 43 fd 0f 0b 48 c7 c7 e0 8f c8 8a e8 91 70 43 fd 0f 0b 48 c7 c7 40 90 c8 8a e8 83 70 43 fd <0f> 0b 48 89 ca 48 c7 c7 a0 90 c8 8a e8 72 70 43 fd 0f 0b 48 89 c2
RSP: 0018:ffffc90002f7f700 EFLAGS: 00010282
RAX: 000000000000004e RBX: ffff888065d38c00 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff816a9732 RDI: 0000000000000005
RBP: 0000000000000001 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000001 R12: ffff888065d38d30
R13: ffffc90002f7f758 R14: ffff888065d38c20 R15: ffff888065d38c28
FS: 00007f38da2476c0(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fbe2639d988 CR3: 0000000064991000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__list_del_entry include/linux/list.h:134 [inline]
list_del include/linux/list.h:148 [inline]
btrfs_close_devices+0x460/0x790 fs/btrfs/volumes.c:1208
open_ctree+0x1c1/0x5700 fs/btrfs/disk-io.c:3612
btrfs_fill_super fs/btrfs/super.c:1158 [inline]
btrfs_mount_root+0x9af/0xeb0 fs/btrfs/super.c:1521
legacy_get_tree+0x109/0x220 fs/fs_context.c:611
vfs_get_tree+0x88/0x350 fs/super.c:1544
fc_mount fs/namespace.c:1112 [inline]
vfs_kern_mount.part.0+0xcb/0x170 fs/namespace.c:1142
vfs_kern_mount+0x3f/0x60 fs/namespace.c:1129
btrfs_mount+0x292/0xb10 fs/btrfs/super.c:1584
legacy_get_tree+0x109/0x220 fs/fs_context.c:611
vfs_get_tree+0x88/0x350 fs/super.c:1544
do_new_mount fs/namespace.c:3335 [inline]
path_mount+0x1492/0x1ed0 fs/namespace.c:3662
do_mount fs/namespace.c:3675 [inline]
__do_sys_mount fs/namespace.c:3884 [inline]
__se_sys_mount fs/namespace.c:3861 [inline]
__x64_sys_mount+0x293/0x310 fs/namespace.c:3861
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f38d947e1ea
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 09 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f38da246ee8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007f38da246f80 RCX: 00007f38d947e1ea
RDX: 00000000200051c0 RSI: 0000000020005200 RDI: 00007f38da246f40
RBP: 00000000200051c0 R08: 00007f38da246f80 R09: 0000000001000008
R10: 0000000001000008 R11: 0000000000000246 R12: 0000000020005200
R13: 00007f38da246f40 R14: 00000000000051ab R15: 0000000020000280
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__list_del_entry_valid+0xfd/0x1b0 lib/list_debug.c:53
Code: 18 c3 48 c7 c7 80 8f c8 8a e8 9f 70 43 fd 0f 0b 48 c7 c7 e0 8f c8 8a e8 91 70 43 fd 0f 0b 48 c7 c7 40 90 c8 8a e8 83 70 43 fd <0f> 0b 48 89 ca 48 c7 c7 a0 90 c8 8a e8 72 70 43 fd 0f 0b 48 89 c2
RSP: 0018:ffffc90002f7f700 EFLAGS: 00010282
RAX: 000000000000004e RBX: ffff888065d38c00 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff816a9732 RDI: 0000000000000005
RBP: 0000000000000001 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000001 R12: ffff888065d38d30
R13: ffffc90002f7f758 R14: ffff888065d38c20 R15: ffff888065d38c28
FS: 00007f38da2476c0(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f0f6962e3b0 CR3: 0000000064991000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Tested on:
commit: f7dc24b3 Add linux-next specific files for 20230807
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=170b2395a80000
kernel config: https://syzkaller.appspot.com/x/.config?x=d7847c9dca13d6c5
dashboard link: https://syzkaller.appspot.com/bug?extid=26860029a4d562566231
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=14e4981ba80000
Yes, probably. The lifetimes looked fishy to me to start with, but
this might have made things worse.
On Tue, Aug 08, 2023 at 05:50:02PM +0200, Christian Brauner wrote:
> On Mon, Aug 07, 2023 at 08:24:36PM -0700, syzbot wrote:
> > syzbot has bisected this issue to:
> >
> > commit 066d64b26a21a5b5c500a30f27f3e4b1959aac9e
> > Author: Christoph Hellwig <[email protected]>
> > Date: Wed Aug 2 15:41:23 2023 +0000
> >
> > btrfs: open block devices after superblock creation
> >
> > bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=15493371a80000
> > start commit: f7dc24b34138 Add linux-next specific files for 20230807
> > git tree: linux-next
> > final oops: https://syzkaller.appspot.com/x/report.txt?x=17493371a80000
> > console output: https://syzkaller.appspot.com/x/log.txt?x=13493371a80000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=d7847c9dca13d6c5
> > dashboard link: https://syzkaller.appspot.com/bug?extid=26860029a4d562566231
> > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=179704c9a80000
> > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17868ba9a80000
> >
> > Reported-by: [email protected]
> > Fixes: 066d64b26a21 ("btrfs: open block devices after superblock creation")
> >
> > For information about bisection process see: https://goo.gl/tpsmEJ#bisection
>
> I think the issue might be that before your patch the lifetime of:
> @device was aligned with @device->s_fs_info but now that you're dropping
> the uuid mutex after btrfs_scan_one_device() that isn't true anymore. So
> it feels like:
>
> P1 P2
> lock_uuid_mutex;
> device = btrfs_scan_one_device();
> fs_devices = device->fs_devices;
> unlock_uuid_mutex;
> // earlier mount that gets cleaned up
> lock_uuid_mutex;
> btrfs_close_devices(fs_devices);
> unlock_uuid_mutex;
>
> lock_uuid_mutex;
> btrfs_open_devices(fs_devices); // UAF
> unlock_uuid_mutex;
>
> But I'm not entirely sure.
---end quoted text---
On Mon, Aug 07, 2023 at 08:24:36PM -0700, syzbot wrote:
> syzbot has bisected this issue to:
>
> commit 066d64b26a21a5b5c500a30f27f3e4b1959aac9e
> Author: Christoph Hellwig <[email protected]>
> Date: Wed Aug 2 15:41:23 2023 +0000
>
> btrfs: open block devices after superblock creation
>
> bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=15493371a80000
> start commit: f7dc24b34138 Add linux-next specific files for 20230807
> git tree: linux-next
> final oops: https://syzkaller.appspot.com/x/report.txt?x=17493371a80000
> console output: https://syzkaller.appspot.com/x/log.txt?x=13493371a80000
> kernel config: https://syzkaller.appspot.com/x/.config?x=d7847c9dca13d6c5
> dashboard link: https://syzkaller.appspot.com/bug?extid=26860029a4d562566231
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=179704c9a80000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17868ba9a80000
>
> Reported-by: [email protected]
> Fixes: 066d64b26a21 ("btrfs: open block devices after superblock creation")
>
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection
I think the issue might be that before your patch the lifetime of:
@device was aligned with @device->s_fs_info but now that you're dropping
the uuid mutex after btrfs_scan_one_device() that isn't true anymore. So
it feels like:
P1 P2
lock_uuid_mutex;
device = btrfs_scan_one_device();
fs_devices = device->fs_devices;
unlock_uuid_mutex;
// earlier mount that gets cleaned up
lock_uuid_mutex;
btrfs_close_devices(fs_devices);
unlock_uuid_mutex;
lock_uuid_mutex;
btrfs_open_devices(fs_devices); // UAF
unlock_uuid_mutex;
But I'm not entirely sure.
On Tue, Aug 08, 2023 at 06:35:04PM +0200, Christian Brauner wrote:
> On Tue, Aug 08, 2023 at 06:01:41PM +0200, Christoph Hellwig wrote:
> > Yes, probably. The lifetimes looked fishy to me to start with, but
> > this might have made things worse.
>
> It looks like we should be able to just drop that patch.
> Ok, are you fixing this or should I drop this patch?
I plan to fix it, but you can drop it for. If we want to go on top
drop get_super like the preview series I sent you we'll eventually need
something like this patch back, though.
On Tue, Aug 08, 2023 at 06:01:41PM +0200, Christoph Hellwig wrote:
> Yes, probably. The lifetimes looked fishy to me to start with, but
> this might have made things worse.
It looks like we should be able to just drop that patch.
Ok, are you fixing this or should I drop this patch?
>
> On Tue, Aug 08, 2023 at 05:50:02PM +0200, Christian Brauner wrote:
> > On Mon, Aug 07, 2023 at 08:24:36PM -0700, syzbot wrote:
> > > syzbot has bisected this issue to:
> > >
> > > commit 066d64b26a21a5b5c500a30f27f3e4b1959aac9e
> > > Author: Christoph Hellwig <[email protected]>
> > > Date: Wed Aug 2 15:41:23 2023 +0000
> > >
> > > btrfs: open block devices after superblock creation
> > >
> > > bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=15493371a80000
> > > start commit: f7dc24b34138 Add linux-next specific files for 20230807
> > > git tree: linux-next
> > > final oops: https://syzkaller.appspot.com/x/report.txt?x=17493371a80000
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=13493371a80000
> > > kernel config: https://syzkaller.appspot.com/x/.config?x=d7847c9dca13d6c5
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=26860029a4d562566231
> > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=179704c9a80000
> > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17868ba9a80000
> > >
> > > Reported-by: [email protected]
> > > Fixes: 066d64b26a21 ("btrfs: open block devices after superblock creation")
> > >
> > > For information about bisection process see: https://goo.gl/tpsmEJ#bisection
> >
> > I think the issue might be that before your patch the lifetime of:
> > @device was aligned with @device->s_fs_info but now that you're dropping
> > the uuid mutex after btrfs_scan_one_device() that isn't true anymore. So
> > it feels like:
> >
> > P1 P2
> > lock_uuid_mutex;
> > device = btrfs_scan_one_device();
> > fs_devices = device->fs_devices;
> > unlock_uuid_mutex;
> > // earlier mount that gets cleaned up
> > lock_uuid_mutex;
> > btrfs_close_devices(fs_devices);
> > unlock_uuid_mutex;
> >
> > lock_uuid_mutex;
> > btrfs_open_devices(fs_devices); // UAF
> > unlock_uuid_mutex;
> >
> > But I'm not entirely sure.
> ---end quoted text---
On Tue, Aug 08, 2023 at 06:01:41PM +0200, Christoph Hellwig wrote:
> Yes, probably. The lifetimes looked fishy to me to start with, but
> this might have made things worse.
The locking rules for device structures are not following any commonly
found patterns so it's easy to break it. We've spent a lot of time
chasing races reported by syzbot, so please hold on with this patch
before a final merge. Keeping it in for-next for testing is OK.
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in btrfs_mount_root
==================================================================
BUG: KASAN: use-after-free in btrfs_mount_root+0xf1b/0xf70 fs/btrfs/super.c:1539
Read of size 8 at addr ffff8880636d1110 by task syz-executor.2/5580
CPU: 1 PID: 5580 Comm: syz-executor.2 Not tainted 6.5.0-rc5-next-20230807-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:364 [inline]
print_report+0xc4/0x620 mm/kasan/report.c:475
kasan_report+0xda/0x110 mm/kasan/report.c:588
btrfs_mount_root+0xf1b/0xf70 fs/btrfs/super.c:1539
legacy_get_tree+0x109/0x220 fs/fs_context.c:611
vfs_get_tree+0x88/0x350 fs/super.c:1544
fc_mount fs/namespace.c:1112 [inline]
vfs_kern_mount.part.0+0xcb/0x170 fs/namespace.c:1142
vfs_kern_mount+0x3f/0x60 fs/namespace.c:1129
btrfs_mount+0x292/0xb10 fs/btrfs/super.c:1586
legacy_get_tree+0x109/0x220 fs/fs_context.c:611
vfs_get_tree+0x88/0x350 fs/super.c:1544
do_new_mount fs/namespace.c:3335 [inline]
path_mount+0x1492/0x1ed0 fs/namespace.c:3662
do_mount fs/namespace.c:3675 [inline]
__do_sys_mount fs/namespace.c:3884 [inline]
__se_sys_mount fs/namespace.c:3861 [inline]
__x64_sys_mount+0x293/0x310 fs/namespace.c:3861
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fa214e7e1ea
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 09 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fa215c9aee8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007fa215c9af80 RCX: 00007fa214e7e1ea
RDX: 00000000200051c0 RSI: 0000000020005200 RDI: 00007fa215c9af40
RBP: 00000000200051c0 R08: 00007fa215c9af80 R09: 0000000001000008
R10: 0000000001000008 R11: 0000000000000246 R12: 0000000020005200
R13: 00007fa215c9af40 R14: 00000000000051ab R15: 0000000020000280
</TASK>
The buggy address belongs to the physical page:
page:ffffea00018db440 refcount:0 mapcount:0 mapping:0000000000000000 index:0x4 pfn:0x636d1
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000000 0000000000000000 ffffffff00000201 0000000000000000
raw: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x102000(__GFP_NOWARN|__GFP_HARDWALL), pid 5580, tgid 5579 (syz-executor.2), ts 76159898184, free_ts 76159901250
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x2d2/0x350 mm/page_alloc.c:1567
prep_new_page mm/page_alloc.c:1574 [inline]
get_page_from_freelist+0x10d7/0x31b0 mm/page_alloc.c:3253
__alloc_pages+0x1d0/0x4a0 mm/page_alloc.c:4509
alloc_pages+0x1a9/0x270 mm/mempolicy.c:2298
__stack_depot_save+0x3c2/0x510 lib/stackdepot.c:410
kasan_save_stack+0x43/0x50 mm/kasan/common.c:46
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:522
____kasan_slab_free mm/kasan/common.c:236 [inline]
____kasan_slab_free+0x15e/0x1b0 mm/kasan/common.c:200
kasan_slab_free include/linux/kasan.h:164 [inline]
slab_free_hook mm/slub.c:1800 [inline]
slab_free_freelist_hook+0x114/0x1e0 mm/slub.c:1826
slab_free mm/slub.c:3809 [inline]
__kmem_cache_free+0xb8/0x2f0 mm/slub.c:3822
list_lru_destroy mm/list_lru.c:598 [inline]
list_lru_destroy+0x153/0x700 mm/list_lru.c:589
deactivate_locked_super+0xb2/0x170 fs/super.c:338
btrfs_mount_root+0x625/0xf70 fs/btrfs/super.c:1534
legacy_get_tree+0x109/0x220 fs/fs_context.c:611
vfs_get_tree+0x88/0x350 fs/super.c:1544
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1158 [inline]
free_unref_page_prepare+0x508/0xb90 mm/page_alloc.c:2380
free_unref_page+0x33/0x3b0 mm/page_alloc.c:2475
__stack_depot_save+0x193/0x510 lib/stackdepot.c:443
kasan_save_stack+0x43/0x50 mm/kasan/common.c:46
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:522
____kasan_slab_free mm/kasan/common.c:236 [inline]
____kasan_slab_free+0x15e/0x1b0 mm/kasan/common.c:200
kasan_slab_free include/linux/kasan.h:164 [inline]
slab_free_hook mm/slub.c:1800 [inline]
slab_free_freelist_hook+0x114/0x1e0 mm/slub.c:1826
slab_free mm/slub.c:3809 [inline]
__kmem_cache_free+0xb8/0x2f0 mm/slub.c:3822
list_lru_destroy mm/list_lru.c:598 [inline]
list_lru_destroy+0x153/0x700 mm/list_lru.c:589
deactivate_locked_super+0xb2/0x170 fs/super.c:338
btrfs_mount_root+0x625/0xf70 fs/btrfs/super.c:1534
legacy_get_tree+0x109/0x220 fs/fs_context.c:611
vfs_get_tree+0x88/0x350 fs/super.c:1544
fc_mount fs/namespace.c:1112 [inline]
vfs_kern_mount.part.0+0xcb/0x170 fs/namespace.c:1142
vfs_kern_mount+0x3f/0x60 fs/namespace.c:1129
Memory state around the buggy address:
ffff8880636d1000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8880636d1080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8880636d1100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff8880636d1180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8880636d1200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
Tested on:
commit: f7dc24b3 Add linux-next specific files for 20230807
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=121811fda80000
kernel config: https://syzkaller.appspot.com/x/.config?x=d7847c9dca13d6c5
dashboard link: https://syzkaller.appspot.com/bug?extid=26860029a4d562566231
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=163b52eda80000
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: corrupted list in btrfs_close_devices
list_del corruption, ffff88801bc63020->next is LIST_POISON1 (dead000000000100)
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:53!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 5637 Comm: syz-executor.5 Not tainted 6.5.0-rc5-next-20230807-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
RIP: 0010:__list_del_entry_valid+0xfd/0x1b0 lib/list_debug.c:53
Code: 18 c3 48 c7 c7 80 8f c8 8a e8 5f 71 43 fd 0f 0b 48 c7 c7 e0 8f c8 8a e8 51 71 43 fd 0f 0b 48 c7 c7 40 90 c8 8a e8 43 71 43 fd <0f> 0b 48 89 ca 48 c7 c7 a0 90 c8 8a e8 32 71 43 fd 0f 0b 48 89 c2
RSP: 0018:ffffc9000558f8d0 EFLAGS: 00010282
RAX: 000000000000004e RBX: ffff88801bc63000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff816a9732 RDI: 0000000000000005
RBP: 0000000000000001 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000001 R12: ffff88801bc63130
R13: ffffc9000558f928 R14: ffff88801bc63020 R15: ffff88801bc63028
FS: 00007fe3739386c0(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000560da64aa048 CR3: 000000006a4e0000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__list_del_entry include/linux/list.h:134 [inline]
list_del include/linux/list.h:148 [inline]
btrfs_close_devices+0x460/0x790 fs/btrfs/volumes.c:1208
btrfs_mount_root+0x6a0/0xe70 fs/btrfs/super.c:1542
legacy_get_tree+0x109/0x220 fs/fs_context.c:611
vfs_get_tree+0x88/0x350 fs/super.c:1544
fc_mount fs/namespace.c:1112 [inline]
vfs_kern_mount.part.0+0xcb/0x170 fs/namespace.c:1142
vfs_kern_mount+0x3f/0x60 fs/namespace.c:1129
btrfs_mount+0x292/0xb10 fs/btrfs/super.c:1588
legacy_get_tree+0x109/0x220 fs/fs_context.c:611
vfs_get_tree+0x88/0x350 fs/super.c:1544
do_new_mount fs/namespace.c:3335 [inline]
path_mount+0x1492/0x1ed0 fs/namespace.c:3662
do_mount fs/namespace.c:3675 [inline]
__do_sys_mount fs/namespace.c:3884 [inline]
__se_sys_mount fs/namespace.c:3861 [inline]
__x64_sys_mount+0x293/0x310 fs/namespace.c:3861
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fe372c7e1ea
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 09 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fe373937ee8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007fe373937f80 RCX: 00007fe372c7e1ea
RDX: 00000000200051c0 RSI: 0000000020005200 RDI: 00007fe373937f40
RBP: 00000000200051c0 R08: 00007fe373937f80 R09: 0000000001000008
R10: 0000000001000008 R11: 0000000000000246 R12: 0000000020005200
R13: 00007fe373937f40 R14: 00000000000051ab R15: 0000000020000280
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__list_del_entry_valid+0xfd/0x1b0 lib/list_debug.c:53
Code: 18 c3 48 c7 c7 80 8f c8 8a e8 5f 71 43 fd 0f 0b 48 c7 c7 e0 8f c8 8a e8 51 71 43 fd 0f 0b 48 c7 c7 40 90 c8 8a e8 43 71 43 fd <0f> 0b 48 89 ca 48 c7 c7 a0 90 c8 8a e8 32 71 43 fd 0f 0b 48 89 c2
RSP: 0018:ffffc9000558f8d0 EFLAGS: 00010282
RAX: 000000000000004e RBX: ffff88801bc63000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff816a9732 RDI: 0000000000000005
RBP: 0000000000000001 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000001 R12: ffff88801bc63130
R13: ffffc9000558f928 R14: ffff88801bc63020 R15: ffff88801bc63028
FS: 00007fe3739386c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2d90255290 CR3: 000000006a4e0000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Tested on:
commit: f7dc24b3 Add linux-next specific files for 20230807
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1292aea5a80000
kernel config: https://syzkaller.appspot.com/x/.config?x=d7847c9dca13d6c5
dashboard link: https://syzkaller.appspot.com/bug?extid=26860029a4d562566231
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1230fea5a80000
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in percpu_counter_destroy
BTRFS error (device loop3): open_ctree failed
==================================================================
BUG: KASAN: use-after-free in percpu_counter_destroy+0x47/0x50 lib/percpu_counter.c:182
Read of size 8 at addr ffff88807307d030 by task syz-executor.3/5615
CPU: 0 PID: 5615 Comm: syz-executor.3 Not tainted 6.5.0-rc5-next-20230807-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:364 [inline]
print_report+0xc4/0x620 mm/kasan/report.c:475
kasan_report+0xda/0x110 mm/kasan/report.c:588
percpu_counter_destroy+0x47/0x50 lib/percpu_counter.c:182
btrfs_free_fs_info+0x1c/0x380 fs/btrfs/disk-io.c:1246
btrfs_mount_root+0x3ea/0xe60 fs/btrfs/super.c:1544
legacy_get_tree+0x109/0x220 fs/fs_context.c:611
vfs_get_tree+0x88/0x350 fs/super.c:1544
fc_mount fs/namespace.c:1112 [inline]
vfs_kern_mount.part.0+0xcb/0x170 fs/namespace.c:1142
vfs_kern_mount+0x3f/0x60 fs/namespace.c:1129
btrfs_mount+0x292/0xb10 fs/btrfs/super.c:1587
legacy_get_tree+0x109/0x220 fs/fs_context.c:611
vfs_get_tree+0x88/0x350 fs/super.c:1544
do_new_mount fs/namespace.c:3335 [inline]
path_mount+0x1492/0x1ed0 fs/namespace.c:3662
do_mount fs/namespace.c:3675 [inline]
__do_sys_mount fs/namespace.c:3884 [inline]
__se_sys_mount fs/namespace.c:3861 [inline]
__x64_sys_mount+0x293/0x310 fs/namespace.c:3861
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f8b6847e1ea
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 09 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f8b691f0ee8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007f8b691f0f80 RCX: 00007f8b6847e1ea
RDX: 00000000200051c0 RSI: 0000000020005200 RDI: 00007f8b691f0f40
RBP: 00000000200051c0 R08: 00007f8b691f0f80 R09: 0000000001000008
R10: 0000000001000008 R11: 0000000000000246 R12: 0000000020005200
R13: 00007f8b691f0f40 R14: 00000000000051ab R15: 0000000020000280
</TASK>
The buggy address belongs to the physical page:
page:ffffea0001cc1f40 refcount:0 mapcount:0 mapping:0000000000000000 index:0x4 pfn:0x7307d
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000000 0000000000000000 ffffffff00000201 0000000000000000
raw: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x152dc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_ZERO), pid 5615, tgid 5614 (syz-executor.3), ts 74051625164, free_ts 74183131126
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x2d2/0x350 mm/page_alloc.c:1567
prep_new_page mm/page_alloc.c:1574 [inline]
get_page_from_freelist+0x10d7/0x31b0 mm/page_alloc.c:3253
__alloc_pages+0x1d0/0x4a0 mm/page_alloc.c:4509
__alloc_pages_node include/linux/gfp.h:237 [inline]
alloc_pages_node include/linux/gfp.h:260 [inline]
__kmalloc_large_node+0x87/0x1c0 mm/slab_common.c:1164
__do_kmalloc_node mm/slab_common.c:1011 [inline]
__kmalloc_node.cold+0x5/0xdd mm/slab_common.c:1030
kmalloc_node include/linux/slab.h:619 [inline]
kvmalloc_node+0x6f/0x1a0 mm/util.c:604
kvmalloc include/linux/slab.h:737 [inline]
kvzalloc include/linux/slab.h:745 [inline]
btrfs_mount_root+0xf4/0xe60 fs/btrfs/super.c:1462
legacy_get_tree+0x109/0x220 fs/fs_context.c:611
vfs_get_tree+0x88/0x350 fs/super.c:1544
fc_mount fs/namespace.c:1112 [inline]
vfs_kern_mount.part.0+0xcb/0x170 fs/namespace.c:1142
vfs_kern_mount+0x3f/0x60 fs/namespace.c:1129
btrfs_mount+0x292/0xb10 fs/btrfs/super.c:1587
legacy_get_tree+0x109/0x220 fs/fs_context.c:611
vfs_get_tree+0x88/0x350 fs/super.c:1544
do_new_mount fs/namespace.c:3335 [inline]
path_mount+0x1492/0x1ed0 fs/namespace.c:3662
do_mount fs/namespace.c:3675 [inline]
__do_sys_mount fs/namespace.c:3884 [inline]
__se_sys_mount fs/namespace.c:3861 [inline]
__x64_sys_mount+0x293/0x310 fs/namespace.c:3861
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1158 [inline]
free_unref_page_prepare+0x508/0xb90 mm/page_alloc.c:2380
free_unref_page+0x33/0x3b0 mm/page_alloc.c:2475
kvfree+0x47/0x50 mm/util.c:650
deactivate_locked_super+0x9a/0x170 fs/super.c:330
btrfs_mount_root+0x62d/0xe60 fs/btrfs/super.c:1533
legacy_get_tree+0x109/0x220 fs/fs_context.c:611
vfs_get_tree+0x88/0x350 fs/super.c:1544
fc_mount fs/namespace.c:1112 [inline]
vfs_kern_mount.part.0+0xcb/0x170 fs/namespace.c:1142
vfs_kern_mount+0x3f/0x60 fs/namespace.c:1129
btrfs_mount+0x292/0xb10 fs/btrfs/super.c:1587
legacy_get_tree+0x109/0x220 fs/fs_context.c:611
vfs_get_tree+0x88/0x350 fs/super.c:1544
do_new_mount fs/namespace.c:3335 [inline]
path_mount+0x1492/0x1ed0 fs/namespace.c:3662
do_mount fs/namespace.c:3675 [inline]
__do_sys_mount fs/namespace.c:3884 [inline]
__se_sys_mount fs/namespace.c:3861 [inline]
__x64_sys_mount+0x293/0x310 fs/namespace.c:3861
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Memory state around the buggy address:
ffff88807307cf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88807307cf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88807307d000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88807307d080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88807307d100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
Tested on:
commit: f7dc24b3 Add linux-next specific files for 20230807
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=10e4c645a80000
kernel config: https://syzkaller.appspot.com/x/.config?x=d7847c9dca13d6c5
dashboard link: https://syzkaller.appspot.com/bug?extid=26860029a4d562566231
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=15c512b3a80000
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in btrfs_test_super
==================================================================
BUG: KASAN: use-after-free in btrfs_test_super+0x9b/0xa0 fs/btrfs/super.c:1346
Read of size 8 at addr ffff88802a975110 by task syz-executor.3/5661
CPU: 1 PID: 5661 Comm: syz-executor.3 Not tainted 6.5.0-rc5-next-20230807-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:364 [inline]
print_report+0xc4/0x620 mm/kasan/report.c:475
kasan_report+0xda/0x110 mm/kasan/report.c:588
btrfs_test_super+0x9b/0xa0 fs/btrfs/super.c:1346
sget+0x3de/0x610 fs/super.c:663
btrfs_mount_root+0x220/0xd50 fs/btrfs/super.c:1475
legacy_get_tree+0x109/0x220 fs/fs_context.c:611
vfs_get_tree+0x88/0x350 fs/super.c:1544
fc_mount fs/namespace.c:1112 [inline]
vfs_kern_mount.part.0+0xcb/0x170 fs/namespace.c:1142
vfs_kern_mount+0x3f/0x60 fs/namespace.c:1129
btrfs_mount+0x292/0xb10 fs/btrfs/super.c:1578
legacy_get_tree+0x109/0x220 fs/fs_context.c:611
vfs_get_tree+0x88/0x350 fs/super.c:1544
do_new_mount fs/namespace.c:3335 [inline]
path_mount+0x1492/0x1ed0 fs/namespace.c:3662
do_mount fs/namespace.c:3675 [inline]
__do_sys_mount fs/namespace.c:3884 [inline]
__se_sys_mount fs/namespace.c:3861 [inline]
__x64_sys_mount+0x293/0x310 fs/namespace.c:3861
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f0d83a7e1ea
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 09 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f0d847a2ee8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007f0d847a2f80 RCX: 00007f0d83a7e1ea
RDX: 00000000200051c0 RSI: 0000000020005200 RDI: 00007f0d847a2f40
RBP: 00000000200051c0 R08: 00007f0d847a2f80 R09: 0000000001000008
R10: 0000000001000008 R11: 0000000000000246 R12: 0000000020005200
R13: 00007f0d847a2f40 R14: 00000000000051ab R15: 0000000020000280
</TASK>
The buggy address belongs to the physical page:
page:ffffea0000aa5d40 refcount:0 mapcount:0 mapping:0000000000000000 index:0x4 pfn:0x2a975
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000000 0000000000000000 ffffffff00000201 0000000000000000
raw: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x152dc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_ZERO), pid 5641, tgid 5640 (syz-executor.0), ts 80709504641, free_ts 80731761534
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x2d2/0x350 mm/page_alloc.c:1567
prep_new_page mm/page_alloc.c:1574 [inline]
get_page_from_freelist+0x10d7/0x31b0 mm/page_alloc.c:3253
__alloc_pages+0x1d0/0x4a0 mm/page_alloc.c:4509
__alloc_pages_node include/linux/gfp.h:237 [inline]
alloc_pages_node include/linux/gfp.h:260 [inline]
__kmalloc_large_node+0x87/0x1c0 mm/slab_common.c:1164
__do_kmalloc_node mm/slab_common.c:1011 [inline]
__kmalloc_node.cold+0x5/0xdd mm/slab_common.c:1030
kmalloc_node include/linux/slab.h:619 [inline]
kvmalloc_node+0x6f/0x1a0 mm/util.c:604
kvmalloc include/linux/slab.h:737 [inline]
kvzalloc include/linux/slab.h:745 [inline]
btrfs_mount_root+0xe8/0xd50 fs/btrfs/super.c:1461
legacy_get_tree+0x109/0x220 fs/fs_context.c:611
vfs_get_tree+0x88/0x350 fs/super.c:1544
fc_mount fs/namespace.c:1112 [inline]
vfs_kern_mount.part.0+0xcb/0x170 fs/namespace.c:1142
vfs_kern_mount+0x3f/0x60 fs/namespace.c:1129
btrfs_mount+0x292/0xb10 fs/btrfs/super.c:1578
legacy_get_tree+0x109/0x220 fs/fs_context.c:611
vfs_get_tree+0x88/0x350 fs/super.c:1544
do_new_mount fs/namespace.c:3335 [inline]
path_mount+0x1492/0x1ed0 fs/namespace.c:3662
do_mount fs/namespace.c:3675 [inline]
__do_sys_mount fs/namespace.c:3884 [inline]
__se_sys_mount fs/namespace.c:3861 [inline]
__x64_sys_mount+0x293/0x310 fs/namespace.c:3861
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1158 [inline]
free_unref_page_prepare+0x508/0xb90 mm/page_alloc.c:2380
free_unref_page+0x33/0x3b0 mm/page_alloc.c:2475
kvfree+0x47/0x50 mm/util.c:650
btrfs_mount_root+0x591/0xd50 fs/btrfs/super.c:1535
legacy_get_tree+0x109/0x220 fs/fs_context.c:611
vfs_get_tree+0x88/0x350 fs/super.c:1544
fc_mount fs/namespace.c:1112 [inline]
vfs_kern_mount.part.0+0xcb/0x170 fs/namespace.c:1142
vfs_kern_mount+0x3f/0x60 fs/namespace.c:1129
btrfs_mount+0x292/0xb10 fs/btrfs/super.c:1578
legacy_get_tree+0x109/0x220 fs/fs_context.c:611
vfs_get_tree+0x88/0x350 fs/super.c:1544
do_new_mount fs/namespace.c:3335 [inline]
path_mount+0x1492/0x1ed0 fs/namespace.c:3662
do_mount fs/namespace.c:3675 [inline]
__do_sys_mount fs/namespace.c:3884 [inline]
__se_sys_mount fs/namespace.c:3861 [inline]
__x64_sys_mount+0x293/0x310 fs/namespace.c:3861
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Memory state around the buggy address:
ffff88802a975000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88802a975080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88802a975100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88802a975180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88802a975200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
Tested on:
commit: f7dc24b3 Add linux-next specific files for 20230807
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=14a2c5aba80000
kernel config: https://syzkaller.appspot.com/x/.config?x=d7847c9dca13d6c5
dashboard link: https://syzkaller.appspot.com/bug?extid=26860029a4d562566231
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=128199aba80000
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: [email protected]
Tested on:
commit: f7dc24b3 Add linux-next specific files for 20230807
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=14cda407a80000
kernel config: https://syzkaller.appspot.com/x/.config?x=d7847c9dca13d6c5
dashboard link: https://syzkaller.appspot.com/bug?extid=26860029a4d562566231
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=112db1a5a80000
Note: testing is done by a robot and is best-effort only.