Date: Mon, 21 Sep 2020 01:53:15 -0700
Message-ID: <0000000000002d3b9d05afcefb40@google.com>
Subject: Re: Re: KASAN: use-after-free Read in btrfs_scan_one_device
From: syzbot
To: Johannes Thumshirn
Cc: Johannes.Thumshirn@wdc.com, clm@fb.com, dsterba@suse.com, josef@toxicpanda.com, linux-btrfs@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
X-Mailing-List: linux-kernel@vger.kernel.org

> On 21/09/2020 07:38, syzbot wrote:
>> syzbot has found a reproducer for the following issue on:
>>
>> HEAD commit:    325d0eab Merge branch 'akpm' (patches from Andrew)
>> git tree:       upstream
>> console output: https://syzkaller.appspot.com/x/log.txt?x=1512df53900000
>> kernel config:  https://syzkaller.appspot.com/x/.config?x=6a8a2ae52ed737db
>> dashboard link: https://syzkaller.appspot.com/bug?extid=582e66e5edf36a22c7b0
>> compiler:       clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
>> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=12366f8b900000
>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14e6929b900000
>>
>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>> Reported-by: syzbot+582e66e5edf36a22c7b0@syzkaller.appspotmail.com
>>
>> ==================================================================
>> BUG: KASAN: use-after-free in btrfs_printk+0x3eb/0x435 fs/btrfs/super.c:245
>> Read of size 8 at addr ffff8880878e06a8 by task syz-executor225/7068
>>
>> CPU: 1 PID: 7068 Comm: syz-executor225 Not tainted 5.9.0-rc5-syzkaller #0
>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
>> Call Trace:
>>  __dump_stack lib/dump_stack.c:77 [inline]
>>  dump_stack+0x1d6/0x29e lib/dump_stack.c:118
>>  print_address_description+0x66/0x620 mm/kasan/report.c:383
>>  __kasan_report mm/kasan/report.c:513 [inline]
>>  kasan_report+0x132/0x1d0 mm/kasan/report.c:530
>>  btrfs_printk+0x3eb/0x435 fs/btrfs/super.c:245
>>  device_list_add+0x1a88/0x1d60 fs/btrfs/volumes.c:943
>>  btrfs_scan_one_device+0x196/0x490 fs/btrfs/volumes.c:1359
>>  btrfs_mount_root+0x48f/0xb60 fs/btrfs/super.c:1634
>>  legacy_get_tree+0xea/0x180 fs/fs_context.c:592
>>  vfs_get_tree+0x88/0x270 fs/super.c:1547
>>  fc_mount fs/namespace.c:978 [inline]
>>  vfs_kern_mount+0xc9/0x160 fs/namespace.c:1008
>>  btrfs_mount+0x33c/0xae0 fs/btrfs/super.c:1732
>>  legacy_get_tree+0xea/0x180 fs/fs_context.c:592
>>  vfs_get_tree+0x88/0x270 fs/super.c:1547
>>  do_new_mount fs/namespace.c:2875 [inline]
>>  path_mount+0x179d/0x29e0 fs/namespace.c:3192
>>  do_mount fs/namespace.c:3205 [inline]
>>  __do_sys_mount fs/namespace.c:3413 [inline]
>>  __se_sys_mount+0x126/0x180 fs/namespace.c:3390
>>  do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46
>>  entry_SYSCALL_64_after_hwframe+0x44/0xa9
>> RIP: 0033:0x44840a
>> Code: b8 08 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 cd a2 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 aa a2 fb ff c3 66 0f 1f 84 00 00 00 00 00
>> RSP: 002b:00007ffedfffd608 EFLAGS: 00000293 ORIG_RAX: 00000000000000a5
>> RAX: ffffffffffffffda RBX: 00007ffedfffd670 RCX: 000000000044840a
>> RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffedfffd630
>> RBP: 00007ffedfffd630 R08: 00007ffedfffd670 R09: 0000000000000000
>> R10: 0000000000000000 R11: 0000000000000293 R12: 000000000000001a
>> R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003
>>
>> Allocated by task 6945:
>>  kasan_save_stack mm/kasan/common.c:48 [inline]
>>  kasan_set_track mm/kasan/common.c:56 [inline]
>>  __kasan_kmalloc+0x100/0x130 mm/kasan/common.c:461
>>  kmalloc_node include/linux/slab.h:577 [inline]
>>  kvmalloc_node+0x81/0x110 mm/util.c:574
>>  kvmalloc include/linux/mm.h:757 [inline]
>>  kvzalloc include/linux/mm.h:765 [inline]
>>  btrfs_mount_root+0xd0/0xb60 fs/btrfs/super.c:1613
>>  legacy_get_tree+0xea/0x180 fs/fs_context.c:592
>>  vfs_get_tree+0x88/0x270 fs/super.c:1547
>>  fc_mount fs/namespace.c:978 [inline]
>>  vfs_kern_mount+0xc9/0x160 fs/namespace.c:1008
>>  btrfs_mount+0x33c/0xae0 fs/btrfs/super.c:1732
>>  legacy_get_tree+0xea/0x180 fs/fs_context.c:592
>>  vfs_get_tree+0x88/0x270 fs/super.c:1547
>>  do_new_mount fs/namespace.c:2875 [inline]
>>  path_mount+0x179d/0x29e0 fs/namespace.c:3192
>>  do_mount fs/namespace.c:3205 [inline]
>>  __do_sys_mount fs/namespace.c:3413 [inline]
>>  __se_sys_mount+0x126/0x180 fs/namespace.c:3390
>>  do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46
>>  entry_SYSCALL_64_after_hwframe+0x44/0xa9
>>
>> Freed by task 6945:
>>  kasan_save_stack mm/kasan/common.c:48 [inline]
>>  kasan_set_track+0x3d/0x70 mm/kasan/common.c:56
>>  kasan_set_free_info+0x17/0x30 mm/kasan/generic.c:355
>>  __kasan_slab_free+0xdd/0x110 mm/kasan/common.c:422
>>  __cache_free mm/slab.c:3418 [inline]
>>  kfree+0x113/0x200 mm/slab.c:3756
>>  deactivate_locked_super+0xa7/0xf0 fs/super.c:335
>>  btrfs_mount_root+0x72b/0xb60 fs/btrfs/super.c:1678
>>  legacy_get_tree+0xea/0x180 fs/fs_context.c:592
>>  vfs_get_tree+0x88/0x270 fs/super.c:1547
>>  fc_mount fs/namespace.c:978 [inline]
>>  vfs_kern_mount+0xc9/0x160 fs/namespace.c:1008
>>  btrfs_mount+0x33c/0xae0 fs/btrfs/super.c:1732
>>  legacy_get_tree+0xea/0x180 fs/fs_context.c:592
>>  vfs_get_tree+0x88/0x270 fs/super.c:1547
>>  do_new_mount fs/namespace.c:2875 [inline]
>>  path_mount+0x179d/0x29e0 fs/namespace.c:3192
>>  do_mount fs/namespace.c:3205 [inline]
>>  __do_sys_mount fs/namespace.c:3413 [inline]
>>  __se_sys_mount+0x126/0x180 fs/namespace.c:3390
>>  do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46
>>  entry_SYSCALL_64_after_hwframe+0x44/0xa9
>>
>> The buggy address belongs to the object at ffff8880878e0000
>>  which belongs to the cache kmalloc-16k of size 16384
>> The buggy address is located 1704 bytes inside of
>>  16384-byte region [ffff8880878e0000, ffff8880878e4000)
>> The buggy address belongs to the page:
>> page:0000000060704f30 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x878e0
>> head:0000000060704f30 order:3 compound_mapcount:0 compound_pincount:0
>> flags: 0xfffe0000010200(slab|head)
>> raw: 00fffe0000010200 ffffea00028e9a08 ffffea00021e3608 ffff8880aa440b00
>> raw: 0000000000000000 ffff8880878e0000 0000000100000001 0000000000000000
>> page dumped because: kasan: bad access detected
>>
>> Memory state around the buggy address:
>>  ffff8880878e0580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>>  ffff8880878e0600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> >ffff8880878e0680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>>                                   ^
>>  ffff8880878e0700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>>  ffff8880878e0780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> ==================================================================
>>
>
> #syz test: btrfs: Fix missing close devices

want 2 args (repo, branch), got 5
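The bot's one-line reply is terse, so here is an added Go illustration of the parsing rule it implies. This is not syzbot's own code (the real implementation lives in the syzkaller repository and is not reproduced here); it is a sketch written for this page. It takes the text after `#syz test:`, splits it on whitespace, and requires exactly two tokens, a repository and a branch. The patch subject `btrfs: Fix missing close devices` splits into five tokens, which is where the "got 5" comes from. The function names, the choice to skip quoted (`>`) lines so a command echoed in a reply is not re-executed, and the sample bodies (including the `git://example.invalid/linux.git` URL) are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// SyzCommand is one "#syz <name>: <args...>" directive found in a mail body.
type SyzCommand struct {
	Name string   // command name, e.g. "test"
	Args []string // whitespace-separated tokens after the colon
}

// ErrNoCommand is returned when the body carries no unquoted "#syz" line.
var ErrNoCommand = errors.New("no #syz command found")

// ParseSyzCommand scans a mail body for the first "#syz" directive.
// Lines starting with ">" are quoted text and are skipped, so a command
// that is merely echoed back in a reply (as in the thread above) is not
// treated as a fresh request. (Assumed behaviour for this example.)
func ParseSyzCommand(body string) (SyzCommand, error) {
	for _, raw := range strings.Split(body, "\n") {
		line := strings.TrimSpace(raw)
		if strings.HasPrefix(line, ">") || !strings.HasPrefix(line, "#syz ") {
			continue
		}
		rest := strings.TrimSpace(strings.TrimPrefix(line, "#syz "))
		// Only the first colon separates the command name from its arguments.
		// Any later colon is just part of an argument, which is exactly what
		// happens when a patch subject is pasted where repo/branch belong.
		parts := strings.SplitN(rest, ":", 2)
		cmd := SyzCommand{Name: strings.TrimSpace(parts[0])}
		if len(parts) == 2 {
			cmd.Args = strings.Fields(parts[1])
		}
		return cmd, nil
	}
	return SyzCommand{}, ErrNoCommand
}

// ValidateTest checks the arity of a "test" command: exactly a repo and a
// branch. The error text mirrors the bot reply quoted in this thread.
func ValidateTest(cmd SyzCommand) error {
	if cmd.Name != "test" {
		return fmt.Errorf("unsupported command %q", cmd.Name)
	}
	if len(cmd.Args) != 2 {
		return fmt.Errorf("want 2 args (repo, branch), got %d", len(cmd.Args))
	}
	return nil
}

func main() {
	// Constructed mail bodies for the demo; not copied from the mail above.
	bodies := []string{
		"#syz test: btrfs: Fix missing close devices\n",
		"#syz test: git://example.invalid/linux.git for-next\n\n--- a/fs/btrfs/super.c\n",
		"> #syz test: git://example.invalid/linux.git for-next\n",
	}
	for _, b := range bodies {
		cmd, err := ParseSyzCommand(b)
		if err != nil {
			fmt.Println("skip:", err)
			continue
		}
		if err := ValidateTest(cmd); err != nil {
			fmt.Println("reject:", err)
			continue
		}
		fmt.Printf("accept: repo=%s branch=%s\n", cmd.Args[0], cmd.Args[1])
	}
}
```

The form syzkaller's documentation asks for is `#syz test: <git-repo-url> <branch-or-commit>` as its own line in the reply, with the patch to be tested pasted below it; the patch subject itself does not go on the command line.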