Received: by 2002:a05:6a10:9afc:0:0:0:0 with SMTP id t28csp2220712pxm; Fri, 4 Mar 2022 11:41:03 -0800 (PST) X-Google-Smtp-Source: ABdhPJyd9M9kByxmk6aOGmto45W7nlmSRfLp73QZTsas9Nkkb5Gbc+RDplcnYaIjoZ4Bt0a5IwU5 X-Received: by 2002:a62:7e06:0:b0:4e0:f0f8:9b86 with SMTP id z6-20020a627e06000000b004e0f0f89b86mr214354pfc.26.1646422863586; Fri, 04 Mar 2022 11:41:03 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1646422863; cv=none; d=google.com; s=arc-20160816; b=e0dVBB36qiw2hc7HufON+AwqTjJA0PvsJ3KtADjksHGiYQ31GiW3/AIsvkIAS8dzZw Yt2WW0dNO73qW2kEVSexOpxIvtxi8UgBXHlQy4EBpfxP7inp/kiG8lIWiqKDQ3S1QAJQ zfFZw5WO7hl5QXUOapFodvGrrBnVskCYerms/yHKQZTOBaZw+07tJWVlhzEWiUWodzjL 29VybQ4rW5lLgC2afpjZE2U75o36a/d3ZPG7Pp5pktrrd75q+NYFrIeS+X/3y/EjHCsP JJnP7+JF9qG8R09x/azCz5+DhbyvrYinZigAAYkCOEw6oZbY4aPkr4jskIiePU6sy6rq a0xA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:mail-followup-to:reply-to:message-id :subject:cc:to:from:date:dkim-signature:dkim-signature; bh=5ojJkgZ/ddB58OQgN/NYh5ruO/krR/mrHhfqpKf+jmU=; b=EAy+n5+hFYaOAXiU4YPb/vJU9ZrZpxbSqqUIWdKK2UG35MwZoVuU4BoTzGBz+PfT3Y hZU5394DU1+skQAdjvEMiwMz55Wf0RdW4Q6UVEArFwxSo0eyVEYKHCGEvXtk9JFPlW/4 srNaJU+X2TQ/vHUl0MPVFc9pjPqzv7CWmdcOEe1TA7m0llVmnMwIt74HI6h2Qjfy8w76 LU64RdJxzoS0eH3gPDAl59v6QSGNrcInHWXzIyDXR0rT+bRckbOJyiWbgNVCB5zgZSsM 1ICMPuQQ3Ce0fCU7l5TPilVHQZCSZlWaloP5prCjcrYW+7mePSH6A6LEi7+64xtj1CPI gHig== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@suse.cz header.s=susede2_rsa header.b=EET0Oi3m; dkim=neutral (no key) header.i=@suse.cz; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [23.128.96.19]) by mx.google.com with ESMTPS id a12-20020a65604c000000b00376ae198334si5674109pgp.638.2022.03.04.11.41.00 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 04 Mar 2022 11:41:03 -0800 (PST) Received-SPF: softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) client-ip=23.128.96.19; Authentication-Results: mx.google.com; dkim=pass header.i=@suse.cz header.s=susede2_rsa header.b=EET0Oi3m; dkim=neutral (no key) header.i=@suse.cz; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id C818A22D66D; Fri, 4 Mar 2022 11:16:37 -0800 (PST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239152AbiCDOMf (ORCPT + 99 others); Fri, 4 Mar 2022 09:12:35 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37052 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231820AbiCDOMd (ORCPT ); Fri, 4 Mar 2022 09:12:33 -0500 Received: from smtp-out1.suse.de (smtp-out1.suse.de [195.135.220.28]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 59D6D1BA917; Fri, 4 Mar 2022 06:11:46 -0800 (PST) Received: from relay2.suse.de (relay2.suse.de [149.44.160.134]) by smtp-out1.suse.de (Postfix) with ESMTP id 171F521118; Fri, 4 Mar 2022 14:11:45 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.cz; s=susede2_rsa; t=1646403105; h=from:from:reply-to:reply-to:date:date:message-id:message-id:to:to: cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=5ojJkgZ/ddB58OQgN/NYh5ruO/krR/mrHhfqpKf+jmU=; b=EET0Oi3mZDuTG3j+s40BhVBQZ+bEF+SIeHgIW2YrY0bmvNDijaTpgCHAnFa0SUQ1dTc0YX jT3HpEOMKOugKDsL4mpsgcIjOkQyoz1yzX7hYMws5iAvsyiDYfoZh/Ct1Co+Xa1/WGYEfi 8uJCnB5kNIT9V0rpAgl+IIn3gDMKYgg= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.cz; s=susede2_ed25519; t=1646403105; h=from:from:reply-to:reply-to:date:date:message-id:message-id:to:to: cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=5ojJkgZ/ddB58OQgN/NYh5ruO/krR/mrHhfqpKf+jmU=; b=N19f4fz5Uaxf41D2zPH8itQq+SRuUA1DAa/1Eo1lwFlkd1uy3Y3Xev7GuMDwv9M0lnxVkw jXRAyXkMsRE3tLDA== Received: from ds.suse.cz (ds.suse.cz [10.100.12.205]) by relay2.suse.de (Postfix) with ESMTP id 10117A3B81; Fri, 4 Mar 2022 14:11:45 +0000 (UTC) Received: by ds.suse.cz (Postfix, from userid 10065) id 20D08DA80E; Fri, 4 Mar 2022 15:07:51 +0100 (CET) Date: Fri, 4 Mar 2022 15:07:51 +0100 From: David Sterba To: Dongliang Mu Cc: Chris Mason , Josef Bacik , David Sterba , Dongliang Mu , syzbot+82650a4e0ed38f218363@syzkaller.appspotmail.com, linux-btrfs@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH] btrfs: don't access possibly stale fs_info data in device_list_add Message-ID: <20220304140751.GZ12643@twin.jikos.cz> Reply-To: dsterba@suse.cz Mail-Followup-To: dsterba@suse.cz, Dongliang Mu , Chris Mason , Josef Bacik , David Sterba , Dongliang Mu , syzbot+82650a4e0ed38f218363@syzkaller.appspotmail.com, linux-btrfs@vger.kernel.org, linux-kernel@vger.kernel.org References: <20220303144027.1981835-1-dzm91@hust.edu.cn> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20220303144027.1981835-1-dzm91@hust.edu.cn> User-Agent: Mutt/1.5.23.1-rc1 (2014-03-12) X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Mar 03, 2022 at 10:40:27PM +0800, Dongliang Mu wrote: > From: Dongliang Mu > > Syzbot reported a possible use-after-free in printing information > in device_list_add. > > Very similar with the bug fixed by commit 0697d9a61099 ("btrfs: don't > access possibly stale fs_info data for printing duplicate device"), > but this time the use occurs in btrfs_info_in_rcu. > > ============================================================ > Call Trace: > kasan_report.cold+0x83/0xdf mm/kasan/report.c:459 > btrfs_printk+0x395/0x425 fs/btrfs/super.c:244 > device_list_add.cold+0xd7/0x2ed fs/btrfs/volumes.c:957 > btrfs_scan_one_device+0x4c7/0x5c0 fs/btrfs/volumes.c:1387 > btrfs_control_ioctl+0x12a/0x2d0 fs/btrfs/super.c:2409 > vfs_ioctl fs/ioctl.c:51 [inline] > __do_sys_ioctl fs/ioctl.c:874 [inline] > __se_sys_ioctl fs/ioctl.c:860 [inline] > __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860 > do_syscall_x64 arch/x86/entry/common.c:50 [inline] > do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 > entry_SYSCALL_64_after_hwframe+0x44/0xae > ============================================================ > > Fix this by modifying device->fs_info to NULL too. > > Reported-and-tested-by: syzbot+82650a4e0ed38f218363@syzkaller.appspotmail.com > Signed-off-by: Dongliang Mu Added to misc-next, thanks.