From: Edward Adam Davis
To: syzbot+3a36aeabd31497d63f6e@syzkaller.appspotmail.com
Cc: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [gfs2?] KASAN: slab-use-after-free Read in gfs2_invalidate_folio
Date: Sat, 13 Apr 2024 13:41:55 +0800
X-OQ-MSGID: <20240413054154.1998625-2-eadavis@qq.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <0000000000004f557c0615d47e6d@google.com>
References: <0000000000004f557c0615d47e6d@google.com>

Please test UAF in gfs2_invalidate_folio

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git e8c39d0f57f3

diff --git a/fs/gfs2/log.c b/fs/gfs2/log.c index 8cddf955ebc0..5585f92e4319 100644 --- a/fs/gfs2/log.c +++ b/fs/gfs2/log.c
@@ -1007,6 +1007,7 @@ static void trans_drain(struct gfs2_trans *tr) { struct gfs2_bufdata *bd; struct list_head *head; + struct buffer_head *bh; if (!tr) return; @@ -1022,6 +1023,8 @@ static void trans_drain(struct gfs2_trans *tr) head = &tr->tr_databuf; while (!list_empty(head)) { bd = list_first_entry(head, struct gfs2_bufdata, bd_list); + bh = container_of(bd, struct buffer_head, b_private); + bh->b_private = NULL; list_del_init(&bd->bd_list); if (!list_empty(&bd->bd_ail_st_list)) gfs2_remove_from_ail(bd);
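Review bot: The `bh = container_of(bd, struct buffer_head, b_private);` added in the tr_databuf loop of the second hunk computes a bogus pointer, so the following `bh->b_private = NULL;` writes NULL into unrelated memory instead of detaching the buffer head. container_of() is only valid when `bd` is the address of a `b_private` member embedded inside a `struct buffer_head`; in struct buffer_head, `b_private` is a `void *` that merely points at the separately allocated gfs2_bufdata, so the expression evaluates to `(char *)bd - offsetof(struct buffer_head, b_private)`, an address inside whatever happens to sit before the bufdata. Use the back-pointer the bufdata already carries, `bh = bd->bd_bh;`, and clear `bh->b_private` from that. Two further points for the same hunk: the tr_buf list drained just above this loop in trans_drain() gets no corresponding change, so if a stale `b_private` back-reference is what gfs2_invalidate_folio() later dereferences, that loop needs the same treatment; and the change description says nothing about how the bufdata is freed after it is unlinked here, which is the ordering a reviewer needs to judge whether clearing the pointer in trans_drain() actually closes the use-after-free.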