From: Edward Adam Davis
To: syzbot+3a36aeabd31497d63f6e@syzkaller.appspotmail.com
Cc: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [gfs2?] KASAN: slab-use-after-free Read in gfs2_invalidate_folio
Date: Sun, 14 Apr 2024 16:56:54 +0800
X-OQ-MSGID: <20240414085653.3441364-2-eadavis@qq.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <0000000000004f557c0615d47e6d@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

please test uaf in gfs2_invalidate_folio

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git e8c39d0f57f3

diff --git a/fs/gfs2/aops.c b/fs/gfs2/aops.c index 974aca9c8ea8..4ae5e73b6992 100644 --- a/fs/gfs2/aops.c +++ b/fs/gfs2/aops.c
@@ -613,6 +613,7 @@ static void gfs2_discard(struct gfs2_sbd *sdp, struct buffer_head *bh) gfs2_log_lock(sdp); clear_buffer_dirty(bh); bd = bh->b_private; + printk("bh: %p, bd: %p, %s\n", bh, bd, __func__); if (bd) { if (!list_empty(&bd->bd_list) && !buffer_pinned(bh)) list_del_init(&bd->bd_list); diff --git a/fs/gfs2/bmap.c b/fs/gfs2/bmap.c index aa1626955b2c..d9092692c2fe 100644 --- a/fs/gfs2/bmap.c +++ b/fs/gfs2/bmap.c @@ -78,7 +78,9 @@ static int gfs2_unstuffer_folio(struct gfs2_inode *ip, struct buffer_head *dibh, map_bh(bh, inode->i_sb, block); set_buffer_uptodate(bh); + printk("1.inode: %p, bh: %p, bd: %p, %s\n", ip, bh, bh->b_private, __func__); gfs2_trans_add_data(ip->i_gl, bh); + printk("2.inode: %p, bh: %p, bd: %p, %s\n", ip, bh, bh->b_private, __func__); } else { folio_mark_dirty(folio); gfs2_ordered_add_inode(ip); @@ -105,6 +107,7 @@ static int __gfs2_unstuff_inode(struct gfs2_inode *ip, struct folio *folio) unsigned int n = 1; error = gfs2_alloc_blocks(ip, &block, &n, 0); + printk("1,inode: %p, n: %d, err: %d, %s\n", ip, n, error, __func__); if (error) goto out_brelse; if (isdir) { @@ -117,6 +120,7 @@ static int __gfs2_unstuff_inode(struct gfs2_inode *ip, struct folio *folio) brelse(bh); } else { error = gfs2_unstuffer_folio(ip, dibh, block, folio); + printk("2,inode: %p, n: %d, err: %d, %s\n", ip, n, error, __func__); if (error) goto out_brelse; } diff --git a/fs/gfs2/log.c b/fs/gfs2/log.c index 8cddf955ebc0..6a65e7f5991a 100644 --- a/fs/gfs2/log.c +++ b/fs/gfs2/log.c @@ -1007,6 +1007,7 @@ static void trans_drain(struct gfs2_trans *tr) { struct gfs2_bufdata *bd; struct list_head *head; + struct buffer_head *bh; if (!tr) return; 
@@ -1022,6 +1023,8 @@ static void trans_drain(struct gfs2_trans *tr) head = &tr->tr_databuf; while (!list_empty(head)) { bd = list_first_entry(head, struct gfs2_bufdata, bd_list); + bh = container_of((void *)bd, struct buffer_head, b_private); + printk("bh: %p, bd: %p, %s\n", bh, bd, __func__); list_del_init(&bd->bd_list); if (!list_empty(&bd->bd_ail_st_list)) gfs2_remove_from_ail(bd); diff --git a/fs/gfs2/quota.c b/fs/gfs2/quota.c index aa9cf0102848..3f18b066cc0d 100644 --- a/fs/gfs2/quota.c +++ b/fs/gfs2/quota.c @@ -1007,6 +1007,7 @@ static int do_sync(unsigned int num_qd, struct gfs2_quota_data **qda) gfs2_glock_dq_uninit(&ghs[qx]); inode_unlock(&ip->i_inode); kfree(ghs); + printk("err: %d, %s\n", error, __func__); gfs2_log_flush(ip->i_gl->gl_name.ln_sbd, ip->i_gl, GFS2_LOG_HEAD_FLUSH_NORMAL | GFS2_LFC_DO_SYNC); if (!error) { diff --git a/fs/gfs2/rgrp.c b/fs/gfs2/rgrp.c index 26d6c1eea559..2b291270817c 100644 --- a/fs/gfs2/rgrp.c +++ b/fs/gfs2/rgrp.c @@ -2236,7 +2236,9 @@ static void gfs2_alloc_extent(const struct gfs2_rbm *rbm, bool dinode, *n = 1; block = gfs2_rbm_to_block(rbm); + printk("1. bh: %p, bd: %p, %s\n", rbm_bi(rbm)->bi_bh, rbm_bi(rbm)->bi_bh->b_private, __func__); gfs2_trans_add_meta(rbm->rgd->rd_gl, rbm_bi(rbm)->bi_bh); + printk("2. bh: %p, bd: %p, %s\n", rbm_bi(rbm)->bi_bh, rbm_bi(rbm)->bi_bh->b_private, __func__); gfs2_setbit(rbm, true, dinode ? GFS2_BLKST_DINODE : GFS2_BLKST_USED); block++; while (*n < elen) { diff --git a/fs/gfs2/trans.c b/fs/gfs2/trans.c index 192213c7359a..d2353d052d34 100644 --- a/fs/gfs2/trans.c +++ b/fs/gfs2/trans.c 
@@ -205,10 +205,14 @@ void gfs2_trans_add_data(struct gfs2_glock *gl, struct buffer_head *bh) if (bd == NULL) { gfs2_log_unlock(sdp); unlock_buffer(bh); - if (bh->b_private == NULL) + if (bh->b_private == NULL) { bd = gfs2_alloc_bufdata(gl, bh); - else + printk("1bh: %p, bd: %p, %s\n", bh, bd, __func__); + } + else { bd = bh->b_private; + printk("2bh: %p, bd: %p, %s\n", bh, bd, __func__); + } lock_buffer(bh); gfs2_log_lock(sdp); } @@ -247,10 +251,14 @@ void gfs2_trans_add_meta(struct gfs2_glock *gl, struct buffer_head *bh) gfs2_log_unlock(sdp); unlock_buffer(bh); lock_page(bh->b_page); - if (bh->b_private == NULL) + if (bh->b_private == NULL) { bd = gfs2_alloc_bufdata(gl, bh); - else + printk("1bh: %p, bd: %p, %s\n", bh, bd, __func__); + } + else { bd = bh->b_private; + printk("2bh: %p, bd: %p, %s\n", bh, bd, __func__); + } unlock_page(bh->b_page); lock_buffer(bh); gfs2_log_lock(sdp);
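Review bot: the `%p` in the gfs2_discard printk (and in every other printk this patch adds) prints a hashed pointer, so the logged bh/bd values will not line up with the raw addresses in the KASAN slab-use-after-free report; for a throwaway syzbot test patch use `%px` so the buffer head and bufdata pointers can be matched against the report's access and allocation/free addresses.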
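Review bot: in the __gfs2_unstuff_inode hunks `n` is declared `unsigned int n = 1;` in the context lines, so the `%d` in `printk("1,inode: %p, n: %d, err: %d, %s\n", ip, n, error, __func__);` and in the second printk after gfs2_unstuffer_folio is a signedness mismatch; `%u` is the matching specifier for `n` (`%d` is right for `error`).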
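Review bot: the back-pointer computation in the trans_drain hunk is wrong: `bh = container_of((void *)bd, struct buffer_head, b_private);` assumes the gfs2_bufdata is embedded in struct buffer_head at the b_private member, but b_private only stores a pointer to the separately allocated bufdata (see `bd = bh->b_private;` in the trans.c hunks and `bd = list_first_entry(head, struct gfs2_bufdata, bd_list);` just above the added line). The result is `bd` minus offsetof(struct buffer_head, b_private), which is not a buffer head at all, so the printed bh can never match the values logged from gfs2_discard or gfs2_trans_add_data; it does not fault only because the value is merely printed. The bufdata keeps its own back-pointer to the buffer head (bd->bd_bh in struct gfs2_bufdata); print that instead, and the `struct buffer_head *bh;` local added in the preceding hunk can go.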
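Review bot: the brace reshuffle in both the gfs2_trans_add_data and gfs2_trans_add_meta hunks puts `}` and `else {` on separate lines; kernel style (and checkpatch) wants `} else {` on one line. Since both branches fall through to the same lock_buffer(bh) call, a single printk after the if/else that tags which branch was taken would record the same information with far less churn in the diff.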