From: Dmitry Vyukov
Date: Thu, 20 Jul 2023 17:17:46 +0200
Subject: Re: [syzbot] KASAN: slab-out-of-bounds Read in ext4_enable_quotas
To: "Theodore Ts'o"
Cc: Waiman Long, syzbot, adilger.kernel@dilger.ca, linux-ext4@vger.kernel.org, linux-kernel@vger.kernel.org, llvm@lists.linux.dev, nathan@kernel.org, ndesaulniers@google.com, syzkaller-bugs@googlegroups.com, trix@redhat.com, Jaegeuk Kim, Chao Yu, Peter Zijlstra, Ingo Molnar, Boqun Feng
References: <0000000000006a74dd05e9931449@google.com> <000000000000073a4a05ed620676@google.com> <8c3757ae-1aeb-49a4-47af-598d1d4737ea@redhat.com>
Content-Type: text/plain; charset="UTF-8"
X-Mailing-List: linux-ext4@vger.kernel.org

On Mon, 14 Nov 2022 at 18:53, Theodore Ts'o wrote:
>
> On Mon, Nov 14, 2022 at 11:21:33AM -0500, Waiman Long wrote:
> >
> > lockdep_set_subclass() should be translated into a call to
> > lockdep_init_map_type():
> >
> > #define lockdep_set_subclass(lock, sub) \
> >         lockdep_init_map_type(&(lock)->dep_map, #lock, (lock)->dep_map.key, sub,\
> >                               (lock)->dep_map.wait_type_inner, \
> >                               (lock)->dep_map.wait_type_outer, \
> >                               (lock)->dep_map.lock_type)
> >
> > All memory access should be within the bound of the given "&ei->i_data_sem".
> > Also lockdep_init_map_type() is not in the stack trace. So it is not a
> > problem within this lockdep_init_map_type() function. So is it possible that
> > the given inode pointer is invalid?
>
> Well, the inode pointer would be coming from iget(). And since this
> is coming from ext4 mount operation, we would be getting a fresh inode
> that should be freshly allocated. So the possibility which comes to
> mind is some kind of use-after-free (probably in f2fs) that was
> smashing the inode itself, such that ei->i_data_sem was pointing off
> into la-la-land, or in the inode cache's internal data structures.
>
> The reason why I would assume it would be in f2fs is I *assume*
> syzkaller would have pruned down the test case enough to remove the
> messing around with mounting the invalid f2fs file system. But the
> other mystery here is why didn't KASAN report the use-after-free (if
> that is what it was) in the thousands of f2fs mount and
> unmount operations before it finally triggered?
>
> Anyway, I plan to ignore this Syzkaller report unless Syzkaller (or
> someone else) can come up with a more minimal/reliable reproducer. (I
> mean, we could open a bug, but with this kind of reproducer, it would get
> prioritized P3 or P4 and ignored for years until it finally got closed
> in a buganizer bankruptcy, so I figured I would just skip a few steps. :-)

Let's set the subsystem then, so it's in the f2fs bucket rather than in ext4:

#syz set subsystems: f2fs