linux-fsdevel.vger.kernel.org archive mirror
* Re: [syzbot] [gfs2?] KASAN: use-after-free Read in qd_unlock (2)
       [not found] <0000000000002b5e2405f14e860f@google.com>
@ 2023-07-26 15:03 ` syzbot
  2023-07-26 15:09   ` Aleksandr Nogikh
  2023-07-26 16:14   ` Bob Peterson
  0 siblings, 2 replies; 5+ messages in thread
From: syzbot @ 2023-07-26 15:03 UTC (permalink / raw)
  To: agruenba, andersson, cluster-devel, dmitry.baryshkov, eadavis,
	konrad.dybcio, linux-fsdevel, linux-kernel, rpeterso,
	syzkaller-bugs

syzbot suspects this issue was fixed by commit:

commit 41a37d157a613444c97e8f71a5fb2a21116b70d7
Author: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Date:   Mon Dec 26 04:21:51 2022 +0000

    arm64: dts: qcom: qcs404: use symbol names for PCIe resets

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=17b48111a80000
start commit:   [unknown] 
git tree:       upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=fe56f7d193926860
dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1209f878c80000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=111a48ab480000

If the result looks correct, please mark the issue as fixed by replying with:

#syz fix: arm64: dts: qcom: qcs404: use symbol names for PCIe resets

For information about bisection process see: https://goo.gl/tpsmEJ#bisection


* Re: [syzbot] [gfs2?] KASAN: use-after-free Read in qd_unlock (2)
From: Aleksandr Nogikh @ 2023-07-26 15:09 UTC (permalink / raw)
  To: syzbot
  Cc: agruenba, andersson, cluster-devel, dmitry.baryshkov, eadavis,
	konrad.dybcio, linux-fsdevel, linux-kernel, rpeterso,
	syzkaller-bugs

On Wed, Jul 26, 2023 at 5:03 PM syzbot
<syzbot+3f6a670108ce43356017@syzkaller.appspotmail.com> wrote:
>
> syzbot suspects this issue was fixed by commit:
>
> commit 41a37d157a613444c97e8f71a5fb2a21116b70d7
> Author: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
> Date:   Mon Dec 26 04:21:51 2022 +0000
>
>     arm64: dts: qcom: qcs404: use symbol names for PCIe resets
>
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=17b48111a80000
> start commit:   [unknown]
> git tree:       upstream
> kernel config:  https://syzkaller.appspot.com/x/.config?x=fe56f7d193926860
> dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1209f878c80000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=111a48ab480000
>
> If the result looks correct, please mark the issue as fixed by replying with:

No, it's quite unlikely.

>
> #syz fix: arm64: dts: qcom: qcs404: use symbol names for PCIe resets
>
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection
>


* Re: [syzbot] [gfs2?] KASAN: use-after-free Read in qd_unlock (2)
From: Dmitry Baryshkov @ 2023-07-26 15:45 UTC (permalink / raw)
  To: Aleksandr Nogikh
  Cc: syzbot, agruenba, andersson, cluster-devel, eadavis,
	konrad.dybcio, linux-fsdevel, linux-kernel, rpeterso,
	syzkaller-bugs

On Wed, 26 Jul 2023 at 18:09, Aleksandr Nogikh <nogikh@google.com> wrote:
>
> On Wed, Jul 26, 2023 at 5:03 PM syzbot
> <syzbot+3f6a670108ce43356017@syzkaller.appspotmail.com> wrote:
> >
> > syzbot suspects this issue was fixed by commit:
> >
> > commit 41a37d157a613444c97e8f71a5fb2a21116b70d7
> > Author: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
> > Date:   Mon Dec 26 04:21:51 2022 +0000
> >
> >     arm64: dts: qcom: qcs404: use symbol names for PCIe resets
> >
> > bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=17b48111a80000
> > start commit:   [unknown]
> > git tree:       upstream
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=fe56f7d193926860
> > dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1209f878c80000
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=111a48ab480000
> >
> > If the result looks correct, please mark the issue as fixed by replying with:
>
> No, it's quite unlikely.

I highly suspect that the bisect was wrong here. The only thing that
was changed by the mentioned commit is the device tree for the pretty
obscure platform, which is not 'Google Compute Engine'.

>
> >
> > #syz fix: arm64: dts: qcom: qcs404: use symbol names for PCIe resets
> >
> > For information about bisection process see: https://goo.gl/tpsmEJ#bisection

-- 
With best wishes
Dmitry


* Re: [syzbot] [gfs2?] KASAN: use-after-free Read in qd_unlock (2)
From: Bob Peterson @ 2023-07-26 16:14 UTC (permalink / raw)
  To: syzbot, agruenba, andersson, cluster-devel, dmitry.baryshkov,
	eadavis, konrad.dybcio, linux-fsdevel, linux-kernel,
	syzkaller-bugs

On 7/26/23 10:03 AM, syzbot wrote:
> syzbot suspects this issue was fixed by commit:
> 
> commit 41a37d157a613444c97e8f71a5fb2a21116b70d7
> Author: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
> Date:   Mon Dec 26 04:21:51 2022 +0000
> 
>      arm64: dts: qcom: qcs404: use symbol names for PCIe resets
> 
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=17b48111a80000
> start commit:   [unknown]
> git tree:       upstream
> kernel config:  https://syzkaller.appspot.com/x/.config?x=fe56f7d193926860
> dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1209f878c80000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=111a48ab480000
> 
> If the result looks correct, please mark the issue as fixed by replying with:
> 
> #syz fix: arm64: dts: qcom: qcs404: use symbol names for PCIe resets
> 
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection
> 
The bisect is very likely to be wrong.

I have a lot of patches to gfs2's quota code in linux-gfs2/bobquota that 
I hope to get into the next merge window, but the critical patch has 
already been merged. I'm still working on others.

Regards,

Bob Peterson
gfs2 file system



* Re: [syzbot] [gfs2?] KASAN: use-after-free Read in qd_unlock (2)
From: Theodore Ts'o @ 2023-07-27  1:09 UTC (permalink / raw)
  To: Dmitry Baryshkov
  Cc: Aleksandr Nogikh, syzbot, agruenba, andersson, cluster-devel,
	eadavis, konrad.dybcio, linux-fsdevel, linux-kernel, rpeterso,
	syzkaller-bugs

On Wed, Jul 26, 2023 at 06:45:55PM +0300, Dmitry Baryshkov wrote:
> > > bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=17b48111a80000
  ...
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=3f6a670108ce43356017

> I highly suspect that the bisect was wrong here. The only thing that
> was changed by the mentioned commit is the device tree for the pretty
> obscure platform, which is not 'Google Compute Engine'.

Yeah, it's not even close.  If you take a look at the bisection log
(which is *always* a good idea before you put any faith in the syzbot
bisection), you'd see the following:

testing commit e1c04510f521e853019afeca2a5991a5ef8d6a5b gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f262f513a4ba5708b69a5fdd8c218746223996a8b2134a22f2916d16f23d01e8
run #0: crashed: unregister_netdevice: waiting for DEV to become free
run #1: crashed: unregister_netdevice: waiting for DEV to become free
run #2: crashed: unregister_netdevice: waiting for DEV to become free
run #3: crashed: unregister_netdevice: waiting for DEV to become free
run #4: crashed: unregister_netdevice: waiting for DEV to become free
run #5: crashed: unregister_netdevice: waiting for DEV to become free
run #6: crashed: unregister_netdevice: waiting for DEV to become free
run #7: crashed: unregister_netdevice: waiting for DEV to become free
run #8: crashed: unregister_netdevice: waiting for DEV to become free

This is *nothing* like the problem reported on the dashboard, which is:

BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:72 [inline]
BUG: KASAN: use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: use-after-free in qd_unlock+0x30/0x2d0 fs/gfs2/quota.c:490
Read of size 8 at addr ffff888073997090 by task syz-executor221/5069

where the dereference had a stack trace which looked like this:

 _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
 qd_unlock+0x30/0x2d0 fs/gfs2/quota.c:490
 gfs2_quota_sync+0x768/0x8b0 fs/gfs2/quota.c:1325
 gfs2_sync_fs+0x49/0xb0 fs/gfs2/super.c:650
 sync_filesystem+0xe8/0x220 fs/sync.c:56
 generic_shutdown_super+0x6b/0x310 fs/super.c:474
 kill_block_super+0x79/0xd0 fs/super.c:1386
 deactivate_locked_super+0xa7/0xf0 fs/super.c:332
 cleanup_mnt+0x494/0x520 fs/namespace.c:1291
 task_work_run+0x243/0x300 kernel/task_work.c:179
 exit_task_work include/linux/task_work.h:38 [inline]
 do_exit+0x644/0x2150 kernel/exit.c:867

and the memory was allocated via this stack trace:

 kmem_cache_alloc+0x1b3/0x350 mm/slub.c:3476
 kmem_cache_zalloc include/linux/slab.h:710 [inline]
 qd_alloc+0x51/0x250 fs/gfs2/quota.c:216
 gfs2_quota_init+0x7c4/0x10e0 fs/gfs2/quota.c:1415
 gfs2_make_fs_rw+0x48e/0x590 fs/gfs2/super.c:153
 gfs2_fill_super+0x2357/0x2700 fs/gfs2/ops_fstype.c:1274
 get_tree_bdev+0x400/0x620 fs/super.c:1282
 gfs2_get_tree+0x50/0x210 fs/gfs2/ops_fstype.c:1330
 vfs_get_tree+0x88/0x270 fs/super.c:1489
 do_new_mount+0x289/0xad0 fs/namespace.c:3145
 do_mount fs/namespace.c:3488 [inline]
 __do_sys_mount fs/namespace.c:3697 [inline]
 __se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3674
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80

(And the memory was freed from an RCU path)

					- Ted

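Ted's check above (does the crash syzbot hit while bisecting match the crash on the dashboard?) can be applied mechanically to the log format he quotes. The following is an added example written for this page, not syzkaller's own tooling; the log excerpt is constructed from the lines quoted in the thread (with an invented third "OK" run), and the verdict labels are this example's own.

```python
import re
from collections import Counter

# Constructed excerpt in the shape of the bisection log quoted above; run #2 is invented.
BISECT_LOG = """\
testing commit e1c04510f521e853019afeca2a5991a5ef8d6a5b gcc
run #0: crashed: unregister_netdevice: waiting for DEV to become free
run #1: crashed: unregister_netdevice: waiting for DEV to become free
run #2: OK
"""
REPORTED_TITLE = "KASAN: use-after-free Read in qd_unlock (2)"

COMMIT_RE = re.compile(r"^testing commit ([0-9a-f]{40})\b")
RUN_RE = re.compile(r"^run #\d+: (?:crashed: (.*)|OK)$")

def normalize(title):
    """Drop the ' (N)' dedup suffix syzbot appends to repeated bug titles."""
    return re.sub(r"\s*\(\d+\)$", "", title.strip())

def parse_bisect_log(text):
    """Map each tested commit to its per-run crash titles (None = run OK)."""
    results, commit = {}, None
    for line in text.splitlines():
        m = COMMIT_RE.match(line)
        if m:
            commit = m.group(1)
            results.setdefault(commit, [])
            continue
        m = RUN_RE.match(line)
        if m and commit is not None:
            results[commit].append(m.group(1))
    return results

def assess(log_text, reported_title):
    """Return (verdict, Counter of crash titles seen during bisection)."""
    reported = normalize(reported_title)
    seen = Counter(normalize(t) for runs in parse_bisect_log(log_text).values()
                   for t in runs if t is not None)
    if not seen:
        return "no-crash", seen
    if seen[reported] == 0:
        return "unreliable", seen        # bisected a different bug entirely
    if seen[reported] < sum(seen.values()):
        return "mixed", seen             # reported bug plus unrelated noise
    return "consistent", seen

if __name__ == "__main__":
    verdict, seen = assess(BISECT_LOG, REPORTED_TITLE)
    print(verdict, dict(seen))
```

For the thread's log the verdict is "unreliable", which is exactly Ted's point: every run crashed on an unrelated netdevice bug, so the bisection never tracked the qd_unlock use-after-free.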
