From: Leon Romanovsky <leon@kernel.org>
To: pr-tracker-bot@kernel.org, Christian Brauner <brauner@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
	linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [GIT PULL] vfs mount
Date: Tue, 1 Apr 2025 20:07:15 +0300
Message-ID: <20250401170715.GA112019@unreal>
In-Reply-To: <174285005920.4171303.15547772549481189907.pr-tracker-bot@kernel.org>

On Mon, Mar 24, 2025 at 09:00:59PM +0000, pr-tracker-bot@kernel.org wrote:
> The pull request you sent on Sat, 22 Mar 2025 11:13:18 +0100:
> 
> > git@gitolite.kernel.org:pub/scm/linux/kernel/git/vfs/vfs tags/vfs-6.15-rc1.mount
> 
> has been merged into torvalds/linux.git:
> https://git.kernel.org/torvalds/c/fd101da676362aaa051b4f5d8a941bd308603041

I didn't bisect, but this PR looks like the most relevant candidate.
Linus's latest master generates the following slab-use-after-free:

 [ 1845.404658] ==================================================================
 [ 1845.405460] BUG: KASAN: slab-use-after-free in clone_private_mount+0x309/0x390
 [ 1845.406205] Read of size 8 at addr ffff8881507b5ab0 by task dockerd/8697
 [ 1845.406847]
 [ 1845.407081] CPU: 5 UID: 0 PID: 8697 Comm: dockerd Not tainted 6.14.0master_fbece6d #1 NONE
 [ 1845.407086] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
 [ 1845.407097] Call Trace:
 [ 1845.407102]  <TASK>
 [ 1845.407104]  dump_stack_lvl+0x69/0xa0
 [ 1845.407114]  print_report+0x156/0x523
 [ 1845.407120]  ? __virt_addr_valid+0x1de/0x3c0
 [ 1845.407124]  ? clone_private_mount+0x309/0x390
 [ 1845.407128]  kasan_report+0xc1/0xf0
 [ 1845.407134]  ? clone_private_mount+0x309/0x390
 [ 1845.407138]  clone_private_mount+0x309/0x390
 [ 1845.407144]  ovl_fill_super+0x2965/0x59e0 [overlay]
 [ 1845.407165]  ? ovl_workdir_create+0x900/0x900 [overlay]
 [ 1845.407177]  ? wait_for_completion_io_timeout+0x20/0x20
 [ 1845.407182]  ? lockdep_init_map_type+0x58/0x220
 [ 1845.407186]  ? lockdep_init_map_type+0x58/0x220
 [ 1845.407189]  ? shrinker_register+0x177/0x200
 [ 1845.407194]  ? sget_fc+0x449/0xb30
 [ 1845.407199]  ? ovl_workdir_create+0x900/0x900 [overlay]
 [ 1845.407211]  ? get_tree_nodev+0xa5/0x130
 [ 1845.407214]  get_tree_nodev+0xa5/0x130
 [ 1845.407218]  ? cap_capable+0xd0/0x320
 [ 1845.407223]  vfs_get_tree+0x83/0x2e0
 [ 1845.407227]  ? ns_capable+0x55/0xb0
 [ 1845.407232]  path_mount+0x891/0x1aa0
 [ 1845.407237]  ? finish_automount+0x860/0x860
 [ 1845.407240]  ? kmem_cache_free+0x14c/0x4f0
 [ 1845.407245]  ? user_path_at+0x3d/0x50
 [ 1845.407250]  __x64_sys_mount+0x2d4/0x3a0
 [ 1845.407254]  ? path_mount+0x1aa0/0x1aa0
 [ 1845.407259]  do_syscall_64+0x6d/0x140
 [ 1845.407263]  entry_SYSCALL_64_after_hwframe+0x4b/0x53
 [ 1845.407267] RIP: 0033:0x55e3487f1fea
 [ 1845.407274] Code: e8 1b 96 fa ff 48 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 4c 8b 54 24 28 4c 8b 44 24 30 4c 8b 4c 24 38 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 40 ff ff ff ff 48 c7 44 24 48
 [ 1845.407278] RSP: 002b:000000c000b563b8 EFLAGS: 00000212 ORIG_RAX: 00000000000000a5
 [ 1845.407282] RAX: ffffffffffffffda RBX: 000000c00006c000 RCX: 000055e3487f1fea
 [ 1845.407285] RDX: 000000c0012cf7d8 RSI: 000000c0012616c0 RDI: 000000c0012cf7d0
 [ 1845.407287] RBP: 000000c000b56458 R08: 000000c0004fa600 R09: 0000000000000000
 [ 1845.407289] R10: 0000000000000000 R11: 0000000000000212 R12: 000000c0012cf7d0
 [ 1845.407291] R13: 0000000000000000 R14: 000000c00098b6c0 R15: ffffffffffffffff
 [ 1845.407296]  </TASK>
 [ 1845.407297]
 [ 1845.431635] Allocated by task 17044:
 [ 1845.432033]  kasan_save_stack+0x1e/0x40
 [ 1845.432463]  kasan_save_track+0x10/0x30
 [ 1845.432882]  __kasan_slab_alloc+0x62/0x70
 [ 1845.433308]  kmem_cache_alloc_noprof+0x1a0/0x4a0
 [ 1845.433781]  alloc_vfsmnt+0x23/0x6c0
 [ 1845.434195]  vfs_create_mount+0x82/0x4a0
 [ 1845.434623]  path_mount+0x939/0x1aa0
 [ 1845.435018]  __x64_sys_mount+0x2d4/0x3a0
 [ 1845.435440]  do_syscall_64+0x6d/0x140
 [ 1845.435842]  entry_SYSCALL_64_after_hwframe+0x4b/0x53
 [ 1845.436355]
 [ 1845.436601] Freed by task 0:
 [ 1845.436945]  kasan_save_stack+0x1e/0x40
 [ 1845.437354]  kasan_save_track+0x10/0x30
 [ 1845.437770]  kasan_save_free_info+0x37/0x60
 [ 1845.438217]  __kasan_slab_free+0x33/0x40
 [ 1845.438646]  kmem_cache_free+0x14c/0x4f0
 [ 1845.439068]  rcu_core+0x605/0x1d50
 [ 1845.439451]  handle_softirqs+0x192/0x810
 [ 1845.439880]  irq_exit_rcu+0x106/0x190
 [ 1845.440280]  sysvec_apic_timer_interrupt+0x7c/0xb0
 [ 1845.440785]  asm_sysvec_apic_timer_interrupt+0x16/0x20
 [ 1845.441300]
 [ 1845.441544] Last potentially related work creation:
 [ 1845.442048]  kasan_save_stack+0x1e/0x40
 [ 1845.442465]  kasan_record_aux_stack+0x97/0xa0
 [ 1845.442921]  __call_rcu_common.constprop.0+0x6d/0xb40
 [ 1845.443437]  task_work_run+0x111/0x1f0
 [ 1845.443851]  syscall_exit_to_user_mode+0x1df/0x1f0
 [ 1845.444337]  do_syscall_64+0x79/0x140
 [ 1845.444758]  entry_SYSCALL_64_after_hwframe+0x4b/0x53
 [ 1845.445272]
 [ 1845.445505] Second to last potentially related work creation:
 [ 1845.446078]  kasan_save_stack+0x1e/0x40
 [ 1845.446494]  kasan_record_aux_stack+0x97/0xa0
 [ 1845.446947]  task_work_add+0x178/0x250
 [ 1845.447356]  mntput_no_expire+0x4fc/0x9f0
 [ 1845.447789]  path_umount+0x4ed/0x10d0
 [ 1845.448190]  __x64_sys_umount+0xfb/0x120
 [ 1845.448617]  do_syscall_64+0x6d/0x140
 [ 1845.449016]  entry_SYSCALL_64_after_hwframe+0x4b/0x53
 [ 1845.449529]
 [ 1845.449766] The buggy address belongs to the object at ffff8881507b5a40
 [ 1845.449766]  which belongs to the cache mnt_cache of size 368
 [ 1845.450898] The buggy address is located 112 bytes inside of
 [ 1845.450898]  freed 368-byte region [ffff8881507b5a40, ffff8881507b5bb0)
 [ 1845.452009]
 [ 1845.452250] The buggy address belongs to the physical page:
 [ 1845.452808] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1507b4
 [ 1845.453595] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
 [ 1845.454363] anon flags: 0x200000000000040(head|node=0|zone=2)
 [ 1845.454936] page_type: f5(slab)
 [ 1845.455300] raw: 0200000000000040 ffff8881009f5680 0000000000000000 dead000000000001
 [ 1845.456077] raw: 0000000000000000 0000000080240024 00000000f5000000 0000000000000000
 [ 1845.456857] head: 0200000000000040 ffff8881009f5680 0000000000000000 dead000000000001
 [ 1845.457616] head: 0000000000000000 0000000080240024 00000000f5000000 0000000000000000
 [ 1845.458399] head: 0200000000000002 ffffea000541ed01 ffffffffffffffff 0000000000000000
 [ 1845.459169] head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000
 [ 1845.459945] page dumped because: kasan: bad access detected
 [ 1845.460506]
 [ 1845.460745] Memory state around the buggy address:
 [ 1845.461228]  ffff8881507b5980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
 [ 1845.461963]  ffff8881507b5a00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
 [ 1845.462759] >ffff8881507b5a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 [ 1845.463480]                                      ^
 [ 1845.463968]  ffff8881507b5b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 [ 1845.464704]  ffff8881507b5b80: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
 [ 1845.465430] ==================================================================
 [ 1845.466181] Disabling lock debugging due to kernel taint
 [ 1845.466717] ==================================================================
 [ 1845.467443] BUG: KASAN: slab-use-after-free in clone_private_mount+0x313/0x390
 [ 1845.468192] Read of size 8 at addr ffff8881507b5a58 by task dockerd/8697
 [ 1845.468837]
 [ 1845.469072] CPU: 5 UID: 0 PID: 8697 Comm: dockerd Tainted: G    B               6.14.0master_fbece6d #1 NONE
 [ 1845.469078] Tainted: [B]=BAD_PAGE
 [ 1845.469079] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
 [ 1845.469082] Call Trace:
 [ 1845.469084]  <TASK>
 [ 1845.469086]  dump_stack_lvl+0x69/0xa0
 [ 1845.469093]  print_report+0x156/0x523
 [ 1845.469098]  ? __virt_addr_valid+0x1de/0x3c0
 [ 1845.469103]  ? clone_private_mount+0x313/0x390
 [ 1845.469107]  kasan_report+0xc1/0xf0
 [ 1845.469112]  ? clone_private_mount+0x313/0x390
 [ 1845.469116]  clone_private_mount+0x313/0x390
 [ 1845.469121]  ovl_fill_super+0x2965/0x59e0 [overlay]
 [ 1845.469140]  ? ovl_workdir_create+0x900/0x900 [overlay]
 [ 1845.469152]  ? wait_for_completion_io_timeout+0x20/0x20
 [ 1845.469157]  ? lockdep_init_map_type+0x58/0x220
 [ 1845.469161]  ? lockdep_init_map_type+0x58/0x220
 [ 1845.469164]  ? shrinker_register+0x177/0x200
 [ 1845.469169]  ? sget_fc+0x449/0xb30
 [ 1845.469174]  ? ovl_workdir_create+0x900/0x900 [overlay]
 [ 1845.469185]  ? get_tree_nodev+0xa5/0x130
 [ 1845.469189]  get_tree_nodev+0xa5/0x130
 [ 1845.469192]  ? cap_capable+0xd0/0x320
 [ 1845.469198]  vfs_get_tree+0x83/0x2e0
 [ 1845.469202]  ? ns_capable+0x55/0xb0
 [ 1845.469206]  path_mount+0x891/0x1aa0
 [ 1845.469210]  ? finish_automount+0x860/0x860
 [ 1845.469217]  ? kmem_cache_free+0x14c/0x4f0
 [ 1845.469221]  ? user_path_at+0x3d/0x50
 [ 1845.469227]  __x64_sys_mount+0x2d4/0x3a0
 [ 1845.469231]  ? path_mount+0x1aa0/0x1aa0
 [ 1845.469235]  do_syscall_64+0x6d/0x140
 [ 1845.469239]  entry_SYSCALL_64_after_hwframe+0x4b/0x53
 [ 1845.469242] RIP: 0033:0x55e3487f1fea
 [ 1845.469246] Code: e8 1b 96 fa ff 48 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 4c 8b 54 24 28 4c 8b 44 24 30 4c 8b 4c 24 38 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 40 ff ff ff ff 48 c7 44 24 48
 [ 1845.469249] RSP: 002b:000000c000b563b8 EFLAGS: 00000212 ORIG_RAX: 00000000000000a5
 [ 1845.469253] RAX: ffffffffffffffda RBX: 000000c00006c000 RCX: 000055e3487f1fea
 [ 1845.469256] RDX: 000000c0012cf7d8 RSI: 000000c0012616c0 RDI: 000000c0012cf7d0
 [ 1845.469260] RBP: 000000c000b56458 R08: 000000c0004fa600 R09: 0000000000000000
 [ 1845.469261] R10: 0000000000000000 R11: 0000000000000212 R12: 000000c0012cf7d0
 [ 1845.469263] R13: 0000000000000000 R14: 000000c00098b6c0 R15: ffffffffffffffff
 [ 1845.469268]  </TASK>
 [ 1845.469269]
 [ 1845.494368] Allocated by task 17044:
 [ 1845.494768]  kasan_save_stack+0x1e/0x40
 [ 1845.495185]  kasan_save_track+0x10/0x30
 [ 1845.495594]  __kasan_slab_alloc+0x62/0x70
 [ 1845.496024]  kmem_cache_alloc_noprof+0x1a0/0x4a0
 [ 1845.496518]  alloc_vfsmnt+0x23/0x6c0
 [ 1845.496911]  vfs_create_mount+0x82/0x4a0
 [ 1845.497333]  path_mount+0x939/0x1aa0
 [ 1845.497728]  __x64_sys_mount+0x2d4/0x3a0
 [ 1845.498167]  do_syscall_64+0x6d/0x140
 [ 1845.498563]  entry_SYSCALL_64_after_hwframe+0x4b/0x53
 [ 1845.499064]
 [ 1845.499295] Freed by task 0:
 [ 1845.499636]  kasan_save_stack+0x1e/0x40
 [ 1845.500052]  kasan_save_track+0x10/0x30
 [ 1845.500494]  kasan_save_free_info+0x37/0x60
 [ 1845.500934]  __kasan_slab_free+0x33/0x40
 [ 1845.501355]  kmem_cache_free+0x14c/0x4f0
 [ 1845.501774]  rcu_core+0x605/0x1d50
 [ 1845.502162]  handle_softirqs+0x192/0x810
 [ 1845.502587]  irq_exit_rcu+0x106/0x190
 [ 1845.502995]  sysvec_apic_timer_interrupt+0x7c/0xb0
 [ 1845.503487]  asm_sysvec_apic_timer_interrupt+0x16/0x20
 [ 1845.504002]
 [ 1845.504236] Last potentially related work creation:
 [ 1845.504748]  kasan_save_stack+0x1e/0x40
 [ 1845.505164]  kasan_record_aux_stack+0x97/0xa0
 [ 1845.505621]  __call_rcu_common.constprop.0+0x6d/0xb40
 [ 1845.506136]  task_work_run+0x111/0x1f0
 [ 1845.506545]  syscall_exit_to_user_mode+0x1df/0x1f0
 [ 1845.507038]  do_syscall_64+0x79/0x140
 [ 1845.507439]  entry_SYSCALL_64_after_hwframe+0x4b/0x53
 [ 1845.507949]
 [ 1845.508187] Second to last potentially related work creation:
 [ 1845.508760]  kasan_save_stack+0x1e/0x40
 [ 1845.509175]  kasan_record_aux_stack+0x97/0xa0
 [ 1845.509630]  task_work_add+0x178/0x250
 [ 1845.510040]  mntput_no_expire+0x4fc/0x9f0
 [ 1845.510468]  path_umount+0x4ed/0x10d0
 [ 1845.510870]  __x64_sys_umount+0xfb/0x120
 [ 1845.511298]  do_syscall_64+0x6d/0x140
 [ 1845.511700]  entry_SYSCALL_64_after_hwframe+0x4b/0x53
 [ 1845.512210]
 [ 1845.512442] The buggy address belongs to the object at ffff8881507b5a40
 [ 1845.512442]  which belongs to the cache mnt_cache of size 368
 [ 1845.513553] The buggy address is located 24 bytes inside of
 [ 1845.513553]  freed 368-byte region [ffff8881507b5a40, ffff8881507b5bb0)
 [ 1845.514650]
 [ 1845.514883] The buggy address belongs to the physical page:
 [ 1845.515436] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1507b4
 [ 1845.516221] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
 [ 1845.516986] anon flags: 0x200000000000040(head|node=0|zone=2)
 [ 1845.517549] page_type: f5(slab)
 [ 1845.517912] raw: 0200000000000040 ffff8881009f5680 0000000000000000 dead000000000001
 [ 1845.518684] raw: 0000000000000000 0000000080240024 00000000f5000000 0000000000000000
 [ 1845.519445] head: 0200000000000040 ffff8881009f5680 0000000000000000 dead000000000001
 [ 1845.520220] head: 0000000000000000 0000000080240024 00000000f5000000 0000000000000000
 [ 1845.521006] head: 0200000000000002 ffffea000541ed01 ffffffffffffffff 0000000000000000
 [ 1845.521812] head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000
 [ 1845.522581] page dumped because: kasan: bad access detected
 [ 1845.523131]
 [ 1845.523362] Memory state around the buggy address:
 [ 1845.523851]  ffff8881507b5900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 [ 1845.524588]  ffff8881507b5980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
 [ 1845.525321] >ffff8881507b5a00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
 [ 1845.526059]                                                     ^
 [ 1845.526651]  ffff8881507b5a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 [ 1845.527378]  ffff8881507b5b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 [ 1845.528095] ==================================================================

> 
> Thank you!
> 
> -- 
> Deet-doot-dot, I am a bot.
> https://korg.docs.kernel.org/prtracker.html
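For anyone triaging a report like the one above, the useful first step is to pull the structured facts out of the KASAN text: bug class, faulting frame, access size and address, the allocation and free stacks, and where inside the freed object the access landed. The following parser is an added example, not code from this thread or from the kernel tree; its sample input is the first report in the message above, trimmed to the lines the parser needs (register and page dumps removed), and the `triage()` observations are heuristics of this example, not anything KASAN itself emits.

```python
"""Parse a KASAN slab-use-after-free report into a triage summary (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample input: the first report from the message above, trimmed
# to the lines this parser consumes (register dump and page dump removed).
SAMPLE_REPORT = """\
[ 1845.404658] ==================================================================
[ 1845.405460] BUG: KASAN: slab-use-after-free in clone_private_mount+0x309/0x390
[ 1845.406205] Read of size 8 at addr ffff8881507b5ab0 by task dockerd/8697
[ 1845.406847]
[ 1845.407097] Call Trace:
[ 1845.407102]  <TASK>
[ 1845.407104]  dump_stack_lvl+0x69/0xa0
[ 1845.407128]  kasan_report+0xc1/0xf0
[ 1845.407134]  ? clone_private_mount+0x309/0x390
[ 1845.407138]  clone_private_mount+0x309/0x390
[ 1845.407144]  ovl_fill_super+0x2965/0x59e0 [overlay]
[ 1845.407296]  </TASK>
[ 1845.407297]
[ 1845.431635] Allocated by task 17044:
[ 1845.432033]  kasan_save_stack+0x1e/0x40
[ 1845.433781]  alloc_vfsmnt+0x23/0x6c0
[ 1845.434195]  vfs_create_mount+0x82/0x4a0
[ 1845.436355]
[ 1845.436601] Freed by task 0:
[ 1845.436945]  kasan_save_stack+0x1e/0x40
[ 1845.439068]  kmem_cache_free+0x14c/0x4f0
[ 1845.439451]  rcu_core+0x605/0x1d50
[ 1845.439880]  handle_softirqs+0x192/0x810
[ 1845.441300]
[ 1845.449766] The buggy address belongs to the object at ffff8881507b5a40
[ 1845.449766]  which belongs to the cache mnt_cache of size 368
[ 1845.450898] The buggy address is located 112 bytes inside of
[ 1845.450898]  freed 368-byte region [ffff8881507b5a40, ffff8881507b5bb0)
"""

_TS = re.compile(r"^\s*\[\s*\d+\.\d+\]\s?")          # dmesg timestamp prefix
_BUG = re.compile(r"BUG: KASAN: (\S+) in (\S+)")
_ACCESS = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)")
_OBJECT = re.compile(r"belongs to the object at ([0-9a-f]+)")
_CACHE = re.compile(r"belongs to the cache (\S+) of size (\d+)")
_OFFSET = re.compile(r"located (\d+) bytes inside of")
# A reliable stack frame: "sym+0xoff/0xlen"; "? sym+..." (unreliable) lines are skipped.
_FRAME = re.compile(r"^\s*([A-Za-z_][\w.]*\+0x[0-9a-f]+/0x[0-9a-f]+)")


@dataclass
class KasanReport:
    bug_type: str = ""
    site: str = ""
    access: str = ""
    size: int = 0
    addr: int = 0
    task: str = ""
    object_addr: int = 0
    cache: str = ""
    object_size: int = 0
    offset: int = 0
    call_trace: list[str] = field(default_factory=list)
    alloc_stack: list[str] = field(default_factory=list)
    free_stack: list[str] = field(default_factory=list)


def parse_kasan_report(text: str) -> KasanReport:
    rep = KasanReport()
    section: list[str] | None = None   # the stack list currently being filled
    for raw in text.splitlines():
        line = _TS.sub("", raw).rstrip()
        if not line.strip():
            section = None                 # a blank line closes a stack section
            continue
        if m := _BUG.search(line):
            rep.bug_type, rep.site = m.group(1), m.group(2)
        elif m := _ACCESS.search(line):
            rep.access, rep.size = m.group(1), int(m.group(2))
            rep.addr, rep.task = int(m.group(3), 16), m.group(4)
        elif m := _OBJECT.search(line):
            rep.object_addr = int(m.group(1), 16)
        elif m := _CACHE.search(line):
            rep.cache, rep.object_size = m.group(1), int(m.group(2))
        elif m := _OFFSET.search(line):
            rep.offset = int(m.group(1))
        elif line.startswith("Call Trace:"):
            section = rep.call_trace
        elif line.startswith("Allocated by task"):
            section = rep.alloc_stack
        elif line.startswith("Freed by task"):
            section = rep.free_stack
        elif section is not None and (m := _FRAME.match(line)):
            section.append(m.group(1))
    return rep


def faulting_path(rep: KasanReport) -> list[str]:
    """Call-trace frames from the faulting site outward, dropping KASAN's own reporting frames."""
    if rep.site in rep.call_trace:
        return rep.call_trace[rep.call_trace.index(rep.site):]
    return list(rep.call_trace)


def triage(rep: KasanReport) -> list[str]:
    """Heuristic observations for a reviewer (this example's own checks, not KASAN output)."""
    notes = []
    if rep.bug_type == "slab-use-after-free":
        notes.append(f"{rep.access.lower()} of {rep.size} bytes at offset {rep.offset} into a "
                     f"freed {rep.cache} object ({rep.object_size} bytes) by {rep.task}")
    if rep.object_addr and rep.addr - rep.object_addr != rep.offset:
        notes.append("offset mismatch: reported offset disagrees with addr - object base")
    if any(f.startswith("rcu_core+") for f in rep.free_stack):
        notes.append("object was released from an RCU callback: check that the reader holds a "
                     "reference or an RCU read-side critical section covering the access")
    return notes


if __name__ == "__main__":
    r = parse_kasan_report(SAMPLE_REPORT)
    print(r.bug_type, "at", " <- ".join(faulting_path(r)))
    for n in triage(r):
        print("-", n)
```

Running it against the sample prints the bug class with the call path from `clone_private_mount` out to `ovl_fill_super`, the 8-byte read at offset 112 into the freed `mnt_cache` object, and the note that the free ran from `rcu_core`, which is the first thing to compare against the "Second to last potentially related work creation" stack (`mntput_no_expire` via `path_umount`) in the full report. The offset check cross-validates the two numbers KASAN prints for the same fact, which catches a report that was mangled in transit.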
