| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 5 Apr 2024 15:23:46 +0200
From: Jan Kara <jack@...e.cz>
To: Christian Brauner <brauner@...nel.org>
Cc: Jan Kara <jack@...e.cz>, Kemeng Shi <shikemeng@...weicloud.com>,
gregkh@...uxfoundation.org, konishi.ryusuke@...il.com,
linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-nilfs@...r.kernel.org, syzkaller-bugs@...glegroups.com,
tj@...nel.org, viro@...iv.linux.org.uk
Subject: Re: [syzbot] [nilfs?] KASAN: slab-out-of-bounds Read in wb_writeback
On Fri 05-04-24 13:05:59, Christian Brauner wrote:
> On Wed, Apr 03, 2024 at 11:47:17AM +0200, Jan Kara wrote:
> > On Tue 02-04-24 07:38:25, syzbot wrote:
> > > syzbot has found a reproducer for the following issue on:
> > >
> > > HEAD commit: c0b832517f62 Add linux-next specific files for 20240402
> > > git tree: linux-next
> > > console+strace: https://syzkaller.appspot.com/x/log.txt?x=14af7dd9180000
> > > kernel config: https://syzkaller.appspot.com/x/.config?x=afcaf46d374cec8c
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=7b219b86935220db6dd8
> > > compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1729f003180000
> > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17fa4341180000
> > >
> > > Downloadable assets:
> > > disk image: https://storage.googleapis.com/syzbot-assets/0d36ec76edc7/disk-c0b83251.raw.xz
> > > vmlinux: https://storage.googleapis.com/syzbot-assets/6f9bb4e37dd0/vmlinux-c0b83251.xz
> > > kernel image: https://storage.googleapis.com/syzbot-assets/2349287b14b7/bzImage-c0b83251.xz
> > > mounted in repro: https://storage.googleapis.com/syzbot-assets/9760c52a227c/mount_0.gz
> > >
> > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > Reported-by: syzbot+7b219b86935220db6dd8@...kaller.appspotmail.com
> > >
> > > ==================================================================
> > > BUG: KASAN: slab-out-of-bounds in __lock_acquire+0x78/0x1fd0 kernel/locking/lockdep.c:5005
> > > Read of size 8 at addr ffff888020485fa8 by task kworker/u8:2/35
> >
> > Looks like the writeback cleanups are causing some use-after-free issues.
> > The code KASAN is complaining about is:
> >
> > /*
> > * Nothing written. Wait for some inode to
> > * become available for writeback. Otherwise
> > * we'll just busyloop.
> > */
> > trace_writeback_wait(wb, work);
> > inode = wb_inode(wb->b_more_io.prev);
> > >>>>> spin_lock(&inode->i_lock); <<<<<<
> > spin_unlock(&wb->list_lock);
> > /* This function drops i_lock... */
> > inode_sleep_on_writeback(inode);
> >
> > in wb_writeback(). Now looking at the changes indeed the commit
> > 167d6693deb ("fs/writeback: bail out if there is no more inodes for IO and
> > queued once") is buggy because it will result in trying to fetch 'inode'
> > from empty b_more_io list and thus we'll corrupt memory. I think instead of
> > modifying the condition:
> >
> > if (list_empty(&wb->b_more_io)) {
> >
> > we should do:
> >
> > - if (progress) {
> > + if (progress || !queued) {
> > spin_unlock(&wb->list_lock);
> > continue;
> > }
> >
> > Kemeng?
>
> Fwiw, I observed this on xfstest too the last few days and tracked it
> down to this series. Here's the splat I got in case it helps:
OK, since this is apparently causing more issues and Kemeng didn't reply
yet, here's a fix in the form of the patch. It has passed some basic
testing. Feel free to fold it into Kemeng's patch so that we don't keep
linux-next broken longer than necessary. Thanks!
Honza
--
Jan Kara <jack@...e.com>
SUSE Labs, CR
View attachment "0001-writeback-Fix-memory-corruption-in-writeback-code.patch" of type "text/x-patch" (1850 bytes)
Powered by blists - more mailing lists