Message-ID: <bfb89482-8c38-4e40-adb1-a7c60a335679@gmx.com>
Date: Fri, 27 Jun 2025 09:31:34 +0930
From: Qu Wenruo <quwenruo.btrfs@....com>
To: syzbot <syzbot+772bdfe41846e057fa83@...kaller.appspotmail.com>,
 clm@...com, dsterba@...e.com, josef@...icpanda.com,
 linux-btrfs@...r.kernel.org, linux-kernel@...r.kernel.org,
 syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [btrfs?] KASAN: slab-use-after-free Read in
 close_fs_devices

On 2025/6/27 03:05, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    ecb259c4f70d Add linux-next specific files for 20250626

This head already includes the latest v5 update, so it's not good 
news to me.

> git tree:       linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=11147182580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=f0c48ed70f20d0d2
> dashboard link: https://syzkaller.appspot.com/bug?extid=772bdfe41846e057fa83
> compiler:       Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
> 
> Unfortunately, I don't have any reproducer for this issue yet.
> 
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/a6a71f1563ce/disk-ecb259c4.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/914a0673e6a0/vmlinux-ecb259c4.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/87f7194e2a0e/bzImage-ecb259c4.xz
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+772bdfe41846e057fa83@...kaller.appspotmail.com
> 
> BTRFS: device fsid a6a605fc-d5f1-4e66-8595-3726e2b761d6 devid 1 transid 8 /dev/loop4 (7:4) scanned by syz.4.616 (8589)
> ==================================================================
> BUG: KASAN: slab-use-after-free in close_fs_devices+0x81f/0x870 fs/btrfs/volumes.c:1182
> Read of size 4 at addr ffff88802fe14930 by task syz.4.616/8589
> 
> CPU: 0 UID: 0 PID: 8589 Comm: syz.4.616 Not tainted 6.16.0-rc3-next-20250626-syzkaller #0 PREEMPT(full)
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
> Call Trace:
>   <TASK>
>   dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
>   print_address_description mm/kasan/report.c:408 [inline]
>   print_report+0xd2/0x2b0 mm/kasan/report.c:521
>   kasan_report+0x118/0x150 mm/kasan/report.c:634
>   close_fs_devices+0x81f/0x870 fs/btrfs/volumes.c:1182
>   btrfs_close_devices+0xc5/0x560 fs/btrfs/volumes.c:1201
>   btrfs_free_fs_info+0x4f/0x3c0 fs/btrfs/disk-io.c:1250
>   deactivate_locked_super+0xbc/0x130 fs/super.c:474
>   btrfs_get_tree_super fs/btrfs/super.c:-1 [inline]

If syzbot can provide a better line number for the inlined function, it will 
be very helpful.

But so far it looks like btrfs_open_devices() failed, thus 
deactivate_locked_super() is called to free the whole fs_devices.

However, since btrfs_open_fs_devices() failed, we are not holding the 
fs_devices opened, and after we release uuid_mutex, the fs_devices can 
be freed by someone else.

I believe we need extra error handling for this particular case.

Thanks a lot for catching this rare error path.

Thanks,
Qu
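A user-space model of the lifetime problem described in the reply above, added here as an illustration and not code from the thread or from btrfs: a device set that was scanned but never successfully opened is not owned by the mounting task, so once the lock is dropped another task may free it, and a later close on it reads freed memory. kfree() is replaced by a poison flag so the stale close is detectable, and the guarded path stands in for the extra error handling the reply calls for; names such as mount_attempt and free_unopened_sets are this model's own, not kernel functions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

struct fs_devices {
    int opened;   /* holders that opened this set successfully */
    bool freed;   /* poison flag standing in for the memory being freed */
};

#define MAX_SETS 4
static struct fs_devices *scanned[MAX_SETS];   /* global list of scanned sets */
static size_t nr_scanned;

static void reset_scan_list(void) {
    for (size_t i = 0; i < nr_scanned; i++) free(scanned[i]);
    nr_scanned = 0;
}

/* Device scan: register a new, not-yet-opened device set. */
static struct fs_devices *scan_device(void) {
    struct fs_devices *fd = calloc(1, sizeof *fd);
    if (!fd || nr_scanned == MAX_SETS) { free(fd); return NULL; }
    scanned[nr_scanned++] = fd;
    return fd;
}

/* "Someone else": drop every device set that nobody holds open. */
static int free_unopened_sets(void) {
    int n = 0;
    for (size_t i = 0; i < nr_scanned; i++)
        if (!scanned[i]->freed && scanned[i]->opened == 0) {
            scanned[i]->freed = true;   /* would be kfree() in the kernel */
            n++;
        }
    return n;
}

static int open_fs_devices(struct fs_devices *fd, bool fail) {
    if (fail) return -1;   /* open failed: this task holds no reference */
    fd->opened++;
    return 0;
}

/* Returns true when the close touched freed memory (what KASAN reported). */
static bool close_fs_devices(struct fs_devices *fd) {
    if (fd->freed) return true;
    fd->opened--;
    return false;
}

/* One mount attempt. 'guarded' models the extra error handling: only close
 * a device set this task actually opened. Returns true on a stale access. */
static bool mount_attempt(bool open_fails, bool guarded) {
    reset_scan_list();
    struct fs_devices *fd = scan_device();
    int ret = open_fs_devices(fd, open_fails);   /* done under the uuid lock */
    free_unopened_sets();                        /* lock dropped: racing task runs */
    if (guarded && ret < 0) return false;        /* never opened: nothing to close */
    return close_fs_devices(fd);                 /* unguarded teardown path */
}
```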

