Message-ID: <bfb89482-8c38-4e40-adb1-a7c60a335679@gmx.com>
Date: Fri, 27 Jun 2025 09:31:34 +0930
From: Qu Wenruo <quwenruo.btrfs@....com>
To: syzbot <syzbot+772bdfe41846e057fa83@...kaller.appspotmail.com>,
clm@...com, dsterba@...e.com, josef@...icpanda.com,
linux-btrfs@...r.kernel.org, linux-kernel@...r.kernel.org,
syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [btrfs?] KASAN: slab-use-after-free Read in
close_fs_devices
在 2025/6/27 03:05, syzbot 写道:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: ecb259c4f70d Add linux-next specific files for 20250626
This head already includes the latest v5 update, so it's not good
news to me.
> git tree: linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=11147182580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=f0c48ed70f20d0d2
> dashboard link: https://syzkaller.appspot.com/bug?extid=772bdfe41846e057fa83
> compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/a6a71f1563ce/disk-ecb259c4.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/914a0673e6a0/vmlinux-ecb259c4.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/87f7194e2a0e/bzImage-ecb259c4.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+772bdfe41846e057fa83@...kaller.appspotmail.com
>
> BTRFS: device fsid a6a605fc-d5f1-4e66-8595-3726e2b761d6 devid 1 transid 8 /dev/loop4 (7:4) scanned by syz.4.616 (8589)
> ==================================================================
> BUG: KASAN: slab-use-after-free in close_fs_devices+0x81f/0x870 fs/btrfs/volumes.c:1182
> Read of size 4 at addr ffff88802fe14930 by task syz.4.616/8589
>
> CPU: 0 UID: 0 PID: 8589 Comm: syz.4.616 Not tainted 6.16.0-rc3-next-20250626-syzkaller #0 PREEMPT(full)
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
> Call Trace:
> <TASK>
> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
> print_address_description mm/kasan/report.c:408 [inline]
> print_report+0xd2/0x2b0 mm/kasan/report.c:521
> kasan_report+0x118/0x150 mm/kasan/report.c:634
> close_fs_devices+0x81f/0x870 fs/btrfs/volumes.c:1182
> btrfs_close_devices+0xc5/0x560 fs/btrfs/volumes.c:1201
> btrfs_free_fs_info+0x4f/0x3c0 fs/btrfs/disk-io.c:1250
> deactivate_locked_super+0xbc/0x130 fs/super.c:474
> btrfs_get_tree_super fs/btrfs/super.c:-1 [inline]
If syzbot can provide a better line number for the inlined function, it
would be very helpful.
But so far it looks like btrfs_open_devices() failed, thus
deactivate_locked_super() is called to free the whole fs_devices.
However, since btrfs_open_fs_devices() failed, we are not holding the
fs_devices opened, and after we release uuid_mutex, the fs_devices can
be freed by someone else.
I believe we need extra error handling for this particular case.
Thanks a lot for catching this rare error path.
Thanks,
Qu