Message-ID: <3d164a94-b643-411b-9f22-3bb02af4e4f0@redhat.com>
Date: Thu, 24 Jul 2025 12:38:41 +0100
From: Andrew Price <anprice@...hat.com>
To: syzbot <syzbot+42a37bf8045847d8f9d2@...kaller.appspotmail.com>
Cc: agruenba@...hat.com, gfs2@...ts.linux.dev, linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [gfs2?] KASAN: slab-use-after-free Write in gfs2_qd_dealloc (3)
On 23/07/2025 21:49, syzbot wrote:
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: 01a412d06bc5 Merge tag 'pull-ufs-fix' of git://git.kernel...
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=150e6fd4580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=8adfe52da0de2761
> dashboard link: https://syzkaller.appspot.com/bug?extid=42a37bf8045847d8f9d2
> compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=132aff22580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=144380a2580000
>
> Downloadable assets:
> disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-01a412d0.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/8229e4edb67d/vmlinux-01a412d0.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/8e07d86da9da/bzImage-01a412d0.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/5c2db4a05d12/mount_0.gz
> fsck result: failed (log: https://syzkaller.appspot.com/x/fsck.log?x=110e6fd4580000)
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+42a37bf8045847d8f9d2@...kaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
> BUG: KASAN: slab-use-after-free in atomic_dec_and_test include/linux/atomic/atomic-instrumented.h:1383 [inline]
> BUG: KASAN: slab-use-after-free in gfs2_qd_dealloc+0x81/0xe0 fs/gfs2/quota.c:112
> Write of size 4 at addr ffff888036404a80 by task pool_workqueue_/3
>
> CPU: 0 UID: 0 PID: 3 Comm: pool_workqueue_ Not tainted 6.16.0-rc7-syzkaller-00018-g01a412d06bc5 #0 PREEMPT(full)
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
> Call Trace:
> <IRQ>
> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
> print_address_description mm/kasan/report.c:378 [inline]
> print_report+0xca/0x230 mm/kasan/report.c:480
> kasan_report+0x118/0x150 mm/kasan/report.c:593
> check_region_inline mm/kasan/generic.c:-1 [inline]
> kasan_check_range+0x2b0/0x2c0 mm/kasan/generic.c:189
> instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
> atomic_dec_and_test include/linux/atomic/atomic-instrumented.h:1383 [inline]
> gfs2_qd_dealloc+0x81/0xe0 fs/gfs2/quota.c:112
> rcu_do_batch kernel/rcu/tree.c:2576 [inline]
> rcu_core+0xca5/0x1710 kernel/rcu/tree.c:2832
> handle_softirqs+0x286/0x870 kernel/softirq.c:579
> __do_softirq kernel/softirq.c:613 [inline]
> invoke_softirq kernel/softirq.c:453 [inline]
> __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680
> irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
> instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
> sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1050
> </IRQ>
#syz test
--- a/fs/gfs2/ops_fstype.c
+++ b/fs/gfs2/ops_fstype.c
@@ -66,6 +66,8 @@ void free_sbd(struct gfs2_sbd *sdp)
{
struct super_block *sb = sdp->sd_vfs;
+ /* Wait for rcu_call(gfs2_qd_dealloc) */
+ rcu_barrier();
free_percpu(sdp->sd_lkstats);
sb->s_fs_info = NULL;
kfree(sdp);
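Review bot: the comment on the added line `+ /* Wait for rcu_call(gfs2_qd_dealloc) */` names a function that does not exist; the kernel API that queues the callback is call_rcu(), so the comment should read something like `/* Wait for pending call_rcu(gfs2_qd_dealloc) callbacks */`. It would also help to state which object the callback still writes to, since that is what justifies placing rcu_barrier() ahead of free_percpu(sdp->sd_lkstats) and kfree(sdp): the KASAN report above shows the use-after-free write in gfs2_qd_dealloc (fs/gfs2/quota.c:112) running from the RCU softirq, so the barrier is what guarantees the callback has completed before the memory it touches is returned. The changelog should also confirm that free_sbd() is only reached from a context where rcu_barrier() is allowed to sleep.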