Message-ID: <A1612BD1-D5C3-4466-AE70-F2557CEF4BBE@psu.edu>
Date: Mon, 27 Oct 2025 01:31:35 +0000
From: "Bai, Shuangpeng" <SJB7183@....EDU>
To: "agruenba@...hat.com" <agruenba@...hat.com>
CC: "gfs2@...ts.linux.dev" <gfs2@...ts.linux.dev>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"syzkaller@...glegroups.com" <syzkaller@...glegroups.com>
Subject: [BUG] KASAN: slab-use-after-free in gfs2_hole_size in v6.18-rc3
Hi Kernel Maintainers,
Our tool found a new kernel bug: a KASAN slab-use-after-free (read of size 8) in gfs2_hole_size (fs/gfs2/bmap.c:562), reached from the IMA file-hash path on open (ima_file_check -> ima_calc_file_hash -> gfs2_file_read_iter -> readahead -> gfs2_iomap_begin). KASAN attributes the freed 184-byte region to the `cred` slab cache: it was allocated by prepare_kernel_cred() in call_usermodehelper_exec_async() and freed by an RCU callback queued from exit_creds()/__put_task_struct(), so the dangling pointer dereferenced in gfs2_hole_size appears to point at a freed credential object rather than at gfs2 metadata. Please see the details below.
Kernel commit: v6.18-rc3 (note: the trace reports the running kernel as 6.18.0-rc3-dirty, i.e. the tree carried uncommitted local changes when it was built with the attached config)
Kernel config: attachment
C/Syz reproducer: attachment (note: the archive lists the attached repro.c at only 2 bytes, so the C reproducer appears to be empty as posted and may need to be re-sent)
I’m happy to test debug patches or provide additional information.
Reported-by: Shuangpeng Bai <SJB7183@....edu>
[ 94.703142][T11104] BUG: KASAN: slab-use-after-free in gfs2_hole_size (fs/gfs2/bmap.c:562 fs/gfs2/bmap.c:500 fs/gfs2/bmap.c:592)
[ 94.703846][T11104] Read of size 8 at addr ffff888179287000 by task syz.0.20/11104
[ 94.704503][T11104]
[ 94.704716][T11104] CPU: 1 UID: 0 PID: 11104 Comm: syz.0.20 Not tainted 6.18.0-rc3-dirty #5 PREEMPT(full)
[ 94.704727][T11104] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[ 94.704733][T11104] Call Trace:
[ 94.704737][T11104] <TASK>
[ 94.704741][T11104] dump_stack_lvl (lib/dump_stack.c:122)
[ 94.704757][T11104] ? __pfx_dump_stack_lvl (lib/dump_stack.c:104)
[ 94.704768][T11104] ? __virt_addr_valid (./include/linux/rcupdate.h:331 ./include/linux/rcupdate.h:958 ./include/linux/mmzone.h:2187 arch/x86/mm/physaddr.c:65)
[ 94.704781][T11104] ? rcu_is_watching (./include/linux/context_tracking.h:128 kernel/rcu/tree.c:751)
[ 94.704790][T11104] ? __virt_addr_valid (./include/linux/rcupdate.h:331 ./include/linux/rcupdate.h:958 ./include/linux/mmzone.h:2187 arch/x86/mm/physaddr.c:65)
[ 94.704801][T11104] ? lock_release (./include/trace/events/lock.h:69 kernel/locking/lockdep.c:5879)
[ 94.704813][T11104] ? __virt_addr_valid (./include/linux/rcupdate.h:331 ./include/linux/rcupdate.h:958 ./include/linux/mmzone.h:2187 arch/x86/mm/physaddr.c:65)
[ 94.704824][T11104] ? __virt_addr_valid (./include/linux/rcupdate.h:331 ./include/linux/rcupdate.h:958 ./include/linux/mmzone.h:2187 arch/x86/mm/physaddr.c:65)
[ 94.704834][T11104] ? __virt_addr_valid (arch/x86/mm/physaddr.c:65)
[ 94.704846][T11104] print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)
[ 94.704856][T11104] ? __virt_addr_valid (./include/linux/rcupdate.h:331 ./include/linux/rcupdate.h:958 ./include/linux/mmzone.h:2187 arch/x86/mm/physaddr.c:65)
[ 94.704867][T11104] ? __virt_addr_valid (./include/linux/rcupdate.h:331 ./include/linux/rcupdate.h:958 ./include/linux/mmzone.h:2187 arch/x86/mm/physaddr.c:65)
[ 94.704877][T11104] ? __virt_addr_valid (arch/x86/mm/physaddr.c:65)
[ 94.704888][T11104] ? __phys_addr (arch/x86/mm/physaddr.c:31)
[ 94.704899][T11104] ? gfs2_hole_size (fs/gfs2/bmap.c:562 fs/gfs2/bmap.c:500 fs/gfs2/bmap.c:592)
[ 94.704911][T11104] kasan_report (mm/kasan/report.c:597)
[ 94.704922][T11104] ? gfs2_hole_size (fs/gfs2/bmap.c:562 fs/gfs2/bmap.c:500 fs/gfs2/bmap.c:592)
[ 94.704935][T11104] gfs2_hole_size (fs/gfs2/bmap.c:562 fs/gfs2/bmap.c:500 fs/gfs2/bmap.c:592)
[ 94.704952][T11104] ? __pfx_gfs2_hole_size (fs/gfs2/bmap.c:586)
[ 94.704965][T11104] ? __pfx_gfs2_meta_buffer (fs/gfs2/meta_io.c:488)
[ 94.704978][T11104] ? __fillup_metapath (fs/gfs2/bmap.c:?)
[ 94.704991][T11104] __gfs2_iomap_get (fs/gfs2/bmap.c:?)
[ 94.705006][T11104] ? __pfx___gfs2_iomap_get (fs/gfs2/bmap.c:843)
[ 94.705017][T11104] ? __lock_acquire (kernel/locking/lockdep.c:?)
[ 94.705029][T11104] gfs2_iomap_begin (fs/gfs2/bmap.c:1109)
[ 94.705043][T11104] ? percpu_ref_get_many (./include/linux/rcupdate.h:331 ./include/linux/rcupdate.h:867 ./include/linux/percpu-refcount.h:202)
[ 94.705055][T11104] ? __pfx_gfs2_iomap_begin (fs/gfs2/bmap.c:1100)
[ 94.705066][T11104] ? __memcg_slab_post_alloc_hook (mm/slab.h:536 mm/memcontrol.c:3194)
[ 94.705080][T11104] iomap_iter (fs/iomap/iter.c:108)
[ 94.705088][T11104] ? __pfx_gfs2_iomap_begin (fs/gfs2/bmap.c:1100)
[ 94.705102][T11104] iomap_readahead (fs/iomap/buffered-io.c:543)
[ 94.705112][T11104] ? __lock_acquire (kernel/locking/lockdep.c:?)
[ 94.705123][T11104] ? __pfx_iomap_readahead (fs/iomap/buffered-io.c:531)
[ 94.705135][T11104] ? __folio_batch_add_and_move (mm/swap.c:?)
[ 94.705147][T11104] ? blk_start_plug (block/blk-core.c:1137 block/blk-core.c:1175)
[ 94.705156][T11104] read_pages (mm/readahead.c:165)
[ 94.705167][T11104] ? folio_add_lru (mm/swap.c:?)
[ 94.705176][T11104] ? filemap_add_folio (mm/filemap.c:?)
[ 94.705187][T11104] ? __pfx_read_pages (mm/readahead.c:150)
[ 94.705202][T11104] page_cache_ra_unbounded (mm/readahead.c:?)
[ 94.705218][T11104] filemap_get_pages (mm/filemap.c:2639)
[ 94.705230][T11104] ? gfs2_glock_dq_uninit (./fs/gfs2/glock.h:286 fs/gfs2/glock.c:1289 fs/gfs2/glock.c:1709)
[ 94.705247][T11104] ? __pfx_filemap_get_pages (mm/filemap.c:2612)
[ 94.705260][T11104] ? rcu_read_lock_any_held (kernel/rcu/update.c:388)
[ 94.705268][T11104] ? __pfx_rcu_read_lock_any_held (kernel/rcu/update.c:381)
[ 94.705276][T11104] ? __pfx___might_resched (kernel/sched/core.c:8882)
[ 94.705292][T11104] filemap_read (mm/filemap.c:2748)
[ 94.705309][T11104] ? __pfx_filemap_read (mm/filemap.c:2713)
[ 94.705326][T11104] ? generic_file_read_iter (mm/filemap.c:?)
[ 94.705338][T11104] ? inode_go_held (fs/gfs2/glops.c:?)
[ 94.705352][T11104] gfs2_file_read_iter (fs/gfs2/file.c:989)
[ 94.705365][T11104] ? __pfx_gfs2_file_read_iter (fs/gfs2/file.c:950)
[ 94.705378][T11104] ? __kernel_read (fs/read_write.c:530)
[ 94.705386][T11104] ? kasan_save_track (./arch/x86/include/asm/current.h:25 mm/kasan/common.c:69 mm/kasan/common.c:78)
[ 94.705394][T11104] ? kasan_save_track (mm/kasan/common.c:57 mm/kasan/common.c:77)
[ 94.705402][T11104] ? __kasan_kmalloc (mm/kasan/common.c:421)
[ 94.705411][T11104] ? ima_calc_file_hash (./include/linux/slab.h:? ./include/linux/slab.h:1094 security/integrity/ima/ima_crypto.c:473 security/integrity/ima/ima_crypto.c:511 security/integrity/ima/ima_crypto.c:568)
[ 94.705424][T11104] ? iov_iter_kvec (lib/iov_iter.c:683)
[ 94.705436][T11104] __kernel_read (fs/read_write.c:530)
[ 94.705445][T11104] ? __pfx___kernel_read (fs/read_write.c:507)
[ 94.705459][T11104] integrity_kernel_read (security/integrity/iint.c:28)
[ 94.705468][T11104] ? __pfx_integrity_kernel_read (security/integrity/iint.c:27)
[ 94.705476][T11104] ? __kmalloc_cache_noprof (./include/linux/kasan.h:? mm/slub.c:5763)
[ 94.705488][T11104] ? ima_calc_file_hash (./include/linux/slab.h:? ./include/linux/slab.h:1094 security/integrity/ima/ima_crypto.c:473 security/integrity/ima/ima_crypto.c:511 security/integrity/ima/ima_crypto.c:568)
[ 94.705497][T11104] ? __asan_memcpy (mm/kasan/shadow.c:105)
[ 94.705506][T11104] ima_calc_file_hash (security/integrity/ima/ima_crypto.c:480 security/integrity/ima/ima_crypto.c:511 security/integrity/ima/ima_crypto.c:568)
[ 94.705519][T11104] ? __lock_acquire (kernel/locking/lockdep.c:?)
[ 94.705529][T11104] ? __pfx_ima_calc_file_hash (security/integrity/ima/ima_crypto.c:532)
[ 94.705547][T11104] ? gfs2_getattr (fs/gfs2/inode.c:?)
[ 94.705558][T11104] ? __pfx_gfs2_getattr (fs/gfs2/inode.c:2136)
[ 94.705567][T11104] ? do_raw_spin_lock (./arch/x86/include/asm/atomic.h:107 ./include/linux/atomic/atomic-arch-fallback.h:2170 ./include/linux/atomic/atomic-instrumented.h:1302 ./include/asm-generic/qspinlock.h:111 kernel/locking/spinlock_debug.c:116)
[ 94.705580][T11104] ima_collect_measurement (security/integrity/ima/ima_api.c:?)
[ 94.705590][T11104] ? lockref_put_or_lock (lib/lockref.c:119)
[ 94.705603][T11104] ? __pfx_ima_collect_measurement (security/integrity/ima/ima_api.c:244)
[ 94.705613][T11104] ? gfs2_xattr_get (fs/gfs2/xattr.c:?)
[ 94.705624][T11104] ? __pfx_gfs2_xattr_get (fs/gfs2/xattr.c:610)
[ 94.705633][T11104] ? __mutex_lock (./arch/x86/include/asm/preempt.h:104 kernel/locking/mutex.c:608 kernel/locking/mutex.c:760)
[ 94.705658][T11104] ? __pfx_ima_get_hash_algo (security/integrity/ima/ima_appraise.c:181)
[ 94.705669][T11104] process_measurement (security/integrity/ima/ima_main.c:405)
[ 94.705683][T11104] ? __pfx_process_measurement (security/integrity/ima/ima_main.c:239)
[ 94.705694][T11104] ? do_raw_spin_unlock (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/atomic/atomic-instrumented.h:33 ./include/asm-generic/qspinlock.h:57 kernel/locking/spinlock_debug.c:101 kernel/locking/spinlock_debug.c:141)
[ 94.705708][T11104] ? __pfx_gfs2_open (fs/gfs2/file.c:676)
[ 94.705721][T11104] ? do_raw_spin_unlock (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/atomic/atomic-instrumented.h:33 ./include/asm-generic/qspinlock.h:57 kernel/locking/spinlock_debug.c:101 kernel/locking/spinlock_debug.c:141)
[ 94.705729][T11104] ? fsnotify_open_perm_and_set_mode (./include/linux/fs.h:3233 fs/notify/fsnotify.c:681)
[ 94.705741][T11104] ? apparmor_current_getlsmprop_subj (security/apparmor/lsm.c:997)
[ 94.705755][T11104] ima_file_check (security/integrity/ima/ima_main.c:633)
[ 94.705764][T11104] ? __pfx_ima_file_check (security/integrity/ima/ima_main.c:629)
[ 94.705776][T11104] security_file_post_open (security/security.c:3199)
[ 94.705789][T11104] path_openat (fs/namei.c:3977 fs/namei.c:4134)
[ 94.705803][T11104] ? __pfx_stack_trace_save (kernel/stacktrace.c:114)
[ 94.705814][T11104] ? stack_depot_save_flags (lib/stackdepot.c:659)
[ 94.705831][T11104] ? kasan_save_track (./arch/x86/include/asm/current.h:25 mm/kasan/common.c:69 mm/kasan/common.c:78)
[ 94.705840][T11104] ? getname_flags (fs/namei.c:147)
[ 94.705851][T11104] ? __pfx_path_openat (fs/namei.c:4116)
[ 94.705867][T11104] do_filp_open (fs/namei.c:4162)
[ 94.705879][T11104] ? __pfx_do_filp_open (fs/namei.c:4155)
[ 94.705891][T11104] ? do_raw_spin_lock (./arch/x86/include/asm/atomic.h:107 ./include/linux/atomic/atomic-arch-fallback.h:2170 ./include/linux/atomic/atomic-instrumented.h:1302 ./include/asm-generic/qspinlock.h:111 kernel/locking/spinlock_debug.c:116)
[ 94.705907][T11104] do_sys_openat2 (fs/open.c:1437)
[ 94.705920][T11104] ? __pfx_do_sys_openat2 (fs/open.c:1422)
[ 94.705934][T11104] __x64_sys_openat (fs/open.c:1463)
[ 94.705945][T11104] ? __pfx___x64_sys_openat (fs/open.c:1463)
[ 94.705958][T11104] ? do_syscall_64 (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:119 ./include/linux/entry-common.h:124 arch/x86/entry/syscall_64.c:90)
[ 94.705971][T11104] do_syscall_64 (arch/x86/entry/syscall_64.c:?)
[ 94.705982][T11104] ? entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
[ 94.705992][T11104] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
[ 94.706000][T11104] RIP: 0033:0x7fde1afae49d
[ 94.706009][T11104] Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 8
Code starting with the faulting instruction
===========================================
0: 02 b8 ff ff ff ff add -0x1(%rax),%bh
6: c3 ret
7: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1)
d: f3 0f 1e fa endbr64
11: 48 89 f8 mov %rdi,%rax
14: 48 89 f7 mov %rsi,%rdi
17: 48 89 d6 mov %rdx,%rsi
1a: 48 89 ca mov %rcx,%rdx
1d: 4d 89 c2 mov %r8,%r10
20: 4d 89 c8 mov %r9,%r8
23: 4c 8b 4c 24 08 mov 0x8(%rsp),%r9
28: 0f 08 invd
[ 94.706016][T11104] RSP: 002b:00007fde1bdecf98 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
[ 94.706027][T11104] RAX: ffffffffffffffda RBX: 00007fde1b225fa0 RCX: 00007fde1afae49d
[ 94.706033][T11104] RDX: 0000000000000000 RSI: 0000200000000080 RDI: ffffffffffffff9c
[ 94.706040][T11104] RBP: 00007fde1b048268 R08: 0000000000000000 R09: 0000000000000000
[ 94.706045][T11104] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 94.706050][T11104] R13: 00007fde1b226038 R14: 00007fde1b225fa0 R15: 00007fde1bdcd000
[ 94.706060][T11104] </TASK>
[ 94.706064][T11104]
[ 94.760751][T11104] Allocated by task 10772:
[ 94.761148][T11104] kasan_save_track (mm/kasan/common.c:57 mm/kasan/common.c:77)
[ 94.761569][T11104] __kasan_slab_alloc (mm/kasan/common.c:371)
[ 94.762004][T11104] kmem_cache_alloc_noprof (./include/linux/kasan.h:252 mm/slub.c:4970 mm/slub.c:5280 mm/slub.c:5287)
[ 94.762487][T11104] prepare_kernel_cred (kernel/cred.c:588)
[ 94.762938][T11104] call_usermodehelper_exec_async (kernel/umh.c:89)
[ 94.763468][T11104] ret_from_fork (arch/x86/kernel/process.c:?)
[ 94.763882][T11104] ret_from_fork_asm (arch/x86/entry/entry_64.S:255)
[ 94.764312][T11104]
[ 94.764528][T11104] Freed by task 23:
[ 94.764870][T11104] kasan_save_track (mm/kasan/common.c:57 mm/kasan/common.c:77)
[ 94.765288][T11104] __kasan_save_free_info (mm/kasan/generic.c:590)
[ 94.765753][T11104] __kasan_slab_free (mm/kasan/common.c:286)
[ 94.766179][T11104] kmem_cache_free (mm/slub.c:6630 mm/slub.c:6740)
[ 94.766602][T11104] rcu_core (./include/linux/rcupdate.h:341 kernel/rcu/tree.c:2607 kernel/rcu/tree.c:2861)
[ 94.766994][T11104] handle_softirqs (./arch/x86/include/asm/jump_label.h:36 ./include/trace/events/irq.h:142 kernel/softirq.c:623)
[ 94.767422][T11104] run_ksoftirqd (kernel/softirq.c:479 kernel/softirq.c:1064)
[ 94.767828][T11104] smpboot_thread_fn (kernel/smpboot.c:?)
[ 94.768271][T11104] kthread (kernel/kthread.c:464)
[ 94.768636][T11104] ret_from_fork (arch/x86/kernel/process.c:?)
[ 94.769046][T11104] ret_from_fork_asm (arch/x86/entry/entry_64.S:255)
[ 94.769472][T11104]
[ 94.769694][T11104] Last potentially related work creation:
[ 94.770198][T11104] kasan_save_stack (mm/kasan/common.c:57)
[ 94.770623][T11104] kasan_record_aux_stack (mm/kasan/generic.c:559)
[ 94.771105][T11104] call_rcu (./arch/x86/include/asm/irqflags.h:19 ./arch/x86/include/asm/irqflags.h:109 ./arch/x86/include/asm/irqflags.h:127 kernel/rcu/tree.c:3125 kernel/rcu/tree.c:3243)
[ 94.771483][T11104] exit_creds (./include/linux/cred.h:?)
[ 94.771874][T11104] __put_task_struct (./include/linux/delayacct.h:116 kernel/fork.c:745)
[ 94.772323][T11104] rcu_core (./include/linux/rcupdate.h:341 kernel/rcu/tree.c:2607 kernel/rcu/tree.c:2861)
[ 94.772702][T11104] handle_softirqs (./arch/x86/include/asm/jump_label.h:36 ./include/trace/events/irq.h:142 kernel/softirq.c:623)
[ 94.773122][T11104] run_ksoftirqd (kernel/softirq.c:479 kernel/softirq.c:1064)
[ 94.773521][T11104] smpboot_thread_fn (kernel/smpboot.c:?)
[ 94.773957][T11104] kthread (kernel/kthread.c:464)
[ 94.774326][T11104] ret_from_fork (arch/x86/kernel/process.c:?)
[ 94.774743][T11104] ret_from_fork_asm (arch/x86/entry/entry_64.S:255)
[ 94.775182][T11104]
[ 94.775400][T11104] The buggy address belongs to the object at ffff888179287000
[ 94.775400][T11104] which belongs to the cache cred of size 184
[ 94.776561][T11104] The buggy address is located 0 bytes inside of
[ 94.776561][T11104] freed 184-byte region [ffff888179287000, ffff8881792870b8)
[ 94.777744][T11104]
[ 94.777962][T11104] The buggy address belongs to the physical page:
[ 94.778530][T11104] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x179287
[ 94.779315][T11104] memcg:ffff88812822b701
[ 94.779696][T11104] flags: 0x17ff00000000000(node=0|zone=2|lastcpupid=0x7ff)
[ 94.780337][T11104] page_type: f5(slab)
[ 94.780701][T11104] raw: 017ff00000000000 ffff8881012983c0 dead000000000122 0000000000000000
[ 94.781468][T11104] raw: 0000000000000000 0000000000100010 00000000f5000000 ffff88812822b701
[ 94.782227][T11104] page dumped because: kasan: bad access detected
[ 94.782805][T11104] page_owner tracks the page as allocated
[ 94.783326][T11104] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 13
[ 94.785029][T11104] post_alloc_hook (./include/linux/page_owner.h:? mm/page_alloc.c:1850)
[ 94.785469][T11104] get_page_from_freelist (mm/page_alloc.c:? mm/page_alloc.c:3884)
[ 94.785973][T11104] __alloc_frozen_pages_noprof (mm/page_alloc.c:5183)
[ 94.786506][T11104] alloc_pages_mpol (mm/mempolicy.c:2416)
[ 94.786967][T11104] allocate_slab (mm/slub.c:3055 mm/slub.c:3228)
[ 94.787382][T11104] ___slab_alloc (mm/slub.c:3282 mm/slub.c:4651)
[ 94.787812][T11104] __slab_alloc (mm/slub.c:4770)
[ 94.788223][T11104] kmem_cache_alloc_noprof (mm/slub.c:4846 mm/slub.c:5268 mm/slub.c:5287)
[ 94.788720][T11104] prepare_kernel_cred (kernel/cred.c:588)
[ 94.789179][T11104] call_usermodehelper_exec_async (kernel/umh.c:89)
[ 94.789713][T11104] ret_from_fork (arch/x86/kernel/process.c:?)
[ 94.790119][T11104] ret_from_fork_asm (arch/x86/entry/entry_64.S:255)
[ 94.790544][T11104] page last free pid 24 tgid 24 stack trace:
[ 94.791088][T11104] __free_frozen_pages (./include/linux/page_owner.h:? mm/page_alloc.c:1394 mm/page_alloc.c:2906)
[ 94.791570][T11104] vfree (mm/vmalloc.c:3441)
[ 94.791935][T11104] delayed_vfree_work (mm/vmalloc.c:3358)
[ 94.792383][T11104] process_scheduled_works (kernel/workqueue.c:? kernel/workqueue.c:3346)
[ 94.792889][T11104] worker_thread (./include/linux/list.h:381 kernel/workqueue.c:952 kernel/workqueue.c:3428)
[ 94.793316][T11104] kthread (kernel/kthread.c:464)
[ 94.793692][T11104] ret_from_fork (arch/x86/kernel/process.c:?)
[ 94.794118][T11104] ret_from_fork_asm (arch/x86/entry/entry_64.S:255)
[ 94.794560][T11104]
[ 94.794781][T11104] Memory state around the buggy address:
[ 94.795294][T11104] ffff888179286f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 94.796012][T11104] ffff888179286f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 94.796740][T11104] >ffff888179287000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 94.797465][T11104] ^
[ 94.797838][T11104] ffff888179287080: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
[ 94.798569][T11104] ffff888179287100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 94.799303][T11104] ==================================================================
[ 94.822447][T11104] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 94.823128][T11104] CPU: 1 UID: 0 PID: 11104 Comm: syz.0.20 Not tainted 6.18.0-rc3-dirty #5 PREEMPT(full)
[ 94.823974][T11104] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[ 94.824758][T11104] Call Trace:
[ 94.825050][T11104] <TASK>
[ 94.825310][T11104] dump_stack_lvl (lib/dump_stack.c:122)
[ 94.825729][T11104] ? __pfx_dump_stack_lvl (lib/dump_stack.c:104)
[ 94.826183][T11104] ? __pfx__printk (kernel/printk/printk.c:2443)
[ 94.826668][T11104] ? panic_try_start (kernel/panic.c:315)
[ 94.827105][T11104] ? vscnprintf (lib/vsprintf.c:2997)
[ 94.827483][T11104] vpanic (kernel/panic.c:?)
[ 94.827835][T11104] ? __pfx_vpanic (kernel/panic.c:429)
[ 94.828228][T11104] ? lockdep_hardirqs_on (kernel/locking/lockdep.c:4472)
[ 94.828697][T11104] panic (??:?)
[ 94.829034][T11104] ? __pfx_panic (kernel/panic.c:622)
[ 94.829431][T11104] ? _raw_spin_unlock_irqrestore (./include/linux/spinlock_api_smp.h:152 kernel/locking/spinlock.c:194)
[ 94.829959][T11104] ? check_panic_on_warn (kernel/panic.c:375)
[ 94.830404][T11104] check_panic_on_warn (kernel/panic.c:380)
[ 94.830853][T11104] ? gfs2_hole_size (fs/gfs2/bmap.c:562 fs/gfs2/bmap.c:500 fs/gfs2/bmap.c:592)
[ 94.831303][T11104] end_report (mm/kasan/report.c:228)
[ 94.831686][T11104] kasan_report (mm/kasan/report.c:?)
[ 94.832091][T11104] ? gfs2_hole_size (fs/gfs2/bmap.c:562 fs/gfs2/bmap.c:500 fs/gfs2/bmap.c:592)
[ 94.832526][T11104] gfs2_hole_size (fs/gfs2/bmap.c:562 fs/gfs2/bmap.c:500 fs/gfs2/bmap.c:592)
[ 94.832953][T11104] ? __pfx_gfs2_hole_size (fs/gfs2/bmap.c:586)
[ 94.833410][T11104] ? __pfx_gfs2_meta_buffer (fs/gfs2/meta_io.c:488)
[ 94.833895][T11104] ? __fillup_metapath (fs/gfs2/bmap.c:?)
[ 94.834352][T11104] __gfs2_iomap_get (fs/gfs2/bmap.c:?)
[ 94.834796][T11104] ? __pfx___gfs2_iomap_get (fs/gfs2/bmap.c:843)
[ 94.835277][T11104] ? __lock_acquire (kernel/locking/lockdep.c:?)
[ 94.835711][T11104] gfs2_iomap_begin (fs/gfs2/bmap.c:1109)
[ 94.836147][T11104] ? percpu_ref_get_many (./include/linux/rcupdate.h:331 ./include/linux/rcupdate.h:867 ./include/linux/percpu-refcount.h:202)
[ 94.836601][T11104] ? __pfx_gfs2_iomap_begin (fs/gfs2/bmap.c:1100)
[ 94.837064][T11104] ? __memcg_slab_post_alloc_hook (mm/slab.h:536 mm/memcontrol.c:3194)
[ 94.837594][T11104] iomap_iter (fs/iomap/iter.c:108)
[ 94.837975][T11104] ? __pfx_gfs2_iomap_begin (fs/gfs2/bmap.c:1100)
[ 94.838442][T11104] iomap_readahead (fs/iomap/buffered-io.c:543)
[ 94.838869][T11104] ? __lock_acquire (kernel/locking/lockdep.c:?)
[ 94.839300][T11104] ? __pfx_iomap_readahead (fs/iomap/buffered-io.c:531)
[ 94.839758][T11104] ? __folio_batch_add_and_move (mm/swap.c:?)
[ 94.840267][T11104] ? blk_start_plug (block/blk-core.c:1137 block/blk-core.c:1175)
[ 94.840681][T11104] read_pages (mm/readahead.c:165)
[ 94.841065][T11104] ? folio_add_lru (mm/swap.c:?)
[ 94.841480][T11104] ? filemap_add_folio (mm/filemap.c:?)
[ 94.841927][T11104] ? __pfx_read_pages (mm/readahead.c:150)
[ 94.842355][T11104] page_cache_ra_unbounded (mm/readahead.c:?)
[ 94.842839][T11104] filemap_get_pages (mm/filemap.c:2639)
[ 94.843291][T11104] ? gfs2_glock_dq_uninit (./fs/gfs2/glock.h:286 fs/gfs2/glock.c:1289 fs/gfs2/glock.c:1709)
[ 94.843753][T11104] ? __pfx_filemap_get_pages (mm/filemap.c:2612)
[ 94.844232][T11104] ? rcu_read_lock_any_held (kernel/rcu/update.c:388)
[ 94.844706][T11104] ? __pfx_rcu_read_lock_any_held (kernel/rcu/update.c:381)
[ 94.845222][T11104] ? __pfx___might_resched (kernel/sched/core.c:8882)
[ 94.845685][T11104] filemap_read (mm/filemap.c:2748)
[ 94.846096][T11104] ? __pfx_filemap_read (mm/filemap.c:2713)
[ 94.846539][T11104] ? generic_file_read_iter (mm/filemap.c:?)
[ 94.847020][T11104] ? inode_go_held (fs/gfs2/glops.c:?)
[ 94.847434][T11104] gfs2_file_read_iter (fs/gfs2/file.c:989)
[ 94.847883][T11104] ? __pfx_gfs2_file_read_iter (fs/gfs2/file.c:950)
[ 94.848371][T11104] ? __kernel_read (fs/read_write.c:530)
[ 94.848786][T11104] ? kasan_save_track (./arch/x86/include/asm/current.h:25 mm/kasan/common.c:69 mm/kasan/common.c:78)
[ 94.849208][T11104] ? kasan_save_track (mm/kasan/common.c:57 mm/kasan/common.c:77)
[ 94.849631][T11104] ? __kasan_kmalloc (mm/kasan/common.c:421)
[ 94.850050][T11104] ? ima_calc_file_hash (./include/linux/slab.h:? ./include/linux/slab.h:1094 security/integrity/ima/ima_crypto.c:473 security/integrity/ima/ima_crypto.c:511 security/integrity/ima/ima_crypto.c:568)
[ 94.850515][T11104] ? iov_iter_kvec (lib/iov_iter.c:683)
[ 94.850933][T11104] __kernel_read (fs/read_write.c:530)
[ 94.851338][T11104] ? __pfx___kernel_read (fs/read_write.c:507)
[ 94.851787][T11104] integrity_kernel_read (security/integrity/iint.c:28)
[ 94.852241][T11104] ? __pfx_integrity_kernel_read (security/integrity/iint.c:27)
[ 94.852746][T11104] ? __kmalloc_cache_noprof (./include/linux/kasan.h:? mm/slub.c:5763)
[ 94.853225][T11104] ? ima_calc_file_hash (./include/linux/slab.h:? ./include/linux/slab.h:1094 security/integrity/ima/ima_crypto.c:473 security/integrity/ima/ima_crypto.c:511 security/integrity/ima/ima_crypto.c:568)
[ 94.853690][T11104] ? __asan_memcpy (mm/kasan/shadow.c:105)
[ 94.854093][T11104] ima_calc_file_hash (security/integrity/ima/ima_crypto.c:480 security/integrity/ima/ima_crypto.c:511 security/integrity/ima/ima_crypto.c:568)
[ 94.854550][T11104] ? __lock_acquire (kernel/locking/lockdep.c:?)
[ 94.854990][T11104] ? __pfx_ima_calc_file_hash (security/integrity/ima/ima_crypto.c:532)
[ 94.855476][T11104] ? gfs2_getattr (fs/gfs2/inode.c:?)
[ 94.855886][T11104] ? __pfx_gfs2_getattr (fs/gfs2/inode.c:2136)
[ 94.856318][T11104] ? do_raw_spin_lock (./arch/x86/include/asm/atomic.h:107 ./include/linux/atomic/atomic-arch-fallback.h:2170 ./include/linux/atomic/atomic-instrumented.h:1302 ./include/asm-generic/qspinlock.h:111 kernel/locking/spinlock_debug.c:116)
[ 94.856752][T11104] ima_collect_measurement (security/integrity/ima/ima_api.c:?)
[ 94.857220][T11104] ? lockref_put_or_lock (lib/lockref.c:119)
[ 94.857664][T11104] ? __pfx_ima_collect_measurement (security/integrity/ima/ima_api.c:244)
[ 94.858177][T11104] ? gfs2_xattr_get (fs/gfs2/xattr.c:?)
[ 94.858598][T11104] ? __pfx_gfs2_xattr_get (fs/gfs2/xattr.c:610)
[ 94.859052][T11104] ? __mutex_lock (./arch/x86/include/asm/preempt.h:104 kernel/locking/mutex.c:608 kernel/locking/mutex.c:760)
[ 94.859473][T11104] ? __pfx_ima_get_hash_algo (security/integrity/ima/ima_appraise.c:181)
[ 94.859940][T11104] process_measurement (security/integrity/ima/ima_main.c:405)
[ 94.860396][T11104] ? __pfx_process_measurement (security/integrity/ima/ima_main.c:239)
[ 94.860878][T11104] ? do_raw_spin_unlock (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/atomic/atomic-instrumented.h:33 ./include/asm-generic/qspinlock.h:57 kernel/locking/spinlock_debug.c:101 kernel/locking/spinlock_debug.c:141)
[ 94.861323][T11104] ? __pfx_gfs2_open (fs/gfs2/file.c:676)
[ 94.861738][T11104] ? do_raw_spin_unlock (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/atomic/atomic-instrumented.h:33 ./include/asm-generic/qspinlock.h:57 kernel/locking/spinlock_debug.c:101 kernel/locking/spinlock_debug.c:141)
[ 94.862179][T11104] ? fsnotify_open_perm_and_set_mode (./include/linux/fs.h:3233 fs/notify/fsnotify.c:681)
[ 94.862719][T11104] ? apparmor_current_getlsmprop_subj (security/apparmor/lsm.c:997)
[ 94.863274][T11104] ima_file_check (security/integrity/ima/ima_main.c:633)
[ 94.863676][T11104] ? __pfx_ima_file_check (security/integrity/ima/ima_main.c:629)
[ 94.864126][T11104] security_file_post_open (security/security.c:3199)
[ 94.864590][T11104] path_openat (fs/namei.c:3977 fs/namei.c:4134)
[ 94.864996][T11104] ? __pfx_stack_trace_save (kernel/stacktrace.c:114)
[ 94.865461][T11104] ? stack_depot_save_flags (lib/stackdepot.c:659)
[ 94.865936][T11104] ? kasan_save_track (./arch/x86/include/asm/current.h:25 mm/kasan/common.c:69 mm/kasan/common.c:78)
[ 94.866357][T11104] ? getname_flags (fs/namei.c:147)
[ 94.866768][T11104] ? __pfx_path_openat (fs/namei.c:4116)
[ 94.867213][T11104] do_filp_open (fs/namei.c:4162)
[ 94.867611][T11104] ? __pfx_do_filp_open (fs/namei.c:4155)
[ 94.868051][T11104] ? do_raw_spin_lock (./arch/x86/include/asm/atomic.h:107 ./include/linux/atomic/atomic-arch-fallback.h:2170 ./include/linux/atomic/atomic-instrumented.h:1302 ./include/asm-generic/qspinlock.h:111 kernel/locking/spinlock_debug.c:116)
[ 94.868494][T11104] do_sys_openat2 (fs/open.c:1437)
[ 94.868905][T11104] ? __pfx_do_sys_openat2 (fs/open.c:1422)
[ 94.869359][T11104] __x64_sys_openat (fs/open.c:1463)
[ 94.869784][T11104] ? __pfx___x64_sys_openat (fs/open.c:1463)
[ 94.870250][T11104] ? do_syscall_64 (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:119 ./include/linux/entry-common.h:124 arch/x86/entry/syscall_64.c:90)
[ 94.870661][T11104] do_syscall_64 (arch/x86/entry/syscall_64.c:?)
[ 94.871066][T11104] ? entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
[ 94.871589][T11104] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
[ 94.872099][T11104] RIP: 0033:0x7fde1afae49d
[ 94.872493][T11104] Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 8
Code starting with the faulting instruction
===========================================
0: 02 b8 ff ff ff ff add -0x1(%rax),%bh
6: c3 ret
7: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1)
d: f3 0f 1e fa endbr64
11: 48 89 f8 mov %rdi,%rax
14: 48 89 f7 mov %rsi,%rdi
17: 48 89 d6 mov %rdx,%rsi
1a: 48 89 ca mov %rcx,%rdx
1d: 4d 89 c2 mov %r8,%r10
20: 4d 89 c8 mov %r9,%r8
23: 4c 8b 4c 24 08 mov 0x8(%rsp),%r9
28: 0f 08 invd
[ 94.874114][T11104] RSP: 002b:00007fde1bdecf98 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
[ 94.874828][T11104] RAX: ffffffffffffffda RBX: 00007fde1b225fa0 RCX: 00007fde1afae49d
[ 94.875492][T11104] RDX: 0000000000000000 RSI: 0000200000000080 RDI: ffffffffffffff9c
[ 94.876147][T11104] RBP: 00007fde1b048268 R08: 0000000000000000 R09: 0000000000000000
[ 94.876808][T11104] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 94.877479][T11104] R13: 00007fde1b226038 R14: 00007fde1b225fa0 R15: 00007fde1bdcd000
[ 94.878154][T11104] </TASK>
[ 94.878623][T11104] Kernel Offset: disabled
Best,
Shuangpeng
Download attachment "ATT96590.config" of type "application/octet-stream" (276055 bytes)
Download attachment "repro.c" of type "application/octet-stream" (2 bytes)