syzbot


KASAN: slab-use-after-free Read in hfs_bnode_unhash

Status: auto-obsoleted due to no activity on 2024/03/22 10:02
Subsystems: hfs
Reported-by: syzbot+90e53b7760e544d1ce6a@syzkaller.appspotmail.com
First crash: 280d, last: 280d
Similar bugs (1):
  Kernel: upstream
  Title: KASAN: slab-use-after-free Read in hfs_bnode_unhash (2)
  Subsystems: hfs
  Repro: none
  Cause bisect: none
  Fix bisect: none
  Count: 1
  Last: 108d
  Reported: 104d
  Patched: 0/28
  Status: auto-obsoleted due to no activity on 2024/09/10 06:09

Sample crash report:
==================================================================
BUG: KASAN: slab-use-after-free in hfs_bnode_unhash+0x1ba/0x1f0 fs/hfs/bnode.c:308
Read of size 8 at addr ffff888052fa1300 by task kswapd0/108

CPU: 0 PID: 108 Comm: kswapd0 Not tainted 6.7.0-rc6-syzkaller-00248-g5254c0cbc92d #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:364 [inline]
 print_report+0xc4/0x620 mm/kasan/report.c:475
 kasan_report+0xda/0x110 mm/kasan/report.c:588
 hfs_bnode_unhash+0x1ba/0x1f0 fs/hfs/bnode.c:308
 hfs_release_folio+0x429/0x570 fs/hfs/inode.c:122
 filemap_release_folio+0x1f1/0x270 mm/filemap.c:4076
 shrink_folio_list+0x2991/0x3f00 mm/vmscan.c:1368
 evict_folios+0x6e7/0x1b90 mm/vmscan.c:4499
 try_to_shrink_lruvec+0x638/0xa10 mm/vmscan.c:4704
 shrink_one+0x3e6/0x7a0 mm/vmscan.c:4743
 shrink_many mm/vmscan.c:4808 [inline]
 lru_gen_shrink_node mm/vmscan.c:4923 [inline]
 shrink_node+0x211c/0x3710 mm/vmscan.c:5863
 kswapd_shrink_node mm/vmscan.c:6668 [inline]
 balance_pgdat+0x9d2/0x1a90 mm/vmscan.c:6858
 kswapd+0x5be/0xbf0 mm/vmscan.c:7118
 kthread+0x2c6/0x3a0 kernel/kthread.c:388
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
 </TASK>

Allocated by task 30481:
 kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 ____kasan_kmalloc mm/kasan/common.c:374 [inline]
 __kasan_kmalloc+0xa2/0xb0 mm/kasan/common.c:383
 kasan_kmalloc include/linux/kasan.h:198 [inline]
 __do_kmalloc_node mm/slab_common.c:1007 [inline]
 __kmalloc+0x59/0x90 mm/slab_common.c:1020
 kmalloc include/linux/slab.h:604 [inline]
 kzalloc include/linux/slab.h:721 [inline]
 __hfs_bnode_create+0x108/0x850 fs/hfs/bnode.c:259
 hfs_bnode_find+0x2cf/0xcb0 fs/hfs/bnode.c:335
 hfs_brec_find+0x2af/0x510 fs/hfs/bfind.c:126
 hfs_brec_read+0x26/0x120 fs/hfs/bfind.c:165
 hfs_lookup+0x205/0x320 fs/hfs/dir.c:32
 lookup_open.isra.0+0x926/0x13b0 fs/namei.c:3455
 open_last_lookups fs/namei.c:3546 [inline]
 path_openat+0x922/0x2c50 fs/namei.c:3776
 do_filp_open+0x1de/0x430 fs/namei.c:3809
 do_sys_openat2+0x176/0x1e0 fs/open.c:1437
 do_sys_open fs/open.c:1452 [inline]
 __do_sys_creat fs/open.c:1528 [inline]
 __se_sys_creat fs/open.c:1522 [inline]
 __ia32_sys_creat+0xcc/0x120 fs/open.c:1522
 do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline]
 __do_fast_syscall_32+0x62/0xe0 arch/x86/entry/common.c:321
 do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:346
 entry_SYSENTER_compat_after_hwframe+0x70/0x7a

Freed by task 31584:
 kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:522
 ____kasan_slab_free mm/kasan/common.c:236 [inline]
 ____kasan_slab_free+0x15b/0x1b0 mm/kasan/common.c:200
 kasan_slab_free include/linux/kasan.h:164 [inline]
 slab_free_hook mm/slub.c:1800 [inline]
 slab_free_freelist_hook+0x114/0x1e0 mm/slub.c:1826
 slab_free mm/slub.c:3809 [inline]
 __kmem_cache_free+0xc0/0x180 mm/slub.c:3822
 hfs_btree_close+0xac/0x390 fs/hfs/btree.c:154
 hfs_mdb_put+0xbf/0x380 fs/hfs/mdb.c:360
 generic_shutdown_super+0x161/0x3d0 fs/super.c:696
 kill_block_super+0x3b/0x90 fs/super.c:1667
 deactivate_locked_super+0xbc/0x1a0 fs/super.c:484
 deactivate_super+0xde/0x100 fs/super.c:517
 cleanup_mnt+0x222/0x450 fs/namespace.c:1256
 task_work_run+0x14d/0x240 kernel/task_work.c:180
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
 exit_to_user_mode_prepare+0x217/0x240 kernel/entry/common.c:204
 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
 syscall_exit_to_user_mode+0x1e/0x60 kernel/entry/common.c:296
 __do_fast_syscall_32+0x6f/0xe0 arch/x86/entry/common.c:324
 do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:346
 entry_SYSENTER_compat_after_hwframe+0x70/0x7a

The buggy address belongs to the object at ffff888052fa1300
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 0 bytes inside of
 freed 192-byte region [ffff888052fa1300, ffff888052fa13c0)

The buggy address belongs to the physical page:
page:ffffea00014be840 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x52fa1
flags: 0x4fff00000000800(slab|node=1|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 04fff00000000800 ffff888013042a00 dead000000000100 dead000000000122
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 15673, tgid 15671 (syz-executor.1), ts 882213308524, free_ts 881475117963
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x2d0/0x350 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1544 [inline]
 get_page_from_freelist+0xa25/0x36d0 mm/page_alloc.c:3312
 __alloc_pages+0x22e/0x2420 mm/page_alloc.c:4568
 alloc_pages_mpol+0x258/0x5f0 mm/mempolicy.c:2133
 alloc_slab_page mm/slub.c:1870 [inline]
 allocate_slab mm/slub.c:2017 [inline]
 new_slab+0x283/0x3c0 mm/slub.c:2070
 ___slab_alloc+0x979/0x1500 mm/slub.c:3223
 __slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3322
 __slab_alloc_node mm/slub.c:3375 [inline]
 slab_alloc_node mm/slub.c:3468 [inline]
 __kmem_cache_alloc_node+0x131/0x310 mm/slub.c:3517
 kmalloc_trace+0x25/0x60 mm/slab_common.c:1098
 kmalloc include/linux/slab.h:600 [inline]
 __iomap_dio_rw+0x2a7/0x1bc0 fs/iomap/direct-io.c:563
 iomap_dio_rw+0x40/0xa0 fs/iomap/direct-io.c:748
 ext4_dio_read_iter fs/ext4/file.c:94 [inline]
 ext4_file_read_iter+0x4dd/0x6c0 fs/ext4/file.c:145
 call_read_iter include/linux/fs.h:2014 [inline]
 copy_splice_read+0x418/0x8f0 fs/splice.c:364
 vfs_splice_read fs/splice.c:992 [inline]
 vfs_splice_read+0x2ea/0x3b0 fs/splice.c:962
 splice_direct_to_actor+0x2a5/0xa30 fs/splice.c:1069
 do_splice_direct+0x1af/0x280 fs/splice.c:1194
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1137 [inline]
 free_unref_page_prepare+0x4fa/0xaa0 mm/page_alloc.c:2347
 free_unref_page+0x33/0x3b0 mm/page_alloc.c:2487
 __folio_put_small mm/swap.c:106 [inline]
 __folio_put+0xc3/0x110 mm/swap.c:129
 folio_put include/linux/mm.h:1483 [inline]
 put_page include/linux/mm.h:1552 [inline]
 free_page_and_swap_cache+0x25a/0x2d0 mm/swap_state.c:304
 __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline]
 __tlb_remove_table_free mm/mmu_gather.c:154 [inline]
 tlb_remove_table_rcu+0x89/0xe0 mm/mmu_gather.c:209
 rcu_do_batch kernel/rcu/tree.c:2158 [inline]
 rcu_core+0x819/0x1680 kernel/rcu/tree.c:2431
 __do_softirq+0x21a/0x8de kernel/softirq.c:553

Memory state around the buggy address:
 ffff888052fa1200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888052fa1280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff888052fa1300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff888052fa1380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff888052fa1400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (1):
  Time: 2023/12/23 10:01
  Kernel: upstream
  Commit: 5254c0cbc92d
  Syzkaller: fb427a07
  Config: .config
  Log: console log
  Report: report
  Syz repro: none
  C repro: none
  VM info: info
  Assets: disk image (non-bootable), vmlinux, kernel image
  Manager: ci-qemu-upstream-386
  Title: KASAN: slab-use-after-free Read in hfs_bnode_unhash