syzbot
KASAN: use-after-free Read in btrfs_scan_one_device

Status: fixed on 2021/03/10 01:49
Reported-by: syzbot+582e66e5edf36a22c7b0@syzkaller.appspotmail.com
Fix commit: 0697d9a61099 btrfs: don't access possibly stale fs_info data for printing duplicate device
First crash: 653d, last: 583d

Cause bisection: failed (bisect log)
Similar bugs (2):
Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status
linux-4.19 | KASAN: use-after-free Read in btrfs_scan_one_device | C | done | | 43 | 577d | 653d | 1/1 | fixed on 2020/12/31 01:42
upstream | KASAN: use-after-free Read in btrfs_scan_one_device (2) | C | | | 2 | 124d | 120d | 21/22 | upstream: reported C repro on 2022/03/03 10:35
Patch testing requests:
Created | Duration | User | Patch | Repo | Result
2020/10/18 12:52 | 13m | foxhlchen@gmail.com | | upstream | report log
2020/10/12 18:55 | 17m | rkovhaev@gmail.com | patch | upstream | OK
2020/10/11 16:11 | 10m | rkovhaev@gmail.com | | upstream | report log
2020/10/11 15:57 | 9m | rkovhaev@gmail.com | | upstream | report log

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in btrfs_printk+0x421/0x46b fs/btrfs/super.c:245
Read of size 8 at addr ffff8880125d86a0 by task systemd-udevd/8840

CPU: 0 PID: 8840 Comm: systemd-udevd Not tainted 5.10.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x137/0x1be lib/dump_stack.c:118
 print_address_description+0x6c/0x660 mm/kasan/report.c:385
 __kasan_report mm/kasan/report.c:545 [inline]
 kasan_report+0x136/0x1e0 mm/kasan/report.c:562
 btrfs_printk+0x421/0x46b fs/btrfs/super.c:245
 device_list_add+0x1a94/0x1d60 fs/btrfs/volumes.c:943
 btrfs_scan_one_device+0x2e1/0x460 fs/btrfs/volumes.c:1366
 btrfs_control_ioctl+0xd1/0x210 fs/btrfs/super.c:2327
 vfs_ioctl fs/ioctl.c:48 [inline]
 __do_sys_ioctl fs/ioctl.c:753 [inline]
 __se_sys_ioctl+0xfb/0x170 fs/ioctl.c:739
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f7f3d4fc017
Code: 00 00 00 48 8b 05 81 7e 2b 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 51 7e 2b 00 f7 d8 64 89 01 48
RSP: 002b:00007ffce37aa1d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7f3d4fc017
RDX: 00007ffce37aa1f0 RSI: 0000000090009427 RDI: 000000000000000f
RBP: 00007ffce37aa1f0 R08: 0000000000000000 R09: 0000000000000210
R10: 0000000000000001 R11: 0000000000000246 R12: 000000000000000f
R13: 0000000000000000 R14: 0000563cd0a326d0 R15: 0000563cd0a21060

The buggy address belongs to the page:
page:00000000af59a781 refcount:1 mapcount:0 mapping:0000000014b997b1 index:0x12 pfn:0x125d8
aops:def_blk_aops ino:0
flags: 0xfff00000020016(referenced|uptodate|lru|mappedtodisk)
raw: 00fff00000020016 ffffea00004e33c8 ffffea0000497648 ffff888142ad2b00
raw: 0000000000000012 0000000000000000 00000001ffffffff ffff8880110f0000
page dumped because: kasan: bad access detected
page->mem_cgroup:ffff8880110f0000

Memory state around the buggy address:
 ffff8880125d8580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880125d8600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880125d8680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                               ^
 ffff8880125d8700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880125d8780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
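The register dump pins down which /dev/btrfs-control command reached btrfs_control_ioctl: RSI holds the ioctl request word, 0x90009427, and RDI the file descriptor (0xf). The program below is an added example, not code from the syzbot report or from the kernel: it decodes a request word with the Linux _IOC bit layout (direction, argument size, type byte, command number) and names the two btrfs-control commands that call btrfs_scan_one_device. The constants are taken from include/uapi/linux/btrfs.h (BTRFS_IOCTL_MAGIC 0x94, SCAN_DEV nr 4, DEVICES_READY nr 39) and the argument size is sizeof(struct btrfs_ioctl_vol_args), 4096 bytes; the TCGETS word used as a negative case in the usage note is a constructed input.

```c
/* Added example: decode a Linux ioctl request word (the RSI value in the
 * register dump of the report above) into its _IOC fields, and map the
 * btrfs-control commands that reach btrfs_scan_one_device back to names.
 * Not part of the syzbot page or of the kernel source. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bit layout of include/uapi/asm-generic/ioctl.h (x86-64 uses these widths). */
#define IOC_NRBITS    8
#define IOC_TYPEBITS  8
#define IOC_SIZEBITS  14
#define IOC_DIRBITS   2

#define IOC_NRSHIFT   0
#define IOC_TYPESHIFT (IOC_NRSHIFT + IOC_NRBITS)      /* 8  */
#define IOC_SIZESHIFT (IOC_TYPESHIFT + IOC_TYPEBITS)  /* 16 */
#define IOC_DIRSHIFT  (IOC_SIZESHIFT + IOC_SIZEBITS)  /* 30 */

#define IOC_NONE  0U
#define IOC_WRITE 1U   /* userspace writes the argument into the kernel */
#define IOC_READ  2U   /* kernel writes the argument back to userspace */

struct ioc_fields {
    unsigned dir;   /* IOC_NONE, IOC_WRITE, IOC_READ or IOC_READ|IOC_WRITE */
    unsigned type;  /* driver "magic" byte; 0x94 is BTRFS_IOCTL_MAGIC */
    unsigned nr;    /* command number within that driver */
    unsigned size;  /* size of the argument struct, 14 bits */
};

/* Split a request word into its four fields (inverse of the kernel's _IOC). */
struct ioc_fields ioc_decode(uint32_t cmd)
{
    struct ioc_fields f;
    f.dir  = (cmd >> IOC_DIRSHIFT)  & ((1U << IOC_DIRBITS) - 1);
    f.size = (cmd >> IOC_SIZESHIFT) & ((1U << IOC_SIZEBITS) - 1);
    f.type = (cmd >> IOC_TYPESHIFT) & ((1U << IOC_TYPEBITS) - 1);
    f.nr   = (cmd >> IOC_NRSHIFT)   & ((1U << IOC_NRBITS) - 1);
    return f;
}

/* Rebuild a request word from its fields; equivalent to the kernel's _IOC(). */
uint32_t ioc_encode(unsigned dir, unsigned type, unsigned nr, unsigned size)
{
    return (dir << IOC_DIRSHIFT) | (size << IOC_SIZESHIFT) |
           (type << IOC_TYPESHIFT) | (nr << IOC_NRSHIFT);
}

#define BTRFS_IOCTL_MAGIC          0x94
/* sizeof(struct btrfs_ioctl_vol_args): __s64 fd followed by char name[4088]. */
#define BTRFS_IOCTL_VOL_ARGS_SIZE  4096

/* The /dev/btrfs-control commands that btrfs_control_ioctl forwards to
 * btrfs_scan_one_device. Returns NULL for anything else. */
const char *btrfs_scan_cmd_name(struct ioc_fields f)
{
    if (f.type != BTRFS_IOCTL_MAGIC || f.size != BTRFS_IOCTL_VOL_ARGS_SIZE)
        return NULL;
    switch (f.nr) {
    case 4:  return "BTRFS_IOC_SCAN_DEV";      /* _IOW(0x94, 4,  vol_args) */
    case 39: return "BTRFS_IOC_DEVICES_READY"; /* _IOR(0x94, 39, vol_args) */
    default: return NULL;
    }
}

int main(void)
{
    uint32_t cmd = 0x90009427U;  /* RSI in the report's register dump */
    struct ioc_fields f = ioc_decode(cmd);
    const char *name = btrfs_scan_cmd_name(f);

    printf("cmd 0x%08x: dir=%u type=0x%02x nr=%u size=%u -> %s\n",
           cmd, f.dir, f.type, f.nr, f.size, name ? name : "not a btrfs scan ioctl");
    return 0;
}
```

Decoding 0x90009427 gives direction READ, type 0x94, number 39 and a 4096-byte argument, i.e. BTRFS_IOC_DEVICES_READY, which matches the reporting task being systemd-udevd (udev probes whether a multi-device btrfs is complete before exposing it) rather than a direct BTRFS_IOC_SCAN_DEV call. Feeding it a foreign word such as TCGETS (0x5401, type 'T') returns NULL, so the name lookup cannot be fooled by a matching command number under another magic byte.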

Crashes (70):
One row per crash: Manager, Time, Kernel tree, kernel Commit, Syzkaller commit, then the attached links (.config, log, report) followed by "syz C" where both a syzkaller and a C reproducer exist, or "info" where only VM info is attached.
ci-upstream-kasan-gce-smack-root 2020/11/06 20:30 upstream 521b619acdc8 64069d48 .config log report syz C
ci-upstream-kasan-gce-selinux-root 2020/11/06 19:11 upstream 521b619acdc8 64069d48 .config log report syz C
ci-upstream-kasan-gce-smack-root 2020/10/13 07:06 upstream bbf5c979011a d32b0bbf .config log report syz C
ci-upstream-kasan-gce-selinux-root 2020/10/12 11:57 upstream 3dd0130f2430 4a77ae0b .config log report syz C
ci-upstream-kasan-gce-root 2020/10/11 21:29 upstream da690031a5d6 4a77ae0b .config log report syz C
ci-upstream-kasan-gce-selinux-root 2020/10/11 19:34 upstream da690031a5d6 4a77ae0b .config log report syz C
ci-upstream-kasan-gce-smack-root 2020/10/11 07:35 upstream da690031a5d6 4a77ae0b .config log report syz C
ci-upstream-kasan-gce-selinux-root 2020/10/08 09:42 upstream c85fb28b6f99 1880b4a9 .config log report syz C
ci-upstream-kasan-gce-smack-root 2020/10/08 03:11 upstream c85fb28b6f99 1880b4a9 .config log report syz C
ci-upstream-kasan-gce-smack-root 2020/10/07 18:54 upstream c85fb28b6f99 1880b4a9 .config log report syz C
ci-upstream-kasan-gce-smack-root 2020/10/01 04:03 upstream 02de58b24d2e 8516f6d3 .config log report syz C
ci-upstream-kasan-gce-root 2020/10/01 03:13 upstream 02de58b24d2e 8516f6d3 .config log report syz C
ci-upstream-kasan-gce-smack-root 2020/09/30 11:27 upstream ccc1d052eff9 5abc3f1a .config log report syz C
ci-upstream-kasan-gce-root 2020/09/29 17:36 upstream fb0155a09b02 1b88c6d5 .config log report syz C
ci-upstream-kasan-gce-smack-root 2020/09/28 21:01 upstream a1b8638ba132 6bfdbe89 .config log report syz C
ci-upstream-kasan-gce-smack-root 2020/09/27 21:45 upstream eeddbe6841cd 5dd8aee8 .config log report syz C
ci-upstream-kasan-gce-selinux-root 2020/09/26 22:12 upstream 7c7ec3226f5f 2d5ea0cb .config log report syz C
ci-upstream-kasan-gce-smack-root 2020/09/26 21:59 upstream 7c7ec3226f5f 2d5ea0cb .config log report syz C
ci-upstream-kasan-gce-smack-root 2020/09/25 12:44 upstream 171d4ff79f96 54289b08 .config log report syz C
ci-upstream-kasan-gce-smack-root 2020/09/24 17:13 upstream c9c9e6a49f89 54289b08 .config log report syz C
ci-upstream-kasan-gce-smack-root 2020/09/24 01:58 upstream 805c6d3c1921 287cd75a .config log report syz C
ci-upstream-kasan-gce-smack-root 2020/09/21 05:37 upstream 325d0eab4f31 9564d2e9 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/11/02 03:55 linux-next 4e78c578cb98 8bc4594f .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/11/01 18:45 linux-next 4e78c578cb98 8bc4594f .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/11/01 05:43 linux-next 4e78c578cb98 8bc4594f .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2020/11/01 02:55 linux-next 4e78c578cb98 8bc4594f .config log report syz C
ci-upstream-kasan-gce-root 2020/11/25 13:02 upstream 127c501a03d5 1a1f4bd8 .config log report info
ci-upstream-kasan-gce-selinux-root 2020/11/24 23:26 upstream 80145ac2f739 e34b696c .config log report info
ci-upstream-kasan-gce-selinux-root 2020/11/21 08:35 upstream 27bba9c532a8 68068804 .config log report info
ci-upstream-kasan-gce-smack-root 2020/11/19 01:55 upstream c2e7554e1b85 0767f13f .config log report info
ci-upstream-kasan-gce-selinux-root 2020/11/16 14:29 upstream 09162bc32c88 1bf9a662 .config log report info
ci-upstream-kasan-gce-smack-root 2020/11/15 03:41 upstream e28c0d7c92c8 1bf9a662 .config log report info
ci-upstream-kasan-gce-selinux-root 2020/11/14 09:41 upstream f01c30de86f1 1bf9a662 .config log report info
ci-upstream-kasan-gce-root 2020/11/13 23:19 upstream 585e5b17b92d e1140d25 .config log report info
ci-upstream-kasan-gce-selinux-root 2020/11/11 10:40 upstream eccc87672492 cca87986 .config log report info
ci-upstream-kasan-gce-smack-root 2020/11/08 07:24 upstream 4429f14aeea9 64069d48 .config log report info
ci-upstream-kasan-gce-selinux-root 2020/11/02 02:02 upstream 3cea11cd5e3b 8bc4594f .config log report info
ci-upstream-kasan-gce-smack-root 2020/10/02 21:24 upstream 472e5b056f00 4969d6ca .config log report info
ci-upstream-kasan-gce-root 2020/09/30 21:34 upstream 02de58b24d2e 8516f6d3 .config log report info
ci-upstream-kasan-gce-smack-root 2020/09/30 01:40 upstream ccc1d052eff9 5abc3f1a .config log report info
ci-upstream-kasan-gce-root 2020/09/30 01:17 upstream ccc1d052eff9 5abc3f1a .config log report info
ci-upstream-kasan-gce-root 2020/09/29 10:04 upstream fb0155a09b02 1b88c6d5 .config log report info
ci-upstream-kasan-gce-selinux-root 2020/09/28 16:36 upstream a1b8638ba132 6bfdbe89 .config log report info
ci-upstream-kasan-gce-selinux-root 2020/09/28 14:45 upstream a1b8638ba132 6bfdbe89 .config log report info
ci-upstream-kasan-gce-smack-root 2020/09/28 13:49 upstream a1b8638ba132 6bfdbe89 .config log report info
ci-upstream-kasan-gce-smack-root 2020/09/28 04:20 upstream a1bffa48745a 5dd8aee8 .config log report info
ci-upstream-kasan-gce-smack-root 2020/09/26 11:32 upstream 7c7ec3226f5f 4a006f63 .config log report info
ci-upstream-kasan-gce-smack-root 2020/09/25 21:38 upstream 171d4ff79f96 4a006f63 .config log report info
ci-upstream-kasan-gce-root 2020/09/25 17:59 upstream 171d4ff79f96 4a006f63 .config log report info
ci-upstream-kasan-gce-selinux-root 2020/09/25 04:48 upstream 171d4ff79f96 54289b08 .config log report info
ci-upstream-kasan-gce-root 2020/09/23 22:20 upstream 805c6d3c1921 287cd75a .config log report info
ci-upstream-kasan-gce-smack-root 2020/09/23 16:22 upstream 805c6d3c1921 287cd75a .config log report info
ci-upstream-kasan-gce-smack-root 2020/09/23 06:27 upstream eff48ddeab78 3e8f6c27 .config log report info
ci-upstream-kasan-gce-smack-root 2020/09/23 06:25 upstream eff48ddeab78 3e8f6c27 .config log report info
ci-upstream-kasan-gce-smack-root 2020/09/22 01:54 upstream ba4f184e126b 9e1fa68e .config log report info
ci-upstream-kasan-gce-smack-root 2020/09/21 16:48 upstream ba4f184e126b 9e1fa68e .config log report info
ci-upstream-kasan-gce-smack-root 2020/09/21 16:21 upstream ba4f184e126b 9e1fa68e .config log report info
ci-upstream-kasan-gce-smack-root 2020/09/21 03:47 upstream 325d0eab4f31 9564d2e9 .config log report info
ci-upstream-kasan-gce-selinux-root 2020/09/20 00:35 upstream eb5f95f1593f 53ce8104 .config log report info
ci-upstream-kasan-gce-selinux-root 2020/09/20 00:33 upstream eb5f95f1593f 53ce8104 .config log report info
ci-upstream-kasan-gce-root 2020/09/19 00:37 upstream 10b82d517648 53ce8104 .config log report info
ci-upstream-kasan-gce-root 2020/09/17 01:32 upstream 5925fa68fe82 8247808b .config log report info
ci-upstream-kasan-gce-root 2020/09/16 14:06 upstream fc4f28bb3daf 18d7d030 .config log report info
ci-upstream-linux-next-kasan-gce-root 2020/11/02 16:17 linux-next b49976d8ef64 8bc4594f .config log report info
ci-upstream-linux-next-kasan-gce-root 2020/10/08 06:17 linux-next 8b787da7ba8c 1880b4a9 .config log report info
ci-upstream-linux-next-kasan-gce-root 2020/09/30 02:28 linux-next 49e7e3e905e4 5abc3f1a .config log report info
ci-upstream-linux-next-kasan-gce-root 2020/09/29 05:11 linux-next 663b07a45f97 1b88c6d5 .config log report info
ci-upstream-linux-next-kasan-gce-root 2020/09/24 20:33 linux-next d1d2220c7f39 54289b08 .config log report info
ci-upstream-linux-next-kasan-gce-root 2020/09/24 11:57 linux-next dcf2427baa64 54289b08 .config log report info
ci-upstream-linux-next-kasan-gce-root 2020/09/21 16:03 linux-next b10b8ad86211 9e1fa68e .config log report info