bisecting fixing commit since 521b619acdc8f1f5acdac15b84f81fd9515b2aff
building syzkaller on 64069d48f293e0be98d4a78a6f7be23861cc1e06
testing commit 521b619acdc8f1f5acdac15b84f81fd9515b2aff with gcc (GCC) 8.1.0
kernel signature: c3170a3c2f7882bae17ef50c24a30abf188753178215edddb274652cb4cacf0f
run #0: crashed: BUG: unable to handle kernel paging request in btrfs_scan_one_device
run #1: crashed: no output from test machine
run #2: crashed: no output from test machine
run #3: crashed: no output from test machine
run #4: crashed: no output from test machine
run #5: crashed: no output from test machine
run #6: crashed: no output from test machine
run #7: crashed: no output from test machine
run #8: basic kernel testing failed: failed to copy test binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/syzkaller/jobs/linux/workdir/image/key" "/tmp/syz-executor238714221" "root@10.128.0.157:./syz-executor238714221"]: exit status 1
ssh: connect to host 10.128.0.157 port 22: Connection timed out
lost connection
run #9: basic kernel testing failed: failed to copy test binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/syzkaller/jobs/linux/workdir/image/key" "/tmp/syz-executor572226024" "root@10.128.10.47:./syz-executor572226024"]: exit status 1
ssh: connect to host 10.128.10.47 port 22: Connection timed out
lost connection
testing current HEAD 0477e92881850d44910a7e94fc2c46f96faa131f
testing commit 0477e92881850d44910a7e94fc2c46f96faa131f with gcc (GCC) 8.1.0
kernel signature: 7327e427b4d3808b4205bbbce3b6a169b05e50425afbd7ab18e7b499fa093497
all runs: OK
# git bisect start 0477e92881850d44910a7e94fc2c46f96faa131f 521b619acdc8f1f5acdac15b84f81fd9515b2aff
Bisecting: 949 revisions left to test after this (roughly 10 steps)
[3be28e93cd88fbcbe97cabcbe92b1ccc9f830450] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma
testing commit 3be28e93cd88fbcbe97cabcbe92b1ccc9f830450 with gcc (GCC) 8.1.0
kernel signature: 48935f8a8e6e62a4ed74be4675629d480b00439eed5bef6a065134a77681d514
run #0: basic kernel testing failed: BUG: sleeping function called from invalid context in sta_info_move_state
run #1: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #2: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #3: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #4: crashed: BUG: sleeping function called from invalid context in sta_info_move_state
run #5: crashed: no output from test machine
run #6: crashed: no output from test machine
run #7: crashed: no output from test machine
run #8: crashed: no output from test machine
run #9: crashed: no output from test machine
# git bisect good 3be28e93cd88fbcbe97cabcbe92b1ccc9f830450
Bisecting: 471 revisions left to test after this (roughly 9 steps)
[d41e9b22eb871a7a7060964db9ce1ceb1c6e5b57] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma
testing commit d41e9b22eb871a7a7060964db9ce1ceb1c6e5b57 with gcc (GCC) 8.1.0
kernel signature: 929c9e1a17c2d7f5a164dd9f572bca137f2a68bfd174de51b112bc54359e93be
run #0: crashed: BUG: unable to handle kernel paging request in btrfs_scan_one_device
run #1: crashed: no output from test machine
run #2: crashed: no output from test machine
run #3: crashed: no output from test machine
run #4: crashed: no output from test machine
run #5: crashed: no output from test machine
run #6: crashed: no output from test machine
run #7: basic kernel testing failed: failed to copy test binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/syzkaller/jobs/linux/workdir/image/key" "/tmp/syz-executor302523542" "root@10.128.10.17:./syz-executor302523542"]: exit status 1
ssh: connect to host 10.128.10.17 port 22: Connection timed out
lost connection
run #8: basic kernel testing failed: failed to copy test binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/syzkaller/jobs/linux/workdir/image/key" "/tmp/syz-executor701500157" "root@10.128.10.55:./syz-executor701500157"]: exit status 1
ssh: connect to host 10.128.10.55 port 22: Connection timed out
lost connection
run #9: basic kernel testing failed: failed to copy test binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/syzkaller/jobs/linux/workdir/image/key" "/tmp/syz-executor228406328" "root@10.128.10.58:./syz-executor228406328"]: exit status 1
ssh: connect to host 10.128.10.58 port 22: Connection timed out
lost connection
# git bisect good d41e9b22eb871a7a7060964db9ce1ceb1c6e5b57
Bisecting: 239 revisions left to test after this (roughly 8 steps)
[2c6ffa9e9b11bdfa267fe05ad1e98d3491b4224f] Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost
testing commit 2c6ffa9e9b11bdfa267fe05ad1e98d3491b4224f with gcc (GCC) 8.1.0
kernel signature: 377124cb7b7e293c9f736fd59031cad093052c5728bd7add5621411b5da2aa51
all runs: OK
# git bisect bad 2c6ffa9e9b11bdfa267fe05ad1e98d3491b4224f
Bisecting: 102 revisions left to test after this (roughly 7 steps)
[303bc934722b53163bfb1c25da7db5d35c0e51b6] Merge tag 'arm-soc-fixes-v5.10-3' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
testing commit 303bc934722b53163bfb1c25da7db5d35c0e51b6 with gcc (GCC) 8.1.0
kernel signature: 652d5179371527c5b7385b3476f544ff864a65adb02e9b853aa2b1b3397b2e32
all runs: OK
# git bisect bad 303bc934722b53163bfb1c25da7db5d35c0e51b6
Bisecting: 63 revisions left to test after this (roughly 6 steps)
[a060133c2058bcc5bf2f82e1135ce76b4bc9865b] Merge branch 'devlink-port-attribute-fixes'
testing commit a060133c2058bcc5bf2f82e1135ce76b4bc9865b with gcc (GCC) 8.1.0
kernel signature: e222d576ec6be82ce89e369eb58f03fa18d1dc105078df715b28f9f48d678cab
run #0: crashed: BUG: unable to handle kernel paging request in btrfs_scan_one_device
run #1: crashed: no output from test machine
run #2: crashed: no output from test machine
run #3: crashed: no output from test machine
run #4: crashed: no output from test machine
run #5: crashed: no output from test machine
run #6: crashed: no output from test machine
run #7: crashed: no output from test machine
run #8: basic kernel testing failed: failed to copy test binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/syzkaller/jobs/linux/workdir/image/key" "/tmp/syz-executor272530736" "root@10.128.10.39:./syz-executor272530736"]: exit status 1
ssh: connect to host 10.128.10.39 port 22: Connection timed out
lost connection
run #9: basic kernel testing failed: failed to copy test binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/syzkaller/jobs/linux/workdir/image/key" "/tmp/syz-executor834476239" "root@10.128.15.200:./syz-executor834476239"]: exit status 1
ssh: connect to host 10.128.15.200 port 22: Connection timed out
lost connection
# git bisect good a060133c2058bcc5bf2f82e1135ce76b4bc9865b
Bisecting: 31 revisions left to test after this (roughly 5 steps)
[79c0c1f0389db60f3c83ec91585a39d16e036f21] Merge tag 'net-5.10-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
testing commit 79c0c1f0389db60f3c83ec91585a39d16e036f21 with gcc (GCC) 8.1.0
kernel signature: 652d5179371527c5b7385b3476f544ff864a65adb02e9b853aa2b1b3397b2e32
all runs: OK
# git bisect bad 79c0c1f0389db60f3c83ec91585a39d16e036f21
Bisecting: 16 revisions left to test after this (roughly 4 steps)
[9223e74f9960778bd3edd39e15edd5532708b7fb] Merge tag 'io_uring-5.10-2020-11-27' of git://git.kernel.dk/linux-block
testing commit 9223e74f9960778bd3edd39e15edd5532708b7fb with gcc (GCC) 8.1.0
kernel signature: e8754afd83ec146e4a85ec98387e9dbd410a246b10d343e9db0bdd5f61947dbf
all runs: OK
# git bisect bad 9223e74f9960778bd3edd39e15edd5532708b7fb
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[7aa6d359845a9dbf7ad90b0b1b6347ef4764621f] btrfs: do nofs allocations when adding and removing qgroup relations
testing commit 7aa6d359845a9dbf7ad90b0b1b6347ef4764621f with gcc (GCC) 8.1.0
kernel signature: 96ab6f4c2089eff1bc1bddf7024d1ff2d0ebf66473aa42e0ce4329b723420a18
all runs: OK
# git bisect bad 7aa6d359845a9dbf7ad90b0b1b6347ef4764621f
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[1a49a97df657c63a4e8ffcd1ea9b6ed95581789b] btrfs: tree-checker: add missing return after error in root_item
testing commit 1a49a97df657c63a4e8ffcd1ea9b6ed95581789b with gcc (GCC) 8.1.0
kernel signature: 20dbf2f0cb7026cb573ae62e860649d274e015d46669de69a0f4c1ea7d3a9954
run #0: crashed: no output from test machine
run #1: crashed: no output from test machine
run #2: crashed: no output from test machine
run #3: crashed: no output from test machine
run #4: crashed: no output from test machine
run #5: crashed: no output from test machine
run #6: crashed: no output from test machine
run #7: basic kernel testing failed: failed to copy test binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/syzkaller/jobs/linux/workdir/image/key" "/tmp/syz-executor199374852" "root@10.128.10.57:./syz-executor199374852"]: exit status 1
ssh: connect to host 10.128.10.57 port 22: Connection timed out
lost connection
run #8: basic kernel testing failed: failed to copy test binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/syzkaller/jobs/linux/workdir/image/key" "/tmp/syz-executor740902803" "root@10.128.10.58:./syz-executor740902803"]: exit status 1
ssh: connect to host 10.128.10.58 port 22: Connection timed out
lost connection
run #9: basic kernel testing failed: failed to copy test binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/syzkaller/jobs/linux/workdir/image/key" "/tmp/syz-executor846196182" "root@10.128.10.22:./syz-executor846196182"]: exit status 1
ssh: connect to host 10.128.10.22 port 22: Connection timed out
lost connection
# git bisect good 1a49a97df657c63a4e8ffcd1ea9b6ed95581789b
Bisecting: 1 revision left to test after this (roughly 1 step)
[6d06b0ad94d3dd7e3503d8ad39c39c4634884611] btrfs: tree-checker: add missing returns after data_ref alignment checks
testing commit 6d06b0ad94d3dd7e3503d8ad39c39c4634884611 with gcc (GCC) 8.1.0
kernel signature: e6d7f1c94b4e9e91aba2e8d56d7b76ff476b10d9c1320ef58809de42c66e3d00
all runs: OK
# git bisect bad 6d06b0ad94d3dd7e3503d8ad39c39c4634884611
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[0697d9a610998b8bdee6b2390836cb2391d8fd1a] btrfs: don't access possibly stale fs_info data for printing duplicate device
testing commit 0697d9a610998b8bdee6b2390836cb2391d8fd1a with gcc (GCC) 8.1.0
kernel signature: 4b02f7f8b94e34b37ac999aaed7dda67c3448e460f9b076d012bb5feb1397e7c
all runs: OK
# git bisect bad 0697d9a610998b8bdee6b2390836cb2391d8fd1a
0697d9a610998b8bdee6b2390836cb2391d8fd1a is the first bad commit
commit 0697d9a610998b8bdee6b2390836cb2391d8fd1a
Author: Johannes Thumshirn
Date:   Wed Nov 18 18:03:26 2020 +0900

    btrfs: don't access possibly stale fs_info data for printing duplicate device

    Syzbot reported a possible use-after-free when printing a duplicate device
    warning device_list_add().

    At this point it can happen that a btrfs_device::fs_info is not correctly
    setup yet, so we're accessing stale data, when printing the warning
    message using the btrfs_printk() wrappers.

    ==================================================================
    BUG: KASAN: use-after-free in btrfs_printk+0x3eb/0x435 fs/btrfs/super.c:245
    Read of size 8 at addr ffff8880878e06a8 by task syz-executor225/7068

    CPU: 1 PID: 7068 Comm: syz-executor225 Not tainted 5.9.0-rc5-syzkaller #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    Call Trace:
     __dump_stack lib/dump_stack.c:77 [inline]
     dump_stack+0x1d6/0x29e lib/dump_stack.c:118
     print_address_description+0x66/0x620 mm/kasan/report.c:383
     __kasan_report mm/kasan/report.c:513 [inline]
     kasan_report+0x132/0x1d0 mm/kasan/report.c:530
     btrfs_printk+0x3eb/0x435 fs/btrfs/super.c:245
     device_list_add+0x1a88/0x1d60 fs/btrfs/volumes.c:943
     btrfs_scan_one_device+0x196/0x490 fs/btrfs/volumes.c:1359
     btrfs_mount_root+0x48f/0xb60 fs/btrfs/super.c:1634
     legacy_get_tree+0xea/0x180 fs/fs_context.c:592
     vfs_get_tree+0x88/0x270 fs/super.c:1547
     fc_mount fs/namespace.c:978 [inline]
     vfs_kern_mount+0xc9/0x160 fs/namespace.c:1008
     btrfs_mount+0x33c/0xae0 fs/btrfs/super.c:1732
     legacy_get_tree+0xea/0x180 fs/fs_context.c:592
     vfs_get_tree+0x88/0x270 fs/super.c:1547
     do_new_mount fs/namespace.c:2875 [inline]
     path_mount+0x179d/0x29e0 fs/namespace.c:3192
     do_mount fs/namespace.c:3205 [inline]
     __do_sys_mount fs/namespace.c:3413 [inline]
     __se_sys_mount+0x126/0x180 fs/namespace.c:3390
     do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46
     entry_SYSCALL_64_after_hwframe+0x44/0xa9
    RIP: 0033:0x44840a
    RSP: 002b:00007ffedfffd608 EFLAGS: 00000293 ORIG_RAX: 00000000000000a5
    RAX: ffffffffffffffda RBX: 00007ffedfffd670 RCX: 000000000044840a
    RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffedfffd630
    RBP: 00007ffedfffd630 R08: 00007ffedfffd670 R09: 0000000000000000
    R10: 0000000000000000 R11: 0000000000000293 R12: 000000000000001a
    R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003

    Allocated by task 6945:
     kasan_save_stack mm/kasan/common.c:48 [inline]
     kasan_set_track mm/kasan/common.c:56 [inline]
     __kasan_kmalloc+0x100/0x130 mm/kasan/common.c:461
     kmalloc_node include/linux/slab.h:577 [inline]
     kvmalloc_node+0x81/0x110 mm/util.c:574
     kvmalloc include/linux/mm.h:757 [inline]
     kvzalloc include/linux/mm.h:765 [inline]
     btrfs_mount_root+0xd0/0xb60 fs/btrfs/super.c:1613
     legacy_get_tree+0xea/0x180 fs/fs_context.c:592
     vfs_get_tree+0x88/0x270 fs/super.c:1547
     fc_mount fs/namespace.c:978 [inline]
     vfs_kern_mount+0xc9/0x160 fs/namespace.c:1008
     btrfs_mount+0x33c/0xae0 fs/btrfs/super.c:1732
     legacy_get_tree+0xea/0x180 fs/fs_context.c:592
     vfs_get_tree+0x88/0x270 fs/super.c:1547
     do_new_mount fs/namespace.c:2875 [inline]
     path_mount+0x179d/0x29e0 fs/namespace.c:3192
     do_mount fs/namespace.c:3205 [inline]
     __do_sys_mount fs/namespace.c:3413 [inline]
     __se_sys_mount+0x126/0x180 fs/namespace.c:3390
     do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46
     entry_SYSCALL_64_after_hwframe+0x44/0xa9

    Freed by task 6945:
     kasan_save_stack mm/kasan/common.c:48 [inline]
     kasan_set_track+0x3d/0x70 mm/kasan/common.c:56
     kasan_set_free_info+0x17/0x30 mm/kasan/generic.c:355
     __kasan_slab_free+0xdd/0x110 mm/kasan/common.c:422
     __cache_free mm/slab.c:3418 [inline]
     kfree+0x113/0x200 mm/slab.c:3756
     deactivate_locked_super+0xa7/0xf0 fs/super.c:335
     btrfs_mount_root+0x72b/0xb60 fs/btrfs/super.c:1678
     legacy_get_tree+0xea/0x180 fs/fs_context.c:592
     vfs_get_tree+0x88/0x270 fs/super.c:1547
     fc_mount fs/namespace.c:978 [inline]
     vfs_kern_mount+0xc9/0x160 fs/namespace.c:1008
     btrfs_mount+0x33c/0xae0 fs/btrfs/super.c:1732
     legacy_get_tree+0xea/0x180 fs/fs_context.c:592
     vfs_get_tree+0x88/0x270 fs/super.c:1547
     do_new_mount fs/namespace.c:2875 [inline]
     path_mount+0x179d/0x29e0 fs/namespace.c:3192
     do_mount fs/namespace.c:3205 [inline]
     __do_sys_mount fs/namespace.c:3413 [inline]
     __se_sys_mount+0x126/0x180 fs/namespace.c:3390
     do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46
     entry_SYSCALL_64_after_hwframe+0x44/0xa9

    The buggy address belongs to the object at ffff8880878e0000
     which belongs to the cache kmalloc-16k of size 16384
    The buggy address is located 1704 bytes inside of
     16384-byte region [ffff8880878e0000, ffff8880878e4000)
    The buggy address belongs to the page:
    page:0000000060704f30 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x878e0
    head:0000000060704f30 order:3 compound_mapcount:0 compound_pincount:0
    flags: 0xfffe0000010200(slab|head)
    raw: 00fffe0000010200 ffffea00028e9a08 ffffea00021e3608 ffff8880aa440b00
    raw: 0000000000000000 ffff8880878e0000 0000000100000001 0000000000000000
    page dumped because: kasan: bad access detected

    Memory state around the buggy address:
     ffff8880878e0580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
     ffff8880878e0600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    >ffff8880878e0680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                      ^
     ffff8880878e0700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
     ffff8880878e0780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    ==================================================================

    The syzkaller reproducer for this use-after-free crafts a filesystem image
    and loop mounts it twice in a loop. The mount will fail as the crafted
    image has an invalid chunk tree. When this happens btrfs_mount_root() will
    call deactivate_locked_super(), which then cleans up fs_info and
    fs_info::sb. If a second thread now adds the same block-device to the
    filesystem, it will get detected as a duplicate device and
    device_list_add() will reject the duplicate and print a warning. But as
    the fs_info pointer passed in is non-NULL this will result in a
    use-after-free.

    Instead of printing possibly uninitialized or already freed memory in
    btrfs_printk(), explicitly pass in a NULL fs_info so the printing of the
    device name will be skipped altogether.

    There was a slightly different approach discussed in
    https://lore.kernel.org/linux-btrfs/20200114060920.4527-1-anand.jain@oracle.com/t/#u

    Link: https://lore.kernel.org/linux-btrfs/000000000000c9e14b05afcc41ba@google.com
    Reported-by: syzbot+582e66e5edf36a22c7b0@syzkaller.appspotmail.com
    CC: stable@vger.kernel.org # 4.19+
    Reviewed-by: Nikolay Borisov
    Reviewed-by: Anand Jain
    Signed-off-by: Johannes Thumshirn
    Reviewed-by: David Sterba
    Signed-off-by: David Sterba

 fs/btrfs/volumes.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

culprit signature: 4b02f7f8b94e34b37ac999aaed7dda67c3448e460f9b076d012bb5feb1397e7c
parent signature: 20dbf2f0cb7026cb573ae62e860649d274e015d46669de69a0f4c1ea7d3a9954
revisions tested: 13, total time: 3h10m36.693398617s (build: 57m49.698054078s, test: 2h11m16.159813353s)
first good commit: 0697d9a610998b8bdee6b2390836cb2391d8fd1a btrfs: don't access possibly stale fs_info data for printing duplicate device
recipients (to): ["anand.jain@oracle.com" "dsterba@suse.com" "johannes.thumshirn@wdc.com" "nborisov@suse.com"]
recipients (cc): []