bisecting fixing commit since 0c88e405c97ed1828443b67891e6d4bb6e56cd4e
building syzkaller on 3c7136c000d478908c0d17b38cf6ae8e2e2164c3
testing commit 0c88e405c97ed1828443b67891e6d4bb6e56cd4e with gcc (GCC) 8.1.0
kernel signature: 352ecfb26a5b7001902091f8da7d29ac4a583bb69a0f8d00ad7279e83b91e1f5
all runs: crashed: KASAN: use-after-free Read in btrfs_scan_one_device
testing current HEAD 3207316b3beec7e38e5dbe2f463df0cec71e0b97
testing commit 3207316b3beec7e38e5dbe2f463df0cec71e0b97 with gcc (GCC) 8.1.0
kernel signature: bb3ed4c168fdad1ba7f13c7f69c1b31608a433fdd329dfa67206e76fc66c359e
all runs: OK
# git bisect start 3207316b3beec7e38e5dbe2f463df0cec71e0b97 0c88e405c97ed1828443b67891e6d4bb6e56cd4e
Bisecting: 237 revisions left to test after this (roughly 8 steps)
[373eac79ec767237cc4634785761bb3d29b553ab] x86/mm/ident_map: Check for errors from ident_pud_init()
testing commit 373eac79ec767237cc4634785761bb3d29b553ab with gcc (GCC) 8.1.0
kernel signature: ad8ae4576bd61568229beacaa8965894f1d621ec513dcf70c1b2e3ca9aa1f204
all runs: OK
# git bisect bad 373eac79ec767237cc4634785761bb3d29b553ab
Bisecting: 118 revisions left to test after this (roughly 7 steps)
[234b432c7b6184b2d6c5ba2c55f0dd5023c0edf0] spi: Introduce device-managed SPI controller allocation
testing commit 234b432c7b6184b2d6c5ba2c55f0dd5023c0edf0 with gcc (GCC) 8.1.0
kernel signature: 9d6b42268c3330adde597dc979a1879df859e78f0a554b277636b2a57311a403
all runs: OK
# git bisect bad 234b432c7b6184b2d6c5ba2c55f0dd5023c0edf0
Bisecting: 59 revisions left to test after this (roughly 6 steps)
[716cd2eba30d7737fd140abd00e1667c76b32fc5] ipv6: addrlabel: fix possible memory leak in ip6addrlbl_net_init
testing commit 716cd2eba30d7737fd140abd00e1667c76b32fc5 with gcc (GCC) 8.1.0
kernel signature: f5a2054c5a1a38e29ebb48d724e574c1dfe06fa15f1366ce67657e55fc01936a
all runs: OK
# git bisect bad 716cd2eba30d7737fd140abd00e1667c76b32fc5
Bisecting: 29 revisions left to test after this (roughly 5 steps)
[fbcca50fd598d7043c44a4bfed8a231306821739] batman-adv: set .owner to THIS_MODULE
testing commit fbcca50fd598d7043c44a4bfed8a231306821739 with gcc (GCC) 8.1.0
kernel signature: d1656a8f33d9c0c97c237728d5809c56324e2dc955ab6252178a47290b4ff91f
all runs: OK
# git bisect bad fbcca50fd598d7043c44a4bfed8a231306821739
Bisecting: 14 revisions left to test after this (roughly 4 steps)
[af13df79a0a006585e644a1c954fc9ad079fea2e] HID: add support for Sega Saturn
testing commit af13df79a0a006585e644a1c954fc9ad079fea2e with gcc (GCC) 8.1.0
kernel signature: e624a4c67c43e53ef60a5e97d1d8c65325a6df39dd7221b58b437af3cd496efb
all runs: OK
# git bisect bad af13df79a0a006585e644a1c954fc9ad079fea2e
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[f6d579d770d50d21d5ad26d3dbdafe2237967766] KVM: x86: handle !lapic_in_kernel case in kvm_cpu_*_extint
testing commit f6d579d770d50d21d5ad26d3dbdafe2237967766 with gcc (GCC) 8.1.0
kernel signature: 0cdad5e4ce5a33eefe1032c136dc4997e50e714c5a4543dd2b638556802faeee
all runs: OK
# git bisect bad f6d579d770d50d21d5ad26d3dbdafe2237967766
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[aec62fa475afe706ae210c28eca38ef62ac19dbc] btrfs: don't access possibly stale fs_info data for printing duplicate device
testing commit aec62fa475afe706ae210c28eca38ef62ac19dbc with gcc (GCC) 8.1.0
kernel signature: f18efde2f25fff3a5a787fc41cba8317efdc902358b89c6c5cd8a1503f51ff75
all runs: OK
# git bisect bad aec62fa475afe706ae210c28eca38ef62ac19dbc
Bisecting: 0 revisions left to test after this (roughly 1 step)
[5460d62d661c0fc53bfe83493821b1dc3dc969f4] netfilter: clear skb->next in NF_HOOK_LIST()
testing commit 5460d62d661c0fc53bfe83493821b1dc3dc969f4 with gcc (GCC) 8.1.0
kernel signature: 45d0f955a1f66c7ec144afaf82c534a6a8586d49e8dc8496724e3c003ad089fe
all runs: crashed: KASAN: use-after-free Read in btrfs_scan_one_device
# git bisect good 5460d62d661c0fc53bfe83493821b1dc3dc969f4
aec62fa475afe706ae210c28eca38ef62ac19dbc is the first bad commit
commit aec62fa475afe706ae210c28eca38ef62ac19dbc
Author: Johannes Thumshirn
Date:   Wed Nov 18 18:03:26 2020 +0900

    btrfs: don't access possibly stale fs_info data for printing duplicate device

    commit 0697d9a610998b8bdee6b2390836cb2391d8fd1a upstream.

    Syzbot reported a possible use-after-free when printing a duplicate device
    warning device_list_add().

    At this point it can happen that a btrfs_device::fs_info is not correctly
    setup yet, so we're accessing stale data, when printing the warning
    message using the btrfs_printk() wrappers.

    ==================================================================
    BUG: KASAN: use-after-free in btrfs_printk+0x3eb/0x435 fs/btrfs/super.c:245
    Read of size 8 at addr ffff8880878e06a8 by task syz-executor225/7068

    CPU: 1 PID: 7068 Comm: syz-executor225 Not tainted 5.9.0-rc5-syzkaller #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    Call Trace:
     __dump_stack lib/dump_stack.c:77 [inline]
     dump_stack+0x1d6/0x29e lib/dump_stack.c:118
     print_address_description+0x66/0x620 mm/kasan/report.c:383
     __kasan_report mm/kasan/report.c:513 [inline]
     kasan_report+0x132/0x1d0 mm/kasan/report.c:530
     btrfs_printk+0x3eb/0x435 fs/btrfs/super.c:245
     device_list_add+0x1a88/0x1d60 fs/btrfs/volumes.c:943
     btrfs_scan_one_device+0x196/0x490 fs/btrfs/volumes.c:1359
     btrfs_mount_root+0x48f/0xb60 fs/btrfs/super.c:1634
     legacy_get_tree+0xea/0x180 fs/fs_context.c:592
     vfs_get_tree+0x88/0x270 fs/super.c:1547
     fc_mount fs/namespace.c:978 [inline]
     vfs_kern_mount+0xc9/0x160 fs/namespace.c:1008
     btrfs_mount+0x33c/0xae0 fs/btrfs/super.c:1732
     legacy_get_tree+0xea/0x180 fs/fs_context.c:592
     vfs_get_tree+0x88/0x270 fs/super.c:1547
     do_new_mount fs/namespace.c:2875 [inline]
     path_mount+0x179d/0x29e0 fs/namespace.c:3192
     do_mount fs/namespace.c:3205 [inline]
     __do_sys_mount fs/namespace.c:3413 [inline]
     __se_sys_mount+0x126/0x180 fs/namespace.c:3390
     do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46
     entry_SYSCALL_64_after_hwframe+0x44/0xa9
    RIP: 0033:0x44840a
    RSP: 002b:00007ffedfffd608 EFLAGS: 00000293 ORIG_RAX: 00000000000000a5
    RAX: ffffffffffffffda RBX: 00007ffedfffd670 RCX: 000000000044840a
    RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffedfffd630
    RBP: 00007ffedfffd630 R08: 00007ffedfffd670 R09: 0000000000000000
    R10: 0000000000000000 R11: 0000000000000293 R12: 000000000000001a
    R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003

    Allocated by task 6945:
     kasan_save_stack mm/kasan/common.c:48 [inline]
     kasan_set_track mm/kasan/common.c:56 [inline]
     __kasan_kmalloc+0x100/0x130 mm/kasan/common.c:461
     kmalloc_node include/linux/slab.h:577 [inline]
     kvmalloc_node+0x81/0x110 mm/util.c:574
     kvmalloc include/linux/mm.h:757 [inline]
     kvzalloc include/linux/mm.h:765 [inline]
     btrfs_mount_root+0xd0/0xb60 fs/btrfs/super.c:1613
     legacy_get_tree+0xea/0x180 fs/fs_context.c:592
     vfs_get_tree+0x88/0x270 fs/super.c:1547
     fc_mount fs/namespace.c:978 [inline]
     vfs_kern_mount+0xc9/0x160 fs/namespace.c:1008
     btrfs_mount+0x33c/0xae0 fs/btrfs/super.c:1732
     legacy_get_tree+0xea/0x180 fs/fs_context.c:592
     vfs_get_tree+0x88/0x270 fs/super.c:1547
     do_new_mount fs/namespace.c:2875 [inline]
     path_mount+0x179d/0x29e0 fs/namespace.c:3192
     do_mount fs/namespace.c:3205 [inline]
     __do_sys_mount fs/namespace.c:3413 [inline]
     __se_sys_mount+0x126/0x180 fs/namespace.c:3390
     do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46
     entry_SYSCALL_64_after_hwframe+0x44/0xa9

    Freed by task 6945:
     kasan_save_stack mm/kasan/common.c:48 [inline]
     kasan_set_track+0x3d/0x70 mm/kasan/common.c:56
     kasan_set_free_info+0x17/0x30 mm/kasan/generic.c:355
     __kasan_slab_free+0xdd/0x110 mm/kasan/common.c:422
     __cache_free mm/slab.c:3418 [inline]
     kfree+0x113/0x200 mm/slab.c:3756
     deactivate_locked_super+0xa7/0xf0 fs/super.c:335
     btrfs_mount_root+0x72b/0xb60 fs/btrfs/super.c:1678
     legacy_get_tree+0xea/0x180 fs/fs_context.c:592
     vfs_get_tree+0x88/0x270 fs/super.c:1547
     fc_mount fs/namespace.c:978 [inline]
     vfs_kern_mount+0xc9/0x160 fs/namespace.c:1008
     btrfs_mount+0x33c/0xae0 fs/btrfs/super.c:1732
     legacy_get_tree+0xea/0x180 fs/fs_context.c:592
     vfs_get_tree+0x88/0x270 fs/super.c:1547
     do_new_mount fs/namespace.c:2875 [inline]
     path_mount+0x179d/0x29e0 fs/namespace.c:3192
     do_mount fs/namespace.c:3205 [inline]
     __do_sys_mount fs/namespace.c:3413 [inline]
     __se_sys_mount+0x126/0x180 fs/namespace.c:3390
     do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46
     entry_SYSCALL_64_after_hwframe+0x44/0xa9

    The buggy address belongs to the object at ffff8880878e0000
     which belongs to the cache kmalloc-16k of size 16384
    The buggy address is located 1704 bytes inside of
     16384-byte region [ffff8880878e0000, ffff8880878e4000)
    The buggy address belongs to the page:
    page:0000000060704f30 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x878e0
    head:0000000060704f30 order:3 compound_mapcount:0 compound_pincount:0
    flags: 0xfffe0000010200(slab|head)
    raw: 00fffe0000010200 ffffea00028e9a08 ffffea00021e3608 ffff8880aa440b00
    raw: 0000000000000000 ffff8880878e0000 0000000100000001 0000000000000000
    page dumped because: kasan: bad access detected

    Memory state around the buggy address:
     ffff8880878e0580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
     ffff8880878e0600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    >ffff8880878e0680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                      ^
     ffff8880878e0700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
     ffff8880878e0780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    ==================================================================

    The syzkaller reproducer for this use-after-free crafts a filesystem image
    and loop mounts it twice in a loop. The mount will fail as the crafted
    image has an invalid chunk tree. When this happens btrfs_mount_root() will
    call deactivate_locked_super(), which then cleans up fs_info and
    fs_info::sb. If a second thread now adds the same block-device to the
    filesystem, it will get detected as a duplicate device and
    device_list_add() will reject the duplicate and print a warning. But as
    the fs_info pointer passed in is non-NULL this will result in a
    use-after-free.

    Instead of printing possibly uninitialized or already freed memory in
    btrfs_printk(), explicitly pass in a NULL fs_info so the printing of the
    device name will be skipped altogether.

    There was a slightly different approach discussed in
    https://lore.kernel.org/linux-btrfs/20200114060920.4527-1-anand.jain@oracle.com/t/#u

    Link: https://lore.kernel.org/linux-btrfs/000000000000c9e14b05afcc41ba@google.com
    Reported-by: syzbot+582e66e5edf36a22c7b0@syzkaller.appspotmail.com
    CC: stable@vger.kernel.org # 4.19+
    Reviewed-by: Nikolay Borisov
    Reviewed-by: Anand Jain
    Signed-off-by: Johannes Thumshirn
    Reviewed-by: David Sterba
    Signed-off-by: David Sterba
    Signed-off-by: Greg Kroah-Hartman

 fs/btrfs/volumes.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

culprit signature: f18efde2f25fff3a5a787fc41cba8317efdc902358b89c6c5cd8a1503f51ff75
parent signature: 45d0f955a1f66c7ec144afaf82c534a6a8586d49e8dc8496724e3c003ad089fe
revisions tested: 10, total time: 2h58m50.824030473s (build: 1h22m34.921281036s, test: 1h35m12.167222588s)
first good commit: aec62fa475afe706ae210c28eca38ef62ac19dbc btrfs: don't access possibly stale fs_info data for printing duplicate device
recipients (to): ["anand.jain@oracle.com" "dsterba@suse.com" "gregkh@linuxfoundation.org" "johannes.thumshirn@wdc.com" "nborisov@suse.com"]
recipients (cc): []