[Bug 214655] New: BUG: unable to handle kernel paging request in __dquot_free_space

https://bugzilla.kernel.org/show_bug.cgi?id=214655

            Bug ID: 214655
           Summary: BUG: unable to handle kernel paging request in
                    __dquot_free_space
           Product: File System
           Version: 2.5
    Kernel Version: 5.15-rc-ksmbd-part2
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: ext4
          Assignee: fs_ext4@xxxxxxxxxxxxxxxxxxxx
          Reporter: 6201613047@xxxxxxxxxxxxxxxxxxx
        Regression: No

Created attachment 299143
  --> https://bugzilla.kernel.org/attachment.cgi?id=299143&action=edit
poc

Found it with something like Syzkaller, and I think this is a BUG.
The POC is attached here.
Looking forward to your reply.

-----------------------------------
EXT4-fs error (device loop0): ext4_empty_dir:3011: inode #12: block 80: comm
syz-executor.0: bad entry in directory: rec_len is smaller than minimal -
offset=0, inode=0, rec_len=0, size=4096 fake=0
EXT4-fs warning (device loop0): ext4_empty_dir:3013: inode #12: comm
syz-executor.0: directory missing '.'
BUG: unable to handle page fault for address: fffffbfff6b3012c
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 9fffeb067 P4D 9fffeb067 PUD 9ffe0f067 PMD 0 
Oops: 0000 [#1] SMP KASAN PTI
CPU: 3 PID: 26685 Comm: syz-executor.0 Not tainted 5.14.0+ #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1
04/01/2014
RIP: 0010:bytes_is_nonzero mm/kasan/generic.c:85 [inline]
RIP: 0010:memory_is_nonzero mm/kasan/generic.c:102 [inline]
RIP: 0010:memory_is_poisoned_n mm/kasan/generic.c:128 [inline]
RIP: 0010:memory_is_poisoned mm/kasan/generic.c:159 [inline]
RIP: 0010:check_region_inline mm/kasan/generic.c:180 [inline]
RIP: 0010:kasan_check_range+0x13d/0x200 mm/kasan/generic.c:189
Code: 83 c0 01 48 89 d8 49 39 d8 74 0f 41 80 38 00 74 ee 4b 8d 04 0c 4d 85 c0
75 4b 48 89 eb 48 29 c3 e9 42 ff ff ff 48 85 db 74 2e <41> 80 39 00 75 32 48 b8
01 00 00 00 00 fc ff df 49 01 d9 49 01 c0
RSP: 0018:ffff88812dd8f4c8 EFLAGS: 00010202
RAX: fffffbfff6b3012c RBX: 0000000000000002 RCX: ffffffffb2e0a1f6
RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffffffffb5980967
RBP: fffffbfff6b3012e R08: 1ffffffff6b3012c R09: fffffbfff6b3012c
R10: ffffffffb598096a R11: fffffbfff6b3012d R12: ffff88812dd8f5d8
R13: ffff8881ac734b28 R14: 0000000000010000 R15: ffffffffb5980907
FS:  00007f0f2b188700(0000) GS:ffff8889d7380000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffbfff6b3012c CR3: 0000000156d9a001 CR4: 0000000000770ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
 atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:511
[inline]
 queued_spin_lock include/asm-generic/qspinlock.h:82 [inline]
 do_raw_spin_lock include/linux/spinlock.h:187 [inline]
 __raw_spin_lock include/linux/spinlock_api_smp.h:143 [inline]
 _raw_spin_lock+0x66/0xd0 kernel/locking/spinlock.c:154
 spin_lock include/linux/spinlock.h:363 [inline]
 __dquot_free_space+0x211/0x7c0 fs/quota/dquot.c:1874
 dquot_free_space_nodirty include/linux/quotaops.h:376 [inline]
 dquot_free_space include/linux/quotaops.h:381 [inline]
 dquot_free_block include/linux/quotaops.h:392 [inline]
 ext4_free_blocks+0x1430/0x1940 fs/ext4/mballoc.c:6084
 ext4_remove_blocks fs/ext4/extents.c:2488 [inline]
 ext4_ext_rm_leaf fs/ext4/extents.c:2672 [inline]
 ext4_ext_remove_space+0x299c/0x3590 fs/ext4/extents.c:2920
 ext4_ext_truncate+0x195/0x200 fs/ext4/extents.c:4382
 ext4_truncate+0xa2b/0xe80 fs/ext4/inode.c:4268
 ext4_evict_inode+0x8af/0x13c0 fs/ext4/inode.c:287
 evict+0x2d3/0x5b0 fs/inode.c:586
 iput_final fs/inode.c:1662 [inline]
 iput fs/inode.c:1688 [inline]
 iput+0x4ba/0x710 fs/inode.c:1674
 dentry_unlink_inode+0x314/0x4d0 fs/dcache.c:376
 d_delete fs/dcache.c:2505 [inline]
 d_delete+0x152/0x1a0 fs/dcache.c:2494
 vfs_rmdir fs/namei.c:3984 [inline]
 vfs_rmdir+0x438/0x570 fs/namei.c:3948
 do_rmdir+0x1c2/0x3a0 fs/namei.c:4032
 __do_sys_unlinkat fs/namei.c:4211 [inline]
 __se_sys_unlinkat fs/namei.c:4205 [inline]
 __x64_sys_unlinkat+0xcc/0x100 fs/namei.c:4205
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4698d9
Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48
89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01
c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f0f2b187c48 EFLAGS: 00000246 ORIG_RAX: 0000000000000107
RAX: ffffffffffffffda RBX: 000000000077bf80 RCX: 00000000004698d9
RDX: 0000000000000200 RSI: 0000000020000040 RDI: 0000000000000005
RBP: 00000000004d26c2 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000077bf80
R13: 0000000000000000 R14: 000000000077bf80 R15: 00007ffdbd022e40
Modules linked in:
CR2: fffffbfff6b3012c
---[ end trace 337a23afd90599f5 ]---
RIP: 0010:bytes_is_nonzero mm/kasan/generic.c:85 [inline]
RIP: 0010:memory_is_nonzero mm/kasan/generic.c:102 [inline]
RIP: 0010:memory_is_poisoned_n mm/kasan/generic.c:128 [inline]
RIP: 0010:memory_is_poisoned mm/kasan/generic.c:159 [inline]
RIP: 0010:check_region_inline mm/kasan/generic.c:180 [inline]
RIP: 0010:kasan_check_range+0x13d/0x200 mm/kasan/generic.c:189
Code: 83 c0 01 48 89 d8 49 39 d8 74 0f 41 80 38 00 74 ee 4b 8d 04 0c 4d 85 c0
75 4b 48 89 eb 48 29 c3 e9 42 ff ff ff 48 85 db 74 2e <41> 80 39 00 75 32 48 b8
01 00 00 00 00 fc ff df 49 01 d9 49 01 c0
RSP: 0018:ffff88812dd8f4c8 EFLAGS: 00010202
RAX: fffffbfff6b3012c RBX: 0000000000000002 RCX: ffffffffb2e0a1f6
RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffffffffb5980967
RBP: fffffbfff6b3012e R08: 1ffffffff6b3012c R09: fffffbfff6b3012c
R10: ffffffffb598096a R11: fffffbfff6b3012d R12: ffff88812dd8f5d8
R13: ffff8881ac734b28 R14: 0000000000010000 R15: ffffffffb5980907
FS:  00007f0f2b188700(0000) GS:ffff8889d7380000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffbfff6b3012c CR3: 0000000156d9a001 CR4: 0000000000770ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
netlink: 72 bytes leftover after parsing attributes in process
`syz-executor.7'.
==================================================================
BUG: KASAN: use-after-free in owner_on_cpu kernel/locking/rwsem.c:605 [inline]
BUG: KASAN: use-after-free in rwsem_can_spin_on_owner
kernel/locking/rwsem.c:626 [inline]
BUG: KASAN: use-after-free in rwsem_down_write_slowpath+0xade/0xfe0
kernel/locking/rwsem.c:1026
Read of size 4 at addr ffff88812eaf4534 by task syz-executor.0/26792

CPU: 3 PID: 26792 Comm: syz-executor.0 Tainted: G      D           5.14.0+ #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1
04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x4c/0x64 lib/dump_stack.c:106
 print_address_description.constprop.9+0x21/0x150 mm/kasan/report.c:256
 __kasan_report mm/kasan/report.c:442 [inline]
 kasan_report.cold.14+0x7f/0x11b mm/kasan/report.c:459
 owner_on_cpu kernel/locking/rwsem.c:605 [inline]
 rwsem_can_spin_on_owner kernel/locking/rwsem.c:626 [inline]
 rwsem_down_write_slowpath+0xade/0xfe0 kernel/locking/rwsem.c:1026
 __down_write_common kernel/locking/rwsem.c:1262 [inline]
 __down_write_common kernel/locking/rwsem.c:1259 [inline]
 __down_write kernel/locking/rwsem.c:1271 [inline]
 down_write+0xd2/0x120 kernel/locking/rwsem.c:1516
 inode_lock include/linux/fs.h:786 [inline]
 chown_common+0x1ea/0x400 fs/open.c:675
 do_fchownat+0xef/0x180 fs/open.c:709
 __do_sys_lchown fs/open.c:734 [inline]
 __se_sys_lchown fs/open.c:732 [inline]
 __x64_sys_lchown+0x7a/0xc0 fs/open.c:732
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4698d9
Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48
89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01
c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f0f2b166c48 EFLAGS: 00000246 ORIG_RAX: 000000000000005e
RAX: ffffffffffffffda RBX: 000000000077c038 RCX: 00000000004698d9
RDX: 0000000000000000 RSI: 000000000000ee00 RDI: 00000000200002c0
RBP: 00000000004d26c2 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000077c038
R13: 0000000000000000 R14: 000000000077c038 R15: 00007ffdbd022e40
netlink: 72 bytes leftover after parsing attributes in process
`syz-executor.7'.

Allocated by task 26666:
 kasan_save_stack+0x19/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 __kasan_slab_alloc+0x68/0x80 mm/kasan/common.c:467
 kasan_slab_alloc include/linux/kasan.h:254 [inline]
 slab_post_alloc_hook mm/slab.h:519 [inline]
 slab_alloc_node mm/slub.c:3206 [inline]
 kmem_cache_alloc_node+0xd2/0x200 mm/slub.c:3242
 alloc_task_struct_node kernel/fork.c:171 [inline]
 dup_task_struct kernel/fork.c:883 [inline]
 copy_process+0x1717/0x67c0 kernel/fork.c:2026
 kernel_clone+0xbd/0x970 kernel/fork.c:2584
 __do_sys_clone+0xde/0x120 kernel/fork.c:2701
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 26778:
 kasan_save_stack+0x19/0x40 mm/kasan/common.c:38
 kasan_set_track+0x1c/0x30 mm/kasan/common.c:46
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:360
 ____kasan_slab_free mm/kasan/common.c:366 [inline]
 ____kasan_slab_free mm/kasan/common.c:328 [inline]
 __kasan_slab_free+0xe2/0x110 mm/kasan/common.c:374
 kasan_slab_free include/linux/kasan.h:230 [inline]
 slab_free_hook mm/slub.c:1700 [inline]
 slab_free_freelist_hook mm/slub.c:1725 [inline]
 slab_free mm/slub.c:3483 [inline]
 kmem_cache_free+0x74/0x280 mm/slub.c:3499
 __put_task_struct+0x22a/0x4f0 kernel/fork.c:760
 put_task_struct include/linux/sched/task.h:113 [inline]
 delayed_put_task_struct+0x11d/0x160 kernel/exit.c:173
 rcu_do_batch kernel/rcu/tree.c:2508 [inline]
 rcu_core+0x555/0x14b0 kernel/rcu/tree.c:2743
 __do_softirq+0x17f/0x53f kernel/softirq.c:558

Last potentially related work creation:
 kasan_save_stack+0x19/0x40 mm/kasan/common.c:38
 kasan_record_aux_stack+0xa3/0xb0 mm/kasan/generic.c:348
 __call_rcu kernel/rcu/tree.c:2987 [inline]
 call_rcu+0x77/0x8f0 kernel/rcu/tree.c:3067
 put_task_struct_rcu_user+0x61/0x90 kernel/exit.c:179
 finish_task_switch+0x48e/0x670 kernel/sched/core.c:4854
 schedule_tail+0x7/0xa0 kernel/sched/core.c:4876
 ret_from_fork+0x8/0x30 arch/x86/entry/entry_64.S:280

Second to last potentially related work creation:
 kasan_save_stack+0x19/0x40 mm/kasan/common.c:38
 kasan_record_aux_stack+0xa3/0xb0 mm/kasan/generic.c:348
 __call_rcu kernel/rcu/tree.c:2987 [inline]
 call_rcu+0x77/0x8f0 kernel/rcu/tree.c:3067
 put_task_struct_rcu_user+0x61/0x90 kernel/exit.c:179
 finish_task_switch+0x48e/0x670 kernel/sched/core.c:4854
 context_switch kernel/sched/core.c:4943 [inline]
 __schedule+0x882/0x1710 kernel/sched/core.c:6287
 schedule+0xbd/0x250 kernel/sched/core.c:6366
 freezable_schedule include/linux/freezer.h:172 [inline]
 futex_wait_queue_me+0x24b/0x430 kernel/futex.c:2821
 futex_wait+0x1cb/0x620 kernel/futex.c:2922
 do_futex+0x337/0x17e0 kernel/futex.c:3932
 __do_sys_futex kernel/futex.c:4009 [inline]
 __se_sys_futex kernel/futex.c:3990 [inline]
 __x64_sys_futex+0x189/0x400 kernel/futex.c:3990
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff88812eaf4500
 which belongs to the cache task_struct of size 5576
The buggy address is located 52 bytes inside of
 5576-byte region [ffff88812eaf4500, ffff88812eaf5ac8)
The buggy address belongs to the page:
page:0000000082bf4bc1 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
pfn:0x12eaf0
head:0000000082bf4bc1 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x200000000010200(slab|head|node=0|zone=2)
raw: 0200000000010200 dead000000000100 dead000000000122 ffff888100178b40
raw: 0000000000000000 0000000000050005 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88812eaf4400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88812eaf4480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88812eaf4500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                     ^
 ffff88812eaf4580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88812eaf4600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
----------------
Code disassembly (best guess):
   0:   83 c0 01                add    $0x1,%eax
   3:   48 89 d8                mov    %rbx,%rax
   6:   49 39 d8                cmp    %rbx,%r8
   9:   74 0f                   je     0x1a
   b:   41 80 38 00             cmpb   $0x0,(%r8)
   f:   74 ee                   je     0xffffffff
  11:   4b 8d 04 0c             lea    (%r12,%r9,1),%rax
  15:   4d 85 c0                test   %r8,%r8
  18:   75 4b                   jne    0x65
  1a:   48 89 eb                mov    %rbp,%rbx
  1d:   48 29 c3                sub    %rax,%rbx
  20:   e9 42 ff ff ff          jmpq   0xffffff67
  25:   48 85 db                test   %rbx,%rbx
  28:   74 2e                   je     0x58
* 2a:   41 80 39 00             cmpb   $0x0,(%r9) <-- trapping instruction
  2e:   75 32                   jne    0x62
  30:   48 b8 01 00 00 00 00    movabs $0xdffffc0000000001,%rax
  37:   fc ff df
  3a:   49 01 d9                add    %rbx,%r9
  3d:   49 01 c0                add    %rax,%r8
