On Thu, Dec 12, 2024 at 12:23:31PM +0530, Bhupesh wrote: > Once we are inside the 'ext4_xattr_delete_inode' function and trying > to delete the inode, the 'xattr_sem' should be unlocked. > > We need trylock here to avoid false-positive warning from lockdep > about reclaim circular dependency. > > This fixes the following KASAN reported issue: > > ================================================================== > BUG: KASAN: slab-use-after-free in ext4_xattr_inode_dec_ref_all+0xb8c/0xe90 > Read of size 4 at addr ffff888012c120c4 by task repro/2065 > > CPU: 1 UID: 0 PID: 2065 Comm: repro Not tainted 6.13.0-rc2+ #11 > Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 > Call Trace: > <TASK> > dump_stack_lvl+0x1fd/0x300 > ? tcp_gro_dev_warn+0x260/0x260 > ? _printk+0xc0/0x100 > ? read_lock_is_recursive+0x10/0x10 > ? irq_work_queue+0x72/0xf0 > ? __virt_addr_valid+0x17b/0x4b0 > print_address_description+0x78/0x390 > print_report+0x107/0x1f0 > ? __virt_addr_valid+0x17b/0x4b0 > ? __virt_addr_valid+0x3ff/0x4b0 > ? __phys_addr+0xb5/0x160 > ? ext4_xattr_inode_dec_ref_all+0xb8c/0xe90 > kasan_report+0xcc/0x100 > ? ext4_xattr_inode_dec_ref_all+0xb8c/0xe90 > ext4_xattr_inode_dec_ref_all+0xb8c/0xe90 > ? ext4_xattr_delete_inode+0xd30/0xd30 > ? __ext4_journal_ensure_credits+0x5f0/0x5f0 > ? __ext4_journal_ensure_credits+0x2b/0x5f0 > ? inode_update_timestamps+0x410/0x410 > ext4_xattr_delete_inode+0xb64/0xd30 > ? ext4_truncate+0xb70/0xdc0 > ? ext4_expand_extra_isize_ea+0x1d20/0x1d20 > ? __ext4_mark_inode_dirty+0x670/0x670 > ? ext4_journal_check_start+0x16f/0x240 > ? ext4_inode_is_fast_symlink+0x2f2/0x3a0 > ext4_evict_inode+0xc8c/0xff0 > ? ext4_inode_is_fast_symlink+0x3a0/0x3a0 > ? do_raw_spin_unlock+0x53/0x8a0 > ? ext4_inode_is_fast_symlink+0x3a0/0x3a0 > evict+0x4ac/0x950 > ? proc_nr_inodes+0x310/0x310 > ? trace_ext4_drop_inode+0xa2/0x220 > ? _raw_spin_unlock+0x1a/0x30 > ? iput+0x4cb/0x7e0 > do_unlinkat+0x495/0x7c0 > ? try_break_deleg+0x120/0x120 > ? 0xffffffff81000000 > ? __check_object_size+0x15a/0x210 > ? strncpy_from_user+0x13e/0x250 > ? getname_flags+0x1dc/0x530 > __x64_sys_unlinkat+0xc8/0xf0 > do_syscall_64+0x65/0x110 > entry_SYSCALL_64_after_hwframe+0x67/0x6f > RIP: 0033:0x434ffd > Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 8 > RSP: 002b:00007ffc50fa7b28 EFLAGS: 00000246 ORIG_RAX: 0000000000000107 > RAX: ffffffffffffffda RBX: 00007ffc50fa7e18 RCX: 0000000000434ffd > RDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000005 > RBP: 00007ffc50fa7be0 R08: 0000000000000000 R09: 0000000000000000 > R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 > R13: 00007ffc50fa7e08 R14: 00000000004bbf30 R15: 0000000000000001 > </TASK> > > The buggy address belongs to the object at ffff888012c12000 > which belongs to the cache filp of size 360 > The buggy address is located 196 bytes inside of > freed 360-byte region [ffff888012c12000, ffff888012c12168) > > The buggy address belongs to the physical page: > page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12c12 > head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 > flags: 0x40(head|node=0|zone=0) > page_type: f5(slab) > raw: 0000000000000040 ffff888000ad7640 ffffea0000497a00 dead000000000004 > raw: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000 > head: 0000000000000040 ffff888000ad7640 ffffea0000497a00 dead000000000004 > head: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000 > head: 0000000000000001 ffffea00004b0481 ffffffffffffffff 0000000000000000 > head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000 > page dumped because: kasan: bad access detected > > Memory state around the buggy address: > ffff888012c11f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > ffff888012c12000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > >ffff888012c12080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > ^ > ffff888012c12100: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc > ffff888012c12180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc > ================================================================== > > Reported-by: syzbot+b244bda78289b00204ed@xxxxxxxxxxxxxxxxxxxxxxxxx > Closes: https://syzkaller.appspot.com/bug?extid=b244bda78289b00204ed > Signed-off-by: Bhupesh <bhupesh@xxxxxxxxxx> > --- > fs/ext4/xattr.c | 16 +++++++++++++++- > 1 file changed, 15 insertions(+), 1 deletion(-) > > diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c > index 7647e9f6e190..e1d29aa76165 100644 > --- a/fs/ext4/xattr.c > +++ b/fs/ext4/xattr.c > @@ -2926,7 +2926,20 @@ int ext4_xattr_delete_inode(handle_t *handle, struct inode *inode, > struct ext4_iloc iloc = { .bh = NULL }; > struct ext4_xattr_entry *entry; > struct inode *ea_inode; > - int error; > + int error = 0; > + > + /* > + * We are the only ones holding inode reference. The xattr_sem should > + * better be unlocked! We could as well just not acquire xattr_sem at > + * all but this makes the code more futureproof. OTOH we need trylock > + * here to avoid false-positive warning from lockdep about reclaim > + * circular dependency. > + */ > + if (WARN_ON_ONCE(!down_write_trylock(&EXT4_I(inode)->xattr_sem))) > + return error; > + > + if (!EXT4_I(inode)->i_file_acl) > + goto cleanup; > This is ignoring the case where attributes are all in the inode, not in the separate ACL block. That's why this apparently fixes the problem. ext4_xattr_inode_dec_ref_all is never called anymore. Cascardo. > error = ext4_journal_ensure_credits(handle, extra_credits, > ext4_free_metadata_revoke_credits(inode->i_sb, 1)); > @@ -3015,6 +3028,7 @@ int ext4_xattr_delete_inode(handle_t *handle, struct inode *inode, > cleanup: > brelse(iloc.bh); > brelse(bh); > + up_write(&EXT4_I(inode)->xattr_sem); > return error; > } > > -- > 2.38.1 > >