fs/jfs/jfs_imap.c | 1 + 1 file changed, 1 insertion(+)
syzbot found an invalid-free in diUnmount:
BUG: KASAN: double-free in slab_free mm/slub.c:3661 [inline]
BUG: KASAN: double-free in __kmem_cache_free+0x71/0x110 mm/slub.c:3674
Free of addr ffff88806f410000 by task syz-executor131/3632
CPU: 0 PID: 3632 Comm: syz-executor131 Not tainted 6.1.0-rc7-syzkaller-00012-gca57f02295f1 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106
print_address_description+0x74/0x340 mm/kasan/report.c:284
print_report+0x107/0x1f0 mm/kasan/report.c:395
kasan_report_invalid_free+0xac/0xd0 mm/kasan/report.c:460
____kasan_slab_free+0xfb/0x120
kasan_slab_free include/linux/kasan.h:177 [inline]
slab_free_hook mm/slub.c:1724 [inline]
slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1750
slab_free mm/slub.c:3661 [inline]
__kmem_cache_free+0x71/0x110 mm/slub.c:3674
diUnmount+0xef/0x100 fs/jfs/jfs_imap.c:195
jfs_umount+0x108/0x370 fs/jfs/jfs_umount.c:63
jfs_put_super+0x86/0x190 fs/jfs/super.c:194
generic_shutdown_super+0x130/0x310 fs/super.c:492
kill_block_super+0x79/0xd0 fs/super.c:1428
deactivate_locked_super+0xa7/0xf0 fs/super.c:332
cleanup_mnt+0x494/0x520 fs/namespace.c:1186
task_work_run+0x243/0x300 kernel/task_work.c:179
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0x664/0x2070 kernel/exit.c:820
do_group_exit+0x1fd/0x2b0 kernel/exit.c:950
__do_sys_exit_group kernel/exit.c:961 [inline]
__se_sys_exit_group kernel/exit.c:959 [inline]
__x64_sys_exit_group+0x3b/0x40 kernel/exit.c:959
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
[...]
JFS_IP(ipimap)->i_imap is not set to NULL after being freed in diUnmount().
If jfs_remount() frees JFS_IP(ipimap)->i_imap but then fails at diMount(),
JFS_IP(ipimap)->i_imap will be freed once again.
Fix this problem by setting JFS_IP(ipimap)->i_imap to NULL after free.
Reported-by: syzbot+90a11e6b1e810785c6ff@syzkaller.appspotmail.com
Signed-off-by: Liu Shixin <liushixin2@huawei.com>
---
fs/jfs/jfs_imap.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c
index 799d3837e7c2..4899663996d8 100644
--- a/fs/jfs/jfs_imap.c
+++ b/fs/jfs/jfs_imap.c
@@ -193,6 +193,7 @@ int diUnmount(struct inode *ipimap, int mounterror)
* free in-memory control structure
*/
kfree(imap);
+ JFS_IP(ipimap)->i_imap = NULL;
return (0);
}
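Review bot: the trailers above carry no Fixes: or Cc: stable@vger.kernel.org tag even though this is a syzbot-reported double free reachable through a failed remount, so stable maintainers have nothing to key the backport on; add a Fixes: line for the commit that introduced the remount teardown (or at least Cc: stable). Also consider a one-line comment above the new assignment, along the lines of "jfs_remount() may call diUnmount() again if diMount() fails", because a bare kfree()/NULL pair on a function-exit path reads as paranoia without it and the next refactor may drop it.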
--
2.25.1
+Tested-by: Andrew Kanner <andrew.kanner@gmail.com>
for https://lore.kernel.org/all/20221201124628.603505-1-liushixin2@huawei.com/T/

The next change complements the patch from Liu Shixin (see above).

Two patches for fs/jfs/jfs_{imap,dmap}.c fix syzkaller issues:
Link: https://syzkaller.appspot.com/bug?extid=9f06ddd18bf059dff2ad
Link: https://syzkaller.appspot.com/bug?extid=6a93efb725385bc4b2e9
Link: https://syzkaller.appspot.com/bug?extid=90a11e6b1e810785c6ff
Link: https://syzkaller.appspot.com/bug?extid=47366a6b503c7edf6bbb

And similar bugs from the other branches:
Link: https://syzkaller.appspot.com/bug?extid=cfff8c52c283dd09bf27
Link: https://syzkaller.appspot.com/bug?extid=e8f9034a130a66a2b351
Link: https://syzkaller.appspot.com/bug?extid=5c604c1cc148275ab8a6
Link: https://syzkaller.appspot.com/bug?extid=ea731a6641531af62f80
Link: https://syzkaller.appspot.com/bug?extid=b212249c28280daa4576

Andrew Kanner (1):
  fs/jfs: prevent double-free in dbUnmount() after failed jfs_remount()

 fs/jfs/jfs_dmap.c | 1 +
 1 file changed, 1 insertion(+)

-- 
2.39.3
Syzkaller reported the following issue:
==================================================================
BUG: KASAN: double-free in slab_free mm/slub.c:3787 [inline]
BUG: KASAN: double-free in __kmem_cache_free+0x71/0x110 mm/slub.c:3800
Free of addr ffff888086408000 by task syz-executor.4/12750
[...]
Call Trace:
<TASK>
[...]
kasan_report_invalid_free+0xac/0xd0 mm/kasan/report.c:482
____kasan_slab_free+0xfb/0x120
kasan_slab_free include/linux/kasan.h:177 [inline]
slab_free_hook mm/slub.c:1781 [inline]
slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1807
slab_free mm/slub.c:3787 [inline]
__kmem_cache_free+0x71/0x110 mm/slub.c:3800
dbUnmount+0xf4/0x110 fs/jfs/jfs_dmap.c:264
jfs_umount+0x248/0x3b0 fs/jfs/jfs_umount.c:87
jfs_put_super+0x86/0x190 fs/jfs/super.c:194
generic_shutdown_super+0x130/0x310 fs/super.c:492
kill_block_super+0x79/0xd0 fs/super.c:1386
deactivate_locked_super+0xa7/0xf0 fs/super.c:332
cleanup_mnt+0x494/0x520 fs/namespace.c:1291
task_work_run+0x243/0x300 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0x124/0x150 kernel/entry/common.c:171
exit_to_user_mode_prepare+0xb2/0x140 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:296
do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
[...]
</TASK>
Allocated by task 13352:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x3d/0x60 mm/kasan/common.c:52
____kasan_kmalloc mm/kasan/common.c:371 [inline]
__kasan_kmalloc+0x97/0xb0 mm/kasan/common.c:380
kmalloc include/linux/slab.h:580 [inline]
dbMount+0x54/0x980 fs/jfs/jfs_dmap.c:164
jfs_mount+0x1dd/0x830 fs/jfs/jfs_mount.c:121
jfs_fill_super+0x590/0xc50 fs/jfs/super.c:556
mount_bdev+0x26c/0x3a0 fs/super.c:1359
legacy_get_tree+0xea/0x180 fs/fs_context.c:610
vfs_get_tree+0x88/0x270 fs/super.c:1489
do_new_mount+0x289/0xad0 fs/namespace.c:3145
do_mount fs/namespace.c:3488 [inline]
__do_sys_mount fs/namespace.c:3697 [inline]
__se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3674
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Freed by task 13352:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x3d/0x60 mm/kasan/common.c:52
kasan_save_free_info+0x27/0x40 mm/kasan/generic.c:518
____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236
kasan_slab_free include/linux/kasan.h:177 [inline]
slab_free_hook mm/slub.c:1781 [inline]
slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1807
slab_free mm/slub.c:3787 [inline]
__kmem_cache_free+0x71/0x110 mm/slub.c:3800
dbUnmount+0xf4/0x110 fs/jfs/jfs_dmap.c:264
jfs_mount_rw+0x545/0x740 fs/jfs/jfs_mount.c:247
jfs_remount+0x3db/0x710 fs/jfs/super.c:454
reconfigure_super+0x3bc/0x7b0 fs/super.c:935
vfs_fsconfig_locked fs/fsopen.c:254 [inline]
__do_sys_fsconfig fs/fsopen.c:439 [inline]
__se_sys_fsconfig+0xad5/0x1060 fs/fsopen.c:314
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
[...]
JFS_SBI(ipbmap->i_sb)->bmap wasn't set to NULL after kfree() in
dbUnmount().
Syzkaller uses faultinject to reproduce this KASAN double-free
warning. The issue is triggered if either diMount() or dbMount() fails
in jfs_remount(), since diUnmount() or dbUnmount() has already happened in
that case; they will double-free on the next execution of jfs_umount()
or jfs_remount().
Tested on both upstream and jfs-next by syzkaller.
Reported-and-tested-by: syzbot+6a93efb725385bc4b2e9@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/000000000000471f2d05f1ce8bad@google.com/T/
Link: https://syzkaller.appspot.com/bug?extid=6a93efb725385bc4b2e9
Signed-off-by: Andrew Kanner <andrew.kanner@gmail.com>
---
fs/jfs/jfs_dmap.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index a14a0f18a4c4..88afd108c2dd 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -269,6 +269,7 @@ int dbUnmount(struct inode *ipbmap, int mounterror)
/* free the memory for the in-memory bmap. */
kfree(bmp);
+ JFS_SBI(ipbmap->i_sb)->bmap = NULL;
return (0);
}
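Review bot: resetting JFS_SBI(ipbmap->i_sb)->bmap after kfree(bmp) turns the second kfree() into a no-op, but the local bmp that kfree() takes must have been read from that same field earlier in dbUnmount(), and the lines between that read and the free (the sync and page-cache invalidation the function does first) are outside this hunk; confirm that none of them dereference bmp when jfs_umount() reaches dbUnmount() a second time after a failed remount, otherwise the patch trades a double free for a NULL dereference on the same path. A short comment above the assignment naming the failed-remount case would also help the next reader, since the commit message is the only place that rationale lives.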
--
2.39.3
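Both commit messages describe the same lifecycle bug: a teardown routine frees a map that a superblock-level field still points at, a rebuild fails, and the next teardown (unmount, or another remount) frees the stale pointer again. The following is an added example written for this page, not code from fs/jfs or from either patch: a user-space model of that sequence for the dbUnmount()/bmap case, which covers the diUnmount()/i_imap case as well since the shape is identical. A small tracked allocator stands in for KASAN and counts an invalid free instead of corrupting the heap, so the double free can be run safely. Every identifier here (model_sb, model_dbMount, model_remount, tracked_alloc, tracked_free, run_scenario) is this example's own, and the hard-coded allocation size and fault injection are assumptions made for illustration.

```c
/*
 * Added example, not code from fs/jfs or from the patches above. Models
 * mount -> remount with a failed rebuild -> umount (or remount again),
 * with and without the one-line pointer reset the patches add.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LIVE 16

static void *live[MAX_LIVE];	/* allocations currently owned by a caller */
static int invalid_frees;	/* what KASAN would report as "double-free" */

/* Allocate and register the block so tracked_free() can validate it. */
static void *tracked_alloc(size_t n)
{
	void *p = calloc(1, n);
	int i;

	for (i = 0; p && i < MAX_LIVE; i++) {
		if (!live[i]) {
			live[i] = p;
			return p;
		}
	}
	free(p);
	return NULL;
}

/* Same contract as kfree(): NULL is a no-op, a non-live pointer is a bug. */
static void tracked_free(void *p)
{
	int i;

	if (!p)
		return;
	for (i = 0; i < MAX_LIVE; i++) {
		if (live[i] == p) {
			live[i] = NULL;
			free(p);
			return;
		}
	}
	invalid_frees++;	/* KASAN: "BUG: KASAN: double-free" */
}

/* Stand-in for the per-superblock field JFS_SBI(sb)->bmap. */
struct model_sb {
	void *bmap;
};

/* Stand-in for dbMount(): allocate the in-memory map; may fail. */
static int model_dbMount(struct model_sb *sb, int inject_fault)
{
	if (inject_fault)
		return -1;	/* error return forced by fault injection */
	sb->bmap = tracked_alloc(64);	/* size is an assumption */
	return sb->bmap ? 0 : -1;
}

/* Stand-in for dbUnmount(); reset_ptr selects pre- or post-patch behaviour. */
static void model_dbUnmount(struct model_sb *sb, int reset_ptr)
{
	tracked_free(sb->bmap);
	if (reset_ptr)
		sb->bmap = NULL;	/* the one-line fix from the patch */
}

/* Stand-in for the r/o -> r/w part of jfs_remount(): tear down, rebuild. */
static int model_remount(struct model_sb *sb, int reset_ptr, int inject_fault)
{
	model_dbUnmount(sb, reset_ptr);
	return model_dbMount(sb, inject_fault);
}

/*
 * mount, remount with the rebuild forced to fail, optionally remount once
 * more, then umount. Returns the number of invalid frees observed:
 * 1 without the pointer reset, 0 with it.
 */
int run_scenario(int reset_ptr, int second_remount)
{
	struct model_sb sb = { NULL };

	memset(live, 0, sizeof(live));
	invalid_frees = 0;

	if (model_dbMount(&sb, 0) != 0)
		return -1;
	(void)model_remount(&sb, reset_ptr, 1);		/* rebuild fails */
	if (second_remount)
		(void)model_remount(&sb, reset_ptr, 0);	/* jfs_remount() again */
	model_dbUnmount(&sb, reset_ptr);		/* jfs_umount() path */
	return invalid_frees;
}

int main(void)
{
	printf("umount after failed remount:  without fix %d, with fix %d\n",
	       run_scenario(0, 0), run_scenario(1, 0));
	printf("remount after failed remount: without fix %d, with fix %d\n",
	       run_scenario(0, 1), run_scenario(1, 1));
	return 0;
}
```

The point the model makes explicit is that the fix relies on kfree(NULL) being a no-op: resetting the field does not stop the teardown from running twice, it only makes the second run harmless, which is why a reviewer also has to check that the code between the pointer load and the free tolerates NULL.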
On Sat, Jul 01, 2023 at 05:05:42PM +0300, Andrew Kanner wrote:
> Syzkaller reported the following issue:
> ==================================================================
> BUG: KASAN: double-free in slab_free mm/slub.c:3787 [inline]
> BUG: KASAN: double-free in __kmem_cache_free+0x71/0x110 mm/slub.c:3800
> Free of addr ffff888086408000 by task syz-executor.4/12750
> [...]
> Call Trace:
> <TASK>
> [...]
> kasan_report_invalid_free+0xac/0xd0 mm/kasan/report.c:482
> ____kasan_slab_free+0xfb/0x120
> kasan_slab_free include/linux/kasan.h:177 [inline]
> slab_free_hook mm/slub.c:1781 [inline]
> slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1807
> slab_free mm/slub.c:3787 [inline]
> __kmem_cache_free+0x71/0x110 mm/slub.c:3800
> dbUnmount+0xf4/0x110 fs/jfs/jfs_dmap.c:264
> jfs_umount+0x248/0x3b0 fs/jfs/jfs_umount.c:87
> jfs_put_super+0x86/0x190 fs/jfs/super.c:194
> generic_shutdown_super+0x130/0x310 fs/super.c:492
> kill_block_super+0x79/0xd0 fs/super.c:1386
> deactivate_locked_super+0xa7/0xf0 fs/super.c:332
> cleanup_mnt+0x494/0x520 fs/namespace.c:1291
> task_work_run+0x243/0x300 kernel/task_work.c:179
> resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
> exit_to_user_mode_loop+0x124/0x150 kernel/entry/common.c:171
> exit_to_user_mode_prepare+0xb2/0x140 kernel/entry/common.c:203
> __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
> syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:296
> do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86
> entry_SYSCALL_64_after_hwframe+0x63/0xcd
> [...]
> </TASK>
> 
> Allocated by task 13352:
> kasan_save_stack mm/kasan/common.c:45 [inline]
> kasan_set_track+0x3d/0x60 mm/kasan/common.c:52
> ____kasan_kmalloc mm/kasan/common.c:371 [inline]
> __kasan_kmalloc+0x97/0xb0 mm/kasan/common.c:380
> kmalloc include/linux/slab.h:580 [inline]
> dbMount+0x54/0x980 fs/jfs/jfs_dmap.c:164
> jfs_mount+0x1dd/0x830 fs/jfs/jfs_mount.c:121
> jfs_fill_super+0x590/0xc50 fs/jfs/super.c:556
> mount_bdev+0x26c/0x3a0 fs/super.c:1359
> legacy_get_tree+0xea/0x180 fs/fs_context.c:610
> vfs_get_tree+0x88/0x270 fs/super.c:1489
> do_new_mount+0x289/0xad0 fs/namespace.c:3145
> do_mount fs/namespace.c:3488 [inline]
> __do_sys_mount fs/namespace.c:3697 [inline]
> __se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3674
> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
> entry_SYSCALL_64_after_hwframe+0x63/0xcd
> 
> Freed by task 13352:
> kasan_save_stack mm/kasan/common.c:45 [inline]
> kasan_set_track+0x3d/0x60 mm/kasan/common.c:52
> kasan_save_free_info+0x27/0x40 mm/kasan/generic.c:518
> ____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236
> kasan_slab_free include/linux/kasan.h:177 [inline]
> slab_free_hook mm/slub.c:1781 [inline]
> slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1807
> slab_free mm/slub.c:3787 [inline]
> __kmem_cache_free+0x71/0x110 mm/slub.c:3800
> dbUnmount+0xf4/0x110 fs/jfs/jfs_dmap.c:264
> jfs_mount_rw+0x545/0x740 fs/jfs/jfs_mount.c:247
> jfs_remount+0x3db/0x710 fs/jfs/super.c:454
> reconfigure_super+0x3bc/0x7b0 fs/super.c:935
> vfs_fsconfig_locked fs/fsopen.c:254 [inline]
> __do_sys_fsconfig fs/fsopen.c:439 [inline]
> __se_sys_fsconfig+0xad5/0x1060 fs/fsopen.c:314
> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
> entry_SYSCALL_64_after_hwframe+0x63/0xcd
> [...]
> 
> JFS_SBI(ipbmap->i_sb)->bmap wasn't set to NULL after kfree() in
> dbUnmount().
> 
> Syzkaller uses faultinject to reproduce this KASAN double-free
> warning. The issue is triggered if either diMount() or dbMount() fail
> in jfs_remount(), since diUnmount() or dbUnmount() already happened in
> such a case - they will do double-free on next execution: jfs_umount
> or jfs_remount.
> 
> Tested on both upstream and jfs-next by syzkaller.
> 
> Reported-and-tested-by: syzbot+6a93efb725385bc4b2e9@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/all/000000000000471f2d05f1ce8bad@google.com/T/
> Link: https://syzkaller.appspot.com/bug?extid=6a93efb725385bc4b2e9
> Signed-off-by: Andrew Kanner <andrew.kanner@gmail.com>
> ---
>  fs/jfs/jfs_dmap.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
> index a14a0f18a4c4..88afd108c2dd 100644
> --- a/fs/jfs/jfs_dmap.c
> +++ b/fs/jfs/jfs_dmap.c
> @@ -269,6 +269,7 @@ int dbUnmount(struct inode *ipbmap, int mounterror)
>  
>  	/* free the memory for the in-memory bmap. */
>  	kfree(bmp);
> +	JFS_SBI(ipbmap->i_sb)->bmap = NULL;
>  
>  	return (0);
>  }
> -- 
> 2.39.3
> 

Hi, Dave.
Are there any objections?
Or maybe suggestions on how to test both my patch and the patch from
Liu Shixin (some corner cases)?
On 7/18/23 10:39AM, Andrew Kanner wrote:
> On Sat, Jul 01, 2023 at 05:05:42PM +0300, Andrew Kanner wrote:
>> Syzkaller reported the following issue:
>> ==================================================================
>> BUG: KASAN: double-free in slab_free mm/slub.c:3787 [inline]
>> BUG: KASAN: double-free in __kmem_cache_free+0x71/0x110 mm/slub.c:3800
>> Free of addr ffff888086408000 by task syz-executor.4/12750
>> [...]
>> Call Trace:
>> <TASK>
>> [...]
>> kasan_report_invalid_free+0xac/0xd0 mm/kasan/report.c:482
>> ____kasan_slab_free+0xfb/0x120
>> kasan_slab_free include/linux/kasan.h:177 [inline]
>> slab_free_hook mm/slub.c:1781 [inline]
>> slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1807
>> slab_free mm/slub.c:3787 [inline]
>> __kmem_cache_free+0x71/0x110 mm/slub.c:3800
>> dbUnmount+0xf4/0x110 fs/jfs/jfs_dmap.c:264
>> jfs_umount+0x248/0x3b0 fs/jfs/jfs_umount.c:87
>> jfs_put_super+0x86/0x190 fs/jfs/super.c:194
>> generic_shutdown_super+0x130/0x310 fs/super.c:492
>> kill_block_super+0x79/0xd0 fs/super.c:1386
>> deactivate_locked_super+0xa7/0xf0 fs/super.c:332
>> cleanup_mnt+0x494/0x520 fs/namespace.c:1291
>> task_work_run+0x243/0x300 kernel/task_work.c:179
>> resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
>> exit_to_user_mode_loop+0x124/0x150 kernel/entry/common.c:171
>> exit_to_user_mode_prepare+0xb2/0x140 kernel/entry/common.c:203
>> __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
>> syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:296
>> do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86
>> entry_SYSCALL_64_after_hwframe+0x63/0xcd
>> [...]
>> </TASK>
>>
>> Allocated by task 13352:
>> kasan_save_stack mm/kasan/common.c:45 [inline]
>> kasan_set_track+0x3d/0x60 mm/kasan/common.c:52
>> ____kasan_kmalloc mm/kasan/common.c:371 [inline]
>> __kasan_kmalloc+0x97/0xb0 mm/kasan/common.c:380
>> kmalloc include/linux/slab.h:580 [inline]
>> dbMount+0x54/0x980 fs/jfs/jfs_dmap.c:164
>> jfs_mount+0x1dd/0x830 fs/jfs/jfs_mount.c:121
>> jfs_fill_super+0x590/0xc50 fs/jfs/super.c:556
>> mount_bdev+0x26c/0x3a0 fs/super.c:1359
>> legacy_get_tree+0xea/0x180 fs/fs_context.c:610
>> vfs_get_tree+0x88/0x270 fs/super.c:1489
>> do_new_mount+0x289/0xad0 fs/namespace.c:3145
>> do_mount fs/namespace.c:3488 [inline]
>> __do_sys_mount fs/namespace.c:3697 [inline]
>> __se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3674
>> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>> do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
>> entry_SYSCALL_64_after_hwframe+0x63/0xcd
>>
>> Freed by task 13352:
>> kasan_save_stack mm/kasan/common.c:45 [inline]
>> kasan_set_track+0x3d/0x60 mm/kasan/common.c:52
>> kasan_save_free_info+0x27/0x40 mm/kasan/generic.c:518
>> ____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236
>> kasan_slab_free include/linux/kasan.h:177 [inline]
>> slab_free_hook mm/slub.c:1781 [inline]
>> slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1807
>> slab_free mm/slub.c:3787 [inline]
>> __kmem_cache_free+0x71/0x110 mm/slub.c:3800
>> dbUnmount+0xf4/0x110 fs/jfs/jfs_dmap.c:264
>> jfs_mount_rw+0x545/0x740 fs/jfs/jfs_mount.c:247
>> jfs_remount+0x3db/0x710 fs/jfs/super.c:454
>> reconfigure_super+0x3bc/0x7b0 fs/super.c:935
>> vfs_fsconfig_locked fs/fsopen.c:254 [inline]
>> __do_sys_fsconfig fs/fsopen.c:439 [inline]
>> __se_sys_fsconfig+0xad5/0x1060 fs/fsopen.c:314
>> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>> do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
>> entry_SYSCALL_64_after_hwframe+0x63/0xcd
>> [...]
>>
>> JFS_SBI(ipbmap->i_sb)->bmap wasn't set to NULL after kfree() in
>> dbUnmount().
>>
>> Syzkaller uses faultinject to reproduce this KASAN double-free
>> warning. The issue is triggered if either diMount() or dbMount() fail
>> in jfs_remount(), since diUnmount() or dbUnmount() already happened in
>> such a case - they will do double-free on next execution: jfs_umount
>> or jfs_remount.
>>
>> Tested on both upstream and jfs-next by syzkaller.
>>
>> Reported-and-tested-by: syzbot+6a93efb725385bc4b2e9@syzkaller.appspotmail.com
>> Closes: https://lore.kernel.org/all/000000000000471f2d05f1ce8bad@google.com/T/
>> Link: https://syzkaller.appspot.com/bug?extid=6a93efb725385bc4b2e9
>> Signed-off-by: Andrew Kanner <andrew.kanner@gmail.com>
>> ---
>>  fs/jfs/jfs_dmap.c | 1 +
>>  1 file changed, 1 insertion(+)
>>
>> diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
>> index a14a0f18a4c4..88afd108c2dd 100644
>> --- a/fs/jfs/jfs_dmap.c
>> +++ b/fs/jfs/jfs_dmap.c
>> @@ -269,6 +269,7 @@ int dbUnmount(struct inode *ipbmap, int mounterror)
>>  
>>  	/* free the memory for the in-memory bmap. */
>>  	kfree(bmp);
>> +	JFS_SBI(ipbmap->i_sb)->bmap = NULL;
>>  
>>  	return (0);
>>  }
>> -- 
>> 2.39.3
>>
> 
> Hi, Dave.
> Are there any objections?
> Or maybe suggestions on how to test both my patch and the patch from
> Liu Shixin (some corner cases)?

Sorry. I got behind. I'll try to catch up on these today (or very soon if
something more urgent pops up).

Shaggy
On 7/18/23 10:39AM, Andrew Kanner wrote:
> On Sat, Jul 01, 2023 at 05:05:42PM +0300, Andrew Kanner wrote:
>> Syzkaller reported the following issue:
>> ==================================================================
>> BUG: KASAN: double-free in slab_free mm/slub.c:3787 [inline]
>> BUG: KASAN: double-free in __kmem_cache_free+0x71/0x110 mm/slub.c:3800
>> Free of addr ffff888086408000 by task syz-executor.4/12750
>> [...]
>> Call Trace:
>> <TASK>
>> [...]
>> kasan_report_invalid_free+0xac/0xd0 mm/kasan/report.c:482
>> ____kasan_slab_free+0xfb/0x120
>> kasan_slab_free include/linux/kasan.h:177 [inline]
>> slab_free_hook mm/slub.c:1781 [inline]
>> slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1807
>> slab_free mm/slub.c:3787 [inline]
>> __kmem_cache_free+0x71/0x110 mm/slub.c:3800
>> dbUnmount+0xf4/0x110 fs/jfs/jfs_dmap.c:264
>> jfs_umount+0x248/0x3b0 fs/jfs/jfs_umount.c:87
>> jfs_put_super+0x86/0x190 fs/jfs/super.c:194
>> generic_shutdown_super+0x130/0x310 fs/super.c:492
>> kill_block_super+0x79/0xd0 fs/super.c:1386
>> deactivate_locked_super+0xa7/0xf0 fs/super.c:332
>> cleanup_mnt+0x494/0x520 fs/namespace.c:1291
>> task_work_run+0x243/0x300 kernel/task_work.c:179
>> resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
>> exit_to_user_mode_loop+0x124/0x150 kernel/entry/common.c:171
>> exit_to_user_mode_prepare+0xb2/0x140 kernel/entry/common.c:203
>> __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
>> syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:296
>> do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86
>> entry_SYSCALL_64_after_hwframe+0x63/0xcd
>> [...]
>> </TASK>
>>
>> Allocated by task 13352:
>> kasan_save_stack mm/kasan/common.c:45 [inline]
>> kasan_set_track+0x3d/0x60 mm/kasan/common.c:52
>> ____kasan_kmalloc mm/kasan/common.c:371 [inline]
>> __kasan_kmalloc+0x97/0xb0 mm/kasan/common.c:380
>> kmalloc include/linux/slab.h:580 [inline]
>> dbMount+0x54/0x980 fs/jfs/jfs_dmap.c:164
>> jfs_mount+0x1dd/0x830 fs/jfs/jfs_mount.c:121
>> jfs_fill_super+0x590/0xc50 fs/jfs/super.c:556
>> mount_bdev+0x26c/0x3a0 fs/super.c:1359
>> legacy_get_tree+0xea/0x180 fs/fs_context.c:610
>> vfs_get_tree+0x88/0x270 fs/super.c:1489
>> do_new_mount+0x289/0xad0 fs/namespace.c:3145
>> do_mount fs/namespace.c:3488 [inline]
>> __do_sys_mount fs/namespace.c:3697 [inline]
>> __se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3674
>> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>> do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
>> entry_SYSCALL_64_after_hwframe+0x63/0xcd
>>
>> Freed by task 13352:
>> kasan_save_stack mm/kasan/common.c:45 [inline]
>> kasan_set_track+0x3d/0x60 mm/kasan/common.c:52
>> kasan_save_free_info+0x27/0x40 mm/kasan/generic.c:518
>> ____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236
>> kasan_slab_free include/linux/kasan.h:177 [inline]
>> slab_free_hook mm/slub.c:1781 [inline]
>> slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1807
>> slab_free mm/slub.c:3787 [inline]
>> __kmem_cache_free+0x71/0x110 mm/slub.c:3800
>> dbUnmount+0xf4/0x110 fs/jfs/jfs_dmap.c:264
>> jfs_mount_rw+0x545/0x740 fs/jfs/jfs_mount.c:247
>> jfs_remount+0x3db/0x710 fs/jfs/super.c:454
>> reconfigure_super+0x3bc/0x7b0 fs/super.c:935
>> vfs_fsconfig_locked fs/fsopen.c:254 [inline]
>> __do_sys_fsconfig fs/fsopen.c:439 [inline]
>> __se_sys_fsconfig+0xad5/0x1060 fs/fsopen.c:314
>> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>> do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
>> entry_SYSCALL_64_after_hwframe+0x63/0xcd
>> [...]
>>
>> JFS_SBI(ipbmap->i_sb)->bmap wasn't set to NULL after kfree() in
>> dbUnmount().
>>
>> Syzkaller uses faultinject to reproduce this KASAN double-free
>> warning. The issue is triggered if either diMount() or dbMount() fail
>> in jfs_remount(), since diUnmount() or dbUnmount() already happened in
>> such a case - they will do double-free on next execution: jfs_umount
>> or jfs_remount.
>>
>> Tested on both upstream and jfs-next by syzkaller.
>>
>> Reported-and-tested-by: syzbot+6a93efb725385bc4b2e9@syzkaller.appspotmail.com
>> Closes: https://lore.kernel.org/all/000000000000471f2d05f1ce8bad@google.com/T/
>> Link: https://syzkaller.appspot.com/bug?extid=6a93efb725385bc4b2e9
>> Signed-off-by: Andrew Kanner <andrew.kanner@gmail.com>
>> ---
>>  fs/jfs/jfs_dmap.c | 1 +
>>  1 file changed, 1 insertion(+)
>>
>> diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
>> index a14a0f18a4c4..88afd108c2dd 100644
>> --- a/fs/jfs/jfs_dmap.c
>> +++ b/fs/jfs/jfs_dmap.c
>> @@ -269,6 +269,7 @@ int dbUnmount(struct inode *ipbmap, int mounterror)
>>  
>>  	/* free the memory for the in-memory bmap. */
>>  	kfree(bmp);
>> +	JFS_SBI(ipbmap->i_sb)->bmap = NULL;
>>  
>>  	return (0);
>>  }
>> -- 
>> 2.39.3
>>
> 
> Hi, Dave.
> Are there any objections?
> Or maybe suggestions on how to test both my patch and the patch from
> Liu Shixin (some corner cases)?

Looks good. Applied.

Thanks,
Shaggy
© 2016 - 2025 Red Hat, Inc.