KASAN: slab-use-after-free in jfs_readdir
From: Shuangpeng Bai
Date: Tue May 21 2024 - 23:37:42 EST
Hi Kernel Maintainers,
Our tool found a kernel bug, KASAN: slab-use-after-free in jfs_readdir. Please see the details below. In the report, the read at fs/jfs/jfs_dtree.c:2867 hits a jfs_mp object that was freed by release_metapage called from jfs_readdir (fs/jfs/jfs_dtree.c:3172, via fs/jfs/jfs_dtree.c:2860) in the same task, so the metapage appears to be released and then dereferenced within the same readdir call.
Kernel commit: v6.9 (Commits on May 12, 2024)
Kernel config: attachment
C/Syz reproducer: attachment
Please let me know if there is anything I can help with.
Best,
Shuangpeng
[ 99.923868][ T8134] ==================================================================
[ 99.927244][ T8134] BUG: KASAN: slab-use-after-free in jfs_readdir (fs/jfs/jfs_dtree.c:2867)
[ 99.930329][ T8134] Read of size 8 at addr ffff888015b4b030 by task a.out/8134
[ 99.932158][ T8134]
[ 99.932758][ T8134] CPU: 0 PID: 8134 Comm: a.out Not tainted 6.9.0 #8
[ 99.934454][ T8134] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[ 99.936720][ T8134] Call Trace:
[ 99.937548][ T8134] <TASK>
[ 99.938278][ T8134] dump_stack_lvl (lib/dump_stack.c:117)
[ 99.940734][ T8134] print_report (mm/kasan/report.c:378 mm/kasan/report.c:488)
[ 99.941776][ T8134] ? __phys_addr (arch/x86/mm/physaddr.c:32 (discriminator 4))
[ 99.942884][ T8134] ? jfs_readdir (fs/jfs/jfs_dtree.c:2867)
[ 99.944073][ T8134] kasan_report (mm/kasan/report.c:603)
[ 99.945162][ T8134] ? jfs_readdir (fs/jfs/jfs_dtree.c:2867)
[ 99.946340][ T8134] jfs_readdir (fs/jfs/jfs_dtree.c:2867)
[ 99.947428][ T8134] ? __x64_sys_openat (fs/open.c:1432)
[ 99.948441][ T8134] ? entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
[ 99.949671][ T8134] ? __pfx_path_openat (fs/namei.c:3781)
[ 99.950690][ T8134] ? __pfx__raw_spin_lock_irqsave (kernel/locking/spinlock.c:161)
[ 99.951849][ T8134] ? page_table_check_set (mm/page_table_check.c:126 mm/page_table_check.c:97)
[ 99.952953][ T8134] ? __pfx_jfs_readdir (fs/jfs/jfs_dtree.c:2701)
[ 99.954027][ T8134] ? debug_check_no_obj_freed (lib/debugobjects.c:1000 lib/debugobjects.c:1019)
[ 99.955184][ T8134] ? _raw_spin_lock (./arch/x86/include/asm/atomic.h:115 /include/linux/atomic/atomic-arch-fallback.h:2170 /include/linux/atomic/atomic-instrumented.h:1302 /include/asm-generic/qspinlock.h:111 ./include/linux/spinlock.h:187 /include/linux/spinlock_api_smp.h:134 kernel/locking/spinlock.c:154)
[ 99.956205][ T8134] ? putname (fs/namei.c:274)
[ 99.957098][ T8134] ? down_write (./arch/x86/include/asm/preempt.h:103 kernel/locking/rwsem.c:1309 kernel/locking/rwsem.c:1315 kernel/locking/rwsem.c:1580)
[ 99.958044][ T8134] ? __pfx_down_write (kernel/locking/rwsem.c:1577)
[ 99.959308][ T8134] ? down_read_killable (./arch/x86/include/asm/preempt.h:103 kernel/locking/rwsem.c:1257 kernel/locking/rwsem.c:1273 kernel/locking/rwsem.c:1551)
[ 99.960630][ T8134] ? __pfx_down_read_killable (kernel/locking/rwsem.c:1547)
[ 99.961940][ T8134] ? selinux_file_permission (security/selinux/hooks.c:3643)
[ 99.963309][ T8134] ? __pfx_jfs_readdir (fs/jfs/jfs_dtree.c:2701)
[ 99.964537][ T8134] wrap_directory_iterator (fs/readdir.c:67)
[ 99.965930][ T8134] iterate_dir (fs/readdir.c:111)
[ 99.967099][ T8134] __x64_sys_getdents64 (fs/readdir.c:410 fs/readdir.c:394 fs/readdir.c:394)
[ 99.968427][ T8134] ? __pfx___x64_sys_getdents64 (fs/readdir.c:394)
[ 99.969867][ T8134] ? mutex_unlock (./arch/x86/include/asm/atomic64_64.h:109 /include/linux/atomic/atomic-arch-fallback.h:4329 /include/linux/atomic/atomic-long.h:1506 /include/linux/atomic/atomic-instrumented.h:4481 kernel/locking/mutex.c:181 kernel/locking/mutex.c:545)
[ 99.970927][ T8134] ? __pfx_filldir64 (fs/readdir.c:352)
[ 99.972073][ T8134] ? fpregs_assert_state_consistent (arch/x86/kernel/fpu/context.h:38 arch/x86/kernel/fpu/core.c:822)
[ 99.973562][ T8134] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
[ 99.974580][ T8134] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
[ 99.975780][ T8134] RIP: 0033:0x7fd5a43b473d
[ 99.976695][ T8134] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 78
All code
========
0: 00 c3 add %al,%bl
2: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)
9: 00 00 00
c: 90 nop
d: f3 0f 1e fa endbr64
11: 48 89 f8 mov %rdi,%rax
14: 48 89 f7 mov %rsi,%rdi
17: 48 89 d6 mov %rdx,%rsi
1a: 48 89 ca mov %rcx,%rdx
1d: 4d 89 c2 mov %r8,%r10
20: 4d 89 c8 mov %r9,%r8
23: 4c 8b 4c 24 08 mov 0x8(%rsp),%r9
28: 0f 05 syscall
2a:* 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax <-- trapping instruction
30: 78 .byte 0x78
Code starting with the faulting instruction
===========================================
0: 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax
6: 78 .byte 0x78
[ 99.980674][ T8134] RSP: 002b:00007ffc8e81ca28 EFLAGS: 00000203 ORIG_RAX: 00000000000000d9
[ 99.982594][ T8134] RAX: ffffffffffffffda RBX: 00005616907c2360 RCX: 00007fd5a43b473d
[ 99.984540][ T8134] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
[ 99.986532][ T8134] RBP: 00007ffc8e81ca40 R08: 00007ffc8e81cb30 R09: 00007ffc8e81cb30
[ 99.988451][ T8134] R10: 00007ffc8e81cb30 R11: 0000000000000203 R12: 00005616907c03c0
[ 99.990408][ T8134] R13: 00007ffc8e81cb30 R14: 0000000000000000 R15: 0000000000000000
[ 99.992446][ T8134] </TASK>
[ 99.993198][ T8134]
[ 99.993769][ T8134] Allocated by task 8101:
[ 99.994870][ T8134] kasan_save_stack (mm/kasan/common.c:48)
[ 99.996017][ T8134] kasan_save_track (./arch/x86/include/asm/current.h:49 mm/kasan/common.c:60 mm/kasan/common.c:69)
[ 99.997094][ T8134] __kasan_slab_alloc (mm/kasan/common.c:341)
[ 99.998119][ T8134] kmem_cache_alloc (mm/slub.c:3805 mm/slub.c:3851 mm/slub.c:3858)
[ 99.999428][ T8134] mempool_alloc (mm/mempool.c:409)
[ 100.001222][ T8134] __get_metapage (fs/jfs/jfs_metapage.c:178 fs/jfs/jfs_metapage.c:651)
[ 100.003051][ T8134] dtSplitRoot (fs/jfs/jfs_dtree.c:1908 (discriminator 3))
[ 100.004820][ T8134] dtSplitUp (fs/jfs/jfs_dtree.c:992)
[ 100.006625][ T8134] dtInsert (fs/jfs/jfs_dtree.c:868)
[ 100.008164][ T8134] jfs_create (fs/jfs/namei.c:137)
[ 100.009763][ T8134] path_openat (fs/namei.c:3499 fs/namei.c:3566 fs/namei.c:3796)
[ 100.011622][ T8134] do_filp_open (fs/namei.c:3827)
[ 100.013413][ T8134] do_sys_openat2 (fs/open.c:1407)
[ 100.015181][ T8134] __x64_sys_openat (fs/open.c:1432)
[ 100.016978][ T8134] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
[ 100.018664][ T8134] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
[ 100.020899][ T8134]
[ 100.021806][ T8134] Freed by task 8134:
[ 100.023259][ T8134] kasan_save_stack (mm/kasan/common.c:48)
[ 100.025141][ T8134] kasan_save_track (./arch/x86/include/asm/current.h:49 mm/kasan/common.c:60 mm/kasan/common.c:69)
[ 100.027001][ T8134] kasan_save_free_info (mm/kasan/generic.c:582)
[ 100.028923][ T8134] __kasan_slab_free (mm/kasan/common.c:274)
[ 100.030752][ T8134] kmem_cache_free (mm/slub.c:4286 mm/slub.c:4350)
[ 100.032665][ T8134] mempool_free (mm/mempool.c:555)
[ 100.034385][ T8134] release_metapage (fs/jfs/jfs_metapage.c:788)
[ 100.036318][ T8134] jfs_readdir (fs/jfs/jfs_dtree.c:3172 fs/jfs/jfs_dtree.c:2860)
[ 100.038083][ T8134] wrap_directory_iterator (fs/readdir.c:67)
[ 100.040219][ T8134] iterate_dir (fs/readdir.c:111)
[ 100.042567][ T8134] __x64_sys_getdents64 (fs/readdir.c:410 fs/readdir.c:394 fs/readdir.c:394)
[ 100.044639][ T8134] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
[ 100.046310][ T8134] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
[ 100.048685][ T8134]
[ 100.049566][ T8134] The buggy address belongs to the object at ffff888015b4b000
[ 100.049566][ T8134] which belongs to the cache jfs_mp of size 128
[ 100.054906][ T8134] The buggy address is located 48 bytes inside of
[ 100.054906][ T8134] freed 128-byte region [ffff888015b4b000, ffff888015b4b080)
[ 100.059909][ T8134]
[ 100.060839][ T8134] The buggy address belongs to the physical page:
[ 100.063438][ T8134] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x15b4b
[ 100.066660][ T8134] flags: 0xfff00000000800(slab|node=0|zone=1|lastcpupid=0x7ff)
[ 100.069588][ T8134] page_type: 0xffffffff()
[ 100.071264][ T8134] raw: 00fff00000000800 ffff8881462b5140 dead000000000122 0000000000000000
[ 100.074666][ T8134] raw: 0000000000000000 0000000080150015 00000001ffffffff 0000000000000000
[ 100.077860][ T8134] page dumped because: kasan: bad access detected
[ 100.084408][ T8134] page_owner tracks the page as allocated
[ 100.085611][ T8134] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x92800(GFP_NOWAIT|__GFP_NORETRY|__GFP_NOMEMALLOC), pid 8101, tgid 8101 (a.out), ts 85516
[ 100.089422][ T8134] post_alloc_hook (./include/linux/page_owner.h:32 mm/page_alloc.c:1534)
[ 100.090456][ T8134] get_page_from_freelist (mm/page_alloc.c:1543 mm/page_alloc.c:3317)
[ 100.091556][ T8134] __alloc_pages (mm/page_alloc.c:4576)
[ 100.092516][ T8134] allocate_slab (mm/slub.c:2181 mm/slub.c:2343)
[ 100.094078][ T8134] ___slab_alloc (mm/slub.c:3531)
[ 100.095051][ T8134] __slab_alloc.constprop.0 (mm/slub.c:3615)
[ 100.096199][ T8134] kmem_cache_alloc (mm/slub.c:3668 mm/slub.c:3841 mm/slub.c:3858)
[ 100.097220][ T8134] mempool_alloc (mm/mempool.c:409)
[ 100.098198][ T8134] __get_metapage (fs/jfs/jfs_metapage.c:178 fs/jfs/jfs_metapage.c:651)
[ 100.099189][ T8134] dtSplitRoot (fs/jfs/jfs_dtree.c:1908 (discriminator 3))
[ 100.100170][ T8134] dtSplitUp (fs/jfs/jfs_dtree.c:992)
[ 100.101104][ T8134] dtInsert (fs/jfs/jfs_dtree.c:868)
[ 100.101958][ T8134] jfs_create (fs/jfs/namei.c:137)
[ 100.102871][ T8134] path_openat (fs/namei.c:3499 fs/namei.c:3566 fs/namei.c:3796)
[ 100.103852][ T8134] do_filp_open (fs/namei.c:3827)
[ 100.104830][ T8134] do_sys_openat2 (fs/open.c:1407)
[ 100.105871][ T8134] page last free pid 8101 tgid 8101 stack trace:
[ 100.107227][ T8134] free_unref_page_prepare (./include/linux/page_owner.h:25 mm/page_alloc.c:1141 mm/page_alloc.c:2347)
[ 100.108596][ T8134] free_unref_folios (mm/page_alloc.c:2536)
[ 100.109856][ T8134] folios_put_refs (mm/swap.c:1034)
[ 100.111000][ T8134] free_pages_and_swap_cache (mm/swap_state.c:329)
[ 100.112311][ T8134] __tlb_batch_free_encoded_pages (mm/mmu_gather.c:137)
[ 100.113623][ T8134] tlb_finish_mmu (mm/mmu_gather.c:148 mm/mmu_gather.c:366 mm/mmu_gather.c:373 mm/mmu_gather.c:465)
[ 100.114741][ T8134] unmap_region (mm/mmap.c:2303 (discriminator 8))
[ 100.115892][ T8134] do_vmi_align_munmap (./include/linux/instrumented.h:96 /include/linux/atomic/atomic-instrumented.h:435 /include/linux/maple_tree.h:719 ./include/linux/maple_tree.h:739 /include/linux/maple_tree.h:754 mm/mmap.c:2631)
[ 100.117053][ T8134] do_vmi_munmap (mm/mmap.c:2696)
[ 100.118168][ T8134] __vm_munmap (mm/mmap.c:2973)
[ 100.119257][ T8134] __x64_sys_munmap (mm/mmap.c:2986)
[ 100.120429][ T8134] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
[ 100.121550][ T8134] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
[ 100.123223][ T8134]
[ 100.123801][ T8134] Memory state around the buggy address:
[ 100.125169][ T8134] ffff888015b4af00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 100.126886][ T8134] ffff888015b4af80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 100.128502][ T8134] >ffff888015b4b000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 100.130113][ T8134] ^
[ 100.131238][ T8134] ffff888015b4b080: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 100.133164][ T8134] ffff888015b4b100: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 100.134828][ T8134] ==================================================================
[ 100.151463][ T8134] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 100.153291][ T8134] CPU: 1 PID: 8134 Comm: a.out Not tainted 6.9.0 #8
[ 100.154827][ T8134] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[ 100.167902][ T8134] Call Trace:
[ 100.168696][ T8134] <TASK>
[ 100.169393][ T8134] dump_stack_lvl (lib/dump_stack.c:118 (discriminator 4))
[ 100.170478][ T8134] panic (kernel/panic.c:348)
[ 100.171389][ T8134] ? __pfx_panic (kernel/panic.c:282)
[ 100.172412][ T8134] ? preempt_schedule_thunk (arch/x86/entry/thunk_64.S:12)
[ 100.173697][ T8134] ? preempt_schedule_common (./arch/x86/include/asm/preempt.h:84 kernel/sched/core.c:6927)
[ 100.175009][ T8134] ? check_panic_on_warn (kernel/panic.c:240)
[ 100.176172][ T8134] ? jfs_readdir (fs/jfs/jfs_dtree.c:2867)
[ 100.177262][ T8134] check_panic_on_warn (kernel/panic.c:241)
[ 100.178420][ T8134] end_report (mm/kasan/report.c:226)
[ 100.179385][ T8134] kasan_report (./arch/x86/include/asm/smap.h:56 mm/kasan/report.c:606)
[ 100.180334][ T8134] ? jfs_readdir (fs/jfs/jfs_dtree.c:2867)
[ 100.181430][ T8134] jfs_readdir (fs/jfs/jfs_dtree.c:2867)
[ 100.182446][ T8134] ? __x64_sys_openat (fs/open.c:1432)
[ 100.183564][ T8134] ? entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
[ 100.184891][ T8134] ? __pfx_path_openat (fs/namei.c:3781)
[ 100.185956][ T8134] ? __pfx__raw_spin_lock_irqsave (kernel/locking/spinlock.c:161)
[ 100.187271][ T8134] ? page_table_check_set (mm/page_table_check.c:126 mm/page_table_check.c:97)
[ 100.188421][ T8134] ? __pfx_jfs_readdir (fs/jfs/jfs_dtree.c:2701)
[ 100.189486][ T8134] ? debug_check_no_obj_freed (lib/debugobjects.c:1000 lib/debugobjects.c:1019)
[ 100.190742][ T8134] ? _raw_spin_lock (./arch/x86/include/asm/atomic.h:115 /include/linux/atomic/atomic-arch-fallback.h:2170 /include/linux/atomic/atomic-instrumented.h:1302 /include/asm-generic/qspinlock.h:111 ./include/linux/spinlock.h:187 /include/linux/spinlock_api_smp.h:134 kernel/locking/spinlock.c:154)
[ 100.191793][ T8134] ? putname (fs/namei.c:274)
[ 100.192661][ T8134] ? down_write (./arch/x86/include/asm/preempt.h:103 kernel/locking/rwsem.c:1309 kernel/locking/rwsem.c:1315 kernel/locking/rwsem.c:1580)
[ 100.193513][ T8134] ? __pfx_down_write (kernel/locking/rwsem.c:1577)
[ 100.194537][ T8134] ? down_read_killable (./arch/x86/include/asm/preempt.h:103 kernel/locking/rwsem.c:1257 kernel/locking/rwsem.c:1273 kernel/locking/rwsem.c:1551)
[ 100.195660][ T8134] ? __pfx_down_read_killable (kernel/locking/rwsem.c:1547)
[ 100.196844][ T8134] ? selinux_file_permission (security/selinux/hooks.c:3643)
[ 100.198212][ T8134] ? __pfx_jfs_readdir (fs/jfs/jfs_dtree.c:2701)
[ 100.199278][ T8134] wrap_directory_iterator (fs/readdir.c:67)
[ 100.200487][ T8134] iterate_dir (fs/readdir.c:111)
[ 100.201542][ T8134] __x64_sys_getdents64 (fs/readdir.c:410 fs/readdir.c:394 fs/readdir.c:394)
[ 100.202668][ T8134] ? __pfx___x64_sys_getdents64 (fs/readdir.c:394)
[ 100.204027][ T8134] ? mutex_unlock (./arch/x86/include/asm/atomic64_64.h:109 /include/linux/atomic/atomic-arch-fallback.h:4329 /include/linux/atomic/atomic-long.h:1506 /include/linux/atomic/atomic-instrumented.h:4481 kernel/locking/mutex.c:181 kernel/locking/mutex.c:545)
[ 100.205107][ T8134] ? __pfx_filldir64 (fs/readdir.c:352)
[ 100.206145][ T8134] ? fpregs_assert_state_consistent (arch/x86/kernel/fpu/context.h:38 arch/x86/kernel/fpu/core.c:822)
[ 100.207628][ T8134] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
[ 100.208698][ T8134] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
[ 100.210104][ T8134] RIP: 0033:0x7fd5a43b473d
[ 100.211167][ T8134] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 78
All code
========
0: 00 c3 add %al,%bl
2: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)
9: 00 00 00
c: 90 nop
d: f3 0f 1e fa endbr64
11: 48 89 f8 mov %rdi,%rax
14: 48 89 f7 mov %rsi,%rdi
17: 48 89 d6 mov %rdx,%rsi
1a: 48 89 ca mov %rcx,%rdx
1d: 4d 89 c2 mov %r8,%r10
20: 4d 89 c8 mov %r9,%r8
23: 4c 8b 4c 24 08 mov 0x8(%rsp),%r9
28: 0f 05 syscall
2a:* 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax <-- trapping instruction
30: 78 .byte 0x78
Code starting with the faulting instruction
===========================================
0: 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax
6: 78 .byte 0x78
[ 100.216055][ T8134] RSP: 002b:00007ffc8e81ca28 EFLAGS: 00000203 ORIG_RAX: 00000000000000d9
[ 100.218175][ T8134] RAX: ffffffffffffffda RBX: 00005616907c2360 RCX: 00007fd5a43b473d
[ 100.220331][ T8134] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
[ 100.222587][ T8134] RBP: 00007ffc8e81ca40 R08: 00007ffc8e81cb30 R09: 00007ffc8e81cb30
[ 100.224629][ T8134] R10: 00007ffc8e81cb30 R11: 0000000000000203 R12: 00005616907c03c0
[ 100.226728][ T8134] R13: 00007ffc8e81cb30 R14: 0000000000000000 R15: 0000000000000000
[ 100.228901][ T8134] </TASK>
[ 100.230006][ T8134] Kernel Offset: disabled
Attachment:
.config
Description: Binary data
Attachment:
repro.c
Description: Binary data