[syzbot] [mm?] KASAN: slab-use-after-free Read in move_to_new_folio

From: syzbot
Date: Mon Jul 10 2023 - 03:43:11 EST

Hello,

syzbot found the following issue on:

HEAD commit: 03275585cabd afs: Fix accidental truncation when storing d..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17a74308a80000
kernel config: https://syzkaller.appspot.com/x/.config?x=656155ea96f6ea1d
dashboard link: https://syzkaller.appspot.com/bug?extid=009d9721acf40a64eab9
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7bc7510fe41f/non_bootable_disk-03275585.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/d7fbd69351b6/vmlinux-03275585.xz
kernel image: https://storage.googleapis.com/syzbot-assets/ca0f98a100ed/bzImage-03275585.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+009d9721acf40a64eab9@xxxxxxxxxxxxxxxxxxxxxxxxx

==================================================================
BUG: KASAN: slab-use-after-free in move_to_new_folio+0x64a/0x6e0 mm/migrate.c:957
Read of size 8 at addr ffff88803374aee8 by task kcompactd0/44

CPU: 1 PID: 44 Comm: kcompactd0 Not tainted 6.4.0-syzkaller-11472-g03275585cabd #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106
print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:364
print_report mm/kasan/report.c:475 [inline]
kasan_report+0x11d/0x130 mm/kasan/report.c:588
move_to_new_folio+0x64a/0x6e0 mm/migrate.c:957
migrate_folio_move mm/migrate.c:1272 [inline]
migrate_pages_batch+0x1bcf/0x2cc0 mm/migrate.c:1757
migrate_pages_sync mm/migrate.c:1823 [inline]
migrate_pages+0x1962/0x2490 mm/migrate.c:1927
compact_zone+0x18d1/0x3bc0 mm/compaction.c:2484
proactive_compact_node+0x103/0x1b0 mm/compaction.c:2749
kcompactd+0x837/0xcc0 mm/compaction.c:3069
kthread+0x344/0x440 kernel/kthread.c:389
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
</TASK>

Allocated by task 4548:
kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
__kasan_slab_alloc+0x7f/0x90 mm/kasan/common.c:328
kasan_slab_alloc include/linux/kasan.h:186 [inline]
slab_post_alloc_hook mm/slab.h:750 [inline]
slab_alloc_node mm/slab.c:3237 [inline]
slab_alloc mm/slab.c:3246 [inline]
__kmem_cache_alloc_lru mm/slab.c:3423 [inline]
kmem_cache_alloc+0x14e/0x3f0 mm/slab.c:3432
gfs2_glock_get+0x203/0x1320 fs/gfs2/glock.c:1167
gfs2_inode_lookup+0x258/0x8a0 fs/gfs2/inode.c:135
gfs2_dir_search+0x213/0x2d0 fs/gfs2/dir.c:1664
gfs2_lookupi+0x481/0x640 fs/gfs2/inode.c:332
gfs2_jindex_hold fs/gfs2/ops_fstype.c:608 [inline]
init_journal fs/gfs2/ops_fstype.c:750 [inline]
init_inodes+0x768/0x2b60 fs/gfs2/ops_fstype.c:885
gfs2_fill_super+0x1a26/0x2aa0 fs/gfs2/ops_fstype.c:1248
get_tree_bdev+0x43e/0x7d0 fs/super.c:1318
gfs2_get_tree+0x4e/0x270 fs/gfs2/ops_fstype.c:1333
vfs_get_tree+0x8d/0x350 fs/super.c:1519
do_new_mount fs/namespace.c:3335 [inline]
path_mount+0x136e/0x1e70 fs/namespace.c:3662
do_mount fs/namespace.c:3675 [inline]
__do_sys_mount fs/namespace.c:3884 [inline]
__se_sys_mount fs/namespace.c:3861 [inline]
__x64_sys_mount+0x283/0x300 fs/namespace.c:3861
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Last potentially related work creation:
kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
__kasan_record_aux_stack+0x78/0x80 mm/kasan/generic.c:491
__call_rcu_common.constprop.0+0x99/0x7e0 kernel/rcu/tree.c:2649
gfs2_glock_free+0x6f3/0x10f0 fs/gfs2/glock.c:177
gfs2_glock_put+0x33/0x40 fs/gfs2/glock.c:307
gfs2_glock_put_eventually fs/gfs2/super.c:1278 [inline]
gfs2_evict_inode+0x5cd/0x1c60 fs/gfs2/super.c:1560
evict+0x2ed/0x6b0 fs/inode.c:665
iput_final fs/inode.c:1789 [inline]
iput.part.0+0x50a/0x740 fs/inode.c:1815
iput+0x5c/0x80 fs/inode.c:1805
gfs2_jindex_free+0x391/0x560 fs/gfs2/super.c:75
init_journal fs/gfs2/ops_fstype.c:867 [inline]
init_inodes+0x1202/0x2b60 fs/gfs2/ops_fstype.c:885
gfs2_fill_super+0x1a26/0x2aa0 fs/gfs2/ops_fstype.c:1248
get_tree_bdev+0x43e/0x7d0 fs/super.c:1318
gfs2_get_tree+0x4e/0x270 fs/gfs2/ops_fstype.c:1333
vfs_get_tree+0x8d/0x350 fs/super.c:1519
do_new_mount fs/namespace.c:3335 [inline]
path_mount+0x136e/0x1e70 fs/namespace.c:3662
do_mount fs/namespace.c:3675 [inline]
__do_sys_mount fs/namespace.c:3884 [inline]
__se_sys_mount fs/namespace.c:3861 [inline]
__x64_sys_mount+0x283/0x300 fs/namespace.c:3861
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Second to last potentially related work creation:
kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
__kasan_record_aux_stack+0x78/0x80 mm/kasan/generic.c:491
insert_work+0x48/0x360 kernel/workqueue.c:1553
__queue_work+0x625/0x1120 kernel/workqueue.c:1714
__queue_delayed_work+0x1c8/0x270 kernel/workqueue.c:1864
queue_delayed_work_on+0x109/0x120 kernel/workqueue.c:1900
queue_delayed_work include/linux/workqueue.h:521 [inline]
__gfs2_glock_queue_work+0x2a/0xb0 fs/gfs2/glock.c:252
gfs2_glock_queue_work fs/gfs2/glock.c:266 [inline]
do_xmote+0x98b/0xd70 fs/gfs2/glock.c:801
run_queue+0x3cf/0x660 fs/gfs2/glock.c:844
glock_work_func+0xc2/0x3b0 fs/gfs2/glock.c:1076
process_one_work+0xa34/0x16f0 kernel/workqueue.c:2597
worker_thread+0x67d/0x10c0 kernel/workqueue.c:2748
kthread+0x344/0x440 kernel/kthread.c:389
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308

The buggy address belongs to the object at ffff88803374aa90
which belongs to the cache gfs2_glock(aspace) of size 1224
The buggy address is located 1112 bytes inside of
freed 1224-byte region [ffff88803374aa90, ffff88803374af58)

The buggy address belongs to the physical page:
page:ffffea0000cdd280 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88803374affd pfn:0x3374a
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0x1()
raw: 00fff00000000200 ffff888105198800 ffffea0000ba3050 ffffea0000cba510
raw: ffff88803374affd ffff88803374a000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x342040(__GFP_IO|__GFP_NOWARN|__GFP_COMP|__GFP_HARDWALL|__GFP_THISNODE), pid 4244, tgid 4243 (syz-executor.2), ts 2200319898346, free_ts 2200315160610
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x2db/0x350 mm/page_alloc.c:1570
prep_new_page mm/page_alloc.c:1577 [inline]
get_page_from_freelist+0xfed/0x2d30 mm/page_alloc.c:3221
__alloc_pages+0x1cb/0x4a0 mm/page_alloc.c:4477
__alloc_pages_node include/linux/gfp.h:237 [inline]
kmem_getpages mm/slab.c:1356 [inline]
cache_grow_begin+0x9b/0x3b0 mm/slab.c:2550
cache_alloc_refill+0x289/0x3a0 mm/slab.c:2923
____cache_alloc mm/slab.c:2999 [inline]
____cache_alloc mm/slab.c:2982 [inline]
__do_cache_alloc mm/slab.c:3182 [inline]
slab_alloc_node mm/slab.c:3230 [inline]
slab_alloc mm/slab.c:3246 [inline]
__kmem_cache_alloc_lru mm/slab.c:3423 [inline]
kmem_cache_alloc+0x397/0x3f0 mm/slab.c:3432
gfs2_glock_get+0x203/0x1320 fs/gfs2/glock.c:1167
gfs2_inode_lookup+0x258/0x8a0 fs/gfs2/inode.c:135
gfs2_dir_search+0x213/0x2d0 fs/gfs2/dir.c:1664
gfs2_lookupi+0x481/0x640 fs/gfs2/inode.c:332
gfs2_lookup_simple+0x9d/0xe0 fs/gfs2/inode.c:273
init_inodes+0x129e/0x2b60 fs/gfs2/ops_fstype.c:891
gfs2_fill_super+0x1a26/0x2aa0 fs/gfs2/ops_fstype.c:1248
get_tree_bdev+0x43e/0x7d0 fs/super.c:1318
gfs2_get_tree+0x4e/0x270 fs/gfs2/ops_fstype.c:1333
vfs_get_tree+0x8d/0x350 fs/super.c:1519
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1161 [inline]
free_unref_page_prepare+0x62e/0xcb0 mm/page_alloc.c:2348
free_unref_page_list+0xe3/0xa70 mm/page_alloc.c:2489
release_pages+0xcd8/0x1380 mm/swap.c:1042
__folio_batch_release+0x77/0xe0 mm/swap.c:1062
folio_batch_release include/linux/pagevec.h:83 [inline]
truncate_inode_pages_range+0x2ec/0xf10 mm/truncate.c:372
inode_go_inval+0x385/0x420 fs/gfs2/glops.c:380
do_xmote+0x73d/0xd70 fs/gfs2/glock.c:733
run_queue+0x3cf/0x660 fs/gfs2/glock.c:844
glock_work_func+0xc2/0x3b0 fs/gfs2/glock.c:1076
process_one_work+0xa34/0x16f0 kernel/workqueue.c:2597
worker_thread+0x67d/0x10c0 kernel/workqueue.c:2748
kthread+0x344/0x440 kernel/kthread.c:389
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308

Memory state around the buggy address:
ffff88803374ad80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88803374ae00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88803374ae80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88803374af00: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
ffff88803374af80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@xxxxxxxxxxxxxxxx.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to change bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup