| Message ID | 20221109095018.4108726-1-liushixin2@huawei.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a5d:6687:0:0:0:0:0 with SMTP id l7csp228741wru;
Wed, 9 Nov 2022 01:06:45 -0800 (PST)
X-Google-Smtp-Source:
AMsMyM6UglMlvXVXNnNetdwmteUyDi6/eQINnXrRz4TAgZhYfFHY1DPvttyX/UMyqRjy6OhTKOpn
X-Received: by 2002:a17:906:9bcd:b0:7ae:2679:c47 with SMTP id
de13-20020a1709069bcd00b007ae26790c47mr27192468ejc.353.1667984805102;
Wed, 09 Nov 2022 01:06:45 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1667984805; cv=none;
d=google.com; s=arc-20160816;
b=AI9SW/9jS6RgT3tfTcPhnQr6NPDCARKPZVD/JjhPV1OYHXIXdz0LlS9V82N0xTYxb9
gcyOxxzFzRtYSC7KqxveqYwAGqRDjAKeqQbGSNsxOi9HlCjviOgCL4sjF5keM56qdtxE
73VydHlAz0q7g65NQxRaVDstlNTPKPvQUjc51gNa3WJlJCWuZalahgZ88NbAt+UNEMwz
hxalEZ3pWMHC/XdWsztFlsf1qwQ1R9+pe/ZEoOuQdKrNpwIjrej2oS+d+SiY2wPFtZlP
18qEvkezBQPhIuZiK2xMDv7dXEwMIgCN29C/t4nS5Ri5HRN6d1LQmI53SI59IfQAbBrY
M6LQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:message-id:date:subject:cc:to:from;
bh=znmxng7RQ4r7aZwkLFfH+t7c7B+miPKOZbpOqBTi/9o=;
b=GYVG95FNWmLmGxcL6wU17aM/qHtMIpgGEJuGvBczESnvIJ9j/h4K0iAGQbJYOBrK4O
fXjvS2O4IOU5LhNyJyF75WFiGDPHCYHxIlHAbBrNAtvC3sZUAvQP5d4h5BFCNrXRqoYQ
eC7fuzdrFTE3tuSo5EJRDE2fX2FLzI1k68wQ+NgG7gP7VzkveDRzdpf5DXDMrATLGA1K
Vx8GtKx1Yi2ffEHtlqyiT9TyEyTW+ZVK6ove66rE79Gf0wWqIU6tNI/1ASgZY6oijh3j
vcPyqzDosJkcrC95sjtz1IQTzZuxBIBcHGplNN40OuNP0h9wdQRsqCOJuxR7eUpYFR2S
4ZBg==
ARC-Authentication-Results: i=1; mx.google.com;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
k17-20020a05640212d100b00461a7962c26si12788538edx.527.2022.11.09.01.06.17;
Wed, 09 Nov 2022 01:06:45 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S230240AbiKIJCq (ORCPT <rfc822;dexuan.linux@gmail.com>
+ 99 others); Wed, 9 Nov 2022 04:02:46 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39342 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S230237AbiKIJCe (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Wed, 9 Nov 2022 04:02:34 -0500
Received: from szxga02-in.huawei.com (szxga02-in.huawei.com [45.249.212.188])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 205831F9E5;
Wed, 9 Nov 2022 01:02:31 -0800 (PST)
Received: from dggpemm500024.china.huawei.com (unknown [172.30.72.54])
by szxga02-in.huawei.com (SkyGuard) with ESMTP id 4N6f9S5GrjzHvfB;
Wed, 9 Nov 2022 17:02:04 +0800 (CST)
Received: from dggpemm100009.china.huawei.com (7.185.36.113) by
dggpemm500024.china.huawei.com (7.185.36.203) with Microsoft SMTP Server
(version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
15.1.2375.31; Wed, 9 Nov 2022 17:02:29 +0800
Received: from huawei.com (10.175.113.32) by dggpemm100009.china.huawei.com
(7.185.36.113) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.31; Wed, 9 Nov
2022 17:02:28 +0800
From: Liu Shixin <liushixin2@huawei.com>
To: Alexander Viro <viro@zeniv.linux.org.uk>
CC: <linux-fsdevel@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
"Liu Shixin" <liushixin2@huawei.com>
Subject: [PATCH] fs/buffer: fix a NULL pointer dereference in drop_buffers()
Date: Wed, 9 Nov 2022 17:50:18 +0800
Message-ID: <20221109095018.4108726-1-liushixin2@huawei.com>
X-Mailer: git-send-email 2.25.1
MIME-Version: 1.0
Content-Transfer-Encoding: 7BIT
Content-Type: text/plain; charset=US-ASCII
X-Originating-IP: [10.175.113.32]
X-ClientProxiedBy: dggems704-chm.china.huawei.com (10.3.19.181) To
dggpemm100009.china.huawei.com (7.185.36.113)
X-CFilter-Loop: Reflected
X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED,
SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1749008834926979000?=
X-GMAIL-MSGID: =?utf-8?q?1749008834926979000?=
|
| Series |
fs/buffer: fix a NULL pointer dereference in drop_buffers()
|
|
Commit Message
Liu Shixin
Nov. 9, 2022, 9:50 a.m. UTC
syzbot found a null-ptr-deref by KASAN:
BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:71 [inline]
BUG: KASAN: null-ptr-deref in atomic_read include/linux/atomic/atomic-instrumented.h:27 [inline]
BUG: KASAN: null-ptr-deref in buffer_busy fs/buffer.c:2856 [inline]
BUG: KASAN: null-ptr-deref in drop_buffers+0x61/0x2f0 fs/buffer.c:2868
Read of size 4 at addr 0000000000000060 by task syz-executor.5/24786
CPU: 0 PID: 24786 Comm: syz-executor.5 Not tainted 6.0.0-syzkaller-09589-g55be6084c8e0 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
print_report+0xf1/0x220 mm/kasan/report.c:436
kasan_report+0xfb/0x130 mm/kasan/report.c:495
kasan_check_range+0x2a7/0x2e0 mm/kasan/generic.c:189
instrument_atomic_read include/linux/instrumented.h:71 [inline]
atomic_read include/linux/atomic/atomic-instrumented.h:27 [inline]
buffer_busy fs/buffer.c:2856 [inline]
drop_buffers+0x61/0x2f0 fs/buffer.c:2868
try_to_free_buffers+0x2b1/0x640 fs/buffer.c:2898
[...]
We use folio_has_private() to decide whether call filemap_release_folio(),
which may call try_to_free_buffers() then. folio_has_private() return true
for both PG_private and PG_private_2. We should only call try_to_free_buffers()
for case PG_private. So we should recheck PG_private in try_to_free_buffers().
Reported-by: syzbot+fbdb4ec578ebdcfb9ed2@syzkaller.appspotmail.com
Fixes: 266cf658efcf ("FS-Cache: Recruit a page flags for cache management")
Signed-off-by: Liu Shixin <liushixin2@huawei.com>
---
fs/buffer.c | 3 +++
1 file changed, 3 insertions(+)
Comments
On Wed, Nov 09, 2022 at 05:50:18PM +0800, Liu Shixin wrote: > syzbot found a null-ptr-deref by KASAN: > > BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:71 [inline] > BUG: KASAN: null-ptr-deref in atomic_read include/linux/atomic/atomic-instrumented.h:27 [inline] > BUG: KASAN: null-ptr-deref in buffer_busy fs/buffer.c:2856 [inline] > BUG: KASAN: null-ptr-deref in drop_buffers+0x61/0x2f0 fs/buffer.c:2868 > Read of size 4 at addr 0000000000000060 by task syz-executor.5/24786 > > CPU: 0 PID: 24786 Comm: syz-executor.5 Not tainted 6.0.0-syzkaller-09589-g55be6084c8e0 #0 > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022 > Call Trace: > <TASK> > __dump_stack lib/dump_stack.c:88 [inline] > dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106 > print_report+0xf1/0x220 mm/kasan/report.c:436 > kasan_report+0xfb/0x130 mm/kasan/report.c:495 > kasan_check_range+0x2a7/0x2e0 mm/kasan/generic.c:189 > instrument_atomic_read include/linux/instrumented.h:71 [inline] > atomic_read include/linux/atomic/atomic-instrumented.h:27 [inline] > buffer_busy fs/buffer.c:2856 [inline] > drop_buffers+0x61/0x2f0 fs/buffer.c:2868 > try_to_free_buffers+0x2b1/0x640 fs/buffer.c:2898 > [...] > > We use folio_has_private() to decide whether call filemap_release_folio(), > which may call try_to_free_buffers() then. folio_has_private() return true > for both PG_private and PG_private_2. We should only call try_to_free_buffers() > for case PG_private. So we should recheck PG_private in try_to_free_buffers(). > > Reported-by: syzbot+fbdb4ec578ebdcfb9ed2@syzkaller.appspotmail.com > Fixes: 266cf658efcf ("FS-Cache: Recruit a page flags for cache management") but this can only happen for a filesystem which uses both bufferheads and PG_private_2. afaik there aren't any of those in the tree. so this bug can't actually happen. if you have your own filesystem that does, you need to submit it.
On 2022/11/18 13:30, Matthew Wilcox wrote: > On Wed, Nov 09, 2022 at 05:50:18PM +0800, Liu Shixin wrote: >> syzbot found a null-ptr-deref by KASAN: >> >> BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:71 [inline] >> BUG: KASAN: null-ptr-deref in atomic_read include/linux/atomic/atomic-instrumented.h:27 [inline] >> BUG: KASAN: null-ptr-deref in buffer_busy fs/buffer.c:2856 [inline] >> BUG: KASAN: null-ptr-deref in drop_buffers+0x61/0x2f0 fs/buffer.c:2868 >> Read of size 4 at addr 0000000000000060 by task syz-executor.5/24786 >> >> CPU: 0 PID: 24786 Comm: syz-executor.5 Not tainted 6.0.0-syzkaller-09589-g55be6084c8e0 #0 >> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022 >> Call Trace: >> <TASK> >> __dump_stack lib/dump_stack.c:88 [inline] >> dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106 >> print_report+0xf1/0x220 mm/kasan/report.c:436 >> kasan_report+0xfb/0x130 mm/kasan/report.c:495 >> kasan_check_range+0x2a7/0x2e0 mm/kasan/generic.c:189 >> instrument_atomic_read include/linux/instrumented.h:71 [inline] >> atomic_read include/linux/atomic/atomic-instrumented.h:27 [inline] >> buffer_busy fs/buffer.c:2856 [inline] >> drop_buffers+0x61/0x2f0 fs/buffer.c:2868 >> try_to_free_buffers+0x2b1/0x640 fs/buffer.c:2898 >> [...] >> >> We use folio_has_private() to decide whether call filemap_release_folio(), >> which may call try_to_free_buffers() then. folio_has_private() return true >> for both PG_private and PG_private_2. We should only call try_to_free_buffers() >> for case PG_private. So we should recheck PG_private in try_to_free_buffers(). >> >> Reported-by: syzbot+fbdb4ec578ebdcfb9ed2@syzkaller.appspotmail.com >> Fixes: 266cf658efcf ("FS-Cache: Recruit a page flags for cache management") > but this can only happen for a filesystem which uses both bufferheads > and PG_private_2. afaik there aren't any of those in the tree. so > this bug can't actually happen. > > if you have your own filesystem that does, you need to submit it. This null-ptr-deref is found by syzbot, not by my own filesystem. I review the related code and found no other possible cause. There are lock protection all the place calling try_to_free_buffers(). So I only thought of this one possibility. I'm also trying to reproduce the problem but haven't been successful. If this can't actually happen, maybe I'm missing something when review the code. I'll keep trying to see if I can reproduce the problem. Thanks, Liu Shixin . > > > . >
On Fri, Nov 18, 2022 at 03:54:54PM +0800, Liu Shixin wrote: > On 2022/11/18 13:30, Matthew Wilcox wrote: > > On Wed, Nov 09, 2022 at 05:50:18PM +0800, Liu Shixin wrote: > >> syzbot found a null-ptr-deref by KASAN: > >> > >> BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:71 [inline] > >> BUG: KASAN: null-ptr-deref in atomic_read include/linux/atomic/atomic-instrumented.h:27 [inline] > >> BUG: KASAN: null-ptr-deref in buffer_busy fs/buffer.c:2856 [inline] > >> BUG: KASAN: null-ptr-deref in drop_buffers+0x61/0x2f0 fs/buffer.c:2868 > >> Read of size 4 at addr 0000000000000060 by task syz-executor.5/24786 > >> > >> CPU: 0 PID: 24786 Comm: syz-executor.5 Not tainted 6.0.0-syzkaller-09589-g55be6084c8e0 #0 > >> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022 > >> Call Trace: > >> <TASK> > >> __dump_stack lib/dump_stack.c:88 [inline] > >> dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106 > >> print_report+0xf1/0x220 mm/kasan/report.c:436 > >> kasan_report+0xfb/0x130 mm/kasan/report.c:495 > >> kasan_check_range+0x2a7/0x2e0 mm/kasan/generic.c:189 > >> instrument_atomic_read include/linux/instrumented.h:71 [inline] > >> atomic_read include/linux/atomic/atomic-instrumented.h:27 [inline] > >> buffer_busy fs/buffer.c:2856 [inline] > >> drop_buffers+0x61/0x2f0 fs/buffer.c:2868 > >> try_to_free_buffers+0x2b1/0x640 fs/buffer.c:2898 > >> [...] > >> > >> We use folio_has_private() to decide whether call filemap_release_folio(), > >> which may call try_to_free_buffers() then. folio_has_private() return true > >> for both PG_private and PG_private_2. We should only call try_to_free_buffers() > >> for case PG_private. So we should recheck PG_private in try_to_free_buffers(). > >> > >> Reported-by: syzbot+fbdb4ec578ebdcfb9ed2@syzkaller.appspotmail.com > >> Fixes: 266cf658efcf ("FS-Cache: Recruit a page flags for cache management") > > but this can only happen for a filesystem which uses both bufferheads > > and PG_private_2. afaik there aren't any of those in the tree. so > > this bug can't actually happen. > > > > if you have your own filesystem that does, you need to submit it. > This null-ptr-deref is found by syzbot, not by my own filesystem. I review the related code and > found no other possible cause. There are lock protection all the place calling try_to_free_buffers(). > So I only thought of this one possibility. I'm also trying to reproduce the problem but haven't > been successful. > > If this can't actually happen, maybe I'm missing something when review the code. I'll keep trying > to see if I can reproduce the problem. perhaps you could include more information, like the rest of the call stack so we can see what filesystem is involved?
On 2022/11/18 15:58, Matthew Wilcox wrote: > On Fri, Nov 18, 2022 at 03:54:54PM +0800, Liu Shixin wrote: >> On 2022/11/18 13:30, Matthew Wilcox wrote: >>> On Wed, Nov 09, 2022 at 05:50:18PM +0800, Liu Shixin wrote: >>>> syzbot found a null-ptr-deref by KASAN: >>>> >>>> BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:71 [inline] >>>> BUG: KASAN: null-ptr-deref in atomic_read include/linux/atomic/atomic-instrumented.h:27 [inline] >>>> BUG: KASAN: null-ptr-deref in buffer_busy fs/buffer.c:2856 [inline] >>>> BUG: KASAN: null-ptr-deref in drop_buffers+0x61/0x2f0 fs/buffer.c:2868 >>>> Read of size 4 at addr 0000000000000060 by task syz-executor.5/24786 >>>> >>>> CPU: 0 PID: 24786 Comm: syz-executor.5 Not tainted 6.0.0-syzkaller-09589-g55be6084c8e0 #0 >>>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022 >>>> Call Trace: >>>> <TASK> >>>> __dump_stack lib/dump_stack.c:88 [inline] >>>> dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106 >>>> print_report+0xf1/0x220 mm/kasan/report.c:436 >>>> kasan_report+0xfb/0x130 mm/kasan/report.c:495 >>>> kasan_check_range+0x2a7/0x2e0 mm/kasan/generic.c:189 >>>> instrument_atomic_read include/linux/instrumented.h:71 [inline] >>>> atomic_read include/linux/atomic/atomic-instrumented.h:27 [inline] >>>> buffer_busy fs/buffer.c:2856 [inline] >>>> drop_buffers+0x61/0x2f0 fs/buffer.c:2868 >>>> try_to_free_buffers+0x2b1/0x640 fs/buffer.c:2898 >>>> [...] >>>> >>>> We use folio_has_private() to decide whether call filemap_release_folio(), >>>> which may call try_to_free_buffers() then. folio_has_private() return true >>>> for both PG_private and PG_private_2. We should only call try_to_free_buffers() >>>> for case PG_private. So we should recheck PG_private in try_to_free_buffers(). >>>> >>>> Reported-by: syzbot+fbdb4ec578ebdcfb9ed2@syzkaller.appspotmail.com >>>> Fixes: 266cf658efcf ("FS-Cache: Recruit a page flags for cache management") >>> but this can only happen for a filesystem which uses both bufferheads >>> and PG_private_2. afaik there aren't any of those in the tree. so >>> this bug can't actually happen. >>> >>> if you have your own filesystem that does, you need to submit it. >> This null-ptr-deref is found by syzbot, not by my own filesystem. I review the related code and >> found no other possible cause. There are lock protection all the place calling try_to_free_buffers(). >> So I only thought of this one possibility. I'm also trying to reproduce the problem but haven't >> been successful. >> >> If this can't actually happen, maybe I'm missing something when review the code. I'll keep trying >> to see if I can reproduce the problem. > perhaps you could include more information, like the rest of the call > stack so we can see what filesystem is involved? This is the original link about the bug: https://groups.google.com/g/syzkaller-bugs/c/sqeWJ62OEsc/m/kr6FRxXqBAAJ > > . >
diff --git a/fs/buffer.c b/fs/buffer.c index d9c6d1fbb6dd..c302b578e437 100644 --- a/fs/buffer.c +++ b/fs/buffer.c @@ -2822,6 +2822,9 @@ bool try_to_free_buffers(struct folio *folio) if (folio_test_writeback(folio)) return false; + if (!folio_test_private(folio)) + return false; + if (mapping == NULL) { /* can this still happen? */ ret = drop_buffers(folio, &buffers_to_free); goto out;