Bug 201189

Summary: KASAN: use-after-free in btrfs_evict_inode
Product: File System
Reporter: higuita (higuita)
Component: btrfs
Assignee: BTRFS virtual assignee (fs_btrfs)
Status: RESOLVED CODE_FIX
Severity: normal
CC: dsterba
Priority: P1
Hardware: All
OS: Linux
Kernel Version: 4.18.7
Subsystem:
Regression: No
Bisected commit-id:

Description higuita 2018-09-19 22:42:14 UTC
Just got this while browsing the web:

[307322.025146] ==================================================================
[307322.025155] BUG: KASAN: use-after-free in btrfs_evict_inode+0x29a/0x800
[307322.025158] Read of size 4 at addr ffff8802574be4a4 by task launcher/20549

[307322.025163] CPU: 2 PID: 20549 Comm: launcher Tainted: G        W         4.18.7-slack #7
[307322.025164] Hardware name: System manufacturer System Product Name/A88X-PLUS, BIOS 3003 03/10/2016
[307322.025165] Call Trace:
[307322.025170]  dump_stack+0x71/0xa7
[307322.025174]  print_address_description+0x65/0x22e
[307322.025177]  kasan_report.cold.6+0x243/0x2ff
[307322.025179]  ? btrfs_evict_inode+0x29a/0x800
[307322.025182]  btrfs_evict_inode+0x29a/0x800
[307322.025185]  ? btrfs_setattr+0x850/0x850
[307322.025188]  ? _raw_spin_lock+0x13/0x30
[307322.025191]  ? lockref_put_or_lock+0x13b/0x170
[307322.025195]  evict+0x192/0x2d0
[307322.025198]  do_unlinkat+0x389/0x490
[307322.025200]  ? __ia32_sys_rmdir+0x20/0x20
[307322.025202]  ? getname_flags+0x80/0x2c0
[307322.025205]  ? check_stack_object+0x30/0x80
[307322.025208]  ? __check_object_size+0x17e/0x232
[307322.025211]  ? strncpy_from_user+0xba/0x1d0
[307322.025214]  ? getname_flags+0x10d/0x2c0
[307322.025217]  do_syscall_64+0x73/0x160
[307322.025220]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[307322.025223] RIP: 0033:0x7fae3faa5dd7
[307322.025224] Code: f0 ff ff 73 01 c3 48 8b 0d ae 60 2d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 57 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 81 60 2d 00 f7 d8 64 89 01 48 
[307322.025253] RSP: 002b:00007fae0a2b8a18 EFLAGS: 00000246 ORIG_RAX: 0000000000000057
[307322.025256] RAX: ffffffffffffffda RBX: 00007fadf4ae6180 RCX: 00007fae3faa5dd7
[307322.025257] RDX: 0000000000000021 RSI: 0000000000000002 RDI: 00007fadf4ae6180
[307322.025259] RBP: 00007fae0a2b8c50 R08: 0000000000000000 R09: 00007fae3fb0027e
[307322.025260] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fadf4ae6180
[307322.025261] R13: 00007fadf48557e0 R14: 00000000ffffffff R15: 00007fae0a2b9220

[307322.025264] Allocated by task 20549:
[307322.025268]  kasan_kmalloc+0xee/0x100
[307322.025270]  kmem_cache_alloc+0x119/0x250
[307322.025273]  alloc_extent_state+0x34/0x170
[307322.025275]  __set_extent_bit+0x3f2/0x7d0
[307322.025277]  lock_extent_bits+0xd8/0x2b0
[307322.025279]  __extent_readpages+0x3bd/0x520
[307322.025282]  extent_readpages+0x18c/0x410
[307322.025285]  read_pages+0xe3/0x300
[307322.025287]  __do_page_cache_readahead+0x1f7/0x290
[307322.025289]  ondemand_readahead+0x32f/0x470
[307322.025291]  generic_file_read_iter+0xb54/0x11d0
[307322.025293]  __vfs_read+0x324/0x390
[307322.025295]  vfs_read+0xbd/0x1d0
[307322.025297]  ksys_read+0xbe/0x160
[307322.025299]  do_syscall_64+0x73/0x160
[307322.025301]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

[307322.025303] Freed by task 18187:
[307322.025305]  __kasan_slab_free+0x123/0x170
[307322.025307]  kmem_cache_free+0xf9/0x230
[307322.025309]  merge_state.part.44+0x206/0x210
[307322.025311]  clear_state_bit+0x211/0x2a0
[307322.025313]  __clear_extent_bit+0x2e8/0x520
[307322.025316]  endio_readpage_release_extent+0xd5/0x160
[307322.025318]  end_bio_extent_readpage+0x472/0x900
[307322.025320]  normal_work_helper+0xe3/0x560
[307322.025323]  process_one_work+0x4cc/0x7d0
[307322.025325]  worker_thread+0x6e/0x720
[307322.025327]  kthread+0x1a0/0x1c0
[307322.025329]  ret_from_fork+0x22/0x40

[307322.025331] The buggy address belongs to the object at ffff8802574be460
                 which belongs to the cache btrfs_extent_state of size 80
[307322.025333] The buggy address is located 68 bytes inside of
                 80-byte region [ffff8802574be460, ffff8802574be4b0)
[307322.025334] The buggy address belongs to the page:
[307322.025336] page:ffffea00095d2f80 count:1 mapcount:0 mapping:ffff88053d597880 index:0x0
[307322.093086] flags: 0x4000000000000100(slab)
[307322.128812] raw: 4000000000000100 dead000000000100 dead000000000200 ffff88053d597880
[307322.194383] raw: 0000000000000000 0000000000240024 00000001ffffffff 0000000000000000
[307322.259952] page dumped because: kasan: bad access detected

[307322.307325] Memory state around the buggy address:
[307322.307330]  ffff8802574be380: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fb fb
[307322.307332]  ffff8802574be400: fb fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb
[307322.307334] >ffff8802574be480: fb fb fb fb fb fb fc fc fc fc fb fb fb fb fb fb
[307322.307335]                                ^
[307322.307337]  ffff8802574be500: fb fb fb fb fc fc fc fc fb fb fb fb fb fb fb fb
[307322.307339]  ffff8802574be580: fb fb fc fc fc fc fb fb fb fb fb fb fb fb fb fb
[307322.307340] ==================================================================
[307322.307341] Disabling lock debugging due to kernel taint

kernel 4.18.7, slackware64 -current, gcc 8.2.0
Comment 1 David Sterba 2019-05-21 12:23:03 UTC
Thanks for the report. Fixed by 421f0922a2cfb0c7 "Btrfs: fix use-after-free during inode eviction", in 4.20.