Bug 214655

Summary: BUG: unable to handle kernel paging request in __dquot_free_space
Product: File System
Reporter: 6201613047
Component: ext4
Assignee: fs_ext4 (fs_ext4)
Status: RESOLVED CODE_FIX
Severity: normal
CC: jack
Priority: P1
Hardware: All
OS: Linux
Kernel Version: 5.15-rc-ksmbd-part2
Subsystem:
Regression: No
Bisected commit-id:
Attachments: poc

Description 6201613047 2021-10-09 01:16:02 UTC
Created attachment 299143 [details]
poc

Found it by something like Syzkaller and I think this is a BUG.
And the POC is attached here.
Looking forward to your reply.

-----------------------------------
EXT4-fs error (device loop0): ext4_empty_dir:3011: inode #12: block 80: comm syz-executor.0: bad entry in directory: rec_len is smaller than minimal - offset=0, inode=0, rec_len=0, size=4096 fake=0
EXT4-fs warning (device loop0): ext4_empty_dir:3013: inode #12: comm syz-executor.0: directory missing '.'
BUG: unable to handle page fault for address: fffffbfff6b3012c
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 9fffeb067 P4D 9fffeb067 PUD 9ffe0f067 PMD 0 
Oops: 0000 [#1] SMP KASAN PTI
CPU: 3 PID: 26685 Comm: syz-executor.0 Not tainted 5.14.0+ #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
RIP: 0010:bytes_is_nonzero mm/kasan/generic.c:85 [inline]
RIP: 0010:memory_is_nonzero mm/kasan/generic.c:102 [inline]
RIP: 0010:memory_is_poisoned_n mm/kasan/generic.c:128 [inline]
RIP: 0010:memory_is_poisoned mm/kasan/generic.c:159 [inline]
RIP: 0010:check_region_inline mm/kasan/generic.c:180 [inline]
RIP: 0010:kasan_check_range+0x13d/0x200 mm/kasan/generic.c:189
Code: 83 c0 01 48 89 d8 49 39 d8 74 0f 41 80 38 00 74 ee 4b 8d 04 0c 4d 85 c0 75 4b 48 89 eb 48 29 c3 e9 42 ff ff ff 48 85 db 74 2e <41> 80 39 00 75 32 48 b8 01 00 00 00 00 fc ff df 49 01 d9 49 01 c0
RSP: 0018:ffff88812dd8f4c8 EFLAGS: 00010202
RAX: fffffbfff6b3012c RBX: 0000000000000002 RCX: ffffffffb2e0a1f6
RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffffffffb5980967
RBP: fffffbfff6b3012e R08: 1ffffffff6b3012c R09: fffffbfff6b3012c
R10: ffffffffb598096a R11: fffffbfff6b3012d R12: ffff88812dd8f5d8
R13: ffff8881ac734b28 R14: 0000000000010000 R15: ffffffffb5980907
FS:  00007f0f2b188700(0000) GS:ffff8889d7380000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffbfff6b3012c CR3: 0000000156d9a001 CR4: 0000000000770ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
 atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:511 [inline]
 queued_spin_lock include/asm-generic/qspinlock.h:82 [inline]
 do_raw_spin_lock include/linux/spinlock.h:187 [inline]
 __raw_spin_lock include/linux/spinlock_api_smp.h:143 [inline]
 _raw_spin_lock+0x66/0xd0 kernel/locking/spinlock.c:154
 spin_lock include/linux/spinlock.h:363 [inline]
 __dquot_free_space+0x211/0x7c0 fs/quota/dquot.c:1874
 dquot_free_space_nodirty include/linux/quotaops.h:376 [inline]
 dquot_free_space include/linux/quotaops.h:381 [inline]
 dquot_free_block include/linux/quotaops.h:392 [inline]
 ext4_free_blocks+0x1430/0x1940 fs/ext4/mballoc.c:6084
 ext4_remove_blocks fs/ext4/extents.c:2488 [inline]
 ext4_ext_rm_leaf fs/ext4/extents.c:2672 [inline]
 ext4_ext_remove_space+0x299c/0x3590 fs/ext4/extents.c:2920
 ext4_ext_truncate+0x195/0x200 fs/ext4/extents.c:4382
 ext4_truncate+0xa2b/0xe80 fs/ext4/inode.c:4268
 ext4_evict_inode+0x8af/0x13c0 fs/ext4/inode.c:287
 evict+0x2d3/0x5b0 fs/inode.c:586
 iput_final fs/inode.c:1662 [inline]
 iput fs/inode.c:1688 [inline]
 iput+0x4ba/0x710 fs/inode.c:1674
 dentry_unlink_inode+0x314/0x4d0 fs/dcache.c:376
 d_delete fs/dcache.c:2505 [inline]
 d_delete+0x152/0x1a0 fs/dcache.c:2494
 vfs_rmdir fs/namei.c:3984 [inline]
 vfs_rmdir+0x438/0x570 fs/namei.c:3948
 do_rmdir+0x1c2/0x3a0 fs/namei.c:4032
 __do_sys_unlinkat fs/namei.c:4211 [inline]
 __se_sys_unlinkat fs/namei.c:4205 [inline]
 __x64_sys_unlinkat+0xcc/0x100 fs/namei.c:4205
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4698d9
Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f0f2b187c48 EFLAGS: 00000246 ORIG_RAX: 0000000000000107
RAX: ffffffffffffffda RBX: 000000000077bf80 RCX: 00000000004698d9
RDX: 0000000000000200 RSI: 0000000020000040 RDI: 0000000000000005
RBP: 00000000004d26c2 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000077bf80
R13: 0000000000000000 R14: 000000000077bf80 R15: 00007ffdbd022e40
Modules linked in:
CR2: fffffbfff6b3012c
---[ end trace 337a23afd90599f5 ]---
RIP: 0010:bytes_is_nonzero mm/kasan/generic.c:85 [inline]
RIP: 0010:memory_is_nonzero mm/kasan/generic.c:102 [inline]
RIP: 0010:memory_is_poisoned_n mm/kasan/generic.c:128 [inline]
RIP: 0010:memory_is_poisoned mm/kasan/generic.c:159 [inline]
RIP: 0010:check_region_inline mm/kasan/generic.c:180 [inline]
RIP: 0010:kasan_check_range+0x13d/0x200 mm/kasan/generic.c:189
Code: 83 c0 01 48 89 d8 49 39 d8 74 0f 41 80 38 00 74 ee 4b 8d 04 0c 4d 85 c0 75 4b 48 89 eb 48 29 c3 e9 42 ff ff ff 48 85 db 74 2e <41> 80 39 00 75 32 48 b8 01 00 00 00 00 fc ff df 49 01 d9 49 01 c0
RSP: 0018:ffff88812dd8f4c8 EFLAGS: 00010202
RAX: fffffbfff6b3012c RBX: 0000000000000002 RCX: ffffffffb2e0a1f6
RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffffffffb5980967
RBP: fffffbfff6b3012e R08: 1ffffffff6b3012c R09: fffffbfff6b3012c
R10: ffffffffb598096a R11: fffffbfff6b3012d R12: ffff88812dd8f5d8
R13: ffff8881ac734b28 R14: 0000000000010000 R15: ffffffffb5980907
FS:  00007f0f2b188700(0000) GS:ffff8889d7380000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffbfff6b3012c CR3: 0000000156d9a001 CR4: 0000000000770ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
netlink: 72 bytes leftover after parsing attributes in process `syz-executor.7'.
==================================================================
BUG: KASAN: use-after-free in owner_on_cpu kernel/locking/rwsem.c:605 [inline]
BUG: KASAN: use-after-free in rwsem_can_spin_on_owner kernel/locking/rwsem.c:626 [inline]
BUG: KASAN: use-after-free in rwsem_down_write_slowpath+0xade/0xfe0 kernel/locking/rwsem.c:1026
Read of size 4 at addr ffff88812eaf4534 by task syz-executor.0/26792

CPU: 3 PID: 26792 Comm: syz-executor.0 Tainted: G      D           5.14.0+ #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x4c/0x64 lib/dump_stack.c:106
 print_address_description.constprop.9+0x21/0x150 mm/kasan/report.c:256
 __kasan_report mm/kasan/report.c:442 [inline]
 kasan_report.cold.14+0x7f/0x11b mm/kasan/report.c:459
 owner_on_cpu kernel/locking/rwsem.c:605 [inline]
 rwsem_can_spin_on_owner kernel/locking/rwsem.c:626 [inline]
 rwsem_down_write_slowpath+0xade/0xfe0 kernel/locking/rwsem.c:1026
 __down_write_common kernel/locking/rwsem.c:1262 [inline]
 __down_write_common kernel/locking/rwsem.c:1259 [inline]
 __down_write kernel/locking/rwsem.c:1271 [inline]
 down_write+0xd2/0x120 kernel/locking/rwsem.c:1516
 inode_lock include/linux/fs.h:786 [inline]
 chown_common+0x1ea/0x400 fs/open.c:675
 do_fchownat+0xef/0x180 fs/open.c:709
 __do_sys_lchown fs/open.c:734 [inline]
 __se_sys_lchown fs/open.c:732 [inline]
 __x64_sys_lchown+0x7a/0xc0 fs/open.c:732
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4698d9
Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f0f2b166c48 EFLAGS: 00000246 ORIG_RAX: 000000000000005e
RAX: ffffffffffffffda RBX: 000000000077c038 RCX: 00000000004698d9
RDX: 0000000000000000 RSI: 000000000000ee00 RDI: 00000000200002c0
RBP: 00000000004d26c2 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000077c038
R13: 0000000000000000 R14: 000000000077c038 R15: 00007ffdbd022e40
netlink: 72 bytes leftover after parsing attributes in process `syz-executor.7'.

Allocated by task 26666:
 kasan_save_stack+0x19/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 __kasan_slab_alloc+0x68/0x80 mm/kasan/common.c:467
 kasan_slab_alloc include/linux/kasan.h:254 [inline]
 slab_post_alloc_hook mm/slab.h:519 [inline]
 slab_alloc_node mm/slub.c:3206 [inline]
 kmem_cache_alloc_node+0xd2/0x200 mm/slub.c:3242
 alloc_task_struct_node kernel/fork.c:171 [inline]
 dup_task_struct kernel/fork.c:883 [inline]
 copy_process+0x1717/0x67c0 kernel/fork.c:2026
 kernel_clone+0xbd/0x970 kernel/fork.c:2584
 __do_sys_clone+0xde/0x120 kernel/fork.c:2701
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 26778:
 kasan_save_stack+0x19/0x40 mm/kasan/common.c:38
 kasan_set_track+0x1c/0x30 mm/kasan/common.c:46
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:360
 ____kasan_slab_free mm/kasan/common.c:366 [inline]
 ____kasan_slab_free mm/kasan/common.c:328 [inline]
 __kasan_slab_free+0xe2/0x110 mm/kasan/common.c:374
 kasan_slab_free include/linux/kasan.h:230 [inline]
 slab_free_hook mm/slub.c:1700 [inline]
 slab_free_freelist_hook mm/slub.c:1725 [inline]
 slab_free mm/slub.c:3483 [inline]
 kmem_cache_free+0x74/0x280 mm/slub.c:3499
 __put_task_struct+0x22a/0x4f0 kernel/fork.c:760
 put_task_struct include/linux/sched/task.h:113 [inline]
 delayed_put_task_struct+0x11d/0x160 kernel/exit.c:173
 rcu_do_batch kernel/rcu/tree.c:2508 [inline]
 rcu_core+0x555/0x14b0 kernel/rcu/tree.c:2743
 __do_softirq+0x17f/0x53f kernel/softirq.c:558

Last potentially related work creation:
 kasan_save_stack+0x19/0x40 mm/kasan/common.c:38
 kasan_record_aux_stack+0xa3/0xb0 mm/kasan/generic.c:348
 __call_rcu kernel/rcu/tree.c:2987 [inline]
 call_rcu+0x77/0x8f0 kernel/rcu/tree.c:3067
 put_task_struct_rcu_user+0x61/0x90 kernel/exit.c:179
 finish_task_switch+0x48e/0x670 kernel/sched/core.c:4854
 schedule_tail+0x7/0xa0 kernel/sched/core.c:4876
 ret_from_fork+0x8/0x30 arch/x86/entry/entry_64.S:280

Second to last potentially related work creation:
 kasan_save_stack+0x19/0x40 mm/kasan/common.c:38
 kasan_record_aux_stack+0xa3/0xb0 mm/kasan/generic.c:348
 __call_rcu kernel/rcu/tree.c:2987 [inline]
 call_rcu+0x77/0x8f0 kernel/rcu/tree.c:3067
 put_task_struct_rcu_user+0x61/0x90 kernel/exit.c:179
 finish_task_switch+0x48e/0x670 kernel/sched/core.c:4854
 context_switch kernel/sched/core.c:4943 [inline]
 __schedule+0x882/0x1710 kernel/sched/core.c:6287
 schedule+0xbd/0x250 kernel/sched/core.c:6366
 freezable_schedule include/linux/freezer.h:172 [inline]
 futex_wait_queue_me+0x24b/0x430 kernel/futex.c:2821
 futex_wait+0x1cb/0x620 kernel/futex.c:2922
 do_futex+0x337/0x17e0 kernel/futex.c:3932
 __do_sys_futex kernel/futex.c:4009 [inline]
 __se_sys_futex kernel/futex.c:3990 [inline]
 __x64_sys_futex+0x189/0x400 kernel/futex.c:3990
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff88812eaf4500
 which belongs to the cache task_struct of size 5576
The buggy address is located 52 bytes inside of
 5576-byte region [ffff88812eaf4500, ffff88812eaf5ac8)
The buggy address belongs to the page:
page:0000000082bf4bc1 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12eaf0
head:0000000082bf4bc1 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x200000000010200(slab|head|node=0|zone=2)
raw: 0200000000010200 dead000000000100 dead000000000122 ffff888100178b40
raw: 0000000000000000 0000000000050005 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88812eaf4400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88812eaf4480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88812eaf4500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                     ^
 ffff88812eaf4580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88812eaf4600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
----------------
Code disassembly (best guess):
   0:	83 c0 01             	add    $0x1,%eax
   3:	48 89 d8             	mov    %rbx,%rax
   6:	49 39 d8             	cmp    %rbx,%r8
   9:	74 0f                	je     0x1a
   b:	41 80 38 00          	cmpb   $0x0,(%r8)
   f:	74 ee                	je     0xffffffff
  11:	4b 8d 04 0c          	lea    (%r12,%r9,1),%rax
  15:	4d 85 c0             	test   %r8,%r8
  18:	75 4b                	jne    0x65
  1a:	48 89 eb             	mov    %rbp,%rbx
  1d:	48 29 c3             	sub    %rax,%rbx
  20:	e9 42 ff ff ff       	jmpq   0xffffff67
  25:	48 85 db             	test   %rbx,%rbx
  28:	74 2e                	je     0x58
* 2a:	41 80 39 00          	cmpb   $0x0,(%r9) <-- trapping instruction
  2e:	75 32                	jne    0x62
  30:	48 b8 01 00 00 00 00 	movabs $0xdffffc0000000001,%rax
  37:	fc ff df
  3a:	49 01 d9             	add    %rbx,%r9
  3d:	49 01 c0             	add    %rax,%r8
Comment 1 Jan Kara 2021-10-20 16:43:16 UTC
Thanks for the report. I'll try to reproduce this in my test VM. I have recently merged some fixes for detecting corrupted quota files from Zhang Yi, so maybe this is already fixed, but let's see...
Comment 2 Jan Kara 2021-10-20 17:00:36 UTC
Indeed, I can reproduce the problem with current Linus' kernel but I cannot reproduce anymore with the fixes I have queued in my tree. Namely:

d0e36a62bd4c "quota: correct error number in free_dqentry()"
9bf3d2033129 "quota: check block number when reading the block in quota file"

So closing this as fixed.