
     1  FILE: fs/f2fs/recovery.c
     2  
     3  ==================================================================
     4  BUG: KASAN: invalid-access in kmem_cache_destroy+0x34/0x174 mm/slab_common.c:492
     5  Read at addr fdff000022c9c040 by task syz-executor.0/5059
     6  Pointer tag: [fd], memory tag: [fe]
     7  
     8  CPU: 0 PID: 5059 Comm: syz-executor.0 Not tainted 5.11.0-rc6-syzkaller #0
     9  Hardware name: linux,dummy-virt (DT)
    10  Call trace:
    11   dump_backtrace+0x0/0x1b0 arch/arm64/kernel/stacktrace.c:117
    12   show_stack+0x1c/0x70 arch/arm64/kernel/stacktrace.c:196
    13   __dump_stack lib/dump_stack.c:79 [inline]
    14   dump_stack+0xd0/0x12c lib/dump_stack.c:120
    15   print_address_description+0x70/0x29c mm/kasan/report.c:230
    16   __kasan_report mm/kasan/report.c:396 [inline]
    17   kasan_report+0x104/0x200 mm/kasan/report.c:413
    18   report_tag_fault arch/arm64/mm/fault.c:311 [inline]
    19   do_tag_recovery arch/arm64/mm/fault.c:325 [inline]
    20   __do_kernel_fault+0x17c/0x1c0 arch/arm64/mm/fault.c:369
    21   do_bad_area arch/arm64/mm/fault.c:462 [inline]
    22   do_tag_check_fault+0x78/0x8c arch/arm64/mm/fault.c:717
    23   do_mem_abort+0x44/0xbc arch/arm64/mm/fault.c:793
    24   el1_abort+0x40/0x6c arch/arm64/kernel/entry-common.c:118
    25   el1_sync_handler+0xb0/0xcc arch/arm64/kernel/entry-common.c:209
    26   el1_sync+0x70/0x100 arch/arm64/kernel/entry.S:656
    27   kmem_cache_destroy+0x34/0x174 mm/slab_common.c:492
    28   f2fs_recover_fsync_data+0x60c/0x1cc0 fs/f2fs/recovery.c:869
    29   f2fs_fill_super+0x174c/0x1e8c fs/f2fs/super.c:3804
    30   mount_bdev+0x1c4/0x1f0 fs/super.c:1366
    31   f2fs_mount+0x1c/0x30 fs/f2fs/super.c:3962
    32   legacy_get_tree+0x34/0x64 fs/fs_context.c:592
    33   vfs_get_tree+0x2c/0xf0 fs/super.c:1496
    34   do_new_mount fs/namespace.c:2881 [inline]
    35   path_mount+0x3e8/0xaf0 fs/namespace.c:3211
    36   do_mount fs/namespace.c:3224 [inline]
    37   __do_sys_mount fs/namespace.c:3432 [inline]
    38   __se_sys_mount fs/namespace.c:3409 [inline]
    39   __arm64_sys_mount+0x1a8/0x2fc fs/namespace.c:3409
    40   __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
    41   invoke_syscall arch/arm64/kernel/syscall.c:49 [inline]
    42   el0_svc_common.constprop.0+0x74/0x190 arch/arm64/kernel/syscall.c:159
    43   do_el0_svc+0x78/0x90 arch/arm64/kernel/syscall.c:198
    44   el0_svc+0x14/0x20 arch/arm64/kernel/entry-common.c:365
    45   el0_sync_handler+0x1a8/0x1b0 arch/arm64/kernel/entry-common.c:381
    46   el0_sync+0x190/0x1c0 arch/arm64/kernel/entry.S:699
    47  
    48  Allocated by task 5059:
    49   stack_trace_save+0x50/0x80 kernel/stacktrace.c:121
    50   kasan_save_stack+0x2c/0x60 mm/kasan/common.c:38
    51   kasan_set_track mm/kasan/common.c:46 [inline]
    52   set_alloc_info mm/kasan/common.c:401 [inline]
    53   ____kasan_kmalloc+0xe8/0x160 mm/kasan/common.c:429
    54   __kasan_slab_alloc+0x20/0x30 mm/kasan/common.c:437
    55   kasan_slab_alloc include/linux/kasan.h:209 [inline]
    56   slab_post_alloc_hook mm/slab.h:512 [inline]
    57   slab_alloc_node mm/slub.c:2892 [inline]
    58   slab_alloc mm/slub.c:2900 [inline]
    59   kmem_cache_alloc+0x1b0/0x310 mm/slub.c:2905
    60   kmem_cache_zalloc include/linux/slab.h:672 [inline]
    61   create_cache mm/slab_common.c:246 [inline]
    62   kmem_cache_create_usercopy+0x148/0x2ac mm/slab_common.c:352
    63   kmem_cache_create+0x20/0x30 mm/slab_common.c:410
    64   f2fs_kmem_cache_create fs/f2fs/f2fs.h:2411 [inline]
    65   f2fs_recover_fsync_data+0x7c/0x1cc0 fs/f2fs/recovery.c:790
    66   f2fs_fill_super+0x174c/0x1e8c fs/f2fs/super.c:3804
    67   mount_bdev+0x1c4/0x1f0 fs/super.c:1366
    68   f2fs_mount+0x1c/0x30 fs/f2fs/super.c:3962
    69   legacy_get_tree+0x34/0x64 fs/fs_context.c:592
    70   vfs_get_tree+0x2c/0xf0 fs/super.c:1496
    71   do_new_mount fs/namespace.c:2881 [inline]
    72   path_mount+0x3e8/0xaf0 fs/namespace.c:3211
    73   do_mount fs/namespace.c:3224 [inline]
    74   __do_sys_mount fs/namespace.c:3432 [inline]
    75   __se_sys_mount fs/namespace.c:3409 [inline]
    76   __arm64_sys_mount+0x1a8/0x2fc fs/namespace.c:3409
    77   __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
    78   invoke_syscall arch/arm64/kernel/syscall.c:49 [inline]
    79   el0_svc_common.constprop.0+0x74/0x190 arch/arm64/kernel/syscall.c:159
    80   do_el0_svc+0x78/0x90 arch/arm64/kernel/syscall.c:198
    81   el0_svc+0x14/0x20 arch/arm64/kernel/entry-common.c:365
    82   el0_sync_handler+0x1a8/0x1b0 arch/arm64/kernel/entry-common.c:381
    83   el0_sync+0x190/0x1c0 arch/arm64/kernel/entry.S:699
    84  
    85  Freed by task 5053:
    86   stack_trace_save+0x50/0x80 kernel/stacktrace.c:121
    87   kasan_save_stack+0x2c/0x60 mm/kasan/common.c:38
    88   kasan_set_track+0x2c/0x40 mm/kasan/common.c:46
    89   kasan_set_free_info+0x24/0x30 mm/kasan/hw_tags.c:178
    90   ____kasan_slab_free.constprop.0+0x184/0x1c0 mm/kasan/common.c:362
    91   __kasan_slab_free+0x14/0x20 mm/kasan/common.c:369
    92   kasan_slab_free include/linux/kasan.h:192 [inline]
    93   slab_free_hook mm/slub.c:1547 [inline]
    94   slab_free_freelist_hook+0x9c/0x190 mm/slub.c:1580
    95   slab_free mm/slub.c:3143 [inline]
    96   kmem_cache_free+0xa0/0x460 mm/slub.c:3159
    97   slab_kmem_cache_release+0x34/0x4c mm/slab_common.c:479
    98   kmem_cache_release+0x18/0x24 mm/slub.c:5535
    99   kobject_cleanup lib/kobject.c:705 [inline]
   100   kobject_release lib/kobject.c:736 [inline]
   101   kref_put include/linux/kref.h:65 [inline]
   102   kobject_put+0x74/0x11c lib/kobject.c:753
   103   sysfs_slab_release+0x2c/0x40 mm/slub.c:5657
   104   shutdown_cache mm/slab_common.c:466 [inline]
   105   kmem_cache_destroy+0x134/0x174 mm/slab_common.c:498
   106   f2fs_recover_fsync_data+0x60c/0x1cc0 fs/f2fs/recovery.c:869
   107   f2fs_fill_super+0x174c/0x1e8c fs/f2fs/super.c:3804
   108   mount_bdev+0x1c4/0x1f0 fs/super.c:1366
   109   f2fs_mount+0x1c/0x30 fs/f2fs/super.c:3962
   110   legacy_get_tree+0x34/0x64 fs/fs_context.c:592
   111   vfs_get_tree+0x2c/0xf0 fs/super.c:1496
   112   do_new_mount fs/namespace.c:2881 [inline]
   113   path_mount+0x3e8/0xaf0 fs/namespace.c:3211
   114   do_mount fs/namespace.c:3224 [inline]
   115   __do_sys_mount fs/namespace.c:3432 [inline]
   116   __se_sys_mount fs/namespace.c:3409 [inline]
   117   __arm64_sys_mount+0x1a8/0x2fc fs/namespace.c:3409
   118   __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
   119   invoke_syscall arch/arm64/kernel/syscall.c:49 [inline]
   120   el0_svc_common.constprop.0+0x74/0x190 arch/arm64/kernel/syscall.c:159
   121   do_el0_svc+0x78/0x90 arch/arm64/kernel/syscall.c:198
   122   el0_svc+0x14/0x20 arch/arm64/kernel/entry-common.c:365
   123   el0_sync_handler+0x1a8/0x1b0 arch/arm64/kernel/entry-common.c:381
   124   el0_sync+0x190/0x1c0 arch/arm64/kernel/entry.S:699
   125  
   126  The buggy address belongs to the object at ffff000022c9c000
   127   which belongs to the cache kmem_cache of size 216
   128  The buggy address is located 64 bytes inside of
   129   216-byte region [ffff000022c9c000, ffff000022c9c0d8)
   130  The buggy address belongs to the page:
   131  page:00000000645d0634 refcount:1 mapcount:0 mapping:0000000000000000 index:0xfdff000022c9c000 pfn:0x62c9c
   132  flags: 0x1ffffc000000200(slab)
   133  raw: 01ffffc000000200 dead000000000100 dead000000000122 f6ff000004001000
   134  raw: fdff000022c9c000 000000008010000f 00000001ffffffff 0000000000000000
   135  page dumped because: kasan: bad access detected
   136  
   137  Memory state around the buggy address:
   138   ffff000022c9be00: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
   139   ffff000022c9bf00: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
   140  >ffff000022c9c000: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
   141                                 ^
   142   ffff000022c9c100: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
   143   ffff000022c9c200: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
   144  ==================================================================