Re: [syzbot] [btrfs?] KASAN: slab-use-after-free Read in close_fs_devices

From: Qu Wenruo
Date: Thu Jun 26 2025 - 20:09:53 EST

Next message: Josh Poimboeuf: "[PATCH v3 09/64] modpost: Ignore unresolved section bounds symbols"
Previous message: Edgecombe, Rick P: "Re: [PATCH v3 6/6] KVM: TDX: Explicitly do WBINVD upon reboot notifier"
In reply to: syzbot: "[syzbot] [btrfs?] KASAN: slab-use-after-free Read in close_fs_devices"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

在 2025/6/27 03:05, syzbot 写道:

Hello,

syzbot found the following issue on:

HEAD commit: ecb259c4f70d Add linux-next specific files for 20250626

This head already includes the latest v5 update, so it's not a goode news to me.

git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=11147182580000
kernel config: https://syzkaller.appspot.com/x/.config?x=f0c48ed70f20d0d2
dashboard link: https://syzkaller.appspot.com/bug?extid=772bdfe41846e057fa83
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/a6a71f1563ce/disk-ecb259c4.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/914a0673e6a0/vmlinux-ecb259c4.xz
kernel image: https://storage.googleapis.com/syzbot-assets/87f7194e2a0e/bzImage-ecb259c4.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+772bdfe41846e057fa83@xxxxxxxxxxxxxxxxxxxxxxxxx

BTRFS: device fsid a6a605fc-d5f1-4e66-8595-3726e2b761d6 devid 1 transid 8 /dev/loop4 (7:4) scanned by syz.4.616 (8589)
==================================================================
BUG: KASAN: slab-use-after-free in close_fs_devices+0x81f/0x870 fs/btrfs/volumes.c:1182
Read of size 4 at addr ffff88802fe14930 by task syz.4.616/8589

CPU: 0 UID: 0 PID: 8589 Comm: syz.4.616 Not tainted 6.16.0-rc3-next-20250626-syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:408 [inline]
print_report+0xd2/0x2b0 mm/kasan/report.c:521
kasan_report+0x118/0x150 mm/kasan/report.c:634
close_fs_devices+0x81f/0x870 fs/btrfs/volumes.c:1182
btrfs_close_devices+0xc5/0x560 fs/btrfs/volumes.c:1201
btrfs_free_fs_info+0x4f/0x3c0 fs/btrfs/disk-io.c:1250
deactivate_locked_super+0xbc/0x130 fs/super.c:474
btrfs_get_tree_super fs/btrfs/super.c:-1 [inline]

If syzbot can provide a better line number for inlined function, it will be very helpful.

But so far it looks that btrfs_open_devices() failed, thus deactive_locked_super() is called to free the whole fs_devices.

However since btrfs_open_fs_devices() failed, we are not holding the fs_devices opened, and after we release uuid_mutex, the fs_devices can be freed by someone else.

I believe we need extra error handling for this particular case.

Thanks a lot for catching this rare error path.

Thanks,
Qu

Next message: Josh Poimboeuf: "[PATCH v3 09/64] modpost: Ignore unresolved section bounds symbols"
Previous message: Edgecombe, Rick P: "Re: [PATCH v3 6/6] KVM: TDX: Explicitly do WBINVD upon reboot notifier"
In reply to: syzbot: "[syzbot] [btrfs?] KASAN: slab-use-after-free Read in close_fs_devices"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]