Dear Maintainers,
When using our customized Syzkaller to fuzz the latest Linux kernel, the following crash (11th) was triggered.

HEAD commit: 6537cfb395f352782918d8ee7b7f10ba2cc3cbf2
git tree: upstream
Output: https://github.com/pghk13/Kernel-Bug/blob/main/1220_6.13rc_KASAN/2.%E5%9B%9E%E5%BD%92-11/11-KASAN_%20slab-use-after-free%20Read%20in%20move_to_new_folio/11call_trace.txt
Kernel config: https://github.com/pghk13/Kernel-Bug/blob/main/config.txt
C reproducer: https://github.com/pghk13/Kernel-Bug/blob/main/1220_6.13rc_KASAN/2.%E5%9B%9E%E5%BD%92-11/11-KASAN_%20slab-use-after-free%20Read%20in%20move_to_new_folio/11repro.c
Syzlang reproducer: https://github.com/pghk13/Kernel-Bug/blob/main/1220_6.13rc_KASAN/2.%E5%9B%9E%E5%BD%92-11/11-KASAN_%20slab-use-after-free%20Read%20in%20move_to_new_folio/11repro.txt

The error is located on line 592 of the fs/bcachefs/super.c file, in the bch2_fs_release function. Based on the error message and the call stack, the problem is that all reserved resources are not properly released when the bcachefs file system is down. We have reproduced this issue several times on 6.15-rc1 again.
If you fix this issue, please add the following tag to the commit:
Reported-by: Kun Hu <[email protected]>, Jiaji Qin <[email protected]>, Shuoran Bai <[email protected]>

==================================================================
online_reserved not 0 at shutdown: 1
WARNING: CPU: 1 PID: 13366 at fs/bcachefs/super.c:592 bch2_fs_release+0x735/0x8b0
Modules linked in:
CPU: 1 UID: 0 PID: 13366 Comm: syz.1.45 Not tainted 6.15.0-rc1 #1 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:bch2_fs_release+0x735/0x8b0
Code: 89 ef e8 be 4f d1 ff e9 86 fa ff ff e8 e4 ae 54 fd 90 0f 0b e8 dc ae 54 fd 90 48 c7 c7 a0 87 e6 8b 4c 89 e6 e8 cc 31 14 fd 90 <0f> 0b 90 90 48 b8 00 00 00 00 00 fc ff df 48 8b 54 24 10 48 c1 ea
RSP: 0018:ffffc900026c7358 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff888075e00068 RCX: ffffffff817a9669
RDX: 0000000000000001 RSI: ffff88801fba4900 RDI: 0000000000000002
RBP: ffff888075e00000 R08: fffffbfff1c4bb00 R09: ffffed100fdc47ba
R10: ffffed100fdc47b9 R11: ffff88807ee23dcb R12: 0000000000000001
R13: 0000607f1491e148 R14: dffffc0000000000 R15: 0000000000000000
FS:  00007fcb10ebf700(0000) GS:ffff8880eb36b000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f93c5d4c000 CR3: 000000006c2e6000 CR4: 0000000000750ef0
PKRU: 00000000
Call Trace:
 <TASK>
 kobject_put+0x1b2/0x4c0
 bch2_fs_alloc+0xcfe/0x29b0
 bch2_fs_open+0x945/0x1160
 bch2_fs_get_tree+0x3c9/0x20c0
 vfs_get_tree+0x93/0x340
 path_mount+0x1270/0x1b90
 do_mount+0xb3/0x110
 __x64_sys_mount+0x193/0x230
 do_syscall_64+0xcf/0x260
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fcb0ffaf51e
Code: ff ff ff 64 c7 00 16 00 00 00 b8 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fcb10ebe9b8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000000005905 RCX: 00007fcb0ffaf51e
RDX: 00000000200058c0 RSI: 0000000020005900 RDI: 00007fcb10ebea10
RBP: 00007fcb10ebea50 R08: 00007fcb10ebea50 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000200058c0
R13: 0000000020005900 R14: 00007fcb10ebea10 R15: 00000000200001c0

thanks,
Kun Hu
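Added example, not part of the report above or of bcachefs: a small Python parser that turns a kernel WARNING dump in the format the report shows into structured triage fields: the warning site and the printk reason before it, kernel version and taint state, the in-kernel Call Trace, the frames belonging to one subsystem, and the syscall that entered the kernel, read from ORIG_RAX in the user-space register dump. The sample dump embedded in the block is an excerpt of the report's own output; the one-entry syscall table is an assumption of the example (165 is mount on x86-64, as the __x64_sys_mount frame in the trace also shows).

```python
"""Parse a Linux kernel WARNING dump into structured triage fields (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# "WARNING: CPU: 1 PID: 13366 at fs/bcachefs/super.c:592 bch2_fs_release+0x735/0x8b0"
WARN_RE = re.compile(r"WARNING: CPU: (?P<cpu>\d+) PID: (?P<pid>\d+) at "
                     r"(?P<file>[\w./\-]+):(?P<line>\d+) (?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
# A stack frame as printed: symbol+offset/size, e.g. "kobject_put+0x1b2/0x4c0"
FRAME_RE = re.compile(r"^(?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
# Taint state and version from the "CPU: ... Comm: ... Not tainted 6.15.0-rc1 #1" line
TAINT_RE = re.compile(r"(?P<taint>Not tainted|Tainted:[^\d]*)\s*(?P<version>\d+\.\d+\S*)")
# ORIG_RAX in the user-space register dump is the syscall number that entered the kernel
ORIG_RAX_RE = re.compile(r"ORIG_RAX: (?P<nr>[0-9a-f]{16})")
# Assumed minimal x86-64 syscall table for this example (165 = mount, matching __x64_sys_mount)
X86_64_SYSCALLS = {165: "mount"}


@dataclass
class KernelWarning:
    message: str = ""        # printk line just before "WARNING:" (the reason it fired)
    cpu: int = -1
    pid: int = -1
    file: str = ""
    line: int = 0
    function: str = ""       # function whose WARN_ON fired
    tainted: bool = False
    version: str = ""
    frames: List[str] = field(default_factory=list)   # Call Trace, innermost first
    syscall_nr: Optional[int] = None

    @property
    def syscall(self) -> str:
        if self.syscall_nr is None:
            return "unknown"
        return X86_64_SYSCALLS.get(self.syscall_nr, f"nr{self.syscall_nr}")


def parse_warning(text: str) -> KernelWarning:
    w, in_trace, prev = KernelWarning(), False, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := WARN_RE.search(line)) and not w.function:
            w.message = prev
            w.cpu, w.pid = int(m["cpu"]), int(m["pid"])
            w.file, w.line, w.function = m["file"], int(m["line"]), m["func"]
        elif (m := TAINT_RE.search(line)) and not w.version:
            w.tainted = not m["taint"].startswith("Not")
            w.version = m["version"]
        elif line == "Call Trace:":
            in_trace = True
        elif in_trace:
            if (fm := FRAME_RE.match(line)):
                w.frames.append(fm["func"])
            elif line.startswith("RIP: 0033:"):  # CS 0x33 = user space: kernel trace ends
                in_trace = False
        elif (m := ORIG_RAX_RE.search(line)):
            w.syscall_nr = int(m["nr"], 16)
        prev = line
    return w


def subsystem_frames(w: KernelWarning, prefix: str) -> List[str]:
    """Frames from one subsystem, innermost first ('bch2_' is bcachefs)."""
    return [f for f in w.frames if f.startswith(prefix)]


def entry_point(w: KernelWarning) -> Optional[str]:
    """The syscall handler frame through which user space reached the warning."""
    return next((f for f in w.frames if f.startswith(("__x64_sys_", "__do_sys_"))), None)


def summarize(w: KernelWarning, subsystem_prefix: str) -> dict:
    """One triage record: where the warning fired, why, on which kernel, and how."""
    return {"site": f"{w.file}:{w.line}", "function": w.function, "message": w.message,
            "version": w.version, "tainted": w.tainted, "syscall": w.syscall,
            # RIP names the function that fired; the Call Trace starts with its caller
            "caller": w.frames[0] if w.frames else None, "entry": entry_point(w),
            "subsystem_path": subsystem_frames(w, subsystem_prefix)}


# Constructed sample: an excerpt of the report's own WARNING output.
SAMPLE_DUMP = """\
online_reserved not 0 at shutdown: 1
WARNING: CPU: 1 PID: 13366 at fs/bcachefs/super.c:592 bch2_fs_release+0x735/0x8b0
CPU: 1 UID: 0 PID: 13366 Comm: syz.1.45 Not tainted 6.15.0-rc1 #1 PREEMPT(full)
RIP: 0010:bch2_fs_release+0x735/0x8b0
Call Trace:
 <TASK>
 kobject_put+0x1b2/0x4c0
 bch2_fs_alloc+0xcfe/0x29b0
 bch2_fs_open+0x945/0x1160
 bch2_fs_get_tree+0x3c9/0x20c0
 vfs_get_tree+0x93/0x340
 path_mount+0x1270/0x1b90
 do_mount+0xb3/0x110
 __x64_sys_mount+0x193/0x230
 do_syscall_64+0xcf/0x260
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fcb0ffaf51e
RSP: 002b:00007fcb10ebe9b8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
"""

if __name__ == "__main__":
    print(summarize(parse_warning(SAMPLE_DUMP), "bch2_"))
```

On the report's dump this yields the site fs/bcachefs/super.c:592 in bch2_fs_release, the reason "online_reserved not 0 at shutdown: 1", caller kobject_put, the bcachefs path bch2_fs_get_tree, bch2_fs_open, bch2_fs_alloc, and entry via mount(2). Keeping the user-space RIP line as the trace terminator matters: the register dump after it belongs to the process, not the kernel, and ORIG_RAX is what ties the trace back to the mount call in the C reproducer.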
