[Android 6.1] KASAN: use-after-free Read in ext4_find_extent
8 views
Skip to first unread message
syzbot
Jun 18, 2023, 6:55:15 AM6/18/23
Hello,
syzbot found the following issue on:
HEAD commit: 35fe0d393f80 ANDROID: 6/16/2023 KMI update
git tree: android14-6.1
console+strace: https://syzkaller.appspot.com/x/log.txt?x=145278ff280000
kernel config: https://syzkaller.appspot.com/x/.config?x=f3a6e543620145da
dashboard link: https://syzkaller.appspot.com/bug?extid=466b2a18226770691edf
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=153eeadf280000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1686e8f3280000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/682d3b9ce14d/disk-35fe0d39.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/690d4f00078f/vmlinux-35fe0d39.xz
kernel image: https://storage.googleapis.com/syzbot-assets/156328070aae/bzImage-35fe0d39.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/93726b4446b2/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]
==================================================================
BUG: KASAN: use-after-free in ext4_ext_binsearch fs/ext4/extents.c:837 [inline]
BUG: KASAN: use-after-free in ext4_find_extent+0xbab/0xdb0 fs/ext4/extents.c:953
Read of size 4 at addr ffff8881206d045c by task kworker/u4:0/8
CPU: 1 PID: 8 Comm: kworker/u4:0 Not tainted 6.1.25-syzkaller-00099-g35fe0d393f80 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
Workqueue: writeback wb_workfn (flush-7:0)
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x158/0x4e0 mm/kasan/report.c:395
kasan_report+0x13c/0x170 mm/kasan/report.c:495
__asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:350
ext4_ext_binsearch fs/ext4/extents.c:837 [inline]
ext4_find_extent+0xbab/0xdb0 fs/ext4/extents.c:953
ext4_ext_map_blocks+0x255/0x71e0 fs/ext4/extents.c:4103
ext4_map_blocks+0xa42/0x1ce0 fs/ext4/inode.c:651
mpage_map_one_extent fs/ext4/inode.c:2421 [inline]
mpage_map_and_submit_extent fs/ext4/inode.c:2474 [inline]
ext4_writepages+0x178c/0x3fb0 fs/ext4/inode.c:2842
do_writepages+0x385/0x620 mm/page-writeback.c:2472
__writeback_single_inode+0xdc/0xb80 fs/fs-writeback.c:1590
writeback_sb_inodes+0xb33/0x18f0 fs/fs-writeback.c:1881
wb_writeback+0x3b9/0x9f0 fs/fs-writeback.c:2055
wb_do_writeback fs/fs-writeback.c:2198 [inline]
wb_workfn+0x399/0x1030 fs/fs-writeback.c:2238
process_one_work+0x73d/0xcb0 kernel/workqueue.c:2296
worker_thread+0xa60/0x1260 kernel/workqueue.c:2443
kthread+0x26d/0x300 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
</TASK>
The buggy address belongs to the physical page:
page:ffffea000481b400 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x1206d0
flags: 0x4000000000000000(zone=1)
raw: 4000000000000000 ffffea000481e388 ffffea000481b3c8 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x141cca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_WRITE), pid 305, tgid 305 (syz-executor221), ts 20703607314, free_ts 20788875962
set_page_owner include/linux/page_owner.h:33 [inline]
post_alloc_hook+0x213/0x220 mm/page_alloc.c:2574
prep_new_page mm/page_alloc.c:2581 [inline]
get_page_from_freelist+0x2527/0x2600 mm/page_alloc.c:4374
__alloc_pages+0x3a1/0x780 mm/page_alloc.c:5651
__folio_alloc+0x15/0x40 mm/page_alloc.c:5683
__folio_alloc_node include/linux/gfp.h:245 [inline]
folio_alloc include/linux/gfp.h:274 [inline]
filemap_alloc_folio include/linux/pagemap.h:474 [inline]
__filemap_get_folio+0x6c0/0x970 mm/filemap.c:1976
pagecache_get_page+0x2f/0x110 mm/folio-compat.c:110
grab_cache_page_write_begin+0x42/0x60 mm/folio-compat.c:122
ext4_write_begin+0x257/0xfb0 fs/ext4/inode.c:1195
ext4_da_write_begin+0x2ff/0x920 fs/ext4/inode.c:2987
generic_perform_write+0x2f9/0x5c0 mm/filemap.c:3765
ext4_buffered_write_iter+0x360/0x640 fs/ext4/file.c:285
ext4_file_write_iter+0x194/0x1cf0
do_iter_write+0x6e6/0xc50 fs/read_write.c:861
vfs_iter_write+0x7c/0xa0 fs/read_write.c:902
iter_file_splice_write+0x7f8/0xf90 fs/splice.c:686
do_splice_from fs/splice.c:764 [inline]
direct_splice_actor+0xff/0x130 fs/splice.c:931
page last free stack trace:
reset_page_owner include/linux/page_owner.h:26 [inline]
free_pages_prepare mm/page_alloc.c:1486 [inline]
free_pcp_prepare mm/page_alloc.c:1560 [inline]
free_unref_page_prepare+0x83d/0x850 mm/page_alloc.c:3473
free_unref_page_list+0xf6/0x6c0 mm/page_alloc.c:3615
release_pages+0xf7f/0xfe0 mm/swap.c:1055
__pagevec_release+0x84/0x100 mm/swap.c:1075
pagevec_release include/linux/pagevec.h:71 [inline]
folio_batch_release include/linux/pagevec.h:135 [inline]
truncate_inode_pages_range+0x465/0xf10 mm/truncate.c:375
truncate_inode_pages mm/truncate.c:457 [inline]
truncate_inode_pages_final+0x83/0x90 mm/truncate.c:496
ext4_evict_inode+0x657/0x1510 fs/ext4/inode.c:210
evict+0x2a3/0x630 fs/inode.c:664
dispose_list fs/inode.c:697 [inline]
evict_inodes+0x5d1/0x650 fs/inode.c:747
generic_shutdown_super+0x97/0x370 fs/super.c:482
kill_block_super+0x7e/0xe0 fs/super.c:1452
deactivate_locked_super+0xa5/0x110 fs/super.c:334
deactivate_super+0xbe/0xf0 fs/super.c:365
cleanup_mnt+0x485/0x510 fs/namespace.c:1186
__cleanup_mnt+0x19/0x20 fs/namespace.c:1193
task_work_run+0x24d/0x2e0 kernel/task_work.c:179
Memory state around the buggy address:
ffff8881206d0300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8881206d0380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8881206d0400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff8881206d0480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8881206d0500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
EXT4-fs error (device loop0): ext4_map_blocks:731: inode #16: comm kworker/u4:0: lblock 0 mapped to illegal pblock 0 (length 6)
EXT4-fs (loop0): Delayed block allocation failed for inode 16 at logical offset 0 with max blocks 6 with error 117
EXT4-fs (loop0): This should not happen!! Data will be lost
EXT4-fs error (device loop0): __ext4_get_inode_loc:4492: comm kworker/u4:0: Invalid inode table block 790638693 in block_group 0
EXT4-fs error (device loop0): __ext4_get_inode_loc:4492: comm kworker/u4:0: Invalid inode table block 790638693 in block_group 0
EXT4-fs error (device loop0) in ext4_reserve_inode_write:5841: Corrupt filesystem
EXT4-fs error (device loop0): __ext4_ext_dirty:202: inode #16: comm kworker/u4:0: mark_inode_dirty error
EXT4-fs (loop0): Delayed block allocation failed for inode 16 at logical offset 0 with max blocks 16 with error 117
EXT4-fs (loop0): This should not happen!! Data will be lost
EXT4-fs error (device loop0): __ext4_get_inode_loc:4492: comm kworker/u4:0: Invalid inode table block 790638693 in block_group 0
EXT4-fs error (device loop0): __ext4_get_inode_loc:4492: comm kworker/u4:0: Invalid inode table block 790638693 in block_group 0
EXT4-fs error (device loop0) in ext4_reserve_inode_write:5841: Corrupt filesystem
EXT4-fs error (device loop0): __ext4_ext_dirty:202: inode #16: comm kworker/u4:0: mark_inode_dirty error
EXT4-fs (loop0): Delayed block allocation failed for inode 16 at logical offset 0 with max blocks 16 with error 117
EXT4-fs (loop0): This should not happen!! Data will be lost
EXT4-fs error (device loop0): __ext4_get_inode_loc:4492: comm kworker/u4:0: Invalid inode table block 790638693 in block_group 0
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to change bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 35fe0d393f80 ANDROID: 6/16/2023 KMI update
git tree: android14-6.1
console+strace: https://syzkaller.appspot.com/x/log.txt?x=145278ff280000
kernel config: https://syzkaller.appspot.com/x/.config?x=f3a6e543620145da
dashboard link: https://syzkaller.appspot.com/bug?extid=466b2a18226770691edf
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=153eeadf280000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1686e8f3280000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/682d3b9ce14d/disk-35fe0d39.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/690d4f00078f/vmlinux-35fe0d39.xz
kernel image: https://storage.googleapis.com/syzbot-assets/156328070aae/bzImage-35fe0d39.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/93726b4446b2/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]
==================================================================
BUG: KASAN: use-after-free in ext4_ext_binsearch fs/ext4/extents.c:837 [inline]
BUG: KASAN: use-after-free in ext4_find_extent+0xbab/0xdb0 fs/ext4/extents.c:953
Read of size 4 at addr ffff8881206d045c by task kworker/u4:0/8
CPU: 1 PID: 8 Comm: kworker/u4:0 Not tainted 6.1.25-syzkaller-00099-g35fe0d393f80 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
Workqueue: writeback wb_workfn (flush-7:0)
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x158/0x4e0 mm/kasan/report.c:395
kasan_report+0x13c/0x170 mm/kasan/report.c:495
__asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:350
ext4_ext_binsearch fs/ext4/extents.c:837 [inline]
ext4_find_extent+0xbab/0xdb0 fs/ext4/extents.c:953
ext4_ext_map_blocks+0x255/0x71e0 fs/ext4/extents.c:4103
ext4_map_blocks+0xa42/0x1ce0 fs/ext4/inode.c:651
mpage_map_one_extent fs/ext4/inode.c:2421 [inline]
mpage_map_and_submit_extent fs/ext4/inode.c:2474 [inline]
ext4_writepages+0x178c/0x3fb0 fs/ext4/inode.c:2842
do_writepages+0x385/0x620 mm/page-writeback.c:2472
__writeback_single_inode+0xdc/0xb80 fs/fs-writeback.c:1590
writeback_sb_inodes+0xb33/0x18f0 fs/fs-writeback.c:1881
wb_writeback+0x3b9/0x9f0 fs/fs-writeback.c:2055
wb_do_writeback fs/fs-writeback.c:2198 [inline]
wb_workfn+0x399/0x1030 fs/fs-writeback.c:2238
process_one_work+0x73d/0xcb0 kernel/workqueue.c:2296
worker_thread+0xa60/0x1260 kernel/workqueue.c:2443
kthread+0x26d/0x300 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
</TASK>
The buggy address belongs to the physical page:
page:ffffea000481b400 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x1206d0
flags: 0x4000000000000000(zone=1)
raw: 4000000000000000 ffffea000481e388 ffffea000481b3c8 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x141cca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_WRITE), pid 305, tgid 305 (syz-executor221), ts 20703607314, free_ts 20788875962
set_page_owner include/linux/page_owner.h:33 [inline]
post_alloc_hook+0x213/0x220 mm/page_alloc.c:2574
prep_new_page mm/page_alloc.c:2581 [inline]
get_page_from_freelist+0x2527/0x2600 mm/page_alloc.c:4374
__alloc_pages+0x3a1/0x780 mm/page_alloc.c:5651
__folio_alloc+0x15/0x40 mm/page_alloc.c:5683
__folio_alloc_node include/linux/gfp.h:245 [inline]
folio_alloc include/linux/gfp.h:274 [inline]
filemap_alloc_folio include/linux/pagemap.h:474 [inline]
__filemap_get_folio+0x6c0/0x970 mm/filemap.c:1976
pagecache_get_page+0x2f/0x110 mm/folio-compat.c:110
grab_cache_page_write_begin+0x42/0x60 mm/folio-compat.c:122
ext4_write_begin+0x257/0xfb0 fs/ext4/inode.c:1195
ext4_da_write_begin+0x2ff/0x920 fs/ext4/inode.c:2987
generic_perform_write+0x2f9/0x5c0 mm/filemap.c:3765
ext4_buffered_write_iter+0x360/0x640 fs/ext4/file.c:285
ext4_file_write_iter+0x194/0x1cf0
do_iter_write+0x6e6/0xc50 fs/read_write.c:861
vfs_iter_write+0x7c/0xa0 fs/read_write.c:902
iter_file_splice_write+0x7f8/0xf90 fs/splice.c:686
do_splice_from fs/splice.c:764 [inline]
direct_splice_actor+0xff/0x130 fs/splice.c:931
page last free stack trace:
reset_page_owner include/linux/page_owner.h:26 [inline]
free_pages_prepare mm/page_alloc.c:1486 [inline]
free_pcp_prepare mm/page_alloc.c:1560 [inline]
free_unref_page_prepare+0x83d/0x850 mm/page_alloc.c:3473
free_unref_page_list+0xf6/0x6c0 mm/page_alloc.c:3615
release_pages+0xf7f/0xfe0 mm/swap.c:1055
__pagevec_release+0x84/0x100 mm/swap.c:1075
pagevec_release include/linux/pagevec.h:71 [inline]
folio_batch_release include/linux/pagevec.h:135 [inline]
truncate_inode_pages_range+0x465/0xf10 mm/truncate.c:375
truncate_inode_pages mm/truncate.c:457 [inline]
truncate_inode_pages_final+0x83/0x90 mm/truncate.c:496
ext4_evict_inode+0x657/0x1510 fs/ext4/inode.c:210
evict+0x2a3/0x630 fs/inode.c:664
dispose_list fs/inode.c:697 [inline]
evict_inodes+0x5d1/0x650 fs/inode.c:747
generic_shutdown_super+0x97/0x370 fs/super.c:482
kill_block_super+0x7e/0xe0 fs/super.c:1452
deactivate_locked_super+0xa5/0x110 fs/super.c:334
deactivate_super+0xbe/0xf0 fs/super.c:365
cleanup_mnt+0x485/0x510 fs/namespace.c:1186
__cleanup_mnt+0x19/0x20 fs/namespace.c:1193
task_work_run+0x24d/0x2e0 kernel/task_work.c:179
Memory state around the buggy address:
ffff8881206d0300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8881206d0380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8881206d0400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff8881206d0480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8881206d0500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
EXT4-fs error (device loop0): ext4_map_blocks:731: inode #16: comm kworker/u4:0: lblock 0 mapped to illegal pblock 0 (length 6)
EXT4-fs (loop0): Delayed block allocation failed for inode 16 at logical offset 0 with max blocks 6 with error 117
EXT4-fs (loop0): This should not happen!! Data will be lost
EXT4-fs error (device loop0): __ext4_get_inode_loc:4492: comm kworker/u4:0: Invalid inode table block 790638693 in block_group 0
EXT4-fs error (device loop0): __ext4_get_inode_loc:4492: comm kworker/u4:0: Invalid inode table block 790638693 in block_group 0
EXT4-fs error (device loop0) in ext4_reserve_inode_write:5841: Corrupt filesystem
EXT4-fs error (device loop0): __ext4_ext_dirty:202: inode #16: comm kworker/u4:0: mark_inode_dirty error
EXT4-fs (loop0): Delayed block allocation failed for inode 16 at logical offset 0 with max blocks 16 with error 117
EXT4-fs (loop0): This should not happen!! Data will be lost
EXT4-fs error (device loop0): __ext4_get_inode_loc:4492: comm kworker/u4:0: Invalid inode table block 790638693 in block_group 0
EXT4-fs error (device loop0): __ext4_get_inode_loc:4492: comm kworker/u4:0: Invalid inode table block 790638693 in block_group 0
EXT4-fs error (device loop0) in ext4_reserve_inode_write:5841: Corrupt filesystem
EXT4-fs error (device loop0): __ext4_ext_dirty:202: inode #16: comm kworker/u4:0: mark_inode_dirty error
EXT4-fs (loop0): Delayed block allocation failed for inode 16 at logical offset 0 with max blocks 16 with error 117
EXT4-fs (loop0): This should not happen!! Data will be lost
EXT4-fs error (device loop0): __ext4_get_inode_loc:4492: comm kworker/u4:0: Invalid inode table block 790638693 in block_group 0
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to change bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
Dec 12, 2024, 4:32:07 AM12/12/24
syzbot suspects this issue was fixed by commit:
commit 863ca59e21eb262f78e1dd3f626e6ebe448501a1
Author: Jan Kara <[email protected]>
Date: Wed Feb 7 18:12:15 2024 +0000
quota: Detect loops in quota tree
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1050acdf980000
start commit: cd94fe67fd33 ANDROID: ABI: Update symbols to qcom whitelist
git tree: android14-6.1
kernel config: https://syzkaller.appspot.com/x/.config?x=c5b8b7a65c87c651
dashboard link: https://syzkaller.appspot.com/bug?extid=466b2a18226770691edf
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12d4dfec680000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17ab6bfc680000
If the result looks correct, please mark the issue as fixed by replying with:
#syz fix: quota: Detect loops in quota tree
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
commit 863ca59e21eb262f78e1dd3f626e6ebe448501a1
Author: Jan Kara <[email protected]>
Date: Wed Feb 7 18:12:15 2024 +0000
quota: Detect loops in quota tree
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1050acdf980000
start commit: cd94fe67fd33 ANDROID: ABI: Update symbols to qcom whitelist
git tree: android14-6.1
kernel config: https://syzkaller.appspot.com/x/.config?x=c5b8b7a65c87c651
dashboard link: https://syzkaller.appspot.com/bug?extid=466b2a18226770691edf
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12d4dfec680000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17ab6bfc680000
If the result looks correct, please mark the issue as fixed by replying with:
#syz fix: quota: Detect loops in quota tree
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot
Feb 4, 2025, 7:57:19 AMFeb 4
Auto-closing this bug as obsolete.
No recent activity, existing reproducers are no longer triggering the issue.
No recent activity, existing reproducers are no longer triggering the issue.
syzbot
Feb 14, 2025, 12:05:29 AMFeb 14
Hello,
syzbot found the following issue on:
HEAD commit: 39762b7a60e9 UPSTREAM: dma-buf: heaps: Fix off-by-one in C..
syzbot found the following issue on:
git tree: android12-5.4
console output: https://syzkaller.appspot.com/x/log.txt?x=10edf718580000
kernel config: https://syzkaller.appspot.com/x/.config?x=9bcfb44d32c96d73
dashboard link: https://syzkaller.appspot.com/bug?extid=b951e8947d1ece5cb2e9
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13d4a1a4580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=104c99b0580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/d320dcef8c4b/disk-39762b7a.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/c1ee74b00260/vmlinux-39762b7a.xz
kernel image: https://storage.googleapis.com/syzbot-assets/7165b7949e29/bzImage-39762b7a.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/b2d2adb61b5f/mount_4.gz
fsck result: failed (log: https://syzkaller.appspot.com/x/fsck.log?x=15d4a1a4580000)
IMPORTANT: if you fix the issue, please add the following tag to the commit:
EXT4-fs (loop0): mounted filesystem without journal. Opts: discard,nodiscard,noquota,noinit_itable,stripe=0x0000000000000079,resgid=0x0000000000000000,sysvgroups,delalloc,delalloc,,errors=continue
ext4 filesystem being mounted at /0/file1 supports timestamps until (%ptR?) (0x7fffffff)
==================================================================
BUG: KASAN: use-after-free in ext4_ext_binsearch fs/ext4/extents.c:864 [inline]
BUG: KASAN: use-after-free in ext4_find_extent+0xba2/0xda0 fs/ext4/extents.c:980
Read of size 4 at addr ffff8881d9eebccc by task syz-executor426/364
CPU: 1 PID: 364 Comm: syz-executor426 Not tainted 5.4.289-syzkaller-00011-g39762b7a60e9 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1d8/0x241 lib/dump_stack.c:118
print_address_description+0x8c/0x600 mm/kasan/report.c:384
__kasan_report+0xf3/0x120 mm/kasan/report.c:516
kasan_report+0x30/0x60 mm/kasan/common.c:653
ext4_ext_binsearch fs/ext4/extents.c:864 [inline]
ext4_find_extent+0xba2/0xda0 fs/ext4/extents.c:980
ext4_ext_remove_space+0x339/0x4ba0 fs/ext4/extents.c:3021
ext4_punch_hole+0x6ac/0xad0 fs/ext4/inode.c:4492
ext4_fallocate+0x265/0x570 fs/ext4/extents.c:4949
vfs_fallocate+0x551/0x6b0 fs/open.c:309
ksys_fallocate fs/open.c:332 [inline]
__do_sys_fallocate fs/open.c:340 [inline]
__se_sys_fallocate fs/open.c:338 [inline]
__x64_sys_fallocate+0xb9/0x100 fs/open.c:338
do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x5c/0xc1
RIP: 0033:0x7fe64e436669
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fe64e3ed168 EFLAGS: 00000246 ORIG_RAX: 000000000000011d
RAX: ffffffffffffffda RBX: 00007fe64e4bf728 RCX: 00007fe64e436669
RDX: 0000000000000000 RSI: 0000000000000003 RDI: 0000000000000005
RBP: 00007fe64e4bf720 R08: 00007fe64e3ed6c0 R09: 0000000000000000
R10: 0000000000001a00 R11: 0000000000000246 R12: 00007fe64e4bf72c
R13: 0000000000000006 R14: 00007ffd59e68ee0 R15: 00007ffd59e68fc8
The buggy address belongs to the page:
page:ffffea000767bac0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1
flags: 0x8000000000000000()
raw: 8000000000000000 ffffea000767bb08 ffffea000767ba88 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8881d9eebc00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8881d9eebc80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff8881d9eebd00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8881d9eebd80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
------------[ cut here ]------------
kernel BUG at fs/ext4/extents.c:3374!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 364 Comm: syz-executor426 Tainted: G B 5.4.289-syzkaller-00011-g39762b7a60e9 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
RIP: 0010:ext4_split_extent_at+0xc54/0x1110 fs/ext4/extents.c:3374
Code: ff e8 80 a2 a1 ff 4c 89 ef 48 8d b4 24 00 01 00 00 e8 60 3e 00 00 e9 2c fa ff ff b0 01 84 c0 0f 84 27 f6 ff ff e8 5c a2 a1 ff <0f> 0b 89 d9 80 e1 07 fe c1 38 c1 0f 8c be f4 ff ff 48 89 df e8 53
RSP: 0018:ffff8881ee1f7900 EFLAGS: 00010293
RAX: ffffffff81c2a814 RBX: 0000000000000001 RCX: ffff8881f0cfbf00
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: ffff8881ee1f7a70 R08: ffffffff81c29e1f R09: ffff8881ee1f7a00
R10: ffffffffffffffff R11: dffffc0000000001 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS: 00007fe64e3ed6c0(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f8a5e14bed8 CR3: 00000001dfe74000 CR4: 00000000003406b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
ext4_force_split_extent_at fs/ext4/extents.c:308 [inline]
ext4_ext_remove_space+0x6f3/0x4ba0 fs/ext4/extents.c:3067
ext4_punch_hole+0x6ac/0xad0 fs/ext4/inode.c:4492
ext4_fallocate+0x265/0x570 fs/ext4/extents.c:4949
vfs_fallocate+0x551/0x6b0 fs/open.c:309
ksys_fallocate fs/open.c:332 [inline]
__do_sys_fallocate fs/open.c:340 [inline]
__se_sys_fallocate fs/open.c:338 [inline]
__x64_sys_fallocate+0xb9/0x100 fs/open.c:338
do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x5c/0xc1
RIP: 0033:0x7fe64e436669
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fe64e3ed168 EFLAGS: 00000246 ORIG_RAX: 000000000000011d
RAX: ffffffffffffffda RBX: 00007fe64e4bf728 RCX: 00007fe64e436669
RDX: 0000000000000000 RSI: 0000000000000003 RDI: 0000000000000005
RBP: 00007fe64e4bf720 R08: 00007fe64e3ed6c0 R09: 0000000000000000
R10: 0000000000001a00 R11: 0000000000000246 R12: 00007fe64e4bf72c
R13: 0000000000000006 R14: 00007ffd59e68ee0 R15: 00007ffd59e68fc8
Modules linked in:
---[ end trace b4a6d822cfff3d9d ]---
RIP: 0010:ext4_split_extent_at+0xc54/0x1110 fs/ext4/extents.c:3374
Code: ff e8 80 a2 a1 ff 4c 89 ef 48 8d b4 24 00 01 00 00 e8 60 3e 00 00 e9 2c fa ff ff b0 01 84 c0 0f 84 27 f6 ff ff e8 5c a2 a1 ff <0f> 0b 89 d9 80 e1 07 fe c1 38 c1 0f 8c be f4 ff ff 48 89 df e8 53
RSP: 0018:ffff8881ee1f7900 EFLAGS: 00010293
RAX: ffffffff81c2a814 RBX: 0000000000000001 RCX: ffff8881f0cfbf00
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: ffff8881ee1f7a70 R08: ffffffff81c29e1f R09: ffff8881ee1f7a00
R10: ffffffffffffffff R11: dffffc0000000001 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS: 00007fe64e3ed6c0(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000559965d246a0 CR3: 00000001dfe74000 CR4: 00000000003406a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
(See the list of subsystem names on the web dashboard)
Reply all
Reply to author
Forward
0 new messages