syzbot


KASAN: use-after-free Read in ext4_find_extent

Status: upstream: reported C repro on 2022/12/26 07:59
Bug presence: origin:lts
Subsystems: ext4
[Documentation on labels]
Reported-by: syzbot+0827b4b52b5ebf65f219@syzkaller.appspotmail.com
First crash: 670d, last: 8d22h
Cause bisection: failed (error log, bisect log)
  
Discussions (2)
Title Replies (including bot) Last reply
[PATCH v2] ext4: Fix possible use-after-free in ext4_find_extent 6 (6) 2023/01/02 05:41
[PATCH] ext4: Fix possible use-after-free in ext4_find_extent 2 (2) 2022/12/29 22:40
Bug presence (2)
Date Name Commit Repro Result
2023/09/22 lts (merge base) aff03380bda4 C [report] kernel BUG in ext4_writepages
2023/09/22 upstream (ToT) 27bbf45eae9c C Didn't crash
Similar bugs (8)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-5-10 KASAN: use-after-free Read in ext4_find_extent ext4 C error inconclusive 22 18d 648d 0/2 upstream: reported C repro on 2022/12/26 07:59
android-6-1 KASAN: use-after-free Read in ext4_find_extent missing-backport origin:lts C error 3 41d 474d 0/2 upstream: reported C repro on 2023/06/18 03:55
linux-5.15 KASAN: use-after-free Read in ext4_find_extent origin:lts-only C inconclusive 4 1h19m 443d 0/3 upstream: reported C repro on 2023/07/19 14:49
upstream KASAN: use-after-free Read in ext4_find_extent ext4 2 1080d 1141d 0/28 auto-closed as invalid on 2022/02/17 05:19
linux-6.1 KASAN: use-after-free Read in ext4_find_extent origin:upstream missing-backport C done 1 158d 382d 0/3 upstream: reported C repro on 2023/09/19 00:11
upstream KASAN: use-after-free Read in ext4_find_extent (2) ext4 C error 2 519d 643d 22/28 fixed on 2023/06/08 14:41
upstream KASAN: use-after-free Read in ext4_find_extent (3) prio:low ext4 C error done 31 283d 465d 25/28 fixed on 2024/01/30 23:26
android-54 KASAN: slab-out-of-bounds Read in ext4_find_extent ext4 C 1 463d 648d 0/2 auto-obsoleted due to no activity on 2023/10/08 03:20
Last patch testing requests (11)
Created Duration User Patch Repo Result
2024/09/26 05:32 5m retest repro android13-5.15-lts report log
2024/08/30 06:16 10m retest repro android13-5.15-lts report log
2024/08/14 07:42 1h15m retest repro android13-5.15-lts report log
2024/08/14 07:42 1h13m retest repro android13-5.15-lts report log
2024/08/14 07:42 5m retest repro android13-5.15-lts report log
2024/08/14 07:42 5m retest repro android13-5.15-lts report log
2024/07/31 03:06 8m retest repro android13-5.15-lts report log
2024/07/17 01:42 1h14m retest repro android13-5.15-lts report log
2022/12/28 14:25 13m tudor.ambarus@linaro.org https://github.com/ambarus/linux.git 5ee4e1b578324fdfde35eaf5ceb30a19336c97f6 OK log
2022/12/28 13:48 7m tudor.ambarus@linaro.org upstream report log
2022/12/28 13:47 13m tudor.ambarus@linaro.org https://github.com/ambarus/linux.git f3c76c42a554367d313d2e315676b19535089ac3 OK log
Fix bisection attempts (7)
Created Duration User Patch Repo Result
2024/05/16 00:06 40m bisect fix android13-5.15-lts OK (0) job log log
2023/10/23 19:44 42m bisect fix android13-5.15-lts OK (0) job log log
2023/07/31 02:16 55m bisect fix android13-5.15-lts OK (0) job log log
2023/06/01 08:00 16m bisect fix android13-5.15-lts OK (0) job log log
2023/05/01 12:38 18m bisect fix android13-5.15-lts OK (0) job log log
2023/03/04 00:47 18m bisect fix android13-5.15-lts OK (0) job log log
2023/02/01 21:22 28m bisect fix android13-5.15-lts OK (0) job log log

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in ext4_ext_binsearch fs/ext4/extents.c:827 [inline]
BUG: KASAN: use-after-free in ext4_find_extent+0xbab/0xdb0 fs/ext4/extents.c:946
Read of size 4 at addr ffff88811a234058 by task kworker/u4:0/8

CPU: 0 PID: 8 Comm: kworker/u4:0 Not tainted 5.15.131-syzkaller-00653-gea586874d2f9 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
Workqueue: writeback wb_workfn (flush-7:0)
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
 print_address_description+0x87/0x3b0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:427 [inline]
 kasan_report+0x179/0x1c0 mm/kasan/report.c:444
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:308
 ext4_ext_binsearch fs/ext4/extents.c:827 [inline]
 ext4_find_extent+0xbab/0xdb0 fs/ext4/extents.c:946
 ext4_ext_map_blocks+0x254/0x7250 fs/ext4/extents.c:4103
 ext4_map_blocks+0xaa7/0x1e00 fs/ext4/inode.c:646
 mpage_map_one_extent fs/ext4/inode.c:2409 [inline]
 mpage_map_and_submit_extent fs/ext4/inode.c:2462 [inline]
 ext4_writepages+0x1628/0x4000 fs/ext4/inode.c:2830
 do_writepages+0x40e/0x670 mm/page-writeback.c:2366
 __writeback_single_inode+0xdf/0xa70 fs/fs-writeback.c:1625
 writeback_sb_inodes+0xb2e/0x1910 fs/fs-writeback.c:1908
 wb_writeback+0x3b9/0x9e0 fs/fs-writeback.c:2082
 wb_do_writeback fs/fs-writeback.c:2225 [inline]
 wb_workfn+0x3d9/0x1110 fs/fs-writeback.c:2266
 process_one_work+0x6bb/0xc10 kernel/workqueue.c:2317
 worker_thread+0xad5/0x12a0 kernel/workqueue.c:2464
 kthread+0x421/0x510 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
 </TASK>

The buggy address belongs to the page:
page:ffffea0004688d00 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x11a234
flags: 0x4000000000000000(zone=1)
raw: 4000000000000000 ffffea0004688cc8 ffffea0004688588 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x100dca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO), pid 235, ts 15347230371, free_ts 15359232221
 set_page_owner include/linux/page_owner.h:33 [inline]
 post_alloc_hook+0x1a3/0x1b0 mm/page_alloc.c:2602
 prep_new_page+0x1b/0x110 mm/page_alloc.c:2608
 get_page_from_freelist+0x3550/0x35d0 mm/page_alloc.c:4482
 __alloc_pages+0x206/0x5e0 mm/page_alloc.c:5773
 __alloc_pages_node include/linux/gfp.h:591 [inline]
 alloc_pages_node include/linux/gfp.h:605 [inline]
 alloc_pages include/linux/gfp.h:618 [inline]
 do_anonymous_page mm/memory.c:4000 [inline]
 handle_pte_fault+0xe1f/0x2340 mm/memory.c:4835
 do_handle_mm_fault+0x1fed/0x2330 mm/memory.c:5240
 handle_mm_fault include/linux/mm.h:1836 [inline]
 do_user_addr_fault arch/x86/mm/fault.c:1458 [inline]
 handle_page_fault arch/x86/mm/fault.c:1549 [inline]
 exc_page_fault+0x3b5/0x830 arch/x86/mm/fault.c:1605
 asm_exc_page_fault+0x27/0x30 arch/x86/include/asm/idtentry.h:568
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:26 [inline]
 free_pages_prepare mm/page_alloc.c:1469 [inline]
 free_pcp_prepare mm/page_alloc.c:1541 [inline]
 free_unref_page_prepare+0x7c8/0x7d0 mm/page_alloc.c:3531
 free_unref_page_list+0x14b/0xa60 mm/page_alloc.c:3668
 release_pages+0x1310/0x1370 mm/swap.c:1009
 free_pages_and_swap_cache+0x8a/0xa0 mm/swap_state.c:320
 tlb_batch_pages_flush mm/mmu_gather.c:49 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:240 [inline]
 tlb_flush_mmu mm/mmu_gather.c:247 [inline]
 tlb_finish_mmu+0x177/0x320 mm/mmu_gather.c:338
 exit_mmap+0x3ef/0x6f0 mm/mmap.c:3211
 __mmput+0x95/0x310 kernel/fork.c:1171
 mmput+0x5b/0x170 kernel/fork.c:1194
 exit_mm kernel/exit.c:551 [inline]
 do_exit+0xbb4/0x2b60 kernel/exit.c:862
 do_group_exit+0x141/0x310 kernel/exit.c:997
 __do_sys_exit_group kernel/exit.c:1008 [inline]
 __se_sys_exit_group kernel/exit.c:1006 [inline]
 __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1006
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x61/0xcb

Memory state around the buggy address:
 ffff88811a233f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88811a233f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88811a234000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                    ^
 ffff88811a234080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88811a234100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
EXT4-fs error (device loop0): ext4_map_blocks:716: inode #16: block 79475419405449: comm kworker/u4:0: lblock 0 mapped to illegal pblock 79475419405449 (length 23)
EXT4-fs (loop0): Delayed block allocation failed for inode 16 at logical offset 0 with max blocks 23 with error 117
EXT4-fs (loop0): This should not happen!! Data will be lost

------------[ cut here ]------------
kernel BUG at fs/ext4/inode.c:2421!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 8 Comm: kworker/u4:0 Tainted: G    B             5.15.131-syzkaller-00653-gea586874d2f9 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
Workqueue: writeback wb_workfn (flush-7:0)
RIP: 0010:mpage_map_one_extent fs/ext4/inode.c:2421 [inline]
RIP: 0010:mpage_map_and_submit_extent fs/ext4/inode.c:2462 [inline]
RIP: 0010:ext4_writepages+0x3f4b/0x4000 fs/ext4/inode.c:2830
Code: 00 74 08 48 89 df e8 44 f4 c9 ff 48 8b 3b 48 8b 74 24 48 48 8b 54 24 28 44 89 e9 45 89 f8 e8 8c 27 08 00 eb 58 e8 85 08 88 ff <0f> 0b e8 7e 08 88 ff eb 3b e8 77 08 88 ff eb 72 e8 70 08 88 ff 31
RSP: 0018:ffffc90000087000 EFLAGS: 00010293
RAX: ffffffff81e7ecfb RBX: dffffc0000000000 RCX: ffff888100263b40
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90000087410 R08: ffffffff81e7c6bb R09: ffffed10217c8541
R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000000
R13: ffffc900000872e0 R14: 0000000000000000 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005555560286f8 CR3: 000000011de72000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 do_writepages+0x40e/0x670 mm/page-writeback.c:2366
 __writeback_single_inode+0xdf/0xa70 fs/fs-writeback.c:1625
 writeback_sb_inodes+0xb2e/0x1910 fs/fs-writeback.c:1908
 wb_writeback+0x3b9/0x9e0 fs/fs-writeback.c:2082
 wb_do_writeback fs/fs-writeback.c:2225 [inline]
 wb_workfn+0x3d9/0x1110 fs/fs-writeback.c:2266
 process_one_work+0x6bb/0xc10 kernel/workqueue.c:2317
 worker_thread+0xad5/0x12a0 kernel/workqueue.c:2464
 kthread+0x421/0x510 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
 </TASK>
Modules linked in:
---[ end trace 8a6cd6bc4a726ba4 ]---
RIP: 0010:mpage_map_one_extent fs/ext4/inode.c:2421 [inline]
RIP: 0010:mpage_map_and_submit_extent fs/ext4/inode.c:2462 [inline]
RIP: 0010:ext4_writepages+0x3f4b/0x4000 fs/ext4/inode.c:2830
Code: 00 74 08 48 89 df e8 44 f4 c9 ff 48 8b 3b 48 8b 74 24 48 48 8b 54 24 28 44 89 e9 45 89 f8 e8 8c 27 08 00 eb 58 e8 85 08 88 ff <0f> 0b e8 7e 08 88 ff eb 3b e8 77 08 88 ff eb 72 e8 70 08 88 ff 31
RSP: 0018:ffffc90000087000 EFLAGS: 00010293
RAX: ffffffff81e7ecfb RBX: dffffc0000000000 RCX: ffff888100263b40
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90000087410 R08: ffffffff81e7c6bb R09: ffffed10217c8541
R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000000
R13: ffffc900000872e0 R14: 0000000000000000 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005555560286f8 CR3: 000000010c4ed000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Crashes (9):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2023/09/22 15:16 android13-5.15-lts ea586874d2f9 0b6a67ac .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-android-5-15 KASAN: use-after-free Read in ext4_find_extent
2023/06/16 06:36 android13-5.15-lts 19c0ed55a470 f3921d4d .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-android-5-15 KASAN: use-after-free Read in ext4_find_extent
2023/04/01 06:28 android13-5.15-lts 7364b7abbafb f325deb0 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-android-5-15 KASAN: use-after-free Read in ext4_find_extent
2023/03/19 02:20 android13-5.15-lts 5448b2fda85f 7939252e .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-android-5-15 KASAN: use-after-free Read in ext4_find_extent
2022/12/14 02:48 android13-5.15-lts 7048384c9872 f6511626 .config strace log report syz [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-android-5-15 KASAN: use-after-free Read in ext4_find_extent
2022/12/12 18:12 android13-5.15-lts 7048384c9872 67be1ae7 .config strace log report syz [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-android-5-15 KASAN: use-after-free Read in ext4_find_extent
2022/12/04 17:22 android13-5.15-lts 92f701cae0bc e080de16 .config strace log report syz [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-android-5-15 KASAN: use-after-free Read in ext4_find_extent
2022/12/26 07:49 android13-5.15-lts c73b4619ad86 9da18ae8 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-android-5-15 KASAN: use-after-free Read in ext4_find_extent
2023/06/17 10:21 android13-5.15-lts 36f4f6fb72d5 f3921d4d .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-15 KASAN: use-after-free Read in ext4_find_extent
* Struck through repros no longer work on HEAD.