Title | Replies (including bot) | Last reply |
---|---|---|
[PATCH v2] ext4: Fix possible use-after-free in ext4_find_extent | 6 (6) | 2023/01/02 05:41 |
[PATCH] ext4: Fix possible use-after-free in ext4_find_extent | 2 (2) | 2022/12/29 22:40 |
syzbot |
sign-in | mailing list | source | docs |
Title | Replies (including bot) | Last reply |
---|---|---|
[PATCH v2] ext4: Fix possible use-after-free in ext4_find_extent | 6 (6) | 2023/01/02 05:41 |
[PATCH] ext4: Fix possible use-after-free in ext4_find_extent | 2 (2) | 2022/12/29 22:40 |
Date | Name | Commit | Repro | Result |
---|---|---|---|---|
2023/09/22 | lts (merge base) | aff03380bda4 | C | [report] kernel BUG in ext4_writepages |
2023/09/22 | upstream (ToT) | 27bbf45eae9c | C | Didn't crash |
Created | Duration | User | Patch | Repo | Result |
---|---|---|---|---|---|
2024/10/23 23:31 | 14m | retest repro | android13-5.15-lts | report log | |
2024/10/23 23:31 | 8m | retest repro | android13-5.15-lts | report log | |
2024/10/23 23:31 | 9m | retest repro | android13-5.15-lts | report log | |
2024/10/23 23:31 | 9m | retest repro | android13-5.15-lts | report log | |
2024/10/11 07:48 | 6m | retest repro | android13-5.15-lts | report log | |
2024/09/26 05:32 | 5m | retest repro | android13-5.15-lts | report log | |
2024/08/30 06:16 | 10m | retest repro | android13-5.15-lts | report log | |
2024/08/14 07:42 | 1h15m | retest repro | android13-5.15-lts | report log | |
2024/08/14 07:42 | 1h13m | retest repro | android13-5.15-lts | report log | |
2022/12/28 14:25 | 13m | tudor.ambarus@linaro.org | https://github.com/ambarus/linux.git 5ee4e1b578324fdfde35eaf5ceb30a19336c97f6 | OK log | |
2022/12/28 13:48 | 7m | tudor.ambarus@linaro.org | upstream | report log | |
2022/12/28 13:47 | 13m | tudor.ambarus@linaro.org | https://github.com/ambarus/linux.git f3c76c42a554367d313d2e315676b19535089ac3 | OK log |
Created | Duration | User | Patch | Repo | Result |
---|---|---|---|---|---|
2024/05/16 00:06 | 40m | bisect fix | android13-5.15-lts | OK (0) job log log | |
2023/10/23 19:44 | 42m | bisect fix | android13-5.15-lts | OK (0) job log log | |
2023/07/31 02:16 | 55m | bisect fix | android13-5.15-lts | OK (0) job log log | |
2023/06/01 08:00 | 16m | bisect fix | android13-5.15-lts | OK (0) job log log | |
2023/05/01 12:38 | 18m | bisect fix | android13-5.15-lts | OK (0) job log log | |
2023/03/04 00:47 | 18m | bisect fix | android13-5.15-lts | OK (0) job log log | |
2023/02/01 21:22 | 28m | bisect fix | android13-5.15-lts | OK (0) job log log |
================================================================== BUG: KASAN: use-after-free in ext4_ext_binsearch fs/ext4/extents.c:827 [inline] BUG: KASAN: use-after-free in ext4_find_extent+0xbab/0xdb0 fs/ext4/extents.c:946 Read of size 4 at addr ffff88811a234058 by task kworker/u4:0/8 CPU: 0 PID: 8 Comm: kworker/u4:0 Not tainted 5.15.131-syzkaller-00653-gea586874d2f9 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 Workqueue: writeback wb_workfn (flush-7:0) Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106 print_address_description+0x87/0x3b0 mm/kasan/report.c:248 __kasan_report mm/kasan/report.c:427 [inline] kasan_report+0x179/0x1c0 mm/kasan/report.c:444 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:308 ext4_ext_binsearch fs/ext4/extents.c:827 [inline] ext4_find_extent+0xbab/0xdb0 fs/ext4/extents.c:946 ext4_ext_map_blocks+0x254/0x7250 fs/ext4/extents.c:4103 ext4_map_blocks+0xaa7/0x1e00 fs/ext4/inode.c:646 mpage_map_one_extent fs/ext4/inode.c:2409 [inline] mpage_map_and_submit_extent fs/ext4/inode.c:2462 [inline] ext4_writepages+0x1628/0x4000 fs/ext4/inode.c:2830 do_writepages+0x40e/0x670 mm/page-writeback.c:2366 __writeback_single_inode+0xdf/0xa70 fs/fs-writeback.c:1625 writeback_sb_inodes+0xb2e/0x1910 fs/fs-writeback.c:1908 wb_writeback+0x3b9/0x9e0 fs/fs-writeback.c:2082 wb_do_writeback fs/fs-writeback.c:2225 [inline] wb_workfn+0x3d9/0x1110 fs/fs-writeback.c:2266 process_one_work+0x6bb/0xc10 kernel/workqueue.c:2317 worker_thread+0xad5/0x12a0 kernel/workqueue.c:2464 kthread+0x421/0x510 kernel/kthread.c:319 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298 </TASK> The buggy address belongs to the page: page:ffffea0004688d00 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x11a234 flags: 0x4000000000000000(zone=1) raw: 4000000000000000 ffffea0004688cc8 ffffea0004688588 0000000000000000 raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 0, migratetype Movable, gfp_mask 0x100dca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO), pid 235, ts 15347230371, free_ts 15359232221 set_page_owner include/linux/page_owner.h:33 [inline] post_alloc_hook+0x1a3/0x1b0 mm/page_alloc.c:2602 prep_new_page+0x1b/0x110 mm/page_alloc.c:2608 get_page_from_freelist+0x3550/0x35d0 mm/page_alloc.c:4482 __alloc_pages+0x206/0x5e0 mm/page_alloc.c:5773 __alloc_pages_node include/linux/gfp.h:591 [inline] alloc_pages_node include/linux/gfp.h:605 [inline] alloc_pages include/linux/gfp.h:618 [inline] do_anonymous_page mm/memory.c:4000 [inline] handle_pte_fault+0xe1f/0x2340 mm/memory.c:4835 do_handle_mm_fault+0x1fed/0x2330 mm/memory.c:5240 handle_mm_fault include/linux/mm.h:1836 [inline] do_user_addr_fault arch/x86/mm/fault.c:1458 [inline] handle_page_fault arch/x86/mm/fault.c:1549 [inline] exc_page_fault+0x3b5/0x830 arch/x86/mm/fault.c:1605 asm_exc_page_fault+0x27/0x30 arch/x86/include/asm/idtentry.h:568 page last free stack trace: reset_page_owner include/linux/page_owner.h:26 [inline] free_pages_prepare mm/page_alloc.c:1469 [inline] free_pcp_prepare mm/page_alloc.c:1541 [inline] free_unref_page_prepare+0x7c8/0x7d0 mm/page_alloc.c:3531 free_unref_page_list+0x14b/0xa60 mm/page_alloc.c:3668 release_pages+0x1310/0x1370 mm/swap.c:1009 free_pages_and_swap_cache+0x8a/0xa0 mm/swap_state.c:320 tlb_batch_pages_flush mm/mmu_gather.c:49 [inline] tlb_flush_mmu_free mm/mmu_gather.c:240 [inline] tlb_flush_mmu mm/mmu_gather.c:247 [inline] tlb_finish_mmu+0x177/0x320 mm/mmu_gather.c:338 exit_mmap+0x3ef/0x6f0 mm/mmap.c:3211 __mmput+0x95/0x310 kernel/fork.c:1171 mmput+0x5b/0x170 kernel/fork.c:1194 exit_mm kernel/exit.c:551 [inline] do_exit+0xbb4/0x2b60 kernel/exit.c:862 do_group_exit+0x141/0x310 kernel/exit.c:997 __do_sys_exit_group kernel/exit.c:1008 [inline] __se_sys_exit_group kernel/exit.c:1006 [inline] __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1006 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x61/0xcb Memory state around the buggy address: ffff88811a233f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88811a233f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff88811a234000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff88811a234080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88811a234100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ================================================================== EXT4-fs error (device loop0): ext4_map_blocks:716: inode #16: block 79475419405449: comm kworker/u4:0: lblock 0 mapped to illegal pblock 79475419405449 (length 23) EXT4-fs (loop0): Delayed block allocation failed for inode 16 at logical offset 0 with max blocks 23 with error 117 EXT4-fs (loop0): This should not happen!! Data will be lost ------------[ cut here ]------------ kernel BUG at fs/ext4/inode.c:2421! invalid opcode: 0000 [#1] PREEMPT SMP KASAN CPU: 0 PID: 8 Comm: kworker/u4:0 Tainted: G B 5.15.131-syzkaller-00653-gea586874d2f9 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 Workqueue: writeback wb_workfn (flush-7:0) RIP: 0010:mpage_map_one_extent fs/ext4/inode.c:2421 [inline] RIP: 0010:mpage_map_and_submit_extent fs/ext4/inode.c:2462 [inline] RIP: 0010:ext4_writepages+0x3f4b/0x4000 fs/ext4/inode.c:2830 Code: 00 74 08 48 89 df e8 44 f4 c9 ff 48 8b 3b 48 8b 74 24 48 48 8b 54 24 28 44 89 e9 45 89 f8 e8 8c 27 08 00 eb 58 e8 85 08 88 ff <0f> 0b e8 7e 08 88 ff eb 3b e8 77 08 88 ff eb 72 e8 70 08 88 ff 31 RSP: 0018:ffffc90000087000 EFLAGS: 00010293 RAX: ffffffff81e7ecfb RBX: dffffc0000000000 RCX: ffff888100263b40 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffffc90000087410 R08: ffffffff81e7c6bb R09: ffffed10217c8541 R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000000 R13: ffffc900000872e0 R14: 0000000000000000 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005555560286f8 CR3: 000000011de72000 CR4: 00000000003506b0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> do_writepages+0x40e/0x670 mm/page-writeback.c:2366 __writeback_single_inode+0xdf/0xa70 fs/fs-writeback.c:1625 writeback_sb_inodes+0xb2e/0x1910 fs/fs-writeback.c:1908 wb_writeback+0x3b9/0x9e0 fs/fs-writeback.c:2082 wb_do_writeback fs/fs-writeback.c:2225 [inline] wb_workfn+0x3d9/0x1110 fs/fs-writeback.c:2266 process_one_work+0x6bb/0xc10 kernel/workqueue.c:2317 worker_thread+0xad5/0x12a0 kernel/workqueue.c:2464 kthread+0x421/0x510 kernel/kthread.c:319 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298 </TASK> Modules linked in: ---[ end trace 8a6cd6bc4a726ba4 ]--- RIP: 0010:mpage_map_one_extent fs/ext4/inode.c:2421 [inline] RIP: 0010:mpage_map_and_submit_extent fs/ext4/inode.c:2462 [inline] RIP: 0010:ext4_writepages+0x3f4b/0x4000 fs/ext4/inode.c:2830 Code: 00 74 08 48 89 df e8 44 f4 c9 ff 48 8b 3b 48 8b 74 24 48 48 8b 54 24 28 44 89 e9 45 89 f8 e8 8c 27 08 00 eb 58 e8 85 08 88 ff <0f> 0b e8 7e 08 88 ff eb 3b e8 77 08 88 ff eb 72 e8 70 08 88 ff 31 RSP: 0018:ffffc90000087000 EFLAGS: 00010293 RAX: ffffffff81e7ecfb RBX: dffffc0000000000 RCX: ffff888100263b40 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffffc90000087410 R08: ffffffff81e7c6bb R09: ffffed10217c8541 R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000000 R13: ffffc900000872e0 R14: 0000000000000000 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005555560286f8 CR3: 000000010c4ed000 CR4: 00000000003506b0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
---|---|---|---|---|---|---|---|---|---|---|---|---|
2023/09/22 15:16 | android13-5.15-lts | ea586874d2f9 | 0b6a67ac | .config | strace log | report | syz | C | [disk image] [vmlinux] [kernel image] [mounted in repro] | ci2-android-5-15 | KASAN: use-after-free Read in ext4_find_extent | |
2023/06/16 06:36 | android13-5.15-lts | 19c0ed55a470 | f3921d4d | .config | strace log | report | syz | C | [disk image] [vmlinux] [kernel image] [mounted in repro] | ci2-android-5-15 | KASAN: use-after-free Read in ext4_find_extent | |
2023/04/01 06:28 | android13-5.15-lts | 7364b7abbafb | f325deb0 | .config | strace log | report | syz | C | [disk image] [vmlinux] [kernel image] [mounted in repro] | ci2-android-5-15 | KASAN: use-after-free Read in ext4_find_extent | |
2023/03/19 02:20 | android13-5.15-lts | 5448b2fda85f | 7939252e | .config | strace log | report | syz | C | [disk image] [vmlinux] [kernel image] [mounted in repro] | ci2-android-5-15 | KASAN: use-after-free Read in ext4_find_extent | |
2022/12/14 02:48 | android13-5.15-lts | 7048384c9872 | f6511626 | .config | strace log | report | syz | [disk image] [vmlinux] [kernel image] [mounted in repro] | ci2-android-5-15 | KASAN: use-after-free Read in ext4_find_extent | ||
2022/12/12 18:12 | android13-5.15-lts | 7048384c9872 | 67be1ae7 | .config | strace log | report | syz | [disk image] [vmlinux] [kernel image] [mounted in repro] | ci2-android-5-15 | KASAN: use-after-free Read in ext4_find_extent | ||
2022/12/04 17:22 | android13-5.15-lts | 92f701cae0bc | e080de16 | .config | strace log | report | syz | [disk image] [vmlinux] [kernel image] [mounted in repro] | ci2-android-5-15 | KASAN: use-after-free Read in ext4_find_extent | ||
2022/12/26 07:49 | android13-5.15-lts | c73b4619ad86 | 9da18ae8 | .config | strace log | report | syz | C | [disk image] [vmlinux] [kernel image] [mounted in repro] | ci2-android-5-15 | KASAN: use-after-free Read in ext4_find_extent | |
2023/06/17 10:21 | android13-5.15-lts | 36f4f6fb72d5 | f3921d4d | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-android-5-15 | KASAN: use-after-free Read in ext4_find_extent |