syzbot


KASAN: use-after-free Read in ext4_find_extent

Status: upstream: reported C repro on 2022/12/26 07:59
Bug presence: origin:lts
Subsystems: ext4
[Documentation on labels]
Reported-by: syzbot+0827b4b52b5ebf65f219@syzkaller.appspotmail.com
First crash: 870d, last: 8d05h
Cause bisection: failed (error log, bisect log)
  
Discussions (2)
Title Replies (including bot) Last reply
[PATCH v2] ext4: Fix possible use-after-free in ext4_find_extent 6 (6) 2023/01/02 05:41
[PATCH] ext4: Fix possible use-after-free in ext4_find_extent 2 (2) 2022/12/29 22:40
Bug presence (2)
Date Name Commit Repro Result
2023/09/22 lts (merge base) aff03380bda4 C [report] kernel BUG in ext4_writepages
2023/09/22 upstream (ToT) 27bbf45eae9c C Didn't crash
Similar bugs (10)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-54 KASAN: use-after-free Read in ext4_find_extent C 1 54d 68d 0/2 upstream: reported C repro on 2025/02/13 21:05
android-5-10 KASAN: use-after-free Read in ext4_find_extent ext4 C error inconclusive 30 4d02h 848d 0/2 upstream: reported C repro on 2022/12/26 07:59
android-6-1 KASAN: use-after-free Read in ext4_find_extent missing-backport C error done 3 177d 674d 0/2 auto-obsoleted due to no activity on 2025/02/04 04:57
linux-5.15 KASAN: use-after-free Read in ext4_find_extent origin:lts-only C inconclusive 5 59d 643d 0/3 upstream: reported C repro on 2023/07/19 14:49
upstream KASAN: use-after-free Read in ext4_find_extent ext4 2 1280d 1341d 0/28 auto-closed as invalid on 2022/02/17 05:19
linux-6.1 KASAN: use-after-free Read in ext4_find_extent origin:upstream missing-backport C done 1 358d 581d 0/3 upstream: reported C repro on 2023/09/19 00:11
upstream KASAN: use-after-free Read in ext4_find_extent (2) ext4 C error 2 718d 843d 22/28 fixed on 2023/06/08 14:41
upstream KASAN: use-after-free Read in ext4_find_extent (4) ext4 C done 30 6d13h 113d 0/28 upstream: reported C repro on 2024/12/30 20:06
upstream KASAN: use-after-free Read in ext4_find_extent (3) prio:low ext4 C error done 31 483d 665d 25/28 fixed on 2024/01/30 23:26
android-54 KASAN: slab-out-of-bounds Read in ext4_find_extent ext4 C 1 662d 848d 0/2 auto-obsoleted due to no activity on 2023/10/08 03:20
Last patch testing requests (11)
Created Duration User Patch Repo Result
2025/04/14 17:34 6m retest repro android13-5.15-lts report log
2025/03/31 12:28 6m retest repro android13-5.15-lts report log
2025/03/16 14:20 5m retest repro android13-5.15-lts report log
2025/03/16 14:20 1h04m retest repro android13-5.15-lts report log
2025/03/16 14:20 5m retest repro android13-5.15-lts report log
2025/03/16 14:20 6m retest repro android13-5.15-lts report log
2025/03/01 03:20 20m retest repro android13-5.15-lts report log
2025/02/14 10:12 5m retest repro android13-5.15-lts report log
2022/12/28 14:25 13m tudor.ambarus@linaro.org https://github.com/ambarus/linux.git 5ee4e1b578324fdfde35eaf5ceb30a19336c97f6 OK log
2022/12/28 13:48 7m tudor.ambarus@linaro.org upstream report log
2022/12/28 13:47 13m tudor.ambarus@linaro.org https://github.com/ambarus/linux.git f3c76c42a554367d313d2e315676b19535089ac3 OK log
Fix bisection attempts (7)
Created Duration User Patch Repo Result
2024/05/16 00:06 40m bisect fix android13-5.15-lts OK (0) job log log
2023/10/23 19:44 42m bisect fix android13-5.15-lts OK (0) job log log
2023/07/31 02:16 55m bisect fix android13-5.15-lts OK (0) job log log
2023/06/01 08:00 16m bisect fix android13-5.15-lts OK (0) job log log
2023/05/01 12:38 18m bisect fix android13-5.15-lts OK (0) job log log
2023/03/04 00:47 18m bisect fix android13-5.15-lts OK (0) job log log
2023/02/01 21:22 28m bisect fix android13-5.15-lts OK (0) job log log

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in ext4_ext_binsearch fs/ext4/extents.c:827 [inline]
BUG: KASAN: use-after-free in ext4_find_extent+0xbea/0xe30 fs/ext4/extents.c:946
Read of size 4 at addr ffff88812324ec14 by task kworker/u4:0/8

CPU: 0 PID: 8 Comm: kworker/u4:0 Not tainted 5.15.178-syzkaller-00034-g5e1b899f19c3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Workqueue: writeback wb_workfn (flush-7:4)
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x151/0x1c0 lib/dump_stack.c:106
 print_address_description+0x87/0x3b0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:427 [inline]
 kasan_report+0x179/0x1c0 mm/kasan/report.c:444
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:308
 ext4_ext_binsearch fs/ext4/extents.c:827 [inline]
 ext4_find_extent+0xbea/0xe30 fs/ext4/extents.c:946
 ext4_ext_map_blocks+0x269/0x7450 fs/ext4/extents.c:4165
 ext4_map_blocks+0xa60/0x1c70 fs/ext4/inode.c:673
 mpage_map_one_extent fs/ext4/inode.c:2420 [inline]
 mpage_map_and_submit_extent fs/ext4/inode.c:2473 [inline]
 ext4_writepages+0x1628/0x4000 fs/ext4/inode.c:2841
 do_writepages+0x40e/0x670 mm/page-writeback.c:2388
 __writeback_single_inode+0xdf/0xa70 fs/fs-writeback.c:1647
 writeback_sb_inodes+0xb2a/0x1920 fs/fs-writeback.c:1930
 __writeback_inodes_wb+0x118/0x3f0 fs/fs-writeback.c:2001
 wb_writeback+0x3da/0x9f0 fs/fs-writeback.c:2108
 wb_check_background_flush fs/fs-writeback.c:2178 [inline]
 wb_do_writeback fs/fs-writeback.c:2266 [inline]
 wb_workfn+0xc12/0x1110 fs/fs-writeback.c:2294
 process_one_work+0x6bb/0xc10 kernel/workqueue.c:2325
 worker_thread+0xad5/0x12a0 kernel/workqueue.c:2472
 kthread+0x421/0x510 kernel/kthread.c:337
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287
 </TASK>

The buggy address belongs to the page:
page:ffffea00048c9380 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x12324e
flags: 0x4000000000000000(zone=1)
raw: 4000000000000000 ffffea00048c93c8 ffffea00048c9348 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x101cca(GFP_HIGHUSER_MOVABLE|__GFP_WRITE), pid 538, ts 30453639745, free_ts 30574608672
 set_page_owner include/linux/page_owner.h:33 [inline]
 post_alloc_hook+0x1a3/0x1b0 mm/page_alloc.c:2605
 prep_new_page+0x1b/0x110 mm/page_alloc.c:2611
 get_page_from_freelist+0x3550/0x35d0 mm/page_alloc.c:4485
 __alloc_pages+0x27e/0x8f0 mm/page_alloc.c:5780
 __alloc_pages_node include/linux/gfp.h:591 [inline]
 alloc_pages_node include/linux/gfp.h:605 [inline]
 alloc_pages include/linux/gfp.h:618 [inline]
 __page_cache_alloc include/linux/pagemap.h:305 [inline]
 pagecache_get_page+0xb18/0xeb0 mm/filemap.c:1946
 grab_cache_page_write_begin+0x5d/0xa0 mm/filemap.c:3811
 ext4_da_write_begin+0x5ae/0xc30 fs/ext4/inode.c:3014
 generic_perform_write+0x2de/0x750 mm/filemap.c:3857
 ext4_buffered_write_iter+0x48a/0x610 fs/ext4/file.c:270
 ext4_file_write_iter+0x454/0x1660 fs/ext4/file.c:-1
 call_write_iter include/linux/fs.h:2204 [inline]
 new_sync_write fs/read_write.c:507 [inline]
 vfs_write+0xd5d/0x1110 fs/read_write.c:594
 ksys_write+0x199/0x2c0 fs/read_write.c:647
 __do_sys_write fs/read_write.c:659 [inline]
 __se_sys_write fs/read_write.c:656 [inline]
 __x64_sys_write+0x7b/0x90 fs/read_write.c:656
 x64_sys_call+0x2f/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:2
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:26 [inline]
 free_pages_prepare mm/page_alloc.c:1472 [inline]
 free_pcp_prepare mm/page_alloc.c:1544 [inline]
 free_unref_page_prepare+0x7c8/0x7d0 mm/page_alloc.c:3534
 free_unref_page_list+0x14b/0xa60 mm/page_alloc.c:3671
 release_pages+0x1310/0x1370 mm/swap.c:1009
 __pagevec_release+0x84/0x100 mm/swap.c:1029
 pagevec_release include/linux/pagevec.h:81 [inline]
 truncate_inode_pages_range+0x482/0x1160 mm/truncate.c:329
 truncate_inode_pages mm/truncate.c:425 [inline]
 truncate_pagecache+0x6c/0x90 mm/truncate.c:735
 ext4_setattr+0xe4a/0x1940 fs/ext4/inode.c:5578
 notify_change+0xc7a/0xf30 fs/attr.c:505
 do_truncate+0x21c/0x300 fs/open.c:66
 handle_truncate fs/namei.c:3265 [inline]
 do_open fs/namei.c:3612 [inline]
 path_openat+0x28ed/0x2f40 fs/namei.c:3742
 do_filp_open+0x21c/0x460 fs/namei.c:3769
 do_sys_openat2+0x13f/0x820 fs/open.c:1234
 do_sys_open fs/open.c:1250 [inline]
 __do_sys_openat fs/open.c:1266 [inline]
 __se_sys_openat fs/open.c:1261 [inline]
 __x64_sys_openat+0x243/0x290 fs/open.c:1261
 x64_sys_call+0x6bf/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:258
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0

Memory state around the buggy address:
 ffff88812324eb00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88812324eb80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88812324ec00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                         ^
 ffff88812324ec80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88812324ed00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (11):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2025/03/31 16:29 android13-5.15-lts 5e1b899f19c3 d3999433 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] ci2-android-5-15 KASAN: use-after-free Read in ext4_find_extent
2023/09/22 15:16 android13-5.15-lts ea586874d2f9 0b6a67ac .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-android-5-15 KASAN: use-after-free Read in ext4_find_extent
2023/06/16 06:36 android13-5.15-lts 19c0ed55a470 f3921d4d .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-android-5-15 KASAN: use-after-free Read in ext4_find_extent
2023/04/01 06:28 android13-5.15-lts 7364b7abbafb f325deb0 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-android-5-15 KASAN: use-after-free Read in ext4_find_extent
2023/03/19 02:20 android13-5.15-lts 5448b2fda85f 7939252e .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-android-5-15 KASAN: use-after-free Read in ext4_find_extent
2022/12/14 02:48 android13-5.15-lts 7048384c9872 f6511626 .config strace log report syz [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-android-5-15 KASAN: use-after-free Read in ext4_find_extent
2022/12/12 18:12 android13-5.15-lts 7048384c9872 67be1ae7 .config strace log report syz [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-android-5-15 KASAN: use-after-free Read in ext4_find_extent
2022/12/04 17:22 android13-5.15-lts 92f701cae0bc e080de16 .config strace log report syz [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-android-5-15 KASAN: use-after-free Read in ext4_find_extent
2022/12/26 07:49 android13-5.15-lts c73b4619ad86 9da18ae8 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-android-5-15 KASAN: use-after-free Read in ext4_find_extent
2025/03/31 14:49 android13-5.15-lts 5e1b899f19c3 d3999433 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-15 KASAN: use-after-free Read in ext4_find_extent
2023/06/17 10:21 android13-5.15-lts 36f4f6fb72d5 f3921d4d .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-15 KASAN: use-after-free Read in ext4_find_extent
* Struck through repros no longer work on HEAD.