syzbot


KASAN: use-after-free Read in sysv_new_block

Status: upstream: reported C repro on 2022/12/08 01:50
Reported-by: syzbot+386af4de52c85d48c289@syzkaller.appspotmail.com
First crash: 676d, last: 592d
Similar bugs (2)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.19 KASAN: use-after-free Read in sysv_new_block sysv C error 4 655d 684d 0/1 upstream: reported C repro on 2022/11/30 03:11
upstream KASAN: use-after-free Read in sysv_new_block fs C error done 21 31d 683d 0/28 upstream: reported C repro on 2022/12/01 12:49
Fix bisection attempts (2)
Created Duration User Patch Repo Result
2023/03/02 04:33 33m bisect fix linux-4.14.y OK (0) job log log
2023/01/30 01:16 25m bisect fix linux-4.14.y OK (0) job log log

Sample crash report:
sysv_free_block: flc_count > flc_size
sysv_free_block: flc_count > flc_size
sysv_free_block: flc_count > flc_size
sysv_free_block: flc_count > flc_size
==================================================================
BUG: KASAN: use-after-free in sysv_new_block+0x6e2/0x8c0 fs/sysv/balloc.c:113
Read of size 4 at addr ffff88808bf700c8 by task syz-executor367/8020

CPU: 0 PID: 8020 Comm: syz-executor367 Not tainted 4.14.300-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
 kasan_report_error.cold+0x8a/0x191 mm/kasan/report.c:351
 kasan_report mm/kasan/report.c:409 [inline]
 __asan_report_load4_noabort+0x68/0x70 mm/kasan/report.c:429
 sysv_new_block+0x6e2/0x8c0 fs/sysv/balloc.c:113
 alloc_branch fs/sysv/itree.c:134 [inline]
 get_block+0x379/0x1230 fs/sysv/itree.c:251
 __block_write_begin_int+0x35c/0x11d0 fs/buffer.c:2038
 __block_write_begin fs/buffer.c:2088 [inline]
 block_write_begin+0x58/0x270 fs/buffer.c:2147
 sysv_write_begin+0x35/0xc0 fs/sysv/itree.c:485
 generic_perform_write+0x1d5/0x430 mm/filemap.c:3055
 __generic_file_write_iter+0x227/0x590 mm/filemap.c:3180
 generic_file_write_iter+0x36f/0x650 mm/filemap.c:3208
 call_write_iter include/linux/fs.h:1780 [inline]
 new_sync_write fs/read_write.c:469 [inline]
 __vfs_write+0x44c/0x630 fs/read_write.c:482
 vfs_write+0x17f/0x4d0 fs/read_write.c:544
 SYSC_write fs/read_write.c:590 [inline]
 SyS_write+0xf2/0x210 fs/read_write.c:582
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x5e/0xd3

The buggy address belongs to the page:
page:ffffea00022fdc00 count:0 mapcount:0 mapping:          (null) index:0x1
flags: 0xfff00000000000()
raw: 00fff00000000000 0000000000000000 0000000000000001 00000000ffffffff
raw: ffffea00022fdc60 ffffea00022fdbe0 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88808bf6ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88808bf70000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88808bf70080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                              ^
 ffff88808bf70100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88808bf70180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2022/12/08 01:49 linux-4.14.y 179ef7fe8677 d88f3abb .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-4-14 KASAN: use-after-free Read in sysv_new_block
* Struck through repros no longer work on HEAD.