syzbot


KASAN: use-after-free Read in udf_finalize_lvid

Status: fixed on 2024/03/20 11:33
Subsystems: udf
[Documentation on labels]
Reported-by: syzbot+46073c22edd7f242c028@syzkaller.appspotmail.com
Fix commit: 6f861765464f fs: Block writes to mounted block devices
First crash: 541d, last: 334d
Cause bisection: the cause commit could be any of (bisect log):
  614644676394 udf: Update header files to UDF 2.60
  871b9b14c673 udf: Move OSTA Identifier Suffix macros from ecma_167.h to osta_udf.h
  a4a8b99ec819 udf: Fix free space reporting for metadata and virtual partitions
  49be68c4931d udf: Fix meaning of ENTITYID_FLAGS_* macros to be really bitwise-or flags
  800552ceecc7 udf: Fix spelling in EXT_NEXT_EXTENT_ALLOCDESCS
  57debb815459 udf: Disallow R/W mode for disk with Metadata partition
  d9e9866803f7 ext2: Adjust indentation in ext2_fill_super
  15fb05fd286a udf: Allow writing to 'Rewritable' partitions
  1ead083ae147 quota: avoid time_t in v1_disk_dqblk definition
  356557be8670 udf: Clarify meaning of f_files in udf_statfs
  4d5c1adaf893 reiserfs: Fix spurious unlock in reiserfs_fill_super() error handling
  5474ca7da6f3 reiserfs: Fix memory leak of journal device string
  ed21c58eefa7 fs/quota: remove unused macro
  154a4dcfc95f fs/reiserfs: remove unused macros
  34e92542da96 ext2: set proper errno in error case of ext2_fill_super()
  0196be12aab2 Merge tag 'for_v5.6-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs
  
Fix bisection: fixed by (bisect log) :
commit 6f861765464f43a71462d52026fbddfc858239a5
Author: Jan Kara <jack@suse.cz>
Date: Wed Nov 1 17:43:10 2023 +0000

  fs: Block writes to mounted block devices

  
Discussions (8)
Title Replies (including bot) Last reply
[syzbot] [udf?] KASAN: use-after-free Read in udf_finalize_lvid 1 (3) 2024/03/06 17:04
[syzbot] Monthly udf report (Jan 2024) 0 (1) 2024/01/10 20:36
[syzbot] Monthly udf report (Dec 2023) 0 (1) 2023/12/11 09:40
[PATCH] fs: udf: super.c: Fix a use-after-free issue in udf_finalize_lvid 6 (6) 2023/11/03 08:45
[syzbot] Monthly udf report (Oct 2023) 0 (1) 2023/10/09 09:23
[syzbot] Monthly udf report (Sep 2023) 0 (1) 2023/09/08 14:11
[syzbot] Monthly udf report (Aug 2023) 0 (1) 2023/08/07 12:43
[syzbot] Monthly udf report (Jul 2023) 0 (1) 2023/07/07 12:42
Last patch testing requests (10)
Created Duration User Patch Repo Result
2024/02/02 16:44 24m retest repro upstream OK log
2024/02/02 16:44 23m retest repro upstream OK log
2024/02/02 16:44 22m retest repro upstream OK log
2024/02/02 16:44 21m retest repro upstream OK log
2024/02/02 16:44 22m retest repro upstream OK log
2024/01/26 19:31 23m retest repro upstream OK log
2024/01/26 19:31 21m retest repro linux-next OK log
2024/01/26 19:31 21m retest repro linux-next OK log
2024/01/26 19:31 29m retest repro upstream OK log
2024/01/25 23:10 19m retest repro upstream OK log
Cause bisection attempts (2)
Created Duration User Patch Repo Result
2023/09/19 02:57 9h44m bisect linux-next OK (16) job log
2023/06/15 19:49 8h48m bisect upstream error job log
marked invalid by nogikh@google.com

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in crc_itu_t+0xd7/0xe0 lib/crc-itu-t.c:60
Read of size 1 at addr ffff88807faf2000 by task syz-executor298/5055

CPU: 1 PID: 5055 Comm: syz-executor298 Not tainted 6.7.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:364 [inline]
 print_report+0xc4/0x620 mm/kasan/report.c:475
 kasan_report+0xda/0x110 mm/kasan/report.c:588
 crc_itu_t+0xd7/0xe0 lib/crc-itu-t.c:60
 udf_finalize_lvid+0xf2/0x1f0 fs/udf/super.c:1984
 udf_sync_fs+0xea/0x150 fs/udf/super.c:2340
 sync_filesystem+0x109/0x280 fs/sync.c:56
 generic_shutdown_super+0x7e/0x3d0 fs/super.c:669
 kill_block_super+0x3b/0x90 fs/super.c:1667
 deactivate_locked_super+0xbc/0x1a0 fs/super.c:484
 deactivate_super+0xde/0x100 fs/super.c:517
 cleanup_mnt+0x222/0x450 fs/namespace.c:1256
 task_work_run+0x14d/0x240 kernel/task_work.c:180
 ptrace_notify+0x10d/0x130 kernel/signal.c:2399
 ptrace_report_syscall include/linux/ptrace.h:411 [inline]
 ptrace_report_syscall_exit include/linux/ptrace.h:473 [inline]
 syscall_exit_work kernel/entry/common.c:251 [inline]
 syscall_exit_to_user_mode_prepare+0x126/0x230 kernel/entry/common.c:278
 __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
 syscall_exit_to_user_mode+0xe/0x60 kernel/entry/common.c:296
 do_syscall_64+0x4d/0x110 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7fb8a5744547
Code: 09 00 48 83 c4 08 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8
RSP: 002b:00007ffe57296f08 EFLAGS: 00000202 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007fb8a5744547
RDX: 0000000000000000 RSI: 000000000000000a RDI: 00007ffe57296fc0
RBP: 00007ffe57296fc0 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000202 R12: 00007ffe57298030
R13: 00005555572ee6c0 R14: 431bde82d7b634db R15: 00007ffe57298050
 </TASK>

The buggy address belongs to the physical page:
page:ffffea0001febc80 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x7faf2
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000000 ffffea0001c40788 ffffea0001cd1088 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 5056, tgid 5056 (syz-executor298), ts 74222370651, free_ts 74268579702
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x2d0/0x350 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1544 [inline]
 get_page_from_freelist+0xa25/0x36d0 mm/page_alloc.c:3312
 __alloc_pages+0x22e/0x2420 mm/page_alloc.c:4568
 alloc_pages_mpol+0x258/0x5f0 mm/mempolicy.c:2133
 vma_alloc_folio+0xad/0x220 mm/mempolicy.c:2172
 do_anonymous_page mm/memory.c:4172 [inline]
 do_pte_missing mm/memory.c:3729 [inline]
 handle_pte_fault mm/memory.c:5039 [inline]
 __handle_mm_fault+0xe07/0x3d70 mm/memory.c:5180
 handle_mm_fault+0x47a/0xa10 mm/memory.c:5345
 do_user_addr_fault+0x30b/0x1000 arch/x86/mm/fault.c:1364
 handle_page_fault arch/x86/mm/fault.c:1505 [inline]
 exc_page_fault+0x5d/0xc0 arch/x86/mm/fault.c:1561
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:570
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1137 [inline]
 free_unref_page_prepare+0x4fa/0xaa0 mm/page_alloc.c:2347
 free_unref_page_list+0xe6/0xb40 mm/page_alloc.c:2533
 release_pages+0x32a/0x14f0 mm/swap.c:1042
 tlb_batch_pages_flush+0x9a/0x190 mm/mmu_gather.c:98
 tlb_flush_mmu_free mm/mmu_gather.c:293 [inline]
 tlb_flush_mmu mm/mmu_gather.c:300 [inline]
 tlb_finish_mmu+0x14b/0x6f0 mm/mmu_gather.c:392
 unmap_region.constprop.0+0x2e6/0x3b0 mm/mmap.c:2341
 do_vmi_align_munmap+0xde6/0x1600 mm/mmap.c:2657
 do_vmi_munmap+0x20e/0x450 mm/mmap.c:2725
 __vm_munmap+0x144/0x390 mm/mmap.c:3012
 __do_sys_munmap mm/mmap.c:3029 [inline]
 __se_sys_munmap mm/mmap.c:3026 [inline]
 __x64_sys_munmap+0x62/0x80 mm/mmap.c:3026
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

Memory state around the buggy address:
 ffff88807faf1f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88807faf1f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88807faf2000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff88807faf2080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88807faf2100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (39):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2023/12/25 22:51 upstream 861deac3b092 fb427a07 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] ci-upstream-kasan-gce-selinux-root KASAN: use-after-free Read in udf_finalize_lvid
2023/12/18 20:10 upstream ceb6a6f023fd 3222d10c .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] ci-upstream-kasan-gce-selinux-root KASAN: use-after-free Read in udf_finalize_lvid
2023/12/06 01:00 upstream bee0e7762ad2 f819d6f7 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] ci-upstream-kasan-gce-selinux-root KASAN: use-after-free Read in udf_finalize_lvid
2023/11/01 11:12 upstream 89ed67ef126c 69904c9f .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] ci-upstream-kasan-badwrites-root KASAN: use-after-free Read in udf_finalize_lvid
2023/06/27 08:52 upstream c0a572d9d32f 4cd5bb25 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] ci-upstream-kasan-gce-root KASAN: use-after-free Read in udf_finalize_lvid
2023/06/23 16:12 upstream 8a28a0b6f1a1 09ffe269 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] ci-upstream-kasan-gce-root KASAN: use-after-free Read in udf_finalize_lvid
2023/06/22 23:56 upstream dad9774deaf1 09ffe269 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] ci-upstream-kasan-gce-root KASAN: use-after-free Read in udf_finalize_lvid
2023/06/17 06:53 upstream 40f71e7cd3c6 f3921d4d .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] ci-upstream-kasan-gce-root KASAN: use-after-free Read in udf_finalize_lvid
2023/06/15 05:36 upstream b6dad5178cea 76decb82 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] ci-upstream-kasan-gce-root KASAN: use-after-free Read in udf_finalize_lvid
2023/09/04 06:08 linux-next a47fc304d2b6 696ea0d2 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in udf_finalize_lvid
2023/08/09 21:07 linux-next 21ef7b1e17d0 13ca4cd6 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in udf_finalize_lvid
2023/08/06 18:43 linux-next bdffb18b5dd8 4ffcc9ef .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in udf_finalize_lvid
2023/08/03 03:31 linux-next 626c67169f99 39a91c18 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in udf_finalize_lvid
2023/08/02 18:35 linux-next 626c67169f99 39a91c18 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in udf_finalize_lvid
2023/08/01 03:52 linux-next ec8939156379 2a0d0f29 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in udf_finalize_lvid
2023/07/31 02:32 linux-next d7b3af5a77e8 2a0d0f29 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in udf_finalize_lvid
2023/07/19 03:08 linux-next aeba456828b4 022df2bb .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in udf_finalize_lvid
2023/12/28 11:52 upstream f5837722ffec fb427a07 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] ci-upstream-kasan-gce-selinux-root KASAN: slab-out-of-bounds Read in udf_finalize_lvid
2023/12/05 10:33 upstream bee0e7762ad2 f819d6f7 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] ci-upstream-kasan-gce-selinux-root KASAN: slab-use-after-free Read in udf_finalize_lvid
2024/01/08 12:19 upstream 0dd3ee311255 4c0fd4bb .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root KASAN: use-after-free Read in udf_finalize_lvid
2024/01/05 22:24 upstream 6d0dc8559c84 d0304e9c .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root KASAN: use-after-free Read in udf_finalize_lvid
2023/12/26 01:21 upstream fbafc3e621c3 fb427a07 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-badwrites-root KASAN: use-after-free Read in udf_finalize_lvid
2023/12/18 10:58 upstream ceb6a6f023fd 3222d10c .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-badwrites-root KASAN: use-after-free Read in udf_finalize_lvid
2023/12/07 14:28 upstream bee0e7762ad2 28b24332 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root KASAN: use-after-free Read in udf_finalize_lvid
2023/12/03 16:22 upstream 33cc938e65a9 f819d6f7 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root KASAN: use-after-free Read in udf_finalize_lvid
2023/11/25 20:25 upstream b46ae77f6787 5b429f39 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root KASAN: use-after-free Read in udf_finalize_lvid
2023/11/07 04:12 upstream be3ca57cfb77 78fae24e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root KASAN: use-after-free Read in udf_finalize_lvid
2023/10/23 13:33 upstream 05d3ef8bba77 989a3687 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-badwrites-root KASAN: use-after-free Read in udf_finalize_lvid
2023/10/15 00:23 upstream 70f8c6f8f880 6388bc36 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-badwrites-root KASAN: use-after-free Read in udf_finalize_lvid
2023/09/24 02:44 upstream 3aba70aed91f 0b6a67ac .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-badwrites-root KASAN: use-after-free Read in udf_finalize_lvid
2023/09/06 03:29 upstream 7733171926cc 8bc9053e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root KASAN: use-after-free Read in udf_finalize_lvid
2023/12/23 22:09 upstream 3f82f1c3a036 fb427a07 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream KASAN: use-after-free Read in udf_finalize_lvid
2023/12/13 20:38 upstream 5bd7ef53ffe5 ce0359fb .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream KASAN: use-after-free Read in udf_finalize_lvid
2023/12/17 19:09 upstream 0e389834672c 3222d10c .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 KASAN: use-after-free Read in udf_finalize_lvid
2023/10/13 11:48 upstream 10a6e5feccb8 6388bc36 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 KASAN: use-after-free Read in udf_finalize_lvid
2023/09/23 05:39 upstream 8018e02a8703 0b6a67ac .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 KASAN: use-after-free Read in udf_finalize_lvid
2023/08/20 11:25 upstream b320441c04c9 d216d8a0 .config console log report info ci-upstream-kasan-gce-root KASAN: use-after-free Read in udf_finalize_lvid
2023/07/18 06:46 linux-next aeba456828b4 20f8b3c2 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in udf_finalize_lvid
2023/10/05 23:08 upstream f291209eca5e db17ad9f .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-badwrites-root KASAN: slab-use-after-free Read in udf_finalize_lvid
* Struck through repros no longer work on HEAD.