syzbot


KASAN: use-after-free Read in do_garbage_collect

Status: fixed on 2023/04/04 21:06
Reported-by: syzbot+4eedd68d161eacf7f7c9@syzkaller.appspotmail.com
Fix commit: e5142a4935c1 f2fs: fix to do sanity check on i_extra_isize in is_alive()
First crash: 539d, last: 510d
Similar bugs (2)
| Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|
| upstream | KASAN: use-after-free Read in do_garbage_collect f2fs | C | inconclusive | | 2 | 516d | 515d | 22/26 | fixed on 2023/02/24 13:50 |
| android-5-15 | KASAN: use-after-free Read in do_garbage_collect | C | error | | 2 | 378d | 539d | 2/2 | fixed on 2023/04/04 21:07 |

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in data_blkaddr fs/f2fs/f2fs.h:2699 [inline]
BUG: KASAN: use-after-free in is_alive fs/f2fs/gc.c:1030 [inline]
BUG: KASAN: use-after-free in gc_data_segment fs/f2fs/gc.c:1448 [inline]
BUG: KASAN: use-after-free in do_garbage_collect+0x5b28/0x7160 fs/f2fs/gc.c:1653
Read of size 4 at addr ffff8881dcc45568 by task kworker/u4:2/172

CPU: 0 PID: 172 Comm: kworker/u4:2 Not tainted 5.4.210-syzkaller-00003-g5a34019eb955 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Workqueue: writeback wb_workfn (flush-7:0)
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x18e/0x1d5 lib/dump_stack.c:118
 print_address_description+0x8c/0x630 mm/kasan/report.c:384
 __kasan_report+0xf6/0x130 mm/kasan/report.c:516
 kasan_report+0x30/0x60 mm/kasan/common.c:653
 data_blkaddr fs/f2fs/f2fs.h:2699 [inline]
 is_alive fs/f2fs/gc.c:1030 [inline]
 gc_data_segment fs/f2fs/gc.c:1448 [inline]
 do_garbage_collect+0x5b28/0x7160 fs/f2fs/gc.c:1653
 f2fs_gc+0x872/0x17f0 fs/f2fs/gc.c:1745
 f2fs_balance_fs+0x2c2/0x340 fs/f2fs/segment.c:528
 f2fs_write_inode+0x694/0x730 fs/f2fs/inode.c:722
 write_inode+0xf1/0x360 fs/fs-writeback.c:1326
 __writeback_single_inode+0x3bf/0x840 fs/fs-writeback.c:1524
 writeback_sb_inodes+0x9a9/0x19d0 fs/fs-writeback.c:1730
 wb_writeback+0x3c2/0xc20 fs/fs-writeback.c:1905
 wb_do_writeback+0x181/0xaf0 fs/fs-writeback.c:2050
 wb_workfn+0xf8/0x450 fs/fs-writeback.c:2091
 process_one_work+0x6ca/0xc40 kernel/workqueue.c:2287
 worker_thread+0xae0/0x1440 kernel/workqueue.c:2433
 kthread+0x2d8/0x360 kernel/kthread.c:288
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352

The buggy address belongs to the page:
page:ffffea0007731140 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x8000000000000000()
raw: 8000000000000000 ffffea0007731188 ffffea0007731108 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)

Memory state around the buggy address:
 ffff8881dcc45400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881dcc45480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8881dcc45500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                          ^
 ffff8881dcc45580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881dcc45600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (4):
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2022/11/13 10:40 | android12-5.4 | 5a34019eb955 | f42ee5d8 | .config | strace log | report | syz | C | | [mounted in repro] | ci2-android-5-4-kasan | KASAN: use-after-free Read in do_garbage_collect |
| 2022/10/20 17:08 | android12-5.4 | ff63a5f5cdf6 | b31320fc | .config | strace log | report | syz | C | | [disk image] [vmlinux] [mounted in repro] | ci2-android-5-4-kasan | KASAN: use-after-free Read in do_garbage_collect |
| 2022/11/05 18:12 | android12-5.4 | d87b38e6be0f | 6d752409 | .config | console log | report | | | info | | ci2-android-5-4-kasan | KASAN: use-after-free Read in do_garbage_collect |
| 2022/11/19 13:19 | android12-5.4 | e9f865cb240f | 5bb70014 | .config | console log | report | | | info | | ci2-android-5-4-kasan | KASAN: slab-out-of-bounds Read in do_garbage_collect |
* Struck through repros no longer work on HEAD.