syzbot

 sign-in | mailing list | source | docs
🐞 Open [1499]
Subsystems
🐞 Fixed [6527]
🐞 Invalid [16620]
Missing Backports [205]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
Total Repo Heatmap Subsystems Heatmap
💬 Send us feedback

KASAN: global-out-of-bounds Read in z_erofs_decompress_queue

Status: upstream: reported C repro on 2025/08/22 18:55
Subsystems: erofs
[Documentation on labels]
Reported-by: syzbot+5a398eb460ddaa6f242f@syzkaller.appspotmail.com
First crash: 1d14h, last: 1d05h
Cause bisection: introduced by (bisect log) :
commit df0ce6cefa453d2236381645e529a27ef2f0a573
Author: Chao Yu <chao@kernel.org>
Date: Mon Jul 21 02:13:52 2025 +0000

  erofs: support to readahead dirent blocks in erofs_readdir()

Crash: KASAN: global-out-of-bounds Read in z_erofs_decompress_queue (log)
Repro: C syz .config
  
Discussions (3)
Title Replies (including bot) Last reply
[syzbot] [erofs?] KASAN: global-out-of-bounds Read in z_erofs_decompress_queue 3 (8) 2025/08/23 10:07
[PATCH] erofs: Prohibit access to excessive algorithmformat 2 (2) 2025/08/23 09:40
[PATCH] erofs: fix invalid algorithm for encoded extents 1 (1) 2025/08/23 09:30
Similar bugs (3)
Kernel Title Rank 🛈 Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-5-10 BUG: unable to handle kernel paging request in z_erofs_decompress_queue 8 C 2 15d 219d 0/2 upstream: reported C repro on 2025/01/16 10:37
android-5-15 BUG: unable to handle kernel paging request in z_erofs_decompress_queue 8 C error error 1 854d 1025d 0/2 auto-obsoleted due to no activity on 2023/08/20 19:05
upstream KASAN: slab-use-after-free Read in z_erofs_decompress_queue erofs 19 6 243d 265d 28/29 fixed on 2025/05/06 15:33
Last patch testing requests (3)
Created Duration User Patch Repo Result
2025/08/23 09:37 21m hsiangkao@linux.alibaba.com git://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs.git dev-test OK log
2025/08/23 01:22 23m eadavis@qq.com patch upstream OK log
2025/08/23 00:54 14m eadavis@qq.com patch upstream report log

Sample crash report:
==================================================================
BUG: KASAN: global-out-of-bounds in z_erofs_decompress_pcluster fs/erofs/zdata.c:1274 [inline]
BUG: KASAN: global-out-of-bounds in z_erofs_decompress_queue+0x341/0x3580 fs/erofs/zdata.c:1411
Read of size 8 at addr ffffffff8e05df10 by task kworker/u9:1/5152

CPU: 1 UID: 0 PID: 5152 Comm: kworker/u9:1 Tainted: G        W           syzkaller #0 PREEMPT_{RT,(full)} 
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Workqueue: erofs_worker z_erofs_decompressqueue_work
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xca/0x240 mm/kasan/report.c:482
 kasan_report+0x118/0x150 mm/kasan/report.c:595
 z_erofs_decompress_pcluster fs/erofs/zdata.c:1274 [inline]
 z_erofs_decompress_queue+0x341/0x3580 fs/erofs/zdata.c:1411
 z_erofs_decompressqueue_work+0x82/0xd0 fs/erofs/zdata.c:1423
 process_one_work kernel/workqueue.c:3236 [inline]
 process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3319
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400
 kthread+0x70e/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

The buggy address belongs to the variable:
 z_erofs_decomp+0x30/0xe0

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xe05d
flags: 0x80000000002000(reserved|node=0|zone=1)
raw: 0080000000002000 ffffea0000381748 ffffea0000381748 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)

Memory state around the buggy address:
 ffffffff8e05de00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffffff8e05de80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffffff8e05df00: 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
                         ^
 ffffffff8e05df80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffffff8e05e000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

Crashes (6):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2025/08/22 16:11 upstream 3957a5720157 bf27483f .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] ci2-upstream-fs KASAN: global-out-of-bounds Read in z_erofs_decompress_queue
2025/08/22 14:39 upstream 3957a5720157 bf27483f .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] ci2-upstream-fs KASAN: global-out-of-bounds Read in z_erofs_decompress_queue
2025/08/22 13:04 upstream 3957a5720157 bf27483f .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] ci2-upstream-fs KASAN: global-out-of-bounds Read in z_erofs_decompress_queue
2025/08/22 11:41 upstream 3957a5720157 bf27483f .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] ci2-upstream-fs KASAN: global-out-of-bounds Read in z_erofs_decompress_queue
2025/08/22 09:42 upstream 3957a5720157 bf27483f .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] ci2-upstream-fs KASAN: global-out-of-bounds Read in z_erofs_decompress_queue
2025/08/22 07:31 upstream 3957a5720157 bf27483f .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: global-out-of-bounds Read in z_erofs_decompress_queue
* Struck through repros no longer work on HEAD.