syzbot


KASAN: use-after-free Read in dbJoin

Status: upstream: reported C repro on 2022/10/10 07:35
Subsystems: jfs
Reported-by: syzbot+667a6d667592227b1452@syzkaller.appspotmail.com
First crash: 854d, last: 8h11m
Cause bisection: failed (error log, bisect log)
Discussions (1)
Title Replies (including bot) Last reply
[syzbot] KASAN: use-after-free Read in dbJoin 0 (2) 2022/11/06 20:02
Similar bugs (4)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.14 KASAN: use-after-free Read in dbJoin C 2 719d 867d 0/1 upstream: reported C repro on 2022/09/26 07:12
linux-4.19 KASAN: use-after-free Read in dbJoin C error 1 867d 867d 0/1 upstream: reported C repro on 2022/09/26 15:15
linux-6.1 UBSAN: array-index-out-of-bounds in dbJoin origin:upstream C error 51 42d 271d 0/3 upstream: reported C repro on 2024/05/14 08:42
linux-5.15 UBSAN: array-index-out-of-bounds in dbJoin origin:upstream C 76 6h24m 277d 0/3 upstream: reported C repro on 2024/05/08 02:35
Last patch testing requests (8)
Created Duration User Patch Repo Result
2024/05/30 13:27 21m retest repro git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci error
2024/05/30 11:23 43m retest repro upstream error
2024/04/10 06:55 22m retest repro upstream error
2024/03/10 10:07 21m retest repro git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci report log
2024/02/25 09:33 11m retest repro upstream report log
2024/01/24 23:38 18m retest repro upstream OK log
2024/01/22 12:09 17m retest repro upstream OK log
2023/09/09 13:33 12m retest repro upstream report log
Fix bisection attempts (9)
Created Duration User Patch Repo Result
2024/04/25 21:02 1h46m bisect fix upstream OK (0) job log log
2023/11/15 21:07 1h10m bisect fix upstream OK (0) job log log
2023/10/16 05:41 1h32m bisect fix upstream OK (0) job log log
2023/07/01 10:06 45m bisect fix upstream OK (0) job log log
2023/06/01 03:25 42m bisect fix upstream OK (0) job log log
2023/05/01 13:22 44m bisect fix upstream OK (0) job log log
2023/03/31 17:41 38m bisect fix upstream OK (0) job log log
2023/03/01 16:31 1h09m bisect fix upstream OK (0) job log log
2023/01/23 11:44 42m bisect fix upstream OK (0) job log log

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in dbJoin+0x295/0x2b0 fs/jfs/jfs_dmap.c:2805
Read of size 1 at addr ffff8881788e1061 by task jfsCommit/112

CPU: 1 PID: 112 Comm: jfsCommit Not tainted 6.9.0-syzkaller-01768-ga5131c3fdf26 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:488
 kasan_report+0xd9/0x110 mm/kasan/report.c:601
 dbJoin+0x295/0x2b0 fs/jfs/jfs_dmap.c:2805
 dbFreeBits+0x15c/0x8f0 fs/jfs/jfs_dmap.c:2338
 dbFreeDmap+0x62/0x1b0 fs/jfs/jfs_dmap.c:2087
 dbFree+0x266/0x550 fs/jfs/jfs_dmap.c:409
 txFreeMap+0x788/0xe60 fs/jfs/jfs_txnmgr.c:2515
 xtTruncate+0x1e57/0x2c80 fs/jfs/jfs_xtree.c:2467
 jfs_free_zero_link+0x372/0x4f0 fs/jfs/namei.c:759
 jfs_evict_inode+0x423/0x4b0 fs/jfs/inode.c:153
 evict+0x2f0/0x6c0 fs/inode.c:667
 iput_final fs/inode.c:1741 [inline]
 iput.part.0+0x5a8/0x7f0 fs/inode.c:1767
 iput+0x5c/0x80 fs/inode.c:1757
 txUpdateMap+0xaf3/0xd20 fs/jfs/jfs_txnmgr.c:2367
 txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]
 jfs_lazycommit+0x5e6/0xb20 fs/jfs/jfs_txnmgr.c:2733
 kthread+0x2c4/0x3a0 kernel/kthread.c:388
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1788e1
flags: 0x57ff00000000000(node=1|zone=2|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 057ff00000000000 ffffea0005e23848 ffffea0005e23848 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)

Memory state around the buggy address:
 ffff8881788e0f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881788e0f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8881788e1000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                       ^
 ffff8881788e1080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881788e1100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:2900:31
index -3 is out of range for type 's8 [1365]'
CPU: 1 PID: 112 Comm: jfsCommit Tainted: G    B              6.9.0-syzkaller-01768-ga5131c3fdf26 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:114
 ubsan_epilogue lib/ubsan.c:231 [inline]
 __ubsan_handle_out_of_bounds+0x110/0x150 lib/ubsan.c:429
 dbAdjTree+0x383/0x3d0 fs/jfs/jfs_dmap.c:2900
 dbJoin+0x24b/0x2b0 fs/jfs/jfs_dmap.c:2841
 dbFreeBits+0x15c/0x8f0 fs/jfs/jfs_dmap.c:2338
 dbFreeDmap+0x62/0x1b0 fs/jfs/jfs_dmap.c:2087
 dbFree+0x266/0x550 fs/jfs/jfs_dmap.c:409
 txFreeMap+0x788/0xe60 fs/jfs/jfs_txnmgr.c:2515
 xtTruncate+0x1e57/0x2c80 fs/jfs/jfs_xtree.c:2467
 jfs_free_zero_link+0x372/0x4f0 fs/jfs/namei.c:759
 jfs_evict_inode+0x423/0x4b0 fs/jfs/inode.c:153
 evict+0x2f0/0x6c0 fs/inode.c:667
 iput_final fs/inode.c:1741 [inline]
 iput.part.0+0x5a8/0x7f0 fs/inode.c:1767
 iput+0x5c/0x80 fs/inode.c:1757
 txUpdateMap+0xaf3/0xd20 fs/jfs/jfs_txnmgr.c:2367
 txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]
 jfs_lazycommit+0x5e6/0xb20 fs/jfs/jfs_txnmgr.c:2733
 kthread+0x2c4/0x3a0 kernel/kthread.c:388
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
---[ end trace ]---

Crashes (995):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2024/05/14 22:01 upstream a5131c3fdf26 fdb4c10c .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-kasan-badwrites-root KASAN: use-after-free Read in dbJoin
2025/01/04 02:45 upstream 63676eefb7a0 f3558dbf .config strace log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2024/11/10 20:36 upstream a9cda7c0ffed 6b856513 .config strace log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2024/11/10 08:04 upstream de2f378f2b77 6b856513 .config strace log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2024/10/29 22:11 upstream e42b1a9a2557 66aeb999 .config strace log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-kasan-gce-root UBSAN: array-index-out-of-bounds in dbJoin
2024/10/15 17:20 upstream eca631b8fe80 7eb57b4a .config strace log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2024/03/25 18:47 upstream fe46a7dd189e 0ea90952 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-kasan-gce-root UBSAN: array-index-out-of-bounds in dbJoin
2024/01/31 05:20 upstream 2a6526c4f389 7f400fcb .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2025/02/07 15:09 upstream bb066fe812d6 a4f327c2 .config console log report syz / log C [disk image (non-bootable)] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] ci-snapshot-upstream-root UBSAN: array-index-out-of-bounds in dbJoin
2025/02/07 13:22 upstream bb066fe812d6 a4f327c2 .config console log report syz / log C [disk image (non-bootable)] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] ci-snapshot-upstream-root UBSAN: array-index-out-of-bounds in dbJoin
2024/02/01 19:21 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 41bccc98fb79 81024119 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-gce-arm64 UBSAN: array-index-out-of-bounds in dbJoin
2023/12/09 14:45 upstream f2e8a57ee903 28b24332 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2022/11/06 20:01 upstream b208b9fbbcba 6d752409 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2024/10/23 11:06 upstream c2ee9f594da8 15fa2979 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-badwrites-root KASAN: use-after-free Read in dbJoin
2024/10/22 17:15 upstream c2ee9f594da8 9d74f456 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-badwrites-root KASAN: use-after-free Read in dbJoin
2024/05/14 02:56 upstream 6d1346f1bcbf c97f7904 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream KASAN: use-after-free Read in dbJoin
2022/10/09 08:45 linux-next aaa11ce2ffc8 aea5da89 .config console log report info [disk image] [vmlinux] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in dbJoin
2025/01/21 15:22 upstream 95ec54a420b8 6e87cfa2 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2025/01/21 15:16 upstream 95ec54a420b8 6e87cfa2 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2024/12/30 22:39 upstream ccb98ccef0e5 d3ccff63 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2024/12/30 20:31 upstream fc033cf25e61 d3ccff63 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2024/12/30 16:36 upstream fc033cf25e61 d3ccff63 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2024/12/30 12:24 upstream fc033cf25e61 d3ccff63 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2024/12/30 11:11 upstream fc033cf25e61 d3ccff63 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2024/12/30 09:04 upstream fc033cf25e61 d3ccff63 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2024/12/30 04:07 upstream 4099a71718b0 d3ccff63 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2024/12/29 22:33 upstream 4099a71718b0 d3ccff63 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2024/12/29 19:32 upstream 4099a71718b0 d3ccff63 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2024/12/29 19:32 upstream 4099a71718b0 d3ccff63 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2024/12/29 07:31 upstream 059dd502b263 d3ccff63 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2024/12/29 03:47 upstream 059dd502b263 d3ccff63 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2024/12/29 00:21 upstream 059dd502b263 d3ccff63 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2024/12/28 23:18 upstream 059dd502b263 d3ccff63 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2024/12/28 21:44 upstream fd0584d220fe d3ccff63 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2024/12/28 21:39 upstream fd0584d220fe d3ccff63 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2024/12/14 07:46 upstream f932fb9b4074 7cbfbb3a .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root UBSAN: array-index-out-of-bounds in dbJoin
2024/05/14 01:47 upstream cd97950cbcab fdb4c10c .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root UBSAN: array-index-out-of-bounds in dbJoin
2025/02/09 07:36 upstream 9946eaf552b1 ef44b750 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: array-index-out-of-bounds in dbJoin
2025/02/06 03:18 upstream 92514ef226f5 577d049b .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: array-index-out-of-bounds in dbJoin
2025/02/02 18:18 upstream 69e858e0b8b2 568559e4 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: array-index-out-of-bounds in dbJoin
2025/01/29 09:00 upstream 805ba04cb7cc 865ef71e .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: array-index-out-of-bounds in dbJoin
2025/01/29 03:35 upstream 805ba04cb7cc 865ef71e .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: array-index-out-of-bounds in dbJoin
2025/01/27 08:34 upstream c2da8b3f914f 9fbd772e .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: array-index-out-of-bounds in dbJoin
2025/01/25 14:45 upstream b46c89c08f41 9fbd772e .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: array-index-out-of-bounds in dbJoin
2025/01/23 09:36 upstream df60eac9efe8 9d4f14f8 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: array-index-out-of-bounds in dbJoin
2025/01/21 22:21 upstream 95ec54a420b8 da72ac06 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: array-index-out-of-bounds in dbJoin
2025/01/19 11:26 upstream fda5e3f28400 f2cb035c .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: array-index-out-of-bounds in dbJoin
2025/01/18 21:22 upstream 595523945be0 f2cb035c .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: array-index-out-of-bounds in dbJoin
2025/01/15 17:09 upstream 619f0b6fad52 968edaf4 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: array-index-out-of-bounds in dbJoin
2025/01/07 04:00 upstream fbfd64d25c7a f3558dbf .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: array-index-out-of-bounds in dbJoin
2025/01/04 05:17 upstream 63676eefb7a0 f3558dbf .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: array-index-out-of-bounds in dbJoin
2025/01/03 13:32 upstream 0bc21e701a6f 96d578a3 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: array-index-out-of-bounds in dbJoin
2024/12/22 23:34 upstream bcde95ce32b6 b4fbdbd4 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: array-index-out-of-bounds in dbJoin
2024/12/20 14:30 upstream 8faabc041a00 49cfeac8 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: array-index-out-of-bounds in dbJoin
2024/12/17 10:02 upstream f44d154d6e3d f93b2b55 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: array-index-out-of-bounds in dbJoin
2024/12/15 13:45 upstream 2d8308bf5b67 7cbfbb3a .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: array-index-out-of-bounds in dbJoin
2024/12/15 04:38 upstream 2d8308bf5b67 7cbfbb3a .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: array-index-out-of-bounds in dbJoin
2024/12/14 23:54 upstream a446e965a188 7cbfbb3a .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: array-index-out-of-bounds in dbJoin
2024/12/10 11:12 upstream 7cb1b4663150 cfc402b4 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: array-index-out-of-bounds in dbJoin
2024/12/08 06:54 upstream 7503345ac5f5 9ac0fdc6 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: array-index-out-of-bounds in dbJoin
2024/11/29 04:24 upstream 65ae975e97d5 5df23865 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: array-index-out-of-bounds in dbJoin
2024/11/28 11:27 upstream b86545e02e8c 5df23865 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: array-index-out-of-bounds in dbJoin
2024/11/23 09:18 upstream 06afb0f36106 68da6d95 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: array-index-out-of-bounds in dbJoin
2024/11/21 20:54 upstream 43fb83c17ba2 4b25d554 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: array-index-out-of-bounds in dbJoin
2024/05/16 07:49 upstream 33e02dc69afb ef5d53ed .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 BUG: unable to handle kernel paging request in dbJoin
2024/05/16 07:44 upstream 33e02dc69afb ef5d53ed .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 BUG: unable to handle kernel paging request in dbJoin
2024/10/30 13:13 linux-next 86e3904dcdc7 66aeb999 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root UBSAN: array-index-out-of-bounds in dbJoin
* Struck through repros no longer work on HEAD.