syzbot


KASAN: out-of-bounds Read in ext4_ext_remove_space

Status: fixed on 2024/02/16 19:40
Subsystems: ext4
Reported-by: syzbot+6e5f2db05775244c73b7@syzkaller.appspotmail.com
Fix commit: 6f861765464f fs: Block writes to mounted block devices
First crash: 512d, last: 334d
Cause bisection: failed (error log, bisect log)
  
Fix bisection: fixed by (bisect log) :
commit 6f861765464f43a71462d52026fbddfc858239a5
Author: Jan Kara <jack@suse.cz>
Date: Wed Nov 1 17:43:10 2023 +0000

  fs: Block writes to mounted block devices

  
Discussions (7)
Title Replies (including bot) Last reply
[syzbot] [ext4?] KASAN: out-of-bounds Read in ext4_ext_remove_space 2 (4) 2024/02/12 13:27
[RFC] ext4: don't remove already removed extent 5 (5) 2023/10/08 21:10
Re: [RFC] ext4: don't remove already removed extent 1 (1) 2023/09/11 09:57
[RFC] ext4: don't remove already removed extent 1 (1) 2023/09/11 09:24
[RFC] ext4: don't' remove already removed extent 1 (1) 2023/09/11 09:13
Re: [syzbot] [ext4?] KASAN: out-of-bounds Read in ext4_ext_remove_space 1 (1) 2023/09/07 13:27
[syzbot] Monthly ext4 report (Aug 2023) 0 (1) 2023/08/07 07:27
Similar bugs (5)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-5-15 KASAN: out-of-bounds Read in ext4_ext_remove_space origin:upstream missing-backport C error error 7 9d18h 487d 0/2 upstream: reported C repro on 2023/08/04 22:38
android-5-10 KASAN: out-of-bounds Read in ext4_ext_remove_space C error 2 12d 458d 0/2 upstream: reported C repro on 2023/09/02 13:17
android-6-1 KASAN: out-of-bounds Read in ext4_ext_remove_space missing-backport C error error 6 45d 477d 0/2 upstream: reported C repro on 2023/08/14 17:29
linux-5.15 KASAN: out-of-bounds Read in ext4_ext_remove_space origin:upstream missing-backport C error 4 41d 317d 0/3 upstream: reported C repro on 2024/01/21 16:07
linux-6.1 KASAN: out-of-bounds Read in ext4_ext_remove_space origin:upstream missing-backport C done 4 109d 335d 0/3 upstream: reported C repro on 2024/01/03 15:27
Last patch testing requests (11)
Created Duration User Patch Repo Result
2024/01/18 14:31 23m retest repro upstream OK log
2024/01/18 14:31 22m retest repro upstream OK log
2024/01/18 14:31 19m retest repro upstream OK log
2024/01/04 11:39 19m retest repro upstream report log
2024/01/04 11:39 14m retest repro upstream report log
2023/11/03 19:07 29m retest repro upstream report log
2023/11/03 19:07 11m retest repro upstream report log
2023/11/03 19:07 44m retest repro upstream report log
2023/09/07 13:00 20m usama.anjum@collabora.com https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master report log
2023/08/25 15:01 29m retest repro upstream report log
2023/08/25 15:01 26m retest repro upstream report log
Fix bisection attempts (3)
Created Duration User Patch Repo Result
2024/02/11 08:21 5h32m bisect fix upstream OK (1) job log
2023/12/04 15:59 1h57m bisect fix upstream OK (0) job log log
2023/10/03 22:56 1h49m bisect fix upstream OK (0) job log log
Cause bisection attempts (4)
Created Duration User Patch Repo Result
2023/09/08 01:57 12h10m bisect upstream error job log
2023/08/31 05:13 12h05m bisect upstream error job log
marked invalid by nogikh@google.com
2023/08/23 14:32 12h03m bisect upstream error job log
marked invalid by nogikh@google.com
2023/07/10 16:07 12h05m bisect upstream error job log
marked invalid by nogikh@google.com

Sample crash report:
==================================================================
BUG: KASAN: out-of-bounds in ext4_ext_rm_leaf fs/ext4/extents.c:2736 [inline]
BUG: KASAN: out-of-bounds in ext4_ext_remove_space+0x2482/0x4da0 fs/ext4/extents.c:2958
Read of size 18446744073709551508 at addr ffff888078c75078 by task syz-executor216/11044

CPU: 1 PID: 11044 Comm: syz-executor216 Not tainted 6.7.0-rc6-syzkaller-00044-g1a44b0073b92 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:364 [inline]
 print_report+0x163/0x540 mm/kasan/report.c:475
 kasan_report+0x142/0x170 mm/kasan/report.c:588
 kasan_check_range+0x27e/0x290 mm/kasan/generic.c:187
 __asan_memmove+0x29/0x70 mm/kasan/shadow.c:94
 ext4_ext_rm_leaf fs/ext4/extents.c:2736 [inline]
 ext4_ext_remove_space+0x2482/0x4da0 fs/ext4/extents.c:2958
 ext4_punch_hole+0x780/0xbc0 fs/ext4/inode.c:4019
 ext4_fallocate+0x311/0x1f60 fs/ext4/extents.c:4707
 vfs_fallocate+0x551/0x6b0 fs/open.c:324
 do_vfs_ioctl+0x22da/0x2b40 fs/ioctl.c:850
 __do_sys_ioctl fs/ioctl.c:869 [inline]
 __se_sys_ioctl+0x81/0x170 fs/ioctl.c:857
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x45/0x110 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f6c25a82f49
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f6c25a3f218 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f6c25b0a6c8 RCX: 00007f6c25a82f49
RDX: 0000000020000080 RSI: 000000004030582b RDI: 0000000000000004
RBP: 00007f6c25b0a6c0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6c25ad7578
R13: 636f6c6c615f6164 R14: 00007f6c25ad706b R15: 6f6f6c2f7665642f
 </TASK>

The buggy address belongs to the physical page:
page:ffffea0001e31d40 refcount:2 mapcount:0 mapping:ffff888148dafb78 index:0x2b pfn:0x78c75
memcg:ffff888016262000
aops:def_blk_aops ino:700004
flags: 0xfff0000000812c(referenced|uptodate|lru|active|private|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff0000000812c ffffea0001b68848 ffffea00005cec08 ffff888148dafb78
raw: 000000000000002b ffff88807695c570 00000002ffffffff ffff888016262000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Movable, gfp_mask 0x40c48(GFP_NOFS|__GFP_COMP|__GFP_MOVABLE), pid 11044, tgid 11043 (syz-executor216), ts 638742466270, free_ts 638688954403
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1544 [inline]
 get_page_from_freelist+0x33ea/0x3570 mm/page_alloc.c:3312
 __alloc_pages+0x255/0x680 mm/page_alloc.c:4568
 alloc_pages_mpol+0x3de/0x640 mm/mempolicy.c:2133
 alloc_pages mm/mempolicy.c:2204 [inline]
 folio_alloc+0x12a/0x330 mm/mempolicy.c:2211
 filemap_alloc_folio+0xde/0x500 mm/filemap.c:974
 __filemap_get_folio+0x431/0xbb0 mm/filemap.c:1918
 grow_dev_page fs/buffer.c:1041 [inline]
 grow_buffers fs/buffer.c:1106 [inline]
 __getblk_slow fs/buffer.c:1133 [inline]
 bdev_getblk+0x243/0x6d0 fs/buffer.c:1429
 sb_getblk_gfp include/linux/buffer_head.h:370 [inline]
 ext4_ext_grow_indepth fs/ext4/extents.c:1334 [inline]
 ext4_ext_create_new_leaf fs/ext4/extents.c:1435 [inline]
 ext4_ext_insert_extent+0xfe3/0x4f00 fs/ext4/extents.c:2102
 ext4_ext_map_blocks+0x2062/0x7150 fs/ext4/extents.c:4306
 ext4_map_blocks+0xa2f/0x1cd0 fs/ext4/inode.c:621
 _ext4_get_block+0x238/0x6a0 fs/ext4/inode.c:763
 ext4_block_write_begin+0x537/0x1850 fs/ext4/inode.c:1053
 ext4_write_begin+0x619/0x10b0
 ext4_da_write_begin+0x300/0xa50 fs/ext4/inode.c:2875
 generic_perform_write+0x31b/0x630 mm/filemap.c:3918
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1137 [inline]
 free_unref_page_prepare+0x931/0xa60 mm/page_alloc.c:2347
 free_unref_page_list+0x5a0/0x840 mm/page_alloc.c:2533
 release_pages+0x2117/0x2400 mm/swap.c:1042
 tlb_batch_pages_flush mm/mmu_gather.c:98 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:293 [inline]
 tlb_flush_mmu+0x34c/0x4e0 mm/mmu_gather.c:300
 tlb_finish_mmu+0xd4/0x1f0 mm/mmu_gather.c:392
 unmap_region+0x300/0x350 mm/mmap.c:2341
 do_vmi_align_munmap+0x1223/0x1860 mm/mmap.c:2657
 do_vmi_munmap+0x24d/0x2d0 mm/mmap.c:2725
 __vm_munmap+0x230/0x450 mm/mmap.c:3012
 __do_sys_munmap mm/mmap.c:3029 [inline]
 __se_sys_munmap mm/mmap.c:3026 [inline]
 __x64_sys_munmap+0x69/0x80 mm/mmap.c:3026
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x45/0x110 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

Memory state around the buggy address:
 ffff888078c74f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888078c74f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888078c75000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                ^
 ffff888078c75080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888078c75100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

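Added example, not part of the syzbot report or of the kernel source: a user-space model of the length arithmetic behind the `Read of size 18446744073709551508` line in the report above. That value is 2^64 - 108, i.e. a negative length of -108 bytes, which is exactly -9 entries of the 12-byte `struct ext4_extent`. In the hole-punch path of `ext4_ext_rm_leaf` the extents after a fully removed one are shifted down with a `memmove` whose length is `(EXT_LAST_EXTENT(eh) - ex) * sizeof(struct ext4_extent)`, and `EXT_LAST_EXTENT` is derived from `eh_entries` in the leaf header; if the header claims fewer entries than the slot being removed, the pointer difference goes negative and the unsigned product wraps to the size KASAN printed. The faulting page is a block-device page-cache page (`aops:def_blk_aops`) and the reproducer has the image mounted while it writes to it, which is why the upstream fix closes the write path to mounted block devices rather than touching this arithmetic. The structure layouts below are the on-disk ones; the removal step is a simplified reconstruction from memory (an assumption, not verbatim kernel code), the leaf contents are constructed, and `make_leaf`, `rm_leaf_memmove_len`, `kasan_size_to_extents` and `rm_leaf_checked` are names of this example only.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* On-disk layouts (12 bytes each); little-endian fields modelled as host ints. */
struct ext4_extent_header {
    uint16_t eh_magic;      /* 0xF30A */
    uint16_t eh_entries;    /* number of valid entries in this leaf */
    uint16_t eh_max;        /* capacity of the leaf */
    uint16_t eh_depth;      /* 0 for a leaf */
    uint32_t eh_generation;
};

struct ext4_extent {
    uint32_t ee_block;      /* first logical block covered */
    uint16_t ee_len;        /* number of blocks */
    uint16_t ee_start_hi;
    uint32_t ee_start_lo;
};

#define EXT_FIRST_EXTENT(eh) \
    ((struct ext4_extent *)((char *)(eh) + sizeof(struct ext4_extent_header)))
#define EXT_LAST_EXTENT(eh)  (EXT_FIRST_EXTENT(eh) + (eh)->eh_entries - 1)

#define LEAF_BYTES 4096
#define LEAF_MAX ((LEAF_BYTES - sizeof(struct ext4_extent_header)) / sizeof(struct ext4_extent))

static unsigned char leaf_buf[LEAF_BYTES];

/* Constructed leaf: `entries` extents of 8 blocks each, back to back. */
struct ext4_extent_header *make_leaf(uint16_t entries)
{
    struct ext4_extent_header *eh = (struct ext4_extent_header *)leaf_buf;
    memset(leaf_buf, 0, sizeof leaf_buf);
    eh->eh_magic = 0xF30A;
    eh->eh_entries = entries;
    eh->eh_max = (uint16_t)LEAF_MAX;
    for (unsigned i = 0; i < entries; i++) {
        struct ext4_extent *ex = EXT_FIRST_EXTENT(eh) + i;
        ex->ee_block = i * 8;
        ex->ee_len = 8;
        ex->ee_start_lo = 1000 + i * 8;
    }
    return eh;
}

/*
 * Model (assumption, not kernel code) of the shift done when the extent in
 * slot `idx` is fully removed: memmove(ex, ex + 1, (last - ex) * 12).
 * Returns the byte count exactly as the unsigned arithmetic yields it: when
 * `idx` lies past the last valid entry the pointer difference is negative
 * and the product wraps, giving the value KASAN printed.
 */
size_t rm_leaf_memmove_len(struct ext4_extent_header *eh, unsigned idx)
{
    struct ext4_extent *ex = EXT_FIRST_EXTENT(eh) + idx;
    return (size_t)((EXT_LAST_EXTENT(eh) - ex) * sizeof(struct ext4_extent));
}

/* Decode a KASAN "Read of size N" from this memmove into a signed extent count. */
long kasan_size_to_extents(uint64_t reported)
{
    return (long)(int64_t)reported / (long)sizeof(struct ext4_extent);
}

/*
 * Defensive removal: refuse unless slot `idx` is inside [first, last] as the
 * header currently describes it, so a header that no longer matches the slot
 * becomes an error the caller can report instead of a wild memmove.
 */
bool rm_leaf_checked(struct ext4_extent_header *eh, unsigned idx)
{
    struct ext4_extent *ex = EXT_FIRST_EXTENT(eh) + idx;
    if (eh->eh_entries == 0 || idx >= eh->eh_entries)
        return false;
    if (ex < EXT_LAST_EXTENT(eh))
        memmove(ex, ex + 1, (size_t)((EXT_LAST_EXTENT(eh) - ex) * sizeof(*ex)));
    memset(EXT_LAST_EXTENT(eh), 0, sizeof(*ex));
    eh->eh_entries--;
    return true;
}

int main(void)
{
    struct ext4_extent_header *eh = make_leaf(4);
    uint64_t reported = 18446744073709551508ULL;   /* size from the report above */
    printf("reported size decodes to %ld extents\n", kasan_size_to_extents(reported));
    printf("removing slot 12 of a 4-entry leaf would memmove %zu bytes\n",
           rm_leaf_memmove_len(eh, 12));
    printf("checked removal of slot 12: %s\n",
           rm_leaf_checked(eh, 12) ? "done" : "refused");
    return 0;
}
```

The decode is the useful habit: a KASAN size near 2^64 is a negative length, and dividing the signed value by the element size tells you how far past the valid entries the pointer was (nine extents here), which narrows the search to whatever can change `eh_entries` under the running filesystem.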
Crashes (8):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2023/12/21 11:30 upstream 1a44b0073b92 4f9530a3 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-kasan-gce-smack-root KASAN: out-of-bounds Read in ext4_ext_remove_space
2023/12/18 15:22 upstream ceb6a6f023fd 3222d10c .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-kasan-gce-smack-root KASAN: out-of-bounds Read in ext4_ext_remove_space
2023/08/05 06:34 upstream e6fda526d9db cdae481e .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-upstream-fs KASAN: out-of-bounds Read in ext4_ext_remove_space
2023/07/31 03:34 upstream d31e3792919e 2a0d0f29 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-upstream-fs KASAN: out-of-bounds Read in ext4_ext_remove_space
2023/07/14 14:19 upstream 4b810bf037e5 d624500f .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-upstream-fs KASAN: out-of-bounds Read in ext4_ext_remove_space
2023/07/10 14:24 upstream 06c2afb862f9 d47e94ee .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-upstream-fs KASAN: out-of-bounds Read in ext4_ext_remove_space
2023/08/02 15:23 upstream 5d0c230f1de8 b178af49 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: out-of-bounds Read in ext4_ext_remove_space
2023/07/10 11:37 upstream 06c2afb862f9 d47e94ee .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: out-of-bounds Read in ext4_ext_remove_space
* Struck through repros no longer work on HEAD.