syzbot


KASAN: use-after-free Read in __ext4_check_dir_entry

Status: upstream: reported C repro on 2024/06/28 13:26
Bug presence: origin:upstream
[Documentation on labels]
Reported-by: syzbot+949ce2b0353c996c1882@syzkaller.appspotmail.com
First crash: 30d, last: 2d15h
Bug presence (2)
Date Name Commit Repro Result
2024/06/28 lts (merge base) 80efc6265290 C [report] KASAN: use-after-free Read in __ext4_check_dir_entry
2024/06/28 upstream (ToT) 5bbd9b249880 C [report] KASAN: use-after-free Read in __ext4_check_dir_entry
Similar bugs (7)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.14 KASAN: use-after-free Read in __ext4_check_dir_entry C inconclusive 6 1390d 1494d 0/1 upstream: reported C repro on 2020/06/12 02:23
upstream KASAN: use-after-free Read in __ext4_check_dir_entry (2) ext4 C error 1 51d 61d 0/27 closed as dup on 2024/06/26 08:39
linux-5.15 KASAN: use-after-free Read in __ext4_check_dir_entry origin:upstream C 10 8d07h 42d 0/3 upstream: reported C repro on 2024/06/03 01:15
upstream KASAN: use-after-free Read in __ext4_check_dir_entry ext4 C 8 2294d 2297d 22/27 closed as dup on 2018/03/31 22:38
android-5-10 KASAN: use-after-free Read in __ext4_check_dir_entry C 1 15d 65d 0/2 upstream: reported C repro on 2024/05/10 09:19
android-6-1 KASAN: use-after-free Read in __ext4_check_dir_entry origin:upstream C 4 7d01h 64d 0/2 upstream: reported C repro on 2024/05/11 11:53
linux-6.1 KASAN: use-after-free Read in __ext4_check_dir_entry 15 5d09h 42d 0/3 upstream: reported on 2024/06/03 01:12
Last patch testing requests (1)
Created Duration User Patch Repo Result
2024/07/12 13:57 17m retest repro android13-5.15-lts report log

Sample crash report:
EXT4-fs error (device loop0): make_indexed_dir:2284: inode #2: block 255: comm syz-executor242: bad entry in directory: rec_len is smaller than minimal - offset=1024, inode=5120, rec_len=0, size=993 fake=0
EXT4-fs warning (device loop0): dx_probe:832: inode #2: comm syz-executor242: Unrecognised inode hash code 49
EXT4-fs warning (device loop0): dx_probe:965: inode #2: comm syz-executor242: Corrupt directory, running e2fsck is recommended
==================================================================
BUG: KASAN: use-after-free in __ext4_check_dir_entry+0x700/0x880 fs/ext4/dir.c:85
Read of size 2 at addr ffff88811d6ca003 by task syz-executor242/298

CPU: 1 PID: 298 Comm: syz-executor242 Not tainted 5.15.150-syzkaller-00330-g9044d25b8ff5 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
 print_address_description+0x87/0x3b0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:427 [inline]
 kasan_report+0x179/0x1c0 mm/kasan/report.c:444
 __asan_report_load2_noabort+0x14/0x20 mm/kasan/report_generic.c:307
 __ext4_check_dir_entry+0x700/0x880 fs/ext4/dir.c:85
 ext4_readdir+0x1490/0x38d0 fs/ext4/dir.c:258
 iterate_dir+0x265/0x610
 __do_sys_getdents64 fs/readdir.c:369 [inline]
 __se_sys_getdents64+0x1c1/0x460 fs/readdir.c:354
 __x64_sys_getdents64+0x7b/0x90 fs/readdir.c:354
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7f3d06e270e9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 21 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff4f057368 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f3d06e270e9
RDX: 0000000000000010 RSI: 0000000000000000 RDI: 0000000000000005
RBP: 0000000000000000 R08: 00007fff4f05739c R09: 00007fff4f05739c
R10: 00007fff4f05739c R11: 0000000000000246 R12: 00007fff4f05739c
R13: 0000000000000001 R14: 431bde82d7b634db R15: 00007fff4f0573d0
 </TASK>

The buggy address belongs to the page:
page:ffffea000475b280 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x11d6ca
flags: 0x4000000000000000(zone=1)
raw: 4000000000000000 ffffea000475b2c8 ffffea000478a008 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x100dca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO), pid 236, ts 16085646426, free_ts 16087143754
 set_page_owner include/linux/page_owner.h:33 [inline]
 post_alloc_hook+0x1a3/0x1b0 mm/page_alloc.c:2604
 prep_new_page+0x1b/0x110 mm/page_alloc.c:2610
 get_page_from_freelist+0x3550/0x35d0 mm/page_alloc.c:4484
 __alloc_pages+0x27e/0x8f0 mm/page_alloc.c:5776
 __alloc_pages_node include/linux/gfp.h:591 [inline]
 alloc_pages_node include/linux/gfp.h:605 [inline]
 alloc_pages include/linux/gfp.h:618 [inline]
 do_anonymous_page mm/memory.c:4032 [inline]
 handle_pte_fault+0xea0/0x24d0 mm/memory.c:4869
 do_handle_mm_fault+0x1ea9/0x23a0 mm/memory.c:5293
 handle_mm_fault include/linux/mm.h:1836 [inline]
 do_user_addr_fault arch/x86/mm/fault.c:1458 [inline]
 handle_page_fault arch/x86/mm/fault.c:1549 [inline]
 exc_page_fault+0x3b5/0x830 arch/x86/mm/fault.c:1605
 asm_exc_page_fault+0x27/0x30 arch/x86/include/asm/idtentry.h:568
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:26 [inline]
 free_pages_prepare mm/page_alloc.c:1471 [inline]
 free_pcp_prepare mm/page_alloc.c:1543 [inline]
 free_unref_page_prepare+0x7c8/0x7d0 mm/page_alloc.c:3533
 free_unref_page_list+0x14b/0xa60 mm/page_alloc.c:3670
 release_pages+0x1310/0x1370 mm/swap.c:1009
 free_pages_and_swap_cache+0x8a/0xa0 mm/swap_state.c:320
 tlb_batch_pages_flush mm/mmu_gather.c:49 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:240 [inline]
 tlb_flush_mmu mm/mmu_gather.c:247 [inline]
 tlb_finish_mmu+0x177/0x320 mm/mmu_gather.c:338
 unmap_region+0x304/0x350 mm/mmap.c:2691
 __do_munmap+0x1421/0x1a90 mm/mmap.c:2925
 __vm_munmap+0x166/0x2a0 mm/mmap.c:2948
 __do_sys_munmap mm/mmap.c:2974 [inline]
 __se_sys_munmap mm/mmap.c:2970 [inline]
 __x64_sys_munmap+0x6b/0x80 mm/mmap.c:2970
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x61/0xcb

Memory state around the buggy address:
 ffff88811d6c9f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88811d6c9f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88811d6ca000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff88811d6ca080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88811d6ca100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
EXT4-fs error (device loop0): ext4_readdir:260: inode #2: block 255: comm syz-executor242: path /root/syzkaller.foR9l2/1/file0: bad entry in directory: rec_len is smaller than minimal - offset=1023, inode=0, rec_len=0, size=1024 fake=0

Crashes (3):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2024/06/28 13:23 android13-5.15-lts 9044d25b8ff5 6ef39602 .config strace log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-android-5-15 KASAN: use-after-free Read in __ext4_check_dir_entry
2024/06/20 00:32 android13-5.15-lts 85445b5a2107 41b7e219 .config console log report syz / log [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-android-5-15 KASAN: use-after-free Read in __ext4_check_dir_entry
2024/06/14 16:49 android13-5.15-lts 85445b5a2107 8d849073 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-15 KASAN: use-after-free Read in __ext4_check_dir_entry
* Struck through repros no longer work on HEAD.