syzbot

 sign-in | mailing list | source | docs
🐞 Open [245] 🐞 Fixed [22] 🐞 Invalid [72] 📈 Kernel Health 📈 Bugs/Month 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes 📈 Coverage 💬 Send us feedback

KASAN: use-after-free Read in __ext4_check_dir_entry

Status: premoderation: reported syz repro on 2024/06/14 16:50
Bug presence: origin:downstream
[Documentation on labels]
Reported-by: syzbot+7411ff498403814c63d8@syzkaller.appspotmail.com
First crash: 12d, last: 6d17h
Bug presence (3)
Date Name Commit Repro Result
2024/06/22 android13-5.15-lts (ToT) 85445b5a2107 C [report] lost connection to test machine
2024/06/22 lts (merge base) f4fab74cb83c C Didn't crash
2024/06/22 upstream (ToT) 35bb670d65fc C Didn't crash
Similar bugs (7)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.14 KASAN: use-after-free Read in __ext4_check_dir_entry C inconclusive 6 1371d 1475d 0/1 upstream: reported C repro on 2020/06/12 02:23
upstream KASAN: use-after-free Read in __ext4_check_dir_entry (2) ext4 C error 1 33d 43d 0/27 closed as dup on 2024/06/26 08:39
linux-5.15 KASAN: use-after-free Read in __ext4_check_dir_entry origin:upstream C 8 17d 23d 0/3 upstream: reported C repro on 2024/06/03 01:15
upstream KASAN: use-after-free Read in __ext4_check_dir_entry ext4 C 8 2276d 2278d 22/27 closed as dup on 2018/03/31 22:38
android-5-10 KASAN: use-after-free Read in __ext4_check_dir_entry C 1 33d 47d 0/2 upstream: reported C repro on 2024/05/10 09:19
android-6-1 KASAN: use-after-free Read in __ext4_check_dir_entry origin:upstream C 4 25d 46d 0/2 upstream: reported C repro on 2024/05/11 11:53
linux-6.1 KASAN: use-after-free Read in __ext4_check_dir_entry 6 17d 23d 0/3 upstream: reported on 2024/06/03 01:12

Sample crash report:
EXT4-fs warning (device loop1): dx_probe:892: inode #2: comm syz-executor.1: dx entry: limit 0 != root limit 124
EXT4-fs warning (device loop1): dx_probe:965: inode #2: comm syz-executor.1: Corrupt directory, running e2fsck is recommended
==================================================================
BUG: KASAN: use-after-free in __ext4_check_dir_entry+0x700/0x880 fs/ext4/dir.c:85
Read of size 2 at addr ffff88812be80003 by task syz-executor.1/1664

CPU: 0 PID: 1664 Comm: syz-executor.1 Not tainted 5.15.149-syzkaller-00165-g85445b5a2107 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
 print_address_description+0x87/0x3b0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:427 [inline]
 kasan_report+0x179/0x1c0 mm/kasan/report.c:444
 __asan_report_load2_noabort+0x14/0x20 mm/kasan/report_generic.c:307
 __ext4_check_dir_entry+0x700/0x880 fs/ext4/dir.c:85
 ext4_readdir+0x1490/0x38d0 fs/ext4/dir.c:258
 iterate_dir+0x265/0x610
 __do_sys_getdents64 fs/readdir.c:369 [inline]
 __se_sys_getdents64+0x1c1/0x460 fs/readdir.c:354
 __x64_sys_getdents64+0x7b/0x90 fs/readdir.c:354
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7f26f832df29
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f26f7eb00c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 00007f26f8464f80 RCX: 00007f26f832df29
RDX: 0000000000000010 RSI: 0000000000000000 RDI: 0000000000000008
RBP: 00007f26f839d074 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f26f8464f80 R15: 00007ffed6260cf8
 </TASK>

The buggy address belongs to the page:
page:ffffea0004afa000 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x12be80
flags: 0x4000000000000000(zone=1)
raw: 4000000000000000 ffffea0004af7ac8 ffffea0004872088 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x100cca(GFP_HIGHUSER_MOVABLE), pid 1621, ts 237729045312, free_ts 243419414560
 set_page_owner include/linux/page_owner.h:33 [inline]
 post_alloc_hook+0x1a3/0x1b0 mm/page_alloc.c:2604
 prep_new_page+0x1b/0x110 mm/page_alloc.c:2610
 get_page_from_freelist+0x3550/0x35d0 mm/page_alloc.c:4484
 __alloc_pages+0x27e/0x8f0 mm/page_alloc.c:5776
 __alloc_pages_node include/linux/gfp.h:591 [inline]
 alloc_pages_node include/linux/gfp.h:605 [inline]
 alloc_pages include/linux/gfp.h:618 [inline]
 do_cow_fault mm/memory.c:4540 [inline]
 do_fault mm/memory.c:4658 [inline]
 handle_pte_fault+0xa0c/0x24d0 mm/memory.c:4871
 do_handle_mm_fault+0x1ea9/0x23a0 mm/memory.c:5293
 handle_mm_fault include/linux/mm.h:1836 [inline]
 do_user_addr_fault arch/x86/mm/fault.c:1458 [inline]
 handle_page_fault arch/x86/mm/fault.c:1549 [inline]
 exc_page_fault+0x3b5/0x830 arch/x86/mm/fault.c:1605
 asm_exc_page_fault+0x27/0x30 arch/x86/include/asm/idtentry.h:568
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:26 [inline]
 free_pages_prepare mm/page_alloc.c:1471 [inline]
 free_pcp_prepare mm/page_alloc.c:1543 [inline]
 free_unref_page_prepare+0x7c8/0x7d0 mm/page_alloc.c:3533
 free_unref_page_list+0x14b/0xa60 mm/page_alloc.c:3670
 release_pages+0x1310/0x1370 mm/swap.c:1009
 free_pages_and_swap_cache+0x8a/0xa0 mm/swap_state.c:320
 tlb_batch_pages_flush mm/mmu_gather.c:49 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:240 [inline]
 tlb_flush_mmu mm/mmu_gather.c:247 [inline]
 tlb_finish_mmu+0x177/0x320 mm/mmu_gather.c:338
 exit_mmap+0x40d/0x940 mm/mmap.c:3218
 __mmput+0x95/0x310 kernel/fork.c:1179
 mmput+0x5b/0x170 kernel/fork.c:1202
 exit_mm kernel/exit.c:552 [inline]
 do_exit+0xb9c/0x2ca0 kernel/exit.c:865
 do_group_exit+0x141/0x310 kernel/exit.c:1000
 __do_sys_exit_group kernel/exit.c:1011 [inline]
 __se_sys_exit_group kernel/exit.c:1009 [inline]
 __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1009
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x61/0xcb

Memory state around the buggy address:
 ffff88812be7ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88812be7ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88812be80000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff88812be80080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88812be80100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
EXT4-fs error (device loop1): ext4_readdir:260: inode #2: block 59: comm syz-executor.1: path (unknown): bad entry in directory: rec_len is smaller than minimal - offset=1023, inode=86, rec_len=0, size=1024 fake=0

Crashes (2):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2024/06/20 00:32 android13-5.15-lts 85445b5a2107 41b7e219 .config console log report syz / log [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-android-5-15 KASAN: use-after-free Read in __ext4_check_dir_entry
2024/06/14 16:49 android13-5.15-lts 85445b5a2107 8d849073 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-15 KASAN: use-after-free Read in __ext4_check_dir_entry
* Struck through repros no longer work on HEAD.