syzbot


KASAN: use-after-free Read in get_max_inline_xattr_value_size

Status: fixed on 2023/06/07 17:22
Subsystems: ext4
[Documentation on labels]
Reported-by: syzbot+83f4272d07a60d313711@syzkaller.appspotmail.com
Fix commit: 8aad0253b5e6 ext4: add inode table check in __ext4_get_inode_loc to aovid possible infinite loop
First crash: 504d, last: 425d
Similar bugs (6)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-5-10 KASAN: slab-out-of-bounds Read in get_max_inline_xattr_value_size ext4 C error 4 424d 504d 2/2 fixed on 2023/06/07 17:22
upstream KASAN: slab-out-of-bounds Read in get_max_inline_xattr_value_size ext4 C 21 383d 421d 22/26 fixed on 2023/07/01 16:05
android-54 KASAN: use-after-free Read in get_max_inline_xattr_value_size (2) C 3 306d 314d 0/2 auto-obsoleted due to no activity on 2023/10/31 04:10
android-6-1 KASAN: use-after-free Read in get_max_inline_xattr_value_size origin:lts C error done 10 225d 314d 0/2 auto-obsoleted due to no activity on 2024/01/19 14:48
android-5-15 KASAN: use-after-free Read in get_max_inline_xattr_value_size ext4 C error 4 425d 504d 2/2 fixed on 2023/06/07 17:22
linux-4.19 KASAN: slab-out-of-bounds Read in get_max_inline_xattr_value_size ext4 C error 1 483d 483d 0/1 upstream: reported C repro on 2023/01/27 02:26

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in get_max_inline_xattr_value_size+0x369/0x510 fs/ext4/inline.c:61
Read of size 4 at addr ffff8881de2a4084 by task syz-executor369/300

CPU: 1 PID: 300 Comm: syz-executor369 Not tainted 5.4.225-syzkaller-00008-g07edbcca3d39 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d8/0x241 lib/dump_stack.c:118
 print_address_description+0x8c/0x600 mm/kasan/report.c:384
 __kasan_report+0xf3/0x120 mm/kasan/report.c:516
 kasan_report+0x30/0x60 mm/kasan/common.c:653
 get_max_inline_xattr_value_size+0x369/0x510 fs/ext4/inline.c:61
 ext4_get_max_inline_size+0x134/0x1f0 fs/ext4/inline.c:112
 ext4_da_write_inline_data_begin+0x1e6/0xbe0 fs/ext4/inline.c:900
 ext4_da_write_begin+0x52b/0xfe0 fs/ext4/inode.c:3134
 generic_perform_write+0x2c7/0x560 mm/filemap.c:3311
 __generic_file_write_iter+0x239/0x490 mm/filemap.c:3440
 ext4_file_write_iter+0x499/0x10e0 fs/ext4/file.c:270
 call_write_iter include/linux/fs.h:1981 [inline]
 new_sync_write fs/read_write.c:483 [inline]
 __vfs_write+0x5d3/0x750 fs/read_write.c:496
 vfs_write+0x206/0x4e0 fs/read_write.c:558
 ksys_write+0x199/0x2c0 fs/read_write.c:611
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1

Allocated by task 300:
 save_stack mm/kasan/common.c:70 [inline]
 set_track mm/kasan/common.c:78 [inline]
 __kasan_kmalloc+0x130/0x1d0 mm/kasan/common.c:529
 slab_post_alloc_hook mm/slab.h:584 [inline]
 slab_alloc_node mm/slub.c:2829 [inline]
 slab_alloc mm/slub.c:2837 [inline]
 kmem_cache_alloc+0xd0/0x220 mm/slub.c:2842
 mempool_alloc+0x11f/0x530 mm/mempool.c:393
 bio_alloc_bioset+0x1e0/0x650 block/bio.c:483
 bio_alloc include/linux/bio.h:401 [inline]
 submit_bh_wbc+0x1c6/0x7a0 fs/buffer.c:3042
 submit_bh+0x21/0x30 fs/buffer.c:3076
 read_mmp_block+0x1a2/0x8a0 fs/ext4/mmp.c:91
 ext4_multi_mount_protect+0x1d4/0xa50 fs/ext4/mmp.c:291
 ext4_fill_super+0x5c96/0x8d10 fs/ext4/super.c:4435
 mount_bdev+0x22e/0x340 fs/super.c:1417
 legacy_get_tree+0xdf/0x170 fs/fs_context.c:647
 vfs_get_tree+0x85/0x260 fs/super.c:1547
 do_new_mount+0x292/0x570 fs/namespace.c:2843
 do_mount+0x688/0xdd0 fs/namespace.c:3163
 ksys_mount+0xc2/0xf0 fs/namespace.c:3372
 __do_sys_mount fs/namespace.c:3386 [inline]
 __se_sys_mount fs/namespace.c:3383 [inline]
 __x64_sys_mount+0xb1/0xc0 fs/namespace.c:3383
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1

Freed by task 16:
 save_stack mm/kasan/common.c:70 [inline]
 set_track mm/kasan/common.c:78 [inline]
 kasan_set_free_info mm/kasan/common.c:345 [inline]
 __kasan_slab_free+0x178/0x230 mm/kasan/common.c:487
 slab_free_hook mm/slub.c:1455 [inline]
 slab_free_freelist_hook mm/slub.c:1494 [inline]
 slab_free mm/slub.c:3080 [inline]
 kmem_cache_free+0xd5/0x290 mm/slub.c:3096
 req_bio_endio block/blk-core.c:247 [inline]
 blk_update_request+0x311/0xdb0 block/blk-core.c:1478
 blk_mq_end_request+0x3a/0x70 block/blk-mq.c:571
 blk_done_softirq+0x2d6/0x350 block/blk-softirq.c:37
 __do_softirq+0x22e/0x630 kernel/softirq.c:292

The buggy address belongs to the object at ffff8881de2a4000
 which belongs to the cache bio-0 of size 200
The buggy address is located 132 bytes inside of
 200-byte region [ffff8881de2a4000, ffff8881de2a40c8)
The buggy address belongs to the page:
page:ffffea000778a900 refcount:1 mapcount:0 mapping:ffff8881f36d8a00 index:0x0
flags: 0x8000000000000200(slab)
raw: 8000000000000200 dead000000000100 dead000000000122 ffff8881f36d8a00
raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x92880(GFP_NOWAIT|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_NOMEMALLOC)
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook mm/page_alloc.c:2165 [inline]
 prep_new_page+0x18f/0x370 mm/page_alloc.c:2171
 get_page_from_freelist+0x2ce8/0x2d70 mm/page_alloc.c:3794
 __alloc_pages_nodemask+0x393/0x840 mm/page_alloc.c:4891
 alloc_slab_page+0x39/0x3c0 mm/slub.c:343
 allocate_slab mm/slub.c:1683 [inline]
 new_slab+0x97/0x440 mm/slub.c:1749
 new_slab_objects mm/slub.c:2505 [inline]
 ___slab_alloc+0x2fe/0x490 mm/slub.c:2667
 __slab_alloc+0x5a/0x90 mm/slub.c:2707
 slab_alloc_node mm/slub.c:2792 [inline]
 slab_alloc mm/slub.c:2837 [inline]
 kmem_cache_alloc+0x100/0x220 mm/slub.c:2842
 mempool_alloc+0x11f/0x530 mm/mempool.c:393
 bio_alloc_bioset+0x1e0/0x650 block/bio.c:483
 bio_alloc include/linux/bio.h:401 [inline]
 mpage_alloc fs/mpage.c:115 [inline]
 do_mpage_readpage+0x1357/0x1950 fs/mpage.c:342
 mpage_readpages+0x36e/0x500 fs/mpage.c:440
 read_pages+0x119/0x400 mm/readahead.c:126
 __do_page_cache_readahead+0x448/0x4f0 mm/readahead.c:212
 force_page_cache_readahead mm/readahead.c:243 [inline]
 page_cache_sync_readahead+0x306/0x380 mm/readahead.c:522
 generic_file_buffered_read mm/filemap.c:2070 [inline]
 generic_file_read_iter+0x5db/0x2100 mm/filemap.c:2343
page_owner free stack trace missing

Memory state around the buggy address:
 ffff8881de2a3f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8881de2a4000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881de2a4080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
                   ^
 ffff8881de2a4100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
 ffff8881de2a4180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (20):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2023/03/26 09:12 android12-5.4 07edbcca3d39 fbf0499a .config console log report syz C [mounted in repro] ci2-android-5-4-kasan KASAN: use-after-free Read in get_max_inline_xattr_value_size
2023/01/16 07:27 android12-5.4 a0eae55f26a0 a63719e7 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-android-5-4-kasan KASAN: use-after-free Read in get_max_inline_xattr_value_size
2023/01/06 07:47 android12-5.4 4a947285bcca 1dac8c7a .config console log report syz C [mounted in repro] ci2-android-5-4-kasan KASAN: use-after-free Read in get_max_inline_xattr_value_size
2023/01/23 16:34 android12-5.4 57b9129d0863 9dfcf09c .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in get_max_inline_xattr_value_size
2023/01/23 12:49 android12-5.4 57b9129d0863 44388686 .config console log report info ci2-android-5-4-kasan KASAN: use-after-free Read in get_max_inline_xattr_value_size
2023/01/22 10:17 android12-5.4 a0eae55f26a0 cc0f9968 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in get_max_inline_xattr_value_size
2023/01/21 23:57 android12-5.4 a0eae55f26a0 cc0f9968 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in get_max_inline_xattr_value_size
2023/01/21 16:09 android12-5.4 a0eae55f26a0 cc0f9968 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in get_max_inline_xattr_value_size
2023/01/21 03:12 android12-5.4 a0eae55f26a0 cc0f9968 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in get_max_inline_xattr_value_size
2023/01/21 01:21 android12-5.4 a0eae55f26a0 cc0f9968 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in get_max_inline_xattr_value_size
2023/01/19 21:52 android12-5.4 a0eae55f26a0 71197f3a .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in get_max_inline_xattr_value_size
2023/01/19 09:30 android12-5.4 a0eae55f26a0 66fca3ae .config console log report info ci2-android-5-4-kasan KASAN: use-after-free Read in get_max_inline_xattr_value_size
2023/01/19 05:17 android12-5.4 a0eae55f26a0 4620c2d9 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in get_max_inline_xattr_value_size
2023/01/18 14:00 android12-5.4 a0eae55f26a0 4620c2d9 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in get_max_inline_xattr_value_size
2023/01/18 11:31 android12-5.4 a0eae55f26a0 4620c2d9 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in get_max_inline_xattr_value_size
2023/01/17 18:52 android12-5.4 a0eae55f26a0 42660d9e .config console log report info ci2-android-5-4-kasan KASAN: use-after-free Read in get_max_inline_xattr_value_size
2023/01/16 18:05 android12-5.4 a0eae55f26a0 a63719e7 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in get_max_inline_xattr_value_size
2023/01/16 06:53 android12-5.4 a0eae55f26a0 a63719e7 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in get_max_inline_xattr_value_size
2023/01/13 05:36 android12-5.4 a0eae55f26a0 96166539 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in get_max_inline_xattr_value_size
2023/01/06 07:26 android12-5.4 4a947285bcca 1dac8c7a .config console log report info ci2-android-5-4-kasan KASAN: use-after-free Read in get_max_inline_xattr_value_size
* Struck through repros no longer work on HEAD.