syzbot


UBSAN: array-index-out-of-bounds in jfs_readdir

Status: upstream: reported C repro on 2024/04/01 00:20
Bug presence: origin:lts-only
Reported-by: syzbot+86aff299c9c99b870520@syzkaller.appspotmail.com
First crash: 316d, last: 5d10h
Fix bisection: failed (error log, bisect log)
Bug presence (2)
Date        Name                Commit        Repro  Result
2025/01/02  linux-5.15.y (ToT)  91786f140358  C      [report] KASAN: slab-out-of-bounds Read in jfs_readdir
2025/01/02  upstream (ToT)      56e6a3499e14  C      Didn't crash
Similar bugs (6)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: slab-out-of-bounds Read in jfs_readdir jfs C error done 17 400d 761d 25/28 fixed on 2024/03/20 11:33
linux-6.1 UBSAN: array-index-out-of-bounds in jfs_readdir origin:upstream missing-backport C error 48 2d16h 316d 0/3 upstream: reported C repro on 2024/04/01 00:16
upstream UBSAN: array-index-out-of-bounds in jfs_readdir jfs C inconclusive 89 64d 316d 28/28 fixed on 2024/12/16 09:50
linux-4.14 KASAN: slab-out-of-bounds Read in jfs_readdir jfs 1 761d 761d 0/1 upstream: reported on 2023/01/12 07:34
upstream KASAN: slab-use-after-free Read in jfs_readdir jfs C unreliable 10 2d08h 40d 0/28 upstream: reported C repro on 2025/01/02 02:02
linux-4.19 KASAN: slab-out-of-bounds Read in jfs_readdir jfs 2 761d 761d 0/1 upstream: reported on 2023/01/12 07:27
Last patch testing requests (7)
Created           Duration  User          Patch  Repo          Result
2025/02/06 01:58  14m       retest repro  -      linux-5.15.y  report log
2025/02/06 01:58  1h27m     retest repro  -      linux-5.15.y  report log
2025/02/06 01:58  1h19m     retest repro  -      linux-5.15.y  report log
2025/02/06 01:58  15m       retest repro  -      linux-5.15.y  report log
2025/02/06 01:58  16m       retest repro  -      linux-5.15.y  report log
2024/12/27 05:01  17m       retest repro  -      linux-5.15.y  OK log
2024/12/27 05:01  12m       retest repro  -      linux-5.15.y  report log
Fix bisection attempts (2)
Created           Duration  User           Patch  Repo          Result
2025/01/05 04:22  1m        fix candidate  -      upstream      error job log
2024/05/18 08:40  0m        bisect fix     -      linux-5.15.y  error job log

Sample crash report:
loop0: detected capacity change from 0 to 32768
==================================================================
BUG: KASAN: slab-out-of-bounds in jfs_readdir+0x1698/0x3030 fs/jfs/jfs_dtree.c:3200
Read of size 1 at addr ffff0000e1e4f9f5 by task syz-executor223/4041

CPU: 0 PID: 4041 Comm: syz-executor223 Not tainted 5.15.176-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Call trace:
 dump_backtrace+0x0/0x530 arch/arm64/kernel/stacktrace.c:152
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
 print_address_description+0x7c/0x3f0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:434 [inline]
 kasan_report+0x174/0x1e4 mm/kasan/report.c:451
 __asan_report_load1_noabort+0x44/0x50 mm/kasan/report_generic.c:306
 jfs_readdir+0x1698/0x3030 fs/jfs/jfs_dtree.c:3200
 iterate_dir+0x1f4/0x4ec
 __do_sys_getdents64 fs/readdir.c:369 [inline]
 __se_sys_getdents64 fs/readdir.c:354 [inline]
 __arm64_sys_getdents64+0x1c4/0x4c4 fs/readdir.c:354
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
 el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:608
 el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:626
 el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584

Allocated by task 4041:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 __kasan_slab_alloc+0x8c/0xcc mm/kasan/common.c:467
 kasan_slab_alloc include/linux/kasan.h:254 [inline]
 slab_post_alloc_hook+0x74/0x3f4 mm/slab.h:519
 slab_alloc_node mm/slub.c:3220 [inline]
 slab_alloc mm/slub.c:3228 [inline]
 kmem_cache_alloc+0x1dc/0x45c mm/slub.c:3233
 jfs_alloc_inode+0x24/0x60 fs/jfs/super.c:105
 alloc_inode fs/inode.c:236 [inline]
 iget_locked+0x180/0x720 fs/inode.c:1283
 jfs_iget+0x30/0x364 fs/jfs/inode.c:29
 jfs_fill_super+0x65c/0xa08 fs/jfs/super.c:585
 mount_bdev+0x274/0x370 fs/super.c:1400
 jfs_do_mount+0x44/0x58 fs/jfs/super.c:675
 legacy_get_tree+0xd4/0x16c fs/fs_context.c:611
 vfs_get_tree+0x90/0x274 fs/super.c:1530
 do_new_mount+0x278/0x8fc fs/namespace.c:3012
 path_mount+0x594/0x101c fs/namespace.c:3342
 do_mount fs/namespace.c:3355 [inline]
 __do_sys_mount fs/namespace.c:3563 [inline]
 __se_sys_mount fs/namespace.c:3540 [inline]
 __arm64_sys_mount+0x510/0x5e0 fs/namespace.c:3540
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
 el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:608
 el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:626
 el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584

The buggy address belongs to the object at ffff0000e1e4ef00
 which belongs to the cache jfs_ip of size 2240
The buggy address is located 565 bytes to the right of
 2240-byte region [ffff0000e1e4ef00, ffff0000e1e4f7c0)
The buggy address belongs to the page:
page:00000000ca2ae40c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x121e48
head:00000000ca2ae40c order:3 compound_mapcount:0 compound_pincount:0
flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000010200 0000000000000000 dead000000000122 ffff0000c6639380
raw: 0000000000000000 00000000000d000d 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000e1e4f880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff0000e1e4f900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff0000e1e4f980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                                             ^
 ffff0000e1e4fa00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff0000e1e4fa80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
ERROR: (device loop0): jfs_readdir: JFS:Dtree error: ino = 2, bn=0, index = 0

ERROR: (device loop0): remounting filesystem as read-only
read_mapping_page failed!
bread failed!
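
To make the arithmetic in the report above checkable rather than taken on trust, the following triage script (added for this page; it is not syzbot's or the kernel's code) parses the KASAN lines shown above, recomputes where the 1-byte read lands relative to the jfs_ip object, confirms the "565 bytes to the right of" claim, and decodes the shadow byte covering the faulting address. The input is the sample report copied into a constant; the shadow-byte meanings follow the generic-mode encoding in the kernel's mm/kasan/kasan.h (0xfc = slab redzone, 0xfb = freed slab object, 0x01-0x07 = partially accessible granule).

```python
import re
from dataclasses import dataclass

# Constructed input: the relevant lines of the sample crash report above.
SAMPLE_REPORT = """\
BUG: KASAN: slab-out-of-bounds in jfs_readdir+0x1698/0x3030 fs/jfs/jfs_dtree.c:3200
Read of size 1 at addr ffff0000e1e4f9f5 by task syz-executor223/4041
The buggy address belongs to the object at ffff0000e1e4ef00
 which belongs to the cache jfs_ip of size 2240
The buggy address is located 565 bytes to the right of
 2240-byte region [ffff0000e1e4ef00, ffff0000e1e4f7c0)
 ffff0000e1e4f900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff0000e1e4f980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

KASAN_GRANULE = 8  # generic-mode KASAN: one shadow byte per 8 bytes of memory
# Special shadow values from the kernel's mm/kasan/kasan.h (generic mode).
SHADOW_SPECIAL = {0xFB: "freed slab object", 0xFC: "slab redzone",
                  0xFE: "page redzone", 0xFF: "freed page"}


@dataclass
class KasanSlabAccess:
    bug_kind: str    # e.g. "slab-out-of-bounds"
    func: str        # function containing the bad access
    access: str      # "Read" or "Write"
    size: int        # bytes accessed
    addr: int        # faulting address
    obj_start: int   # start of the slab object KASAN attributed the access to
    obj_size: int    # object size of that cache
    cache: str       # slab cache name
    shadow: dict     # shadow-line base address -> list of shadow byte values

    @property
    def obj_end(self) -> int:
        return self.obj_start + self.obj_size

    def placement(self) -> tuple:
        """('inside'|'left'|'right', distance), measured as KASAN prints it:
        from the object start for 'left', from the object end for 'right'."""
        if self.addr < self.obj_start:
            return "left", self.obj_start - self.addr
        if self.addr + self.size <= self.obj_end:
            return "inside", 0
        return "right", self.addr - self.obj_end

    def shadow_byte(self):
        """Shadow byte covering addr, if the report's memory-state dump has it."""
        for base, values in self.shadow.items():
            idx = (self.addr - base) // KASAN_GRANULE
            if 0 <= idx < len(values):
                return values[idx]
        return None


def decode_shadow(value: int) -> str:
    """Meaning of one generic-mode KASAN shadow byte."""
    if value == 0:
        return "all 8 bytes accessible"
    if 1 <= value <= 7:
        return f"first {value} of 8 bytes accessible"
    return SHADOW_SPECIAL.get(value, f"unknown shadow value 0x{value:02x}")


def parse_kasan_report(text: str) -> KasanSlabAccess:
    """Extract the fields a triager needs from a KASAN slab-* report."""
    def grab(pattern: str) -> tuple:
        m = re.search(pattern, text, re.M)
        if m is None:
            raise ValueError(f"report is missing a line matching {pattern!r}")
        return m.groups()

    bug_kind, func = grab(r"^BUG: KASAN: (\S+) in (\S+?)\+0x")
    access, size, addr = grab(r"^(Read|Write) of size (\d+) at addr ([0-9a-f]+)")
    (obj_start,) = grab(r"belongs to the object at ([0-9a-f]+)")
    cache, obj_size = grab(r"belongs to the cache (\S+) of size (\d+)")
    # Memory-state lines: optional '>' marker, 16-hex-digit base, 16 shadow bytes.
    shadow = {int(base, 16): [int(b, 16) for b in row.split()]
              for base, row in re.findall(
                  r"^[> ]([0-9a-f]{16}): ((?:[0-9a-f]{2} ?)+)$", text, re.M)}
    return KasanSlabAccess(bug_kind, func, access, int(size), int(addr, 16),
                           int(obj_start, 16), int(obj_size), cache, shadow)


def cross_check(text: str) -> dict:
    """Recompute the report's own arithmetic and flag any disagreement."""
    acc = parse_kasan_report(text)
    side, distance = acc.placement()
    claim = re.search(r"located (\d+) bytes to the (left|right) of", text)
    claimed = (claim.group(2), int(claim.group(1))) if claim else None
    sb = acc.shadow_byte()
    return {"bug": acc.bug_kind, "func": acc.func, "cache": acc.cache,
            "offset": acc.addr - acc.obj_start, "side": side, "distance": distance,
            "matches_report": claimed == (side, distance), "shadow_byte": sb,
            "shadow_meaning": decode_shadow(sb) if sb is not None else "not in report"}


if __name__ == "__main__":
    print(cross_check(SAMPLE_REPORT))
```

Run it directly to print the summary for the embedded report. For this report the access sits at offset 2805 from the start of a 2240-byte jfs_ip object, i.e. 565 bytes past its end, and the shadow byte at that address is 0xfc (slab redzone), so the three facts KASAN prints agree with each other. The same check is worth running on the other reports linked from the crashes table below: on this page the bug surfaces under both a UBSAN (array index) and a KASAN (memory access) title depending on which instrumentation trips first, and the object-relative offset is what tells you whether successive reports are the same out-of-bounds index or a different one.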

Crashes (40):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2025/01/19 22:05 linux-5.15.y 4735586da88e f2cb035c .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-5-15-kasan-arm64 KASAN: slab-out-of-bounds Read in jfs_readdir
2025/01/19 20:17 linux-5.15.y 4735586da88e f2cb035c .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-5-15-kasan-arm64 KASAN: slab-out-of-bounds Read in jfs_readdir
2025/01/19 17:40 linux-5.15.y 4735586da88e f2cb035c .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-5-15-kasan-arm64 KASAN: slab-out-of-bounds Read in jfs_readdir
2025/01/19 15:20 linux-5.15.y 4735586da88e f2cb035c .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-5-15-kasan-arm64 KASAN: slab-out-of-bounds Read in jfs_readdir
2025/01/19 13:53 linux-5.15.y 4735586da88e f2cb035c .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-5-15-kasan-arm64 KASAN: slab-out-of-bounds Read in jfs_readdir
2025/01/19 12:42 linux-5.15.y 4735586da88e f2cb035c .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-5-15-kasan-arm64 KASAN: slab-out-of-bounds Read in jfs_readdir
2025/01/19 11:34 linux-5.15.y 4735586da88e f2cb035c .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-5-15-kasan-arm64 KASAN: slab-out-of-bounds Read in jfs_readdir
2024/11/24 10:03 linux-5.15.y 0a51d2d4527b 68da6d95 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-5-15-kasan-arm64 KASAN: slab-out-of-bounds Read in jfs_readdir
2024/12/03 09:59 linux-5.15.y 0a51d2d4527b 578925bc .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan UBSAN: array-index-out-of-bounds in jfs_readdir
2024/12/03 09:58 linux-5.15.y 0a51d2d4527b 578925bc .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan UBSAN: array-index-out-of-bounds in jfs_readdir
2024/11/30 16:12 linux-5.15.y 0a51d2d4527b 68914665 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan UBSAN: array-index-out-of-bounds in jfs_readdir
2024/11/30 16:12 linux-5.15.y 0a51d2d4527b 68914665 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan UBSAN: array-index-out-of-bounds in jfs_readdir
2024/11/28 00:19 linux-5.15.y 0a51d2d4527b 5df23865 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan UBSAN: array-index-out-of-bounds in jfs_readdir
2024/11/28 00:19 linux-5.15.y 0a51d2d4527b 5df23865 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan UBSAN: array-index-out-of-bounds in jfs_readdir
2024/12/12 09:10 linux-5.15.y 0a51d2d4527b 6f1b0fa8 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 UBSAN: array-index-out-of-bounds in jfs_readdir
2024/12/03 08:31 linux-5.15.y 0a51d2d4527b 578925bc .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 UBSAN: array-index-out-of-bounds in jfs_readdir
2024/12/03 08:31 linux-5.15.y 0a51d2d4527b 578925bc .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 UBSAN: array-index-out-of-bounds in jfs_readdir
2024/11/30 16:04 linux-5.15.y 0a51d2d4527b 68914665 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 UBSAN: array-index-out-of-bounds in jfs_readdir
2024/11/28 01:13 linux-5.15.y 0a51d2d4527b 5df23865 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 UBSAN: array-index-out-of-bounds in jfs_readdir
2024/11/28 01:12 linux-5.15.y 0a51d2d4527b 5df23865 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 UBSAN: array-index-out-of-bounds in jfs_readdir
2024/04/17 01:03 linux-5.15.y fa3df276cd36 18f6e127 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 UBSAN: array-index-out-of-bounds in jfs_readdir
2024/04/14 02:33 linux-5.15.y fa3df276cd36 c8349e48 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 UBSAN: array-index-out-of-bounds in jfs_readdir
2024/04/14 02:33 linux-5.15.y fa3df276cd36 c8349e48 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 UBSAN: array-index-out-of-bounds in jfs_readdir
2024/04/14 02:33 linux-5.15.y fa3df276cd36 c8349e48 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 UBSAN: array-index-out-of-bounds in jfs_readdir
2024/04/03 02:49 linux-5.15.y 9465fef4ae35 7925100d .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 UBSAN: array-index-out-of-bounds in jfs_readdir
2024/04/02 22:44 linux-5.15.y 9465fef4ae35 eb2966c4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 UBSAN: array-index-out-of-bounds in jfs_readdir
2024/04/02 21:14 linux-5.15.y 9465fef4ae35 eb2966c4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 UBSAN: array-index-out-of-bounds in jfs_readdir
2024/04/02 14:34 linux-5.15.y 9465fef4ae35 eb2966c4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 UBSAN: array-index-out-of-bounds in jfs_readdir
2024/04/02 14:34 linux-5.15.y 9465fef4ae35 eb2966c4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 UBSAN: array-index-out-of-bounds in jfs_readdir
2024/04/01 20:51 linux-5.15.y 9465fef4ae35 6baf5069 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 UBSAN: array-index-out-of-bounds in jfs_readdir
2024/04/01 15:45 linux-5.15.y 9465fef4ae35 6baf5069 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 UBSAN: array-index-out-of-bounds in jfs_readdir
2024/04/01 15:18 linux-5.15.y 9465fef4ae35 6baf5069 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 UBSAN: array-index-out-of-bounds in jfs_readdir
2024/04/01 04:28 linux-5.15.y 9465fef4ae35 6baf5069 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-5-15-kasan-arm64 UBSAN: array-index-out-of-bounds in jfs_readdir
2024/04/01 00:51 linux-5.15.y 9465fef4ae35 6baf5069 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 UBSAN: array-index-out-of-bounds in jfs_readdir
2024/04/01 00:19 linux-5.15.y 9465fef4ae35 6baf5069 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 UBSAN: array-index-out-of-bounds in jfs_readdir
2025/01/23 01:26 linux-5.15.y 4735586da88e a44b0418 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: use-after-free Read in jfs_readdir
2025/01/19 07:44 linux-5.15.y 4735586da88e f2cb035c .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 KASAN: use-after-free Read in jfs_readdir
2025/01/12 14:41 linux-5.15.y 4735586da88e 6dbc6a9b .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 KASAN: slab-out-of-bounds Read in jfs_readdir
2025/01/07 20:28 linux-5.15.y 91786f140358 f3558dbf .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 KASAN: use-after-free Read in jfs_readdir
2024/11/24 09:28 linux-5.15.y 0a51d2d4527b 68da6d95 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 KASAN: slab-out-of-bounds Read in jfs_readdir