syzbot

 sign-in | mailing list | source | docs
🐞 Open [112]
🐞 Fixed [70]
🐞 Invalid [149]
Kernel Health Bugs/Month Bug Lifetimes Fuzzing Crashes
💬 Send us feedback

KASAN: use-after-free Read in __ext4_check_dir_entry

Status: upstream: reported C repro on 2024/05/10 09:19
Reported-by: syzbot+8f42da1dbf662eb1d6f0@syzkaller.appspotmail.com
First crash: 113d, last: 27d
Similar bugs (7)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.14 KASAN: use-after-free Read in __ext4_check_dir_entry C inconclusive 6 1438d 1542d 0/1 upstream: reported C repro on 2020/06/12 02:23
upstream KASAN: use-after-free Read in __ext4_check_dir_entry (2) ext4 C error 1 99d 109d 0/27 closed as dup on 2024/06/26 08:39
linux-5.15 KASAN: use-after-free Read in __ext4_check_dir_entry origin:upstream C 10 13d 90d 0/3 upstream: reported C repro on 2024/06/03 01:15
android-5-15 KASAN: use-after-free Read in __ext4_check_dir_entry origin:upstream missing-backport C 3 19d 64d 0/2 upstream: reported C repro on 2024/06/28 13:26
upstream KASAN: use-after-free Read in __ext4_check_dir_entry ext4 C 8 2342d 2345d 22/27 closed as dup on 2018/03/31 22:38
android-6-1 KASAN: use-after-free Read in __ext4_check_dir_entry origin:upstream missing-backport C 4 22d 112d 0/2 upstream: reported C repro on 2024/05/11 11:53
linux-6.1 KASAN: use-after-free Read in __ext4_check_dir_entry 15 53d 90d 0/3 upstream: reported on 2024/06/03 01:12
Last patch testing requests (1)
Created Duration User Patch Repo Result
2024/05/24 10:17 4m retest repro android13-5.10-lts report log
Fix bisection attempts (2)
Created Duration User Patch Repo Result
2024/08/04 13:35 47m bisect fix android13-5.10-lts OK (0) job log log
2024/06/29 12:27 36m bisect fix android13-5.10-lts OK (0) job log log

Sample crash report:
EXT4-fs error (device loop0): make_indexed_dir:2245: inode #2: block 255: comm syz-executor320: bad entry in directory: rec_len is smaller than minimal - offset=1024, inode=5120, rec_len=0, size=993 fake=0
EXT4-fs warning (device loop0): dx_probe:805: inode #2: comm syz-executor320: Unrecognised inode hash code 49
EXT4-fs warning (device loop0): dx_probe:945: inode #2: comm syz-executor320: Corrupt directory, running e2fsck is recommended
==================================================================
BUG: KASAN: use-after-free in __ext4_check_dir_entry+0x700/0x880 fs/ext4/dir.c:85
Read of size 2 at addr ffff888116f28003 by task syz-executor320/321

CPU: 0 PID: 321 Comm: syz-executor320 Not tainted 5.10.210-syzkaller-00394-g70b6ab09a34b #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack_lvl+0x1e2/0x24b lib/dump_stack.c:118
 print_address_description+0x81/0x3b0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:435 [inline]
 kasan_report+0x179/0x1c0 mm/kasan/report.c:452
 __asan_report_load2_noabort+0x14/0x20 mm/kasan/report_generic.c:307
 __ext4_check_dir_entry+0x700/0x880 fs/ext4/dir.c:85
 ext4_readdir+0x1402/0x37c0 fs/ext4/dir.c:258
 iterate_dir+0x265/0x580
 __do_sys_getdents64 fs/readdir.c:369 [inline]
 __se_sys_getdents64+0x1c1/0x460 fs/readdir.c:354
 __x64_sys_getdents64+0x7b/0x90 fs/readdir.c:354
 do_syscall_64+0x34/0x70
 entry_SYSCALL_64_after_hwframe+0x61/0xc6
RIP: 0033:0x7fe88ee8e0e9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 21 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc23661ba8 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fe88ee8e0e9
RDX: 0000000000000010 RSI: 0000000000000000 RDI: 0000000000000005
RBP: 0000000000000000 R08: 00007ffc23661bdc R09: 00007ffc23661bdc
R10: 00007ffc23661bdc R11: 0000000000000246 R12: 00007ffc23661bdc
R13: 000000000000000a R14: 431bde82d7b634db R15: 00007ffc23661c10

The buggy address belongs to the page:
page:ffffea00045bca00 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x1 pfn:0x116f28
flags: 0x4000000000000000()
raw: 4000000000000000 ffffea00045bd6c8 ffffea0004431488 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffff7f 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x8100dca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO|0x8000000), pid 230, ts 14510620823, free_ts 14512075758
 set_page_owner include/linux/page_owner.h:35 [inline]
 post_alloc_hook mm/page_alloc.c:2456 [inline]
 prep_new_page+0x166/0x180 mm/page_alloc.c:2462
 get_page_from_freelist+0x2d8c/0x2f30 mm/page_alloc.c:4254
 __alloc_pages_nodemask+0x435/0xaf0 mm/page_alloc.c:5346
 __alloc_pages include/linux/gfp.h:544 [inline]
 __alloc_pages_node include/linux/gfp.h:557 [inline]
 alloc_pages_node include/linux/gfp.h:571 [inline]
 alloc_pages include/linux/gfp.h:590 [inline]
 do_anonymous_page mm/memory.c:3934 [inline]
 handle_pte_fault+0x174f/0x3de0 mm/memory.c:4757
 __handle_mm_fault mm/memory.c:4915 [inline]
 handle_mm_fault+0x11d6/0x1a10 mm/memory.c:5329
 do_user_addr_fault arch/x86/mm/fault.c:1396 [inline]
 handle_page_fault arch/x86/mm/fault.c:1462 [inline]
 exc_page_fault+0x2a6/0x5b0 arch/x86/mm/fault.c:1518
 asm_exc_page_fault+0x1e/0x30 arch/x86/include/asm/idtentry.h:571
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:28 [inline]
 free_pages_prepare mm/page_alloc.c:1349 [inline]
 free_pcp_prepare mm/page_alloc.c:1421 [inline]
 free_unref_page_prepare+0x2ae/0x2d0 mm/page_alloc.c:3336
 free_unref_page_list+0x122/0xb20 mm/page_alloc.c:3443
 release_pages+0xea0/0xef0 mm/swap.c:1103
 free_pages_and_swap_cache+0x8a/0xa0 mm/swap_state.c:356
 tlb_batch_pages_flush mm/mmu_gather.c:49 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:240 [inline]
 tlb_flush_mmu mm/mmu_gather.c:247 [inline]
 tlb_finish_mmu+0x177/0x320 mm/mmu_gather.c:326
 unmap_region+0x31c/0x370 mm/mmap.c:2807
 __do_munmap+0x699/0x8c0 mm/mmap.c:3036
 __vm_munmap mm/mmap.c:3059 [inline]
 __do_sys_munmap mm/mmap.c:3085 [inline]
 __se_sys_munmap+0x120/0x1a0 mm/mmap.c:3081
 __x64_sys_munmap+0x5b/0x70 mm/mmap.c:3081
 do_syscall_64+0x34/0x70
 entry_SYSCALL_64_after_hwframe+0x61/0xc6

Memory state around the buggy address:
 ffff888116f27f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888116f27f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888116f28000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff888116f28080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888116f28100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
EXT4-fs error (device loop0): ext4_readdir:260: inode #2: block 255: comm syz-executor320: path /root/syzkaller.u2Naqf/10/file0: bad entry in directory: rec_len is smaller than minimal - offset=1023, inode=0, rec_len=0, size=1024 fake=0

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2024/05/10 09:18 android13-5.10-lts 70b6ab09a34b de979bc2 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-android-5-10 KASAN: use-after-free Read in __ext4_check_dir_entry
* Struck through repros no longer work on HEAD.