syzbot


KASAN: use-after-free Read in ext4_search_dir

Status: upstream: reported C repro on 2024/04/15 06:47
Reported-by: syzbot+a133fb1e9618ba1cc23d@syzkaller.appspotmail.com
First crash: 173d, last: 4d14h
Similar bugs (7)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-5-15 KASAN: slab-out-of-bounds Read in ext4_search_dir origin:upstream missing-backport C 2 7d17h 323d 0/2 upstream: reported C repro on 2023/11/17 09:38
linux-5.15 KASAN: use-after-free Read in ext4_search_dir origin:upstream C 3 1d20h 477d 0/3 upstream: reported C repro on 2023/06/16 15:52
upstream KASAN: use-after-free Read in ext4_search_dir prio:low ext4 C error done 20 272d 513d 25/28 fixed on 2024/02/21 18:23
android-6-1 KASAN: use-after-free Read in ext4_search_dir origin:upstream C error 23 9d22h 349d 0/2 upstream: reported C repro on 2023/10/22 16:55
android-5-10 KASAN: slab-out-of-bounds Read in ext4_search_dir C error 9 2h13m 323d 0/2 upstream: reported C repro on 2023/11/17 09:38
linux-6.1 KASAN: use-after-free Read in ext4_search_dir origin:upstream missing-backport C done 1 14d 475d 0/3 upstream: reported C repro on 2023/06/18 19:29
upstream KASAN: use-after-free Read in ext4_search_dir (2) ext4 C 5 23d 47d 27/28 upstream: reported C repro on 2024/08/19 07:42
Last patch testing requests (3)
Created Duration User Patch Repo Result
2024/10/01 06:40 6m retest repro android12-5.4 report log
2024/07/23 05:45 5m retest repro android12-5.4 report log
2024/05/14 05:06 9m retest repro android12-5.4 report log

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in ext4_search_dir+0xee/0x1b0 fs/ext4/namei.c:1504
Read of size 1 at addr ffff8881dcecd6e3 by task syz-executor424/362

CPU: 0 PID: 362 Comm: syz-executor424 Not tainted 5.4.268-syzkaller-00012-gd0d34dcb02cc #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d8/0x241 lib/dump_stack.c:118
 print_address_description+0x8c/0x600 mm/kasan/report.c:384
 __kasan_report+0xf3/0x120 mm/kasan/report.c:516
 kasan_report+0x30/0x60 mm/kasan/common.c:653
 ext4_search_dir+0xee/0x1b0 fs/ext4/namei.c:1504
 ext4_find_inline_entry+0x4b6/0x5e0 fs/ext4/inline.c:1698
 __ext4_find_entry+0x2a9/0x1b50 fs/ext4/namei.c:1577
 ext4_lookup_entry fs/ext4/namei.c:1730 [inline]
 ext4_lookup+0x3c6/0xaa0 fs/ext4/namei.c:1798
 lookup_open fs/namei.c:3308 [inline]
 do_last fs/namei.c:3421 [inline]
 path_openat+0x159a/0x3480 fs/namei.c:3634
 do_filp_open+0x20b/0x450 fs/namei.c:3664
 do_sys_open+0x39c/0x810 fs/open.c:1113
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1

The buggy address belongs to the page:
page:ffffea000773b340 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1
flags: 0x8000000000000000()
raw: 8000000000000000 ffffea000773b388 ffffea000773b308 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)

Memory state around the buggy address:
 ffff8881dcecd580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881dcecd600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8881dcecd680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                       ^
 ffff8881dcecd700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881dcecd780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
EXT4-fs error (device loop0): ext4_find_dest_de:2063: inode #12: block 5: comm syz-executor424: bad entry in directory: rec_len % 4 != 0 - offset=0, inode=1375716473, rec_len=40042, size=56 fake=0

Crashes (17):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2024/04/15 06:45 android12-5.4 d0d34dcb02cc c8349e48 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-android-5-4-kasan KASAN: use-after-free Read in ext4_search_dir
2024/05/30 04:03 android12-5.4 8322246edffa 34889ee3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in ext4_search_dir
2024/05/30 04:03 android12-5.4 8322246edffa 34889ee3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in ext4_search_dir
2024/05/30 04:02 android12-5.4 8322246edffa 34889ee3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in ext4_search_dir
2024/05/27 02:35 android12-5.4 8322246edffa a10a183e .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in ext4_search_dir
2024/05/27 02:35 android12-5.4 8322246edffa a10a183e .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in ext4_search_dir
2024/05/27 02:35 android12-5.4 8322246edffa a10a183e .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in ext4_search_dir
2024/05/20 21:21 android12-5.4 51cf29fc2bfc c0f1611a .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in ext4_search_dir
2024/05/15 16:54 android12-5.4 51cf29fc2bfc 94b087b1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in ext4_search_dir
2024/04/30 05:05 android12-5.4 2d5d8240a7cb f10afd69 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in ext4_search_dir
2024/04/30 05:05 android12-5.4 2d5d8240a7cb f10afd69 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in ext4_search_dir
2024/04/28 00:58 android12-5.4 2d5d8240a7cb 07b455f9 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in ext4_search_dir
2024/04/27 06:03 android12-5.4 2d5d8240a7cb 07b455f9 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in ext4_search_dir
2024/04/27 06:02 android12-5.4 2d5d8240a7cb 07b455f9 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in ext4_search_dir
2024/04/27 06:01 android12-5.4 2d5d8240a7cb 07b455f9 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in ext4_search_dir
2024/04/27 06:01 android12-5.4 2d5d8240a7cb 07b455f9 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in ext4_search_dir
2024/04/18 19:42 android12-5.4 2d5d8240a7cb af24b050 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: use-after-free Read in ext4_search_dir
* Struck through repros no longer work on HEAD.