| Title | Replies (including bot) | Last reply |
|---|---|---|
| [syzbot] [jfs?] KASAN: slab-use-after-free Read in jfs_readdir | 0 (2) | 2025/01/02 03:10 |
syzbot |
sign-in | mailing list | source | docs |
| Title | Replies (including bot) | Last reply |
|---|---|---|
| [syzbot] [jfs?] KASAN: slab-use-after-free Read in jfs_readdir | 0 (2) | 2025/01/02 03:10 |
| Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|
| upstream | KASAN: slab-out-of-bounds Read in jfs_readdir jfs | C | error | done | 17 | 362d | 723d | 25/28 | fixed on 2024/03/20 11:33 |
| upstream | UBSAN: array-index-out-of-bounds in jfs_readdir jfs | C | inconclusive | 89 | 26d | 278d | 28/28 | fixed on 2024/12/16 09:50 | |
| linux-5.15 | UBSAN: array-index-out-of-bounds in jfs_readdir origin:lts-only | C | error | 29 | 2d08h | 278d | 0/3 | upstream: reported C repro on 2024/04/01 00:20 | |
| linux-6.1 | UBSAN: array-index-out-of-bounds in jfs_readdir origin:upstream missing-backport | C | error | 46 | 14d | 278d | 0/3 | upstream: reported C repro on 2024/04/01 00:16 | |
| linux-4.14 | KASAN: slab-out-of-bounds Read in jfs_readdir jfs | 1 | 723d | 723d | 0/1 | upstream: reported on 2023/01/12 07:34 | |||
| linux-4.19 | KASAN: slab-out-of-bounds Read in jfs_readdir jfs | 2 | 723d | 723d | 0/1 | upstream: reported on 2023/01/12 07:27 |
================================================================== BUG: KASAN: slab-use-after-free in jfs_readdir+0x1361/0x3c50 fs/jfs/jfs_dtree.c:2869 Read of size 8 at addr ffff88807510a128 by task syz-executor140/5820 CPU: 0 UID: 0 PID: 5820 Comm: syz-executor140 Not tainted 6.13.0-rc5-syzkaller-00006-g56e6a3499e14 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x169/0x550 mm/kasan/report.c:489 kasan_report+0x143/0x180 mm/kasan/report.c:602 jfs_readdir+0x1361/0x3c50 fs/jfs/jfs_dtree.c:2869 wrap_directory_iterator+0x91/0xd0 fs/readdir.c:65 iterate_dir+0x571/0x800 fs/readdir.c:108 __do_sys_getdents fs/readdir.c:322 [inline] __se_sys_getdents+0x1fd/0x4e0 fs/readdir.c:308 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f5da6b29199 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffef1871898 EFLAGS: 00000246 ORIG_RAX: 000000000000004e RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5da6b29199 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 RBP: 0000000000000000 R08: 00007ffef18718d0 R09: 00007ffef18718d0 R10: 00007ffef18718d0 R11: 0000000000000246 R12: 00007ffef18718d0 R13: 00007ffef1871b58 R14: 431bde82d7b634db R15: 00007f5da6b7203b </TASK> Allocated by task 5820: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 unpoison_slab_object mm/kasan/common.c:319 [inline] __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:345 kasan_slab_alloc include/linux/kasan.h:250 [inline] slab_post_alloc_hook mm/slub.c:4119 [inline] slab_alloc_node mm/slub.c:4168 [inline] kmem_cache_alloc_noprof+0x1d9/0x380 mm/slub.c:4175 mempool_alloc_noprof+0x197/0x5a0 mm/mempool.c:402 alloc_metapage fs/jfs/jfs_metapage.c:182 [inline] __get_metapage+0x5f4/0xdc0 fs/jfs/jfs_metapage.c:652 dtSplitRoot+0x2af/0x1930 fs/jfs/jfs_dtree.c:1909 dtSplitUp fs/jfs/jfs_dtree.c:992 [inline] dtInsert+0x12cd/0x6c10 fs/jfs/jfs_dtree.c:870 jfs_mkdir+0x7fb/0xba0 fs/jfs/namei.c:270 vfs_mkdir+0x2f9/0x4f0 fs/namei.c:4311 do_mkdirat+0x264/0x3a0 fs/namei.c:4334 __do_sys_mkdir fs/namei.c:4354 [inline] __se_sys_mkdir fs/namei.c:4352 [inline] __x64_sys_mkdir+0x6c/0x80 fs/namei.c:4352 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 5820: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2353 [inline] slab_free mm/slub.c:4613 [inline] kmem_cache_free+0x195/0x410 mm/slub.c:4715 free_metapage fs/jfs/jfs_metapage.c:197 [inline] drop_metapage fs/jfs/jfs_metapage.c:234 [inline] release_metapage+0x831/0xa90 fs/jfs/jfs_metapage.c:784 dtReadNext fs/jfs/jfs_dtree.c:3189 [inline] jfs_readdir+0x102d/0x3c50 fs/jfs/jfs_dtree.c:2862 wrap_directory_iterator+0x91/0xd0 fs/readdir.c:65 iterate_dir+0x571/0x800 fs/readdir.c:108 __do_sys_getdents fs/readdir.c:322 [inline] __se_sys_getdents+0x1fd/0x4e0 fs/readdir.c:308 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff88807510a0f8 which belongs to the cache jfs_mp of size 184 The buggy address is located 48 bytes inside of freed 184-byte region [ffff88807510a0f8, ffff88807510a1b0) The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7510a flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) page_type: f5(slab) raw: 00fff00000000000 ffff8881476dc8c0 dead000000000122 0000000000000000 raw: 0000000000000000 0000000080100010 00000001f5000000 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2800(GFP_NOWAIT|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5820, tgid 5820 (syz-executor140), ts 62287500316, free_ts 55275390556 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1558 prep_new_page mm/page_alloc.c:1566 [inline] get_page_from_freelist+0x3651/0x37a0 mm/page_alloc.c:3476 __alloc_pages_noprof+0x292/0x710 mm/page_alloc.c:4753 alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2269 alloc_slab_page+0x6a/0x110 mm/slub.c:2423 allocate_slab+0x5a/0x2b0 mm/slub.c:2589 new_slab mm/slub.c:2642 [inline] ___slab_alloc+0xc27/0x14a0 mm/slub.c:3830 __slab_alloc+0x58/0xa0 mm/slub.c:3920 __slab_alloc_node mm/slub.c:3995 [inline] slab_alloc_node mm/slub.c:4156 [inline] kmem_cache_alloc_noprof+0x268/0x380 mm/slub.c:4175 mempool_alloc_noprof+0x197/0x5a0 mm/mempool.c:402 alloc_metapage fs/jfs/jfs_metapage.c:182 [inline] __get_metapage+0x5f4/0xdc0 fs/jfs/jfs_metapage.c:652 ea_get+0xb6f/0x12e0 fs/jfs/xattr.c:528 __jfs_setxattr+0x4ba/0x1190 fs/jfs/xattr.c:722 jfs_initxattrs+0x128/0x1d0 fs/jfs/xattr.c:1035 security_inode_init_security+0x29c/0x480 security/security.c:1847 jfs_init_security+0xa9/0x110 fs/jfs/xattr.c:1047 page last free pid 5809 tgid 5809 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1127 [inline] free_unref_page+0xd2c/0x1000 mm/page_alloc.c:2659 __folio_put+0x2b3/0x360 mm/swap.c:112 pipe_buf_release include/linux/pipe_fs_i.h:219 [inline] pipe_update_tail fs/pipe.c:224 [inline] pipe_read+0x6ed/0x13e0 fs/pipe.c:344 new_sync_read fs/read_write.c:484 [inline] vfs_read+0x991/0xb70 fs/read_write.c:565 ksys_read+0x18f/0x2b0 fs/read_write.c:708 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Memory state around the buggy address: ffff88807510a000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88807510a080: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fa >ffff88807510a100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88807510a180: fb fb fb fb fb fb fc fc fc fc fc fc fc fc 00 00 ffff88807510a200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ==================================================================
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2025/01/02 03:09 | upstream | 56e6a3499e14 | d3ccff63 | .config | strace log | report | syz / log | C | [disk image] [vmlinux] [kernel image] [mounted in repro] | ci2-upstream-fs | KASAN: slab-use-after-free Read in jfs_readdir | |
| 2025/01/02 02:01 | upstream | 56e6a3499e14 | d3ccff63 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-upstream-fs | KASAN: slab-use-after-free Read in jfs_readdir | ||
| 2025/01/02 02:00 | upstream | 56e6a3499e14 | d3ccff63 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-upstream-fs | KASAN: slab-use-after-free Read in jfs_readdir | ||
| 2024/12/24 13:56 | upstream | f07044dd0df0 | 444551c4 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-upstream-fs | KASAN: slab-use-after-free Read in jfs_readdir | ||
| 2024/12/21 09:45 | upstream | 499551201b5f | d7f584ee | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-badwrites-root | KASAN: slab-use-after-free Read in jfs_readdir | ||
| 2024/12/29 03:21 | upstream | 059dd502b263 | d3ccff63 | .config | console log | report | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-snapshot-upstream-root | KASAN: slab-use-after-free Read in jfs_readdir | |||
| 2025/01/03 13:05 | linux-next | 8155b4ef3466 | d3ccff63 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-linux-next-kasan-gce-root | KASAN: slab-use-after-free Read in jfs_readdir |