syzbot


KASAN: slab-out-of-bounds Read in dbAllocDmapLev

Status: upstream: reported C repro on 2022/12/30 09:33
Subsystems: jfs
Reported-by: syzbot+b46ab054f59083b0c64a@syzkaller.appspotmail.com
First crash: 704d, last: 640d
Similar bugs (2)

| Kernel | Title | Subsystems | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|---|
| linux-4.19 | KASAN: slab-out-of-bounds Read in dbAllocDmapLev | jfs | C | error | | 1 | 701d | 701d | 0/1 | upstream: reported C repro on 2023/01/02 11:38 |
| upstream | UBSAN: array-index-out-of-bounds in dbAllocDmapLev | jfs | C | error | | 2 | 538d | 711d | 23/28 | fixed on 2023/10/12 12:48 |
Fix bisection attempts (2)

| Created | Duration | User | Patch | Repo | Result |
|---|---|---|---|---|---|
| 2023/03/04 16:08 | 23m | bisect fix | | linux-4.14.y | OK (0) |
| 2023/02/02 15:31 | 36m | bisect fix | | linux-4.14.y | OK (0) |

Sample crash report:
==================================================================
BUG: KASAN: slab-out-of-bounds in dbAllocDmapLev+0x233/0x280 fs/jfs/jfs_dmap.c:2030
Read of size 1 at addr ffff888098a98fcd by task syz-executor331/7971

CPU: 1 PID: 7971 Comm: syz-executor331 Not tainted 4.14.302-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
 kasan_report_error.cold+0x8a/0x191 mm/kasan/report.c:351
 kasan_report mm/kasan/report.c:409 [inline]
 __asan_report_load1_noabort+0x68/0x70 mm/kasan/report.c:427
 dbAllocDmapLev+0x233/0x280 fs/jfs/jfs_dmap.c:2030
 dbAllocCtl+0x426/0x680 fs/jfs/jfs_dmap.c:1874
 dbAllocAG+0x684/0x9f0 fs/jfs/jfs_dmap.c:1415
 dbAlloc+0x415/0x980 fs/jfs/jfs_dmap.c:871
 dtSplitUp+0x316/0x47d0 fs/jfs/jfs_dtree.c:986
 dtInsert+0x77c/0x9e0 fs/jfs/jfs_dtree.c:875
 jfs_create.part.0+0x364/0x800 fs/jfs/namei.c:150
 jfs_create+0x35/0x50 fs/jfs/namei.c:90
 lookup_open+0x77a/0x1750 fs/namei.c:3241
 do_last fs/namei.c:3334 [inline]
 path_openat+0xe08/0x2970 fs/namei.c:3571
 do_filp_open+0x179/0x3c0 fs/namei.c:3605
 do_sys_open+0x296/0x410 fs/open.c:1081
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x5e/0xd3
RIP: 0033:0x7f17f07db7e9
RSP: 002b:00007ffd49983bc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f17f07db7e9
RDX: 000000000000275a RSI: 0000000020000040 RDI: 00000000ffffff9c
RBP: 00007f17f079b080 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f17f079b110
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 1:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:551
 kmem_cache_alloc+0x124/0x3c0 mm/slab.c:3552
 kmem_cache_zalloc include/linux/slab.h:651 [inline]
 get_empty_filp+0x86/0x3f0 fs/file_table.c:123
 path_openat+0x84/0x2970 fs/namei.c:3547
 do_filp_open+0x179/0x3c0 fs/namei.c:3605
 do_sys_open+0x296/0x410 fs/open.c:1081
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x5e/0xd3

Freed by task 7:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0xc3/0x1a0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3496 [inline]
 kmem_cache_free+0x7c/0x2b0 mm/slab.c:3758
 __rcu_reclaim kernel/rcu/rcu.h:195 [inline]
 rcu_do_batch kernel/rcu/tree.c:2699 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:2962 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:2929 [inline]
 rcu_process_callbacks+0x780/0x1180 kernel/rcu/tree.c:2946
 __do_softirq+0x24d/0x9ff kernel/softirq.c:288

The buggy address belongs to the object at ffff888098a98d00
 which belongs to the cache filp of size 456
The buggy address is located 261 bytes to the right of
 456-byte region [ffff888098a98d00, ffff888098a98ec8)
The buggy address belongs to the page:
page:ffffea000262a600 count:1 mapcount:0 mapping:ffff888098a98080 index:0x0
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffff888098a98080 0000000000000000 0000000100000006
raw: ffffea000262a5a0 ffffea00025fe460 ffff8880b60c9080 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888098a98e80: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
 ffff888098a98f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888098a98f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                              ^
 ffff888098a99000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888098a99080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

Crashes (1):

| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2022/12/30 09:33 | linux-4.14.y | c4215ee4771b | 44712fbc | .config | console log | report | syz | C | | [disk image] [vmlinux] [kernel image] [mounted in repro] | ci2-linux-4-14 | KASAN: slab-out-of-bounds Read in dbAllocDmapLev |