syzbot |
sign-in | mailing list | source | docs |
loop4: detected capacity change from 0 to 512 ================================================================== BUG: KASAN: use-after-free in __ext4_iget+0x2ee/0x3ee0 fs/ext4/inode.c:4835 Read of size 8 at addr ffff888070ad4d80 by task syz.4.2208/15624 CPU: 0 PID: 15624 Comm: syz.4.2208 Not tainted 6.1.109-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106 print_address_description mm/kasan/report.c:284 [inline] print_report+0x15f/0x4f0 mm/kasan/report.c:395 kasan_report+0x136/0x160 mm/kasan/report.c:495 __ext4_iget+0x2ee/0x3ee0 fs/ext4/inode.c:4835 ext4_quota_enable fs/ext4/super.c:6991 [inline] ext4_enable_quotas+0x54f/0xd40 fs/ext4/super.c:7027 __ext4_fill_super fs/ext4/super.c:5518 [inline] ext4_fill_super+0x81e6/0x8b50 fs/ext4/super.c:5664 get_tree_bdev+0x3fe/0x620 fs/super.c:1366 vfs_get_tree+0x88/0x270 fs/super.c:1573 do_new_mount+0x2ba/0xb40 fs/namespace.c:3051 do_mount fs/namespace.c:3394 [inline] __do_sys_mount fs/namespace.c:3602 [inline] __se_sys_mount+0x2d5/0x3c0 fs/namespace.c:3579 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x68/0xd2 RIP: 0033:0x7fed0577f69a Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fed064ede68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 RAX: ffffffffffffffda RBX: 00007fed064edef0 RCX: 00007fed0577f69a RDX: 00000000200004c0 RSI: 0000000020000500 RDI: 00007fed064edeb0 RBP: 00000000200004c0 R08: 00007fed064edef0 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000020000500 R13: 00007fed064edeb0 R14: 00000000000004b2 R15: 0000000020000240 </TASK> Allocated by task 14396: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x4b/0x70 mm/kasan/common.c:52 __kasan_slab_alloc+0x65/0x70 mm/kasan/common.c:328 kasan_slab_alloc include/linux/kasan.h:201 [inline] slab_post_alloc_hook+0x52/0x3a0 mm/slab.h:737 slab_alloc_node mm/slub.c:3398 [inline] slab_alloc mm/slub.c:3406 [inline] __kmem_cache_alloc_lru mm/slub.c:3413 [inline] kmem_cache_alloc_lru+0x10c/0x2d0 mm/slub.c:3429 alloc_inode_sb include/linux/fs.h:3198 [inline] f2fs_alloc_inode+0x171/0x540 fs/f2fs/super.c:1419 alloc_inode fs/inode.c:261 [inline] new_inode_pseudo+0x61/0x1d0 fs/inode.c:1055 new_inode+0x25/0x1d0 fs/inode.c:1083 f2fs_new_inode+0x11d/0x1020 fs/f2fs/namei.c:191 __f2fs_tmpfile+0xa5/0x380 fs/f2fs/namei.c:856 f2fs_create_whiteout fs/f2fs/namei.c:936 [inline] f2fs_rename fs/f2fs/namei.c:986 [inline] f2fs_rename2+0xa20/0x2940 fs/f2fs/namei.c:1325 vfs_rename+0xd32/0x10f0 fs/namei.c:4876 ovl_do_rename fs/overlayfs/overlayfs.h:297 [inline] ovl_check_rename_whiteout fs/overlayfs/super.c:1303 [inline] ovl_make_workdir fs/overlayfs/super.c:1424 [inline] ovl_get_workdir+0xaf3/0x17b0 fs/overlayfs/super.c:1539 ovl_fill_super+0x1b85/0x2a20 fs/overlayfs/super.c:2095 mount_nodev+0x52/0xe0 fs/super.c:1489 legacy_get_tree+0xeb/0x180 fs/fs_context.c:632 vfs_get_tree+0x88/0x270 fs/super.c:1573 do_new_mount+0x2ba/0xb40 fs/namespace.c:3051 do_mount fs/namespace.c:3394 [inline] __do_sys_mount fs/namespace.c:3602 [inline] __se_sys_mount+0x2d5/0x3c0 fs/namespace.c:3579 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x68/0xd2 Last potentially related work creation: kasan_save_stack+0x3b/0x60 mm/kasan/common.c:45 __kasan_record_aux_stack+0xb0/0xc0 mm/kasan/generic.c:486 call_rcu+0x163/0xa10 kernel/rcu/tree.c:2845 destroy_inode fs/inode.c:316 [inline] evict+0x87d/0x930 fs/inode.c:716 __dentry_kill+0x436/0x650 fs/dcache.c:611 dentry_kill+0xbb/0x290 dput+0xfb/0x1d0 fs/dcache.c:918 ovl_check_rename_whiteout fs/overlayfs/super.c:1320 [inline] ovl_make_workdir fs/overlayfs/super.c:1424 [inline] ovl_get_workdir+0xc91/0x17b0 fs/overlayfs/super.c:1539 ovl_fill_super+0x1b85/0x2a20 fs/overlayfs/super.c:2095 mount_nodev+0x52/0xe0 fs/super.c:1489 legacy_get_tree+0xeb/0x180 fs/fs_context.c:632 vfs_get_tree+0x88/0x270 fs/super.c:1573 do_new_mount+0x2ba/0xb40 fs/namespace.c:3051 do_mount fs/namespace.c:3394 [inline] __do_sys_mount fs/namespace.c:3602 [inline] __se_sys_mount+0x2d5/0x3c0 fs/namespace.c:3579 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x68/0xd2 Second to last potentially related work creation: kasan_save_stack+0x3b/0x60 mm/kasan/common.c:45 __kasan_record_aux_stack+0xb0/0xc0 mm/kasan/generic.c:486 call_rcu+0x163/0xa10 kernel/rcu/tree.c:2845 destroy_inode fs/inode.c:316 [inline] evict+0x87d/0x930 fs/inode.c:716 f2fs_put_super+0x61c/0xc00 fs/f2fs/super.c:1647 generic_shutdown_super+0x130/0x340 fs/super.c:501 kill_block_super+0x7a/0xe0 fs/super.c:1470 kill_f2fs_super+0x2ff/0x3c0 fs/f2fs/super.c:4674 deactivate_locked_super+0xa0/0x110 fs/super.c:332 cleanup_mnt+0x490/0x520 fs/namespace.c:1186 task_work_run+0x246/0x300 kernel/task_work.c:203 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] exit_to_user_mode_loop+0xde/0x100 kernel/entry/common.c:177 exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:210 __syscall_exit_to_user_mode_work kernel/entry/common.c:292 [inline] syscall_exit_to_user_mode+0x60/0x270 kernel/entry/common.c:303 do_syscall_64+0x47/0xb0 arch/x86/entry/common.c:87 entry_SYSCALL_64_after_hwframe+0x68/0xd2 The buggy address belongs to the object at ffff888070ad4700 which belongs to the cache f2fs_inode_cache of size 2144 The buggy address is located 1664 bytes inside of 2144-byte region [ffff888070ad4700, ffff888070ad4f60) The buggy address belongs to the physical page: page:ffffea0001c2b400 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888070ad58c0 pfn:0x70ad0 head:ffffea0001c2b400 order:3 compound_mapcount:0 compound_pincount:0 memcg:ffff888026ba7501 flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000010200 0000000000000000 dead000000000001 ffff88801c382500 raw: ffff888070ad58c0 00000000800e0009 00000001ffffffff ffff888026ba7501 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Reclaimable, gfp_mask 0x1d2050(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 4964, tgid 4963 (syz.4.320), ts 232239822733, free_ts 204177995071 set_page_owner include/linux/page_owner.h:31 [inline] post_alloc_hook+0x18d/0x1b0 mm/page_alloc.c:2517 prep_new_page mm/page_alloc.c:2524 [inline] get_page_from_freelist+0x322e/0x33b0 mm/page_alloc.c:4290 __alloc_pages+0x28d/0x770 mm/page_alloc.c:5558 alloc_slab_page+0x6a/0x150 mm/slub.c:1794 allocate_slab mm/slub.c:1939 [inline] new_slab+0x84/0x2d0 mm/slub.c:1992 ___slab_alloc+0xc20/0x1270 mm/slub.c:3180 __slab_alloc mm/slub.c:3279 [inline] slab_alloc_node mm/slub.c:3364 [inline] slab_alloc mm/slub.c:3406 [inline] __kmem_cache_alloc_lru mm/slub.c:3413 [inline] kmem_cache_alloc_lru+0x1a5/0x2d0 mm/slub.c:3429 alloc_inode_sb include/linux/fs.h:3198 [inline] f2fs_alloc_inode+0x171/0x540 fs/f2fs/super.c:1419 alloc_inode fs/inode.c:261 [inline] new_inode_pseudo+0x61/0x1d0 fs/inode.c:1055 new_inode+0x25/0x1d0 fs/inode.c:1083 f2fs_new_inode+0x11d/0x1020 fs/f2fs/namei.c:191 f2fs_mkdir+0x123/0x520 fs/f2fs/namei.c:760 vfs_mkdir+0x3b6/0x590 fs/namei.c:4108 do_mkdirat+0x225/0x360 fs/namei.c:4133 __do_sys_mkdirat fs/namei.c:4148 [inline] __se_sys_mkdirat fs/namei.c:4146 [inline] __x64_sys_mkdirat+0x85/0x90 fs/namei.c:4146 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1444 [inline] free_pcp_prepare mm/page_alloc.c:1494 [inline] free_unref_page_prepare+0xf63/0x1120 mm/page_alloc.c:3369 free_unref_page+0x33/0x3e0 mm/page_alloc.c:3464 qlink_free mm/kasan/quarantine.c:168 [inline] qlist_free_all+0x76/0xe0 mm/kasan/quarantine.c:187 kasan_quarantine_reduce+0x156/0x170 mm/kasan/quarantine.c:294 __kasan_slab_alloc+0x1f/0x70 mm/kasan/common.c:305 kasan_slab_alloc include/linux/kasan.h:201 [inline] slab_post_alloc_hook+0x52/0x3a0 mm/slab.h:737 slab_alloc_node mm/slub.c:3398 [inline] slab_alloc mm/slub.c:3406 [inline] __kmem_cache_alloc_lru mm/slub.c:3413 [inline] kmem_cache_alloc+0x10c/0x2d0 mm/slub.c:3422 kmem_cache_zalloc include/linux/slab.h:683 [inline] jbd2_alloc_handle include/linux/jbd2.h:1602 [inline] new_handle fs/jbd2/transaction.c:476 [inline] jbd2__journal_start+0x144/0x5c0 fs/jbd2/transaction.c:503 __ext4_journal_start_sb+0x19b/0x410 fs/ext4/ext4_jbd2.c:105 __ext4_journal_start fs/ext4/ext4_jbd2.h:326 [inline] ext4_dirty_inode+0x8b/0x100 fs/ext4/inode.c:6083 __mark_inode_dirty+0x331/0xf80 fs/fs-writeback.c:2433 generic_update_time fs/inode.c:1938 [inline] inode_update_time fs/inode.c:1951 [inline] __file_update_time+0x221/0x240 fs/inode.c:2139 file_update_time+0x34c/0x3c0 fs/inode.c:2170 ext4_page_mkwrite+0x1c4/0x10d0 fs/ext4/inode.c:6204 do_page_mkwrite+0x1a1/0x5f0 mm/memory.c:2992 wp_page_shared+0x164/0x380 mm/memory.c:3341 Memory state around the buggy address: ffff888070ad4c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888070ad4d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff888070ad4d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888070ad4e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888070ad4e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
---|---|---|---|---|---|---|---|---|---|---|---|---|
2024/09/12 07:26 | linux-6.1.y | 5ca5b389fddf | d94c83d8 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in __ext4_iget | ||
2024/08/01 04:59 | linux-6.1.y | c1cec4dad96b | 1e9c4cf3 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: use-after-free Read in __ext4_iget |