syzbot


KASAN: use-after-free Read in __ext4_iget

Status: upstream: reported on 2024/08/01 05:00
Reported-by: syzbot+bcd4b927df3621d9fea9@syzkaller.appspotmail.com
First crash: 112d, last: 70d
Similar bugs (8)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-5.15 KASAN: use-after-free Read in __ext4_iget 12 23d 295d 0/3 upstream: reported on 2024/01/31 03:06
upstream KASAN: slab-use-after-free Read in __ext4_iget fs reiserfs 278 296d 533d 0/28 auto-obsoleted due to no activity on 2024/04/09 13:42
android-5-15 KASAN: use-after-free Read in __ext4_iget origin:lts syz 98 21h31m 512d 0/2 premoderation: reported syz repro on 2023/06/28 10:27
linux-5.15 KASAN: slab-out-of-bounds Read in __ext4_iget 6 400d 444d 0/3 auto-obsoleted due to no activity on 2024/01/25 22:09
android-54 KASAN: use-after-free Read in __ext4_iget 13 272d 479d 0/2 auto-obsoleted due to no activity on 2024/05/22 19:07
android-5-10 KASAN: use-after-free Read in __ext4_iget syz 112 2d00h 512d 0/2 premoderation: reported syz repro on 2023/06/28 15:01
android-54 KASAN: use-after-free Read in __ext4_iget (2) 4 155d 173d 0/2 auto-obsoleted due to no activity on 2024/09/17 10:19
linux-6.1 KASAN: slab-out-of-bounds Read in __ext4_iget 14 234d 490d 0/3 auto-obsoleted due to no activity on 2024/07/09 19:10

Sample crash report:
loop4: detected capacity change from 0 to 512
==================================================================
BUG: KASAN: use-after-free in __ext4_iget+0x2ee/0x3ee0 fs/ext4/inode.c:4835
Read of size 8 at addr ffff888070ad4d80 by task syz.4.2208/15624

CPU: 0 PID: 15624 Comm: syz.4.2208 Not tainted 6.1.109-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:284 [inline]
 print_report+0x15f/0x4f0 mm/kasan/report.c:395
 kasan_report+0x136/0x160 mm/kasan/report.c:495
 __ext4_iget+0x2ee/0x3ee0 fs/ext4/inode.c:4835
 ext4_quota_enable fs/ext4/super.c:6991 [inline]
 ext4_enable_quotas+0x54f/0xd40 fs/ext4/super.c:7027
 __ext4_fill_super fs/ext4/super.c:5518 [inline]
 ext4_fill_super+0x81e6/0x8b50 fs/ext4/super.c:5664
 get_tree_bdev+0x3fe/0x620 fs/super.c:1366
 vfs_get_tree+0x88/0x270 fs/super.c:1573
 do_new_mount+0x2ba/0xb40 fs/namespace.c:3051
 do_mount fs/namespace.c:3394 [inline]
 __do_sys_mount fs/namespace.c:3602 [inline]
 __se_sys_mount+0x2d5/0x3c0 fs/namespace.c:3579
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7fed0577f69a
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fed064ede68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007fed064edef0 RCX: 00007fed0577f69a
RDX: 00000000200004c0 RSI: 0000000020000500 RDI: 00007fed064edeb0
RBP: 00000000200004c0 R08: 00007fed064edef0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000020000500
R13: 00007fed064edeb0 R14: 00000000000004b2 R15: 0000000020000240
 </TASK>

Allocated by task 14396:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
 __kasan_slab_alloc+0x65/0x70 mm/kasan/common.c:328
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook+0x52/0x3a0 mm/slab.h:737
 slab_alloc_node mm/slub.c:3398 [inline]
 slab_alloc mm/slub.c:3406 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3413 [inline]
 kmem_cache_alloc_lru+0x10c/0x2d0 mm/slub.c:3429
 alloc_inode_sb include/linux/fs.h:3198 [inline]
 f2fs_alloc_inode+0x171/0x540 fs/f2fs/super.c:1419
 alloc_inode fs/inode.c:261 [inline]
 new_inode_pseudo+0x61/0x1d0 fs/inode.c:1055
 new_inode+0x25/0x1d0 fs/inode.c:1083
 f2fs_new_inode+0x11d/0x1020 fs/f2fs/namei.c:191
 __f2fs_tmpfile+0xa5/0x380 fs/f2fs/namei.c:856
 f2fs_create_whiteout fs/f2fs/namei.c:936 [inline]
 f2fs_rename fs/f2fs/namei.c:986 [inline]
 f2fs_rename2+0xa20/0x2940 fs/f2fs/namei.c:1325
 vfs_rename+0xd32/0x10f0 fs/namei.c:4876
 ovl_do_rename fs/overlayfs/overlayfs.h:297 [inline]
 ovl_check_rename_whiteout fs/overlayfs/super.c:1303 [inline]
 ovl_make_workdir fs/overlayfs/super.c:1424 [inline]
 ovl_get_workdir+0xaf3/0x17b0 fs/overlayfs/super.c:1539
 ovl_fill_super+0x1b85/0x2a20 fs/overlayfs/super.c:2095
 mount_nodev+0x52/0xe0 fs/super.c:1489
 legacy_get_tree+0xeb/0x180 fs/fs_context.c:632
 vfs_get_tree+0x88/0x270 fs/super.c:1573
 do_new_mount+0x2ba/0xb40 fs/namespace.c:3051
 do_mount fs/namespace.c:3394 [inline]
 __do_sys_mount fs/namespace.c:3602 [inline]
 __se_sys_mount+0x2d5/0x3c0 fs/namespace.c:3579
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2

Last potentially related work creation:
 kasan_save_stack+0x3b/0x60 mm/kasan/common.c:45
 __kasan_record_aux_stack+0xb0/0xc0 mm/kasan/generic.c:486
 call_rcu+0x163/0xa10 kernel/rcu/tree.c:2845
 destroy_inode fs/inode.c:316 [inline]
 evict+0x87d/0x930 fs/inode.c:716
 __dentry_kill+0x436/0x650 fs/dcache.c:611
 dentry_kill+0xbb/0x290
 dput+0xfb/0x1d0 fs/dcache.c:918
 ovl_check_rename_whiteout fs/overlayfs/super.c:1320 [inline]
 ovl_make_workdir fs/overlayfs/super.c:1424 [inline]
 ovl_get_workdir+0xc91/0x17b0 fs/overlayfs/super.c:1539
 ovl_fill_super+0x1b85/0x2a20 fs/overlayfs/super.c:2095
 mount_nodev+0x52/0xe0 fs/super.c:1489
 legacy_get_tree+0xeb/0x180 fs/fs_context.c:632
 vfs_get_tree+0x88/0x270 fs/super.c:1573
 do_new_mount+0x2ba/0xb40 fs/namespace.c:3051
 do_mount fs/namespace.c:3394 [inline]
 __do_sys_mount fs/namespace.c:3602 [inline]
 __se_sys_mount+0x2d5/0x3c0 fs/namespace.c:3579
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2

Second to last potentially related work creation:
 kasan_save_stack+0x3b/0x60 mm/kasan/common.c:45
 __kasan_record_aux_stack+0xb0/0xc0 mm/kasan/generic.c:486
 call_rcu+0x163/0xa10 kernel/rcu/tree.c:2845
 destroy_inode fs/inode.c:316 [inline]
 evict+0x87d/0x930 fs/inode.c:716
 f2fs_put_super+0x61c/0xc00 fs/f2fs/super.c:1647
 generic_shutdown_super+0x130/0x340 fs/super.c:501
 kill_block_super+0x7a/0xe0 fs/super.c:1470
 kill_f2fs_super+0x2ff/0x3c0 fs/f2fs/super.c:4674
 deactivate_locked_super+0xa0/0x110 fs/super.c:332
 cleanup_mnt+0x490/0x520 fs/namespace.c:1186
 task_work_run+0x246/0x300 kernel/task_work.c:203
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 exit_to_user_mode_loop+0xde/0x100 kernel/entry/common.c:177
 exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:210
 __syscall_exit_to_user_mode_work kernel/entry/common.c:292 [inline]
 syscall_exit_to_user_mode+0x60/0x270 kernel/entry/common.c:303
 do_syscall_64+0x47/0xb0 arch/x86/entry/common.c:87
 entry_SYSCALL_64_after_hwframe+0x68/0xd2

The buggy address belongs to the object at ffff888070ad4700
 which belongs to the cache f2fs_inode_cache of size 2144
The buggy address is located 1664 bytes inside of
 2144-byte region [ffff888070ad4700, ffff888070ad4f60)

The buggy address belongs to the physical page:
page:ffffea0001c2b400 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888070ad58c0 pfn:0x70ad0
head:ffffea0001c2b400 order:3 compound_mapcount:0 compound_pincount:0
memcg:ffff888026ba7501
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 0000000000000000 dead000000000001 ffff88801c382500
raw: ffff888070ad58c0 00000000800e0009 00000001ffffffff ffff888026ba7501
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Reclaimable, gfp_mask 0x1d2050(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 4964, tgid 4963 (syz.4.320), ts 232239822733, free_ts 204177995071
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x18d/0x1b0 mm/page_alloc.c:2517
 prep_new_page mm/page_alloc.c:2524 [inline]
 get_page_from_freelist+0x322e/0x33b0 mm/page_alloc.c:4290
 __alloc_pages+0x28d/0x770 mm/page_alloc.c:5558
 alloc_slab_page+0x6a/0x150 mm/slub.c:1794
 allocate_slab mm/slub.c:1939 [inline]
 new_slab+0x84/0x2d0 mm/slub.c:1992
 ___slab_alloc+0xc20/0x1270 mm/slub.c:3180
 __slab_alloc mm/slub.c:3279 [inline]
 slab_alloc_node mm/slub.c:3364 [inline]
 slab_alloc mm/slub.c:3406 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3413 [inline]
 kmem_cache_alloc_lru+0x1a5/0x2d0 mm/slub.c:3429
 alloc_inode_sb include/linux/fs.h:3198 [inline]
 f2fs_alloc_inode+0x171/0x540 fs/f2fs/super.c:1419
 alloc_inode fs/inode.c:261 [inline]
 new_inode_pseudo+0x61/0x1d0 fs/inode.c:1055
 new_inode+0x25/0x1d0 fs/inode.c:1083
 f2fs_new_inode+0x11d/0x1020 fs/f2fs/namei.c:191
 f2fs_mkdir+0x123/0x520 fs/f2fs/namei.c:760
 vfs_mkdir+0x3b6/0x590 fs/namei.c:4108
 do_mkdirat+0x225/0x360 fs/namei.c:4133
 __do_sys_mkdirat fs/namei.c:4148 [inline]
 __se_sys_mkdirat fs/namei.c:4146 [inline]
 __x64_sys_mkdirat+0x85/0x90 fs/namei.c:4146
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1444 [inline]
 free_pcp_prepare mm/page_alloc.c:1494 [inline]
 free_unref_page_prepare+0xf63/0x1120 mm/page_alloc.c:3369
 free_unref_page+0x33/0x3e0 mm/page_alloc.c:3464
 qlink_free mm/kasan/quarantine.c:168 [inline]
 qlist_free_all+0x76/0xe0 mm/kasan/quarantine.c:187
 kasan_quarantine_reduce+0x156/0x170 mm/kasan/quarantine.c:294
 __kasan_slab_alloc+0x1f/0x70 mm/kasan/common.c:305
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook+0x52/0x3a0 mm/slab.h:737
 slab_alloc_node mm/slub.c:3398 [inline]
 slab_alloc mm/slub.c:3406 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3413 [inline]
 kmem_cache_alloc+0x10c/0x2d0 mm/slub.c:3422
 kmem_cache_zalloc include/linux/slab.h:683 [inline]
 jbd2_alloc_handle include/linux/jbd2.h:1602 [inline]
 new_handle fs/jbd2/transaction.c:476 [inline]
 jbd2__journal_start+0x144/0x5c0 fs/jbd2/transaction.c:503
 __ext4_journal_start_sb+0x19b/0x410 fs/ext4/ext4_jbd2.c:105
 __ext4_journal_start fs/ext4/ext4_jbd2.h:326 [inline]
 ext4_dirty_inode+0x8b/0x100 fs/ext4/inode.c:6083
 __mark_inode_dirty+0x331/0xf80 fs/fs-writeback.c:2433
 generic_update_time fs/inode.c:1938 [inline]
 inode_update_time fs/inode.c:1951 [inline]
 __file_update_time+0x221/0x240 fs/inode.c:2139
 file_update_time+0x34c/0x3c0 fs/inode.c:2170
 ext4_page_mkwrite+0x1c4/0x10d0 fs/ext4/inode.c:6204
 do_page_mkwrite+0x1a1/0x5f0 mm/memory.c:2992
 wp_page_shared+0x164/0x380 mm/memory.c:3341

Memory state around the buggy address:
 ffff888070ad4c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888070ad4d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888070ad4d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff888070ad4e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888070ad4e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (2):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2024/09/12 07:26 linux-6.1.y 5ca5b389fddf d94c83d8 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in __ext4_iget
2024/08/01 04:59 linux-6.1.y c1cec4dad96b 1e9c4cf3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in __ext4_iget
* Struck through repros no longer work on HEAD.