KASAN: slab-use-after-free Read in dtSearch

Title	Replies (including bot)	Last reply
[syzbot] [jfs?] KASAN: slab-use-after-free Read in dtSearch	0 (1)	2024/04/29 00:37

Title

Replies (including bot)

Last reply

[syzbot] [jfs?] KASAN: slab-use-after-free Read in dtSearch

0 (1)

2024/04/29 00:37

Kernel	Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
upstream	KASAN: slab-out-of-bounds Read in dtSearch jfs	C	error	done	33	136d	600d	26/26	fixed on 2024/02/13 12:02
linux-4.14	KASAN: slab-out-of-bounds Read in dtSearch jfs	C			2	442d	600d	0/1	upstream: reported C repro on 2022/09/24 21:35
linux-5.15	KASAN: slab-out-of-bounds Read in dtSearch origin:upstream	C			5	19d	19d	0/3	upstream: reported C repro on 2024/04/28 11:04
linux-4.19	KASAN: slab-out-of-bounds Read in dtSearch	C		error	1	600d	600d	0/1	upstream: reported C repro on 2022/09/24 21:36

loop0: detected capacity change from 0 to 32768 ================================================================== BUG: KASAN: slab-out-of-bounds in dtCompare fs/jfs/jfs_dtree.c:3315 [inline] BUG: KASAN: slab-out-of-bounds in dtSearch+0x1664/0x2520 fs/jfs/jfs_dtree.c:649 Read of size 1 at addr ffff888077222498 by task syz-executor129/5079 CPU: 1 PID: 5079 Comm: syz-executor129 Not tainted 6.9.0-rc5-syzkaller-00042-ge88c4cfcb7b8 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 dtCompare fs/jfs/jfs_dtree.c:3315 [inline] dtSearch+0x1664/0x2520 fs/jfs/jfs_dtree.c:649 jfs_lookup+0x17f/0x410 fs/jfs/namei.c:1461 lookup_open fs/namei.c:3475 [inline] open_last_lookups fs/namei.c:3566 [inline] path_openat+0x1033/0x3240 fs/namei.c:3796 do_filp_open+0x235/0x490 fs/namei.c:3826 do_sys_openat2+0x13e/0x1d0 fs/open.c:1406 do_sys_open fs/open.c:1421 [inline] __do_sys_creat fs/open.c:1497 [inline] __se_sys_creat fs/open.c:1491 [inline] __x64_sys_creat+0x123/0x170 fs/open.c:1491 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f5f2a737639 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fff3ca43838 EFLAGS: 00000246 ORIG_RAX: 0000000000000055 RAX: ffffffffffffffda RBX: 00007fff3ca43a18 RCX: 00007f5f2a737639 RDX: 00007f5f2a737639 RSI: 0000000000000000 RDI: 0000000020000000 RBP: 00007f5f2a7b0610 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000006152 R11: 0000000000000246 R12: 0000000000000001 R13: 00007fff3ca43a08 R14: 0000000000000001 R15: 0000000000000001 </TASK> The buggy address belongs to the object at ffff888077221bc0 which belongs to the cache jfs_ip of size 2240 The buggy address is located 24 bytes to the right of allocated 2240-byte region [ffff888077221bc0, ffff888077222480) The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x77220 head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0xfff80000000840(slab|head|node=0|zone=1|lastcpupid=0xfff) page_type: 0xffffffff() raw: 00fff80000000840 ffff88801a7f1140 dead000000000122 0000000000000000 raw: 0000000000000000 00000000800d000d 00000001ffffffff 0000000000000000 head: 00fff80000000840 ffff88801a7f1140 dead000000000122 0000000000000000 head: 0000000000000000 00000000800d000d 00000001ffffffff 0000000000000000 head: 00fff80000000003 ffffea0001dc8801 dead000000000122 00000000ffffffff head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Reclaimable, gfp_mask 0xd2050(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_RECLAIMABLE), pid 5079, tgid 1143321743 (syz-executor129), ts 5079, free_ts 26577297598 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x1ea/0x210 mm/page_alloc.c:1534 prep_new_page mm/page_alloc.c:1541 [inline] get_page_from_freelist+0x3410/0x35b0 mm/page_alloc.c:3317 __alloc_pages+0x256/0x6c0 mm/page_alloc.c:4575 __alloc_pages_node include/linux/gfp.h:238 [inline] alloc_pages_node include/linux/gfp.h:261 [inline] alloc_slab_page+0x5f/0x160 mm/slub.c:2175 allocate_slab mm/slub.c:2338 [inline] new_slab+0x84/0x2f0 mm/slub.c:2391 ___slab_alloc+0xc73/0x1260 mm/slub.c:3525 __slab_alloc mm/slub.c:3610 [inline] __slab_alloc_node mm/slub.c:3663 [inline] slab_alloc_node mm/slub.c:3835 [inline] kmem_cache_alloc_lru+0x253/0x350 mm/slub.c:3864 alloc_inode_sb include/linux/fs.h:3091 [inline] jfs_alloc_inode+0x28/0x70 fs/jfs/super.c:105 alloc_inode fs/inode.c:261 [inline] new_inode_pseudo+0x69/0x1e0 fs/inode.c:1007 new_inode+0x22/0x1d0 fs/inode.c:1033 diReadSpecial+0x52/0x680 fs/jfs/jfs_imap.c:423 jfs_mount+0x28b/0x830 fs/jfs/jfs_mount.c:138 jfs_fill_super+0x59c/0xc50 fs/jfs/super.c:556 mount_bdev+0x20a/0x2d0 fs/super.c:1658 legacy_get_tree+0xee/0x190 fs/fs_context.c:662 vfs_get_tree+0x90/0x2a0 fs/super.c:1779 page last free pid 1 tgid 1 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1141 [inline] free_unref_page_prepare+0x97b/0xaa0 mm/page_alloc.c:2347 free_unref_page+0x37/0x3f0 mm/page_alloc.c:2487 free_contig_range+0x9e/0x160 mm/page_alloc.c:6572 destroy_args+0x8a/0x890 mm/debug_vm_pgtable.c:1036 debug_vm_pgtable+0x4be/0x550 mm/debug_vm_pgtable.c:1416 do_one_initcall+0x248/0x880 init/main.c:1245 do_initcall_level+0x157/0x210 init/main.c:1307 do_initcalls+0x3f/0x80 init/main.c:1323 kernel_init_freeable+0x435/0x5d0 init/main.c:1555 kernel_init+0x1d/0x2b0 init/main.c:1444 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Memory state around the buggy address: ffff888077222380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888077222400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888077222480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff888077222500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888077222580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ==================================================================

Crashes (15):
Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Assets (help?)	Manager	Title
2024/04/25 03:07	upstream	e88c4cfcb7b8	8bdc0f22	.config	strace log	report	syz	C		[disk image] [vmlinux] [kernel image] [mounted in repro]	ci2-upstream-fs	KASAN: slab-out-of-bounds Read in dtSearch
2024/04/25 02:43	upstream	e88c4cfcb7b8	8bdc0f22	.config	strace log	report	syz	C		[disk image] [vmlinux] [kernel image] [mounted in repro]	ci-upstream-kasan-gce-root	KASAN: slab-out-of-bounds Read in dtSearch
2024/05/04 16:48	git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci	78186bd77b47	610f2a54	.config	console log	report	syz	C		[disk image] [vmlinux] [kernel image] [mounted in repro]	ci-upstream-gce-arm64	KASAN: slab-out-of-bounds Read in dtSearch
2024/05/12 22:08	upstream	ba16c1cf11c9	9026e142	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kasan-gce-selinux-root	KASAN: slab-use-after-free Read in dtSearch
2024/05/06 15:08	upstream	dd5a440a31fa	d884b519	.config	console log	report			info	[disk image (non-bootable)] [vmlinux] [kernel image]	ci-qemu-upstream-386	KASAN: slab-use-after-free Read in dtSearch
2024/04/25 00:28	upstream	e88c4cfcb7b8	a604cf37	.config	console log	report			info	[disk image (non-bootable)] [vmlinux] [kernel image]	ci-qemu-upstream-386	KASAN: slab-use-after-free Read in dtSearch
2024/05/09 06:44	git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci	1c9135d29e9e	20bf80e1	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-gce-arm64	KASAN: slab-use-after-free Read in dtSearch
2024/05/16 03:37	upstream	1b294a1f3561	0b3dad46	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kasan-gce-smack-root	KASAN: slab-out-of-bounds Read in dtSearch
2024/05/12 23:30	upstream	ba16c1cf11c9	9026e142	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kmsan-gce-root	KMSAN: uninit-value in dtSearch
2024/05/09 09:54	upstream	6d7ddd805123	20bf80e1	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kasan-gce-root	KASAN: slab-out-of-bounds Read in dtSearch
2024/04/30 05:22	upstream	9e4bc4bcae01	27e33c58	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kasan-gce-root	KASAN: slab-out-of-bounds Read in dtSearch
2024/04/25 02:10	upstream	e88c4cfcb7b8	8bdc0f22	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kasan-gce-root	KASAN: slab-out-of-bounds Read in dtSearch
2024/04/25 01:57	upstream	e88c4cfcb7b8	8bdc0f22	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kmsan-gce-root	KMSAN: uninit-value in dtSearch
2024/05/15 08:23	upstream	101b7a97143a	fdb4c10c	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kmsan-gce-386-root	KMSAN: uninit-value in dtSearch
2024/05/01 02:33	upstream	50dffbf77180	9e0e6af1	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kmsan-gce-386-root	KMSAN: uninit-value in dtSearch

Crashes (15):

Assets (help?)

2024/04/25 03:07

upstream