syzbot


KASAN: use-after-free Read in ext4_find_extent

Status: upstream: reported C repro on 2023/09/19 00:11
Bug presence: origin:upstream
Labels: missing-backport
[Documentation on labels]
Reported-by: syzbot+d51866deebd5281b2c88@syzkaller.appspotmail.com
First crash: 442d, last: 218d
Fix commit to backport (bisect log) :
tree: upstream
commit a898cb621ac589b0b9e959309689a027e765aa12
Author: Jan Kara <jack@suse.cz>
Date: Wed Feb 7 18:12:15 2024 +0000

  quota: Detect loops in quota tree

[report pending]
  
Fix bisection: the issue occurs on the latest tested release (bisect log)
Crash: KASAN: use-after-free Read in ext4_find_extent (log)
Repro: C syz .config
  
Bug presence (3)
Date Name Commit Repro Result
2024/04/29 linux-6.1.y (ToT) f2295faba5e8 C [report] KASAN: use-after-free Read in ext4_find_extent
2023/09/19 upstream (ToT) 2cf0f7156238 C [report] KASAN: use-after-free Read in ext4_find_extent
2024/04/29 upstream (ToT) e67572cd2204 C Didn't crash
Similar bugs (8)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-5-10 KASAN: use-after-free Read in ext4_find_extent ext4 C error inconclusive 25 10d 708d 0/2 upstream: reported C repro on 2022/12/26 07:59
android-6-1 KASAN: use-after-free Read in ext4_find_extent missing-backport origin:lts C error 3 37d 534d 0/2 upstream: reported C repro on 2023/06/18 03:55
linux-5.15 KASAN: use-after-free Read in ext4_find_extent origin:lts-only C inconclusive 5 36d 503d 0/3 upstream: reported C repro on 2023/07/19 14:49
upstream KASAN: use-after-free Read in ext4_find_extent ext4 2 1140d 1201d 0/28 auto-closed as invalid on 2022/02/17 05:19
android-5-15 KASAN: use-after-free Read in ext4_find_extent ext4 origin:lts C error 9 23d 708d 0/2 upstream: reported C repro on 2022/12/26 07:59
upstream KASAN: use-after-free Read in ext4_find_extent (2) ext4 C error 2 579d 703d 22/28 fixed on 2023/06/08 14:41
upstream KASAN: use-after-free Read in ext4_find_extent (3) prio:low ext4 C error done 31 343d 525d 25/28 fixed on 2024/01/30 23:26
android-54 KASAN: slab-out-of-bounds Read in ext4_find_extent ext4 C 1 522d 708d 0/2 auto-obsoleted due to no activity on 2023/10/08 03:20
Fix bisection attempts (7)
Created Duration User Patch Repo Result
2024/05/17 17:59 4h15m fix candidate upstream OK (1) job log
2024/04/07 08:39 1h19m bisect fix linux-6.1.y OK (0) job log log
2024/03/07 21:47 58m bisect fix linux-6.1.y OK (0) job log log
2024/01/29 10:24 1h33m bisect fix linux-6.1.y OK (0) job log log
2023/12/27 08:41 1h00m bisect fix linux-6.1.y OK (0) job log log
2023/11/26 13:38 56m bisect fix linux-6.1.y OK (0) job log log
2023/10/25 09:50 1h54m bisect fix linux-6.1.y OK (0) job log log

Sample crash report:
ext4 filesystem being mounted at /root/file1 supports timestamps until 2038 (0x7fffffff)
==================================================================
BUG: KASAN: use-after-free in ext4_ext_binsearch fs/ext4/extents.c:837 [inline]
BUG: KASAN: use-after-free in ext4_find_extent+0xbc4/0xdd0 fs/ext4/extents.c:953
Read of size 4 at addr ffff8880719ce89c by task syz-executor200/3550

CPU: 0 PID: 3550 Comm: syz-executor200 Not tainted 6.1.53-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:284 [inline]
 print_report+0x15f/0x4f0 mm/kasan/report.c:395
 kasan_report+0x136/0x160 mm/kasan/report.c:495
 ext4_ext_binsearch fs/ext4/extents.c:837 [inline]
 ext4_find_extent+0xbc4/0xdd0 fs/ext4/extents.c:953
 ext4_ext_map_blocks+0x309/0x77c0 fs/ext4/extents.c:4103
 ext4_map_blocks+0xa3c/0x1ca0 fs/ext4/inode.c:651
 _ext4_get_block+0x23b/0x660 fs/ext4/inode.c:798
 __block_write_begin_int+0x544/0x1a30 fs/buffer.c:1991
 __block_write_begin fs/buffer.c:2041 [inline]
 block_page_mkwrite+0x2f5/0x610 fs/buffer.c:2510
 ext4_page_mkwrite+0x3b5/0x10d0 fs/ext4/inode.c:6255
 do_page_mkwrite+0x1a1/0x5f0 mm/memory.c:2982
 wp_page_shared+0x164/0x380 mm/memory.c:3331
 handle_pte_fault mm/memory.c:5001 [inline]
 __handle_mm_fault mm/memory.c:5125 [inline]
 handle_mm_fault+0x2522/0x5330 mm/memory.c:5246
 do_user_addr_fault arch/x86/mm/fault.c:1380 [inline]
 handle_page_fault arch/x86/mm/fault.c:1471 [inline]
 exc_page_fault+0x26f/0x660 arch/x86/mm/fault.c:1527
 asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:570
RIP: 0033:0x7f59b6bdc60e
Code: 73 00 e9 e3 f7 ff ff 66 c7 04 25 00 01 00 20 2e 00 e9 05 f8 ff ff b8 00 36 00 20 48 8d 35 d2 c3 09 00 b9 25 00 00 00 48 89 c7 <f3> 48 a5 0f b6 06 88 07 e9 15 f8 ff ff 50 b9 00 36 00 20 ba ac 04
RSP: 002b:00007ffec645e0f0 EFLAGS: 00010246
RAX: 0000000020003600 RBX: 0000000000000000 RCX: 0000000000000025
RDX: 72f620fbd449874d RSI: 00007f59b6c789d8 RDI: 0000000020003600
RBP: 0000000000000000 R08: 00007ffec645e1e0 R09: 00007ffec645e1e0
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffec645e1e0
R13: 00007ffec645e2c0 R14: 431bde82d7b634db R15: 00007f59b6c5901d
 </TASK>

The buggy address belongs to the physical page:
page:ffffea0001c67380 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x719ce
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea0001cb7848 ffffea0001c0c308 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x140cca(GFP_HIGHUSER_MOVABLE|__GFP_COMP), pid 3549, tgid 3549 (sshd), ts 50396160614, free_ts 50435179925
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x18d/0x1b0 mm/page_alloc.c:2533
 prep_new_page mm/page_alloc.c:2540 [inline]
 get_page_from_freelist+0x32ed/0x3480 mm/page_alloc.c:4292
 __alloc_pages+0x28d/0x770 mm/page_alloc.c:5559
 __folio_alloc+0xf/0x30 mm/page_alloc.c:5591
 vma_alloc_folio+0x486/0x990 mm/mempolicy.c:2241
 alloc_page_vma include/linux/gfp.h:284 [inline]
 wp_page_copy+0x292/0x17d0 mm/memory.c:3124
 handle_pte_fault mm/memory.c:5001 [inline]
 __handle_mm_fault mm/memory.c:5125 [inline]
 handle_mm_fault+0x2522/0x5330 mm/memory.c:5246
 do_user_addr_fault arch/x86/mm/fault.c:1380 [inline]
 handle_page_fault arch/x86/mm/fault.c:1471 [inline]
 exc_page_fault+0x26f/0x660 arch/x86/mm/fault.c:1527
 asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:570
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1460 [inline]
 free_pcp_prepare mm/page_alloc.c:1510 [inline]
 free_unref_page_prepare+0xf63/0x1120 mm/page_alloc.c:3388
 free_unref_page_list+0x107/0x810 mm/page_alloc.c:3530
 release_pages+0x2836/0x2b40 mm/swap.c:1055
 folios_put include/linux/mm.h:1206 [inline]
 folio_batch_move_lru+0x5ed/0x720 mm/swap.c:253
 lru_add_drain_cpu+0x10a/0x610 mm/swap.c:669
 lru_add_drain+0x79/0x140 mm/swap.c:773
 unmap_region+0xa2/0x2f0 mm/mmap.c:2313
 do_mas_align_munmap+0xe93/0x15c0 mm/mmap.c:2569
 do_brk_munmap mm/mmap.c:3036 [inline]
 __do_sys_brk mm/mmap.c:237 [inline]
 __se_sys_brk+0x7fe/0xbd0 mm/mmap.c:170
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Memory state around the buggy address:
 ffff8880719ce780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8880719ce800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8880719ce880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                            ^
 ffff8880719ce900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8880719ce980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2023/09/19 00:10 linux-6.1.y 09045dae0d90 0b6a67ac .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] ci2-linux-6-1-kasan KASAN: use-after-free Read in ext4_find_extent
* Struck through repros no longer work on HEAD.