KASAN: use-after-free Read in ext4_find

Date	Name	Commit	Repro	Result
2024/04/29	linux-6.1.y (ToT)	f2295faba5e8	C	[report] KASAN: use-after-free Read in ext4_find_extent
2023/09/19	upstream (ToT)	2cf0f7156238	C	[report] KASAN: use-after-free Read in ext4_find_extent
2024/04/29	upstream (ToT)	e67572cd2204	C	Didn't crash

Date

Name

Commit

Repro

Result

2024/04/29

linux-6.1.y (ToT)

f2295faba5e8

[report] KASAN: use-after-free Read in ext4_find_extent

2023/09/19

upstream (ToT)

2cf0f7156238

[report] KASAN: use-after-free Read in ext4_find_extent

2024/04/29

upstream (ToT)

e67572cd2204

Didn't crash

Kernel	Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
android-5-10	KASAN: use-after-free Read in ext4_find_extent ext4	C	error	inconclusive	24	14d	696d	0/2	upstream: reported C repro on 2022/12/26 07:59
android-6-1	KASAN: use-after-free Read in ext4_find_extent missing-backport origin:lts	C	error		3	25d	522d	0/2	upstream: reported C repro on 2023/06/18 03:55
linux-5.15	KASAN: use-after-free Read in ext4_find_extent origin:lts-only	C		inconclusive	5	24d	491d	0/3	upstream: reported C repro on 2023/07/19 14:49
upstream	KASAN: use-after-free Read in ext4_find_extent ext4				2	1128d	1189d	0/28	auto-closed as invalid on 2022/02/17 05:19
android-5-15	KASAN: use-after-free Read in ext4_find_extent ext4 origin:lts	C	error		9	10d	696d	0/2	upstream: reported C repro on 2022/12/26 07:59
upstream	KASAN: use-after-free Read in ext4_find_extent (2) ext4	C	error		2	566d	691d	22/28	fixed on 2023/06/08 14:41
upstream	KASAN: use-after-free Read in ext4_find_extent (3) prio:low ext4	C	error	done	31	331d	513d	25/28	fixed on 2024/01/30 23:26
android-54	KASAN: slab-out-of-bounds Read in ext4_find_extent ext4	C			1	510d	696d	0/2	auto-obsoleted due to no activity on 2023/10/08 03:20

Created	Duration	User	Repo	Result
2024/05/17 17:59	4h15m	fix candidate	upstream	OK (1) job log
2024/04/07 08:39	1h19m	bisect fix	linux-6.1.y	OK (0) job log log
2024/03/07 21:47	58m	bisect fix	linux-6.1.y	OK (0) job log log
2024/01/29 10:24	1h33m	bisect fix	linux-6.1.y	OK (0) job log log
2023/12/27 08:41	1h00m	bisect fix	linux-6.1.y	OK (0) job log log
2023/11/26 13:38	56m	bisect fix	linux-6.1.y	OK (0) job log log
2023/10/25 09:50	1h54m	bisect fix	linux-6.1.y	OK (0) job log log

Created

Duration

User

Patch

Repo

Result

2024/05/17 17:59

4h15m

fix candidate

upstream

OK (1) job log

2024/04/07 08:39

1h19m

bisect fix

linux-6.1.y

OK (0) job log log

2024/03/07 21:47

58m

bisect fix

linux-6.1.y

OK (0) job log log

2024/01/29 10:24

1h33m

bisect fix

linux-6.1.y

OK (0) job log log

2023/12/27 08:41

1h00m

bisect fix

linux-6.1.y

OK (0) job log log

2023/11/26 13:38

56m

bisect fix

linux-6.1.y

OK (0) job log log

2023/10/25 09:50

1h54m

bisect fix

linux-6.1.y

OK (0) job log log

ext4 filesystem being mounted at /root/file1 supports timestamps until 2038 (0x7fffffff) ================================================================== BUG: KASAN: use-after-free in ext4_ext_binsearch fs/ext4/extents.c:837 [inline] BUG: KASAN: use-after-free in ext4_find_extent+0xbc4/0xdd0 fs/ext4/extents.c:953 Read of size 4 at addr ffff8880719ce89c by task syz-executor200/3550 CPU: 0 PID: 3550 Comm: syz-executor200 Not tainted 6.1.53-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106 print_address_description mm/kasan/report.c:284 [inline] print_report+0x15f/0x4f0 mm/kasan/report.c:395 kasan_report+0x136/0x160 mm/kasan/report.c:495 ext4_ext_binsearch fs/ext4/extents.c:837 [inline] ext4_find_extent+0xbc4/0xdd0 fs/ext4/extents.c:953 ext4_ext_map_blocks+0x309/0x77c0 fs/ext4/extents.c:4103 ext4_map_blocks+0xa3c/0x1ca0 fs/ext4/inode.c:651 _ext4_get_block+0x23b/0x660 fs/ext4/inode.c:798 __block_write_begin_int+0x544/0x1a30 fs/buffer.c:1991 __block_write_begin fs/buffer.c:2041 [inline] block_page_mkwrite+0x2f5/0x610 fs/buffer.c:2510 ext4_page_mkwrite+0x3b5/0x10d0 fs/ext4/inode.c:6255 do_page_mkwrite+0x1a1/0x5f0 mm/memory.c:2982 wp_page_shared+0x164/0x380 mm/memory.c:3331 handle_pte_fault mm/memory.c:5001 [inline] __handle_mm_fault mm/memory.c:5125 [inline] handle_mm_fault+0x2522/0x5330 mm/memory.c:5246 do_user_addr_fault arch/x86/mm/fault.c:1380 [inline] handle_page_fault arch/x86/mm/fault.c:1471 [inline] exc_page_fault+0x26f/0x660 arch/x86/mm/fault.c:1527 asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:570 RIP: 0033:0x7f59b6bdc60e Code: 73 00 e9 e3 f7 ff ff 66 c7 04 25 00 01 00 20 2e 00 e9 05 f8 ff ff b8 00 36 00 20 48 8d 35 d2 c3 09 00 b9 25 00 00 00 48 89 c7 <f3> 48 a5 0f b6 06 88 07 e9 15 f8 ff ff 50 b9 00 36 00 20 ba ac 04 RSP: 002b:00007ffec645e0f0 EFLAGS: 00010246 RAX: 0000000020003600 RBX: 0000000000000000 RCX: 0000000000000025 RDX: 72f620fbd449874d RSI: 00007f59b6c789d8 RDI: 0000000020003600 RBP: 0000000000000000 R08: 00007ffec645e1e0 R09: 00007ffec645e1e0 R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffec645e1e0 R13: 00007ffec645e2c0 R14: 431bde82d7b634db R15: 00007f59b6c5901d </TASK> The buggy address belongs to the physical page: page:ffffea0001c67380 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x719ce flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 ffffea0001cb7848 ffffea0001c0c308 0000000000000000 raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 0, migratetype Movable, gfp_mask 0x140cca(GFP_HIGHUSER_MOVABLE|__GFP_COMP), pid 3549, tgid 3549 (sshd), ts 50396160614, free_ts 50435179925 set_page_owner include/linux/page_owner.h:31 [inline] post_alloc_hook+0x18d/0x1b0 mm/page_alloc.c:2533 prep_new_page mm/page_alloc.c:2540 [inline] get_page_from_freelist+0x32ed/0x3480 mm/page_alloc.c:4292 __alloc_pages+0x28d/0x770 mm/page_alloc.c:5559 __folio_alloc+0xf/0x30 mm/page_alloc.c:5591 vma_alloc_folio+0x486/0x990 mm/mempolicy.c:2241 alloc_page_vma include/linux/gfp.h:284 [inline] wp_page_copy+0x292/0x17d0 mm/memory.c:3124 handle_pte_fault mm/memory.c:5001 [inline] __handle_mm_fault mm/memory.c:5125 [inline] handle_mm_fault+0x2522/0x5330 mm/memory.c:5246 do_user_addr_fault arch/x86/mm/fault.c:1380 [inline] handle_page_fault arch/x86/mm/fault.c:1471 [inline] exc_page_fault+0x26f/0x660 arch/x86/mm/fault.c:1527 asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:570 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1460 [inline] free_pcp_prepare mm/page_alloc.c:1510 [inline] free_unref_page_prepare+0xf63/0x1120 mm/page_alloc.c:3388 free_unref_page_list+0x107/0x810 mm/page_alloc.c:3530 release_pages+0x2836/0x2b40 mm/swap.c:1055 folios_put include/linux/mm.h:1206 [inline] folio_batch_move_lru+0x5ed/0x720 mm/swap.c:253 lru_add_drain_cpu+0x10a/0x610 mm/swap.c:669 lru_add_drain+0x79/0x140 mm/swap.c:773 unmap_region+0xa2/0x2f0 mm/mmap.c:2313 do_mas_align_munmap+0xe93/0x15c0 mm/mmap.c:2569 do_brk_munmap mm/mmap.c:3036 [inline] __do_sys_brk mm/mmap.c:237 [inline] __se_sys_brk+0x7fe/0xbd0 mm/mmap.c:170 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Memory state around the buggy address: ffff8880719ce780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8880719ce800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff8880719ce880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff8880719ce900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8880719ce980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ==================================================================

Crashes (1):
Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Assets (help?)	Manager	Title
2023/09/19 00:10	linux-6.1.y	09045dae0d90	0b6a67ac	.config	console log	report	syz	C		[disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2]	ci2-linux-6-1-kasan	KASAN: use-after-free Read in ext4_find_extent

Crashes (1):

Assets (help?)