syzbot


KASAN: slab-use-after-free Read in ext4_convert_inline_data_nolock

Status: upstream: reported C repro on 2023/03/27 11:01
Labels: ext4 (incorrect?)
Reported-by: syzbot+db6caad9ebd2c8022b41@syzkaller.appspotmail.com
First crash: 73d, last: 21d

Cause bisection: failed (error log, bisect log)
Discussions (2)
Title Replies (including bot) Last reply
[syzbot] [ext4?] KASAN: slab-out-of-bounds Read in ext4_group_desc_csum 17 (20) 2023/04/30 02:55
[syzbot] [ext4?] KASAN: slab-use-after-free Read in ext4_convert_inline_data_nolock 0 (2) 2023/03/28 07:53
Similar bugs (2)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-5.15 KASAN: use-after-free Read in ext4_convert_inline_data_nolock origin:upstream C 1 12d 12d 0/3 upstream: reported C repro on 2023/05/21 13:36
linux-6.1 KASAN: use-after-free Read in ext4_convert_inline_data_nolock origin:upstream C 2 10d 48d 0/3 upstream: reported C repro on 2023/04/15 09:27
Fix bisection attempts (1)
Created Duration User Patch Repo Result
2023/05/12 15:44 56m bisect fix upstream job log (0) log

Sample crash report:
EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 without journal. Quota mode: none.
==================================================================
BUG: KASAN: slab-out-of-bounds in ext4_read_inline_data fs/ext4/inline.c:199 [inline]
BUG: KASAN: slab-out-of-bounds in ext4_convert_inline_data_nolock+0x31a/0xd80 fs/ext4/inline.c:1204
Read of size 20 at addr ffff88807645e1a3 by task syz-executor378/5075

CPU: 0 PID: 5075 Comm: syz-executor378 Not tainted 6.3.0-rc4-syzkaller-00025-g3a93e40326c8 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:319 [inline]
 print_report+0x163/0x540 mm/kasan/report.c:430
 kasan_report+0x176/0x1b0 mm/kasan/report.c:536
 kasan_check_range+0x283/0x290 mm/kasan/generic.c:187
 __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105
 ext4_read_inline_data fs/ext4/inline.c:199 [inline]
 ext4_convert_inline_data_nolock+0x31a/0xd80 fs/ext4/inline.c:1204
 ext4_convert_inline_data+0x4da/0x620 fs/ext4/inline.c:2065
 ext4_fallocate+0x14d/0x2050 fs/ext4/extents.c:4701
 vfs_fallocate+0x54b/0x6b0 fs/open.c:324
 ksys_fallocate fs/open.c:347 [inline]
 __do_sys_fallocate fs/open.c:355 [inline]
 __se_sys_fallocate fs/open.c:353 [inline]
 __x64_sys_fallocate+0xbd/0x100 fs/open.c:353
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fb0579425c9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 31 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffdcef99758 EFLAGS: 00000246 ORIG_RAX: 000000000000011d
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb0579425c9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
RBP: 0000000000000003 R08: 0000000000000003 R09: 0000000000000003
R10: 0000000000008000 R11: 0000000000000246 R12: 00007ffdcef99790
R13: 00007ffdcef99788 R14: 00007ffdcef99784 R15: 0000000000000003
 </TASK>

Allocated by task 5023:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4f/0x70 mm/kasan/common.c:52
 __kasan_slab_alloc+0x66/0x70 mm/kasan/common.c:328
 kasan_slab_alloc include/linux/kasan.h:186 [inline]
 slab_post_alloc_hook+0x68/0x3a0 mm/slab.h:769
 slab_alloc_node mm/slub.c:3452 [inline]
 slab_alloc mm/slub.c:3460 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3467 [inline]
 kmem_cache_alloc+0x11f/0x2e0 mm/slub.c:3476
 mt_alloc_one lib/maple_tree.c:159 [inline]
 mas_alloc_nodes+0x26e/0x780 lib/maple_tree.c:1233
 mas_node_count_gfp lib/maple_tree.c:1318 [inline]
 mas_preallocate+0x131/0x350 lib/maple_tree.c:5717
 vma_iter_prealloc mm/internal.h:972 [inline]
 __split_vma+0x1e0/0x7f0 mm/mmap.c:2177
 mprotect_fixup+0x5f5/0x920 mm/mprotect.c:663
 do_mprotect_pkey+0x8f8/0xc60 mm/mprotect.c:831
 __do_sys_mprotect mm/mprotect.c:852 [inline]
 __se_sys_mprotect mm/mprotect.c:849 [inline]
 __x64_sys_mprotect+0x80/0x90 mm/mprotect.c:849
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 5023:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4f/0x70 mm/kasan/common.c:52
 kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:521
 ____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236
 kasan_slab_free include/linux/kasan.h:162 [inline]
 slab_free_hook mm/slub.c:1781 [inline]
 slab_free_freelist_hook mm/slub.c:1807 [inline]
 slab_free mm/slub.c:3787 [inline]
 kmem_cache_free+0x297/0x520 mm/slub.c:3809
 mas_destroy+0x1bdc/0x2280 lib/maple_tree.c:5774
 mas_store_prealloc+0x351/0x460 lib/maple_tree.c:5702
 vma_complete+0x1ed/0x970 mm/mmap.c:572
 __split_vma+0x7b9/0x7f0 mm/mmap.c:2214
 mprotect_fixup+0x5f5/0x920 mm/mprotect.c:663
 do_mprotect_pkey+0x8f8/0xc60 mm/mprotect.c:831
 __do_sys_mprotect mm/mprotect.c:852 [inline]
 __se_sys_mprotect mm/mprotect.c:849 [inline]
 __x64_sys_mprotect+0x80/0x90 mm/mprotect.c:849
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff88807645e000
 which belongs to the cache maple_node of size 256
The buggy address is located 163 bytes to the right of
 allocated 256-byte region [ffff88807645e000, ffff88807645e100)

The buggy address belongs to the physical page:
page:ffffea0001d91780 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7645e
head:ffffea0001d91780 order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 ffff8880124cd000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5023, tgid 5023 (rm), ts 57145564531, free_ts 41308598324
 prep_new_page mm/page_alloc.c:2553 [inline]
 get_page_from_freelist+0x3246/0x33c0 mm/page_alloc.c:4326
 __alloc_pages+0x255/0x670 mm/page_alloc.c:5592
 alloc_slab_page+0x6a/0x160 mm/slub.c:1851
 allocate_slab mm/slub.c:1998 [inline]
 new_slab+0x84/0x2f0 mm/slub.c:2051
 ___slab_alloc+0xa85/0x10a0 mm/slub.c:3193
 __slab_alloc mm/slub.c:3292 [inline]
 __slab_alloc_node mm/slub.c:3345 [inline]
 slab_alloc_node mm/slub.c:3442 [inline]
 slab_alloc mm/slub.c:3460 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3467 [inline]
 kmem_cache_alloc+0x1b9/0x2e0 mm/slub.c:3476
 mt_alloc_one lib/maple_tree.c:159 [inline]
 mas_alloc_nodes+0x26e/0x780 lib/maple_tree.c:1233
 mas_node_count_gfp lib/maple_tree.c:1318 [inline]
 mas_preallocate+0x131/0x350 lib/maple_tree.c:5717
 vma_iter_prealloc mm/internal.h:972 [inline]
 __split_vma+0x1e0/0x7f0 mm/mmap.c:2177
 mprotect_fixup+0x5f5/0x920 mm/mprotect.c:663
 do_mprotect_pkey+0x8f8/0xc60 mm/mprotect.c:831
 __do_sys_mprotect mm/mprotect.c:852 [inline]
 __se_sys_mprotect mm/mprotect.c:849 [inline]
 __x64_sys_mprotect+0x80/0x90 mm/mprotect.c:849
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1454 [inline]
 free_pcp_prepare mm/page_alloc.c:1504 [inline]
 free_unref_page_prepare+0xe2f/0xe70 mm/page_alloc.c:3388
 free_unref_page+0x37/0x3f0 mm/page_alloc.c:3483
 discard_slab mm/slub.c:2098 [inline]
 __unfreeze_partials+0x1b1/0x1f0 mm/slub.c:2637
 put_cpu_partial+0x116/0x180 mm/slub.c:2713
 qlist_free_all+0x22/0x60 mm/kasan/quarantine.c:187
 kasan_quarantine_reduce+0x14b/0x160 mm/kasan/quarantine.c:294
 __kasan_slab_alloc+0x23/0x70 mm/kasan/common.c:305
 kasan_slab_alloc include/linux/kasan.h:186 [inline]
 slab_post_alloc_hook+0x68/0x3a0 mm/slab.h:769
 slab_alloc_node mm/slub.c:3452 [inline]
 slab_alloc mm/slub.c:3460 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3467 [inline]
 kmem_cache_alloc+0x11f/0x2e0 mm/slub.c:3476
 vm_area_alloc+0x24/0xe0 kernel/fork.c:458
 mmap_region+0xbfb/0x20c0 mm/mmap.c:2553
 do_mmap+0x8c9/0xf70 mm/mmap.c:1364
 vm_mmap_pgoff+0x1ce/0x2e0 mm/util.c:542
 ksys_mmap_pgoff+0x4f9/0x6d0 mm/mmap.c:1410
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Memory state around the buggy address:
 ffff88807645e080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88807645e100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88807645e180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                               ^
 ffff88807645e200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88807645e280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (6):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2023/03/28 07:52 upstream 3a93e40326c8 47f3aaf1 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-upstream-fs KASAN: slab-out-of-bounds Read in ext4_convert_inline_data_nolock
2023/03/28 07:26 upstream 3a93e40326c8 47f3aaf1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: slab-use-after-free Read in ext4_convert_inline_data_nolock
2023/03/21 15:03 upstream 17214b70a159 7939252e .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: slab-use-after-free Read in ext4_convert_inline_data_nolock
2023/04/12 07:34 upstream e62252bc55b6 49faf98d .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in ext4_convert_inline_data_nolock
2023/04/06 02:38 upstream 99ddf2254feb 8b834965 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in ext4_convert_inline_data_nolock
2023/03/24 20:28 upstream 1e760fa3596e 9700afae .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: slab-out-of-bounds Read in ext4_convert_inline_data_nolock
* Struck through repros no longer work on HEAD.