syzbot
KASAN: slab-use-after-free Read in ext4_convert_inline_data_nolock

Status: fixed on 2024/02/03 12:44
Subsystems: ext4
Reported-by: syzbot+db6caad9ebd2c8022b41@syzkaller.appspotmail.com
Fix commit: 6f861765464f fs: Block writes to mounted block devices
First crash: 395d, last: 113d
Cause bisection: failed (error log, bisect log)
Fix bisection: fixed by (bisect log) :
commit 6f861765464f43a71462d52026fbddfc858239a5
Author: Jan Kara <jack@suse.cz>
Date: Wed Nov 1 17:43:10 2023 +0000

  fs: Block writes to mounted block devices

  
Discussions (3)
Title Replies (including bot) Last reply
[syzbot] [ext4?] KASAN: slab-use-after-free Read in ext4_convert_inline_data_nolock 1 (4) 2024/02/01 09:18
[syzbot] Monthly ext4 report (Sep 2023) 0 (1) 2023/09/07 09:25
[syzbot] [ext4?] KASAN: slab-out-of-bounds Read in ext4_group_desc_csum 17 (20) 2023/04/30 02:55
Similar bugs (2)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-5.15 KASAN: use-after-free Read in ext4_convert_inline_data_nolock origin:upstream C 1 30d 335d 0/3 upstream: reported C repro on 2023/05/21 13:36
linux-6.1 KASAN: use-after-free Read in ext4_convert_inline_data_nolock origin:upstream C 2 29d 371d 0/3 upstream: reported C repro on 2023/04/15 09:27
Last patch testing requests (5)
Created Duration User Patch Repo Result
2023/11/28 22:53 14m retest repro upstream report log
2023/10/08 01:12 10m retest repro upstream report log
2023/09/19 20:15 14m retest repro upstream report log
2023/07/19 09:56 0m nogikh@google.com patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 0ecfebd2b52404ae0c54a878c872bb93363ada36 error OK
2023/07/19 09:43 46m nogikh@google.com https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 0ecfebd2b52404ae0c54a878c872bb93363ada36 error OK
Fix bisection attempts (6)
Created Duration User Patch Repo Result
2024/02/01 04:37 3h41m bisect fix upstream job log (1)
2023/12/29 02:43 1h08m bisect fix upstream job log (0) log
2023/11/08 02:16 2h03m bisect fix upstream job log (0) log
2023/07/26 12:41 3h13m (2) bisect fix upstream job log (0) log
2023/06/12 10:36 37m bisect fix upstream job log (0) log
2023/05/12 15:44 56m bisect fix upstream job log (0) log
Cause bisection attempts (2)
Created Duration User Patch Repo Result
2023/07/17 08:51 4h13m bisect upstream error job log (0)
2023/03/28 08:18 8h22m bisect upstream error job log (0)
marked invalid by spm@google.com

Sample crash report:
syz-executor734[5027]: memfd_create() called without MFD_EXEC or MFD_NOEXEC_SEAL set
loop0: detected capacity change from 0 to 2048
EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none.
==================================================================
BUG: KASAN: slab-use-after-free in ext4_read_inline_data fs/ext4/inline.c:209 [inline]
BUG: KASAN: slab-use-after-free in ext4_convert_inline_data_nolock+0x31a/0xd80 fs/ext4/inline.c:1188
Read of size 20 at addr ffff8880254ad1a3 by task syz-executor734/5027

CPU: 1 PID: 5027 Comm: syz-executor734 Not tainted 6.5.0-syzkaller-11704-g3f86ed6ec0b3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:364 [inline]
 print_report+0x163/0x540 mm/kasan/report.c:475
 kasan_report+0x175/0x1b0 mm/kasan/report.c:588
 kasan_check_range+0x27e/0x290 mm/kasan/generic.c:187
 __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105
 ext4_read_inline_data fs/ext4/inline.c:209 [inline]
 ext4_convert_inline_data_nolock+0x31a/0xd80 fs/ext4/inline.c:1188
 ext4_convert_inline_data+0x4da/0x620 fs/ext4/inline.c:2041
 ext4_fallocate+0x14f/0x1f50 fs/ext4/extents.c:4700
 vfs_fallocate+0x551/0x6b0 fs/open.c:324
 ksys_fallocate fs/open.c:347 [inline]
 __do_sys_fallocate fs/open.c:355 [inline]
 __se_sys_fallocate fs/open.c:353 [inline]
 __x64_sys_fallocate+0xbd/0x100 fs/open.c:353
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fd7f56f7ed9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc2daf53c8 EFLAGS: 00000246 ORIG_RAX: 000000000000011d
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fd7f56f7ed9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
RBP: 00007fd7f576c5f0 R08: 00005555565c34c0 R09: 00005555565c34c0
R10: 0000000000008000 R11: 0000000000000246 R12: 00007ffc2daf53f0
R13: 00007ffc2daf5618 R14: 431bde82d7b634db R15: 00007fd7f574103b
 </TASK>

Allocated by task 4921:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4f/0x70 mm/kasan/common.c:52
 __kasan_slab_alloc+0x66/0x70 mm/kasan/common.c:328
 kasan_slab_alloc include/linux/kasan.h:186 [inline]
 slab_post_alloc_hook+0x6c/0x3b0 mm/slab.h:762
 slab_alloc_node mm/slub.c:3478 [inline]
 slab_alloc mm/slub.c:3486 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3493 [inline]
 kmem_cache_alloc+0x123/0x300 mm/slub.c:3502
 vm_area_dup+0x27/0x280 kernel/fork.c:500
 dup_mmap kernel/fork.c:710 [inline]
 dup_mm kernel/fork.c:1686 [inline]
 copy_mm+0xcea/0x1f10 kernel/fork.c:1735
 copy_process+0x1a0f/0x4290 kernel/fork.c:2501
 kernel_clone+0x22d/0x7b0 kernel/fork.c:2909
 __do_sys_clone kernel/fork.c:3052 [inline]
 __se_sys_clone kernel/fork.c:3036 [inline]
 __x64_sys_clone+0x258/0x2a0 kernel/fork.c:3036
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 4922:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4f/0x70 mm/kasan/common.c:52
 kasan_save_free_info+0x28/0x40 mm/kasan/generic.c:522
 ____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236
 kasan_slab_free include/linux/kasan.h:162 [inline]
 slab_free_hook mm/slub.c:1800 [inline]
 slab_free_freelist_hook mm/slub.c:1826 [inline]
 slab_free mm/slub.c:3809 [inline]
 kmem_cache_free+0x292/0x500 mm/slub.c:3831
 remove_vma mm/mmap.c:146 [inline]
 exit_mmap+0x6bf/0xc50 mm/mmap.c:3234
 __mmput+0x115/0x3c0 kernel/fork.c:1349
 exec_mmap+0x669/0x700 fs/exec.c:1037
 begin_new_exec+0x66e/0xf20 fs/exec.c:1296
 load_elf_binary+0x95d/0x2760 fs/binfmt_elf.c:1001
 search_binary_handler fs/exec.c:1739 [inline]
 exec_binprm fs/exec.c:1781 [inline]
 bprm_execve+0x90e/0x1740 fs/exec.c:1856
 do_execveat_common+0x580/0x720 fs/exec.c:1964
 do_execve fs/exec.c:2038 [inline]
 __do_sys_execve fs/exec.c:2114 [inline]
 __se_sys_execve fs/exec.c:2109 [inline]
 __x64_sys_execve+0x92/0xa0 fs/exec.c:2109
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff8880254ad100
 which belongs to the cache vm_area_struct of size 192
The buggy address is located 163 bytes inside of
 freed 192-byte region [ffff8880254ad100, ffff8880254ad1c0)

The buggy address belongs to the physical page:
page:ffffea0000952b40 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x254ad
flags: 0xfff00000000800(slab|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000800 ffff888014a49b40 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 4921, tgid 4921 (dhcpcd-run-hook), ts 40881524433, free_ts 40360263174
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
 prep_new_page mm/page_alloc.c:1543 [inline]
 get_page_from_freelist+0x31ec/0x3370 mm/page_alloc.c:3183
 __alloc_pages+0x255/0x670 mm/page_alloc.c:4439
 alloc_slab_page+0x6a/0x160 mm/slub.c:1870
 allocate_slab mm/slub.c:2017 [inline]
 new_slab+0x84/0x2f0 mm/slub.c:2070
 ___slab_alloc+0xade/0x1100 mm/slub.c:3223
 __slab_alloc mm/slub.c:3322 [inline]
 __slab_alloc_node mm/slub.c:3375 [inline]
 slab_alloc_node mm/slub.c:3468 [inline]
 slab_alloc mm/slub.c:3486 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3493 [inline]
 kmem_cache_alloc+0x1bf/0x300 mm/slub.c:3502
 vm_area_dup+0x27/0x280 kernel/fork.c:500
 dup_mmap kernel/fork.c:710 [inline]
 dup_mm kernel/fork.c:1686 [inline]
 copy_mm+0xcea/0x1f10 kernel/fork.c:1735
 copy_process+0x1a0f/0x4290 kernel/fork.c:2501
 kernel_clone+0x22d/0x7b0 kernel/fork.c:2909
 __do_sys_clone kernel/fork.c:3052 [inline]
 __se_sys_clone kernel/fork.c:3036 [inline]
 __x64_sys_clone+0x258/0x2a0 kernel/fork.c:3036
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1136 [inline]
 free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
 free_unref_page_list+0x596/0x830 mm/page_alloc.c:2451
 release_pages+0x2113/0x23f0 mm/swap.c:1042
 tlb_batch_pages_flush mm/mmu_gather.c:98 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:293 [inline]
 tlb_flush_mmu+0x34c/0x4e0 mm/mmu_gather.c:300
 tlb_finish_mmu+0xd4/0x1f0 mm/mmu_gather.c:392
 exit_mmap+0x4d3/0xc50 mm/mmap.c:3223
 __mmput+0x115/0x3c0 kernel/fork.c:1349
 exit_mm+0x21f/0x300 kernel/exit.c:567
 do_exit+0x612/0x2290 kernel/exit.c:861
 do_group_exit+0x206/0x2c0 kernel/exit.c:1024
 __do_sys_exit_group kernel/exit.c:1035 [inline]
 __se_sys_exit_group kernel/exit.c:1033 [inline]
 __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1033
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Memory state around the buggy address:
 ffff8880254ad080: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8880254ad100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880254ad180: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
                               ^
 ffff8880254ad200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880254ad280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==================================================================

Crashes (7):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2023/09/05 19:45 upstream 3f86ed6ec0b3 8bc9053e .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-kasan-gce-smack-root KASAN: slab-use-after-free Read in ext4_convert_inline_data_nolock
2023/03/28 07:52 upstream 3a93e40326c8 47f3aaf1 .config strace log report syz C [mounted in repro] ci2-upstream-fs KASAN: slab-out-of-bounds Read in ext4_convert_inline_data_nolock
2023/03/28 07:26 upstream 3a93e40326c8 47f3aaf1 .config console log report info ci2-upstream-fs KASAN: slab-use-after-free Read in ext4_convert_inline_data_nolock
2023/03/21 15:03 upstream 17214b70a159 7939252e .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: slab-use-after-free Read in ext4_convert_inline_data_nolock
2023/04/12 07:34 upstream e62252bc55b6 49faf98d .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in ext4_convert_inline_data_nolock
2023/04/06 02:38 upstream 99ddf2254feb 8b834965 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in ext4_convert_inline_data_nolock
2023/03/24 20:28 upstream 1e760fa3596e 9700afae .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: slab-out-of-bounds Read in ext4_convert_inline_data_nolock
* Struck through repros no longer work on HEAD.