KASAN: slab-use-after-free Read in ext4_convert_inline_data

Title	Replies (including bot)	Last reply
[syzbot] [ext4?] KASAN: slab-out-of-bounds Read in ext4_group_desc_csum	17 (20)	2023/04/30 02:55
[syzbot] [ext4?] KASAN: slab-use-after-free Read in ext4_convert_inline_data_nolock	0 (2)	2023/03/28 07:53

Kernel	Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
linux-5.15	KASAN: use-after-free Read in ext4_convert_inline_data_nolock origin:upstream	C			1	12d	12d	0/3	upstream: reported C repro on 2023/05/21 13:36
linux-6.1	KASAN: use-after-free Read in ext4_convert_inline_data_nolock origin:upstream	C			2	10d	48d	0/3	upstream: reported C repro on 2023/04/15 09:27

linux-5.15

KASAN: use-after-free Read in ext4_convert_inline_data_nolock origin:upstream

12d

0/3

upstream: reported C repro on 2023/05/21 13:36

linux-6.1

KASAN: use-after-free Read in ext4_convert_inline_data_nolock origin:upstream

10d

48d

0/3

upstream: reported C repro on 2023/04/15 09:27

Created	Duration	User	Patch	Repo	Result
2023/05/12 15:44	56m	bisect fix		upstream	job log (0) log

Created

Duration

User

Patch

Repo

Result

2023/05/12 15:44

56m

bisect fix

upstream

job log (0) log

EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 without journal. Quota mode: none. ================================================================== BUG: KASAN: slab-out-of-bounds in ext4_read_inline_data fs/ext4/inline.c:199 [inline] BUG: KASAN: slab-out-of-bounds in ext4_convert_inline_data_nolock+0x31a/0xd80 fs/ext4/inline.c:1204 Read of size 20 at addr ffff88807645e1a3 by task syz-executor378/5075 CPU: 0 PID: 5075 Comm: syz-executor378 Not tainted 6.3.0-rc4-syzkaller-00025-g3a93e40326c8 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:319 [inline] print_report+0x163/0x540 mm/kasan/report.c:430 kasan_report+0x176/0x1b0 mm/kasan/report.c:536 kasan_check_range+0x283/0x290 mm/kasan/generic.c:187 __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105 ext4_read_inline_data fs/ext4/inline.c:199 [inline] ext4_convert_inline_data_nolock+0x31a/0xd80 fs/ext4/inline.c:1204 ext4_convert_inline_data+0x4da/0x620 fs/ext4/inline.c:2065 ext4_fallocate+0x14d/0x2050 fs/ext4/extents.c:4701 vfs_fallocate+0x54b/0x6b0 fs/open.c:324 ksys_fallocate fs/open.c:347 [inline] __do_sys_fallocate fs/open.c:355 [inline] __se_sys_fallocate fs/open.c:353 [inline] __x64_sys_fallocate+0xbd/0x100 fs/open.c:353 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7fb0579425c9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 31 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffdcef99758 EFLAGS: 00000246 ORIG_RAX: 000000000000011d RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb0579425c9 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 RBP: 0000000000000003 R08: 0000000000000003 R09: 0000000000000003 R10: 0000000000008000 R11: 0000000000000246 R12: 00007ffdcef99790 R13: 00007ffdcef99788 R14: 00007ffdcef99784 R15: 0000000000000003 </TASK> Allocated by task 5023: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x4f/0x70 mm/kasan/common.c:52 __kasan_slab_alloc+0x66/0x70 mm/kasan/common.c:328 kasan_slab_alloc include/linux/kasan.h:186 [inline] slab_post_alloc_hook+0x68/0x3a0 mm/slab.h:769 slab_alloc_node mm/slub.c:3452 [inline] slab_alloc mm/slub.c:3460 [inline] __kmem_cache_alloc_lru mm/slub.c:3467 [inline] kmem_cache_alloc+0x11f/0x2e0 mm/slub.c:3476 mt_alloc_one lib/maple_tree.c:159 [inline] mas_alloc_nodes+0x26e/0x780 lib/maple_tree.c:1233 mas_node_count_gfp lib/maple_tree.c:1318 [inline] mas_preallocate+0x131/0x350 lib/maple_tree.c:5717 vma_iter_prealloc mm/internal.h:972 [inline] __split_vma+0x1e0/0x7f0 mm/mmap.c:2177 mprotect_fixup+0x5f5/0x920 mm/mprotect.c:663 do_mprotect_pkey+0x8f8/0xc60 mm/mprotect.c:831 __do_sys_mprotect mm/mprotect.c:852 [inline] __se_sys_mprotect mm/mprotect.c:849 [inline] __x64_sys_mprotect+0x80/0x90 mm/mprotect.c:849 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Freed by task 5023: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x4f/0x70 mm/kasan/common.c:52 kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:521 ____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236 kasan_slab_free include/linux/kasan.h:162 [inline] slab_free_hook mm/slub.c:1781 [inline] slab_free_freelist_hook mm/slub.c:1807 [inline] slab_free mm/slub.c:3787 [inline] kmem_cache_free+0x297/0x520 mm/slub.c:3809 mas_destroy+0x1bdc/0x2280 lib/maple_tree.c:5774 mas_store_prealloc+0x351/0x460 lib/maple_tree.c:5702 vma_complete+0x1ed/0x970 mm/mmap.c:572 __split_vma+0x7b9/0x7f0 mm/mmap.c:2214 mprotect_fixup+0x5f5/0x920 mm/mprotect.c:663 do_mprotect_pkey+0x8f8/0xc60 mm/mprotect.c:831 __do_sys_mprotect mm/mprotect.c:852 [inline] __se_sys_mprotect mm/mprotect.c:849 [inline] __x64_sys_mprotect+0x80/0x90 mm/mprotect.c:849 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd The buggy address belongs to the object at ffff88807645e000 which belongs to the cache maple_node of size 256 The buggy address is located 163 bytes to the right of allocated 256-byte region [ffff88807645e000, ffff88807645e100) The buggy address belongs to the physical page: page:ffffea0001d91780 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7645e head:ffffea0001d91780 order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000010200 ffff8880124cd000 dead000000000122 0000000000000000 raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5023, tgid 5023 (rm), ts 57145564531, free_ts 41308598324 prep_new_page mm/page_alloc.c:2553 [inline] get_page_from_freelist+0x3246/0x33c0 mm/page_alloc.c:4326 __alloc_pages+0x255/0x670 mm/page_alloc.c:5592 alloc_slab_page+0x6a/0x160 mm/slub.c:1851 allocate_slab mm/slub.c:1998 [inline] new_slab+0x84/0x2f0 mm/slub.c:2051 ___slab_alloc+0xa85/0x10a0 mm/slub.c:3193 __slab_alloc mm/slub.c:3292 [inline] __slab_alloc_node mm/slub.c:3345 [inline] slab_alloc_node mm/slub.c:3442 [inline] slab_alloc mm/slub.c:3460 [inline] __kmem_cache_alloc_lru mm/slub.c:3467 [inline] kmem_cache_alloc+0x1b9/0x2e0 mm/slub.c:3476 mt_alloc_one lib/maple_tree.c:159 [inline] mas_alloc_nodes+0x26e/0x780 lib/maple_tree.c:1233 mas_node_count_gfp lib/maple_tree.c:1318 [inline] mas_preallocate+0x131/0x350 lib/maple_tree.c:5717 vma_iter_prealloc mm/internal.h:972 [inline] __split_vma+0x1e0/0x7f0 mm/mmap.c:2177 mprotect_fixup+0x5f5/0x920 mm/mprotect.c:663 do_mprotect_pkey+0x8f8/0xc60 mm/mprotect.c:831 __do_sys_mprotect mm/mprotect.c:852 [inline] __se_sys_mprotect mm/mprotect.c:849 [inline] __x64_sys_mprotect+0x80/0x90 mm/mprotect.c:849 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1454 [inline] free_pcp_prepare mm/page_alloc.c:1504 [inline] free_unref_page_prepare+0xe2f/0xe70 mm/page_alloc.c:3388 free_unref_page+0x37/0x3f0 mm/page_alloc.c:3483 discard_slab mm/slub.c:2098 [inline] __unfreeze_partials+0x1b1/0x1f0 mm/slub.c:2637 put_cpu_partial+0x116/0x180 mm/slub.c:2713 qlist_free_all+0x22/0x60 mm/kasan/quarantine.c:187 kasan_quarantine_reduce+0x14b/0x160 mm/kasan/quarantine.c:294 __kasan_slab_alloc+0x23/0x70 mm/kasan/common.c:305 kasan_slab_alloc include/linux/kasan.h:186 [inline] slab_post_alloc_hook+0x68/0x3a0 mm/slab.h:769 slab_alloc_node mm/slub.c:3452 [inline] slab_alloc mm/slub.c:3460 [inline] __kmem_cache_alloc_lru mm/slub.c:3467 [inline] kmem_cache_alloc+0x11f/0x2e0 mm/slub.c:3476 vm_area_alloc+0x24/0xe0 kernel/fork.c:458 mmap_region+0xbfb/0x20c0 mm/mmap.c:2553 do_mmap+0x8c9/0xf70 mm/mmap.c:1364 vm_mmap_pgoff+0x1ce/0x2e0 mm/util.c:542 ksys_mmap_pgoff+0x4f9/0x6d0 mm/mmap.c:1410 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Memory state around the buggy address: ffff88807645e080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88807645e100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff88807645e180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff88807645e200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88807645e280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================

Crashes (6):
Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Assets	Manager	Title
2023/03/28 07:52	upstream	3a93e40326c8	47f3aaf1	.config	strace log	report	syz	C		[disk image] [vmlinux] [kernel image] [mounted in repro]	ci2-upstream-fs	KASAN: slab-out-of-bounds Read in ext4_convert_inline_data_nolock
2023/03/28 07:26	upstream	3a93e40326c8	47f3aaf1	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci2-upstream-fs	KASAN: slab-use-after-free Read in ext4_convert_inline_data_nolock
2023/03/21 15:03	upstream	17214b70a159	7939252e	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci2-upstream-fs	KASAN: slab-use-after-free Read in ext4_convert_inline_data_nolock
2023/04/12 07:34	upstream	e62252bc55b6	49faf98d	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci2-upstream-fs	KASAN: use-after-free Read in ext4_convert_inline_data_nolock
2023/04/06 02:38	upstream	99ddf2254feb	8b834965	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci2-upstream-fs	KASAN: use-after-free Read in ext4_convert_inline_data_nolock
2023/03/24 20:28	upstream	1e760fa3596e	9700afae	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci2-upstream-fs	KASAN: slab-out-of-bounds Read in ext4_convert_inline_data_nolock

Crashes (6):