KASAN: use-after-free Read in ext4_htree_fill

Date	Name	Commit	Repro	Result
2025/01/05	lts (merge base)	b67dc5c9ade9	C	[report] KASAN: use-after-free Read in ext4_htree_fill_tree
2025/01/05	upstream (ToT)	ab75170520d4	C	[report] KASAN: slab-use-after-free Read in ext4_htree_fill_tree

Date

Name

Commit

Repro

Result

2025/01/05

lts (merge base)

b67dc5c9ade9

[report] KASAN: use-after-free Read in ext4_htree_fill_tree

2025/01/05

upstream (ToT)

ab75170520d4

[report] KASAN: slab-use-after-free Read in ext4_htree_fill_tree

Kernel	Title	Repro	Count	Last	Reported	Patched	Status
linux-6.1	KASAN: use-after-free Read in ext4_htree_fill_tree		1	199d	199d	0/3	auto-obsoleted due to no activity on 2024/12/22 07:44
android-5-10	KASAN: slab-out-of-bounds Read in ext4_htree_fill_tree	C	14	8d12h	253d	0/2	upstream: reported C repro on 2024/07/21 20:19
android-5-15	KASAN: use-after-free Read in ext4_htree_fill_tree origin:upstream	C	8	11d	94d	0/2	upstream: reported C repro on 2024/12/27 19:48

linux-6.1

KASAN: use-after-free Read in ext4_htree_fill_tree

199d

0/3

auto-obsoleted due to no activity on 2024/12/22 07:44

android-5-10

KASAN: slab-out-of-bounds Read in ext4_htree_fill_tree

8d12h

253d

0/2

upstream: reported C repro on 2024/07/21 20:19

android-5-15

KASAN: use-after-free Read in ext4_htree_fill_tree origin:upstream

11d

94d

0/2

upstream: reported C repro on 2024/12/27 19:48


Created	Duration	User	Repo	Result
2025/03/27 02:22	6m	retest repro	android14-6.1	report log
2025/03/27 02:22	7m	retest repro	android14-6.1	report log
2025/03/27 02:22	6m	retest repro	android14-6.1	report log
2025/03/27 02:22	6m	retest repro	android14-6.1	report log
2025/03/12 13:49	20m	retest repro	android14-6.1	report log
2025/03/12 13:49	13m	retest repro	android14-6.1	report log

BUG: KASAN: use-after-free in ext4_htree_fill_tree+0x1316/0x13e0 fs/ext4/namei.c:1246 Read of size 1 at addr ffff88811fbb1a67 by task syz-executor424/302 CPU: 0 PID: 302 Comm: syz-executor424 Not tainted 6.1.118-syzkaller-00074-g3e3f2b9e9fca #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:316 [inline] print_report+0x158/0x4e0 mm/kasan/report.c:427 kasan_report+0x13c/0x170 mm/kasan/report.c:531 __asan_report_load1_noabort+0x14/0x20 mm/kasan/report_generic.c:348 ext4_htree_fill_tree+0x1316/0x13e0 fs/ext4/namei.c:1246 ext4_dx_readdir fs/ext4/dir.c:605 [inline] ext4_readdir+0x2e6f/0x3860 fs/ext4/dir.c:142 iterate_dir+0x265/0x600 __do_sys_getdents64 fs/readdir.c:369 [inline] __se_sys_getdents64+0x1c1/0x460 fs/readdir.c:354 __x64_sys_getdents64+0x7b/0x90 fs/readdir.c:354 x64_sys_call+0x5ae/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:218 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x68/0xd2 RIP: 0033:0x7f0d3e0fa523 Code: c1 66 0f 1f 44 00 00 48 83 c4 08 48 89 ef 5b 5d e9 62 0f fb ff 66 90 b8 ff ff ff 7f 48 39 c2 48 0f 47 d0 b8 d9 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 05 c3 0f 1f 40 00 48 c7 c2 b8 ff ff ff f7 d8 RSP: 002b:00007fff65c3f188 EFLAGS: 00000293 ORIG_RAX: 00000000000000d9 RAX: ffffffffffffffda RBX: 0000555571988730 RCX: 00007f0d3e0fa523 RDX: 0000000000008000 RSI: 0000555571988730 RDI: 0000000000000004 RBP: 0000555571988704 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000001000 R11: 0000000000000293 R12: ffffffffffffffb8 R13: 0000000000000010 R14: 0000555571988700 R15: 431bde82d7b634db </TASK> The buggy address belongs to the physical page: page:ffffea00047eec40 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11fbb1 flags: 0x4000000000000000(zone=1) raw: 4000000000000000 dead000000000100 dead000000000122 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 0, migratetype Unmovable, gfp_mask 0x500cc2(GFP_HIGHUSER|__GFP_ACCOUNT), pid 229, tgid 229 (sshd), ts 15857888071, free_ts 15857990433 set_page_owner include/linux/page_owner.h:33 [inline] post_alloc_hook+0x213/0x220 mm/page_alloc.c:2590 prep_new_page+0x1b/0x110 mm/page_alloc.c:2597 get_page_from_freelist+0x2f41/0x2fc0 mm/page_alloc.c:4462 __alloc_pages+0x234/0x610 mm/page_alloc.c:5759 __alloc_pages_node include/linux/gfp.h:236 [inline] alloc_pages_node include/linux/gfp.h:259 [inline] alloc_pages include/linux/gfp.h:270 [inline] pipe_write+0x56a/0x1990 fs/pipe.c:501 call_write_iter include/linux/fs.h:2274 [inline] new_sync_write fs/read_write.c:491 [inline] vfs_write+0xaf6/0xed0 fs/read_write.c:584 ksys_write+0x199/0x2c0 fs/read_write.c:637 __do_sys_write fs/read_write.c:649 [inline] __se_sys_write fs/read_write.c:646 [inline] __x64_sys_write+0x7b/0x90 fs/read_write.c:646 x64_sys_call+0x2f/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:2 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x68/0xd2 page last free stack trace: reset_page_owner include/linux/page_owner.h:26 [inline] free_pages_prepare mm/page_alloc.c:1498 [inline] free_pcp_prepare mm/page_alloc.c:1572 [inline] free_unref_page_prepare+0x83d/0x850 mm/page_alloc.c:3511 free_unref_page+0xb2/0x5c0 mm/page_alloc.c:3607 __folio_put_small mm/swap.c:105 [inline] __folio_put+0xaa/0xe0 mm/swap.c:128 folio_put include/linux/mm.h:1431 [inline] put_page include/linux/mm.h:1483 [inline] anon_pipe_buf_release+0x187/0x200 fs/pipe.c:138 pipe_buf_release include/linux/pipe_fs_i.h:199 [inline] pipe_read+0x5a6/0x1040 fs/pipe.c:324 call_read_iter include/linux/fs.h:2268 [inline] new_sync_read fs/read_write.c:389 [inline] vfs_read+0x801/0xae0 fs/read_write.c:470 ksys_read+0x199/0x2c0 fs/read_write.c:613 __do_sys_read fs/read_write.c:623 [inline] __se_sys_read fs/read_write.c:621 [inline] __x64_sys_read+0x7b/0x90 fs/read_write.c:621 x64_sys_call+0x28/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:1 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x68/0xd2 Memory state around the buggy address: ffff88811fbb1900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88811fbb1980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff88811fbb1a00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff88811fbb1a80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88811fbb1b00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ==================================================================

Crashes (9):
Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	Assets (help?)	Manager	Title
2024/12/22 22:04	android14-6.1	3e3f2b9e9fca	b4fbdbd4	.config	strace log	report	syz / log	C	[disk image] [vmlinux] [kernel image] [mounted in repro]	ci2-android-6-1	KASAN: use-after-free Read in ext4_htree_fill_tree
2024/12/22 19:06	android14-6.1	3e3f2b9e9fca	b4fbdbd4	.config	strace log	report	syz / log	C	[disk image] [vmlinux] [kernel image] [mounted in repro]	ci2-android-6-1	KASAN: use-after-free Read in ext4_htree_fill_tree
2024/12/22 20:25	android14-6.1	3e3f2b9e9fca	b4fbdbd4	.config	strace log	report	syz / log	C	[disk image] [vmlinux] [kernel image] [mounted in repro]	ci2-android-6-1	KASAN: slab-out-of-bounds Read in ext4_htree_fill_tree
2025/02/16 08:09	android14-6.1	ccc915784332	40a34ec9	.config	console log	report	syz / log		[disk image] [vmlinux] [kernel image] [mounted in repro #1 (clean fs)] [mounted in repro #2 (corrupt fs)]	ci2-android-6-1	KASAN: use-after-free Read in ext4_htree_fill_tree
2024/12/22 23:31	android14-6.1	3e3f2b9e9fca	b4fbdbd4	.config	console log	report	syz / log		[disk image] [vmlinux] [kernel image] [mounted in repro]	ci2-android-6-1	KASAN: use-after-free Read in ext4_htree_fill_tree
2025/03/30 05:47	android14-6.1	c1fd50266bd6	d3999433	.config	console log	report	syz / log		[disk image] [vmlinux] [kernel image] [mounted in repro (clean fs)]	ci2-android-6-1	KASAN: slab-out-of-bounds Read in ext4_htree_fill_tree
2025/02/26 11:01	android14-6.1	f27efe75fc87	d34966d1	.config	console log	report	syz / log		[disk image] [vmlinux] [kernel image] [mounted in repro (clean fs)]	ci2-android-6-1	KASAN: slab-out-of-bounds Read in ext4_htree_fill_tree
2025/01/28 07:33	android14-6.1	11620ab958c2	18070896	.config	console log	report	syz / log		[disk image] [vmlinux] [kernel image] [mounted in repro]	ci2-android-6-1	KASAN: slab-out-of-bounds Read in ext4_htree_fill_tree
2025/01/11 20:08	android14-6.1	770852bf7d99	6dbc6a9b	.config	console log	report	syz / log		[disk image] [vmlinux] [kernel image] [mounted in repro]	ci2-android-6-1	KASAN: slab-out-of-bounds Read in ext4_htree_fill_tree

Crashes (9):

Assets (help?)