syzbot


KASAN: use-after-free Read in ext4_htree_fill_tree

Status: upstream: reported C repro on 2024/12/22 19:07
Bug presence: origin:upstream
Labels: missing-backport
[Documentation on labels]
Reported-by: syzbot+e1370dc6128e4079c651@syzkaller.appspotmail.com
First crash: 207d, last: 5h11m
Bug presence (2)
Date Name Commit Repro Result
2025/07/16 lts (merge base) 58485ff1a74f C [report] KASAN: slab-out-of-bounds Read in dx_insert_block
2025/07/16 upstream (ToT) 155a3c003e55 C [report] KASAN: use-after-free Read in dx_insert_block
Similar bugs (3)
Kernel Title Rank 🛈 Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-6.1 KASAN: use-after-free Read in ext4_htree_fill_tree 19 1 308d 308d 0/3 auto-obsoleted due to no activity on 2024/12/22 07:44
android-5-10 KASAN: slab-out-of-bounds Read in ext4_htree_fill_tree 19 C 14 5d19h 361d 0/2 upstream: reported C repro on 2024/07/21 20:19
android-5-15 KASAN: use-after-free Read in ext4_htree_fill_tree origin:upstream missing-backport 19 C 9 7d12h 202d 0/2 upstream: reported C repro on 2024/12/27 19:48
Last patch testing requests (1)
Created Duration User Patch Repo Result
2025/07/18 01:58 2h04m retest repro android14-6.1 report log

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in ext4_htree_fill_tree+0x1316/0x13e0 fs/ext4/namei.c:1246
Read of size 1 at addr ffff888130c3b365 by task syz-executor/1290

CPU: 1 PID: 1290 Comm: syz-executor Not tainted 6.1.124-syzkaller-00008-gccc915784332 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:316 [inline]
 print_report+0x158/0x4e0 mm/kasan/report.c:427
 kasan_report+0x13c/0x170 mm/kasan/report.c:531
 __asan_report_load1_noabort+0x14/0x20 mm/kasan/report_generic.c:348
 ext4_htree_fill_tree+0x1316/0x13e0 fs/ext4/namei.c:1246
 ext4_dx_readdir fs/ext4/dir.c:605 [inline]
 ext4_readdir+0x2e6f/0x3860 fs/ext4/dir.c:142
 iterate_dir+0x265/0x600
 __do_sys_getdents64 fs/readdir.c:369 [inline]
 __se_sys_getdents64+0x1c1/0x460 fs/readdir.c:354
 __x64_sys_getdents64+0x7b/0x90 fs/readdir.c:354
 x64_sys_call+0x5ae/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:218
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7fd3eafbf753
Code: c1 66 0f 1f 44 00 00 48 83 c4 08 48 89 ef 5b 5d e9 52 3e f8 ff 66 90 b8 ff ff ff 7f 48 39 c2 48 0f 47 d0 b8 d9 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 05 c3 0f 1f 40 00 48 c7 c2 a8 ff ff ff f7 d8
RSP: 002b:00007fff7ba4de08 EFLAGS: 00000293 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 0000555559c644e0 RCX: 00007fd3eafbf753
RDX: 0000000000008000 RSI: 0000555559c644e0 RDI: 0000000000000005
RBP: 0000555559c644b4 R08: 0000000000028b61 R09: 0000000000000000
R10: 00007fd3eb17cca0 R11: 0000000000000293 R12: ffffffffffffffa8
R13: 0000000000000010 R14: 0000555559c644b0 R15: 00007fff7ba500c0
 </TASK>

The buggy address belongs to the physical page:
page:ffffea0004c30ec0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x130c3b
flags: 0x4000000000000000(zone=1)
raw: 4000000000000000 dead000000000100 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x102dc2(GFP_HIGHUSER|__GFP_NOWARN|__GFP_ZERO), pid 374, tgid 374 (syz-executor), ts 56447581733, free_ts 56941707585
 set_page_owner include/linux/page_owner.h:33 [inline]
 post_alloc_hook+0x213/0x220 mm/page_alloc.c:2637
 prep_new_page+0x1b/0x110 mm/page_alloc.c:2644
 get_page_from_freelist+0x3a98/0x3b10 mm/page_alloc.c:4539
 __alloc_pages+0x234/0x610 mm/page_alloc.c:5837
 __vmalloc_area_node mm/vmalloc.c:3074 [inline]
 __vmalloc_node_range+0x8a5/0x1560 mm/vmalloc.c:3246
 vmalloc_user+0x73/0x80 mm/vmalloc.c:3400
 kcov_ioctl+0x59/0x640 kernel/kcov.c:713
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:870 [inline]
 __se_sys_ioctl+0x114/0x190 fs/ioctl.c:856
 __x64_sys_ioctl+0x7b/0x90 fs/ioctl.c:856
 x64_sys_call+0x98/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:17
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:26 [inline]
 free_pages_prepare mm/page_alloc.c:1545 [inline]
 free_pcp_prepare mm/page_alloc.c:1619 [inline]
 free_unref_page_prepare+0x9f1/0xa00 mm/page_alloc.c:3581
 free_unref_page+0xb2/0x5c0 mm/page_alloc.c:3677
 free_the_page mm/page_alloc.c:830 [inline]
 __free_pages+0x61/0xf0 mm/page_alloc.c:5926
 __vunmap+0x9c6/0xb80 mm/vmalloc.c:2729
 __vfree mm/vmalloc.c:2778 [inline]
 vfree+0x5c/0x80 mm/vmalloc.c:2809
 kcov_put kernel/kcov.c:437 [inline]
 kcov_close+0x2b/0x50 kernel/kcov.c:533
 __fput+0x1e5/0x870 fs/file_table.c:320
 ____fput+0x15/0x20 fs/file_table.c:348
 task_work_run+0x24d/0x2e0 kernel/task_work.c:203
 exit_task_work include/linux/task_work.h:39 [inline]
 do_exit+0xbd0/0x2b80 kernel/exit.c:877
 do_group_exit+0x21a/0x2d0 kernel/exit.c:1027
 get_signal+0x169d/0x1820 kernel/signal.c:2889
 arch_do_signal_or_restart+0xb0/0x16f0 arch/x86/kernel/signal.c:871
 exit_to_user_mode_loop+0x74/0xa0 kernel/entry/common.c:174
 exit_to_user_mode_prepare+0x5a/0xa0 kernel/entry/common.c:210
 __syscall_exit_to_user_mode_work kernel/entry/common.c:292 [inline]
 syscall_exit_to_user_mode+0x26/0x130 kernel/entry/common.c:303

Memory state around the buggy address:
 ffff888130c3b200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888130c3b280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888130c3b300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                       ^
 ffff888130c3b380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888130c3b400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
EXT4-fs error (device loop4): htree_dirblock_to_tree:1112: inode #2: block 20: comm syz-executor: bad entry in directory: inode out of bounds - offset=1024, inode=2033530174, rec_len=1012, size=1024 fake=0
EXT4-fs error (device loop4): htree_dirblock_to_tree:1112: inode #2: block 20: comm syz-executor: bad entry in directory: inode out of bounds - offset=1024, inode=2033530174, rec_len=1012, size=1024 fake=0
EXT4-fs error (device loop4): htree_dirblock_to_tree:1112: inode #2: block 20: comm syz-executor: bad entry in directory: inode out of bounds - offset=1024, inode=2033530174, rec_len=1012, size=1024 fake=0
EXT4-fs error (device loop4): htree_dirblock_to_tree:1112: inode #2: block 20: comm syz-executor: bad entry in directory: inode out of bounds - offset=1024, inode=2033530174, rec_len=1012, size=1024 fake=0
EXT4-fs error (device loop4): htree_dirblock_to_tree:1112: inode #2: block 20: comm syz-executor: bad entry in directory: inode out of bounds - offset=1024, inode=2033530174, rec_len=1012, size=1024 fake=0
EXT4-fs error (device loop4): htree_dirblock_to_tree:1112: inode #2: block 20: comm syz-executor: bad entry in directory: inode out of bounds - offset=1024, inode=2033530174, rec_len=1012, size=1024 fake=0
EXT4-fs error (device loop4): htree_dirblock_to_tree:1112: inode #2: block 20: comm syz-executor: bad entry in directory: inode out of bounds - offset=1024, inode=2033530174, rec_len=1012, size=1024 fake=0
EXT4-fs (loop4): unmounting filesystem.

Crashes (9):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2025/02/16 08:09 android14-6.1 ccc915784332 40a34ec9 .config console log report syz / log [disk image] [vmlinux] [kernel image] [mounted in repro #1 (clean fs)] [mounted in repro #2 (corrupt fs)] ci2-android-6-1 KASAN: use-after-free Read in ext4_htree_fill_tree
2024/12/22 23:31 android14-6.1 3e3f2b9e9fca b4fbdbd4 .config console log report syz / log [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-android-6-1 KASAN: use-after-free Read in ext4_htree_fill_tree
2025/03/30 05:47 android14-6.1 c1fd50266bd6 d3999433 .config console log report syz / log [disk image] [vmlinux] [kernel image] [mounted in repro (clean fs)] ci2-android-6-1 KASAN: slab-out-of-bounds Read in ext4_htree_fill_tree
2025/02/26 11:01 android14-6.1 f27efe75fc87 d34966d1 .config console log report syz / log [disk image] [vmlinux] [kernel image] [mounted in repro (clean fs)] ci2-android-6-1 KASAN: slab-out-of-bounds Read in ext4_htree_fill_tree
2025/01/28 07:33 android14-6.1 11620ab958c2 18070896 .config console log report syz / log [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-android-6-1 KASAN: slab-out-of-bounds Read in ext4_htree_fill_tree
2025/01/11 20:08 android14-6.1 770852bf7d99 6dbc6a9b .config console log report syz / log [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-android-6-1 KASAN: slab-out-of-bounds Read in ext4_htree_fill_tree
2024/12/22 22:04 android14-6.1 3e3f2b9e9fca b4fbdbd4 .config strace log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-android-6-1 KASAN: use-after-free Read in ext4_htree_fill_tree
2024/12/22 19:06 android14-6.1 3e3f2b9e9fca b4fbdbd4 .config strace log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-android-6-1 KASAN: use-after-free Read in ext4_htree_fill_tree
2024/12/22 20:25 android14-6.1 3e3f2b9e9fca b4fbdbd4 .config strace log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-android-6-1 KASAN: slab-out-of-bounds Read in ext4_htree_fill_tree
* Struck through repros no longer work on HEAD.