syzbot |
sign-in | mailing list | source | docs |
BUG: KASAN: use-after-free in ext4_htree_fill_tree+0x1316/0x13e0 fs/ext4/namei.c:1246 Read of size 1 at addr ffff88811fbb1a67 by task syz-executor424/302 CPU: 0 PID: 302 Comm: syz-executor424 Not tainted 6.1.118-syzkaller-00074-g3e3f2b9e9fca #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:316 [inline] print_report+0x158/0x4e0 mm/kasan/report.c:427 kasan_report+0x13c/0x170 mm/kasan/report.c:531 __asan_report_load1_noabort+0x14/0x20 mm/kasan/report_generic.c:348 ext4_htree_fill_tree+0x1316/0x13e0 fs/ext4/namei.c:1246 ext4_dx_readdir fs/ext4/dir.c:605 [inline] ext4_readdir+0x2e6f/0x3860 fs/ext4/dir.c:142 iterate_dir+0x265/0x600 __do_sys_getdents64 fs/readdir.c:369 [inline] __se_sys_getdents64+0x1c1/0x460 fs/readdir.c:354 __x64_sys_getdents64+0x7b/0x90 fs/readdir.c:354 x64_sys_call+0x5ae/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:218 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x68/0xd2 RIP: 0033:0x7f0d3e0fa523 Code: c1 66 0f 1f 44 00 00 48 83 c4 08 48 89 ef 5b 5d e9 62 0f fb ff 66 90 b8 ff ff ff 7f 48 39 c2 48 0f 47 d0 b8 d9 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 05 c3 0f 1f 40 00 48 c7 c2 b8 ff ff ff f7 d8 RSP: 002b:00007fff65c3f188 EFLAGS: 00000293 ORIG_RAX: 00000000000000d9 RAX: ffffffffffffffda RBX: 0000555571988730 RCX: 00007f0d3e0fa523 RDX: 0000000000008000 RSI: 0000555571988730 RDI: 0000000000000004 RBP: 0000555571988704 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000001000 R11: 0000000000000293 R12: ffffffffffffffb8 R13: 0000000000000010 R14: 0000555571988700 R15: 431bde82d7b634db </TASK> The buggy address belongs to the physical page: page:ffffea00047eec40 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11fbb1 flags: 0x4000000000000000(zone=1) raw: 4000000000000000 dead000000000100 dead000000000122 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 0, migratetype Unmovable, gfp_mask 0x500cc2(GFP_HIGHUSER|__GFP_ACCOUNT), pid 229, tgid 229 (sshd), ts 15857888071, free_ts 15857990433 set_page_owner include/linux/page_owner.h:33 [inline] post_alloc_hook+0x213/0x220 mm/page_alloc.c:2590 prep_new_page+0x1b/0x110 mm/page_alloc.c:2597 get_page_from_freelist+0x2f41/0x2fc0 mm/page_alloc.c:4462 __alloc_pages+0x234/0x610 mm/page_alloc.c:5759 __alloc_pages_node include/linux/gfp.h:236 [inline] alloc_pages_node include/linux/gfp.h:259 [inline] alloc_pages include/linux/gfp.h:270 [inline] pipe_write+0x56a/0x1990 fs/pipe.c:501 call_write_iter include/linux/fs.h:2274 [inline] new_sync_write fs/read_write.c:491 [inline] vfs_write+0xaf6/0xed0 fs/read_write.c:584 ksys_write+0x199/0x2c0 fs/read_write.c:637 __do_sys_write fs/read_write.c:649 [inline] __se_sys_write fs/read_write.c:646 [inline] __x64_sys_write+0x7b/0x90 fs/read_write.c:646 x64_sys_call+0x2f/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:2 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x68/0xd2 page last free stack trace: reset_page_owner include/linux/page_owner.h:26 [inline] free_pages_prepare mm/page_alloc.c:1498 [inline] free_pcp_prepare mm/page_alloc.c:1572 [inline] free_unref_page_prepare+0x83d/0x850 mm/page_alloc.c:3511 free_unref_page+0xb2/0x5c0 mm/page_alloc.c:3607 __folio_put_small mm/swap.c:105 [inline] __folio_put+0xaa/0xe0 mm/swap.c:128 folio_put include/linux/mm.h:1431 [inline] put_page include/linux/mm.h:1483 [inline] anon_pipe_buf_release+0x187/0x200 fs/pipe.c:138 pipe_buf_release include/linux/pipe_fs_i.h:199 [inline] pipe_read+0x5a6/0x1040 fs/pipe.c:324 call_read_iter include/linux/fs.h:2268 [inline] new_sync_read fs/read_write.c:389 [inline] vfs_read+0x801/0xae0 fs/read_write.c:470 ksys_read+0x199/0x2c0 fs/read_write.c:613 __do_sys_read fs/read_write.c:623 [inline] __se_sys_read fs/read_write.c:621 [inline] __x64_sys_read+0x7b/0x90 fs/read_write.c:621 x64_sys_call+0x28/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:1 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x68/0xd2 Memory state around the buggy address: ffff88811fbb1900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88811fbb1980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff88811fbb1a00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff88811fbb1a80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88811fbb1b00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ==================================================================
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2024/12/22 22:04 | android14-6.1 | 3e3f2b9e9fca | b4fbdbd4 | .config | strace log | report | syz / log | C | [disk image] [vmlinux] [kernel image] [mounted in repro] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_htree_fill_tree | |
| 2024/12/22 19:06 | android14-6.1 | 3e3f2b9e9fca | b4fbdbd4 | .config | strace log | report | syz / log | C | [disk image] [vmlinux] [kernel image] [mounted in repro] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_htree_fill_tree | |
| 2024/12/22 20:25 | android14-6.1 | 3e3f2b9e9fca | b4fbdbd4 | .config | strace log | report | syz / log | C | [disk image] [vmlinux] [kernel image] [mounted in repro] | ci2-android-6-1 | KASAN: slab-out-of-bounds Read in ext4_htree_fill_tree | |
| 2024/12/22 23:31 | android14-6.1 | 3e3f2b9e9fca | b4fbdbd4 | .config | console log | report | syz / log | [disk image] [vmlinux] [kernel image] [mounted in repro] | ci2-android-6-1 | KASAN: use-after-free Read in ext4_htree_fill_tree |