syzbot


UBSAN: array-index-out-of-bounds in diFree

Status: fixed on 2024/09/19 18:24
Bug presence: origin:upstream
Labels: missing-backport
[Documentation on labels]
Reported-by: syzbot+e70704cadcde378004b8@syzkaller.appspotmail.com
Fix commit: 63f7fdf733ad jfs: Fix array-index-out-of-bounds in diFree
First crash: 106d, last: 60d
Fix bisection: fixed by (bisect log) :
commit 63f7fdf733add82f126ea00e2e48f6eba15ac4b9
Author: Jeongjun Park <aha310510@gmail.com>
Date: Thu May 30 13:28:09 2024 +0000

  jfs: Fix array-index-out-of-bounds in diFree

  
Bug presence (3)
Date Name Commit Repro Result
2024/08/15 linux-5.15.y (ToT) 7e89efd3ae1c C [report] UBSAN: array-index-out-of-bounds in diFree
2024/07/01 upstream (ToT) 22a40d14b572 C [report] UBSAN: array-index-out-of-bounds in diFree
2024/08/15 upstream (ToT) 1fb918967b56 C Didn't crash
Similar bugs (11)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Read in diFree jfs C inconclusive unreliable 110 289d 937d 0/28 auto-obsoleted due to no activity on 2024/03/22 04:27
upstream UBSAN: array-index-out-of-bounds in diFree jfs C inconclusive 226 63d 173d 27/28 fixed on 2024/08/14 03:44
linux-4.19 BUG: unable to handle kernel paging request in diFree C done 18 1184d 1476d 1/1 fixed on 2021/08/17 00:59
linux-4.14 general protection fault in diFree 1 1354d 1354d 0/1 auto-closed as invalid on 2021/05/28 19:31
linux-4.14 general protection fault in diFree (2) C 2 594d 999d 0/1 upstream: reported C repro on 2022/01/18 19:31
linux-5.15 KASAN: use-after-free Read in diFree C error 5 483d 555d 0/3 auto-obsoleted due to no activity on 2023/10/07 20:25
upstream BUG: unable to handle kernel paging request in diFree jfs C done 13 1206d 1477d 20/28 fixed on 2021/11/10 00:50
linux-4.19 KASAN: use-after-free Read in diFree jfs C error 21 624d 1462d 0/1 upstream: reported C repro on 2020/10/13 01:51
linux-4.14 BUG: unable to handle kernel paging request in diFree C 5 602d 1481d 0/1 upstream: reported C repro on 2020/09/23 16:53
linux-6.1 KASAN: use-after-free Read in diFree origin:lts-only C done 7 382d 543d 3/3 fixed on 2023/10/30 11:46
linux-4.14 KASAN: use-after-free Read in diFree jfs C error 3 602d 1475d 0/1 upstream: reported C repro on 2020/09/30 00:31

Sample crash report:
================================================================================
UBSAN: array-index-out-of-bounds in fs/jfs/jfs_imap.c:886:2
index -134217728 is out of range for type 'struct mutex[128]'
CPU: 0 PID: 276 Comm: jfsCommit Not tainted 5.15.163-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e3/0x2d0 lib/dump_stack.c:106
 ubsan_epilogue lib/ubsan.c:151 [inline]
 __ubsan_handle_out_of_bounds+0x118/0x140 lib/ubsan.c:282
 diFree+0x21bb/0x2fb0 fs/jfs/jfs_imap.c:886
 jfs_evict_inode+0x329/0x440 fs/jfs/inode.c:156
 evict+0x2a4/0x620 fs/inode.c:587
 txUpdateMap+0x825/0x9e0 fs/jfs/jfs_txnmgr.c:2401
 txLazyCommit fs/jfs/jfs_txnmgr.c:2698 [inline]
 jfs_lazycommit+0x470/0xc30 fs/jfs/jfs_txnmgr.c:2766
 kthread+0x3f6/0x4f0 kernel/kthread.c:334
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287
 </TASK>
================================================================================
Kernel panic - not syncing: UBSAN: panic_on_warn set ...
CPU: 0 PID: 276 Comm: jfsCommit Not tainted 5.15.163-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e3/0x2d0 lib/dump_stack.c:106
 panic+0x318/0x860 kernel/panic.c:309
 check_panic_on_warn+0x7e/0xa0 kernel/panic.c:229
 ubsan_epilogue lib/ubsan.c:157 [inline]
 __ubsan_handle_out_of_bounds+0x138/0x140 lib/ubsan.c:282
 diFree+0x21bb/0x2fb0 fs/jfs/jfs_imap.c:886
 jfs_evict_inode+0x329/0x440 fs/jfs/inode.c:156
 evict+0x2a4/0x620 fs/inode.c:587
 txUpdateMap+0x825/0x9e0 fs/jfs/jfs_txnmgr.c:2401
 txLazyCommit fs/jfs/jfs_txnmgr.c:2698 [inline]
 jfs_lazycommit+0x470/0xc30 fs/jfs/jfs_txnmgr.c:2766
 kthread+0x3f6/0x4f0 kernel/kthread.c:334
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287
 </TASK>
Kernel Offset: disabled
Rebooting in 86400 seconds..

Crashes (13):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2024/07/21 15:30 linux-5.15.y 7c6d66f0266f b88348e9 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan UBSAN: array-index-out-of-bounds in diFree
2024/07/21 11:34 linux-5.15.y 7c6d66f0266f b88348e9 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan UBSAN: array-index-out-of-bounds in diFree
2024/07/21 11:34 linux-5.15.y 7c6d66f0266f b88348e9 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan UBSAN: array-index-out-of-bounds in diFree
2024/06/30 16:50 linux-5.15.y 4878aadf2d15 757f06b1 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-5-15-kasan UBSAN: array-index-out-of-bounds in diFree
2024/06/30 08:15 linux-5.15.y 4878aadf2d15 757f06b1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan UBSAN: array-index-out-of-bounds in diFree
2024/08/10 14:47 linux-5.15.y 7e89efd3ae1c 6f4edef4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 UBSAN: array-index-out-of-bounds in diFree
2024/08/07 09:26 linux-5.15.y 7e89efd3ae1c 1ef9fe42 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 UBSAN: array-index-out-of-bounds in diFree
2024/08/01 23:10 linux-5.15.y 7e89efd3ae1c 1e9c4cf3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 UBSAN: array-index-out-of-bounds in diFree
2024/07/29 09:12 linux-5.15.y 7e89efd3ae1c 46eb10b7 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 UBSAN: array-index-out-of-bounds in diFree
2024/07/22 03:54 linux-5.15.y 7c6d66f0266f b88348e9 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 UBSAN: array-index-out-of-bounds in diFree
2024/07/21 22:52 linux-5.15.y 7c6d66f0266f b88348e9 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 UBSAN: array-index-out-of-bounds in diFree
2024/07/17 17:23 linux-5.15.y f45bea23c39c 215bec2d .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 UBSAN: array-index-out-of-bounds in diFree
2024/07/14 13:07 linux-5.15.y f45bea23c39c eaeb5c15 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 UBSAN: array-index-out-of-bounds in diFree
* Struck through repros no longer work on HEAD.