syzbot
KASAN: use-after-free Read in ext4_find_extent (4)

Status: upstream: reported C repro on 2024/12/30 20:06
Subsystems: ext4
Reported-by: syzbot+ee60e584b5c6bb229126@syzkaller.appspotmail.com
First crash: 9d04h, last: 9d03h
Discussions (1)
Title Replies (including bot) Last reply
[syzbot] [ext4?] KASAN: use-after-free Read in ext4_find_extent (4) 0 (1) 2024/12/30 20:06
Similar bugs (9)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-5-10 KASAN: use-after-free Read in ext4_find_extent ext4 C error inconclusive 25 28d 740d 0/2 upstream: reported C repro on 2022/12/26 07:59
android-6-1 KASAN: use-after-free Read in ext4_find_extent missing-backport C error done 3 69d 566d 0/2 upstream: reported C repro on 2023/06/18 03:55
linux-5.15 KASAN: use-after-free Read in ext4_find_extent origin:lts-only C inconclusive 5 21d 535d 0/3 upstream: reported C repro on 2023/07/19 14:49
upstream KASAN: use-after-free Read in ext4_find_extent ext4 2 1172d 1233d 0/28 auto-closed as invalid on 2022/02/17 05:19
linux-6.1 KASAN: use-after-free Read in ext4_find_extent origin:upstream missing-backport C done 1 250d 474d 0/3 upstream: reported C repro on 2023/09/19 00:11
android-5-15 KASAN: use-after-free Read in ext4_find_extent ext4 origin:lts C error 9 8h46m 740d 0/2 upstream: reported C repro on 2022/12/26 07:59
upstream KASAN: use-after-free Read in ext4_find_extent (2) ext4 C error 2 611d 735d 22/28 fixed on 2023/06/08 14:41
upstream KASAN: use-after-free Read in ext4_find_extent (3) prio:low ext4 C error done 31 375d 557d 25/28 fixed on 2024/01/30 23:26
android-54 KASAN: slab-out-of-bounds Read in ext4_find_extent ext4 C 1 554d 740d 0/2 auto-obsoleted due to no activity on 2023/10/08 03:20

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in ext4_ext_binsearch fs/ext4/extents.c:840 [inline]
BUG: KASAN: use-after-free in ext4_find_extent+0x94c/0xb0c fs/ext4/extents.c:955
Read of size 4 at addr ffff0000e2d145a0 by task kworker/u8:4/45

CPU: 1 UID: 0 PID: 45 Comm: kworker/u8:4 Not tainted 6.13.0-rc3-syzkaller-g573067a5a685 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: writeback wb_workfn (flush-7:0)
Call trace:
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C)
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0x198/0x538 mm/kasan/report.c:489
 kasan_report+0xd8/0x138 mm/kasan/report.c:602
 __asan_report_load4_noabort+0x20/0x2c mm/kasan/report_generic.c:380
 ext4_ext_binsearch fs/ext4/extents.c:840 [inline]
 ext4_find_extent+0x94c/0xb0c fs/ext4/extents.c:955
 ext4_ext_map_blocks+0x2b0/0x6600 fs/ext4/extents.c:4205
 ext4_map_create_blocks fs/ext4/inode.c:516 [inline]
 ext4_map_blocks+0x710/0x15d0 fs/ext4/inode.c:702
 mpage_map_one_extent fs/ext4/inode.c:2219 [inline]
 mpage_map_and_submit_extent fs/ext4/inode.c:2272 [inline]
 ext4_do_writepages+0x195c/0x318c fs/ext4/inode.c:2735
 ext4_writepages+0x198/0x308 fs/ext4/inode.c:2824
 do_writepages+0x304/0x7d0 mm/page-writeback.c:2702
 __writeback_single_inode+0x15c/0x15a4 fs/fs-writeback.c:1680
 writeback_sb_inodes+0x650/0x1088 fs/fs-writeback.c:1976
 wb_writeback+0x3e0/0xe9c fs/fs-writeback.c:2156
 wb_do_writeback fs/fs-writeback.c:2303 [inline]
 wb_workfn+0x38c/0x1048 fs/fs-writeback.c:2343
 process_one_work+0x7a8/0x15cc kernel/workqueue.c:3229
 process_scheduled_works kernel/workqueue.c:3310 [inline]
 worker_thread+0x97c/0xeec kernel/workqueue.c:3391
 kthread+0x288/0x310 kernel/kthread.c:389
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:862

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff9b78a pfn:0x122d14
flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000000000 dead000000000100 dead000000000122 0000000000000000
raw: 0000000ffff9b78a 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000e2d14480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff0000e2d14500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff0000e2d14580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                               ^
 ffff0000e2d14600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff0000e2d14680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (2):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2024/12/26 20:29 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 573067a5a685 d3ccff63 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] ci-upstream-gce-arm64 KASAN: use-after-free Read in ext4_find_extent
2024/12/26 19:55 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 573067a5a685 d3ccff63 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: use-after-free Read in ext4_find_extent