syzbot


KASAN: slab-out-of-bounds Read in __ext4_iget (2)

Status: upstream: reported on 2025/02/01 20:39
Reported-by: syzbot+fb7f7c3d4430262421a7@syzkaller.appspotmail.com
First crash: 3d11h, last: 3d11h
Similar bugs (9)
| Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|
| linux-5.15 | KASAN: use-after-free Read in __ext4_iget | | | | 17 | 7d07h | 371d | 0/3 | upstream: reported on 2024/01/31 03:06 |
| upstream | KASAN: slab-use-after-free Read in __ext4_iget (fs reiserfs) | | | | 278 | 371d | 609d | 0/28 | auto-obsoleted due to no activity on 2024/04/09 13:42 |
| android-5-15 | KASAN: use-after-free Read in __ext4_iget (origin:lts) | syz | | | 188 | 10h53m | 587d | 0/2 | premoderation: reported syz repro on 2023/06/28 10:27 |
| linux-5.15 | KASAN: slab-out-of-bounds Read in __ext4_iget | | | | 6 | 476d | 519d | 0/3 | auto-obsoleted due to no activity on 2024/01/25 22:09 |
| android-54 | KASAN: use-after-free Read in __ext4_iget | | | | 13 | 348d | 555d | 0/2 | auto-obsoleted due to no activity on 2024/05/22 19:07 |
| android-5-10 | KASAN: use-after-free Read in __ext4_iget | syz | | | 161 | 3d02h | 587d | 0/2 | premoderation: reported syz repro on 2023/06/28 15:01 |
| linux-6.1 | KASAN: slab-out-of-bounds Read in __ext4_iget | | | | 14 | 310d | 566d | 0/3 | auto-obsoleted due to no activity on 2024/07/09 19:10 |
| linux-6.1 | KASAN: use-after-free Read in __ext4_iget | | | | 2 | 146d | 188d | 0/3 | auto-obsoleted due to no activity on 2024/12/21 07:26 |
| android-54 | KASAN: use-after-free Read in __ext4_iget (2) | | | | 4 | 230d | 249d | 0/2 | auto-obsoleted due to no activity on 2024/09/17 10:19 |

Sample crash report:
loop1: detected capacity change from 0 to 1024
==================================================================
BUG: KASAN: slab-out-of-bounds in __ext4_iget+0x2ee/0x3ee0 fs/ext4/inode.c:4835
Read of size 8 at addr ffff888056a4ff30 by task syz.1.836/6190

CPU: 0 PID: 6190 Comm: syz.1.836 Not tainted 6.1.128-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:316 [inline]
 print_report+0x15f/0x4f0 mm/kasan/report.c:427
 kasan_report+0x136/0x160 mm/kasan/report.c:531
 __ext4_iget+0x2ee/0x3ee0 fs/ext4/inode.c:4835
 __ext4_fill_super fs/ext4/super.c:5390 [inline]
 ext4_fill_super+0x6ccf/0x8b50 fs/ext4/super.c:5654
 get_tree_bdev+0x3fe/0x620 fs/super.c:1366
 vfs_get_tree+0x88/0x270 fs/super.c:1573
 do_new_mount+0x2ba/0xb40 fs/namespace.c:3056
 do_mount fs/namespace.c:3399 [inline]
 __do_sys_mount fs/namespace.c:3607 [inline]
 __se_sys_mount+0x2d5/0x3c0 fs/namespace.c:3584
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f7830f8e54a
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f7830dfee68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007f7830dfeef0 RCX: 00007f7830f8e54a
RDX: 0000000020000140 RSI: 00000000200005c0 RDI: 00007f7830dfeeb0
RBP: 0000000020000140 R08: 00007f7830dfeef0 R09: 0000000000018000
R10: 0000000000018000 R11: 0000000000000246 R12: 00000000200005c0
R13: 00007f7830dfeeb0 R14: 000000000000063d R15: 0000000020000000
 </TASK>

Allocated by task 3622:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
 __kasan_slab_alloc+0x65/0x70 mm/kasan/common.c:328
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook+0x52/0x3a0 mm/slab.h:737
 slab_alloc_node mm/slub.c:3398 [inline]
 slab_alloc mm/slub.c:3406 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3413 [inline]
 kmem_cache_alloc_lru+0x10c/0x2d0 mm/slub.c:3429
 __d_alloc+0x31/0x710 fs/dcache.c:1774
 d_alloc fs/dcache.c:1854 [inline]
 d_alloc_parallel+0xdd/0x1590 fs/dcache.c:2645
 __lookup_slow+0x113/0x3d0 fs/namei.c:1675
 lookup_slow+0x53/0x70 fs/namei.c:1707
 walk_component fs/namei.c:1998 [inline]
 link_path_walk+0x9d6/0xee0 fs/namei.c:2325
 path_openat+0x23d/0x2e60 fs/namei.c:3779
 do_filp_open+0x230/0x480 fs/namei.c:3810
 do_sys_openat2+0x13b/0x4f0 fs/open.c:1318
 do_sys_open fs/open.c:1334 [inline]
 __do_sys_openat fs/open.c:1350 [inline]
 __se_sys_openat fs/open.c:1345 [inline]
 __x64_sys_openat+0x243/0x290 fs/open.c:1345
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2

Freed by task 0:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
 kasan_save_free_info+0x27/0x40 mm/kasan/generic.c:516
 ____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236
 kasan_slab_free include/linux/kasan.h:177 [inline]
 slab_free_hook mm/slub.c:1724 [inline]
 slab_free_freelist_hook mm/slub.c:1750 [inline]
 slab_free mm/slub.c:3661 [inline]
 kmem_cache_free+0x292/0x510 mm/slub.c:3683
 rcu_do_batch kernel/rcu/tree.c:2297 [inline]
 rcu_core+0xade/0x1820 kernel/rcu/tree.c:2557
 handle_softirqs+0x2ee/0xa40 kernel/softirq.c:578
 __do_softirq kernel/softirq.c:612 [inline]
 invoke_softirq kernel/softirq.c:452 [inline]
 __irq_exit_rcu+0x157/0x240 kernel/softirq.c:661
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:673
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1118 [inline]
 sysvec_apic_timer_interrupt+0xa0/0xc0 arch/x86/kernel/apic/apic.c:1118
 asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:691

Last potentially related work creation:
 kasan_save_stack+0x3b/0x60 mm/kasan/common.c:45
 __kasan_record_aux_stack+0xb0/0xc0 mm/kasan/generic.c:486
 call_rcu+0x163/0xa10 kernel/rcu/tree.c:2845
 __dentry_kill+0x4f4/0x650 fs/dcache.c:625
 dentry_kill+0xbb/0x290
 dput+0xfb/0x1d0 fs/dcache.c:918
 lookup_fast+0x39e/0x490 fs/namei.c:1656
 walk_component fs/namei.c:1994 [inline]
 link_path_walk+0x604/0xee0 fs/namei.c:2325
 path_openat+0x23d/0x2e60 fs/namei.c:3779
 do_filp_open+0x230/0x480 fs/namei.c:3810
 do_sys_openat2+0x13b/0x4f0 fs/open.c:1318
 do_sys_open fs/open.c:1334 [inline]
 __do_sys_openat fs/open.c:1350 [inline]
 __se_sys_openat fs/open.c:1345 [inline]
 __x64_sys_openat+0x243/0x290 fs/open.c:1345
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2

Second to last potentially related work creation:
 kasan_save_stack+0x3b/0x60 mm/kasan/common.c:45
 __kasan_record_aux_stack+0xb0/0xc0 mm/kasan/generic.c:486
 call_rcu+0x163/0xa10 kernel/rcu/tree.c:2845
 __dentry_kill+0x4f4/0x650 fs/dcache.c:625
 dentry_kill+0xbb/0x290
 dput+0xfb/0x1d0 fs/dcache.c:918
 handle_mounts fs/namei.c:1551 [inline]
 step_into+0x44b/0x1070 fs/namei.c:1836
 open_last_lookups fs/namei.c:3573 [inline]
 path_openat+0x1764/0x2e60 fs/namei.c:3780
 do_filp_open+0x230/0x480 fs/namei.c:3810
 do_sys_openat2+0x13b/0x4f0 fs/open.c:1318
 do_sys_open fs/open.c:1334 [inline]
 __do_sys_openat fs/open.c:1350 [inline]
 __se_sys_openat fs/open.c:1345 [inline]
 __x64_sys_openat+0x243/0x290 fs/open.c:1345
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2

The buggy address belongs to the object at ffff888056a4fd60
 which belongs to the cache dentry of size 312
The buggy address is located 152 bytes to the right of
 312-byte region [ffff888056a4fd60, ffff888056a4fe98)

The buggy address belongs to the physical page:
page:ffffea00015a9380 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x56a4e
head:ffffea00015a9380 order:1 compound_mapcount:0 compound_pincount:0
memcg:ffff888030bc8601
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 ffffea0001d24800 dead000000000004 ffff888140009780
raw: 0000000000000000 0000000000150015 00000001ffffffff ffff888030bc8601
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Reclaimable, gfp_mask 0x1d20d0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 3622, tgid 3622 (udevd), ts 91350801404, free_ts 14576418346
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x18d/0x1b0 mm/page_alloc.c:2532
 prep_new_page mm/page_alloc.c:2539 [inline]
 get_page_from_freelist+0x3731/0x38d0 mm/page_alloc.c:4328
 __alloc_pages+0x28d/0x770 mm/page_alloc.c:5605
 alloc_slab_page+0x6a/0x150 mm/slub.c:1794
 allocate_slab mm/slub.c:1939 [inline]
 new_slab+0x84/0x2d0 mm/slub.c:1992
 ___slab_alloc+0xc20/0x1270 mm/slub.c:3180
 __slab_alloc mm/slub.c:3279 [inline]
 slab_alloc_node mm/slub.c:3364 [inline]
 slab_alloc mm/slub.c:3406 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3413 [inline]
 kmem_cache_alloc_lru+0x1a5/0x2d0 mm/slub.c:3429
 __d_alloc+0x31/0x710 fs/dcache.c:1774
 d_alloc fs/dcache.c:1854 [inline]
 d_alloc_parallel+0xdd/0x1590 fs/dcache.c:2645
 lookup_open fs/namei.c:3407 [inline]
 open_last_lookups fs/namei.c:3550 [inline]
 path_openat+0x90a/0x2e60 fs/namei.c:3780
 do_filp_open+0x230/0x480 fs/namei.c:3810
 do_sys_openat2+0x13b/0x4f0 fs/open.c:1318
 do_sys_open fs/open.c:1334 [inline]
 __do_sys_openat fs/open.c:1350 [inline]
 __se_sys_openat fs/open.c:1345 [inline]
 __x64_sys_openat+0x243/0x290 fs/open.c:1345
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1459 [inline]
 free_pcp_prepare mm/page_alloc.c:1509 [inline]
 free_unref_page_prepare+0x12a6/0x15b0 mm/page_alloc.c:3384
 free_unref_page+0x33/0x3e0 mm/page_alloc.c:3479
 free_contig_range+0x9a/0x150 mm/page_alloc.c:9565
 destroy_args+0xfe/0x997 mm/debug_vm_pgtable.c:1031
 debug_vm_pgtable+0x416/0x46b mm/debug_vm_pgtable.c:1354
 do_one_initcall+0x265/0x8f0 init/main.c:1298
 do_initcall_level+0x157/0x207 init/main.c:1371
 do_initcalls+0x49/0x86 init/main.c:1387
 kernel_init_freeable+0x45c/0x60f init/main.c:1626
 kernel_init+0x19/0x290 init/main.c:1514
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Memory state around the buggy address:
 ffff888056a4fe00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888056a4fe80: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888056a4ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                     ^
 ffff888056a4ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888056a50000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

Crashes (1):
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2025/02/01 20:38 | linux-6.1.y | 0cbb5f65e52f | 568559e4 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan | KASAN: slab-out-of-bounds Read in __ext4_iget |