syzbot


KASAN: slab-out-of-bounds Read in ext4_statfs

Status: auto-obsoleted due to no activity on 2023/07/07 01:21
Subsystems: ext4
[Documentation on labels]
Reported-by: syzbot+e00de976f53400133de7@syzkaller.appspotmail.com
First crash: 373d, last: 346d

Sample crash report:
==================================================================
BUG: KASAN: slab-out-of-bounds in generic_test_bit include/asm-generic/bitops/generic-non-atomic.h:128 [inline]
BUG: KASAN: slab-out-of-bounds in ext4_test_inode_flag fs/ext4/ext4.h:1924 [inline]
BUG: KASAN: slab-out-of-bounds in ext4_statfs+0x520/0xb0c fs/ext4/super.c:6690
Read of size 8 at addr ffff0000dd547f30 by task syz-executor.4/11468

CPU: 0 PID: 11468 Comm: syz-executor.4 Not tainted 6.3.0-rc1-syzkaller-gfe15c26ee26e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call trace:
 dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:319 [inline]
 print_report+0x174/0x514 mm/kasan/report.c:430
 kasan_report+0xd4/0x130 mm/kasan/report.c:536
 __asan_report_load8_noabort+0x2c/0x38 mm/kasan/report_generic.c:381
 generic_test_bit include/asm-generic/bitops/generic-non-atomic.h:128 [inline]
 ext4_test_inode_flag fs/ext4/ext4.h:1924 [inline]
 ext4_statfs+0x520/0xb0c fs/ext4/super.c:6690
 statfs_by_dentry fs/statfs.c:66 [inline]
 vfs_statfs+0x140/0x2bc fs/statfs.c:90
 ovl_check_namelen fs/overlayfs/super.c:919 [inline]
 ovl_lower_dir fs/overlayfs/super.c:939 [inline]
 ovl_get_lowerstack+0x1c4/0x1868 fs/overlayfs/super.c:1742
 ovl_fill_super+0x1218/0x2240 fs/overlayfs/super.c:2010
 mount_nodev+0x68/0x104 fs/super.c:1417
 ovl_mount+0x3c/0x50 fs/overlayfs/super.c:2091
 legacy_get_tree+0xd4/0x16c fs/fs_context.c:610
 vfs_get_tree+0x90/0x274 fs/super.c:1501
 do_new_mount+0x25c/0x8c8 fs/namespace.c:3042
 path_mount+0x590/0xe20 fs/namespace.c:3372
 do_mount fs/namespace.c:3385 [inline]
 __do_sys_mount fs/namespace.c:3594 [inline]
 __se_sys_mount fs/namespace.c:3571 [inline]
 __arm64_sys_mount+0x45c/0x594 fs/namespace.c:3571
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x64/0x198 arch/arm64/kernel/syscall.c:193
 el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591

Allocated by task 5996:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4c/0x7c mm/kasan/common.c:52
 kasan_save_alloc_info+0x24/0x30 mm/kasan/generic.c:510
 __kasan_slab_alloc+0x74/0x8c mm/kasan/common.c:328
 kasan_slab_alloc include/linux/kasan.h:186 [inline]
 slab_post_alloc_hook+0x80/0x488 mm/slab.h:769
 slab_alloc_node mm/slub.c:3452 [inline]
 slab_alloc mm/slub.c:3460 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3467 [inline]
 kmem_cache_alloc+0x288/0x37c mm/slub.c:3476
 radix_tree_node_alloc+0x1ac/0x3c0 lib/radix-tree.c:251
 idr_get_free+0x234/0x89c lib/radix-tree.c:1505
 idr_alloc_u32 lib/idr.c:46 [inline]
 idr_alloc_cyclic+0x18c/0x4f4 lib/idr.c:125
 __kernfs_new_node+0x124/0x66c fs/kernfs/dir.c:617
 kernfs_new_node+0x98/0x184 fs/kernfs/dir.c:673
 __kernfs_create_file+0x60/0x2d4 fs/kernfs/file.c:1047
 sysfs_add_file_mode_ns+0x1dc/0x298 fs/sysfs/file.c:294
 create_files fs/sysfs/group.c:64 [inline]
 internal_create_group+0x428/0xbec fs/sysfs/group.c:148
 internal_create_groups fs/sysfs/group.c:188 [inline]
 sysfs_create_groups+0x60/0x130 fs/sysfs/group.c:214
 device_add_groups drivers/base/core.c:2678 [inline]
 device_add_attrs+0x178/0x750 drivers/base/core.c:2798
 device_add+0x5e0/0xf58 drivers/base/core.c:3543
 netdev_register_kobject+0x15c/0x2d8 net/core/net-sysfs.c:2043
 register_netdevice+0xcb8/0x1270 net/core/dev.c:10046
 veth_newlink+0x730/0xb88 drivers/net/veth.c:1837
 rtnl_newlink_create net/core/rtnetlink.c:3440 [inline]
 __rtnl_newlink net/core/rtnetlink.c:3657 [inline]
 rtnl_newlink+0x1174/0x1b1c net/core/rtnetlink.c:3670
 rtnetlink_rcv_msg+0x744/0xdb8 net/core/rtnetlink.c:6174
 netlink_rcv_skb+0x214/0x3c4 net/netlink/af_netlink.c:2574
 rtnetlink_rcv+0x28/0x38 net/core/rtnetlink.c:6192
 netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
 netlink_unicast+0x660/0x8d4 net/netlink/af_netlink.c:1365
 netlink_sendmsg+0x834/0xb18 net/netlink/af_netlink.c:1942
 sock_sendmsg_nosec net/socket.c:722 [inline]
 sock_sendmsg net/socket.c:745 [inline]
 __sys_sendto+0x3b4/0x538 net/socket.c:2145
 __do_sys_sendto net/socket.c:2157 [inline]
 __se_sys_sendto net/socket.c:2153 [inline]
 __arm64_sys_sendto+0xd8/0xf8 net/socket.c:2153
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x64/0x198 arch/arm64/kernel/syscall.c:193
 el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591

The buggy address belongs to the object at ffff0000dd547c80
 which belongs to the cache radix_tree_node of size 576
The buggy address is located 112 bytes to the right of
 allocated 576-byte region [ffff0000dd547c80, ffff0000dd547ec0)

The buggy address belongs to the physical page:
page:00000000805eca39 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11d544
head:00000000805eca39 order:2 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000010200 ffff0000c000d500 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000170017 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000dd547e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff0000dd547e80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
>ffff0000dd547f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                     ^
 ffff0000dd547f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff0000dd548000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

Crashes (2):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2023/03/11 15:01 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci fe15c26ee26e 5205ef30 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: slab-out-of-bounds Read in ext4_statfs
2023/04/08 01:21 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 9a03cbd79d3a 71147e29 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: slab-use-after-free Read in ext4_statfs
* Struck through repros no longer work on HEAD.