syzbot

 sign-in | mailing list | source | docs
🐞 Open [712]
🐞 Fixed [297]
🐞 Invalid [838]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

KASAN: use-after-free Read in ext4_xattr_set_entry (2)

Status: fixed on 2021/10/13 07:23
Reported-by: syzbot+b0fe9558904a8bb778ac@syzkaller.appspotmail.com
Fix commit: c481607ba522 ext4: fix race writing to an inline_data file while its xattrs are changing
First crash: 2014d, last: 1556d
Fix bisection: fixed by (bisect log) :
commit c481607ba522e31e6ed01efefc19cc1d0e0a46fa
Author: Theodore Ts'o <tytso@mit.edu>
Date: Sat Aug 21 03:44:17 2021 +0000

  ext4: fix race writing to an inline_data file while its xattrs are changing

  
Similar bugs (28)
Kernel Title Rank 🛈 Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.14 KASAN: use-after-free Read in ext4_xattr_set_entry (3) 19 C error 1 1390d 1875d 0/1 upstream: reported C repro on 2020/10/28 15:08
android-5-15 KASAN: out-of-bounds Read in ext4_xattr_set_entry (2) origin:lts 19 C 38 23h08m 167d 0/2 upstream: reported C repro on 2025/07/03 01:48
android-414 KASAN: use-after-free Read in ext4_xattr_set_entry (2) 19 6 2238d 2294d 0/1 auto-closed as invalid on 2020/02/28 13:35
linux-4.14 KASAN: use-after-free Read in ext4_xattr_set_entry (2) 19 1 2095d 2095d 0/1 auto-closed as invalid on 2020/07/21 03:20
upstream KASAN: use-after-free Read in ext4_xattr_set_entry ext4 19 1 2699d 2699d 0/29 closed as invalid on 2018/07/29 11:55
upstream KASAN: out-of-bounds Read in ext4_xattr_set_entry ext4 24 C error 5150 39m 451d 0/29 upstream: reported C repro on 2024/09/22 00:16
android-414 KASAN: use-after-free Read in ext4_xattr_set_entry 19 4 2546d 2439d 0/1 auto-closed as invalid on 2019/06/26 01:15
upstream KASAN: use-after-free Read in ext4_xattr_set_entry (5) ext4 19 2 1240d 1299d 0/29 auto-obsoleted due to no activity on 2022/11/22 17:19
upstream KASAN: use-after-free Read in ext4_xattr_set_entry (3) ext4 19 4 1991d 2109d 0/29 auto-closed as invalid on 2020/11/02 08:32
linux-4.19 KASAN: use-after-free Read in ext4_xattr_set_entry 19 syz done 10 2118d 2366d 1/1 fixed on 2020/03/30 09:03
upstream KASAN: use-after-free Read in ext4_xattr_set_entry (4) ext4 24 C error done 21 1394d 1781d 20/29 fixed on 2022/03/28 10:17
upstream KASAN: use-after-free Read in ext4_xattr_set_entry (2) ext4 19 C done 19 2192d 2601d 15/29 fixed on 2020/02/14 01:19
android-54 KASAN: use-after-free Read in ext4_xattr_set_entry 19 6 1958d 2139d 0/2 auto-closed as invalid on 2020/12/04 21:44
linux-6.1 KASAN: out-of-bounds Read in ext4_xattr_set_entry missing-backport origin:lts-only 19 C inconclusive 614 5h19m 943d 0/3 upstream: reported C repro on 2023/05/19 08:42
android-5-10 KASAN: out-of-bounds Read in ext4_xattr_set_entry 19 C inconclusive 42 10d 819d 0/2 upstream: reported C repro on 2023/09/20 02:40
linux-4.14 KASAN: use-after-free Read in ext4_xattr_set_entry 19 C done 9 2146d 2238d 1/1 fixed on 2020/03/01 21:06
android-5-15 general protection fault in ext4_xattr_set_entry 2 C error 1 1020d 1100d 2/2 fixed on 2023/03/28 12:29
android-5-15 KASAN: out-of-bounds Read in ext4_xattr_set_entry 17 1 912d 912d 0/2 auto-obsoleted due to no activity on 2023/09/17 07:02
android-5-10 general protection fault in ext4_xattr_set_entry (4) 2 C error 62 923d 952d 2/2 fixed on 2023/06/07 17:22
android-5-10 general protection fault in ext4_xattr_set_entry (2) ext4 2 C error 423 959d 1158d 2/2 fixed on 2023/05/03 13:06
android-54 KASAN: out-of-bounds Read in ext4_xattr_set_entry ext4 17 C 14 965d 1731d 0/2 auto-obsoleted due to no activity on 2023/08/23 09:06
linux-5.15 KASAN: out-of-bounds Read in ext4_xattr_set_entry origin:upstream 17 C error 29 11h07m 276d 0/3 upstream: reported C repro on 2025/03/15 11:50
android-5-10 general protection fault in ext4_xattr_set_entry (3) 2 C error 9 954d 957d 2/2 fixed on 2023/05/08 19:06
linux-6.6 KASAN: out-of-bounds Read in ext4_xattr_set_entry origin:upstream missing-backport 17 C 618 2h40m 183d 0/2 upstream: reported C repro on 2025/06/17 02:45
android-5-10 general protection fault in ext4_xattr_set_entry 2 C error 2 1181d 1195d 0/2 closed as invalid on 2022/09/26 18:30
linux-4.14 KASAN: out-of-bounds Read in ext4_xattr_set_entry 17 C error 2 1195d 1709d 0/1 upstream: reported C repro on 2021/04/12 14:20
android-6-1 KASAN: out-of-bounds Read in ext4_xattr_set_entry origin:lts 23 C 272 2d08h 582d 0/2 upstream: reported C repro on 2024/05/13 18:18
android-5-10 general protection fault in ext4_xattr_set_entry (5) 2 C done 11 920d 923d 2/2 fixed on 2023/06/13 02:27
Fix bisection attempts (12)
Created Duration User Patch Repo Result
2021/10/12 18:39 3h16m bisect fix linux-4.19.y OK (1) job log
2021/09/12 18:14 23m bisect fix linux-4.19.y OK (0) job log log
2021/08/13 17:50 24m bisect fix linux-4.19.y OK (0) job log log
2021/07/14 17:26 23m bisect fix linux-4.19.y OK (0) job log log
2021/06/14 17:00 25m bisect fix linux-4.19.y OK (0) job log log
2021/05/15 16:33 27m bisect fix linux-4.19.y OK (0) job log log
2021/03/24 22:04 23m bisect fix linux-4.19.y OK (0) job log log
2021/02/20 23:16 23m bisect fix linux-4.19.y OK (0) job log log
2021/02/18 00:41 18m bisect fix linux-4.19.y error job log
2021/02/05 04:21 1m bisect fix linux-4.19.y error job log
2021/01/06 03:54 26m bisect fix linux-4.19.y OK (0) job log log
2020/12/06 23:48 25m bisect fix linux-4.19.y OK (0) job log log

Sample crash report:
EXT4-fs (loop0): mounted filesystem without journal. Opts: ,errors=continue
EXT4-fs error (device loop0): ext4_mb_generate_buddy:744: group 0, block bitmap and bg descriptor inconsistent: 50 vs 25 free clusters
==================================================================
BUG: KASAN: out-of-bounds in memmove include/linux/string.h:392 [inline]
BUG: KASAN: out-of-bounds in ext4_xattr_set_entry+0x2562/0x3750 fs/ext4/xattr.c:1733
Read of size 18446744073709551600 at addr ffff8880abc820d4 by task syz-executor288/8103

CPU: 1 PID: 8103 Comm: syz-executor288 Not tainted 4.19.186-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
 kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
 kasan_report+0x8f/0xa0 mm/kasan/report.c:412
 memmove+0x20/0x50 mm/kasan/kasan.c:293
 memmove include/linux/string.h:392 [inline]
 ext4_xattr_set_entry+0x2562/0x3750 fs/ext4/xattr.c:1733
 ext4_xattr_ibody_inline_set+0x81/0x2a0 fs/ext4/xattr.c:2222
 ext4_destroy_inline_data_nolock+0x22d/0x4f0 fs/ext4/inline.c:434
 ext4_convert_inline_data_nolock+0x145/0xd10 fs/ext4/inline.c:1207
 ext4_convert_inline_data+0x347/0x3a0 fs/ext4/inline.c:2027
 ext4_fallocate+0x137/0x2150 fs/ext4/extents.c:4956
 vfs_fallocate+0x487/0x9a0 fs/open.c:308
 ksys_fallocate fs/open.c:331 [inline]
 __do_sys_fallocate fs/open.c:339 [inline]
 __se_sys_fallocate fs/open.c:337 [inline]
 __x64_sys_fallocate+0xcf/0x140 fs/open.c:337
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x44a649
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f6a6cc272f8 EFLAGS: 00000246 ORIG_RAX: 000000000000011d
RAX: ffffffffffffffda RBX: 00000000004cc410 RCX: 000000000044a649
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000007
RBP: 000000000049c0c4 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000010000101 R11: 0000000000000246 R12: 000000000049b0c0
R13: 0030656c69662f2e R14: e5d26e84aa4cf3c6 R15: 00000000004cc418

The buggy address belongs to the page:
page:ffffea0002af2080 count:2 mapcount:0 mapping:ffff8880ae106b60 index:0x8
flags: 0xfff0000001107c(referenced|uptodate|dirty|lru|active|private|mappedtodisk)
raw: 00fff0000001107c ffffea0002641888 ffffea0002624d08 ffff8880ae106b60
raw: 0000000000000008 ffff88808df34000 00000002ffffffff ffff8880b59f88c0
page dumped because: kasan: bad access detected
page->mem_cgroup:ffff8880b59f88c0

Memory state around the buggy address:
 ffff8880abc81f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8880abc82000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880abc82080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                 ^
 ffff8880abc82100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880abc82180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

Crashes (7):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2021/04/11 17:20 linux-4.19.y 830a059cbba6 6a81331a .config console log report syz C ci2-linux-4-19 KASAN: out-of-bounds Read in ext4_xattr_set_entry
2020/11/06 23:19 linux-4.19.y b94de4d19498 cba33199 .config console log report syz C ci2-linux-4-19
2021/04/15 16:15 linux-4.19.y 0f1b4cb77d7f fcdb12ba .config console log report syz ci2-linux-4-19 KASAN: out-of-bounds Read in ext4_xattr_set_entry
2021/02/22 22:04 linux-4.19.y 255b58a2b3af c26fb06b .config console log report info ci2-linux-4-19 KASAN: use-after-free Read in ext4_xattr_set_entry
2020/08/29 22:22 linux-4.19.y f6d5cb9e2c06 d5a3ae1f .config console log report ci2-linux-4-19
2020/06/21 19:47 linux-4.19.y 3fc898571b97 4f2acff9 .config console log report ci2-linux-4-19
2020/06/11 12:56 linux-4.19.y 3fc898571b97 3ab7a05a .config console log report ci2-linux-4-19
* Struck through repros no longer work on HEAD.