syzbot


KASAN: use-after-free Read in ext4_data_block_valid (2)

Status: auto-closed as invalid on 2020/03/21 21:05
Reported-by: syzbot+be1f0dafac98cbd5321e@syzkaller.appspotmail.com
First crash: 1670d, last: 1609d
Similar bugs (6):
Kernel | Title | Count | Last | Reported | Patched | Status
linux-4.14 | KASAN: use-after-free Read in ext4_data_block_valid | 5 | 1420d | 1708d | 0/1 | auto-closed as invalid on 2020/09/26 20:10
upstream | KASAN: use-after-free Read in ext4_data_block_valid (subsystem: ext4) | 108 | 1730d | 2177d | 13/26 | fixed on 2019/10/15 23:40
android-414 | KASAN: use-after-free Read in ext4_data_block_valid | 12 | 1861d | 1832d | 0/1 | auto-closed as invalid on 2019/09/11 10:38
linux-4.19 | KASAN: use-after-free Read in ext4_data_block_valid | 2 | 1666d | 1729d | 0/1 | auto-closed as invalid on 2020/01/24 00:27
android-49 | KASAN: use-after-free Read in ext4_data_block_valid | 21 | 1935d | 1831d | 0/3 | auto-closed as invalid on 2019/06/29 18:27
android-49 | KASAN: use-after-free Read in ext4_data_block_valid (2) | 1 | 1606d | 1606d | 0/3 | auto-closed as invalid on 2020/03/24 07:08
(No repro, cause bisect or fix bisect entries are listed for any of these rows.)

Sample crash report:
==================================================================
EXT4-fs (sda1): re-mounted. Opts: noblock_validity,data_err=ignore,sb=0x000000000000c0d5,lazytime,jqfmt=vfsold,
BUG: KASAN: use-after-free in ext4_data_block_valid+0x279/0x2d0 fs/ext4/block_validity.c:211
Read of size 8 at addr ffff8881d197ebb0 by task modprobe/13613

CPU: 1 PID: 13613 Comm: modprobe Not tainted 4.14.155-syzkaller #0
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0xe5/0x154 lib/dump_stack.c:58
 print_address_description+0x60/0x226 mm/kasan/report.c:187
 __kasan_report.cold+0x1a/0x41 mm/kasan/report.c:316
 ext4_data_block_valid+0x279/0x2d0 fs/ext4/block_validity.c:211
 __check_block_validity.constprop.0+0xba/0x200 fs/ext4/inode.c:402
 ext4_map_blocks+0xdc9/0x1600 fs/ext4/inode.c:592
 ext4_getblk+0x344/0x420 fs/ext4/inode.c:972
 ext4_bread_batch+0x78/0x340 fs/ext4/inode.c:1042
 __ext4_find_entry+0x447/0xcd0 fs/ext4/namei.c:1516
 ext4_lookup_entry fs/ext4/namei.c:1615 [inline]
 ext4_lookup+0x15e/0x5b0 fs/ext4/namei.c:1683
 lookup_slow+0x226/0x440 fs/namei.c:1794
 walk_component+0x6d0/0xbf0 fs/namei.c:1923
 lookup_last fs/namei.c:2391 [inline]
 path_lookupat.isra.0+0x1ce/0x7e0 fs/namei.c:2441
 filename_lookup+0x1a1/0x3b0 fs/namei.c:2475
 user_path_at include/linux/namei.h:57 [inline]
 SYSC_faccessat fs/open.c:413 [inline]
 SyS_faccessat+0x23a/0x6b0 fs/open.c:362
 do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x7f9cc5376267
RSP: 002b:00007ffee83514b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000015
RAX: ffffffffffffffda RBX: 00007f9cc55811c8 RCX: 00007f9cc5376267
RDX: 00007f9cc5360158 RSI: 0000000000000004 RDI: 00007f9cc537ce30
RBP: 00007ffee8351610 R08: 00007f9cc5581770 R09: 0000000000000050
R10: ffffffffffffffb0 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffee83fc2f4 R14: 00007f9cc5581bc8 R15: 0000000000000000

Allocated by task 1:
 save_stack mm/kasan/common.c:76 [inline]
 set_track mm/kasan/common.c:85 [inline]
 __kasan_kmalloc.part.0+0x53/0xc0 mm/kasan/common.c:501
 slab_post_alloc_hook mm/slab.h:439 [inline]
 slab_alloc_node mm/slub.c:2792 [inline]
 slab_alloc mm/slub.c:2800 [inline]
 kmem_cache_alloc+0xee/0x360 mm/slub.c:2805
 add_system_zone+0x29b/0x530 fs/ext4/block_validity.c:85
 ext4_setup_system_zone+0x2e2/0x470 fs/ext4/block_validity.c:169
 ext4_fill_super+0x65f2/0xb290 fs/ext4/super.c:4452
 mount_bdev+0x2b6/0x360 fs/super.c:1151
 mount_fs+0x277/0x312 fs/super.c:1257
 vfs_kern_mount.part.0+0xc7/0x4a0 fs/namespace.c:1056
 vfs_kern_mount fs/namespace.c:1038 [inline]
 do_new_mount fs/namespace.c:2573 [inline]
 do_mount+0x3f6/0x26a0 fs/namespace.c:2903
 SYSC_mount fs/namespace.c:3119 [inline]
 SyS_mount+0xa8/0x120 fs/namespace.c:3096
 do_mount_root init/do_mounts.c:366 [inline]
 mount_block_root+0x345/0x70a init/do_mounts.c:395
 prepare_namespace+0x1d1/0x20d init/do_mounts.c:599
 kernel_init_freeable+0x393/0x3b0 init/main.c:1116
 kernel_init+0xd/0x164 init/main.c:1023
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:404
 0xffffffffffffffff

Freed by task 13600:
 save_stack mm/kasan/common.c:76 [inline]
 set_track mm/kasan/common.c:85 [inline]
 __kasan_slab_free+0x164/0x210 mm/kasan/common.c:463
 slab_free_hook mm/slub.c:1407 [inline]
 slab_free_freelist_hook mm/slub.c:1458 [inline]
 slab_free mm/slub.c:3039 [inline]
 kmem_cache_free+0xd7/0x3b0 mm/slub.c:3055
 ext4_release_system_zone+0x68/0xe0 fs/ext4/block_validity.c:187
 ext4_setup_system_zone+0x3a3/0x470 fs/ext4/block_validity.c:151
 ext4_remount+0xdfb/0x1d10 fs/ext4/super.c:5408
 do_remount_sb2+0x35a/0x5e0 fs/super.c:880
 do_remount fs/namespace.c:2388 [inline]
 do_mount+0x1305/0x26a0 fs/namespace.c:2894
 SYSC_mount fs/namespace.c:3119 [inline]
 SyS_mount+0xa8/0x120 fs/namespace.c:3096
 do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
 0xffffffffffffffff

The buggy address belongs to the object at ffff8881d197eb98
 which belongs to the cache ext4_system_zone of size 40
The buggy address is located 24 bytes inside of
 40-byte region [ffff8881d197eb98, ffff8881d197ebc0)
The buggy address belongs to the page:
page:ffffea0007465f80 count:1 mapcount:0 mapping:          (null) index:0xffff8881d197eb60
flags: 0x4000000000000200(slab)
raw: 4000000000000200 0000000000000000 ffff8881d197eb60 0000000180490019
raw: dead000000000100 dead000000000200 ffff8881d4c98400 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881d197ea80: fb fb fb fb fb fc fc fb fb fb fb fb fc fc fb fb
 ffff8881d197eb00: fb fb fb fc fc fb fb fb fb fb fc fc fb fb fb fb
>ffff8881d197eb80: fb fc fc fb fb fb fb fb fc fc fc fc fc fc fc fc
                                     ^
 ffff8881d197ec00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8881d197ec80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Crashes (6):
Time | Kernel | Commit | Syzkaller | Manager
2019/11/22 21:04 | android-4.14 | 437a2a739c5f | 598ca6c8 | ci-android-414-kasan-gce-root
2019/11/22 12:59 | android-4.14 | 7bc77fd33905 | 598ca6c8 | ci-android-414-kasan-gce-root
2019/11/22 05:31 | android-4.14 | 7bc77fd33905 | 8098ea0f | ci-android-414-kasan-gce-root
2019/11/19 10:06 | android-4.14 | 460dc7c31cef | 5bc70212 | ci-android-414-kasan-gce-root
2019/09/26 00:26 | android-4.14 | d649ef04c3ed | a3355dba | ci-android-414-kasan-gce-root
2019/09/22 00:14 | android-4.14 | 8ae37de3fa03 | d96e88f3 | ci-android-414-kasan-gce-root
(Each crash has a .config, console log and report attached; no syz repro, C repro, VM info or assets are listed for any of them.)