syzbot


KASAN: slab-out-of-bounds Read in dtSplitRoot

Status: upstream: reported C repro on 2022/10/15 22:33
Reported-by: syzbot+33c9105dadf38db104ab@syzkaller.appspotmail.com
First crash: 112d, last: 10d
similar bugs (2):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.19 KASAN: slab-out-of-bounds Read in dtSplitRoot C error 1 113d 113d 0/1 upstream: reported C repro on 2022/10/14 11:28
upstream UBSAN: array-index-out-of-bounds in dtSplitRoot C error 2 10d 112d 0/24 upstream: reported C repro on 2022/10/15 19:21

Sample crash report:
==================================================================
BUG: KASAN: slab-out-of-bounds in dtSplitRoot+0x1330/0x14b0 fs/jfs/jfs_dtree.c:1984
Read of size 1 at addr ffff8880a1c3cfc0 by task syz-executor167/8007

CPU: 1 PID: 8007 Comm: syz-executor167 Not tainted 4.14.295-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
 kasan_report_error.cold+0x8a/0x191 mm/kasan/report.c:351
 kasan_report mm/kasan/report.c:409 [inline]
 __asan_report_load1_noabort+0x68/0x70 mm/kasan/report.c:427
 dtSplitRoot+0x1330/0x14b0 fs/jfs/jfs_dtree.c:1984
 dtSplitUp+0xeee/0x47d0 fs/jfs/jfs_dtree.c:997
 dtInsert+0x77c/0x9e0 fs/jfs/jfs_dtree.c:875
 jfs_mkdir.part.0+0x38d/0x7e0 fs/jfs/namei.c:283
 jfs_mkdir+0x35/0x50 fs/jfs/namei.c:223
 vfs_mkdir+0x463/0x6e0 fs/namei.c:3851
 SYSC_mkdirat fs/namei.c:3874 [inline]
 SyS_mkdirat+0x1fd/0x270 fs/namei.c:3858
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x7fdd0a9b8fb9
RSP: 002b:00007ffd719056e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000102
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fdd0a9b8fb9
RDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000000000003
RBP: 00007fdd0a978820 R08: 0000000000000000 R09: 00007fdd0a978820
R10: 00005555557682c0 R11: 0000000000000246 R12: 00000000f8008000
R13: 0000000000000000 R14: 00083878000000f8 R15: 0000000000000000

Allocated by task 4615:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:551
 kmem_cache_alloc+0x124/0x3c0 mm/slab.c:3552
 kmem_cache_zalloc include/linux/slab.h:651 [inline]
 fill_pool lib/debugobjects.c:110 [inline]
 __debug_object_init+0x578/0x7a0 lib/debugobjects.c:341
 debug_object_init lib/debugobjects.c:393 [inline]
 debug_object_activate+0x391/0x490 lib/debugobjects.c:474
 debug_rcu_head_queue kernel/rcu/rcu.h:152 [inline]
 __call_rcu.constprop.0+0x31/0x7d0 kernel/rcu/tree.c:3050
 dentry_free+0xab/0x120 fs/dcache.c:363
 __dentry_kill+0x3ff/0x550 fs/dcache.c:605
 shrink_dentry_list+0x2ab/0xac0 fs/dcache.c:1043
 shrink_dcache_sb+0x105/0x1b0 fs/dcache.c:1191
 do_remount_sb+0xdd/0x530 fs/super.c:852
 do_remount fs/namespace.c:2393 [inline]
 do_mount+0x15f3/0x2a30 fs/namespace.c:2896
 SYSC_mount fs/namespace.c:3121 [inline]
 SyS_mount+0xa8/0x120 fs/namespace.c:3098
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb

Freed by task 24:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0xc3/0x1a0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3496 [inline]
 kmem_cache_free+0x7c/0x2b0 mm/slab.c:3758
 free_obj_work+0x200/0x570 lib/debugobjects.c:207
 process_one_work+0x793/0x14a0 kernel/workqueue.c:2117
 worker_thread+0x5cc/0xff0 kernel/workqueue.c:2251
 kthread+0x30d/0x420 kernel/kthread.c:232
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404

The buggy address belongs to the object at ffff8880a1c3cf50
 which belongs to the cache debug_objects_cache of size 40
The buggy address is located 72 bytes to the right of
 40-byte region [ffff8880a1c3cf50, ffff8880a1c3cf78)
The buggy address belongs to the page:
page:ffffea0002870f00 count:1 mapcount:0 mapping:ffff8880a1c3c000 index:0xffff8880a1c3cfb9
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffff8880a1c3c000 ffff8880a1c3cfb9 0000000100000030
raw: ffffea0002c08d20 ffffea0002d82b20 ffff88813fe6bdc0 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a1c3ce80: 00 00 00 fc fc 00 00 00 00 00 fc fc fb fb fb fb
 ffff8880a1c3cf00: fb fc fc fb fb fb fb fb fc fc fb fb fb fb fb fc
>ffff8880a1c3cf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                           ^
 ffff8880a1c3d000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880a1c3d080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

Fix bisection attempts:
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Title
ci2-linux-4-14 2023/01/25 17:26 linux-4.14.y 3949d1610004 67cb024c .config console log report syz C
ci2-linux-4-14 2022/11/15 01:25 linux-4.14.y e911713e40ca 67cb024c .config console log report syz C
* Struck through repros no longer work on HEAD.
Crashes (1):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Title
ci2-linux-4-14 2022/10/15 22:32 linux-4.14.y 9d5c0b3a8e1a 67cb024c .config console log report syz C [disk image] [vmlinux] [mounted in repro] KASAN: slab-out-of-bounds Read in dtSplitRoot
* Struck through repros no longer work on HEAD.