syzbot

KASAN: use-after-free Read in ext4_find_extent
Status: auto-closed as invalid on 2022/02/17 05:19
Reported-by: syzbot+333dc3792ca8ce20b80c@syzkaller.appspotmail.com
First crash: 282d, last: 220d

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in ext4_ext_binsearch fs/ext4/extents.c:785 [inline]
BUG: KASAN: use-after-free in ext4_find_extent+0xae9/0xcc0 fs/ext4/extents.c:905
Read of size 4 at addr ffff88804d40d238 by task kworker/u4:2/28410

CPU: 1 PID: 28410 Comm: kworker/u4:2 Not tainted 5.15.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: writeback wb_workfn (flush-7:3)
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1dc/0x2d8 lib/dump_stack.c:106
 print_address_description+0x66/0x3e0 mm/kasan/report.c:256
 __kasan_report mm/kasan/report.c:442 [inline]
 kasan_report+0x19a/0x1f0 mm/kasan/report.c:459
 ext4_ext_binsearch fs/ext4/extents.c:785 [inline]
 ext4_find_extent+0xae9/0xcc0 fs/ext4/extents.c:905
 ext4_ext_map_blocks+0x220/0x7220 fs/ext4/extents.c:4066
 ext4_map_blocks+0xaba/0x1cc0 fs/ext4/inode.c:637
 mpage_map_one_extent fs/ext4/inode.c:2393 [inline]
 mpage_map_and_submit_extent fs/ext4/inode.c:2446 [inline]
 ext4_writepages+0x1727/0x4080 fs/ext4/inode.c:2798
 do_writepages+0x49d/0x760 mm/page-writeback.c:2364
 __writeback_single_inode+0xd4/0x590 fs/fs-writeback.c:1616
 writeback_sb_inodes+0xd29/0x29e0 fs/fs-writeback.c:1881
 wb_writeback+0x41c/0x9b0 fs/fs-writeback.c:2053
 wb_do_writeback fs/fs-writeback.c:2196 [inline]
 wb_workfn+0x41b/0x1430 fs/fs-writeback.c:2237
 process_one_work+0x853/0x1140 kernel/workqueue.c:2297
 worker_thread+0xac1/0x1320 kernel/workqueue.c:2444
 kthread+0x453/0x480 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30

The buggy address belongs to the page:
page:ffffea0001350340 refcount:0 mapcount:0 mapping:0000000000000000 index:0x100 pfn:0x4d40d
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea00013528c8 ffffea00023ba7c8 0000000000000000
raw: 0000000000000100 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x1101cca(GFP_HIGHUSER_MOVABLE|__GFP_WRITE), pid 13548, ts 356891507738, free_ts 358251311809
 prep_new_page mm/page_alloc.c:2424 [inline]
 get_page_from_freelist+0x779/0xa30 mm/page_alloc.c:4153
 __alloc_pages+0x255/0x580 mm/page_alloc.c:5375
 __page_cache_alloc+0x79/0x1c0 mm/filemap.c:1022
 pagecache_get_page+0x7cf/0xe80 mm/filemap.c:1940
 grab_cache_page_write_begin+0x56/0x90 mm/filemap.c:3724
 ext4_da_write_begin+0x561/0x9b0 fs/ext4/inode.c:2961
 generic_perform_write+0x2dd/0x600 mm/filemap.c:3770
 ext4_buffered_write_iter+0x43b/0x5b0 fs/ext4/file.c:269
 ext4_file_write_iter+0x8f7/0x1bb0
 call_write_iter include/linux/fs.h:2163 [inline]
 new_sync_write fs/read_write.c:507 [inline]
 vfs_write+0xb11/0xe90 fs/read_write.c:594
 ksys_write+0x18f/0x2c0 fs/read_write.c:647
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1338 [inline]
 free_pcp_prepare+0xc29/0xd20 mm/page_alloc.c:1389
 free_unref_page_prepare mm/page_alloc.c:3315 [inline]
 free_unref_page_list+0x11f/0xa50 mm/page_alloc.c:3431
 release_pages+0x18cb/0x1b00 mm/swap.c:963
 __pagevec_release+0x7d/0xf0 mm/swap.c:983
 pagevec_release include/linux/pagevec.h:81 [inline]
 truncate_inode_pages_range+0x492/0x12d0 mm/truncate.c:329
 ext4_evict_inode+0x424/0xf70 fs/ext4/inode.c:222
 evict+0x2a4/0x620 fs/inode.c:588
 do_unlinkat+0x578/0xa10 fs/namei.c:4176
 __do_sys_unlink fs/namei.c:4217 [inline]
 __se_sys_unlink fs/namei.c:4215 [inline]
 __x64_sys_unlink+0x45/0x50 fs/namei.c:4215
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Memory state around the buggy address:
 ffff88804d40d100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88804d40d180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88804d40d200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                        ^
 ffff88804d40d280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88804d40d300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

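A triage helper for reports of this shape, added here as an example (it is not syzbot's or syzkaller's code): it parses a KASAN report into the bug type, the faulting access, the crash stack and the page's allocation and free stacks, then picks out the first frame outside the reporting machinery and the syscall handler on each of the allocation and free paths. The embedded SAMPLE is a trimmed excerpt of the report above. The slab-object headers ("Allocated by task N:" / "Freed by task N:") and the <TASK> markers it also accepts do not occur in this report; they are handled on the assumption that they follow KASAN's usual form.

```python
"""Triage helper for syzbot-style KASAN reports (added example, not syzbot or syzkaller code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# A stack-frame line, "  func+0xoff/0xlen path/file.c:123 [inline]"; offset, location and [inline] are optional.
FRAME_RE = re.compile(r"^\s+([A-Za-z_][\w.]*)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?(?:\s+(\S+:\d+))?(?:\s+\[inline\])?\s*$")
BUG_RE = re.compile(r"^BUG: KASAN: ([\w-]+) in ")
ACCESS_RE = re.compile(r"^(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)")
# Allocation/free headers: the page_owner form used in the report above (a page-cache page), plus KASAN's
# "Allocated by task N:" / "Freed by task N:" form for slab objects (assumed form, not in this report).
ALLOC_HDR_RE = re.compile(r"^(?:Allocated by task (\d+):|page last allocated via order \d+,.*\bpid (\d+),)")
FREE_HDR_RE = re.compile(r"^(?:Freed by task \d+:|page last free stack trace:)")
REPORTING_PATHS = ("lib/dump_stack.c", "mm/kasan/")  # reporting machinery, not the faulting code

@dataclass
class Frame:
    func: str
    loc: Optional[str]  # "path/file.c:line", or None for frames printed without one

@dataclass
class KasanReport:
    bug: str = ""
    access: str = ""
    size: int = 0
    addr: int = 0
    task: str = ""
    pid: int = 0
    alloc_pid: Optional[int] = None
    crash: List[Frame] = field(default_factory=list)
    alloc: List[Frame] = field(default_factory=list)
    free: List[Frame] = field(default_factory=list)

def parse_kasan_report(text: str) -> KasanReport:
    rep = KasanReport()
    section = None  # stack currently being collected: "crash", "alloc", "free" or None
    for line in text.splitlines():
        if (m := BUG_RE.match(line)) and not rep.bug:
            rep.bug = m.group(1)  # first BUG line; its inline frames recur in the Call Trace
        elif m := ACCESS_RE.match(line):
            rep.access, rep.size, rep.addr = m.group(1), int(m.group(2)), int(m.group(3), 16)
            rep.task, rep.pid = m.group(4), int(m.group(5))
        elif line.startswith("Call Trace:"):
            section = "crash"
        elif m := ALLOC_HDR_RE.match(line):
            section, rep.alloc_pid = "alloc", int(m.group(1) or m.group(2))
        elif FREE_HDR_RE.match(line):
            section = "free"
        elif section is None or line.strip() in ("<TASK>", "</TASK>"):
            continue  # outside any stack, or the <TASK> markers newer kernels print (assumed form)
        elif m := FRAME_RE.match(line):
            getattr(rep, section).append(Frame(m.group(1), m.group(2)))
        else:
            section = None  # a blank line or other non-frame text ends the current stack
    return rep

def fault_frame(rep: KasanReport) -> Optional[Frame]:
    """First crash-stack frame outside KASAN/dump_stack: the code that touched the freed memory."""
    for fr in rep.crash:
        if fr.loc and not fr.loc.startswith(REPORTING_PATHS):
            return fr
    return None

def syscall_entry(stack: List[Frame]) -> Optional[str]:
    """Frame right above do_syscall_x64/do_syscall_64 (the syscall handler); None for kernel threads."""
    for i, fr in enumerate(stack):
        if fr.func in ("do_syscall_x64", "do_syscall_64") and i > 0:
            return stack[i - 1].func
    return None

def summarize(rep: KasanReport) -> str:
    ff = fault_frame(rep)
    where = f"{ff.func} ({ff.loc})" if ff else "unknown frame"
    return (f"{rep.bug}: {rep.access} of {rep.size} bytes at {rep.addr:#x} in {where}, "
            f"task {rep.task}/{rep.pid}; allocated by pid {rep.alloc_pid} via "
            f"{syscall_entry(rep.alloc)}, freed via {syscall_entry(rep.free)}")

# Constructed input: a trimmed excerpt of the crash report above.
SAMPLE = """\
BUG: KASAN: use-after-free in ext4_ext_binsearch fs/ext4/extents.c:785 [inline]
BUG: KASAN: use-after-free in ext4_find_extent+0xae9/0xcc0 fs/ext4/extents.c:905
Read of size 4 at addr ffff88804d40d238 by task kworker/u4:2/28410
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 kasan_report+0x19a/0x1f0 mm/kasan/report.c:459
 ext4_ext_binsearch fs/ext4/extents.c:785 [inline]
 ext4_find_extent+0xae9/0xcc0 fs/ext4/extents.c:905
 wb_workfn+0x41b/0x1430 fs/fs-writeback.c:2237
 ret_from_fork+0x1f/0x30

page last allocated via order 0, migratetype Movable, gfp_mask 0x1101cca(GFP_HIGHUSER_MOVABLE|__GFP_WRITE), pid 13548, ts 356891507738, free_ts 358251311809
 __alloc_pages+0x255/0x580 mm/page_alloc.c:5375
 ksys_write+0x18f/0x2c0 fs/read_write.c:647
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
page last free stack trace:
 truncate_inode_pages_range+0x492/0x12d0 mm/truncate.c:329
 __x64_sys_unlink+0x45/0x50 fs/namei.c:4215
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
"""
```

For the excerpt, summarize(parse_kasan_report(SAMPLE)) returns "use-after-free: Read of 4 bytes at 0xffff88804d40d238 in ext4_ext_binsearch (fs/ext4/extents.c:785), task kworker/u4:2/28410; allocated by pid 13548 via ksys_write, freed via __x64_sys_unlink", which is the picture a reader otherwise assembles by hand from the three stacks: a page allocated for a buffered write, freed when unlink evicted the inode, and read again by the writeback worker's extent lookup. Note that the free-stack syscall is taken from the frame above do_syscall_x64, so a kernel-thread stack such as the crash stack here yields None rather than a misleading name.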
Crashes (2):
Manager                           Time              Kernel    Commit        Syzkaller  Config   Log  Report  Syz repro  C repro  VM info  Title
ci-upstream-kasan-gce-smack-root  2021/10/20 05:19  upstream  d9abdee5fd5a  466b7db1   .config  log  report  -          -        info     KASAN: use-after-free Read in ext4_find_extent
ci-upstream-kasan-gce-smack-root  2021/08/19 00:50  upstream  614cb2751d31  a2fe1cb5   .config  log  report  -          -        info     KASAN: use-after-free Read in ext4_find_extent