syzbot


KASAN: use-after-free Read in ext4_find_extent

Status: auto-closed as invalid on 2022/02/17 05:19
Subsystems: ext4
[Documentation on labels]
Reported-by: syzbot+333dc3792ca8ce20b80c@syzkaller.appspotmail.com
First crash: 1009d, last: 947d
Discussions (1)
Title Replies (including bot) Last reply
[syzbot] KASAN: use-after-free Read in ext4_find_extent 0 (1) 2021/08/20 09:18
Similar bugs (8)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-5-10 KASAN: use-after-free Read in ext4_find_extent ext4 C error inconclusive 21 52d 515d 0/2 upstream: reported C repro on 2022/12/26 07:59
android-6-1 KASAN: use-after-free Read in ext4_find_extent missing-backport origin:lts C error 3 32d 341d 0/2 upstream: reported C repro on 2023/06/18 03:55
linux-5.15 KASAN: use-after-free Read in ext4_find_extent origin:lts-only C inconclusive 4 15d 309d 0/3 upstream: reported C repro on 2023/07/19 14:49
linux-6.1 KASAN: use-after-free Read in ext4_find_extent origin:upstream missing-backport C done 1 25d 248d 0/3 upstream: reported C repro on 2023/09/19 00:11
android-5-15 KASAN: use-after-free Read in ext4_find_extent ext4 origin:lts C error 9 8d13h 515d 0/2 upstream: reported C repro on 2022/12/26 07:59
upstream KASAN: use-after-free Read in ext4_find_extent (2) ext4 C error 2 385d 510d 22/26 fixed on 2023/06/08 14:41
upstream KASAN: use-after-free Read in ext4_find_extent (3) prio:low ext4 C error done 31 150d 331d 26/26 fixed on 2024/01/30 23:26
android-54 KASAN: slab-out-of-bounds Read in ext4_find_extent ext4 C 1 329d 515d 0/2 auto-obsoleted due to no activity on 2023/10/08 03:20

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in ext4_ext_binsearch fs/ext4/extents.c:785 [inline]
BUG: KASAN: use-after-free in ext4_find_extent+0xae9/0xcc0 fs/ext4/extents.c:905
Read of size 4 at addr ffff88804d40d238 by task kworker/u4:2/28410

CPU: 1 PID: 28410 Comm: kworker/u4:2 Not tainted 5.15.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: writeback wb_workfn (flush-7:3)
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1dc/0x2d8 lib/dump_stack.c:106
 print_address_description+0x66/0x3e0 mm/kasan/report.c:256
 __kasan_report mm/kasan/report.c:442 [inline]
 kasan_report+0x19a/0x1f0 mm/kasan/report.c:459
 ext4_ext_binsearch fs/ext4/extents.c:785 [inline]
 ext4_find_extent+0xae9/0xcc0 fs/ext4/extents.c:905
 ext4_ext_map_blocks+0x220/0x7220 fs/ext4/extents.c:4066
 ext4_map_blocks+0xaba/0x1cc0 fs/ext4/inode.c:637
 mpage_map_one_extent fs/ext4/inode.c:2393 [inline]
 mpage_map_and_submit_extent fs/ext4/inode.c:2446 [inline]
 ext4_writepages+0x1727/0x4080 fs/ext4/inode.c:2798
 do_writepages+0x49d/0x760 mm/page-writeback.c:2364
 __writeback_single_inode+0xd4/0x590 fs/fs-writeback.c:1616
 writeback_sb_inodes+0xd29/0x29e0 fs/fs-writeback.c:1881
 wb_writeback+0x41c/0x9b0 fs/fs-writeback.c:2053
 wb_do_writeback fs/fs-writeback.c:2196 [inline]
 wb_workfn+0x41b/0x1430 fs/fs-writeback.c:2237
 process_one_work+0x853/0x1140 kernel/workqueue.c:2297
 worker_thread+0xac1/0x1320 kernel/workqueue.c:2444
 kthread+0x453/0x480 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30

The buggy address belongs to the page:
page:ffffea0001350340 refcount:0 mapcount:0 mapping:0000000000000000 index:0x100 pfn:0x4d40d
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea00013528c8 ffffea00023ba7c8 0000000000000000
raw: 0000000000000100 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x1101cca(GFP_HIGHUSER_MOVABLE|__GFP_WRITE), pid 13548, ts 356891507738, free_ts 358251311809
 prep_new_page mm/page_alloc.c:2424 [inline]
 get_page_from_freelist+0x779/0xa30 mm/page_alloc.c:4153
 __alloc_pages+0x255/0x580 mm/page_alloc.c:5375
 __page_cache_alloc+0x79/0x1c0 mm/filemap.c:1022
 pagecache_get_page+0x7cf/0xe80 mm/filemap.c:1940
 grab_cache_page_write_begin+0x56/0x90 mm/filemap.c:3724
 ext4_da_write_begin+0x561/0x9b0 fs/ext4/inode.c:2961
 generic_perform_write+0x2dd/0x600 mm/filemap.c:3770
 ext4_buffered_write_iter+0x43b/0x5b0 fs/ext4/file.c:269
 ext4_file_write_iter+0x8f7/0x1bb0
 call_write_iter include/linux/fs.h:2163 [inline]
 new_sync_write fs/read_write.c:507 [inline]
 vfs_write+0xb11/0xe90 fs/read_write.c:594
 ksys_write+0x18f/0x2c0 fs/read_write.c:647
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1338 [inline]
 free_pcp_prepare+0xc29/0xd20 mm/page_alloc.c:1389
 free_unref_page_prepare mm/page_alloc.c:3315 [inline]
 free_unref_page_list+0x11f/0xa50 mm/page_alloc.c:3431
 release_pages+0x18cb/0x1b00 mm/swap.c:963
 __pagevec_release+0x7d/0xf0 mm/swap.c:983
 pagevec_release include/linux/pagevec.h:81 [inline]
 truncate_inode_pages_range+0x492/0x12d0 mm/truncate.c:329
 ext4_evict_inode+0x424/0xf70 fs/ext4/inode.c:222
 evict+0x2a4/0x620 fs/inode.c:588
 do_unlinkat+0x578/0xa10 fs/namei.c:4176
 __do_sys_unlink fs/namei.c:4217 [inline]
 __se_sys_unlink fs/namei.c:4215 [inline]
 __x64_sys_unlink+0x45/0x50 fs/namei.c:4215
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Memory state around the buggy address:
 ffff88804d40d100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88804d40d180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88804d40d200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                        ^
 ffff88804d40d280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88804d40d300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (2):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2021/10/20 05:19 upstream d9abdee5fd5a 466b7db1 .config console log report info ci-upstream-kasan-gce-smack-root KASAN: use-after-free Read in ext4_find_extent
2021/08/19 00:50 upstream 614cb2751d31 a2fe1cb5 .config console log report info ci-upstream-kasan-gce-smack-root KASAN: use-after-free Read in ext4_find_extent
* Struck through repros no longer work on HEAD.