syzbot


KASAN: use-after-free Read in dbJoin

Status: upstream: reported C repro on 2022/10/10 07:35
Subsystems: jfs
Reported-by: syzbot+667a6d667592227b1452@syzkaller.appspotmail.com
First crash: 593d, last: 8d05h
Cause bisection: failed (error log, bisect log)
Discussions (1)
| Title | Replies (including bot) | Last reply |
|---|---|---|
| [syzbot] KASAN: use-after-free Read in dbJoin | 0 (2) | 2022/11/06 20:02 |
Similar bugs (4)
| Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|
| linux-4.14 | KASAN: use-after-free Read in dbJoin | C | | | 2 | 458d | 606d | 0/1 | upstream: reported C repro on 2022/09/26 07:12 |
| linux-4.19 | KASAN: use-after-free Read in dbJoin | C | error | | 1 | 606d | 606d | 0/1 | upstream: reported C repro on 2022/09/26 15:15 |
| linux-6.1 | UBSAN: array-index-out-of-bounds in dbJoin origin:upstream | C | | | 5 | 7d10h | 10d | 0/3 | upstream: reported C repro on 2024/05/14 08:42 |
| linux-5.15 | UBSAN: array-index-out-of-bounds in dbJoin origin:upstream | C | | | 5 | 7d01h | 16d | 0/3 | upstream: reported C repro on 2024/05/08 02:35 |
Last patch testing requests (6)
| Created | Duration | User | Patch | Repo | Result |
|---|---|---|---|---|---|
| 2024/04/10 06:55 | 22m | retest repro | | upstream | error OK |
| 2024/03/10 10:07 | 21m | retest repro | | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | report log |
| 2024/02/25 09:33 | 11m | retest repro | | upstream | report log |
| 2024/01/24 23:38 | 18m | retest repro | | upstream | OK log |
| 2024/01/22 12:09 | 17m | retest repro | | upstream | OK log |
| 2023/09/09 13:33 | 12m | retest repro | | upstream | report log |
Fix bisection attempts (9)
| Created | Duration | User | Patch | Repo | Result |
|---|---|---|---|---|---|
| 2024/04/25 21:02 | 1h46m | bisect fix | | upstream | job log (0) log |
| 2023/11/15 21:07 | 1h10m | bisect fix | | upstream | job log (0) log |
| 2023/10/16 05:41 | 1h32m | bisect fix | | upstream | job log (0) log |
| 2023/07/01 10:06 | 45m | bisect fix | | upstream | job log (0) log |
| 2023/06/01 03:25 | 42m | bisect fix | | upstream | job log (0) log |
| 2023/05/01 13:22 | 44m | bisect fix | | upstream | job log (0) log |
| 2023/03/31 17:41 | 38m | bisect fix | | upstream | job log (0) log |
| 2023/03/01 16:31 | 1h09m | bisect fix | | upstream | job log (0) log |
| 2023/01/23 11:44 | 42m | bisect fix | | upstream | job log (0) log |

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in dbJoin+0x295/0x2b0 fs/jfs/jfs_dmap.c:2805
Read of size 1 at addr ffff8881788e1061 by task jfsCommit/112

CPU: 1 PID: 112 Comm: jfsCommit Not tainted 6.9.0-syzkaller-01768-ga5131c3fdf26 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:488
 kasan_report+0xd9/0x110 mm/kasan/report.c:601
 dbJoin+0x295/0x2b0 fs/jfs/jfs_dmap.c:2805
 dbFreeBits+0x15c/0x8f0 fs/jfs/jfs_dmap.c:2338
 dbFreeDmap+0x62/0x1b0 fs/jfs/jfs_dmap.c:2087
 dbFree+0x266/0x550 fs/jfs/jfs_dmap.c:409
 txFreeMap+0x788/0xe60 fs/jfs/jfs_txnmgr.c:2515
 xtTruncate+0x1e57/0x2c80 fs/jfs/jfs_xtree.c:2467
 jfs_free_zero_link+0x372/0x4f0 fs/jfs/namei.c:759
 jfs_evict_inode+0x423/0x4b0 fs/jfs/inode.c:153
 evict+0x2f0/0x6c0 fs/inode.c:667
 iput_final fs/inode.c:1741 [inline]
 iput.part.0+0x5a8/0x7f0 fs/inode.c:1767
 iput+0x5c/0x80 fs/inode.c:1757
 txUpdateMap+0xaf3/0xd20 fs/jfs/jfs_txnmgr.c:2367
 txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]
 jfs_lazycommit+0x5e6/0xb20 fs/jfs/jfs_txnmgr.c:2733
 kthread+0x2c4/0x3a0 kernel/kthread.c:388
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1788e1
flags: 0x57ff00000000000(node=1|zone=2|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 057ff00000000000 ffffea0005e23848 ffffea0005e23848 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)

Memory state around the buggy address:
 ffff8881788e0f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881788e0f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8881788e1000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                       ^
 ffff8881788e1080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881788e1100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:2900:31
index -3 is out of range for type 's8 [1365]'
CPU: 1 PID: 112 Comm: jfsCommit Tainted: G    B              6.9.0-syzkaller-01768-ga5131c3fdf26 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:114
 ubsan_epilogue lib/ubsan.c:231 [inline]
 __ubsan_handle_out_of_bounds+0x110/0x150 lib/ubsan.c:429
 dbAdjTree+0x383/0x3d0 fs/jfs/jfs_dmap.c:2900
 dbJoin+0x24b/0x2b0 fs/jfs/jfs_dmap.c:2841
 dbFreeBits+0x15c/0x8f0 fs/jfs/jfs_dmap.c:2338
 dbFreeDmap+0x62/0x1b0 fs/jfs/jfs_dmap.c:2087
 dbFree+0x266/0x550 fs/jfs/jfs_dmap.c:409
 txFreeMap+0x788/0xe60 fs/jfs/jfs_txnmgr.c:2515
 xtTruncate+0x1e57/0x2c80 fs/jfs/jfs_xtree.c:2467
 jfs_free_zero_link+0x372/0x4f0 fs/jfs/namei.c:759
 jfs_evict_inode+0x423/0x4b0 fs/jfs/inode.c:153
 evict+0x2f0/0x6c0 fs/inode.c:667
 iput_final fs/inode.c:1741 [inline]
 iput.part.0+0x5a8/0x7f0 fs/inode.c:1767
 iput+0x5c/0x80 fs/inode.c:1757
 txUpdateMap+0xaf3/0xd20 fs/jfs/jfs_txnmgr.c:2367
 txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]
 jfs_lazycommit+0x5e6/0xb20 fs/jfs/jfs_txnmgr.c:2733
 kthread+0x2c4/0x3a0 kernel/kthread.c:388
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
---[ end trace ]---

Crashes (106):
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2024/05/14 22:01 | upstream | a5131c3fdf26 | fdb4c10c | .config | strace log | report | syz | C | | [disk image] [vmlinux] [kernel image] [mounted in repro] | ci-upstream-kasan-badwrites-root | KASAN: use-after-free Read in dbJoin |
| 2024/03/25 18:47 | upstream | fe46a7dd189e | 0ea90952 | .config | strace log | report | syz | C | | [disk image] [vmlinux] [kernel image] [mounted in repro] | ci-upstream-kasan-gce-root | UBSAN: array-index-out-of-bounds in dbJoin |
| 2024/01/31 05:20 | upstream | 2a6526c4f389 | 7f400fcb | .config | strace log | report | syz | C | | [disk image] [vmlinux] [kernel image] [mounted in repro] | ci2-upstream-fs | UBSAN: array-index-out-of-bounds in dbJoin |
| 2024/02/01 19:21 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | 41bccc98fb79 | 81024119 | .config | console log | report | syz | C | | [disk image] [vmlinux] [kernel image] [mounted in repro] | ci-upstream-gce-arm64 | UBSAN: array-index-out-of-bounds in dbJoin |
| 2023/12/09 14:45 | upstream | f2e8a57ee903 | 28b24332 | .config | strace log | report | syz | C | | [disk image] [vmlinux] [kernel image] [mounted in repro] | ci2-upstream-fs | UBSAN: array-index-out-of-bounds in dbJoin |
| 2022/11/06 20:01 | upstream | b208b9fbbcba | 6d752409 | .config | strace log | report | syz | C | | [disk image] [vmlinux] [kernel image] [mounted in repro] | ci2-upstream-fs | UBSAN: array-index-out-of-bounds in dbJoin |
| 2024/05/14 12:21 | upstream | a5131c3fdf26 | fdb4c10c | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-badwrites-root | KASAN: use-after-free Read in dbJoin |
| 2024/05/14 01:34 | upstream | cd97950cbcab | fdb4c10c | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-badwrites-root | KASAN: use-after-free Read in dbJoin |
| 2024/05/14 02:56 | upstream | 6d1346f1bcbf | c97f7904 | .config | console log | report | | | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream | KASAN: use-after-free Read in dbJoin |
| 2024/05/14 01:45 | upstream | 6d1346f1bcbf | c97f7904 | .config | console log | report | | | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream | KASAN: use-after-free Read in dbJoin |
| 2024/05/14 01:34 | upstream | 6d1346f1bcbf | c97f7904 | .config | console log | report | | | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream | KASAN: use-after-free Read in dbJoin |
| 2024/05/14 01:34 | upstream | 6d1346f1bcbf | c97f7904 | .config | console log | report | | | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream | KASAN: use-after-free Read in dbJoin |
| 2022/10/09 08:45 | linux-next | aaa11ce2ffc8 | aea5da89 | .config | console log | report | | | info | [disk image] [vmlinux] | ci-upstream-linux-next-kasan-gce-root | KASAN: use-after-free Read in dbJoin |
| 2024/05/14 15:45 | upstream | a5131c3fdf26 | fdb4c10c | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-root | UBSAN: array-index-out-of-bounds in dbJoin |
| 2024/05/14 15:36 | upstream | a5131c3fdf26 | fdb4c10c | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-root | UBSAN: array-index-out-of-bounds in dbJoin |
| 2024/05/14 01:47 | upstream | cd97950cbcab | fdb4c10c | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-smack-root | UBSAN: array-index-out-of-bounds in dbJoin |
| 2024/05/14 01:47 | upstream | cd97950cbcab | fdb4c10c | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-smack-root | UBSAN: array-index-out-of-bounds in dbJoin |
| 2024/05/14 01:45 | upstream | cd97950cbcab | fdb4c10c | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-root | UBSAN: array-index-out-of-bounds in dbJoin |
| 2024/05/14 01:41 | upstream | cd97950cbcab | fdb4c10c | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-root | UBSAN: array-index-out-of-bounds in dbJoin |
| 2024/05/14 01:26 | upstream | cd97950cbcab | fdb4c10c | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-smack-root | UBSAN: array-index-out-of-bounds in dbJoin |
| 2024/05/14 01:26 | upstream | cd97950cbcab | fdb4c10c | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-smack-root | UBSAN: array-index-out-of-bounds in dbJoin |
| 2024/05/14 01:25 | upstream | cd97950cbcab | fdb4c10c | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-smack-root | UBSAN: array-index-out-of-bounds in dbJoin |
| 2024/05/14 01:25 | upstream | cd97950cbcab | fdb4c10c | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-smack-root | UBSAN: array-index-out-of-bounds in dbJoin |
| 2024/02/11 08:36 | upstream | a5b6244cf87c | 77b23aa1 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-upstream-fs | UBSAN: array-index-out-of-bounds in dbJoin |
| 2024/01/31 04:48 | upstream | 2a6526c4f389 | 7f400fcb | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-upstream-fs | UBSAN: array-index-out-of-bounds in dbJoin |
| 2024/01/08 10:49 | upstream | 0dd3ee311255 | d0304e9c | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-upstream-fs | UBSAN: array-index-out-of-bounds in dbJoin |
| 2024/01/06 11:48 | upstream | a4ab2706bb12 | d0304e9c | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-upstream-fs | UBSAN: array-index-out-of-bounds in dbJoin |
| 2024/01/05 02:24 | upstream | 5eff55d725a4 | 28c42cff | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-upstream-fs | UBSAN: array-index-out-of-bounds in dbJoin |
| 2024/01/04 04:45 | upstream | ac865f00af29 | 28c42cff | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-upstream-fs | UBSAN: array-index-out-of-bounds in dbJoin |
| 2024/01/02 02:14 | upstream | 610a9b8f49fb | fb427a07 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-upstream-fs | UBSAN: array-index-out-of-bounds in dbJoin |
| 2023/12/20 11:07 | upstream | 55cb5f43689d | 3ad490ea | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-upstream-fs | UBSAN: array-index-out-of-bounds in dbJoin |
| 2023/12/19 23:37 | upstream | 55cb5f43689d | 3ad490ea | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-upstream-fs | UBSAN: array-index-out-of-bounds in dbJoin |
| 2023/12/15 04:28 | upstream | c7402612e2e6 | 3222d10c | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-upstream-fs | UBSAN: array-index-out-of-bounds in dbJoin |
| 2023/12/12 08:38 | upstream | 26aff849438c | 28b24332 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-upstream-fs | UBSAN: array-index-out-of-bounds in dbJoin |
| 2023/12/09 14:18 | upstream | f2e8a57ee903 | 28b24332 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-upstream-fs | UBSAN: array-index-out-of-bounds in dbJoin |
| 2024/05/16 07:49 | upstream | 33e02dc69afb | ef5d53ed | .config | console log | report | | | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream-386 | BUG: unable to handle kernel paging request in dbJoin |
| 2024/05/16 07:44 | upstream | 33e02dc69afb | ef5d53ed | .config | console log | report | | | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream-386 | BUG: unable to handle kernel paging request in dbJoin |
| 2024/05/14 01:51 | upstream | 6d1346f1bcbf | c97f7904 | .config | console log | report | | | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream-386 | BUG: unable to handle kernel paging request in dbJoin |
| 2024/05/14 01:33 | upstream | 6d1346f1bcbf | c97f7904 | .config | console log | report | | | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream-386 | BUG: unable to handle kernel paging request in dbJoin |
| 2022/10/23 14:17 | upstream | d47136c28015 | c0b80a55 | .config | console log | report | | | info | [disk image] [vmlinux] | ci-upstream-kasan-gce-smack-root | UBSAN: array-index-out-of-bounds in dbJoin |
| 2023/01/28 21:56 | upstream | 5af6ce704936 | 7374c4e5 | .config | console log | report | | | info | | ci-qemu-upstream-386 | BUG: unable to handle kernel paging request in dbJoin |
| 2024/05/16 10:55 | linux-next | dbd9e2e056d8 | ef5d53ed | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-linux-next-kasan-gce-root | UBSAN: array-index-out-of-bounds in dbJoin |
| 2024/05/14 17:56 | linux-next | 26dd54d03cd9 | fdb4c10c | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-linux-next-kasan-gce-root | UBSAN: array-index-out-of-bounds in dbJoin |
| 2024/05/14 01:43 | linux-next | 6ba6c795dc73 | fdb4c10c | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-linux-next-kasan-gce-root | UBSAN: array-index-out-of-bounds in dbJoin |
| 2024/05/14 01:38 | linux-next | 6ba6c795dc73 | fdb4c10c | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-linux-next-kasan-gce-root | UBSAN: array-index-out-of-bounds in dbJoin |
| 2024/05/14 01:38 | linux-next | 6ba6c795dc73 | fdb4c10c | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-linux-next-kasan-gce-root | UBSAN: array-index-out-of-bounds in dbJoin |
| 2024/05/14 01:38 | linux-next | 6ba6c795dc73 | fdb4c10c | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-linux-next-kasan-gce-root | UBSAN: array-index-out-of-bounds in dbJoin |
| 2024/05/14 01:36 | linux-next | 6ba6c795dc73 | fdb4c10c | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-linux-next-kasan-gce-root | UBSAN: array-index-out-of-bounds in dbJoin |
| 2024/05/14 01:36 | linux-next | 6ba6c795dc73 | fdb4c10c | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-linux-next-kasan-gce-root | UBSAN: array-index-out-of-bounds in dbJoin |
| 2024/05/14 01:36 | linux-next | 6ba6c795dc73 | fdb4c10c | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-linux-next-kasan-gce-root | UBSAN: array-index-out-of-bounds in dbJoin |