syzbot


KASAN: use-after-free Read in dbJoin

Status: upstream: reported C repro on 2022/10/10 07:35
Subsystems: jfs
[Documentation on labels]
Reported-by: syzbot+667a6d667592227b1452@syzkaller.appspotmail.com
First crash: 804d, last: 1d00h
Cause bisection: failed (error log, bisect log)
  
Discussions (1)
Title Replies (including bot) Last reply
[syzbot] KASAN: use-after-free Read in dbJoin 0 (2) 2022/11/06 20:02
Similar bugs (4)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.14 KASAN: use-after-free Read in dbJoin C 2 669d 817d 0/1 upstream: reported C repro on 2022/09/26 07:12
linux-4.19 KASAN: use-after-free Read in dbJoin C error 1 816d 816d 0/1 upstream: reported C repro on 2022/09/26 15:15
linux-6.1 UBSAN: array-index-out-of-bounds in dbJoin origin:upstream C error 49 114d 221d 0/3 upstream: reported C repro on 2024/05/14 08:42
linux-5.15 UBSAN: array-index-out-of-bounds in dbJoin origin:upstream C 76 26d 227d 0/3 upstream: reported C repro on 2024/05/08 02:35
Last patch testing requests (8)
Created Duration User Patch Repo Result
2024/05/30 13:27 21m retest repro git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci error
2024/05/30 11:23 43m retest repro upstream error
2024/04/10 06:55 22m retest repro upstream error
2024/03/10 10:07 21m retest repro git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci report log
2024/02/25 09:33 11m retest repro upstream report log
2024/01/24 23:38 18m retest repro upstream OK log
2024/01/22 12:09 17m retest repro upstream OK log
2023/09/09 13:33 12m retest repro upstream report log
Fix bisection attempts (9)
Created Duration User Patch Repo Result
2024/04/25 21:02 1h46m bisect fix upstream OK (0) job log log
2023/11/15 21:07 1h10m bisect fix upstream OK (0) job log log
2023/10/16 05:41 1h32m bisect fix upstream OK (0) job log log
2023/07/01 10:06 45m bisect fix upstream OK (0) job log log
2023/06/01 03:25 42m bisect fix upstream OK (0) job log log
2023/05/01 13:22 44m bisect fix upstream OK (0) job log log
2023/03/31 17:41 38m bisect fix upstream OK (0) job log log
2023/03/01 16:31 1h09m bisect fix upstream OK (0) job log log
2023/01/23 11:44 42m bisect fix upstream OK (0) job log log

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in dbJoin+0x295/0x2b0 fs/jfs/jfs_dmap.c:2805
Read of size 1 at addr ffff8881788e1061 by task jfsCommit/112

CPU: 1 PID: 112 Comm: jfsCommit Not tainted 6.9.0-syzkaller-01768-ga5131c3fdf26 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:488
 kasan_report+0xd9/0x110 mm/kasan/report.c:601
 dbJoin+0x295/0x2b0 fs/jfs/jfs_dmap.c:2805
 dbFreeBits+0x15c/0x8f0 fs/jfs/jfs_dmap.c:2338
 dbFreeDmap+0x62/0x1b0 fs/jfs/jfs_dmap.c:2087
 dbFree+0x266/0x550 fs/jfs/jfs_dmap.c:409
 txFreeMap+0x788/0xe60 fs/jfs/jfs_txnmgr.c:2515
 xtTruncate+0x1e57/0x2c80 fs/jfs/jfs_xtree.c:2467
 jfs_free_zero_link+0x372/0x4f0 fs/jfs/namei.c:759
 jfs_evict_inode+0x423/0x4b0 fs/jfs/inode.c:153
 evict+0x2f0/0x6c0 fs/inode.c:667
 iput_final fs/inode.c:1741 [inline]
 iput.part.0+0x5a8/0x7f0 fs/inode.c:1767
 iput+0x5c/0x80 fs/inode.c:1757
 txUpdateMap+0xaf3/0xd20 fs/jfs/jfs_txnmgr.c:2367
 txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]
 jfs_lazycommit+0x5e6/0xb20 fs/jfs/jfs_txnmgr.c:2733
 kthread+0x2c4/0x3a0 kernel/kthread.c:388
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1788e1
flags: 0x57ff00000000000(node=1|zone=2|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 057ff00000000000 ffffea0005e23848 ffffea0005e23848 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)

Memory state around the buggy address:
 ffff8881788e0f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881788e0f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8881788e1000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                       ^
 ffff8881788e1080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881788e1100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:2900:31
index -3 is out of range for type 's8 [1365]'
CPU: 1 PID: 112 Comm: jfsCommit Tainted: G    B              6.9.0-syzkaller-01768-ga5131c3fdf26 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:114
 ubsan_epilogue lib/ubsan.c:231 [inline]
 __ubsan_handle_out_of_bounds+0x110/0x150 lib/ubsan.c:429
 dbAdjTree+0x383/0x3d0 fs/jfs/jfs_dmap.c:2900
 dbJoin+0x24b/0x2b0 fs/jfs/jfs_dmap.c:2841
 dbFreeBits+0x15c/0x8f0 fs/jfs/jfs_dmap.c:2338
 dbFreeDmap+0x62/0x1b0 fs/jfs/jfs_dmap.c:2087
 dbFree+0x266/0x550 fs/jfs/jfs_dmap.c:409
 txFreeMap+0x788/0xe60 fs/jfs/jfs_txnmgr.c:2515
 xtTruncate+0x1e57/0x2c80 fs/jfs/jfs_xtree.c:2467
 jfs_free_zero_link+0x372/0x4f0 fs/jfs/namei.c:759
 jfs_evict_inode+0x423/0x4b0 fs/jfs/inode.c:153
 evict+0x2f0/0x6c0 fs/inode.c:667
 iput_final fs/inode.c:1741 [inline]
 iput.part.0+0x5a8/0x7f0 fs/inode.c:1767
 iput+0x5c/0x80 fs/inode.c:1757
 txUpdateMap+0xaf3/0xd20 fs/jfs/jfs_txnmgr.c:2367
 txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]
 jfs_lazycommit+0x5e6/0xb20 fs/jfs/jfs_txnmgr.c:2733
 kthread+0x2c4/0x3a0 kernel/kthread.c:388
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
---[ end trace ]---

Crashes (910):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2024/05/14 22:01 upstream a5131c3fdf26 fdb4c10c .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-kasan-badwrites-root KASAN: use-after-free Read in dbJoin
2024/11/10 20:36 upstream a9cda7c0ffed 6b856513 .config strace log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2024/11/10 08:04 upstream de2f378f2b77 6b856513 .config strace log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2024/10/29 22:11 upstream e42b1a9a2557 66aeb999 .config strace log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-kasan-gce-root UBSAN: array-index-out-of-bounds in dbJoin
2024/10/15 17:20 upstream eca631b8fe80 7eb57b4a .config strace log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2024/03/25 18:47 upstream fe46a7dd189e 0ea90952 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-kasan-gce-root UBSAN: array-index-out-of-bounds in dbJoin
2024/01/31 05:20 upstream 2a6526c4f389 7f400fcb .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2024/02/01 19:21 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 41bccc98fb79 81024119 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-gce-arm64 UBSAN: array-index-out-of-bounds in dbJoin
2023/12/09 14:45 upstream f2e8a57ee903 28b24332 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2022/11/06 20:01 upstream b208b9fbbcba 6d752409 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2024/10/23 11:06 upstream c2ee9f594da8 15fa2979 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-badwrites-root KASAN: use-after-free Read in dbJoin
2024/10/22 17:15 upstream c2ee9f594da8 9d74f456 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-badwrites-root KASAN: use-after-free Read in dbJoin
2024/10/22 07:37 upstream c2ee9f594da8 a93682b3 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-badwrites-root KASAN: use-after-free Read in dbJoin
2024/10/21 17:09 upstream 42f7652d3eb5 a93682b3 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-badwrites-root KASAN: use-after-free Read in dbJoin
2024/10/19 21:24 upstream 9197b73fd7bb cd6fc0a3 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-badwrites-root KASAN: use-after-free Read in dbJoin
2024/10/17 13:59 upstream c964ced77262 666f77ed .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-badwrites-root KASAN: use-after-free Read in dbJoin
2024/05/14 02:56 upstream 6d1346f1bcbf c97f7904 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream KASAN: use-after-free Read in dbJoin
2022/10/09 08:45 linux-next aaa11ce2ffc8 aea5da89 .config console log report info [disk image] [vmlinux] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in dbJoin
2024/12/14 07:46 upstream f932fb9b4074 7cbfbb3a .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root UBSAN: array-index-out-of-bounds in dbJoin
2024/10/29 23:54 upstream e42b1a9a2557 66aeb999 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2024/10/27 00:39 upstream 850925a8133c 65e8686b .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root UBSAN: array-index-out-of-bounds in dbJoin
2024/10/26 21:32 upstream 850925a8133c 65e8686b .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root UBSAN: array-index-out-of-bounds in dbJoin
2024/10/25 21:28 upstream ae90f6a6170d 045e728d .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2024/10/25 14:00 upstream ae90f6a6170d 045e728d .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2024/10/24 02:41 upstream c2ee9f594da8 15fa2979 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2024/10/23 22:32 upstream c2ee9f594da8 15fa2979 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2024/10/23 17:24 upstream c2ee9f594da8 15fa2979 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2024/10/23 08:14 upstream c2ee9f594da8 15fa2979 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2024/10/23 07:08 upstream c2ee9f594da8 15fa2979 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2024/10/23 05:49 upstream c2ee9f594da8 15fa2979 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2024/10/20 16:49 upstream 715ca9dd687f cd6fc0a3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2024/10/19 23:22 upstream 3d5ad2d4eca3 cd6fc0a3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2024/10/17 18:11 upstream c964ced77262 666f77ed .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2024/10/17 17:11 upstream c964ced77262 666f77ed .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2024/10/17 08:40 upstream c964ced77262 666f77ed .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2024/10/16 14:02 upstream 2f87d0916ce0 bde2d81c .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2024/10/16 11:58 upstream 2f87d0916ce0 bde2d81c .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2024/10/16 08:13 upstream 2f87d0916ce0 bde2d81c .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2024/10/15 16:14 upstream eca631b8fe80 7eb57b4a .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2024/10/15 09:52 upstream eca631b8fe80 7eb57b4a .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2024/10/15 06:32 upstream eca631b8fe80 b01b6661 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2024/10/15 01:28 upstream eca631b8fe80 b01b6661 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2024/05/14 01:47 upstream cd97950cbcab fdb4c10c .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root UBSAN: array-index-out-of-bounds in dbJoin
2024/12/20 14:30 upstream 8faabc041a00 49cfeac8 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: array-index-out-of-bounds in dbJoin
2024/12/17 10:02 upstream f44d154d6e3d f93b2b55 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: array-index-out-of-bounds in dbJoin
2024/12/15 13:45 upstream 2d8308bf5b67 7cbfbb3a .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: array-index-out-of-bounds in dbJoin
2024/12/15 04:38 upstream 2d8308bf5b67 7cbfbb3a .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: array-index-out-of-bounds in dbJoin
2024/12/14 23:54 upstream a446e965a188 7cbfbb3a .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: array-index-out-of-bounds in dbJoin
2024/12/10 11:12 upstream 7cb1b4663150 cfc402b4 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: array-index-out-of-bounds in dbJoin
2024/12/08 06:54 upstream 7503345ac5f5 9ac0fdc6 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: array-index-out-of-bounds in dbJoin
2024/11/29 04:24 upstream 65ae975e97d5 5df23865 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: array-index-out-of-bounds in dbJoin
2024/11/28 11:27 upstream b86545e02e8c 5df23865 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: array-index-out-of-bounds in dbJoin
2024/11/23 09:18 upstream 06afb0f36106 68da6d95 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: array-index-out-of-bounds in dbJoin
2024/11/21 20:54 upstream 43fb83c17ba2 4b25d554 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: array-index-out-of-bounds in dbJoin
2024/11/21 08:07 upstream 8f7c8b88bda4 4b25d554 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: array-index-out-of-bounds in dbJoin
2024/11/19 00:41 upstream 9fb2cfa4635a 571351cb .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: array-index-out-of-bounds in dbJoin
2024/10/24 12:50 upstream c2ee9f594da8 c08e46d6 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root UBSAN: array-index-out-of-bounds in dbJoin
2024/05/16 07:49 upstream 33e02dc69afb ef5d53ed .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 BUG: unable to handle kernel paging request in dbJoin
2024/05/16 07:44 upstream 33e02dc69afb ef5d53ed .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 BUG: unable to handle kernel paging request in dbJoin
2024/10/30 13:13 linux-next 86e3904dcdc7 66aeb999 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root UBSAN: array-index-out-of-bounds in dbJoin
2024/10/18 23:06 linux-next 15e7d45e786a cd6fc0a3 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root UBSAN: array-index-out-of-bounds in dbJoin
2024/10/18 02:31 linux-next 15e7d45e786a 666f77ed .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root UBSAN: array-index-out-of-bounds in dbJoin
2024/10/16 20:49 linux-next 15e7d45e786a 666f77ed .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root UBSAN: array-index-out-of-bounds in dbJoin
2024/10/16 09:18 linux-next 15e7d45e786a bde2d81c .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root UBSAN: array-index-out-of-bounds in dbJoin
2024/10/16 01:16 linux-next b852e1e7a038 bde2d81c .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root UBSAN: array-index-out-of-bounds in dbJoin
2024/10/15 11:21 linux-next b852e1e7a038 14943bb8 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root UBSAN: array-index-out-of-bounds in dbJoin
* Struck through repros no longer work on HEAD.