syzbot


KASAN: use-after-free Read in dbJoin

Status: upstream: reported C repro on 2022/10/10 07:35
Subsystems: jfs
Reported-by: syzbot+667a6d667592227b1452@syzkaller.appspotmail.com
First crash: 526d, last: 8d21h
Cause bisection: failed (error log, bisect log)
Discussions (1)
Title Replies (including bot) Last reply
[syzbot] KASAN: use-after-free Read in dbJoin 0 (2) 2022/11/06 20:02
Similar bugs (2)
Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status
linux-4.14 | KASAN: use-after-free Read in dbJoin | C | | | 2 | 391d | 540d | 0/1 | upstream: reported C repro on 2022/09/26 07:12
linux-4.19 | KASAN: use-after-free Read in dbJoin | C | error | | 1 | 539d | 539d | 0/1 | upstream: reported C repro on 2022/09/26 15:15
Last patch testing requests (5)
Created Duration User Patch Repo Result
2024/03/10 10:07 21m retest repro git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci report log
2024/02/25 09:33 11m retest repro upstream report log
2024/01/24 23:38 18m retest repro upstream OK log
2024/01/22 12:09 17m retest repro upstream OK log
2023/09/09 13:33 12m retest repro upstream report log
Fix bisection attempts (8)
Created Duration User Patch Repo Result
2023/11/15 21:07 1h10m bisect fix upstream job log (0) log
2023/10/16 05:41 1h32m bisect fix upstream job log (0) log
2023/07/01 10:06 45m bisect fix upstream job log (0) log
2023/06/01 03:25 42m bisect fix upstream job log (0) log
2023/05/01 13:22 44m bisect fix upstream job log (0) log
2023/03/31 17:41 38m bisect fix upstream job log (0) log
2023/03/01 16:31 1h09m bisect fix upstream job log (0) log
2023/01/23 11:44 42m bisect fix upstream job log (0) log

Sample crash report:
------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:2778:24
index 1621 is out of range for type 's8[1365]' (aka 'signed char[1365]')
CPU: 1 PID: 109 Comm: jfsCommit Not tainted 6.8.0-rc2-syzkaller-00043-g2a6526c4f389 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
 ubsan_epilogue lib/ubsan.c:217 [inline]
 __ubsan_handle_out_of_bounds+0x11c/0x150 lib/ubsan.c:347
 dbJoin+0x2e9/0x310 fs/jfs/jfs_dmap.c:2778
 dbFreeBits+0x4ef/0xdb0 fs/jfs/jfs_dmap.c:2338
 dbFreeDmap fs/jfs/jfs_dmap.c:2087 [inline]
 dbFree+0x35b/0x670 fs/jfs/jfs_dmap.c:409
 txFreeMap+0x798/0xd50 fs/jfs/jfs_txnmgr.c:2534
 txUpdateMap+0x342/0x9e0
 txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]
 jfs_lazycommit+0x47f/0xb70 fs/jfs/jfs_txnmgr.c:2733
 kthread+0x2d3/0x370 kernel/kthread.c:388
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
 </TASK>
---[ end trace ]---
Kernel panic - not syncing: UBSAN: panic_on_warn set ...
CPU: 1 PID: 109 Comm: jfsCommit Not tainted 6.8.0-rc2-syzkaller-00043-g2a6526c4f389 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
 panic+0x349/0x850 kernel/panic.c:344
 check_panic_on_warn+0x82/0xa0 kernel/panic.c:237
 ubsan_epilogue lib/ubsan.c:222 [inline]
 __ubsan_handle_out_of_bounds+0x13c/0x150 lib/ubsan.c:347
 dbJoin+0x2e9/0x310 fs/jfs/jfs_dmap.c:2778
 dbFreeBits+0x4ef/0xdb0 fs/jfs/jfs_dmap.c:2338
 dbFreeDmap fs/jfs/jfs_dmap.c:2087 [inline]
 dbFree+0x35b/0x670 fs/jfs/jfs_dmap.c:409
 txFreeMap+0x798/0xd50 fs/jfs/jfs_txnmgr.c:2534
 txUpdateMap+0x342/0x9e0
 txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]
 jfs_lazycommit+0x47f/0xb70 fs/jfs/jfs_txnmgr.c:2733
 kthread+0x2d3/0x370 kernel/kthread.c:388
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
 </TASK>
Kernel Offset: disabled
Rebooting in 86400 seconds..

Crashes (19):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2024/01/31 05:20 upstream 2a6526c4f389 7f400fcb .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2024/02/01 19:21 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 41bccc98fb79 81024119 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-gce-arm64 UBSAN: array-index-out-of-bounds in dbJoin
2023/12/09 14:45 upstream f2e8a57ee903 28b24332 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2022/11/06 20:01 upstream b208b9fbbcba 6d752409 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2022/10/09 08:45 linux-next aaa11ce2ffc8 aea5da89 .config console log report info [disk image] [vmlinux] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in dbJoin
2024/02/11 08:36 upstream a5b6244cf87c 77b23aa1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2024/01/31 04:48 upstream 2a6526c4f389 7f400fcb .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2024/01/08 10:49 upstream 0dd3ee311255 d0304e9c .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2024/01/06 11:48 upstream a4ab2706bb12 d0304e9c .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2024/01/05 02:24 upstream 5eff55d725a4 28c42cff .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2024/01/04 04:45 upstream ac865f00af29 28c42cff .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2024/01/02 02:14 upstream 610a9b8f49fb fb427a07 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2023/12/20 11:07 upstream 55cb5f43689d 3ad490ea .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2023/12/19 23:37 upstream 55cb5f43689d 3ad490ea .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2023/12/15 04:28 upstream c7402612e2e6 3222d10c .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2023/12/12 08:38 upstream 26aff849438c 28b24332 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2023/12/09 14:18 upstream f2e8a57ee903 28b24332 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs UBSAN: array-index-out-of-bounds in dbJoin
2022/10/23 14:17 upstream d47136c28015 c0b80a55 .config console log report info [disk image] [vmlinux] ci-upstream-kasan-gce-smack-root UBSAN: array-index-out-of-bounds in dbJoin
2023/01/28 21:56 upstream 5af6ce704936 7374c4e5 .config console log report info ci-qemu-upstream-386 BUG: unable to handle kernel paging request in dbJoin