syzbot


KASAN: use-after-free Read in __ext4_check_dir_entry

Status: auto-obsoleted due to no activity on 2024/12/21 14:06
Bug presence: origin:upstream
Labels: missing-backport
Reported-by: syzbot+3f08b9d4d6ca05d557f8@syzkaller.appspotmail.com
First crash: 240d, last: 116d
Fix bisection: failed (error log, bisect log)
  
Bug presence (5)
Date       | Name                | Commit       | Repro | Result
2024/08/09 | android14-6.1 (ToT) | be8ff39d2e99 | C     | [report] KASAN: use-after-free Read in __ext4_check_dir_entry
2024/05/11 | lts (merge base)    | 883d1a956208 | C     | [report] KASAN: use-after-free Read in __ext4_check_dir_entry
2024/11/17 | lts (merge base)    | aa4cd140bba5 | C     | Didn't crash
2024/05/11 | upstream (ToT)      | cf87f46fd34d | C     | [report] KASAN: use-after-free Read in __ext4_check_dir_entry
2024/08/09 | upstream (ToT)      | ee9a43b7cfe2 | C     | Didn't crash
Similar bugs (8)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Read in __ext4_check_dir_entry (3) ext4 C inconclusive 6 2d03h 92d 0/28 upstream: reported C repro on 2024/10/06 17:11
linux-4.14 KASAN: use-after-free Read in __ext4_check_dir_entry C inconclusive 6 1566d 1669d 0/1 upstream: reported C repro on 2020/06/12 02:23
upstream KASAN: use-after-free Read in __ext4_check_dir_entry (2) ext4 C error 1 227d 237d 0/28 closed as dup on 2024/06/26 08:39
linux-5.15 KASAN: use-after-free Read in __ext4_check_dir_entry origin:upstream C 10 32d 218d 0/3 upstream: reported C repro on 2024/06/03 01:15
android-5-15 KASAN: use-after-free Read in __ext4_check_dir_entry missing-backport origin:upstream C error 4 68d 192d 0/2 upstream: reported C repro on 2024/06/28 13:26
upstream KASAN: use-after-free Read in __ext4_check_dir_entry ext4 C 8 2470d 2473d 22/28 closed as dup on 2018/03/31 22:38
android-5-10 KASAN: use-after-free Read in __ext4_check_dir_entry C error 2 123d 241d 0/2 auto-obsoleted due to no activity on 2024/12/26 18:56
linux-6.1 KASAN: use-after-free Read in __ext4_check_dir_entry 15 181d 218d 0/3 auto-obsoleted due to no activity on 2024/09/17 20:54
Last patch testing requests (1)
Created          | Duration | User         | Patch | Repo          | Result
2024/05/25 11:55 | 10m      | retest repro |       | android14-6.1 | [report] [log]
Fix bisection attempts (3)
Created          | Duration | User       | Patch | Repo          | Result
2024/10/15 02:22 | 0m       | bisect fix |       | android14-6.1 | error [job log]
2024/09/12 13:05 | 1h00m    | bisect fix |       | android14-6.1 | OK (0) [job log] [log]
2024/07/08 03:20 | 42m      | bisect fix |       | android14-6.1 | OK (0) [job log] [log]

Sample crash report:
EXT4-fs error (device loop3): ext4_read_inline_dir:1589: inode #12: block 7: comm syz-executor.3: path /root/syzkaller-testdir1225997388/syzkaller.M9PGfP/51/file1/file0: bad entry in directory: rec_len is smaller than minimal - offset=80, inode=0, rec_len=0, size=148 fake=0
==================================================================
BUG: KASAN: use-after-free in __ext4_check_dir_entry+0x700/0x880 fs/ext4/dir.c:85
Read of size 2 at addr ffff888144a38008 by task syz-executor.3/311

CPU: 0 PID: 311 Comm: syz-executor.3 Not tainted 6.1.78-syzkaller-00132-g92704e00b599 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:316 [inline]
 print_report+0x158/0x4e0 mm/kasan/report.c:427
 kasan_report+0x13c/0x170 mm/kasan/report.c:531
 __asan_report_load2_noabort+0x14/0x20 mm/kasan/report_generic.c:349
 __ext4_check_dir_entry+0x700/0x880 fs/ext4/dir.c:85
 empty_inline_dir+0x54f/0xa30 fs/ext4/inline.c:1856
 ext4_empty_dir+0x121/0xa10 fs/ext4/namei.c:3079
 ext4_rmdir+0x30b/0xad0 fs/ext4/namei.c:3176
 vfs_rmdir+0x398/0x500 fs/namei.c:4192
 do_rmdir+0x3ab/0x630 fs/namei.c:4253
 __do_sys_unlinkat fs/namei.c:4433 [inline]
 __se_sys_unlinkat fs/namei.c:4427 [inline]
 __x64_sys_unlinkat+0xdf/0xf0 fs/namei.c:4427
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fe5d387c6c7
Code: 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 07 01 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 
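
Both messages in the report above come out of the same per-entry validator, __ext4_check_dir_entry() in fs/ext4/dir.c. The EXT4-fs error line was emitted by ext4_read_inline_dir() (readdir on the inline directory) when the validator rejected the entry at offset 80 of a 148-byte inline area because inode=0 and rec_len=0; the KASAN splat is the rmdir path (ext4_rmdir -> ext4_empty_dir -> empty_inline_dir) calling the same validator, which then performed a 2-byte read from memory KASAN had already marked freed. The following is an added example, not code from syzbot, the reporter or the kernel tree: a user-space re-implementation of the validator's checks, in kernel order and with the kernel's messages, run over a constructed 148-byte buffer whose entry at offset 80 is all zeros, so that it reproduces the logged message. It assumes little-endian on-disk fields, no casefold or encryption (so no hash tail in the minimum record length), no metadata_csum, a page size below 64 KiB (so ext4_rec_len_from_disk() is a plain 16-bit load) and an s_inodes_count of 1000; SAMPLE_SIZE, SAMPLE_INODES, verdict_at_80() and the sample entries are this example's own names and data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Smallest record holding a name_len-byte name: 8-byte header + name, rounded up to 4
 * (EXT4_DIR_REC_LEN in fs/ext4/ext4.h); EXT4_DIR_REC_LEN(1) == 12. */
#define EXT4_DIR_ROUND 3
#define EXT4_DIR_REC_LEN(name_len) (((name_len) + 8 + EXT4_DIR_ROUND) & ~EXT4_DIR_ROUND)
#define SAMPLE_SIZE   148   /* constructed buffer; size=148 as in the log line above */
#define SAMPLE_INODES 1000  /* assumed s_inodes_count */

/* struct ext4_dir_entry_2 header at `off`: __le32 inode @0, __le16 rec_len @4, __u8 name_len @6, __u8 file_type @7. */
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t le32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }

/* is_fake_dir_entry(): "." or ".." (the checksum tail entry, file_type 0xDE, is not modelled). */
static int is_fake(const uint8_t *buf, unsigned size, unsigned off)
{
    const uint8_t *name = buf + off + 8;
    uint8_t nl = buf[off + 6];
    if (off + 10 > size) return 0;
    return nl > 0 && nl <= 2 && name[0] == '.' && (name[1] == '.' || name[1] == '\0');
}

/* The checks of __ext4_check_dir_entry() in kernel order; NULL means the entry passes,
 * otherwise the message the kernel logs. The header-in-bounds guard is an addition: in the
 * kernel the previous entry's "too close to block end" check is what provides it. */
static const char *check_dir_entry(const uint8_t *buf, unsigned size, unsigned off, uint32_t inodes_count)
{
    if (off + 8 > size) return "directory entry header outside buffer";
    unsigned rlen = le16(buf + off + 4);   /* ext4_rec_len_from_disk() with PAGE_SIZE < 64K */
    unsigned next = off + rlen;
    if (rlen < EXT4_DIR_REC_LEN(1)) return "rec_len is smaller than minimal";
    if (rlen % 4 != 0) return "rec_len % 4 != 0";
    if (rlen < EXT4_DIR_REC_LEN(buf[off + 6])) return "rec_len is too small for name_len";
    if (next > size) return "directory entry overrun";
    if (next > size - EXT4_DIR_REC_LEN(1) && next != size) return "directory entry too close to block end";
    if (le32(buf + off) > inodes_count) return "inode out of bounds";
    return NULL;
}

/* Walks entries as empty_inline_dir()/ext4_readdir() do; returns the offset of the first
 * rejected entry (size when all pass) and the reason in *msg. */
static unsigned scan_dir(const uint8_t *buf, unsigned size, uint32_t inodes_count, const char **msg)
{
    unsigned off = 0;
    for (*msg = NULL; off < size; off += le16(buf + off + 4)) {
        *msg = check_dir_entry(buf, size, off, inodes_count);
        if (*msg) break;
    }
    return off;
}

/* Writes one entry in on-disk (little-endian) order; file_type 1 = EXT4_FT_REG_FILE. */
static void put_entry(uint8_t *buf, unsigned off, uint32_t ino, uint16_t rlen, const char *name)
{
    uint8_t nl = (uint8_t)strlen(name);
    for (int i = 0; i < 4; i++) buf[off + i] = (uint8_t)(ino >> 8 * i);
    buf[off + 4] = (uint8_t)rlen; buf[off + 5] = (uint8_t)(rlen >> 8);
    buf[off + 6] = nl; buf[off + 7] = 1;
    memcpy(buf + off + 8, name, nl);
}

/* Constructed sample: two valid entries, then an all-zero entry at offset 80. */
static void build_sample(uint8_t buf[SAMPLE_SIZE])
{
    memset(buf, 0, SAMPLE_SIZE);
    put_entry(buf, 0, 13, 12, "a");    /* exactly EXT4_DIR_REC_LEN(1) */
    put_entry(buf, 12, 14, 68, "b");   /* slack so the next entry starts at offset 80 */
}

/* Scans the sample and formats the kernel's "bad entry in directory" line for the hit. */
static const char *sample_error_line(void)
{
    static uint8_t buf[SAMPLE_SIZE];
    static char line[160];
    const char *msg;
    build_sample(buf);
    unsigned off = scan_dir(buf, SAMPLE_SIZE, SAMPLE_INODES, &msg);
    if (!msg) return "";
    snprintf(line, sizeof line, "bad entry in directory: %s - offset=%u, inode=%u, rec_len=%u, size=%u fake=%d",
             msg, off, (unsigned)le32(buf + off), (unsigned)le16(buf + off + 4), (unsigned)SAMPLE_SIZE,
             is_fake(buf, SAMPLE_SIZE, off));
    return line;
}

/* Rebuilds the sample with a different entry at offset 80; "" means it passes. */
static const char *verdict_at_80(uint32_t ino, uint16_t rlen, const char *name)
{
    static uint8_t buf[SAMPLE_SIZE];
    build_sample(buf);
    put_entry(buf, 80, ino, rlen, name);
    const char *m = check_dir_entry(buf, SAMPLE_SIZE, 80, SAMPLE_INODES);
    return m ? m : "";
}

/* Prints the reproduced log line; exit status 1 if a well-formed replacement entry is rejected. */
int main(void) { puts(sample_error_line()); return verdict_at_80(15, 68, "c")[0] != '\0'; }
```

Run stand-alone, the program prints the same "bad entry in directory: rec_len is smaller than minimal - offset=80, inode=0, rec_len=0, size=148 fake=0" text that follows the device/inode/path prefix in the log line above; verdict_at_80() lets you poke at the other rejection paths (an odd rec_len, a rec_len too short for the name, an entry running past or stopping within 12 bytes of the end, an inode number above s_inodes_count). Note what these checks cannot do: every one of them is a value check on bytes the function has already loaded, so none of them helps when, as the KASAN report says, the load itself hits memory that has been freed.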

Crashes (4):
Time             | Kernel        | Commit       | Syzkaller | Config  | Log         | Report | Syz repro | C repro | VM info | Assets                                                   | Manager         | Title
2024/06/01 04:43 | android14-6.1 | 92704e00b599 | 3113787f  | .config | console log | report |           |         | info    | [disk image] [vmlinux] [kernel image]                    | ci2-android-6-1 | KASAN: use-after-free Read in __ext4_check_dir_entry
2024/06/01 04:42 | android14-6.1 | 92704e00b599 | 3113787f  | .config | console log | report |           |         | info    | [disk image] [vmlinux] [kernel image]                    | ci2-android-6-1 | KASAN: use-after-free Read in __ext4_check_dir_entry
2024/06/01 04:42 | android14-6.1 | 92704e00b599 | 3113787f  | .config | console log | report |           |         | info    | [disk image] [vmlinux] [kernel image]                    | ci2-android-6-1 | KASAN: use-after-free Read in __ext4_check_dir_entry
2024/05/11 11:52 | android14-6.1 | 4d55129aea65 | 9026e142  | .config | strace log  | report | syz       | C       |         | [disk image] [vmlinux] [kernel image] [mounted in repro] | ci2-android-6-1 | KASAN: use-after-free Read in __ext4_check_dir_entry
* Struck through repros no longer work on HEAD.