syzbot

KASAN: use-after-free Read in ext4_data_block_valid

Status: auto-closed as invalid on 2019/06/29 18:27
Reported-by: syzbot+5879b432a850c9a2795a@syzkaller.appspotmail.com
First crash: 2723d, last: 2490d
Similar bugs (6)
Kernel | Title | Rank | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status
linux-4.14 | KASAN: use-after-free Read in ext4_data_block_valid | 19 | - | - | - | 5 | 1975d | 2263d | 0/1 | auto-closed as invalid on 2020/09/26 20:10
android-414 | KASAN: use-after-free Read in ext4_data_block_valid (2) | 19 | - | - | - | 6 | 2164d | 2226d | 0/1 | auto-closed as invalid on 2020/03/21 21:05
upstream | KASAN: use-after-free Read in ext4_data_block_valid ext4 | 19 | - | - | - | 108 | 2286d | 2733d | 13/29 | fixed on 2019/10/15 23:40
android-414 | KASAN: use-after-free Read in ext4_data_block_valid | 19 | - | - | - | 12 | 2417d | 2388d | 0/1 | auto-closed as invalid on 2019/09/11 10:38
linux-4.19 | KASAN: use-after-free Read in ext4_data_block_valid | 19 | - | - | - | 2 | 2222d | 2285d | 0/1 | auto-closed as invalid on 2020/01/24 00:27
android-49 | KASAN: use-after-free Read in ext4_data_block_valid (2) | 19 | - | - | - | 1 | 2162d | 2162d | 0/3 | auto-closed as invalid on 2020/03/24 07:08

Sample crash report:
EXT4-fs (sda1): Remounting file system with no journal so ignoring journalled data option
==================================================================
BUG: KASAN: use-after-free in ext4_data_block_valid+0x28d/0x2e0 fs/ext4/block_validity.c:210
Read of size 8 at addr ffff8801d531cbb0 by task syz-executor3/2116

CPU: 0 PID: 2116 Comm: syz-executor3 Not tainted 4.9.148+ #1
 ffff8801a8c073e8 ffffffff81b44d01 0000000000000000 ffffea000754c700
 ffff8801d531cbb0 0000000000000008 ffffffff817bbe2d ffff8801a8c07420
 ffffffff815020d5 0000000000000000 ffff8801d531cbb0 ffff8801d531cbb0
Call Trace:
 [<ffffffff81b44d01>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81b44d01>] dump_stack+0xc1/0x120 lib/dump_stack.c:51
 [<ffffffff815020d5>] print_address_description+0x6f/0x238 mm/kasan/report.c:256
 [<ffffffff8150232a>] kasan_report_error mm/kasan/report.c:355 [inline]
 [<ffffffff8150232a>] kasan_report mm/kasan/report.c:412 [inline]
 [<ffffffff8150232a>] kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:397
 [<ffffffff814f4524>] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 [<ffffffff817bbe2d>] ext4_data_block_valid+0x28d/0x2e0 fs/ext4/block_validity.c:210
 [<ffffffff816cacc1>] __check_block_validity.constprop.0+0xc1/0x210 fs/ext4/inode.c:378
 [<ffffffff816cc7f7>] ext4_map_blocks+0xdb7/0x1710 fs/ext4/inode.c:568
 [<ffffffff816cf2a7>] ext4_getblk+0x307/0x490 fs/ext4/inode.c:943
 [<ffffffff816fa713>] ext4_find_entry+0xa43/0x12b0 fs/ext4/namei.c:1420
 [<ffffffff816fb0b9>] ext4_lookup fs/ext4/namei.c:1559 [inline]
 [<ffffffff816fb0b9>] ext4_lookup+0x139/0x5e0 fs/ext4/namei.c:1545
 [<ffffffff8152c0cb>] lookup_slow+0x24b/0x480 fs/namei.c:1709
 [<ffffffff8153d3b6>] mountpoint_last fs/namei.c:2698 [inline]
 [<ffffffff8153d3b6>] path_mountpoint+0x376/0x6d0 fs/namei.c:2738
 [<ffffffff81541abf>] filename_mountpoint+0x17f/0x350 fs/namei.c:2758
 [<ffffffff815431ba>] user_path_mountpoint_at+0x3a/0x50 fs/namei.c:2788
 [<ffffffff81579316>] SYSC_umount fs/namespace.c:1722 [inline]
 [<ffffffff81579316>] SyS_umount+0x136/0xd30 fs/namespace.c:1706
 [<ffffffff810056bd>] do_syscall_64+0x1ad/0x570 arch/x86/entry/common.c:285
 [<ffffffff82812993>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb

Allocated by task 1:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack mm/kasan/kasan.c:505 [inline]
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_kmalloc.part.0+0x62/0xf0 mm/kasan/kasan.c:609
 kasan_kmalloc+0xb7/0xd0 mm/kasan/kasan.c:594
 kasan_slab_alloc+0xf/0x20 mm/kasan/kasan.c:547
 slab_post_alloc_hook mm/slab.h:417 [inline]
 slab_alloc_node mm/slub.c:2715 [inline]
 slab_alloc mm/slub.c:2723 [inline]
 kmem_cache_alloc+0xd5/0x2b0 mm/slub.c:2728
 add_system_zone+0x2a4/0x540 fs/ext4/block_validity.c:84
 ext4_setup_system_zone+0x303/0x480 fs/ext4/block_validity.c:168
 ext4_fill_super+0x6c62/0xb7a0 fs/ext4/super.c:4180
 mount_bdev+0x2b8/0x360 fs/super.c:1100
 ext4_mount+0x35/0x40 fs/ext4/super.c:5613
 mount_fs+0x27c/0x380 fs/super.c:1206
 vfs_kern_mount.part.0+0xcd/0x4c0 fs/namespace.c:1000
 vfs_kern_mount fs/namespace.c:982 [inline]
 do_new_mount fs/namespace.c:2549 [inline]
 do_mount+0x3c4/0x2970 fs/namespace.c:2871
 SYSC_mount fs/namespace.c:3087 [inline]
 SyS_mount+0xab/0x120 fs/namespace.c:3064
 do_mount_root init/do_mounts.c:366 [inline]
 mount_block_root+0x304/0x6bd init/do_mounts.c:396
 mount_root+0x77/0x7a init/do_mounts.c:541
 prepare_namespace+0x1de/0x21d init/do_mounts.c:601
 kernel_init_freeable+0x3a5/0x3c3 init/main.c:1036
 kernel_init+0x12/0x163 init/main.c:946
 ret_from_fork+0x5c/0x70 arch/x86/entry/entry_64.S:373

Freed by task 4787:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack mm/kasan/kasan.c:505 [inline]
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_slab_free+0xb0/0x190 mm/kasan/kasan.c:582
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kmem_cache_free+0xbe/0x310 mm/slub.c:2980
 ext4_release_system_zone+0x6f/0xf0 fs/ext4/block_validity.c:186
 ext4_setup_system_zone+0x3c3/0x480 fs/ext4/block_validity.c:150
 ext4_remount+0x7b8/0x1c50 fs/ext4/super.c:5105
 do_remount_sb2+0x340/0x7a0 fs/super.c:825
 do_remount fs/namespace.c:2364 [inline]
 do_mount+0x1368/0x2970 fs/namespace.c:2862
 SYSC_mount fs/namespace.c:3087 [inline]
 SyS_mount+0xab/0x120 fs/namespace.c:3064
 do_syscall_64+0x1ad/0x570 arch/x86/entry/common.c:285
 entry_SYSCALL_64_after_swapgs+0x5d/0xdb

The buggy address belongs to the object at ffff8801d531cb98
 which belongs to the cache ext4_system_zone of size 40
The buggy address is located 24 bytes inside of
 40-byte region [ffff8801d531cb98, ffff8801d531cbc0)
The buggy address belongs to the page:
page:ffffea000754c700 count:1 mapcount:0 mapping:          (null) index:0x0
flags: 0x4000000000000080(slab)
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801d531ca80: fb fb fb fb fb fc fc fb fb fb fb fb fc fc fb fb
 ffff8801d531cb00: fb fb fb fc fc fb fb fb fb fb fc fc fb fb fb fb
>ffff8801d531cb80: fb fc fc fb fb fb fb fb fc fc fc fc fc fc fc fc
                                     ^
 ffff8801d531cc00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8801d531cc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Crashes (21):
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title
2018/12/31 18:26 | https://android.googlesource.com/kernel/common android-4.9 | 9f23a833fdcd | 2b42fdc8 | .config | console log | report | - | - | - | - | ci-android-49-kasan-gce-root | -
2018/12/10 05:07 | https://android.googlesource.com/kernel/common android-4.9 | 860c8b893191 | 96cc4c50 | .config | console log | report | - | - | - | - | ci-android-49-kasan-gce-root | -
2018/11/25 09:35 | https://android.googlesource.com/kernel/common android-4.9 | f44ed2c9232d | 3d3ec907 | .config | console log | report | - | - | - | - | ci-android-49-kasan-gce-root | -
2018/11/18 00:21 | https://android.googlesource.com/kernel/common android-4.9 | 109a48ed2f69 | adf636a8 | .config | console log | report | - | - | - | - | ci-android-49-kasan-gce-root | -
2018/09/07 05:20 | https://android.googlesource.com/kernel/common android-4.9 | dcae9fa1319b | e30d3b52 | .config | console log | report | - | - | - | - | ci-android-49-kasan-gce-root | -
2018/09/04 19:34 | https://android.googlesource.com/kernel/common android-4.9 | a06ea261bc2a | a4718693 | .config | console log | report | - | - | - | - | ci-android-49-kasan-gce-root | -
2018/09/03 08:07 | https://android.googlesource.com/kernel/common android-4.9 | a06ea261bc2a | a4718693 | .config | console log | report | - | - | - | - | ci-android-49-kasan-gce-root | -
2018/09/03 01:53 | https://android.googlesource.com/kernel/common android-4.9 | a06ea261bc2a | a4718693 | .config | console log | report | - | - | - | - | ci-android-49-kasan-gce-root | -
2018/09/02 05:25 | https://android.googlesource.com/kernel/common android-4.9 | a06ea261bc2a | a4718693 | .config | console log | report | - | - | - | - | ci-android-49-kasan-gce-root | -
2018/09/01 12:20 | https://android.googlesource.com/kernel/common android-4.9 | a06ea261bc2a | a4718693 | .config | console log | report | - | - | - | - | ci-android-49-kasan-gce-root | -
2018/08/31 14:40 | https://android.googlesource.com/kernel/common android-4.9 | 09eb2ba5ed0c | a4718693 | .config | console log | report | - | - | - | - | ci-android-49-kasan-gce-root | -
2018/08/26 14:34 | https://android.googlesource.com/kernel/common android-4.9 | 09eb2ba5ed0c | 758cd203 | .config | console log | report | - | - | - | - | ci-android-49-kasan-gce-root | -
2018/08/25 13:51 | https://android.googlesource.com/kernel/common android-4.9 | 09eb2ba5ed0c | 9be5aa1d | .config | console log | report | - | - | - | - | ci-android-49-kasan-gce-root | -
2018/07/24 02:43 | https://android.googlesource.com/kernel/common android-4.9 | 47bbcd6bf8f9 | 912c93d7 | .config | console log | report | - | - | - | - | ci-android-49-kasan-gce-root | -
2018/07/23 01:01 | https://android.googlesource.com/kernel/common android-4.9 | 47bbcd6bf8f9 | 8cc079c3 | .config | console log | report | - | - | - | - | ci-android-49-kasan-gce-root | -
2018/07/23 00:41 | https://android.googlesource.com/kernel/common android-4.9 | 47bbcd6bf8f9 | 8cc079c3 | .config | console log | report | - | - | - | - | ci-android-49-kasan-gce-root | -
2018/07/21 05:02 | https://android.googlesource.com/kernel/common android-4.9 | 47bbcd6bf8f9 | af255b09 | .config | console log | report | - | - | - | - | ci-android-49-kasan-gce-root | -
2018/07/19 23:07 | https://android.googlesource.com/kernel/common android-4.9 | 47bbcd6bf8f9 | 49f35839 | .config | console log | report | - | - | - | - | ci-android-49-kasan-gce-root | -
2018/07/15 18:02 | https://android.googlesource.com/kernel/common android-4.9 | 9e7903954483 | 92a49505 | .config | console log | report | - | - | - | - | ci-android-49-kasan-gce-root | -
2018/07/14 22:34 | https://android.googlesource.com/kernel/common android-4.9 | 9e7903954483 | 92a49505 | .config | console log | report | - | - | - | - | ci-android-49-kasan-gce-root | -
2018/05/13 03:23 | https://android.googlesource.com/kernel/common android-4.9 | c2f9bce9fee8 | e726f42b | .config | console log | report | - | - | - | - | ci-android-49-kasan-gce-root | -