syzbot

 sign-in | mailing list | source | docs
🐞 Open [92] 🐞 Fixed [21] 🐞 Invalid [235] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes 💬 Send us feedback

KASAN: slab-out-of-bounds Read in ext4_find_extent

Status: upstream: reported C repro on 2022/12/26 07:49
Labels: ext4 (incorrect?)
Reported-by: syzbot+d6e87e18ba4a4e9dae00@syzkaller.appspotmail.com
First crash: 165d, last: 49d
Similar bugs (5)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-5-10 KASAN: use-after-free Read in ext4_find_extent ext4 C error inconclusive 18 18d 165d 0/2 upstream: reported C repro on 2022/12/26 07:59
android-6-1 KASAN: use-after-free Read in ext4_find_extent 1 8d07h 8d07h 0/2 premoderation: reported on 2023/06/01 08:27
upstream KASAN: use-after-free Read in ext4_find_extent 2 597d 658d 0/24 auto-closed as invalid on 2022/02/17 05:19
android-5-15 KASAN: use-after-free Read in ext4_find_extent ext4 origin:lts C error 6 8d07h 165d 0/2 upstream: reported C repro on 2022/12/26 07:59
upstream KASAN: use-after-free Read in ext4_find_extent (2) ext4 C error 2 35d 160d 24/24 fixed on 2023/06/08 14:41
Last patch testing requests (1)
Created Duration User Patch Repo Result
2023/04/21 00:26 23m retest repro android12-5.4 report log

Sample crash report:
==================================================================
BUG: KASAN: slab-out-of-bounds in ext4_ext_binsearch_idx fs/ext4/extents.c:796 [inline]
BUG: KASAN: slab-out-of-bounds in ext4_find_extent+0x7ae/0xdc0 fs/ext4/extents.c:958
Read of size 4 at addr ffff8881e645eda8 by task syz-executor259/298

CPU: 0 PID: 298 Comm: syz-executor259 Not tainted 5.4.219-syzkaller-00012-ga8aad8851131 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d8/0x241 lib/dump_stack.c:118
 print_address_description+0x8c/0x630 mm/kasan/report.c:384
 __kasan_report+0xf6/0x130 mm/kasan/report.c:516
 kasan_report+0x30/0x60 mm/kasan/common.c:653
 ext4_ext_binsearch_idx fs/ext4/extents.c:796 [inline]
 ext4_find_extent+0x7ae/0xdc0 fs/ext4/extents.c:958
 ext4_clu_mapped+0x9d/0x790 fs/ext4/extents.c:6026
 ext4_insert_delayed_block fs/ext4/inode.c:1830 [inline]
 ext4_da_map_blocks fs/ext4/inode.c:1941 [inline]
 ext4_da_get_block_prep+0x9cc/0x13a0 fs/ext4/inode.c:2005
 __block_write_begin_int+0x6df/0x1810 fs/buffer.c:1980
 ext4_da_convert_inline_data_to_extent fs/ext4/inline.c:844 [inline]
 ext4_da_write_inline_data_begin+0x512/0xbe0 fs/ext4/inline.c:917
 ext4_da_write_begin+0x532/0xf80 fs/ext4/inode.c:3127
 generic_perform_write+0x2f9/0x5a0 mm/filemap.c:3311
 __generic_file_write_iter+0x239/0x490 mm/filemap.c:3440
 ext4_file_write_iter+0x495/0x10e0 fs/ext4/file.c:270
 call_write_iter include/linux/fs.h:1976 [inline]
 new_sync_write fs/read_write.c:483 [inline]
 __vfs_write+0x5e3/0x780 fs/read_write.c:496
 vfs_write+0x210/0x4f0 fs/read_write.c:558
 ksys_write+0x198/0x2c0 fs/read_write.c:611
 do_syscall_64+0xcb/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1

Allocated by task 234:
 save_stack mm/kasan/common.c:70 [inline]
 set_track mm/kasan/common.c:78 [inline]
 __kasan_kmalloc+0x131/0x1e0 mm/kasan/common.c:529
 slab_post_alloc_hook mm/slab.h:584 [inline]
 slab_alloc_node mm/slub.c:2829 [inline]
 slab_alloc mm/slub.c:2837 [inline]
 kmem_cache_alloc+0xd0/0x210 mm/slub.c:2842
 __d_alloc+0x2a/0x6a0 fs/dcache.c:1690
 d_alloc fs/dcache.c:1769 [inline]
 d_alloc_parallel+0xe6/0x1310 fs/dcache.c:2521
 __lookup_slow+0x15a/0x450 fs/namei.c:1731
 lookup_slow+0x53/0x70 fs/namei.c:1765
 walk_component+0x62a/0xb30 fs/namei.c:1885
 lookup_last fs/namei.c:2348 [inline]
 path_lookupat+0x188/0x3f0 fs/namei.c:2393
 filename_lookup+0x223/0x6a0 fs/namei.c:2423
 user_path_at include/linux/namei.h:49 [inline]
 do_faccessat+0x367/0x780 fs/open.c:398
 do_syscall_64+0xcb/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1

Freed by task 16:
 save_stack mm/kasan/common.c:70 [inline]
 set_track mm/kasan/common.c:78 [inline]
 kasan_set_free_info mm/kasan/common.c:345 [inline]
 __kasan_slab_free+0x178/0x240 mm/kasan/common.c:487
 slab_free_hook mm/slub.c:1455 [inline]
 slab_free_freelist_hook+0x80/0x150 mm/slub.c:1494
 slab_free mm/slub.c:3080 [inline]
 kmem_cache_free+0xa9/0x1d0 mm/slub.c:3096
 __rcu_reclaim kernel/rcu/rcu.h:222 [inline]
 rcu_do_batch+0x49e/0xa10 kernel/rcu/tree.c:2167
 rcu_core+0x4ba/0xca0 kernel/rcu/tree.c:2387
 __do_softirq+0x23e/0x643 kernel/softirq.c:292

The buggy address belongs to the object at ffff8881e645ecc0
 which belongs to the cache dentry of size 208
The buggy address is located 24 bytes to the right of
 208-byte region [ffff8881e645ecc0, ffff8881e645ed90)
The buggy address belongs to the page:
page:ffffea0007991780 refcount:1 mapcount:0 mapping:ffff8881f5cf9680 index:0x0
flags: 0x8000000000000200(slab)
raw: 8000000000000200 dead000000000100 dead000000000122 ffff8881f5cf9680
raw: 0000000000000000 00000000000f000f 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Reclaimable, gfp_mask 0x12cd0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_RECLAIMABLE)
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook mm/page_alloc.c:2165 [inline]
 prep_new_page+0x194/0x380 mm/page_alloc.c:2171
 get_page_from_freelist+0x524/0x560 mm/page_alloc.c:3794
 __alloc_pages_nodemask+0x372/0x860 mm/page_alloc.c:4891
 alloc_slab_page+0x39/0x3e0 mm/slub.c:343
 allocate_slab mm/slub.c:1683 [inline]
 new_slab+0x97/0x450 mm/slub.c:1749
 new_slab_objects mm/slub.c:2505 [inline]
 ___slab_alloc+0x320/0x4a0 mm/slub.c:2667
 __slab_alloc+0x5a/0x90 mm/slub.c:2707
 slab_alloc_node mm/slub.c:2792 [inline]
 slab_alloc mm/slub.c:2837 [inline]
 kmem_cache_alloc+0x100/0x210 mm/slub.c:2842
 __d_alloc+0x2a/0x6a0 fs/dcache.c:1690
 d_alloc fs/dcache.c:1769 [inline]
 d_alloc_parallel+0xe6/0x1310 fs/dcache.c:2521
 lookup_open fs/namei.c:3222 [inline]
 do_last fs/namei.c:3401 [inline]
 path_openat+0x102c/0x3ea0 fs/namei.c:3614
 do_filp_open+0x208/0x450 fs/namei.c:3644
 do_sys_open+0x393/0x7e0 fs/open.c:1113
 do_syscall_64+0xcb/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1
page_owner free stack trace missing

Memory state around the buggy address:
 ffff8881e645ec80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
 ffff8881e645ed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881e645ed80: fb fb fc fc fc fc fc fc fc fc fb fb fb fb fb fb

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2022/12/26 07:49 android12-5.4 a8aad8851131 9da18ae8 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-android-5-4-kasan KASAN: slab-out-of-bounds Read in ext4_find_extent
* Struck through repros no longer work on HEAD.