syzbot |
sign-in | mailing list | source | docs |
Created | Duration | User | Patch | Repo | Result |
---|---|---|---|---|---|
2023/09/08 03:20 | 15m | retest repro | android12-5.4 | OK log | |
2023/06/30 03:07 | 12m | retest repro | android12-5.4 | report log | |
2023/04/21 00:26 | 23m | retest repro | android12-5.4 | report log |
================================================================== BUG: KASAN: slab-out-of-bounds in ext4_ext_binsearch_idx fs/ext4/extents.c:796 [inline] BUG: KASAN: slab-out-of-bounds in ext4_find_extent+0x7ae/0xdc0 fs/ext4/extents.c:958 Read of size 4 at addr ffff8881e645eda8 by task syz-executor259/298 CPU: 0 PID: 298 Comm: syz-executor259 Not tainted 5.4.219-syzkaller-00012-ga8aad8851131 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1d8/0x241 lib/dump_stack.c:118 print_address_description+0x8c/0x630 mm/kasan/report.c:384 __kasan_report+0xf6/0x130 mm/kasan/report.c:516 kasan_report+0x30/0x60 mm/kasan/common.c:653 ext4_ext_binsearch_idx fs/ext4/extents.c:796 [inline] ext4_find_extent+0x7ae/0xdc0 fs/ext4/extents.c:958 ext4_clu_mapped+0x9d/0x790 fs/ext4/extents.c:6026 ext4_insert_delayed_block fs/ext4/inode.c:1830 [inline] ext4_da_map_blocks fs/ext4/inode.c:1941 [inline] ext4_da_get_block_prep+0x9cc/0x13a0 fs/ext4/inode.c:2005 __block_write_begin_int+0x6df/0x1810 fs/buffer.c:1980 ext4_da_convert_inline_data_to_extent fs/ext4/inline.c:844 [inline] ext4_da_write_inline_data_begin+0x512/0xbe0 fs/ext4/inline.c:917 ext4_da_write_begin+0x532/0xf80 fs/ext4/inode.c:3127 generic_perform_write+0x2f9/0x5a0 mm/filemap.c:3311 __generic_file_write_iter+0x239/0x490 mm/filemap.c:3440 ext4_file_write_iter+0x495/0x10e0 fs/ext4/file.c:270 call_write_iter include/linux/fs.h:1976 [inline] new_sync_write fs/read_write.c:483 [inline] __vfs_write+0x5e3/0x780 fs/read_write.c:496 vfs_write+0x210/0x4f0 fs/read_write.c:558 ksys_write+0x198/0x2c0 fs/read_write.c:611 do_syscall_64+0xcb/0x1c0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x5c/0xc1 Allocated by task 234: save_stack mm/kasan/common.c:70 [inline] set_track mm/kasan/common.c:78 [inline] __kasan_kmalloc+0x131/0x1e0 mm/kasan/common.c:529 slab_post_alloc_hook mm/slab.h:584 [inline] slab_alloc_node mm/slub.c:2829 [inline] slab_alloc mm/slub.c:2837 [inline] kmem_cache_alloc+0xd0/0x210 mm/slub.c:2842 __d_alloc+0x2a/0x6a0 fs/dcache.c:1690 d_alloc fs/dcache.c:1769 [inline] d_alloc_parallel+0xe6/0x1310 fs/dcache.c:2521 __lookup_slow+0x15a/0x450 fs/namei.c:1731 lookup_slow+0x53/0x70 fs/namei.c:1765 walk_component+0x62a/0xb30 fs/namei.c:1885 lookup_last fs/namei.c:2348 [inline] path_lookupat+0x188/0x3f0 fs/namei.c:2393 filename_lookup+0x223/0x6a0 fs/namei.c:2423 user_path_at include/linux/namei.h:49 [inline] do_faccessat+0x367/0x780 fs/open.c:398 do_syscall_64+0xcb/0x1c0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x5c/0xc1 Freed by task 16: save_stack mm/kasan/common.c:70 [inline] set_track mm/kasan/common.c:78 [inline] kasan_set_free_info mm/kasan/common.c:345 [inline] __kasan_slab_free+0x178/0x240 mm/kasan/common.c:487 slab_free_hook mm/slub.c:1455 [inline] slab_free_freelist_hook+0x80/0x150 mm/slub.c:1494 slab_free mm/slub.c:3080 [inline] kmem_cache_free+0xa9/0x1d0 mm/slub.c:3096 __rcu_reclaim kernel/rcu/rcu.h:222 [inline] rcu_do_batch+0x49e/0xa10 kernel/rcu/tree.c:2167 rcu_core+0x4ba/0xca0 kernel/rcu/tree.c:2387 __do_softirq+0x23e/0x643 kernel/softirq.c:292 The buggy address belongs to the object at ffff8881e645ecc0 which belongs to the cache dentry of size 208 The buggy address is located 24 bytes to the right of 208-byte region [ffff8881e645ecc0, ffff8881e645ed90) The buggy address belongs to the page: page:ffffea0007991780 refcount:1 mapcount:0 mapping:ffff8881f5cf9680 index:0x0 flags: 0x8000000000000200(slab) raw: 8000000000000200 dead000000000100 dead000000000122 ffff8881f5cf9680 raw: 0000000000000000 00000000000f000f 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Reclaimable, gfp_mask 0x12cd0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_RECLAIMABLE) set_page_owner include/linux/page_owner.h:31 [inline] post_alloc_hook mm/page_alloc.c:2165 [inline] prep_new_page+0x194/0x380 mm/page_alloc.c:2171 get_page_from_freelist+0x524/0x560 mm/page_alloc.c:3794 __alloc_pages_nodemask+0x372/0x860 mm/page_alloc.c:4891 alloc_slab_page+0x39/0x3e0 mm/slub.c:343 allocate_slab mm/slub.c:1683 [inline] new_slab+0x97/0x450 mm/slub.c:1749 new_slab_objects mm/slub.c:2505 [inline] ___slab_alloc+0x320/0x4a0 mm/slub.c:2667 __slab_alloc+0x5a/0x90 mm/slub.c:2707 slab_alloc_node mm/slub.c:2792 [inline] slab_alloc mm/slub.c:2837 [inline] kmem_cache_alloc+0x100/0x210 mm/slub.c:2842 __d_alloc+0x2a/0x6a0 fs/dcache.c:1690 d_alloc fs/dcache.c:1769 [inline] d_alloc_parallel+0xe6/0x1310 fs/dcache.c:2521 lookup_open fs/namei.c:3222 [inline] do_last fs/namei.c:3401 [inline] path_openat+0x102c/0x3ea0 fs/namei.c:3614 do_filp_open+0x208/0x450 fs/namei.c:3644 do_sys_open+0x393/0x7e0 fs/open.c:1113 do_syscall_64+0xcb/0x1c0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x5c/0xc1 page_owner free stack trace missing Memory state around the buggy address: ffff8881e645ec80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ffff8881e645ed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8881e645ed80: fb fb fc fc fc fc fc fc fc fc fb fb fb fb fb fb
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
---|---|---|---|---|---|---|---|---|---|---|---|---|
2022/12/26 07:49 | android12-5.4 | a8aad8851131 | 9da18ae8 | .config | console log | report | syz | C | [disk image] [vmlinux] [kernel image] [mounted in repro] | ci2-android-5-4-kasan | KASAN: slab-out-of-bounds Read in ext4_find_extent |