KASAN: use-after-free Write in ext4_mark_inode_dirty

All of lore.kernel.org
 help / color / mirror / Atom feed

From: syzbot <syzbot+1e407c24e65e1fca3ecf@syzkaller.appspotmail.com>
To: adilger.kernel@dilger.ca, linux-ext4@vger.kernel.org,
	linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com,
	tytso@mit.edu
Subject: KASAN: use-after-free Write in ext4_mark_inode_dirty
Date: Fri, 29 Nov 2019 00:20:10 -0800	[thread overview]
Message-ID: <000000000000fd1f29059877e56a@google.com> (raw)

Hello,

syzbot found the following crash on:

HEAD commit:    a2d79c71 Merge tag 'for-5.3/io_uring-20190711' of git://gi..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1632a03fa00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=bf58f4f254e2639
dashboard link: https://syzkaller.appspot.com/bug?extid=1e407c24e65e1fca3ecf
compiler:       clang version 9.0.0 (/home/glider/llvm/clang  
80fee25776c2fb61e74c1ecb1a523375c2500b69)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+1e407c24e65e1fca3ecf@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in __ext4_expand_extra_isize  
fs/ext4/inode.c:5948 [inline]
BUG: KASAN: use-after-free in ext4_try_to_expand_extra_isize  
fs/ext4/inode.c:6000 [inline]
BUG: KASAN: use-after-free in ext4_mark_inode_dirty+0x63c/0x790  
fs/ext4/inode.c:6076
Write of size 2147483615 at addr ffff88807da230a0 by task  
syz-executor.3/8139

CPU: 1 PID: 8139 Comm: syz-executor.3 Not tainted 5.2.0+ #27
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0x1d8/0x2f8 lib/dump_stack.c:113
  print_address_description+0x75/0x5b0 mm/kasan/report.c:351
  __kasan_report+0x14b/0x1c0 mm/kasan/report.c:482
  kasan_report+0x26/0x50 mm/kasan/common.c:612
  check_memory_region_inline mm/kasan/generic.c:182 [inline]
  check_memory_region+0x2cf/0x2e0 mm/kasan/generic.c:192
  memset+0x23/0x40 mm/kasan/common.c:105
  __ext4_expand_extra_isize fs/ext4/inode.c:5948 [inline]
  ext4_try_to_expand_extra_isize fs/ext4/inode.c:6000 [inline]
  ext4_mark_inode_dirty+0x63c/0x790 fs/ext4/inode.c:6076
  ext4_evict_inode+0x1186/0x17e0 fs/ext4/inode.c:282
  evict+0x2a1/0x6c0 fs/inode.c:571
  iput_final fs/inode.c:1560 [inline]
  iput+0x508/0x690 fs/inode.c:1586
  do_unlinkat+0x4b8/0x920 fs/namei.c:4069
  __do_sys_unlink fs/namei.c:4110 [inline]
  __se_sys_unlink fs/namei.c:4108 [inline]
  __x64_sys_unlink+0x49/0x50 fs/namei.c:4108
  do_syscall_64+0xfe/0x140 arch/x86/entry/common.c:296
  entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x459567
Code: 00 66 90 b8 58 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 9d ba fb ff c3  
66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 57 00 00 00 0f 05 <48> 3d 01 f0 ff  
ff 0f 83 7d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fffc1d9e6d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000057
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000459567
RDX: 00007fffc1d9e6f0 RSI: 00007fffc1d9e6f0 RDI: 00007fffc1d9e780
RBP: 000000000000094f R08: 0000000000000000 R09: 000000000000000d
R10: 0000000000000006 R11: 0000000000000246 R12: 00007fffc1d9f810
R13: 0000555556beb940 R14: 0000000000000000 R15: 00007fffc1d9f810

The buggy address belongs to the page:
page:ffffea0001f688c0 refcount:2 mapcount:0 mapping:ffff8880a291fb18  
index:0x43e
def_blk_aops
flags: 0x1fffc000000203a(referenced|dirty|lru|active|private)
raw: 01fffc000000203a ffffea0001f6d3c8 ffffea000205bac8 ffff8880a291fb18
raw: 000000000000043e ffff88809481f150 00000002ffffffff ffff888069d500c0
page dumped because: kasan: bad access detected
page->mem_cgroup:ffff888069d500c0

Memory state around the buggy address:
  ffff88807da23f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  ffff88807da23f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffff88807da24000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                    ^
  ffff88807da24080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
  ffff88807da24100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

next             reply	other threads:[~2019-11-29  8:20 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-11-29  8:20 syzbot [this message]
2019-11-29 12:55 ` KASAN: use-after-free Write in ext4_mark_inode_dirty Theodore Y. Ts'o

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=000000000000fd1f29059877e56a@google.com \
    --to=syzbot+1e407c24e65e1fca3ecf@syzkaller.appspotmail.com \
    --cc=adilger.kernel@dilger.ca \
    --cc=linux-ext4@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=syzkaller-bugs@googlegroups.com \
    --cc=tytso@mit.edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.