From: syzbot <syzbot+5a398eb460ddaa6f242f@syzkaller.appspotmail.com>
To: eadavis@qq.com, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [erofs?] KASAN: global-out-of-bounds Read in z_erofs_decompress_queue
Date: Fri, 22 Aug 2025 18:09:04 -0700
Message-ID: <68a914b0.a00a0220.33401d.02f1.GAE@google.com>
In-Reply-To: <tencent_2BECEECECC7B926C782CC96EB897BCE8DE0A@qq.com>
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: invalid-free in z_erofs_scan_folio
erofs (device loop0): mounted with root inode @ nid 36.
erofs (device loop0): readahead error at folio 7 @ nid 36
erofs (device loop0): readahead error at folio 6 @ nid 36
erofs (device loop0): readahead error at folio 5 @ nid 36
erofs (device loop0): readahead error at folio 4 @ nid 36
erofs (device loop0): readahead error at folio 3 @ nid 36
==================================================================
BUG: KASAN: invalid-free in z_erofs_free_pcluster fs/erofs/zdata.c:281 [inline]
BUG: KASAN: invalid-free in z_erofs_register_pcluster fs/erofs/zdata.c:804 [inline]
BUG: KASAN: invalid-free in z_erofs_pcluster_begin fs/erofs/zdata.c:840 [inline]
BUG: KASAN: invalid-free in z_erofs_scan_folio+0x1e4a/0x4540 fs/erofs/zdata.c:1056
Free of addr ffff8880565609d8 by task syz.0.17/6607
CPU: 1 UID: 0 PID: 6607 Comm: syz.0.17 Tainted: G W syzkaller #0 PREEMPT_{RT,(full)}
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report_invalid_free+0xea/0x110 mm/kasan/report.c:557
check_slab_allocation+0xe1/0x130 include/linux/page-flags.h:-1
kasan_slab_pre_free include/linux/kasan.h:198 [inline]
slab_free_hook mm/slub.c:2362 [inline]
slab_free mm/slub.c:4680 [inline]
kmem_cache_free+0x146/0x510 mm/slub.c:4782
z_erofs_free_pcluster fs/erofs/zdata.c:281 [inline]
z_erofs_register_pcluster fs/erofs/zdata.c:804 [inline]
z_erofs_pcluster_begin fs/erofs/zdata.c:840 [inline]
z_erofs_scan_folio+0x1e4a/0x4540 fs/erofs/zdata.c:1056
z_erofs_readahead+0x672/0xb40 fs/erofs/zdata.c:1922
read_pages+0x177/0x580 mm/readahead.c:160
page_cache_ra_unbounded+0x63b/0x740 mm/readahead.c:297
page_cache_sync_readahead include/linux/pagemap.h:1369 [inline]
erofs_readdir+0x567/0x1020 fs/erofs/dir.c:77
iterate_dir+0x3a2/0x580 fs/readdir.c:108
__do_sys_getdents fs/readdir.c:326 [inline]
__se_sys_getdents+0xe4/0x250 fs/readdir.c:312
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f2826aaebe9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f2826116038 EFLAGS: 00000246 ORIG_RAX: 000000000000004e
RAX: ffffffffffffffda RBX: 00007f2826cd5fa0 RCX: 00007f2826aaebe9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
RBP: 00007f2826b31e19 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f2826cd6038 R14: 00007f2826cd5fa0 R15: 00007ffd944ac938
</TASK>
Allocated by task 6607:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
unpoison_slab_object mm/kasan/common.c:330 [inline]
__kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:356
kasan_slab_alloc include/linux/kasan.h:250 [inline]
slab_post_alloc_hook mm/slub.c:4180 [inline]
slab_alloc_node mm/slub.c:4229 [inline]
kmem_cache_alloc_noprof+0x143/0x310 mm/slub.c:4236
z_erofs_alloc_pcluster fs/erofs/zdata.c:262 [inline]
z_erofs_register_pcluster fs/erofs/zdata.c:749 [inline]
z_erofs_pcluster_begin fs/erofs/zdata.c:840 [inline]
z_erofs_scan_folio+0x162e/0x4540 fs/erofs/zdata.c:1056
z_erofs_readahead+0x672/0xb40 fs/erofs/zdata.c:1922
read_pages+0x177/0x580 mm/readahead.c:160
page_cache_ra_unbounded+0x63b/0x740 mm/readahead.c:297
page_cache_sync_readahead include/linux/pagemap.h:1369 [inline]
erofs_readdir+0x567/0x1020 fs/erofs/dir.c:77
iterate_dir+0x3a2/0x580 fs/readdir.c:108
__do_sys_getdents fs/readdir.c:326 [inline]
__se_sys_getdents+0xe4/0x250 fs/readdir.c:312
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff8880565609d8
which belongs to the cache erofs_pcluster-128 of size 2392
The buggy address is located 0 bytes inside of
2392-byte region [ffff8880565609d8, ffff888056561330)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x56560
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x80000000000040(head|node=0|zone=1)
page_type: f5(slab)
raw: 0080000000000040 ffff88802030f000 dead000000000122 0000000000000000
raw: 0000000000000000 00000000800d000d 00000000f5000000 0000000000000000
head: 0080000000000040 ffff88802030f000 dead000000000122 0000000000000000
head: 0000000000000000 00000000800d000d 00000000f5000000 0000000000000000
head: 0080000000000003 ffffea0001595801 00000000ffffffff 00000000ffffffff
head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Reclaimable, gfp_mask 0xd2050(__GFP_RECLAIMABLE|__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 6607, tgid 6606 (syz.0.17), ts 171069705490, free_ts 99313462986
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851
prep_new_page mm/page_alloc.c:1859 [inline]
get_page_from_freelist+0x2119/0x21b0 mm/page_alloc.c:3858
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5148
alloc_pages_mpol+0xd1/0x380 mm/mempolicy.c:2416
alloc_slab_page mm/slub.c:2487 [inline]
allocate_slab+0x8a/0x370 mm/slub.c:2655
new_slab mm/slub.c:2709 [inline]
___slab_alloc+0x8d1/0xdd0 mm/slub.c:3891
__slab_alloc mm/slub.c:3981 [inline]
__slab_alloc_node mm/slub.c:4056 [inline]
slab_alloc_node mm/slub.c:4217 [inline]
kmem_cache_alloc_noprof+0xe6/0x310 mm/slub.c:4236
z_erofs_alloc_pcluster fs/erofs/zdata.c:262 [inline]
z_erofs_register_pcluster fs/erofs/zdata.c:749 [inline]
z_erofs_pcluster_begin fs/erofs/zdata.c:840 [inline]
z_erofs_scan_folio+0x162e/0x4540 fs/erofs/zdata.c:1056
z_erofs_readahead+0x672/0xb40 fs/erofs/zdata.c:1922
read_pages+0x177/0x580 mm/readahead.c:160
page_cache_ra_unbounded+0x63b/0x740 mm/readahead.c:297
page_cache_sync_readahead include/linux/pagemap.h:1369 [inline]
erofs_readdir+0x567/0x1020 fs/erofs/dir.c:77
iterate_dir+0x3a2/0x580 fs/readdir.c:108
__do_sys_getdents fs/readdir.c:326 [inline]
__se_sys_getdents+0xe4/0x250 fs/readdir.c:312
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5917 tgid 5917 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1395 [inline]
__free_frozen_pages+0xb59/0xce0 mm/page_alloc.c:2895
vfree+0x2ad/0x470 mm/vmalloc.c:3434
kcov_put kernel/kcov.c:439 [inline]
kcov_close+0x2e/0x60 kernel/kcov.c:535
__fput+0x45b/0xa80 fs/file_table.c:468
task_work_run+0x1d4/0x260 kernel/task_work.c:227
exit_task_work include/linux/task_work.h:40 [inline]
do_exit+0x6b5/0x2300 kernel/exit.c:961
do_group_exit+0x21c/0x2d0 kernel/exit.c:1102
get_signal+0x125e/0x1310 kernel/signal.c:3034
arch_do_signal_or_restart+0x9a/0x750 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop+0x75/0x110 kernel/entry/common.c:40
exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
do_syscall_64+0x2bd/0x3b0 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff888056560880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888056560900: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc
>ffff888056560980: fc fc fc fc fc fc fc fc fc fc fc 00 00 00 00 00
^
ffff888056560a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888056560a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
Tested on:
commit: 6debb690 Merge tag 'drm-fixes-2025-08-23-1' of https:/..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=111d8062580000
kernel config: https://syzkaller.appspot.com/x/.config?x=e1e1566c7726877e
dashboard link: https://syzkaller.appspot.com/bug?extid=5a398eb460ddaa6f242f
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch: https://syzkaller.appspot.com/x/patch.diff?x=14ce8c42580000