From: syzbot <syzbot+ab0ad25088673470d2d9@syzkaller.appspotmail.com>
To: kartikey406@gmail.com, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [ocfs2?] KASAN: use-after-free Read in ocfs2_listxattr
Date: Mon, 10 Nov 2025 22:02:02 -0800 [thread overview]
Message-ID: <6912d15a.a70a0220.22f260.0129.GAE@google.com> (raw)
In-Reply-To: <20251111044000.2016410-1-kartikey406@gmail.com>
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in ocfs2_listxattr
On-disk corruption discovered. Please run fsck.ocfs2 once the filesystem is unmounted.
OCFS2: File system is now read-only.
==================================================================
BUG: KASAN: use-after-free in ocfs2_xattr_get_type fs/ocfs2/ocfs2_fs.h:1114 [inline]
BUG: KASAN: use-after-free in ocfs2_xattr_list_entries fs/ocfs2/xattr.c:934 [inline]
BUG: KASAN: use-after-free in ocfs2_xattr_ibody_list fs/ocfs2/xattr.c:982 [inline]
BUG: KASAN: use-after-free in ocfs2_listxattr+0x408/0xa74 fs/ocfs2/xattr.c:1044
Read of size 1 at addr ffff0000e76a4007 by task syz.0.20/7236
CPU: 1 UID: 0 PID: 7236 Comm: syz.0.20 Not tainted syzkaller #0 PREEMPT
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/03/2025
Call trace:
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:499 (C)
__dump_stack+0x30/0x40 lib/dump_stack.c:94
dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
print_address_description+0xa8/0x238 mm/kasan/report.c:378
print_report+0x68/0x84 mm/kasan/report.c:482
kasan_report+0xb0/0x110 mm/kasan/report.c:595
__asan_report_load1_noabort+0x20/0x2c mm/kasan/report_generic.c:378
ocfs2_xattr_get_type fs/ocfs2/ocfs2_fs.h:1114 [inline]
ocfs2_xattr_list_entries fs/ocfs2/xattr.c:934 [inline]
ocfs2_xattr_ibody_list fs/ocfs2/xattr.c:982 [inline]
ocfs2_listxattr+0x408/0xa74 fs/ocfs2/xattr.c:1044
vfs_listxattr+0xc0/0x128 fs/xattr.c:493
ovl_listxattr+0xd8/0x49c fs/overlayfs/xattrs.c:123
vfs_listxattr fs/xattr.c:493 [inline]
listxattr+0x10c/0x380 fs/xattr.c:924
filename_listxattr fs/xattr.c:958 [inline]
path_listxattrat+0x15c/0x33c fs/xattr.c:988
__do_sys_listxattr fs/xattr.c:1001 [inline]
__se_sys_listxattr fs/xattr.c:998 [inline]
__arm64_sys_listxattr+0x84/0x98 fs/xattr.c:998
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x254 arch/arm64/kernel/syscall.c:49
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
el0_svc+0x5c/0x254 arch/arm64/kernel/entry-common.c:746
el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:765
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffffb9581 pfn:0x1276a4
flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000000000 fffffdffc3a50548 fffffdffc39dab88 0000000000000000
raw: 0000000ffffb9581 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff0000e76a3f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff0000e76a3f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff0000e76a4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff0000e76a4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff0000e76a4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
Tested on:
commit: e424ed99 Merge remote-tracking branch 'will/for-next/p..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=12f30658580000
kernel config: https://syzkaller.appspot.com/x/.config?x=b8b659f0cab27b22
dashboard link: https://syzkaller.appspot.com/bug?extid=ab0ad25088673470d2d9
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
userspace arch: arm64
patch: https://syzkaller.appspot.com/x/patch.diff?x=1566f17c580000
next parent reply other threads:[~2025-11-11 6:02 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20251111044000.2016410-1-kartikey406@gmail.com>
2025-11-11 6:02 ` syzbot [this message]
[not found] <20251117091717.9916-1-kartikey406@gmail.com>
2025-11-17 11:32 ` [syzbot] [ocfs2?] KASAN: use-after-free Read in ocfs2_listxattr syzbot
[not found] <20251111060615.2022366-1-kartikey406@gmail.com>
2025-11-11 7:09 ` syzbot
[not found] <20251111042938.2015551-1-kartikey406@gmail.com>
2025-11-11 5:34 ` syzbot
[not found] <20251111013052.1801231-1-kartikey406@gmail.com>
2025-11-11 3:17 ` syzbot
2025-11-10 18:09 syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6912d15a.a70a0220.22f260.0129.GAE@google.com \
--to=syzbot+ab0ad25088673470d2d9@syzkaller.appspotmail.com \
--cc=kartikey406@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.