[PATCH] bcachefs:fix use-after-free in __bch2_bkey_fsck_err

[PATCH] bcachefs:fix use-after-free in __bch2_bkey_fsck_err

[ssrane_b23]

From: Shaurya Rane <ssrane_b23@ee.vjti.ac.in>

When mounting a corrupted bcachefs filesystem, KASAN detects a
use-after-free in the error reporting path. This occurs due to a race
between error reporting and key deletion during fsck.

The sequence of events:

1. extent_ptr_validate() detects an invalid extent pointer with a
   corrupt disk offset
2. It calls __bch2_bkey_fsck_err() to report the error
3. The fsck logic decides to delete the corrupt key
4. Meanwhile, __bch2_bkey_fsck_err() calls bch2_bkey_val_to_text()
5. This traverses the extent entries via bch2_extent_ptr_to_text()
6. sector_to_bucket_and_offset() is called with the corrupt offset
7. Memory access occurs on data being concurrently freed

The crash happens in bch2_extent_ptr_to_text() when it attempts to
validate bucket boundaries using already-freed extent pointer data.

Replace bch2_bkey_val_to_text() with bch2_bpos_to_text() to print
only the key position (inode, offset, snapshot) instead of traversing
potentially corrupt or freed extent metadata. The position is part of
the key header and remains safe to read even as the extent data is
being freed. The specific validation error is still printed in the
subsequent lines, providing sufficient context for debugging.

Tested successfully locally using syzbot provided reproducer

Reported-by: syzbot+564efbe31172fe908429@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?id=564efbe31172fe908429
Fixes: d97de0d017cd ("bcachefs: Make bkey_fsck_err() a wrapper around fsck_err()")
Signed-off-by: Shaurya Rane <ssrane_b23@ee.vjti.ac.in>
---
 fs/bcachefs/error.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/bcachefs/error.c b/fs/bcachefs/error.c
index 267e73d9d7e6..b0bf08915aa2 100644
--- a/fs/bcachefs/error.c
+++ b/fs/bcachefs/error.c
@@ -688,7 +688,7 @@ int __bch2_bkey_fsck_err(struct bch_fs *c,
 	bch2_btree_id_to_text(&buf, from.btree);
 	prt_printf(&buf, " level=%u: ", from.level);
 
-	bch2_bkey_val_to_text(&buf, c, k);
+	bch2_bpos_to_text(&buf, k.k->p);
 	prt_newline(&buf);
 
 	va_list args;
-- 
2.34.1

[PATCH] bcachefs:fix use-after-free in __bch2_bkey_fsck_err

[ssrane_b23]

From: Shaurya Rane <ssrane_b23@ee.vjti.ac.in>

When mounting a corrupted bcachefs filesystem, KASAN detects a
use-after-free in the error reporting path. This occurs due to a race
between error reporting and key deletion during fsck.

The sequence of events:

1. extent_ptr_validate() detects an invalid extent pointer with a
   corrupt disk offset
2. It calls __bch2_bkey_fsck_err() to report the error
3. The fsck logic decides to delete the corrupt key
4. Meanwhile, __bch2_bkey_fsck_err() calls bch2_bkey_val_to_text()
5. This traverses the extent entries via bch2_extent_ptr_to_text()
6. sector_to_bucket_and_offset() is called with the corrupt offset
7. Memory access occurs on data being concurrently freed

The crash happens in bch2_extent_ptr_to_text() when it attempts to
validate bucket boundaries using already-freed extent pointer data.

Replace bch2_bkey_val_to_text() with bch2_bpos_to_text() to print
only the key position (inode, offset, snapshot) instead of traversing
potentially corrupt or freed extent metadata. The position is part of
the key header and remains safe to read even as the extent data is
being freed. The specific validation error is still printed in the
subsequent lines, providing sufficient context for debugging.

Tested successfully locally using syzbot provided reproducer

Reported-by: syzbot+564efbe31172fe908429@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?id=564efbe31172fe908429
Fixes: d97de0d017cd ("bcachefs: Make bkey_fsck_err() a wrapper around fsck_err()")
Signed-off-by: Shaurya Rane <ssrane_b23@ee.vjti.ac.in>
---
 fs/bcachefs/error.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/bcachefs/error.c b/fs/bcachefs/error.c
index 267e73d9d7e6..b0bf08915aa2 100644
--- a/fs/bcachefs/error.c
+++ b/fs/bcachefs/error.c
@@ -688,7 +688,7 @@ int __bch2_bkey_fsck_err(struct bch_fs *c,
 	bch2_btree_id_to_text(&buf, from.btree);
 	prt_printf(&buf, " level=%u: ", from.level);
 
-	bch2_bkey_val_to_text(&buf, c, k);
+	bch2_bpos_to_text(&buf, k.k->p);
 	prt_newline(&buf);
 
 	va_list args;
-- 
2.34.1

Re: [PATCH] bcachefs:fix use-after-free in __bch2_bkey_fsck_err

[Kent Overstreet]

On Sun, Oct 05, 2025 at 09:38:25PM +0530, SHAURYA RANE wrote:
> #syz test:
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

Instead of having syzbot test your code, please try the ktest syzbot
reproducer test:

https://evilpiepirate.org/git/ktest.git/

build-test-kernel run -I ~/ktest/tests/syzbot-repro.ktest <bug-id>

I get very nervous when people send me patches they've never run
themselves. Always try to have eyes on what your code is doing, try to
look with your eyes and see that it's doing what you think it's doing :)

Re: [PATCH] bcachefs:fix use-after-free in __bch2_bkey_fsck_err

[SHAURYA RANE]

Thanks for the feedback. I’ve tested the patch locally as well using
kselftest, and it passed successfully.



On Mon, Oct 6, 2025 at 3:16 PM SHAURYA RANE <ssrane_b23@ee.vjti.ac.in> wrote:
>
> Thanks for the feedback. I’ve tested the patch locally as well using kselftest, and it passed successfully.
>
> Best regards,
> Shaurya Rane
>
> On Sun, 5 Oct 2025, 23:35 Kent Overstreet, <kent.overstreet@linux.dev> wrote:
>>
>> On Sun, Oct 05, 2025 at 09:38:25PM +0530, SHAURYA RANE wrote:
>> > #syz test:
>> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
>>
>> Instead of having syzbot test your code, please try the ktest syzbot
>> reproducer test:
>>
>> https://evilpiepirate.org/git/ktest.git/
>>
>> build-test-kernel run -I ~/ktest/tests/syzbot-repro.ktest <bug-id>
>>
>> I get very nervous when people send me patches they've never run
>> themselves. Always try to have eyes on what your code is doing, try to
>> look with your eyes and see that it's doing what you think it's doing :)