[syzbot] [ext4?] KASAN: use-after-free Read in ext4_find

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

* [syzbot] [ext4?] KASAN: use-after-free Read in ext4_find_extent (4)
@ 2024-12-30 20:06 syzbot
  2025-03-27 23:44 ` syzbot
                   ` (10 more replies)
  0 siblings, 11 replies; 13+ messages in thread
From: syzbot @ 2024-12-30 20:06 UTC (permalink / raw)
  To: adilger.kernel, linux-ext4, linux-kernel, syzkaller-bugs, tytso

Hello,

syzbot found the following issue on:

HEAD commit:    573067a5a685 Merge branch 'for-next/core' into for-kernelci
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=136d1018580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=cd7202b56d469648
dashboard link: https://syzkaller.appspot.com/bug?extid=ee60e584b5c6bb229126
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1790a0b0580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17ee82c4580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/9d3b5c855aa0/disk-573067a5.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/0c06fc1ead83/vmlinux-573067a5.xz
kernel image: https://storage.googleapis.com/syzbot-assets/3390e59b9e4b/Image-573067a5.gz.xz
mounted in repro #1: https://storage.googleapis.com/syzbot-assets/ef6b4e51a02a/mount_0.gz
mounted in repro #2: https://storage.googleapis.com/syzbot-assets/1e15bbc4371d/mount_1.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ee60e584b5c6bb229126@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in ext4_ext_binsearch fs/ext4/extents.c:840 [inline]
BUG: KASAN: use-after-free in ext4_find_extent+0x94c/0xb0c fs/ext4/extents.c:955
Read of size 4 at addr ffff0000e2d145a0 by task kworker/u8:4/45

CPU: 1 UID: 0 PID: 45 Comm: kworker/u8:4 Not tainted 6.13.0-rc3-syzkaller-g573067a5a685 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: writeback wb_workfn (flush-7:0)
Call trace:
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C)
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0x198/0x538 mm/kasan/report.c:489
 kasan_report+0xd8/0x138 mm/kasan/report.c:602
 __asan_report_load4_noabort+0x20/0x2c mm/kasan/report_generic.c:380
 ext4_ext_binsearch fs/ext4/extents.c:840 [inline]
 ext4_find_extent+0x94c/0xb0c fs/ext4/extents.c:955
 ext4_ext_map_blocks+0x2b0/0x6600 fs/ext4/extents.c:4205
 ext4_map_create_blocks fs/ext4/inode.c:516 [inline]
 ext4_map_blocks+0x710/0x15d0 fs/ext4/inode.c:702
 mpage_map_one_extent fs/ext4/inode.c:2219 [inline]
 mpage_map_and_submit_extent fs/ext4/inode.c:2272 [inline]
 ext4_do_writepages+0x195c/0x318c fs/ext4/inode.c:2735
 ext4_writepages+0x198/0x308 fs/ext4/inode.c:2824
 do_writepages+0x304/0x7d0 mm/page-writeback.c:2702
 __writeback_single_inode+0x15c/0x15a4 fs/fs-writeback.c:1680
 writeback_sb_inodes+0x650/0x1088 fs/fs-writeback.c:1976
 wb_writeback+0x3e0/0xe9c fs/fs-writeback.c:2156
 wb_do_writeback fs/fs-writeback.c:2303 [inline]
 wb_workfn+0x38c/0x1048 fs/fs-writeback.c:2343
 process_one_work+0x7a8/0x15cc kernel/workqueue.c:3229
 process_scheduled_works kernel/workqueue.c:3310 [inline]
 worker_thread+0x97c/0xeec kernel/workqueue.c:3391
 kthread+0x288/0x310 kernel/kthread.c:389
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:862

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff9b78a pfn:0x122d14
flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000000000 dead000000000100 dead000000000122 0000000000000000
raw: 0000000ffff9b78a 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000e2d14480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff0000e2d14500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff0000e2d14580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                               ^
 ffff0000e2d14600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff0000e2d14680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

^ permalink raw reply	[flat|nested] 13+ messages in thread

* Re: [syzbot] [ext4?] KASAN: use-after-free Read in ext4_find_extent (4)
  2024-12-30 20:06 [syzbot] [ext4?] KASAN: use-after-free Read in ext4_find_extent (4) syzbot
@ 2025-03-27 23:44 ` syzbot
  2025-03-28 17:10   ` Ojaswin Mujoo
  2025-11-19  7:50 ` Forwarded: " syzbot
                   ` (9 subsequent siblings)
  10 siblings, 1 reply; 13+ messages in thread
From: syzbot @ 2025-03-27 23:44 UTC (permalink / raw)
  To: adilger.kernel, jack, linux-ext4, linux-kernel, ojaswin,
	ritesh.list, syzkaller-bugs, tytso

syzbot has bisected this issue to:

commit 93cdf49f6eca5e23f6546b8f28457b2e6a6961d9
Author: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Date:   Sat Mar 25 08:13:39 2023 +0000

    ext4: Fix best extent lstart adjustment logic in ext4_mb_new_inode_pa()

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=1566b43f980000
start commit:   1e1ba8d23dae Merge tag 'timers-clocksource-2025-03-26' of ..
git tree:       upstream
final oops:     https://syzkaller.appspot.com/x/report.txt?x=1766b43f980000
console output: https://syzkaller.appspot.com/x/log.txt?x=1366b43f980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=2edddb53537e0320
dashboard link: https://syzkaller.appspot.com/bug?extid=ee60e584b5c6bb229126
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1623343f980000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1123343f980000

Reported-by: syzbot+ee60e584b5c6bb229126@syzkaller.appspotmail.com
Fixes: 93cdf49f6eca ("ext4: Fix best extent lstart adjustment logic in ext4_mb_new_inode_pa()")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

^ permalink raw reply	[flat|nested] 13+ messages in thread

* Re: [syzbot] [ext4?] KASAN: use-after-free Read in ext4_find_extent (4)
  2025-03-27 23:44 ` syzbot
@ 2025-03-28 17:10   ` Ojaswin Mujoo
  0 siblings, 0 replies; 13+ messages in thread
From: Ojaswin Mujoo @ 2025-03-28 17:10 UTC (permalink / raw)
  To: syzbot
  Cc: adilger.kernel, jack, linux-ext4, linux-kernel, ritesh.list,
	syzkaller-bugs, tytso

On Thu, Mar 27, 2025 at 04:44:03PM -0700, syzbot wrote:
> syzbot has bisected this issue to:
> 
> commit 93cdf49f6eca5e23f6546b8f28457b2e6a6961d9
> Author: Ojaswin Mujoo <ojaswin@linux.ibm.com>
> Date:   Sat Mar 25 08:13:39 2023 +0000
> 
>     ext4: Fix best extent lstart adjustment logic in ext4_mb_new_inode_pa()
> 
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=1566b43f980000
> start commit:   1e1ba8d23dae Merge tag 'timers-clocksource-2025-03-26' of ..
> git tree:       upstream
> final oops:     https://syzkaller.appspot.com/x/report.txt?x=1766b43f980000
> console output: https://syzkaller.appspot.com/x/log.txt?x=1366b43f980000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=2edddb53537e0320
> dashboard link: https://syzkaller.appspot.com/bug?extid=ee60e584b5c6bb229126
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1623343f980000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1123343f980000
> 
> Reported-by: syzbot+ee60e584b5c6bb229126@syzkaller.appspotmail.com
> Fixes: 93cdf49f6eca ("ext4: Fix best extent lstart adjustment logic in ext4_mb_new_inode_pa()")
> 
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection

Okay, so I'm able to replicate this with the patch whereas it does not
hit without it, so the bisect seems right. 

In my environment, at the time UAF hits, I also see the following logs:

[  139.893083][    T9] EXT4-fs error (device loop0): ext4_ext_split:1078: inode #15: comm kworker/u8:0: !
[  139.894260][    T9] EXT4-fs (loop0): Delayed block allocation failed for inode 15 at logical offset 17
[  139.894278][    T9] EXT4-fs (loop0): This should not happen!! Data will be lost
[  139.894278][    T9]

[  139.897505][ T1098] EXT4-fs error (device loop4): ext4_map_blocks:730: inode #15: block 131075: comm )
[  139.897607][ T1098] EXT4-fs (loop4): Delayed block allocation failed for inode 15 at logical offset 17
[  139.897624][ T1098] EXT4-fs (loop4): This should not happen!! Data will be lost

ext4_ext4_split:1078 is 	
  
	   if (unlikely(path[depth].p_ext > EXT_MAX_EXTENT(path[depth].p_hdr))) {

and ext4_map_blocks:730 is check_block_validity failure in map blocks.
I'm still trying to make sense of the logs and the UAF and will update
when I have more information.

Regards,
ojaswin



^ permalink raw reply	[flat|nested] 13+ messages in thread

* Forwarded: KASAN: use-after-free Read in ext4_find_extent (4)
  2024-12-30 20:06 [syzbot] [ext4?] KASAN: use-after-free Read in ext4_find_extent (4) syzbot
  2025-03-27 23:44 ` syzbot
@ 2025-11-19  7:50 ` syzbot
  2025-11-19 16:32 ` Forwarded: " syzbot
                   ` (8 subsequent siblings)
  10 siblings, 0 replies; 13+ messages in thread
From: syzbot @ 2025-11-19  7:50 UTC (permalink / raw)
  To: linux-kernel

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: KASAN: use-after-free Read in ext4_find_extent (4)
Author: albinbabuvarghese20@gmail.com

#syz test

^ permalink raw reply	[flat|nested] 13+ messages in thread

* Forwarded: Re: KASAN: use-after-free Read in ext4_find_extent (4)
  2024-12-30 20:06 [syzbot] [ext4?] KASAN: use-after-free Read in ext4_find_extent (4) syzbot
  2025-03-27 23:44 ` syzbot
  2025-11-19  7:50 ` Forwarded: " syzbot
@ 2025-11-19 16:32 ` syzbot
  2025-11-20  0:57 ` Forwarded: " syzbot
                   ` (7 subsequent siblings)
  10 siblings, 0 replies; 13+ messages in thread
From: syzbot @ 2025-11-19 16:32 UTC (permalink / raw)
  To: linux-kernel, syzkaller-bugs

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Re: KASAN: use-after-free Read in ext4_find_extent (4)
Author: albinbabuvarghese20@gmail.com

#syz test

^ permalink raw reply	[flat|nested] 13+ messages in thread

* Forwarded: KASAN: use-after-free Read in ext4_find_extent (4)
  2024-12-30 20:06 [syzbot] [ext4?] KASAN: use-after-free Read in ext4_find_extent (4) syzbot
                   ` (2 preceding siblings ...)
  2025-11-19 16:32 ` Forwarded: " syzbot
@ 2025-11-20  0:57 ` syzbot
  2025-11-20  1:39 ` syzbot
                   ` (6 subsequent siblings)
  10 siblings, 0 replies; 13+ messages in thread
From: syzbot @ 2025-11-20  0:57 UTC (permalink / raw)
  To: linux-kernel, syzkaller-bugs

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: KASAN: use-after-free Read in ext4_find_extent (4)
Author: eraykrdg1@gmail.com

#syz test

^ permalink raw reply	[flat|nested] 13+ messages in thread

* Forwarded: KASAN: use-after-free Read in ext4_find_extent (4)
  2024-12-30 20:06 [syzbot] [ext4?] KASAN: use-after-free Read in ext4_find_extent (4) syzbot
                   ` (3 preceding siblings ...)
  2025-11-20  0:57 ` Forwarded: " syzbot
@ 2025-11-20  1:39 ` syzbot
  2025-11-20 10:37 ` syzbot
                   ` (5 subsequent siblings)
  10 siblings, 0 replies; 13+ messages in thread
From: syzbot @ 2025-11-20  1:39 UTC (permalink / raw)
  To: linux-kernel, syzkaller-bugs

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: KASAN: use-after-free Read in ext4_find_extent (4)
Author: eraykrdg1@gmail.com

#syz test

^ permalink raw reply	[flat|nested] 13+ messages in thread

* Forwarded: KASAN: use-after-free Read in ext4_find_extent (4)
  2024-12-30 20:06 [syzbot] [ext4?] KASAN: use-after-free Read in ext4_find_extent (4) syzbot
                   ` (4 preceding siblings ...)
  2025-11-20  1:39 ` syzbot
@ 2025-11-20 10:37 ` syzbot
  2025-11-20 13:12 ` syzbot
                   ` (4 subsequent siblings)
  10 siblings, 0 replies; 13+ messages in thread
From: syzbot @ 2025-11-20 10:37 UTC (permalink / raw)
  To: linux-kernel, syzkaller-bugs

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: KASAN: use-after-free Read in ext4_find_extent (4)
Author: eraykrdg1@gmail.com

#syz test

^ permalink raw reply	[flat|nested] 13+ messages in thread

* Forwarded: KASAN: use-after-free Read in ext4_find_extent (4)
  2024-12-30 20:06 [syzbot] [ext4?] KASAN: use-after-free Read in ext4_find_extent (4) syzbot
                   ` (5 preceding siblings ...)
  2025-11-20 10:37 ` syzbot
@ 2025-11-20 13:12 ` syzbot
  2025-11-20 15:46 ` syzbot
                   ` (3 subsequent siblings)
  10 siblings, 0 replies; 13+ messages in thread
From: syzbot @ 2025-11-20 13:12 UTC (permalink / raw)
  To: linux-kernel, syzkaller-bugs

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: KASAN: use-after-free Read in ext4_find_extent (4)
Author: eraykrdg1@gmail.com

#syz test

^ permalink raw reply	[flat|nested] 13+ messages in thread

* Forwarded: KASAN: use-after-free Read in ext4_find_extent (4)
  2024-12-30 20:06 [syzbot] [ext4?] KASAN: use-after-free Read in ext4_find_extent (4) syzbot
                   ` (6 preceding siblings ...)
  2025-11-20 13:12 ` syzbot
@ 2025-11-20 15:46 ` syzbot
  2025-11-20 17:36 ` syzbot
                   ` (2 subsequent siblings)
  10 siblings, 0 replies; 13+ messages in thread
From: syzbot @ 2025-11-20 15:46 UTC (permalink / raw)
  To: linux-kernel, syzkaller-bugs

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: KASAN: use-after-free Read in ext4_find_extent (4)
Author: eraykrdg1@gmail.com

#syz test

^ permalink raw reply	[flat|nested] 13+ messages in thread

* Forwarded: KASAN: use-after-free Read in ext4_find_extent (4)
  2024-12-30 20:06 [syzbot] [ext4?] KASAN: use-after-free Read in ext4_find_extent (4) syzbot
                   ` (7 preceding siblings ...)
  2025-11-20 15:46 ` syzbot
@ 2025-11-20 17:36 ` syzbot
  2025-11-20 18:35 ` syzbot
  2025-11-21 21:19 ` syzbot
  10 siblings, 0 replies; 13+ messages in thread
From: syzbot @ 2025-11-20 17:36 UTC (permalink / raw)
  To: linux-kernel, syzkaller-bugs

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: KASAN: use-after-free Read in ext4_find_extent (4)
Author: eraykrdg1@gmail.com

#syz test

^ permalink raw reply	[flat|nested] 13+ messages in thread

* Forwarded: KASAN: use-after-free Read in ext4_find_extent (4)
  2024-12-30 20:06 [syzbot] [ext4?] KASAN: use-after-free Read in ext4_find_extent (4) syzbot
                   ` (8 preceding siblings ...)
  2025-11-20 17:36 ` syzbot
@ 2025-11-20 18:35 ` syzbot
  2025-11-21 21:19 ` syzbot
  10 siblings, 0 replies; 13+ messages in thread
From: syzbot @ 2025-11-20 18:35 UTC (permalink / raw)
  To: linux-kernel, syzkaller-bugs

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: KASAN: use-after-free Read in ext4_find_extent (4)
Author: eraykrdg1@gmail.com

#syz test

^ permalink raw reply	[flat|nested] 13+ messages in thread

* Forwarded: KASAN: use-after-free Read in ext4_find_extent (4)
  2024-12-30 20:06 [syzbot] [ext4?] KASAN: use-after-free Read in ext4_find_extent (4) syzbot
                   ` (9 preceding siblings ...)
  2025-11-20 18:35 ` syzbot
@ 2025-11-21 21:19 ` syzbot
  10 siblings, 0 replies; 13+ messages in thread
From: syzbot @ 2025-11-21 21:19 UTC (permalink / raw)
  To: linux-kernel, syzkaller-bugs

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: KASAN: use-after-free Read in ext4_find_extent (4)
Author: eraykrdg1@gmail.com

#syz test

^ permalink raw reply	[flat|nested] 13+ messages in thread

end of thread, other threads:[~2025-11-21 21:19 UTC | newest]

Thread overview: 13+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-12-30 20:06 [syzbot] [ext4?] KASAN: use-after-free Read in ext4_find_extent (4) syzbot
2025-03-27 23:44 ` syzbot
2025-03-28 17:10   ` Ojaswin Mujoo
2025-11-19  7:50 ` Forwarded: " syzbot
2025-11-19 16:32 ` Forwarded: " syzbot
2025-11-20  0:57 ` Forwarded: " syzbot
2025-11-20  1:39 ` syzbot
2025-11-20 10:37 ` syzbot
2025-11-20 13:12 ` syzbot
2025-11-20 15:46 ` syzbot
2025-11-20 17:36 ` syzbot
2025-11-20 18:35 ` syzbot
2025-11-21 21:19 ` syzbot

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox