[ext4?] KASAN: slab-out-of-bounds Read in ext4_find_extent

syzbot

Dec 26, 2022, 2:49:37 AM12/26/22
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: a8aad8851131 ANDROID: GKI: enable mulitcolor-led
git tree: android12-5.4
console output: https://syzkaller.appspot.com/x/log.txt?x=12b28450480000
kernel config: https://syzkaller.appspot.com/x/.config?x=b4f7fdc1fca3154e
dashboard link: https://syzkaller.appspot.com/bug?extid=d6e87e18ba4a4e9dae00
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=161871a8480000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16483db0480000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/71fa3d1afcd2/disk-a8aad885.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/6d25e2985873/vmlinux-a8aad885.xz
kernel image: https://storage.googleapis.com/syzbot-assets/97866ff1e151/bzImage-a8aad885.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/39632e08d9f1/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d6e87e...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: slab-out-of-bounds in ext4_ext_binsearch_idx fs/ext4/extents.c:796 [inline]
BUG: KASAN: slab-out-of-bounds in ext4_find_extent+0x7ae/0xdc0 fs/ext4/extents.c:958
Read of size 4 at addr ffff8881e645eda8 by task syz-executor259/298

CPU: 0 PID: 298 Comm: syz-executor259 Not tainted 5.4.219-syzkaller-00012-ga8aad8851131 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1d8/0x241 lib/dump_stack.c:118
print_address_description+0x8c/0x630 mm/kasan/report.c:384
__kasan_report+0xf6/0x130 mm/kasan/report.c:516
kasan_report+0x30/0x60 mm/kasan/common.c:653
ext4_ext_binsearch_idx fs/ext4/extents.c:796 [inline]
ext4_find_extent+0x7ae/0xdc0 fs/ext4/extents.c:958
ext4_clu_mapped+0x9d/0x790 fs/ext4/extents.c:6026
ext4_insert_delayed_block fs/ext4/inode.c:1830 [inline]
ext4_da_map_blocks fs/ext4/inode.c:1941 [inline]
ext4_da_get_block_prep+0x9cc/0x13a0 fs/ext4/inode.c:2005
__block_write_begin_int+0x6df/0x1810 fs/buffer.c:1980
ext4_da_convert_inline_data_to_extent fs/ext4/inline.c:844 [inline]
ext4_da_write_inline_data_begin+0x512/0xbe0 fs/ext4/inline.c:917
ext4_da_write_begin+0x532/0xf80 fs/ext4/inode.c:3127
generic_perform_write+0x2f9/0x5a0 mm/filemap.c:3311
__generic_file_write_iter+0x239/0x490 mm/filemap.c:3440
ext4_file_write_iter+0x495/0x10e0 fs/ext4/file.c:270
call_write_iter include/linux/fs.h:1976 [inline]
new_sync_write fs/read_write.c:483 [inline]
__vfs_write+0x5e3/0x780 fs/read_write.c:496
vfs_write+0x210/0x4f0 fs/read_write.c:558
ksys_write+0x198/0x2c0 fs/read_write.c:611
do_syscall_64+0xcb/0x1c0 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x5c/0xc1

Allocated by task 234:
save_stack mm/kasan/common.c:70 [inline]
set_track mm/kasan/common.c:78 [inline]
__kasan_kmalloc+0x131/0x1e0 mm/kasan/common.c:529
slab_post_alloc_hook mm/slab.h:584 [inline]
slab_alloc_node mm/slub.c:2829 [inline]
slab_alloc mm/slub.c:2837 [inline]
kmem_cache_alloc+0xd0/0x210 mm/slub.c:2842
__d_alloc+0x2a/0x6a0 fs/dcache.c:1690
d_alloc fs/dcache.c:1769 [inline]
d_alloc_parallel+0xe6/0x1310 fs/dcache.c:2521
__lookup_slow+0x15a/0x450 fs/namei.c:1731
lookup_slow+0x53/0x70 fs/namei.c:1765
walk_component+0x62a/0xb30 fs/namei.c:1885
lookup_last fs/namei.c:2348 [inline]
path_lookupat+0x188/0x3f0 fs/namei.c:2393
filename_lookup+0x223/0x6a0 fs/namei.c:2423
user_path_at include/linux/namei.h:49 [inline]
do_faccessat+0x367/0x780 fs/open.c:398
do_syscall_64+0xcb/0x1c0 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x5c/0xc1

Freed by task 16:
save_stack mm/kasan/common.c:70 [inline]
set_track mm/kasan/common.c:78 [inline]
kasan_set_free_info mm/kasan/common.c:345 [inline]
__kasan_slab_free+0x178/0x240 mm/kasan/common.c:487
slab_free_hook mm/slub.c:1455 [inline]
slab_free_freelist_hook+0x80/0x150 mm/slub.c:1494
slab_free mm/slub.c:3080 [inline]
kmem_cache_free+0xa9/0x1d0 mm/slub.c:3096
__rcu_reclaim kernel/rcu/rcu.h:222 [inline]
rcu_do_batch+0x49e/0xa10 kernel/rcu/tree.c:2167
rcu_core+0x4ba/0xca0 kernel/rcu/tree.c:2387
__do_softirq+0x23e/0x643 kernel/softirq.c:292

The buggy address belongs to the object at ffff8881e645ecc0
which belongs to the cache dentry of size 208
The buggy address is located 24 bytes to the right of
208-byte region [ffff8881e645ecc0, ffff8881e645ed90)
The buggy address belongs to the page:
page:ffffea0007991780 refcount:1 mapcount:0 mapping:ffff8881f5cf9680 index:0x0
flags: 0x8000000000000200(slab)
raw: 8000000000000200 dead000000000100 dead000000000122 ffff8881f5cf9680
raw: 0000000000000000 00000000000f000f 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Reclaimable, gfp_mask 0x12cd0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_RECLAIMABLE)
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook mm/page_alloc.c:2165 [inline]
prep_new_page+0x194/0x380 mm/page_alloc.c:2171
get_page_from_freelist+0x524/0x560 mm/page_alloc.c:3794
__alloc_pages_nodemask+0x372/0x860 mm/page_alloc.c:4891
alloc_slab_page+0x39/0x3e0 mm/slub.c:343
allocate_slab mm/slub.c:1683 [inline]
new_slab+0x97/0x450 mm/slub.c:1749
new_slab_objects mm/slub.c:2505 [inline]
___slab_alloc+0x320/0x4a0 mm/slub.c:2667
__slab_alloc+0x5a/0x90 mm/slub.c:2707
slab_alloc_node mm/slub.c:2792 [inline]
slab_alloc mm/slub.c:2837 [inline]
kmem_cache_alloc+0x100/0x210 mm/slub.c:2842
__d_alloc+0x2a/0x6a0 fs/dcache.c:1690
d_alloc fs/dcache.c:1769 [inline]
d_alloc_parallel+0xe6/0x1310 fs/dcache.c:2521
lookup_open fs/namei.c:3222 [inline]
do_last fs/namei.c:3401 [inline]
path_openat+0x102c/0x3ea0 fs/namei.c:3614
do_filp_open+0x208/0x450 fs/namei.c:3644
do_sys_open+0x393/0x7e0 fs/open.c:1113
do_syscall_64+0xcb/0x1c0 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x5c/0xc1
page_owner free stack trace missing

Memory state around the buggy address:
ffff8881e645ec80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
ffff8881e645ed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881e645ed80: fb fb fc fc fc fc fc fc fc fc fb fb fb fb fb fb


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
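Added example (not part of the syzbot report or of the kernel tree): a small decoder for the "Memory state around the buggy address" dump quoted above, to check that the report's own figures agree with each other. The shadow encoding it assumes is the generic-KASAN one used by v5.4 (one shadow byte per 8-byte granule; 0xfb = freed slab object, 0xfc = slab redzone), and the three shadow lines, the faulting address, the object start and the 208-byte object size are all taken from the report. Run against that data it shows the dentry object at ffff8881e645ecc0 is marked freed, the 4-byte read at ffff8881e645eda8 lands in the redzone 24 bytes past the object's end, and the byte-by-byte addressability rule (including the 1..7 partial-granule case, which this dump does not exercise) flags the access as poisoned.

```c
/* Added example: decoder for the KASAN shadow dump quoted in the report.
 * Not part of the syzbot report or of the kernel; constants mirror the
 * generic-KASAN encoding of v5.4 (mm/kasan/kasan.h). */
#include <stdint.h>
#include <stdio.h>

#define KASAN_GRANULE          8      /* one shadow byte covers 8 bytes   */
#define KASAN_KMALLOC_FREE     0xFB   /* object freed, still in its slab  */
#define KASAN_KMALLOC_REDZONE  0xFC   /* padding between slab objects     */
#define KASAN_PAGE_REDZONE     0xFE
#define KASAN_FREE_PAGE        0xFF

struct shadow_line {
    uint64_t base;          /* kernel address covered by bytes[0]       */
    uint8_t  bytes[16];     /* 16 shadow bytes = 128 bytes of memory    */
};

/* Constructed from the three "Memory state" lines in the report above. */
static const struct shadow_line report_shadow[] = {
    { 0xffff8881e645ec80ULL, { 0xfc,0xfc,0xfc,0xfc,0xfc,0xfc,0xfc,0xfc,
                               0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb } },
    { 0xffff8881e645ed00ULL, { 0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,
                               0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb } },
    { 0xffff8881e645ed80ULL, { 0xfb,0xfb,0xfc,0xfc,0xfc,0xfc,0xfc,0xfc,
                               0xfc,0xfc,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb } },
};
#define NLINES (sizeof report_shadow / sizeof report_shadow[0])

/* Shadow byte covering addr, or -1 if addr is outside the quoted dump. */
static int shadow_byte_for(uint64_t addr)
{
    for (size_t i = 0; i < NLINES; i++) {
        uint64_t base = report_shadow[i].base;
        if (addr >= base && addr < base + 16 * KASAN_GRANULE)
            return report_shadow[i].bytes[(addr - base) / KASAN_GRANULE];
    }
    return -1;
}

/* Human-readable meaning of one shadow value. */
static const char *shadow_meaning(int s)
{
    if (s == 0)                      return "addressable";
    if (s > 0 && s < KASAN_GRANULE)  return "partially addressable (first N bytes)";
    if (s == KASAN_KMALLOC_FREE)     return "freed slab object";
    if (s == KASAN_KMALLOC_REDZONE)  return "slab redzone";
    if (s == KASAN_PAGE_REDZONE)     return "page redzone";
    if (s == KASAN_FREE_PAGE)        return "freed page";
    return "other poison";
}

/* Generic-KASAN rule, applied byte by byte: a byte is addressable if its
 * shadow is 0, or if the shadow is 1..7 and the byte's offset inside its
 * 8-byte granule is below that value.  Returns 1 if any byte of
 * [addr, addr+size) is poisoned, 0 if all are addressable, -1 if the
 * range falls outside the quoted dump. */
static int access_is_poisoned(uint64_t addr, size_t size)
{
    for (size_t i = 0; i < size; i++) {
        uint64_t a = addr + i;
        int s = shadow_byte_for(a);
        if (s < 0)
            return -1;
        if (s == 0)
            continue;
        if (s < KASAN_GRANULE && (int)(a % KASAN_GRANULE) < s)
            continue;
        return 1;
    }
    return 0;
}

/* Signed distance from the end of a slab object to addr (positive = past
 * the end), i.e. the "N bytes to the right of" figure KASAN prints. */
static long offset_past_end(uint64_t addr, uint64_t obj_start, size_t obj_size)
{
    return (long)(addr - (obj_start + obj_size));
}

int main(void)
{
    const uint64_t fault = 0xffff8881e645eda8ULL;   /* "Read of size 4 at addr" */
    const uint64_t obj   = 0xffff8881e645ecc0ULL;   /* "object at"              */
    const size_t   objsz = 208;                     /* "cache dentry of size"   */
    int s = shadow_byte_for(fault);

    printf("shadow at %#llx = 0x%02x (%s)\n",
           (unsigned long long)fault, s, shadow_meaning(s));
    printf("offset past end of object: %ld bytes\n",
           offset_past_end(fault, obj, objsz));
    printf("4-byte read poisoned: %d\n", access_is_poisoned(fault, 4));
    printf("shadow at object start = 0x%02x (%s)\n",
           shadow_byte_for(obj), shadow_meaning(shadow_byte_for(obj)));
    return 0;
}
```

The check is worth doing on any KASAN report before spending time on the stack: the classification in the first line ("slab-out-of-bounds" here) is derived from the shadow byte at the faulting address, so if the printed offset, the object bounds and the shadow value do not line up the report itself is suspect.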

syzbot

Oct 7, 2023, 11:20:52 PM10/7/23
to syzkaller-a...@googlegroups.com
Auto-closing this bug as obsolete.
No recent activity, existing reproducers are no longer triggering the issue.