[syzbot] [ext4?] KASAN: use-after-free Read in ext4_find_extent (4)

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit: 573067a5a685 Merge branch 'for-next/core' into for-kernelci
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=136d1018580000
kernel config: https://syzkaller.appspot.com/x/.config?x=cd7202b56d469648
dashboard link: https://syzkaller.appspot.com/bug?extid=ee60e584b5c6bb229126
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1790a0b0580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17ee82c4580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/9d3b5c855aa0/disk-573067a5.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/0c06fc1ead83/vmlinux-573067a5.xz
kernel image: https://storage.googleapis.com/syzbot-assets/3390e59b9e4b/Image-573067a5.gz.xz
mounted in repro #1: https://storage.googleapis.com/syzbot-assets/ef6b4e51a02a/mount_0.gz
mounted in repro #2: https://storage.googleapis.com/syzbot-assets/1e15bbc4371d/mount_1.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ee60e5...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in ext4_ext_binsearch fs/ext4/extents.c:840 [inline]
BUG: KASAN: use-after-free in ext4_find_extent+0x94c/0xb0c fs/ext4/extents.c:955
Read of size 4 at addr ffff0000e2d145a0 by task kworker/u8:4/45

CPU: 1 UID: 0 PID: 45 Comm: kworker/u8:4 Not tainted 6.13.0-rc3-syzkaller-g573067a5a685 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: writeback wb_workfn (flush-7:0)
Call trace:
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C)
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0x198/0x538 mm/kasan/report.c:489
kasan_report+0xd8/0x138 mm/kasan/report.c:602
__asan_report_load4_noabort+0x20/0x2c mm/kasan/report_generic.c:380
ext4_ext_binsearch fs/ext4/extents.c:840 [inline]
ext4_find_extent+0x94c/0xb0c fs/ext4/extents.c:955
ext4_ext_map_blocks+0x2b0/0x6600 fs/ext4/extents.c:4205
ext4_map_create_blocks fs/ext4/inode.c:516 [inline]
ext4_map_blocks+0x710/0x15d0 fs/ext4/inode.c:702
mpage_map_one_extent fs/ext4/inode.c:2219 [inline]
mpage_map_and_submit_extent fs/ext4/inode.c:2272 [inline]
ext4_do_writepages+0x195c/0x318c fs/ext4/inode.c:2735
ext4_writepages+0x198/0x308 fs/ext4/inode.c:2824
do_writepages+0x304/0x7d0 mm/page-writeback.c:2702
__writeback_single_inode+0x15c/0x15a4 fs/fs-writeback.c:1680
writeback_sb_inodes+0x650/0x1088 fs/fs-writeback.c:1976
wb_writeback+0x3e0/0xe9c fs/fs-writeback.c:2156
wb_do_writeback fs/fs-writeback.c:2303 [inline]
wb_workfn+0x38c/0x1048 fs/fs-writeback.c:2343
process_one_work+0x7a8/0x15cc kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x97c/0xeec kernel/workqueue.c:3391
kthread+0x288/0x310 kernel/kthread.c:389
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:862

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff9b78a pfn:0x122d14
flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000000000 dead000000000100 dead000000000122 0000000000000000
raw: 0000000ffff9b78a 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff0000e2d14480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff0000e2d14500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff0000e2d14580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff0000e2d14600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff0000e2d14680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

[syzbot]

syzbot has bisected this issue to:

commit 93cdf49f6eca5e23f6546b8f28457b2e6a6961d9
Author: Ojaswin Mujoo <oja...@linux.ibm.com>
Date: Sat Mar 25 08:13:39 2023 +0000

ext4: Fix best extent lstart adjustment logic in ext4_mb_new_inode_pa()

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1566b43f980000
start commit: 1e1ba8d23dae Merge tag 'timers-clocksource-2025-03-26' of ..
git tree: upstream
final oops: https://syzkaller.appspot.com/x/report.txt?x=1766b43f980000
console output: https://syzkaller.appspot.com/x/log.txt?x=1366b43f980000
kernel config: https://syzkaller.appspot.com/x/.config?x=2edddb53537e0320
dashboard link: https://syzkaller.appspot.com/bug?extid=ee60e584b5c6bb229126
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1623343f980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1123343f980000

Reported-by: syzbot+ee60e5...@syzkaller.appspotmail.com
Fixes: 93cdf49f6eca ("ext4: Fix best extent lstart adjustment logic in ext4_mb_new_inode_pa()")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

[Ojaswin Mujoo]

Okay, so I'm able to replicate this with the patch whereas it does not
hit without it, so the bisect seems right.

In my environment, at the time UAF hits, I also see the following logs:

[ 139.893083][ T9] EXT4-fs error (device loop0): ext4_ext_split:1078: inode #15: comm kworker/u8:0: !
[ 139.894260][ T9] EXT4-fs (loop0): Delayed block allocation failed for inode 15 at logical offset 17
[ 139.894278][ T9] EXT4-fs (loop0): This should not happen!! Data will be lost
[ 139.894278][ T9]

[ 139.897505][ T1098] EXT4-fs error (device loop4): ext4_map_blocks:730: inode #15: block 131075: comm )
[ 139.897607][ T1098] EXT4-fs (loop4): Delayed block allocation failed for inode 15 at logical offset 17
[ 139.897624][ T1098] EXT4-fs (loop4): This should not happen!! Data will be lost

ext4_ext4_split:1078 is

if (unlikely(path[depth].p_ext > EXT_MAX_EXTENT(path[depth].p_hdr))) {

and ext4_map_blocks:730 is check_block_validity failure in map blocks.
I'm still trying to make sense of the logs and the UAF and will update
when I have more information.

Regards,
ojaswin

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: Re: KASAN: use-after-free Read in ext4_find_extent (4)
Author: albinbabu...@gmail.com

#syz test

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: KASAN: use-after-free Read in ext4_find_extent (4)
Author: eray...@gmail.com

#syz test

[syzbot]

[syzbot]

[syzbot]

[syzbot]

[syzbot]

[syzbot]

[syzbot]