Hello,
syzbot found the following crash on:
HEAD commit: 4520f06b Linux 4.14.175
git tree: linux-4.14.y
console output:
https://syzkaller.appspot.com/x/log.txt?x=1717e657e00000
kernel config:
https://syzkaller.appspot.com/x/.config?x=93cf891381c0c347
dashboard link:
https://syzkaller.appspot.com/bug?extid=e1f6e4304964f5d37eb7
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by:
syzbot+e1f6e4...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-out-of-bounds in __ext4_check_dir_entry+0x2f9/0x340 fs/ext4/dir.c:68
Read of size 2 at addr ffff8880a4848003 by task syz-executor.5/22211
CPU: 1 PID: 22211 Comm: syz-executor.5 Not tainted 4.14.175-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x13e/0x194 lib/dump_stack.c:58
print_address_description.cold+0x7c/0x1e2 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold+0xa9/0x2ae mm/kasan/report.c:393
__ext4_check_dir_entry+0x2f9/0x340 fs/ext4/dir.c:68
ext4_readdir+0x822/0x27f0 fs/ext4/dir.c:240
iterate_dir+0x1a0/0x5e0 fs/readdir.c:52
SYSC_getdents64 fs/readdir.c:355 [inline]
SyS_getdents64+0x130/0x240 fs/readdir.c:336
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x45c889
RSP: 002b:00007ff3dd003c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 00007ff3dd0046d4 RCX: 000000000045c889
RDX: 00000000c0000000 RSI: 0000000000000000 RDI: 0000000000000005
RBP: 000000000076bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000000f0 R14: 00000000004c3798 R15: 000000000076bf0c
Allocated by task 3637:
save_stack+0x32/0xa0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc mm/kasan/kasan.c:551 [inline]
kasan_kmalloc+0xbf/0xe0 mm/kasan/kasan.c:529
kmem_cache_alloc+0x127/0x770 mm/slab.c:3552
getname_flags fs/namei.c:138 [inline]
getname_flags+0xc8/0x560 fs/namei.c:128
user_path_at_empty+0x2a/0x50 fs/namei.c:2631
user_path_at include/linux/namei.h:57 [inline]
SYSC_faccessat fs/open.c:403 [inline]
SyS_faccessat fs/open.c:353 [inline]
SYSC_access fs/open.c:450 [inline]
SyS_access+0x21a/0x680 fs/open.c:448
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
Freed by task 3637:
save_stack+0x32/0xa0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kmem_cache_free+0x7c/0x2b0 mm/slab.c:3758
putname+0xcd/0x110 fs/namei.c:259
filename_lookup+0x23a/0x380 fs/namei.c:2386
user_path_at include/linux/namei.h:57 [inline]
SYSC_faccessat fs/open.c:403 [inline]
SyS_faccessat fs/open.c:353 [inline]
SYSC_access fs/open.c:450 [inline]
SyS_access+0x21a/0x680 fs/open.c:448
do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
The buggy address belongs to the object at ffff8880a4848d40
which belongs to the cache names_cache of size 4096
The buggy address is located 3389 bytes to the left of
4096-byte region [ffff8880a4848d40, ffff8880a4849d40)
The buggy address belongs to the page:
page:ffffea0002921200 count:1 mapcount:0 mapping:ffff8880a4848d40 index:0x0 compound_mapcount: 0
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffff8880a4848d40 0000000000000000 0000000100000001
raw: ffffea000285e1a0 ffffea000134c420 ffff8880aa586e40 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880a4847f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8880a4847f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880a4848000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff8880a4848080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8880a4848100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
---
This bug is generated by a bot. It may contain errors.
See
https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at
syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.