Hello,
syzbot found the following issue on:

HEAD commit:    228da13e907e Linux 6.1.175
git tree:       linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=17ccbb7e580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=29caf4bae4b0566f
dashboard link: https://syzkaller.appspot.com/bug?extid=94da2b9a99715122ce75
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
userspace arch: arm64
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15bd0bec580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=15fcea56580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/bf27a408696a/disk-228da13e.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/264d4943ab43/vmlinux-228da13e.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a499b0d2a133/Image-228da13e.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/50f00289e861/mount_0.gz
fsck result: OK (log: https://syzkaller.appspot.com/x/fsck.log?x=11bd0bec580000)
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+94da2b...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: use-after-free in ocfs2_replay_truncate_records fs/ocfs2/alloc.c:5959 [inline]
BUG: KASAN: use-after-free in __ocfs2_flush_truncate_log+0x67c/0x10a8 fs/ocfs2/alloc.c:6054
Read of size 4 at addr ffff0000f271d2c0 by task syz-executor/4451
CPU: 1 PID: 4451 Comm: syz-executor Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Call trace:
dump_backtrace+0x1c0/0x1ec arch/arm64/kernel/stacktrace.c:158
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
__dump_stack+0x30/0x40 lib/dump_stack.c:88
dump_stack_lvl+0xf4/0x15c lib/dump_stack.c:106
print_address_description+0x88/0x218 mm/kasan/report.c:316
print_report+0x50/0x68 mm/kasan/report.c:420
kasan_report+0xa8/0xfc mm/kasan/report.c:524
__asan_report_load4_noabort+0x2c/0x38 mm/kasan/report_generic.c:350
ocfs2_replay_truncate_records fs/ocfs2/alloc.c:5959 [inline]
__ocfs2_flush_truncate_log+0x67c/0x10a8 fs/ocfs2/alloc.c:6054
ocfs2_flush_truncate_log+0x48/0x68 fs/ocfs2/alloc.c:6076
ocfs2_sync_fs+0x100/0x2c0 fs/ocfs2/super.c:402
sync_filesystem+0x1a0/0x218 fs/sync.c:66
generic_shutdown_super+0x70/0x324 fs/super.c:474
kill_block_super+0x70/0xdc fs/super.c:1470
deactivate_locked_super+0xac/0x120 fs/super.c:332
deactivate_super+0xe4/0x104 fs/super.c:363
cleanup_mnt+0x390/0x418 fs/namespace.c:1191
__cleanup_mnt+0x20/0x30 fs/namespace.c:1198
task_work_run+0x1ec/0x278 kernel/task_work.c:203
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
do_notify_resume+0x1fa0/0x2aa4 arch/arm64/kernel/signal.c:1151
prepare_exit_to_user_mode arch/arm64/kernel/entry-common.c:137 [inline]
exit_to_user_mode arch/arm64/kernel/entry-common.c:142 [inline]
el0_svc+0x98/0x128 arch/arm64/kernel/entry-common.c:638
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
The buggy address belongs to the physical page:
page:000000005548ecfe refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x13271d
flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000000000 fffffc0003c9c788 fffffc0003afa608 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff0000f271d180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff0000f271d200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff0000f271d280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                           ^
ffff0000f271d300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff0000f271d380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
(syz-executor,4451,1):ocfs2_read_blocks:239 ERROR: status = -12
(syz-executor,4451,1):_ocfs2_free_suballoc_bits:2489 ERROR: status = -12
(syz-executor,4451,1):_ocfs2_free_clusters:2583 ERROR: status = -12
(syz-executor,4451,1):ocfs2_replay_truncate_records:5976 ERROR: status = -12
(syz-executor,4451,1):__ocfs2_flush_truncate_log:6057 ERROR: status = -12
(syz-executor,4451,1):ocfs2_sync_fs:404 ERROR: status = -12
------------[ cut here ]------------
kernel BUG at fs/ocfs2/suballoc.c:2479!
Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 PID: 4451 Comm: syz-executor Tainted: G B syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
pstate: 82400005 (Nzcv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=--)
pc : _ocfs2_free_suballoc_bits+0xd14/0x10cc fs/ocfs2/suballoc.c:2479
lr : _ocfs2_free_suballoc_bits+0xd14/0x10cc fs/ocfs2/suballoc.c:2479
sp : ffff800021467260
x29: ffff8000214673c0 x28: 00000000e9b39eab x27: dfff800000000000
x26: ffff0000e2bb1478 x25: ffff800009debfe0 x24: ffff70000428ce5c
x23: 0000000000000e00 x22: ffff8000214672e0 x21: 0000000000000e00
x20: 00000004a243a000 x19: 00000000e9b3a05e x18: ffff800011babf60
x17: 1fffe00033ea397e x16: ffff800011a529a8 x15: 0000000000000000
x14: 00000000fffffffc x13: 0000000000ff0100 x12: 0000000000ff0100
x11: ff00800009df1b5c x10: 0000000000000000 x9 : ffff800009df1b5c
x8 : ffff0000d0653800 x7 : 0000000000000000 x6 : ffff800009debfe0
x5 : 00000000e9b39eab x4 : 00000004a243a000 x3 : 00000000000001b3
x2 : ffff0000d86b2e80 x1 : 0000000000000e00 x0 : 00000000e9b3a05e
Call trace:
_ocfs2_free_suballoc_bits+0xd14/0x10cc fs/ocfs2/suballoc.c:2479
_ocfs2_free_clusters+0x50c/0xa1c fs/ocfs2/suballoc.c:2579
ocfs2_free_clusters+0x50/0x68 fs/ocfs2/suballoc.c:2600
ocfs2_replay_truncate_records fs/ocfs2/alloc.c:5971 [inline]
__ocfs2_flush_truncate_log+0x5dc/0x10a8 fs/ocfs2/alloc.c:6054
ocfs2_flush_truncate_log fs/ocfs2/alloc.c:6076 [inline]
ocfs2_truncate_log_shutdown+0x10c/0x280 fs/ocfs2/alloc.c:6320
ocfs2_dismount_volume+0x1fc/0x948 fs/ocfs2/super.c:1884
ocfs2_put_super+0x108/0x388 fs/ocfs2/super.c:1609
generic_shutdown_super+0x130/0x324 fs/super.c:501
kill_block_super+0x70/0xdc fs/super.c:1470
deactivate_locked_super+0xac/0x120 fs/super.c:332
deactivate_super+0xe4/0x104 fs/super.c:363
cleanup_mnt+0x390/0x418 fs/namespace.c:1191
__cleanup_mnt+0x20/0x30 fs/namespace.c:1198
task_work_run+0x1ec/0x278 kernel/task_work.c:203
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
do_notify_resume+0x1fa0/0x2aa4 arch/arm64/kernel/signal.c:1151
prepare_exit_to_user_mode arch/arm64/kernel/entry-common.c:137 [inline]
exit_to_user_mode arch/arm64/kernel/entry-common.c:142 [inline]
el0_svc+0x98/0x128 arch/arm64/kernel/entry-common.c:638
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
Code: 17fffea2 979ae9e5 d4210000 979ae9e3 (d4210000)
---[ end trace 0000000000000000 ]---
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
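The "Memory state around the buggy address" block in the KASAN report above is a dump of KASAN's shadow memory: one shadow byte per 8-byte granule, 16 granules (128 bytes) per row, with `>` marking the row that contains the faulting address and `^` pointing at the granule. The value `ff` is `KASAN_PAGE_FREE` in the generic KASAN poison table of Linux 6.1 (mm/kasan/kasan.h), which is consistent with the report's own "belongs to the physical page ... refcount:0" line: the 4-byte read at ffff0000f271d2c0 landed in a page that had already been freed, not in a freed slab object or a redzone. The following script is an added example, not part of the syzbot report or of the kernel sources; it parses the access line and the shadow rows, maps the faulting address onto its shadow granule, and decodes the poison value. The poison table is copied from the 6.1 header; the `SAMPLE_REPORT` excerpt is constructed from the report above, and names such as `analyze` and `describe_shadow` are the example's own.

```python
import re

# Generic KASAN shadow encoding (Linux 6.1, mm/kasan/kasan.h):
# one shadow byte covers an 8-byte granule; 0x00 = fully addressable,
# 0x01..0x07 = that many leading bytes addressable, >= 0x80 = poison.
SHADOW_GRANULE = 8
POISON_NAMES = {
    0xF1: "KASAN_STACK_LEFT",
    0xF2: "KASAN_STACK_MID",
    0xF3: "KASAN_STACK_RIGHT",
    0xF4: "KASAN_STACK_PARTIAL",
    0xF8: "KASAN_VMALLOC_INVALID",
    0xF9: "KASAN_GLOBAL_REDZONE",
    0xFA: "KASAN_SLAB_FREETRACK",
    0xFB: "KASAN_SLAB_FREE",
    0xFC: "KASAN_SLAB_REDZONE",
    0xFE: "KASAN_PAGE_REDZONE",
    0xFF: "KASAN_PAGE_FREE",
}

# Constructed excerpt of the syzbot report above (same address and shadow rows).
SAMPLE_REPORT = """\
BUG: KASAN: use-after-free in __ocfs2_flush_truncate_log+0x67c/0x10a8 fs/ocfs2/alloc.c:6054
Read of size 4 at addr ffff0000f271d2c0 by task syz-executor/4451
Memory state around the buggy address:
 ffff0000f271d180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff0000f271d200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff0000f271d280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                           ^
 ffff0000f271d300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
"""

ACCESS_RE = re.compile(r"^(Read|Write) of size (\d+) at addr ([0-9a-f]{16})", re.M)
# A shadow row: optional '>' marker, 16-digit base address, 16 shadow bytes.
ROW_RE = re.compile(r"^[ >]([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$", re.M)
ROW_BYTES = 16 * SHADOW_GRANULE  # each dumped row covers 128 bytes of memory


def describe_shadow(value):
    """Translate one shadow byte into the KASAN meaning it encodes."""
    if value == 0:
        return "addressable"
    if 1 <= value <= 7:
        return f"partially addressable ({value} of {SHADOW_GRANULE} bytes)"
    return POISON_NAMES.get(value, f"unknown poison 0x{value:02x}")


def parse_shadow_rows(text):
    """Return {row_base_address: [16 shadow byte values]} for every dumped row."""
    rows = {}
    for m in ROW_RE.finditer(text):
        rows[int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
    return rows


def analyze(text):
    """Locate the faulting access in the shadow dump and decode its granule(s)."""
    m = ACCESS_RE.search(text)
    if not m:
        raise ValueError("no 'Read/Write of size N at addr' line found")
    kind, size, addr = m.group(1), int(m.group(2)), int(m.group(3), 16)
    rows = parse_shadow_rows(text)
    row_base = addr & ~(ROW_BYTES - 1)      # row containing the address
    if row_base not in rows:
        raise ValueError(f"no shadow row covers {addr:#x}")
    first = (addr - row_base) // SHADOW_GRANULE
    # An access may straddle granules: count every granule it touches.
    span = (addr % SHADOW_GRANULE + size + SHADOW_GRANULE - 1) // SHADOW_GRANULE
    values = rows[row_base][first:first + span]
    return {
        "kind": kind,
        "size": size,
        "addr": addr,
        "row_base": row_base,
        "shadow_index": first,
        "shadow_values": values,
        "meaning": describe_shadow(values[0]),
    }


if __name__ == "__main__":
    r = analyze(SAMPLE_REPORT)
    print(f"{r['kind']} of {r['size']} bytes at {r['addr']:#x}: "
          f"shadow row {r['row_base']:#x}, granule {r['shadow_index']}, "
          f"shadow {[hex(v) for v in r['shadow_values']]} -> {r['meaning']}")
```

Running it on the excerpt prints that the read at ffff0000f271d2c0 maps to granule 8 of the row starting at ffff0000f271d280 and that the shadow byte is `KASAN_PAGE_FREE`, which is why KASAN classified the access as a use-after-free even though no slab object description follows in the report. The same decoding applies to the `fb`/`fc` values seen in slab use-after-free and out-of-bounds reports.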