[v6.1] KASAN: slab-out-of-bounds Write in diWrite


syzbot

Feb 8, 2025, 5:36:21 PM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 0cbb5f65e52f Linux 6.1.128
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=110602a4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=88cb0e1f997892a4
dashboard link: https://syzkaller.appspot.com/bug?extid=9761806032c56262cd65
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/acd347d0a419/disk-0cbb5f65.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/08daefc52220/vmlinux-0cbb5f65.xz
kernel image: https://storage.googleapis.com/syzbot-assets/230948781702/Image-0cbb5f65.gz.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+976180...@syzkaller.appspotmail.com

loop8: detected capacity change from 0 to 32768
==================================================================
BUG: KASAN: slab-out-of-bounds in diWrite+0xb48/0x15cc fs/jfs/jfs_imap.c:753
Write of size 32 at addr ffff0000c393b0c0 by task syz.8.631/9059

CPU: 0 PID: 9059 Comm: syz.8.631 Not tainted 6.1.128-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Call trace:
dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:316 [inline]
print_report+0x174/0x4c0 mm/kasan/report.c:427
kasan_report+0xd4/0x130 mm/kasan/report.c:531
kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:189
memcpy+0x60/0x90 mm/kasan/shadow.c:66
diWrite+0xb48/0x15cc fs/jfs/jfs_imap.c:753
txCommit+0x750/0x5574 fs/jfs/jfs_txnmgr.c:1255
add_missing_indices+0x760/0xa8c fs/jfs/jfs_dtree.c:2663
jfs_readdir+0x18ac/0x3030 fs/jfs/jfs_dtree.c:3019
iterate_dir+0x1f4/0x4ec
__do_sys_getdents64 fs/readdir.c:369 [inline]
__se_sys_getdents64 fs/readdir.c:354 [inline]
__arm64_sys_getdents64+0x1c4/0x4a0 fs/readdir.c:354
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2bc arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
do_el0_svc+0x58/0x13c arch/arm64/kernel/syscall.c:204
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585

Allocated by task 4421:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4c/0x80 mm/kasan/common.c:52
kasan_save_alloc_info+0x24/0x30 mm/kasan/generic.c:505
____kasan_kmalloc mm/kasan/common.c:374 [inline]
__kasan_kmalloc+0xac/0xc4 mm/kasan/common.c:383
kasan_kmalloc include/linux/kasan.h:211 [inline]
kmalloc_trace+0x7c/0x94 mm/slab_common.c:1031
kmalloc include/linux/slab.h:563 [inline]
kzalloc include/linux/slab.h:699 [inline]
ref_tracker_alloc+0x130/0x3dc lib/ref_tracker.c:85
__netdev_tracker_alloc include/linux/netdevice.h:4043 [inline]
netdev_hold include/linux/netdevice.h:4072 [inline]
___neigh_create+0xcec/0x25fc net/core/neighbour.c:657
__neigh_create+0x44/0x58 net/core/neighbour.c:737
ip6_finish_output2+0x1990/0x1b54 net/ipv6/ip6_output.c:129
__ip6_finish_output net/ipv6/ip6_output.c:205 [inline]
ip6_finish_output+0x5a4/0x940 net/ipv6/ip6_output.c:216
NF_HOOK_COND include/linux/netfilter.h:291 [inline]
ip6_output+0x274/0x594 net/ipv6/ip6_output.c:237
dst_output include/net/dst.h:444 [inline]
NF_HOOK include/linux/netfilter.h:302 [inline]
ndisc_send_skb+0xc38/0x179c net/ipv6/ndisc.c:511
ndisc_send_rs+0x47c/0x5d4 net/ipv6/ndisc.c:721
addrconf_rs_timer+0x300/0x58c net/ipv6/addrconf.c:3982
call_timer_fn+0x1c0/0xa1c kernel/time/timer.c:1504
expire_timers kernel/time/timer.c:1549 [inline]
__run_timers+0x554/0x718 kernel/time/timer.c:1820
run_timer_softirq+0x7c/0x114 kernel/time/timer.c:1833
handle_softirqs+0x318/0xd58 kernel/softirq.c:578
__do_softirq+0x14/0x20 kernel/softirq.c:612

Freed by task 4637:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4c/0x80 mm/kasan/common.c:52
kasan_save_free_info+0x38/0x5c mm/kasan/generic.c:516
____kasan_slab_free+0x144/0x1c0 mm/kasan/common.c:236
__kasan_slab_free+0x18/0x28 mm/kasan/common.c:244
kasan_slab_free include/linux/kasan.h:177 [inline]
slab_free_hook mm/slub.c:1724 [inline]
slab_free_freelist_hook mm/slub.c:1750 [inline]
slab_free mm/slub.c:3661 [inline]
__kmem_cache_free+0x2c0/0x4b4 mm/slub.c:3674
kfree+0xcc/0x1b8 mm/slab_common.c:988
ref_tracker_dir_exit+0x174/0x458 lib/ref_tracker.c:27
free_netdev+0x25c/0x41c net/core/dev.c:10815
netdev_run_todo+0xccc/0xe80 net/core/dev.c:10472
rtnl_unlock+0x14/0x20 net/core/rtnetlink.c:147
default_device_exit_batch+0x9f8/0xa70 net/core/dev.c:11461
ops_exit_list net/core/net_namespace.c:177 [inline]
cleanup_net+0x6b8/0xaec net/core/net_namespace.c:640
process_one_work+0x7ac/0x1404 kernel/workqueue.c:2292
worker_thread+0x8e4/0xfec kernel/workqueue.c:2439
kthread+0x250/0x2d8 kernel/kthread.c:376
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:864

The buggy address belongs to the object at ffff0000c393b000
which belongs to the cache kmalloc-128 of size 128
The buggy address is located 64 bytes to the right of
128-byte region [ffff0000c393b000, ffff0000c393b080)

The buggy address belongs to the physical page:
page:00000000675d6056 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff0000c393b800 pfn:0x10393b
flags: 0x5ffc00000000200(slab|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000000200 fffffc00032c7448 fffffc0003330f88 ffff0000c0002300
raw: ffff0000c393b800 000000000010000d 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff0000c393af80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff0000c393b000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff0000c393b080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff0000c393b100: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc
ffff0000c393b180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
ERROR: (device loop8): jfs_readdir: JFS:Dtree error: ino = 2, bn=0, index = 0

ERROR: (device loop8): remounting filesystem as read-only


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syzbot

Feb 8, 2025, 6:14:21 PM
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: 0cbb5f65e52f Linux 6.1.128
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=164e02a4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=88cb0e1f997892a4
dashboard link: https://syzkaller.appspot.com/bug?extid=9761806032c56262cd65
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=170811b0580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14783df8580000
mounted in repro: https://storage.googleapis.com/syzbot-assets/7607fe3cdd59/mount_0.gz
fsck result: failed (log: https://syzkaller.appspot.com/x/fsck.log?x=1014cbdf980000)

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+976180...@syzkaller.appspotmail.com

loop0: detected capacity change from 0 to 32768
==================================================================
BUG: KASAN: use-after-free in diWrite+0xb48/0x15cc fs/jfs/jfs_imap.c:753
Write of size 32 at addr ffff0000d4a090c0 by task syz-executor248/4297

CPU: 1 PID: 4297 Comm: syz-executor248 Not tainted 6.1.128-syzkaller #0
Allocated by task 4281:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4c/0x80 mm/kasan/common.c:52
kasan_save_alloc_info+0x24/0x30 mm/kasan/generic.c:505
__kasan_slab_alloc+0x74/0x8c mm/kasan/common.c:328
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook+0x74/0x458 mm/slab.h:737
kmem_cache_alloc_bulk+0x430/0x4fc mm/slub.c:3854
napi_skb_cache_get+0x12c/0x1e8 net/core/skbuff.c:258
__napi_build_skb+0x28/0x310 net/core/skbuff.c:387
__napi_alloc_skb+0x1f8/0x4e4 net/core/skbuff.c:693
napi_alloc_skb include/linux/skbuff.h:3263 [inline]
napi_get_frags+0x78/0x148 net/core/gro.c:699
gve_rx_add_frags drivers/net/ethernet/google/gve/gve_rx.c:309 [inline]
gve_rx_qpl drivers/net/ethernet/google/gve/gve_rx.c:381 [inline]
gve_rx_skb drivers/net/ethernet/google/gve/gve_rx.c:530 [inline]
gve_rx drivers/net/ethernet/google/gve/gve_rx.c:580 [inline]
gve_clean_rx_done drivers/net/ethernet/google/gve/gve_rx.c:728 [inline]
gve_rx_poll+0x1158/0x2bbc drivers/net/ethernet/google/gve/gve_rx.c:782
gve_napi_poll+0xd4/0x2ac drivers/net/ethernet/google/gve/gve_main.c:210
__napi_poll+0xb4/0x3f0 net/core/dev.c:6547
napi_poll net/core/dev.c:6614 [inline]
net_rx_action+0x5cc/0xd3c net/core/dev.c:6728
handle_softirqs+0x318/0xd58 kernel/softirq.c:578
__do_softirq+0x14/0x20 kernel/softirq.c:612

Freed by task 4281:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4c/0x80 mm/kasan/common.c:52
kasan_save_free_info+0x38/0x5c mm/kasan/generic.c:516
____kasan_slab_free+0x144/0x1c0 mm/kasan/common.c:236
__kasan_slab_free+0x18/0x28 mm/kasan/common.c:244
kasan_slab_free include/linux/kasan.h:177 [inline]
slab_free_hook mm/slub.c:1724 [inline]
slab_free_freelist_hook mm/slub.c:1750 [inline]
slab_free mm/slub.c:3661 [inline]
kmem_cache_free+0x2f0/0x588 mm/slub.c:3683
kfree_skbmem+0x10c/0x19c
__kfree_skb net/core/skbuff.c:871 [inline]
skb_attempt_defer_free+0x274/0x41c net/core/skbuff.c:6676
tcp_eat_recv_skb net/ipv4/tcp.c:1661 [inline]
tcp_recvmsg_locked+0xdd4/0x1ce4 net/ipv4/tcp.c:2655
tcp_recvmsg+0x1dc/0x714 net/ipv4/tcp.c:2701
inet_recvmsg+0x124/0x210 net/ipv4/af_inet.c:890
sock_recvmsg_nosec net/socket.c:1022 [inline]
sock_recvmsg net/socket.c:1040 [inline]
sock_read_iter+0x2dc/0x3d4 net/socket.c:1121
call_read_iter include/linux/fs.h:2259 [inline]
new_sync_read fs/read_write.c:389 [inline]
vfs_read+0x5bc/0x8b4 fs/read_write.c:470
ksys_read+0x15c/0x26c fs/read_write.c:613
__do_sys_read fs/read_write.c:623 [inline]
__se_sys_read fs/read_write.c:621 [inline]
__arm64_sys_read+0x7c/0x90 fs/read_write.c:621
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2bc arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
do_el0_svc+0x58/0x13c arch/arm64/kernel/syscall.c:204
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585

The buggy address belongs to the object at ffff0000d4a09000
which belongs to the cache skbuff_head_cache of size 240
The buggy address is located 192 bytes inside of
240-byte region [ffff0000d4a09000, ffff0000d4a090f0)

The buggy address belongs to the physical page:
page:00000000dbcb1846 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x114a09
flags: 0x5ffc00000000200(slab|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000000200 0000000000000000 dead000000000122 ffff0000c086c000
raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff0000d4a08f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff0000d4a09000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff0000d4a09080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
^
ffff0000d4a09100: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
ffff0000d4a09180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
ERROR: (device loop0): jfs_readdir: JFS:Dtree error: ino = 2, bn=0, index = 0

ERROR: (device loop0): remounting filesystem as read-only


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

syzbot

Mar 25, 2025, 3:33:45 AM
to syzkaller...@googlegroups.com
For archival purposes, forwarding an incoming command email to
syzkaller...@googlegroups.com.

***

Subject:
Author: purvay...@gmail.com

#syz test

syzbot

Mar 25, 2025, 4:06:35 AM
to syzkaller...@googlegroups.com

syzbot

Mar 25, 2025, 5:54:52 AM
to syzkaller...@googlegroups.com