All of lore.kernel.org
 help / color / mirror / Atom feed
From: syzbot <syzbot+43ddf9603437b6bad4e0@syzkaller.appspotmail.com>
To: adilger.kernel@dilger.ca, linux-ext4@vger.kernel.org,
	linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com,
	tytso@mit.edu
Subject: [syzbot] KASAN: use-after-free Read in ext4_xattr_set_entry (5)
Date: Sat, 28 May 2022 01:51:17 -0700	[thread overview]
Message-ID: <000000000000b8b00505e00e8610@google.com> (raw)

Hello,

syzbot found the following issue on:

HEAD commit:    0966d385830d riscv: Fix auipc+jalr relocation range checks
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes
console output: https://syzkaller.appspot.com/x/log.txt?x=16e9aa39f00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=6295d67591064921
dashboard link: https://syzkaller.appspot.com/bug?extid=43ddf9603437b6bad4e0
compiler:       riscv64-linux-gnu-gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: riscv64

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+43ddf9603437b6bad4e0@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in ext4_xattr_set_entry+0x212/0x2034 fs/ext4/xattr.c:1593
Read of size 4 at addr ffffaf800f477ffe by task syz-executor.1/5063

CPU: 1 PID: 5063 Comm: syz-executor.1 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff8000a228>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:113
[<ffffffff831668cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:119
[<ffffffff831756ba>] __dump_stack lib/dump_stack.c:88 [inline]
[<ffffffff831756ba>] dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:106
[<ffffffff8047479e>] print_address_description.constprop.0+0x2a/0x330 mm/kasan/report.c:255
[<ffffffff80474d4c>] __kasan_report mm/kasan/report.c:442 [inline]
[<ffffffff80474d4c>] kasan_report+0x184/0x1e0 mm/kasan/report.c:459
[<ffffffff804759f4>] check_region_inline mm/kasan/generic.c:183 [inline]
[<ffffffff804759f4>] __asan_load4+0x6e/0x96 mm/kasan/generic.c:255
[<ffffffff807c17b4>] ext4_xattr_set_entry+0x212/0x2034 fs/ext4/xattr.c:1593
[<ffffffff807c6c80>] ext4_xattr_ibody_set+0x5c/0x158 fs/ext4/xattr.c:2210
[<ffffffff807c73da>] ext4_xattr_set_handle+0x65e/0xea0 fs/ext4/xattr.c:2367
[<ffffffff807c7e6e>] ext4_xattr_set+0x12e/0x2b4 fs/ext4/xattr.c:2480
[<ffffffff807c9abc>] ext4_xattr_trusted_set+0x34/0x46 fs/ext4/xattr_trusted.c:38
[<ffffffff8052af96>] __vfs_setxattr+0x106/0x172 fs/xattr.c:180
[<ffffffff8052cd3e>] __vfs_setxattr_noperm+0xca/0x378 fs/xattr.c:214
[<ffffffff8052d156>] __vfs_setxattr_locked+0x16a/0x186 fs/xattr.c:275
[<ffffffff8052d2a8>] vfs_setxattr+0x136/0x296 fs/xattr.c:301
[<ffffffff8052d61a>] setxattr+0x212/0x29a fs/xattr.c:575
[<ffffffff8052d844>] path_setxattr+0x1a2/0x1bc fs/xattr.c:595
[<ffffffff8052daca>] __do_sys_setxattr fs/xattr.c:611 [inline]
[<ffffffff8052daca>] sys_setxattr+0x36/0x48 fs/xattr.c:607
[<ffffffff80005716>] ret_from_syscall+0x0/0x2

The buggy address belongs to the page:
page:ffffaf807aa95178 refcount:2 mapcount:0 mapping:ffffaf800ab50810 index:0xb8 pfn:0x8f677
memcg:ffffaf80073e0000
aops:def_blk_aops ino:fd00000
flags: 0x880000203a(referenced|dirty|lru|active|private|section=17|node=0|zone=0)
raw: 000000880000203a ffffaf807aa95138 ffffaf807aaa3e08 ffffaf800ab50810
raw: 00000000000000b8 ffffaf800dbbe910 00000002ffffffff ffffaf80073e0000
raw: 00000000000007ff
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x148c40(GFP_NOFS|__GFP_NOFAIL|__GFP_COMP|__GFP_HARDWALL), pid 1, ts 83303672800, free_ts 0
 __set_page_owner+0x48/0x136 mm/page_owner.c:183
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0xd0/0x10a mm/page_alloc.c:2427
 prep_new_page mm/page_alloc.c:2434 [inline]
 get_page_from_freelist+0x8da/0x12d8 mm/page_alloc.c:4165
 __alloc_pages+0x150/0x3b6 mm/page_alloc.c:5389
 alloc_pages+0x132/0x2a6 mm/mempolicy.c:2271
 folio_alloc+0x24/0x30 mm/mempolicy.c:2281
 filemap_alloc_folio mm/filemap.c:987 [inline]
 __filemap_get_folio+0x63c/0xd58 mm/filemap.c:1990
 pagecache_get_page+0x2e/0x230 mm/folio-compat.c:125
 find_or_create_page include/linux/pagemap.h:488 [inline]
 grow_dev_page fs/buffer.c:949 [inline]
 grow_buffers fs/buffer.c:1014 [inline]
 __getblk_slow+0x1f2/0x738 fs/buffer.c:1041
 __getblk_gfp+0x74/0x78 fs/buffer.c:1334
 sb_getblk_gfp include/linux/buffer_head.h:334 [inline]
 ext4_sb_breadahead_unmovable+0x46/0xa8 fs/ext4/super.c:264
 __ext4_get_inode_loc+0x9d6/0xc08 fs/ext4/inode.c:4488
 __ext4_get_inode_loc_noinmem+0xb2/0x138 fs/ext4/inode.c:4518
 __ext4_iget+0x348/0x20f8 fs/ext4/inode.c:4711
 ext4_lookup fs/ext4/namei.c:1785 [inline]
 ext4_lookup+0x28a/0x4ea fs/ext4/namei.c:1760
 lookup_open.isra.0+0x6a6/0xd4a fs/namei.c:3308
page_owner free stack trace missing

Memory state around the buggy address:
 ffffaf800f477f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffaf800f477f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffaf800f478000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffffaf800f478080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffffaf800f478100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
EXT4-fs error (device vda): ext4_xattr_set_entry:1596: inode #640: comm syz-executor.1: corrupted xattr entries


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

                 reply	other threads:[~2022-05-28  8:51 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=000000000000b8b00505e00e8610@google.com \
    --to=syzbot+43ddf9603437b6bad4e0@syzkaller.appspotmail.com \
    --cc=adilger.kernel@dilger.ca \
    --cc=linux-ext4@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=syzkaller-bugs@googlegroups.com \
    --cc=tytso@mit.edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.