From: syzbot <syzbot+db6caad9ebd2c8022b41@syzkaller.appspotmail.com>
To: adilger.kernel@dilger.ca, linux-ext4@vger.kernel.org,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com, tytso@mit.edu
Subject: Re: [syzbot] [ext4?] KASAN: slab-use-after-free Read in ext4_convert_inline_data_nolock
Date: Tue, 28 Mar 2023 00:53:47 -0700 [thread overview]
Message-ID: <000000000000d3b32005f7f12805@google.com> (raw)
In-Reply-To: <000000000000b62cdb05f7dfab8b@google.com>
syzbot has found a reproducer for the following issue on:
HEAD commit: 3a93e40326c8 Merge tag 'for-linus' of git://git.kernel.org..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=1034aed5c80000
kernel config: https://syzkaller.appspot.com/x/.config?x=9c35b3803e5ad668
dashboard link: https://syzkaller.appspot.com/bug?extid=db6caad9ebd2c8022b41
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11a2cd05c80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=158e1f29c80000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/65fe3e7679b9/disk-3a93e403.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/169220ad146c/vmlinux-3a93e403.xz
kernel image: https://storage.googleapis.com/syzbot-assets/6f5e2d192c51/bzImage-3a93e403.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/343663881b01/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+db6caad9ebd2c8022b41@syzkaller.appspotmail.com
EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 without journal. Quota mode: none.
==================================================================
BUG: KASAN: slab-out-of-bounds in ext4_read_inline_data fs/ext4/inline.c:199 [inline]
BUG: KASAN: slab-out-of-bounds in ext4_convert_inline_data_nolock+0x31a/0xd80 fs/ext4/inline.c:1204
Read of size 20 at addr ffff88807645e1a3 by task syz-executor378/5075
CPU: 0 PID: 5075 Comm: syz-executor378 Not tainted 6.3.0-rc4-syzkaller-00025-g3a93e40326c8 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:319 [inline]
print_report+0x163/0x540 mm/kasan/report.c:430
kasan_report+0x176/0x1b0 mm/kasan/report.c:536
kasan_check_range+0x283/0x290 mm/kasan/generic.c:187
__asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105
ext4_read_inline_data fs/ext4/inline.c:199 [inline]
ext4_convert_inline_data_nolock+0x31a/0xd80 fs/ext4/inline.c:1204
ext4_convert_inline_data+0x4da/0x620 fs/ext4/inline.c:2065
ext4_fallocate+0x14d/0x2050 fs/ext4/extents.c:4701
vfs_fallocate+0x54b/0x6b0 fs/open.c:324
ksys_fallocate fs/open.c:347 [inline]
__do_sys_fallocate fs/open.c:355 [inline]
__se_sys_fallocate fs/open.c:353 [inline]
__x64_sys_fallocate+0xbd/0x100 fs/open.c:353
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fb0579425c9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 31 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffdcef99758 EFLAGS: 00000246 ORIG_RAX: 000000000000011d
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb0579425c9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
RBP: 0000000000000003 R08: 0000000000000003 R09: 0000000000000003
R10: 0000000000008000 R11: 0000000000000246 R12: 00007ffdcef99790
R13: 00007ffdcef99788 R14: 00007ffdcef99784 R15: 0000000000000003
</TASK>
Allocated by task 5023:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4f/0x70 mm/kasan/common.c:52
__kasan_slab_alloc+0x66/0x70 mm/kasan/common.c:328
kasan_slab_alloc include/linux/kasan.h:186 [inline]
slab_post_alloc_hook+0x68/0x3a0 mm/slab.h:769
slab_alloc_node mm/slub.c:3452 [inline]
slab_alloc mm/slub.c:3460 [inline]
__kmem_cache_alloc_lru mm/slub.c:3467 [inline]
kmem_cache_alloc+0x11f/0x2e0 mm/slub.c:3476
mt_alloc_one lib/maple_tree.c:159 [inline]
mas_alloc_nodes+0x26e/0x780 lib/maple_tree.c:1233
mas_node_count_gfp lib/maple_tree.c:1318 [inline]
mas_preallocate+0x131/0x350 lib/maple_tree.c:5717
vma_iter_prealloc mm/internal.h:972 [inline]
__split_vma+0x1e0/0x7f0 mm/mmap.c:2177
mprotect_fixup+0x5f5/0x920 mm/mprotect.c:663
do_mprotect_pkey+0x8f8/0xc60 mm/mprotect.c:831
__do_sys_mprotect mm/mprotect.c:852 [inline]
__se_sys_mprotect mm/mprotect.c:849 [inline]
__x64_sys_mprotect+0x80/0x90 mm/mprotect.c:849
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Freed by task 5023:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4f/0x70 mm/kasan/common.c:52
kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:521
____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236
kasan_slab_free include/linux/kasan.h:162 [inline]
slab_free_hook mm/slub.c:1781 [inline]
slab_free_freelist_hook mm/slub.c:1807 [inline]
slab_free mm/slub.c:3787 [inline]
kmem_cache_free+0x297/0x520 mm/slub.c:3809
mas_destroy+0x1bdc/0x2280 lib/maple_tree.c:5774
mas_store_prealloc+0x351/0x460 lib/maple_tree.c:5702
vma_complete+0x1ed/0x970 mm/mmap.c:572
__split_vma+0x7b9/0x7f0 mm/mmap.c:2214
mprotect_fixup+0x5f5/0x920 mm/mprotect.c:663
do_mprotect_pkey+0x8f8/0xc60 mm/mprotect.c:831
__do_sys_mprotect mm/mprotect.c:852 [inline]
__se_sys_mprotect mm/mprotect.c:849 [inline]
__x64_sys_mprotect+0x80/0x90 mm/mprotect.c:849
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The buggy address belongs to the object at ffff88807645e000
which belongs to the cache maple_node of size 256
The buggy address is located 163 bytes to the right of
allocated 256-byte region [ffff88807645e000, ffff88807645e100)
The buggy address belongs to the physical page:
page:ffffea0001d91780 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7645e
head:ffffea0001d91780 order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 ffff8880124cd000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5023, tgid 5023 (rm), ts 57145564531, free_ts 41308598324
prep_new_page mm/page_alloc.c:2553 [inline]
get_page_from_freelist+0x3246/0x33c0 mm/page_alloc.c:4326
__alloc_pages+0x255/0x670 mm/page_alloc.c:5592
alloc_slab_page+0x6a/0x160 mm/slub.c:1851
allocate_slab mm/slub.c:1998 [inline]
new_slab+0x84/0x2f0 mm/slub.c:2051
___slab_alloc+0xa85/0x10a0 mm/slub.c:3193
__slab_alloc mm/slub.c:3292 [inline]
__slab_alloc_node mm/slub.c:3345 [inline]
slab_alloc_node mm/slub.c:3442 [inline]
slab_alloc mm/slub.c:3460 [inline]
__kmem_cache_alloc_lru mm/slub.c:3467 [inline]
kmem_cache_alloc+0x1b9/0x2e0 mm/slub.c:3476
mt_alloc_one lib/maple_tree.c:159 [inline]
mas_alloc_nodes+0x26e/0x780 lib/maple_tree.c:1233
mas_node_count_gfp lib/maple_tree.c:1318 [inline]
mas_preallocate+0x131/0x350 lib/maple_tree.c:5717
vma_iter_prealloc mm/internal.h:972 [inline]
__split_vma+0x1e0/0x7f0 mm/mmap.c:2177
mprotect_fixup+0x5f5/0x920 mm/mprotect.c:663
do_mprotect_pkey+0x8f8/0xc60 mm/mprotect.c:831
__do_sys_mprotect mm/mprotect.c:852 [inline]
__se_sys_mprotect mm/mprotect.c:849 [inline]
__x64_sys_mprotect+0x80/0x90 mm/mprotect.c:849
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1454 [inline]
free_pcp_prepare mm/page_alloc.c:1504 [inline]
free_unref_page_prepare+0xe2f/0xe70 mm/page_alloc.c:3388
free_unref_page+0x37/0x3f0 mm/page_alloc.c:3483
discard_slab mm/slub.c:2098 [inline]
__unfreeze_partials+0x1b1/0x1f0 mm/slub.c:2637
put_cpu_partial+0x116/0x180 mm/slub.c:2713
qlist_free_all+0x22/0x60 mm/kasan/quarantine.c:187
kasan_quarantine_reduce+0x14b/0x160 mm/kasan/quarantine.c:294
__kasan_slab_alloc+0x23/0x70 mm/kasan/common.c:305
kasan_slab_alloc include/linux/kasan.h:186 [inline]
slab_post_alloc_hook+0x68/0x3a0 mm/slab.h:769
slab_alloc_node mm/slub.c:3452 [inline]
slab_alloc mm/slub.c:3460 [inline]
__kmem_cache_alloc_lru mm/slub.c:3467 [inline]
kmem_cache_alloc+0x11f/0x2e0 mm/slub.c:3476
vm_area_alloc+0x24/0xe0 kernel/fork.c:458
mmap_region+0xbfb/0x20c0 mm/mmap.c:2553
do_mmap+0x8c9/0xf70 mm/mmap.c:1364
vm_mmap_pgoff+0x1ce/0x2e0 mm/util.c:542
ksys_mmap_pgoff+0x4f9/0x6d0 mm/mmap.c:1410
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Memory state around the buggy address:
ffff88807645e080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807645e100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88807645e180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff88807645e200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807645e280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
next prev parent reply other threads:[~2023-03-28 7:54 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-03-27 11:01 [syzbot] [ext4?] KASAN: slab-use-after-free Read in ext4_convert_inline_data_nolock syzbot
2023-03-28 7:53 ` syzbot [this message]
2024-02-01 8:20 ` syzbot
2024-02-01 9:18 ` Jan Kara
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=000000000000d3b32005f7f12805@google.com \
--to=syzbot+db6caad9ebd2c8022b41@syzkaller.appspotmail.com \
--cc=adilger.kernel@dilger.ca \
--cc=linux-ext4@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=syzkaller-bugs@googlegroups.com \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.