Hi Kernel Maintainers, Our tool found a kernel bug KASAN: use-after-free in ext4_find_extent. Please see the details below. Kernel commit: v6.9 (Commits on May 12, 2024) Kernel config: attachment C/Syz reproducer: attachment We find this bug was reported and marked as fixed. (https://syzkaller.appspot.com/bug?extid=7ec4ebe875a7076ebb31) Our reproducer can trigger this bug in v6.9, so the bug may have not been fixed correctly. Please let me know for anything I can help. Best, Shuangpeng [ 104.471062][ T1049] ================================================================== [ 104.473279][ T1049] BUG: KASAN: use-after-free in ext4_find_extent (fs/ext4/extents.c:837 fs/ext4/extents.c:953) [ 104.475224][ T1049] Read of size 4 at addr ffff88815aec5d24 by task kworker/u10:7/1049 [ 104.477244][ T1049] [ 104.477808][ T1049] CPU: 1 PID: 1049 Comm: kworker/u10:7 Not tainted 6.9.0 #7 [ 104.479677][ T1049] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 [ 104.481942][ T1049] Workqueue: ext4-rsv-conversion ext4_end_io_rsv_work [ 104.483662][ T1049] Call Trace: [ 104.484507][ T1049] <TASK> [ 104.485281][ T1049] dump_stack_lvl (lib/dump_stack.c:117) [ 104.487750][ T1049] print_report (mm/kasan/report.c:378 mm/kasan/report.c:488) [ 104.488874][ T1049] ? __phys_addr (arch/x86/mm/physaddr.c:32 (discriminator 4)) [ 104.490057][ T1049] ? ext4_find_extent (fs/ext4/extents.c:837 fs/ext4/extents.c:953) [ 104.491357][ T1049] kasan_report (mm/kasan/report.c:603) [ 104.492441][ T1049] ? ext4_find_extent (fs/ext4/extents.c:837 fs/ext4/extents.c:953) [ 104.493455][ T1049] ext4_find_extent (fs/ext4/extents.c:837 fs/ext4/extents.c:953) [ 104.494504][ T1049] ext4_ext_map_blocks (fs/ext4/extents.c:4144) [ 104.495628][ T1049] ? preempt_count_add (./include/linux/ftrace.h:974 kernel/sched/core.c:5852 kernel/sched/core.c:5849 kernel/sched/core.c:5877) [ 104.496730][ T1049] ? __pfx_copy_page_from_iter_atomic (lib/iov_iter.c:462) [ 104.498034][ T1049] ? const_folio_flags.constprop.0 (./include/linux/page-flags.h:316) [ 104.499327][ T1049] ? noop_dirty_folio (mm/page-writeback.c:2650) [ 104.500338][ T1049] ? folio_flags.constprop.0 (./include/linux/page-flags.h:325) [ 104.501532][ T1049] ? inode_to_bdi (mm/backing-dev.c:1097) [ 104.502518][ T1049] ? __pfx_ext4_ext_map_blocks (fs/ext4/extents.c:4128) [ 104.503705][ T1049] ? shmem_write_end (mm/shmem.c:2783) [ 104.504958][ T1049] ? generic_perform_write (mm/filemap.c:3938) [ 104.506371][ T1049] ? __pfx_generic_perform_write (mm/filemap.c:3938) [ 104.507787][ T1049] ? percpu_counter_add_batch (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:77 ./arch/x86/include/asm/irqflags.h:135 lib/percpu_counter.c:102) [ 104.509268][ T1049] ? down_write (./arch/x86/include/asm/preempt.h:103 kernel/locking/rwsem.c:1309 kernel/locking/rwsem.c:1315 kernel/locking/rwsem.c:1580) [ 104.510458][ T1049] ? __pfx_down_write (kernel/locking/rwsem.c:1577) [ 104.511700][ T1049] ext4_map_blocks (fs/ext4/inode.c:637) [ 104.512996][ T1049] ? __pfx_ext4_map_blocks (fs/ext4/inode.c:481) [ 104.514325][ T1049] ? ext4_journal_check_start (fs/ext4/ext4_jbd2.c:88) [ 104.515792][ T1049] ? __ext4_journal_start_sb (fs/ext4/ext4_jbd2.c:114) [ 104.517222][ T1049] ? ext4_convert_unwritten_extents (fs/ext4/extents.c:4840) [ 104.518882][ T1049] ext4_convert_unwritten_extents (fs/ext4/extents.c:4847) [ 104.520471][ T1049] ? __pfx_ext4_convert_unwritten_extents (fs/ext4/extents.c:4818) [ 104.522137][ T1049] ? wakeup_preempt (./arch/x86/include/asm/bitops.h:206 ./arch/x86/include/asm/bitops.h:238 ./include/asm-generic/bitops/instrumented-non-atomic.h:142 ./include/linux/thread_info.h:118 ./include/linux/sched.h:1952 ./include/linux/sched.h:1967 kernel/sched/core.c:2248) [ 104.523257][ T1049] ext4_convert_unwritten_io_end_vec (fs/ext4/extents.c:4887) [ 104.524747][ T1049] ? try_to_wake_up (./arch/x86/include/asm/preempt.h:103 ./include/linux/preempt.h:480 ./include/linux/preempt.h:480 kernel/sched/core.c:4233) [ 104.525878][ T1049] ext4_end_io_rsv_work (fs/ext4/page-io.c:187 fs/ext4/page-io.c:259 fs/ext4/page-io.c:273) [ 104.527018][ T1049] ? __pfx_ext4_end_io_rsv_work (fs/ext4/page-io.c:270) [ 104.528352][ T1049] ? kick_pool (kernel/workqueue.c:1290) [ 104.529398][ T1049] process_one_work (kernel/workqueue.c:3272) [ 104.530571][ T1049] ? kthread_data (kernel/kthread.c:77 kernel/kthread.c:244) [ 104.531647][ T1049] worker_thread (kernel/workqueue.c:3342 kernel/workqueue.c:3429) [ 104.532769][ T1049] ? __kthread_parkme (kernel/kthread.c:293) [ 104.533912][ T1049] ? __pfx_worker_thread (kernel/workqueue.c:3375) [ 104.535148][ T1049] kthread (kernel/kthread.c:388) [ 104.536104][ T1049] ? __pfx_kthread (kernel/kthread.c:341) [ 104.537159][ T1049] ret_from_fork (arch/x86/kernel/process.c:153) [ 104.538230][ T1049] ? __pfx_kthread (kernel/kthread.c:341) [ 104.539234][ T1049] ret_from_fork_asm (arch/x86/entry/entry_64.S:257) [ 104.540355][ T1049] </TASK> [ 104.541051][ T1049] [ 104.541606][ T1049] The buggy address belongs to the physical page: [ 104.543248][ T1049] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x15aec5 [ 104.545380][ T1049] flags: 0x57ff00000000000(node=1|zone=2|lastcpupid=0x7ff) [ 104.547104][ T1049] page_type: 0xffffffff() [ 104.548186][ T1049] raw: 057ff00000000000 ffffea00056bb088 ffffea00056bb1c8 0000000000000000 [ 104.550181][ T1049] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 104.552298][ T1049] page dumped because: kasan: bad access detected [ 104.553716][ T1049] page_owner tracks the page as freed [ 104.554946][ T1049] page last allocated via order 0, migratetype Movable, gfp_mask 0x141cca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_WRITE), pid 8103, tgid 8102 (4 [ 104.559217][ T1049] post_alloc_hook (./include/linux/page_owner.h:32 mm/page_alloc.c:1534) [ 104.560336][ T1049] get_page_from_freelist (mm/page_alloc.c:1543 mm/page_alloc.c:3317) [ 104.561656][ T1049] __alloc_pages (mm/page_alloc.c:4576) [ 104.562758][ T1049] alloc_pages_mpol (mm/mempolicy.c:2266) [ 104.563885][ T1049] folio_alloc (mm/mempolicy.c:2342) [ 104.564870][ T1049] filemap_alloc_folio (mm/filemap.c:984) [ 104.566055][ T1049] __filemap_get_folio (mm/filemap.c:1927) [ 104.567272][ T1049] ext4_write_begin (fs/ext4/inode.c:1161) [ 104.568419][ T1049] ext4_da_write_begin (fs/ext4/inode.c:2869) [ 104.569641][ T1049] generic_perform_write (mm/filemap.c:3976) [ 104.570938][ T1049] ext4_buffered_write_iter (./include/linux/fs.h:800 fs/ext4/file.c:302) [ 104.572260][ T1049] ext4_file_write_iter (fs/ext4/file.c:698) [ 104.573498][ T1049] vfs_write (fs/read_write.c:498 fs/read_write.c:590) [ 104.574510][ T1049] ksys_write (fs/read_write.c:644) [ 104.575533][ T1049] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) [ 104.576688][ T1049] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) [ 104.578060][ T1049] page last free pid 8131 tgid 8102 stack trace: [ 104.579478][ T1049] free_unref_page_prepare (./include/linux/page_owner.h:25 mm/page_alloc.c:1141 mm/page_alloc.c:2347) [ 104.580787][ T1049] free_unref_folios (mm/page_alloc.c:2536) [ 104.581977][ T1049] folios_put_refs (mm/swap.c:1034) [ 104.583141][ T1049] truncate_inode_pages_range (./include/linux/sched.h:1988 mm/truncate.c:363) [ 104.584525][ T1049] ext4_punch_hole (fs/ext4/ext4.h:1936 fs/ext4/inode.c:3964) [ 104.585727][ T1049] ext4_fallocate (fs/ext4/extents.c:4803) [ 104.586820][ T1049] vfs_fallocate (fs/open.c:339) [ 104.587933][ T1049] __x64_sys_fallocate (./include/linux/file.h:47 fs/open.c:354 fs/open.c:361 fs/open.c:359 fs/open.c:359) [ 104.589136][ T1049] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) [ 104.590202][ T1049] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) [ 104.591635][ T1049] [ 104.592637][ T1049] Memory state around the buggy address: [ 104.594014][ T1049] ffff88815aec5c00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 104.595931][ T1049] ffff88815aec5c80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 104.597833][ T1049] >ffff88815aec5d00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 104.599718][ T1049] ^ [ 104.600903][ T1049] ffff88815aec5d80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 104.602821][ T1049] ffff88815aec5e00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 104.604620][ T1049] ================================================================== [ 104.607028][ T8098] EXT4-fs (loop1): This should not happen!! Data will be lost [ 104.607028][ T8098] [ 104.610469][ T1048] EXT4-fs warning (device loop1): ext4_convert_unwritten_extents:4848: inode #15: block 1: len 1: ext4_ext_map_blocks returned -117 [ 104.613454][ T1048] EXT4-fs error (device loop1) in ext4_reserve_inode_write:5738: Corrupt filesystem [ 104.615714][ T1048] EXT4-fs error (device loop1): ext4_convert_unwritten_extents:4853: inode #15: comm kworker/u10:6: mark_inode_dirty error [ 104.618529][ T1048] EXT4-fs (loop1): failed to convert unwritten extents to written extents -- potential data loss! (inode 15, error -117) [ 104.623679][ T8099] EXT4-fs (loop2): Delayed block allocation failed for inode 15 at logical offset 16 with max blocks 184 with error 117 [ 104.624339][ T8132] ------------[ cut here ]------------ [ 104.626580][ T8099] EXT4-fs (loop2): This should not happen!! Data will be lost [ 104.626580][ T8099] [ 104.627413][ T8132] kernel BUG at fs/ext4/extents.c:3180! [ 104.630527][ T8132] invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI [ 104.631866][ T8132] CPU: 0 PID: 8132 Comm: a.out Not tainted 6.9.0 #7 [ 104.633183][ T8132] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 [ 104.635028][ T8132] RIP: 0010:ext4_split_extent_at (fs/ext4/extents.c:3180 (discriminator 3)) 104.636331][ T8132] Code: 48 c7 c7 80 b8 80 8a 48 8b 54 24 08 0f b7 43 08 4c 8d 04 40 49 c1 e0 04 49 01 d8 e8 ba 59 ff ff e9 e3 fc ff ff e8 90 7e 58 ff <0f> 0b e8f All code ======== 0: 48 c7 c7 80 b8 80 8a mov $0xffffffff8a80b880,%rdi 7: 48 8b 54 24 08 mov 0x8(%rsp),%rdx c: 0f b7 43 08 movzwl 0x8(%rbx),%eax 10: 4c 8d 04 40 lea (%rax,%rax,2),%r8 14: 49 c1 e0 04 shl $0x4,%r8 18: 49 01 d8 add %rbx,%r8 1b: e8 ba 59 ff ff call 0xffffffffffff59da 20: e9 e3 fc ff ff jmp 0xfffffffffffffd08 25: e8 90 7e 58 ff call 0xffffffffff587eba 2a:* 0f 0b ud2 <-- trapping instruction 2c: 8f .byte 0x8f Code starting with the faulting instruction =========================================== 0: 0f 0b ud2 2: 8f .byte 0x8f [ 104.641847][ T8132] RSP: 0018:ffffc90003f5f9b0 EFLAGS: 00010293 [ 104.643350][ T8132] RAX: 0000000000000000 RBX: 000000000000003f RCX: ffffffff822bcfe1 [ 104.645037][ T8132] RDX: ffff88801ed2c900 RSI: ffffffff822bd5c0 RDI: 0000000000000004 [ 104.646994][ T8132] RBP: ffff88801c30f630 R08: 0000000000000004 R09: 0000000000000000 [ 104.648792][ T8132] R10: 000000000000003f R11: ffff888020ebd6e8 R12: ffff88815ba75428 [ 104.650663][ T8132] R13: 0000000000000000 R14: 0000000000000000 R15: ffff88815836b988 [ 104.652253][ T8132] FS: 00007f6bdd2cb700(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000 Mes[sage f 104.653844][ T8132] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 104.655856][ T8132] CR2: 000000002003d000 CR3: 0000000016fca000 CR4: 00000000000006f0 [ 104.657513][ T8132] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 104.658902][ T8132] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 104.660242][ T8132] Call Trace: [ 104.660768][ T8132] <TASK> [ 104.661232][ T8132] ? show_regs (arch/x86/kernel/dumpstack.c:479) [ 104.661907][ T8132] ? die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434 arch/x86/kernel/dumpstack.c:447) [ 104rom .662496][ T8132] ? do_trap (arch/x86/kernel/traps.c:114 arch/x86/kernel/traps.c:155) syslogd@syzkalle[ 104.668396][ T8132] ? ext4_split_extent_at (fs/ext4/extents.c:3180 (discriminator 3)) r at May 15 [ 104.669608][ T08132] ? 2o_error_trap+0xdc/0x150 5:38 ... k[ ern104.670642][ T8132] ? ext4_split_extent_at (fs/ext4/extents.c:3180 (discriminator 3)) el:[[ 1 104.604.67182015]529[ T8132] ? ext4_split_extent_at (fs/ext4/extents.c:3180 (discriminator 3)) ][ T[ 1104804.6] EXT4-f73321][ T8132] ? handle_invalid_op (arch/x86/kernel/traps.c:214) s (l[ oop1104.67448): 5][ faiT8132] le ? ext4_split_extent_at (fs/ext4/extents.c:3180 (discriminator 3)) d to[ con 104.vert675775 un][ Tw8132] ? exc_invalid_op (arch/x86/kernel/traps.c:267) ritt[ en 104.ext67ent690s t5][ T8132] ? asm_exc_invalid_op (./arch/x86/include/asm/idtentry.h:621) o wr[ itt104en ext.678234][ entT8132] ? ext4_split_extent_at (fs/ext4/extents.c:3180 (discriminator 2)) s --[ pot 104ent.679ial d475][ T8132] ? ext4_split_extent_at (fs/ext4/extents.c:3180 (discriminator 3)) ata[ los 1s! 04.6807 (ino90][d T8132] ? ext4_split_extent_at (fs/ext4/extents.c:3180 (discriminator 3)) e 15[ 104, er.68ror 2020][-11 T81372] ? __read_extent_tree_block (fs/ext4/extents.c:590) ) [ 104.683283][ T8132] ? __pfx_ext4_split_extent_at (fs/ext4/extents.c:3158) [ 104.684482][ T8132] ? ext4_find_extent (fs/ext4/extents.c:967) [ 104.685519][ T8132] ext4_ext_remove_space (fs/ext4/extents.c:2877) [ 104.686615][ T8132] ? __pfx__raw_write_lock (kernel/locking/spinlock.c:299) [ 104.687699][ T8132] ? __pfx__ext4_get_block (fs/ext4/inode.c:755) [ 104.688773][ T8132] ? _raw_write_unlock (./arch/x86/include/asm/preempt.h:103 ./include/linux/rwlock_api_smp.h:226 kernel/locking/spinlock.c:342) [ 104.689781][ T8132] ? ext4_discard_preallocations (fs/ext4/mballoc.c:5504) [ 104.690958][ T8132] ? __pfx__raw_write_lock (kernel/locking/spinlock.c:299) [ 104.692029][ T8132] ? ext4_da_release_space (fs/ext4/inode.c:1488) [ 104.693114][ T8132] ? __pfx_ext4_ext_remove_space (fs/ext4/extents.c:2791) [ 104.694249][ T8132] ? __pfx_ext4_es_remove_extent (fs/ext4/extents_status.c:1497) [ 104.695404][ T8132] ? __pfx_down_write (kernel/locking/rwsem.c:1577) [ 104.696407][ T8132] ? __ext4_journal_start_sb (fs/ext4/ext4_jbd2.c:110) [ 104.697539][ T8132] ext4_punch_hole (fs/ext4/inode.c:3994) [ 104.698502][ T8132] ? __pfx_rwsem_wake.isra.0 (kernel/locking/rwsem.c:1203) [ 104.699566][ T8132] ext4_fallocate (fs/ext4/extents.c:4803) [ 104.700515][ T8132] ? __pfx_ext4_fallocate (fs/ext4/extents.c:4709) [ 104.701541][ T8132] ? avc_policy_seqno (security/selinux/avc.c:1205) [ 104.702502][ T8132] ? selinux_file_permission (security/selinux/hooks.c:3643) [ 104.703662][ T8132] ? __pfx_ext4_fallocate (fs/ext4/extents.c:4709) [ 104.704710][ T8132] vfs_fallocate (fs/open.c:339) [ 104.705647][ T8132] __x64_sys_fallocate (./include/linux/file.h:47 fs/open.c:354 fs/open.c:361 fs/open.c:359 fs/open.c:359) [ 104.706660][ T8132] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) [ 104.707607][ T8132] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) [ 104.708804][ T8132] RIP: 0033:0x7f6bdd40873d [ 104.709686][ T8132] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d8 All code ======== 0: 00 c3 add %al,%bl 2: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1) 9: 00 00 00 c: 90 nop d: f3 0f 1e fa endbr64 11: 48 89 f8 mov %rdi,%rax 14: 48 89 f7 mov %rsi,%rdi 17: 48 89 d6 mov %rdx,%rsi 1a: 48 89 ca mov %rcx,%rdx 1d: 4d 89 c2 mov %r8,%r10 20: 4d 89 c8 mov %r9,%r8 23: 4c 8b 4c 24 08 mov 0x8(%rsp),%r9 28: 0f 05 syscall 2a:* 48 rex.W <-- trapping instruction 2b: d8 .byte 0xd8 Code starting with the faulting instruction =========================================== 0: 48 rex.W 1: d8 .byte 0xd8 [ 104.713554][ T8132] RSP: 002b:00007f6bdd2cae98 EFLAGS: 00000207 ORIG_RAX: 000000000000011d [ 104.715201][ T8132] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f6bdd40873d [ 104.716792][ T8132] RDX: 0000000000000000 RSI: 0000000000000003 RDI: 0000000000000005 [ 104.718366][ T8132] RBP: 00007f6bdd2caec0 R08: 00007f6bdd2cb700 R09: 0000000000000000 [ 104.719961][ T8132] R10: 000000000000ffff R11: 0000000000000207 R12: 00007ffec136fe7e [ 104.721498][ T8132] R13: 00007ffec136fe7f R14: 00007ffec136ff20 R15: 00007f6bdd2cafc0 [ 104.723020][ T8132] </TASK> [ 104.723652][ T8132] Modules linked in: [ 104.728923][ T1049] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 104.730764][ T1049] Kernel Offset: disabled [ 104.731710][ T1049] Rebooting in 86400 seconds..
Attachment:
repro.c
Description: Binary data
Attachment:
.config
Description: Binary data