KASAN: use-after-free Read in check_extent

Title	Replies (including bot)	Last reply
[syzbot] [bcachefs?] KASAN: use-after-free Read in check_extent_overbig	0 (3)	2025/04/27 06:48

Title

Replies (including bot)

Last reply

[syzbot] [bcachefs?] KASAN: use-after-free Read in check_extent_overbig

0 (3)

2025/04/27 06:48


Created	Duration	User	Repo	Result
2025/05/22 05:52	14m	retest repro	upstream	report log
2025/03/08 01:55	14m	retest repro	upstream	report log
2025/03/08 01:55	14m	retest repro	upstream	report log
2024/12/24 02:14	41m	retest repro	upstream	report log
2024/12/24 02:14	13m	retest repro	upstream	report log

, fixing ================================================================== BUG: KASAN: use-after-free in __extent_entry_type fs/bcachefs/extents.h:53 [inline] BUG: KASAN: use-after-free in extent_entry_is_crc fs/bcachefs/extents.h:120 [inline] BUG: KASAN: use-after-free in check_extent_overbig+0x273/0x7b0 fs/bcachefs/fsck.c:1847 Read of size 8 at addr ffff88806bd02050 by task syz-executor167/5827 CPU: 1 UID: 0 PID: 5827 Comm: syz-executor167 Not tainted 6.16.0-rc4-syzkaller-00013-g66701750d556 #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Call Trace: <TASK> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xd2/0x2b0 mm/kasan/report.c:521 kasan_report+0x118/0x150 mm/kasan/report.c:634 __extent_entry_type fs/bcachefs/extents.h:53 [inline] extent_entry_is_crc fs/bcachefs/extents.h:120 [inline] check_extent_overbig+0x273/0x7b0 fs/bcachefs/fsck.c:1847 bch2_check_extents+0x5b0/0x4520 fs/bcachefs/fsck.c:2002 bch2_run_recovery_pass fs/bcachefs/recovery_passes.c:484 [inline] __bch2_run_recovery_passes+0x395/0x1010 fs/bcachefs/recovery_passes.c:539 bch2_run_recovery_passes+0x184/0x210 fs/bcachefs/recovery_passes.c:610 bch2_fs_recovery+0x2690/0x3a50 fs/bcachefs/recovery.c:1005 bch2_fs_start+0xa99/0xd90 fs/bcachefs/super.c:1212 bch2_fs_get_tree+0xafc/0x14f0 fs/bcachefs/fs.c:2490 vfs_get_tree+0x8f/0x2b0 fs/super.c:1804 do_new_mount+0x24a/0xa40 fs/namespace.c:3902 do_mount fs/namespace.c:4239 [inline] __do_sys_mount fs/namespace.c:4450 [inline] __se_sys_mount+0x317/0x410 fs/namespace.c:4427 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f4673b5851a Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffc34e64088 EFLAGS: 00000282 ORIG_RAX: 00000000000000a5 RAX: ffffffffffffffda RBX: 00007ffc34e640a0 RCX: 00007f4673b5851a RDX: 0000200000000000 RSI: 0000200000000200 RDI: 00007ffc34e640a0 RBP: 0000200000000200 R08: 00007ffc34e640e0 R09: 00000000000059cd R10: 00000000028000c9 R11: 0000000000000282 R12: 0000200000000000 R13: 0000000000000004 R14: 0000000000000003 R15: 00007ffc34e640e0 </TASK> The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x6bd02 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 0000000000000000 ffffea0001af4090 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 5, migratetype Unmovable, gfp_mask 0x42800(GFP_NOWAIT|__GFP_COMP), pid 25, tgid 25 (kworker/1:0H), ts 77587477268, free_ts 84496733498 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1704 prep_new_page mm/page_alloc.c:1712 [inline] get_page_from_freelist+0x21d5/0x22b0 mm/page_alloc.c:3669 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:4959 __alloc_pages_noprof+0xa/0x30 mm/page_alloc.c:4993 __alloc_pages_node_noprof include/linux/gfp.h:284 [inline] alloc_pages_node_noprof include/linux/gfp.h:311 [inline] ___kmalloc_large_node+0x85/0x210 mm/slub.c:4272 __kmalloc_large_node_noprof+0x18/0x90 mm/slub.c:4300 __do_kmalloc_node mm/slub.c:4316 [inline] __kvmalloc_node_noprof+0x6d/0x5f0 mm/slub.c:5015 btree_bounce_alloc fs/bcachefs/btree_io.c:127 [inline] bch2_btree_node_read_done+0x33c4/0x5700 fs/bcachefs/btree_io.c:1280 btree_node_read_work+0x426/0xe30 fs/bcachefs/btree_io.c:1415 process_one_work kernel/workqueue.c:3238 [inline] process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402 kthread+0x711/0x8a0 kernel/kthread.c:464 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 page last free pid 5827 tgid 5827 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1248 [inline] __free_pages_ok+0xa3b/0xc10 mm/page_alloc.c:1424 __folio_put+0x21b/0x2c0 mm/swap.c:112 folio_put include/linux/mm.h:1356 [inline] free_large_kmalloc+0x145/0x200 mm/slub.c:4768 btree_bounce_free fs/bcachefs/btree_io.c:115 [inline] btree_node_sort+0x117f/0x1760 fs/bcachefs/btree_io.c:383 bch2_btree_post_write_cleanup+0x11f/0xad0 fs/bcachefs/btree_io.c:2582 bch2_btree_node_prep_for_write+0x337/0x650 fs/bcachefs/btree_trans_commit.c:95 bch2_trans_lock_write+0x669/0xba0 fs/bcachefs/btree_trans_commit.c:131 do_bch2_trans_commit fs/bcachefs/btree_trans_commit.c:850 [inline] __bch2_trans_commit+0x2773/0x8870 fs/bcachefs/btree_trans_commit.c:1085 bch2_trans_commit fs/bcachefs/btree_update.h:241 [inline] check_extent fs/bcachefs/fsck.c:1958 [inline] bch2_check_extents+0x2b24/0x4520 fs/bcachefs/fsck.c:2002 bch2_run_recovery_pass fs/bcachefs/recovery_passes.c:484 [inline] __bch2_run_recovery_passes+0x395/0x1010 fs/bcachefs/recovery_passes.c:539 bch2_run_recovery_passes+0x184/0x210 fs/bcachefs/recovery_passes.c:610 bch2_fs_recovery+0x2690/0x3a50 fs/bcachefs/recovery.c:1005 bch2_fs_start+0xa99/0xd90 fs/bcachefs/super.c:1212 bch2_fs_get_tree+0xafc/0x14f0 fs/bcachefs/fs.c:2490 vfs_get_tree+0x8f/0x2b0 fs/super.c:1804 do_new_mount+0x24a/0xa40 fs/namespace.c:3902 Memory state around the buggy address: ffff88806bd01f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff88806bd01f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff88806bd02000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ^ ffff88806bd02080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff88806bd02100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ==================================================================

Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Assets (help?)	Manager	Title
2025/07/01 16:28	upstream	66701750d556	091a06cd	.config	strace log	report	syz / log	C		[disk image] [vmlinux] [kernel image] [mounted in repro]	ci2-upstream-fs	KASAN: use-after-free Read in check_extent_overbig
2024/12/05 15:47	upstream	feffde684ac2	29f61fce	.config	console log	report	syz / log			[disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] [mounted in repro #3]	ci2-upstream-fs	KASAN: use-after-free Read in check_extent_overbig
2025/03/24 20:37	upstream	38fec10eb60d	875573af	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-kasan-gce-root	KASAN: use-after-free Read in check_extent_overbig
2025/02/21 20:35	upstream	8a61cb6e150e	d34966d1	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci2-upstream-fs	KASAN: use-after-free Read in check_extent_overbig
2025/02/04 17:14	upstream	0de63bb7d919	8f267cef	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci2-upstream-fs	KASAN: use-after-free Read in check_extent_overbig
2025/02/04 17:14	upstream	0de63bb7d919	8f267cef	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci2-upstream-fs	KASAN: use-after-free Read in check_extent_overbig
2025/01/14 05:03	upstream	c45323b7560e	b1f1cd88	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci2-upstream-fs	KASAN: use-after-free Read in check_extent_overbig
2024/12/07 15:23	upstream	b5f217084ab3	9ac0fdc6	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci2-upstream-fs	KASAN: use-after-free Read in check_extent_overbig
2024/12/05 17:46	upstream	feffde684ac2	29f61fce	.config	console log	report	syz / log	C		[disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] [mounted in repro #3]	ci2-upstream-fs	KASAN: use-after-free Read in check_extent_overbig
2024/12/05 14:26	upstream	feffde684ac2	29f61fce	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci2-upstream-fs	KASAN: use-after-free Read in check_extent_overbig
2025/07/03 06:46	upstream	b4911fb0b060	115ceea7	.config	console log	report				[disk image (non-bootable)] [vmlinux] [kernel image]	ci-snapshot-upstream-root	KASAN: use-after-free Read in check_extent_overbig
2025/01/22 10:21	upstream	c4b9570cfb63	da72ac06	.config	console log	report				[disk image (non-bootable)] [vmlinux] [kernel image]	ci-snapshot-upstream-root	KASAN: use-after-free Read in check_extent_overbig
2024/12/09 15:50	linux-next	af2ea8ab7a54	9ac0fdc6	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-linux-next-kasan-gce-root	KASAN: use-after-free Read in check_extent_overbig