Re: [syzbot] [ext4?] KASAN: use-after-free Read in ext4_find_extent (4)

From: Ojaswin Mujoo
Date: Fri Mar 28 2025 - 13:11:01 EST


On Thu, Mar 27, 2025 at 04:44:03PM -0700, syzbot wrote:
> syzbot has bisected this issue to:
>
> commit 93cdf49f6eca5e23f6546b8f28457b2e6a6961d9
> Author: Ojaswin Mujoo <ojaswin@xxxxxxxxxxxxx>
> Date: Sat Mar 25 08:13:39 2023 +0000
>
> ext4: Fix best extent lstart adjustment logic in ext4_mb_new_inode_pa()
>
> bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1566b43f980000
> start commit: 1e1ba8d23dae Merge tag 'timers-clocksource-2025-03-26' of ..
> git tree: upstream
> final oops: https://syzkaller.appspot.com/x/report.txt?x=1766b43f980000
> console output: https://syzkaller.appspot.com/x/log.txt?x=1366b43f980000
> kernel config: https://syzkaller.appspot.com/x/.config?x=2edddb53537e0320
> dashboard link: https://syzkaller.appspot.com/bug?extid=ee60e584b5c6bb229126
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1623343f980000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1123343f980000
>
> Reported-by: syzbot+ee60e584b5c6bb229126@xxxxxxxxxxxxxxxxxxxxxxxxx
> Fixes: 93cdf49f6eca ("ext4: Fix best extent lstart adjustment logic in ext4_mb_new_inode_pa()")
>
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection

Okay, so I'm able to replicate this with the patch whereas it does not
hit without it, so the bisect seems right.

In my environment, at the time UAF hits, I also see the following logs:

[ 139.893083][ T9] EXT4-fs error (device loop0): ext4_ext_split:1078: inode #15: comm kworker/u8:0: !
[ 139.894260][ T9] EXT4-fs (loop0): Delayed block allocation failed for inode 15 at logical offset 17
[ 139.894278][ T9] EXT4-fs (loop0): This should not happen!! Data will be lost
[ 139.894278][ T9]

[ 139.897505][ T1098] EXT4-fs error (device loop4): ext4_map_blocks:730: inode #15: block 131075: comm )
[ 139.897607][ T1098] EXT4-fs (loop4): Delayed block allocation failed for inode 15 at logical offset 17
[ 139.897624][ T1098] EXT4-fs (loop4): This should not happen!! Data will be lost

ext4_ext_split:1078 is

if (unlikely(path[depth].p_ext > EXT_MAX_EXTENT(path[depth].p_hdr))) {

and ext4_map_blocks:730 is a check_block_validity failure in map blocks.
I'm still trying to make sense of the logs and the UAF and will update
when I have more information.

Regards,
ojaswin