From: Shaurya Rane <[email protected]> When mounting a corrupted bcachefs filesystem, KASAN detects a use-after-free in the error reporting path. This occurs due to a race between error reporting and key deletion during fsck.
The sequence of events: 1. extent_ptr_validate() detects an invalid extent pointer with a corrupt disk offset 2. It calls __bch2_bkey_fsck_err() to report the error 3. The fsck logic decides to delete the corrupt key 4. Meanwhile, __bch2_bkey_fsck_err() calls bch2_bkey_val_to_text() 5. This traverses the extent entries via bch2_extent_ptr_to_text() 6. sector_to_bucket_and_offset() is called with the corrupt offset 7. Memory access occurs on data being concurrently freed The crash happens in bch2_extent_ptr_to_text() when it attempts to validate bucket boundaries using already-freed extent pointer data. Replace bch2_bkey_val_to_text() with bch2_bpos_to_text() to print only the key position (inode, offset, snapshot) instead of traversing potentially corrupt or freed extent metadata. The position is part of the key header and remains safe to read even as the extent data is being freed. The specific validation error is still printed in the subsequent lines, providing sufficient context for debugging. Tested successfully locally using syzbot provided reproducer Reported-by: [email protected] Closes: https://syzkaller.appspot.com/bug?id=564efbe31172fe908429 Fixes: d97de0d017cd ("bcachefs: Make bkey_fsck_err() a wrapper around fsck_err()") Signed-off-by: Shaurya Rane <[email protected]> --- fs/bcachefs/error.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/bcachefs/error.c b/fs/bcachefs/error.c index 267e73d9d7e6..b0bf08915aa2 100644 --- a/fs/bcachefs/error.c +++ b/fs/bcachefs/error.c @@ -688,7 +688,7 @@ int __bch2_bkey_fsck_err(struct bch_fs *c, bch2_btree_id_to_text(&buf, from.btree); prt_printf(&buf, " level=%u: ", from.level); - bch2_bkey_val_to_text(&buf, c, k); + bch2_bpos_to_text(&buf, k.k->p); prt_newline(&buf); va_list args; -- 2.34.1
