Hello,
syzbot found the following issue on:
HEAD commit: bf4ad6fa4e53 Linux 6.1.28
git tree: linux-6.1.y
console output:
https://syzkaller.appspot.com/x/log.txt?x=14185d56280000
kernel config:
https://syzkaller.appspot.com/x/.config?x=ee1a89a0c6a2db67
dashboard link:
https://syzkaller.appspot.com/bug?extid=fa205ddb906e0eef949c
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
syz repro:
https://syzkaller.appspot.com/x/repro.syz?x=1260926e280000
C reproducer:
https://syzkaller.appspot.com/x/repro.c?x=12a5ea6e280000
Downloadable assets:
disk image:
https://storage.googleapis.com/syzbot-assets/a7b85a636ba8/disk-bf4ad6fa.raw.xz
vmlinux:
https://storage.googleapis.com/syzbot-assets/a626aeb9d231/vmlinux-bf4ad6fa.xz
kernel image:
https://storage.googleapis.com/syzbot-assets/78fbbffb9ee8/Image-bf4ad6fa.gz.xz
mounted in repro:
https://storage.googleapis.com/syzbot-assets/19b2b772ee71/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by:
syzbot+fa205d...@syzkaller.appspotmail.com
loop0: detected capacity change from 0 to 4096
ntfs: volume version 3.1.
==================================================================
BUG: KASAN: use-after-free in sle64_to_cpup fs/ntfs/endian.h:46 [inline]
BUG: KASAN: use-after-free in ntfs_lookup_inode_by_name+0xb28/0x2824 fs/ntfs/dir.c:292
Read of size 8 at addr ffff0000e23cb55a by task syz-executor199/4218
CPU: 1 PID: 4218 Comm: syz-executor199 Not tainted 6.1.28-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
Call trace:
dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x174/0x4c0 mm/kasan/report.c:395
kasan_report+0xd4/0x130 mm/kasan/report.c:495
__asan_report_load8_noabort+0x2c/0x38 mm/kasan/report_generic.c:351
sle64_to_cpup fs/ntfs/endian.h:46 [inline]
ntfs_lookup_inode_by_name+0xb28/0x2824 fs/ntfs/dir.c:292
check_windows_hibernation_status+0xe4/0x630 fs/ntfs/super.c:1274
load_system_files+0x3494/0x4734 fs/ntfs/super.c:1989
ntfs_fill_super+0x14e0/0x2314 fs/ntfs/super.c:2892
mount_bdev+0x26c/0x368 fs/super.c:1423
ntfs_mount+0x44/0x58 fs/ntfs/super.c:3049
legacy_get_tree+0xd4/0x16c fs/fs_context.c:610
vfs_get_tree+0x90/0x274 fs/super.c:1553
do_new_mount+0x25c/0x8c8 fs/namespace.c:3040
path_mount+0x590/0xe58 fs/namespace.c:3370
do_mount fs/namespace.c:3383 [inline]
__do_sys_mount fs/namespace.c:3591 [inline]
__se_sys_mount fs/namespace.c:3568 [inline]
__arm64_sys_mount+0x45c/0x594 fs/namespace.c:3568
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581
The buggy address belongs to the physical page:
page:000000007d476225 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x1223cb
flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000000000 fffffc000388f308 fffffc000388f288 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff0000e23cb400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff0000e23cb480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff0000e23cb500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff0000e23cb580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff0000e23cb600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
ntfs: (device loop0): ntfs_lookup_inode_by_name(): Directory index record with vcn 0xffffffffffffffff is corrupt. Corrupt inode 0x5. Run chkdsk.
ntfs: (device loop0): check_windows_hibernation_status(): Failed to find inode number for hiberfil.sys.
ntfs: (device loop0): load_system_files(): Failed to determine if Windows is hibernated. Mounting read-only. Run chkdsk.
------------[ cut here ]------------
kernel BUG at fs/inode.c:611!
Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 4218 Comm: syz-executor199 Tainted: G B 6.1.28-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
pstate: 804000c5 (Nzcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : clear_inode+0x124/0x148 fs/inode.c:611
lr : clear_inode+0x124/0x148 fs/inode.c:611
sp : ffff80001db77730
x29: ffff80001db77730 x28: 1fffe0001c4a88dd x27: dfff800000000000
x26: 1fffe0001c4a88db x25: 1fffe0001c4a88a9 x24: dfff800000000000
x23: ffff80000961147c x22: dfff800000000000 x21: 0000000000000001
x20: ffff0000e2544750 x19: ffff0000e2544520 x18: 0000000000000140
x17: ffff80001558d000 x16: ffff80000831de80 x15: 0000000000000000
x14: 0000000000000000 x13: 0000000000000406 x12: ffff700003b6eecc
x11: ff80800008aa2c14 x10: 0000000000000000 x9 : ffff800008aa2c14
x8 : ffff0000c4ab3780 x7 : 0000000000000000 x6 : ffff800008aa2b24
x5 : 0000000000000000 x4 : 0000000000000001 x3 : ffff80000831dfb0
x2 : 0000000000000001 x1 : 0000000000000001 x0 : 0000000000000000
Call trace:
clear_inode+0x124/0x148 fs/inode.c:611
ntfs_evict_big_inode+0x44/0x41c fs/ntfs/inode.c:2252
evict+0x260/0x68c fs/inode.c:664
iput_final fs/inode.c:1747 [inline]
iput+0x7c0/0x8a4 fs/inode.c:1773
ntfs_put_super+0x82c/0xe28 fs/ntfs/super.c:2356
generic_shutdown_super+0x130/0x328 fs/super.c:501
kill_block_super+0x70/0xdc fs/super.c:1450
deactivate_locked_super+0xac/0x124 fs/super.c:332
deactivate_super+0xf0/0x110 fs/super.c:363
cleanup_mnt+0x394/0x41c fs/namespace.c:1186
__cleanup_mnt+0x20/0x30 fs/namespace.c:1193
task_work_run+0x240/0x2f0 kernel/task_work.c:179
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0x554/0x1a88 kernel/exit.c:869
do_group_exit+0x194/0x22c kernel/exit.c:1019
__do_sys_exit_group kernel/exit.c:1030 [inline]
__se_sys_exit_group kernel/exit.c:1028 [inline]
__wake_up_parent+0x0/0x60 kernel/exit.c:1028
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581
Code: a8c47bfd d50323bf d65f03c0 97e95fac (d4210000)
---[ end trace 0000000000000000 ]---
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to change bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup