[v5.15] KASAN: use-after-free Read in ntfs_lookup_inode_by_name
1 view
Skip to first unread message
syzbot
Apr 11, 2023, 11:50:42 PM4/11/23
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: d86dfc4d95cd Linux 5.15.106
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=162c8bf7c80000
kernel config: https://syzkaller.appspot.com/x/.config?x=639d55ab480652c5
dashboard link: https://syzkaller.appspot.com/bug?extid=189e02963bc7402eecce
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/b2a94107dd69/disk-d86dfc4d.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/398f8d288cb9/vmlinux-d86dfc4d.xz
kernel image: https://storage.googleapis.com/syzbot-assets/9b790c7e7c8c/Image-d86dfc4d.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+189e02...@syzkaller.appspotmail.com
ntfs: volume version 1.0.
==================================================================
BUG: KASAN: use-after-free in sle64_to_cpup fs/ntfs/endian.h:46 [inline]
BUG: KASAN: use-after-free in ntfs_lookup_inode_by_name+0xb90/0x2694 fs/ntfs/dir.c:292
Read of size 8 at addr ffff00013de6055a by task syz-executor.2/24320
CPU: 1 PID: 24320 Comm: syz-executor.2 Not tainted 5.15.106-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call trace:
dump_backtrace+0x0/0x530 arch/arm64/kernel/stacktrace.c:152
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
print_address_description+0x7c/0x3f0 mm/kasan/report.c:248
__kasan_report mm/kasan/report.c:434 [inline]
kasan_report+0x174/0x1e4 mm/kasan/report.c:451
__asan_report_load8_noabort+0x44/0x50 mm/kasan/report_generic.c:309
sle64_to_cpup fs/ntfs/endian.h:46 [inline]
ntfs_lookup_inode_by_name+0xb90/0x2694 fs/ntfs/dir.c:292
check_windows_hibernation_status+0xe8/0x5e4 fs/ntfs/super.c:1274
load_system_files+0x31ec/0x4228 fs/ntfs/super.c:1989
ntfs_fill_super+0x1670/0x24e8 fs/ntfs/super.c:2894
mount_bdev+0x26c/0x368 fs/super.c:1378
ntfs_mount+0x44/0x58 fs/ntfs/super.c:3051
legacy_get_tree+0xd4/0x16c fs/fs_context.c:610
vfs_get_tree+0x90/0x274 fs/super.c:1508
do_new_mount+0x25c/0x8c8 fs/namespace.c:2994
path_mount+0x590/0x104c fs/namespace.c:3324
do_mount fs/namespace.c:3337 [inline]
__do_sys_mount fs/namespace.c:3545 [inline]
__se_sys_mount fs/namespace.c:3522 [inline]
__arm64_sys_mount+0x510/0x5e0 fs/namespace.c:3522
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:596
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:614
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
The buggy address belongs to the page:
page:00000000b7de2c3c refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x17de60
flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000000000 fffffc0004fd3108 fffffc0004f8e088 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff00013de60400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff00013de60480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff00013de60500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff00013de60580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff00013de60600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot found the following issue on:
HEAD commit: d86dfc4d95cd Linux 5.15.106
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=162c8bf7c80000
kernel config: https://syzkaller.appspot.com/x/.config?x=639d55ab480652c5
dashboard link: https://syzkaller.appspot.com/bug?extid=189e02963bc7402eecce
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/b2a94107dd69/disk-d86dfc4d.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/398f8d288cb9/vmlinux-d86dfc4d.xz
kernel image: https://storage.googleapis.com/syzbot-assets/9b790c7e7c8c/Image-d86dfc4d.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+189e02...@syzkaller.appspotmail.com
ntfs: volume version 1.0.
==================================================================
BUG: KASAN: use-after-free in sle64_to_cpup fs/ntfs/endian.h:46 [inline]
BUG: KASAN: use-after-free in ntfs_lookup_inode_by_name+0xb90/0x2694 fs/ntfs/dir.c:292
Read of size 8 at addr ffff00013de6055a by task syz-executor.2/24320
CPU: 1 PID: 24320 Comm: syz-executor.2 Not tainted 5.15.106-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call trace:
dump_backtrace+0x0/0x530 arch/arm64/kernel/stacktrace.c:152
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
print_address_description+0x7c/0x3f0 mm/kasan/report.c:248
__kasan_report mm/kasan/report.c:434 [inline]
kasan_report+0x174/0x1e4 mm/kasan/report.c:451
__asan_report_load8_noabort+0x44/0x50 mm/kasan/report_generic.c:309
sle64_to_cpup fs/ntfs/endian.h:46 [inline]
ntfs_lookup_inode_by_name+0xb90/0x2694 fs/ntfs/dir.c:292
check_windows_hibernation_status+0xe8/0x5e4 fs/ntfs/super.c:1274
load_system_files+0x31ec/0x4228 fs/ntfs/super.c:1989
ntfs_fill_super+0x1670/0x24e8 fs/ntfs/super.c:2894
mount_bdev+0x26c/0x368 fs/super.c:1378
ntfs_mount+0x44/0x58 fs/ntfs/super.c:3051
legacy_get_tree+0xd4/0x16c fs/fs_context.c:610
vfs_get_tree+0x90/0x274 fs/super.c:1508
do_new_mount+0x25c/0x8c8 fs/namespace.c:2994
path_mount+0x590/0x104c fs/namespace.c:3324
do_mount fs/namespace.c:3337 [inline]
__do_sys_mount fs/namespace.c:3545 [inline]
__se_sys_mount fs/namespace.c:3522 [inline]
__arm64_sys_mount+0x510/0x5e0 fs/namespace.c:3522
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:596
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:614
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
The buggy address belongs to the page:
page:00000000b7de2c3c refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x17de60
flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000000000 fffffc0004fd3108 fffffc0004f8e088 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff00013de60400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff00013de60480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff00013de60500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff00013de60580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff00013de60600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot
May 12, 2023, 8:58:41 PM5/12/23
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:
HEAD commit: b0ece631f84a Linux 5.15.111
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=160ad162280000
kernel config: https://syzkaller.appspot.com/x/.config?x=db3750b003ff805e
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10d4f806280000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/eded75b6c3f9/disk-b0ece631.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/20e5ae802010/vmlinux-b0ece631.xz
kernel image: https://storage.googleapis.com/syzbot-assets/05d665c869f3/Image-b0ece631.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/7eb50f6974da/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+189e02...@syzkaller.appspotmail.com
loop0: detected capacity change from 0 to 4096
ntfs: volume version 3.1.
CPU: 0 PID: 3964 Comm: syz-executor183 Not tainted 5.15.111-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
page:00000000a2ced912 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x11d318
flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000000000 fffffc000374c648 fffffc000374c5c8 0000000000000000
ffff0000dd318480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff0000dd318500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff0000dd318580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff0000dd318600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
HEAD commit: b0ece631f84a Linux 5.15.111
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=160ad162280000
kernel config: https://syzkaller.appspot.com/x/.config?x=db3750b003ff805e
dashboard link: https://syzkaller.appspot.com/bug?extid=189e02963bc7402eecce
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10e6431a280000
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10d4f806280000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/eded75b6c3f9/disk-b0ece631.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/20e5ae802010/vmlinux-b0ece631.xz
kernel image: https://storage.googleapis.com/syzbot-assets/05d665c869f3/Image-b0ece631.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/7eb50f6974da/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+189e02...@syzkaller.appspotmail.com
ntfs: volume version 3.1.
==================================================================
BUG: KASAN: use-after-free in sle64_to_cpup fs/ntfs/endian.h:46 [inline]
BUG: KASAN: use-after-free in ntfs_lookup_inode_by_name+0xb90/0x2694 fs/ntfs/dir.c:292
Read of size 8 at addr ffff0000dd31855a by task syz-executor183/3964
BUG: KASAN: use-after-free in sle64_to_cpup fs/ntfs/endian.h:46 [inline]
BUG: KASAN: use-after-free in ntfs_lookup_inode_by_name+0xb90/0x2694 fs/ntfs/dir.c:292
CPU: 0 PID: 3964 Comm: syz-executor183 Not tainted 5.15.111-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000000000 fffffc000374c648 fffffc000374c5c8 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff0000dd318400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff0000dd318480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff0000dd318500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff0000dd318580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff0000dd318600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
syzbot
May 13, 2023, 11:12:43 PM5/13/23
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: bf4ad6fa4e53 Linux 6.1.28
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=14185d56280000
kernel config: https://syzkaller.appspot.com/x/.config?x=ee1a89a0c6a2db67
dashboard link: https://syzkaller.appspot.com/bug?extid=fa205ddb906e0eef949c
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12a5ea6e280000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/a7b85a636ba8/disk-bf4ad6fa.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/a626aeb9d231/vmlinux-bf4ad6fa.xz
kernel image: https://storage.googleapis.com/syzbot-assets/78fbbffb9ee8/Image-bf4ad6fa.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/19b2b772ee71/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+fa205d...@syzkaller.appspotmail.com
loop0: detected capacity change from 0 to 4096
ntfs: volume version 3.1.
==================================================================
BUG: KASAN: use-after-free in sle64_to_cpup fs/ntfs/endian.h:46 [inline]
BUG: KASAN: use-after-free in ntfs_lookup_inode_by_name+0xb28/0x2824 fs/ntfs/dir.c:292
Read of size 8 at addr ffff0000e23cb55a by task syz-executor199/4218
CPU: 1 PID: 4218 Comm: syz-executor199 Not tainted 6.1.28-syzkaller #0
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
print_report+0x174/0x4c0 mm/kasan/report.c:395
kasan_report+0xd4/0x130 mm/kasan/report.c:495
__asan_report_load8_noabort+0x2c/0x38 mm/kasan/report_generic.c:351
sle64_to_cpup fs/ntfs/endian.h:46 [inline]
ntfs_lookup_inode_by_name+0xb28/0x2824 fs/ntfs/dir.c:292
check_windows_hibernation_status+0xe4/0x630 fs/ntfs/super.c:1274
load_system_files+0x3494/0x4734 fs/ntfs/super.c:1989
ntfs_fill_super+0x14e0/0x2314 fs/ntfs/super.c:2892
mount_bdev+0x26c/0x368 fs/super.c:1423
ntfs_mount+0x44/0x58 fs/ntfs/super.c:3049
legacy_get_tree+0xd4/0x16c fs/fs_context.c:610
vfs_get_tree+0x90/0x274 fs/super.c:1553
do_new_mount+0x25c/0x8c8 fs/namespace.c:3040
path_mount+0x590/0xe58 fs/namespace.c:3370
do_mount fs/namespace.c:3383 [inline]
__do_sys_mount fs/namespace.c:3591 [inline]
__se_sys_mount fs/namespace.c:3568 [inline]
__arm64_sys_mount+0x45c/0x594 fs/namespace.c:3568
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581
The buggy address belongs to the physical page:
page:000000007d476225 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x1223cb
flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000000000 fffffc000388f308 fffffc000388f288 0000000000000000
ffff0000e23cb480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff0000e23cb500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff0000e23cb580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff0000e23cb600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
ntfs: (device loop0): ntfs_lookup_inode_by_name(): Directory index record with vcn 0xffffffffffffffff is corrupt. Corrupt inode 0x5. Run chkdsk.
ntfs: (device loop0): check_windows_hibernation_status(): Failed to find inode number for hiberfil.sys.
ntfs: (device loop0): load_system_files(): Failed to determine if Windows is hibernated. Mounting read-only. Run chkdsk.
------------[ cut here ]------------
kernel BUG at fs/inode.c:611!
Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 4218 Comm: syz-executor199 Tainted: G B 6.1.28-syzkaller #0
pc : clear_inode+0x124/0x148 fs/inode.c:611
lr : clear_inode+0x124/0x148 fs/inode.c:611
sp : ffff80001db77730
x29: ffff80001db77730 x28: 1fffe0001c4a88dd x27: dfff800000000000
x26: 1fffe0001c4a88db x25: 1fffe0001c4a88a9 x24: dfff800000000000
x23: ffff80000961147c x22: dfff800000000000 x21: 0000000000000001
x20: ffff0000e2544750 x19: ffff0000e2544520 x18: 0000000000000140
x17: ffff80001558d000 x16: ffff80000831de80 x15: 0000000000000000
x14: 0000000000000000 x13: 0000000000000406 x12: ffff700003b6eecc
x11: ff80800008aa2c14 x10: 0000000000000000 x9 : ffff800008aa2c14
x8 : ffff0000c4ab3780 x7 : 0000000000000000 x6 : ffff800008aa2b24
x5 : 0000000000000000 x4 : 0000000000000001 x3 : ffff80000831dfb0
x2 : 0000000000000001 x1 : 0000000000000001 x0 : 0000000000000000
Call trace:
clear_inode+0x124/0x148 fs/inode.c:611
ntfs_evict_big_inode+0x44/0x41c fs/ntfs/inode.c:2252
evict+0x260/0x68c fs/inode.c:664
iput_final fs/inode.c:1747 [inline]
iput+0x7c0/0x8a4 fs/inode.c:1773
ntfs_put_super+0x82c/0xe28 fs/ntfs/super.c:2356
generic_shutdown_super+0x130/0x328 fs/super.c:501
kill_block_super+0x70/0xdc fs/super.c:1450
deactivate_locked_super+0xac/0x124 fs/super.c:332
deactivate_super+0xf0/0x110 fs/super.c:363
cleanup_mnt+0x394/0x41c fs/namespace.c:1186
__cleanup_mnt+0x20/0x30 fs/namespace.c:1193
task_work_run+0x240/0x2f0 kernel/task_work.c:179
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0x554/0x1a88 kernel/exit.c:869
do_group_exit+0x194/0x22c kernel/exit.c:1019
__do_sys_exit_group kernel/exit.c:1030 [inline]
__se_sys_exit_group kernel/exit.c:1028 [inline]
__wake_up_parent+0x0/0x60 kernel/exit.c:1028
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581
Code: a8c47bfd d50323bf d65f03c0 97e95fac (d4210000)
---[ end trace 0000000000000000 ]---
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to change bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: bf4ad6fa4e53 Linux 6.1.28
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=14185d56280000
kernel config: https://syzkaller.appspot.com/x/.config?x=ee1a89a0c6a2db67
dashboard link: https://syzkaller.appspot.com/bug?extid=fa205ddb906e0eef949c
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1260926e280000
userspace arch: arm64
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12a5ea6e280000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/a7b85a636ba8/disk-bf4ad6fa.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/a626aeb9d231/vmlinux-bf4ad6fa.xz
kernel image: https://storage.googleapis.com/syzbot-assets/78fbbffb9ee8/Image-bf4ad6fa.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/19b2b772ee71/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
loop0: detected capacity change from 0 to 4096
ntfs: volume version 3.1.
==================================================================
BUG: KASAN: use-after-free in sle64_to_cpup fs/ntfs/endian.h:46 [inline]
Read of size 8 at addr ffff0000e23cb55a by task syz-executor199/4218
CPU: 1 PID: 4218 Comm: syz-executor199 Not tainted 6.1.28-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
Call trace:
dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
Call trace:
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
print_report+0x174/0x4c0 mm/kasan/report.c:395
kasan_report+0xd4/0x130 mm/kasan/report.c:495
__asan_report_load8_noabort+0x2c/0x38 mm/kasan/report_generic.c:351
sle64_to_cpup fs/ntfs/endian.h:46 [inline]
ntfs_lookup_inode_by_name+0xb28/0x2824 fs/ntfs/dir.c:292
check_windows_hibernation_status+0xe4/0x630 fs/ntfs/super.c:1274
load_system_files+0x3494/0x4734 fs/ntfs/super.c:1989
ntfs_fill_super+0x14e0/0x2314 fs/ntfs/super.c:2892
mount_bdev+0x26c/0x368 fs/super.c:1423
ntfs_mount+0x44/0x58 fs/ntfs/super.c:3049
legacy_get_tree+0xd4/0x16c fs/fs_context.c:610
vfs_get_tree+0x90/0x274 fs/super.c:1553
do_new_mount+0x25c/0x8c8 fs/namespace.c:3040
path_mount+0x590/0xe58 fs/namespace.c:3370
do_mount fs/namespace.c:3383 [inline]
__do_sys_mount fs/namespace.c:3591 [inline]
__se_sys_mount fs/namespace.c:3568 [inline]
__arm64_sys_mount+0x45c/0x594 fs/namespace.c:3568
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581
The buggy address belongs to the physical page:
page:000000007d476225 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x1223cb
flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000000000 fffffc000388f308 fffffc000388f288 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff0000e23cb400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff0000e23cb480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff0000e23cb500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff0000e23cb580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff0000e23cb600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
ntfs: (device loop0): ntfs_lookup_inode_by_name(): Directory index record with vcn 0xffffffffffffffff is corrupt. Corrupt inode 0x5. Run chkdsk.
ntfs: (device loop0): check_windows_hibernation_status(): Failed to find inode number for hiberfil.sys.
ntfs: (device loop0): load_system_files(): Failed to determine if Windows is hibernated. Mounting read-only. Run chkdsk.
------------[ cut here ]------------
kernel BUG at fs/inode.c:611!
Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 4218 Comm: syz-executor199 Tainted: G B 6.1.28-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
pstate: 804000c5 (Nzcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : clear_inode+0x124/0x148 fs/inode.c:611
lr : clear_inode+0x124/0x148 fs/inode.c:611
sp : ffff80001db77730
x29: ffff80001db77730 x28: 1fffe0001c4a88dd x27: dfff800000000000
x26: 1fffe0001c4a88db x25: 1fffe0001c4a88a9 x24: dfff800000000000
x23: ffff80000961147c x22: dfff800000000000 x21: 0000000000000001
x20: ffff0000e2544750 x19: ffff0000e2544520 x18: 0000000000000140
x17: ffff80001558d000 x16: ffff80000831de80 x15: 0000000000000000
x14: 0000000000000000 x13: 0000000000000406 x12: ffff700003b6eecc
x11: ff80800008aa2c14 x10: 0000000000000000 x9 : ffff800008aa2c14
x8 : ffff0000c4ab3780 x7 : 0000000000000000 x6 : ffff800008aa2b24
x5 : 0000000000000000 x4 : 0000000000000001 x3 : ffff80000831dfb0
x2 : 0000000000000001 x1 : 0000000000000001 x0 : 0000000000000000
Call trace:
clear_inode+0x124/0x148 fs/inode.c:611
ntfs_evict_big_inode+0x44/0x41c fs/ntfs/inode.c:2252
evict+0x260/0x68c fs/inode.c:664
iput_final fs/inode.c:1747 [inline]
iput+0x7c0/0x8a4 fs/inode.c:1773
ntfs_put_super+0x82c/0xe28 fs/ntfs/super.c:2356
generic_shutdown_super+0x130/0x328 fs/super.c:501
kill_block_super+0x70/0xdc fs/super.c:1450
deactivate_locked_super+0xac/0x124 fs/super.c:332
deactivate_super+0xf0/0x110 fs/super.c:363
cleanup_mnt+0x394/0x41c fs/namespace.c:1186
__cleanup_mnt+0x20/0x30 fs/namespace.c:1193
task_work_run+0x240/0x2f0 kernel/task_work.c:179
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0x554/0x1a88 kernel/exit.c:869
do_group_exit+0x194/0x22c kernel/exit.c:1019
__do_sys_exit_group kernel/exit.c:1030 [inline]
__se_sys_exit_group kernel/exit.c:1028 [inline]
__wake_up_parent+0x0/0x60 kernel/exit.c:1028
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581
Code: a8c47bfd d50323bf d65f03c0 97e95fac (d4210000)
---[ end trace 0000000000000000 ]---
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Reply all
Reply to author
Forward
0 new messages