[v6.1] KASAN: stack-out-of-bounds Write in truncate_inode_pages_range
0 views
Skip to first unread message
syzbot
Jun 26, 2023, 8:33:58 AM6/26/23
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: e84a4e368abe Linux 6.1.35
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1708cbb0a80000
kernel config: https://syzkaller.appspot.com/x/.config?x=f77b603a569f81a7
dashboard link: https://syzkaller.appspot.com/bug?extid=671f219287c3550c8c5e
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17333b57280000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11c64557280000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/30886a06f234/disk-e84a4e36.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/84ab10f3c74b/vmlinux-e84a4e36.xz
kernel image: https://storage.googleapis.com/syzbot-assets/ea73248cc405/Image-e84a4e36.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/37bb1d1d063e/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+671f21...@syzkaller.appspotmail.com
ntfs3: loop0: Different NTFS' sector size (1024) and media sector size (512)
==================================================================
BUG: KASAN: stack-out-of-bounds in truncate_inode_pages_range+0xb4/0xf10 mm/truncate.c:335
Write of size 128 at addr ffff800023177520 by task syz-executor290/21125
CPU: 1 PID: 21125 Comm: syz-executor290 Not tainted 6.1.35-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
Call trace:
dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x174/0x4c0 mm/kasan/report.c:395
kasan_report+0xd4/0x130 mm/kasan/report.c:495
kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:189
memset+0x40/0x70 mm/kasan/shadow.c:44
truncate_inode_pages_range+0xb4/0xf10 mm/truncate.c:335
truncate_inode_pages mm/truncate.c:452 [inline]
truncate_inode_pages_final+0x90/0xc0 mm/truncate.c:487
ntfs_evict_inode+0x24/0xc8 fs/ntfs3/inode.c:1760
evict+0x260/0x68c fs/inode.c:664
iput_final fs/inode.c:1747 [inline]
iput+0x7c0/0x8a4 fs/inode.c:1773
ntfs_fill_super+0x32d8/0x3a04 fs/ntfs3/super.c:1190
get_tree_bdev+0x360/0x54c fs/super.c:1346
ntfs_fs_get_tree+0x28/0x38 fs/ntfs3/super.c:1359
vfs_get_tree+0x90/0x274 fs/super.c:1553
do_new_mount+0x25c/0x8c4 fs/namespace.c:3040
path_mount+0x590/0xe58 fs/namespace.c:3370
do_mount fs/namespace.c:3383 [inline]
__do_sys_mount fs/namespace.c:3591 [inline]
__se_sys_mount fs/namespace.c:3568 [inline]
__arm64_sys_mount+0x45c/0x594 fs/namespace.c:3568
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581
The buggy address belongs to stack of task syz-executor290/21125
and is located at offset 32 in frame:
folio_flags include/linux/page-flags.h:319 [inline]
folio_test_head include/linux/page-flags.h:788 [inline]
folio_test_large include/linux/page-flags.h:809 [inline]
folio_nr_pages include/linux/mm.h:1670 [inline]
truncate_inode_pages_range+0x0/0xf10 mm/truncate.c:277
This frame has 2 objects:
[32, 160) 'fbatch'
[192, 312) 'indices'
The buggy address belongs to the virtual mapping at
[ffff800023170000, ffff800023179000) created by:
copy_process+0x530/0x38d0 kernel/fork.c:2090
The buggy address belongs to the physical page:
page:000000007eeb5a98 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10360e
flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000000000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff800023177400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff800023177480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff800023177500: f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 f3
^
ffff800023177580: 00 00 00 00 f2 f2 f2 f2 00 00 00 00 00 00 00 00
ffff800023177600: 00 00 00 00 00 00 00 f3 f3 f3 f3 f3 00 00 00 00
==================================================================
ntfs3: loop0: Mark volume as dirty due to NTFS errors
ntfs3: loop0: ino=0, ntfs_iget5
ntfs3: loop0: MFT: r=0, expect seq=5 instead of 1!
ntfs3: loop0: ino=1f, "file2" failed to open parent directory r=0 to update
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to change bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: e84a4e368abe Linux 6.1.35
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1708cbb0a80000
kernel config: https://syzkaller.appspot.com/x/.config?x=f77b603a569f81a7
dashboard link: https://syzkaller.appspot.com/bug?extid=671f219287c3550c8c5e
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17333b57280000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11c64557280000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/30886a06f234/disk-e84a4e36.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/84ab10f3c74b/vmlinux-e84a4e36.xz
kernel image: https://storage.googleapis.com/syzbot-assets/ea73248cc405/Image-e84a4e36.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/37bb1d1d063e/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+671f21...@syzkaller.appspotmail.com
ntfs3: loop0: Different NTFS' sector size (1024) and media sector size (512)
==================================================================
BUG: KASAN: stack-out-of-bounds in truncate_inode_pages_range+0xb4/0xf10 mm/truncate.c:335
Write of size 128 at addr ffff800023177520 by task syz-executor290/21125
CPU: 1 PID: 21125 Comm: syz-executor290 Not tainted 6.1.35-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
Call trace:
dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x174/0x4c0 mm/kasan/report.c:395
kasan_report+0xd4/0x130 mm/kasan/report.c:495
kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:189
memset+0x40/0x70 mm/kasan/shadow.c:44
truncate_inode_pages_range+0xb4/0xf10 mm/truncate.c:335
truncate_inode_pages mm/truncate.c:452 [inline]
truncate_inode_pages_final+0x90/0xc0 mm/truncate.c:487
ntfs_evict_inode+0x24/0xc8 fs/ntfs3/inode.c:1760
evict+0x260/0x68c fs/inode.c:664
iput_final fs/inode.c:1747 [inline]
iput+0x7c0/0x8a4 fs/inode.c:1773
ntfs_fill_super+0x32d8/0x3a04 fs/ntfs3/super.c:1190
get_tree_bdev+0x360/0x54c fs/super.c:1346
ntfs_fs_get_tree+0x28/0x38 fs/ntfs3/super.c:1359
vfs_get_tree+0x90/0x274 fs/super.c:1553
do_new_mount+0x25c/0x8c4 fs/namespace.c:3040
path_mount+0x590/0xe58 fs/namespace.c:3370
do_mount fs/namespace.c:3383 [inline]
__do_sys_mount fs/namespace.c:3591 [inline]
__se_sys_mount fs/namespace.c:3568 [inline]
__arm64_sys_mount+0x45c/0x594 fs/namespace.c:3568
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581
The buggy address belongs to stack of task syz-executor290/21125
and is located at offset 32 in frame:
folio_flags include/linux/page-flags.h:319 [inline]
folio_test_head include/linux/page-flags.h:788 [inline]
folio_test_large include/linux/page-flags.h:809 [inline]
folio_nr_pages include/linux/mm.h:1670 [inline]
truncate_inode_pages_range+0x0/0xf10 mm/truncate.c:277
This frame has 2 objects:
[32, 160) 'fbatch'
[192, 312) 'indices'
The buggy address belongs to the virtual mapping at
[ffff800023170000, ffff800023179000) created by:
copy_process+0x530/0x38d0 kernel/fork.c:2090
The buggy address belongs to the physical page:
page:000000007eeb5a98 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10360e
flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000000000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff800023177400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff800023177480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff800023177500: f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 f3
^
ffff800023177580: 00 00 00 00 f2 f2 f2 f2 00 00 00 00 00 00 00 00
ffff800023177600: 00 00 00 00 00 00 00 f3 f3 f3 f3 f3 00 00 00 00
==================================================================
ntfs3: loop0: Mark volume as dirty due to NTFS errors
ntfs3: loop0: ino=0, ntfs_iget5
ntfs3: loop0: MFT: r=0, expect seq=5 instead of 1!
ntfs3: loop0: ino=1f, "file2" failed to open parent directory r=0 to update
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to change bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Reply all
Reply to author
Forward
0 new messages