Hello,
syzbot found the following issue on:
HEAD commit: b0ece631f84a Linux 5.15.111
git tree: linux-5.15.y
console output:
https://syzkaller.appspot.com/x/log.txt?x=12968616280000
kernel config:
https://syzkaller.appspot.com/x/.config?x=db3750b003ff805e
dashboard link:
https://syzkaller.appspot.com/bug?extid=86907330aff57bf54596
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image:
https://storage.googleapis.com/syzbot-assets/eded75b6c3f9/disk-b0ece631.raw.xz
vmlinux:
https://storage.googleapis.com/syzbot-assets/20e5ae802010/vmlinux-b0ece631.xz
kernel image:
https://storage.googleapis.com/syzbot-assets/05d665c869f3/Image-b0ece631.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by:
syzbot+869073...@syzkaller.appspotmail.com
Unable to handle kernel paging request at virtual address dfff800000000000
Mem abort info:
ESR = 0x0000000096000006
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x06: level 2 translation fault
Data abort info:
ISV = 0, ISS = 0x00000006
CM = 0, WnR = 0
[dfff800000000000] address between user and kernel address ranges
Internal error: Oops: 96000006 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 4611 Comm: syz-executor.4 Not tainted 5.15.111-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : ntfs_security_init+0x244/0x9f8 fs/ntfs3/fsntfs.c:1882
lr : resident_data_ex fs/ntfs3/ntfs.h:461 [inline]
lr : ntfs_security_init+0x230/0x9f8 fs/ntfs3/fsntfs.c:1881
sp : ffff80001d0076a0
x29: ffff80001d0077a0 x28: dfff800000000000 x27: 0000000000000020
x26: ffff700003a00edc x25: 0000000000000040 x24: 0000000000000000
x23: ffff00011d018160 x22: ffff80001d007720 x21: ffff0001200e44b0
x20: ffff0001200e4260 x19: ffff0000ccecc000 x18: 0000000000000000
x17: ff808000095bdaa0 x16: ffff80000824cbf4 x15: ffff8000095bdaa0
x14: 1ffff0000291a06a x13: ffffffffffffffff x12: 0000000000040000
x11: 000000000003ffff x10: ffff8000201f9000 x9 : ffff800009586114
x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000
x5 : 0000000000000000 x4 : 0000000000000004 x3 : ffff800011d7c7a0
x2 : 0000000000000008 x1 : 0000000000000000 x0 : 0000000000000020
Call trace:
ntfs_security_init+0x244/0x9f8 fs/ntfs3/fsntfs.c:1882
ntfs_fill_super+0x3008/0x33ec fs/ntfs3/super.c:1233
get_tree_bdev+0x360/0x54c fs/super.c:1303
ntfs_fs_get_tree+0x28/0x38 fs/ntfs3/super.c:1354
vfs_get_tree+0x90/0x274 fs/super.c:1508
do_new_mount+0x25c/0x8c8 fs/namespace.c:2994
path_mount+0x590/0x104c fs/namespace.c:3324
do_mount fs/namespace.c:3337 [inline]
__do_sys_mount fs/namespace.c:3545 [inline]
__se_sys_mount fs/namespace.c:3522 [inline]
__arm64_sys_mount+0x510/0x5e0 fs/namespace.c:3522
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:596
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:614
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
Code: 14000003 97bcf21e 8b1b02f8 d343ff08 (38fc6908)
---[ end trace 17dd4f70a0a60e18 ]---
----------------
Code disassembly (best guess):
0: 14000003 b 0xc
4: 97bcf21e bl 0xfffffffffef3c87c
8: 8b1b02f8 add x24, x23, x27
c: d343ff08 lsr x8, x24, #3
* 10: 38fc6908 ldrsb w8, [x8, x28] <-- trapping instruction
---
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to change bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup