[v6.1] KASAN: global-out-of-bounds Read in ntfs_fill_super
2 views
Skip to first unread message
syzbot
May 28, 2025, 2:33:32 PM5/28/25
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: da3c5173c55f Linux 6.1.140
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=14f3f170580000
kernel config: https://syzkaller.appspot.com/x/.config?x=2bfe5a2f04bb30e3
dashboard link: https://syzkaller.appspot.com/bug?extid=5aa42981226a9e2b7f12
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
userspace arch: arm64
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/2c3ee4de68a1/disk-da3c5173.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/19742d73f52b/vmlinux-da3c5173.xz
kernel image: https://storage.googleapis.com/syzbot-assets/0ffdd39d32ee/Image-da3c5173.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+5aa429...@syzkaller.appspotmail.com
loop4: detected capacity change from 0 to 4096
==================================================================
BUG: KASAN: global-out-of-bounds in __lock_acquire+0x5560/0x6544 kernel/locking/lockdep.c:5019
Read of size 4 at addr ffff80001c267800 by task syz.4.593/6224
CPU: 0 PID: 6224 Comm: syz.4.593 Not tainted 6.1.140-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call trace:
dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
__dump_stack+0x30/0x40 lib/dump_stack.c:88
dump_stack_lvl+0xf8/0x160 lib/dump_stack.c:106
print_address_description+0x88/0x220 mm/kasan/report.c:316
print_report+0x50/0x68 mm/kasan/report.c:427
kasan_report+0xa8/0x100 mm/kasan/report.c:531
__asan_report_load4_noabort+0x2c/0x38 mm/kasan/report_generic.c:350
__lock_acquire+0x5560/0x6544 kernel/locking/lockdep.c:5019
lock_acquire+0x20c/0x644 kernel/locking/lockdep.c:5662
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x54/0x6c kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:351 [inline]
iput_final fs/inode.c:1823 [inline]
iput+0x5d4/0x7f4 fs/inode.c:1860
ntfs_fill_super+0x2cec/0x32ac fs/ntfs3/super.c:1214
get_tree_bdev+0x358/0x544 fs/super.c:1366
ntfs_fs_get_tree+0x28/0x38 fs/ntfs3/super.c:1383
vfs_get_tree+0x90/0x274 fs/super.c:1573
do_new_mount+0x228/0x810 fs/namespace.c:3058
path_mount+0x5b4/0xe78 fs/namespace.c:3388
do_mount fs/namespace.c:3401 [inline]
__do_sys_mount fs/namespace.c:3609 [inline]
__se_sys_mount fs/namespace.c:3586 [inline]
__arm64_sys_mount+0x49c/0x584 fs/namespace.c:3586
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2bc arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
do_el0_svc+0x58/0x13c arch/arm64/kernel/syscall.c:204
el0_svc+0x58/0x138 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
The buggy address belongs to the variable:
oops_in_progress+0x0/0x20
The buggy address belongs to the virtual mapping at
[ffff800014fe0000, ffff80001c721000) created by:
map_kernel+0x1d0/0x384 arch/arm64/mm/mmu.c:792
The buggy address belongs to the physical page:
page:000000001a9b8b31 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x215a67
flags: 0x5ffc00000001000(reserved|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000001000 fffffc00075699c8 fffffc00075699c8 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff80001c267700: 00 00 f9 f9 00 00 f9 f9 00 00 f9 f9 00 00 00 00
ffff80001c267780: 00 f9 f9 f9 f9 f9 f9 f9 01 f9 f9 f9 00 f9 f9 f9
>ffff80001c267800: 04 f9 f9 f9 00 f9 f9 f9 04 f9 f9 f9 04 f9 f9 f9
^
ffff80001c267880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff80001c267900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: da3c5173c55f Linux 6.1.140
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=14f3f170580000
kernel config: https://syzkaller.appspot.com/x/.config?x=2bfe5a2f04bb30e3
dashboard link: https://syzkaller.appspot.com/bug?extid=5aa42981226a9e2b7f12
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
userspace arch: arm64
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/2c3ee4de68a1/disk-da3c5173.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/19742d73f52b/vmlinux-da3c5173.xz
kernel image: https://storage.googleapis.com/syzbot-assets/0ffdd39d32ee/Image-da3c5173.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+5aa429...@syzkaller.appspotmail.com
loop4: detected capacity change from 0 to 4096
==================================================================
BUG: KASAN: global-out-of-bounds in __lock_acquire+0x5560/0x6544 kernel/locking/lockdep.c:5019
Read of size 4 at addr ffff80001c267800 by task syz.4.593/6224
CPU: 0 PID: 6224 Comm: syz.4.593 Not tainted 6.1.140-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call trace:
dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
__dump_stack+0x30/0x40 lib/dump_stack.c:88
dump_stack_lvl+0xf8/0x160 lib/dump_stack.c:106
print_address_description+0x88/0x220 mm/kasan/report.c:316
print_report+0x50/0x68 mm/kasan/report.c:427
kasan_report+0xa8/0x100 mm/kasan/report.c:531
__asan_report_load4_noabort+0x2c/0x38 mm/kasan/report_generic.c:350
__lock_acquire+0x5560/0x6544 kernel/locking/lockdep.c:5019
lock_acquire+0x20c/0x644 kernel/locking/lockdep.c:5662
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x54/0x6c kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:351 [inline]
iput_final fs/inode.c:1823 [inline]
iput+0x5d4/0x7f4 fs/inode.c:1860
ntfs_fill_super+0x2cec/0x32ac fs/ntfs3/super.c:1214
get_tree_bdev+0x358/0x544 fs/super.c:1366
ntfs_fs_get_tree+0x28/0x38 fs/ntfs3/super.c:1383
vfs_get_tree+0x90/0x274 fs/super.c:1573
do_new_mount+0x228/0x810 fs/namespace.c:3058
path_mount+0x5b4/0xe78 fs/namespace.c:3388
do_mount fs/namespace.c:3401 [inline]
__do_sys_mount fs/namespace.c:3609 [inline]
__se_sys_mount fs/namespace.c:3586 [inline]
__arm64_sys_mount+0x49c/0x584 fs/namespace.c:3586
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2bc arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
do_el0_svc+0x58/0x13c arch/arm64/kernel/syscall.c:204
el0_svc+0x58/0x138 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
The buggy address belongs to the variable:
oops_in_progress+0x0/0x20
The buggy address belongs to the virtual mapping at
[ffff800014fe0000, ffff80001c721000) created by:
map_kernel+0x1d0/0x384 arch/arm64/mm/mmu.c:792
The buggy address belongs to the physical page:
page:000000001a9b8b31 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x215a67
flags: 0x5ffc00000001000(reserved|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000001000 fffffc00075699c8 fffffc00075699c8 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff80001c267700: 00 00 f9 f9 00 00 f9 f9 00 00 f9 f9 00 00 00 00
ffff80001c267780: 00 f9 f9 f9 f9 f9 f9 f9 01 f9 f9 f9 00 f9 f9 f9
>ffff80001c267800: 04 f9 f9 f9 00 f9 f9 f9 04 f9 f9 f9 04 f9 f9 f9
^
ffff80001c267880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff80001c267900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
Sep 5, 2025, 2:33:24 PM9/5/25
to syzkaller...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.
Crashes did not happen for a while, no reproducer and no activity.
Reply all
Reply to author
Forward
0 new messages