[arm?] KASAN: stack-out-of-bounds Read in save_return_addr
4 views
Skip to first unread message
syzbot
Apr 27, 2023, 11:08:50 AM4/27/23
to syzkaller-upst...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 14f8db1c0f9a Merge branch 'for-next/core' into for-kernelci
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=14679ac8280000
kernel config: https://syzkaller.appspot.com/x/.config?x=64943844c9bf6c7e
dashboard link: https://syzkaller.appspot.com/bug?extid=21ab807cfaad7f8d743a
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
CC: [catalin...@arm.com linux-ar...@lists.infradead.org linux-...@vger.kernel.org wi...@kernel.org]
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/308eaf819538/disk-14f8db1c.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/3703019b9bb1/vmlinux-14f8db1c.xz
kernel image: https://storage.googleapis.com/syzbot-assets/c5599496b155/Image-14f8db1c.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+21ab80...@syzkaller.appspotmail.com
ntfs3: loop0: Different NTFS' sector size (1024) and media sector size (512)
==================================================================
BUG: KASAN: stack-out-of-bounds in save_return_addr+0xd8/0xdc arch/arm64/kernel/return_address.c:25
Read of size 4 at addr ffff80002cd175bf by task syz-executor.0/10048
CPU: 0 PID: 10048 Comm: syz-executor.0 Not tainted 6.3.0-rc7-syzkaller-g14f8db1c0f9a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/30/2023
Call trace:
dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:233
show_stack+0x2c/0x44 arch/arm64/kernel/stacktrace.c:240
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:319 [inline]
print_report+0x174/0x514 mm/kasan/report.c:430
kasan_report+0xd4/0x130 mm/kasan/report.c:536
__asan_report_load4_noabort+0x20/0x2c mm/kasan/report_generic.c:380
save_return_addr+0xd8/0xdc arch/arm64/kernel/return_address.c:25
unwind arch/arm64/kernel/stacktrace.c:138 [inline]
arch_stack_walk+0x148/0x2b4 arch/arm64/kernel/stacktrace.c:208
return_address+0xcc/0x16c arch/arm64/kernel/return_address.c:42
trace_hardirqs_on+0xd8/0x28c kernel/trace/trace_preemptirq.c:56
__raw_spin_unlock_irq include/linux/spinlock_api_smp.h:159 [inline]
_raw_spin_unlock_irq+0x30/0x80 kernel/locking/spinlock.c:202
spin_unlock_irq include/linux/spinlock.h:400 [inline]
truncate_inode_pages_final+0x78/0xc0 mm/truncate.c:480
ntfs_evict_inode+0x24/0xc8 fs/ntfs3/inode.c:1771
evict+0x260/0x68c fs/inode.c:665
iput_final fs/inode.c:1748 [inline]
iput+0x734/0x818 fs/inode.c:1774
ntfs_fill_super+0x34a8/0x3b9c fs/ntfs3/super.c:1239
get_tree_bdev+0x360/0x54c fs/super.c:1303
ntfs_fs_get_tree+0x28/0x38 fs/ntfs3/super.c:1408
vfs_get_tree+0x90/0x274 fs/super.c:1510
do_new_mount+0x25c/0x8c8 fs/namespace.c:3042
path_mount+0x590/0xe04 fs/namespace.c:3372
do_mount fs/namespace.c:3385 [inline]
__do_sys_mount fs/namespace.c:3594 [inline]
__se_sys_mount fs/namespace.c:3571 [inline]
__arm64_sys_mount+0x45c/0x594 fs/namespace.c:3571
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x198 arch/arm64/kernel/syscall.c:193
el0_svc+0x4c/0x15c arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591
The buggy address belongs to stack of task syz-executor.0/10048
and is located at offset 31 in frame:
return_address+0x0/0x16c
This frame has 1 object:
[32, 48) 'data'
The buggy address belongs to the virtual mapping at
[ffff80002cd10000, ffff80002cd19000) created by:
copy_process+0x4b8/0x3808 kernel/fork.c:2098
The buggy address belongs to the physical page:
page:000000007075a581 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11389b
memcg:ffff0000ddcf7002
flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000000000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff ffff0000ddcf7002
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff80002cd17480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff80002cd17500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff80002cd17580: 00 00 00 00 f1 f1 f1 f1 00 00 f3 f3 00 00 00 00
^
ffff80002cd17600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff80002cd17680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
ntfs3: loop0: Mark volume as dirty due to NTFS errors
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to change bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If you want to unassign a label, reply with:
#syz unset some-label
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 14f8db1c0f9a Merge branch 'for-next/core' into for-kernelci
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=14679ac8280000
kernel config: https://syzkaller.appspot.com/x/.config?x=64943844c9bf6c7e
dashboard link: https://syzkaller.appspot.com/bug?extid=21ab807cfaad7f8d743a
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
CC: [catalin...@arm.com linux-ar...@lists.infradead.org linux-...@vger.kernel.org wi...@kernel.org]
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/308eaf819538/disk-14f8db1c.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/3703019b9bb1/vmlinux-14f8db1c.xz
kernel image: https://storage.googleapis.com/syzbot-assets/c5599496b155/Image-14f8db1c.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+21ab80...@syzkaller.appspotmail.com
ntfs3: loop0: Different NTFS' sector size (1024) and media sector size (512)
==================================================================
BUG: KASAN: stack-out-of-bounds in save_return_addr+0xd8/0xdc arch/arm64/kernel/return_address.c:25
Read of size 4 at addr ffff80002cd175bf by task syz-executor.0/10048
CPU: 0 PID: 10048 Comm: syz-executor.0 Not tainted 6.3.0-rc7-syzkaller-g14f8db1c0f9a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/30/2023
Call trace:
dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:233
show_stack+0x2c/0x44 arch/arm64/kernel/stacktrace.c:240
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:319 [inline]
print_report+0x174/0x514 mm/kasan/report.c:430
kasan_report+0xd4/0x130 mm/kasan/report.c:536
__asan_report_load4_noabort+0x20/0x2c mm/kasan/report_generic.c:380
save_return_addr+0xd8/0xdc arch/arm64/kernel/return_address.c:25
unwind arch/arm64/kernel/stacktrace.c:138 [inline]
arch_stack_walk+0x148/0x2b4 arch/arm64/kernel/stacktrace.c:208
return_address+0xcc/0x16c arch/arm64/kernel/return_address.c:42
trace_hardirqs_on+0xd8/0x28c kernel/trace/trace_preemptirq.c:56
__raw_spin_unlock_irq include/linux/spinlock_api_smp.h:159 [inline]
_raw_spin_unlock_irq+0x30/0x80 kernel/locking/spinlock.c:202
spin_unlock_irq include/linux/spinlock.h:400 [inline]
truncate_inode_pages_final+0x78/0xc0 mm/truncate.c:480
ntfs_evict_inode+0x24/0xc8 fs/ntfs3/inode.c:1771
evict+0x260/0x68c fs/inode.c:665
iput_final fs/inode.c:1748 [inline]
iput+0x734/0x818 fs/inode.c:1774
ntfs_fill_super+0x34a8/0x3b9c fs/ntfs3/super.c:1239
get_tree_bdev+0x360/0x54c fs/super.c:1303
ntfs_fs_get_tree+0x28/0x38 fs/ntfs3/super.c:1408
vfs_get_tree+0x90/0x274 fs/super.c:1510
do_new_mount+0x25c/0x8c8 fs/namespace.c:3042
path_mount+0x590/0xe04 fs/namespace.c:3372
do_mount fs/namespace.c:3385 [inline]
__do_sys_mount fs/namespace.c:3594 [inline]
__se_sys_mount fs/namespace.c:3571 [inline]
__arm64_sys_mount+0x45c/0x594 fs/namespace.c:3571
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x198 arch/arm64/kernel/syscall.c:193
el0_svc+0x4c/0x15c arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591
The buggy address belongs to stack of task syz-executor.0/10048
and is located at offset 31 in frame:
return_address+0x0/0x16c
This frame has 1 object:
[32, 48) 'data'
The buggy address belongs to the virtual mapping at
[ffff80002cd10000, ffff80002cd19000) created by:
copy_process+0x4b8/0x3808 kernel/fork.c:2098
The buggy address belongs to the physical page:
page:000000007075a581 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11389b
memcg:ffff0000ddcf7002
flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000000000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff ffff0000ddcf7002
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff80002cd17480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff80002cd17500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff80002cd17580: 00 00 00 00 f1 f1 f1 f1 00 00 f3 f3 00 00 00 00
^
ffff80002cd17600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff80002cd17680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
ntfs3: loop0: Mark volume as dirty due to NTFS errors
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to change bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If you want to unassign a label, reply with:
#syz unset some-label
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
Jul 26, 2023, 3:08:36 AM7/26/23
to syzkaller-upst...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.
Crashes did not happen for a while, no reproducer and no activity.
Reply all
Reply to author
Forward
0 new messages