[syzbot] BUG: unable to handle kernel NULL pointer dereference in ni_find_attr
19 views
Skip to first unread message
syzbot
Aug 24, 2022, 12:36:33 PM8/24/22
to almaz.ale...@paragon-software.com, linux-...@vger.kernel.org, nt...@lists.linux.dev, syzkall...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 1c23f9e627a7 Linux 6.0-rc2
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=152b86a5080000
kernel config: https://syzkaller.appspot.com/x/.config?x=3045c937aad027f7
dashboard link: https://syzkaller.appspot.com/bug?extid=69d15cab6309bffae739
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1621f485080000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=171012d3080000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+69d15c...@syzkaller.appspotmail.com
loop0: detected capacity change from 0 to 75
ntfs3: loop0: RAW NTFS volume: Filesystem size 0.00 Gb > volume size 0.00 Gb. Mount in read-only
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000238
Mem abort info:
ESR = 0x0000000096000006
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x06: level 2 translation fault
Data abort info:
ISV = 0, ISS = 0x00000006
CM = 0, WnR = 0
user pgtable: 4k pages, 48-bit VAs, pgdp=0000000107c58000
[0000000000000238] pgd=0800000108ac7003, p4d=0800000108ac7003, pud=0800000109389003, pmd=0000000000000000
Internal error: Oops: 96000006 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 PID: 3028 Comm: syz-executor245 Not tainted 6.0.0-rc2-syzkaller-16440-g1c23f9e627a7 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/20/2022
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : ni_find_attr+0x54/0x43c fs/ntfs3/frecord.c:194
lr : ni_find_attr+0x54/0x43c fs/ntfs3/frecord.c:190
sp : ffff80001200b8f0
x29: ffff80001200b920 x28: 0000000000000000 x27: 00000000fffffffe
x26: 0000000000000000 x25: 0000000000000000 x24: ffff80001200b984
x23: 0000000000000000 x22: 0000000000000080 x21: 0000000000000000
x20: 0000000000000000 x19: 0000000000000000 x18: 00000000000000c0
x17: ffff80000dd7a698 x16: 0000000000000000 x15: 0000000000000000
x14: 0000000000000000 x13: 00000000fffffffe x12: ffff80000d5998c8
x11: ff80800008be8ec0 x10: 0000000000000000 x9 : ffff800008be8ec0
x8 : ffff0000c5569a80 x7 : 0000000000000000 x6 : ffff80001200b984
x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000080
x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000
Call trace:
ni_find_attr+0x54/0x43c fs/ntfs3/frecord.c:190
attr_load_runs_vcn+0x6c/0x138 fs/ntfs3/attrib.c:1220
mi_read+0x178/0x274 fs/ntfs3/record.c:151
ntfs_read_mft fs/ntfs3/inode.c:69 [inline]
ntfs_iget5+0x15c/0x138c fs/ntfs3/inode.c:501
ntfs_fill_super+0x950/0x14a4 fs/ntfs/super.c:2791
get_tree_bdev+0x1e8/0x2a0 fs/super.c:1323
ntfs_fs_get_tree+0x28/0x38 fs/ntfs3/super.c:1358
vfs_get_tree+0x40/0x140 fs/super.c:1530
do_new_mount+0x1dc/0x4e4 fs/namespace.c:3040
path_mount+0x358/0x914 fs/namespace.c:3370
do_mount fs/namespace.c:3383 [inline]
__do_sys_mount fs/namespace.c:3591 [inline]
__se_sys_mount fs/namespace.c:3568 [inline]
__arm64_sys_mount+0x2f8/0x408 fs/namespace.c:3568
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall arch/arm64/kernel/syscall.c:52 [inline]
el0_svc_common+0x138/0x220 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x48/0x154 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:624
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:642
el0t_64_sync+0x18c/0x190
Code: aa0103fa aa0003f3 f81f83a8 97daea83 (f9411e7b)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
0: aa0103fa mov x26, x1
4: aa0003f3 mov x19, x0
8: f81f83a8 stur x8, [x29, #-8]
c: 97daea83 bl 0xffffffffff6baa18
* 10: f9411e7b ldr x27, [x19, #568] <-- trapping instruction
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following issue on:
HEAD commit: 1c23f9e627a7 Linux 6.0-rc2
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=152b86a5080000
kernel config: https://syzkaller.appspot.com/x/.config?x=3045c937aad027f7
dashboard link: https://syzkaller.appspot.com/bug?extid=69d15cab6309bffae739
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1621f485080000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=171012d3080000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+69d15c...@syzkaller.appspotmail.com
loop0: detected capacity change from 0 to 75
ntfs3: loop0: RAW NTFS volume: Filesystem size 0.00 Gb > volume size 0.00 Gb. Mount in read-only
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000238
Mem abort info:
ESR = 0x0000000096000006
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x06: level 2 translation fault
Data abort info:
ISV = 0, ISS = 0x00000006
CM = 0, WnR = 0
user pgtable: 4k pages, 48-bit VAs, pgdp=0000000107c58000
[0000000000000238] pgd=0800000108ac7003, p4d=0800000108ac7003, pud=0800000109389003, pmd=0000000000000000
Internal error: Oops: 96000006 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 PID: 3028 Comm: syz-executor245 Not tainted 6.0.0-rc2-syzkaller-16440-g1c23f9e627a7 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/20/2022
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : ni_find_attr+0x54/0x43c fs/ntfs3/frecord.c:194
lr : ni_find_attr+0x54/0x43c fs/ntfs3/frecord.c:190
sp : ffff80001200b8f0
x29: ffff80001200b920 x28: 0000000000000000 x27: 00000000fffffffe
x26: 0000000000000000 x25: 0000000000000000 x24: ffff80001200b984
x23: 0000000000000000 x22: 0000000000000080 x21: 0000000000000000
x20: 0000000000000000 x19: 0000000000000000 x18: 00000000000000c0
x17: ffff80000dd7a698 x16: 0000000000000000 x15: 0000000000000000
x14: 0000000000000000 x13: 00000000fffffffe x12: ffff80000d5998c8
x11: ff80800008be8ec0 x10: 0000000000000000 x9 : ffff800008be8ec0
x8 : ffff0000c5569a80 x7 : 0000000000000000 x6 : ffff80001200b984
x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000080
x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000
Call trace:
ni_find_attr+0x54/0x43c fs/ntfs3/frecord.c:190
attr_load_runs_vcn+0x6c/0x138 fs/ntfs3/attrib.c:1220
mi_read+0x178/0x274 fs/ntfs3/record.c:151
ntfs_read_mft fs/ntfs3/inode.c:69 [inline]
ntfs_iget5+0x15c/0x138c fs/ntfs3/inode.c:501
ntfs_fill_super+0x950/0x14a4 fs/ntfs/super.c:2791
get_tree_bdev+0x1e8/0x2a0 fs/super.c:1323
ntfs_fs_get_tree+0x28/0x38 fs/ntfs3/super.c:1358
vfs_get_tree+0x40/0x140 fs/super.c:1530
do_new_mount+0x1dc/0x4e4 fs/namespace.c:3040
path_mount+0x358/0x914 fs/namespace.c:3370
do_mount fs/namespace.c:3383 [inline]
__do_sys_mount fs/namespace.c:3591 [inline]
__se_sys_mount fs/namespace.c:3568 [inline]
__arm64_sys_mount+0x2f8/0x408 fs/namespace.c:3568
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall arch/arm64/kernel/syscall.c:52 [inline]
el0_svc_common+0x138/0x220 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x48/0x154 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:624
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:642
el0t_64_sync+0x18c/0x190
Code: aa0103fa aa0003f3 f81f83a8 97daea83 (f9411e7b)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
0: aa0103fa mov x26, x1
4: aa0003f3 mov x19, x0
8: f81f83a8 stur x8, [x29, #-8]
c: 97daea83 bl 0xffffffffff6baa18
* 10: f9411e7b ldr x27, [x19, #568] <-- trapping instruction
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot
Aug 29, 2022, 7:30:20 PM8/29/22
to almaz.ale...@paragon-software.com, linux-...@vger.kernel.org, linux-...@vger.kernel.org, nt...@lists.linux.dev, syzkall...@googlegroups.com, vi...@zeniv.linux.org.uk
syzbot has bisected this issue to:
commit 6e5be40d32fb1907285277c02e74493ed43d77fe
Author: Konstantin Komarov <almaz.ale...@paragon-software.com>
Date: Fri Aug 13 14:21:30 2021 +0000
fs/ntfs3: Add NTFS3 in fs/Kconfig and fs/Makefile
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1458787d080000
start commit: 8379c0b31fbc Merge tag 'for-6.0-rc3-tag' of git://git.kern..
git tree: upstream
final oops: https://syzkaller.appspot.com/x/report.txt?x=1658787d080000
console output: https://syzkaller.appspot.com/x/log.txt?x=1258787d080000
kernel config: https://syzkaller.appspot.com/x/.config?x=911efaff115942bb
dashboard link: https://syzkaller.appspot.com/bug?extid=69d15cab6309bffae739
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=110d306d080000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17409333080000
Reported-by: syzbot+69d15c...@syzkaller.appspotmail.com
Fixes: 6e5be40d32fb ("fs/ntfs3: Add NTFS3 in fs/Kconfig and fs/Makefile")
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
commit 6e5be40d32fb1907285277c02e74493ed43d77fe
Author: Konstantin Komarov <almaz.ale...@paragon-software.com>
Date: Fri Aug 13 14:21:30 2021 +0000
fs/ntfs3: Add NTFS3 in fs/Kconfig and fs/Makefile
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1458787d080000
start commit: 8379c0b31fbc Merge tag 'for-6.0-rc3-tag' of git://git.kern..
git tree: upstream
final oops: https://syzkaller.appspot.com/x/report.txt?x=1658787d080000
console output: https://syzkaller.appspot.com/x/log.txt?x=1258787d080000
kernel config: https://syzkaller.appspot.com/x/.config?x=911efaff115942bb
dashboard link: https://syzkaller.appspot.com/bug?extid=69d15cab6309bffae739
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=110d306d080000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17409333080000
Reported-by: syzbot+69d15c...@syzkaller.appspotmail.com
Fixes: 6e5be40d32fb ("fs/ntfs3: Add NTFS3 in fs/Kconfig and fs/Makefile")
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot
Feb 5, 2023, 2:46:19 PM2/5/23
to almaz.ale...@paragon-software.com, edwa...@ambergroup.io, linux-...@vger.kernel.org, linux-...@vger.kernel.org, nt...@lists.linux.dev, syzkall...@googlegroups.com, vi...@zeniv.linux.org.uk
syzbot suspects this issue was fixed by commit:
commit 2681631c29739509eec59cc0b34e977bb04c6cf1
Author: Edward Lo <edwa...@ambergroup.io>
Date: Sat Aug 6 17:05:18 2022 +0000
fs/ntfs3: Add null pointer check to attr_load_runs_vcn
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=110ad78d480000
start commit: b7b275e60bcd Linux 6.1-rc7
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=2325e409a9a893e1
dashboard link: https://syzkaller.appspot.com/bug?extid=69d15cab6309bffae739
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16b3fb9b880000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=101313bb880000
If the result looks correct, please mark the issue as fixed by replying with:
#syz fix: fs/ntfs3: Add null pointer check to attr_load_runs_vcn
commit 2681631c29739509eec59cc0b34e977bb04c6cf1
Author: Edward Lo <edwa...@ambergroup.io>
Date: Sat Aug 6 17:05:18 2022 +0000
fs/ntfs3: Add null pointer check to attr_load_runs_vcn
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=110ad78d480000
start commit: b7b275e60bcd Linux 6.1-rc7
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=2325e409a9a893e1
dashboard link: https://syzkaller.appspot.com/bug?extid=69d15cab6309bffae739
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16b3fb9b880000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=101313bb880000
If the result looks correct, please mark the issue as fixed by replying with:
#syz fix: fs/ntfs3: Add null pointer check to attr_load_runs_vcn
Aleksandr Nogikh
Feb 6, 2023, 5:21:02 AM2/6/23
to syzbot, almaz.ale...@paragon-software.com, edwa...@ambergroup.io, linux-...@vger.kernel.org, linux-...@vger.kernel.org, nt...@lists.linux.dev, syzkall...@googlegroups.com, vi...@zeniv.linux.org.uk
#syz fix: fs/ntfs3: Add null pointer check to attr_load_runs_vcn
>
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection
>
> --
>
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection
>
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bug...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/00000000000009570005f3f92b86%40google.com.
Reply all
Reply to author
Forward
0 new messages