[v5.15] KASAN: wild-memory-access Write in ntfs_evict_inode
3 views
Skip to first unread message
syzbot
May 8, 2025, 11:41:41 PMMay 8
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 16fdf2c7111b Linux 5.15.181
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=10b9c670580000
kernel config: https://syzkaller.appspot.com/x/.config?x=1748ac0065c72647
dashboard link: https://syzkaller.appspot.com/bug?extid=c37e633b4cea959be398
compiler: Debian clang version 20.1.2 (++20250402124445+58df0ef89dd6-1~exp1~20250402004600.97), Debian LLD 20.1.2
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/d8540163643f/disk-16fdf2c7.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/1a4c570bb8bc/vmlinux-16fdf2c7.xz
kernel image: https://storage.googleapis.com/syzbot-assets/d4ed683eba5e/bzImage-16fdf2c7.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c37e63...@syzkaller.appspotmail.com
loop0: detected capacity change from 0 to 4096
ntfs3: loop0: Different NTFS' sector size (2048) and media sector size (512)
==================================================================
BUG: KASAN: wild-memory-access in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
BUG: KASAN: wild-memory-access in atomic_add_unless include/linux/atomic/atomic-instrumented.h:570 [inline]
BUG: KASAN: wild-memory-access in page_ref_add_unless include/linux/page_ref.h:166 [inline]
BUG: KASAN: wild-memory-access in __page_cache_add_speculative include/linux/pagemap.h:238 [inline]
BUG: KASAN: wild-memory-access in page_cache_get_speculative include/linux/pagemap.h:254 [inline]
BUG: KASAN: wild-memory-access in find_get_entry mm/filemap.c:1992 [inline]
BUG: KASAN: wild-memory-access in find_lock_entries+0x1e1/0xd50 mm/filemap.c:2092
Write of size 4 at addr ffea000158d98034 by task syz.0.431/5928
CPU: 1 PID: 5928 Comm: syz.0.431 Not tainted 5.15.181-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/19/2025
Call Trace:
<TASK>
dump_stack_lvl+0x168/0x230 lib/dump_stack.c:106
__kasan_report mm/kasan/report.c:438 [inline]
kasan_report+0xd5/0x130 mm/kasan/report.c:451
check_region_inline mm/kasan/generic.c:-1 [inline]
kasan_check_range+0x27b/0x290 mm/kasan/generic.c:189
instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
atomic_add_unless include/linux/atomic/atomic-instrumented.h:570 [inline]
page_ref_add_unless include/linux/page_ref.h:166 [inline]
__page_cache_add_speculative include/linux/pagemap.h:238 [inline]
page_cache_get_speculative include/linux/pagemap.h:254 [inline]
find_get_entry mm/filemap.c:1992 [inline]
find_lock_entries+0x1e1/0xd50 mm/filemap.c:2092
truncate_inode_pages_range+0x17c/0xef0 mm/truncate.c:320
ntfs_evict_inode+0x18/0xb0 fs/ntfs3/inode.c:1781
evict+0x485/0x870 fs/inode.c:647
ntfs_fill_super+0x355c/0x3c10 fs/ntfs3/super.c:1185
get_tree_bdev+0x3f1/0x610 fs/super.c:1325
vfs_get_tree+0x88/0x270 fs/super.c:1530
do_new_mount+0x24a/0xa40 fs/namespace.c:3013
do_mount fs/namespace.c:3356 [inline]
__do_sys_mount fs/namespace.c:3564 [inline]
__se_sys_mount+0x2d6/0x3c0 fs/namespace.c:3541
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7fd469c2e10a
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fd467a93e68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007fd467a93ef0 RCX: 00007fd469c2e10a
RDX: 000020000001f340 RSI: 000020000001f380 RDI: 00007fd467a93eb0
RBP: 000020000001f340 R08: 00007fd467a93ef0 R09: 0000000000008400
R10: 0000000000008400 R11: 0000000000000246 R12: 000020000001f380
R13: 00007fd467a93eb0 R14: 000000000001f350 R15: 00002000000006c0
</TASK>
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 16fdf2c7111b Linux 5.15.181
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=10b9c670580000
kernel config: https://syzkaller.appspot.com/x/.config?x=1748ac0065c72647
dashboard link: https://syzkaller.appspot.com/bug?extid=c37e633b4cea959be398
compiler: Debian clang version 20.1.2 (++20250402124445+58df0ef89dd6-1~exp1~20250402004600.97), Debian LLD 20.1.2
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/d8540163643f/disk-16fdf2c7.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/1a4c570bb8bc/vmlinux-16fdf2c7.xz
kernel image: https://storage.googleapis.com/syzbot-assets/d4ed683eba5e/bzImage-16fdf2c7.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c37e63...@syzkaller.appspotmail.com
loop0: detected capacity change from 0 to 4096
ntfs3: loop0: Different NTFS' sector size (2048) and media sector size (512)
==================================================================
BUG: KASAN: wild-memory-access in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
BUG: KASAN: wild-memory-access in atomic_add_unless include/linux/atomic/atomic-instrumented.h:570 [inline]
BUG: KASAN: wild-memory-access in page_ref_add_unless include/linux/page_ref.h:166 [inline]
BUG: KASAN: wild-memory-access in __page_cache_add_speculative include/linux/pagemap.h:238 [inline]
BUG: KASAN: wild-memory-access in page_cache_get_speculative include/linux/pagemap.h:254 [inline]
BUG: KASAN: wild-memory-access in find_get_entry mm/filemap.c:1992 [inline]
BUG: KASAN: wild-memory-access in find_lock_entries+0x1e1/0xd50 mm/filemap.c:2092
Write of size 4 at addr ffea000158d98034 by task syz.0.431/5928
CPU: 1 PID: 5928 Comm: syz.0.431 Not tainted 5.15.181-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/19/2025
Call Trace:
<TASK>
dump_stack_lvl+0x168/0x230 lib/dump_stack.c:106
__kasan_report mm/kasan/report.c:438 [inline]
kasan_report+0xd5/0x130 mm/kasan/report.c:451
check_region_inline mm/kasan/generic.c:-1 [inline]
kasan_check_range+0x27b/0x290 mm/kasan/generic.c:189
instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
atomic_add_unless include/linux/atomic/atomic-instrumented.h:570 [inline]
page_ref_add_unless include/linux/page_ref.h:166 [inline]
__page_cache_add_speculative include/linux/pagemap.h:238 [inline]
page_cache_get_speculative include/linux/pagemap.h:254 [inline]
find_get_entry mm/filemap.c:1992 [inline]
find_lock_entries+0x1e1/0xd50 mm/filemap.c:2092
truncate_inode_pages_range+0x17c/0xef0 mm/truncate.c:320
ntfs_evict_inode+0x18/0xb0 fs/ntfs3/inode.c:1781
evict+0x485/0x870 fs/inode.c:647
ntfs_fill_super+0x355c/0x3c10 fs/ntfs3/super.c:1185
get_tree_bdev+0x3f1/0x610 fs/super.c:1325
vfs_get_tree+0x88/0x270 fs/super.c:1530
do_new_mount+0x24a/0xa40 fs/namespace.c:3013
do_mount fs/namespace.c:3356 [inline]
__do_sys_mount fs/namespace.c:3564 [inline]
__se_sys_mount+0x2d6/0x3c0 fs/namespace.c:3541
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7fd469c2e10a
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fd467a93e68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007fd467a93ef0 RCX: 00007fd469c2e10a
RDX: 000020000001f340 RSI: 000020000001f380 RDI: 00007fd467a93eb0
RBP: 000020000001f340 R08: 00007fd467a93ef0 R09: 0000000000008400
R10: 0000000000008400 R11: 0000000000000246 R12: 000020000001f380
R13: 00007fd467a93eb0 R14: 000000000001f350 R15: 00002000000006c0
</TASK>
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
Nov 26, 2025, 9:32:15 PM (yesterday) Nov 26
to syzkaller...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.
Crashes did not happen for a while, no reproducer and no activity.
Reply all
Reply to author
Forward
0 new messages