syzbot

 sign-in | mailing list | source | docs
🐞 Open [847]
🐞 Fixed [138]
🐞 Invalid [973]
Missing Backports [75]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

KASAN: use-after-free Read in ntfs_read_folio

Status: upstream: reported C repro on 2023/03/18 10:25
Bug presence: origin:lts-only
Labels: missing-backport
[Documentation on labels]
Reported-by: syzbot+2fec743e48dcebd0fdc3@syzkaller.appspotmail.com
First crash: 1017d, last: 28d
Fix bisection: failed (error log, bisect log)
  
Bug presence (2)
Date Name Commit Repro Result
2025/12/01 linux-6.1.y (ToT) f6e38ae624cf C [report] KASAN: use-after-free Read in ntfs_read_folio
2025/12/01 upstream (ToT) 7d0a66e4bb90 C Didn't crash
Similar bugs (1)
Kernel Title Rank 🛈 Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Read in ntfs_read_folio ntfs3 19 C error done 12 710d 1018d 25/29 fixed on 2024/03/20 11:33
Fix bisection attempts (7)
Created Duration User Patch Repo Result
2024/10/15 01:05 0m bisect fix linux-6.1.y error job log
2024/09/07 15:57 1h34m bisect fix linux-6.1.y OK (0) job log log
2024/03/20 17:24 1h40m fix candidate upstream OK (0) job log
2023/10/02 23:43 11m bisect fix linux-6.1.y error job log
2023/07/11 09:09 2h10m bisect fix linux-6.1.y OK (0) job log log
marked invalid by web-security-scanner@google.com
2023/06/06 19:38 33m bisect fix linux-6.1.y OK (0) job log log
2023/04/17 10:25 57m bisect fix linux-6.1.y OK (0) job log log

Sample crash report:
loop0: detected capacity change from 0 to 4096
==================================================================
BUG: KASAN: use-after-free in ntfs_read_folio+0x9bb/0x2980 fs/ntfs/aops.c:489
Read of size 80 at addr ffff8880694794b0 by task syz.0.18/4431

CPU: 1 PID: 4431 Comm: syz.0.18 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x168/0x22e lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:316 [inline]
 print_report+0xa8/0x210 mm/kasan/report.c:420
 kasan_report+0x10b/0x140 mm/kasan/report.c:524
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x27b/0x290 mm/kasan/generic.c:189
 memcpy+0x25/0x60 mm/kasan/shadow.c:65
 ntfs_read_folio+0x9bb/0x2980 fs/ntfs/aops.c:489
 filemap_read_folio+0x160/0x760 mm/filemap.c:2490
 do_read_cache_folio+0x2a0/0x760 mm/filemap.c:3627
 do_read_cache_page+0x32/0x220 mm/filemap.c:3669
 read_mapping_page include/linux/pagemap.h:791 [inline]
 ntfs_map_page fs/ntfs/aops.h:75 [inline]
 load_and_init_upcase fs/ntfs/super.c:1678 [inline]
 load_system_files+0x15d3/0x4460 fs/ntfs/super.c:1810
 ntfs_fill_super+0x182a/0x2a60 fs/ntfs/super.c:2892
 mount_bdev+0x287/0x3c0 fs/super.c:1443
 legacy_get_tree+0xe6/0x180 fs/fs_context.c:632
 vfs_get_tree+0x88/0x270 fs/super.c:1573
 do_new_mount+0x24a/0xa40 fs/namespace.c:3078
 do_mount fs/namespace.c:3421 [inline]
 __do_sys_mount fs/namespace.c:3629 [inline]
 __se_sys_mount+0x2d6/0x3c0 fs/namespace.c:3606
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f7e02190eea
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd9d2b5ee8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007ffd9d2b5f70 RCX: 00007f7e02190eea
RDX: 0000200000000080 RSI: 000020000001ecc0 RDI: 00007ffd9d2b5f30
RBP: 0000200000000080 R08: 00007ffd9d2b5f70 R09: 0000000002a10000
R10: 0000000002a10000 R11: 0000000000000246 R12: 000020000001ecc0
R13: 00007ffd9d2b5f30 R14: 000000000001eca1 R15: 00002000000000c0
 </TASK>

The buggy address belongs to the physical page:
page:ffffea0001a51e40 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x69479
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea0001a51e88 ffffea0001a51e08 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 4269, tgid 4269 (udevd), ts 74661347601, free_ts 74711170636
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x173/0x1a0 mm/page_alloc.c:2532
 prep_new_page mm/page_alloc.c:2539 [inline]
 get_page_from_freelist+0x1a26/0x1ac0 mm/page_alloc.c:4328
 __alloc_pages+0x1df/0x4e0 mm/page_alloc.c:5614
 __folio_alloc+0xe/0x30 mm/page_alloc.c:5646
 vma_alloc_folio+0x4a3/0x900 mm/mempolicy.c:2243
 alloc_page_vma include/linux/gfp.h:284 [inline]
 do_anonymous_page mm/memory.c:4191 [inline]
 handle_pte_fault mm/memory.c:5029 [inline]
 __handle_mm_fault mm/memory.c:5173 [inline]
 handle_mm_fault+0x2237/0x3e60 mm/memory.c:5294
 do_user_addr_fault+0x51f/0xb10 arch/x86/mm/fault.c:1340
 handle_page_fault arch/x86/mm/fault.c:1431 [inline]
 exc_page_fault+0x60/0x100 arch/x86/mm/fault.c:1487
 asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:608
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1459 [inline]
 free_pcp_prepare mm/page_alloc.c:1509 [inline]
 free_unref_page_prepare+0x8b4/0x9a0 mm/page_alloc.c:3384
 free_unref_page_list+0xbb/0x8e0 mm/page_alloc.c:3525
 release_pages+0x1f92/0x2200 mm/swap.c:1035
 tlb_batch_pages_flush mm/mmu_gather.c:59 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:254 [inline]
 tlb_flush_mmu+0xff/0x210 mm/mmu_gather.c:261
 tlb_finish_mmu+0xbd/0x1c0 mm/mmu_gather.c:361
 unmap_region+0x272/0x2c0 mm/mmap.c:2343
 do_mas_align_munmap+0xc57/0x1220 mm/mmap.c:2592
 do_mas_munmap+0x240/0x2b0 mm/mmap.c:2650
 __vm_munmap+0x18d/0x290 mm/mmap.c:2936
 __do_sys_munmap mm/mmap.c:2961 [inline]
 __se_sys_munmap mm/mmap.c:2958 [inline]
 __x64_sys_munmap+0x5c/0x70 mm/mmap.c:2958
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2

Memory state around the buggy address:
 ffff888069479380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888069479400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888069479480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                     ^
 ffff888069479500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888069479580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (11):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2025/11/30 01:41 linux-6.1.y f6e38ae624cf d6526ea3 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-6-1-kasan KASAN: use-after-free Read in ntfs_read_folio
2025/05/27 07:47 linux-6.1.y da3c5173c55f 874a1386 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-6-1-kasan-arm64 KASAN: use-after-free Read in ntfs_read_folio
2024/05/13 10:08 linux-6.1.y 909ba1f1b414 9026e142 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-6-1-kasan-arm64 KASAN: use-after-free Read in ntfs_read_folio
2023/03/18 10:25 linux-6.1.y 7eaef76fbc46 7939252e .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-6-1-kasan-arm64 KASAN: use-after-free Read in ntfs_read_folio
2023/05/07 12:41 linux-6.1.y ca48fc16c493 90c93c40 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-6-1-kasan KASAN: use-after-free Read in ntfs_read_folio
2023/12/29 08:15 linux-6.1.y 4aa6747d9352 fb427a07 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-6-1-kasan KASAN: out-of-bounds Read in ntfs_read_folio
2025/11/30 01:17 linux-6.1.y f6e38ae624cf d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in ntfs_read_folio
2025/11/30 01:14 linux-6.1.y f6e38ae624cf d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in ntfs_read_folio
2023/12/29 07:55 linux-6.1.y 4aa6747d9352 fb427a07 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Read in ntfs_read_folio
2024/05/13 09:53 linux-6.1.y 909ba1f1b414 9026e142 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 KASAN: use-after-free Read in ntfs_read_folio
2023/08/05 21:38 linux-6.1.y 52a953d0934b 4ffcc9ef .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan KASAN: use-after-free Write in ntfs_read_folio
* Struck through repros no longer work on HEAD.