KASAN: use-after-free Read in ntfs_lookup_inode_by

Title	Replies (including bot)	Last reply
[syzbot] Monthly ntfs report (May 2023)	0 (1)	2023/05/02 07:18
[syzbot] Monthly ntfs report	0 (1)	2023/03/31 15:00
[syzbot] [ntfs?] KASAN: use-after-free Read in ntfs_lookup_inode_by_name	0 (1)	2022/12/30 07:25

Title

Replies (including bot)

Last reply

[syzbot] Monthly ntfs report (May 2023)

0 (1)

2023/05/02 07:18

[syzbot] Monthly ntfs report

0 (1)

2023/03/31 15:00

[syzbot] [ntfs?] KASAN: use-after-free Read in ntfs_lookup_inode_by_name

0 (1)

2022/12/30 07:25

Kernel	Title	Repro	Fix bisect	Count	Last	Reported	Patched	Status
linux-6.1	KASAN: use-after-free Read in ntfs_lookup_inode_by_name origin:upstream	C		2	2d15h	202d	0/3	upstream: reported C repro on 2023/05/14 03:12
linux-5.15	KASAN: use-after-free Read in ntfs_lookup_inode_by_name origin:upstream	C	error	5	120d	234d	0/3	upstream: reported C repro on 2023/04/12 03:50
linux-4.19	KASAN: use-after-free Read in ntfs_lookup_inode_by_name ntfs	C	error	1	329d	329d	0/1	upstream: reported C repro on 2023/01/07 03:24

linux-6.1

KASAN: use-after-free Read in ntfs_lookup_inode_by_name origin:upstream

2d15h

202d

0/3

upstream: reported C repro on 2023/05/14 03:12

linux-5.15

KASAN: use-after-free Read in ntfs_lookup_inode_by_name origin:upstream

error

120d

234d

0/3

upstream: reported C repro on 2023/04/12 03:50

linux-4.19

KASAN: use-after-free Read in ntfs_lookup_inode_by_name ntfs

error

329d

0/1

upstream: reported C repro on 2023/01/07 03:24


Created	Duration	User	Repo	Result
2023/11/25 09:20	18m	retest repro	git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci	report log
2023/11/10 23:49	11m	retest repro	upstream	report log
2023/11/10 21:55	51m	retest repro	upstream	report log
2023/10/14 23:00	14m	retest repro	upstream	report log
2023/10/14 23:00	17m	retest repro	upstream	report log
2023/10/14 22:04	23m	retest repro	linux-next	error OK
2023/09/30 09:18	2h16m	retest repro	upstream	report log
2023/09/16 08:49	17m	retest repro	git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci	report log
2023/09/01 21:30	13m	retest repro	upstream	report log
2023/09/01 21:30	17m	retest repro	upstream	report log

Created	Duration	User	Repo	Result
2023/06/12 11:21	46m	bisect fix	upstream	job log (0) log
2023/03/20 16:54	47m	bisect fix	upstream	job log (0) log
2023/02/01 20:05	46m	bisect fix	upstream	job log (0) log

Created

Duration

User

Patch

Repo

Result

2023/06/12 11:21

46m

bisect fix

upstream

job log (0) log

2023/03/20 16:54

47m

bisect fix

upstream

job log (0) log

2023/02/01 20:05

46m

bisect fix

upstream

job log (0) log

syz-executor536[5025]: memfd_create() called without MFD_EXEC or MFD_NOEXEC_SEAL set loop0: detected capacity change from 0 to 4096 ntfs: volume version 3.1. ================================================================== BUG: KASAN: use-after-free in sle64_to_cpup fs/ntfs/endian.h:46 [inline] BUG: KASAN: use-after-free in ntfs_lookup_inode_by_name+0xe86/0x2ca0 fs/ntfs/dir.c:292 Read of size 8 at addr ffff888073cec55a by task syz-executor536/5025 CPU: 0 PID: 5025 Comm: syz-executor536 Not tainted 6.6.0-rc3-syzkaller-00146-g9f3ebbef746f #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:364 [inline] print_report+0x163/0x540 mm/kasan/report.c:475 kasan_report+0x175/0x1b0 mm/kasan/report.c:588 sle64_to_cpup fs/ntfs/endian.h:46 [inline] ntfs_lookup_inode_by_name+0xe86/0x2ca0 fs/ntfs/dir.c:292 check_windows_hibernation_status+0xf0/0x4c0 fs/ntfs/super.c:1282 load_system_files+0x35db/0x4840 fs/ntfs/super.c:1997 ntfs_fill_super+0x19b3/0x2bd0 fs/ntfs/super.c:2900 mount_bdev+0x237/0x300 fs/super.c:1629 legacy_get_tree+0xef/0x190 fs/fs_context.c:638 vfs_get_tree+0x8c/0x280 fs/super.c:1750 do_new_mount+0x28f/0xae0 fs/namespace.c:3335 do_mount fs/namespace.c:3675 [inline] __do_sys_mount fs/namespace.c:3884 [inline] __se_sys_mount+0x2d9/0x3c0 fs/namespace.c:3861 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7f7da98491ba Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 0e 06 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fff406f6f98 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5 RAX: ffffffffffffffda RBX: 00007fff406f6fb0 RCX: 00007f7da98491ba RDX: 000000002001ec80 RSI: 000000002001ecc0 RDI: 00007fff406f6fb0 RBP: 0000000000000004 R08: 00007fff406f6ff0 R09: 000000000001ec63 R10: 0000000000000000 R11: 0000000000000286 R12: 0000000000000000 R13: 00007fff406f6ff0 R14: 0000000000000003 R15: 0000000000200000 </TASK> The buggy address belongs to the physical page: page:ffffea0001cf3b00 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x73cec flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) page_type: 0xffffffff() raw: 00fff00000000000 ffffea0001cf3b48 ffffea0001cf3ac8 0000000000000000 raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 0, migratetype Movable, gfp_mask 0x8(__GFP_MOVABLE), pid 1, tgid 1 (swapper/0), ts 22302775480, free_ts 24837568900 set_page_owner include/linux/page_owner.h:31 [inline] post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536 split_map_pages+0x24a/0x510 mm/compaction.c:97 isolate_freepages_range+0x472/0x4d0 mm/compaction.c:775 alloc_contig_range+0x62e/0x9a0 mm/page_alloc.c:6217 __alloc_contig_pages mm/page_alloc.c:6240 [inline] alloc_contig_pages+0x3f4/0x4f0 mm/page_alloc.c:6320 debug_vm_pgtable_alloc_huge_page+0xb9/0x110 mm/debug_vm_pgtable.c:1095 init_args+0x837/0xb10 mm/debug_vm_pgtable.c:1277 debug_vm_pgtable+0xe0/0x540 mm/debug_vm_pgtable.c:1315 do_one_initcall+0x23d/0x7d0 init/main.c:1232 do_initcall_level+0x157/0x210 init/main.c:1294 do_initcalls+0x3f/0x80 init/main.c:1310 kernel_init_freeable+0x429/0x5c0 init/main.c:1547 kernel_init+0x1d/0x2a0 init/main.c:1437 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1136 [inline] free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312 free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405 free_contig_range+0x9e/0x150 mm/page_alloc.c:6342 destroy_args+0x95/0x7c0 mm/debug_vm_pgtable.c:1028 debug_vm_pgtable+0x4ba/0x540 mm/debug_vm_pgtable.c:1408 do_one_initcall+0x23d/0x7d0 init/main.c:1232 do_initcall_level+0x157/0x210 init/main.c:1294 do_initcalls+0x3f/0x80 init/main.c:1310 kernel_init_freeable+0x429/0x5c0 init/main.c:1547 kernel_init+0x1d/0x2a0 init/main.c:1437 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304 Memory state around the buggy address: ffff888073cec400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff888073cec480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff888073cec500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff888073cec580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff888073cec600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ==================================================================

Crashes (13):
Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Assets (help?)	Manager	Title
2023/09/30 21:58	upstream	9f3ebbef746f	8e26a358	.config	console log	report	syz	C		[disk image] [vmlinux] [kernel image] [mounted in repro]	ci-upstream-kasan-gce-smack-root	KASAN: use-after-free Read in ntfs_lookup_inode_by_name
2023/06/21 19:50	upstream	e660abd551f1	09ffe269	.config	console log	report	syz	C		[disk image] [vmlinux] [kernel image] [mounted in repro]	ci-upstream-kasan-gce-root	KASAN: use-after-free Read in ntfs_lookup_inode_by_name
2023/06/18 10:52	upstream	1b29d271614a	f3921d4d	.config	console log	report	syz	C		[disk image] [vmlinux] [kernel image] [mounted in repro]	ci-upstream-kasan-gce-smack-root	KASAN: use-after-free Read in ntfs_lookup_inode_by_name
2023/05/13 01:19	upstream	cc3c44c9fda2	ecca8a24	.config	strace log	report	syz	C		[disk image] [vmlinux] [kernel image] [mounted in repro]	ci2-upstream-fs	KASAN: use-after-free Read in ntfs_lookup_inode_by_name
2022/12/26 07:18	upstream	1b929c02afd3	9da18ae8	.config	console log	report	syz	C		[disk image] [vmlinux] [kernel image] [mounted in repro]	ci2-upstream-fs	KASAN: use-after-free Read in ntfs_lookup_inode_by_name
2023/08/01 03:09	linux-next	ec8939156379	2a0d0f29	.config	console log	report	syz	C		[disk image] [vmlinux] [kernel image] [mounted in repro]	ci-upstream-linux-next-kasan-gce-root	KASAN: use-after-free Read in ntfs_lookup_inode_by_name
2023/05/13 01:22	git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci	14f8db1c0f9a	ecca8a24	.config	console log	report	syz	C		[disk image] [vmlinux] [kernel image] [mounted in repro]	ci-upstream-gce-arm64	KASAN: use-after-free Read in ntfs_lookup_inode_by_name
2023/08/18 19:55	upstream	0e8860d2125f	acb1ba71	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci2-upstream-fs	KASAN: use-after-free Read in ntfs_lookup_inode_by_name
2023/06/29 15:58	upstream	b19edac5992d	134ddc02	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci2-upstream-fs	KASAN: use-after-free Read in ntfs_lookup_inode_by_name
2023/04/25 03:11	upstream	1a0beef98b58	65320f8e	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci2-upstream-fs	KASAN: use-after-free Read in ntfs_lookup_inode_by_name
2023/02/18 16:53	upstream	38f8ccde04a3	d02e9a70	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci2-upstream-fs	KASAN: use-after-free Read in ntfs_lookup_inode_by_name
2023/08/04 13:07	linux-next	bdffb18b5dd8	74621247	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-linux-next-kasan-gce-root	KASAN: use-after-free Read in ntfs_lookup_inode_by_name
2023/04/05 21:50	git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci	59caa87f9dfb	8b834965	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci-upstream-gce-arm64	KASAN: use-after-free Read in ntfs_lookup_inode_by_name

Crashes (13):

Assets (help?)