syzbot


KASAN: use-after-free Read in ntfs_lookup_inode_by_name

Status: upstream: reported C repro on 2022/12/30 07:25
Subsystems: ntfs
[Documentation on labels]
Reported-by: syzbot+3625b78845a725e80f61@syzkaller.appspotmail.com
First crash: 341d, last: 7d06h
Cause bisection: failed (error log, bisect log)
  
Discussions (3)
Title Replies (including bot) Last reply
[syzbot] Monthly ntfs report (May 2023) 0 (1) 2023/05/02 07:18
[syzbot] Monthly ntfs report 0 (1) 2023/03/31 15:00
[syzbot] [ntfs?] KASAN: use-after-free Read in ntfs_lookup_inode_by_name 0 (1) 2022/12/30 07:25
Similar bugs (3)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-6.1 KASAN: use-after-free Read in ntfs_lookup_inode_by_name origin:upstream C 2 2d15h 202d 0/3 upstream: reported C repro on 2023/05/14 03:12
linux-5.15 KASAN: use-after-free Read in ntfs_lookup_inode_by_name origin:upstream C error 5 120d 234d 0/3 upstream: reported C repro on 2023/04/12 03:50
linux-4.19 KASAN: use-after-free Read in ntfs_lookup_inode_by_name ntfs C error 1 329d 329d 0/1 upstream: reported C repro on 2023/01/07 03:24
Last patch testing requests (10)
Created Duration User Patch Repo Result
2023/11/25 09:20 18m retest repro git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci report log
2023/11/10 23:49 11m retest repro upstream report log
2023/11/10 21:55 51m retest repro upstream report log
2023/10/14 23:00 14m retest repro upstream report log
2023/10/14 23:00 17m retest repro upstream report log
2023/10/14 22:04 23m retest repro linux-next error OK
2023/09/30 09:18 2h16m retest repro upstream report log
2023/09/16 08:49 17m retest repro git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci report log
2023/09/01 21:30 13m retest repro upstream report log
2023/09/01 21:30 17m retest repro upstream report log
Fix bisection attempts (3)
Created Duration User Patch Repo Result
2023/06/12 11:21 46m bisect fix upstream job log (0) log
2023/03/20 16:54 47m bisect fix upstream job log (0) log
2023/02/01 20:05 46m bisect fix upstream job log (0) log

Sample crash report:
syz-executor536[5025]: memfd_create() called without MFD_EXEC or MFD_NOEXEC_SEAL set
loop0: detected capacity change from 0 to 4096
ntfs: volume version 3.1.
==================================================================
BUG: KASAN: use-after-free in sle64_to_cpup fs/ntfs/endian.h:46 [inline]
BUG: KASAN: use-after-free in ntfs_lookup_inode_by_name+0xe86/0x2ca0 fs/ntfs/dir.c:292
Read of size 8 at addr ffff888073cec55a by task syz-executor536/5025

CPU: 0 PID: 5025 Comm: syz-executor536 Not tainted 6.6.0-rc3-syzkaller-00146-g9f3ebbef746f #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:364 [inline]
 print_report+0x163/0x540 mm/kasan/report.c:475
 kasan_report+0x175/0x1b0 mm/kasan/report.c:588
 sle64_to_cpup fs/ntfs/endian.h:46 [inline]
 ntfs_lookup_inode_by_name+0xe86/0x2ca0 fs/ntfs/dir.c:292
 check_windows_hibernation_status+0xf0/0x4c0 fs/ntfs/super.c:1282
 load_system_files+0x35db/0x4840 fs/ntfs/super.c:1997
 ntfs_fill_super+0x19b3/0x2bd0 fs/ntfs/super.c:2900
 mount_bdev+0x237/0x300 fs/super.c:1629
 legacy_get_tree+0xef/0x190 fs/fs_context.c:638
 vfs_get_tree+0x8c/0x280 fs/super.c:1750
 do_new_mount+0x28f/0xae0 fs/namespace.c:3335
 do_mount fs/namespace.c:3675 [inline]
 __do_sys_mount fs/namespace.c:3884 [inline]
 __se_sys_mount+0x2d9/0x3c0 fs/namespace.c:3861
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f7da98491ba
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 0e 06 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff406f6f98 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007fff406f6fb0 RCX: 00007f7da98491ba
RDX: 000000002001ec80 RSI: 000000002001ecc0 RDI: 00007fff406f6fb0
RBP: 0000000000000004 R08: 00007fff406f6ff0 R09: 000000000001ec63
R10: 0000000000000000 R11: 0000000000000286 R12: 0000000000000000
R13: 00007fff406f6ff0 R14: 0000000000000003 R15: 0000000000200000
 </TASK>

The buggy address belongs to the physical page:
page:ffffea0001cf3b00 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x73cec
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000000 ffffea0001cf3b48 ffffea0001cf3ac8 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x8(__GFP_MOVABLE), pid 1, tgid 1 (swapper/0), ts 22302775480, free_ts 24837568900
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1536
 split_map_pages+0x24a/0x510 mm/compaction.c:97
 isolate_freepages_range+0x472/0x4d0 mm/compaction.c:775
 alloc_contig_range+0x62e/0x9a0 mm/page_alloc.c:6217
 __alloc_contig_pages mm/page_alloc.c:6240 [inline]
 alloc_contig_pages+0x3f4/0x4f0 mm/page_alloc.c:6320
 debug_vm_pgtable_alloc_huge_page+0xb9/0x110 mm/debug_vm_pgtable.c:1095
 init_args+0x837/0xb10 mm/debug_vm_pgtable.c:1277
 debug_vm_pgtable+0xe0/0x540 mm/debug_vm_pgtable.c:1315
 do_one_initcall+0x23d/0x7d0 init/main.c:1232
 do_initcall_level+0x157/0x210 init/main.c:1294
 do_initcalls+0x3f/0x80 init/main.c:1310
 kernel_init_freeable+0x429/0x5c0 init/main.c:1547
 kernel_init+0x1d/0x2a0 init/main.c:1437
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1136 [inline]
 free_unref_page_prepare+0x8c3/0x9f0 mm/page_alloc.c:2312
 free_unref_page+0x37/0x3f0 mm/page_alloc.c:2405
 free_contig_range+0x9e/0x150 mm/page_alloc.c:6342
 destroy_args+0x95/0x7c0 mm/debug_vm_pgtable.c:1028
 debug_vm_pgtable+0x4ba/0x540 mm/debug_vm_pgtable.c:1408
 do_one_initcall+0x23d/0x7d0 init/main.c:1232
 do_initcall_level+0x157/0x210 init/main.c:1294
 do_initcalls+0x3f/0x80 init/main.c:1310
 kernel_init_freeable+0x429/0x5c0 init/main.c:1547
 kernel_init+0x1d/0x2a0 init/main.c:1437
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304

Memory state around the buggy address:
 ffff888073cec400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888073cec480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888073cec500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                    ^
 ffff888073cec580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888073cec600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (13):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2023/09/30 21:58 upstream 9f3ebbef746f 8e26a358 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-kasan-gce-smack-root KASAN: use-after-free Read in ntfs_lookup_inode_by_name
2023/06/21 19:50 upstream e660abd551f1 09ffe269 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-kasan-gce-root KASAN: use-after-free Read in ntfs_lookup_inode_by_name
2023/06/18 10:52 upstream 1b29d271614a f3921d4d .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-kasan-gce-smack-root KASAN: use-after-free Read in ntfs_lookup_inode_by_name
2023/05/13 01:19 upstream cc3c44c9fda2 ecca8a24 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-upstream-fs KASAN: use-after-free Read in ntfs_lookup_inode_by_name
2022/12/26 07:18 upstream 1b929c02afd3 9da18ae8 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-upstream-fs KASAN: use-after-free Read in ntfs_lookup_inode_by_name
2023/08/01 03:09 linux-next ec8939156379 2a0d0f29 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in ntfs_lookup_inode_by_name
2023/05/13 01:22 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 14f8db1c0f9a ecca8a24 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-gce-arm64 KASAN: use-after-free Read in ntfs_lookup_inode_by_name
2023/08/18 19:55 upstream 0e8860d2125f acb1ba71 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in ntfs_lookup_inode_by_name
2023/06/29 15:58 upstream b19edac5992d 134ddc02 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in ntfs_lookup_inode_by_name
2023/04/25 03:11 upstream 1a0beef98b58 65320f8e .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in ntfs_lookup_inode_by_name
2023/02/18 16:53 upstream 38f8ccde04a3 d02e9a70 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in ntfs_lookup_inode_by_name
2023/08/04 13:07 linux-next bdffb18b5dd8 74621247 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in ntfs_lookup_inode_by_name
2023/04/05 21:50 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 59caa87f9dfb 8b834965 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: use-after-free Read in ntfs_lookup_inode_by_name
* Struck through repros no longer work on HEAD.