syzbot


UBSAN: array-index-out-of-bounds in find_lock_entries

Status: upstream: reported C repro on 2023/03/09 01:13
Bug presence: origin:upstream
Labels: missing-backport
[Documentation on labels]
Reported-by: syzbot+78ad3696e1862f5e8775@syzkaller.appspotmail.com
First crash: 351d, last: 131d
Fix bisection: the issue occurs on the latest tested release (bisect log)
Crash: kernel panic: stack is corrupted in return_address (log)
Repro: C syz .config
  
Bug presence (3)
Date Name Commit Repro Result
2023/10/03 linux-6.1.y (ToT) d23900f974e0 C [report] UBSAN: array-index-out-of-bounds in truncate_inode_pages_final
2023/05/19 upstream (ToT) 2d1bcbc6cd70 C [report] UBSAN: array-index-out-of-bounds in find_lock_entries
2023/10/03 upstream (ToT) ce36c8b14987 C Didn't crash
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: vmalloc-out-of-bounds Write in find_lock_entries ntfs3 C done unreliable 61 206d 554d 0/26 auto-obsoleted due to no activity on 2024/01/23 23:53
Fix bisection attempts (6)
Created Duration User Patch Repo Result
2023/10/29 03:02 2h22m fix candidate upstream job log (0)
2023/10/15 13:45 2h35m bisect fix linux-6.1.y job log (0) log
2023/09/07 11:21 2h31m bisect fix linux-6.1.y job log (0) log
2023/06/26 17:16 1h26m bisect fix linux-6.1.y job log (0) log
2023/05/25 12:15 1h08m bisect fix linux-6.1.y job log (0) log
2023/04/08 01:13 1h14m bisect fix linux-6.1.y job log (0) log

Sample crash report:
================================================================================
UBSAN: array-index-out-of-bounds in ./include/linux/pagevec.h:129:2
index 255 is out of range for type 'struct folio *[15]'
CPU: 1 PID: 4603 Comm: syz-executor317 Not tainted 6.1.15-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call trace:
 dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
 dump_stack+0x1c/0x58 lib/dump_stack.c:113
 ubsan_epilogue lib/ubsan.c:151 [inline]
 __ubsan_handle_out_of_bounds+0xfc/0x148 lib/ubsan.c:282
 folio_batch_add include/linux/pagevec.h:129 [inline]
 find_lock_entries+0x704/0xae8 mm/filemap.c:2110
 truncate_inode_pages_range+0x198/0x13b0 mm/truncate.c:364
 truncate_inode_pages mm/truncate.c:452 [inline]
 truncate_inode_pages_final+0x90/0xc0 mm/truncate.c:487
 ntfs_evict_inode+0x24/0xc8 fs/ntfs3/inode.c:1754
 evict+0x260/0x68c fs/inode.c:664
 iput_final fs/inode.c:1747 [inline]
 iput+0x968/0xa4c fs/inode.c:1773
 ntfs_fill_super+0x32d8/0x3a04 fs/ntfs3/super.c:1190
 get_tree_bdev+0x360/0x54c fs/super.c:1324
 ntfs_fs_get_tree+0x28/0x38 fs/ntfs3/super.c:1359
 vfs_get_tree+0x90/0x274 fs/super.c:1531
 do_new_mount+0x25c/0x8c8 fs/namespace.c:3040
 path_mount+0x590/0xe58 fs/namespace.c:3370
 do_mount fs/namespace.c:3383 [inline]
 __do_sys_mount fs/namespace.c:3591 [inline]
 __se_sys_mount fs/namespace.c:3568 [inline]
 __arm64_sys_mount+0x45c/0x594 fs/namespace.c:3568
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:206
 el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581
================================================================================

Crashes (2):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2023/03/09 01:13 linux-6.1.y 42616e0f09fb 4fc6d98d .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-6-1-kasan-arm64 UBSAN: array-index-out-of-bounds in find_lock_entries
2023/04/22 20:40 linux-6.1.y f17b0ab65d17 2b32bd34 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 UBSAN: array-index-out-of-bounds in find_lock_entries
* Struck through repros no longer work on HEAD.