syzbot

 sign-in | mailing list | source | docs
🐞 Open [418]
🐞 Fixed [20]
🐞 Invalid [106]
Missing Backports [15]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

KASAN: slab-out-of-bounds Read in ntfs_readdir

Status: upstream: reported C repro on 2025/12/20 12:14
Reported-by: syzbot+ece2a27984b661049b34@syzkaller.appspotmail.com
First crash: 2d13h, last: 1d22h
Similar bugs (5)
Kernel Title Rank 🛈 Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-5.15 KASAN: slab-out-of-bounds Read in ntfs_readdir missing-backport origin:lts-only 17 C done 92 2d22h 970d 0/3 upstream: reported C repro on 2023/04/27 08:51
linux-4.19 KASAN: slab-out-of-bounds Read in ntfs_readdir ntfs 17 C error 1 1083d 1083d 0/1 upstream: reported C repro on 2023/01/04 05:55
linux-4.14 KASAN: slab-out-of-bounds Read in ntfs_readdir ntfs 17 C 1 1024d 1087d 0/1 upstream: reported C repro on 2022/12/31 19:18
upstream KASAN: slab-out-of-bounds Read in ntfs_readdir ntfs3 17 C error error 507 631d 1090d 0/29 auto-obsoleted due to no activity on 2024/06/09 18:46
linux-6.1 KASAN: slab-out-of-bounds Read in ntfs_readdir origin:upstream missing-backport 17 C done 83 1d06h 929d 0/3 upstream: reported C repro on 2023/06/07 15:22

Sample crash report:
ntfs: (device loop0): ntfs_ucstonls(): Unicode name contains characters that cannot be converted to character set cp857.  You might want to try to use the mount option nls=utf8.
ntfs: (device loop0): ntfs_filldir(): Skipping unrepresentable inode 0x4.
==================================================================
BUG: KASAN: slab-out-of-bounds in ntfs_filldir fs/ntfs/dir.c:1021 [inline]
BUG: KASAN: slab-out-of-bounds in ntfs_readdir+0xd6f/0x2970 fs/ntfs/dir.c:1200
Read of size 1 at addr ffff888027546199 by task syz-executor/5878

CPU: 0 PID: 5878 Comm: syz-executor Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x16c/0x230 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:364 [inline]
 print_report+0xac/0x220 mm/kasan/report.c:468
 kasan_report+0x117/0x150 mm/kasan/report.c:581
 ntfs_filldir fs/ntfs/dir.c:1021 [inline]
 ntfs_readdir+0xd6f/0x2970 fs/ntfs/dir.c:1200
 wrap_directory_iterator+0x92/0xd0 fs/readdir.c:67
 iterate_dir+0x1c2/0x580 fs/readdir.c:106
 __do_sys_getdents64 fs/readdir.c:405 [inline]
 __se_sys_getdents64+0xe9/0x260 fs/readdir.c:390
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f33789c20b3
Code: c1 66 0f 1f 44 00 00 48 83 c4 08 48 89 ef 5b 5d e9 62 3d f8 ff 66 90 b8 ff ff ff 7f 48 39 c2 48 0f 47 d0 b8 d9 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 05 c3 0f 1f 40 00 48 c7 c2 a8 ff ff ff f7 d8
RSP: 002b:00007ffe58fa7008 EFLAGS: 00000293 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 000055558e74e640 RCX: 00007f33789c20b3
RDX: 0000000000008000 RSI: 000055558e74e640 RDI: 0000000000000006
RBP: 000055558e74e614 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000001000 R11: 0000000000000293 R12: ffffffffffffffa8
R13: 0000000000000016 R14: 000055558e74e610 R15: 00007ffe58faa3b0
 </TASK>

Allocated by task 5878:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4e/0x70 mm/kasan/common.c:52
 ____kasan_kmalloc mm/kasan/common.c:374 [inline]
 __kasan_kmalloc+0x8f/0xa0 mm/kasan/common.c:383
 kasan_kmalloc include/linux/kasan.h:198 [inline]
 __do_kmalloc_node mm/slab_common.c:1007 [inline]
 __kmalloc+0xb4/0x240 mm/slab_common.c:1020
 kmalloc include/linux/slab.h:604 [inline]
 ntfs_readdir+0x754/0x2970 fs/ntfs/dir.c:1162
 wrap_directory_iterator+0x92/0xd0 fs/readdir.c:67
 iterate_dir+0x1c2/0x580 fs/readdir.c:106
 __do_sys_getdents64 fs/readdir.c:405 [inline]
 __se_sys_getdents64+0xe9/0x260 fs/readdir.c:390
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2

The buggy address belongs to the object at ffff888027546000
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 65 bytes to the right of
 allocated 344-byte region [ffff888027546000, ffff888027546158)

The buggy address belongs to the physical page:
page:ffffea00009d5100 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888027544c00 pfn:0x27544
head:ffffea00009d5100 order:2 entire_mapcount:0 nr_pages_mapped:0 pincount:0
ksm flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000840 ffff888017841c80 ffffea0000c28400 dead000000000003
raw: ffff888027544c00 000000008010000e 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 2585, tgid 2585 (kworker/u4:2), ts 19339939636, free_ts 0
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x1cd/0x210 mm/page_alloc.c:1554
 prep_new_page mm/page_alloc.c:1561 [inline]
 get_page_from_freelist+0x195c/0x19f0 mm/page_alloc.c:3191
 __alloc_pages+0x1e3/0x460 mm/page_alloc.c:4457
 alloc_slab_page+0x5d/0x170 mm/slub.c:1881
 allocate_slab mm/slub.c:2028 [inline]
 new_slab+0x87/0x2e0 mm/slub.c:2081
 ___slab_alloc+0xc6d/0x1300 mm/slub.c:3253
 __slab_alloc mm/slub.c:3339 [inline]
 __slab_alloc_node mm/slub.c:3392 [inline]
 slab_alloc_node mm/slub.c:3485 [inline]
 __kmem_cache_alloc_node+0x1a2/0x260 mm/slub.c:3534
 kmalloc_trace+0x2a/0xe0 mm/slab_common.c:1098
 kmalloc include/linux/slab.h:600 [inline]
 kzalloc include/linux/slab.h:721 [inline]
 alloc_bprm+0x56/0x9c0 fs/exec.c:1538
 kernel_execve+0x98/0x9c0 fs/exec.c:2023
 call_usermodehelper_exec_async+0x20b/0x350 kernel/umh.c:110
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:152
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:293
page_owner free stack trace missing

Memory state around the buggy address:
 ffff888027546080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888027546100: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc
>ffff888027546180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                            ^
 ffff888027546200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888027546280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Crashes (7):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2025/12/21 03:22 linux-6.6.y 5fa4793a2d2d d6526ea3 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-6-6-kasan KASAN: slab-out-of-bounds Read in ntfs_readdir
2025/12/21 01:37 linux-6.6.y 5fa4793a2d2d d6526ea3 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-6-6-kasan KASAN: slab-out-of-bounds Read in ntfs_readdir
2025/12/20 21:46 linux-6.6.y 5fa4793a2d2d d6526ea3 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-6-6-kasan KASAN: slab-out-of-bounds Read in ntfs_readdir
2025/12/20 19:59 linux-6.6.y 5fa4793a2d2d d6526ea3 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-6-6-kasan KASAN: slab-out-of-bounds Read in ntfs_readdir
2025/12/20 18:06 linux-6.6.y 5fa4793a2d2d d6526ea3 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-6-6-kasan KASAN: slab-out-of-bounds Read in ntfs_readdir
2025/12/20 16:04 linux-6.6.y 5fa4793a2d2d d6526ea3 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-6-6-kasan KASAN: slab-out-of-bounds Read in ntfs_readdir
2025/12/20 12:14 linux-6.6.y 5fa4793a2d2d d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-6-kasan KASAN: slab-out-of-bounds Read in ntfs_readdir
* Struck through repros no longer work on HEAD.