syzbot
KASAN: out-of-bounds Write in end_buffer_read_sync

Status: upstream: reported C repro on 2022/04/25 03:07
Reported-by: syzbot+3f7f291a3d327486073c@syzkaller.appspotmail.com
First crash: 160d, last: 3d13h

Cause bisection: introduced by (bisect log):
commit 6e5be40d32fb1907285277c02e74493ed43d77fe
Author: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Date: Fri Aug 13 14:21:30 2021 +0000

  fs/ntfs3: Add NTFS3 in fs/Kconfig and fs/Makefile

Crash: KASAN: out-of-bounds Write in end_buffer_read_sync (log)
Repro: C syz .config
Patch testing requests:
Created Duration User Patch Repo Result
2022/07/02 04:28 22m gautammenghani201@gmail.com https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 03c765b0e3b4cb5063276b086c76f7a612856a9a report log

Sample crash report:
==================================================================
BUG: KASAN: out-of-bounds in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
BUG: KASAN: out-of-bounds in atomic_dec include/linux/atomic/atomic-instrumented.h:257 [inline]
BUG: KASAN: out-of-bounds in put_bh include/linux/buffer_head.h:287 [inline]
BUG: KASAN: out-of-bounds in end_buffer_read_sync+0x87/0xd0 fs/buffer.c:160
Write of size 4 at addr ffffc900057d79e0 by task ksoftirqd/1/21

CPU: 1 PID: 21 Comm: ksoftirqd/1 Not tainted 5.19.0-syzkaller-02972-g200e340f2196 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0xf/0x495 mm/kasan/report.c:313
 print_report mm/kasan/report.c:429 [inline]
 kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491
 check_region_inline mm/kasan/generic.c:183 [inline]
 kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
 instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
 atomic_dec include/linux/atomic/atomic-instrumented.h:257 [inline]
 put_bh include/linux/buffer_head.h:287 [inline]
 end_buffer_read_sync+0x87/0xd0 fs/buffer.c:160
 end_bio_bh_io_sync+0xda/0x130 fs/buffer.c:2672
 bio_endio+0x5fe/0x780 block/bio.c:1562
 req_bio_endio block/blk-mq.c:695 [inline]
 blk_update_request+0x401/0x1310 block/blk-mq.c:825
 blk_mq_end_request+0x4b/0x80 block/blk-mq.c:951
 lo_complete_rq+0x1c2/0x280 drivers/block/loop.c:370
 blk_complete_reqs+0xad/0xe0 block/blk-mq.c:1022
 __do_softirq+0x29b/0x9c2 kernel/softirq.c:571
 run_ksoftirqd kernel/softirq.c:934 [inline]
 run_ksoftirqd+0x2d/0x60 kernel/softirq.c:926
 smpboot_thread_fn+0x645/0x9c0 kernel/smpboot.c:164
 kthread+0x2e9/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
 </TASK>

The buggy address belongs to the virtual mapping at
 [ffffc900057d0000, ffffc900057d9000) created by:
 kernel_clone+0xe7/0xab0 kernel/fork.c:2659

The buggy address belongs to the physical page:
page:ffffea00005d4400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x17510
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_ZERO), pid 3601, tgid 3601 (syz-executor164), ts 157092271901, free_ts 157006384093
 prep_new_page mm/page_alloc.c:2457 [inline]
 get_page_from_freelist+0x1298/0x3b80 mm/page_alloc.c:4203
 __alloc_pages+0x1c7/0x510 mm/page_alloc.c:5431
 alloc_pages+0x1aa/0x310 mm/mempolicy.c:2272
 vm_area_alloc_pages mm/vmalloc.c:2927 [inline]
 __vmalloc_area_node mm/vmalloc.c:2995 [inline]
 __vmalloc_node_range+0x735/0x13e0 mm/vmalloc.c:3165
 alloc_thread_stack_node kernel/fork.c:312 [inline]
 dup_task_struct kernel/fork.c:977 [inline]
 copy_process+0x13d5/0x70a0 kernel/fork.c:2075
 kernel_clone+0xe7/0xab0 kernel/fork.c:2659
 __do_sys_clone+0xba/0x100 kernel/fork.c:2793
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1371 [inline]
 free_pcp_prepare+0x549/0xd20 mm/page_alloc.c:1421
 free_unref_page_prepare mm/page_alloc.c:3344 [inline]
 free_unref_page+0x19/0x6a0 mm/page_alloc.c:3439
 __vunmap+0x85d/0xd30 mm/vmalloc.c:2665
 __vfree+0x3c/0xd0 mm/vmalloc.c:2713
 vfree+0x5a/0x90 mm/vmalloc.c:2744
 free_partitions block/partitions/core.c:118 [inline]
 check_partition block/partitions/core.c:177 [inline]
 blk_add_partitions block/partitions/core.c:599 [inline]
 bdev_disk_changed block/partitions/core.c:685 [inline]
 bdev_disk_changed+0xb43/0xf60 block/partitions/core.c:652
 blkdev_get_whole+0x18a/0x2d0 block/bdev.c:684
 blkdev_get_by_dev.part.0+0x5ec/0xb90 block/bdev.c:821
 blkdev_get_by_dev block/bdev.c:889 [inline]
 blkdev_get_by_path+0x1b3/0x2e0 block/bdev.c:886
 get_tree_bdev+0xd5/0x760 fs/super.c:1242
 vfs_get_tree+0x89/0x2f0 fs/super.c:1497
 do_new_mount fs/namespace.c:3040 [inline]
 path_mount+0x1320/0x1fa0 fs/namespace.c:3370
 do_mount fs/namespace.c:3383 [inline]
 __do_sys_mount fs/namespace.c:3591 [inline]
 __se_sys_mount fs/namespace.c:3568 [inline]
 __x64_sys_mount+0x27f/0x300 fs/namespace.c:3568
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Memory state around the buggy address:
 ffffc900057d7880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc900057d7900: 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 f3 f3 00
>ffffc900057d7980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1
                                                          ^
 ffffc900057d7a00: f1 f1 f1 f1 f1 00 00 00 00 00 f3 f3 f3 f3 f3 00
 ffffc900057d7a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

Crashes (236):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kasan-gce-root 2022/08/06 12:04 upstream 200e340f2196 e853abd9 .config log report syz C KASAN: out-of-bounds Write in end_buffer_read_sync
ci-qemu-upstream 2022/05/20 12:22 upstream b015dcd62b86 cb1ac2e7 .config log report syz C KASAN: out-of-bounds Write in end_buffer_read_sync
ci-qemu-upstream 2022/05/07 13:26 upstream 4b97bac0756a e60b1103 .config log report syz C KASAN: out-of-bounds Write in end_buffer_read_sync
ci2-upstream-fs 2022/09/25 01:49 upstream 3db61221f4e8 0042f2b4 .config log report info KASAN: out-of-bounds Write in end_buffer_read_sync
ci-upstream-kasan-gce-root 2022/09/19 14:35 upstream 521a547ced64 dd9a85ff .config log report info KASAN: out-of-bounds Write in end_buffer_read_sync
ci-upstream-kasan-gce-selinux-root 2022/09/12 12:25 upstream 80e78fcce86d 356d8217 .config log report info KASAN: out-of-bounds Write in end_buffer_read_sync
ci-upstream-kasan-gce-selinux-root 2022/09/07 11:13 upstream d2ec799d1c1b 5fc30c37 .config log report info KASAN: out-of-bounds Write in end_buffer_read_sync
ci-upstream-kasan-gce-root 2022/08/16 15:21 upstream 7ebfc85e2cd7 7a7cb304 .config log report info KASAN: out-of-bounds Write in end_buffer_read_sync
ci-upstream-kasan-gce-selinux-root 2022/08/15 14:08 upstream 7ebfc85e2cd7 8dfcaa3d .config log report info KASAN: out-of-bounds Write in end_buffer_read_sync
ci-upstream-kasan-gce-root 2022/08/10 17:33 upstream 200e340f2196 a6201f11 .config log report info KASAN: out-of-bounds Write in end_buffer_read_sync
ci-qemu-upstream 2022/08/10 11:20 upstream 200e340f2196 aaa9eaa0 .config log report info KASAN: out-of-bounds Write in end_buffer_read_sync
ci-upstream-kasan-gce-root 2022/08/07 12:18 upstream 200e340f2196 88e3a122 .config log report info KASAN: out-of-bounds Write in end_buffer_read_sync
ci-upstream-kasan-gce-root 2022/08/06 16:17 upstream 200e340f2196 88e3a122 .config log report info KASAN: out-of-bounds Write in end_buffer_read_sync
ci-qemu-upstream 2022/08/01 11:01 upstream 3d7cb6b04c3f fef302b1 .config log report info KASAN: out-of-bounds Write in end_buffer_read_sync
ci-upstream-kasan-gce-selinux-root 2022/07/30 18:10 upstream 620725263f42 fef302b1 .config log report info KASAN: out-of-bounds Write in end_buffer_read_sync
ci-upstream-kasan-gce-root 2022/07/29 21:37 upstream 6e2c0490769e fef302b1 .config log report info KASAN: out-of-bounds Write in end_buffer_read_sync
ci-upstream-kasan-gce-root 2022/07/26 19:09 upstream 5de64d44968e 279b89c2 .config log report info KASAN: out-of-bounds Write in end_buffer_read_sync
ci-upstream-kasan-gce-root 2022/07/26 04:45 upstream e0dccc3b76fb 34795c51 .config log report info KASAN: out-of-bounds Write in end_buffer_read_sync
ci-upstream-kasan-gce-selinux-root 2022/07/25 10:26 upstream e0dccc3b76fb 664c519c .config log report info KASAN: out-of-bounds Write in end_buffer_read_sync
ci-upstream-kasan-gce-root 2022/07/23 21:51 upstream 70664fc10c0d 22343af4 .config log report info KASAN: out-of-bounds Write in end_buffer_read_sync
ci-upstream-kasan-gce-selinux-root 2022/07/23 15:59 upstream 70664fc10c0d 22343af4 .config log report info KASAN: out-of-bounds Write in end_buffer_read_sync
ci-upstream-kasan-gce-root 2022/07/22 10:50 upstream 68e77ffbfd06 22343af4 .config log report info KASAN: out-of-bounds Write in end_buffer_read_sync
ci-upstream-kasan-gce-selinux-root 2022/07/21 09:12 upstream 353f7988dd84 6e67af9d .config log report info KASAN: out-of-bounds Write in end_buffer_read_sync
ci-qemu-upstream 2022/07/20 15:06 upstream 4a57a8400075 88cb1383 .config log report info KASAN: out-of-bounds Write in end_buffer_read_sync
ci-upstream-kasan-gce-root 2022/07/18 06:57 upstream ff6992735ade 95cb00d1 .config log report info KASAN: out-of-bounds Write in end_buffer_read_sync
ci-qemu-upstream 2022/07/15 14:43 upstream 4a57a8400075 95cb00d1 .config log report info KASAN: out-of-bounds Write in end_buffer_read_sync
ci-upstream-kasan-gce-root 2022/07/13 23:31 upstream 4a57a8400075 5d921b08 .config log report info KASAN: out-of-bounds Write in end_buffer_read_sync
ci-upstream-kasan-gce-root 2022/07/13 06:25 upstream b047602d579b d91dd8ea .config log report info KASAN: out-of-bounds Write in end_buffer_read_sync
ci-qemu-upstream 2022/07/12 15:28 upstream 5a29232d870d d91dd8ea .config log report info KASAN: out-of-bounds Write in end_buffer_read_sync
ci-upstream-kasan-gce-root 2022/07/12 02:03 upstream 5a29232d870d da3d6955 .config log report info KASAN: out-of-bounds Write in end_buffer_read_sync
ci-qemu-upstream 2022/07/11 12:52 upstream 32346491ddf2 f3f217ff .config log report info KASAN: out-of-bounds Write in end_buffer_read_sync
ci-upstream-kasan-gce-selinux-root 2022/07/10 22:58 upstream d9919d43cbf6 b5765a15 .config log report info KASAN: out-of-bounds Write in end_buffer_read_sync
ci-qemu-upstream 2022/04/24 09:06 upstream 22da5264abf4 131df97d .config log report info KASAN: out-of-bounds Write in end_buffer_read_sync
ci-qemu-upstream 2022/04/21 03:05 upstream b253435746d9 d4befee1 .config log report info KASAN: out-of-bounds Write in end_buffer_read_sync
ci-qemu-upstream-386 2022/08/19 14:11 upstream 4c2d0b039c5c 26a13b38 .config log report info KASAN: out-of-bounds Write in end_buffer_read_sync
ci-qemu-upstream-386 2022/08/02 21:09 upstream 7d0d3fa7339e 1c9013ac .config log report info KASAN: out-of-bounds Write in end_buffer_read_sync
ci-qemu-upstream-386 2022/08/02 00:27 upstream 9de1f9c8ca51 fef302b1 .config log report info KASAN: out-of-bounds Write in end_buffer_read_sync
ci-qemu-upstream-386 2022/07/28 00:17 upstream 4a57a8400075 fb95c74d .config log report info KASAN: out-of-bounds Write in end_buffer_read_sync
ci-qemu-upstream-386 2022/07/25 22:35 upstream 4a57a8400075 34795c51 .config log report info KASAN: out-of-bounds Write in end_buffer_read_sync
ci-qemu-upstream-386 2022/07/18 16:31 upstream 4a57a8400075 ff988920 .config log report info KASAN: out-of-bounds Write in end_buffer_read_sync
ci-qemu-upstream-386 2022/07/13 08:37 upstream b047602d579b 5d921b08 .config log report info KASAN: out-of-bounds Write in end_buffer_read_sync
ci-qemu-upstream-386 2022/07/12 17:45 upstream 5a29232d870d d91dd8ea .config log report info KASAN: out-of-bounds Write in end_buffer_read_sync
ci-qemu-upstream-386 2022/07/12 00:49 upstream 8e59a6a7a4fa da3d6955 .config log report info KASAN: out-of-bounds Write in end_buffer_read_sync
ci-qemu-upstream-386 2022/07/11 08:47 upstream 32346491ddf2 b5765a15 .config log report info KASAN: out-of-bounds Write in end_buffer_read_sync
ci-qemu-upstream-386 2022/07/10 20:15 upstream d9919d43cbf6 b5765a15 .config log report info KASAN: out-of-bounds Write in end_buffer_read_sync
ci-qemu-upstream-386 2022/07/08 21:44 upstream a471da3100ef b5765a15 .config log report info KASAN: out-of-bounds Write in end_buffer_read_sync
ci-upstream-linux-next-kasan-gce-root 2022/08/17 08:09 linux-next 95d10484d66e 4e72d229 .config log report info KASAN: out-of-bounds Write in end_buffer_read_sync
ci-upstream-linux-next-kasan-gce-root 2022/08/04 08:57 linux-next cb71b93c2dc3 1c9013ac .config log report info KASAN: out-of-bounds Write in end_buffer_read_sync
ci-upstream-linux-next-kasan-gce-root 2022/07/31 18:20 linux-next cb71b93c2dc3 fef302b1 .config log report info KASAN: out-of-bounds Write in end_buffer_read_sync
ci-upstream-linux-next-kasan-gce-root 2022/07/23 12:06 linux-next cb71b93c2dc3 22343af4 .config log report info KASAN: out-of-bounds Write in end_buffer_read_sync
ci-upstream-linux-next-kasan-gce-root 2022/07/15 22:09 linux-next cb71b93c2dc3 95cb00d1 .config log report info KASAN: out-of-bounds Write in end_buffer_read_sync
ci-qemu-upstream 2022/09/21 04:03 upstream 60891ec99e14 c4b8ccfd .config log report info KASAN: stack-out-of-bounds Write in end_buffer_read_sync
ci-upstream-kasan-gce-root 2022/09/19 03:14 upstream 38eddeedbbea dd9a85ff .config log report info KASAN: stack-out-of-bounds Write in end_buffer_read_sync
ci-upstream-kasan-gce-smack-root 2022/07/13 01:40 upstream 72a8e05d4f66 d91dd8ea .config log report info KASAN: stack-out-of-bounds Write in end_buffer_read_sync
ci-qemu-upstream-386 2022/09/15 16:28 upstream 3245cb65fd91 dd9a85ff .config log report info KASAN: stack-out-of-bounds Write in end_buffer_read_sync
ci-qemu-upstream-386 2022/09/01 12:38 upstream c5e4d5e99162 b01ec571 .config log report info KASAN: stack-out-of-bounds Write in end_buffer_read_sync
ci-upstream-linux-next-kasan-gce-root 2022/08/02 01:49 linux-next cb71b93c2dc3 fef302b1 .config log report info KASAN: stack-out-of-bounds Write in end_buffer_read_sync
ci-upstream-linux-next-kasan-gce-root 2022/07/21 23:01 linux-next cb71b93c2dc3 5e6028b9 .config log report info KASAN: stack-out-of-bounds Write in end_buffer_read_sync
* Struck through repros no longer work on HEAD.