KASAN: use-after-free Read in ntfs_test

KASAN: use-after-free Read in ntfs_test_inode
Status: upstream: reported on 2021/05/17 10:56
Reported-by: syzbot+2751da923b5eb8307b0b@syzkaller.appspotmail.com
First crash: 98d, last: 4d22h

Sample crash report:

loop2: detected capacity change from 0 to 8189
ntfs: volume version 3.1.
==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:71 [inline]
BUG: KASAN: use-after-free in test_bit include/asm-generic/bitops/instrumented-non-atomic.h:134 [inline]
BUG: KASAN: use-after-free in NInoAttr fs/ntfs/inode.h:200 [inline]
BUG: KASAN: use-after-free in ntfs_test_inode+0x7b/0x2d0 fs/ntfs/inode.c:55
Read of size 8 at addr ffff88807c5910d8 by task syz-executor.2/22921

CPU: 1 PID: 22921 Comm: syz-executor.2 Tainted: G        W         5.13.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack_lvl+0x1ae/0x29f lib/dump_stack.c:96
 print_address_description+0x66/0x3b0 mm/kasan/report.c:233
 __kasan_report mm/kasan/report.c:419 [inline]
 kasan_report+0x163/0x210 mm/kasan/report.c:436
 check_region_inline mm/kasan/generic.c:135 [inline]
 kasan_check_range+0x2b5/0x2f0 mm/kasan/generic.c:189
 instrument_atomic_read include/linux/instrumented.h:71 [inline]
 test_bit include/asm-generic/bitops/instrumented-non-atomic.h:134 [inline]
 NInoAttr fs/ntfs/inode.h:200 [inline]
 ntfs_test_inode+0x7b/0x2d0 fs/ntfs/inode.c:55
 find_inode+0x19c/0x4b0 fs/inode.c:831
 ilookup5_nowait fs/inode.c:1341 [inline]
 ilookup5+0x9d/0x1f0 fs/inode.c:1370
 iget5_locked+0x30/0x3d0 fs/inode.c:1151
 ntfs_iget+0xc0/0x190 fs/ntfs/inode.c:168
 load_and_check_logfile fs/ntfs/super.c:1208 [inline]
 load_system_files fs/ntfs/super.c:1941 [inline]
 ntfs_fill_super+0x3d34/0x5f20 fs/ntfs/super.c:2893
 mount_bdev+0x26c/0x3a0 fs/super.c:1368
 legacy_get_tree+0xea/0x180 fs/fs_context.c:592
 vfs_get_tree+0x86/0x270 fs/super.c:1498
 do_new_mount fs/namespace.c:2905 [inline]
 path_mount+0x196f/0x2be0 fs/namespace.c:3235
 do_mount fs/namespace.c:3248 [inline]
 __do_sys_mount fs/namespace.c:3456 [inline]
 __se_sys_mount+0x2f9/0x3b0 fs/namespace.c:3433
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x467afa
Code: 48 c7 c2 bc ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f29b4ab6fa8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000020000200 RCX: 0000000000467afa
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007f29b4ab7000
RBP: 00007f29b4ab7040 R08: 00007f29b4ab7040 R09: 0000000020000000
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000020000000
R13: 0000000020000100 R14: 00007f29b4ab7000 R15: 000000002007dc00

Allocated by task 12738:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 __kasan_slab_alloc+0x96/0xd0 mm/kasan/common.c:467
 kasan_slab_alloc include/linux/kasan.h:253 [inline]
 slab_post_alloc_hook mm/slab.h:512 [inline]
 slab_alloc_node mm/slub.c:2970 [inline]
 slab_alloc mm/slub.c:2978 [inline]
 kmem_cache_alloc+0x1d1/0x340 mm/slub.c:2983
 reiserfs_alloc_inode+0x19/0xb0 fs/reiserfs/super.c:642
 alloc_inode fs/inode.c:233 [inline]
 new_inode_pseudo+0x61/0x220 fs/inode.c:934
 new_inode+0x25/0x1d0 fs/inode.c:963
 reiserfs_mkdir+0x18d/0x8c0 fs/reiserfs/namei.c:813
 xattr_mkdir fs/reiserfs/xattr.c:76 [inline]
 create_privroot fs/reiserfs/xattr.c:889 [inline]
 reiserfs_xattr_init+0x34b/0x730 fs/reiserfs/xattr.c:1012
 reiserfs_fill_super+0x2b67/0x3240 fs/reiserfs/super.c:2177
 mount_bdev+0x26c/0x3a0 fs/super.c:1368
 legacy_get_tree+0xea/0x180 fs/fs_context.c:592
 vfs_get_tree+0x86/0x270 fs/super.c:1498
 do_new_mount fs/namespace.c:2905 [inline]
 path_mount+0x196f/0x2be0 fs/namespace.c:3235
 do_mount fs/namespace.c:3248 [inline]
 __do_sys_mount fs/namespace.c:3456 [inline]
 __se_sys_mount+0x2f9/0x3b0 fs/namespace.c:3433
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Last potentially related work creation:
 kasan_save_stack+0x27/0x50 mm/kasan/common.c:38
 kasan_record_aux_stack+0xee/0x120 mm/kasan/generic.c:348
 __call_rcu kernel/rcu/tree.c:3038 [inline]
 call_rcu+0x1a0/0xa20 kernel/rcu/tree.c:3113
 reiserfs_new_inode+0x75d/0x2830 fs/reiserfs/inode.c:2164
 reiserfs_mkdir+0x572/0x8c0 fs/reiserfs/namei.c:843
 xattr_mkdir fs/reiserfs/xattr.c:76 [inline]
 create_privroot fs/reiserfs/xattr.c:889 [inline]
 reiserfs_xattr_init+0x34b/0x730 fs/reiserfs/xattr.c:1012
 reiserfs_fill_super+0x2b67/0x3240 fs/reiserfs/super.c:2177
 mount_bdev+0x26c/0x3a0 fs/super.c:1368
 legacy_get_tree+0xea/0x180 fs/fs_context.c:592
 vfs_get_tree+0x86/0x270 fs/super.c:1498
 do_new_mount fs/namespace.c:2905 [inline]
 path_mount+0x196f/0x2be0 fs/namespace.c:3235
 do_mount fs/namespace.c:3248 [inline]
 __do_sys_mount fs/namespace.c:3456 [inline]
 __se_sys_mount+0x2f9/0x3b0 fs/namespace.c:3433
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff88807c590c10
 which belongs to the cache reiser_inode_cache of size 1416
The buggy address is located 1224 bytes inside of
 1416-byte region [ffff88807c590c10, ffff88807c591198)
The buggy address belongs to the page:
page:ffffea0001f16400 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88807c590c10 pfn:0x7c590
head:ffffea0001f16400 order:3 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 0000000000000000 dead000000000122 ffff88801c7beb40
raw: ffff88807c590c10 0000000080150014 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Reclaimable, gfp_mask 0xd20d0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_RECLAIMABLE), pid 12685, ts 165095558724, free_ts 0
 prep_new_page mm/page_alloc.c:2445 [inline]
 get_page_from_freelist+0x779/0xa30 mm/page_alloc.c:4178
 __alloc_pages+0x26c/0x5f0 mm/page_alloc.c:5386
 alloc_slab_page mm/slub.c:1702 [inline]
 allocate_slab+0xf1/0x540 mm/slub.c:1842
 new_slab mm/slub.c:1905 [inline]
 new_slab_objects mm/slub.c:2651 [inline]
 ___slab_alloc+0x1cf/0x350 mm/slub.c:2814
 __slab_alloc mm/slub.c:2854 [inline]
 slab_alloc_node mm/slub.c:2936 [inline]
 slab_alloc mm/slub.c:2978 [inline]
 kmem_cache_alloc+0x299/0x340 mm/slub.c:2983
 reiserfs_alloc_inode+0x19/0xb0 fs/reiserfs/super.c:642
 alloc_inode fs/inode.c:233 [inline]
 iget5_locked+0x9e/0x3d0 fs/inode.c:1154
 reiserfs_fill_super+0x141d/0x3240 fs/reiserfs/super.c:2063
 mount_bdev+0x26c/0x3a0 fs/super.c:1368
 legacy_get_tree+0xea/0x180 fs/fs_context.c:592
 vfs_get_tree+0x86/0x270 fs/super.c:1498
 do_new_mount fs/namespace.c:2905 [inline]
 path_mount+0x196f/0x2be0 fs/namespace.c:3235
 do_mount fs/namespace.c:3248 [inline]
 __do_sys_mount fs/namespace.c:3456 [inline]
 __se_sys_mount+0x2f9/0x3b0 fs/namespace.c:3433
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
page_owner free stack trace missing

Memory state around the buggy address:
 ffff88807c590f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88807c591000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88807c591080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                    ^
 ffff88807c591100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88807c591180: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Crashes (7):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	VM info	Title
ci-upstream-kasan-gce-smack-root	2021/07/06 11:46	upstream	3dbdb38e2869	6c4484eb	.config	log	report	info	KASAN: use-after-free Read in ntfs_test_inode
ci-upstream-kasan-gce-smack-root	2021/06/19 04:10	upstream	b1edae0d5f2e	aba2b2fb	.config	log	report	info	KASAN: use-after-free Read in ntfs_test_inode
ci-upstream-kasan-gce-smack-root	2021/04/17 10:24	upstream	9cdbf6467424	7e2b734b	.config	log	report	info	KASAN: use-after-free Read in ntfs_test_inode
ci-upstream-kasan-gce-smack-root	2021/07/18 10:50	upstream	1d67c8d993ba	f115ae98	.config	log	report	info	KASAN: slab-out-of-bounds Read in ntfs_test_inode
ci-upstream-kasan-gce-smack-root	2021/06/17 14:17	upstream	70585216fe77	aba2b2fb	.config	log	report	info	KASAN: slab-out-of-bounds Read in ntfs_test_inode
ci-upstream-kasan-gce-smack-root	2021/04/22 11:07	upstream	16fc44d6387e	33c28d03	.config	log	report	info	KASAN: slab-out-of-bounds Read in ntfs_test_inode
ci-upstream-kmsan-gce-386	2021/07/19 16:24	https://github.com/google/kmsan.git master	4edbed3bb57c	e6a17580	.config	log	report	info	KMSAN: uninit-value in ntfs_test_inode