syzbot


KASAN: use-after-free Read in ntfs_test_inode
Status: upstream: reported on 2021/05/17 10:56
Reported-by: syzbot+2751da923b5eb8307b0b@syzkaller.appspotmail.com
First crash: 406d, last: 2d22h
similar bugs (5):
| Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|
| linux-4.14 | KASAN: slab-out-of-bounds Read in ntfs_test_inode | | | | 1 | 101d | 101d | 0/1 | upstream: reported on 2022/02/16 22:11 |
| upstream | KMSAN: uninit-value in udf_evict_inode (2) | | | | 13 | 113d | 166d | 22/22 | fixed on 2022/03/08 16:11 |
| upstream | KMSAN: uninit-value in ext4_inode_journal_mode (2) | | | | 115 | 3d12h | 141d | 0/22 | upstream: reported on 2022/01/07 15:40 |
| upstream | KASAN: slab-out-of-bounds Read in ntfs_iget5 | | | | 8 | 9h39m | 36d | 0/22 | upstream: reported on 2022/04/22 13:07 |
| upstream | KMSAN: uninit-value in nf_nat_setup_info (2) | C | | | 764 | 61d | 141d | 0/22 | upstream: reported C repro on 2022/01/07 16:51 |

Sample crash report:
loop2: detected capacity change from 0 to 8189
ntfs: volume version 3.1.
==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:71 [inline]
BUG: KASAN: use-after-free in test_bit include/asm-generic/bitops/instrumented-non-atomic.h:134 [inline]
BUG: KASAN: use-after-free in NInoAttr fs/ntfs/inode.h:200 [inline]
BUG: KASAN: use-after-free in ntfs_test_inode+0x7b/0x2d0 fs/ntfs/inode.c:55
Read of size 8 at addr ffff888048b82d20 by task syz-executor.2/2404

CPU: 0 PID: 2404 Comm: syz-executor.2 Not tainted 5.18.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
 print_address_description+0x65/0x4b0 mm/kasan/report.c:313
 print_report+0xf4/0x210 mm/kasan/report.c:429
 kasan_report+0xfb/0x130 mm/kasan/report.c:491
 kasan_check_range+0x2a7/0x2e0 mm/kasan/generic.c:189
 instrument_atomic_read include/linux/instrumented.h:71 [inline]
 test_bit include/asm-generic/bitops/instrumented-non-atomic.h:134 [inline]
 NInoAttr fs/ntfs/inode.h:200 [inline]
 ntfs_test_inode+0x7b/0x2d0 fs/ntfs/inode.c:55
 find_inode+0x19c/0x4d0 fs/inode.c:915
 ilookup5_nowait fs/inode.c:1425 [inline]
 ilookup5+0x9d/0x1f0 fs/inode.c:1454
 iget5_locked+0x33/0x270 fs/inode.c:1235
 ntfs_iget+0xc0/0x190 fs/ntfs/inode.c:168
 load_and_check_logfile+0x3f/0xd0 fs/ntfs/super.c:1208
 load_system_files+0x30cc/0x4620 fs/ntfs/super.c:1941
 ntfs_fill_super+0x19c4/0x2c00 fs/ntfs/super.c:2891
 mount_bdev+0x26c/0x3a0 fs/super.c:1367
 legacy_get_tree+0xea/0x180 fs/fs_context.c:610
 vfs_get_tree+0x88/0x270 fs/super.c:1497
 do_new_mount+0x289/0xad0 fs/namespace.c:3040
 do_mount fs/namespace.c:3383 [inline]
 __do_sys_mount fs/namespace.c:3591 [inline]
 __se_sys_mount+0x2e3/0x3d0 fs/namespace.c:3568
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7ff8f008a61a
Code: 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ff8f12aef88 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000020000200 RCX: 00007ff8f008a61a
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ff8f12aefe0
RBP: 00007ff8f12af020 R08: 00007ff8f12af020 R09: 0000000020000000
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000020000000
R13: 0000000020000100 R14: 00007ff8f12aefe0 R15: 000000002007dc00
 </TASK>

Allocated by task 30558:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:436 [inline]
 __kasan_slab_alloc+0xb2/0xe0 mm/kasan/common.c:469
 kasan_slab_alloc include/linux/kasan.h:224 [inline]
 slab_post_alloc_hook mm/slab.h:749 [inline]
 slab_alloc_node mm/slub.c:3217 [inline]
 slab_alloc mm/slub.c:3225 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3232 [inline]
 kmem_cache_alloc_lru+0x175/0x2d0 mm/slub.c:3249
 alloc_inode_sb include/linux/fs.h:2966 [inline]
 reiserfs_alloc_inode+0x23/0xc0 fs/reiserfs/super.c:642
 alloc_inode fs/inode.c:260 [inline]
 new_inode_pseudo+0x61/0x210 fs/inode.c:1018
 new_inode+0x25/0x1d0 fs/inode.c:1047
 reiserfs_mkdir+0x1bc/0x8e0 fs/reiserfs/namei.c:813
 xattr_mkdir fs/reiserfs/xattr.c:76 [inline]
 create_privroot fs/reiserfs/xattr.c:889 [inline]
 reiserfs_xattr_init+0x34b/0x730 fs/reiserfs/xattr.c:1012
 reiserfs_fill_super+0x2206/0x2620 fs/reiserfs/super.c:2177
 mount_bdev+0x26c/0x3a0 fs/super.c:1367
 legacy_get_tree+0xea/0x180 fs/fs_context.c:610
 vfs_get_tree+0x88/0x270 fs/super.c:1497
 do_new_mount+0x289/0xad0 fs/namespace.c:3040
 do_mount fs/namespace.c:3383 [inline]
 __do_sys_mount fs/namespace.c:3591 [inline]
 __se_sys_mount+0x2e3/0x3d0 fs/namespace.c:3568
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Last potentially related work creation:
 kasan_save_stack+0x3b/0x60 mm/kasan/common.c:38
 __kasan_record_aux_stack+0xaf/0xc0 mm/kasan/generic.c:348
 call_rcu+0x163/0x9c0 kernel/rcu/tree.c:3074
 reiserfs_new_inode+0x76d/0x1d10 fs/reiserfs/inode.c:2164
 reiserfs_mkdir+0x59e/0x8e0 fs/reiserfs/namei.c:843
 xattr_mkdir fs/reiserfs/xattr.c:76 [inline]
 create_privroot fs/reiserfs/xattr.c:889 [inline]
 reiserfs_xattr_init+0x34b/0x730 fs/reiserfs/xattr.c:1012
 reiserfs_fill_super+0x2206/0x2620 fs/reiserfs/super.c:2177
 mount_bdev+0x26c/0x3a0 fs/super.c:1367
 legacy_get_tree+0xea/0x180 fs/fs_context.c:610
 vfs_get_tree+0x88/0x270 fs/super.c:1497
 do_new_mount+0x289/0xad0 fs/namespace.c:3040
 do_mount fs/namespace.c:3383 [inline]
 __do_sys_mount fs/namespace.c:3591 [inline]
 __se_sys_mount+0x2e3/0x3d0 fs/namespace.c:3568
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff888048b827c0
 which belongs to the cache reiser_inode_cache of size 1568
The buggy address is located 1376 bytes inside of
 1568-byte region [ffff888048b827c0, ffff888048b82de0)

The buggy address belongs to the physical page:
page:ffffea000122e000 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888048b827c0 pfn:0x48b80
head:ffffea000122e000 order:3 compound_mapcount:0 compound_pincount:0
memcg:ffff88807a56c801
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 0000000000000000 dead000000000122 ffff888147835c80
raw: ffff888048b827c0 0000000080130010 00000001ffffffff ffff88807a56c801
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Reclaimable, gfp_mask 0x1d20d0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 8632, tgid 8629 (syz-executor.5), ts 283171094014, free_ts 281605266633
 prep_new_page mm/page_alloc.c:2441 [inline]
 get_page_from_freelist+0x72e/0x7a0 mm/page_alloc.c:4182
 __alloc_pages+0x26c/0x5f0 mm/page_alloc.c:5408
 alloc_slab_page+0x70/0xf0 mm/slub.c:1799
 allocate_slab+0x5e/0x560 mm/slub.c:1944
 new_slab mm/slub.c:2004 [inline]
 ___slab_alloc+0x41e/0xcd0 mm/slub.c:3005
 __slab_alloc mm/slub.c:3092 [inline]
 slab_alloc_node mm/slub.c:3183 [inline]
 slab_alloc mm/slub.c:3225 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3232 [inline]
 kmem_cache_alloc_lru+0x221/0x2d0 mm/slub.c:3249
 alloc_inode_sb include/linux/fs.h:2966 [inline]
 reiserfs_alloc_inode+0x23/0xc0 fs/reiserfs/super.c:642
 alloc_inode fs/inode.c:260 [inline]
 iget5_locked+0x9c/0x270 fs/inode.c:1238
 reiserfs_fill_super+0x12e7/0x2620 fs/reiserfs/super.c:2055
 mount_bdev+0x26c/0x3a0 fs/super.c:1367
 legacy_get_tree+0xea/0x180 fs/fs_context.c:610
 vfs_get_tree+0x88/0x270 fs/super.c:1497
 do_new_mount+0x289/0xad0 fs/namespace.c:3040
 do_mount fs/namespace.c:3383 [inline]
 __do_sys_mount fs/namespace.c:3591 [inline]
 __se_sys_mount+0x2e3/0x3d0 fs/namespace.c:3568
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1356 [inline]
 free_pcp_prepare+0x812/0x900 mm/page_alloc.c:1406
 free_unref_page_prepare mm/page_alloc.c:3328 [inline]
 free_unref_page+0x7d/0x390 mm/page_alloc.c:3423
 do_slab_free mm/slub.c:3498 [inline]
 ___cache_free+0x118/0x1a0 mm/slub.c:3517
 qlist_free_all+0x2b/0x70 mm/kasan/quarantine.c:176
 kasan_quarantine_reduce+0x169/0x180 mm/kasan/quarantine.c:283
 __kasan_slab_alloc+0x2f/0xe0 mm/kasan/common.c:446
 kasan_slab_alloc include/linux/kasan.h:224 [inline]
 slab_post_alloc_hook mm/slab.h:749 [inline]
 slab_alloc_node mm/slub.c:3217 [inline]
 slab_alloc mm/slub.c:3225 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3232 [inline]
 kmem_cache_alloc+0x199/0x2f0 mm/slub.c:3242
 getname_flags+0xb8/0x4e0 fs/namei.c:138
 do_sys_openat2+0xd2/0x500 fs/open.c:1207
 do_sys_open fs/open.c:1229 [inline]
 __do_sys_openat fs/open.c:1245 [inline]
 __se_sys_openat fs/open.c:1240 [inline]
 __x64_sys_openat+0x243/0x290 fs/open.c:1240
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Memory state around the buggy address:
 ffff888048b82c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888048b82c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888048b82d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                               ^
 ffff888048b82d80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
 ffff888048b82e00: fc fc fc fc fc fc fc fc fc fc fc fc 00 00 00 00
==================================================================

Crashes (35):
| Manager | Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|
| ci-upstream-kasan-gce-smack-root | 2022/05/16 06:37 | upstream | 42226c989789 | 744a39e2 | .config | log | report | | | info | KASAN: use-after-free Read in ntfs_test_inode |
| ci-upstream-kasan-gce-smack-root | 2022/05/05 00:33 | upstream | a7391ad35724 | dc9e5259 | .config | log | report | | | info | KASAN: use-after-free Read in ntfs_test_inode |
| ci-upstream-kasan-gce-root | 2022/04/23 18:37 | upstream | 13bc32bad705 | 131df97d | .config | log | report | | | info | KASAN: use-after-free Read in ntfs_test_inode |
| ci-upstream-kasan-gce-smack-root | 2022/04/09 17:47 | upstream | f1b45d8ccb98 | e22c3da3 | .config | log | report | | | info | KASAN: use-after-free Read in ntfs_test_inode |
| ci-upstream-kasan-gce-smack-root | 2022/03/25 17:05 | upstream | 34af78c4e616 | 89bc8608 | .config | log | report | | | info | KASAN: use-after-free Read in ntfs_test_inode |
| ci-upstream-kasan-gce-smack-root | 2022/03/16 18:10 | upstream | 56e337f2cf13 | dfa9a8ed | .config | log | report | | | info | KASAN: use-after-free Read in ntfs_test_inode |
| ci-upstream-kasan-gce-smack-root | 2022/02/26 23:05 | upstream | 2c8c230edab5 | 45a13a73 | .config | log | report | | | info | KASAN: use-after-free Read in ntfs_test_inode |
| ci-upstream-kasan-gce-smack-root | 2022/02/05 09:10 | upstream | 0457e5153e0e | a7dab638 | .config | log | report | | | info | KASAN: use-after-free Read in ntfs_test_inode |
| ci-upstream-kasan-gce-smack-root | 2022/01/31 10:45 | upstream | 26291c54e111 | 6b7c57fe | .config | log | report | | | info | KASAN: use-after-free Read in ntfs_test_inode |
| ci-upstream-kasan-gce-smack-root | 2022/01/13 21:51 | upstream | 455e73a07f6e | b8d780ab | .config | log | report | | | info | KASAN: use-after-free Read in ntfs_test_inode |
| ci-upstream-kasan-gce-smack-root | 2021/12/23 22:11 | upstream | 76657eaef4a7 | 6caa12e4 | .config | log | report | | | info | KASAN: use-after-free Read in ntfs_test_inode |
| ci-upstream-kasan-gce-smack-root | 2021/10/28 04:33 | upstream | 1fc596a56b33 | be531bb4 | .config | log | report | | | info | KASAN: use-after-free Read in ntfs_test_inode |
| ci-upstream-kasan-gce-smack-root | 2021/07/06 11:46 | upstream | 3dbdb38e2869 | 6c4484eb | .config | log | report | | | info | KASAN: use-after-free Read in ntfs_test_inode |
| ci-upstream-kasan-gce-smack-root | 2021/06/19 04:10 | upstream | b1edae0d5f2e | aba2b2fb | .config | log | report | | | info | KASAN: use-after-free Read in ntfs_test_inode |
| ci-upstream-kasan-gce-smack-root | 2021/04/17 10:24 | upstream | 9cdbf6467424 | 7e2b734b | .config | log | report | | | info | KASAN: use-after-free Read in ntfs_test_inode |
| ci-upstream-linux-next-kasan-gce-root | 2022/05/08 18:27 | linux-next | 38a288f5941e | e60b1103 | .config | log | report | | | info | KASAN: use-after-free Read in ntfs_test_inode |
| ci-upstream-linux-next-kasan-gce-root | 2022/02/10 14:08 | linux-next | ef6b35306dd8 | 0b33604d | .config | log | report | | | info | KASAN: use-after-free Read in ntfs_test_inode |
| ci-upstream-kasan-gce-smack-root | 2022/05/26 01:46 | upstream | 7e062cda7d90 | 3037caa9 | .config | log | report | | | info | KASAN: slab-out-of-bounds Read in ntfs_test_inode |
| ci-upstream-kasan-gce-smack-root | 2022/05/04 22:31 | upstream | a7391ad35724 | dc9e5259 | .config | log | report | | | info | KASAN: slab-out-of-bounds Read in ntfs_test_inode |
| ci-upstream-kasan-gce-smack-root | 2022/03/24 01:12 | upstream | 1bc191051dca | 5ff41e94 | .config | log | report | | | info | KASAN: slab-out-of-bounds Read in ntfs_test_inode |
| ci-upstream-kasan-gce-smack-root | 2022/01/08 07:28 | upstream | d1587f7bfe9a | 2ca0d385 | .config | log | report | | | info | KASAN: slab-out-of-bounds Read in ntfs_test_inode |
| ci-upstream-kasan-gce-smack-root | 2021/11/21 22:41 | upstream | 40c93d7fff6f | 4eb20a4e | .config | log | report | | | info | KASAN: slab-out-of-bounds Read in ntfs_test_inode |
| ci-upstream-kasan-gce-smack-root | 2021/10/08 23:09 | upstream | 741668ef7832 | efe0f24d | .config | log | report | | | info | KASAN: slab-out-of-bounds Read in ntfs_test_inode |
| ci-upstream-kasan-gce-smack-root | 2021/09/21 14:16 | upstream | d9fb678414c0 | 169724fe | .config | log | report | | | info | KASAN: slab-out-of-bounds Read in ntfs_test_inode |
| ci-upstream-kasan-gce-smack-root | 2021/07/18 10:50 | upstream | 1d67c8d993ba | f115ae98 | .config | log | report | | | info | KASAN: slab-out-of-bounds Read in ntfs_test_inode |
| ci-upstream-kasan-gce-smack-root | 2021/06/17 14:17 | upstream | 70585216fe77 | aba2b2fb | .config | log | report | | | info | KASAN: slab-out-of-bounds Read in ntfs_test_inode |
| ci-upstream-kasan-gce-smack-root | 2021/04/22 11:07 | upstream | 16fc44d6387e | 33c28d03 | .config | log | report | | | info | KASAN: slab-out-of-bounds Read in ntfs_test_inode |
| ci-upstream-kmsan-gce-386 | 2022/05/24 03:30 | https://github.com/google/kmsan.git master | c5c93da9af13 | e7f9308d | .config | log | report | | | info | KMSAN: uninit-value in ntfs_test_inode |
| ci-upstream-kmsan-gce-386 | 2022/05/19 15:28 | https://github.com/google/kmsan.git master | c5c93da9af13 | 50c53f39 | .config | log | report | | | info | KMSAN: uninit-value in ntfs_test_inode |
| ci-upstream-kmsan-gce-386 | 2022/05/18 21:47 | https://github.com/google/kmsan.git master | c5c93da9af13 | 50c53f39 | .config | log | report | | | info | KMSAN: uninit-value in ntfs_test_inode |
| ci-upstream-kmsan-gce-386 | 2021/08/05 22:05 | https://github.com/google/kmsan.git master | ee9407ea37bf | d2d6e680 | .config | log | report | | | info | KMSAN: uninit-value in ntfs_test_inode |
| ci-upstream-kmsan-gce-386 | 2021/08/05 09:44 | https://github.com/google/kmsan.git master | 925ba2a2a2fd | 7f7bb950 | .config | log | report | | | info | KMSAN: uninit-value in ntfs_test_inode |
| ci-upstream-kmsan-gce-386 | 2021/08/04 20:09 | https://github.com/google/kmsan.git master | b87ff0bc1209 | b97d64c9 | .config | log | report | | | info | KMSAN: uninit-value in ntfs_test_inode |
| ci-upstream-kmsan-gce-386 | 2021/07/28 01:07 | https://github.com/google/kmsan.git master | 981c4ec7b5ad | 17d6ab15 | .config | log | report | | | info | KMSAN: uninit-value in ntfs_test_inode |
| ci-upstream-kmsan-gce-386 | 2021/07/19 16:24 | https://github.com/google/kmsan.git master | 4edbed3bb57c | e6a17580 | .config | log | report | | | info | KMSAN: uninit-value in ntfs_test_inode |