syzbot


KASAN: use-after-free Read in ntfs_lookup_inode_by_name

Status: upstream: reported C repro on 2022/12/30 07:25
Subsystems: ntfs3
Reported-by: syzbot+3625b78845a725e80f61@syzkaller.appspotmail.com
First crash: 430d, last: 41d
Cause bisection: failed (error log, bisect log)
Fix bisection: fixed by (bisect log):
commit 6f861765464f43a71462d52026fbddfc858239a5
Author: Jan Kara <jack@suse.cz>
Date: Wed Nov 1 17:43:10 2023 +0000

  fs: Block writes to mounted block devices

Discussions (3)
Title Replies (including bot) Last reply
[syzbot] [ntfs?] KASAN: use-after-free Read in ntfs_lookup_inode_by_name 0 (2) 2024/02/27 01:09
[syzbot] Monthly ntfs report (May 2023) 0 (1) 2023/05/02 07:18
[syzbot] Monthly ntfs report 0 (1) 2023/03/31 15:00
Similar bugs (3)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-6.1 KASAN: use-after-free Read in ntfs_lookup_inode_by_name origin:upstream C 2 27d 291d 0/3 upstream: reported C repro on 2023/05/14 03:12
linux-5.15 KASAN: use-after-free Read in ntfs_lookup_inode_by_name origin:upstream C error 6 80d 323d 0/3 upstream: reported C repro on 2023/04/12 03:50
linux-4.19 KASAN: use-after-free Read in ntfs_lookup_inode_by_name ntfs C error 1 418d 418d 0/1 upstream: reported C repro on 2023/01/07 03:24
Last patch testing requests (10)
Created Duration User Patch Repo Result
2024/02/18 05:52 25m retest repro upstream OK log
2024/02/04 01:08 25m retest repro git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci OK log
2024/02/02 01:51 41m retest repro upstream OK log
2024/02/02 01:51 19m retest repro upstream OK log
2023/12/29 06:34 15m retest repro upstream report log
2023/12/29 06:34 16m retest repro upstream report log
2023/12/29 06:34 14m retest repro upstream report log
2023/12/29 06:11 22m retest repro linux-next OK log
2023/12/09 12:18 22m retest repro upstream report log
2023/12/09 12:15 14m retest repro upstream report log
Fix bisection attempts (4)
Created Duration User Patch Repo Result
2024/02/26 20:13 4h55m bisect fix upstream job log (1)
2023/06/12 11:21 46m bisect fix upstream job log (0) log
2023/03/20 16:54 47m bisect fix upstream job log (0) log
2023/02/01 20:05 46m bisect fix upstream job log (0) log

Sample crash report:
ntfs: volume version 3.1.
==================================================================
BUG: KASAN: use-after-free in sle64_to_cpup fs/ntfs/endian.h:46 [inline]
BUG: KASAN: use-after-free in ntfs_lookup_inode_by_name+0x2fe2/0x3120 fs/ntfs/dir.c:292
Read of size 8 at addr ffff88807348755a by task syz-executor340/5062

CPU: 1 PID: 5062 Comm: syz-executor340 Not tainted 6.7.0-rc5-syzkaller-00125-gc7402612e2e6 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:364 [inline]
 print_report+0xc4/0x620 mm/kasan/report.c:475
 kasan_report+0xda/0x110 mm/kasan/report.c:588
 sle64_to_cpup fs/ntfs/endian.h:46 [inline]
 ntfs_lookup_inode_by_name+0x2fe2/0x3120 fs/ntfs/dir.c:292
 check_windows_hibernation_status fs/ntfs/super.c:1282 [inline]
 load_system_files fs/ntfs/super.c:1997 [inline]
 ntfs_fill_super+0x4622/0x9100 fs/ntfs/super.c:2900
 mount_bdev+0x1f3/0x2e0 fs/super.c:1650
 legacy_get_tree+0x109/0x220 fs/fs_context.c:662
 vfs_get_tree+0x8c/0x370 fs/super.c:1771
 do_new_mount fs/namespace.c:3337 [inline]
 path_mount+0x1492/0x1ed0 fs/namespace.c:3664
 do_mount fs/namespace.c:3677 [inline]
 __do_sys_mount fs/namespace.c:3886 [inline]
 __se_sys_mount fs/namespace.c:3863 [inline]
 __x64_sys_mount+0x293/0x310 fs/namespace.c:3863
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f2a7638e46a
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff678e6678 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f2a7638e46a
RDX: 000000002001ec80 RSI: 000000002001ecc0 RDI: 00007fff678e66c0
RBP: 0000000000000004 R08: 00007fff678e6700 R09: 000000000001ec63
R10: 0000000000000000 R11: 0000000000000286 R12: 00007fff678e66c0
R13: 00007fff678e6700 R14: 0000000000200000 R15: 0000000000000003
 </TASK>

The buggy address belongs to the physical page:
page:ffffea0001cd21c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x73487
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000000 dead000000000100 dead000000000122 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 5050, tgid 5050 (sshd), ts 68024552059, free_ts 68078141414
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x2d0/0x350 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1544 [inline]
 get_page_from_freelist+0xa25/0x36d0 mm/page_alloc.c:3312
 __alloc_pages+0x22e/0x2420 mm/page_alloc.c:4568
 alloc_pages_mpol+0x258/0x5f0 mm/mempolicy.c:2133
 vma_alloc_folio+0xad/0x220 mm/mempolicy.c:2172
 do_anonymous_page mm/memory.c:4172 [inline]
 do_pte_missing mm/memory.c:3729 [inline]
 handle_pte_fault mm/memory.c:5039 [inline]
 __handle_mm_fault+0xe07/0x3d70 mm/memory.c:5180
 handle_mm_fault+0x47a/0xa10 mm/memory.c:5345
 do_user_addr_fault+0x30b/0x1000 arch/x86/mm/fault.c:1364
 handle_page_fault arch/x86/mm/fault.c:1505 [inline]
 exc_page_fault+0x5d/0xc0 arch/x86/mm/fault.c:1561
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:570
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1137 [inline]
 free_unref_page_prepare+0x4fa/0xaa0 mm/page_alloc.c:2347
 free_unref_page_list+0xe6/0xb40 mm/page_alloc.c:2533
 release_pages+0x32a/0x14f0 mm/swap.c:1042
 tlb_batch_pages_flush+0x9a/0x190 mm/mmu_gather.c:98
 tlb_flush_mmu_free mm/mmu_gather.c:293 [inline]
 tlb_flush_mmu mm/mmu_gather.c:300 [inline]
 tlb_finish_mmu+0x14b/0x6f0 mm/mmu_gather.c:392
 unmap_region.constprop.0+0x2e6/0x3b0 mm/mmap.c:2341
 do_vmi_align_munmap+0xde6/0x1600 mm/mmap.c:2657
 do_vmi_munmap+0x20e/0x450 mm/mmap.c:2725
 __vm_munmap+0x144/0x390 mm/mmap.c:3012
 __do_sys_munmap mm/mmap.c:3029 [inline]
 __se_sys_munmap mm/mmap.c:3026 [inline]
 __x64_sys_munmap+0x62/0x80 mm/mmap.c:3026
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

Memory state around the buggy address:
 ffff888073487400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888073487480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888073487500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                    ^
 ffff888073487580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888073487600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (15):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2023/12/15 06:10 upstream c7402612e2e6 3222d10c .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-kasan-gce-selinux-root KASAN: use-after-free Read in ntfs_lookup_inode_by_name
2023/09/30 21:58 upstream 9f3ebbef746f 8e26a358 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-kasan-gce-smack-root KASAN: use-after-free Read in ntfs_lookup_inode_by_name
2023/06/18 10:52 upstream 1b29d271614a f3921d4d .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-kasan-gce-smack-root KASAN: use-after-free Read in ntfs_lookup_inode_by_name
2023/06/21 19:50 upstream e660abd551f1 09ffe269 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-kasan-gce-root KASAN: use-after-free Read in ntfs_lookup_inode_by_name
2023/05/13 01:19 upstream cc3c44c9fda2 ecca8a24 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-upstream-fs KASAN: use-after-free Read in ntfs_lookup_inode_by_name
2022/12/26 07:18 upstream 1b929c02afd3 9da18ae8 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-upstream-fs KASAN: use-after-free Read in ntfs_lookup_inode_by_name
2023/08/01 03:09 linux-next ec8939156379 2a0d0f29 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in ntfs_lookup_inode_by_name
2023/05/13 01:22 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 14f8db1c0f9a ecca8a24 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-gce-arm64 KASAN: use-after-free Read in ntfs_lookup_inode_by_name
2024/01/19 01:34 upstream 86c4d58a99ab 21772ce4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in ntfs_lookup_inode_by_name
2023/08/18 19:55 upstream 0e8860d2125f acb1ba71 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in ntfs_lookup_inode_by_name
2023/06/29 15:58 upstream b19edac5992d 134ddc02 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in ntfs_lookup_inode_by_name
2023/04/25 03:11 upstream 1a0beef98b58 65320f8e .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in ntfs_lookup_inode_by_name
2023/02/18 16:53 upstream 38f8ccde04a3 d02e9a70 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in ntfs_lookup_inode_by_name
2023/08/04 13:07 linux-next bdffb18b5dd8 74621247 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in ntfs_lookup_inode_by_name
2023/04/05 21:50 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 59caa87f9dfb 8b834965 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: use-after-free Read in ntfs_lookup_inode_by_name