2022-04-22 18:38:41

by syzbot

[permalink] [raw]
Subject: [syzbot] general protection fault in ntfs_update_mftmirr

Hello,

syzbot found the following issue on:

HEAD commit: b253435746d9 Merge tag 'xtensa-20220416' of https://github..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11588ba2f00000
kernel config: https://syzkaller.appspot.com/x/.config?x=4cdc9619f45633df
dashboard link: https://syzkaller.appspot.com/bug?extid=c95173762127ad76a824
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=175b13c0f00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1502f854f00000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]

loop0: detected capacity change from 0 to 264192
ntfs3: Unknown parameter 'iochvrset'
general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
CPU: 1 PID: 3589 Comm: syz-executor210 Not tainted 5.18.0-rc3-syzkaller-00016-gb253435746d9 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:ntfs_update_mftmirr+0x51/0x6a0 fs/ntfs3/fsntfs.c:834
Code: 48 c1 e8 03 80 3c 18 00 74 08 4c 89 f7 e8 47 d4 13 ff 49 8b 06 48 89 44 24 18 48 8d 68 18 48 89 e8 48 c1 e8 03 48 89 44 24 40 <80> 3c 18 00 74 08 48 89 ef e8 21 d4 13 ff 48 89 6c 24 10 48 8b 45
RSP: 0018:ffffc90002dffc70 EFLAGS: 00010206
RAX: 0000000000000003 RBX: dffffc0000000000 RCX: ffff888025543a00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88807e250000
RBP: 0000000000000018 R08: dffffc0000000000 R09: ffff88807e250290
R10: ffffed100fc4a055 R11: 1ffff1100fc4a052 R12: ffff888079a4dc00
R13: dffffc0000000000 R14: ffff88807e250000 R15: dffffc0000000000
FS: 0000555556d79300(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fffc47539c0 CR3: 000000001cabf000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
put_ntfs+0x1ed/0x2a0 fs/ntfs3/super.c:463
ntfs_fs_free+0x6a/0xe0 fs/ntfs3/super.c:1363
put_fs_context+0x119/0x7a0 fs/fs_context.c:469
do_new_mount+0x2b4/0xad0 fs/namespace.c:3044
do_mount fs/namespace.c:3383 [inline]
__do_sys_mount fs/namespace.c:3591 [inline]
__se_sys_mount+0x2e3/0x3d0 fs/namespace.c:3568
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fc64612025a
Code: 83 c4 08 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd5eefed68 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007ffd5eefedc0 RCX: 00007fc64612025a
RDX: 0000000020001480 RSI: 00000000200014c0 RDI: 00007ffd5eefed80
RBP: 00007ffd5eefed80 R08: 00007ffd5eefedc0 R09: 0000000800000015
R10: 0000000000000008 R11: 0000000000000286 R12: 0000000000000008
R13: 0000000020002a00 R14: 0000000000000004 R15: 0000000000000003
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:ntfs_update_mftmirr+0x51/0x6a0 fs/ntfs3/fsntfs.c:834
Code: 48 c1 e8 03 80 3c 18 00 74 08 4c 89 f7 e8 47 d4 13 ff 49 8b 06 48 89 44 24 18 48 8d 68 18 48 89 e8 48 c1 e8 03 48 89 44 24 40 <80> 3c 18 00 74 08 48 89 ef e8 21 d4 13 ff 48 89 6c 24 10 48 8b 45
RSP: 0018:ffffc90002dffc70 EFLAGS: 00010206
RAX: 0000000000000003 RBX: dffffc0000000000 RCX: ffff888025543a00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88807e250000
RBP: 0000000000000018 R08: dffffc0000000000 R09: ffff88807e250290
R10: ffffed100fc4a055 R11: 1ffff1100fc4a052 R12: ffff888079a4dc00
R13: dffffc0000000000 R14: ffff88807e250000 R15: dffffc0000000000
FS: 0000555556d79300(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fffc47539c0 CR3: 000000001cabf000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 48 c1 e8 03 shr $0x3,%rax
4: 80 3c 18 00 cmpb $0x0,(%rax,%rbx,1)
8: 74 08 je 0x12
a: 4c 89 f7 mov %r14,%rdi
d: e8 47 d4 13 ff callq 0xff13d459
12: 49 8b 06 mov (%r14),%rax
15: 48 89 44 24 18 mov %rax,0x18(%rsp)
1a: 48 8d 68 18 lea 0x18(%rax),%rbp
1e: 48 89 e8 mov %rbp,%rax
21: 48 c1 e8 03 shr $0x3,%rax
25: 48 89 44 24 40 mov %rax,0x40(%rsp)
* 2a: 80 3c 18 00 cmpb $0x0,(%rax,%rbx,1) <-- trapping instruction
2e: 74 08 je 0x38
30: 48 89 ef mov %rbp,%rdi
33: e8 21 d4 13 ff callq 0xff13d459
38: 48 89 6c 24 10 mov %rbp,0x10(%rsp)
3d: 48 rex.W
3e: 8b .byte 0x8b
3f: 45 rex.RB


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches


2022-04-22 22:19:20

by syzbot

[permalink] [raw]
Subject: Re: [syzbot] general protection fault in ntfs_update_mftmirr

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: [email protected]

Tested on:

commit: b2534357 Merge tag 'xtensa-20220416' of https://github..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=4cdc9619f45633df
dashboard link: https://syzkaller.appspot.com/bug?extid=c95173762127ad76a824
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=1778ee1cf00000

Note: testing is done by a robot and is best-effort only.

2022-04-22 22:37:29

by Pavel Skripkin

[permalink] [raw]
Subject: Re: [syzbot] general protection fault in ntfs_update_mftmirr

On 4/21/22 11:17, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: b253435746d9 Merge tag 'xtensa-20220416' of https://github..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=11588ba2f00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=4cdc9619f45633df
> dashboard link: https://syzkaller.appspot.com/bug?extid=c95173762127ad76a824
> compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=175b13c0f00000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1502f854f00000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: [email protected]
>

If ntfs_fill_super wasn't called then sbi->sb is NULL.

#syz test:
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master





With regards,
Pavel Skripkin


Attachments:
ph (487.00 B)
OpenPGP_signature (855.00 B)
OpenPGP digital signature
Download all attachments