Hello,
syzbot found the following issue on:
HEAD commit: 89b749d8552d Merge tag 'fbdev-for-6.0-rc3' of git://git.ke..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14b9661b080000
kernel config: https://syzkaller.appspot.com/x/.config?x=911efaff115942bb
dashboard link: https://syzkaller.appspot.com/bug?extid=5867885efe39089b339b
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: i386
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]
ntfs3: loop0: Different NTFS' sector size (1024) and media sector size (512)
ntfs3: loop0: RAW NTFS volume: Filesystem size 0.00 Gb > volume size 0.00 Gb. Mount in read-only
================================================================================
UBSAN: array-index-out-of-bounds in mm/truncate.c:366:18
index 254 is out of range for type 'long unsigned int [15]'
CPU: 2 PID: 19915 Comm: syz-executor.0 Not tainted 6.0.0-rc2-syzkaller-00260-g89b749d8552d #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
ubsan_epilogue+0xb/0x50 lib/ubsan.c:151
__ubsan_handle_out_of_bounds.cold+0x62/0x6c lib/ubsan.c:283
truncate_inode_pages_range+0x12f4/0x1510 mm/truncate.c:366
ntfs_evict_inode+0x16/0xa0 fs/ntfs3/inode.c:1741
evict+0x2ed/0x6b0 fs/inode.c:665
iput_final fs/inode.c:1748 [inline]
iput.part.0+0x55d/0x810 fs/inode.c:1774
iput+0x58/0x70 fs/inode.c:1764
ntfs_fill_super+0x2e89/0x37f0 fs/ntfs3/super.c:1190
get_tree_bdev+0x440/0x760 fs/super.c:1323
vfs_get_tree+0x89/0x2f0 fs/super.c:1530
do_new_mount fs/namespace.c:3040 [inline]
path_mount+0x1326/0x1e20 fs/namespace.c:3370
do_mount fs/namespace.c:3383 [inline]
__do_sys_mount fs/namespace.c:3591 [inline]
__se_sys_mount fs/namespace.c:3568 [inline]
__ia32_sys_mount+0x27e/0x300 fs/namespace.c:3568
do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
__do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178
do_fast_syscall_32+0x2f/0x70 arch/x86/entry/common.c:203
entry_SYSENTER_compat_after_hwframe+0x70/0x82
RIP: 0023:0xf7ff6549
Code: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
RSP: 002b:00000000f7ff1410 EFLAGS: 00000296 ORIG_RAX: 0000000000000015
RAX: ffffffffffffffda RBX: 00000000f7ff1480 RCX: 0000000020000100
RDX: 0000000020000000 RSI: 0000000000000000 RDI: 00000000f7ff14c0
RBP: 00000000f7ff14c0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
</TASK>
================================================================================
----------------
Code disassembly (best guess):
0: 03 74 c0 01 add 0x1(%rax,%rax,8),%esi
4: 10 05 03 74 b8 01 adc %al,0x1b87403(%rip) # 0x1b8740d
a: 10 06 adc %al,(%rsi)
c: 03 74 b4 01 add 0x1(%rsp,%rsi,4),%esi
10: 10 07 adc %al,(%rdi)
12: 03 74 b0 01 add 0x1(%rax,%rsi,4),%esi
16: 10 08 adc %cl,(%rax)
18: 03 74 d8 01 add 0x1(%rax,%rbx,8),%esi
1c: 00 00 add %al,(%rax)
1e: 00 00 add %al,(%rax)
20: 00 51 52 add %dl,0x52(%rcx)
23: 55 push %rbp
24: 89 e5 mov %esp,%ebp
26: 0f 34 sysenter
28: cd 80 int $0x80
* 2a: 5d pop %rbp <-- trapping instruction
2b: 5a pop %rdx
2c: 59 pop %rcx
2d: c3 retq
2e: 90 nop
2f: 90 nop
30: 90 nop
31: 90 nop
32: 8d b4 26 00 00 00 00 lea 0x0(%rsi,%riz,1),%esi
39: 8d b4 26 00 00 00 00 lea 0x0(%rsi,%riz,1),%esi
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
On Wed, 31 Aug 2022 17:13:36 -0700 syzbot <[email protected]> wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 89b749d8552d Merge tag 'fbdev-for-6.0-rc3' of git://git.ke..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=14b9661b080000
> kernel config: https://syzkaller.appspot.com/x/.config?x=911efaff115942bb
> dashboard link: https://syzkaller.appspot.com/bug?extid=5867885efe39089b339b
> compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> userspace arch: i386
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: [email protected]
>
> ntfs3: loop0: Different NTFS' sector size (1024) and media sector size (512)
> ntfs3: loop0: RAW NTFS volume: Filesystem size 0.00 Gb > volume size 0.00 Gb. Mount in read-only
> ================================================================================
> UBSAN: array-index-out-of-bounds in mm/truncate.c:366:18
> index 254 is out of range for type 'long unsigned int [15]'
That's
index = indices[folio_batch_count(&fbatch) - 1] + 1;
I looked. I see no way in which fbatch.nr got a value of 255.
I must say, the the code looks rather hacky. Isn't there a more
type-friendly way of doing this?
On Fri, 2 Sept 2022 at 01:25, Andrew Morton <[email protected]> wrote:
>
> On Wed, 31 Aug 2022 17:13:36 -0700 syzbot <[email protected]> wrote:
>
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit: 89b749d8552d Merge tag 'fbdev-for-6.0-rc3' of git://git.ke..
> > git tree: upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=14b9661b080000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=911efaff115942bb
> > dashboard link: https://syzkaller.appspot.com/bug?extid=5867885efe39089b339b
> > compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> > userspace arch: i386
> >
> > Unfortunately, I don't have any reproducer for this issue yet.
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: [email protected]
> >
> > ntfs3: loop0: Different NTFS' sector size (1024) and media sector size (512)
> > ntfs3: loop0: RAW NTFS volume: Filesystem size 0.00 Gb > volume size 0.00 Gb. Mount in read-only
> > ================================================================================
> > UBSAN: array-index-out-of-bounds in mm/truncate.c:366:18
> > index 254 is out of range for type 'long unsigned int [15]'
>
> That's
>
> index = indices[folio_batch_count(&fbatch) - 1] + 1;
>
> I looked. I see no way in which fbatch.nr got a value of 255.
>
>
> I must say, the the code looks rather hacky. Isn't there a more
> type-friendly way of doing this?
I don't see how this can happen either. Also can't reproduce.
It's happened only once so far, so maybe some silent memory corruption.
Let's wait for more crashes/reproducer, or otherwise syzbot will
auto-close it after some time.
syzbot has found a reproducer for the following issue on:
HEAD commit: e8bc52cb8df8 Merge tag 'driver-core-6.1-rc1' of git://git...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11a70a42880000
kernel config: https://syzkaller.appspot.com/x/.config?x=7579993da6496f03
dashboard link: https://syzkaller.appspot.com/bug?extid=5867885efe39089b339b
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=153137b8880000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=123cae34880000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/4dc25a89bfbd/disk-e8bc52cb.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/16c9ca5fd754/vmlinux-e8bc52cb.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/f3507911193f/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]
ntfs3: loop0: Different NTFS' sector size (1024) and media sector size (512)
==================================================================
BUG: KASAN: out-of-bounds in folio_batch_count include/linux/pagevec.h:108 [inline]
BUG: KASAN: out-of-bounds in truncate_inode_pages_range+0x512/0x17b0 mm/truncate.c:366
Read of size 1 at addr ffffc9000b40f8a0 by task syz-executor300/12162
CPU: 1 PID: 12162 Comm: syz-executor300 Not tainted 6.0.0-syzkaller-07994-ge8bc52cb8df8 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
print_address_description+0x65/0x4b0 mm/kasan/report.c:317
print_report+0x108/0x220 mm/kasan/report.c:433
kasan_report+0xfb/0x130 mm/kasan/report.c:495
folio_batch_count include/linux/pagevec.h:108 [inline]
truncate_inode_pages_range+0x512/0x17b0 mm/truncate.c:366
ntfs_evict_inode+0x18/0xb0 fs/ntfs3/inode.c:1741
evict+0x2a4/0x620 fs/inode.c:664
ntfs_fill_super+0x3c6c/0x4420 fs/ntfs3/super.c:1190
get_tree_bdev+0x400/0x620 fs/super.c:1323
vfs_get_tree+0x88/0x270 fs/super.c:1530
do_new_mount+0x289/0xad0 fs/namespace.c:3040
do_mount fs/namespace.c:3383 [inline]
__do_sys_mount fs/namespace.c:3591 [inline]
__se_sys_mount+0x2e3/0x3d0 fs/namespace.c:3568
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f1170f482fa
Code: 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 a8 00 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f1170eee168 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f1170f482fa
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007f1170eee180
RBP: 0000000000000004 R08: 00007f1170eee1c0 R09: 00007f1170eee6b8
R10: 0000000000000000 R11: 0000000000000286 R12: 00007f1170eee1c0
R13: 0000000000000110 R14: 00007f1170eee180 R15: 0000000020001b80
</TASK>
The buggy address belongs to stack of task syz-executor300/12162
and is located at offset 32 in frame:
truncate_inode_pages_range+0x0/0x17b0
This frame has 2 objects:
[32, 160) 'fbatch'
[192, 312) 'indices'
The buggy address belongs to the virtual mapping at
[ffffc9000b408000, ffffc9000b411000) created by:
dup_task_struct+0x8b/0x490 kernel/fork.c:977
The buggy address belongs to the physical page:
page:ffffea0001d7b300 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x75ecc
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_ZERO), pid 12161, tgid 12161 (syz-executor300), ts 362387697256, free_ts 362353989799
prep_new_page mm/page_alloc.c:2532 [inline]
get_page_from_freelist+0x72b/0x7a0 mm/page_alloc.c:4283
__alloc_pages+0x259/0x560 mm/page_alloc.c:5549
vm_area_alloc_pages mm/vmalloc.c:2958 [inline]
__vmalloc_area_node mm/vmalloc.c:3026 [inline]
__vmalloc_node_range+0x8f4/0x1290 mm/vmalloc.c:3196
alloc_thread_stack_node+0x307/0x500 kernel/fork.c:312
dup_task_struct+0x8b/0x490 kernel/fork.c:977
copy_process+0x637/0x3f60 kernel/fork.c:2085
kernel_clone+0x22f/0x7a0 kernel/fork.c:2671
__do_sys_clone kernel/fork.c:2805 [inline]
__se_sys_clone kernel/fork.c:2789 [inline]
__x64_sys_clone+0x276/0x2e0 kernel/fork.c:2789
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1449 [inline]
free_pcp_prepare+0x812/0x900 mm/page_alloc.c:1499
free_unref_page_prepare mm/page_alloc.c:3380 [inline]
free_unref_page+0x7d/0x630 mm/page_alloc.c:3476
mm_free_pgd kernel/fork.c:737 [inline]
__mmdrop+0xae/0x3f0 kernel/fork.c:788
exit_mm+0x211/0x2f0 kernel/exit.c:510
do_exit+0x4e1/0x20a0 kernel/exit.c:782
do_group_exit+0x23b/0x2f0 kernel/exit.c:925
get_signal+0x172f/0x1780 kernel/signal.c:2857
arch_do_signal_or_restart+0x8d/0x750 arch/x86/kernel/signal.c:869
exit_to_user_mode_loop+0x74/0x160 kernel/entry/common.c:166
exit_to_user_mode_prepare+0xad/0x110 kernel/entry/common.c:201
__syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
syscall_exit_to_user_mode+0x2e/0x60 kernel/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Memory state around the buggy address:
ffffc9000b40f780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffc9000b40f800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc9000b40f880: f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 00
^
ffffc9000b40f900: 00 00 00 00 f2 f2 f2 f2 00 00 00 00 00 00 00 00
ffffc9000b40f980: 00 00 00 00 00 00 00 f3 f3 f3 f3 f3 00 00 00 00
==================================================================
On Thu, Sep 01, 2022 at 04:24:59PM -0700, Andrew Morton wrote:
> On Wed, 31 Aug 2022 17:13:36 -0700 syzbot <[email protected]> wrote:
>
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit: 89b749d8552d Merge tag 'fbdev-for-6.0-rc3' of git://git.ke..
> > git tree: upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=14b9661b080000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=911efaff115942bb
> > dashboard link: https://syzkaller.appspot.com/bug?extid=5867885efe39089b339b
> > compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> > userspace arch: i386
> >
> > Unfortunately, I don't have any reproducer for this issue yet.
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: [email protected]
> >
> > ntfs3: loop0: Different NTFS' sector size (1024) and media sector size (512)
> > ntfs3: loop0: RAW NTFS volume: Filesystem size 0.00 Gb > volume size 0.00 Gb. Mount in read-only
> > ================================================================================
> > UBSAN: array-index-out-of-bounds in mm/truncate.c:366:18
> > index 254 is out of range for type 'long unsigned int [15]'
>
> That's
>
> index = indices[folio_batch_count(&fbatch) - 1] + 1;
>
> I looked. I see no way in which fbatch.nr got a value of 255.
NTFS is involved. I stopped looking at that point; it seems to be
riddled with buffer overflows.
> I must say, the the code looks rather hacky. Isn't there a more
> type-friendly way of doing this?
Looking at the three callers, they all want to advance index. We
should probably pass &index instead of index and have find_lock_entries
advance it for them.
Vishal, want to take this on?
On Sat, Oct 8, 2022 at 12:12 PM Matthew Wilcox <[email protected]> wrote:
>
> On Thu, Sep 01, 2022 at 04:24:59PM -0700, Andrew Morton wrote:
> > On Wed, 31 Aug 2022 17:13:36 -0700 syzbot <[email protected]> wrote:
> >
> > > Hello,
> > >
> > > syzbot found the following issue on:
> > >
> > > HEAD commit: 89b749d8552d Merge tag 'fbdev-for-6.0-rc3' of git://git.ke..
> > > git tree: upstream
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=14b9661b080000
> > > kernel config: https://syzkaller.appspot.com/x/.config?x=911efaff115942bb
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=5867885efe39089b339b
> > > compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> > > userspace arch: i386
> > >
> > > Unfortunately, I don't have any reproducer for this issue yet.
> > >
> > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > Reported-by: [email protected]
> > >
> > > ntfs3: loop0: Different NTFS' sector size (1024) and media sector size (512)
> > > ntfs3: loop0: RAW NTFS volume: Filesystem size 0.00 Gb > volume size 0.00 Gb. Mount in read-only
> > > ================================================================================
> > > UBSAN: array-index-out-of-bounds in mm/truncate.c:366:18
> > > index 254 is out of range for type 'long unsigned int [15]'
> >
> > That's
> >
> > index = indices[folio_batch_count(&fbatch) - 1] + 1;
> >
> > I looked. I see no way in which fbatch.nr got a value of 255.
>
> NTFS is involved. I stopped looking at that point; it seems to be
> riddled with buffer overflows.
>
> > I must say, the the code looks rather hacky. Isn't there a more
> > type-friendly way of doing this?
>
> Looking at the three callers, they all want to advance index. We
> should probably pass &index instead of index and have find_lock_entries
> advance it for them.
>
> Vishal, want to take this on?
Yup! I'll do that.
syzbot suspects this issue was fixed by commit:
commit d772781964415c63759572b917e21c4f7ec08d9f
Author: Jakub Kicinski <[email protected]>
Date: Fri Jan 6 06:33:54 2023 +0000
devlink: bump the instance index directly when iterating
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=129893bea80000
start commit: e8bc52cb8df8 Merge tag 'driver-core-6.1-rc1' of git://git...
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=7579993da6496f03
dashboard link: https://syzkaller.appspot.com/bug?extid=5867885efe39089b339b
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=153137b8880000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=123cae34880000
If the result looks correct, please mark the issue as fixed by replying with:
#syz fix: devlink: bump the instance index directly when iterating
For information about bisection process see: https://goo.gl/tpsmEJ#bisection