Good day, dear maintainers, We found a bug using a modified version of the kernel configuration file used by syzbot; we enhanced the coverage of that configuration file using our tool, klocalizer. The KASAN report below shows an 8-byte slab-out-of-bounds read in ntfs_test_inode() (fs/ntfs/inode.c:55, reached through NInoAttr()) while mounting an NTFS volume; the address read lies 40 bytes to the right of a 312-byte object in the dentry cache. Kernel Branch: 6.2.0-rc5-next-20230124 Kernel config: https://drive.google.com/file/d/1F-LszDAizEEH0ZX0HcSR06v5q8FPl2Uv/view?usp=sharing Reproducer: https://drive.google.com/file/d/1gufgF45viKoO91FN6MNaC3yu_ZSC7cBS/view?usp=sharing Thank you! Best regards, Sanan Hasanov ntfs: volume version 3.1. ================================================================== BUG: KASAN: slab-out-of-bounds in instrument_atomic_read include/linux/instrumented.h:72 [inline] BUG: KASAN: slab-out-of-bounds in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline] BUG: KASAN: slab-out-of-bounds in NInoAttr fs/ntfs/inode.h:200 [inline] BUG: KASAN: slab-out-of-bounds in ntfs_test_inode+0x9a/0x2f0 fs/ntfs/inode.c:55 Read of size 8 at addr ffff88804360fec0 by task syz-executor.0/7772 CPU: 0 PID: 7772 Comm: syz-executor.0 Not tainted 6.2.0-rc5-next-20230124 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:306 [inline] print_report+0x156/0x455 mm/kasan/report.c:417 kasan_report+0xc0/0xf0 mm/kasan/report.c:517 check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0x144/0x190 mm/kasan/generic.c:189 instrument_atomic_read include/linux/instrumented.h:72 [inline] _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline] NInoAttr fs/ntfs/inode.h:200 [inline] ntfs_test_inode+0x9a/0x2f0 fs/ntfs/inode.c:55 find_inode+0xe4/0x220 fs/inode.c:916 ilookup5_nowait fs/inode.c:1429 [inline] ilookup5 fs/inode.c:1458 [inline] iget5_locked+0xb6/0x270 fs/inode.c:1239 ntfs_iget+0xa1/0x180 fs/ntfs/inode.c:168 load_and_check_logfile fs/ntfs/super.c:1216 [inline] load_system_files 
fs/ntfs/super.c:1949 [inline] ntfs_fill_super+0x5988/0x9250 fs/ntfs/super.c:2900 mount_bdev+0x351/0x410 fs/super.c:1359 legacy_get_tree+0x109/0x220 fs/fs_context.c:610 vfs_get_tree+0x8d/0x2f0 fs/super.c:1489 do_new_mount fs/namespace.c:3031 [inline] path_mount+0x675/0x1e20 fs/namespace.c:3361 do_mount fs/namespace.c:3374 [inline] __do_sys_mount fs/namespace.c:3583 [inline] __se_sys_mount fs/namespace.c:3560 [inline] __x64_sys_mount+0x283/0x300 fs/namespace.c:3560 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0x80 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7f815329176e Code: 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f8154488a08 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5 RAX: ffffffffffffffda RBX: 0000000020000200 RCX: 00007f815329176e RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007f8154488a60 RBP: 00007f8154488aa0 R08: 00007f8154488aa0 R09: 0000000020000000 R10: 0000000000000000 R11: 0000000000000206 R12: 0000000020000000 R13: 0000000020000100 R14: 00007f8154488a60 R15: 0000000020076700 </TASK> Allocated by task 7394: kasan_save_stack+0x22/0x40 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 __kasan_slab_alloc+0x7f/0x90 mm/kasan/common.c:325 kasan_slab_alloc include/linux/kasan.h:186 [inline] slab_post_alloc_hook mm/slab.h:769 [inline] slab_alloc_node mm/slub.c:3452 [inline] slab_alloc mm/slub.c:3460 [inline] __kmem_cache_alloc_lru mm/slub.c:3467 [inline] kmem_cache_alloc_lru+0x20e/0x580 mm/slub.c:3483 __d_alloc+0x32/0x980 fs/dcache.c:1769 d_alloc+0x4e/0x240 fs/dcache.c:1849 __lookup_hash+0xc8/0x180 fs/namei.c:1598 filename_create+0x1d6/0x4a0 fs/namei.c:3809 do_mkdirat+0x9d/0x310 fs/namei.c:4053 __do_sys_mkdirat fs/namei.c:4076 [inline] __se_sys_mkdirat fs/namei.c:4074 [inline] __x64_sys_mkdirat+0x119/0x170 
fs/namei.c:4074 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0x80 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Last potentially related work creation: kasan_save_stack+0x22/0x40 mm/kasan/common.c:45 __kasan_record_aux_stack+0xbf/0xd0 mm/kasan/generic.c:488 __call_rcu_common.constprop.0+0x99/0x790 kernel/rcu/tree.c:2624 dentry_free+0xc3/0x160 fs/dcache.c:377 __dentry_kill+0x4c8/0x640 fs/dcache.c:621 dentry_kill fs/dcache.c:745 [inline] dput+0x6b5/0xe10 fs/dcache.c:913 do_unlinkat+0x3ef/0x670 fs/namei.c:4319 __do_sys_unlink fs/namei.c:4364 [inline] __se_sys_unlink fs/namei.c:4362 [inline] __x64_sys_unlink+0xca/0x110 fs/namei.c:4362 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0x80 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Second to last potentially related work creation: kasan_save_stack+0x22/0x40 mm/kasan/common.c:45 __kasan_record_aux_stack+0xbf/0xd0 mm/kasan/generic.c:488 __call_rcu_common.constprop.0+0x99/0x790 kernel/rcu/tree.c:2624 dentry_free+0xc3/0x160 fs/dcache.c:377 __dentry_kill+0x4c8/0x640 fs/dcache.c:621 shrink_dentry_list+0x12c/0x4f0 fs/dcache.c:1201 shrink_dcache_parent+0xa7/0x3f0 fs/dcache.c:1652 vfs_rmdir fs/namei.c:4125 [inline] vfs_rmdir+0x2fa/0x630 fs/namei.c:4098 do_rmdir+0x329/0x390 fs/namei.c:4180 __do_sys_unlinkat fs/namei.c:4358 [inline] __se_sys_unlinkat fs/namei.c:4352 [inline] __x64_sys_unlinkat+0xef/0x130 fs/namei.c:4352 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0x80 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd The buggy address belongs to the object at ffff88804360fd60 which belongs to the cache dentry of size 312 The buggy address is located 40 bytes to the right of 312-byte region [ffff88804360fd60, ffff88804360fe98) The buggy address belongs to the physical page: page:0000000042a7ca23 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4360e head:0000000042a7ca23 order:1 
entire_mapcount:0 nr_pages_mapped:0 pincount:0 ksm flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000010200 ffff88810021b2c0 ffffea00010d3280 dead000000000003 raw: 0000000000000000 0000000000150015 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88804360fd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff88804360fe00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff88804360fe80: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff88804360ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88804360ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ==================================================================