On Thu, Sep 01, 2022 at 04:24:59PM -0700, Andrew Morton wrote: > On Wed, 31 Aug 2022 17:13:36 -0700 syzbot <syzbot+5867885efe39089b339b@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote: > > > Hello, > > > > syzbot found the following issue on: > > > > HEAD commit: 89b749d8552d Merge tag 'fbdev-for-6.0-rc3' of git://git.ke.. > > git tree: upstream > > console output: https://syzkaller.appspot.com/x/log.txt?x=14b9661b080000 > > kernel config: https://syzkaller.appspot.com/x/.config?x=911efaff115942bb > > dashboard link: https://syzkaller.appspot.com/bug?extid=5867885efe39089b339b > > compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 > > userspace arch: i386 > > > > Unfortunately, I don't have any reproducer for this issue yet. > > > > IMPORTANT: if you fix the issue, please add the following tag to the commit: > > Reported-by: syzbot+5867885efe39089b339b@xxxxxxxxxxxxxxxxxxxxxxxxx > > > > ntfs3: loop0: Different NTFS' sector size (1024) and media sector size (512) > > ntfs3: loop0: RAW NTFS volume: Filesystem size 0.00 Gb > volume size 0.00 Gb. Mount in read-only > > ================================================================================ > > UBSAN: array-index-out-of-bounds in mm/truncate.c:366:18 > > index 254 is out of range for type 'long unsigned int [15]' > > That's > > index = indices[folio_batch_count(&fbatch) - 1] + 1; > > I looked. I see no way in which fbatch.nr got a value of 255. NTFS is involved. I stopped looking at that point; it seems to be riddled with buffer overflows. > I must say, the the code looks rather hacky. Isn't there a more > type-friendly way of doing this? Looking at the three callers, they all want to advance index. We should probably pass &index instead of index and have find_lock_entries advance it for them. Vishal, want to take this on?
