lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <000000000000eb54450618ee7792@google.com>
Date: Mon, 20 May 2024 20:32:33 -0700
From: syzbot <syzbot+6b2e22a2beb29d5b5a50@...kaller.appspotmail.com>
To: almaz.alexandrovich@...agon-software.com, linux-kernel@...r.kernel.org, 
	ntfs3@...ts.linux.dev, syzkaller-bugs@...glegroups.com
Subject: [syzbot] [ntfs3?] WARNING: held lock freed in alloc_super

Hello,

syzbot found the following issue on:

HEAD commit:    6e51b4b5bbc0 Merge tag 'mips_6.10' of git://git.kernel.org..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15848f0a980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=4381d48cde9bcb26
dashboard link: https://syzkaller.appspot.com/bug?extid=6b2e22a2beb29d5b5a50
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7bc7510fe41f/non_bootable_disk-6e51b4b5.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/2ded6f5d7f90/vmlinux-6e51b4b5.xz
kernel image: https://storage.googleapis.com/syzbot-assets/1e9274bab03b/bzImage-6e51b4b5.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+6b2e22a2beb29d5b5a50@...kaller.appspotmail.com

loop3: detected capacity change from 0 to 4096
ntfs3: loop3: Different NTFS sector size (1024) and media sector size (512).
=========================
WARNING: held lock freed!
6.9.0-syzkaller-09868-g6e51b4b5bbc0 #0 Not tainted
-------------------------
syz-executor.3/16347 is freeing memory ffff88802a8a4098-ffff88802a8a4127, with a lock still held there!
ffff88802a8a40e0 (&type->s_umount_key#74/1){+.+.}-{3:3}, at: alloc_super+0x23d/0xbd0 fs/super.c:343
1 lock held by syz-executor.3/16347:
 #0: ffff88802a8a40e0 (&type->s_umount_key#74/1){+.+.}-{3:3}, at: alloc_super+0x23d/0xbd0 fs/super.c:343

stack backtrace:
CPU: 2 PID: 16347 Comm: syz-executor.3 Not tainted 6.9.0-syzkaller-09868-g6e51b4b5bbc0 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
 print_freed_lock_bug kernel/locking/lockdep.c:6538 [inline]
 debug_check_no_locks_freed+0x203/0x2a0 kernel/locking/lockdep.c:6571
 debug_mutex_init+0x1b/0x70 kernel/locking/mutex-debug.c:86
 ntfs_alloc_inode+0x5b/0x70 fs/ntfs3/super.c:569
 alloc_inode+0x5d/0x230 fs/inode.c:261
 iget5_locked fs/inode.c:1235 [inline]
 iget5_locked+0x1c9/0x2c0 fs/inode.c:1228
 ntfs_iget5+0xd1/0x3950 fs/ntfs3/inode.c:531
 ntfs_fill_super+0x3738/0x4490 fs/ntfs3/super.c:1485
 get_tree_bdev+0x36f/0x610 fs/super.c:1614
 vfs_get_tree+0x8f/0x380 fs/super.c:1779
 do_new_mount fs/namespace.c:3352 [inline]
 path_mount+0x14e6/0x1f20 fs/namespace.c:3679
 do_mount fs/namespace.c:3692 [inline]
 __do_sys_mount fs/namespace.c:3898 [inline]
 __se_sys_mount fs/namespace.c:3875 [inline]
 __x64_sys_mount+0x297/0x320 fs/namespace.c:3875
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f1a8e07e5ea
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 09 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f1a8edf2ef8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007f1a8edf2f80 RCX: 00007f1a8e07e5ea
RDX: 0000000020000040 RSI: 000000002001f840 RDI: 00007f1a8edf2f40
RBP: 0000000020000040 R08: 00007f1a8edf2f80 R09: 0000000000800000
R10: 0000000000800000 R11: 0000000000000202 R12: 000000002001f840
R13: 00007f1a8edf2f40 R14: 000000000001f81b R15: 00000000200003c0
 </TASK>
ntfs3: loop3: try to read out of volume at offset 0x22800
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
CPU: 2 PID: 16347 Comm: syz-executor.3 Not tainted 6.9.0-syzkaller-09868-g6e51b4b5bbc0 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:iput_final fs/inode.c:1710 [inline]
RIP: 0010:iput.part.0+0x38c/0x7f0 fs/inode.c:1767
Code: 8c ff 48 8b 44 24 10 48 85 c0 0f 85 f5 02 00 00 e8 99 4f 8c ff 49 8d 7e 28 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 d4 03 00 00 49 8b 46 28 48 85 c0 48 89 44 24 10
RSP: 0000:ffffc9000382f8b8 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffff88802a8a4250 RCX: ffffc90005a91000
RDX: 0000000000000005 RSI: ffffffff820198e7 RDI: 0000000000000028
RBP: ffff88802a8a4458 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000000 R11: 6c203a337366746e R12: 0000000000000001
R13: 0000000000000000 R14: 0000000000000000 R15: ffff88802a8a4328
FS:  00007f1a8edf36c0(0000) GS:ffff88806b200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f6a99d14440 CR3: 000000005af5a000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 iput+0x5c/0x80 fs/inode.c:1757
 ntfs_read_mft fs/ntfs3/inode.c:502 [inline]
 ntfs_iget5+0x6b9/0x3950 fs/ntfs3/inode.c:538
 ntfs_fill_super+0x3738/0x4490 fs/ntfs3/super.c:1485
 get_tree_bdev+0x36f/0x610 fs/super.c:1614
 vfs_get_tree+0x8f/0x380 fs/super.c:1779
 do_new_mount fs/namespace.c:3352 [inline]
 path_mount+0x14e6/0x1f20 fs/namespace.c:3679
 do_mount fs/namespace.c:3692 [inline]
 __do_sys_mount fs/namespace.c:3898 [inline]
 __se_sys_mount fs/namespace.c:3875 [inline]
 __x64_sys_mount+0x297/0x320 fs/namespace.c:3875
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f1a8e07e5ea
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 09 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f1a8edf2ef8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007f1a8edf2f80 RCX: 00007f1a8e07e5ea
RDX: 0000000020000040 RSI: 000000002001f840 RDI: 00007f1a8edf2f40
RBP: 0000000020000040 R08: 00007f1a8edf2f80 R09: 0000000000800000
R10: 0000000000800000 R11: 0000000000000202 R12: 000000002001f840
R13: 00007f1a8edf2f40 R14: 000000000001f81b R15: 00000000200003c0
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:iput_final fs/inode.c:1710 [inline]
RIP: 0010:iput.part.0+0x38c/0x7f0 fs/inode.c:1767
Code: 8c ff 48 8b 44 24 10 48 85 c0 0f 85 f5 02 00 00 e8 99 4f 8c ff 49 8d 7e 28 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 d4 03 00 00 49 8b 46 28 48 85 c0 48 89 44 24 10
RSP: 0000:ffffc9000382f8b8 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffff88802a8a4250 RCX: ffffc90005a91000
RDX: 0000000000000005 RSI: ffffffff820198e7 RDI: 0000000000000028
RBP: ffff88802a8a4458 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000000 R11: 6c203a337366746e R12: 0000000000000001
R13: 0000000000000000 R14: 0000000000000000 R15: ffff88802a8a4328
FS:  00007f1a8edf36c0(0000) GS:ffff88806b200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f6a99d14440 CR3: 000000005af5a000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	8c ff                	mov    %?,%edi
   2:	48 8b 44 24 10       	mov    0x10(%rsp),%rax
   7:	48 85 c0             	test   %rax,%rax
   a:	0f 85 f5 02 00 00    	jne    0x305
  10:	e8 99 4f 8c ff       	call   0xff8c4fae
  15:	49 8d 7e 28          	lea    0x28(%r14),%rdi
  19:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  20:	fc ff df
  23:	48 89 fa             	mov    %rdi,%rdx
  26:	48 c1 ea 03          	shr    $0x3,%rdx
* 2a:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1) <-- trapping instruction
  2e:	0f 85 d4 03 00 00    	jne    0x408
  34:	49 8b 46 28          	mov    0x28(%r14),%rax
  38:	48 85 c0             	test   %rax,%rax
  3b:	48 89 44 24 10       	mov    %rax,0x10(%rsp)


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@...glegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ