From: syzbot <syzbot+6f6c9397e0078ef60bce@syzkaller.appspotmail.com>
To: Yuezhang.Mo@sony.com, daniel.palmer@sony.com,
	linkinjeon@kernel.org,  linux-fsdevel@vger.kernel.org,
	linux-kernel@vger.kernel.org,  sj1557.seo@samsung.com,
	syzkaller-bugs@googlegroups.com,  wataru.aoyama@sony.com,
	yuezhang.mo@sony.com
Subject: [syzbot] [exfat?] general protection fault in exfat_init_ext_entry
Date: Sun, 01 Dec 2024 15:03:29 -0800
Message-ID: <674ceb41.050a0220.48a03.0018.GAE@google.com>

Hello,

syzbot found the following issue on:

HEAD commit:    f486c8aa16b8 Add linux-next specific files for 20241128
git tree:       linux-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=1549f530580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=e348a4873516af92
dashboard link: https://syzkaller.appspot.com/bug?extid=6f6c9397e0078ef60bce
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1443ef5f980000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1349f530580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/beb58ebb63cf/disk-f486c8aa.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/b241b5609e64/vmlinux-f486c8aa.xz
kernel image: https://storage.googleapis.com/syzbot-assets/c9d817f665f2/bzImage-f486c8aa.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/792711885a74/mount_0.gz

The issue was bisected to:

commit 8a3f5711ad74db9881b289a6e34d7f3b700df720
Author: Yuezhang Mo <Yuezhang.Mo@sony.com>
Date:   Thu Sep 12 08:57:06 2024 +0000

    exfat: reduce FAT chain traversal

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=1145cf78580000
final oops:     https://syzkaller.appspot.com/x/report.txt?x=1345cf78580000
console output: https://syzkaller.appspot.com/x/log.txt?x=1545cf78580000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+6f6c9397e0078ef60bce@syzkaller.appspotmail.com
Fixes: 8a3f5711ad74 ("exfat: reduce FAT chain traversal")

syz-executor166: attempt to access beyond end of device
loop3: rw=524288, sector=167, nr_sectors = 1 limit=64
syz-executor166: attempt to access beyond end of device
loop3: rw=0, sector=161, nr_sectors = 1 limit=64
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
CPU: 0 UID: 0 PID: 5890 Comm: syz-executor166 Not tainted 6.12.0-next-20241128-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:exfat_get_dentry_cached fs/exfat/dir.c:727 [inline]
RIP: 0010:exfat_init_ext_entry+0x3fd/0x990 fs/exfat/dir.c:498
Code: 48 98 49 8d 1c c6 48 89 d8 48 c1 e8 03 42 80 3c 38 00 74 08 48 89 df e8 01 26 89 ff 48 8b 1b 48 83 c3 28 48 89 d8 48 c1 e8 03 <42> 80 3c 38 00 74 08 48 89 df e8 e4 25 89 ff 4c 8b 33 43 80 7c 3d
RSP: 0018:ffffc900041ff318 EFLAGS: 00010206
RAX: 0000000000000005 RBX: 0000000000000028 RCX: 0000000000000009
RDX: 0000000000000000 RSI: 0000000000000009 RDI: 0000000000000020
RBP: 0000000000000200 R08: ffffffff8281406f R09: 0000000000000002
R10: ffff88805d092022 R11: ffffed100ba12407 R12: ffffc900041ff700
R13: 1ffff9200083fee0 R14: ffffc900041ff710 R15: dffffc0000000000
FS:  00007fb6d86536c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb6d8653d58 CR3: 000000002fc0c000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 exfat_add_entry+0x529/0xaa0 fs/exfat/namei.c:517
 exfat_create+0x1c7/0x570 fs/exfat/namei.c:565
 lookup_open fs/namei.c:3649 [inline]
 open_last_lookups fs/namei.c:3748 [inline]
 path_openat+0x1c03/0x3590 fs/namei.c:3984
 do_filp_open+0x27f/0x4e0 fs/namei.c:4014
 do_sys_openat2+0x13e/0x1d0 fs/open.c:1402
 do_sys_open fs/open.c:1417 [inline]
 __do_sys_creat fs/open.c:1495 [inline]
 __se_sys_creat fs/open.c:1489 [inline]
 __x64_sys_creat+0x123/0x170 fs/open.c:1489
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb6d86c4099
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 01 1b 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fb6d8653218 EFLAGS: 00000246 ORIG_RAX: 0000000000000055
RAX: ffffffffffffffda RBX: 00007fb6d87534b8 RCX: 00007fb6d86c4099
RDX: 00007fb6d869bc26 RSI: 0000000000000000 RDI: 0000000020000e00
RBP: 00007fb6d87534b0 R08: 00007ffed34fd087 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb6d8718d84
R13: 00007fb6d8717880 R14: 0032656c69662f2e R15: 6f6f6c2f7665642f
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:exfat_get_dentry_cached fs/exfat/dir.c:727 [inline]
RIP: 0010:exfat_init_ext_entry+0x3fd/0x990 fs/exfat/dir.c:498
Code: 48 98 49 8d 1c c6 48 89 d8 48 c1 e8 03 42 80 3c 38 00 74 08 48 89 df e8 01 26 89 ff 48 8b 1b 48 83 c3 28 48 89 d8 48 c1 e8 03 <42> 80 3c 38 00 74 08 48 89 df e8 e4 25 89 ff 4c 8b 33 43 80 7c 3d
RSP: 0018:ffffc900041ff318 EFLAGS: 00010206
RAX: 0000000000000005 RBX: 0000000000000028 RCX: 0000000000000009
RDX: 0000000000000000 RSI: 0000000000000009 RDI: 0000000000000020
RBP: 0000000000000200 R08: ffffffff8281406f R09: 0000000000000002
R10: ffff88805d092022 R11: ffffed100ba12407 R12: ffffc900041ff700
R13: 1ffff9200083fee0 R14: ffffc900041ff710 R15: dffffc0000000000
FS:  00007fb6d86536c0(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055bc85806ca8 CR3: 000000002fc0c000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	48 98                	cltq
   2:	49 8d 1c c6          	lea    (%r14,%rax,8),%rbx
   6:	48 89 d8             	mov    %rbx,%rax
   9:	48 c1 e8 03          	shr    $0x3,%rax
   d:	42 80 3c 38 00       	cmpb   $0x0,(%rax,%r15,1)
  12:	74 08                	je     0x1c
  14:	48 89 df             	mov    %rbx,%rdi
  17:	e8 01 26 89 ff       	call   0xff89261d
  1c:	48 8b 1b             	mov    (%rbx),%rbx
  1f:	48 83 c3 28          	add    $0x28,%rbx
  23:	48 89 d8             	mov    %rbx,%rax
  26:	48 c1 e8 03          	shr    $0x3,%rax
* 2a:	42 80 3c 38 00       	cmpb   $0x0,(%rax,%r15,1) <-- trapping instruction
  2f:	74 08                	je     0x39
  31:	48 89 df             	mov    %rbx,%rdi
  34:	e8 e4 25 89 ff       	call   0xff89261d
  39:	4c 8b 33             	mov    (%rbx),%r14
  3c:	43                   	rex.XB
  3d:	80                   	.byte 0x80
  3e:	7c 3d                	jl     0x7d


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup
