syzbot

 sign-in | mailing list | source | docs
🐞 Open [1572]
Subsystems
🐞 Fixed [6334]
🐞 Invalid [16148]
Missing Backports [192]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
Total Repo Heatmap Subsystems Heatmap
💬 Send us feedback

KASAN: stack-out-of-bounds Write in ntfs_get_ea (2)

Status: moderation: reported on 2025/06/28 00:57
Subsystems: ntfs3
[Documentation on labels]
Reported-by: syzbot+b7cb0cd838e61fe3eea6@syzkaller.appspotmail.com
First crash: 5d20h, last: 5d20h
Similar bugs (2)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: stack-out-of-bounds Write in ntfs_get_ea ntfs3 1 313d 308d 0/29 auto-obsoleted due to no activity on 2024/11/18 18:44
upstream KASAN: slab-out-of-bounds Read in ntfs_get_ea ntfs3 C error done 9 959d 1027d 22/29 fixed on 2023/04/12 21:18

Sample crash report:
ntfs3(loop2): ino=3, ntfs_set_state failed, -22.
ntfs3(loop2): Failed to load $Extend (-22).
ntfs3(loop2): Failed to initialize $Extend.
==================================================================
BUG: KASAN: stack-out-of-bounds in stack_trace_consume_entry+0xf0/0x208 kernel/stacktrace.c:93
Write of size 8 at addr ffff80009e276f58 by task syz.2.396/8486

CPU: 0 UID: 0 PID: 8486 Comm: syz.2.396 Not tainted 6.16.0-rc2-syzkaller-g9aa9b43d689e #0 PREEMPT 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call trace:
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:501 (C)
 __dump_stack+0x30/0x40 lib/dump_stack.c:94
 dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
 print_address_description+0xa8/0x254 mm/kasan/report.c:408
 print_report+0x68/0x84 mm/kasan/report.c:521
 kasan_report+0xb0/0x110 mm/kasan/report.c:634
 __asan_report_store8_noabort+0x20/0x2c mm/kasan/report_generic.c:386
 stack_trace_consume_entry+0xf0/0x208 kernel/stacktrace.c:93
 arch_kunwind_consume_entry arch/arm64/kernel/stacktrace.c:380 [inline]
 do_kunwind arch/arm64/kernel/stacktrace.c:293 [inline]
 kunwind_stack_walk arch/arm64/kernel/stacktrace.c:368 [inline]
 arch_stack_walk+0x1dc/0x368 arch/arm64/kernel/stacktrace.c:392
 stack_trace_save+0x94/0xd8 kernel/stacktrace.c:122
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:68
 kasan_save_free_info+0x58/0x70 mm/kasan/generic.c:576
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x68/0x88 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2381 [inline]
 slab_free mm/slub.c:4643 [inline]
 kfree+0x17c/0x474 mm/slub.c:4842
 ntfs_get_ea+0x2bc/0x430 fs/ntfs3/xattr.c:306
 ntfs_getxattr+0x1b4/0x540 fs/ntfs3/xattr.c:827
 __vfs_getxattr+0x394/0x3c0 fs/xattr.c:423
 cap_inode_need_killpriv+0x50/0x78 security/commoncap.c:331
 security_inode_need_killpriv+0x90/0x298 security/security.c:2638
 dentry_needs_remove_privs fs/inode.c:2172 [inline]
 file_remove_privs_flags+0x1d4/0x4ac fs/inode.c:2203
 file_modified_flags+0x5c/0x450 fs/inode.c:2363
 file_modified+0x24/0x34 fs/inode.c:2392
 ntfs_file_write_iter+0x2ac/0x66c fs/ntfs3/file.c:1180
 iter_file_splice_write+0x718/0xca4 fs/splice.c:738
 ntfs_file_splice_write+0x128/0x198 fs/ntfs3/file.c:1311
 do_splice_from fs/splice.c:935 [inline]
 direct_splice_actor+0xec/0x14c fs/splice.c:1158
 splice_direct_to_actor+0x414/0x994 fs/splice.c:1102
 do_splice_direct_actor fs/splice.c:1201 [inline]
 do_splice_direct+0x130/0x210 fs/splice.c:1227
 do_sendfile+0x3cc/0x658 fs/read_write.c:1370
 __do_sys_sendfile64 fs/read_write.c:1431 [inline]
 __se_sys_sendfile64 fs/read_write.c:1417 [inline]
 __arm64_sys_sendfile64+0x1b4/0x274 fs/read_write.c:1417
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767
 el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600

The buggy address belongs to stack of task syz.2.396/8486
 and is located at offset 344 in frame:
 stack_trace_save+0x0/0xd8 kernel/stacktrace.c:52

This frame has 1 object:
 [32, 56) 'c'

The buggy address belongs to the virtual mapping at
 [ffff80009e270000, ffff80009e279000) created by:
 copy_process+0x480/0x31ec kernel/fork.c:1999

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x25 pfn:0x133200
memcg:ffff0000cc2b1102
flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000000000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000025 0000000000000000 00000001ffffffff ffff0000cc2b1102
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff80009e276e00: f1 f1 f1 f1 00 00 00 f3 f3 f3 f3 f3 00 00 00 00
 ffff80009e276e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff80009e276f00: 00 00 00 00 00 00 00 00 00 00 00 f3 00 00 00 00
                                                    ^
 ffff80009e276f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff80009e277000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2025/06/24 00:46 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 9aa9b43d689e 1a7fb460 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: stack-out-of-bounds Write in ntfs_get_ea
* Struck through repros no longer work on HEAD.