syzbot

 sign-in | mailing list | source | docs
🐞 Open [1488]
Subsystems
🐞 Fixed [6543]
🐞 Invalid [16724]
Missing Backports [202]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
Total Repo Heatmap Subsystems Heatmap
💬 Send us feedback

KASAN: slab-use-after-free Read in bch2_copygc

Status: upstream: reported C repro on 2025/07/08 14:04
Subsystems: bcachefs
[Documentation on labels]
Reported-by: syzbot+3168625f36f4a539237e@syzkaller.appspotmail.com
Fix commit: c02b943f7d12 bcachefs: Fix reference to invalid bucket in copygc
Patched on: [ci-qemu-gce-upstream-auto ci-qemu-upstream ci-qemu-upstream-386 ci-qemu2-arm32 ci-qemu2-arm64 ci-qemu2-arm64-compat ci-qemu2-arm64-mte ci-qemu2-riscv64 ci-snapshot-upstream-root ci-upstream-bpf-kasan-gce ci-upstream-bpf-next-kasan-gce ci-upstream-gce-arm64 ci-upstream-gce-leak ci-upstream-kasan-badwrites-root ci-upstream-kasan-gce ci-upstream-kasan-gce-386 ci-upstream-kasan-gce-root ci-upstream-kasan-gce-selinux-root ci-upstream-kasan-gce-smack-root ci-upstream-kmsan-gce-386-root ci-upstream-kmsan-gce-root ci-upstream-linux-next-kasan-gce-root ci-upstream-net-kasan-gce ci-upstream-net-this-kasan-gce ci-upstream-rust-kasan-gce ci2-upstream-fs ci2-upstream-kcsan-gce ci2-upstream-usb], missing on: [ci-qemu-native-arm64-kvm]
First crash: 82d, last: 1h42m
Cause bisection: introduced by (bisect log) :
commit 82067c916994dd1bfec65496144dc16e17899e36
Author: Kent Overstreet <kent.overstreet@linux.dev>
Date: Fri May 9 03:21:28 2025 +0000

  bcachefs: buckets_in_flight on stack

Crash: WARNING in rhashtable_init_noprof (log)
Repro: C syz .config
  
Discussions (1)
Title Replies (including bot) Last reply
[syzbot] [bcachefs?] KASAN: slab-use-after-free Read in bch2_copygc 0 (3) 2025/07/09 19:34
Similar bugs (2)
Kernel Title Rank 🛈 Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KMSAN: uninit-value in bch2_copygc bcachefs 7 C 88 235d 299d 0/29 auto-obsoleted due to no activity on 2025/03/22 22:59
upstream KMSAN: uninit-value in bch2_copygc (2) bcachefs 7 1 160d 156d 28/29 fixed on 2025/06/10 16:19

Sample crash report:
bcachefs (loop0): Detected missing backpointers in bucket 34, now have 1/128 with missing
BUG: unable to handle page fault for address: ffffed120618f45c
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 23ffee067 P4D 23ffee067 PUD 0 
Oops: Oops: 0000 [#1] SMP KASAN PTI
CPU: 0 UID: 0 PID: 6224 Comm: bch-copygc/loop Not tainted 6.16.0-rc5-syzkaller-00025-gd006330be3f7 #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
RIP: 0010:bytes_is_nonzero mm/kasan/generic.c:87 [inline]
RIP: 0010:memory_is_nonzero mm/kasan/generic.c:104 [inline]
RIP: 0010:memory_is_poisoned_n mm/kasan/generic.c:129 [inline]
RIP: 0010:memory_is_poisoned mm/kasan/generic.c:161 [inline]
RIP: 0010:check_region_inline mm/kasan/generic.c:180 [inline]
RIP: 0010:kasan_check_range+0x9b/0x2c0 mm/kasan/generic.c:189
Code: 01 00 00 00 00 fc ff df 4d 8d 34 19 4d 89 f4 4d 29 dc 49 83 fc 10 7f 29 4d 85 e4 0f 84 41 01 00 00 4c 89 cb 48 f7 d3 4c 01 fb <41> 80 3b 00 0f 85 de 01 00 00 49 ff c3 48 ff c3 75 ee e9 21 01 00
RSP: 0018:ffffc90002f17528 EFLAGS: 00010286
RAX: 0000000200000001 RBX: ffffffffffffffff RCX: ffffffff844716b1
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff889030c7a2e0
RBP: ffffc90002f17930 R08: ffff889030c7a2e7 R09: 1ffff1120618f45c
R10: dffffc0000000000 R11: ffffed120618f45c R12: 0000000000000001
R13: dffffc0000000000 R14: ffffed120618f45d R15: 1ffff1120618f45c
FS:  0000000000000000(0000) GS:ffff888125c4f000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffed120618f45c CR3: 0000000022bdc000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 instrument_atomic_read include/linux/instrumented.h:68 [inline]
 _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
 bch2_bucket_bitmap_test fs/bcachefs/backpointers.h:194 [inline]
 bch2_bucket_is_movable fs/bcachefs/movinggc.c:78 [inline]
 bch2_copygc_get_buckets fs/bcachefs/movinggc.c:157 [inline]
 bch2_copygc+0xfb1/0x4380 fs/bcachefs/movinggc.c:221
 bch2_copygc_thread+0x97a/0xe00 fs/bcachefs/movinggc.c:409
 kthread+0x711/0x8a0 kernel/kthread.c:464
 ret_from_fork+0x3f9/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
Modules linked in:
CR2: ffffed120618f45c
---[ end trace 0000000000000000 ]---
RIP: 0010:bytes_is_nonzero mm/kasan/generic.c:87 [inline]
RIP: 0010:memory_is_nonzero mm/kasan/generic.c:104 [inline]
RIP: 0010:memory_is_poisoned_n mm/kasan/generic.c:129 [inline]
RIP: 0010:memory_is_poisoned mm/kasan/generic.c:161 [inline]
RIP: 0010:check_region_inline mm/kasan/generic.c:180 [inline]
RIP: 0010:kasan_check_range+0x9b/0x2c0 mm/kasan/generic.c:189
Code: 01 00 00 00 00 fc ff df 4d 8d 34 19 4d 89 f4 4d 29 dc 49 83 fc 10 7f 29 4d 85 e4 0f 84 41 01 00 00 4c 89 cb 48 f7 d3 4c 01 fb <41> 80 3b 00 0f 85 de 01 00 00 49 ff c3 48 ff c3 75 ee e9 21 01 00
RSP: 0018:ffffc90002f17528 EFLAGS: 00010286
RAX: 0000000200000001 RBX: ffffffffffffffff RCX: ffffffff844716b1
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff889030c7a2e0
RBP: ffffc90002f17930 R08: ffff889030c7a2e7 R09: 1ffff1120618f45c
R10: dffffc0000000000 R11: ffffed120618f45c R12: 0000000000000001
R13: dffffc0000000000 R14: ffffed120618f45d R15: 1ffff1120618f45c
FS:  0000000000000000(0000) GS:ffff888125c4f000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffed120618f45c CR3: 0000000022bdc000 CR4: 00000000003526f0
----------------
Code disassembly (best guess), 7 bytes skipped:
   0:	df 4d 8d             	fisttps -0x73(%rbp)
   3:	34 19                	xor    $0x19,%al
   5:	4d 89 f4             	mov    %r14,%r12
   8:	4d 29 dc             	sub    %r11,%r12
   b:	49 83 fc 10          	cmp    $0x10,%r12
   f:	7f 29                	jg     0x3a
  11:	4d 85 e4             	test   %r12,%r12
  14:	0f 84 41 01 00 00    	je     0x15b
  1a:	4c 89 cb             	mov    %r9,%rbx
  1d:	48 f7 d3             	not    %rbx
  20:	4c 01 fb             	add    %r15,%rbx
* 23:	41 80 3b 00          	cmpb   $0x0,(%r11) <-- trapping instruction
  27:	0f 85 de 01 00 00    	jne    0x20b
  2d:	49 ff c3             	inc    %r11
  30:	48 ff c3             	inc    %rbx
  33:	75 ee                	jne    0x23
  35:	e9                   	.byte 0xe9
  36:	21 01                	and    %eax,(%rcx)

Crashes (24):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2025/07/08 18:53 upstream d006330be3f7 4d9fdfa4 .config strace log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-upstream-fs BUG: unable to handle kernel paging request in bch2_copygc
2025/07/08 14:40 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 7482bb149b9f 4f67c4ae .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in bch2_copygc
2025/09/04 06:21 upstream b9a10f876409 d291dd2d .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: slab-use-after-free Read in bch2_copygc
2025/08/30 05:56 upstream fb679c832b64 807a3b61 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: slab-use-after-free Read in bch2_copygc
2025/08/27 05:43 upstream fab1beda7597 e12e5ba4 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: slab-use-after-free Read in bch2_copygc
2025/08/26 04:50 upstream b6add54ba618 bf27483f .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: slab-use-after-free Read in bch2_copygc
2025/08/15 17:30 upstream 8d084337a32f dcc075fb .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: slab-use-after-free Read in bch2_copygc
2025/08/11 13:01 upstream 8f5ae30d69d7 32a0e5ed .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: slab-use-after-free Read in bch2_copygc
2025/08/11 05:38 upstream 8f5ae30d69d7 32a0e5ed .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: slab-use-after-free Read in bch2_copygc
2025/08/11 03:01 upstream 2b38afce25c4 32a0e5ed .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: slab-use-after-free Read in bch2_copygc
2025/08/11 01:13 upstream 2b38afce25c4 32a0e5ed .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: slab-use-after-free Read in bch2_copygc
2025/08/09 23:54 upstream c30a13538d9f 32a0e5ed .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: slab-use-after-free Read in bch2_copygc
2025/08/01 21:57 upstream 89748acdf226 40127d41 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: slab-use-after-free Read in bch2_copygc
2025/07/27 02:10 upstream 302f88ff3584 fb8f743d .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: slab-use-after-free Read in bch2_copygc
2025/07/26 05:02 upstream 5f33ebd2018c fb8f743d .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: slab-use-after-free Read in bch2_copygc
2025/07/17 19:07 upstream e2291551827f 0ea0ca3f .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: slab-use-after-free Read in bch2_copygc
2025/07/04 12:14 upstream 4c06e63b9203 d869b261 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: slab-use-after-free Read in bch2_copygc
2025/06/28 17:58 upstream aaf724ed6926 fc9d8ee5 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: slab-use-after-free Read in bch2_copygc
2025/06/18 17:47 upstream 52da431bf03b ed3e87f7 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: slab-use-after-free Read in bch2_copygc
2025/06/14 05:22 upstream 18531f4d1c8c 0e8da31f .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: slab-use-after-free Read in bch2_copygc
2025/09/02 02:56 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 8f5ae30d69d7 807a3b61 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: slab-use-after-free Read in bch2_copygc
2025/09/01 09:56 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 8f5ae30d69d7 807a3b61 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: slab-use-after-free Read in bch2_copygc
2025/08/21 21:07 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 8f5ae30d69d7 0b9605c8 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: slab-use-after-free Read in bch2_copygc
2025/07/08 14:03 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 7482bb149b9f 4f67c4ae .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in bch2_copygc
* Struck through repros no longer work on HEAD.