KASAN: null-ptr-deref Read in do_journal

Date	Name	Commit	Repro	Result
2023/07/16	upstream (ToT)	831fe284d827	C	[report] UBSAN: array-index-out-of-bounds in do_journal_end

Date

Name

Commit

Repro

Result

2023/07/16

upstream (ToT)

831fe284d827

[report] UBSAN: array-index-out-of-bounds in do_journal_end

Kernel	Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
linux-6.1	BUG: unable to handle kernel paging request in do_journal_end origin:upstream	C			3	17d	303d	0/3	upstream: reported C repro on 2023/08/21 09:50
upstream	KASAN: null-ptr-deref Read in do_journal_end (2) reiserfs	C	error	done	40699	163d	689d	0/27	auto-obsoleted due to no activity on 2024/03/18 13:22
upstream	KASAN: null-ptr-deref Read in do_journal_end reiserfs				1	970d	965d	0/27	auto-closed as invalid on 2022/02/20 18:03
linux-4.19	general protection fault in do_journal_end reiserfs	C		error	3	518d	567d	0/1	upstream: reported C repro on 2022/11/30 04:17
linux-4.14	general protection fault in do_journal_end reiserfs	C			2	494d	531d	0/1	upstream: reported C repro on 2023/01/05 12:44

Unable to handle kernel paging request at virtual address dfff800000000000 Mem abort info: ESR = 0x0000000096000006 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x06: level 2 translation fault Data abort info: ISV = 0, ISS = 0x00000006 CM = 0, WnR = 0 [dfff800000000000] address between user and kernel address ranges Internal error: Oops: 96000006 [#1] PREEMPT SMP Modules linked in: CPU: 0 PID: 3996 Comm: syz-executor152 Not tainted 5.15.120-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/03/2023 pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : arch_test_bit include/asm-generic/bitops/non-atomic.h:118 [inline] pc : set_buffer_uptodate include/linux/buffer_head.h:147 [inline] pc : do_journal_end+0xf7c/0x3c50 fs/reiserfs/journal.c:4077 lr : __getblk include/linux/buffer_head.h:416 [inline] lr : do_journal_end+0xf74/0x3c50 fs/reiserfs/journal.c:4074 sp : ffff80001cb975f0 x29: ffff80001cb97750 x28: ffff0000d78b8678 x27: 1ffff00003bbb20b x26: 0000000000000000 x25: 0000000000000000 x24: ffff0000dcc3b017 x23: ffff0000d78b8018 x22: ffff80001ddd9040 x21: 0000000006393dfe x20: ffff0000c058d240 x19: dfff800000000000 x18: ffff80001cb96900 x17: ff8080000889b904 x16: ffff80000824cbf4 x15: ffff800008a089e8 x14: 1ffff0000291e06a x13: ffffffffffffffff x12: 0000000000000000 x11: ff80800008a6a4c4 x10: 0000000000000000 x9 : ffff800008a6a4c4 x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000 x5 : 0000000000000000 x4 : 0000000000000008 x3 : ffff800008a705b8 x2 : 0000000000000001 x1 : 0000000000000003 x0 : 0000000000000000 Call trace: __getblk include/linux/buffer_head.h:416 [inline] do_journal_end+0xf7c/0x3c50 fs/reiserfs/journal.c:4074 journal_end_sync+0x164/0x1d0 fs/reiserfs/journal.c:3533 reiserfs_sync_fs+0xd4/0x150 fs/reiserfs/super.c:78 sync_filesystem+0xe8/0x218 fs/sync.c:56 generic_shutdown_super+0x70/0x29c fs/super.c:448 kill_block_super+0x70/0xdc fs/super.c:1405 reiserfs_kill_sb+0x134/0x14c fs/reiserfs/super.c:570 deactivate_locked_super+0xb8/0x13c fs/super.c:335 deactivate_super+0x108/0x128 fs/super.c:366 cleanup_mnt+0x3c0/0x474 fs/namespace.c:1143 __cleanup_mnt+0x20/0x30 fs/namespace.c:1150 task_work_run+0x130/0x1e4 kernel/task_work.c:164 tracehook_notify_resume include/linux/tracehook.h:189 [inline] do_notify_resume+0x262c/0x32b8 arch/arm64/kernel/signal.c:946 prepare_exit_to_user_mode arch/arm64/kernel/entry-common.c:133 [inline] exit_to_user_mode arch/arm64/kernel/entry-common.c:138 [inline] el0_svc+0xfc/0x1f0 arch/arm64/kernel/entry-common.c:597 el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:614 el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584 Code: f81b03b7 97f60470 d343fc08 aa0003fa (38736908) ---[ end trace f3d2883a97d76a0e ]--- ---------------- Code disassembly (best guess): 0: f81b03b7 stur x23, [x29, #-80] 4: 97f60470 bl 0xffffffffffd811c4 8: d343fc08 lsr x8, x0, #3 c: aa0003fa mov x26, x0 * 10: 38736908 ldrb w8, [x8, x19] <-- trapping instruction

Crashes (6):
Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Assets (help?)	Manager	Title
2023/07/16 15:05	linux-5.15.y	d54cfc420586	35d9ecc5	.config	console log	report	syz	C		[disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] [mounted in repro #3]	ci2-linux-5-15-kasan-arm64	BUG: unable to handle kernel paging request in do_journal_end
2023/10/17 09:05	linux-5.15.y	02e21884dcf2	342b9c55	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci2-linux-5-15-kasan	KASAN: null-ptr-deref Read in do_journal_end
2023/07/05 09:12	linux-5.15.y	4af60700a60c	80298b6f	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci2-linux-5-15-kasan	KASAN: null-ptr-deref Read in do_journal_end
2023/04/06 14:34	linux-5.15.y	d86dfc4d95cd	08707520	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci2-linux-5-15-kasan	KASAN: null-ptr-deref Read in do_journal_end
2023/07/16 08:22	linux-5.15.y	d54cfc420586	35d9ecc5	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci2-linux-5-15-kasan-arm64	BUG: unable to handle kernel paging request in do_journal_end
2023/06/04 12:15	linux-5.15.y	0ab06468cbd1	a4ae4f42	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci2-linux-5-15-kasan-arm64	BUG: unable to handle kernel paging request in do_journal_end

Crashes (6):

Assets (help?)