syzbot

 sign-in | mailing list | source | docs
🐞 Open [969] Subsystems 🐞 Fixed [4558] 🐞 Invalid [10510] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes 💬 Send us feedback

KASAN: null-ptr-deref Read in fix_nodes

Status: upstream: reported syz repro on 2023/04/11 06:54
Labels: reiserfs (incorrect?)
Reported-by: syzbot+5184326923f180b9d11a@syzkaller.appspotmail.com
First crash: 59d, last: 2d00h

Cause bisection: failed (error log, bisect log)
Discussions (1)
Title Replies (including bot) Last reply
[syzbot] [reiserfs?] KASAN: null-ptr-deref Read in fix_nodes 0 (2) 2023/05/01 14:32
Similar bugs (4)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-6.1 KASAN: null-ptr-deref Read in fix_nodes 1 46d 46d 0/3 upstream: reported on 2023/04/17 07:27
linux-5.15 KASAN: null-ptr-deref Read in fix_nodes origin:upstream C 2 5d10h 47d 0/3 upstream: reported C repro on 2023/04/15 23:10
linux-4.19 general protection fault in fix_nodes C error 1 176d 176d 0/1 upstream: reported C repro on 2022/12/08 10:03
linux-4.14 general protection fault in fix_nodes syz error 1 169d 169d 0/1 upstream: reported syz repro on 2022/12/15 05:04
Fix bisection attempts (1)
Created Duration User Patch Repo Result
2023/05/31 14:57 32m bisect fix upstream job log (0) log

Sample crash report:
REISERFS warning: reiserfs-5093 is_leaf: item entry count seems wrong *3.5*[2 1 0(1) DIR], item_len 35, item_location 4029, free_space(entry_count) 2
REISERFS error (device loop2): vs-5150 search_by_key: invalid format found in block 539. Fsck?
==================================================================
BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:68 [inline]
BUG: KASAN: null-ptr-deref in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: null-ptr-deref in buffer_locked include/linux/buffer_head.h:126 [inline]
BUG: KASAN: null-ptr-deref in fix_nodes+0x464/0x8660 fs/reiserfs/fix_node.c:2578
Read of size 8 at addr 0000000000000000 by task syz-executor.2/5390

CPU: 1 PID: 5390 Comm: syz-executor.2 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106
 print_report mm/kasan/report.c:465 [inline]
 kasan_report+0xec/0x130 mm/kasan/report.c:572
 check_region_inline mm/kasan/generic.c:181 [inline]
 kasan_check_range+0x141/0x190 mm/kasan/generic.c:187
 instrument_atomic_read include/linux/instrumented.h:68 [inline]
 _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
 buffer_locked include/linux/buffer_head.h:126 [inline]
 fix_nodes+0x464/0x8660 fs/reiserfs/fix_node.c:2578
 reiserfs_cut_from_item+0x2bd/0x1b20 fs/reiserfs/stree.c:1740
 reiserfs_do_truncate+0x630/0x1080 fs/reiserfs/stree.c:1971
 reiserfs_truncate_file+0x1b5/0x1070 fs/reiserfs/inode.c:2308
 reiserfs_setattr+0xddf/0x1370 fs/reiserfs/inode.c:3393
 notify_change+0xb2c/0x1180 fs/attr.c:483
 do_truncate+0x143/0x200 fs/open.c:66
 handle_truncate fs/namei.c:3295 [inline]
 do_open fs/namei.c:3640 [inline]
 path_openat+0x2083/0x2750 fs/namei.c:3791
 do_filp_open+0x1ba/0x410 fs/namei.c:3818
 do_sys_openat2+0x16d/0x4c0 fs/open.c:1356
 do_sys_open fs/open.c:1372 [inline]
 __do_sys_open fs/open.c:1380 [inline]
 __se_sys_open fs/open.c:1376 [inline]
 __x64_sys_open+0x11d/0x1c0 fs/open.c:1376
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f4ee868c169
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f4ee9456168 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 00007f4ee87ac120 RCX: 00007f4ee868c169
RDX: 0000000000000000 RSI: 000000000014937e RDI: 0000000020000180
RBP: 00007f4ee86e7ca1 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffe3e91162f R14: 00007f4ee9456300 R15: 0000000000022000
 </TASK>
==================================================================

Crashes (8):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2023/05/01 14:31 upstream 58390c8ce1bd 62df2017 .config console log report syz [disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] ci-upstream-kasan-gce-root KASAN: null-ptr-deref Read in fix_nodes
2023/05/01 14:07 upstream 58390c8ce1bd 62df2017 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root KASAN: null-ptr-deref Read in fix_nodes
2023/04/26 21:44 upstream 5c7ecada25d2 8d843721 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: null-ptr-deref Read in fix_nodes
2023/04/19 01:37 upstream af67688dca57 d931e9f0 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root KASAN: null-ptr-deref Read in fix_nodes
2023/04/04 06:31 upstream 148341f0a2f5 7db618d0 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root KASAN: null-ptr-deref Read in fix_nodes
2023/04/21 06:40 upstream 6a66fdd29ea1 2b32bd34 .config console log report info ci-qemu-upstream-386 KASAN: null-ptr-deref Read in fix_nodes
2023/04/25 02:48 linux-next 3b85b9b39960 fdc18293 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: null-ptr-deref Read in fix_nodes
2023/04/21 15:56 linux-next 44bf136283e5 2b32bd34 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: null-ptr-deref Read in fix_nodes
* Struck through repros no longer work on HEAD.