syzbot

 sign-in | mailing list | source | docs
🐞 Open [985] Subsystems 🐞 Fixed [5216] 🐞 Invalid [12474] Missing Backports [82] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes 💬 Send us feedback

KASAN: null-ptr-deref Read in fix_nodes

Status: auto-obsoleted due to no activity on 2024/04/13 10:42
Subsystems: reiserfs
[Documentation on labels]
Reported-by: syzbot+5184326923f180b9d11a@syzkaller.appspotmail.com
First crash: 381d, last: 106d
Cause bisection: introduced by (bisect log) :
commit d24396c5290ba8ab04ba505176874c4e04a2d53c
Author: Rustam Kovhaev <rkovhaev@gmail.com>
Date: Sun Nov 1 14:09:58 2020 +0000

  reiserfs: add check for an invalid ih_entry_count

Crash: invalid opcode in journal_release (log)
Repro: C syz .config
  
Fix bisection: fixed by (bisect log) :
commit 6f861765464f43a71462d52026fbddfc858239a5
Author: Jan Kara <jack@suse.cz>
Date: Wed Nov 1 17:43:10 2023 +0000

  fs: Block writes to mounted block devices

  
Discussions (2)
Title Replies (including bot) Last reply
[syzbot] [reiserfs?] KASAN: null-ptr-deref Read in fix_nodes 0 (5) 2024/02/23 16:46
Fixing syzkaller bugs 1 (1) 2023/07/18 15:43
Similar bugs (4)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-6.1 KASAN: null-ptr-deref Read in fix_nodes origin:upstream missing-backport C done 6 109d 368d 0/3 upstream: reported C repro on 2023/04/17 07:27
linux-5.15 KASAN: null-ptr-deref Read in fix_nodes origin:upstream C 7 31d 369d 0/3 upstream: reported C repro on 2023/04/15 23:10
linux-4.19 general protection fault in fix_nodes C error 1 498d 498d 0/1 upstream: reported C repro on 2022/12/08 10:03
linux-4.14 general protection fault in fix_nodes syz error 1 491d 491d 0/1 upstream: reported syz repro on 2022/12/15 05:04
Last patch testing requests (9)
Created Duration User Patch Repo Result
2024/02/17 20:09 42m retest repro upstream OK log
2024/01/23 16:01 28m retest repro upstream OK log
2024/01/23 16:01 2h26m retest repro upstream OK log
2024/01/20 17:00 23m retest repro upstream OK log
2023/12/07 20:27 17m retest repro upstream report log
2023/11/12 22:42 14m retest repro upstream report log
2023/11/12 22:42 19m retest repro upstream report log
2023/09/28 19:57 24m retest repro upstream report log
2023/08/29 00:34 13m retest repro upstream report log
Fix bisection attempts (3)
Created Duration User Patch Repo Result
2024/02/23 06:34 10h11m bisect fix upstream job log (1)
2023/07/20 11:18 1h47m bisect fix upstream job log (0) log
2023/05/31 14:57 32m bisect fix upstream job log (0) log
Cause bisection attempts (2)
Created Duration User Patch Repo Result
2023/09/23 14:21 9h39m bisect upstream job log (1) log
2023/05/04 02:10 8h26m bisect upstream error job log (0)
marked invalid by nogikh@google.com

Sample crash report:
REISERFS warning: reiserfs-5093 is_leaf: item entry count seems wrong *3.5*[2 1 0(1) DIR], item_len 35, item_location 4029, free_space(entry_count) 2
REISERFS error (device loop0): vs-5150 search_by_key: invalid format found in block 540. Fsck?
==================================================================
BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:68 [inline]
BUG: KASAN: null-ptr-deref in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: null-ptr-deref in buffer_locked include/linux/buffer_head.h:124 [inline]
BUG: KASAN: null-ptr-deref in fix_nodes+0x4b2/0x8ae0 fs/reiserfs/fix_node.c:2579
Read of size 8 at addr 0000000000000000 by task syz-executor256/11251

CPU: 1 PID: 11251 Comm: syz-executor256 Not tainted 6.7.0-rc6-syzkaller-00078-ga4aebe936554 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
 kasan_report+0xda/0x110 mm/kasan/report.c:588
 check_region_inline mm/kasan/generic.c:181 [inline]
 kasan_check_range+0xef/0x190 mm/kasan/generic.c:187
 instrument_atomic_read include/linux/instrumented.h:68 [inline]
 _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
 buffer_locked include/linux/buffer_head.h:124 [inline]
 fix_nodes+0x4b2/0x8ae0 fs/reiserfs/fix_node.c:2579
 reiserfs_cut_from_item+0x26a/0x1a10 fs/reiserfs/stree.c:1740
 reiserfs_do_truncate+0x672/0x10b0 fs/reiserfs/stree.c:1971
 reiserfs_truncate_file+0x1bf/0x940 fs/reiserfs/inode.c:2302
 reiserfs_setattr+0x9c3/0x12a0 fs/reiserfs/inode.c:3388
 notify_change+0x742/0x11c0 fs/attr.c:499
 do_truncate+0x15c/0x220 fs/open.c:66
 handle_truncate fs/namei.c:3280 [inline]
 do_open fs/namei.c:3626 [inline]
 path_openat+0x2597/0x2c50 fs/namei.c:3779
 do_filp_open+0x1de/0x430 fs/namei.c:3809
 do_sys_openat2+0x176/0x1e0 fs/open.c:1437
 do_sys_open fs/open.c:1452 [inline]
 __do_sys_creat fs/open.c:1528 [inline]
 __se_sys_creat fs/open.c:1522 [inline]
 __x64_sys_creat+0xcd/0x120 fs/open.c:1522
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7fb36c4e9589
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 d1 1c 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fb36bc9f168 EFLAGS: 00000246 ORIG_RAX: 0000000000000055
RAX: ffffffffffffffda RBX: 00007fb36c5964a8 RCX: 00007fb36c4e9589
RDX: 00007fb36c4e9589 RSI: 0000000000000000 RDI: 0000000020000340
RBP: 00007fb36c5964a0 R08: 00007fb36bc9f6c0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb36c5964ac
R13: 0000000000000016 R14: 00007fff04bfe6c0 R15: 00007fff04bfe7a8
 </TASK>
==================================================================

Crashes (17):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2023/12/22 04:13 upstream a4aebe936554 4f9530a3 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] ci-upstream-kasan-gce-selinux-root KASAN: null-ptr-deref Read in fix_nodes
2023/10/29 18:00 upstream 2af9b20dbb39 3c418d72 .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-kasan-gce-root KASAN: null-ptr-deref Read in fix_nodes
2023/06/15 21:25 upstream b6dad5178cea 757d26ed .config strace log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] ci-upstream-kasan-gce-root KASAN: null-ptr-deref Read in fix_nodes
2023/05/01 14:31 upstream 58390c8ce1bd 62df2017 .config console log report syz [disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] ci-upstream-kasan-gce-root KASAN: null-ptr-deref Read in fix_nodes
2024/01/04 10:41 upstream ac865f00af29 28c42cff .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root KASAN: null-ptr-deref Read in fix_nodes
2023/10/29 16:29 upstream 2af9b20dbb39 3c418d72 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root KASAN: null-ptr-deref Read in fix_nodes
2023/10/14 05:10 upstream ad7f1baed071 6388bc36 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root KASAN: null-ptr-deref Read in fix_nodes
2023/10/02 12:04 upstream 8a749fd1a872 8e26a358 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root KASAN: null-ptr-deref Read in fix_nodes
2023/06/09 20:20 upstream 33f2b5785a2b 9018a337 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: null-ptr-deref Read in fix_nodes
2023/05/01 14:07 upstream 58390c8ce1bd 62df2017 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root KASAN: null-ptr-deref Read in fix_nodes
2023/04/26 21:44 upstream 5c7ecada25d2 8d843721 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: null-ptr-deref Read in fix_nodes
2023/04/19 01:37 upstream af67688dca57 d931e9f0 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root KASAN: null-ptr-deref Read in fix_nodes
2023/04/04 06:31 upstream 148341f0a2f5 7db618d0 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root KASAN: null-ptr-deref Read in fix_nodes
2023/04/21 06:40 upstream 6a66fdd29ea1 2b32bd34 .config console log report info ci-qemu-upstream-386 KASAN: null-ptr-deref Read in fix_nodes
2023/10/22 19:49 linux-next 2030579113a1 361b23dc .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: null-ptr-deref Read in fix_nodes
2023/04/25 02:48 linux-next 3b85b9b39960 fdc18293 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: null-ptr-deref Read in fix_nodes
2023/04/21 15:56 linux-next 44bf136283e5 2b32bd34 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: null-ptr-deref Read in fix_nodes
* Struck through repros no longer work on HEAD.