syzbot

 sign-in | mailing list | source | docs
🐞 Open [818]
🐞 Fixed [76]
🐞 Invalid [989]
Missing Backports [121]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

UBSAN: array-index-out-of-bounds in dtReadFirst

Status: upstream: reported C repro on 2024/04/28 12:32
Bug presence: origin:upstream
[Documentation on labels]
Reported-by: syzbot+77ed0aca57849509422b@syzkaller.appspotmail.com
First crash: 496d, last: 46d
Fix bisection: failed (error log, bisect log)
  
Bug presence (1)
Date Name Commit Repro Result
2025/04/30 upstream (ToT) 7a13c14ee59d C [report] KASAN: slab-out-of-bounds Read in dtReadFirst
Similar bugs (4)
Kernel Title Rank 🛈 Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-6.1 UBSAN: array-index-out-of-bounds in dtReadFirst origin:lts-only 19 C error 23 121d 285d 0/3 upstream: reported C repro on 2024/11/25 10:09
upstream UBSAN: array-index-out-of-bounds in dtReadFirst jfs 19 C error 200 266d 493d 28/29 fixed on 2024/12/16 09:50
upstream UBSAN: array-index-out-of-bounds in dtReadFirst (2) jfs 19 C error 119 131d 259d 28/29 fixed on 2025/06/10 16:19
upstream KASAN: slab-out-of-bounds Read in dtReadFirst jfs 19 C error 12 12d 59d 0/29 upstream: reported C repro on 2025/07/09 11:02
Last patch testing requests (6)
Created Duration User Patch Repo Result
2025/07/23 00:54 12m retest repro linux-5.15.y report log
2025/05/11 12:10 11m retest repro linux-5.15.y report log
2025/04/26 12:40 19m retest repro linux-5.15.y OK log
2025/02/03 04:50 18m retest repro linux-5.15.y report log
2024/12/31 03:15 1h18m retest repro linux-5.15.y OK log
2024/12/31 03:15 20m retest repro linux-5.15.y OK log

Sample crash report:
loop0: detected capacity change from 0 to 32768
==================================================================
BUG: KASAN: slab-out-of-bounds in addressPXD fs/jfs/jfs_types.h:80 [inline]
BUG: KASAN: slab-out-of-bounds in dtReadFirst+0x3f4/0x78c fs/jfs/jfs_dtree.c:3404
Read of size 4 at addr ffff0000dc3c4050 by task syz-executor125/4018

CPU: 0 PID: 4018 Comm: syz-executor125 Not tainted 5.15.180-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call trace:
 dump_backtrace+0x0/0x43c arch/arm64/kernel/stacktrace.c:152
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216
 __dump_stack+0x30/0x40 lib/dump_stack.c:88
 dump_stack_lvl+0xf8/0x160 lib/dump_stack.c:106
 print_address_description+0x78/0x30c mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:434 [inline]
 kasan_report+0xec/0x15c mm/kasan/report.c:451
 __asan_report_load4_noabort+0x44/0x50 mm/kasan/report_generic.c:308
 addressPXD fs/jfs/jfs_types.h:80 [inline]
 dtReadFirst+0x3f4/0x78c fs/jfs/jfs_dtree.c:3404
 jfs_readdir+0x628/0x3024 fs/jfs/jfs_dtree.c:3117
 iterate_dir+0x1f0/0x4cc fs/readdir.c:-1
 __do_sys_getdents64 fs/readdir.c:369 [inline]
 __se_sys_getdents64 fs/readdir.c:354 [inline]
 __arm64_sys_getdents64+0x11c/0x340 fs/readdir.c:354
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
 el0_svc+0x78/0x1e0 arch/arm64/kernel/entry-common.c:608
 el0t_64_sync_handler+0xcc/0xe4 arch/arm64/kernel/entry-common.c:626
 el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584

Allocated by task 4018:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 __kasan_slab_alloc+0x8c/0xcc mm/kasan/common.c:467
 kasan_slab_alloc include/linux/kasan.h:254 [inline]
 slab_post_alloc_hook+0x74/0x408 mm/slab.h:519
 slab_alloc_node mm/slub.c:3220 [inline]
 slab_alloc mm/slub.c:3228 [inline]
 kmem_cache_alloc+0x1e0/0x3e4 mm/slub.c:3233
 jfs_alloc_inode+0x24/0x60 fs/jfs/super.c:105
 alloc_inode fs/inode.c:261 [inline]
 new_inode_pseudo+0x68/0x1fc fs/inode.c:1001
 new_inode+0x38/0x174 fs/inode.c:1030
 ialloc+0x54/0x7a4 fs/jfs/jfs_inode.c:48
 jfs_create+0x170/0x8c4 fs/jfs/namei.c:92
 lookup_open fs/namei.c:3462 [inline]
 open_last_lookups fs/namei.c:3532 [inline]
 path_openat+0x1144/0x26e4 fs/namei.c:3739
 do_filp_open+0x164/0x330 fs/namei.c:3769
 do_sys_openat2+0x128/0x3d8 fs/open.c:1253
 do_sys_open fs/open.c:1269 [inline]
 __do_sys_openat fs/open.c:1285 [inline]
 __se_sys_openat fs/open.c:1280 [inline]
 __arm64_sys_openat+0x120/0x154 fs/open.c:1280
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
 el0_svc+0x78/0x1e0 arch/arm64/kernel/entry-common.c:608
 el0t_64_sync_handler+0xcc/0xe4 arch/arm64/kernel/entry-common.c:626
 el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584

The buggy address belongs to the object at ffff0000dc3c3780
 which belongs to the cache jfs_ip of size 2240
The buggy address is located 16 bytes to the right of
 2240-byte region [ffff0000dc3c3780, ffff0000dc3c4040)
The buggy address belongs to the page:
page:0000000043a8212e refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11c3c0
head:0000000043a8212e order:3 compound_mapcount:0 compound_pincount:0
flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000010200 0000000000000000 dead000000000122 ffff0000c2a3ea80
raw: 0000000000000000 00000000800d000d 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000dc3c3f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff0000dc3c3f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff0000dc3c4000: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
                                                 ^
 ffff0000dc3c4080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff0000dc3c4100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
ERROR: (device loop0): dtReadFirst: btstack overrun

ERROR: (device loop0): remounting filesystem as read-only
btstack dump:
bn = 0, index = 0
bn = 0, index = 0
bn = 0, index = 0
bn = 0, index = 0
bn = 0, index = 0
bn = 0, index = 0
bn = 0, index = 0
bn = 0, index = 0

Crashes (32):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2025/04/27 10:45 linux-5.15.y f7347f400572 c6b4fb39 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] ci2-linux-5-15-kasan-arm64 KASAN: slab-out-of-bounds Read in dtReadFirst
2025/04/09 06:17 linux-5.15.y 0c935c049b5c a775275d .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan UBSAN: array-index-out-of-bounds in dtReadFirst
2025/04/09 06:17 linux-5.15.y 0c935c049b5c a775275d .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan UBSAN: array-index-out-of-bounds in dtReadFirst
2025/02/23 11:51 linux-5.15.y c16c81c81336 d34966d1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan UBSAN: array-index-out-of-bounds in dtReadFirst
2025/02/16 19:01 linux-5.15.y c16c81c81336 40a34ec9 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan UBSAN: array-index-out-of-bounds in dtReadFirst
2025/02/16 19:01 linux-5.15.y c16c81c81336 40a34ec9 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan UBSAN: array-index-out-of-bounds in dtReadFirst
2025/01/20 03:34 linux-5.15.y 4735586da88e f2cb035c .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-5-15-kasan UBSAN: array-index-out-of-bounds in dtReadFirst
2025/01/20 03:09 linux-5.15.y 4735586da88e f2cb035c .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan UBSAN: array-index-out-of-bounds in dtReadFirst
2024/12/01 23:23 linux-5.15.y 0a51d2d4527b 68914665 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan UBSAN: array-index-out-of-bounds in dtReadFirst
2024/12/01 23:21 linux-5.15.y 0a51d2d4527b 68914665 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan UBSAN: array-index-out-of-bounds in dtReadFirst
2024/11/26 05:26 linux-5.15.y 0a51d2d4527b 11dbc254 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan UBSAN: array-index-out-of-bounds in dtReadFirst
2025/04/09 03:39 linux-5.15.y 0c935c049b5c a775275d .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 UBSAN: array-index-out-of-bounds in dtReadFirst
2025/04/09 03:39 linux-5.15.y 0c935c049b5c a775275d .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 UBSAN: array-index-out-of-bounds in dtReadFirst
2025/03/30 10:06 linux-5.15.y 0c935c049b5c d3999433 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 UBSAN: array-index-out-of-bounds in dtReadFirst
2025/03/02 11:23 linux-5.15.y c16c81c81336 c3901742 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 UBSAN: array-index-out-of-bounds in dtReadFirst
2025/02/28 07:19 linux-5.15.y c16c81c81336 6a8fcbc4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 UBSAN: array-index-out-of-bounds in dtReadFirst
2025/02/17 00:31 linux-5.15.y c16c81c81336 40a34ec9 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 UBSAN: array-index-out-of-bounds in dtReadFirst
2024/12/01 23:13 linux-5.15.y 0a51d2d4527b 68914665 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 UBSAN: array-index-out-of-bounds in dtReadFirst
2024/12/01 23:11 linux-5.15.y 0a51d2d4527b 68914665 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 UBSAN: array-index-out-of-bounds in dtReadFirst
2024/11/26 03:48 linux-5.15.y 0a51d2d4527b 11dbc254 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 UBSAN: array-index-out-of-bounds in dtReadFirst
2024/11/26 03:48 linux-5.15.y 0a51d2d4527b 11dbc254 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 UBSAN: array-index-out-of-bounds in dtReadFirst
2024/10/05 21:53 linux-5.15.y 3a5928702e71 d7906eff .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-5-15-kasan-arm64 UBSAN: array-index-out-of-bounds in dtReadFirst
2024/10/05 21:22 linux-5.15.y 3a5928702e71 d7906eff .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 UBSAN: array-index-out-of-bounds in dtReadFirst
2024/05/27 23:22 linux-5.15.y c61bd26ae81a 761766e6 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 UBSAN: array-index-out-of-bounds in dtReadFirst
2024/05/27 22:08 linux-5.15.y c61bd26ae81a 761766e6 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 UBSAN: array-index-out-of-bounds in dtReadFirst
2024/05/12 13:01 linux-5.15.y 284087d4f7d5 9026e142 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 UBSAN: array-index-out-of-bounds in dtReadFirst
2024/04/28 13:09 linux-5.15.y b925f60c6ee7 07b455f9 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-5-15-kasan-arm64 UBSAN: array-index-out-of-bounds in dtReadFirst
2024/04/28 12:31 linux-5.15.y b925f60c6ee7 07b455f9 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 UBSAN: array-index-out-of-bounds in dtReadFirst
2025/02/05 10:19 linux-5.15.y c16c81c81336 5896748e .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: slab-out-of-bounds Read in dtReadFirst
2025/02/05 03:49 linux-5.15.y c16c81c81336 5896748e .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: slab-out-of-bounds Read in dtReadFirst
2025/04/27 10:14 linux-5.15.y f7347f400572 c6b4fb39 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 KASAN: slab-out-of-bounds Read in dtReadFirst
2025/02/16 23:52 linux-5.15.y c16c81c81336 40a34ec9 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 KASAN: slab-out-of-bounds Read in dtReadFirst
* Struck through repros no longer work on HEAD.