syzbot

UBSAN: shift-out-of-bounds in gfs2_dir_read

Status: upstream: reported C repro on 2025/07/15 01:59
Reported-by: syzbot+949a6433cc143f529b9c@syzkaller.appspotmail.com
First crash: 2d16h, last: 2d00h
Similar bugs (3)

| Kernel | Title | Rank | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|---|
| linux-5.15 | UBSAN: shift-out-of-bounds in gfs2_dir_read (origin:upstream) | -1 | C | | | 7 | 1d22h | 2d15h | 0/3 | upstream: reported C repro on 2025/07/15 02:48 |
| upstream | UBSAN: shift-out-of-bounds in gfs2_dir_read (gfs2) | -1 | | | | 1 | 201d | 197d | 0/29 | auto-obsoleted due to no activity on 2025/04/06 22:03 |
| upstream | UBSAN: shift-out-of-bounds in gfs2_dir_read (2) (gfs2) | -1 | C | | | 11 | 2d11h | 3d00h | 2/29 | upstream: reported C repro on 2025/07/14 17:53 |

Sample crash report:
gfs2: fsid=syz:syz.s: journal 0 mapped with 5 extents in 0ms
gfs2: fsid=syz:syz.s: first mount done, others may mount
================================================================================
UBSAN: shift-out-of-bounds in fs/gfs2/dir.c:1541:15
shift exponent 32 is too large for 32-bit type 'u32' (aka 'unsigned int')
CPU: 1 PID: 4438 Comm: syz.0.16 Not tainted 6.1.145-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call trace:
 dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
 __dump_stack+0x30/0x40 lib/dump_stack.c:88
 dump_stack_lvl+0xf8/0x160 lib/dump_stack.c:106
 dump_stack+0x1c/0x5c lib/dump_stack.c:113
 ubsan_epilogue+0x14/0x48 lib/ubsan.c:151
 __ubsan_handle_shift_out_of_bounds+0x2b0/0x34c lib/ubsan.c:321
 dir_e_read fs/gfs2/dir.c:1541 [inline]
 gfs2_dir_read+0x1334/0x1378 fs/gfs2/dir.c:1582
 gfs2_readdir+0x160/0x1c0 fs/gfs2/file.c:115
 iterate_dir+0x1f0/0x4cc fs/readdir.c:-1
 __do_sys_getdents64 fs/readdir.c:369 [inline]
 __se_sys_getdents64 fs/readdir.c:354 [inline]
 __arm64_sys_getdents64+0x11c/0x318 fs/readdir.c:354
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2bc arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
 do_el0_svc+0x58/0x13c arch/arm64/kernel/syscall.c:204
 el0_svc+0x58/0x138 arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
================================================================================
gfs2: fsid=syz:syz.s: fatal: filesystem consistency error
  inode = 12 2341
  function = gfs2_dir_get_hash_table, file = fs/gfs2/dir.c, line = 350
gfs2: fsid=syz:syz.s: G:  s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1
gfs2: fsid=syz:syz.s:  H: s:SH f:H e:0 p:4438 [syz.0.16] iterate_dir+0x1f0/0x4cc fs/readdir.c:-1
gfs2: fsid=syz:syz.s:  I: n:12/2341 t:4 f:0x00 d:0x00000006 s:3864 p:0
gfs2: fsid=syz:syz.s: about to withdraw this file system
gfs2: fsid=syz:syz.s: Journal recovery skipped for jid 0 until next mount.
gfs2: fsid=syz:syz.s: Glock dequeues delayed: 0
gfs2: fsid=syz:syz.s: File system withdrawn
CPU: 0 PID: 4438 Comm: syz.0.16 Not tainted 6.1.145-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call trace:
 dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
 __dump_stack+0x30/0x40 lib/dump_stack.c:88
 dump_stack_lvl+0xf8/0x160 lib/dump_stack.c:106
 dump_stack+0x1c/0x5c lib/dump_stack.c:113
 gfs2_withdraw+0xf9c/0x13a8 fs/gfs2/util.c:366
 gfs2_consist_inode_i+0xf0/0x10c fs/gfs2/util.c:468
 gfs2_dir_get_hash_table+0x194/0x830 fs/gfs2/dir.c:350
 dir_e_read fs/gfs2/dir.c:1545 [inline]
 gfs2_dir_read+0x2b8/0x1378 fs/gfs2/dir.c:1582
 gfs2_readdir+0x160/0x1c0 fs/gfs2/file.c:115
 iterate_dir+0x1f0/0x4cc fs/readdir.c:-1
 __do_sys_getdents64 fs/readdir.c:369 [inline]
 __se_sys_getdents64 fs/readdir.c:354 [inline]
 __arm64_sys_getdents64+0x11c/0x318 fs/readdir.c:354
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2bc arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
 do_el0_svc+0x58/0x13c arch/arm64/kernel/syscall.c:204
 el0_svc+0x58/0x138 arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585

Crashes (4):

| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2025/07/15 17:18 | linux-6.1.y | f2198ea7eb3e | 03fcfc4b | .config | console log | report | syz / log | C | | [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] | ci2-linux-6-1-kasan-arm64 | UBSAN: shift-out-of-bounds in gfs2_dir_read |
| 2025/07/15 16:45 | linux-6.1.y | f2198ea7eb3e | 03fcfc4b | .config | console log | report | syz / log | C | | [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] | ci2-linux-6-1-kasan-arm64 | UBSAN: shift-out-of-bounds in gfs2_dir_read |
| 2025/07/15 01:59 | linux-6.1.y | f2198ea7eb3e | d8fc7335 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan-arm64 | UBSAN: shift-out-of-bounds in gfs2_dir_read |
| 2025/07/15 01:58 | linux-6.1.y | f2198ea7eb3e | d8fc7335 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan-arm64 | UBSAN: shift-out-of-bounds in gfs2_dir_read |