syzbot


KASAN: null-ptr-deref Read in fix_nodes

Status: upstream: reported C repro on 2023/04/15 23:10
Bug presence: origin:upstream
[Documentation on labels]
Reported-by: syzbot+96a6d1aee0cb04be440a@syzkaller.appspotmail.com
First crash: 403d, last: 32d
Bug presence (1)
Date Name Commit Repro Result
2023/05/28 upstream (ToT) 7877cb91f108 C [report] KASAN: null-ptr-deref Read in fix_nodes
Similar bugs (4)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-6.1 KASAN: null-ptr-deref Read in fix_nodes origin:upstream missing-backport C done 6 143d 402d 0/3 upstream: reported C repro on 2023/04/17 07:27
upstream KASAN: null-ptr-deref Read in fix_nodes reiserfs C done done 17 140d 408d 0/26 auto-obsoleted due to no activity on 2024/04/13 10:42
linux-4.19 general protection fault in fix_nodes C error 1 532d 532d 0/1 upstream: reported C repro on 2022/12/08 10:03
linux-4.14 general protection fault in fix_nodes syz error 1 525d 525d 0/1 upstream: reported syz repro on 2022/12/15 05:04
Fix bisection attempts (7)
Created Duration User Patch Repo Result
2024/04/20 23:40 1h41m bisect fix linux-5.15.y job log (0) log
2024/03/19 00:26 1h32m bisect fix linux-5.15.y job log (0) log
2024/02/16 11:05 1h28m bisect fix linux-5.15.y job log (0) log
2024/01/09 05:34 1h35m bisect fix linux-5.15.y job log (0) log
2023/11/28 11:16 1h27m bisect fix linux-5.15.y job log (0) log
2023/09/23 22:31 1h28m bisect fix linux-5.15.y job log (0) log
2023/06/28 04:26 46m bisect fix linux-5.15.y job log (0) log

Sample crash report:
REISERFS warning: reiserfs-5093 is_leaf: item entry count seems wrong *3.5*[2 1 0(1) DIR], item_len 35, item_location 4029, free_space(entry_count) 2
REISERFS error (device loop4): vs-5150 search_by_key: invalid format found in block 540. Fsck?
==================================================================
BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:71 [inline]
BUG: KASAN: null-ptr-deref in test_bit include/asm-generic/bitops/instrumented-non-atomic.h:134 [inline]
BUG: KASAN: null-ptr-deref in buffer_locked include/linux/buffer_head.h:122 [inline]
BUG: KASAN: null-ptr-deref in fix_nodes+0x44d/0x8c70 fs/reiserfs/fix_node.c:2578
Read of size 8 at addr 0000000000000000 by task syz-executor349/3583

CPU: 0 PID: 3583 Comm: syz-executor349 Not tainted 5.15.113-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
 __kasan_report mm/kasan/report.c:438 [inline]
 kasan_report+0x161/0x1c0 mm/kasan/report.c:451
 kasan_check_range+0x27e/0x290 mm/kasan/generic.c:189
 instrument_atomic_read include/linux/instrumented.h:71 [inline]
 test_bit include/asm-generic/bitops/instrumented-non-atomic.h:134 [inline]
 buffer_locked include/linux/buffer_head.h:122 [inline]
 fix_nodes+0x44d/0x8c70 fs/reiserfs/fix_node.c:2578
 reiserfs_cut_from_item+0x463/0x2560 fs/reiserfs/stree.c:1742
 reiserfs_do_truncate+0xa12/0x15b0 fs/reiserfs/stree.c:1973
 reiserfs_truncate_file+0x638/0xda0 fs/reiserfs/inode.c:2318
 reiserfs_setattr+0xa4d/0xf90 fs/reiserfs/inode.c:3409
 notify_change+0xd4d/0x1000 fs/attr.c:488
 do_truncate+0x21c/0x300 fs/open.c:65
 handle_truncate fs/namei.c:3195 [inline]
 do_open fs/namei.c:3542 [inline]
 path_openat+0x28a0/0x2f20 fs/namei.c:3672
 do_filp_open+0x21c/0x460 fs/namei.c:3699
 do_sys_openat2+0x13b/0x500 fs/open.c:1211
 do_sys_open fs/open.c:1227 [inline]
 __do_sys_open fs/open.c:1235 [inline]
 __se_sys_open fs/open.c:1231 [inline]
 __x64_sys_open+0x221/0x270 fs/open.c:1231
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7fd29449ee29
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fd28c4001f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 00007fd29451d7e8 RCX: 00007fd29449ee29
RDX: 0000000000000000 RSI: 000000000014937e RDI: 0000000020000180
RBP: 00007fd29451d7e0 R08: 00007fd28c400700 R09: 0000000000000000
R10: 00007fd28c400700 R11: 0000000000000246 R12: 00007fd29451d7ec
R13: 00007ffd6edb6f1f R14: 00007fd28c400300 R15: 0000000000022000
 </TASK>
==================================================================

Crashes (7):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2023/05/28 05:08 linux-5.15.y 1fe619a7d252 cf184559 .config console log report syz C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-5-15-kasan KASAN: null-ptr-deref Read in fix_nodes
2023/10/27 08:15 linux-5.15.y 12952a23a5da bf285f0c .config console log report syz [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-5-15-kasan KASAN: null-ptr-deref Read in fix_nodes
2023/07/12 06:31 linux-5.15.y d54cfc420586 2f19aa4f .config console log report syz [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-5-15-kasan KASAN: null-ptr-deref Read in fix_nodes
2023/12/10 05:34 linux-5.15.y 8a1d809b0545 28b24332 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: null-ptr-deref Read in fix_nodes
2023/10/27 06:17 linux-5.15.y 12952a23a5da bf285f0c .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: null-ptr-deref Read in fix_nodes
2023/10/18 08:27 linux-5.15.y 02e21884dcf2 342b9c55 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: null-ptr-deref Read in fix_nodes
2023/04/15 23:09 linux-5.15.y 4fdad925aa1a ec410564 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: null-ptr-deref Read in fix_nodes
* Struck through repros no longer work on HEAD.