syzbot

 sign-in | mailing list | source | docs
🐞 Open [70]
🐞 Fixed [22]
🐞 Invalid [333]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

KASAN: null-ptr-deref Write in vfs_rmdir

Status: upstream: reported C repro on 2024/04/11 05:33
Reported-by: syzbot+adaf68663d8cf867260f@syzkaller.appspotmail.com
First crash: 224d, last: 24d
Similar bugs (3)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-5-15 KASAN: null-ptr-deref Write in vfs_rmdir origin:downstream C 6364 now 224d 0/2 upstream: reported C repro on 2024/04/11 17:58
android-6-1 KASAN: null-ptr-deref Write in vfs_rmdir origin:downstream C 4572 6h55m 224d 0/2 upstream: reported C repro on 2024/04/11 09:39
android-5-10 KASAN: null-ptr-deref Write in vfs_rmdir C 20254 9m 224d 0/2 upstream: reported C repro on 2024/04/11 05:14
Last patch testing requests (9)
Created Duration User Patch Repo Result
2024/10/28 10:51 11m retest repro android12-5.4 report log
2024/10/28 10:51 17m retest repro android12-5.4 report log
2024/10/28 10:51 13m retest repro android12-5.4 report log
2024/08/18 23:12 27m retest repro android12-5.4 report log
2024/08/18 23:12 23m retest repro android12-5.4 report log
2024/08/18 23:12 18m retest repro android12-5.4 report log
2024/06/09 20:42 20m retest repro android12-5.4 report log
2024/06/09 20:42 6m retest repro android12-5.4 report log
2024/06/09 20:42 5m retest repro android12-5.4 report log

Sample crash report:
 cleanup_mnt+0x44e/0x500 fs/namespace.c:1102
 task_work_run+0x140/0x170 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0xcaf/0x2bc0 kernel/exit.c:859
 do_group_exit+0x138/0x300 kernel/exit.c:982
 __do_sys_exit_group kernel/exit.c:993 [inline]
 __se_sys_exit_group kernel/exit.c:991 [inline]
 __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:991
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1
---[ end trace 9486d8cdf02dd3d2 ]---
==================================================================
BUG: KASAN: null-ptr-deref in atomic_add_return include/asm-generic/atomic-instrumented.h:71 [inline]
BUG: KASAN: null-ptr-deref in atomic_inc_return include/linux/atomic-fallback.h:284 [inline]
BUG: KASAN: null-ptr-deref in ihold+0x1b/0x50 fs/inode.c:421
Write of size 4 at addr 0000000000000160 by task syz-executor263/359

CPU: 0 PID: 359 Comm: syz-executor263 Tainted: G        W         5.4.268-syzkaller-00012-gd0d34dcb02cc #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d8/0x241 lib/dump_stack.c:118
 __kasan_report+0xe9/0x120 mm/kasan/report.c:520
 kasan_report+0x30/0x60 mm/kasan/common.c:653
 check_memory_region_inline mm/kasan/generic.c:141 [inline]
 check_memory_region+0x272/0x280 mm/kasan/generic.c:191
 atomic_add_return include/asm-generic/atomic-instrumented.h:71 [inline]
 atomic_inc_return include/linux/atomic-fallback.h:284 [inline]
 ihold+0x1b/0x50 fs/inode.c:421
 d_delete_notify include/linux/fsnotify.h:221 [inline]
 vfs_rmdir+0x1e0/0x3c0 fs/namei.c:3992
 incfs_kill_sb+0x105/0x200 fs/incfs/vfs.c:1944
 deactivate_locked_super+0xa8/0x110 fs/super.c:335
 deactivate_super+0x1e2/0x2a0 fs/super.c:366
 cleanup_mnt+0x44e/0x500 fs/namespace.c:1102
 task_work_run+0x140/0x170 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0xcaf/0x2bc0 kernel/exit.c:859
 do_group_exit+0x138/0x300 kernel/exit.c:982
 __do_sys_exit_group kernel/exit.c:993 [inline]
 __se_sys_exit_group kernel/exit.c:991 [inline]
 __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:991
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1
==================================================================
BUG: kernel NULL pointer dereference, address: 0000000000000160
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 0 P4D 0 
Oops: 0002 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 359 Comm: syz-executor263 Tainted: G    B   W         5.4.268-syzkaller-00012-gd0d34dcb02cc #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
RIP: 0010:arch_atomic_add_return arch/x86/include/asm/atomic.h:167 [inline]
RIP: 0010:atomic_add_return include/asm-generic/atomic-instrumented.h:72 [inline]
RIP: 0010:atomic_inc_return include/linux/atomic-fallback.h:284 [inline]
RIP: 0010:ihold+0x20/0x50 fs/inode.c:421
Code: 0f 1f 84 00 00 00 00 00 66 90 55 53 48 89 fb e8 d6 fd c2 ff 48 8d bb 60 01 00 00 be 04 00 00 00 e8 25 a5 f2 ff bd 01 00 00 00 <f0> 0f c1 ab 60 01 00 00 ff c5 bf 02 00 00 00 89 ee e8 9a 00 c3 ff
RSP: 0018:ffff8881dc277ae0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff8881dbf70fc0
RDX: 0000000000000000 RSI: 0000000000000002 RDI: 00000000ffffffff
RBP: 0000000000000001 R08: ffffffff813af685 R09: 0000000000000003
R10: ffffffffffffffff R11: dffffc0000000001 R12: 0000000000000000
R13: dffffc0000000000 R14: ffff8881dc9ec060 R15: 0000000000000000
FS:  0000555555fb2380(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000160 CR3: 00000001eda5b000 CR4: 00000000003406a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 d_delete_notify include/linux/fsnotify.h:221 [inline]
 vfs_rmdir+0x1e0/0x3c0 fs/namei.c:3992
 incfs_kill_sb+0x105/0x200 fs/incfs/vfs.c:1944
 deactivate_locked_super+0xa8/0x110 fs/super.c:335
 deactivate_super+0x1e2/0x2a0 fs/super.c:366
 cleanup_mnt+0x44e/0x500 fs/namespace.c:1102
 task_work_run+0x140/0x170 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0xcaf/0x2bc0 kernel/exit.c:859
 do_group_exit+0x138/0x300 kernel/exit.c:982
 __do_sys_exit_group kernel/exit.c:993 [inline]
 __se_sys_exit_group kernel/exit.c:991 [inline]
 __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:991
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1
Modules linked in:
CR2: 0000000000000160
---[ end trace 9486d8cdf02dd3d3 ]---
RIP: 0010:arch_atomic_add_return arch/x86/include/asm/atomic.h:167 [inline]
RIP: 0010:atomic_add_return include/asm-generic/atomic-instrumented.h:72 [inline]
RIP: 0010:atomic_inc_return include/linux/atomic-fallback.h:284 [inline]
RIP: 0010:ihold+0x20/0x50 fs/inode.c:421
Code: 0f 1f 84 00 00 00 00 00 66 90 55 53 48 89 fb e8 d6 fd c2 ff 48 8d bb 60 01 00 00 be 04 00 00 00 e8 25 a5 f2 ff bd 01 00 00 00 <f0> 0f c1 ab 60 01 00 00 ff c5 bf 02 00 00 00 89 ee e8 9a 00 c3 ff
RSP: 0018:ffff8881dc277ae0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff8881dbf70fc0
RDX: 0000000000000000 RSI: 0000000000000002 RDI: 00000000ffffffff
RBP: 0000000000000001 R08: ffffffff813af685 R09: 0000000000000003
R10: ffffffffffffffff R11: dffffc0000000001 R12: 0000000000000000
R13: dffffc0000000000 R14: ffff8881dc9ec060 R15: 0000000000000000
FS:  0000555555fb2380(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000160 CR3: 00000001eda5b000 CR4: 00000000003406a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	0f 1f 84 00 00 00 00 	nopl   0x0(%rax,%rax,1)
   7:	00
   8:	66 90                	xchg   %ax,%ax
   a:	55                   	push   %rbp
   b:	53                   	push   %rbx
   c:	48 89 fb             	mov    %rdi,%rbx
   f:	e8 d6 fd c2 ff       	call   0xffc2fdea
  14:	48 8d bb 60 01 00 00 	lea    0x160(%rbx),%rdi
  1b:	be 04 00 00 00       	mov    $0x4,%esi
  20:	e8 25 a5 f2 ff       	call   0xfff2a54a
  25:	bd 01 00 00 00       	mov    $0x1,%ebp
* 2a:	f0 0f c1 ab 60 01 00 	lock xadd %ebp,0x160(%rbx) <-- trapping instruction
  31:	00
  32:	ff c5                	inc    %ebp
  34:	bf 02 00 00 00       	mov    $0x2,%edi
  39:	89 ee                	mov    %ebp,%esi
  3b:	e8 9a 00 c3 ff       	call   0xffc300da

Crashes (137):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2024/04/11 18:14 android12-5.4 d0d34dcb02cc 95ed9ece .config strace log report syz C [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/04/11 09:54 android12-5.4 d0d34dcb02cc 33b9e058 .config strace log report syz C [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/04/11 05:32 android12-5.4 d0d34dcb02cc 33b9e058 .config strace log report syz C [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/07/03 16:20 android12-5.4 58de09405d1e 1ecfa2d8 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/07/03 12:27 android12-5.4 58de09405d1e 1ecfa2d8 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/07/03 09:27 android12-5.4 58de09405d1e 1ecfa2d8 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/07/03 05:40 android12-5.4 58de09405d1e 1ecfa2d8 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/07/03 05:01 android12-5.4 58de09405d1e 1ecfa2d8 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/07/03 04:39 android12-5.4 58de09405d1e 1ecfa2d8 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/07/03 01:27 android12-5.4 58de09405d1e 07f0a0a0 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/07/02 22:35 android12-5.4 58de09405d1e 07f0a0a0 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/07/02 13:47 android12-5.4 58de09405d1e 07f0a0a0 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/07/02 10:49 android12-5.4 58de09405d1e 07f0a0a0 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/07/02 09:59 android12-5.4 58de09405d1e 07f0a0a0 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/07/02 09:59 android12-5.4 58de09405d1e 07f0a0a0 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/07/02 09:59 android12-5.4 58de09405d1e 07f0a0a0 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/07/01 11:57 android12-5.4 4275fce9fe94 757f06b1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/07/01 11:57 android12-5.4 4275fce9fe94 757f06b1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/07/01 11:57 android12-5.4 4275fce9fe94 757f06b1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/06/26 01:18 android12-5.4 6f97bd951d82 dec8bc94 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/06/26 01:18 android12-5.4 6f97bd951d82 dec8bc94 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/06/26 01:18 android12-5.4 6f97bd951d82 dec8bc94 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/06/26 00:14 android12-5.4 6f97bd951d82 dec8bc94 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/06/26 00:13 android12-5.4 6f97bd951d82 dec8bc94 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/05/26 20:34 android12-5.4 8322246edffa a10a183e .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/05/15 04:24 android12-5.4 51cf29fc2bfc fdb4c10c .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/05/13 18:29 android12-5.4 51cf29fc2bfc 9026e142 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/05/06 06:42 android12-5.4 51cf29fc2bfc 610f2a54 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/05/02 02:19 android12-5.4 2d5d8240a7cb 3ba885bc .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/04/30 07:12 android12-5.4 2d5d8240a7cb f10afd69 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/04/30 07:12 android12-5.4 2d5d8240a7cb f10afd69 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/04/29 19:45 android12-5.4 2d5d8240a7cb 27e33c58 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/04/29 19:43 android12-5.4 2d5d8240a7cb 27e33c58 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/04/29 19:43 android12-5.4 2d5d8240a7cb 27e33c58 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/04/29 19:41 android12-5.4 2d5d8240a7cb 27e33c58 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/04/29 19:41 android12-5.4 2d5d8240a7cb 27e33c58 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/04/29 09:28 android12-5.4 2d5d8240a7cb 27e33c58 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/04/24 11:39 android12-5.4 2d5d8240a7cb 21339d7b .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/04/24 10:11 android12-5.4 2d5d8240a7cb 21339d7b .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/04/24 10:04 android12-5.4 2d5d8240a7cb 21339d7b .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/04/22 12:14 android12-5.4 2d5d8240a7cb 36c961ad .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/04/19 21:08 android12-5.4 2d5d8240a7cb af24b050 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/04/19 11:52 android12-5.4 2d5d8240a7cb af24b050 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/04/18 10:29 android12-5.4 2d5d8240a7cb af24b050 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/04/17 20:54 android12-5.4 2d5d8240a7cb acc528cb .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/04/17 08:56 android12-5.4 2d5d8240a7cb 18f6e127 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/04/17 02:25 android12-5.4 2d5d8240a7cb 18f6e127 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/04/16 06:10 android12-5.4 2d5d8240a7cb 0d592ce4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
* Struck through repros no longer work on HEAD.