syzbot


KASAN: null-ptr-deref Write in vfs_rmdir

Status: upstream: reported C repro on 2024/04/11 05:33
Reported-by: syzbot+adaf68663d8cf867260f@syzkaller.appspotmail.com
First crash: 20d, last: 1d02h
Similar bugs (3)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-5-15 KASAN: null-ptr-deref Write in vfs_rmdir origin:downstream C 5 8d19h 19d 0/2 upstream: reported C repro on 2024/04/11 17:58
android-6-1 KASAN: null-ptr-deref Write in vfs_rmdir origin:downstream C 38 1d18h 19d 0/2 upstream: reported C repro on 2024/04/11 09:39
android-5-10 KASAN: null-ptr-deref Write in vfs_rmdir C 88 1d01h 20d 0/2 upstream: reported C repro on 2024/04/11 05:14

Sample crash report:
 cleanup_mnt+0x44e/0x500 fs/namespace.c:1102
 task_work_run+0x140/0x170 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0xcaf/0x2bc0 kernel/exit.c:859
 do_group_exit+0x138/0x300 kernel/exit.c:982
 __do_sys_exit_group kernel/exit.c:993 [inline]
 __se_sys_exit_group kernel/exit.c:991 [inline]
 __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:991
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1
---[ end trace 9486d8cdf02dd3d2 ]---
==================================================================
BUG: KASAN: null-ptr-deref in atomic_add_return include/asm-generic/atomic-instrumented.h:71 [inline]
BUG: KASAN: null-ptr-deref in atomic_inc_return include/linux/atomic-fallback.h:284 [inline]
BUG: KASAN: null-ptr-deref in ihold+0x1b/0x50 fs/inode.c:421
Write of size 4 at addr 0000000000000160 by task syz-executor263/359

CPU: 0 PID: 359 Comm: syz-executor263 Tainted: G        W         5.4.268-syzkaller-00012-gd0d34dcb02cc #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d8/0x241 lib/dump_stack.c:118
 __kasan_report+0xe9/0x120 mm/kasan/report.c:520
 kasan_report+0x30/0x60 mm/kasan/common.c:653
 check_memory_region_inline mm/kasan/generic.c:141 [inline]
 check_memory_region+0x272/0x280 mm/kasan/generic.c:191
 atomic_add_return include/asm-generic/atomic-instrumented.h:71 [inline]
 atomic_inc_return include/linux/atomic-fallback.h:284 [inline]
 ihold+0x1b/0x50 fs/inode.c:421
 d_delete_notify include/linux/fsnotify.h:221 [inline]
 vfs_rmdir+0x1e0/0x3c0 fs/namei.c:3992
 incfs_kill_sb+0x105/0x200 fs/incfs/vfs.c:1944
 deactivate_locked_super+0xa8/0x110 fs/super.c:335
 deactivate_super+0x1e2/0x2a0 fs/super.c:366
 cleanup_mnt+0x44e/0x500 fs/namespace.c:1102
 task_work_run+0x140/0x170 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0xcaf/0x2bc0 kernel/exit.c:859
 do_group_exit+0x138/0x300 kernel/exit.c:982
 __do_sys_exit_group kernel/exit.c:993 [inline]
 __se_sys_exit_group kernel/exit.c:991 [inline]
 __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:991
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1
==================================================================
BUG: kernel NULL pointer dereference, address: 0000000000000160
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 0 P4D 0 
Oops: 0002 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 359 Comm: syz-executor263 Tainted: G    B   W         5.4.268-syzkaller-00012-gd0d34dcb02cc #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
RIP: 0010:arch_atomic_add_return arch/x86/include/asm/atomic.h:167 [inline]
RIP: 0010:atomic_add_return include/asm-generic/atomic-instrumented.h:72 [inline]
RIP: 0010:atomic_inc_return include/linux/atomic-fallback.h:284 [inline]
RIP: 0010:ihold+0x20/0x50 fs/inode.c:421
Code: 0f 1f 84 00 00 00 00 00 66 90 55 53 48 89 fb e8 d6 fd c2 ff 48 8d bb 60 01 00 00 be 04 00 00 00 e8 25 a5 f2 ff bd 01 00 00 00 <f0> 0f c1 ab 60 01 00 00 ff c5 bf 02 00 00 00 89 ee e8 9a 00 c3 ff
RSP: 0018:ffff8881dc277ae0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff8881dbf70fc0
RDX: 0000000000000000 RSI: 0000000000000002 RDI: 00000000ffffffff
RBP: 0000000000000001 R08: ffffffff813af685 R09: 0000000000000003
R10: ffffffffffffffff R11: dffffc0000000001 R12: 0000000000000000
R13: dffffc0000000000 R14: ffff8881dc9ec060 R15: 0000000000000000
FS:  0000555555fb2380(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000160 CR3: 00000001eda5b000 CR4: 00000000003406a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 d_delete_notify include/linux/fsnotify.h:221 [inline]
 vfs_rmdir+0x1e0/0x3c0 fs/namei.c:3992
 incfs_kill_sb+0x105/0x200 fs/incfs/vfs.c:1944
 deactivate_locked_super+0xa8/0x110 fs/super.c:335
 deactivate_super+0x1e2/0x2a0 fs/super.c:366
 cleanup_mnt+0x44e/0x500 fs/namespace.c:1102
 task_work_run+0x140/0x170 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0xcaf/0x2bc0 kernel/exit.c:859
 do_group_exit+0x138/0x300 kernel/exit.c:982
 __do_sys_exit_group kernel/exit.c:993 [inline]
 __se_sys_exit_group kernel/exit.c:991 [inline]
 __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:991
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1
Modules linked in:
CR2: 0000000000000160
---[ end trace 9486d8cdf02dd3d3 ]---
RIP: 0010:arch_atomic_add_return arch/x86/include/asm/atomic.h:167 [inline]
RIP: 0010:atomic_add_return include/asm-generic/atomic-instrumented.h:72 [inline]
RIP: 0010:atomic_inc_return include/linux/atomic-fallback.h:284 [inline]
RIP: 0010:ihold+0x20/0x50 fs/inode.c:421
Code: 0f 1f 84 00 00 00 00 00 66 90 55 53 48 89 fb e8 d6 fd c2 ff 48 8d bb 60 01 00 00 be 04 00 00 00 e8 25 a5 f2 ff bd 01 00 00 00 <f0> 0f c1 ab 60 01 00 00 ff c5 bf 02 00 00 00 89 ee e8 9a 00 c3 ff
RSP: 0018:ffff8881dc277ae0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff8881dbf70fc0
RDX: 0000000000000000 RSI: 0000000000000002 RDI: 00000000ffffffff
RBP: 0000000000000001 R08: ffffffff813af685 R09: 0000000000000003
R10: ffffffffffffffff R11: dffffc0000000001 R12: 0000000000000000
R13: dffffc0000000000 R14: ffff8881dc9ec060 R15: 0000000000000000
FS:  0000555555fb2380(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000160 CR3: 00000001eda5b000 CR4: 00000000003406a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	0f 1f 84 00 00 00 00 	nopl   0x0(%rax,%rax,1)
   7:	00
   8:	66 90                	xchg   %ax,%ax
   a:	55                   	push   %rbp
   b:	53                   	push   %rbx
   c:	48 89 fb             	mov    %rdi,%rbx
   f:	e8 d6 fd c2 ff       	call   0xffc2fdea
  14:	48 8d bb 60 01 00 00 	lea    0x160(%rbx),%rdi
  1b:	be 04 00 00 00       	mov    $0x4,%esi
  20:	e8 25 a5 f2 ff       	call   0xfff2a54a
  25:	bd 01 00 00 00       	mov    $0x1,%ebp
* 2a:	f0 0f c1 ab 60 01 00 	lock xadd %ebp,0x160(%rbx) <-- trapping instruction
  31:	00
  32:	ff c5                	inc    %ebp
  34:	bf 02 00 00 00       	mov    $0x2,%edi
  39:	89 ee                	mov    %ebp,%esi
  3b:	e8 9a 00 c3 ff       	call   0xffc300da

Crashes (25):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2024/04/11 18:14 android12-5.4 d0d34dcb02cc 95ed9ece .config strace log report syz C [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/04/11 09:54 android12-5.4 d0d34dcb02cc 33b9e058 .config strace log report syz C [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/04/11 05:32 android12-5.4 d0d34dcb02cc 33b9e058 .config strace log report syz C [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/04/30 07:12 android12-5.4 2d5d8240a7cb f10afd69 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/04/30 07:12 android12-5.4 2d5d8240a7cb f10afd69 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/04/29 19:45 android12-5.4 2d5d8240a7cb 27e33c58 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/04/29 19:43 android12-5.4 2d5d8240a7cb 27e33c58 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/04/29 19:43 android12-5.4 2d5d8240a7cb 27e33c58 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/04/29 19:41 android12-5.4 2d5d8240a7cb 27e33c58 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/04/29 19:41 android12-5.4 2d5d8240a7cb 27e33c58 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/04/29 09:28 android12-5.4 2d5d8240a7cb 27e33c58 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/04/24 11:39 android12-5.4 2d5d8240a7cb 21339d7b .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/04/24 10:11 android12-5.4 2d5d8240a7cb 21339d7b .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/04/24 10:04 android12-5.4 2d5d8240a7cb 21339d7b .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/04/22 12:14 android12-5.4 2d5d8240a7cb 36c961ad .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/04/19 21:08 android12-5.4 2d5d8240a7cb af24b050 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/04/19 11:52 android12-5.4 2d5d8240a7cb af24b050 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/04/18 10:29 android12-5.4 2d5d8240a7cb af24b050 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/04/17 20:54 android12-5.4 2d5d8240a7cb acc528cb .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/04/17 08:56 android12-5.4 2d5d8240a7cb 18f6e127 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/04/17 02:25 android12-5.4 2d5d8240a7cb 18f6e127 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/04/16 06:10 android12-5.4 2d5d8240a7cb 0d592ce4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/04/16 06:10 android12-5.4 2d5d8240a7cb 0d592ce4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/04/13 14:12 android12-5.4 d0d34dcb02cc c8349e48 .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir
2024/04/12 04:01 android12-5.4 d0d34dcb02cc 27de0a5c .config console log report info [disk image] [vmlinux] [kernel image] ci2-android-5-4-kasan KASAN: null-ptr-deref Write in vfs_rmdir