syzbot

RBP: 0000000000000016 R08: 00007fff193d8d36 R09: 00007fff193dc250
R10: 000000000000000a R11: 0000000000000246 R12: 00007fff193dc250
---[ end trace 0c4339d171affb48 ]---
==================================================================
BUG: KASAN: null-ptr-deref in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
BUG: KASAN: null-ptr-deref in atomic_inc_return include/asm-generic/atomic-instrumented.h:250 [inline]
BUG: KASAN: null-ptr-deref in ihold+0x20/0x60 fs/inode.c:423

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
Call Trace:
 __dump_stack+0x21/0x24 lib/dump_stack.c:77
 dump_stack_lvl+0x169/0x1d8 lib/dump_stack.c:118
 __kasan_report mm/kasan/report.c:439 [inline]
 kasan_report+0xd8/0x130 mm/kasan/report.c:452
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x280/0x290 mm/kasan/generic.c:189
 __kasan_check_write+0x14/0x20 mm/kasan/shadow.c:37
 instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
 atomic_inc_return include/asm-generic/atomic-instrumented.h:250 [inline]
 ihold+0x20/0x60 fs/inode.c:423
 d_delete_notify include/linux/fsnotify.h:264 [inline]
 vfs_rmdir+0x247/0x3e0 fs/namei.c:3865
 incfs_kill_sb+0xfe/0x210 fs/incfs/vfs.c:1973
 deactivate_locked_super+0xa0/0x100 fs/super.c:335
 deactivate_super+0xaf/0xe0 fs/super.c:366
 cleanup_mnt+0x446/0x500 fs/namespace.c:1114
 __cleanup_mnt+0x19/0x20 fs/namespace.c:1121
 task_work_run+0x127/0x190 kernel/task_work.c:189
 exit_task_work include/linux/task_work.h:33 [inline]
 do_exit+0xa4f/0x2480 kernel/exit.c:872
 do_group_exit+0x141/0x310 kernel/exit.c:986
 __do_sys_exit_group kernel/exit.c:997 [inline]
 __se_sys_exit_group kernel/exit.c:995 [inline]
 __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:995
 do_syscall_64+0x31/0x40 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7fd5f3ee3ec9
Code: Unable to access opcode bytes at RIP 0x7fd5f3ee3e9f.
RSP: 002b:00007fff193daf98 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007fd5f3f66def RCX: 00007fd5f3ee3ec9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000001
RBP: 0000000000000016 R08: 00007fff193d8d36 R09: 00007fff193dc250
R10: 000000000000000a R11: 0000000000000246 R12: 00007fff193dc250
R13: 00007fd5f3f66d7d R14: 000055558c01a4a8 R15: 00007fff193de410
==================================================================
BUG: kernel NULL pointer dereference, address: 0000000000000170
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 117fbb067 P4D 117fbb067 PUD 0 
Oops: 0002 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 1490 Comm: syz-executor Tainted: G    B   W         syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
RIP: 0010:arch_atomic_add_return arch/x86/include/asm/atomic.h:165 [inline]
RIP: 0010:arch_atomic_inc_return include/linux/atomic-arch-fallback.h:286 [inline]
RIP: 0010:atomic_inc_return include/asm-generic/atomic-instrumented.h:251 [inline]
RIP: 0010:ihold+0x26/0x60 fs/inode.c:423
Code: 00 00 00 00 55 48 89 e5 41 56 53 48 89 fb e8 f1 28 b8 ff 48 8d bb 70 01 00 00 be 04 00 00 00 e8 80 1a f2 ff 41 be 01 00 00 00 <f0> 44 0f c1 b3 70 01 00 00 41 ff c6 bf 02 00 00 00 44 89 f6 e8 71
RSP: 0018:ffffc90000f47ba8 EFLAGS: 00010246

RAX: ffff88812d8fa700 RBX: 0000000000000000 RCX: 0000000000000282
RDX: 0000000000000000 RSI: 0000000000000003 RDI: 00000000ffffffff
RBP: ffffc90000f47bb8 R08: 0000000000000004 R09: 0000000000000003
R10: fffffbfff0d8ee48 R11: 1ffffffff0d8ee48 R12: 1ffff1102205c3c0
R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000170 CR3: 0000000120525000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 d_delete_notify include/linux/fsnotify.h:264 [inline]
 vfs_rmdir+0x247/0x3e0 fs/namei.c:3865
 incfs_kill_sb+0xfe/0x210 fs/incfs/vfs.c:1973
 deactivate_locked_super+0xa0/0x100 fs/super.c:335
 deactivate_super+0xaf/0xe0 fs/super.c:366
 cleanup_mnt+0x446/0x500 fs/namespace.c:1114
 __cleanup_mnt+0x19/0x20 fs/namespace.c:1121
 task_work_run+0x127/0x190 kernel/task_work.c:189
 exit_task_work include/linux/task_work.h:33 [inline]
 do_exit+0xa4f/0x2480 kernel/exit.c:872
 do_group_exit+0x141/0x310 kernel/exit.c:986
 __do_sys_exit_group kernel/exit.c:997 [inline]
 __se_sys_exit_group kernel/exit.c:995 [inline]
 __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:995
 do_syscall_64+0x31/0x40 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7fd5f3ee3ec9
Code: Unable to access opcode bytes at RIP 0x7fd5f3ee3e9f.
RSP: 002b:00007fff193daf98 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007fd5f3f66def RCX: 00007fd5f3ee3ec9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000001
RBP: 0000000000000016 R08: 00007fff193d8d36 R09: 00007fff193dc250
R10: 000000000000000a R11: 0000000000000246 R12: 00007fff193dc250
R13: 00007fd5f3f66d7d R14: 000055558c01a4a8 R15: 00007fff193de410
Modules linked in:
CR2: 0000000000000170
---[ end trace 0c4339d171affb49 ]---
RIP: 0010:arch_atomic_add_return arch/x86/include/asm/atomic.h:165 [inline]
RIP: 0010:arch_atomic_inc_return include/linux/atomic-arch-fallback.h:286 [inline]
RIP: 0010:atomic_inc_return include/asm-generic/atomic-instrumented.h:251 [inline]
RIP: 0010:ihold+0x26/0x60 fs/inode.c:423
Code: 00 00 00 00 55 48 89 e5 41 56 53 48 89 fb e8 f1 28 b8 ff 48 8d bb 70 01 00 00 be 04 00 00 00 e8 80 1a f2 ff 41 be 01 00 00 00 <f0> 44 0f c1 b3 70 01 00 00 41 ff c6 bf 02 00 00 00 44 89 f6 e8 71
RSP: 0018:ffffc90000f47ba8 EFLAGS: 00010246
RAX: ffff88812d8fa700 RBX: 0000000000000000 RCX: 0000000000000282
RDX: 0000000000000000 RSI: 0000000000000003 RDI: 00000000ffffffff
RBP: ffffc90000f47bb8 R08: 0000000000000004 R09: 0000000000000003
R10: fffffbfff0d8ee48 R11: 1ffffffff0d8ee48 R12: 1ffff1102205c3c0
R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000170 CR3: 0000000120525000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	00 00                	add    %al,(%rax)
   2:	00 00                	add    %al,(%rax)
   4:	55                   	push   %rbp
   5:	48 89 e5             	mov    %rsp,%rbp
   8:	41 56                	push   %r14
   a:	53                   	push   %rbx
   b:	48 89 fb             	mov    %rdi,%rbx
   e:	e8 f1 28 b8 ff       	call   0xffb82904
  13:	48 8d bb 70 01 00 00 	lea    0x170(%rbx),%rdi
  1a:	be 04 00 00 00       	mov    $0x4,%esi
  1f:	e8 80 1a f2 ff       	call   0xfff21aa4
  24:	41 be 01 00 00 00    	mov    $0x1,%r14d
* 2a:	f0 44 0f c1 b3 70 01 	lock xadd %r14d,0x170(%rbx) <-- trapping instruction
  31:	00 00
  33:	41 ff c6             	inc    %r14d
  36:	bf 02 00 00 00       	mov    $0x2,%edi
  3b:	44 89 f6             	mov    %r14d,%esi
  3e:	e8                   	.byte 0xe8
  3f:	71                   	.byte 0x71