syzbot

KASAN: use-after-free Read in bch2_check_dirents

Status: upstream: reported C repro on 2024/11/15 11:11
Subsystems: fs
Reported-by: syzbot+fea0322882c0cba65f11@syzkaller.appspotmail.com
Fix commit: bcachefs: Fix UAF in check_dirent()
Patched on: [ci-upstream-linux-next-kasan-gce-root ci-upstream-rust-kasan-gce], missing on: [ci-qemu-gce-upstream-auto ci-qemu-native-arm64-kvm ci-qemu-upstream ci-qemu-upstream-386 ci-qemu2-arm32 ci-qemu2-arm64 ci-qemu2-arm64-compat ci-qemu2-arm64-mte ci-qemu2-riscv64 ci-snapshot-upstream-root ci-upstream-bpf-kasan-gce ci-upstream-bpf-next-kasan-gce ci-upstream-gce-arm64 ci-upstream-gce-leak ci-upstream-kasan-badwrites-root ci-upstream-kasan-gce ci-upstream-kasan-gce-386 ci-upstream-kasan-gce-root ci-upstream-kasan-gce-selinux-root ci-upstream-kasan-gce-smack-root ci-upstream-kmsan-gce-386-root ci-upstream-kmsan-gce-root ci-upstream-net-kasan-gce ci-upstream-net-this-kasan-gce ci2-upstream-fs ci2-upstream-kcsan-gce ci2-upstream-usb]
First crash: 574d, last: 254d
Cause bisection: introduced by (bisect log):
commit d97de0d017cde0d442c3d144b4f969f43064cc0f
Author: Kent Overstreet <kent.overstreet@linux.dev>
Date: Tue Aug 13 01:31:25 2024 +0000

  bcachefs: Make bkey_fsck_err() a wrapper around fsck_err()

Crash: kernel BUG in vfs_get_tree (log)
Repro: C syz .config
✨ AI Jobs (4)
ID Workflow Result Correct Ext Bug ID Bug Created Started Finished Revision Error
0da004d3-66a1-42b7-bd34-8d49171c99c2 assessment-security 💥 KASAN: use-after-free Read in bch2_check_dirents 2026/06/10 04:20 2026/06/10 04:20 2026/06/10 04:49 c36c07f6c1f2230a36374cbd22235f635e8f9284 failed to run ["make" "KERNELVERSION=syzkaller" "KERNELRELEASE=syzkaller" "LOCALVERSION=-syzkaller" "-j" "32" "ARCH=x86_64" "CC=ccache clang" "LD=ld.lld" "O=/app/workdir/cache/build/1a579f47ae558f948483ef65be2b9e685481612b" "-s" "bzImage" "compile_commands.json"]: exit status 2 Root cause: ld.lld: error: undefined symbol: wcslen
95765311-8d9d-4bcf-8096-6c5991f791ef assessment-security 💥 KASAN: use-after-free Read in bch2_check_dirents 2026/06/04 07:36 2026/06/04 07:36 2026/06/04 07:57 62fe15281f5011cd203d8845b8767b10e7443aa5 failed to run ["make" "KERNELVERSION=syzkaller" "KERNELRELEASE=syzkaller" "LOCALVERSION=-syzkaller" "-j" "32" "ARCH=x86_64" "CC=ccache clang" "LD=ld.lld" "O=/app/workdir/cache/build/1a579f47ae558f948483ef65be2b9e685481612b" "-s" "bzImage" "compile_commands.json"]: exit status 2 Root cause: ld.lld: error: undefined symbol: wcslen
54cd0d41-b8c8-40e2-ad6d-95ca05434328 assessment-security 💥 KASAN: use-after-free Read in bch2_check_dirents 2026/06/02 05:43 2026/06/02 05:43 2026/06/02 06:16 1095583bae1d2729a3b4be301cb6ddc85ced9e38 failed to run ["make" "KERNELVERSION=syzkaller" "KERNELRELEASE=syzkaller" "LOCALVERSION=-syzkaller" "-j" "32" "ARCH=x86_64" "CC=ccache clang" "LD=ld.lld" "O=/app/workdir/cache/build/1a579f47ae558f948483ef65be2b9e685481612b" "-s" "bzImage" "compile_commands.json"]: exit status 2 Root cause: ld.lld: error: undefined symbol: wcslen
487d7c59-60bd-4fcc-96c9-22463e043dba assessment-security 💥 KASAN: use-after-free Read in bch2_check_dirents 2026/05/22 02:01 2026/05/22 02:01 2026/05/22 02:37 d57425845dbe663f86e1e54a4997e95bd557b624 failed to run ["make" "KERNELVERSION=syzkaller" "KERNELRELEASE=syzkaller" "LOCALVERSION=-syzkaller" "-j" "32" "ARCH=x86_64" "CC=ccache clang" "LD=ld.lld" "O=/app/workdir/cache/build/1a579f47ae558f948483ef65be2b9e685481612b" "-s" "bzImage" "compile_commands.json"]: exit status 2 Root cause: ld.lld: error: undefined symbol: wcslen
Discussions (1)
Title Replies (including bot) Last reply
[syzbot] [bcachefs?] KASAN: use-after-free Read in bch2_check_dirents 0 (2) 2024/12/05 20:34
Last patch testing requests (1)
Created Duration User Patch Repo Result
2024/11/29 04:50 18m retest repro upstream report log
Cause bisection attempts (2)
Created Duration User Patch Repo Result
2024/12/05 12:29 8h04m bisect upstream OK (1) job log log
2024/11/15 04:47 11h03m bisect upstream OK (1) job log log
marked invalid by nogikh@google.com

Sample crash report:
bcachefs (loop0): check_inodes... done
bcachefs (loop0): check_extents... done
bcachefs (loop0): check_dirents...
dirent points to missing inode:
u64s 8 type dirent 4096:6728544935518790663:U32_MAX len 0 ver 0: lost+found -> 4097 type dir, fixing
==================================================================
BUG: KASAN: use-after-free in check_dirent fs/bcachefs/fsck.c:2443 [inline]
BUG: KASAN: use-after-free in bch2_check_dirents+0x2b68/0x3e90 fs/bcachefs/fsck.c:2468
Read of size 1 at addr ffff88805d564048 by task syz-executor265/6269

CPU: 1 UID: 0 PID: 6269 Comm: syz-executor265 Not tainted 6.14.0-rc3-syzkaller-00166-g334426094588 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:408 [inline]
 print_report+0x16e/0x5b0 mm/kasan/report.c:521
 kasan_report+0x143/0x180 mm/kasan/report.c:634
 check_dirent fs/bcachefs/fsck.c:2443 [inline]
 bch2_check_dirents+0x2b68/0x3e90 fs/bcachefs/fsck.c:2468
 bch2_run_recovery_pass+0xf0/0x1e0 fs/bcachefs/recovery_passes.c:226
 bch2_run_recovery_passes+0x2ad/0xa90 fs/bcachefs/recovery_passes.c:291
 bch2_fs_recovery+0x2c48/0x3de0 fs/bcachefs/recovery.c:973
 bch2_fs_start+0x37c/0x610 fs/bcachefs/super.c:1041
 bch2_fs_get_tree+0xdb7/0x17a0 fs/bcachefs/fs.c:2203
 vfs_get_tree+0x90/0x2b0 fs/super.c:1814
 do_new_mount+0x2be/0xb40 fs/namespace.c:3560
 do_mount fs/namespace.c:3900 [inline]
 __do_sys_mount fs/namespace.c:4111 [inline]
 __se_sys_mount+0x2d6/0x3c0 fs/namespace.c:4088
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7eff7d61461a
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd68e9c008 EFLAGS: 00000282 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007eff7d61461a
RDX: 0000400000000000 RSI: 0000400000000040 RDI: 00007ffd68e9c050
RBP: 0000000000000004 R08: 00007ffd68e9c090 R09: 0000000000005956
R10: 0000000001000001 R11: 0000000000000282 R12: 0000000001000000
R13: 00007ffd68e9c090 R14: 0000400000000000 R15: 0000000000000003
 </TASK>

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5d564
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 5, migratetype Unmovable, gfp_mask 0x52800(GFP_NOWAIT|__GFP_NORETRY|__GFP_COMP), pid 6269, tgid 6269 (syz-executor265), ts 106334437847, free_ts 106682597280
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1f4/0x240 mm/page_alloc.c:1551
 prep_new_page mm/page_alloc.c:1559 [inline]
 get_page_from_freelist+0x3651/0x37a0 mm/page_alloc.c:3477
 __alloc_frozen_pages_noprof+0x292/0x710 mm/page_alloc.c:4739
 __alloc_pages_noprof+0xa/0x30 mm/page_alloc.c:4773
 __alloc_pages_node_noprof include/linux/gfp.h:265 [inline]
 alloc_pages_node_noprof include/linux/gfp.h:292 [inline]
 ___kmalloc_large_node+0x8b/0x1d0 mm/slub.c:4239
 __kmalloc_large_node_noprof+0x1a/0x80 mm/slub.c:4266
 __do_kmalloc_node mm/slub.c:4282 [inline]
 __kmalloc_node_noprof+0x33a/0x4d0 mm/slub.c:4300
 __kvmalloc_node_noprof+0x72/0x190 mm/util.c:662
 btree_bounce_alloc fs/bcachefs/btree_io.c:123 [inline]
 btree_node_sort+0x620/0x1830 fs/bcachefs/btree_io.c:322
 bch2_btree_post_write_cleanup+0x11a/0xa70 fs/bcachefs/btree_io.c:2293
 bch2_btree_node_prep_for_write+0x345/0x660 fs/bcachefs/btree_trans_commit.c:93
 bch2_trans_lock_write+0x68e/0xc60 fs/bcachefs/btree_trans_commit.c:129
 do_bch2_trans_commit fs/bcachefs/btree_trans_commit.c:862 [inline]
 __bch2_trans_commit+0x258c/0x9790 fs/bcachefs/btree_trans_commit.c:1070
 __bch2_str_hash_check_key+0x1ea4/0x3ac0
 bch2_str_hash_check_key fs/bcachefs/str_hash.h:415 [inline]
 check_dirent fs/bcachefs/fsck.c:2373 [inline]
 bch2_check_dirents+0x2eb0/0x3e90 fs/bcachefs/fsck.c:2468
 bch2_run_recovery_pass+0xf0/0x1e0 fs/bcachefs/recovery_passes.c:226
page last free pid 6269 tgid 6269 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1127 [inline]
 __free_pages_ok+0xbbc/0xe40 mm/page_alloc.c:1271
 __folio_put+0x2b3/0x360 mm/swap.c:112
 folio_put include/linux/mm.h:1489 [inline]
 free_large_kmalloc+0xfe/0x180 mm/slub.c:4728
 kfree+0x212/0x430 mm/slub.c:4751
 btree_bounce_free fs/bcachefs/btree_io.c:111 [inline]
 btree_node_sort+0x1100/0x1830 fs/bcachefs/btree_io.c:379
 bch2_btree_post_write_cleanup+0x11a/0xa70 fs/bcachefs/btree_io.c:2293
 bch2_btree_node_prep_for_write+0x345/0x660 fs/bcachefs/btree_trans_commit.c:93
 bch2_trans_lock_write+0x68e/0xc60 fs/bcachefs/btree_trans_commit.c:129
 do_bch2_trans_commit fs/bcachefs/btree_trans_commit.c:862 [inline]
 __bch2_trans_commit+0x258c/0x9790 fs/bcachefs/btree_trans_commit.c:1070
 bch2_trans_commit fs/bcachefs/btree_update.h:183 [inline]
 check_dirent fs/bcachefs/fsck.c:2438 [inline]
 bch2_check_dirents+0x28be/0x3e90 fs/bcachefs/fsck.c:2468
 bch2_run_recovery_pass+0xf0/0x1e0 fs/bcachefs/recovery_passes.c:226
 bch2_run_recovery_passes+0x2ad/0xa90 fs/bcachefs/recovery_passes.c:291
 bch2_fs_recovery+0x2c48/0x3de0 fs/bcachefs/recovery.c:973
 bch2_fs_start+0x37c/0x610 fs/bcachefs/super.c:1041
 bch2_fs_get_tree+0xdb7/0x17a0 fs/bcachefs/fs.c:2203
 vfs_get_tree+0x90/0x2b0 fs/super.c:1814

Memory state around the buggy address:
 ffff88805d563f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88805d563f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88805d564000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                              ^
 ffff88805d564080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88805d564100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (769):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2025/02/21 13:25 upstream 334426094588 0808a665 .config strace log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-upstream-fs KASAN: use-after-free Read in bch2_check_dirents
2024/11/15 04:43 upstream cfaaa7d010d1 a8c99394 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-upstream-fs KASAN: use-after-free Read in bch2_check_dirents
2025/02/15 03:49 linux-next 0ae0fa3bf0b4 40a34ec9 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in bch2_check_dirents
2025/08/22 05:14 upstream 3957a5720157 bf27483f .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root KASAN: use-after-free Read in bch2_check_dirents
2025/07/23 02:34 upstream 89be9a83ccf1 8e9d1dc1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs KASAN: use-after-free Read in bch2_check_dirents
2025/09/30 09:22 upstream 449c2b302c8e 86341da6 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in bch2_check_dirents
2025/09/30 05:04 upstream 449c2b302c8e 86341da6 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in bch2_check_dirents
2025/09/29 14:43 upstream e5f0a698b34e 86341da6 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in bch2_check_dirents
2025/09/28 20:41 upstream 8f9736633f8c 001c9061 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in bch2_check_dirents
2025/09/28 09:43 upstream 51a24b7deaae 001c9061 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in bch2_check_dirents
2025/09/27 22:31 upstream fec734e8d564 001c9061 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in bch2_check_dirents
2025/09/27 06:57 upstream 083fc6d7fa0d 001c9061 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in bch2_check_dirents
2025/09/27 02:47 upstream 083fc6d7fa0d 001c9061 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in bch2_check_dirents
2025/09/27 02:45 upstream 083fc6d7fa0d 001c9061 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in bch2_check_dirents
2025/09/25 22:25 upstream bf40f4b87761 0abd0691 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in bch2_check_dirents
2025/09/25 17:04 upstream bf40f4b87761 0abd0691 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in bch2_check_dirents
2025/09/25 06:21 upstream 4ea5af085908 0abd0691 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in bch2_check_dirents
2025/09/23 08:52 upstream cec1e6e5d1ab 0ac7291c .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in bch2_check_dirents
2025/09/21 14:30 upstream 3b08f56fbbb9 67c37560 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in bch2_check_dirents
2025/09/21 09:46 upstream 3b08f56fbbb9 67c37560 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in bch2_check_dirents
2025/09/21 01:00 upstream cd89d487374c 67c37560 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in bch2_check_dirents
2025/09/19 15:25 upstream 097a6c336d00 67c37560 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in bch2_check_dirents
2025/09/19 13:58 upstream 097a6c336d00 67c37560 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in bch2_check_dirents
2025/09/19 07:31 upstream cbf658dd0941 e2beed91 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in bch2_check_dirents
2025/09/19 06:14 upstream cbf658dd0941 e2beed91 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in bch2_check_dirents
2025/09/19 05:59 upstream cbf658dd0941 e2beed91 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in bch2_check_dirents
2025/09/19 01:38 upstream cbf658dd0941 e2beed91 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in bch2_check_dirents
2025/09/18 14:13 upstream 8b789f2b7602 e2beed91 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in bch2_check_dirents
2025/09/18 01:44 upstream d4b779985a6c e2beed91 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in bch2_check_dirents
2025/09/16 17:56 upstream 46a51f4f5eda e2beed91 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in bch2_check_dirents
2025/09/15 20:24 upstream f83ec76bf285 e2beed91 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in bch2_check_dirents
2025/09/15 20:23 upstream f83ec76bf285 e2beed91 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in bch2_check_dirents
2025/09/15 01:22 upstream 79e8447ec662 e2beed91 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in bch2_check_dirents
2025/09/13 11:36 upstream 22f20375f5b7 e2beed91 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in bch2_check_dirents
2025/09/12 23:35 upstream 22f20375f5b7 e2beed91 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in bch2_check_dirents
2025/09/12 16:37 upstream 320475fbd590 e2beed91 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in bch2_check_dirents
2025/09/11 17:43 upstream 02ffd6f89c50 e2beed91 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in bch2_check_dirents
2025/09/11 15:53 upstream 02ffd6f89c50 e2beed91 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in bch2_check_dirents
2025/09/11 08:29 upstream 7aac71907bde fdeaa69b .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in bch2_check_dirents
2025/09/11 07:00 upstream 7aac71907bde fdeaa69b .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in bch2_check_dirents
2025/09/10 17:43 upstream 9dd1835ecda5 fdeaa69b .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in bch2_check_dirents
2025/09/09 01:55 upstream f777d1112ee5 d291dd2d .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in bch2_check_dirents
2025/09/08 04:01 upstream 6ab41fca2e80 d291dd2d .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in bch2_check_dirents
2025/09/07 08:55 upstream b236920731dd d291dd2d .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in bch2_check_dirents
2025/09/06 06:58 upstream c8ed9b5c02a5 d291dd2d .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in bch2_check_dirents
2025/09/05 03:44 upstream 08b06c30a445 d291dd2d .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in bch2_check_dirents
2025/09/04 05:16 upstream b9a10f876409 d291dd2d .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in bch2_check_dirents
2025/09/03 12:02 upstream e6b9dce0aeeb 96a211bc .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in bch2_check_dirents
2025/09/03 09:26 upstream e6b9dce0aeeb 96a211bc .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in bch2_check_dirents
2025/09/03 07:59 upstream e6b9dce0aeeb 96a211bc .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in bch2_check_dirents
2025/09/03 04:56 upstream e6b9dce0aeeb 96a211bc .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in bch2_check_dirents
2025/09/03 01:00 upstream e6b9dce0aeeb 96a211bc .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in bch2_check_dirents
2025/09/02 21:01 upstream b320789d6883 96a211bc .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in bch2_check_dirents
2025/09/02 18:11 upstream b320789d6883 96a211bc .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in bch2_check_dirents
2025/09/04 07:58 linux-next 5d50cf9f7cf2 d291dd2d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root KASAN: use-after-free Read in bch2_check_dirents
2025/08/02 13:29 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 82af5ea7c611 7368264b .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 KASAN: use-after-free Read in bch2_check_dirents
2025/08/15 21:55 upstream 8d084337a32f dcc075fb .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: slab-use-after-free Read in bch2_check_dirents
* Struck through repros no longer work on HEAD.