syzbot


KASAN: vmalloc-out-of-bounds Read in z_erofs_lz4_decompress

Status: upstream: reported C repro on 2025/02/25 19:01
Bug presence: origin:lts-only
Reported-by: syzbot+97e2bfc681254dbac9d6@syzkaller.appspotmail.com
First crash: 320d, last: 1d02h
Bug presence (2)
Date Name Commit Repro Result
2025/06/06 linux-5.15.y (ToT) 1c700860e8bc C [report] KASAN: vmalloc-out-of-bounds Read in z_erofs_lz4_decompress
2025/06/06 upstream (ToT) e271ed52b344 C Didn't crash
Similar bugs (5)
Kernel Title Rank Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KMSAN: uninit-value in z_erofs_lz4_decompress erofs 7 1 890d 890d 0/29 auto-obsoleted due to no activity on 2023/11/03 19:44
upstream KMSAN: uninit-value in z_erofs_lz4_decompress (3) erofs 7 C 16 704d 710d 0/29 closed as dup on 2024/03/19 10:34
upstream KMSAN: uninit-value in z_erofs_lz4_decompress (2) erofs 7 C 33 714d 746d 25/29 fixed on 2024/01/30 15:47
upstream KMSAN: kernel-infoleak in _copy_to_iter (7) net 23 C 138977 1052d 1405d 22/29 fixed on 2023/02/24 13:50
upstream KMSAN: kernel-infoleak in _copy_to_iter (8) mm 23 C 21180 948d 1043d 22/29 fixed on 2023/06/08 14:41
Last patch testing requests (2)
Created Duration User Patch Repo Result
2025/07/05 01:41 14m retest repro linux-5.15.y report log
2025/07/05 01:41 11m retest repro linux-5.15.y report log
Fix bisection attempts (1)
Created Duration User Patch Repo Result
2025/07/20 21:06 2h49m fix candidate upstream OK (0) job log

Sample crash report:
erofs: (device loop0): z_erofs_readahead: readahead error at page 46 @ nid 36
attempt to access beyond end of device
loop0: rw=524288, want=32, limit=16
erofs: (device loop0): z_erofs_lz4_decompress: failed to decompress -36 in[64, 4032] out[3537]
==================================================================
BUG: KASAN: vmalloc-out-of-bounds in hex_dump_to_buffer+0x3c0/0xd50 lib/hexdump.c:193
Read of size 1 at addr ffffc900013e9000 by task syz.0.17/4312

CPU: 0 PID: 4312 Comm: syz.0.17 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x168/0x230 lib/dump_stack.c:106
 print_address_description+0x60/0x2d0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:434 [inline]
 kasan_report+0xdf/0x130 mm/kasan/report.c:451
 hex_dump_to_buffer+0x3c0/0xd50 lib/hexdump.c:193
 print_hex_dump+0x136/0x260 lib/hexdump.c:276
 z_erofs_lz4_decompress+0xc7f/0x1180 fs/erofs/decompressor.c:243
 z_erofs_decompress_generic fs/erofs/decompressor.c:332 [inline]
 z_erofs_decompress+0x767/0xde0 fs/erofs/decompressor.c:410
 z_erofs_decompress_pcluster fs/erofs/zdata.c:980 [inline]
 z_erofs_decompress_queue+0x11a6/0x1990 fs/erofs/zdata.c:1058
 z_erofs_runqueue+0x164c/0x1890 fs/erofs/zdata.c:1370
 z_erofs_readahead+0xb81/0x10c0 fs/erofs/zdata.c:1459
 read_pages+0x165/0x920 mm/readahead.c:130
 page_cache_ra_unbounded+0x830/0x930 mm/readahead.c:239
 do_page_cache_ra mm/readahead.c:269 [inline]
 force_page_cache_ra+0x3e5/0x440 mm/readahead.c:301
 force_page_cache_readahead mm/internal.h:78 [inline]
 generic_fadvise+0x520/0x7d0 mm/fadvise.c:107
 vfs_fadvise mm/fadvise.c:186 [inline]
 ksys_fadvise64_64 mm/fadvise.c:200 [inline]
 __do_sys_fadvise64 mm/fadvise.c:215 [inline]
 __se_sys_fadvise64 mm/fadvise.c:213 [inline]
 __x64_sys_fadvise64+0x139/0x180 mm/fadvise.c:213
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7f0495585749
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff43239b18 EFLAGS: 00000246 ORIG_RAX: 00000000000000dd
RAX: ffffffffffffffda RBX: 00007f04957dbfa0 RCX: 00007f0495585749
RDX: 0000000000020000 RSI: 000000000000fcff RDI: 0000000000000004
RBP: 00007f0495609f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f04957dbfa0 R14: 00007f04957dbfa0 R15: 0000000000000004
 </TASK>


Memory state around the buggy address:
 ffffc900013e8f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc900013e8f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc900013e9000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                   ^
 ffffc900013e9080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc900013e9100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================

Crashes (648):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2026/01/01 11:32 linux-5.15.y 68efe5a6c16a d6526ea3 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] ci2-linux-5-15-kasan KASAN: vmalloc-out-of-bounds Read in z_erofs_lz4_decompress
2025/09/15 05:35 linux-5.15.y 43bb85222e53 e2beed91 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] ci2-linux-5-15-kasan KASAN: vmalloc-out-of-bounds Read in z_erofs_lz4_decompress
2025/06/06 01:31 linux-5.15.y 1c700860e8bc 6b6b5f21 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] ci2-linux-5-15-kasan KASAN: vmalloc-out-of-bounds Read in z_erofs_lz4_decompress
2025/02/25 19:59 linux-5.15.y c16c81c81336 d34966d1 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] ci2-linux-5-15-kasan-arm64 KASAN: vmalloc-out-of-bounds Read in z_erofs_lz4_decompress
2025/02/25 19:21 linux-5.15.y c16c81c81336 d34966d1 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] ci2-linux-5-15-kasan-arm64 KASAN: vmalloc-out-of-bounds Read in z_erofs_lz4_decompress
2026/01/11 05:08 linux-5.15.y 68efe5a6c16a d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: vmalloc-out-of-bounds Read in z_erofs_lz4_decompress
2026/01/10 19:28 linux-5.15.y 68efe5a6c16a d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: vmalloc-out-of-bounds Read in z_erofs_lz4_decompress
2026/01/10 03:49 linux-5.15.y 68efe5a6c16a d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: vmalloc-out-of-bounds Read in z_erofs_lz4_decompress
2026/01/10 00:52 linux-5.15.y 68efe5a6c16a d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: vmalloc-out-of-bounds Read in z_erofs_lz4_decompress
2026/01/09 13:49 linux-5.15.y 68efe5a6c16a d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: vmalloc-out-of-bounds Read in z_erofs_lz4_decompress
2026/01/04 20:59 linux-5.15.y 68efe5a6c16a d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: vmalloc-out-of-bounds Read in z_erofs_lz4_decompress
2026/01/04 08:28 linux-5.15.y 68efe5a6c16a d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: vmalloc-out-of-bounds Read in z_erofs_lz4_decompress
2026/01/04 04:39 linux-5.15.y 68efe5a6c16a d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: vmalloc-out-of-bounds Read in z_erofs_lz4_decompress
2026/01/01 11:07 linux-5.15.y 68efe5a6c16a d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: vmalloc-out-of-bounds Read in z_erofs_lz4_decompress
2025/12/24 01:04 linux-5.15.y 68efe5a6c16a d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: vmalloc-out-of-bounds Read in z_erofs_lz4_decompress
2025/12/19 18:02 linux-5.15.y 68efe5a6c16a d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: vmalloc-out-of-bounds Read in z_erofs_lz4_decompress
2025/12/19 01:35 linux-5.15.y 68efe5a6c16a d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: vmalloc-out-of-bounds Read in z_erofs_lz4_decompress
2025/12/17 14:11 linux-5.15.y 68efe5a6c16a d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: vmalloc-out-of-bounds Read in z_erofs_lz4_decompress
2025/12/12 14:08 linux-5.15.y 68efe5a6c16a d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: vmalloc-out-of-bounds Read in z_erofs_lz4_decompress
2025/12/11 04:19 linux-5.15.y 68efe5a6c16a d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: vmalloc-out-of-bounds Read in z_erofs_lz4_decompress
2025/11/27 06:50 linux-5.15.y cc5ec8769306 d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: vmalloc-out-of-bounds Read in z_erofs_lz4_decompress
2025/11/21 04:15 linux-5.15.y cc5ec8769306 2cc4c24a .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: vmalloc-out-of-bounds Read in z_erofs_lz4_decompress
2025/11/20 06:18 linux-5.15.y cc5ec8769306 26ee5237 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: vmalloc-out-of-bounds Read in z_erofs_lz4_decompress
2025/11/08 04:47 linux-5.15.y cc5ec8769306 4e1406b4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: vmalloc-out-of-bounds Read in z_erofs_lz4_decompress
2025/11/08 03:22 linux-5.15.y cc5ec8769306 4e1406b4 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: vmalloc-out-of-bounds Read in z_erofs_lz4_decompress
2025/11/03 05:10 linux-5.15.y cc5ec8769306 2c50b6a9 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: vmalloc-out-of-bounds Read in z_erofs_lz4_decompress
2025/11/01 00:57 linux-5.15.y cc5ec8769306 2c50b6a9 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: vmalloc-out-of-bounds Read in z_erofs_lz4_decompress
2025/10/26 01:57 linux-5.15.y ac56c046adf4 c0460fcd .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: vmalloc-out-of-bounds Read in z_erofs_lz4_decompress
2025/10/25 23:35 linux-5.15.y ac56c046adf4 c0460fcd .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: vmalloc-out-of-bounds Read in z_erofs_lz4_decompress
2025/10/23 15:43 linux-5.15.y ac56c046adf4 c0460fcd .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: vmalloc-out-of-bounds Read in z_erofs_lz4_decompress
2025/10/23 02:27 linux-5.15.y ac56c046adf4 c0460fcd .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: vmalloc-out-of-bounds Read in z_erofs_lz4_decompress
2025/10/23 01:21 linux-5.15.y ac56c046adf4 c0460fcd .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: vmalloc-out-of-bounds Read in z_erofs_lz4_decompress
2025/10/19 03:14 linux-5.15.y 29e53a5b1c4f 1c8c8cd8 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: vmalloc-out-of-bounds Read in z_erofs_lz4_decompress
2025/10/06 06:11 linux-5.15.y 29e53a5b1c4f 49379ee0 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: vmalloc-out-of-bounds Read in z_erofs_lz4_decompress
2025/10/04 23:32 linux-5.15.y 29e53a5b1c4f 49379ee0 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: vmalloc-out-of-bounds Read in z_erofs_lz4_decompress
2025/10/04 09:56 linux-5.15.y 29e53a5b1c4f 49379ee0 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: vmalloc-out-of-bounds Read in z_erofs_lz4_decompress
2025/10/03 20:40 linux-5.15.y 29e53a5b1c4f 49379ee0 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: vmalloc-out-of-bounds Read in z_erofs_lz4_decompress
2025/10/03 15:51 linux-5.15.y 29e53a5b1c4f 49379ee0 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: vmalloc-out-of-bounds Read in z_erofs_lz4_decompress
2025/10/03 15:51 linux-5.15.y 29e53a5b1c4f 49379ee0 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: vmalloc-out-of-bounds Read in z_erofs_lz4_decompress
2025/10/02 22:10 linux-5.15.y 29e53a5b1c4f 49379ee0 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: vmalloc-out-of-bounds Read in z_erofs_lz4_decompress
2025/10/01 00:49 linux-5.15.y 43bb85222e53 65a0eece .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: vmalloc-out-of-bounds Read in z_erofs_lz4_decompress
2025/09/29 00:22 linux-5.15.y 43bb85222e53 001c9061 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: vmalloc-out-of-bounds Read in z_erofs_lz4_decompress
2025/09/28 18:56 linux-5.15.y 43bb85222e53 001c9061 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: vmalloc-out-of-bounds Read in z_erofs_lz4_decompress
2025/09/25 22:01 linux-5.15.y 43bb85222e53 0abd0691 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: vmalloc-out-of-bounds Read in z_erofs_lz4_decompress
2025/09/25 15:10 linux-5.15.y 43bb85222e53 0abd0691 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: vmalloc-out-of-bounds Read in z_erofs_lz4_decompress
2025/09/25 07:09 linux-5.15.y 43bb85222e53 0abd0691 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: vmalloc-out-of-bounds Read in z_erofs_lz4_decompress
2025/09/24 20:57 linux-5.15.y 43bb85222e53 0abd0691 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: vmalloc-out-of-bounds Read in z_erofs_lz4_decompress
2025/09/24 17:02 linux-5.15.y 43bb85222e53 0abd0691 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan KASAN: vmalloc-out-of-bounds Read in z_erofs_lz4_decompress
2025/08/26 14:11 linux-5.15.y c79648372d02 bf27483f .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 KASAN: vmalloc-out-of-bounds Read in z_erofs_lz4_decompress
2025/02/25 19:01 linux-5.15.y c16c81c81336 d34966d1 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan-arm64 KASAN: vmalloc-out-of-bounds Read in z_erofs_lz4_decompress
* Struck through repros no longer work on HEAD.