Code: a8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 a8 ff ff ff f7 d8 64 89 02 b8
RSP: 002b:00007fff6e251dc8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007ff17818e497
RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007fff6e251e80
RBP: 00007fff6e251e80 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007fff6e252f10
R13: 00007ff17820e08c R14: 000000000003c07c R15: 00007fff6e252f50
---[ end trace 0000000000000000 ]---
==================================================================
BUG: KASAN: null-ptr-deref in instrument_atomic_read_write include/linux/instrumented.h:102 [inline]
BUG: KASAN: null-ptr-deref in atomic_inc_return include/linux/atomic/atomic-instrumented.h:198 [inline]
BUG: KASAN: null-ptr-deref in ihold+0x20/0x60 fs/inode.c:452
Write of size 4 at addr 0000000000000170 by task syz-executor/14274
CPU: 0 PID: 14274 Comm: syz-executor Tainted: G W 6.1.129-syzkaller-00051-gc1fd50266bd6 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
print_report+0xe1/0x4e0 mm/kasan/report.c:430
kasan_report+0x13c/0x170 mm/kasan/report.c:531
check_region_inline mm/kasan/generic.c:-1 [inline]
kasan_check_range+0x294/0x2a0 mm/kasan/generic.c:189
__kasan_check_write+0x14/0x20 mm/kasan/shadow.c:37
instrument_atomic_read_write include/linux/instrumented.h:102 [inline]
atomic_inc_return include/linux/atomic/atomic-instrumented.h:198 [inline]
ihold+0x20/0x60 fs/inode.c:452
d_delete_notify include/linux/fsnotify.h:289 [inline]
vfs_rmdir+0x268/0x500 fs/namei.c:4203
incfs_kill_sb+0x113/0x230 fs/incfs/vfs.c:1995
deactivate_locked_super+0xad/0x110 fs/super.c:334
deactivate_super+0xbe/0xf0 fs/super.c:365
cleanup_mnt+0x485/0x510 fs/namespace.c:1186
__cleanup_mnt+0x19/0x20 fs/namespace.c:1193
task_work_run+0x24d/0x2e0 kernel/task_work.c:203
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0x94/0xa0 kernel/entry/common.c:177
exit_to_user_mode_prepare+0x5a/0xa0 kernel/entry/common.c:210
__syscall_exit_to_user_mode_work kernel/entry/common.c:292 [inline]
syscall_exit_to_user_mode+0x26/0x130 kernel/entry/common.c:303
do_syscall_64+0x47/0xb0 arch/x86/entry/common.c:87
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7ff17818e497
Code: a8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 a8 ff ff ff f7 d8 64 89 02 b8
RSP: 002b:00007fff6e251dc8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007ff17818e497
RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007fff6e251e80
RBP: 00007fff6e251e80 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007fff6e252f10
R13: 00007ff17820e08c R14: 000000000003c07c R15: 00007fff6e252f50
==================================================================
BUG: kernel NULL pointer dereference, address: 0000000000000170
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 14c4ac067 P4D 14c4ac067 PUD 0
Oops: 0002 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 14274 Comm: syz-executor Tainted: G B W 6.1.129-syzkaller-00051-gc1fd50266bd6 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
RIP: 0010:arch_atomic_add_return include/linux/instrumented.h:-1 [inline]
RIP: 0010:arch_atomic_inc_return include/linux/atomic/atomic-arch-fallback.h:440 [inline]
RIP: 0010:atomic_inc_return include/linux/atomic/atomic-instrumented.h:199 [inline]
RIP: 0010:ihold+0x25/0x60 fs/inode.c:452
Code: 00 00 00 00 00 55 48 89 e5 41 56 53 49 89 fe e8 c1 1a a8 ff 49 8d be 70 01 00 00 be 04 00 00 00 e8 00 c8 ef ff bb 01 00 00 00 41 0f c1 9e 70 01 00 00 ff c3 bf 02 00 00 00 89 de e8 44 1e a8
RSP: 0018:ffffc90000b07c30 EFLAGS: 00010246
RAX: ffff88810e070000 RBX: 0000000000000001 RCX: ffff88810e070000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90000b07c40 R08: ffffffff8144b443 R09: fffffbfff0f6e8fd
R10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff1102559e639
R13: ffff88814fdd0ee0 R14: 0000000000000000 R15: 1ffff11029fba1e2
FS: 0000555594f77500(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000170 CR3: 000000012ac2c000 CR4: 00000000003526a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
d_delete_notify include/linux/fsnotify.h:289 [inline]
vfs_rmdir+0x268/0x500 fs/namei.c:4203
incfs_kill_sb+0x113/0x230 fs/incfs/vfs.c:1995
deactivate_locked_super+0xad/0x110 fs/super.c:334
deactivate_super+0xbe/0xf0 fs/super.c:365
cleanup_mnt+0x485/0x510 fs/namespace.c:1186
__cleanup_mnt+0x19/0x20 fs/namespace.c:1193
task_work_run+0x24d/0x2e0 kernel/task_work.c:203
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0x94/0xa0 kernel/entry/common.c:177
exit_to_user_mode_prepare+0x5a/0xa0 kernel/entry/common.c:210
__syscall_exit_to_user_mode_work kernel/entry/common.c:292 [inline]
syscall_exit_to_user_mode+0x26/0x130 kernel/entry/common.c:303
do_syscall_64+0x47/0xb0 arch/x86/entry/common.c:87
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7ff17818e497
Code: a8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 a8 ff ff ff f7 d8 64 89 02 b8
RSP: 002b:00007fff6e251dc8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007ff17818e497
RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007fff6e251e80
RBP: 00007fff6e251e80 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007fff6e252f10
R13: 00007ff17820e08c R14: 000000000003c07c R15: 00007fff6e252f50
Modules linked in:
CR2: 0000000000000170
---[ end trace 0000000000000000 ]---
RIP: 0010:arch_atomic_add_return include/linux/instrumented.h:-1 [inline]
RIP: 0010:arch_atomic_inc_return include/linux/atomic/atomic-arch-fallback.h:440 [inline]
RIP: 0010:atomic_inc_return include/linux/atomic/atomic-instrumented.h:199 [inline]
RIP: 0010:ihold+0x25/0x60 fs/inode.c:452
Code: 00 00 00 00 00 55 48 89 e5 41 56 53 49 89 fe e8 c1 1a a8 ff 49 8d be 70 01 00 00 be 04 00 00 00 e8 00 c8 ef ff bb 01 00 00 00 41 0f c1 9e 70 01 00 00 ff c3 bf 02 00 00 00 89 de e8 44 1e a8
RSP: 0018:ffffc90000b07c30 EFLAGS: 00010246
RAX: ffff88810e070000 RBX: 0000000000000001 RCX: ffff88810e070000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90000b07c40 R08: ffffffff8144b443 R09: fffffbfff0f6e8fd
R10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff1102559e639
R13: ffff88814fdd0ee0 R14: 0000000000000000 R15: 1ffff11029fba1e2
FS: 0000555594f77500(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000170 CR3: 000000012ac2c000 CR4: 00000000003526a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess), 3 bytes skipped:
0: ff f7 push %rdi
2: d8 64 89 01 fsubs 0x1(%rcx,%rcx,4)
6: 48 83 c8 ff or $0xffffffffffffffff,%rax
a: c3 ret
b: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
10: 31 f6 xor %esi,%esi
12: e9 09 00 00 00 jmp 0x20
17: 66 0f 1f 84 00 00 00 nopw 0x0(%rax,%rax,1)
1e: 00 00
20: b8 a6 00 00 00 mov $0xa6,%eax
25: 0f 05 syscall
* 27: 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax <-- trapping instruction
2d: 77 01 ja 0x30
2f: c3 ret
30: 48 c7 c2 a8 ff ff ff mov $0xffffffffffffffa8,%rdx
37: f7 d8 neg %eax
39: 64 89 02 mov %eax,%fs:(%rdx)
3c: b8 .byte 0xb8