bisecting fixing commit since 10ad6cfd57360760116cde00a8ef756e121367a9 building syzkaller on 1b88c6d5c8477f1d4fb3b389443b200acc32e9a8 testing commit 10ad6cfd57360760116cde00a8ef756e121367a9 with gcc (GCC) 8.1.0 kernel signature: 9d8a4da8483ba546113b2928062825773b13d9a803d6adfd8e0846b1d039d889 all runs: crashed: KASAN: slab-out-of-bounds Write in init_sb testing current HEAD 79524e8c64bda80bb35ab490177d0e6813bf112c testing commit 79524e8c64bda80bb35ab490177d0e6813bf112c with gcc (GCC) 8.1.0 kernel signature: 92698f10620c002f61703ba4b95fbb42ab14ee4c88e83bb4f8ab6c5c8a121403 run #0: crashed: KASAN: slab-out-of-bounds Write in init_sb run #1: crashed: KASAN: slab-out-of-bounds Write in init_sb run #2: crashed: KASAN: slab-out-of-bounds Write in init_sb run #3: crashed: KASAN: slab-out-of-bounds Write in init_sb run #4: crashed: KASAN: slab-out-of-bounds Write in init_sb run #5: crashed: KASAN: slab-out-of-bounds Write in init_sb run #6: crashed: KASAN: slab-out-of-bounds Write in init_sb run #7: crashed: KASAN: slab-out-of-bounds Write in init_sb run #8: crashed: KASAN: slab-out-of-bounds Write in init_sb run #9: crashed: BUG: unable to handle kernel NULL pointer dereference in corrupted revisions tested: 2, total time: 23m38.501034506s (build: 17m13.508957452s, test: 5m54.739280841s) the crash still happens on HEAD commit msg: Linux 4.19.153 crash: BUG: unable to handle kernel NULL pointer dereference in corrupted gfs2: fsid=loop2: Now mounting FS... IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready gfs2: fsid=loop0: Trying to join cluster "lock_nolock", "loop0" ================================================================== BUG: unable to handle kernel NULL pointer dereference at 0000000000000008 BUG: KASAN: slab-out-of-bounds in gfs2_read_sb fs/gfs2/ops_fstype.c:332 [inline] BUG: KASAN: slab-out-of-bounds in init_sb+0xbe7/0xd20 fs/gfs2/ops_fstype.c:469 PGD 0 P4D 0 Write of size 8 at addr ffff88809ed2e5e8 by task syz-executor.3/8098 Oops: 0002 [#1] PREEMPT SMP KASAN CPU: 1 PID: 8098 Comm: syz-executor.3 Not tainted 4.19.153-syzkaller #0 CPU: 0 PID: 8103 Comm: systemd-udevd Not tainted 4.19.153-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: RIP: 0010:arch_atomic_add_return arch/x86/include/asm/atomic.h:167 [inline] RIP: 0010:atomic_add_return include/asm-generic/atomic-instrumented.h:294 [inline] RIP: 0010:__sigqueue_alloc+0xd8/0x3b0 kernel/signal.c:422 __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x17c/0x22a lib/dump_stack.c:118 Code: ea 03 80 3c 02 00 0f 85 93 02 00 00 4c 8b a3 90 00 00 00 be 04 00 00 00 bb 01 00 00 00 4d 8d 74 24 08 4c 89 f7 e8 68 85 56 00 41 0f c1 5c 24 08 83 c3 01 83 fb 01 75 0b f0 41 ff 04 24 0f 88 print_address_description.cold.6+0x9/0x211 mm/kasan/report.c:256 RSP: 0000:ffff88808e83fb28 EFLAGS: 00010096 kasan_report_error mm/kasan/report.c:354 [inline] kasan_report.cold.7+0x242/0x307 mm/kasan/report.c:412 RAX: 0000000000000000 RBX: 0000000000000001 RCX: ffffffff813b8138 RDX: 0000000000000001 RSI: 0000000000000004 RDI: 0000000000000008 RBP: ffff88808e83fb60 R08: 1ffff110137219e8 R09: ffffed101748473a __asan_report_store8_noabort+0x17/0x20 mm/kasan/report.c:438 R10: ffffed101748473a R11: ffff8880ba4239d3 R12: 0000000000000000 gfs2_read_sb fs/gfs2/ops_fstype.c:332 [inline] init_sb+0xbe7/0xd20 fs/gfs2/ops_fstype.c:469 R13: ffff88809b90c6c0 R14: 0000000000000008 R15: 0000000000000001 FS: 00007f3a6836e8c0(0000) GS:ffff8880ba400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 fill_super+0x1576/0x24a0 fs/gfs2/ops_fstype.c:1120 CR2: 0000000000000008 CR3: 000000009c22e000 CR4: 00000000001406f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __send_signal+0x1ad/0x1110 kernel/signal.c:1129 send_signal+0x32/0xa0 kernel/signal.c:1212 gfs2_mount+0x413/0x4de fs/gfs2/ops_fstype.c:1312 specific_send_sig_info kernel/signal.c:1257 [inline] force_sig_info+0x1ef/0x2e0 kernel/signal.c:1309 force_sig_info_fault.constprop.7+0x1f9/0x310 arch/x86/mm/fault.c:226 mount_fs+0x7f/0x2a2 fs/super.c:1261 vfs_kern_mount.part.11+0x58/0x3d0 fs/namespace.c:961 vfs_kern_mount fs/namespace.c:951 [inline] do_new_mount fs/namespace.c:2469 [inline] do_mount+0x376/0x2710 fs/namespace.c:2799 __bad_area_nosemaphore+0x1ef/0x2c0 arch/x86/mm/fault.c:910 __bad_area arch/x86/mm/fault.c:944 [inline] bad_area+0x64/0x80 arch/x86/mm/fault.c:951 __do_page_fault+0x7b2/0xb30 arch/x86/mm/fault.c:1382 ksys_mount+0xba/0xe0 fs/namespace.c:3015 __do_sys_mount fs/namespace.c:3029 [inline] __se_sys_mount fs/namespace.c:3026 [inline] __x64_sys_mount+0xb9/0x150 fs/namespace.c:3026 do_page_fault+0x64/0x3a7 arch/x86/mm/fault.c:1487 do_syscall_64+0xd0/0x4e0 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe page_fault+0x1e/0x30 arch/x86/entry/entry_64.S:1205 RIP: 0033:0x4607ea RIP: 0033: (null) Code: b8 a6 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 ad 89 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 8a 89 fb ff c3 66 0f 1f 84 00 00 00 00 00 Code: Bad RIP value. RSP: 002b:00007f9c31dcfa88 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 RSP: 002b:00007ffda2a13790 EFLAGS: 00010207 RAX: ffffffffffffffda RBX: 00007f9c31dcfb20 RCX: 00000000004607ea RAX: 0000000000000001 RBX: 00005584c4bbeeb0 RCX: 00007f3a671ef2e3 RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007f9c31dcfae0 RBP: 00007f9c31dcfae0 R08: 00007f9c31dcfb20 R09: 0000000020000000 RDX: 0000000000000004 RSI: 00007ffda2a13850 RDI: 0000000000000004 R10: 0000000002200000 R11: 0000000000000246 R12: 0000000020000000 RBP: 00007ffda2a13900 R08: 00005584c4bac0c0 R09: 0000000000000000 R13: 0000000020000100 R14: 0000000020000200 R15: 0000000020000080 R10: 00000000ffffffff R11: 0000000000000246 R12: 00007ffda2a13850 R13: 00005584c4babcb0 R14: 0000000000000003 R15: 000000000000000e Allocated by task 8098: Modules linked in: save_stack mm/kasan/kasan.c:448 [inline] set_track mm/kasan/kasan.c:460 [inline] kasan_kmalloc.part.1+0x62/0xf0 mm/kasan/kasan.c:553 CR2: 0000000000000008 kasan_kmalloc+0xaf/0xc0 mm/kasan/kasan.c:538 ---[ end trace 3eb543780a199d3b ]--- kmem_cache_alloc_trace+0x152/0x3a0 mm/slab.c:3625 RIP: 0010:arch_atomic_add_return arch/x86/include/asm/atomic.h:167 [inline] RIP: 0010:atomic_add_return include/asm-generic/atomic-instrumented.h:294 [inline] RIP: 0010:__sigqueue_alloc+0xd8/0x3b0 kernel/signal.c:422 kmalloc include/linux/slab.h:515 [inline] kzalloc include/linux/slab.h:709 [inline] init_sbd fs/gfs2/ops_fstype.c:71 [inline] fill_super+0xd5/0x24a0 fs/gfs2/ops_fstype.c:1041 Code: ea 03 80 3c 02 00 0f 85 93 02 00 00 4c 8b a3 90 00 00 00 be 04 00 00 00 bb 01 00 00 00 4d 8d 74 24 08 4c 89 f7 e8 68 85 56 00 41 0f c1 5c 24 08 83 c3 01 83 fb 01 75 0b f0 41 ff 04 24 0f 88 gfs2_mount+0x413/0x4de fs/gfs2/ops_fstype.c:1312 RSP: 0000:ffff88808e83fb28 EFLAGS: 00010096 mount_fs+0x7f/0x2a2 fs/super.c:1261 RAX: 0000000000000000 RBX: 0000000000000001 RCX: ffffffff813b8138 vfs_kern_mount.part.11+0x58/0x3d0 fs/namespace.c:961 vfs_kern_mount fs/namespace.c:951 [inline] do_new_mount fs/namespace.c:2469 [inline] do_mount+0x376/0x2710 fs/namespace.c:2799 RDX: 0000000000000001 RSI: 0000000000000004 RDI: 0000000000000008 ksys_mount+0xba/0xe0 fs/namespace.c:3015 RBP: ffff88808e83fb60 R08: 1ffff110137219e8 R09: ffffed101748473a __do_sys_mount fs/namespace.c:3029 [inline] __se_sys_mount fs/namespace.c:3026 [inline] __x64_sys_mount+0xb9/0x150 fs/namespace.c:3026 R10: ffffed101748473a R11: ffff8880ba4239d3 R12: 0000000000000000 do_syscall_64+0xd0/0x4e0 arch/x86/entry/common.c:293 R13: ffff88809b90c6c0 R14: 0000000000000008 R15: 0000000000000001 FS: 00007f3a6836e8c0(0000) GS:ffff8880ba400000(0000) knlGS:0000000000000000 entry_SYSCALL_64_after_hwframe+0x49/0xbe CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000008 CR3: 000000009c22e000 CR4: 00000000001406f0 Freed by task 0: DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 (stack is not available) DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400