* [syzbot] [nilfs?] general protection fault in __d_unalias
@ 2025-02-03 18:55 syzbot
2025-02-04 0:10 ` Edward Adam Davis
2025-02-04 2:20 ` Ryusuke Konishi
0 siblings, 2 replies; 5+ messages in thread
From: syzbot @ 2025-02-03 18:55 UTC (permalink / raw)
To: konishi.ryusuke, linux-kernel, linux-nilfs, syzkaller-bugs, viro
Hello,
syzbot found the following issue on:
HEAD commit: 69b8923f5003 Merge tag 'for-linus-6.14-ofs4' of git://git...
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=14fbdddf980000
kernel config: https://syzkaller.appspot.com/x/.config?x=57ab43c279fa614d
dashboard link: https://syzkaller.appspot.com/bug?extid=ab57f676a518849a8d57
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15da95f8580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=165f8b24580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ea84ac864e92/disk-69b8923f.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/6a465997b4e0/vmlinux-69b8923f.xz
kernel image: https://storage.googleapis.com/syzbot-assets/d72b67b2bd15/bzImage-69b8923f.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/7d96d510aa23/mount_0.gz
The issue was bisected to:
commit 30d61efe118cad1a73ad2ad66a3298e4abdf9f41
Author: Al Viro <viro@zeniv.linux.org.uk>
Date: Mon Jan 6 02:33:17 2025 +0000
9p: fix ->rename_sem exclusion
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=148b7b64580000
final oops: https://syzkaller.appspot.com/x/report.txt?x=168b7b64580000
console output: https://syzkaller.appspot.com/x/log.txt?x=128b7b64580000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ab57f676a518849a8d57@syzkaller.appspotmail.com
Fixes: 30d61efe118c ("9p: fix ->rename_sem exclusion")
Oops: general protection fault, probably for non-canonical address 0xdffffc000000000d: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000068-0x000000000000006f]
CPU: 0 UID: 0 PID: 5821 Comm: syz-executor287 Not tainted 6.13.0-syzkaller-09793-g69b8923f5003 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
RIP: 0010:__d_unalias+0x199/0x2a0 fs/dcache.c:2969
Code: 98 00 00 00 4c 89 fb 48 c1 eb 03 49 89 ed 80 3c 2b 00 74 08 4c 89 ff e8 65 62 e7 ff 49 8b 2f 48 83 c5 68 48 89 e8 48 c1 e8 03 <42> 80 3c 28 00 74 08 48 89 ef e8 48 62 e7 ff 4c 8b 5d 00 4d 85 db
RSP: 0018:ffffc90003d9fa98 EFLAGS: 00010202
RAX: 000000000000000d RBX: 1ffff1100996cb61 RCX: ffff88804d821e00
RDX: 0000000000000000 RSI: ffff88804cb65a70 RDI: ffff88804cb658f8
RBP: 0000000000000068 R08: ffff88804e530f6b R09: 1ffff11009ca61ed
R10: dffffc0000000000 R11: ffffed1009ca61ee R12: ffff88804cb65a70
R13: dffffc0000000000 R14: 0000000000000000 R15: ffff88804cb65b08
FS: 000055555b892380(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffe074ff000 CR3: 0000000078440000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
d_splice_alias+0x1e6/0x330 fs/dcache.c:3037
nilfs_lookup+0x1c2/0x2a0 fs/nilfs2/namei.c:77
lookup_one_qstr_excl+0x126/0x2b0 fs/namei.c:1693
do_renameat2+0x706/0x13f0 fs/namei.c:5176
__do_sys_rename fs/namei.c:5273 [inline]
__se_sys_rename fs/namei.c:5271 [inline]
__x64_sys_rename+0x82/0x90 fs/namei.c:5271
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f7cc482fad9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe074fe328 EFLAGS: 00000246 ORIG_RAX: 0000000000000052
RAX: ffffffffffffffda RBX: 00007f7cc4878fc8 RCX: 00007f7cc482fad9
RDX: 0000000000000000 RSI: 0000000020000800 RDI: 00000000200001c0
RBP: 00007f7cc48a35f0 R08: 000055555b8934c0 R09: 000055555b8934c0
R10: 000055555b8934c0 R11: 0000000000000246 R12: 00007ffe074fe350
R13: 00007ffe074fe578 R14: 431bde82d7b634db R15: 00007f7cc487803b
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__d_unalias+0x199/0x2a0 fs/dcache.c:2969
Code: 98 00 00 00 4c 89 fb 48 c1 eb 03 49 89 ed 80 3c 2b 00 74 08 4c 89 ff e8 65 62 e7 ff 49 8b 2f 48 83 c5 68 48 89 e8 48 c1 e8 03 <42> 80 3c 28 00 74 08 48 89 ef e8 48 62 e7 ff 4c 8b 5d 00 4d 85 db
RSP: 0018:ffffc90003d9fa98 EFLAGS: 00010202
RAX: 000000000000000d RBX: 1ffff1100996cb61 RCX: ffff88804d821e00
RDX: 0000000000000000 RSI: ffff88804cb65a70 RDI: ffff88804cb658f8
RBP: 0000000000000068 R08: ffff88804e530f6b R09: 1ffff11009ca61ed
R10: dffffc0000000000 R11: ffffed1009ca61ee R12: ffff88804cb65a70
R13: dffffc0000000000 R14: 0000000000000000 R15: ffff88804cb65b08
FS: 000055555b892380(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffe074ff000 CR3: 0000000078440000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 98 cwtl
1: 00 00 add %al,(%rax)
3: 00 4c 89 fb add %cl,-0x5(%rcx,%rcx,4)
7: 48 c1 eb 03 shr $0x3,%rbx
b: 49 89 ed mov %rbp,%r13
e: 80 3c 2b 00 cmpb $0x0,(%rbx,%rbp,1)
12: 74 08 je 0x1c
14: 4c 89 ff mov %r15,%rdi
17: e8 65 62 e7 ff call 0xffe76281
1c: 49 8b 2f mov (%r15),%rbp
1f: 48 83 c5 68 add $0x68,%rbp
23: 48 89 e8 mov %rbp,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 80 3c 28 00 cmpb $0x0,(%rax,%r13,1) <-- trapping instruction
2f: 74 08 je 0x39
31: 48 89 ef mov %rbp,%rdi
34: e8 48 62 e7 ff call 0xffe76281
39: 4c 8b 5d 00 mov 0x0(%rbp),%r11
3d: 4d 85 db test %r11,%r11
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* Re: [syzbot] [nilfs?] general protection fault in __d_unalias
2025-02-03 18:55 [syzbot] [nilfs?] general protection fault in __d_unalias syzbot
@ 2025-02-04 0:10 ` Edward Adam Davis
2025-02-04 1:14 ` syzbot
2025-02-04 2:20 ` Ryusuke Konishi
1 sibling, 1 reply; 5+ messages in thread
From: Edward Adam Davis @ 2025-02-04 0:10 UTC (permalink / raw)
To: syzbot+ab57f676a518849a8d57; +Cc: linux-kernel, syzkaller-bugs
#syz test
diff --git a/fs/dcache.c b/fs/dcache.c
index 9cc0d47da321..96b21a47312e 100644
--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -2966,11 +2966,11 @@ static int __d_unalias(struct dentry *dentry, struct dentry *alias)
goto out_err;
m2 = &alias->d_parent->d_inode->i_rwsem;
out_unalias:
- if (alias->d_op->d_unalias_trylock &&
+ if (alias->d_op && alias->d_op->d_unalias_trylock &&
!alias->d_op->d_unalias_trylock(alias))
goto out_err;
__d_move(alias, dentry, false);
- if (alias->d_op->d_unalias_unlock)
+ if (alias->d_op && alias->d_op->d_unalias_unlock)
alias->d_op->d_unalias_unlock(alias);
ret = 0;
out_err:
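Review bot: the two `+` lines are the right guard for the crash in the report, but the patch as posted carries no commit message and tests `alias->d_op` twice without a local that makes the trylock/unlock pair visibly symmetric. The oops supports the check: at fs/dcache.c:2969 the code does `mov (%r15),%rbp; add $0x68,%rbp` and faults with RBP 0x68 on the KASAN shadow of [0x68, 0x6f], so `alias->d_op` was NULL and the `-` line `if (alias->d_op->d_unalias_trylock &&` dereferenced it on a nilfs2 dentry that has no dentry_operations installed (udf hits the same line in the sibling report), and the bisection ties the regression to the commit named in the report's `Fixes:` line. Suggest loading the pointer once, e.g. `const struct dentry_operations *op = alias->d_op;` and then `op && op->d_unalias_trylock` / `op && op->d_unalias_unlock`, so the two guards cannot drift apart. For the real submission (this is only a `#syz test` run) add `Reported-by: syzbot+ab57f676a518849a8d57@syzkaller.appspotmail.com` and `Fixes: 30d61efe118c ("9p: fix ->rename_sem exclusion")` from the report, and check whether the bisected commit added any other unguarded `->d_op->` dereference on this path.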
* Re: [syzbot] [nilfs?] general protection fault in __d_unalias
2025-02-03 18:55 [syzbot] [nilfs?] general protection fault in __d_unalias syzbot
2025-02-04 0:10 ` Edward Adam Davis
@ 2025-02-04 2:20 ` Ryusuke Konishi
1 sibling, 0 replies; 5+ messages in thread
From: Ryusuke Konishi @ 2025-02-04 2:20 UTC (permalink / raw)
To: syzbot; +Cc: linux-kernel, linux-nilfs, syzkaller-bugs, viro
On Tue, Feb 4, 2025 at 3:55 AM syzbot
<syzbot+ab57f676a518849a8d57@syzkaller.appspotmail.com> wrote:
> [...]
I tested reproducers locally and found that the issue was fixed with
the latest commit:
#syz fix: fix braino in "9p: fix ->rename_sem exclusion"
Ryusuke Konishi
* [syzbot] [udf?] general protection fault in d_splice_alias
@ 2025-02-03 19:48 syzbot
2025-02-04 0:10 ` [syzbot] [nilfs?] general protection fault in __d_unalias Edward Adam Davis
0 siblings, 1 reply; 5+ messages in thread
From: syzbot @ 2025-02-03 19:48 UTC (permalink / raw)
To: amir73il, asmadeus, brauner, corbet, ericvh, jack, jack,
linux-doc, linux-fsdevel, linux-kernel, linux_oss, lucho, mjguzik,
syzkaller-bugs, v9fs, viro, willy
Hello,
syzbot found the following issue on:
HEAD commit: 69e858e0b8b2 Merge tag 'uml-for-linus-6.14-rc1' of git://g..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=11bfc518580000
kernel config: https://syzkaller.appspot.com/x/.config?x=d1a6d4df5fcc342f
dashboard link: https://syzkaller.appspot.com/bug?extid=a9c0867e4d1dd0c7ab19
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=125d0eb0580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13a595f8580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/a4b4612f419c/disk-69e858e0.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/07abf7c78a98/vmlinux-69e858e0.xz
kernel image: https://storage.googleapis.com/syzbot-assets/085b44906cce/bzImage-69e858e0.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/0e8d208f30b1/mount_0.gz
The issue was bisected to:
commit 30d61efe118cad1a73ad2ad66a3298e4abdf9f41
Author: Al Viro <viro@zeniv.linux.org.uk>
Date: Mon Jan 6 02:33:17 2025 +0000
9p: fix ->rename_sem exclusion
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1050fddf980000
final oops: https://syzkaller.appspot.com/x/report.txt?x=1250fddf980000
console output: https://syzkaller.appspot.com/x/log.txt?x=1450fddf980000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+a9c0867e4d1dd0c7ab19@syzkaller.appspotmail.com
Fixes: 30d61efe118c ("9p: fix ->rename_sem exclusion")
UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp 2022/11/22 14:59 (1000)
Oops: general protection fault, probably for non-canonical address 0xdffffc000000000d: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000068-0x000000000000006f]
CPU: 0 UID: 0 PID: 5832 Comm: syz-executor165 Not tainted 6.13.0-syzkaller-09760-g69e858e0b8b2 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
RIP: 0010:__d_unalias fs/dcache.c:2969 [inline]
RIP: 0010:d_splice_alias+0x9cd/0xf30 fs/dcache.c:3037
Code: 48 c1 ea 03 80 3c 02 00 0f 85 4e 05 00 00 49 8b 85 70 ff ff ff 48 ba 00 00 00 00 00 fc ff df 48 8d 78 68 48 89 f9 48 c1 e9 03 <80> 3c 11 00 0f 85 14 05 00 00 48 8b 40 68 48 85 c0 74 31 48 89 44
RSP: 0018:ffffc90003667c18 EFLAGS: 00010212
RAX: 0000000000000000 RBX: ffff88807dbd7318 RCX: 000000000000000d
RDX: dffffc0000000000 RSI: ffffffff82348f0c RDI: 0000000000000068
RBP: ffff8880754107b8 R08: 0000000000000000 R09: ffffed100f23d67a
R10: ffff8880791eb3d3 R11: 0000000000000032 R12: ffff8880791eb318
R13: ffff8880791eafd8 R14: ffff8880791eaeb0 R15: ffff8880791eaf48
FS: 0000555581642380(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffe875be000 CR3: 0000000076b7a000 CR4: 0000000000350ef0
Call Trace:
<TASK>
udf_lookup+0x191/0x240 fs/udf/namei.c:130
lookup_one_qstr_excl+0x120/0x190 fs/namei.c:1693
do_rmdir+0x247/0x410 fs/namei.c:4444
__do_sys_rmdir fs/namei.c:4474 [inline]
__se_sys_rmdir fs/namei.c:4472 [inline]
__x64_sys_rmdir+0xc5/0x110 fs/namei.c:4472
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f9ee0142d99
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe875bd248 EFLAGS: 00000246 ORIG_RAX: 0000000000000054
RAX: ffffffffffffffda RBX: 6f72746e6f632f2e RCX: 00007f9ee0142d99
RDX: 00007f9ee0142d99 RSI: 00007f9ee0142d99 RDI: 0000000020000100
RBP: 00007f9ee01b75f0 R08: 00005555816434c0 R09: 00005555816434c0
R10: 00005555816434c0 R11: 0000000000000246 R12: 00007ffe875bd270
R13: 00007ffe875bd498 R14: 431bde82d7b634db R15: 00007f9ee018c03b
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__d_unalias fs/dcache.c:2969 [inline]
RIP: 0010:d_splice_alias+0x9cd/0xf30 fs/dcache.c:3037
Code: 48 c1 ea 03 80 3c 02 00 0f 85 4e 05 00 00 49 8b 85 70 ff ff ff 48 ba 00 00 00 00 00 fc ff df 48 8d 78 68 48 89 f9 48 c1 e9 03 <80> 3c 11 00 0f 85 14 05 00 00 48 8b 40 68 48 85 c0 74 31 48 89 44
RSP: 0018:ffffc90003667c18 EFLAGS: 00010212
RAX: 0000000000000000 RBX: ffff88807dbd7318 RCX: 000000000000000d
RDX: dffffc0000000000 RSI: ffffffff82348f0c RDI: 0000000000000068
RBP: ffff8880754107b8 R08: 0000000000000000 R09: ffffed100f23d67a
R10: ffff8880791eb3d3 R11: 0000000000000032 R12: ffff8880791eb318
R13: ffff8880791eafd8 R14: ffff8880791eaeb0 R15: ffff8880791eaf48
FS: 0000555581642380(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffe875be000 CR3: 0000000076b7a000 CR4: 0000000000350ef0
----------------
Code disassembly (best guess):
0: 48 c1 ea 03 shr $0x3,%rdx
4: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
8: 0f 85 4e 05 00 00 jne 0x55c
e: 49 8b 85 70 ff ff ff mov -0x90(%r13),%rax
15: 48 ba 00 00 00 00 00 movabs $0xdffffc0000000000,%rdx
1c: fc ff df
1f: 48 8d 78 68 lea 0x68(%rax),%rdi
23: 48 89 f9 mov %rdi,%rcx
26: 48 c1 e9 03 shr $0x3,%rcx
* 2a: 80 3c 11 00 cmpb $0x0,(%rcx,%rdx,1) <-- trapping instruction
2e: 0f 85 14 05 00 00 jne 0x548
34: 48 8b 40 68 mov 0x68(%rax),%rax
38: 48 85 c0 test %rax,%rax
3b: 74 31 je 0x6e
3d: 48 rex.W
3e: 89 .byte 0x89
3f: 44 rex.R
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
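Both reports on this page, the nilfs2 rename path and the udf rmdir path, open with the same two-line signature: a general protection fault "probably for non-canonical address 0xdffffc000000000d" followed by "KASAN: null-ptr-deref in range [0x68-0x6f]". The C program below is an added example, not code from syzbot, the kernel or either reporter, that does the arithmetic a practitioner uses to read such a header by hand. It assumes the generic x86-64 KASAN layout the registers themselves show (shadow = (addr >> 3) + 0xdffffc0000000000; R13 holds that offset in the clang build and the `movabs` loads it in the gcc build), and the two `Code:` strings are copied from the reports. It shows why the CPU raised #GP rather than a page fault (the shadow byte of a near-NULL pointer lies at a non-canonical address, so CR2 is unrelated to the bug), recovers the 8-byte granule that was read (0x68..0x6f, the offset that `add $0x68,%rbp` / `lea 0x68(%rax),%rdi` added to a NULL `d_op`), cross-checks a real register pair (RBX in the first report is R15 >> 3), and locates the `<..>`-marked byte in a `Code:` line so it can be matched against the `* 2a:` line of the disassembly.

```c
/*
 * Decoder for the KASAN/GPF header of an x86-64 oops.
 * Added example; not code from syzbot, the kernel, or the reporters.
 * The constants are the generic-KASAN x86-64 layout assumed by the
 * reports above: shadow = (addr >> 3) + 0xdffffc0000000000.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL
#define KASAN_SHADOW_SCALE_SHIFT 3
#define KASAN_GRANULE_SIZE       (1ULL << KASAN_SHADOW_SCALE_SHIFT)
#define X86_PAGE_SIZE            4096ULL /* below this KASAN says null-ptr-deref */

/* Shadow byte describing the 8-byte granule that contains addr. */
uint64_t kasan_mem_to_shadow(uint64_t addr)
{
	return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* Inverse: first address of the granule a shadow byte describes. */
uint64_t kasan_shadow_to_mem(uint64_t shadow)
{
	return (shadow - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT;
}

/*
 * A 48-bit virtual address is canonical when bits 63..47 are all 0 or
 * all 1. Touching anything else raises #GP instead of #PF, which is why
 * the oops says "general protection fault" and CR2 holds an unrelated
 * user-space address rather than the bad pointer.
 */
int is_canonical(uint64_t va)
{
	uint64_t top17 = va >> 47;
	return top17 == 0 || top17 == 0x1ffff;
}

struct kasan_fault {
	uint64_t shadow;  /* address from the "non-canonical address" line */
	uint64_t lo, hi;  /* granule of kernel memory the instruction touched */
	int null_deref;   /* lo < PAGE_SIZE: NULL (or near-NULL) plus an offset */
	int gpf;          /* 1 if the shadow address itself is non-canonical */
};

struct kasan_fault decode_kasan_fault(uint64_t shadow)
{
	struct kasan_fault f;

	f.shadow = shadow;
	f.lo = kasan_shadow_to_mem(shadow);
	f.hi = f.lo + KASAN_GRANULE_SIZE - 1;
	f.null_deref = f.lo < X86_PAGE_SIZE;
	f.gpf = !is_canonical(shadow);
	return f;
}

/*
 * Byte offset of the <xx>-marked token in an oops "Code:" line, i.e. how
 * far the trapping instruction sits from the start of the dump; this is
 * the number on the "* NN:" line of syzbot's "Code disassembly".
 * Returns -1 if no marker is present. Assumes the plain "hh hh <hh> hh"
 * token form used in the reports above.
 */
int code_line_trap_offset(const char *code)
{
	const char *p = code;
	int offset = 0;

	if (strncmp(p, "Code:", 5) == 0)
		p += 5;
	while (*p) {
		while (*p == ' ')
			p++;
		if (*p == '\0')
			break;
		if (*p == '<')
			return offset;
		if (strlen(p) < 2)
			return -1; /* truncated token */
		p += 2;            /* one "hh" byte token */
		offset++;
	}
	return -1;
}

/* "Code:" lines copied from the two reports on this page. */
static const char nilfs_code[] = "Code: 98 00 00 00 4c 89 fb 48 c1 eb 03 49 89 ed 80 3c 2b 00 74 08 4c 89 ff e8 65 62 e7 ff 49 8b 2f 48 83 c5 68 48 89 e8 48 c1 e8 03 <42> 80 3c 28 00 74 08 48 89 ef e8 48 62 e7 ff 4c 8b 5d 00 4d 85 db";
static const char udf_code[] = "Code: 48 c1 ea 03 80 3c 02 00 0f 85 4e 05 00 00 49 8b 85 70 ff ff ff 48 ba 00 00 00 00 00 fc ff df 48 8d 78 68 48 89 f9 48 c1 e9 03 <80> 3c 11 00 0f 85 14 05 00 00 48 8b 40 68 48 85 c0 74 31 48 89 44";

int main(void)
{
	struct kasan_fault f = decode_kasan_fault(0xdffffc000000000dULL);

	printf("shadow %#llx (%s) -> access [%#llx, %#llx]%s\n",
	       (unsigned long long)f.shadow, f.gpf ? "#GP, non-canonical" : "#PF",
	       (unsigned long long)f.lo, (unsigned long long)f.hi,
	       f.null_deref ? " = NULL pointer + offset" : "");
	printf("trapping byte: nilfs +%#x, udf +%#x\n",
	       code_line_trap_offset(nilfs_code), code_line_trap_offset(udf_code));
	return 0;
}
```

Reading the first report with these functions: RAX is 0xd, which is 0x68 >> 3, and R13 is the shadow offset, so the trapping `cmpb $0x0,(%rax,%r13,1)` touched shadow byte 0xdffffc000000000d; mapping it back gives the 8-byte granule at 0x68, i.e. a NULL `d_op` plus the field offset, and the 42-byte prefix before `<42>` in the `Code:` line is the `* 2a:` of the disassembly.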
* Re: [syzbot] [nilfs?] general protection fault in __d_unalias
2025-02-03 19:48 [syzbot] [udf?] general protection fault in d_splice_alias syzbot
@ 2025-02-04 0:10 ` Edward Adam Davis
0 siblings, 0 replies; 5+ messages in thread
From: Edward Adam Davis @ 2025-02-04 0:10 UTC (permalink / raw)
To: syzbot+a9c0867e4d1dd0c7ab19; +Cc: linux-kernel, syzkaller-bugs
#syz test
diff --git a/fs/dcache.c b/fs/dcache.c
index 9cc0d47da321..96b21a47312e 100644
--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -2966,11 +2966,11 @@ static int __d_unalias(struct dentry *dentry, struct dentry *alias)
goto out_err;
m2 = &alias->d_parent->d_inode->i_rwsem;
out_unalias:
- if (alias->d_op->d_unalias_trylock &&
+ if (alias->d_op && alias->d_op->d_unalias_trylock &&
!alias->d_op->d_unalias_trylock(alias))
goto out_err;
__d_move(alias, dentry, false);
- if (alias->d_op->d_unalias_unlock)
+ if (alias->d_op && alias->d_op->d_unalias_unlock)
alias->d_op->d_unalias_unlock(alias);
ret = 0;
out_err:
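Review bot: this diff is the same one posted to the nilfs report, and both reports bisect to the same commit 30d61efe118c with the same fault (here `lea 0x68(%rax),%rdi` with RAX 0 gives RDI 0x68, again fs/dcache.c:2969 inlined into d_splice_alias and reached from udf_lookup), so they are one bug and should not be fixed twice: either reply `#syz dup:` with the other report's subject, or carry both `Reported-by:` lines (syzbot+ab57f676a518849a8d57 and syzbot+a9c0867e4d1dd0c7ab19) on a single patch with the `Fixes: 30d61efe118c ("9p: fix ->rename_sem exclusion")` tag. The two `+` guards themselves match the evidence: the `-` line reads `alias->d_op->d_unalias_trylock` on a udf dentry whose `d_op` is NULL, exactly the 0x68 offset KASAN reports.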
end of thread, other threads:[~2025-02-04 2:20 UTC | newest]
Thread overview: 5+ messages
2025-02-03 18:55 [syzbot] [nilfs?] general protection fault in __d_unalias syzbot
2025-02-04 0:10 ` Edward Adam Davis
2025-02-04 1:14 ` syzbot
2025-02-04 2:20 ` Ryusuke Konishi
-- strict thread matches above, loose matches on Subject: below --
2025-02-03 19:48 [syzbot] [udf?] general protection fault in d_splice_alias syzbot
2025-02-04 0:10 ` [syzbot] [nilfs?] general protection fault in __d_unalias Edward Adam Davis