* [syzbot] [net?] general protection fault in ip6_pol_route (3)
@ 2025-02-04 14:07 syzbot
2025-02-05 11:34 ` Hillf Danton
` (3 more replies)
0 siblings, 4 replies; 96+ messages in thread
From: syzbot @ 2025-02-04 14:07 UTC (permalink / raw)
To: davem, dsahern, edumazet, horms, kuba, linux-kernel, netdev,
pabeni, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: f1b785f4c787 Merge tag 'for_linus' of git://git.kernel.org..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=100bc1a7980000
kernel config: https://syzkaller.appspot.com/x/.config?x=d2aeec8c0b2e420c
dashboard link: https://syzkaller.appspot.com/bug?extid=3201be560ebfa39bc6bd
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1209e4c0580000
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7feb34a89c2a/non_bootable_disk-f1b785f4.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/3d6bd514fd25/vmlinux-f1b785f4.xz
kernel image: https://storage.googleapis.com/syzbot-assets/bf9273b213e1/bzImage-f1b785f4.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/d332161a8efa/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3201be560ebfa39bc6bd@syzkaller.appspotmail.com
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000013: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000098-0x000000000000009f]
CPU: 0 UID: 0 PID: 24 Comm: kworker/u4:2 Not tainted 6.12.0-rc7-syzkaller-00042-gf1b785f4c787 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: events_unbound macvlan_process_broadcast
RIP: 0010:rt6_get_pcpu_route net/ipv6/route.c:1408 [inline]
RIP: 0010:ip6_pol_route+0x4d1/0x15d0 net/ipv6/route.c:2264
Code: 93 f7 48 8b 03 65 4c 8b 30 31 ff 4c 89 f6 e8 86 b4 29 f7 4d 85 f6 0f 84 da 00 00 00 49 8d 9e 98 00 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 0f 85 12 0f 00 00 44 8b 3b 31 ff 44 89 fe e8
RSP: 0018:ffffc900000073a0 EFLAGS: 00010202
RAX: 0000000000000013 RBX: 0000000000000099 RCX: ffff88801bb0c880
RDX: 0000000000000100 RSI: 0000000000000001 RDI: 0000000000000000
RBP: ffffc900000074f0 R08: ffffffff8a6b3a6a R09: ffff888012677b40
R10: dffffc0000000000 R11: fffffbfff203a13e R12: ffffc90000007470
R13: 1ffff92000000e8e R14: 0000000000000001 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7b9a67e000 CR3: 000000003ea02000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
pol_lookup_func include/net/ip6_fib.h:616 [inline]
fib6_rule_lookup+0x58c/0x790 net/ipv6/fib6_rules.c:117
ip6_route_input_lookup net/ipv6/route.c:2300 [inline]
ip6_route_input+0x859/0xd90 net/ipv6/route.c:2596
ip6_rcv_finish+0x144/0x180 net/ipv6/ip6_input.c:77
NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314
__netif_receive_skb_one_core net/core/dev.c:5670 [inline]
__netif_receive_skb+0x1ea/0x650 net/core/dev.c:5783
process_backlog+0x662/0x15b0 net/core/dev.c:6115
__napi_poll+0xcb/0x490 net/core/dev.c:6779
napi_poll net/core/dev.c:6848 [inline]
net_rx_action+0x89b/0x1240 net/core/dev.c:6970
handle_softirqs+0x2c5/0x980 kernel/softirq.c:554
do_softirq+0x11b/0x1e0 kernel/softirq.c:455
</IRQ>
<TASK>
__local_bh_enable_ip+0x1bb/0x200 kernel/softirq.c:382
local_bh_enable include/linux/bottom_half.h:33 [inline]
netif_rx+0x83/0x90 net/core/dev.c:5255
macvlan_broadcast+0x3c4/0x670 drivers/net/macvlan.c:290
macvlan_process_broadcast+0x50e/0x7f0 drivers/net/macvlan.c:338
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:rt6_get_pcpu_route net/ipv6/route.c:1408 [inline]
RIP: 0010:ip6_pol_route+0x4d1/0x15d0 net/ipv6/route.c:2264
Code: 93 f7 48 8b 03 65 4c 8b 30 31 ff 4c 89 f6 e8 86 b4 29 f7 4d 85 f6 0f 84 da 00 00 00 49 8d 9e 98 00 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 0f 85 12 0f 00 00 44 8b 3b 31 ff 44 89 fe e8
RSP: 0018:ffffc900000073a0 EFLAGS: 00010202
RAX: 0000000000000013 RBX: 0000000000000099 RCX: ffff88801bb0c880
RDX: 0000000000000100 RSI: 0000000000000001 RDI: 0000000000000000
RBP: ffffc900000074f0 R08: ffffffff8a6b3a6a R09: ffff888012677b40
R10: dffffc0000000000 R11: fffffbfff203a13e R12: ffffc90000007470
R13: 1ffff92000000e8e R14: 0000000000000001 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7b9a67e000 CR3: 000000003ea02000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 93 xchg %eax,%ebx
1: f7 48 8b 03 65 4c 8b testl $0x8b4c6503,-0x75(%rax)
8: 30 31 xor %dh,(%rcx)
a: ff 4c 89 f6 decl -0xa(%rcx,%rcx,4)
e: e8 86 b4 29 f7 call 0xf729b499
13: 4d 85 f6 test %r14,%r14
16: 0f 84 da 00 00 00 je 0xf6
1c: 49 8d 9e 98 00 00 00 lea 0x98(%r14),%rbx
23: 48 89 d8 mov %rbx,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 0f b6 04 38 movzbl (%rax,%r15,1),%eax <-- trapping instruction
2f: 84 c0 test %al,%al
31: 0f 85 12 0f 00 00 jne 0xf49
37: 44 8b 3b mov (%rbx),%r15d
3a: 31 ff xor %edi,%edi
3c: 44 89 fe mov %r15d,%esi
3f: e8 .byte 0xe8
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: [syzbot] [net?] general protection fault in ip6_pol_route (3)
2025-02-04 14:07 [syzbot] [net?] general protection fault in ip6_pol_route (3) syzbot
@ 2025-02-05 11:34 ` Hillf Danton
2025-02-05 11:54 ` syzbot
2025-02-06 11:24 ` Hillf Danton
` (2 subsequent siblings)
3 siblings, 1 reply; 96+ messages in thread
From: Hillf Danton @ 2025-02-05 11:34 UTC (permalink / raw)
To: syzbot; +Cc: linux-kernel, syzkaller-bugs
On Tue, 04 Feb 2025 06:07:34 -0800
> syzbot found the following issue on:
>
> HEAD commit: f1b785f4c787 Merge tag 'for_linus' of git://git.kernel.org..
> git tree: upstream
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1209e4c0580000
#syz test upstream master
--- x/net/ipv6/route.c
+++ y/net/ipv6/route.c
@@ -2258,7 +2258,7 @@ struct rt6_info *ip6_pol_route(struct ne
return rt;
}
- } else {
+ } else if (res.nh) {
/* Get a percpu copy */
local_bh_disable();
rt = rt6_get_pcpu_route(&res);
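Review bot: the new `res.nh` test in `} else if (res.nh) {` may not cover the reported fault. The oops places the trap inside the inlined rt6_get_pcpu_route() (net/ipv6/route.c:1408) with R14 = 0x1 and RBX = 0x99 after `lea 0x98(%r14),%rbx`, and the preceding `test %r14,%r14` did not take its branch, so the pointer being dereferenced was the non-NULL value 0x1 rather than NULL. A non-NULL check on res.nh in the caller would let the same value through; it would help to identify which pointer holds 0x1, and why, before gating on res.nh.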
--
^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: [syzbot] [net?] general protection fault in ip6_pol_route (3)
2025-02-05 11:34 ` Hillf Danton
@ 2025-02-05 11:54 ` syzbot
0 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-02-05 11:54 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
79.765602][ T5343]
[ 79.766558][ T5343] The buggy address belongs to the physical page:
[ 79.769019][ T5343] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4f464
[ 79.772366][ T5343] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 79.775598][ T5343] anon flags: 0x4fff00000000040(head|node=1|zone=1|lastcpupid=0x7ff)
[ 79.778676][ T5343] page_type: f5(slab)
[ 79.780232][ T5343] raw: 04fff00000000040 ffff88801ac41c80 0000000000000000 dead000000000001
[ 79.783372][ T5343] raw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000
[ 79.786627][ T5343] head: 04fff00000000040 ffff88801ac41c80 0000000000000000 dead000000000001
[ 79.789858][ T5343] head: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000
[ 79.793129][ T5343] head: 04fff00000000001 ffffea00013d1901 ffffffffffffffff 0000000000000000
[ 79.796507][ T5343] head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000
[ 79.799785][ T5343] page dumped because: kasan: bad access detected
[ 79.802261][ T5343] page_owner tracks the page as allocated
[ 79.804507][ T5343] page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5329, tgid 5329 (syz-executor), ts 78415084094, free_ts 78169759446
[ 79.812368][ T5343] post_alloc_hook+0x1f4/0x240
[ 79.814298][ T5343] get_page_from_freelist+0x365c/0x37a0
[ 79.816463][ T5343] __alloc_frozen_pages_noprof+0x292/0x710
[ 79.818703][ T5343] alloc_pages_mpol+0x311/0x660
[ 79.820563][ T5343] allocate_slab+0x8f/0x3a0
[ 79.822338][ T5343] ___slab_alloc+0xc27/0x14a0
[ 79.824253][ T5343] __slab_alloc+0x58/0xa0
[ 79.825926][ T5343] __kmalloc_cache_noprof+0x27b/0x390
[ 79.827981][ T5343] binderfs_fill_super+0x58e/0xd90
[ 79.829916][ T5343] get_tree_nodev+0xb7/0x140
[ 79.831720][ T5343] vfs_get_tree+0x90/0x2b0
[ 79.833832][ T5343] do_new_mount+0x2be/0xb40
[ 79.835650][ T5343] __se_sys_mount+0x2d6/0x3c0
[ 79.837488][ T5343] do_syscall_64+0xf3/0x230
[ 79.839249][ T5343] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 79.841466][ T5343] page last free pid 80 tgid 80 stack trace:
[ 79.843812][ T5343] free_unref_folios+0xe40/0x18b0
[ 79.845786][ T5343] shrink_folio_list+0x41a7/0x5ac0
[ 79.847791][ T5343] evict_folios+0x45fd/0x56a0
[ 79.849591][ T5343] try_to_shrink_lruvec+0x713/0x9b0
[ 79.851656][ T5343] shrink_one+0x3b9/0x850
[ 79.853309][ T5343] shrink_node+0x37c5/0x3e50
[ 79.855093][ T5343] kswapd+0x20f3/0x3b10
[ 79.856715][ T5343] kthread+0x7a9/0x920
[ 79.858297][ T5343] ret_from_fork+0x4b/0x80
[ 79.859943][ T5343] ret_from_fork_asm+0x1a/0x30
[ 79.861728][ T5343]
[ 79.862691][ T5343] Memory state around the buggy address:
[ 79.864899][ T5343] ffff88804f464700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 79.868793][ T5343] ffff88804f464780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 79.871847][ T5343] >ffff88804f464800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.875096][ T5343] ^
[ 79.876814][ T5343] ffff88804f464880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.879777][ T5343] ffff88804f464900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.882810][ T5343] ==================================================================
[ 80.174438][ T1033] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 80.177606][ T1033] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 80.241533][ T1068] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 80.255404][ T1068] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 80.841220][ T5343] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 80.844058][ T5343] CPU: 0 UID: 0 PID: 5343 Comm: syz-executor Not tainted 6.14.0-rc1-syzkaller-g5c8c229261f1-dirty #0
[ 80.848035][ T5343] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 80.852045][ T5343] Call Trace:
[ 80.853331][ T5343] <TASK>
[ 80.854460][ T5343] dump_stack_lvl+0x241/0x360
[ 80.856209][ T5343] ? __pfx_dump_stack_lvl+0x10/0x10
[ 80.858174][ T5343] ? __pfx__printk+0x10/0x10
[ 80.859914][ T5343] ? preempt_schedule+0xe1/0xf0
[ 80.861752][ T5343] ? vscnprintf+0x5d/0x90
[ 80.863363][ T5343] panic+0x349/0x880
[ 80.864858][ T5343] ? check_panic_on_warn+0x21/0xb0
[ 80.866780][ T5343] ? __pfx_panic+0x10/0x10
[ 80.868454][ T5343] ? _raw_spin_unlock_irqrestore+0x130/0x140
[ 80.870716][ T5343] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 80.873049][ T5343] ? print_report+0x502/0x550
[ 80.874886][ T5343] check_panic_on_warn+0x86/0xb0
[ 80.876762][ T5343] ? binder_add_device+0x5f/0xa0
[ 80.878699][ T5343] end_report+0x77/0x160
[ 80.880307][ T5343] kasan_report+0x154/0x180
[ 80.882054][ T5343] ? binder_add_device+0x5f/0xa0
[ 80.883951][ T5343] binder_add_device+0x5f/0xa0
[ 80.885778][ T5343] binderfs_binder_device_create+0x7bf/0x9c0
[ 80.888011][ T5343] binderfs_fill_super+0x944/0xd90
[ 80.889968][ T5343] ? __pfx_binderfs_fill_super+0x10/0x10
[ 80.892086][ T5343] ? shrinker_register+0x160/0x230
[ 80.893912][ T5343] ? sget_fc+0x909/0x9c0
[ 80.895358][ T5343] ? __pfx_set_anon_super_fc+0x10/0x10
[ 80.897187][ T5343] ? __pfx_binderfs_fill_super+0x10/0x10
[ 80.899300][ T5343] get_tree_nodev+0xb7/0x140
[ 80.901061][ T5343] vfs_get_tree+0x90/0x2b0
[ 80.902772][ T5343] do_new_mount+0x2be/0xb40
[ 80.904510][ T5343] ? __pfx_do_new_mount+0x10/0x10
[ 80.906387][ T5343] __se_sys_mount+0x2d6/0x3c0
[ 80.908141][ T5343] ? lockdep_hardirqs_on_prepare+0x43d/0x780
[ 80.910345][ T5343] ? __pfx___se_sys_mount+0x10/0x10
[ 80.912308][ T5343] ? do_syscall_64+0x100/0x230
[ 80.914126][ T5343] ? __x64_sys_mount+0x20/0xc0
[ 80.915911][ T5343] do_syscall_64+0xf3/0x230
[ 80.917629][ T5343] ? clear_bhb_loop+0x35/0x90
[ 80.919384][ T5343] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 80.921583][ T5343] RIP: 0033:0x7fc18af7feba
[ 80.923238][ T5343] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 80.930263][ T5343] RSP: 002b:00007fffe7bd7398 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 80.933382][ T5343] RAX: ffffffffffffffda RBX: 00007fc18aff1b21 RCX: 00007fc18af7feba
[ 80.936291][ T5343] RDX: 00007fc18affcfa8 RSI: 00007fc18aff1b21 RDI: 00007fc18affcfa8
[ 80.939200][ T5343] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 80.942081][ T5343] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fc18b005050
[ 80.944983][ T5343] R13: 00007fffe7bd7418 R14: 0000000000000009 R15: 0000000000000000
[ 80.947863][ T5343] </TASK>
[ 80.949295][ T5343] Kernel Offset: disabled
[ 80.950938][ T5343] Rebooting in 86400 seconds..
VM DIAGNOSIS:
11:53:19 Registers:
syzkaller build log:
go env (err=<nil>)
git status (err=<nil>)
HEAD detached at 4dfba277487
nothing to commit, working tree clean
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
go fmt ./sys/... >/dev/null
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=4dfba277487a7023ab9f5783302da4a9b5e9bef8 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20241113-111659'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"4dfba277487a7023ab9f5783302da4a9b5e9bef8\"
/usr/bin/ld: /tmp/ccOQNa87.o: in function `test_cover_filter()':
executor.cc:(.text+0x1426b): warning: the use of `tempnam' is dangerous, better use `mkstemp'
/usr/bin/ld: /tmp/ccOQNa87.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=131f44a4580000
Tested on:
commit: 5c8c2292 Merge tag 'kthreads-fixes-2025-02-04' of git:..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=d256a021904f1cd7
dashboard link: https://syzkaller.appspot.com/bug?extid=3201be560ebfa39bc6bd
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=109493df980000
^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: [syzbot] [net?] general protection fault in ip6_pol_route (3)
2025-02-04 14:07 [syzbot] [net?] general protection fault in ip6_pol_route (3) syzbot
2025-02-05 11:34 ` Hillf Danton
@ 2025-02-06 11:24 ` Hillf Danton
2025-02-06 11:26 ` syzbot
2025-02-07 12:10 ` Hillf Danton
2025-07-20 4:02 ` Forwarded: syzbot
3 siblings, 1 reply; 96+ messages in thread
From: Hillf Danton @ 2025-02-06 11:24 UTC (permalink / raw)
To: syzbot; +Cc: linux-kernel, syzkaller-bugs
On Tue, 04 Feb 2025 06:07:34 -0800
> syzbot found the following issue on:
>
> HEAD commit: f1b785f4c787 Merge tag 'for_linus' of git://git.kernel.org..
> git tree: upstream
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1209e4c0580000
#syz test upstream master
--- x/net/ipv6/route.c
+++ y/net/ipv6/route.c
@@ -2258,7 +2258,7 @@ struct rt6_info *ip6_pol_route(struct ne
return rt;
}
- } else {
+ } else if (res.nh) {
/* Get a percpu copy */
local_bh_disable();
rt = rt6_get_pcpu_route(&res);
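Review bot: with `} else {` changed to `} else if (res.nh) {`, the chain has no branch left for the case where res.nh is NULL, and the visible lines do not show what rt holds on that path. Add an explicit else that assigns a defined result, or state in the message why rt is already valid there.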
--- a/drivers/hid/hid-corsair-void.c
+++ b/drivers/hid/hid-corsair-void.c
@@ -727,6 +727,7 @@ static void corsair_void_remove(struct hid_device *hid_dev)
power_supply_unregister(drvdata->battery);
cancel_delayed_work_sync(&drvdata->delayed_firmware_work);
+ cancel_delayed_work_sync(&drvdata->delayed_status_work);
sysfs_remove_group(&hid_dev->dev.kobj, &corsair_void_attr_group);
}
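Review bot: the hunk header `@@ -727,6 +727,7 @@` declares six old and seven new lines, but the body shown here has fewer, and the hunk sits in drivers/hid/hid-corsair-void.c, which the ip6_pol_route report does not mention. Regenerate the hunk from the tree so the counts match the body, and say in the message why a HID driver change is part of a test patch for an IPv6 routing fault.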
--
^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: [syzbot] [net?] general protection fault in ip6_pol_route (3)
2025-02-06 11:24 ` Hillf Danton
@ 2025-02-06 11:26 ` syzbot
0 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-02-06 11:26 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
failed to apply patch:
checking file net/ipv6/route.c
checking file drivers/hid/hid-corsair-void.c
patch: **** unexpected end of file in patch
Tested on:
commit: 92514ef2 Merge tag 'for-6.14-rc1-tag' of git://git.ker..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=d2aeec8c0b2e420c
dashboard link: https://syzkaller.appspot.com/bug?extid=3201be560ebfa39bc6bd
compiler:
patch: https://syzkaller.appspot.com/x/patch.diff?x=1068a4a4580000
^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: [syzbot] [net?] general protection fault in ip6_pol_route (3)
2025-02-04 14:07 [syzbot] [net?] general protection fault in ip6_pol_route (3) syzbot
2025-02-05 11:34 ` Hillf Danton
2025-02-06 11:24 ` Hillf Danton
@ 2025-02-07 12:10 ` Hillf Danton
2025-02-07 12:24 ` syzbot
2025-07-20 4:02 ` Forwarded: syzbot
3 siblings, 1 reply; 96+ messages in thread
From: Hillf Danton @ 2025-02-07 12:10 UTC (permalink / raw)
To: syzbot; +Cc: linux-kernel, syzkaller-bugs
On Tue, 04 Feb 2025 06:07:34 -0800
> syzbot found the following issue on:
>
> HEAD commit: f1b785f4c787 Merge tag 'for_linus' of git://git.kernel.org..
> git tree: upstream
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1209e4c0580000
#syz test upstream master
--- x/net/ipv6/route.c
+++ y/net/ipv6/route.c
@@ -2258,7 +2258,7 @@ struct rt6_info *ip6_pol_route(struct ne
return rt;
}
- } else {
+ } else if (res.nh) {
/* Get a percpu copy */
local_bh_disable();
rt = rt6_get_pcpu_route(&res);
--- a/drivers/hid/hid-corsair-void.c
+++ b/drivers/hid/hid-corsair-void.c
@@ -726,6 +726,7 @@ static void corsair_void_remove(struct h
if (drvdata->battery)
power_supply_unregister(drvdata->battery);
+ cancel_delayed_work_sync(&drvdata->delayed_status_work);
cancel_delayed_work_sync(&drvdata->delayed_firmware_work);
sysfs_remove_group(&hid_dev->dev.kobj, &corsair_void_attr_group);
}
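Review bot: the added `cancel_delayed_work_sync(&drvdata->delayed_status_work);` runs after `power_supply_unregister(drvdata->battery);`. If the status work can touch drvdata->battery, it can still run while or after the battery is unregistered; cancelling it before the `if (drvdata->battery)` block closes that window. It is also worth confirming that nothing can re-queue delayed_status_work once it has been cancelled in corsair_void_remove().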
--
^ permalink raw reply [flat|nested] 96+ messages in thread
* Re: [syzbot] [net?] general protection fault in ip6_pol_route (3)
2025-02-07 12:10 ` Hillf Danton
@ 2025-02-07 12:24 ` syzbot
0 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-02-07 12:24 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
x10
[ 85.293372][ C0] ? __pfx_fib6_rule_lookup+0x10/0x10
[ 85.295445][ C0] ? __local_bh_enable_ip+0x168/0x200
[ 85.297405][ C0] ? __pfx___local_bh_disable_ip+0x10/0x10
[ 85.299560][ C0] ? ip6t_do_table+0x205/0x18a0
[ 85.301398][ C0] ? __pfx___local_bh_enable_ip+0x10/0x10
[ 85.303557][ C0] ip6_route_input+0x859/0xd90
[ 85.305331][ C0] ? __pfx_ip6_route_input+0x10/0x10
[ 85.307250][ C0] ? __pfx_lock_release+0x10/0x10
[ 85.309244][ C0] ? ip6_rcv_finish_core+0x20f/0x410
[ 85.311229][ C0] ip6_rcv_finish+0x144/0x180
[ 85.313088][ C0] ? __pfx_ip6_rcv_finish+0x10/0x10
[ 85.315021][ C0] NF_HOOK+0x3a4/0x450
[ 85.316743][ C0] ? skb_orphan+0x4b/0xd0
[ 85.318409][ C0] ? NF_HOOK+0x9a/0x450
[ 85.320017][ C0] ? __pfx_NF_HOOK+0x10/0x10
[ 85.321814][ C0] ? __pfx_ip6_rcv_finish+0x10/0x10
[ 85.323622][ C0] ? __pfx_ipv6_rcv+0x10/0x10
[ 85.325252][ C0] __netif_receive_skb+0x1ea/0x650
[ 85.327108][ C0] ? __pfx_lock_acquire+0x10/0x10
[ 85.329035][ C0] ? __pfx___netif_receive_skb+0x10/0x10
[ 85.331023][ C0] ? lockdep_hardirqs_on_prepare+0x43d/0x780
[ 85.333914][ C0] ? __pfx_lock_release+0x10/0x10
[ 85.336388][ C0] ? _raw_spin_lock_irq+0xdf/0x120
[ 85.338749][ C0] process_backlog+0x662/0x15b0
[ 85.340660][ C0] ? process_backlog+0x33b/0x15b0
[ 85.342593][ C0] ? __pfx_process_backlog+0x10/0x10
[ 85.344774][ C0] ? lockdep_hardirqs_on_prepare+0x43d/0x780
[ 85.346950][ C0] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 85.349327][ C0] ? trace_rcu_utilization+0x4b/0x1e0
[ 85.351372][ C0] __napi_poll+0xcb/0x490
[ 85.353054][ C0] net_rx_action+0x89b/0x1240
[ 85.354900][ C0] ? __pfx_net_rx_action+0x10/0x10
[ 85.356826][ C0] ? do_softirq+0x11b/0x1e0
[ 85.358585][ C0] ? __pfx_lockdep_softirqs_off+0x10/0x10
[ 85.360701][ C0] ? lockdep_softirqs_on+0x334/0x5a0
[ 85.362790][ C0] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 85.365259][ C0] handle_softirqs+0x2d4/0x9b0
[ 85.367051][ C0] ? __pfx_handle_softirqs+0x10/0x10
[ 85.369207][ C0] ? do_softirq+0x11b/0x1e0
[ 85.371014][ C0] ? __pfx_handle_softirqs+0x10/0x10
[ 85.373108][ C0] do_softirq+0x11b/0x1e0
[ 85.374820][ C0] </IRQ>
[ 85.375942][ C0] <TASK>
[ 85.377044][ C0] ? __pfx_do_softirq+0x10/0x10
[ 85.378934][ C0] ? __pfx_lockdep_softirqs_on+0x10/0x10
[ 85.381010][ C0] ? rcu_is_watching+0x15/0xb0
[ 85.382747][ C0] __local_bh_enable_ip+0x1bb/0x200
[ 85.384669][ C0] ? dev_hard_start_xmit+0x768/0x7d0
[ 85.386628][ C0] ? __dev_queue_xmit+0x2f4/0x3f50
[ 85.388554][ C0] ? __pfx___local_bh_enable_ip+0x10/0x10
[ 85.390696][ C0] ? __dev_queue_xmit+0x2f4/0x3f50
[ 85.392723][ C0] __dev_queue_xmit+0x1775/0x3f50
[ 85.394645][ C0] ? __dev_queue_xmit+0x2f4/0x3f50
[ 85.396618][ C0] ? __pfx___dev_queue_xmit+0x10/0x10
[ 85.398643][ C0] ? neigh_resolve_output+0x450/0x740
[ 85.400773][ C0] ? read_seqbegin+0x15a/0x2c0
[ 85.402609][ C0] ? lockdep_hardirqs_on+0x99/0x150
[ 85.404653][ C0] ? read_seqbegin+0x200/0x2c0
[ 85.406474][ C0] ? __pfx_read_seqbegin+0x10/0x10
[ 85.408532][ C0] ? neigh_resolve_output+0x2e5/0x740
[ 85.410658][ C0] ? eth_header+0x11c/0x1f0
[ 85.412483][ C0] ? __asan_memcpy+0x40/0x70
[ 85.414215][ C0] ? eth_header+0x11c/0x1f0
[ 85.415980][ C0] ? __pfx_eth_header+0x10/0x10
[ 85.417875][ C0] ? neigh_resolve_output+0x61f/0x740
[ 85.419858][ C0] ip6_finish_output2+0x12ad/0x1780
[ 85.421764][ C0] ? ip6_finish_output2+0x61d/0x1780
[ 85.423624][ C0] ? __pfx_ip6_finish_output2+0x10/0x10
[ 85.425794][ C0] ? ip6_mtu+0x81/0x3f0
[ 85.427425][ C0] ip6_finish_output+0x41e/0x840
[ 85.429249][ C0] ndisc_send_skb+0xb30/0x1450
[ 85.431073][ C0] ? ndisc_send_skb+0x563/0x1450
[ 85.432980][ C0] ? __pfx_ndisc_send_skb+0x10/0x10
[ 85.434944][ C0] ? __pfx_dst_output+0x10/0x10
[ 85.436614][ C0] ? __pfx_ndisc_ns_create+0x10/0x10
[ 85.438567][ C0] ndisc_send_ns+0xcc/0x160
[ 85.440339][ C0] ? __pfx_ndisc_send_ns+0x10/0x10
[ 85.442326][ C0] addrconf_dad_work+0xb2d/0x16a0
[ 85.444358][ C0] ? __pfx_addrconf_dad_work+0x10/0x10
[ 85.446504][ C0] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 85.449024][ C0] ? process_scheduled_works+0x976/0x1840
[ 85.451074][ C0] process_scheduled_works+0xa66/0x1840
[ 85.453146][ C0] ? __pfx_process_scheduled_works+0x10/0x10
[ 85.455426][ C0] ? assign_work+0x364/0x3d0
[ 85.457174][ C0] worker_thread+0x870/0xd30
[ 85.458768][ C0] ? _raw_spin_unlock_irqrestore+0xdd/0x140
[ 85.460971][ C0] ? __kthread_parkme+0x169/0x1d0
[ 85.463125][ C0] ? __pfx_worker_thread+0x10/0x10
[ 85.465052][ C0] kthread+0x7a9/0x920
[ 85.466620][ C0] ? __pfx_kthread+0x10/0x10
[ 85.468429][ C0] ? __pfx_worker_thread+0x10/0x10
[ 85.470430][ C0] ? __pfx_kthread+0x10/0x10
[ 85.472221][ C0] ? __pfx_kthread+0x10/0x10
[ 85.474017][ C0] ? __pfx_kthread+0x10/0x10
[ 85.475890][ C0] ? _raw_spin_unlock_irq+0x23/0x50
[ 85.478015][ C0] ? lockdep_hardirqs_on+0x99/0x150
[ 85.480047][ C0] ? __pfx_kthread+0x10/0x10
[ 85.482033][ C0] ret_from_fork+0x4b/0x80
[ 85.483827][ C0] ? __pfx_kthread+0x10/0x10
[ 85.485729][ C0] ret_from_fork_asm+0x1a/0x30
[ 85.487633][ C0] </TASK>
[ 85.488903][ C0] Modules linked in:
[ 85.490457][ C0] ---[ end trace 0000000000000000 ]---
[ 85.492579][ C0] RIP: 0010:find_match+0xae/0xc10
[ 85.494566][ C0] Code: 08 48 89 df e8 e3 e9 96 f7 4c 89 64 24 40 48 89 d8 bb c0 00 00 00 48 03 18 48 89 d8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 48 89 df e8 b4 e9 96 f7 4c 8b 23 e8 4c 03 5d 01
[ 85.501822][ C0] RSP: 0018:ffffc90000006fe0 EFLAGS: 00010206
[ 85.504104][ C0] RAX: 0000000000000018 RBX: 00000000000000c0 RCX: dffffc0000000000
[ 85.507165][ C0] RDX: ffff888030f02440 RSI: 0000000000000000 RDI: 0000000000000000
[ 85.510121][ C0] RBP: ffffffff9a7a0878 R08: ffffffff8a8f0c7f R09: ffffc90000007310
[ 85.514048][ C0] R10: ffffc90000007300 R11: fffff52000000e2e R12: ffffc90000007310
[ 85.517299][ C0] R13: ffffffff9a7a088f R14: 1ffffffff34f4111 R15: 1ffffffff34f410f
[ 85.520785][ C0] FS: 0000000000000000(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000
[ 85.525167][ C0] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 85.527695][ C0] CR2: 00007feee96c6ff8 CR3: 0000000034810000 CR4: 0000000000352ef0
[ 85.530980][ C0] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 85.534129][ C0] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 85.537267][ C0] Kernel panic - not syncing: Fatal exception in interrupt
[ 85.540414][ C0] Kernel Offset: disabled
[ 85.542267][ C0] Rebooting in 86400 seconds..
VM DIAGNOSIS:
12:22:51 Registers:
info registers vcpu 0
syzkaller build log:
go env (err=<nil>)
GO111MODULE='auto'
GOARCH='amd64'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/syzkaller/jobs/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.22.7'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build2809212995=/tmp/go-build -gno-record-gcc-switches'
git status (err=<nil>)
HEAD detached at 4dfba277487
nothing to commit, working tree clean
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
go fmt ./sys/... >/dev/null
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=4dfba277487a7023ab9f5783302da4a9b5e9bef8 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20241113-111659'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"4dfba277487a7023ab9f5783302da4a9b5e9bef8\"
/usr/bin/ld: /tmp/cc1rmchH.o: in function `test_cover_filter()':
executor.cc:(.text+0x1426b): warning: the use of `tempnam' is dangerous, better use `mkstemp'
/usr/bin/ld: /tmp/cc1rmchH.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=13448ca4580000
Tested on:
commit: bb066fe8 Merge tag 'pci-v6.14-fixes-2' of git://git.ke..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=d256a021904f1cd7
dashboard link: https://syzkaller.appspot.com/bug?extid=3201be560ebfa39bc6bd
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1412f3df980000
^ permalink raw reply [flat|nested] 96+ messages in thread
* Forwarded:
2025-07-14 17:53 [syzbot] [gfs2?] UBSAN: shift-out-of-bounds in gfs2_dir_read (2) syzbot
@ 2025-07-15 14:15 ` syzbot
2025-07-15 14:29 ` Forwarded: syzbot
2025-07-16 6:28 ` Forwarded: syzbot
2 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-07-15 14:15 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: purvayeshi550@gmail.com
#syz test
* Forwarded:
2025-07-14 17:53 [syzbot] [gfs2?] UBSAN: shift-out-of-bounds in gfs2_dir_read (2) syzbot
2025-07-15 14:15 ` Forwarded: syzbot
@ 2025-07-15 14:29 ` syzbot
2025-07-16 6:28 ` Forwarded: syzbot
2 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-07-15 14:29 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: purvayeshi550@gmail.com
#syz test
* Forwarded:
2025-07-14 17:53 [syzbot] [gfs2?] UBSAN: shift-out-of-bounds in gfs2_dir_read (2) syzbot
2025-07-15 14:15 ` Forwarded: syzbot
2025-07-15 14:29 ` Forwarded: syzbot
@ 2025-07-16 6:28 ` syzbot
2 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-07-16 6:28 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: purvayeshi550@gmail.com
#syz test
* Forwarded:
2025-07-17 19:14 [syzbot] [fs?] KASAN: use-after-free Read in hpfs_get_ea syzbot
@ 2025-07-19 7:57 ` syzbot
2025-07-20 6:54 ` Forwarded: syzbot
2025-07-20 7:29 ` Forwarded: syzbot
2 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-07-19 7:57 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: purvayeshi550@gmail.com
#syz-test
* Forwarded:
2024-05-17 3:31 [syzbot] [arm?] [crypto?] [bcachefs?] KASAN: slab-use-after-free Read in neon_poly1305_update syzbot
@ 2025-07-19 22:01 ` syzbot
0 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-07-19 22:01 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: kent.overstreet@linux.dev
#syz fix: bcachefs: Move bset size check before csum check
* Forwarded:
2024-11-29 12:12 [syzbot] [bcachefs?] kernel BUG in bch2_btree_path_peek_slot syzbot
@ 2025-07-19 22:03 ` syzbot
0 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-07-19 22:03 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: kent.overstreet@linux.dev
#syz fix: bcachefs: fix assert in bch2_btree_path_traverse_cached()
* Forwarded:
2025-07-06 21:30 [syzbot] [bcachefs?] KASAN: slab-out-of-bounds Read in __bch2_alloc_to_v4 syzbot
@ 2025-07-19 22:04 ` syzbot
0 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-07-19 22:04 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: kent.overstreet@linux.dev
#syz fix: bcachefs: Fix __bch2_alloc_to_v4 copy
* Forwarded:
2024-05-14 10:38 [syzbot] [bcachefs?] WARNING in bch2_printbuf_make_room syzbot
@ 2025-07-19 23:27 ` syzbot
0 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-07-19 23:27 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: kent.overstreet@linux.dev
#syz fix: bcachefs: fix the memory leak in exception case
* Forwarded:
2025-02-04 14:07 [syzbot] [net?] general protection fault in ip6_pol_route (3) syzbot
` (2 preceding siblings ...)
2025-02-07 12:10 ` Hillf Danton
@ 2025-07-20 4:02 ` syzbot
3 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-07-20 4:02 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: kent.overstreet@linux.dev
#syz set subsystems: net
* Forwarded:
2025-03-16 18:05 [syzbot] [mm?] [bcachefs?] general protection fault in xas_create syzbot
@ 2025-07-20 4:03 ` syzbot
0 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-07-20 4:03 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: kent.overstreet@linux.dev
#syz set subsystems: mm
* Forwarded:
2025-02-14 19:59 [syzbot] [mm?] [bcachefs?] KASAN: slab-out-of-bounds Read in folio_try_get syzbot
@ 2025-07-20 4:04 ` syzbot
0 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-07-20 4:04 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: kent.overstreet@linux.dev
#syz set subsystems: mm
* Forwarded:
2025-02-06 17:01 [syzbot] [mm?] [bcachefs?] UBSAN: shift-out-of-bounds in xas_reload syzbot
@ 2025-07-20 4:05 ` syzbot
0 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-07-20 4:05 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: kent.overstreet@linux.dev
#syz set subsystems: mm
* Forwarded:
2025-06-10 19:15 [syzbot] [bcachefs?] KASAN: slab-out-of-bounds Read in bch2_sb_members_v1_to_text syzbot
@ 2025-07-20 4:06 ` syzbot
0 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-07-20 4:06 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: kent.overstreet@linux.dev
#syz fix: bcachefs: Don't trust sb->nr_devices in members_to_text()
* Forwarded:
2025-07-17 19:14 [syzbot] [fs?] KASAN: use-after-free Read in hpfs_get_ea syzbot
2025-07-19 7:57 ` Forwarded: syzbot
@ 2025-07-20 6:54 ` syzbot
2025-07-20 7:29 ` Forwarded: syzbot
2 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-07-20 6:54 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: purvayeshi550@gmail.com
#syz-test
* Forwarded:
2025-07-17 19:14 [syzbot] [fs?] KASAN: use-after-free Read in hpfs_get_ea syzbot
2025-07-19 7:57 ` Forwarded: syzbot
2025-07-20 6:54 ` Forwarded: syzbot
@ 2025-07-20 7:29 ` syzbot
2 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-07-20 7:29 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: purvayeshi550@gmail.com
#syz-test
* Forwarded:
2025-03-25 5:16 [syzbot] [bcachefs?] INFO: task hung in __bch2_fsck_err syzbot
@ 2025-07-20 14:42 ` syzbot
0 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-07-20 14:42 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: kent.overstreet@linux.dev
#syz fix: bcachefs: Fix possible console lock involved deadlock
* Forwarded:
2025-05-24 1:52 [syzbot] [block?] [bcachefs?] kernel BUG in blk_mq_end_request syzbot
@ 2025-07-20 14:44 ` syzbot
0 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-07-20 14:44 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: kent.overstreet@linux.dev
#syz set subsystems: block
* Forwarded:
2024-11-25 13:27 [syzbot] [bcachefs?] KASAN: use-after-free Read in bch2_btree_node_read_done syzbot
@ 2025-07-20 14:54 ` syzbot
0 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-07-20 14:54 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: kent.overstreet@linux.dev
#syz fix: bcachefs: Move bset size check before csum check
* Forwarded:
2025-05-11 12:57 [syzbot] [bcachefs?] KASAN: use-after-free Read in bch2_checksum syzbot
@ 2025-07-20 14:55 ` syzbot
0 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-07-20 14:55 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: kent.overstreet@linux.dev
#syz fix: bcachefs: Move bset size check before csum check
* Forwarded:
2025-05-31 18:28 [syzbot] [bcachefs?] WARNING in bch2_fs_journal_start syzbot
@ 2025-07-20 17:30 ` syzbot
0 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-07-20 17:30 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: kent.overstreet@linux.dev
#syz fix: bcachefs: Don't allow mounting with crazy numbers of dirty journal entries
* Forwarded:
2025-07-14 17:09 [syzbot] [bluetooth?] [bcachefs?] KASAN: slab-use-after-free Read in hci_uart_write_work syzbot
@ 2025-07-20 17:34 ` syzbot
0 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-07-20 17:34 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: kent.overstreet@linux.dev
#syz set subsystems: bluetooth
* Forwarded:
2024-07-18 1:20 [syzbot] [bcachefs?] BUG: unable to handle kernel paging request in bch2_dirent_to_text syzbot
@ 2025-07-21 17:30 ` syzbot
0 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-07-21 17:30 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: kent.overstreet@linux.dev
#syz fix: bcachefs: Add missing validation for superblock section clean
* Forwarded:
2025-02-12 11:52 [syzbot] [bcachefs?] kernel BUG in bch2_journal_keys_peek_max syzbot
@ 2025-07-21 17:37 ` syzbot
0 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-07-21 17:37 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: kent.overstreet@linux.dev
#syz fix: bcachefs: btree_iter: fix updates, journal overlay
* Forwarded:
2024-11-29 8:43 [syzbot] [bcachefs?] general protection fault in bch2_prt_vprintf syzbot
@ 2025-07-22 16:18 ` syzbot
0 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-07-22 16:18 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: kent.overstreet@linux.dev
#syz fix: bcachefs: journal_entry_btree_keys_to_text() is more careful
* Forwarded:
2025-04-19 8:36 [syzbot] [block?] [bcachefs?] kernel panic: KASAN: panic_on_warn set syzbot
@ 2025-07-22 17:56 ` syzbot
0 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-07-22 17:56 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: kent.overstreet@linux.dev
#syz set subsystems: block fs
* Forwarded:
2025-05-12 20:55 [syzbot] [bcachefs?] possible deadlock in __bch2_folio_reservation_get (2) syzbot
@ 2025-07-22 18:22 ` syzbot
0 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-07-22 18:22 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: kent.overstreet@linux.dev
#syz fix: bcachefs: Fix possible console lock involved deadlock
* Forwarded:
2025-01-20 2:27 [syzbot] [bcachefs?] possible deadlock in bch2_trans_begin syzbot
@ 2025-07-22 18:23 ` syzbot
0 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-07-22 18:23 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: kent.overstreet@linux.dev
#syz fix: bcachefs: Fix possible console lock involved deadlock
* Forwarded:
2024-05-13 10:19 [syzbot] BUG: Bad rss-counter state (5) syzbot
@ 2025-07-22 18:31 ` syzbot
0 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-07-22 18:31 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: kent.overstreet@linux.dev
#syz fix: mm: memory: extend finish_fault() to support large folio
* Forwarded:
2024-05-31 8:43 [syzbot] [bcachefs?] INFO: task hung in bch2_copygc_stop syzbot
@ 2025-07-23 1:17 ` syzbot
0 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-07-23 1:17 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: kent.overstreet@linux.dev
#syz fix: bcachefs: Increase BCH_MIN_NR_NBUCKETS
* Forwarded:
2024-05-03 17:32 [syzbot] [bcachefs?] INFO: task hung in __closure_sync syzbot
@ 2025-07-23 1:18 ` syzbot
0 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-07-23 1:18 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: kent.overstreet@linux.dev
#syz fix: bcachefs: Increase BCH_MIN_NR_NBUCKETS
* Forwarded:
2024-05-04 7:58 [syzbot] [bcachefs?] WARNING in bchfs_truncate syzbot
@ 2025-07-23 1:21 ` syzbot
0 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-07-23 1:21 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: kent.overstreet@linux.dev
#syz fix: bcachefs: Increase BCH_MIN_NR_NBUCKETS
* Forwarded:
2024-06-15 9:58 [syzbot] [bcachefs?] INFO: task hung in __bch2_fs_stop syzbot
@ 2025-07-23 1:56 ` syzbot
0 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-07-23 1:56 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: kent.overstreet@linux.dev
#syz fix: bcachefs: Increase BCH_MIN_NR_NBUCKETS
* Forwarded:
2025-04-16 17:47 [syzbot] [bcachefs?] KMSAN: uninit-value in bch2_alloc_sectors_start_trans (2) syzbot
@ 2025-07-23 10:59 ` syzbot
0 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-07-23 10:59 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: kent.overstreet@linux.dev
#syz fix: bcachefs: Add missing ei_last_dirtied update
* Forwarded:
2025-03-30 8:27 [syzbot] [afs?] WARNING: ODEBUG bug in delete_node (3) syzbot
@ 2025-07-24 15:32 ` syzbot
0 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-07-24 15:32 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: kent.overstreet@linux.dev
#syz set subsystems: afs
* Forwarded:
2025-07-31 9:11 [syzbot] [bcachefs?] kernel BUG in bch2_btree_repair_topology_recurse syzbot
@ 2025-08-01 23:03 ` syzbot
0 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-08-01 23:03 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: kent.overstreet@linux.dev
#syz fix: bcachefs: btree_check_root_boundaries()
^ permalink raw reply [flat|nested] 96+ messages in thread
* Forwarded:
2025-07-30 21:21 [syzbot] [bcachefs?] kernel panic: in transaction restart: transaction_restart_relock, last restarted by syzbot
@ 2025-08-03 18:30 ` syzbot
0 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-08-03 18:30 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: kent.overstreet@linux.dev
#syz fix: bcachefs: Fix incorrect transaction handling
^ permalink raw reply [flat|nested] 96+ messages in thread
* Forwarded:
2025-08-04 7:18 [syzbot] [bcachefs?] UBSAN: array-index-out-of-bounds in bch2_accounting_validate syzbot
@ 2025-08-04 22:56 ` syzbot
0 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-08-04 22:56 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: kent.overstreet@linux.dev
#syz fix: bcachefs: Ignore accounting key type larger than BCH_DISK_ACCOUNTING_TYPE_NR
^ permalink raw reply [flat|nested] 96+ messages in thread
* Forwarded:
2024-09-29 7:31 [syzbot] [bcachefs?] possible deadlock in bch2_symlink syzbot
@ 2025-08-04 23:12 ` syzbot
0 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-08-04 23:12 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: kent.overstreet@linux.dev
#syz fix: bcachefs: Don't lock inode around page_symlink
^ permalink raw reply [flat|nested] 96+ messages in thread
* Forwarded:
2025-08-16 3:08 [syzbot] [usb?] UBSAN: shift-out-of-bounds in ax88772_bind syzbot
@ 2025-08-17 19:42 ` syzbot
0 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-08-17 19:42 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: abinashsinghlalotra@gmail.com
#syz test
--- a/drivers/net/usb/asix_devices.c
+++ b/drivers/net/usb/asix_devices.c
@@ -872,6 +872,11 @@ static int ax88772_bind(struct usbnet *dev, struct
usb_interface *intf)
if (ret < 0)
return ret;
+ if (ret >= 32) {
+ netdev_warn(dev->net, "Invalid PHY address %d, clamping\n", ret);
+ return -EINVAL;
+ }
+
priv->phy_addr = ret;
priv->embd_phy = ((priv->phy_addr & 0x1f) == AX_EMBD_PHY_ADDR);
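Review bot: the added netdev_warn() text says "clamping", but the next added line returns -EINVAL, so nothing is clamped and the bind fails. Drop "clamping" from the message or actually clamp the value. The unchanged line below already masks with priv->phy_addr & 0x1f, so the changelog should also say which use of the unmasked value produces the reported shift-out-of-bounds.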
--
^ permalink raw reply [flat|nested] 96+ messages in thread
* Forwarded:
2025-08-16 3:08 [syzbot] [overlayfs?] WARNING in shmem_unlink syzbot
@ 2025-08-17 19:52 ` syzbot
0 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-08-17 19:52 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: abinashsinghlalotra@gmail.com
#syz test
--- a/fs/overlayfs/dir.c
+++ b/fs/overlayfs/dir.c
@@ -33,6 +33,12 @@ static int ovl_cleanup_locked(struct dentry *workdir,
struct dentry *dentry)
struct inode *dir = d_inode(workdir);
struct inode *inode = d_inode(dentry);
+ /* Avoid unlinking an already unlinked inode */
+ if (inode && inode->i_nlink == 0) {
+ d_drop(dentry);
+ return 0;
+ }
+
if (ovl_is_whiteout(dentry))
return ovl_remove_and_whiteout(workdir, dentry, true);
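Review bot: the early "return 0" for inode->i_nlink == 0 reports success without reaching the whiteout or removal path below, so the caller cannot tell a cleaned-up entry from a skipped one. The comment says what is avoided but not how an already-unlinked inode reaches ovl_cleanup_locked(); explain that in the changelog so the shmem_unlink WARNING is addressed rather than hidden.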
^ permalink raw reply [flat|nested] 96+ messages in thread
* Forwarded:
2025-08-13 8:00 [syzbot] [sound?] linux-next test error: general protection fault in snd_seq_oss_midi_check_new_port syzbot
@ 2025-09-01 8:48 ` syzbot
0 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-09-01 8:48 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: nogikh@google.com
No longer relevant
#syz invalid
^ permalink raw reply [flat|nested] 96+ messages in thread
* Forwarded:
2025-07-01 12:30 [syzbot] [fs?] linux-next test error: WARNING: suspicious RCU usage in proc_sys_compare syzbot
@ 2025-09-01 8:49 ` syzbot
0 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-09-01 8:49 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: nogikh@google.com
no longer relevant
#syz invalid
^ permalink raw reply [flat|nested] 96+ messages in thread
* Forwarded:
2025-08-01 7:54 [syzbot] [dri?] upstream test error: WARNING in __ww_mutex_wound syzbot
@ 2025-09-01 8:51 ` syzbot
0 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-09-01 8:51 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: nogikh@google.com
#syz invalid
^ permalink raw reply [flat|nested] 96+ messages in thread
* Forwarded:
2025-08-07 17:05 [syzbot] [net?] [nfc?] KMSAN: uninit-value in nci_dev_up (2) syzbot
@ 2025-09-17 10:45 ` syzbot
0 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-09-17 10:45 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: deepak.takumi.120@gmail.com
#syz test
^ permalink raw reply [flat|nested] 96+ messages in thread
* Forwarded:
2024-05-09 14:45 [syzbot] [gfs2?] WARNING in gfs2_ri_update (2) syzbot
@ 2025-09-18 19:46 ` syzbot
0 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-09-18 19:46 UTC (permalink / raw)
To: linux-kernel
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.
***
Subject:
Author: kriish.sharma2006@gmail.com
#syz test
diff --git a/fs/gfs2/rgrp.c b/fs/gfs2/rgrp.c
index 26d6c1eea559..a879e8030568 100644
--- a/fs/gfs2/rgrp.c
+++ b/fs/gfs2/rgrp.c
@@ -760,7 +760,7 @@ static int compute_bitstructs(struct gfs2_rgrpd *rgd)
u32 bytes_left, bytes;
int x;
- if (!length)
+ if (!length || length > KMALLOC_MAX_SIZE / sizeof(struct
gfs2_bitmap))
return -EINVAL;
rgd->rd_bits = kcalloc(length, sizeof(struct gfs2_bitmap),
GFP_NOFS);
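Review bot: the new bound "length > KMALLOC_MAX_SIZE / sizeof(struct gfs2_bitmap)" is an allocator limit, not one derived from the resource group geometry, so it says nothing about which values of length are valid on disk. A short comment on why -EINVAL is the right answer here would help. As it appears here, the added line is also wrapped in the middle of sizeof(struct gfs2_bitmap), and a patch in that state is unlikely to apply.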
^ permalink raw reply related [flat|nested] 96+ messages in thread
* Forwarded:
2025-09-03 17:36 [syzbot] [kernel?] KASAN: slab-out-of-bounds Read in change_page_attr_set_clr syzbot
@ 2025-09-29 7:50 ` syzbot
0 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-09-29 7:50 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: nooraineqbal@gmail.com
#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
Resending this patch in the existing thread with a '#syz test:' directive
so syzbot can test it.
From 1bb35c6722b8fb03e9262f6e6530d240629a44df Mon Sep 17 00:00:00 2001
From: neqbal <nooraineqbal@gmail.com>
Date: Sun, 28 Sep 2025 03:52:44 +0530
Subject: [PATCH] x86/mm: Fix off-by-one error in set_memory
Correct end page calculation by subtracting 1 to prevent
out-of-bounds access.
Reported-by: syzbot+e34177f6091df113ef20@syzkaller.appspotmail.com
Signed-off-by: neqbal <nooraineqbal@gmail.com>
---
arch/x86/mm/pat/set_memory.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x86/mm/pat/set_memory.c b/arch/x86/mm/pat/set_memory.c
index d2d54b8c4dbb..daefc96403f1 100644
--- a/arch/x86/mm/pat/set_memory.c
+++ b/arch/x86/mm/pat/set_memory.c
@@ -446,7 +446,7 @@ static void cpa_flush(struct cpa_data *cpa, int cache)
}
start = fix_addr(__cpa_addr(cpa, 0));
- end = fix_addr(__cpa_addr(cpa, cpa->numpages));
+ end = fix_addr(__cpa_addr(cpa, cpa->numpages - 1));
if (cpa->force_flush_all)
end = TLB_FLUSH_ALL;
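Review bot: with __cpa_addr(cpa, cpa->numpages - 1), end becomes the address of the last page rather than the address just past it, so if the code after this hunk treats end as an exclusive bound, the final page drops out of the flush range. The changelog should name the access that goes out of bounds and say how end is consumed. The case cpa->numpages == 0 also needs a look, since the index then underflows.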
--
2.51.0
^ permalink raw reply related [flat|nested] 96+ messages in thread
* Forwarded:
2025-10-05 23:30 [syzbot] [ntfs3?] WARNING in indx_insert_into_buffer (3) syzbot
@ 2025-10-07 21:52 ` syzbot
0 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-10-07 21:52 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: jkoolstra@xs4all.nl
#syz test
fs/ntfs3/index.c | 10 +++++-----
fs/ntfs3/ntfs.h | 5 ++++-
2 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/fs/ntfs3/index.c b/fs/ntfs3/index.c
index 6d1bf890929d..2e512abc7000 100644
--- a/fs/ntfs3/index.c
+++ b/fs/ntfs3/index.c
@@ -1808,7 +1808,7 @@ indx_insert_into_buffer(struct ntfs_index *indx, struct ntfs_inode *ni,
CLST new_vbn;
__le64 t_vbn, *sub_vbn;
u16 sp_size;
- void *hdr1_saved = NULL;
+ void *blk1_saved = NULL;
/* Try the most easy case. */
e = fnd->level - 1 == level ? fnd->de[level] : NULL;
@@ -1842,8 +1842,8 @@ indx_insert_into_buffer(struct ntfs_index *indx, struct ntfs_inode *ni,
memcpy(up_e, sp, sp_size);
used1 = le32_to_cpu(hdr1->used);
- hdr1_saved = kmemdup(hdr1, used1, GFP_NOFS);
- if (!hdr1_saved) {
+ blk1_saved = kmemdup(&n1->index->blk, used1, GFP_NOFS);
+ if (!blk1_saved) {
err = -ENOMEM;
goto out;
}
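Review bot: kmemdup(&n1->index->blk, used1, GFP_NOFS) now copies from the group while used1 is still read through hdr1->used, and nothing in the hunk shows that hdr1 and &n1->index->blk are the same address. A one-line comment, or reading the length through n1->index->ihdr, would make the pairing explicit. The patch also carries no changelog saying why the source pointer has to change.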
@@ -1924,13 +1924,13 @@ indx_insert_into_buffer(struct ntfs_index *indx, struct ntfs_inode *ni,
* Undo critical operations.
*/
indx_mark_free(indx, ni, new_vbn >> indx->idx2vbn_bits);
- memcpy(hdr1, hdr1_saved, used1);
+ memcpy(&n1->index->blk, blk1_saved, used1);
indx_write(indx, ni, n1, 0);
}
out:
kfree(up_e);
- kfree(hdr1_saved);
+ kfree(blk1_saved);
return err;
}
diff --git a/fs/ntfs3/ntfs.h b/fs/ntfs3/ntfs.h
index 552b97905813..d5e2b22eacd7 100644
--- a/fs/ntfs3/ntfs.h
+++ b/fs/ntfs3/ntfs.h
@@ -754,7 +754,10 @@ static inline bool hdr_has_subnode(const struct INDEX_HDR *hdr)
struct INDEX_BUFFER {
struct NTFS_RECORD_HEADER rhdr; // 'INDX'
__le64 vbn; // 0x10: vcn if index >= cluster or vsn id index < cluster
- struct INDEX_HDR ihdr; // 0x18:
+ struct_group(blk,
+ struct INDEX_HDR ihdr; // 0x18:
+ u8 data[]; // NTFS_DE entries
+ );
};
static_assert(sizeof(struct INDEX_BUFFER) == 0x28);
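Review bot: struct_group(blk, ...) gains a flexible array "u8 data[]" with no explanation of why the copies in indx_insert_into_buffer() need an object that extends past ihdr. Say so in a comment above the group or in the changelog, and note there that the static_assert on 0x28 below is still expected to hold with the flexible member added.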
--
2.51.0
^ permalink raw reply related [flat|nested] 96+ messages in thread
* Forwarded:
2025-05-09 4:43 [syzbot] [jfs?] WARNING in jfs_rename syzbot
@ 2025-10-12 16:19 ` syzbot
2025-10-12 17:45 ` Forwarded: syzbot
1 sibling, 0 replies; 96+ messages in thread
From: syzbot @ 2025-10-12 16:19 UTC (permalink / raw)
To: linux-kernel
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.
***
Subject:
Author: jkoolstra@xs4all.nl
#syz test
---
fs/jfs/namei.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/fs/jfs/namei.c b/fs/jfs/namei.c
index 65a218eba8fa..37cd16a423c5 100644
--- a/fs/jfs/namei.c
+++ b/fs/jfs/namei.c
@@ -1228,7 +1228,7 @@ static int jfs_rename(struct mnt_idmap *idmap, struct inode *old_dir,
jfs_err("jfs_rename: dtInsert returned -EIO");
goto out_tx;
}
- if (S_ISDIR(old_ip->i_mode))
+ if (S_ISDIR(old_ip->i_mode) && old_dir != new_dir)
inc_nlink(new_dir);
}
/*
@@ -1244,8 +1244,9 @@ static int jfs_rename(struct mnt_idmap *idmap, struct inode *old_dir,
goto out_tx;
}
if (S_ISDIR(old_ip->i_mode)) {
- drop_nlink(old_dir);
if (old_dir != new_dir) {
+ drop_nlink(old_dir);
+
/*
* Change inode number of parent for moved directory
*/
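Review bot: moving drop_nlink(old_dir) inside "if (old_dir != new_dir)" also skips the decrement when a directory is renamed over an existing directory in the same parent, where the parent does lose one subdirectory link. If new_ip can be set on this path, the condition has to account for it, for example "if (new_ip || old_dir != new_dir)".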
--
2.51.0
^ permalink raw reply related [flat|nested] 96+ messages in thread
* Forwarded:
2025-05-09 4:43 [syzbot] [jfs?] WARNING in jfs_rename syzbot
2025-10-12 16:19 ` Forwarded: syzbot
@ 2025-10-12 17:45 ` syzbot
1 sibling, 0 replies; 96+ messages in thread
From: syzbot @ 2025-10-12 17:45 UTC (permalink / raw)
To: linux-kernel
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.
***
Subject:
Author: jkoolstra@xs4all.nl
#syz test
---
fs/jfs/namei.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/fs/jfs/namei.c b/fs/jfs/namei.c
index 65a218eba8fa..7879c049632b 100644
--- a/fs/jfs/namei.c
+++ b/fs/jfs/namei.c
@@ -1228,7 +1228,7 @@ static int jfs_rename(struct mnt_idmap *idmap, struct inode *old_dir,
jfs_err("jfs_rename: dtInsert returned -EIO");
goto out_tx;
}
- if (S_ISDIR(old_ip->i_mode))
+ if (S_ISDIR(old_ip->i_mode) && old_dir != new_dir)
inc_nlink(new_dir);
}
/*
@@ -1244,7 +1244,9 @@ static int jfs_rename(struct mnt_idmap *idmap, struct inode *old_dir,
goto out_tx;
}
if (S_ISDIR(old_ip->i_mode)) {
- drop_nlink(old_dir);
+ if (new_ip || old_dir != new_dir)
+ drop_nlink(old_dir);
+
if (old_dir != new_dir) {
/*
* Change inode number of parent for moved directory
--
2.51.0
^ permalink raw reply related [flat|nested] 96+ messages in thread
* Forwarded:
2025-06-24 17:02 [syzbot] [fs?] WARNING in minix_rename syzbot
@ 2025-10-13 13:38 ` syzbot
2025-10-14 15:24 ` Forwarded: syzbot
` (4 subsequent siblings)
5 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-10-13 13:38 UTC (permalink / raw)
To: linux-kernel
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.
***
Subject:
Author: jkoolstra@xs4all.nl
#syz test
---
fs/minix/namei.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/minix/namei.c b/fs/minix/namei.c
index 8938536d8d3c..86779a6ec1a7 100644
--- a/fs/minix/namei.c
+++ b/fs/minix/namei.c
@@ -224,7 +224,7 @@ static int minix_rename(struct mnt_idmap *idmap,
err = minix_add_link(new_dentry, old_inode);
if (err)
goto out_dir;
- if (dir_de)
+ if (dir_de && old_dir != new_dir)
inode_inc_link_count(new_dir);
}
@@ -236,7 +236,7 @@ static int minix_rename(struct mnt_idmap *idmap,
if (dir_de) {
err = minix_set_link(dir_de, dir_folio, new_dir);
- if (!err)
+ if (!err && (new_inode || old_dir != new_dir))
inode_dec_link_count(old_dir);
}
out_dir:
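Review bot: the condition "dir_de && old_dir != new_dir" on the increment and "new_inode || old_dir != new_dir" on the decrement have to stay matched for the link count to balance, and nothing in the code says so. A comment listing the cases (cross-directory, same directory onto an existing target, same directory onto a new name), or one local bool computed once and used in both places, would keep the two from drifting apart.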
--
2.51.0
^ permalink raw reply related [flat|nested] 96+ messages in thread
* Forwarded:
2025-01-08 12:17 [syzbot] [fs?] WARNING in minix_rmdir syzbot
@ 2025-10-14 13:36 ` syzbot
2025-11-02 12:47 ` Forwarded: syzbot
1 sibling, 0 replies; 96+ messages in thread
From: syzbot @ 2025-10-14 13:36 UTC (permalink / raw)
To: linux-kernel
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.
***
Subject:
Author: jkoolstra@xs4all.nl
#syz test
---
fs/minix/inode.c | 14 ++++++++++++++
fs/minix/namei.c | 22 ++++++++++++++--------
2 files changed, 28 insertions(+), 8 deletions(-)
diff --git a/fs/minix/inode.c b/fs/minix/inode.c
index f007e389d5d2..e27907fc9bf2 100644
--- a/fs/minix/inode.c
+++ b/fs/minix/inode.c
@@ -517,6 +517,13 @@ static struct inode *V1_minix_iget(struct inode *inode)
iget_failed(inode);
return ERR_PTR(-ESTALE);
}
+ if (S_ISDIR(raw_inode->i_mode) && raw_inode->i_nlinks == 1) {
+ printk("MINIX-fs: directory inode (%lu) has single i_nlink\n",
+ inode->i_ino);
+ brelse(bh);
+ iget_failed(inode);
+ return ERR_PTR(-EIO);
+ }
inode->i_mode = raw_inode->i_mode;
i_uid_write(inode, raw_inode->i_uid);
i_gid_write(inode, raw_inode->i_gid);
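Review bot: the added printk("MINIX-fs: directory inode (%lu) has single i_nlink\n", ...) has no KERN_ level, so it is logged at the default level; choose one explicitly. The same seven lines are added verbatim to V2_minix_iget() in the next hunk, so a small helper taking the mode and link count would avoid the duplicate.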
@@ -555,6 +562,13 @@ static struct inode *V2_minix_iget(struct inode *inode)
iget_failed(inode);
return ERR_PTR(-ESTALE);
}
+ if (S_ISDIR(raw_inode->i_mode) && raw_inode->i_nlinks == 1) {
+ printk("MINIX-fs: directory inode (%lu) has single i_nlink\n",
+ inode->i_ino);
+ brelse(bh);
+ iget_failed(inode);
+ return ERR_PTR(-EIO);
+ }
inode->i_mode = raw_inode->i_mode;
i_uid_write(inode, raw_inode->i_uid);
i_gid_write(inode, raw_inode->i_gid);
diff --git a/fs/minix/namei.c b/fs/minix/namei.c
index 8938536d8d3c..8297ee6651a1 100644
--- a/fs/minix/namei.c
+++ b/fs/minix/namei.c
@@ -161,15 +161,21 @@ static int minix_unlink(struct inode * dir, struct dentry *dentry)
static int minix_rmdir(struct inode * dir, struct dentry *dentry)
{
struct inode * inode = d_inode(dentry);
- int err = -ENOTEMPTY;
-
- if (minix_empty_dir(inode)) {
- err = minix_unlink(dir, dentry);
- if (!err) {
- inode_dec_link_count(dir);
- inode_dec_link_count(inode);
- }
+ int err = -EIO;
+
+ if (dir->i_nlink <= 2)
+ goto out;
+
+ err = -ENOTEMPTY;
+ if (!minix_empty_dir(inode))
+ goto out;
+
+ err = minix_unlink(dir, dentry);
+ if (!err) {
+ inode_dec_link_count(dir);
+ inode_dec_link_count(inode);
}
+out:
return err;
}
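Review bot: "if (dir->i_nlink <= 2) goto out;" returns -EIO with no message, so a failed rmdir on a corrupted image leaves nothing in the log to say why, unlike the iget check added in the same patch. The check also runs before minix_empty_dir(inode), which changes the error for a non-empty directory under such a parent from -ENOTEMPTY to -EIO; the changelog should say whether that ordering is intended.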
--
2.51.0
^ permalink raw reply related [flat|nested] 96+ messages in thread
* Forwarded:
2025-06-24 17:02 [syzbot] [fs?] WARNING in minix_rename syzbot
2025-10-13 13:38 ` Forwarded: syzbot
@ 2025-10-14 15:24 ` syzbot
2025-11-02 14:41 ` Forwarded: syzbot
` (3 subsequent siblings)
5 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-10-14 15:24 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: jkoolstra@xs4all.nl
#syz test
---
fs/minix/inode.c | 14 ++++++++++++++
fs/minix/namei.c | 22 ++++++++++++++--------
2 files changed, 28 insertions(+), 8 deletions(-)
diff --git a/fs/minix/inode.c b/fs/minix/inode.c
index f007e389d5d2..e27907fc9bf2 100644
--- a/fs/minix/inode.c
+++ b/fs/minix/inode.c
@@ -517,6 +517,13 @@ static struct inode *V1_minix_iget(struct inode *inode)
iget_failed(inode);
return ERR_PTR(-ESTALE);
}
+ if (S_ISDIR(raw_inode->i_mode) && raw_inode->i_nlinks == 1) {
+ printk("MINIX-fs: directory inode (%lu) has single i_nlink\n",
+ inode->i_ino);
+ brelse(bh);
+ iget_failed(inode);
+ return ERR_PTR(-EIO);
+ }
inode->i_mode = raw_inode->i_mode;
i_uid_write(inode, raw_inode->i_uid);
i_gid_write(inode, raw_inode->i_gid);
@@ -555,6 +562,13 @@ static struct inode *V2_minix_iget(struct inode *inode)
iget_failed(inode);
return ERR_PTR(-ESTALE);
}
+ if (S_ISDIR(raw_inode->i_mode) && raw_inode->i_nlinks == 1) {
+ printk("MINIX-fs: directory inode (%lu) has single i_nlink\n",
+ inode->i_ino);
+ brelse(bh);
+ iget_failed(inode);
+ return ERR_PTR(-EIO);
+ }
inode->i_mode = raw_inode->i_mode;
i_uid_write(inode, raw_inode->i_uid);
i_gid_write(inode, raw_inode->i_gid);
diff --git a/fs/minix/namei.c b/fs/minix/namei.c
index 8938536d8d3c..8297ee6651a1 100644
--- a/fs/minix/namei.c
+++ b/fs/minix/namei.c
@@ -161,15 +161,21 @@ static int minix_unlink(struct inode * dir, struct dentry *dentry)
static int minix_rmdir(struct inode * dir, struct dentry *dentry)
{
struct inode * inode = d_inode(dentry);
- int err = -ENOTEMPTY;
-
- if (minix_empty_dir(inode)) {
- err = minix_unlink(dir, dentry);
- if (!err) {
- inode_dec_link_count(dir);
- inode_dec_link_count(inode);
- }
+ int err = -EIO;
+
+ if (dir->i_nlink <= 2)
+ goto out;
+
+ err = -ENOTEMPTY;
+ if (!minix_empty_dir(inode))
+ goto out;
+
+ err = minix_unlink(dir, dentry);
+ if (!err) {
+ inode_dec_link_count(dir);
+ inode_dec_link_count(inode);
}
+out:
return err;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 96+ messages in thread
* Forwarded:
2025-10-17 5:53 [syzbot] [net?] kernel BUG in set_ipsecrequest syzbot
@ 2025-10-20 11:19 ` syzbot
0 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-10-20 11:19 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: clf700383@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git master
From 6dc2deb09faf7d53707cc9e75e175b09644fd181 Mon Sep 17 00:00:00 2001
From: clingfei <clf700383@gmail.com>
Date: Mon, 20 Oct 2025 13:48:54 +0800
Subject: [PATCH] fix integer overflow in set_ipsecrequest
syzbot reported a kernel BUG in set_ipsecrequest() due to an skb_over_panic.
The mp->new_family and mp->old_family are u16, while set_ipsecrequest receives
family as uint8_t, causing an integer overflow and the later size_req calculation
error, which exceeds the size used in alloc_skb, and ultimately triggered the
kernel bug in skb_put.
Reported-by: syzbot+be97dd4da14ae88b6ba4@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=be97dd4da14ae88b6ba4
Signed-off-by: Cheng Lingfei <clf700383@gmail.com>
---
net/key/af_key.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/key/af_key.c b/net/key/af_key.c
index 2ebde0352245..08f4cde01994 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -3518,7 +3518,7 @@ static int set_sadb_kmaddress(struct sk_buff *skb, const struct xfrm_kmaddress *
static int set_ipsecrequest(struct sk_buff *skb,
uint8_t proto, uint8_t mode, int level,
- uint32_t reqid, uint8_t family,
+ uint32_t reqid, uint16_t family,
const xfrm_address_t *src, const xfrm_address_t *dst)
{
struct sadb_x_ipsecrequest *rq;
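Review bot: widening family to uint16_t removes the truncation at this call boundary, but the hunk does not show how family feeds the size_req calculation or whether an unsupported family is rejected before skb_put. If the size is derived from family in a helper, that helper's parameter type needs the same check, and returning an error for a family that is not supported is safer than building the request. The changelog calls this an integer overflow; what the signature shows is a narrowing conversion from u16 to uint8_t.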
--
2.34.1
^ permalink raw reply related [flat|nested] 96+ messages in thread
* Forwarded:
2025-09-17 22:54 [syzbot] [bfs?] INFO: task hung in bfs_lookup (6) syzbot
@ 2025-10-20 18:09 ` syzbot
0 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-10-20 18:09 UTC (permalink / raw)
To: linux-kernel
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.
***
Subject:
Author: zlatistiv@gmail.com
#syz test
^ permalink raw reply [flat|nested] 96+ messages in thread
* Forwarded:
2025-09-17 22:55 [syzbot] [ntfs3?] KMSAN: uninit-value in ntfs_read_hdr (3) syzbot
@ 2025-10-26 15:54 ` syzbot
0 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-10-26 15:54 UTC (permalink / raw)
To: linux-kernel
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.
***
Subject:
Author: kubik.bartlomiej@gmail.com
#syz test
^ permalink raw reply [flat|nested] 96+ messages in thread
* Forwarded:
2025-10-24 23:10 [syzbot] [jfs?] general protection fault in inode_set_ctime_current syzbot
@ 2025-10-27 23:06 ` syzbot
2025-10-28 17:25 ` Forwarded: syzbot
2025-10-28 20:53 ` Forwarded: syzbot
2 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-10-27 23:06 UTC (permalink / raw)
To: linux-kernel
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.
***
Subject:
Author: jkoolstra@xs4all.nl
#syz test
diff --git a/fs/jfs/jfs_dtree.c b/fs/jfs/jfs_dtree.c
index 0ab83bb7bbdf..07dd01c79ca2 100644
--- a/fs/jfs/jfs_dtree.c
+++ b/fs/jfs/jfs_dtree.c
@@ -170,8 +170,8 @@ static void dtGetKey(dtpage_t * p, int i, struct component_name * key,
static int ciGetLeafPrefixKey(dtpage_t * lp, int li, dtpage_t * rp,
int ri, struct component_name * key, int flag);
-static void dtInsertEntry(dtpage_t * p, int index, struct component_name * key,
- ddata_t * data, struct dt_lock **);
+static int dtInsertEntry(dtpage_t * p, int index, struct component_name * key,
+ ddata_t * data, struct dt_lock **);
static void dtMoveEntry(dtpage_t * sp, int si, dtpage_t * dp,
struct dt_lock ** sdtlock, struct dt_lock ** ddtlock,
@@ -891,7 +891,8 @@ int dtInsert(tid_t tid, struct inode *ip,
lv->length = 1;
dtlck->index++;
- dtInsertEntry(p, index, name, &data, &dtlck);
+ if (!(rc = dtInsertEntry(p, index, name, &data, &dtlck)))
+ return rc;
/* linelock stbl of non-root leaf page */
if (!(p->header.flag & BT_ROOT)) {
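Review bot: "if (!(rc = dtInsertEntry(...))) return rc;" is inverted. dtInsertEntry() returns 0 on success in this patch, so dtInsert() now returns early on success and falls through to the linelock code when the call returns -EIO. It should be "rc = dtInsertEntry(...); if (rc) return rc;", and the early return also has to release whatever dtInsert() holds at this point, which the hunk does not show.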
@@ -3627,7 +3628,7 @@ static void dtGetKey(dtpage_t * p, int i, /* entry index */
*
* return: entry slot index
*/
-static void dtInsertEntry(dtpage_t * p, int index, struct component_name * key,
+static int dtInsertEntry(dtpage_t * p, int index, struct component_name * key,
ddata_t * data, struct dt_lock ** dtlock)
{
struct dtslot *h, *t;
@@ -3649,6 +3650,10 @@ static void dtInsertEntry(dtpage_t * p, int index, struct component_name * key,
/* allocate a free slot */
hsi = fsi = p->header.freelist;
+ if (fsi >= p->header.maxslot) {
+ jfs_err("Encountered corrupted dtpage before insert");
+ return -EIO;
+ }
h = &p->slot[fsi];
p->header.freelist = h->next;
--p->header.freecnt;
@@ -3697,6 +3702,10 @@ static void dtInsertEntry(dtpage_t * p, int index, struct component_name * key,
while (klen) {
/* get free slot */
fsi = p->header.freelist;
+ if (fsi >= p->header.maxslot) {
+ jfs_err("Encountered corrupted dtpage before insert");
+ return -EIO;
+ }
t = &p->slot[fsi];
p->header.freelist = t->next;
--p->header.freecnt;
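Review bot: this second check returns -EIO from inside the "while (klen)" loop, after the head slot was already taken off the freelist and freecnt decremented in the previous hunk, so the page is left partly modified with no undo. Validate the free list before changing the page, or restore the header fields on the error path.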
@@ -3774,6 +3783,8 @@ static void dtInsertEntry(dtpage_t * p, int index, struct component_name * key,
/* advance next available entry index of stbl */
++p->header.nextindex;
+
+ return 0;
}
^ permalink raw reply related [flat|nested] 96+ messages in thread
* Forwarded:
2025-10-24 23:10 [syzbot] [jfs?] general protection fault in inode_set_ctime_current syzbot
2025-10-27 23:06 ` Forwarded: syzbot
@ 2025-10-28 17:25 ` syzbot
2025-10-28 18:02 ` Forwarded: Al Viro
2025-10-28 20:53 ` Forwarded: syzbot
2 siblings, 1 reply; 96+ messages in thread
From: syzbot @ 2025-10-28 17:25 UTC (permalink / raw)
To: linux-kernel
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.
***
Subject:
Author: jkoolstra@xs4all.nl
#syz test
---
fs/jfs/jfs_dtree.c | 22 +++++++++++++++++-----
1 file changed, 17 insertions(+), 5 deletions(-)
diff --git a/fs/jfs/jfs_dtree.c b/fs/jfs/jfs_dtree.c
index 0ab83bb7bbdf..e919de01c42a 100644
--- a/fs/jfs/jfs_dtree.c
+++ b/fs/jfs/jfs_dtree.c
@@ -170,8 +170,8 @@ static void dtGetKey(dtpage_t * p, int i, struct component_name * key,
static int ciGetLeafPrefixKey(dtpage_t * lp, int li, dtpage_t * rp,
int ri, struct component_name * key, int flag);
-static void dtInsertEntry(dtpage_t * p, int index, struct component_name * key,
- ddata_t * data, struct dt_lock **);
+static int dtInsertEntry(dtpage_t * p, int index, struct component_name * key,
+ ddata_t * data, struct dt_lock **);
static void dtMoveEntry(dtpage_t * sp, int si, dtpage_t * dp,
struct dt_lock ** sdtlock, struct dt_lock ** ddtlock,
@@ -891,7 +891,8 @@ int dtInsert(tid_t tid, struct inode *ip,
lv->length = 1;
dtlck->index++;
- dtInsertEntry(p, index, name, &data, &dtlck);
+ if (!(rc = dtInsertEntry(p, index, name, &data, &dtlck)))
+ return rc;
/* linelock stbl of non-root leaf page */
if (!(p->header.flag & BT_ROOT)) {
@@ -3625,9 +3626,10 @@ static void dtGetKey(dtpage_t * p, int i, /* entry index */
* function: allocate free slot(s) and
* write a leaf/internal entry
*
- * return: entry slot index
+ * * return: 0 - success;
+ * errno - failure;
*/
-static void dtInsertEntry(dtpage_t * p, int index, struct component_name * key,
+static int dtInsertEntry(dtpage_t * p, int index, struct component_name * key,
ddata_t * data, struct dt_lock ** dtlock)
{
struct dtslot *h, *t;
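Review bot: the new comment line "* * return: 0 - success;" has a stray second asterisk and should read "* return:" like the rest of the block. While the header is being touched, it should also say which errno values can come back, since -EIO is the only one the patch adds.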
@@ -3649,6 +3651,10 @@ static void dtInsertEntry(dtpage_t * p, int index, struct component_name * key,
/* allocate a free slot */
hsi = fsi = p->header.freelist;
+ if (fsi >= ((p->header.flag & BT_ROOT) ? DTROOTMAXSLOT : p->header.maxslot)) {
+ jfs_err("Encountered corrupted dtpage before insert");
+ return -EIO;
+ }
h = &p->slot[fsi];
p->header.freelist = h->next;
--p->header.freecnt;
@@ -3697,6 +3703,10 @@ static void dtInsertEntry(dtpage_t * p, int index, struct component_name * key,
while (klen) {
/* get free slot */
fsi = p->header.freelist;
+ if (fsi >= ((p->header.flag & BT_ROOT) ? DTROOTMAXSLOT : p->header.maxslot)) {
+ jfs_err("Encountered corrupted dtpage before insert");
+ return -EIO;
+ }
t = &p->slot[fsi];
p->header.freelist = t->next;
--p->header.freecnt;
@@ -3774,6 +3784,8 @@ static void dtInsertEntry(dtpage_t * p, int index, struct component_name * key,
/* advance next available entry index of stbl */
++p->header.nextindex;
+
+ return 0;
}
--
2.51.1.dirty
^ permalink raw reply related [flat|nested] 96+ messages in thread
* Re: Forwarded:
2025-10-28 17:25 ` Forwarded: syzbot
@ 2025-10-28 18:02 ` Al Viro
0 siblings, 0 replies; 96+ messages in thread
From: Al Viro @ 2025-10-28 18:02 UTC (permalink / raw)
To: syzbot; +Cc: linux-kernel
On Tue, Oct 28, 2025 at 10:25:20AM -0700, syzbot wrote:
> For archival purposes, forwarding an incoming command email to
> linux-kernel@vger.kernel.org.
For fuck sake, either generate a more useful subject, or take
that to a separate list just for syzbot use.
Do you really intend to end up in a bunch of .procmailrc?
^ permalink raw reply [flat|nested] 96+ messages in thread
* Forwarded:
2025-10-24 23:10 [syzbot] [jfs?] general protection fault in inode_set_ctime_current syzbot
2025-10-27 23:06 ` Forwarded: syzbot
2025-10-28 17:25 ` Forwarded: syzbot
@ 2025-10-28 20:53 ` syzbot
2 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-10-28 20:53 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: jkoolstra@xs4all.nl
#syz test
---
fs/jfs/jfs_dtree.c | 22 +++++++++++++++++-----
1 file changed, 17 insertions(+), 5 deletions(-)
diff --git a/fs/jfs/jfs_dtree.c b/fs/jfs/jfs_dtree.c
index 0ab83bb7bbdf..e919de01c42a 100644
--- a/fs/jfs/jfs_dtree.c
+++ b/fs/jfs/jfs_dtree.c
@@ -170,8 +170,8 @@ static void dtGetKey(dtpage_t * p, int i, struct component_name * key,
static int ciGetLeafPrefixKey(dtpage_t * lp, int li, dtpage_t * rp,
int ri, struct component_name * key, int flag);
-static void dtInsertEntry(dtpage_t * p, int index, struct component_name * key,
- ddata_t * data, struct dt_lock **);
+static int dtInsertEntry(dtpage_t * p, int index, struct component_name * key,
+ ddata_t * data, struct dt_lock **);
static void dtMoveEntry(dtpage_t * sp, int si, dtpage_t * dp,
struct dt_lock ** sdtlock, struct dt_lock ** ddtlock,
@@ -891,7 +891,8 @@ int dtInsert(tid_t tid, struct inode *ip,
lv->length = 1;
dtlck->index++;
- dtInsertEntry(p, index, name, &data, &dtlck);
+ if (!(rc = dtInsertEntry(p, index, name, &data, &dtlck)))
+ return rc;
/* linelock stbl of non-root leaf page */
if (!(p->header.flag & BT_ROOT)) {
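Review bot: the added test "if (!(rc = dtInsertEntry(...)))" is true when rc is 0, so this posting still returns from dtInsert() on success and continues after a failed insert. Assign first and test "if (rc)" so that only the -EIO case leaves early.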
@@ -3625,9 +3626,10 @@ static void dtGetKey(dtpage_t * p, int i, /* entry index */
* function: allocate free slot(s) and
* write a leaf/internal entry
*
- * return: entry slot index
+ * * return: 0 - success;
+ * errno - failure;
*/
-static void dtInsertEntry(dtpage_t * p, int index, struct component_name * key,
+static int dtInsertEntry(dtpage_t * p, int index, struct component_name * key,
ddata_t * data, struct dt_lock ** dtlock)
{
struct dtslot *h, *t;
@@ -3649,6 +3651,10 @@ static void dtInsertEntry(dtpage_t * p, int index, struct component_name * key,
/* allocate a free slot */
hsi = fsi = p->header.freelist;
+ if (fsi >= ((p->header.flag & BT_ROOT) ? DTROOTMAXSLOT : p->header.maxslot)) {
+ jfs_err("Encountered corrupted dtpage before insert");
+ return -EIO;
+ }
h = &p->slot[fsi];
p->header.freelist = h->next;
--p->header.freecnt;
@@ -3697,6 +3703,10 @@ static void dtInsertEntry(dtpage_t * p, int index, struct component_name * key,
while (klen) {
/* get free slot */
fsi = p->header.freelist;
+ if (fsi >= ((p->header.flag & BT_ROOT) ? DTROOTMAXSLOT : p->header.maxslot)) {
+ jfs_err("Encountered corrupted dtpage before insert");
+ return -EIO;
+ }
t = &p->slot[fsi];
p->header.freelist = t->next;
--p->header.freecnt;
@@ -3774,6 +3784,8 @@ static void dtInsertEntry(dtpage_t * p, int index, struct component_name * key,
/* advance next available entry index of stbl */
++p->header.nextindex;
+
+ return 0;
}
--
2.51.1.dirty
^ permalink raw reply related [flat|nested] 96+ messages in thread
* Forwarded:
2025-01-08 12:17 [syzbot] [fs?] WARNING in minix_rmdir syzbot
2025-10-14 13:36 ` Forwarded: syzbot
@ 2025-11-02 12:47 ` syzbot
1 sibling, 0 replies; 96+ messages in thread
From: syzbot @ 2025-11-02 12:47 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: jkoolstra@xs4all.nl
#syz test
---
fs/minix/minix.h | 2 ++
fs/minix/namei.c | 26 ++++++++++++++++++--------
2 files changed, 20 insertions(+), 8 deletions(-)
diff --git a/fs/minix/minix.h b/fs/minix/minix.h
index d54273c3c9ff..ce62cb61186d 100644
--- a/fs/minix/minix.h
+++ b/fs/minix/minix.h
@@ -168,4 +168,6 @@ static inline int minix_test_bit(int nr, const void *vaddr)
#endif
+#define EFSCORRUPTED EUCLEAN /* Filesystem is corrupted */
+
#endif /* FS_MINIX_H */
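Review bot: `EFSCORRUPTED` is defined unconditionally in this private header. Wrapping it in `#ifndef EFSCORRUPTED` avoids a redefinition clash if another included header provides the same name; the identical define is also added to fs/hfs/hfs_fs.h in a later patch on this page, which suggests a shared location would be better than one copy per filesystem.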
diff --git a/fs/minix/namei.c b/fs/minix/namei.c
index 8938536d8d3c..a8d5a7e22b7b 100644
--- a/fs/minix/namei.c
+++ b/fs/minix/namei.c
@@ -161,15 +161,25 @@ static int minix_unlink(struct inode * dir, struct dentry *dentry)
static int minix_rmdir(struct inode * dir, struct dentry *dentry)
{
struct inode * inode = d_inode(dentry);
- int err = -ENOTEMPTY;
-
- if (minix_empty_dir(inode)) {
- err = minix_unlink(dir, dentry);
- if (!err) {
- inode_dec_link_count(dir);
- inode_dec_link_count(inode);
- }
+ int err = -EFSCORRUPTED;
+
+ if (dir->i_nlink <= 2) {
+ printk(KERN_CRIT "minix-fs error: directory inode has "
+ "corrupted nlink");
+ goto out;
}
+
+ err = -ENOTEMPTY;
+ if (!minix_empty_dir(inode))
+ goto out;
+
+ err = minix_unlink(dir, dentry);
+ if (!err) {
+ inode_dec_link_count(dir);
+ inode_dec_link_count(inode);
+ }
+
+out:
return err;
}
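Review bot: the new sanity check tests only the parent (`dir->i_nlink <= 2`), while the code below also calls `inode_dec_link_count(inode)` on the directory being removed, whose link count is not validated. A check on `inode->i_nlink` belongs next to it. The `printk(KERN_CRIT ...)` string has no trailing `\n` and does not say which inode is affected; printing `dir->i_ino` would make the message actionable. Returning the corruption error before the `-ENOTEMPTY` test also changes what a caller sees for a non-empty directory on a damaged image, which is worth stating in the changelog.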
--
2.51.1.dirty
* Forwarded:
2025-06-24 17:02 [syzbot] [fs?] WARNING in minix_rename syzbot
2025-10-13 13:38 ` Forwarded: syzbot
2025-10-14 15:24 ` Forwarded: syzbot
@ 2025-11-02 14:41 ` syzbot
2025-11-02 14:56 ` Forwarded: syzbot
` (2 subsequent siblings)
5 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-11-02 14:41 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: jkoolstra@xs4all.nl
#syz test
---
diff --git a/fs/minix/namei.c b/fs/minix/namei.c
index a8d5a7e22b7b..8648d860ef0c 100644
--- a/fs/minix/namei.c
+++ b/fs/minix/namei.c
@@ -218,6 +218,13 @@ static int minix_rename(struct mnt_idmap *idmap,
if (dir_de && !minix_empty_dir(new_inode))
goto out_dir;
+ err = -EFSCORRUPTED;
+ if (dir_de && new_inode->i_nlink != 2) {
+ printk(KERN_CRIT "minix-fs error: directory inode has "
+ "corrupted nlink");
+ goto out_dir;
+ }
+
err = -ENOENT;
new_de = minix_find_entry(new_dentry, &new_folio);
if (!new_de)
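Review bot: the check `dir_de && new_inode->i_nlink != 2` only runs when the source is a directory, so a target that is not a directory gets no link-count validation at all. The diff also uses `-EFSCORRUPTED` without defining it: the namei.c blob index `a8d5a7e22b7b` is the post-image of the minix_rmdir patch earlier on this page, so this message only builds on top of that patch and will not apply to the tree on its own. The `printk` string again lacks a trailing `\n` and an inode number.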
* Forwarded:
2025-06-24 17:02 [syzbot] [fs?] WARNING in minix_rename syzbot
` (2 preceding siblings ...)
2025-11-02 14:41 ` Forwarded: syzbot
@ 2025-11-02 14:56 ` syzbot
2025-11-02 15:50 ` Forwarded: syzbot
2025-11-02 16:58 ` Forwarded: syzbot
5 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-11-02 14:56 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: jkoolstra@xs4all.nl
#syz test
---
diff --git a/fs/minix/minix.h b/fs/minix/minix.h
index d54273c3c9ff..ce62cb61186d 100644
--- a/fs/minix/minix.h
+++ b/fs/minix/minix.h
@@ -168,4 +168,6 @@ static inline int minix_test_bit(int nr, const void *vaddr)
#endif
+#define EFSCORRUPTED EUCLEAN /* Filesystem is corrupted */
+
#endif /* FS_MINIX_H */
diff --git a/fs/minix/namei.c b/fs/minix/namei.c
index a8d5a7e22b7b..8648d860ef0c 100644
--- a/fs/minix/namei.c
+++ b/fs/minix/namei.c
@@ -218,6 +218,13 @@ static int minix_rename(struct mnt_idmap *idmap,
if (dir_de && !minix_empty_dir(new_inode))
goto out_dir;
+ err = -EFSCORRUPTED;
+ if (dir_de && new_inode->i_nlink != 2) {
+ printk(KERN_CRIT "minix-fs error: directory inode has "
+ "corrupted nlink");
+ goto out_dir;
+ }
+
err = -ENOENT;
new_de = minix_find_entry(new_dentry, &new_folio);
if (!new_de)
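Review bot: the two file diffs in this message come from different bases. minix.h starts from `d54273c3c9ff`, the same pre-image as in the minix_rmdir patch, while namei.c starts from `a8d5a7e22b7b`, which is that patch's post-image, and the hunk offset `-218` matches the shifted file. Regenerate both diffs against one tree so the patch applies as a unit.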
* Forwarded:
2025-06-24 17:02 [syzbot] [fs?] WARNING in minix_rename syzbot
` (3 preceding siblings ...)
2025-11-02 14:56 ` Forwarded: syzbot
@ 2025-11-02 15:50 ` syzbot
2025-11-02 16:58 ` Forwarded: syzbot
5 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-11-02 15:50 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: jkoolstra@xs4all.nl
#syz test
---
diff --git a/fs/minix/minix.h b/fs/minix/minix.h
index d54273c3c9ff..ce62cb61186d 100644
--- a/fs/minix/minix.h
+++ b/fs/minix/minix.h
@@ -168,4 +168,6 @@ static inline int minix_test_bit(int nr, const void *vaddr)
#endif
+#define EFSCORRUPTED EUCLEAN /* Filesystem is corrupted */
+
#endif /* FS_MINIX_H */
diff --git a/fs/minix/namei.c b/fs/minix/namei.c
index 8938536d8d3c..493a75eff2c9 100644
--- a/fs/minix/namei.c
+++ b/fs/minix/namei.c
@@ -208,6 +218,13 @@ static int minix_rename(struct mnt_idmap *idmap,
if (dir_de && !minix_empty_dir(new_inode))
goto out_dir;
+ err = -EFSCORRUPTED;
+ if (new_inode->i_nlink == 0 || (dir_de && new_inode->i_nlink != 2)) {
+ printk(KERN_CRIT "minix-fs error: inode (ino: %ld) "
+ "has corrupted nlink", new_inode->i_ino);
+ goto out_dir;
+ }
+
err = -ENOENT;
new_de = minix_find_entry(new_dentry, &new_folio);
if (!new_de)
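Review bot: the hunk header `@@ -208,6 +218,13 @@` puts the new text ten lines below the old position although this is the only namei.c hunk in the message, so the header looks hand-edited and should be regenerated with git. In the added `printk`, `new_inode->i_ino` is printed with `%ld`; `%lu` is the format used for `inode->i_ino` elsewhere on this page (`hfs_dbg("ino %lu\n", ...)`), and the string still has no trailing `\n`.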
* Forwarded:
2025-10-29 0:12 [syzbot] [ntfs3?] WARNING in ntfs_fill_super (2) syzbot
@ 2025-11-02 16:40 ` syzbot
2025-11-03 13:28 ` Forwarded: syzbot
1 sibling, 0 replies; 96+ messages in thread
From: syzbot @ 2025-11-02 16:40 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: jkoolstra@xs4all.nl
#syz test
---
diff --git a/fs/ntfs3/super.c b/fs/ntfs3/super.c
index aae1f32f4dab..f193912d8632 100644
--- a/fs/ntfs3/super.c
+++ b/fs/ntfs3/super.c
@@ -704,8 +704,8 @@ static void ntfs_put_super(struct super_block *sb)
ntfs_set_state(sbi, NTFS_DIRTY_CLEAR);
if (sbi->options) {
+ kfree(sbi->options->nls_name);
unload_nls(sbi->options->nls);
- kfree(sbi->options->nls);
kfree(sbi->options);
sbi->options = NULL;
}
@@ -1670,8 +1670,8 @@ static int ntfs_fill_super(struct super_block *sb, struct fs_context *fc)
iput(inode);
out:
if (sbi && sbi->options) {
+ kfree(sbi->options->nls_name);
unload_nls(sbi->options->nls);
- kfree(sbi->options->nls);
kfree(sbi->options);
sbi->options = NULL;
}
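Review bot: this is the second copy of the teardown sequence already changed in ntfs_put_super() above (`kfree(sbi->options->nls_name)`, `unload_nls(...)`, `kfree(sbi->options)`, clear the pointer), and the same line had to be corrected in both copies. Move the sequence into one helper called from both the `out:` path here and ntfs_put_super(), so the two cannot drift apart again.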
* Forwarded:
2025-06-24 17:02 [syzbot] [fs?] WARNING in minix_rename syzbot
` (4 preceding siblings ...)
2025-11-02 15:50 ` Forwarded: syzbot
@ 2025-11-02 16:58 ` syzbot
5 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-11-02 16:58 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: jkoolstra@xs4all.nl
#syz test
---
diff --git a/fs/minix/minix.h b/fs/minix/minix.h
index d54273c3c9ff..ce62cb61186d 100644
--- a/fs/minix/minix.h
+++ b/fs/minix/minix.h
@@ -168,4 +168,6 @@ static inline int minix_test_bit(int nr, const void *vaddr)
#endif
+#define EFSCORRUPTED EUCLEAN /* Filesystem is corrupted */
+
#endif /* FS_MINIX_H */
diff --git a/fs/minix/namei.c b/fs/minix/namei.c
index a8d5a7e22b7b..f18f7474aca4 100644
--- a/fs/minix/namei.c
+++ b/fs/minix/namei.c
@@ -145,6 +145,12 @@ static int minix_unlink(struct inode * dir, struct dentry *dentry)
struct minix_dir_entry * de;
int err;
+ if (inode->i_nlink < 1) {
+ printk(KERN_CRIT "minix-fs error: inode (ino: %ld) "
+ "has corrupted nlink", inode->i_ino);
+ return -EFSCORRUPTED;
+ }
+
de = minix_find_entry(dentry, &folio);
if (!de)
return -ENOENT;
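Review bot: `inode->i_nlink < 1` here and `new_inode->i_nlink == 0` in the minix_rename hunk of the same patch express one test in two forms; use one of them in both places. Because minix_rmdir() calls minix_unlink() (visible in the rmdir patch context earlier on this page), this early return also decides what rmdir reports on a damaged image, and the changelog should say so.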
@@ -218,6 +224,13 @@ static int minix_rename(struct mnt_idmap *idmap,
if (dir_de && !minix_empty_dir(new_inode))
goto out_dir;
+ err = -EFSCORRUPTED;
+ if (new_inode->i_nlink == 0 || (dir_de && new_inode->i_nlink != 2)) {
+ printk(KERN_CRIT "minix-fs error: inode (ino: %ld) "
+ "has corrupted nlink", new_inode->i_ino);
+ goto out_dir;
+ }
+
err = -ENOENT;
new_de = minix_find_entry(new_dentry, &new_folio);
if (!new_de)
* Forwarded:
2025-10-23 5:35 [syzbot] [hfs?] kernel BUG in hfs_new_inode syzbot
@ 2025-11-02 18:07 ` syzbot
2025-11-02 19:22 ` Forwarded: syzbot
2025-11-03 12:27 ` Forwarded: syzbot
2 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-11-02 18:07 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: jkoolstra@xs4all.nl
#syz test
---
diff --git a/fs/hfs/dir.c b/fs/hfs/dir.c
index 86a6b317b474..ee1760305380 100644
--- a/fs/hfs/dir.c
+++ b/fs/hfs/dir.c
@@ -196,8 +196,8 @@ static int hfs_create(struct mnt_idmap *idmap, struct inode *dir,
int res;
inode = hfs_new_inode(dir, &dentry->d_name, mode);
- if (!inode)
- return -ENOMEM;
+ if (IS_ERR(inode))
+ return PTR_ERR(inode);
res = hfs_cat_create(inode->i_ino, dir, &dentry->d_name, inode);
if (res) {
@@ -226,8 +226,8 @@ static struct dentry *hfs_mkdir(struct mnt_idmap *idmap, struct inode *dir,
int res;
inode = hfs_new_inode(dir, &dentry->d_name, S_IFDIR | mode);
- if (!inode)
- return ERR_PTR(-ENOMEM);
+ if (IS_ERR(inode))
+ return ERR_CAST(inode);
res = hfs_cat_create(inode->i_ino, dir, &dentry->d_name, inode);
if (res) {
diff --git a/fs/hfs/hfs_fs.h b/fs/hfs/hfs_fs.h
index fff149af89da..6808b1316b60 100644
--- a/fs/hfs/hfs_fs.h
+++ b/fs/hfs/hfs_fs.h
@@ -273,4 +273,6 @@ static inline void hfs_bitmap_dirty(struct super_block *sb)
__bh; \
})
+#define EFSCORRUPTED EUCLEAN /* Filesystem is corrupted */
+
#endif
diff --git a/fs/hfs/inode.c b/fs/hfs/inode.c
index 9cd449913dc8..ef46a2d29d6a 100644
--- a/fs/hfs/inode.c
+++ b/fs/hfs/inode.c
@@ -188,7 +188,7 @@ struct inode *hfs_new_inode(struct inode *dir, const struct qstr *name, umode_t
s64 folder_count;
if (!inode)
- return NULL;
+ return ERR_PTR(-ENOMEM);
mutex_init(&HFS_I(inode)->extents_lock);
INIT_LIST_HEAD(&HFS_I(inode)->open_dir_list);
@@ -209,7 +209,10 @@ struct inode *hfs_new_inode(struct inode *dir, const struct qstr *name, umode_t
if (S_ISDIR(mode)) {
inode->i_size = 2;
folder_count = atomic64_inc_return(&HFS_SB(sb)->folder_count);
- BUG_ON(folder_count > U32_MAX);
+ if (folder_count > U32_MAX) {
+ printk(KERN_CRIT "hfs error: folder count on super block is corrupt");
+ return ERR_PTR(-EFSCORRUPTED);
+ }
if (dir->i_ino == HFS_ROOT_CNID)
HFS_SB(sb)->root_dirs++;
inode->i_op = &hfs_dir_inode_operations;
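Review bot: the new `return ERR_PTR(-EFSCORRUPTED)` in the `folder_count > U32_MAX` branch leaves the function while `inode`, already initialised above (`mutex_init`, `INIT_LIST_HEAD`), is still held, so the error path leaks it. Route the failure through a label that calls `iput(inode)` before returning. The same applies to the `file_count` branch in the next hunk, and both `printk` strings lack a trailing `\n`.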
@@ -219,7 +222,10 @@ struct inode *hfs_new_inode(struct inode *dir, const struct qstr *name, umode_t
} else if (S_ISREG(mode)) {
HFS_I(inode)->clump_blocks = HFS_SB(sb)->clumpablks;
file_count = atomic64_inc_return(&HFS_SB(sb)->file_count);
- BUG_ON(file_count > U32_MAX);
+ if (file_count > U32_MAX) {
+ printk(KERN_CRIT "hfs error: file count on super block is corrupt");
+ return ERR_PTR(-EFSCORRUPTED);
+ }
if (dir->i_ino == HFS_ROOT_CNID)
HFS_SB(sb)->root_files++;
inode->i_op = &hfs_file_inode_operations;
* Forwarded:
2025-10-23 5:35 [syzbot] [hfs?] kernel BUG in hfs_new_inode syzbot
2025-11-02 18:07 ` Forwarded: syzbot
@ 2025-11-02 19:22 ` syzbot
2025-11-03 12:27 ` Forwarded: syzbot
2 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-11-02 19:22 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: jkoolstra@xs4all.nl
#syz test
---
diff --git a/fs/hfs/dir.c b/fs/hfs/dir.c
index 86a6b317b474..ee1760305380 100644
--- a/fs/hfs/dir.c
+++ b/fs/hfs/dir.c
@@ -196,8 +196,8 @@ static int hfs_create(struct mnt_idmap *idmap, struct inode *dir,
int res;
inode = hfs_new_inode(dir, &dentry->d_name, mode);
- if (!inode)
- return -ENOMEM;
+ if (IS_ERR(inode))
+ return PTR_ERR(inode);
res = hfs_cat_create(inode->i_ino, dir, &dentry->d_name, inode);
if (res) {
@@ -226,8 +226,8 @@ static struct dentry *hfs_mkdir(struct mnt_idmap *idmap, struct inode *dir,
int res;
inode = hfs_new_inode(dir, &dentry->d_name, S_IFDIR | mode);
- if (!inode)
- return ERR_PTR(-ENOMEM);
+ if (IS_ERR(inode))
+ return ERR_CAST(inode);
res = hfs_cat_create(inode->i_ino, dir, &dentry->d_name, inode);
if (res) {
diff --git a/fs/hfs/hfs_fs.h b/fs/hfs/hfs_fs.h
index fff149af89da..6808b1316b60 100644
--- a/fs/hfs/hfs_fs.h
+++ b/fs/hfs/hfs_fs.h
@@ -273,4 +273,6 @@ static inline void hfs_bitmap_dirty(struct super_block *sb)
__bh; \
})
+#define EFSCORRUPTED EUCLEAN /* Filesystem is corrupted */
+
#endif
diff --git a/fs/hfs/inode.c b/fs/hfs/inode.c
index 9cd449913dc8..cb74904994cc 100644
--- a/fs/hfs/inode.c
+++ b/fs/hfs/inode.c
@@ -186,16 +186,22 @@ struct inode *hfs_new_inode(struct inode *dir, const struct qstr *name, umode_t
s64 next_id;
s64 file_count;
s64 folder_count;
+ int err = -ENOMEM;
if (!inode)
- return NULL;
+ goto out_err;
+
+ err = -EFSCORRUPTED;
mutex_init(&HFS_I(inode)->extents_lock);
INIT_LIST_HEAD(&HFS_I(inode)->open_dir_list);
spin_lock_init(&HFS_I(inode)->open_dir_lock);
hfs_cat_build_key(sb, (btree_key *)&HFS_I(inode)->cat_key, dir->i_ino, name);
next_id = atomic64_inc_return(&HFS_SB(sb)->next_id);
- BUG_ON(next_id > U32_MAX);
+ if (next_id > U32_MAX) {
+ printk(KERN_CRIT "hfs error: next file id on super block is corrupt");
+ goto out_discard;
+ }
inode->i_ino = (u32)next_id;
inode->i_mode = mode;
inode->i_uid = current_fsuid();
@@ -209,7 +215,10 @@ struct inode *hfs_new_inode(struct inode *dir, const struct qstr *name, umode_t
if (S_ISDIR(mode)) {
inode->i_size = 2;
folder_count = atomic64_inc_return(&HFS_SB(sb)->folder_count);
- BUG_ON(folder_count > U32_MAX);
+ if (folder_count > U32_MAX) {
+ printk(KERN_CRIT "hfs error: folder count on super block is corrupt");
+ goto out_discard;
+ }
if (dir->i_ino == HFS_ROOT_CNID)
HFS_SB(sb)->root_dirs++;
inode->i_op = &hfs_dir_inode_operations;
@@ -219,7 +228,10 @@ struct inode *hfs_new_inode(struct inode *dir, const struct qstr *name, umode_t
} else if (S_ISREG(mode)) {
HFS_I(inode)->clump_blocks = HFS_SB(sb)->clumpablks;
file_count = atomic64_inc_return(&HFS_SB(sb)->file_count);
- BUG_ON(file_count > U32_MAX);
+ if (file_count > U32_MAX) {
+ printk(KERN_CRIT "hfs error: file count on super block is corrupt");
+ goto out_discard;
+ }
if (dir->i_ino == HFS_ROOT_CNID)
HFS_SB(sb)->root_files++;
inode->i_op = &hfs_file_inode_operations;
@@ -243,6 +255,11 @@ struct inode *hfs_new_inode(struct inode *dir, const struct qstr *name, umode_t
hfs_mark_mdb_dirty(sb);
return inode;
+
+ out_discard:
+ iput(inode);
+ out_err:
+ return ERR_PTR(err);
}
void hfs_delete_inode(struct inode *inode)
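Review bot: `out_discard` drops the inode with `iput()` but does not undo the `atomic64_inc_return()` that preceded the jump, so `next_id`, `folder_count` or `file_count` stays incremented after a failed create and keeps growing on every retry. Decrement the counter that was bumped before jumping, or test the current value before incrementing it.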
* Forwarded:
2025-10-23 5:35 [syzbot] [hfs?] kernel BUG in hfs_new_inode syzbot
2025-11-02 18:07 ` Forwarded: syzbot
2025-11-02 19:22 ` Forwarded: syzbot
@ 2025-11-03 12:27 ` syzbot
2 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-11-03 12:27 UTC (permalink / raw)
To: linux-kernel
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.
***
Subject:
Author: jkoolstra@xs4all.nl
#syz test
---
diff --git a/fs/hfs/dir.c b/fs/hfs/dir.c
index 86a6b317b474..ee1760305380 100644
--- a/fs/hfs/dir.c
+++ b/fs/hfs/dir.c
@@ -196,8 +196,8 @@ static int hfs_create(struct mnt_idmap *idmap, struct inode *dir,
int res;
inode = hfs_new_inode(dir, &dentry->d_name, mode);
- if (!inode)
- return -ENOMEM;
+ if (IS_ERR(inode))
+ return PTR_ERR(inode);
res = hfs_cat_create(inode->i_ino, dir, &dentry->d_name, inode);
if (res) {
@@ -226,8 +226,8 @@ static struct dentry *hfs_mkdir(struct mnt_idmap *idmap, struct inode *dir,
int res;
inode = hfs_new_inode(dir, &dentry->d_name, S_IFDIR | mode);
- if (!inode)
- return ERR_PTR(-ENOMEM);
+ if (IS_ERR(inode))
+ return ERR_CAST(inode);
res = hfs_cat_create(inode->i_ino, dir, &dentry->d_name, inode);
if (res) {
diff --git a/fs/hfs/inode.c b/fs/hfs/inode.c
index 9cd449913dc8..beec6fe7e801 100644
--- a/fs/hfs/inode.c
+++ b/fs/hfs/inode.c
@@ -186,16 +186,23 @@ struct inode *hfs_new_inode(struct inode *dir, const struct qstr *name, umode_t
s64 next_id;
s64 file_count;
s64 folder_count;
+ int err = -ENOMEM;
if (!inode)
- return NULL;
+ goto out_err;
+
+ err = -ENOSPC;
mutex_init(&HFS_I(inode)->extents_lock);
INIT_LIST_HEAD(&HFS_I(inode)->open_dir_list);
spin_lock_init(&HFS_I(inode)->open_dir_lock);
hfs_cat_build_key(sb, (btree_key *)&HFS_I(inode)->cat_key, dir->i_ino, name);
next_id = atomic64_inc_return(&HFS_SB(sb)->next_id);
- BUG_ON(next_id > U32_MAX);
+ if (next_id > U32_MAX) {
+ pr_err("hfs: next file ID exceeds 32-bit limit — possible "
+ "superblock corruption");
+ goto out_discard;
+ }
inode->i_ino = (u32)next_id;
inode->i_mode = mode;
inode->i_uid = current_fsuid();
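Review bot: `err = -ENOSPC` is what every `goto out_discard` site returns, yet each `pr_err()` text says "possible superblock corruption"; the errno and the message should agree on whether this is exhaustion or damage. The log strings also contain a non-ASCII dash and no trailing `\n`; use plain ASCII and end each message with a newline.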
@@ -209,7 +216,11 @@ struct inode *hfs_new_inode(struct inode *dir, const struct qstr *name, umode_t
if (S_ISDIR(mode)) {
inode->i_size = 2;
folder_count = atomic64_inc_return(&HFS_SB(sb)->folder_count);
- BUG_ON(folder_count > U32_MAX);
+ if (folder_count > U32_MAX) {
+ pr_err("hfs: folder count exceeds 32-bit limit — possible "
+ "superblock corruption");
+ goto out_discard;
+ }
if (dir->i_ino == HFS_ROOT_CNID)
HFS_SB(sb)->root_dirs++;
inode->i_op = &hfs_dir_inode_operations;
@@ -219,7 +230,11 @@ struct inode *hfs_new_inode(struct inode *dir, const struct qstr *name, umode_t
} else if (S_ISREG(mode)) {
HFS_I(inode)->clump_blocks = HFS_SB(sb)->clumpablks;
file_count = atomic64_inc_return(&HFS_SB(sb)->file_count);
- BUG_ON(file_count > U32_MAX);
+ if (file_count > U32_MAX) {
+ pr_err("hfs: file count exceeds 32-bit limit — possible "
+ "superblock corruption");
+ goto out_discard;
+ }
if (dir->i_ino == HFS_ROOT_CNID)
HFS_SB(sb)->root_files++;
inode->i_op = &hfs_file_inode_operations;
@@ -243,6 +258,11 @@ struct inode *hfs_new_inode(struct inode *dir, const struct qstr *name, umode_t
hfs_mark_mdb_dirty(sb);
return inode;
+
+ out_discard:
+ iput(inode);
+ out_err:
+ return ERR_PTR(err);
}
void hfs_delete_inode(struct inode *inode)
@@ -251,7 +271,6 @@ void hfs_delete_inode(struct inode *inode)
hfs_dbg("ino %lu\n", inode->i_ino);
if (S_ISDIR(inode->i_mode)) {
- BUG_ON(atomic64_read(&HFS_SB(sb)->folder_count) > U32_MAX);
atomic64_dec(&HFS_SB(sb)->folder_count);
if (HFS_I(inode)->cat_key.ParID == cpu_to_be32(HFS_ROOT_CNID))
HFS_SB(sb)->root_dirs--;
@@ -260,7 +279,6 @@ void hfs_delete_inode(struct inode *inode)
return;
}
- BUG_ON(atomic64_read(&HFS_SB(sb)->file_count) > U32_MAX);
atomic64_dec(&HFS_SB(sb)->file_count);
if (HFS_I(inode)->cat_key.ParID == cpu_to_be32(HFS_ROOT_CNID))
HFS_SB(sb)->root_files--;
diff --git a/fs/hfs/mdb.c b/fs/hfs/mdb.c
index 53f3fae60217..1c3fb631cc8e 100644
--- a/fs/hfs/mdb.c
+++ b/fs/hfs/mdb.c
@@ -273,15 +273,12 @@ void hfs_mdb_commit(struct super_block *sb)
/* These parameters may have been modified, so write them back */
mdb->drLsMod = hfs_mtime();
mdb->drFreeBks = cpu_to_be16(HFS_SB(sb)->free_ablocks);
- BUG_ON(atomic64_read(&HFS_SB(sb)->next_id) > U32_MAX);
mdb->drNxtCNID =
cpu_to_be32((u32)atomic64_read(&HFS_SB(sb)->next_id));
mdb->drNmFls = cpu_to_be16(HFS_SB(sb)->root_files);
mdb->drNmRtDirs = cpu_to_be16(HFS_SB(sb)->root_dirs);
- BUG_ON(atomic64_read(&HFS_SB(sb)->file_count) > U32_MAX);
mdb->drFilCnt =
cpu_to_be32((u32)atomic64_read(&HFS_SB(sb)->file_count));
- BUG_ON(atomic64_read(&HFS_SB(sb)->folder_count) > U32_MAX);
mdb->drDirCnt =
cpu_to_be32((u32)atomic64_read(&HFS_SB(sb)->folder_count));
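Review bot: with the three `BUG_ON()`s removed, the `(u32)atomic64_read(...)` casts kept as context silently truncate any value above U32_MAX into `drNxtCNID`, `drFilCnt` and `drDirCnt`. The hfs_new_inode() changes in this same patch increment each counter before testing it and never decrement it on failure, so an over-limit in-memory value is reachable at commit time. Either undo the increment on the failure path or detect the over-limit value here and report it instead of writing a wrapped number to the MDB.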
--
2.51.1.dirty
* Forwarded:
2025-10-29 0:12 [syzbot] [ntfs3?] WARNING in ntfs_fill_super (2) syzbot
2025-11-02 16:40 ` Forwarded: syzbot
@ 2025-11-03 13:28 ` syzbot
1 sibling, 0 replies; 96+ messages in thread
From: syzbot @ 2025-11-03 13:28 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: jkoolstra@xs4all.nl
#syz dup: WARNING in ntfs_put_super
* Forwarded:
2025-11-02 23:48 [syzbot] [nbd?] KASAN: slab-use-after-free Write in recv_work (3) syzbot
@ 2025-11-05 14:40 ` syzbot
0 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-11-05 14:40 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: eslam.medhat1993@gmail.com
#syz test
* Forwarded:
2025-11-13 4:26 [syzbot] [kernel?] memory leak in do_timer_create syzbot
@ 2025-11-14 1:20 ` syzbot
2025-11-14 3:54 ` Forwarded: syzbot
2025-11-14 4:17 ` Forwarded: syzbot
2 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-11-14 1:20 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: eslam.medhat1993@gmail.com
#syz test
* Forwarded:
2025-11-13 4:26 [syzbot] [kernel?] memory leak in do_timer_create syzbot
2025-11-14 1:20 ` Forwarded: syzbot
@ 2025-11-14 3:54 ` syzbot
2025-11-14 4:17 ` Forwarded: syzbot
2 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-11-14 3:54 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: eslam.medhat1993@gmail.com
#syz test
* Forwarded:
2025-11-13 4:26 [syzbot] [kernel?] memory leak in do_timer_create syzbot
2025-11-14 1:20 ` Forwarded: syzbot
2025-11-14 3:54 ` Forwarded: syzbot
@ 2025-11-14 4:17 ` syzbot
2 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-11-14 4:17 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: eslam.medhat1993@gmail.com
#syz test
* Forwarded:
2025-11-13 4:38 [syzbot] [input?] [usb?] memory leak in dualshock4_get_calibration_data syzbot
@ 2025-11-15 1:12 ` syzbot
2025-11-15 1:44 ` Forwarded: syzbot
1 sibling, 0 replies; 96+ messages in thread
From: syzbot @ 2025-11-15 1:12 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: eslam.medhat1993@gmail.com
#syz test
* Forwarded:
2025-11-13 4:38 [syzbot] [input?] [usb?] memory leak in dualshock4_get_calibration_data syzbot
2025-11-15 1:12 ` Forwarded: syzbot
@ 2025-11-15 1:44 ` syzbot
1 sibling, 0 replies; 96+ messages in thread
From: syzbot @ 2025-11-15 1:44 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: eslam.medhat1993@gmail.com
#syz test
* Forwarded:
2021-12-13 7:17 [syzbot] UBSAN: shift-out-of-bounds in minix_statfs syzbot
@ 2025-11-17 18:53 ` syzbot
0 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-11-17 18:53 UTC (permalink / raw)
To: linux-kernel
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.
***
Subject:
Author: jkoolstra@xs4all.nl
#syz test
---
fs/minix/inode.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/fs/minix/inode.c b/fs/minix/inode.c
index 7897f5123b3d..bee191c50010 100644
--- a/fs/minix/inode.c
+++ b/fs/minix/inode.c
@@ -171,7 +171,15 @@ static bool minix_check_superblock(struct super_block *sb)
{
struct minix_sb_info *sbi = minix_sb(sb);
- if (sbi->s_imap_blocks == 0 || sbi->s_zmap_blocks == 0)
+ if (sbi->s_log_zone_size != 0) {
+ printk("minix-fs error: zone size must equal block size. "
+ "s_log_zone_size > 0 is not supported.\n");
+ return false;
+ }
+
+ if (sbi->s_imap_blocks < 1 || sbi->s_zmap_blocks < 1 ||
+ sbi->s_ninodes < 1 || sbi->s_firstdatazone <= 4 ||
+ sbi->s_firstdatazone >= sbi->s_nzones)
return false;
/*
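Review bot: the new `printk(` for the `s_log_zone_size` case carries no log level, unlike the `KERN_CRIT` messages in the other minix patches on this page, and the second group of checks returns false with no message at all, so a rejected mount gives no hint which field failed. The literal `4` in `sbi->s_firstdatazone <= 4` needs a comment or a named constant saying which on-disk blocks it accounts for. The old `== 0` tests became `< 1`; if these fields are unsigned the two are equivalent and `== 0` reads more plainly.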
--
2.51.2
* Forwarded:
2025-12-07 6:24 [syzbot] [block?] kernel BUG in bio_chain syzbot
@ 2025-12-12 12:17 ` syzbot
0 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-12-12 12:17 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: agruenba@redhat.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2.git
4daba9379bbd702c63459f54ef448746bfeab42d
* Forwarded:
2025-11-04 9:17 [syzbot] linux-next build error (24) syzbot
@ 2025-12-17 13:51 ` syzbot
0 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2025-12-17 13:51 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: pimyn@google.com
#syz invalid
* Forwarded:
2022-11-25 9:45 [syzbot] kernel BUG in hfs_write_inode syzbot
@ 2026-03-09 23:04 ` syzbot
0 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2026-03-09 23:04 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: contact@gvernon.com
#syz test
* Forwarded:
2024-11-21 15:03 [syzbot] [kvm?] WARNING: locking bug in kvm_xen_set_evtchn_fast syzbot
@ 2026-03-15 13:58 ` syzbot
0 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2026-03-15 13:58 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: klnm1908v@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
master
diff --git a/arch/x86/kvm/xen.c b/arch/x86/kvm/xen.c
index 91fd3673c09a..e588a188f50a 100644
--- a/arch/x86/kvm/xen.c
+++ b/arch/x86/kvm/xen.c
@@ -126,23 +126,10 @@ static enum hrtimer_restart
xen_timer_callback(struct hrtimer *timer)
{
struct kvm_vcpu *vcpu = container_of(timer, struct kvm_vcpu,
arch.xen.timer);
- struct kvm_xen_evtchn e;
- int rc;
if (atomic_read(&vcpu->arch.xen.timer_pending))
return HRTIMER_NORESTART;
- e.vcpu_id = vcpu->vcpu_id;
- e.vcpu_idx = vcpu->vcpu_idx;
- e.port = vcpu->arch.xen.timer_virq;
- e.priority = KVM_IRQ_ROUTING_XEN_EVTCHN_PRIO_2LEVEL;
-
- rc = kvm_xen_set_evtchn_fast(&e, vcpu->kvm);
- if (rc != -EWOULDBLOCK) {
- vcpu->arch.xen.timer_expires = 0;
- return HRTIMER_NORESTART;
- }
-
atomic_inc(&vcpu->arch.xen.timer_pending);
kvm_make_request(KVM_REQ_UNBLOCK, vcpu);
kvm_vcpu_kick(vcpu);
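Review bot: with the `kvm_xen_set_evtchn_fast()` call removed, nothing in xen_timer_callback() resets `vcpu->arch.xen.timer_expires` any more; the removed branch did that for every result other than `-EWOULDBLOCK`. The changelog needs to say where the deferred path that consumes `timer_pending` clears it. The patch text is also line-wrapped (the hunk header and the `container_of(...)` line are each split in two), so it will not apply as sent.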
* Forwarded:
2026-02-14 12:34 [syzbot] [media?] KASAN: slab-use-after-free Read in dvb_frontend_release (3) syzbot
@ 2026-04-16 13:14 ` syzbot
0 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2026-04-16 13:14 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: halves@igalia.com
#syz test
--- a/drivers/media/dvb-core/dvbdev.c
+++ b/drivers/media/dvb-core/dvbdev.c
@@ -147,6 +147,7 @@ int dvb_generic_open(struct inode *inode, struct file *file)
dvbdev->writers--;
}
+ dvb_device_get(dvbdev);
dvbdev->users--;
return 0;
}
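Review bot: `dvb_device_get(dvbdev)` is added on the success path of dvb_generic_open(), but the patch contains no matching put. Unless the release path already drops a reference that was previously unbalanced, every successful open now leaks one; name the paired `dvb_device_put()` site in the changelog or add it in the same patch. The diff also has no `diff --git` or `index` line, so it was not produced by git format-patch and may not apply cleanly.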
--
2.53.0
* Forwarded:
2026-05-07 23:35 [syzbot] [media?] [usb?] memory leak in v4l2_ctrl_handler_init_class (3) syzbot
@ 2026-05-08 2:56 ` syzbot
0 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2026-05-08 2:56 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: daiky0325@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
* Forwarded:
2023-12-21 13:47 [syzbot] [net?] WARNING: ODEBUG bug in advance_sched syzbot
@ 2026-05-11 21:06 ` syzbot
0 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2026-05-11 21:06 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: nogikh@google.com
The bug was actually fixed a long time ago.
#syz invalid
* Forwarded:
2024-04-18 20:00 [syzbot] [bpf?] possible deadlock in __stack_map_get syzbot
@ 2026-05-12 10:06 ` syzbot
0 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2026-05-12 10:06 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: nogikh@google.com
#syz invalid
The bug is actually no longer present.
* Forwarded:
2024-05-18 21:05 [syzbot] [bpf?] [net?] KMSAN: uninit-value in dev_map_hash_lookup_elem syzbot
@ 2026-05-13 20:04 ` syzbot
0 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2026-05-13 20:04 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: nogikh@google.com
The bug has actually already been fixed.
#syz invalid
* Forwarded:
2020-09-09 9:58 general protection fault in skb_release_data (2) syzbot
@ 2026-05-18 16:41 ` syzbot
0 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2026-05-18 16:41 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: nogikh@google.com
#syz invalid
Hasn't happened for a long time, in fact.
* Forwarded:
2024-04-07 14:10 [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in __hci_req_sync syzbot
@ 2026-05-20 18:09 ` syzbot
0 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2026-05-20 18:09 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: nogikh@google.com
#syz invalid
Actually fixed long ago.
* Forwarded:
2024-01-09 18:18 [syzbot] [kernel?] WARNING in signal_wake_up_state syzbot
@ 2026-05-20 18:10 ` syzbot
0 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2026-05-20 18:10 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: nogikh@google.com
#syz invalid
Fixed long ago
* Forwarded:
2026-03-17 17:43 [syzbot] [wireless?] WARNING in cfg80211_chandef_create syzbot
@ 2026-05-21 20:49 ` syzbot
0 siblings, 0 replies; 96+ messages in thread
From: syzbot @ 2026-05-21 20:49 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: nogikh@google.com
#syz invalid
Actually already fixed
end of thread, other threads:[~2026-05-21 20:49 UTC | newest]
Thread overview: 96+ messages
2025-02-04 14:07 [syzbot] [net?] general protection fault in ip6_pol_route (3) syzbot
2025-02-05 11:34 ` Hillf Danton
2025-02-05 11:54 ` syzbot
2025-02-06 11:24 ` Hillf Danton
2025-02-06 11:26 ` syzbot
2025-02-07 12:10 ` Hillf Danton
2025-02-07 12:24 ` syzbot
2025-07-20 4:02 ` Forwarded: syzbot