From: syzbot <syzbot+c16daba279a1161acfb0@syzkaller.appspotmail.com>
To: dmantipov@yandex.ru, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [ocfs2?] kernel BUG in ocfs2_commit_truncate
Date: Wed, 29 Oct 2025 02:59:03 -0700
Message-ID: <6901e567.050a0220.32483.0209.GAE@google.com>
In-Reply-To: <20251029062155.3faRf%dmantipov@yandex.ru>
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
UBSAN: signed-integer-overflow in ip_idents_reserve
================================================================================
UBSAN: signed-integer-overflow in ./arch/x86/include/asm/atomic.h:165:11
1823136308 + 1553543319 cannot be represented in type 'int'
CPU: 1 PID: 234 Comm: kworker/u4:4 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Workqueue: phy9 ieee80211_iface_work
Call Trace:
<IRQ>
dump_stack+0xfd/0x16e lib/dump_stack.c:118
ubsan_epilogue+0xa/0x30 lib/ubsan.c:148
handle_overflow+0x192/0x1b0 lib/ubsan.c:180
arch_atomic_add_return arch/x86/include/asm/atomic.h:165 [inline]
atomic_add_return include/asm-generic/atomic-instrumented.h:73 [inline]
ip_idents_reserve+0x14a/0x170 net/ipv4/route.c:521
__ip_select_ident+0xe4/0x1c0 net/ipv4/route.c:538
iptunnel_xmit+0x465/0x840 net/ipv4/ip_tunnel_core.c:80
udp_tunnel_xmit_skb+0x1b7/0x280 net/ipv4/udp_tunnel_core.c:190
geneve_xmit_skb drivers/net/geneve.c:1004 [inline]
geneve_xmit+0x1d00/0x2130 drivers/net/geneve.c:1117
__netdev_start_xmit include/linux/netdevice.h:4824 [inline]
netdev_start_xmit include/linux/netdevice.h:4838 [inline]
xmit_one net/core/dev.c:3601 [inline]
dev_hard_start_xmit+0x2aa/0x7f0 net/core/dev.c:3617
__dev_queue_xmit+0x1684/0x2960 net/core/dev.c:4203
neigh_output include/net/neighbour.h:509 [inline]
ip6_finish_output2+0x101a/0x1480 net/ipv6/ip6_output.c:130
rcu_read_lock include/linux/rcupdate.h:718 [inline]
nf_hook include/linux/netfilter.h:220 [inline]
NF_HOOK+0x45/0x2c0 include/linux/netfilter.h:294
mld_sendpack+0x5f1/0xa50 net/ipv6/mcast.c:1676
mld_send_cr net/ipv6/mcast.c:1972 [inline]
mld_ifc_timer_expire+0x7e1/0x990 net/ipv6/mcast.c:2471
call_timer_fn+0x105/0x490 kernel/time/timer.c:1444
expire_timers kernel/time/timer.c:1489 [inline]
__run_timers+0x5d5/0x7a0 kernel/time/timer.c:1783
run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1796
__do_softirq+0x267/0x92e kernel/softirq.c:298
asm_call_irq_on_stack+0xf/0x20
</IRQ>
__run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
do_softirq_own_stack+0x9b/0xe0 arch/x86/kernel/irq_64.c:77
invoke_softirq kernel/softirq.c:393 [inline]
__irq_exit_rcu+0x227/0x230 kernel/softirq.c:423
irq_exit_rcu+0x5/0x20 kernel/softirq.c:435
sysvec_apic_timer_interrupt+0xea/0x100 arch/x86/kernel/apic/apic.c:1106
asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:635
RIP: 0010:console_unlock+0xbb0/0xfc0 kernel/printk/printk.c:2548
Code: 00 00 48 83 7c 24 28 00 48 8b 5c 24 30 75 07 e8 76 5d 18 00 eb 0a e8 6f 5d 18 00 e8 ba 5b 1e 00 48 89 5c 24 58 ff 74 24 58 9d <f6> 44 24 07 01 0f 84 08 f6 ff ff e8 50 5d 18 00 48 c7 c7 40 1c 4a
RSP: 0018:ffffc9000197f9b0 EFLAGS: 00000293
RAX: fa4294196ff25300 RBX: 0000000000000293 RCX: ffff888019648000
RDX: dffffc0000000000 RSI: 0000000000000000 RDI: ffffffff81594776
RBP: ffffc9000197fb00 R08: dffffc0000000000 R09: fffffbfff191fb2e
R10: fffffbfff191fb2e R11: 1ffffffff191fb2d R12: 0000000000000057
R13: ffffc9000197fa20 R14: 1ffffffff179392d R15: dffffc0000000000
vprintk_emit+0x160/0x240 kernel/printk/printk.c:2060
printk+0x76/0xa0 kernel/printk/printk.c:2108
ieee80211_sta_find_ibss net/mac80211/ibss.c:1486 [inline]
ieee80211_ibss_work+0x1054/0x1180 net/mac80211/ibss.c:1712
process_one_work+0x85b/0xfe0 kernel/workqueue.c:2282
worker_thread+0xa9b/0x1430 kernel/workqueue.c:2428
kthread+0x384/0x410 kernel/kthread.c:328
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
================================================================================
----------------
Code disassembly (best guess):
0: 00 00 add %al,(%rax)
2: 48 83 7c 24 28 00 cmpq $0x0,0x28(%rsp)
8: 48 8b 5c 24 30 mov 0x30(%rsp),%rbx
d: 75 07 jne 0x16
f: e8 76 5d 18 00 call 0x185d8a
14: eb 0a jmp 0x20
16: e8 6f 5d 18 00 call 0x185d8a
1b: e8 ba 5b 1e 00 call 0x1e5bda
20: 48 89 5c 24 58 mov %rbx,0x58(%rsp)
25: ff 74 24 58 push 0x58(%rsp)
29: 9d popf
* 2a: f6 44 24 07 01 testb $0x1,0x7(%rsp) <-- trapping instruction
2f: 0f 84 08 f6 ff ff je 0xfffff63d
35: e8 50 5d 18 00 call 0x185d8a
3a: 48 rex.W
3b: c7 .byte 0xc7
3c: c7 .byte 0xc7
3d: 40 1c 4a rex sbb $0x4a,%al
Tested on:
commit: d3d0b4e2 Linux 5.10.245
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git linux-5.10.y
console output: https://syzkaller.appspot.com/x/log.txt?x=126abd42580000
kernel config: https://syzkaller.appspot.com/x/.config?x=e1734393bfd41d2b
dashboard link: https://syzkaller.appspot.com/bug?extid=c16daba279a1161acfb0
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=142bf614580000