From: syzbot <syzbot+d3a57c32b9112d7b01ec@syzkaller.appspotmail.com>
To: kartikey406@gmail.com, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [jfs?] KMSAN: uninit-value in txLock
Date: Fri, 23 Jan 2026 00:01:02 -0800
Message-ID: <69732abe.a70a0220.35de72.0006.GAE@google.com>
In-Reply-To: <20260123051225.1843851-1-kartikey406@gmail.com>
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: unable to handle kernel NULL pointer dereference in __mark_inode_dirty
loop0: detected capacity change from 0 to 32768
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 800000001381f067 P4D 800000001381f067 PUD 0
Oops: Oops: 0000 [#1] SMP PTI
CPU: 1 UID: 0 PID: 6507 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(none)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/13/2026
RIP: 0010:__list_del_entry_valid include/linux/list.h:127 [inline]
RIP: 0010:__list_del_entry include/linux/list.h:223 [inline]
RIP: 0010:list_move include/linux/list.h:306 [inline]
RIP: 0010:inode_io_list_move_locked+0x152/0x8d0 fs/fs-writeback.c:122
Code: 00 00 00 4d 8b b4 24 e8 00 00 00 48 89 7d a8 e8 54 34 cc ff 4c 8b 28 44 8b 3a 4d 85 ed 0f 85 bc 03 00 00 49 81 c4 e0 00 00 00 <49> 8b 1e 4c 89 f7 e8 33 34 cc ff 48 8b 00 48 85 c0 74 12 48 89 d9
RSP: 0018:ffff88803945b8c8 EFLAGS: 00010286
RAX: ffff88801ae0d7c8 RBX: 0000000000000000 RCX: 0000000000087a41
RDX: ffff88801b20d7c8 RSI: 0000000000000001 RDI: ffff88801b60d7c8
RBP: ffff88803945b930 R08: ffffea000000000f R09: 0000000000000000
R10: ffff88801ae0d760 R11: ffffffff844dab90 R12: ffff88801b60d7c0
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS: 00007f249ec6e6c0(0000) GS:ffff8881aadec000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000004f37a000 CR4: 00000000003526f0
Call Trace:
<TASK>
__mark_inode_dirty+0x878/0x1050 fs/fs-writeback.c:2668
generic_update_time fs/inode.c:2158 [inline]
inode_update_time fs/inode.c:2171 [inline]
file_update_time_flags+0x9e7/0xa60 fs/inode.c:2398
file_update_time+0x30/0x40 fs/inode.c:2419
__generic_file_write_iter+0x124/0x460 mm/filemap.c:4412
generic_file_write_iter+0x131/0x980 mm/filemap.c:4457
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0xbe1/0x15c0 fs/read_write.c:686
ksys_pwrite64 fs/read_write.c:793 [inline]
__do_sys_pwrite64 fs/read_write.c:801 [inline]
__se_sys_pwrite64 fs/read_write.c:798 [inline]
__x64_sys_pwrite64+0x2ab/0x3b0 fs/read_write.c:798
x64_sys_call+0xbaf/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:19
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f249dd9aef9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f249ec6e028 EFLAGS: 00000246 ORIG_RAX: 0000000000000012
RAX: ffffffffffffffda RBX: 00007f249e005fa0 RCX: 00007f249dd9aef9
RDX: 00000000200000c1 RSI: 00002000000000c0 RDI: 0000000000000004
RBP: 00007f249de2fee0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000009000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f249e006038 R14: 00007f249e005fa0 R15: 00007fff32808dd8
</TASK>
Modules linked in:
CR2: 0000000000000000
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
0: 00 00 add %al,(%rax)
2: 00 4d 8b add %cl,-0x75(%rbp)
5: b4 24 mov $0x24,%ah
7: e8 00 00 00 48 call 0x4800000c
c: 89 7d a8 mov %edi,-0x58(%rbp)
f: e8 54 34 cc ff call 0xffcc3468
14: 4c 8b 28 mov (%rax),%r13
17: 44 8b 3a mov (%rdx),%r15d
1a: 4d 85 ed test %r13,%r13
1d: 0f 85 bc 03 00 00 jne 0x3df
23: 49 81 c4 e0 00 00 00 add $0xe0,%r12
* 2a: 49 8b 1e mov (%r14),%rbx <-- trapping instruction
2d: 4c 89 f7 mov %r14,%rdi
30: e8 33 34 cc ff call 0xffcc3468
35: 48 8b 00 mov (%rax),%rax
38: 48 85 c0 test %rax,%rax
3b: 74 12 je 0x4f
3d: 48 89 d9 mov %rbx,%rcx
Tested on:
commit: c072629f Merge tag 'v6.19-p4' of git://git.kernel.org/..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10b857fc580000
kernel config: https://syzkaller.appspot.com/x/.config?x=62c21fde37118981
dashboard link: https://syzkaller.appspot.com/bug?extid=d3a57c32b9112d7b01ec
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=147797fc580000