* [Bridge] [syzbot] possible deadlock in br_multicast_rcv (3)
@ 2023-01-16 16:40 ` syzbot
From: syzbot @ 2023-01-16 16:40 UTC (permalink / raw)
To: axboe, bridge, davem, edumazet, hch, ivecera, jiri, kbusch, kuba,
lengchao, linux-kernel, linux-nvme, llvm, nathan, ndesaulniers,
netdev, pabeni, razor, roopa, sagi, syzkaller-bugs, trix
Hello,
syzbot found the following issue on:
HEAD commit: 60d86034b14e Merge tag 'mlx5-updates-2023-01-10' of git://..
git tree: net-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=1745e1ce480000
kernel config: https://syzkaller.appspot.com/x/.config?x=de2f853811ba4e08
dashboard link: https://syzkaller.appspot.com/bug?extid=d7b7f1412c02134efa6d
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16aa9b6e480000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16645fd6480000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/b5b394a217aa/disk-60d86034.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/f129c2da4b3a/vmlinux-60d86034.xz
kernel image: https://storage.googleapis.com/syzbot-assets/6dbc96a4303d/bzImage-60d86034.xz
The issue was bisected to:
commit dda3248e7fc306e0ce3612ae96bdd9a36e2ab04f
Author: Chao Leng <lengchao@huawei.com>
Date: Thu Feb 4 07:55:11 2021 +0000
nvme: introduce a nvme_host_path_error helper
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1564ba0e480000
final oops: https://syzkaller.appspot.com/x/report.txt?x=1764ba0e480000
console output: https://syzkaller.appspot.com/x/log.txt?x=1364ba0e480000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d7b7f1412c02134efa6d@syzkaller.appspotmail.com
Fixes: dda3248e7fc3 ("nvme: introduce a nvme_host_path_error helper")
============================================
WARNING: possible recursive locking detected
6.2.0-rc2-syzkaller-00378-g60d86034b14e #0 Not tainted
--------------------------------------------
ksoftirqd/0/15 is trying to acquire lock:
ffff88814b52d338 (&br->multicast_lock){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:350 [inline]
ffff88814b52d338 (&br->multicast_lock){+.-.}-{2:2}, at: br_ip6_multicast_query net/bridge/br_multicast.c:3351 [inline]
ffff88814b52d338 (&br->multicast_lock){+.-.}-{2:2}, at: br_multicast_ipv6_rcv net/bridge/br_multicast.c:3747 [inline]
ffff88814b52d338 (&br->multicast_lock){+.-.}-{2:2}, at: br_multicast_rcv+0x2019/0x6830 net/bridge/br_multicast.c:3802
but task is already holding lock:
ffff88807ac21338 (&br->multicast_lock){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:350 [inline]
ffff88807ac21338 (&br->multicast_lock){+.-.}-{2:2}, at: br_multicast_port_query_expired+0x61/0x360 net/bridge/br_multicast.c:1752
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(&br->multicast_lock);
lock(&br->multicast_lock);
*** DEADLOCK ***
May be due to missing lock nesting notation
5 locks held by ksoftirqd/0/15:
#0: ffffc90000147c50 ((&pmctx->ip6_own_query.timer)){+.-.}-{0:0}, at: lockdep_copy_map include/linux/lockdep.h:31 [inline]
#0: ffffc90000147c50 ((&pmctx->ip6_own_query.timer)){+.-.}-{0:0}, at: call_timer_fn+0xd4/0x7c0 kernel/time/timer.c:1690
#1: ffff88807ac21338 (&br->multicast_lock){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:350 [inline]
#1: ffff88807ac21338 (&br->multicast_lock){+.-.}-{2:2}, at: br_multicast_port_query_expired+0x61/0x360 net/bridge/br_multicast.c:1752
#2: ffffffff8c791b20 (rcu_read_lock_bh){....}-{1:2}, at: __dev_queue_xmit+0x237/0x3ba0 net/core/dev.c:4166
#3: ffffffff8c791b20 (rcu_read_lock_bh){....}-{1:2}, at: __dev_queue_xmit+0x237/0x3ba0 net/core/dev.c:4166
#4: ffffffff8c791b80 (rcu_read_lock){....}-{1:2}, at: br_dev_xmit+0x4/0x1620 net/bridge/br_device.c:29
stack backtrace:
CPU: 0 PID: 15 Comm: ksoftirqd/0 Not tainted 6.2.0-rc2-syzkaller-00378-g60d86034b14e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
print_deadlock_bug kernel/locking/lockdep.c:2990 [inline]
check_deadlock kernel/locking/lockdep.c:3033 [inline]
validate_chain kernel/locking/lockdep.c:3818 [inline]
__lock_acquire.cold+0x116/0x3a7 kernel/locking/lockdep.c:5055
lock_acquire kernel/locking/lockdep.c:5668 [inline]
lock_acquire+0x1e3/0x630 kernel/locking/lockdep.c:5633
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:350 [inline]
br_ip6_multicast_query net/bridge/br_multicast.c:3351 [inline]
br_multicast_ipv6_rcv net/bridge/br_multicast.c:3747 [inline]
br_multicast_rcv+0x2019/0x6830 net/bridge/br_multicast.c:3802
br_dev_xmit+0x726/0x1620 net/bridge/br_device.c:89
__netdev_start_xmit include/linux/netdevice.h:4865 [inline]
netdev_start_xmit include/linux/netdevice.h:4879 [inline]
xmit_one net/core/dev.c:3583 [inline]
dev_hard_start_xmit+0x1c2/0x990 net/core/dev.c:3599
__dev_queue_xmit+0x2cdf/0x3ba0 net/core/dev.c:4249
dev_queue_xmit include/linux/netdevice.h:3035 [inline]
vlan_dev_hard_start_xmit+0x1bc/0x5c0 net/8021q/vlan_dev.c:124
__netdev_start_xmit include/linux/netdevice.h:4865 [inline]
netdev_start_xmit include/linux/netdevice.h:4879 [inline]
xmit_one net/core/dev.c:3583 [inline]
dev_hard_start_xmit+0x1c2/0x990 net/core/dev.c:3599
__dev_queue_xmit+0x2cdf/0x3ba0 net/core/dev.c:4249
dev_queue_xmit include/linux/netdevice.h:3035 [inline]
br_dev_queue_push_xmit+0x26e/0x740 net/bridge/br_forward.c:53
NF_HOOK include/linux/netfilter.h:302 [inline]
__br_multicast_send_query+0x11c6/0x3b70 net/bridge/br_multicast.c:1656
br_multicast_send_query+0x266/0x4b0 net/bridge/br_multicast.c:1735
br_multicast_port_query_expired+0x2c3/0x360 net/bridge/br_multicast.c:1760
call_timer_fn+0x1da/0x7c0 kernel/time/timer.c:1700
expire_timers+0x2c6/0x5c0 kernel/time/timer.c:1751
__run_timers kernel/time/timer.c:2022 [inline]
__run_timers kernel/time/timer.c:1995 [inline]
run_timer_softirq+0x326/0x910 kernel/time/timer.c:2035
__do_softirq+0x1fb/0xadc kernel/softirq.c:571
run_ksoftirqd kernel/softirq.c:934 [inline]
run_ksoftirqd+0x31/0x60 kernel/softirq.c:926
smpboot_thread_fn+0x659/0xa20 kernel/smpboot.c:164
kthread+0x2e8/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
* Re: [Bridge] [syzbot] [bridge?] possible deadlock in br_multicast_rcv (3)
@ 2023-10-02 13:08 ` syzbot
From: syzbot @ 2023-10-02 13:08 UTC (permalink / raw)
To: amcohen, axboe, bridge, davem, dsahern, edumazet, hch, hdanton,
idosch, ivecera, jiri, kbusch, kuba, lengchao, linux-kernel,
linux-nvme, llvm, nathan, ndesaulniers, netdev, pabeni, razor,
roopa, sagi, syzkaller-bugs, trix
syzbot has bisected this issue to:
commit 0ae3eb7b4611207e140e9772398b9f88b72d6839
Author: Amit Cohen <amcohen@nvidia.com>
Date: Mon Feb 1 19:47:49 2021 +0000
netdevsim: fib: Perform the route programming in a non-atomic context
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=13afdae6680000
start commit: 2faac9a98f01 Merge tag 'keys-fixes-20230321' of git://git...
git tree: upstream
final oops: https://syzkaller.appspot.com/x/report.txt?x=106fdae6680000
console output: https://syzkaller.appspot.com/x/log.txt?x=17afdae6680000
kernel config: https://syzkaller.appspot.com/x/.config?x=aaa4b45720ca0519
dashboard link: https://syzkaller.appspot.com/bug?extid=d7b7f1412c02134efa6d
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14aea34ec80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13001e91c80000
Reported-by: syzbot+d7b7f1412c02134efa6d@syzkaller.appspotmail.com
Fixes: 0ae3eb7b4611 ("netdevsim: fib: Perform the route programming in a non-atomic context")
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
* Forwarded: test
@ 2026-04-23 16:10 ` syzbot
From: syzbot @ 2026-04-23 16:10 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: test
Author: idosch@nvidia.com
#syz test
* [syzbot] [jfs?] UBSAN: array-index-out-of-bounds in dtInsertEntry
@ 2024-10-03 19:10 syzbot
From: syzbot @ 2024-10-03 19:10 UTC (permalink / raw)
To: jfs-discussion, linux-kernel, shaggy, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: e7ed34365879 Merge tag 'mailbox-v6.12' of git://git.kernel..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=164e8127980000
kernel config: https://syzkaller.appspot.com/x/.config?x=84a3f3ed29aaafa0
dashboard link: https://syzkaller.appspot.com/bug?extid=5f7f0caf9979e9d09ff8
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/eb021424c7db/disk-e7ed3436.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/2f5f0d22ea96/vmlinux-e7ed3436.xz
kernel image: https://storage.googleapis.com/syzbot-assets/47176809b11c/bzImage-e7ed3436.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+5f7f0caf9979e9d09ff8@syzkaller.appspotmail.com
------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dtree.c:3632:9
index 27 is out of range for type 'struct lv[20]'
CPU: 1 UID: 0 PID: 5469 Comm: syz.1.37 Not tainted 6.11.0-syzkaller-12113-ge7ed34365879 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
ubsan_epilogue lib/ubsan.c:231 [inline]
__ubsan_handle_out_of_bounds+0x121/0x150 lib/ubsan.c:429
dtInsertEntry+0x174e/0x1780 fs/jfs/jfs_dtree.c:3632
dtSplitPage+0x2d99/0x3ed0 fs/jfs/jfs_dtree.c:1595
dtSplitUp fs/jfs/jfs_dtree.c:1091 [inline]
dtInsert+0x14bd/0x6c10 fs/jfs/jfs_dtree.c:870
jfs_create+0x7ba/0xbb0 fs/jfs/namei.c:137
lookup_open fs/namei.c:3595 [inline]
open_last_lookups fs/namei.c:3694 [inline]
path_openat+0x1c03/0x3590 fs/namei.c:3930
do_filp_open+0x235/0x490 fs/namei.c:3960
do_sys_openat2+0x13e/0x1d0 fs/open.c:1415
do_sys_open fs/open.c:1430 [inline]
__do_sys_creat fs/open.c:1506 [inline]
__se_sys_creat fs/open.c:1500 [inline]
__x64_sys_creat+0x123/0x170 fs/open.c:1500
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f2c1f97dff9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f2c20746038 EFLAGS: 00000246 ORIG_RAX: 0000000000000055
RAX: ffffffffffffffda RBX: 00007f2c1fb35f80 RCX: 00007f2c1f97dff9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000e00
RBP: 00007f2c1f9f0296 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f2c1fb35f80 R15: 00007ffdc44cf8d8
</TASK>
---[ end trace ]---
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* [syzbot] [jfs?] UBSAN: shift-out-of-bounds in jfs_statfs (3)
@ 2025-04-30 13:26 syzbot
From: syzbot @ 2025-04-30 13:26 UTC (permalink / raw)
To: jfs-discussion, linux-kernel, shaggy, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: c72692105976 Merge branch 'for-next/core' into for-kernelci
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=16b1f574580000
kernel config: https://syzkaller.appspot.com/x/.config?x=2a6efb1b6b7e84ef
dashboard link: https://syzkaller.appspot.com/bug?extid=13ba7f3e9a17f77250fe
compiler: Debian clang version 20.1.2 (++20250402124445+58df0ef89dd6-1~exp1~20250402004600.97), Debian LLD 20.1.2
userspace arch: arm64
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/bc4c947b6a4c/disk-c7269210.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/26198601f51b/vmlinux-c7269210.xz
kernel image: https://storage.googleapis.com/syzbot-assets/426ac395cf1d/Image-c7269210.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+13ba7f3e9a17f77250fe@syzkaller.appspotmail.com
... Log Wrap ... Log Wrap ... Log Wrap ...
------------[ cut here ]------------
UBSAN: shift-out-of-bounds in fs/jfs/super.c:140:14
shift exponent 770 is too large for 64-bit type 's64' (aka 'long long')
CPU: 1 UID: 0 PID: 6605 Comm: syz.1.10 Not tainted 6.15.0-rc2-syzkaller-gc72692105976 #0 PREEMPT
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call trace:
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C)
__dump_stack+0x30/0x40 lib/dump_stack.c:94
dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
dump_stack+0x1c/0x28 lib/dump_stack.c:129
ubsan_epilogue+0x14/0x48 lib/ubsan.c:231
__ubsan_handle_shift_out_of_bounds+0x2b0/0x34c lib/ubsan.c:492
jfs_statfs+0x400/0x484 fs/jfs/super.c:140
statfs_by_dentry fs/statfs.c:66 [inline]
vfs_statfs+0x13c/0x2b0 fs/statfs.c:90
ovl_check_namelen fs/overlayfs/super.c:388 [inline]
ovl_get_upper fs/overlayfs/super.c:506 [inline]
ovl_fill_super+0x5b8/0x2bac fs/overlayfs/super.c:1387
vfs_get_super fs/super.c:1280 [inline]
get_tree_nodev+0xb4/0x144 fs/super.c:1299
ovl_get_tree+0x28/0x38 fs/overlayfs/params.c:701
vfs_get_tree+0x90/0x28c fs/super.c:1759
do_new_mount+0x228/0x814 fs/namespace.c:3879
path_mount+0x5b4/0xde0 fs/namespace.c:4206
do_mount fs/namespace.c:4219 [inline]
__do_sys_mount fs/namespace.c:4430 [inline]
__se_sys_mount fs/namespace.c:4407 [inline]
__arm64_sys_mount+0x3e8/0x468 fs/namespace.c:4407
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:744
el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:762
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
---[ end trace ]---
read_mapping_page failed!
ERROR: (device loop1): txAbort:
ERROR: (device loop1): remounting filesystem as read-only
overlayfs: failed to create directory ./file0/work (errno: 5); mounting read-only
overlayfs: failed to set uuid (/file2, err=-30); falling back to uuid=null.
netlink: 277 bytes leftover after parsing attributes in process `syz.1.10'.
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* [syzbot] [jfs?] UBSAN: shift-out-of-bounds in dbSplit (3)
@ 2025-04-30 21:08 syzbot
From: syzbot @ 2025-04-30 21:08 UTC (permalink / raw)
To: jfs-discussion, linux-kernel, shaggy, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: f1a3944c860b Merge tag 'bpf-fixes' of git://git.kernel.org..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10d550d4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=90837c100b88a636
dashboard link: https://syzkaller.appspot.com/bug?extid=4c1966e88c28fa96e053
compiler: Debian clang version 20.1.2 (++20250402124445+58df0ef89dd6-1~exp1~20250402004600.97), Debian LLD 20.1.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1250a270580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14d550d4580000
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7feb34a89c2a/non_bootable_disk-f1a3944c.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/fbe8c2bb0602/vmlinux-f1a3944c.xz
kernel image: https://storage.googleapis.com/syzbot-assets/b4268e0ec733/bzImage-f1a3944c.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/10b2c382300e/mount_0.gz
fsck result: failed (log: https://syzkaller.appspot.com/x/fsck.log?x=14f49d74580000)
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+4c1966e88c28fa96e053@syzkaller.appspotmail.com
loop0: detected capacity change from 0 to 32768
------------[ cut here ]------------
UBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:2629:11
shift exponent 110 is too large for 32-bit type 'int'
CPU: 0 UID: 0 PID: 5303 Comm: syz-executor956 Not tainted 6.15.0-rc3-syzkaller-00283-gf1a3944c860b #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
ubsan_epilogue+0xa/0x40 lib/ubsan.c:231
__ubsan_handle_shift_out_of_bounds+0x386/0x410 lib/ubsan.c:492
dbSplit+0x1f8/0x200 fs/jfs/jfs_dmap.c:2629
dbAdjCtl+0x34c/0xa20 fs/jfs/jfs_dmap.c:2521
dbAllocDmap fs/jfs/jfs_dmap.c:2032 [inline]
dbAllocNear+0x2ee/0x3d0 fs/jfs/jfs_dmap.c:1243
dbAlloc+0x933/0xba0 fs/jfs/jfs_dmap.c:828
ea_write+0x374/0xdd0 fs/jfs/xattr.c:232
ea_put fs/jfs/xattr.c:619 [inline]
__jfs_setxattr+0xa01/0x1120 fs/jfs/xattr.c:792
__jfs_xattr_set+0xda/0x170 fs/jfs/xattr.c:941
__vfs_setxattr+0x439/0x480 fs/xattr.c:200
__vfs_setxattr_noperm+0x12d/0x660 fs/xattr.c:234
vfs_setxattr+0x16b/0x2f0 fs/xattr.c:321
do_setxattr fs/xattr.c:636 [inline]
filename_setxattr+0x274/0x600 fs/xattr.c:665
path_setxattrat+0x364/0x3a0 fs/xattr.c:713
__do_sys_lsetxattr fs/xattr.c:754 [inline]
__se_sys_lsetxattr fs/xattr.c:750 [inline]
__x64_sys_lsetxattr+0xbf/0xe0 fs/xattr.c:750
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xf6/0x210 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fdaa19996b9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffe3d43d28 EFLAGS: 00000246 ORIG_RAX: 00000000000000bd
RAX: ffffffffffffffda RBX: 0000200000000200 RCX: 00007fdaa19996b9
RDX: 0000000000000000 RSI: 0000200000000200 RDI: 0000200000000040
RBP: 00002000000000c0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000200000000040
R13: 0031656c69662f2e R14: 0000000000000001 R15: 0000000000000001
</TASK>
---[ end trace ]---
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* [syzbot] [rdma?] KMSAN: uninit-value in ib_nl_handle_ip_res_resp
@ 2025-09-30 20:29 syzbot
From: syzbot @ 2025-09-30 20:29 UTC (permalink / raw)
To: jgg, leon, linux-kernel, linux-rdma, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 1896ce8eb6c6 Merge tag 'fsverity-for-linus' of git://git.k..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=153d0092580000
kernel config: https://syzkaller.appspot.com/x/.config?x=6eca10e0cdef44f
dashboard link: https://syzkaller.appspot.com/bug?extid=938fcd548c303fe33c1a
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
userspace arch: i386
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/d0fbab3c0b62/disk-1896ce8e.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/71c7b444e106/vmlinux-1896ce8e.xz
kernel image: https://storage.googleapis.com/syzbot-assets/96a4aa63999d/bzImage-1896ce8e.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+938fcd548c303fe33c1a@syzkaller.appspotmail.com
netlink: 8 bytes leftover after parsing attributes in process `syz.8.3246'.
=====================================================
BUG: KMSAN: uninit-value in hex_byte_pack include/linux/hex.h:13 [inline]
BUG: KMSAN: uninit-value in ip6_string+0xef4/0x13a0 lib/vsprintf.c:1490
hex_byte_pack include/linux/hex.h:13 [inline]
ip6_string+0xef4/0x13a0 lib/vsprintf.c:1490
ip6_addr_string+0x18a/0x3e0 lib/vsprintf.c:1509
ip_addr_string+0x245/0xee0 lib/vsprintf.c:1633
pointer+0xc09/0x1bd0 lib/vsprintf.c:2542
vsnprintf+0xf8a/0x1bd0 lib/vsprintf.c:2930
vprintk_store+0x3ae/0x1530 kernel/printk/printk.c:2279
vprintk_emit+0x307/0xcd0 kernel/printk/printk.c:2426
vprintk_default+0x3f/0x50 kernel/printk/printk.c:2465
vprintk+0x36/0x50 kernel/printk/printk_safe.c:82
_printk+0x17e/0x1b0 kernel/printk/printk.c:2475
ib_nl_process_good_ip_rsep drivers/infiniband/core/addr.c:128 [inline]
ib_nl_handle_ip_res_resp+0x963/0x9d0 drivers/infiniband/core/addr.c:141
rdma_nl_rcv_msg drivers/infiniband/core/netlink.c:-1 [inline]
rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline]
rdma_nl_rcv+0xefa/0x11c0 drivers/infiniband/core/netlink.c:259
netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
netlink_unicast+0xf04/0x12b0 net/netlink/af_netlink.c:1346
netlink_sendmsg+0x10b3/0x1250 net/netlink/af_netlink.c:1896
sock_sendmsg_nosec net/socket.c:714 [inline]
__sock_sendmsg+0x333/0x3d0 net/socket.c:729
____sys_sendmsg+0x7e0/0xd80 net/socket.c:2617
___sys_sendmsg+0x271/0x3b0 net/socket.c:2671
__sys_sendmsg+0x1aa/0x300 net/socket.c:2703
__compat_sys_sendmsg net/compat.c:346 [inline]
__do_compat_sys_sendmsg net/compat.c:353 [inline]
__se_compat_sys_sendmsg net/compat.c:350 [inline]
__ia32_compat_sys_sendmsg+0xa4/0x100 net/compat.c:350
ia32_sys_call+0x3f6c/0x4310 arch/x86/include/generated/asm/syscalls_32.h:371
do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
__do_fast_syscall_32+0xb0/0x150 arch/x86/entry/syscall_32.c:306
do_fast_syscall_32+0x38/0x80 arch/x86/entry/syscall_32.c:331
do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:369
entry_SYSENTER_compat_after_hwframe+0x84/0x8e
Local variable gid.i created at:
ib_nl_process_good_ip_rsep drivers/infiniband/core/addr.c:102 [inline]
ib_nl_handle_ip_res_resp+0x254/0x9d0 drivers/infiniband/core/addr.c:141
rdma_nl_rcv_msg drivers/infiniband/core/netlink.c:-1 [inline]
rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline]
rdma_nl_rcv+0xefa/0x11c0 drivers/infiniband/core/netlink.c:259
CPU: 0 UID: 0 PID: 17455 Comm: syz.8.3246 Not tainted syzkaller #0 PREEMPT(none)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
=====================================================
* [syzbot] [jfs?] stack segment fault in dbUpdatePMap
@ 2025-11-01 17:24 syzbot
2025-11-10 11:30 ` Forwarded: test syzbot
0 siblings, 1 reply; 21+ messages in thread
From: syzbot @ 2025-11-01 17:24 UTC (permalink / raw)
To: jfs-discussion, linux-kernel, shaggy, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: ba36dd5ee6fd Merge tag 'bpf-fixes' of git://git.kernel.org..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1145ae14580000
kernel config: https://syzkaller.appspot.com/x/.config?x=41ad820f608cb833
dashboard link: https://syzkaller.appspot.com/bug?extid=f5a5b157b7336d1fda1d
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/b151a6a8b947/disk-ba36dd5e.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ddc072fd4513/vmlinux-ba36dd5e.xz
kernel image: https://storage.googleapis.com/syzbot-assets/7cdcc5b6e230/bzImage-ba36dd5e.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f5a5b157b7336d1fda1d@syzkaller.appspotmail.com
Oops: stack segment: 0000 [#1] SMP KASAN PTI
CPU: 1 UID: 0 PID: 122 Comm: jfsCommit Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
RIP: 0010:__list_add_valid_or_report+0x3e/0x130 lib/list_debug.c:29
Code: 00 00 00 48 89 d3 48 85 d2 0f 84 93 00 00 00 49 89 f6 49 89 ff 49 bd 00 00 00 00 00 fc ff df 4c 8d 63 08 4c 89 e5 48 c1 ed 03 <42> 80 7c 2d 00 00 74 08 4c 89 e7 e8 32 c4 9d fd 4d 39 34 24 75 71
RSP: 0018:ffffc900031f7a20 EFLAGS: 00010a06
RAX: 0000000000000000 RBX: dead000000000100 RCX: ffff88801dbc9e00
RDX: dead000000000100 RSI: ffffc9000323a140 RDI: ffff88802f4c9898
RBP: 1bd5a00000000021 R08: 0000000000000000 R09: 0000000000000000
R10: dffffc0000000000 R11: fffffbfff1dac5cf R12: dead000000000108
R13: dffffc0000000000 R14: ffffc9000323a140 R15: ffff88802f4c9898
FS: 0000000000000000(0000) GS:ffff888126ef9000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555586d63608 CR3: 0000000038d96000 CR4: 00000000003526f0
Call Trace:
<TASK>
__list_add_valid include/linux/list.h:96 [inline]
__list_add include/linux/list.h:158 [inline]
list_add include/linux/list.h:177 [inline]
dbUpdatePMap+0x7e4/0xeb0 fs/jfs/jfs_dmap.c:577
txAllocPMap+0x57d/0x6b0 fs/jfs/jfs_txnmgr.c:2426
txUpdateMap+0x2a2/0x9c0 fs/jfs/jfs_txnmgr.c:2309
txLazyCommit fs/jfs/jfs_txnmgr.c:2665 [inline]
jfs_lazycommit+0x3f1/0xa10 fs/jfs/jfs_txnmgr.c:2734
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__list_add_valid_or_report+0x3e/0x130 lib/list_debug.c:29
Code: 00 00 00 48 89 d3 48 85 d2 0f 84 93 00 00 00 49 89 f6 49 89 ff 49 bd 00 00 00 00 00 fc ff df 4c 8d 63 08 4c 89 e5 48 c1 ed 03 <42> 80 7c 2d 00 00 74 08 4c 89 e7 e8 32 c4 9d fd 4d 39 34 24 75 71
RSP: 0018:ffffc900031f7a20 EFLAGS: 00010a06
RAX: 0000000000000000 RBX: dead000000000100 RCX: ffff88801dbc9e00
RDX: dead000000000100 RSI: ffffc9000323a140 RDI: ffff88802f4c9898
RBP: 1bd5a00000000021 R08: 0000000000000000 R09: 0000000000000000
R10: dffffc0000000000 R11: fffffbfff1dac5cf R12: dead000000000108
R13: dffffc0000000000 R14: ffffc9000323a140 R15: ffff88802f4c9898
FS: 0000000000000000(0000) GS:ffff888126ef9000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555586d63608 CR3: 0000000038d96000 CR4: 00000000003526f0
----------------
Code disassembly (best guess):
0: 00 00 add %al,(%rax)
2: 00 48 89 add %cl,-0x77(%rax)
5: d3 48 85 rorl %cl,-0x7b(%rax)
8: d2 0f rorb %cl,(%rdi)
a: 84 93 00 00 00 49 test %dl,0x49000000(%rbx)
10: 89 f6 mov %esi,%esi
12: 49 89 ff mov %rdi,%r15
15: 49 bd 00 00 00 00 00 movabs $0xdffffc0000000000,%r13
1c: fc ff df
1f: 4c 8d 63 08 lea 0x8(%rbx),%r12
23: 4c 89 e5 mov %r12,%rbp
26: 48 c1 ed 03 shr $0x3,%rbp
* 2a: 42 80 7c 2d 00 00 cmpb $0x0,0x0(%rbp,%r13,1) <-- trapping instruction
30: 74 08 je 0x3a
32: 4c 89 e7 mov %r12,%rdi
35: e8 32 c4 9d fd call 0xfd9dc46c
3a: 4d 39 34 24 cmp %r14,(%r12)
3e: 75 71 jne 0xb1
* [syzbot] [jfs?] general protection fault in txCommit (2)
@ 2025-11-07 7:29 syzbot
2025-11-14 13:48 ` Forwarded: test syzbot
2025-11-14 14:36 ` syzbot
0 siblings, 2 replies; 21+ messages in thread
From: syzbot @ 2025-11-07 7:29 UTC (permalink / raw)
To: jfs-discussion, linux-kernel, shaggy, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 8bb886cb8f3a Merge tag 'edac_urgent_for_v6.18_rc5' of git:..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1207c114580000
kernel config: https://syzkaller.appspot.com/x/.config?x=41ad820f608cb833
dashboard link: https://syzkaller.appspot.com/bug?extid=9489c9f9f3d437221ea2
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1033d012580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11ea1bcd980000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/393661e2054b/disk-8bb886cb.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ba628b757c6a/vmlinux-8bb886cb.xz
kernel image: https://storage.googleapis.com/syzbot-assets/15255c2cc8ad/bzImage-8bb886cb.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/5ffcac92a4cf/mount_0.gz
fsck result: failed (log: https://syzkaller.appspot.com/x/fsck.log?x=125bf932580000)
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+9489c9f9f3d437221ea2@syzkaller.appspotmail.com
loop0: detected capacity change from 0 to 32768
UFO tlock:0xffffc900034fa[ 113.512606][ T5985] UFO tlock:0xffffc900034fa1b0
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
CPU: 0 UID: 0 PID: 5985 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
RIP: 0010:txLog fs/jfs/jfs_txnmgr.c:1390 [inline]
RIP: 0010:txCommit+0xafb/0x5430 fs/jfs/jfs_txnmgr.c:1265
Code: 3c 10 00 74 12 4c 89 f7 e8 f2 cb e2 fe 48 ba 00 00 00 00 00 fc ff df 4c 89 74 24 68 4d 8b 36 4d 8d 7e 28 4c 89 f8 48 c1 e8 03 <80> 3c 10 00 74 12 4c 89 ff e8 c7 cb e2 fe 48 ba 00 00 00 00 00 fc
RSP: 0018:ffffc90003fc74e0 EFLAGS: 00010206
RAX: 0000000000000005 RBX: 0000000000000948 RCX: 1ffff9200069fd48
RDX: dffffc0000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90003fc76b0 R08: 0000000000000000 R09: 0000000000000000
R10: dffffc0000000000 R11: fffffbfff1dac5ef R12: 0000000000000002
R13: ffffc900034fa000 R14: 0000000000000000 R15: 0000000000000028
FS: 0000555570e52500(0000) GS:ffff888126df9000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000038f28000 CR4: 00000000003526f0
Call Trace:
<TASK>
jfs_create+0x865/0xa80 fs/jfs/namei.c:156
lookup_open fs/namei.c:3796 [inline]
open_last_lookups fs/namei.c:3895 [inline]
path_openat+0x1500/0x3840 fs/namei.c:4131
do_filp_open+0x1fa/0x410 fs/namei.c:4161
do_sys_openat2+0x121/0x1c0 fs/open.c:1437
do_sys_open fs/open.c:1452 [inline]
__do_sys_creat fs/open.c:1530 [inline]
__se_sys_creat fs/open.c:1524 [inline]
__x64_sys_creat+0x8f/0xc0 fs/open.c:1524
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f575dbcf6c9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff260cfb28 EFLAGS: 00000246 ORIG_RAX: 0000000000000055
RAX: ffffffffffffffda RBX: 00007f575de25fa0 RCX: 00007f575dbcf6c9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000200000000580
RBP: 00007f575dc51f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f575de25fa0 R14: 00007f575de25fa0 R15: 0000000000000002
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:txLog fs/jfs/jfs_txnmgr.c:1390 [inline]
RIP: 0010:txCommit+0xafb/0x5430 fs/jfs/jfs_txnmgr.c:1265
Code: 3c 10 00 74 12 4c 89 f7 e8 f2 cb e2 fe 48 ba 00 00 00 00 00 fc ff df 4c 89 74 24 68 4d 8b 36 4d 8d 7e 28 4c 89 f8 48 c1 e8 03 <80> 3c 10 00 74 12 4c 89 ff e8 c7 cb e2 fe 48 ba 00 00 00 00 00 fc
RSP: 0018:ffffc90003fc74e0 EFLAGS: 00010206
RAX: 0000000000000005 RBX: 0000000000000948 RCX: 1ffff9200069fd48
RDX: dffffc0000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90003fc76b0 R08: 0000000000000000 R09: 0000000000000000
R10: dffffc0000000000 R11: fffffbfff1dac5ef R12: 0000000000000002
R13: ffffc900034fa000 R14: 0000000000000000 R15: 0000000000000028
FS: 0000555570e52500(0000) GS:ffff888126df9000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000038f28000 CR4: 00000000003526f0
----------------
Code disassembly (best guess):
0: 3c 10 cmp $0x10,%al
2: 00 74 12 4c add %dh,0x4c(%rdx,%rdx,1)
6: 89 f7 mov %esi,%edi
8: e8 f2 cb e2 fe call 0xfee2cbff
d: 48 ba 00 00 00 00 00 movabs $0xdffffc0000000000,%rdx
14: fc ff df
17: 4c 89 74 24 68 mov %r14,0x68(%rsp)
1c: 4d 8b 36 mov (%r14),%r14
1f: 4d 8d 7e 28 lea 0x28(%r14),%r15
23: 4c 89 f8 mov %r15,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 80 3c 10 00 cmpb $0x0,(%rax,%rdx,1) <-- trapping instruction
2e: 74 12 je 0x42
30: 4c 89 ff mov %r15,%rdi
33: e8 c7 cb e2 fe call 0xfee2cbff
38: 48 rex.W
39: ba 00 00 00 00 mov $0x0,%edx
3e: 00 fc add %bh,%ah
* [syzbot] [media?] KASAN: slab-use-after-free Read in dvb_frontend_open
@ 2026-05-18 1:17 syzbot
2026-05-18 11:19 ` Forwarded: test syzbot
2026-05-19 0:36 ` syzbot
0 siblings, 2 replies; 21+ messages in thread
From: syzbot @ 2026-05-18 1:17 UTC (permalink / raw)
To: linux-kernel, linux-media, mchehab, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 5cbb61bf4168 arm64/fpsimd: ptrace: zero target's fpsimd_st..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=14614fce580000
kernel config: https://syzkaller.appspot.com/x/.config?x=a834c6344141a58b
dashboard link: https://syzkaller.appspot.com/bug?extid=40339ea82afa8184ad5d
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=127e5636580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/04156ec16593/disk-5cbb61bf.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/6bfa041e2c79/vmlinux-5cbb61bf.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a92d82d8a79e/Image-5cbb61bf.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+40339ea82afa8184ad5d@syzkaller.appspotmail.com
i2c i2c-0: dvb_frontend_start: failed to start kthread (-4)
==================================================================
BUG: KASAN: slab-use-after-free in dvb_frontend_open+0xdac/0x105c drivers/media/dvb-core/dvb_frontend.c:2892
Read of size 4 at addr ffff0000cc9e9c3c by task syz.4.109/5364
CPU: 1 UID: 0 PID: 5364 Comm: syz.4.109 Not tainted syzkaller #0 PREEMPT
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Call trace:
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:499 (C)
__dump_stack+0x30/0x40 lib/dump_stack.c:94
dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
print_address_description+0xb0/0x238 mm/kasan/report.c:378
print_report+0x68/0x84 mm/kasan/report.c:482
kasan_report+0x8c/0xc4 mm/kasan/report.c:595
__asan_report_load4_noabort+0x20/0x2c mm/kasan/report_generic.c:380
dvb_frontend_open+0xdac/0x105c drivers/media/dvb-core/dvb_frontend.c:2892
dvb_device_open+0x1f4/0x250 drivers/media/dvb-core/dvbdev.c:109
chrdev_open+0x398/0x3e8 fs/char_dev.c:411
do_dentry_open+0x5c8/0x10dc fs/open.c:947
vfs_open+0x44/0x2d4 fs/open.c:1079
do_open fs/namei.c:4699 [inline]
path_openat+0x2234/0x2a6c fs/namei.c:4858
do_file_open+0x1c4/0x2e4 fs/namei.c:4887
do_sys_openat2+0x114/0x1e8 fs/open.c:1364
do_sys_open+0xac/0xdc fs/open.c:1370
__do_sys_openat fs/open.c:1386 [inline]
__se_sys_openat fs/open.c:1381 [inline]
__arm64_sys_openat+0x9c/0xb8 fs/open.c:1381
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x244 arch/arm64/kernel/syscall.c:49
el0_svc_common+0xe8/0x23c arch/arm64/kernel/syscall.c:121
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:140
el0_svc+0x60/0x25c arch/arm64/kernel/entry-common.c:723
el0t_64_sync_handler+0x48/0x148 arch/arm64/kernel/entry-common.c:742
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:594
Allocated by task 1:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x40/0x78 mm/kasan/common.c:78
kasan_save_alloc_info+0x44/0x54 mm/kasan/generic.c:570
poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
__kasan_kmalloc+0x9c/0xb4 mm/kasan/common.c:415
kasan_kmalloc include/linux/kasan.h:263 [inline]
__kmalloc_cache_noprof+0x284/0x56c mm/slub.c:5415
kmalloc_noprof include/linux/slab.h:950 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
dvb_register_device+0x1ac/0x16ec drivers/media/dvb-core/dvbdev.c:472
dvb_register_frontend+0x464/0x698 drivers/media/dvb-core/dvb_frontend.c:3051
vidtv_bridge_dvb_init drivers/media/test-drivers/vidtv/vidtv_bridge.c:438 [inline]
vidtv_bridge_probe+0x57c/0xa24 drivers/media/test-drivers/vidtv/vidtv_bridge.c:510
platform_probe+0xfc/0x198 drivers/base/platform.c:1418
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x2a8/0x7e8 drivers/base/dd.c:709
__driver_probe_device+0x1e0/0x33c drivers/base/dd.c:871
driver_probe_device+0x6c/0x19c drivers/base/dd.c:901
__driver_attach+0x164/0x374 drivers/base/dd.c:1295
bus_for_each_dev+0x128/0x1b4 drivers/base/bus.c:383
driver_attach+0x4c/0x5c drivers/base/dd.c:1313
bus_add_driver+0x208/0x4fc drivers/base/bus.c:756
driver_register+0x220/0x30c drivers/base/driver.c:249
__platform_driver_register+0x6c/0x80 drivers/base/platform.c:910
vidtv_bridge_init+0x34/0x5c drivers/media/test-drivers/vidtv/vidtv_bridge.c:600
do_one_initcall+0x274/0xc20 init/main.c:1392
do_initcall_level+0x128/0x1c4 init/main.c:1454
do_initcalls+0x70/0xd0 init/main.c:1470
do_basic_setup+0x7c/0x90 init/main.c:1490
kernel_init_freeable+0x268/0x3a8 init/main.c:1703
kernel_init+0x24/0x1dc init/main.c:1593
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:842
Freed by task 5364:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x40/0x78 mm/kasan/common.c:78
kasan_save_free_info+0x58/0x70 mm/kasan/generic.c:584
poison_slab_object mm/kasan/common.c:253 [inline]
__kasan_slab_free+0x74/0xa4 mm/kasan/common.c:285
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:2689 [inline]
slab_free mm/slub.c:6246 [inline]
kfree+0x188/0x5e4 mm/slub.c:6561
dvb_free_device drivers/media/dvb-core/dvbdev.c:616 [inline]
kref_put include/linux/kref.h:65 [inline]
dvb_device_put+0x64/0xd0 drivers/media/dvb-core/dvbdev.c:629
dvb_generic_release+0xec/0x154 drivers/media/dvb-core/dvbdev.c:169
dvb_frontend_open+0x9b8/0x105c drivers/media/dvb-core/dvb_frontend.c:2890
dvb_device_open+0x1f4/0x250 drivers/media/dvb-core/dvbdev.c:109
chrdev_open+0x398/0x3e8 fs/char_dev.c:411
do_dentry_open+0x5c8/0x10dc fs/open.c:947
vfs_open+0x44/0x2d4 fs/open.c:1079
do_open fs/namei.c:4699 [inline]
path_openat+0x2234/0x2a6c fs/namei.c:4858
do_file_open+0x1c4/0x2e4 fs/namei.c:4887
do_sys_openat2+0x114/0x1e8 fs/open.c:1364
do_sys_open+0xac/0xdc fs/open.c:1370
__do_sys_openat fs/open.c:1386 [inline]
__se_sys_openat fs/open.c:1381 [inline]
__arm64_sys_openat+0x9c/0xb8 fs/open.c:1381
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x244 arch/arm64/kernel/syscall.c:49
el0_svc_common+0xe8/0x23c arch/arm64/kernel/syscall.c:121
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:140
el0_svc+0x60/0x25c arch/arm64/kernel/entry-common.c:723
el0t_64_sync_handler+0x48/0x148 arch/arm64/kernel/entry-common.c:742
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:594
The buggy address belongs to the object at ffff0000cc9e9c00
which belongs to the cache kmalloc-256 of size 256
The buggy address is located 60 bytes inside of
freed 256-byte region [ffff0000cc9e9c00, ffff0000cc9e9d00)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff0000cc9e9200 pfn:0x10c9e8
head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x5ffc00000000240(workingset|head|node=0|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 05ffc00000000240 ffff0000c0001b40 fffffdffc333d590 fffffdffc3064090
raw: ffff0000cc9e9200 000000080010000f 00000000f5000000 0000000000000000
head: 05ffc00000000240 ffff0000c0001b40 fffffdffc333d590 fffffdffc3064090
head: ffff0000cc9e9200 000000080010000f 00000000f5000000 0000000000000000
head: 05ffc00000000001 fffffdffc3327a01 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff0000cc9e9b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff0000cc9e9b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff0000cc9e9c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff0000cc9e9c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff0000cc9e9d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: lib/refcount.c:28 at refcount_warn_saturate+0x154/0x1f8 lib/refcount.c:28, CPU#1: syz.4.109/5364
Modules linked in:
CPU: 1 UID: 0 PID: 5364 Comm: syz.4.109 Tainted: G B syzkaller #0 PREEMPT
Tainted: [B]=BAD_PAGE
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
pstate: 63400005 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
pc : refcount_warn_saturate+0x154/0x1f8 lib/refcount.c:28
lr : refcount_warn_saturate+0x154/0x1f8 lib/refcount.c:28
sp : ffff80009bdd7540
x29: ffff80009bdd7540 x28: ffff0000dbdcc748 x27: dfff800000000000
x26: 1fffe0001b7b98e9 x25: dfff800000000000 x24: ffff0000cc649068
x23: ffff0000dbdcc748 x22: ffff800083949be4 x21: 0000000000000000
x20: ffff0000cc9e9c10 x19: ffff800089f06000 x18: 0000000000000000
x17: 3d3d3d3d3d3d3d3d x16: 3d3d3d3d3d3d3d3d x15: 3d3d3d3d3d3d3d3d
x14: 3d3d3d3d3d3d3d3d x13: 0000000000000001 x12: 0000000000000000
x11: 0000000000000b4e x10: 0000000000ff0100 x9 : 9ef5470fdd42bb00
x8 : 9ef5470fdd42bb00 x7 : 0000000000000000 x6 : ffff8000804886d0
x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff8000802f13b0
x2 : 0000000100000000 x1 : ffff0000d7dc8000 x0 : 0000000000000000
Call trace:
refcount_warn_saturate+0x154/0x1f8 lib/refcount.c:28 (P)
__refcount_sub_and_test include/linux/refcount.h:400 [inline]
__refcount_dec_and_test include/linux/refcount.h:432 [inline]
refcount_dec_and_test include/linux/refcount.h:450 [inline]
kref_put include/linux/kref.h:64 [inline]
dvb_device_put+0xac/0xd0 drivers/media/dvb-core/dvbdev.c:629
dvb_device_open+0x238/0x250 drivers/media/dvb-core/dvbdev.c:113
chrdev_open+0x398/0x3e8 fs/char_dev.c:411
do_dentry_open+0x5c8/0x10dc fs/open.c:947
vfs_open+0x44/0x2d4 fs/open.c:1079
do_open fs/namei.c:4699 [inline]
path_openat+0x2234/0x2a6c fs/namei.c:4858
do_file_open+0x1c4/0x2e4 fs/namei.c:4887
do_sys_openat2+0x114/0x1e8 fs/open.c:1364
do_sys_open+0xac/0xdc fs/open.c:1370
__do_sys_openat fs/open.c:1386 [inline]
__se_sys_openat fs/open.c:1381 [inline]
__arm64_sys_openat+0x9c/0xb8 fs/open.c:1381
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x244 arch/arm64/kernel/syscall.c:49
el0_svc_common+0xe8/0x23c arch/arm64/kernel/syscall.c:121
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:140
el0_svc+0x60/0x25c arch/arm64/kernel/entry-common.c:723
el0t_64_sync_handler+0x48/0x148 arch/arm64/kernel/entry-common.c:742
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:594
irq event stamp: 562843
hardirqs last enabled at (562843): [<ffff8000867248cc>] irqentry_exit_to_kernel_mode_after_preempt include/linux/irq-entry-common.h:515 [inline]
hardirqs last enabled at (562843): [<ffff8000867248cc>] arm64_exit_to_kernel_mode+0x7c/0x90 arch/arm64/kernel/entry-common.c:62
hardirqs last disabled at (562842): [<ffff800086720b00>] __el1_irq arch/arm64/kernel/entry-common.c:493 [inline]
hardirqs last disabled at (562842): [<ffff800086720b00>] el1_interrupt+0x28/0x60 arch/arm64/kernel/entry-common.c:509
softirqs last enabled at (562784): [<ffff800080139e6c>] local_bh_enable+0x10/0x34 include/linux/bottom_half.h:32
softirqs last disabled at (562782): [<ffff800080139e38>] local_bh_disable+0x10/0x34 include/linux/bottom_half.h:19
---[ end trace 0000000000000000 ]---
* [syzbot] [net?] WARNING in netif_rx_mode_run
@ 2026-05-19 11:56 syzbot
2026-05-19 12:49 ` Forwarded: test syzbot
2026-05-20 9:34 ` syzbot
0 siblings, 2 replies; 21+ messages in thread
From: syzbot @ 2026-05-19 11:56 UTC (permalink / raw)
To: davem, edumazet, horms, kuba, linux-kernel, netdev, pabeni, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: c8993263ffd3 bpf: Add Jiayuan Chen to sockmap maintainers
git tree: bpf-next
console output: https://syzkaller.appspot.com/x/log.txt?x=156e9bce580000
kernel config: https://syzkaller.appspot.com/x/.config?x=4caf64b1ee83dac0
dashboard link: https://syzkaller.appspot.com/bug?extid=f2421634072a4b47071e
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=121aee36580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=136e9bce580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/bd0898114f61/disk-c8993263.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/2b3988a1716d/vmlinux-c8993263.xz
kernel image: https://storage.googleapis.com/syzbot-assets/eedc9b64bb9f/bzImage-c8993263.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f2421634072a4b47071e@syzkaller.appspotmail.com
RSP: 002b:00007ffde2b3c518 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fece9c15fa0 RCX: 00007fece999ce59
RDX: 0000200000000000 RSI: 0000000000008931 RDI: 0000000000000003
RBP: 00007ffde2b3c580 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 00007fece9c15fac R14: 00007fece9c15fa0 R15: 00007fece9c15fa0
</TASK>
------------[ cut here ]------------
netdevice: dummy0: failed to sync uc/mc addresses
WARNING: net/core/dev_addr_lists.c:1278 at netif_rx_mode_run+0xd55/0x1290 net/core/dev_addr_lists.c:1278, CPU#1: syz.0.17/5854
Modules linked in:
CPU: 1 UID: 0 PID: 5854 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
RIP: 0010:netif_rx_mode_run+0xe82/0x1290 net/core/dev_addr_lists.c:1278
Code: 3a 48 c7 c2 a0 ec dd 8c eb 1a e8 e9 8a 43 f8 48 c7 c2 20 eb dd 8c eb 0c e8 db 8a 43 f8 48 c7 c2 20 ec dd 8c 4c 89 f7 4c 89 fe <67> 48 0f b9 3a 48 8b 5c 24 38 48 8b 7c 24 48 e8 da be 29 02 42 c7
RSP: 0018:ffffc90002e2f9e0 EFLAGS: 00010293
RAX: ffffffff898241b7 RBX: 0000000000000001 RCX: ffff88802dcd5c40
RDX: ffffffff8cddeb20 RSI: ffff888025bb6120 RDI: ffffffff903fb9d0
RBP: ffffc90002e2fbb8 R08: ffff88802dcd5c40 R09: 0000000000000006
R10: 0000000000000005 R11: 0000000000000000 R12: ffff888025bb6120
R13: dffffc0000000000 R14: ffffffff903fb9d0 R15: ffff888025bb6120
FS: 000055556040b500(0000) GS:ffff888125388000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000200000000000 CR3: 0000000033696000 CR4: 00000000003526f0
Call Trace:
<TASK>
netif_rx_mode_sync+0x171/0x1e0 net/core/dev_addr_lists.c:1428
dev_ifsioc+0xf51/0x1330 net/core/dev_ioctl.c:596
dev_ioctl+0x7b4/0x1150 net/core/dev_ioctl.c:816
sock_do_ioctl+0x23e/0x320 net/socket.c:1327
sock_ioctl+0x5c6/0x7f0 net/socket.c:1434
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fece999ce59
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffde2b3c518 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fece9c15fa0 RCX: 00007fece999ce59
RDX: 0000200000000000 RSI: 0000000000008931 RDI: 0000000000000003
RBP: 00007ffde2b3c580 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 00007fece9c15fac R14: 00007fece9c15fa0 R15: 00007fece9c15fa0
</TASK>
----------------
Code disassembly (best guess):
0: 3a 48 c7 cmp -0x39(%rax),%cl
3: c2 a0 ec ret $0xeca0
6: dd 8c eb 1a e8 e9 8a fisttpll -0x751617e6(%rbx,%rbp,8)
d: 43 f8 rex.XB clc
f: 48 c7 c2 20 eb dd 8c mov $0xffffffff8cddeb20,%rdx
16: eb 0c jmp 0x24
18: e8 db 8a 43 f8 call 0xf8438af8
1d: 48 c7 c2 20 ec dd 8c mov $0xffffffff8cddec20,%rdx
24: 4c 89 f7 mov %r14,%rdi
27: 4c 89 fe mov %r15,%rsi
* 2a: 67 48 0f b9 3a ud1 (%edx),%rdi <-- trapping instruction
2f: 48 8b 5c 24 38 mov 0x38(%rsp),%rbx
34: 48 8b 7c 24 48 mov 0x48(%rsp),%rdi
39: e8 da be 29 02 call 0x229bf18
3e: 42 rex.X
3f: c7 .byte 0xc7
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* [syzbot] [net?] possible deadlock in __sk_receive_skb
@ 2026-05-19 18:53 syzbot
2026-05-20 2:05 ` Forwarded: test syzbot
` (3 more replies)
0 siblings, 4 replies; 21+ messages in thread
From: syzbot @ 2026-05-19 18:53 UTC (permalink / raw)
To: courmisch, davem, edumazet, horms, kuba, linux-kernel, netdev,
pabeni, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 97e797263a5e Add linux-next specific files for 20260420
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=17c62c36580000
kernel config: https://syzkaller.appspot.com/x/.config?x=354b135d724a721f
dashboard link: https://syzkaller.appspot.com/bug?extid=9f4a135646b66c509935
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10f622d2580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12f88e6a580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/bfe08255b02b/disk-97e79726.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/70874e341331/vmlinux-97e79726.xz
kernel image: https://storage.googleapis.com/syzbot-assets/68352f7fca94/bzImage-97e79726.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+9f4a135646b66c509935@syzkaller.appspotmail.com
======================================================
WARNING: possible circular locking dependency detected
syzkaller #0 Not tainted
------------------------------------------------------
syz.0.17/6130 is trying to acquire lock:
ffff88803976da20 (slock-AF_PHONET/1){+.+.}-{3:3}, at: __sk_receive_skb+0x1bf/0x9e0 net/core/sock.c:563
but task is already holding lock:
ffff88803976e2e0 (slock-AF_PHONET){+...}-{3:3}, at: spin_lock include/linux/spinlock_rt.h:45 [inline]
ffff88803976e2e0 (slock-AF_PHONET){+...}-{3:3}, at: __sk_receive_skb+0x1f1/0x9e0 net/core/sock.c:565
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (slock-AF_PHONET){+...}-{3:3}:
rt_spin_lock+0x83/0x400 kernel/locking/spinlock_rt.c:56
spin_lock include/linux/spinlock_rt.h:45 [inline]
__sk_receive_skb+0x1f1/0x9e0 net/core/sock.c:565
sk_receive_skb include/net/sock.h:2022 [inline]
phonet_rcv+0x781/0xc40 net/phonet/af_phonet.c:-1
__netif_receive_skb_one_core net/core/dev.c:6210 [inline]
__netif_receive_skb net/core/dev.c:6323 [inline]
process_backlog+0x5e1/0xc60 net/core/dev.c:6674
__napi_poll+0xab/0x550 net/core/dev.c:7738
napi_poll net/core/dev.c:7801 [inline]
net_rx_action+0x696/0xe00 net/core/dev.c:7958
handle_softirqs+0x1de/0x6d0 kernel/softirq.c:626
__do_softirq kernel/softirq.c:660 [inline]
__local_bh_enable_ip+0x170/0x2b0 kernel/softirq.c:302
local_bh_enable include/linux/bottom_half.h:33 [inline]
netif_rx+0xb9/0xf0 net/core/dev.c:5776
pn_send+0x62a/0x8e0 net/phonet/af_phonet.c:188
pn_skb_send+0x218/0x530 net/phonet/af_phonet.c:275
pep_indicate net/phonet/pep.c:123 [inline]
pipe_snd_status+0x1f1/0x320 net/phonet/pep.c:221
pipe_grant_credits net/phonet/pep.c:244 [inline]
pipe_do_rcv+0xf15/0x16a0 net/phonet/pep.c:433
sk_backlog_rcv include/net/sock.h:1190 [inline]
__sk_receive_skb+0x962/0x9e0 net/core/sock.c:572
sk_receive_skb include/net/sock.h:2022 [inline]
pep_do_rcv+0x685/0xaa0 net/phonet/pep.c:675
sk_backlog_rcv include/net/sock.h:1190 [inline]
__release_sock+0x2a9/0x3d0 net/core/sock.c:3216
release_sock+0x1be/0x290 net/core/sock.c:3815
pep_sock_accept+0xd47/0x11e0 net/phonet/pep.c:879
pn_socket_accept+0xc1/0x310 net/phonet/socket.c:303
do_accept+0x6ca/0x930 net/socket.c:2062
__sys_accept4_file net/socket.c:2096 [inline]
__sys_accept4+0x139/0x230 net/socket.c:2118
__do_sys_accept4 net/socket.c:2125 [inline]
__se_sys_accept4 net/socket.c:2122 [inline]
__x64_sys_accept4+0x9a/0xb0 net/socket.c:2122
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
-> #0 (slock-AF_PHONET/1){+.+.}-{3:3}:
check_prev_add kernel/locking/lockdep.c:3167 [inline]
check_prevs_add kernel/locking/lockdep.c:3286 [inline]
validate_chain kernel/locking/lockdep.c:3910 [inline]
__lock_acquire+0x15a5/0x2cf0 kernel/locking/lockdep.c:5239
lock_acquire+0x106/0x350 kernel/locking/lockdep.c:5870
rt_spin_lock_nested+0x81/0x3f0 kernel/locking/spinlock_rt.c:64
__sk_receive_skb+0x1bf/0x9e0 net/core/sock.c:563
sk_receive_skb include/net/sock.h:2022 [inline]
pep_do_rcv+0x685/0xaa0 net/phonet/pep.c:675
sk_backlog_rcv include/net/sock.h:1190 [inline]
__sk_receive_skb+0x962/0x9e0 net/core/sock.c:572
sk_receive_skb include/net/sock.h:2022 [inline]
phonet_rcv+0x781/0xc40 net/phonet/af_phonet.c:-1
__netif_receive_skb_one_core net/core/dev.c:6210 [inline]
__netif_receive_skb net/core/dev.c:6323 [inline]
process_backlog+0x5e1/0xc60 net/core/dev.c:6674
__napi_poll+0xab/0x550 net/core/dev.c:7738
napi_poll net/core/dev.c:7801 [inline]
net_rx_action+0x696/0xe00 net/core/dev.c:7958
handle_softirqs+0x1de/0x6d0 kernel/softirq.c:626
__do_softirq kernel/softirq.c:660 [inline]
__local_bh_enable_ip+0x170/0x2b0 kernel/softirq.c:302
local_bh_enable include/linux/bottom_half.h:33 [inline]
netif_rx+0xb9/0xf0 net/core/dev.c:5776
pn_send+0x62a/0x8e0 net/phonet/af_phonet.c:188
pn_skb_send+0x218/0x530 net/phonet/af_phonet.c:275
pipe_skb_send+0x2f7/0x540 net/phonet/pep.c:1130
pep_sendmsg+0x9ca/0xb00 net/phonet/pep.c:1206
pn_socket_sendmsg+0x1e5/0x250 net/phonet/socket.c:424
sock_sendmsg_nosec+0x112/0x150 net/socket.c:797
__sock_sendmsg net/socket.c:812 [inline]
sock_write_iter+0x308/0x410 net/socket.c:1269
new_sync_write fs/read_write.c:595 [inline]
vfs_write+0x629/0xba0 fs/read_write.c:688
ksys_write+0x156/0x270 fs/read_write.c:740
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
other info that might help us debug this:
Possible unsafe locking scenario:
       CPU0                    CPU1
       ----                    ----
  lock(slock-AF_PHONET);
                               lock(slock-AF_PHONET/1);
                               lock(slock-AF_PHONET);
  lock(slock-AF_PHONET/1);
*** DEADLOCK ***
6 locks held by syz.0.17/6130:
#0: ffff88803aded218 (sk_lock-AF_PHONET){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1713 [inline]
#0: ffff88803aded218 (sk_lock-AF_PHONET){+.+.}-{0:0}, at: pep_sendmsg+0x7b6/0xb00 net/phonet/pep.c:1199
#1: ffffffff8e3c8140 (rcu_read_lock){....}-{1:3}, at: __local_bh_disable_ip+0x3c/0x420 kernel/softirq.c:163
#2: ffffffff8e3c8140 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:300 [inline]
#2: ffffffff8e3c8140 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:838 [inline]
#2: ffffffff8e3c8140 (rcu_read_lock){....}-{1:3}, at: process_backlog+0x271/0xc60 net/core/dev.c:6673
#3: ffff88803976e2e0 (slock-AF_PHONET){+...}-{3:3}, at: spin_lock include/linux/spinlock_rt.h:45 [inline]
#3: ffff88803976e2e0 (slock-AF_PHONET){+...}-{3:3}, at: __sk_receive_skb+0x1f1/0x9e0 net/core/sock.c:565
#4: ffffffff8e3c8140 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:300 [inline]
#4: ffffffff8e3c8140 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:838 [inline]
#4: ffffffff8e3c8140 (rcu_read_lock){....}-{1:3}, at: __rt_spin_lock kernel/locking/spinlock_rt.c:50 [inline]
#4: ffffffff8e3c8140 (rcu_read_lock){....}-{1:3}, at: rt_spin_lock+0x1e0/0x400 kernel/locking/spinlock_rt.c:57
#5: ffff88803976e398 (sk_lock-AF_PHONET){+.+.}-{0:0}, at: sk_receive_skb include/net/sock.h:2022 [inline]
#5: ffff88803976e398 (sk_lock-AF_PHONET){+.+.}-{0:0}, at: phonet_rcv+0x781/0xc40 net/phonet/af_phonet.c:-1
stack backtrace:
CPU: 0 UID: 0 PID: 6130 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_circular_bug+0x2e1/0x300 kernel/locking/lockdep.c:2045
check_noncircular+0x12e/0x150 kernel/locking/lockdep.c:2177
check_prev_add kernel/locking/lockdep.c:3167 [inline]
check_prevs_add kernel/locking/lockdep.c:3286 [inline]
validate_chain kernel/locking/lockdep.c:3910 [inline]
__lock_acquire+0x15a5/0x2cf0 kernel/locking/lockdep.c:5239
lock_acquire+0x106/0x350 kernel/locking/lockdep.c:5870
rt_spin_lock_nested+0x81/0x3f0 kernel/locking/spinlock_rt.c:64
__sk_receive_skb+0x1bf/0x9e0 net/core/sock.c:563
sk_receive_skb include/net/sock.h:2022 [inline]
pep_do_rcv+0x685/0xaa0 net/phonet/pep.c:675
sk_backlog_rcv include/net/sock.h:1190 [inline]
__sk_receive_skb+0x962/0x9e0 net/core/sock.c:572
sk_receive_skb include/net/sock.h:2022 [inline]
phonet_rcv+0x781/0xc40 net/phonet/af_phonet.c:-1
__netif_receive_skb_one_core net/core/dev.c:6210 [inline]
__netif_receive_skb net/core/dev.c:6323 [inline]
process_backlog+0x5e1/0xc60 net/core/dev.c:6674
__napi_poll+0xab/0x550 net/core/dev.c:7738
napi_poll net/core/dev.c:7801 [inline]
net_rx_action+0x696/0xe00 net/core/dev.c:7958
handle_softirqs+0x1de/0x6d0 kernel/softirq.c:626
__do_softirq kernel/softirq.c:660 [inline]
__local_bh_enable_ip+0x170/0x2b0 kernel/softirq.c:302
local_bh_enable include/linux/bottom_half.h:33 [inline]
netif_rx+0xb9/0xf0 net/core/dev.c:5776
pn_send+0x62a/0x8e0 net/phonet/af_phonet.c:188
pn_skb_send+0x218/0x530 net/phonet/af_phonet.c:275
pipe_skb_send+0x2f7/0x540 net/phonet/pep.c:1130
pep_sendmsg+0x9ca/0xb00 net/phonet/pep.c:1206
pn_socket_sendmsg+0x1e5/0x250 net/phonet/socket.c:424
sock_sendmsg_nosec+0x112/0x150 net/socket.c:797
__sock_sendmsg net/socket.c:812 [inline]
sock_write_iter+0x308/0x410 net/socket.c:1269
new_sync_write fs/read_write.c:595 [inline]
vfs_write+0x629/0xba0 fs/read_write.c:688
ksys_write+0x156/0x270 fs/read_write.c:740
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fd74410c819
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fd743745028 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007fd744386090 RCX: 00007fd74410c819
RDX: 00000000000003db RSI: 0000200000000480 RDI: 0000000000000006
RBP: 00007fd7441a2c91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fd744386128 R14: 00007fd744386090 R15: 00007fff7efc5418
</TASK>
---
* Forwarded: test
2026-05-19 18:53 [syzbot] [net?] possible deadlock in __sk_receive_skb syzbot
@ 2026-05-20 2:05 ` syzbot
2026-05-20 9:15 ` syzbot
` (2 subsequent siblings)
3 siblings, 0 replies; 21+ messages in thread
From: syzbot @ 2026-05-20 2:05 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: test
Author: yun.zhou@windriver.com
#syz test
* Forwarded: test
2026-05-19 18:53 [syzbot] [net?] possible deadlock in __sk_receive_skb syzbot
2026-05-20 2:05 ` Forwarded: test syzbot
@ 2026-05-20 9:15 ` syzbot
2026-05-20 10:27 ` syzbot
2026-05-20 14:33 ` syzbot
3 siblings, 0 replies; 21+ messages in thread
From: syzbot @ 2026-05-20 9:15 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: test
Author: yun.zhou@windriver.com
#syz test
* Forwarded: test
2026-05-19 18:53 [syzbot] [net?] possible deadlock in __sk_receive_skb syzbot
2026-05-20 2:05 ` Forwarded: test syzbot
2026-05-20 9:15 ` syzbot
@ 2026-05-20 10:27 ` syzbot
2026-05-20 14:33 ` syzbot
3 siblings, 0 replies; 21+ messages in thread
From: syzbot @ 2026-05-20 10:27 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: test
Author: yun.zhou@windriver.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
* Forwarded: test
2026-05-19 18:53 [syzbot] [net?] possible deadlock in __sk_receive_skb syzbot
` (2 preceding siblings ...)
2026-05-20 10:27 ` syzbot
@ 2026-05-20 14:33 ` syzbot
3 siblings, 0 replies; 21+ messages in thread
From: syzbot @ 2026-05-20 14:33 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: test
Author: yun.zhou@windriver.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
* [syzbot] [block?] general protection fault in ublk_queue_rq
@ 2026-05-31 1:20 syzbot
2026-06-01 18:58 ` Forwarded: test syzbot
0 siblings, 1 reply; 21+ messages in thread
From: syzbot @ 2026-05-31 1:20 UTC (permalink / raw)
To: axboe, linux-block, linux-kernel, syzkaller-bugs, tom.leiming
Hello,
syzbot found the following issue on:
HEAD commit: 4b4362973b6f Merge branch 'for-next/core' into for-kernelci
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=165f17a6580000
kernel config: https://syzkaller.appspot.com/x/.config?x=f52fb4a6d220c448
dashboard link: https://syzkaller.appspot.com/bug?extid=415b9ec753cd2a196087
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15a33a0e580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=115f17a6580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/cdc9dd8cab69/disk-4b436297.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/6bb74747f86d/vmlinux-4b436297.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a20d7153214f/Image-4b436297.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+415b9ec753cd2a196087@syzkaller.appspotmail.com
Unable to handle kernel paging request at virtual address dfff800000000003
KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
Mem abort info:
ESR = 0x0000000096000005
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x05: level 1 translation fault
Data abort info:
ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
CM = 0, WnR = 0, TnD = 0, TagAccess = 0
GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[dfff800000000003] address between user and kernel address ranges
Internal error: Oops: 0000000096000005 [#1] SMP
Modules linked in:
CPU: 0 UID: 0 PID: 4778 Comm: kworker/0:3 Not tainted syzkaller #0 PREEMPT
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Workqueue: events ublk_partition_scan_work
pstate: 83400005 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
pc : ublk_queue_cmd drivers/block/ublk_drv.c:2095 [inline]
pc : ublk_queue_rq+0x114/0x1dc drivers/block/ublk_drv.c:2223
lr : ublk_queue_cmd drivers/block/ublk_drv.c:2092 [inline]
lr : ublk_queue_rq+0xec/0x1dc drivers/block/ublk_drv.c:2223
sp : ffff800099646b10
x29: ffff800099646b20 x28: ffff7000132c8d80 x27: ffff0000c610b280
x26: ffff0000c610b2c8 x25: 1fffe00018c21652 x24: dfff800000000000
x23: 0000000000000004 x22: 0000000000000002 x21: 0000000000000000
x20: ffff0000c610b280 x19: 0000000000000000 x18: 00000000ffffffff
x17: ffff80008a186c80 x16: ffff80008a4b54f8 x15: ffff0000d9c0c550
x14: ffff0000d9c0c530 x13: 0000000000000001 x12: 0000000000000000
x11: ffff80008a3fcd08 x10: 0000000000ff0100 x9 : 0000000000000000
x8 : 0000000000000003 x7 : 0000000000000000 x6 : 0000000000000000
x5 : 0000000000000001 x4 : 0000000000000008 x3 : ffff800082559f20
x2 : 0000000000000004 x1 : ffff0000d9c0ba00 x0 : 0000000000000018
Call trace:
ublk_queue_cmd drivers/block/ublk_drv.c:2095 [inline] (P)
ublk_queue_rq+0x114/0x1dc drivers/block/ublk_drv.c:2223 (P)
blk_mq_dispatch_rq_list+0x3bc/0x13a4 block/blk-mq.c:2148
__blk_mq_do_dispatch_sched block/blk-mq-sched.c:168 [inline]
blk_mq_do_dispatch_sched block/blk-mq-sched.c:182 [inline]
__blk_mq_sched_dispatch_requests+0xa40/0x10bc block/blk-mq-sched.c:307
blk_mq_sched_dispatch_requests+0xa4/0x154 block/blk-mq-sched.c:329
blk_mq_run_hw_queue+0x3c0/0x4dc block/blk-mq.c:2386
blk_mq_dispatch_list+0xa2c/0xb2c block/blk-mq.c:-1
blk_mq_flush_plug_list+0x3a4/0x484 block/blk-mq.c:2997
__blk_flush_plug+0x338/0x410 block/blk-core.c:1230
blk_finish_plug block/blk-core.c:1257 [inline]
__submit_bio+0x39c/0x478 block/blk-core.c:649
__submit_bio_noacct_mq block/blk-core.c:722 [inline]
submit_bio_noacct_nocheck+0x284/0xa98 block/blk-core.c:753
submit_bio_noacct+0xd90/0x1814 block/blk-core.c:884
submit_bio+0x38c/0x528 block/blk-core.c:926
blk_crypto_submit_bio include/linux/blk-crypto.h:203 [inline]
submit_bh_wbc+0x4b0/0x594 fs/buffer.c:2737
submit_bh fs/buffer.c:2742 [inline]
block_read_full_folio+0x69c/0x734 fs/buffer.c:2358
blkdev_read_folio+0x28/0x38 block/fops.c:494
filemap_read_folio+0xf0/0x2fc mm/filemap.c:2502
do_read_cache_folio+0x368/0x5b8 mm/filemap.c:4107
read_cache_folio+0x68/0x84 mm/filemap.c:4139
read_mapping_folio include/linux/pagemap.h:1017 [inline]
read_part_sector+0xcc/0x708 block/partitions/core.c:724
adfspart_check_ICS+0xa4/0x6fc block/partitions/acorn.c:356
check_partition block/partitions/core.c:143 [inline]
blk_add_partitions block/partitions/core.c:591 [inline]
bdev_disk_changed+0x6fc/0x11c8 block/partitions/core.c:695
ublk_partition_scan_work+0x74/0xf4 drivers/block/ublk_drv.c:2467
process_one_work kernel/workqueue.c:3314 [inline]
process_scheduled_works+0x79c/0x1098 kernel/workqueue.c:3397
worker_thread+0x754/0xba0 kernel/workqueue.c:3478
kthread+0x2f8/0x3c8 kernel/kthread.c:436
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:842
Code: 979832c3 f94002b5 910062a0 d343fc08 (38786908)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
0: 979832c3 bl 0xfffffffffe60cb0c
4: f94002b5 ldr x21, [x21]
8: 910062a0 add x0, x21, #0x18
c: d343fc08 lsr x8, x0, #3
* 10: 38786908 ldrb w8, [x8, x24] <-- trapping instruction
---
Thread overview: 21+ messages
2023-01-16 16:40 [Bridge] [syzbot] possible deadlock in br_multicast_rcv (3) syzbot
2023-01-16 16:40 ` syzbot
2023-10-02 13:08 ` [Bridge] [syzbot] [bridge?] " syzbot
2023-10-02 13:08 ` syzbot
2026-04-23 16:10 ` Forwarded: test syzbot
-- strict thread matches above, loose matches on Subject: below --
2024-10-03 19:10 [syzbot] [jfs?] UBSAN: array-index-out-of-bounds in dtInsertEntry syzbot
2025-11-18 14:11 ` Forwarded: test syzbot
2025-04-30 13:26 [syzbot] [jfs?] UBSAN: shift-out-of-bounds in jfs_statfs (3) syzbot
2025-11-20 15:15 ` Forwarded: test syzbot
2025-04-30 21:08 [syzbot] [jfs?] UBSAN: shift-out-of-bounds in dbSplit (3) syzbot
2025-11-19 2:55 ` Forwarded: test syzbot
2025-09-30 20:29 [syzbot] [rdma?] KMSAN: uninit-value in ib_nl_handle_ip_res_resp syzbot
2025-11-06 19:28 ` Forwarded: test syzbot
2025-11-01 17:24 [syzbot] [jfs?] stack segment fault in dbUpdatePMap syzbot
2025-11-10 11:30 ` Forwarded: test syzbot
2025-11-07 7:29 [syzbot] [jfs?] general protection fault in txCommit (2) syzbot
2025-11-14 13:48 ` Forwarded: test syzbot
2025-11-14 14:36 ` syzbot
2026-05-18 1:17 [syzbot] [media?] KASAN: slab-use-after-free Read in dvb_frontend_open syzbot
2026-05-18 11:19 ` Forwarded: test syzbot
2026-05-19 0:36 ` syzbot
2026-05-19 11:56 [syzbot] [net?] WARNING in netif_rx_mode_run syzbot
2026-05-19 12:49 ` Forwarded: test syzbot
2026-05-20 9:34 ` syzbot
2026-05-19 18:53 [syzbot] [net?] possible deadlock in __sk_receive_skb syzbot
2026-05-20 2:05 ` Forwarded: test syzbot
2026-05-20 9:15 ` syzbot
2026-05-20 10:27 ` syzbot
2026-05-20 14:33 ` syzbot
2026-05-31 1:20 [syzbot] [block?] general protection fault in ublk_queue_rq syzbot
2026-06-01 18:58 ` Forwarded: test syzbot