Forwarded:

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: purvayeshi550@gmail.com

#syz test

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: purvayeshi550@gmail.com

#syz test

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: purvayeshi550@gmail.com

#syz test

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: purvayeshi550@gmail.com

#syz-test

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix: bcachefs: Move bset size check before csum check

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix: bcachefs: fix assert in bch2_btree_path_traverse_cached()

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix: bcachefs: Fix __bch2_alloc_to_v4 copy

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix:  bcachefs: fix the memory leak in exception case

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz set subsystems: net

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz set subsystems: mm

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz set subsystems: mm

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz set subsystems: mm

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix: bcachefs: Don't trust sb->nr_devices in members_to_text()

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: purvayeshi550@gmail.com

#syz-test

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: purvayeshi550@gmail.com

#syz-test

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix:  bcachefs: Fix possible console lock involved deadlock

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz set subsystems: block

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix: bcachefs: Move bset size check before csum check

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix: bcachefs: Move bset size check before csum check

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix: bcachefs: Don't allow mounting with crazy numbers of dirty journal entries

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz set subsystems: bluetooth

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix: bcachefs: Add missing validation for superblock section clean

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix:  bcachefs: btree_iter: fix updates, journal overlay

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix:  bcachefs: journal_entry_btree_keys_to_text() is more careful

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz set subsystems: block fs

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix: bcachefs: Fix possible console lock involved deadlock

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix: bcachefs: Fix possible console lock involved deadlock

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix: mm: memory: extend finish_fault() to support large folio

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix: bcachefs: Increase BCH_MIN_NR_NBUCKETS

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix: bcachefs: Increase BCH_MIN_NR_NBUCKETS

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix:  bcachefs: Increase BCH_MIN_NR_NBUCKETS

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix: bcachefs: Increase BCH_MIN_NR_NBUCKETS

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix:  bcachefs: Add missing ei_last_dirtied update

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz set subsystems: afs

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix: bcachefs: btree_check_root_boundaries()

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix: bcachefs: Fix incorrect transaction handling

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix:  bcachefs: Ignore accounting key type larger than BCH_DISK_ACCOUNTING_TYPE_NR

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: kent.overstreet@linux.dev

#syz fix: bcachefs: Don't lock inode around page_symlink

[syzbot] [net?] [nfc?] KMSAN: uninit-value in nci_dev_up (2)

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    89748acdf226 Merge tag 'drm-next-2025-08-01' of https://gi..
git tree:       upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=165cfcf0580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=7ff65239b4835001
dashboard link: https://syzkaller.appspot.com/bug?extid=740e04c2a93467a0f8c8
compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=10b88042580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=115cfcf0580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ce090dd92dc2/disk-89748acd.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/32b5903a7759/vmlinux-89748acd.xz
kernel image: https://storage.googleapis.com/syzbot-assets/dc68a867773d/bzImage-89748acd.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+740e04c2a93467a0f8c8@syzkaller.appspotmail.com

=====================================================
BUG: KMSAN: uninit-value in nci_init_req net/nfc/nci/core.c:177 [inline]
BUG: KMSAN: uninit-value in __nci_request net/nfc/nci/core.c:108 [inline]
BUG: KMSAN: uninit-value in nci_open_device net/nfc/nci/core.c:521 [inline]
BUG: KMSAN: uninit-value in nci_dev_up+0x13a2/0x1ba0 net/nfc/nci/core.c:632
 nci_init_req net/nfc/nci/core.c:177 [inline]
 __nci_request net/nfc/nci/core.c:108 [inline]
 nci_open_device net/nfc/nci/core.c:521 [inline]
 nci_dev_up+0x13a2/0x1ba0 net/nfc/nci/core.c:632
 nfc_dev_up+0x201/0x3d0 net/nfc/core.c:118
 nfc_genl_dev_up+0xe9/0x1c0 net/nfc/netlink.c:775
 genl_family_rcv_msg_doit+0x335/0x3f0 net/netlink/genetlink.c:1115
 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
 genl_rcv_msg+0xacf/0xc10 net/netlink/genetlink.c:1210
 netlink_rcv_skb+0x54a/0x680 net/netlink/af_netlink.c:2552
 genl_rcv+0x41/0x60 net/netlink/genetlink.c:1219
 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
 netlink_unicast+0xf04/0x12b0 net/netlink/af_netlink.c:1346
 netlink_sendmsg+0x10b3/0x1250 net/netlink/af_netlink.c:1896
 sock_sendmsg_nosec net/socket.c:714 [inline]
 __sock_sendmsg+0x333/0x3d0 net/socket.c:729
 ____sys_sendmsg+0x7e0/0xd80 net/socket.c:2614
 ___sys_sendmsg+0x271/0x3b0 net/socket.c:2668
 __sys_sendmsg net/socket.c:2700 [inline]
 __do_sys_sendmsg net/socket.c:2705 [inline]
 __se_sys_sendmsg net/socket.c:2703 [inline]
 __x64_sys_sendmsg+0x211/0x3e0 net/socket.c:2703
 x64_sys_call+0x1dfd/0x3e20 arch/x86/include/generated/asm/syscalls_64.h:47
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
------------[ cut here ]------------
WARNING: CPU: 1 PID: 6169 at kernel/stacktrace.c:29 stack_trace_print+0xd4/0xf0 kernel/stacktrace.c:29
Modules linked in:
CPU: 1 UID: 0 PID: 6169 Comm: syz-executor421 Not tainted 6.16.0-syzkaller-10499-g89748acdf226 #0 PREEMPT(none) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:stack_trace_print+0xd4/0xf0 kernel/stacktrace.c:29
Code: 8f bc 03 92 89 de ba 20 00 00 00 4c 89 e1 e8 c3 5d 4d ff 49 83 c6 08 49 ff cd 0f 85 6e ff ff ff eb 0b e8 ff 26 c3 00 eb d4 90 <0f> 0b 90 5b 41 5c 41 5d 41 5e 41 5f 5d e9 9a 33 07 0f cc 66 0f 1f
RSP: 0018:ffff8881343b31c8 EFLAGS: 00010246
RAX: ffff888114afac20 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff8881343b31f0 R08: 0000000000000000 R09: 0000000000000000
R10: ffff888133bb3208 R11: 0000000000000001 R12: 0000000000000000
R13: 00000000abcd0100 R14: 0000000000000000 R15: 0000000000000000
FS:  00007f0c264ae6c0(0000) GS:ffff8881aa9a5000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f0c26531650 CR3: 00000001193c6000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 kmsan_print_origin+0xb0/0x340 mm/kmsan/report.c:133
 kmsan_report+0x1d3/0x320 mm/kmsan/report.c:196
 __msan_warning+0x1b/0x30 mm/kmsan/instrumentation.c:315
 nci_init_req net/nfc/nci/core.c:177 [inline]
 __nci_request net/nfc/nci/core.c:108 [inline]
 nci_open_device net/nfc/nci/core.c:521 [inline]
 nci_dev_up+0x13a2/0x1ba0 net/nfc/nci/core.c:632
 nfc_dev_up+0x201/0x3d0 net/nfc/core.c:118
 nfc_genl_dev_up+0xe9/0x1c0 net/nfc/netlink.c:775
 genl_family_rcv_msg_doit+0x335/0x3f0 net/netlink/genetlink.c:1115
 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
 genl_rcv_msg+0xacf/0xc10 net/netlink/genetlink.c:1210
 netlink_rcv_skb+0x54a/0x680 net/netlink/af_netlink.c:2552
 genl_rcv+0x41/0x60 net/netlink/genetlink.c:1219
 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
 netlink_unicast+0xf04/0x12b0 net/netlink/af_netlink.c:1346
 netlink_sendmsg+0x10b3/0x1250 net/netlink/af_netlink.c:1896
 sock_sendmsg_nosec net/socket.c:714 [inline]
 __sock_sendmsg+0x333/0x3d0 net/socket.c:729
 ____sys_sendmsg+0x7e0/0xd80 net/socket.c:2614
 ___sys_sendmsg+0x271/0x3b0 net/socket.c:2668
 __sys_sendmsg net/socket.c:2700 [inline]
 __do_sys_sendmsg net/socket.c:2705 [inline]
 __se_sys_sendmsg net/socket.c:2703 [inline]
 __x64_sys_sendmsg+0x211/0x3e0 net/socket.c:2703
 x64_sys_call+0x1dfd/0x3e20 arch/x86/include/generated/asm/syscalls_64.h:47
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f0c264f62c9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 01 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f0c264ae218 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f0c2657f368 RCX: 00007f0c264f62c9
RDX: 0000000000000000 RSI: 0000200000000140 RDI: 0000000000000004
RBP: 00007f0c2657f360 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f0c2654c074
R13: 0000200000000150 R14: 00002000000000c0 R15: 0000200000000300
 </TASK>
---[ end trace 0000000000000000 ]---

Uninit was stored to memory at:
 nci_core_reset_ntf_packet net/nfc/nci/ntf.c:36 [inline]
 nci_ntf_packet+0x179d/0x42b0 net/nfc/nci/ntf.c:812
 nci_rx_work+0x403/0x750 net/nfc/nci/core.c:1555
 process_one_work kernel/workqueue.c:3236 [inline]
 process_scheduled_works+0xb8e/0x1d80 kernel/workqueue.c:3319
 worker_thread+0xedf/0x1590 kernel/workqueue.c:3400
 kthread+0xd5c/0xf00 kernel/kthread.c:464
 ret_from_fork+0x1e0/0x310 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Uninit was created at:
 slab_post_alloc_hook mm/slub.c:4186 [inline]
 slab_alloc_node mm/slub.c:4229 [inline]
 kmem_cache_alloc_node_noprof+0x818/0xf00 mm/slub.c:4281
 kmalloc_reserve+0x13c/0x4b0 net/core/skbuff.c:578
 __alloc_skb+0x347/0x7d0 net/core/skbuff.c:669
 alloc_skb include/linux/skbuff.h:1336 [inline]
 virtual_ncidev_write+0x6b/0x430 drivers/nfc/virtual_ncidev.c:120
 vfs_write+0x463/0x1580 fs/read_write.c:684
 ksys_write fs/read_write.c:738 [inline]
 __do_sys_write fs/read_write.c:749 [inline]
 __se_sys_write fs/read_write.c:746 [inline]
 __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746
 x64_sys_call+0x3014/0x3e20 arch/x86/include/generated/asm/syscalls_64.h:2
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

CPU: 1 UID: 0 PID: 6169 Comm: syz-executor421 Tainted: G        W           6.16.0-syzkaller-10499-g89748acdf226 #0 PREEMPT(none) 
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
=====================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: abinashsinghlalotra@gmail.com

#syz test

--- a/drivers/net/usb/asix_devices.c
+++ b/drivers/net/usb/asix_devices.c
@@ -872,6 +872,11 @@ static int ax88772_bind(struct usbnet *dev, struct
usb_interface *intf)
        if (ret < 0)
                return ret;

+ if (ret >= 32) {
+ netdev_warn(dev->net, "Invalid PHY address %d, clamping\n", ret);
+ return -EINVAL;
+ }
+
        priv->phy_addr = ret;
        priv->embd_phy = ((priv->phy_addr & 0x1f) == AX_EMBD_PHY_ADDR);


--

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: abinashsinghlalotra@gmail.com

#syz test

--- a/fs/overlayfs/dir.c
+++ b/fs/overlayfs/dir.c
@@ -33,6 +33,12 @@ static int ovl_cleanup_locked(struct dentry *workdir,
struct dentry *dentry)
        struct inode *dir = d_inode(workdir);
        struct inode *inode = d_inode(dentry);

+ /* Avoid unlinking an already unlinked inode */
+ if (inode && inode->i_nlink == 0) {
+ d_drop(dentry);
+ return 0;
+ }
+
        if (ovl_is_whiteout(dentry))
                return ovl_remove_and_whiteout(workdir, dentry, true);

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: nogikh@google.com

No longer relevant
#syz invalid

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: nogikh@google.com

no longer relevant

#syz invalid

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: nogikh@google.com

#syz invalid

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: deepak.takumi.120@gmail.com

#syz test

Forwarded: Re: [syzbot] [net?] [nfc?] KMSAN: uninit-value in nci_dev_up (2)

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Re: [syzbot] [net?] [nfc?] KMSAN: uninit-value in nci_dev_up (2)
Author: deepak.takumi.120@gmail.com

#syz test

On Wed, Sep 17, 2025 at 6:40 PM Cortex Auth <deepak.takumi.120@gmail.com> wrote:
>
>

Forwarded: Re: [syzbot] [net?] [nfc?] KMSAN: uninit-value in nci_dev_up (2)

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Re: [syzbot] [net?] [nfc?] KMSAN: uninit-value in nci_dev_up (2)
Author: deepak.takumi.120@gmail.com

#syz test

On Wed, Sep 17, 2025 at 7:25 PM syzbot
<syzbot+740e04c2a93467a0f8c8@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot has tested the proposed patch and the reproducer did not trigger any issue:
>
> Reported-by: syzbot+740e04c2a93467a0f8c8@syzkaller.appspotmail.com
> Tested-by: syzbot+740e04c2a93467a0f8c8@syzkaller.appspotmail.com
>
> Tested on:
>
> commit:         5aca7966 Merge tag 'perf-tools-fixes-for-v6.17-2025-09..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=14cd8c7c580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=1b093ccee5a9e08c
> dashboard link: https://syzkaller.appspot.com/bug?extid=740e04c2a93467a0f8c8
> compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
> patch:          https://syzkaller.appspot.com/x/patch.diff?x=13dfaf62580000
>
> Note: testing is done by a robot and is best-effort only.
>
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@googlegroups.com.
> To view this discussion visit https://groups.google.com/d/msgid/syzkaller-bugs/68cabdb6.050a0220.3c6139.0fa6.GAE%40google.com.

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: 
Author: kriish.sharma2006@gmail.com

#syz test

diff --git a/fs/gfs2/rgrp.c b/fs/gfs2/rgrp.c
index 26d6c1eea559..a879e8030568 100644
--- a/fs/gfs2/rgrp.c
+++ b/fs/gfs2/rgrp.c
@@ -760,7 +760,7 @@ static int compute_bitstructs(struct gfs2_rgrpd *rgd)
        u32 bytes_left, bytes;
        int x;

-       if (!length)
+       if (!length || length > KMALLOC_MAX_SIZE / sizeof(struct
gfs2_bitmap))
                return -EINVAL;

        rgd->rd_bits = kcalloc(length, sizeof(struct gfs2_bitmap),
GFP_NOFS);

Forwarded: Re: [syzbot] [net?] [nfc?] KMSAN: uninit-value in nci_dev_up (2)

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Re: [syzbot] [net?] [nfc?] KMSAN: uninit-value in nci_dev_up (2)
Author: deepak.takumi.120@gmail.com

#syz test

On Thu, Sep 18, 2025 at 11:29 PM syzbot
<syzbot+740e04c2a93467a0f8c8@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot has tested the proposed patch and the reproducer did not trigger any issue:
>
> Reported-by: syzbot+740e04c2a93467a0f8c8@syzkaller.appspotmail.com
> Tested-by: syzbot+740e04c2a93467a0f8c8@syzkaller.appspotmail.com
>
> Tested on:
>
> commit:         86cc796e Merge tag 'for-linus' of git://git.kernel.org..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=13d94712580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=1b093ccee5a9e08c
> dashboard link: https://syzkaller.appspot.com/bug?extid=740e04c2a93467a0f8c8
> compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
> patch:          https://syzkaller.appspot.com/x/patch.diff?x=162bdf62580000
>
> Note: testing is done by a robot and is best-effort only.
>
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@googlegroups.com.
> To view this discussion visit https://groups.google.com/d/msgid/syzkaller-bugs/68cc4866.050a0220.28a605.000a.GAE%40google.com.

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: nooraineqbal@gmail.com

#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master

Resending this patch in the existing thread with a '#syz test:' directive
so syzbot can test it.

From 1bb35c6722b8fb03e9262f6e6530d240629a44df Mon Sep 17 00:00:00 2001
From: neqbal <nooraineqbal@gmail.com>
Date: Sun, 28 Sep 2025 03:52:44 +0530
Subject: [PATCH] x86/mm: Fix off-by-one error in set_memory

Correct end page calculation by subtracting 1 to prevent
out-of-bounds access.

Reported-by: syzbot+e34177f6091df113ef20@syzkaller.appspotmail.com
Signed-off-by: neqbal <nooraineqbal@gmail.com>
---
 arch/x86/mm/pat/set_memory.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/mm/pat/set_memory.c b/arch/x86/mm/pat/set_memory.c
index d2d54b8c4dbb..daefc96403f1 100644
--- a/arch/x86/mm/pat/set_memory.c
+++ b/arch/x86/mm/pat/set_memory.c
@@ -446,7 +446,7 @@ static void cpa_flush(struct cpa_data *cpa, int cache)
 	}
 
 	start = fix_addr(__cpa_addr(cpa, 0));
-	end =   fix_addr(__cpa_addr(cpa, cpa->numpages));
+	end =   fix_addr(__cpa_addr(cpa, cpa->numpages - 1));
 	if (cpa->force_flush_all)
 		end = TLB_FLUSH_ALL;
 
-- 
2.51.0

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: jkoolstra@xs4all.nl

#syz test


 fs/ntfs3/index.c | 10 +++++-----
 fs/ntfs3/ntfs.h  |  5 ++++-
 2 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/fs/ntfs3/index.c b/fs/ntfs3/index.c
index 6d1bf890929d..2e512abc7000 100644
--- a/fs/ntfs3/index.c
+++ b/fs/ntfs3/index.c
@@ -1808,7 +1808,7 @@ indx_insert_into_buffer(struct ntfs_index *indx, struct ntfs_inode *ni,
 	CLST new_vbn;
 	__le64 t_vbn, *sub_vbn;
 	u16 sp_size;
-	void *hdr1_saved = NULL;
+	void *blk1_saved = NULL;
 
 	/* Try the most easy case. */
 	e = fnd->level - 1 == level ? fnd->de[level] : NULL;
@@ -1842,8 +1842,8 @@ indx_insert_into_buffer(struct ntfs_index *indx, struct ntfs_inode *ni,
 	memcpy(up_e, sp, sp_size);
 
 	used1 = le32_to_cpu(hdr1->used);
-	hdr1_saved = kmemdup(hdr1, used1, GFP_NOFS);
-	if (!hdr1_saved) {
+	blk1_saved = kmemdup(&n1->index->blk, used1, GFP_NOFS);
+	if (!blk1_saved) {
 		err = -ENOMEM;
 		goto out;
 	}
@@ -1924,13 +1924,13 @@ indx_insert_into_buffer(struct ntfs_index *indx, struct ntfs_inode *ni,
 		 * Undo critical operations.
 		 */
 		indx_mark_free(indx, ni, new_vbn >> indx->idx2vbn_bits);
-		memcpy(hdr1, hdr1_saved, used1);
+		memcpy(&n1->index->blk, blk1_saved, used1);
 		indx_write(indx, ni, n1, 0);
 	}
 
 out:
 	kfree(up_e);
-	kfree(hdr1_saved);
+	kfree(blk1_saved);
 
 	return err;
 }
diff --git a/fs/ntfs3/ntfs.h b/fs/ntfs3/ntfs.h
index 552b97905813..d5e2b22eacd7 100644
--- a/fs/ntfs3/ntfs.h
+++ b/fs/ntfs3/ntfs.h
@@ -754,7 +754,10 @@ static inline bool hdr_has_subnode(const struct INDEX_HDR *hdr)
 struct INDEX_BUFFER {
 	struct NTFS_RECORD_HEADER rhdr; // 'INDX'
 	__le64 vbn; // 0x10: vcn if index >= cluster or vsn id index < cluster
-	struct INDEX_HDR ihdr; // 0x18:
+	struct_group(blk,
+		struct INDEX_HDR ihdr; // 0x18:
+	        u8 data[]; // NTFS_DE entries
+	);
 };
 
 static_assert(sizeof(struct INDEX_BUFFER) == 0x28);
-- 
2.51.0

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: 
Author: jkoolstra@xs4all.nl

#syz test

---
 fs/jfs/namei.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/fs/jfs/namei.c b/fs/jfs/namei.c
index 65a218eba8fa..37cd16a423c5 100644
--- a/fs/jfs/namei.c
+++ b/fs/jfs/namei.c
@@ -1228,7 +1228,7 @@ static int jfs_rename(struct mnt_idmap *idmap, struct inode *old_dir,
 				jfs_err("jfs_rename: dtInsert returned -EIO");
 			goto out_tx;
 		}
-		if (S_ISDIR(old_ip->i_mode))
+		if (S_ISDIR(old_ip->i_mode) && old_dir != new_dir)
 			inc_nlink(new_dir);
 	}
 	/*
@@ -1244,8 +1244,9 @@ static int jfs_rename(struct mnt_idmap *idmap, struct inode *old_dir,
 		goto out_tx;
 	}
 	if (S_ISDIR(old_ip->i_mode)) {
-		drop_nlink(old_dir);
 		if (old_dir != new_dir) {
+			drop_nlink(old_dir);
+
 			/*
 			 * Change inode number of parent for moved directory
 			 */
-- 
2.51.0

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: 
Author: jkoolstra@xs4all.nl

#syz test

---
 fs/jfs/namei.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/fs/jfs/namei.c b/fs/jfs/namei.c
index 65a218eba8fa..7879c049632b 100644
--- a/fs/jfs/namei.c
+++ b/fs/jfs/namei.c
@@ -1228,7 +1228,7 @@ static int jfs_rename(struct mnt_idmap *idmap, struct inode *old_dir,
 				jfs_err("jfs_rename: dtInsert returned -EIO");
 			goto out_tx;
 		}
-		if (S_ISDIR(old_ip->i_mode))
+		if (S_ISDIR(old_ip->i_mode) && old_dir != new_dir)
 			inc_nlink(new_dir);
 	}
 	/*
@@ -1244,7 +1244,9 @@ static int jfs_rename(struct mnt_idmap *idmap, struct inode *old_dir,
 		goto out_tx;
 	}
 	if (S_ISDIR(old_ip->i_mode)) {
-		drop_nlink(old_dir);
+		if (new_ip || old_dir != new_dir)
+			drop_nlink(old_dir);
+
 		if (old_dir != new_dir) {
 			/*
 			 * Change inode number of parent for moved directory
-- 
2.51.0

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: 
Author: jkoolstra@xs4all.nl

#syz test

---
fs/minix/namei.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/minix/namei.c b/fs/minix/namei.c
index 8938536d8d3c..86779a6ec1a7 100644
--- a/fs/minix/namei.c
+++ b/fs/minix/namei.c
@@ -224,7 +224,7 @@ static int minix_rename(struct mnt_idmap *idmap,
err = minix_add_link(new_dentry, old_inode);
if (err)
goto out_dir;
- if (dir_de)
+ if (dir_de && old_dir != new_dir)
inode_inc_link_count(new_dir);
}
@@ -236,7 +236,7 @@ static int minix_rename(struct mnt_idmap *idmap,
if (dir_de) {
err = minix_set_link(dir_de, dir_folio, new_dir);
- if (!err)
+ if (!err && (new_inode || old_dir != new_dir))
inode_dec_link_count(old_dir);
}
out_dir:
-- 
2.51.0

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: 
Author: jkoolstra@xs4all.nl

#syz test

---
 fs/minix/inode.c | 14 ++++++++++++++
 fs/minix/namei.c | 22 ++++++++++++++--------
 2 files changed, 28 insertions(+), 8 deletions(-)

diff --git a/fs/minix/inode.c b/fs/minix/inode.c
index f007e389d5d2..e27907fc9bf2 100644
--- a/fs/minix/inode.c
+++ b/fs/minix/inode.c
@@ -517,6 +517,13 @@ static struct inode *V1_minix_iget(struct inode *inode)
 		iget_failed(inode);
 		return ERR_PTR(-ESTALE);
 	}
+	if (S_ISDIR(raw_inode->i_mode) && raw_inode->i_nlinks == 1) {
+		printk("MINIX-fs: directory inode (%lu) has single i_nlink\n",
+		       inode->i_ino);
+		brelse(bh);
+		iget_failed(inode);
+		return ERR_PTR(-EIO);
+	}
 	inode->i_mode = raw_inode->i_mode;
 	i_uid_write(inode, raw_inode->i_uid);
 	i_gid_write(inode, raw_inode->i_gid);
@@ -555,6 +562,13 @@ static struct inode *V2_minix_iget(struct inode *inode)
 		iget_failed(inode);
 		return ERR_PTR(-ESTALE);
 	}
+	if (S_ISDIR(raw_inode->i_mode) && raw_inode->i_nlinks == 1) {
+		printk("MINIX-fs: directory inode (%lu) has single i_nlink\n",
+		       inode->i_ino);
+		brelse(bh);
+		iget_failed(inode);
+		return ERR_PTR(-EIO);
+	}
 	inode->i_mode = raw_inode->i_mode;
 	i_uid_write(inode, raw_inode->i_uid);
 	i_gid_write(inode, raw_inode->i_gid);
diff --git a/fs/minix/namei.c b/fs/minix/namei.c
index 8938536d8d3c..8297ee6651a1 100644
--- a/fs/minix/namei.c
+++ b/fs/minix/namei.c
@@ -161,15 +161,21 @@ static int minix_unlink(struct inode * dir, struct dentry *dentry)
 static int minix_rmdir(struct inode * dir, struct dentry *dentry)
 {
 	struct inode * inode = d_inode(dentry);
-	int err = -ENOTEMPTY;
-
-	if (minix_empty_dir(inode)) {
-		err = minix_unlink(dir, dentry);
-		if (!err) {
-			inode_dec_link_count(dir);
-			inode_dec_link_count(inode);
-		}
+	int err = -EIO;
+
+	if (dir->i_nlink <= 2)
+		goto out;
+
+	err = -ENOTEMPTY;
+	if (!minix_empty_dir(inode))
+		goto out;
+
+	err = minix_unlink(dir, dentry);
+	if (!err) {
+		inode_dec_link_count(dir);
+		inode_dec_link_count(inode);
 	}
+out:
 	return err;
 }
 
-- 
2.51.0

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: jkoolstra@xs4all.nl

#syz test

---
 fs/minix/inode.c | 14 ++++++++++++++
 fs/minix/namei.c | 22 ++++++++++++++--------
 2 files changed, 28 insertions(+), 8 deletions(-)

diff --git a/fs/minix/inode.c b/fs/minix/inode.c
index f007e389d5d2..e27907fc9bf2 100644
--- a/fs/minix/inode.c
+++ b/fs/minix/inode.c
@@ -517,6 +517,13 @@ static struct inode *V1_minix_iget(struct inode *inode)
 		iget_failed(inode);
 		return ERR_PTR(-ESTALE);
 	}
+	if (S_ISDIR(raw_inode->i_mode) && raw_inode->i_nlinks == 1) {
+		printk("MINIX-fs: directory inode (%lu) has single i_nlink\n",
+		       inode->i_ino);
+		brelse(bh);
+		iget_failed(inode);
+		return ERR_PTR(-EIO);
+	}
 	inode->i_mode = raw_inode->i_mode;
 	i_uid_write(inode, raw_inode->i_uid);
 	i_gid_write(inode, raw_inode->i_gid);
@@ -555,6 +562,13 @@ static struct inode *V2_minix_iget(struct inode *inode)
 		iget_failed(inode);
 		return ERR_PTR(-ESTALE);
 	}
+	if (S_ISDIR(raw_inode->i_mode) && raw_inode->i_nlinks == 1) {
+		printk("MINIX-fs: directory inode (%lu) has single i_nlink\n",
+		       inode->i_ino);
+		brelse(bh);
+		iget_failed(inode);
+		return ERR_PTR(-EIO);
+	}
 	inode->i_mode = raw_inode->i_mode;
 	i_uid_write(inode, raw_inode->i_uid);
 	i_gid_write(inode, raw_inode->i_gid);
diff --git a/fs/minix/namei.c b/fs/minix/namei.c
index 8938536d8d3c..8297ee6651a1 100644
--- a/fs/minix/namei.c
+++ b/fs/minix/namei.c
@@ -161,15 +161,21 @@ static int minix_unlink(struct inode * dir, struct dentry *dentry)
 static int minix_rmdir(struct inode * dir, struct dentry *dentry)
 {
 	struct inode * inode = d_inode(dentry);
-	int err = -ENOTEMPTY;
-
-	if (minix_empty_dir(inode)) {
-		err = minix_unlink(dir, dentry);
-		if (!err) {
-			inode_dec_link_count(dir);
-			inode_dec_link_count(inode);
-		}
+	int err = -EIO;
+
+	if (dir->i_nlink <= 2)
+		goto out;
+
+	err = -ENOTEMPTY;
+	if (!minix_empty_dir(inode))
+		goto out;
+
+	err = minix_unlink(dir, dentry);
+	if (!err) {
+		inode_dec_link_count(dir);
+		inode_dec_link_count(inode);
 	}
+out:
 	return err;
 }
 
-- 
2.51.0

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: clf700383@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git master

From 6dc2deb09faf7d53707cc9e75e175b09644fd181 Mon Sep 17 00:00:00 2001
From: clingfei <clf700383@gmail.com>
Date: Mon, 20 Oct 2025 13:48:54 +0800
Subject: [PATCH] fix integer overflow in set_ipsecrequest

syzbot reported a kernel BUG in set_ipsecrequest() due to an skb_over_panic.

The mp->new_family and mp->old_family is u16, while set_ipsecrequest receives
family as uint8_t,  causing a integer overflow and the later size_req calculation
error, which exceeds the size used in alloc_skb, and ultimately triggered the
kernel bug in skb_put.

Reported-by: syzbot+be97dd4da14ae88b6ba4@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=be97dd4da14ae88b6ba4
Signed-off-by: Cheng Lingfei <clf700383@gmail.com>
---
 net/key/af_key.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/key/af_key.c b/net/key/af_key.c
index 2ebde0352245..08f4cde01994 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -3518,7 +3518,7 @@ static int set_sadb_kmaddress(struct sk_buff *skb, const struct xfrm_kmaddress *
 
 static int set_ipsecrequest(struct sk_buff *skb,
 			    uint8_t proto, uint8_t mode, int level,
-			    uint32_t reqid, uint8_t family,
+			    uint32_t reqid, uint16_t family,
 			    const xfrm_address_t *src, const xfrm_address_t *dst)
 {
 	struct sadb_x_ipsecrequest *rq;
-- 
2.34.1

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: 
Author: zlatistiv@gmail.com

#syz test

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: 
Author: kubik.bartlomiej@gmail.com

#syz test

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: 
Author: jkoolstra@xs4all.nl

#syz test

diff --git a/fs/jfs/jfs_dtree.c b/fs/jfs/jfs_dtree.c
index 0ab83bb7bbdf..07dd01c79ca2 100644
--- a/fs/jfs/jfs_dtree.c
+++ b/fs/jfs/jfs_dtree.c
@@ -170,8 +170,8 @@ static void dtGetKey(dtpage_t * p, int i, struct component_name * key,
 static int ciGetLeafPrefixKey(dtpage_t * lp, int li, dtpage_t * rp,
 			      int ri, struct component_name * key, int flag);
 
-static void dtInsertEntry(dtpage_t * p, int index, struct component_name * key,
-			  ddata_t * data, struct dt_lock **);
+static int dtInsertEntry(dtpage_t * p, int index, struct component_name * key,
+			 ddata_t * data, struct dt_lock **);
 
 static void dtMoveEntry(dtpage_t * sp, int si, dtpage_t * dp,
 			struct dt_lock ** sdtlock, struct dt_lock ** ddtlock,
@@ -891,7 +891,8 @@ int dtInsert(tid_t tid, struct inode *ip,
 	lv->length = 1;
 	dtlck->index++;
 
-	dtInsertEntry(p, index, name, &data, &dtlck);
+	if (!(rc = dtInsertEntry(p, index, name, &data, &dtlck)))
+		return rc;
 
 	/* linelock stbl of non-root leaf page */
 	if (!(p->header.flag & BT_ROOT)) {
@@ -3627,7 +3628,7 @@ static void dtGetKey(dtpage_t * p, int i,	/* entry index */
  *
  * return: entry slot index
  */
-static void dtInsertEntry(dtpage_t * p, int index, struct component_name * key,
+static int dtInsertEntry(dtpage_t * p, int index, struct component_name * key,
 			  ddata_t * data, struct dt_lock ** dtlock)
 {
 	struct dtslot *h, *t;
@@ -3649,6 +3650,10 @@ static void dtInsertEntry(dtpage_t * p, int index, struct component_name * key,
 
 	/* allocate a free slot */
 	hsi = fsi = p->header.freelist;
+	if (fsi >= p->header.maxslot) {
+		jfs_err("Encountered corrupted dtpage before insert");
+		return -EIO;
+	}
 	h = &p->slot[fsi];
 	p->header.freelist = h->next;
 	--p->header.freecnt;
@@ -3697,6 +3702,10 @@ static void dtInsertEntry(dtpage_t * p, int index, struct component_name * key,
 	while (klen) {
 		/* get free slot */
 		fsi = p->header.freelist;
+		if (fsi >= p->header.maxslot) {
+			jfs_err("Encountered corrupted dtpage before insert");
+			return -EIO;
+		}
 		t = &p->slot[fsi];
 		p->header.freelist = t->next;
 		--p->header.freecnt;
@@ -3774,6 +3783,8 @@ static void dtInsertEntry(dtpage_t * p, int index, struct component_name * key,
 
 	/* advance next available entry index of stbl */
 	++p->header.nextindex;
+
+	return 0;
 }

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: 
Author: jkoolstra@xs4all.nl

#syz test

---
 fs/jfs/jfs_dtree.c | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)

diff --git a/fs/jfs/jfs_dtree.c b/fs/jfs/jfs_dtree.c
index 0ab83bb7bbdf..e919de01c42a 100644
--- a/fs/jfs/jfs_dtree.c
+++ b/fs/jfs/jfs_dtree.c
@@ -170,8 +170,8 @@ static void dtGetKey(dtpage_t * p, int i, struct component_name * key,
 static int ciGetLeafPrefixKey(dtpage_t * lp, int li, dtpage_t * rp,
 			      int ri, struct component_name * key, int flag);
 
-static void dtInsertEntry(dtpage_t * p, int index, struct component_name * key,
-			  ddata_t * data, struct dt_lock **);
+static int dtInsertEntry(dtpage_t * p, int index, struct component_name * key,
+			 ddata_t * data, struct dt_lock **);
 
 static void dtMoveEntry(dtpage_t * sp, int si, dtpage_t * dp,
 			struct dt_lock ** sdtlock, struct dt_lock ** ddtlock,
@@ -891,7 +891,8 @@ int dtInsert(tid_t tid, struct inode *ip,
 	lv->length = 1;
 	dtlck->index++;
 
-	dtInsertEntry(p, index, name, &data, &dtlck);
+	if (!(rc = dtInsertEntry(p, index, name, &data, &dtlck)))
+		return rc;
 
 	/* linelock stbl of non-root leaf page */
 	if (!(p->header.flag & BT_ROOT)) {
@@ -3625,9 +3626,10 @@ static void dtGetKey(dtpage_t * p, int i,	/* entry index */
  * function: allocate free slot(s) and
  *	     write a leaf/internal entry
  *
- * return: entry slot index
+ * * return: 0 - success;
+ *	   errno - failure;
  */
-static void dtInsertEntry(dtpage_t * p, int index, struct component_name * key,
+static int dtInsertEntry(dtpage_t * p, int index, struct component_name * key,
 			  ddata_t * data, struct dt_lock ** dtlock)
 {
 	struct dtslot *h, *t;
@@ -3649,6 +3651,10 @@ static void dtInsertEntry(dtpage_t * p, int index, struct component_name * key,
 
 	/* allocate a free slot */
 	hsi = fsi = p->header.freelist;
+	if (fsi >= ((p->header.flag & BT_ROOT) ? DTROOTMAXSLOT : p->header.maxslot)) {
+		jfs_err("Encountered corrupted dtpage before insert");
+		return -EIO;
+	}
 	h = &p->slot[fsi];
 	p->header.freelist = h->next;
 	--p->header.freecnt;
@@ -3697,6 +3703,10 @@ static void dtInsertEntry(dtpage_t * p, int index, struct component_name * key,
 	while (klen) {
 		/* get free slot */
 		fsi = p->header.freelist;
+		if (fsi >= ((p->header.flag & BT_ROOT) ? DTROOTMAXSLOT : p->header.maxslot)) {
+			jfs_err("Encountered corrupted dtpage before insert");
+			return -EIO;
+		}
 		t = &p->slot[fsi];
 		p->header.freelist = t->next;
 		--p->header.freecnt;
@@ -3774,6 +3784,8 @@ static void dtInsertEntry(dtpage_t * p, int index, struct component_name * key,
 
 	/* advance next available entry index of stbl */
 	++p->header.nextindex;
+
+	return 0;
 }
 
 
-- 
2.51.1.dirty

Re: Forwarded:

[Al Viro]

On Tue, Oct 28, 2025 at 10:25:20AM -0700, syzbot wrote:
> For archival purposes, forwarding an incoming command email to
> linux-kernel@vger.kernel.org.

For fuck sake, either generate a more useful subject, or take
that to a separate list just for syzbot use.

Do you really intend to end up in a bunch of .procmailrc?

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: jkoolstra@xs4all.nl

#syz test

---
 fs/jfs/jfs_dtree.c | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)

diff --git a/fs/jfs/jfs_dtree.c b/fs/jfs/jfs_dtree.c
index 0ab83bb7bbdf..e919de01c42a 100644
--- a/fs/jfs/jfs_dtree.c
+++ b/fs/jfs/jfs_dtree.c
@@ -170,8 +170,8 @@ static void dtGetKey(dtpage_t * p, int i, struct component_name * key,
 static int ciGetLeafPrefixKey(dtpage_t * lp, int li, dtpage_t * rp,
 			      int ri, struct component_name * key, int flag);
 
-static void dtInsertEntry(dtpage_t * p, int index, struct component_name * key,
-			  ddata_t * data, struct dt_lock **);
+static int dtInsertEntry(dtpage_t * p, int index, struct component_name * key,
+			 ddata_t * data, struct dt_lock **);
 
 static void dtMoveEntry(dtpage_t * sp, int si, dtpage_t * dp,
 			struct dt_lock ** sdtlock, struct dt_lock ** ddtlock,
@@ -891,7 +891,8 @@ int dtInsert(tid_t tid, struct inode *ip,
 	lv->length = 1;
 	dtlck->index++;
 
-	dtInsertEntry(p, index, name, &data, &dtlck);
+	if (!(rc = dtInsertEntry(p, index, name, &data, &dtlck)))
+		return rc;
 
 	/* linelock stbl of non-root leaf page */
 	if (!(p->header.flag & BT_ROOT)) {
@@ -3625,9 +3626,10 @@ static void dtGetKey(dtpage_t * p, int i,	/* entry index */
  * function: allocate free slot(s) and
  *	     write a leaf/internal entry
  *
- * return: entry slot index
+ * * return: 0 - success;
+ *	   errno - failure;
  */
-static void dtInsertEntry(dtpage_t * p, int index, struct component_name * key,
+static int dtInsertEntry(dtpage_t * p, int index, struct component_name * key,
 			  ddata_t * data, struct dt_lock ** dtlock)
 {
 	struct dtslot *h, *t;
@@ -3649,6 +3651,10 @@ static void dtInsertEntry(dtpage_t * p, int index, struct component_name * key,
 
 	/* allocate a free slot */
 	hsi = fsi = p->header.freelist;
+	if (fsi >= ((p->header.flag & BT_ROOT) ? DTROOTMAXSLOT : p->header.maxslot)) {
+		jfs_err("Encountered corrupted dtpage before insert");
+		return -EIO;
+	}
 	h = &p->slot[fsi];
 	p->header.freelist = h->next;
 	--p->header.freecnt;
@@ -3697,6 +3703,10 @@ static void dtInsertEntry(dtpage_t * p, int index, struct component_name * key,
 	while (klen) {
 		/* get free slot */
 		fsi = p->header.freelist;
+		if (fsi >= ((p->header.flag & BT_ROOT) ? DTROOTMAXSLOT : p->header.maxslot)) {
+			jfs_err("Encountered corrupted dtpage before insert");
+			return -EIO;
+		}
 		t = &p->slot[fsi];
 		p->header.freelist = t->next;
 		--p->header.freecnt;
@@ -3774,6 +3784,8 @@ static void dtInsertEntry(dtpage_t * p, int index, struct component_name * key,
 
 	/* advance next available entry index of stbl */
 	++p->header.nextindex;
+
+	return 0;
 }
 
 
-- 
2.51.1.dirty

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: jkoolstra@xs4all.nl

#syz test

---
 fs/minix/minix.h |  2 ++
 fs/minix/namei.c | 26 ++++++++++++++++++--------
 2 files changed, 20 insertions(+), 8 deletions(-)

diff --git a/fs/minix/minix.h b/fs/minix/minix.h
index d54273c3c9ff..ce62cb61186d 100644
--- a/fs/minix/minix.h
+++ b/fs/minix/minix.h
@@ -168,4 +168,6 @@ static inline int minix_test_bit(int nr, const void *vaddr)
 
 #endif
 
+#define EFSCORRUPTED	EUCLEAN		/* Filesystem is corrupted */
+
 #endif /* FS_MINIX_H */
diff --git a/fs/minix/namei.c b/fs/minix/namei.c
index 8938536d8d3c..a8d5a7e22b7b 100644
--- a/fs/minix/namei.c
+++ b/fs/minix/namei.c
@@ -161,15 +161,25 @@ static int minix_unlink(struct inode * dir, struct dentry *dentry)
 static int minix_rmdir(struct inode * dir, struct dentry *dentry)
 {
 	struct inode * inode = d_inode(dentry);
-	int err = -ENOTEMPTY;
-
-	if (minix_empty_dir(inode)) {
-		err = minix_unlink(dir, dentry);
-		if (!err) {
-			inode_dec_link_count(dir);
-			inode_dec_link_count(inode);
-		}
+	int err = -EFSCORRUPTED;
+
+	if (dir->i_nlink <= 2) {
+		printk(KERN_CRIT "minix-fs error: directory inode has "
+		       "corrupted nlink");
+		goto out;
 	}
+
+	err = -ENOTEMPTY;
+	if (!minix_empty_dir(inode))
+		goto out;
+
+	err = minix_unlink(dir, dentry);
+	if (!err) {
+		inode_dec_link_count(dir);
+		inode_dec_link_count(inode);
+ 	}
+
+out:
 	return err;
 }
 
-- 
2.51.1.dirty

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: jkoolstra@xs4all.nl

#syz test

---

diff --git a/fs/minix/namei.c b/fs/minix/namei.c
index a8d5a7e22b7b..8648d860ef0c 100644
--- a/fs/minix/namei.c
+++ b/fs/minix/namei.c
@@ -218,6 +218,13 @@ static int minix_rename(struct mnt_idmap *idmap,
                if (dir_de && !minix_empty_dir(new_inode))
                        goto out_dir;
 
+               err = -EFSCORRUPTED;
+               if (dir_de && new_inode->i_nlink != 2) {
+                       printk(KERN_CRIT "minix-fs error: directory inode has "
+                              "corrupted nlink");
+                       goto out_dir;
+               }
+
                err = -ENOENT;
                new_de = minix_find_entry(new_dentry, &new_folio);
                if (!new_de)

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: jkoolstra@xs4all.nl

#syz test

---
diff --git a/fs/minix/minix.h b/fs/minix/minix.h
index d54273c3c9ff..ce62cb61186d 100644
--- a/fs/minix/minix.h
+++ b/fs/minix/minix.h
@@ -168,4 +168,6 @@ static inline int minix_test_bit(int nr, const void *vaddr)
 
 #endif
 
+#define EFSCORRUPTED   EUCLEAN         /* Filesystem is corrupted */
+
 #endif /* FS_MINIX_H */

diff --git a/fs/minix/namei.c b/fs/minix/namei.c
index a8d5a7e22b7b..8648d860ef0c 100644
--- a/fs/minix/namei.c
+++ b/fs/minix/namei.c
@@ -218,6 +218,13 @@ static int minix_rename(struct mnt_idmap *idmap,
                if (dir_de && !minix_empty_dir(new_inode))
                        goto out_dir;
 
+               err = -EFSCORRUPTED;
+               if (dir_de && new_inode->i_nlink != 2) {
+                       printk(KERN_CRIT "minix-fs error: directory inode has "
+                              "corrupted nlink");
+                       goto out_dir;
+               }
+
                err = -ENOENT;
                new_de = minix_find_entry(new_dentry, &new_folio);
                if (!new_de)

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: jkoolstra@xs4all.nl

#syz test

---

diff --git a/fs/minix/minix.h b/fs/minix/minix.h
index d54273c3c9ff..ce62cb61186d 100644
--- a/fs/minix/minix.h
+++ b/fs/minix/minix.h
@@ -168,4 +168,6 @@ static inline int minix_test_bit(int nr, const void *vaddr)
 
 #endif
 
+#define EFSCORRUPTED   EUCLEAN         /* Filesystem is corrupted */
+
 #endif /* FS_MINIX_H */
diff --git a/fs/minix/namei.c b/fs/minix/namei.c
index 8938536d8d3c..493a75eff2c9 100644
--- a/fs/minix/namei.c
+++ b/fs/minix/namei.c
@@ -208,6 +218,13 @@ static int minix_rename(struct mnt_idmap *idmap,
                if (dir_de && !minix_empty_dir(new_inode))
                        goto out_dir;
 
+               err = -EFSCORRUPTED;
+               if (new_inode->i_nlink == 0 || (dir_de && new_inode->i_nlink != 2)) {
+                       printk(KERN_CRIT "minix-fs error: inode (ino: %ld) "
+                              "has corrupted nlink", new_inode->i_ino);
+                       goto out_dir;
+               }
+
                err = -ENOENT;
                new_de = minix_find_entry(new_dentry, &new_folio);
                if (!new_de)

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: jkoolstra@xs4all.nl

#syz test

---

diff --git a/fs/ntfs3/super.c b/fs/ntfs3/super.c
index aae1f32f4dab..f193912d8632 100644
--- a/fs/ntfs3/super.c
+++ b/fs/ntfs3/super.c
@@ -704,8 +704,8 @@ static void ntfs_put_super(struct super_block *sb)
        ntfs_set_state(sbi, NTFS_DIRTY_CLEAR);
 
        if (sbi->options) {
+               kfree(sbi->options->nls_name);
                unload_nls(sbi->options->nls);
-               kfree(sbi->options->nls);
                kfree(sbi->options);
                sbi->options = NULL;
        }
@@ -1670,8 +1670,8 @@ static int ntfs_fill_super(struct super_block *sb, struct fs_context *fc)
        iput(inode);
 out:
        if (sbi && sbi->options) {
+               kfree(sbi->options->nls_name);
                unload_nls(sbi->options->nls);
-               kfree(sbi->options->nls);
                kfree(sbi->options);
                sbi->options = NULL;
        }

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: jkoolstra@xs4all.nl

#syz test

---
diff --git a/fs/minix/minix.h b/fs/minix/minix.h
index d54273c3c9ff..ce62cb61186d 100644
--- a/fs/minix/minix.h
+++ b/fs/minix/minix.h
@@ -168,4 +168,6 @@ static inline int minix_test_bit(int nr, const void *vaddr)
 
 #endif
 
+#define EFSCORRUPTED   EUCLEAN         /* Filesystem is corrupted */
+
 #endif /* FS_MINIX_H */
diff --git a/fs/minix/namei.c b/fs/minix/namei.c
index a8d5a7e22b7b..f18f7474aca4 100644
--- a/fs/minix/namei.c
+++ b/fs/minix/namei.c
@@ -145,6 +145,12 @@ static int minix_unlink(struct inode * dir, struct dentry *dentry)
        struct minix_dir_entry * de;
        int err;
 
+       if (inode->i_nlink < 1) {
+               printk(KERN_CRIT "minix-fs error: inode (ino: %ld) "
+                      "has corrupted nlink", inode->i_ino);
+               return -EFSCORRUPTED;
+       }
+
        de = minix_find_entry(dentry, &folio);
        if (!de)
                return -ENOENT;
@@ -218,6 +224,13 @@ static int minix_rename(struct mnt_idmap *idmap,
                if (dir_de && !minix_empty_dir(new_inode))
                        goto out_dir;
 
+               err = -EFSCORRUPTED;
+               if (new_inode->i_nlink == 0 || (dir_de && new_inode->i_nlink != 2)) {
+                       printk(KERN_CRIT "minix-fs error: inode (ino: %ld) "
+                              "has corrupted nlink", new_inode->i_ino);
+                       goto out_dir;
+               }
+
                err = -ENOENT;
                new_de = minix_find_entry(new_dentry, &new_folio);
                if (!new_de)

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: jkoolstra@xs4all.nl

#syz test

---

diff --git a/fs/hfs/dir.c b/fs/hfs/dir.c
index 86a6b317b474..ee1760305380 100644
--- a/fs/hfs/dir.c
+++ b/fs/hfs/dir.c
@@ -196,8 +196,8 @@ static int hfs_create(struct mnt_idmap *idmap, struct inode *dir,
        int res;
 
        inode = hfs_new_inode(dir, &dentry->d_name, mode);
-       if (!inode)
-               return -ENOMEM;
+       if (IS_ERR(inode))
+               return PTR_ERR(inode);
 
        res = hfs_cat_create(inode->i_ino, dir, &dentry->d_name, inode);
        if (res) {
@@ -226,8 +226,8 @@ static struct dentry *hfs_mkdir(struct mnt_idmap *idmap, struct inode *dir,
        int res;
 
        inode = hfs_new_inode(dir, &dentry->d_name, S_IFDIR | mode);
-       if (!inode)
-               return ERR_PTR(-ENOMEM);
+       if (IS_ERR(inode))
+               return ERR_CAST(inode);
 
        res = hfs_cat_create(inode->i_ino, dir, &dentry->d_name, inode);
        if (res) {
diff --git a/fs/hfs/hfs_fs.h b/fs/hfs/hfs_fs.h
index fff149af89da..6808b1316b60 100644
--- a/fs/hfs/hfs_fs.h
+++ b/fs/hfs/hfs_fs.h
@@ -273,4 +273,6 @@ static inline void hfs_bitmap_dirty(struct super_block *sb)
        __bh;                                           \
 })
 
+#define EFSCORRUPTED   EUCLEAN         /* Filesystem is corrupted */
+
 #endif
diff --git a/fs/hfs/inode.c b/fs/hfs/inode.c
index 9cd449913dc8..ef46a2d29d6a 100644
--- a/fs/hfs/inode.c
+++ b/fs/hfs/inode.c
@@ -188,7 +188,7 @@ struct inode *hfs_new_inode(struct inode *dir, const struct qstr *name, umode_t
        s64 folder_count;
 
        if (!inode)
-               return NULL;
+               return ERR_PTR(-ENOMEM);
 
        mutex_init(&HFS_I(inode)->extents_lock);
        INIT_LIST_HEAD(&HFS_I(inode)->open_dir_list);
@@ -209,7 +209,10 @@ struct inode *hfs_new_inode(struct inode *dir, const struct qstr *name, umode_t
        if (S_ISDIR(mode)) {
                inode->i_size = 2;
                folder_count = atomic64_inc_return(&HFS_SB(sb)->folder_count);
-               BUG_ON(folder_count > U32_MAX);
+               if (folder_count > U32_MAX) {
+                       printk(KERN_CRIT "hfs error: folder count on super block is corrupt");
+                       return ERR_PTR(-EFSCORRUPTED);
+               }
                if (dir->i_ino == HFS_ROOT_CNID)
                        HFS_SB(sb)->root_dirs++;
                inode->i_op = &hfs_dir_inode_operations;
@@ -219,7 +222,10 @@ struct inode *hfs_new_inode(struct inode *dir, const struct qstr *name, umode_t
        } else if (S_ISREG(mode)) {
                HFS_I(inode)->clump_blocks = HFS_SB(sb)->clumpablks;
                file_count = atomic64_inc_return(&HFS_SB(sb)->file_count);
-               BUG_ON(file_count > U32_MAX);
+               if (file_count > U32_MAX) {
+                       printk(KERN_CRIT "hfs error: file count on super block is corrupt");
+                       return ERR_PTR(-EFSCORRUPTED);
+               }
                if (dir->i_ino == HFS_ROOT_CNID)
                        HFS_SB(sb)->root_files++;
                inode->i_op = &hfs_file_inode_operations;

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: jkoolstra@xs4all.nl

#syz test

---

diff --git a/fs/hfs/dir.c b/fs/hfs/dir.c
index 86a6b317b474..ee1760305380 100644
--- a/fs/hfs/dir.c
+++ b/fs/hfs/dir.c
@@ -196,8 +196,8 @@ static int hfs_create(struct mnt_idmap *idmap, struct inode *dir,
 	int res;
 
 	inode = hfs_new_inode(dir, &dentry->d_name, mode);
-	if (!inode)
-		return -ENOMEM;
+	if (IS_ERR(inode))
+		return PTR_ERR(inode);
 
 	res = hfs_cat_create(inode->i_ino, dir, &dentry->d_name, inode);
 	if (res) {
@@ -226,8 +226,8 @@ static struct dentry *hfs_mkdir(struct mnt_idmap *idmap, struct inode *dir,
 	int res;
 
 	inode = hfs_new_inode(dir, &dentry->d_name, S_IFDIR | mode);
-	if (!inode)
-		return ERR_PTR(-ENOMEM);
+	if (IS_ERR(inode))
+		return ERR_CAST(inode);
 
 	res = hfs_cat_create(inode->i_ino, dir, &dentry->d_name, inode);
 	if (res) {
diff --git a/fs/hfs/hfs_fs.h b/fs/hfs/hfs_fs.h
index fff149af89da..6808b1316b60 100644
--- a/fs/hfs/hfs_fs.h
+++ b/fs/hfs/hfs_fs.h
@@ -273,4 +273,6 @@ static inline void hfs_bitmap_dirty(struct super_block *sb)
 	__bh;						\
 })
 
+#define EFSCORRUPTED   EUCLEAN         /* Filesystem is corrupted */
+
 #endif
diff --git a/fs/hfs/inode.c b/fs/hfs/inode.c
index 9cd449913dc8..cb74904994cc 100644
--- a/fs/hfs/inode.c
+++ b/fs/hfs/inode.c
@@ -186,16 +186,22 @@ struct inode *hfs_new_inode(struct inode *dir, const struct qstr *name, umode_t
 	s64 next_id;
 	s64 file_count;
 	s64 folder_count;
+	int err = -ENOMEM;
 
 	if (!inode)
-		return NULL;
+		goto out_err;
+
+	err = -EFSCORRUPTED;
 
 	mutex_init(&HFS_I(inode)->extents_lock);
 	INIT_LIST_HEAD(&HFS_I(inode)->open_dir_list);
 	spin_lock_init(&HFS_I(inode)->open_dir_lock);
 	hfs_cat_build_key(sb, (btree_key *)&HFS_I(inode)->cat_key, dir->i_ino, name);
 	next_id = atomic64_inc_return(&HFS_SB(sb)->next_id);
-	BUG_ON(next_id > U32_MAX);
+	if (next_id > U32_MAX) {
+		printk(KERN_CRIT "hfs error: next file id on super block is corrupt");
+		goto out_discard;
+	}
 	inode->i_ino = (u32)next_id;
 	inode->i_mode = mode;
 	inode->i_uid = current_fsuid();
@@ -209,7 +215,10 @@ struct inode *hfs_new_inode(struct inode *dir, const struct qstr *name, umode_t
 	if (S_ISDIR(mode)) {
 		inode->i_size = 2;
 		folder_count = atomic64_inc_return(&HFS_SB(sb)->folder_count);
-		BUG_ON(folder_count > U32_MAX);
+		if (folder_count > U32_MAX) {
+			printk(KERN_CRIT "hfs error: folder count on super block is corrupt");
+			goto out_discard;
+		}
 		if (dir->i_ino == HFS_ROOT_CNID)
 			HFS_SB(sb)->root_dirs++;
 		inode->i_op = &hfs_dir_inode_operations;
@@ -219,7 +228,10 @@ struct inode *hfs_new_inode(struct inode *dir, const struct qstr *name, umode_t
 	} else if (S_ISREG(mode)) {
 		HFS_I(inode)->clump_blocks = HFS_SB(sb)->clumpablks;
 		file_count = atomic64_inc_return(&HFS_SB(sb)->file_count);
-		BUG_ON(file_count > U32_MAX);
+		if (file_count > U32_MAX) {
+			printk(KERN_CRIT "hfs error: file count on super block is corrupt");
+			goto out_discard;
+		}
 		if (dir->i_ino == HFS_ROOT_CNID)
 			HFS_SB(sb)->root_files++;
 		inode->i_op = &hfs_file_inode_operations;
@@ -243,6 +255,11 @@ struct inode *hfs_new_inode(struct inode *dir, const struct qstr *name, umode_t
 	hfs_mark_mdb_dirty(sb);
 
 	return inode;
+
+	out_discard:
+		iput(inode);	
+	out_err:
+		return ERR_PTR(err); 
 }
 
 void hfs_delete_inode(struct inode *inode)

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: 
Author: jkoolstra@xs4all.nl

#syz test

---

diff --git a/fs/hfs/dir.c b/fs/hfs/dir.c
index 86a6b317b474..ee1760305380 100644
--- a/fs/hfs/dir.c
+++ b/fs/hfs/dir.c
@@ -196,8 +196,8 @@ static int hfs_create(struct mnt_idmap *idmap, struct inode *dir,
 	int res;
 
 	inode = hfs_new_inode(dir, &dentry->d_name, mode);
-	if (!inode)
-		return -ENOMEM;
+	if (IS_ERR(inode))
+		return PTR_ERR(inode);
 
 	res = hfs_cat_create(inode->i_ino, dir, &dentry->d_name, inode);
 	if (res) {
@@ -226,8 +226,8 @@ static struct dentry *hfs_mkdir(struct mnt_idmap *idmap, struct inode *dir,
 	int res;
 
 	inode = hfs_new_inode(dir, &dentry->d_name, S_IFDIR | mode);
-	if (!inode)
-		return ERR_PTR(-ENOMEM);
+	if (IS_ERR(inode))
+		return ERR_CAST(inode);
 
 	res = hfs_cat_create(inode->i_ino, dir, &dentry->d_name, inode);
 	if (res) {
diff --git a/fs/hfs/inode.c b/fs/hfs/inode.c
index 9cd449913dc8..beec6fe7e801 100644
--- a/fs/hfs/inode.c
+++ b/fs/hfs/inode.c
@@ -186,16 +186,23 @@ struct inode *hfs_new_inode(struct inode *dir, const struct qstr *name, umode_t
 	s64 next_id;
 	s64 file_count;
 	s64 folder_count;
+	int err = -ENOMEM;
 
 	if (!inode)
-		return NULL;
+		goto out_err;
+
+	err = -ENOSPC;
 
 	mutex_init(&HFS_I(inode)->extents_lock);
 	INIT_LIST_HEAD(&HFS_I(inode)->open_dir_list);
 	spin_lock_init(&HFS_I(inode)->open_dir_lock);
 	hfs_cat_build_key(sb, (btree_key *)&HFS_I(inode)->cat_key, dir->i_ino, name);
 	next_id = atomic64_inc_return(&HFS_SB(sb)->next_id);
-	BUG_ON(next_id > U32_MAX);
+	if (next_id > U32_MAX) {
+		pr_err("hfs: next file ID exceeds 32-bit limit — possible "
+		       "superblock corruption");
+		goto out_discard;
+	}
 	inode->i_ino = (u32)next_id;
 	inode->i_mode = mode;
 	inode->i_uid = current_fsuid();
@@ -209,7 +216,11 @@ struct inode *hfs_new_inode(struct inode *dir, const struct qstr *name, umode_t
 	if (S_ISDIR(mode)) {
 		inode->i_size = 2;
 		folder_count = atomic64_inc_return(&HFS_SB(sb)->folder_count);
-		BUG_ON(folder_count > U32_MAX);
+		if (folder_count > U32_MAX) {
+			pr_err("hfs: folder count exceeds 32-bit limit — possible "
+			       "superblock corruption");
+			goto out_discard;
+		}
 		if (dir->i_ino == HFS_ROOT_CNID)
 			HFS_SB(sb)->root_dirs++;
 		inode->i_op = &hfs_dir_inode_operations;
@@ -219,7 +230,11 @@ struct inode *hfs_new_inode(struct inode *dir, const struct qstr *name, umode_t
 	} else if (S_ISREG(mode)) {
 		HFS_I(inode)->clump_blocks = HFS_SB(sb)->clumpablks;
 		file_count = atomic64_inc_return(&HFS_SB(sb)->file_count);
-		BUG_ON(file_count > U32_MAX);
+		if (file_count > U32_MAX) {
+			pr_err("hfs: file count exceeds 32-bit limit — possible "
+			       "superblock corruption");
+			goto out_discard;
+		}
 		if (dir->i_ino == HFS_ROOT_CNID)
 			HFS_SB(sb)->root_files++;
 		inode->i_op = &hfs_file_inode_operations;
@@ -243,6 +258,11 @@ struct inode *hfs_new_inode(struct inode *dir, const struct qstr *name, umode_t
 	hfs_mark_mdb_dirty(sb);
 
 	return inode;
+
+	out_discard:
+		iput(inode);	
+	out_err:
+		return ERR_PTR(err); 
 }
 
 void hfs_delete_inode(struct inode *inode)
@@ -251,7 +271,6 @@ void hfs_delete_inode(struct inode *inode)
 
 	hfs_dbg("ino %lu\n", inode->i_ino);
 	if (S_ISDIR(inode->i_mode)) {
-		BUG_ON(atomic64_read(&HFS_SB(sb)->folder_count) > U32_MAX);
 		atomic64_dec(&HFS_SB(sb)->folder_count);
 		if (HFS_I(inode)->cat_key.ParID == cpu_to_be32(HFS_ROOT_CNID))
 			HFS_SB(sb)->root_dirs--;
@@ -260,7 +279,6 @@ void hfs_delete_inode(struct inode *inode)
 		return;
 	}
 
-	BUG_ON(atomic64_read(&HFS_SB(sb)->file_count) > U32_MAX);
 	atomic64_dec(&HFS_SB(sb)->file_count);
 	if (HFS_I(inode)->cat_key.ParID == cpu_to_be32(HFS_ROOT_CNID))
 		HFS_SB(sb)->root_files--;
diff --git a/fs/hfs/mdb.c b/fs/hfs/mdb.c
index 53f3fae60217..1c3fb631cc8e 100644
--- a/fs/hfs/mdb.c
+++ b/fs/hfs/mdb.c
@@ -273,15 +273,12 @@ void hfs_mdb_commit(struct super_block *sb)
 		/* These parameters may have been modified, so write them back */
 		mdb->drLsMod = hfs_mtime();
 		mdb->drFreeBks = cpu_to_be16(HFS_SB(sb)->free_ablocks);
-		BUG_ON(atomic64_read(&HFS_SB(sb)->next_id) > U32_MAX);
 		mdb->drNxtCNID =
 			cpu_to_be32((u32)atomic64_read(&HFS_SB(sb)->next_id));
 		mdb->drNmFls = cpu_to_be16(HFS_SB(sb)->root_files);
 		mdb->drNmRtDirs = cpu_to_be16(HFS_SB(sb)->root_dirs);
-		BUG_ON(atomic64_read(&HFS_SB(sb)->file_count) > U32_MAX);
 		mdb->drFilCnt =
 			cpu_to_be32((u32)atomic64_read(&HFS_SB(sb)->file_count));
-		BUG_ON(atomic64_read(&HFS_SB(sb)->folder_count) > U32_MAX);
 		mdb->drDirCnt =
 			cpu_to_be32((u32)atomic64_read(&HFS_SB(sb)->folder_count));
 
-- 
2.51.1.dirty

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: jkoolstra@xs4all.nl

#syz dup: WARNING in ntfs_put_super

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: eslam.medhat1993@gmail.com

#syz test

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: eslam.medhat1993@gmail.com

#syz test

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: eslam.medhat1993@gmail.com

#syz test

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: eslam.medhat1993@gmail.com

#syz test

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: eslam.medhat1993@gmail.com

#syz test

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: eslam.medhat1993@gmail.com

#syz test

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: 
Author: jkoolstra@xs4all.nl

#syz test

---
 fs/minix/inode.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/fs/minix/inode.c b/fs/minix/inode.c
index 7897f5123b3d..bee191c50010 100644
--- a/fs/minix/inode.c
+++ b/fs/minix/inode.c
@@ -171,7 +171,15 @@ static bool minix_check_superblock(struct super_block *sb)
 {
 	struct minix_sb_info *sbi = minix_sb(sb);
 
-	if (sbi->s_imap_blocks == 0 || sbi->s_zmap_blocks == 0)
+	if (sbi->s_log_zone_size != 0) {
+		printk("minix-fs error: zone size must equal block size. "
+		       "s_log_zone_size > 0 is not supported.\n");
+		return false;
+	}
+
+	if (sbi->s_imap_blocks < 1 || sbi->s_zmap_blocks < 1 ||
+	    sbi->s_ninodes < 1 || sbi->s_firstdatazone <= 4 ||
+	    sbi->s_firstdatazone >= sbi->s_nzones)
 		return false;
 
 	/*
-- 
2.51.2

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: agruenba@redhat.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2.git
4daba9379bbd702c63459f54ef448746bfeab42d

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: pimyn@google.com

#syz invalid

Forwarded: Re: [PATCH net v6] net: nfc: nci: Fix parameter validation for packet data

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Re: [PATCH net v6] net: nfc: nci: Fix parameter validation for packet data
Author: krzk@kernel.org

On 18/02/2026 09:30, Michael Thalmeier wrote:
> Since commit 9c328f54741b ("net: nfc: nci: Add parameter validation for
> packet data") communication with nci nfc chips is not working any more.
> 
> The mentioned commit tries to fix access of uninitialized data, but
> failed to understand that in some cases the data packet is of variable
> length and can therefore not be compared to the maximum packet length
> given by the sizeof(struct).
> 
> Fixes: 9c328f54741b ("net: nfc: nci: Add parameter validation for packet data")

Reported-by: syzbot+740e04c2a93467a0f8c8@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=740e04c2a93467a0f8c8

#syz unfix

> Cc: stable@vger.kernel.org
> Signed-off-by: Michael Thalmeier <michael.thalmeier@hale.at>
> ---
> v6:
> - use ssize_t for data_len parameter to guard against underflows
> - omit unneeded data_len decrements at the end of the functions
> 
> v5:
> - also check helper functions in nci_extract_rf_params_nfcf_passive_listen
>   and nci_rf_discover_ntf_packet
> 
> v4:
> - formatting fixes
> 
> v3:
> - perform complete checks
> - replace magic numbers with offsetofend and sizeof
> 
> v2:
> - Reference correct commit hash
> 
> ---
>  net/nfc/nci/ntf.c | 159 ++++++++++++++++++++++++++++++++++++++++------
>  1 file changed, 141 insertions(+), 18 deletions(-)
> 
> diff --git a/net/nfc/nci/ntf.c b/net/nfc/nci/ntf.c
> index 418b84e2b260..c96512bb8653 100644
> --- a/net/nfc/nci/ntf.c
> +++ b/net/nfc/nci/ntf.c
> @@ -58,7 +58,7 @@ static int nci_core_conn_credits_ntf_packet(struct nci_dev *ndev,
>  	struct nci_conn_info *conn_info;
>  	int i;
>  
> -	if (skb->len < sizeof(struct nci_core_conn_credit_ntf))
> +	if (skb->len < offsetofend(struct nci_core_conn_credit_ntf, num_entries))
>  		return -EINVAL;
>  
>  	ntf = (struct nci_core_conn_credit_ntf *)skb->data;
> @@ -68,6 +68,10 @@ static int nci_core_conn_credits_ntf_packet(struct nci_dev *ndev,
>  	if (ntf->num_entries > NCI_MAX_NUM_CONN)
>  		ntf->num_entries = NCI_MAX_NUM_CONN;
>  
> +	if (skb->len < offsetofend(struct nci_core_conn_credit_ntf, num_entries) +
> +			ntf->num_entries * sizeof(struct conn_credit_entry))
> +		return -EINVAL;
> +
>  	/* update the credits */
>  	for (i = 0; i < ntf->num_entries; i++) {
>  		ntf->conn_entries[i].conn_id =
> @@ -138,23 +142,48 @@ static int nci_core_conn_intf_error_ntf_packet(struct nci_dev *ndev,
>  static const __u8 *
>  nci_extract_rf_params_nfca_passive_poll(struct nci_dev *ndev,
>  					struct rf_tech_specific_params_nfca_poll *nfca_poll,
> -					const __u8 *data)
> +					const __u8 *data, ssize_t data_len)
>  {
> +	/* Check if we have enough data for sens_res (2 bytes) */
> +	if (data_len < 2)
> +		return ERR_PTR(-EINVAL);
> +
>  	nfca_poll->sens_res = __le16_to_cpu(*((__le16 *)data));
>  	data += 2;
> +	data_len -= 2;
> +
> +	/* Check if we have enough data for nfcid1_len (1 byte) */
> +	if (data_len < 1)
> +		return ERR_PTR(-EINVAL);
>  
>  	nfca_poll->nfcid1_len = min_t(__u8, *data++, NFC_NFCID1_MAXSIZE);
> +	data_len--;
>  
>  	pr_debug("sens_res 0x%x, nfcid1_len %d\n",
>  		 nfca_poll->sens_res, nfca_poll->nfcid1_len);
>  
> +	/* Check if we have enough data for nfcid1 */
> +	if (data_len < nfca_poll->nfcid1_len)
> +		return ERR_PTR(-EINVAL);
> +
>  	memcpy(nfca_poll->nfcid1, data, nfca_poll->nfcid1_len);
>  	data += nfca_poll->nfcid1_len;
> +	data_len -= nfca_poll->nfcid1_len;
> +
> +	/* Check if we have enough data for sel_res_len (1 byte) */
> +	if (data_len < 1)
> +		return ERR_PTR(-EINVAL);
>  
>  	nfca_poll->sel_res_len = *data++;
> +	data_len--;
> +
> +	if (nfca_poll->sel_res_len != 0) {
> +		/* Check if we have enough data for sel_res (1 byte) */
> +		if (data_len < 1)
> +			return ERR_PTR(-EINVAL);
>  
> -	if (nfca_poll->sel_res_len != 0)
>  		nfca_poll->sel_res = *data++;
> +	}
>  
>  	pr_debug("sel_res_len %d, sel_res 0x%x\n",
>  		 nfca_poll->sel_res_len,
> @@ -166,12 +195,21 @@ nci_extract_rf_params_nfca_passive_poll(struct nci_dev *ndev,
>  static const __u8 *
>  nci_extract_rf_params_nfcb_passive_poll(struct nci_dev *ndev,
>  					struct rf_tech_specific_params_nfcb_poll *nfcb_poll,
> -					const __u8 *data)
> +					const __u8 *data, ssize_t data_len)
>  {
> +	/* Check if we have enough data for sensb_res_len (1 byte) */
> +	if (data_len < 1)
> +		return ERR_PTR(-EINVAL);
> +
>  	nfcb_poll->sensb_res_len = min_t(__u8, *data++, NFC_SENSB_RES_MAXSIZE);
> +	data_len--;
>  
>  	pr_debug("sensb_res_len %d\n", nfcb_poll->sensb_res_len);
>  
> +	/* Check if we have enough data for sensb_res */
> +	if (data_len < nfcb_poll->sensb_res_len)
> +		return ERR_PTR(-EINVAL);
> +
>  	memcpy(nfcb_poll->sensb_res, data, nfcb_poll->sensb_res_len);
>  	data += nfcb_poll->sensb_res_len;
>  
> @@ -181,14 +219,29 @@ nci_extract_rf_params_nfcb_passive_poll(struct nci_dev *ndev,
>  static const __u8 *
>  nci_extract_rf_params_nfcf_passive_poll(struct nci_dev *ndev,
>  					struct rf_tech_specific_params_nfcf_poll *nfcf_poll,
> -					const __u8 *data)
> +					const __u8 *data, ssize_t data_len)
>  {
> +	/* Check if we have enough data for bit_rate (1 byte) */
> +	if (data_len < 1)
> +		return ERR_PTR(-EINVAL);
> +
>  	nfcf_poll->bit_rate = *data++;
> +	data_len--;
> +
> +	/* Check if we have enough data for sensf_res_len (1 byte) */
> +	if (data_len < 1)
> +		return ERR_PTR(-EINVAL);
> +
>  	nfcf_poll->sensf_res_len = min_t(__u8, *data++, NFC_SENSF_RES_MAXSIZE);
> +	data_len--;
>  
>  	pr_debug("bit_rate %d, sensf_res_len %d\n",
>  		 nfcf_poll->bit_rate, nfcf_poll->sensf_res_len);
>  
> +	/* Check if we have enough data for sensf_res */
> +	if (data_len < nfcf_poll->sensf_res_len)
> +		return ERR_PTR(-EINVAL);
> +
>  	memcpy(nfcf_poll->sensf_res, data, nfcf_poll->sensf_res_len);
>  	data += nfcf_poll->sensf_res_len;
>  
> @@ -198,22 +251,49 @@ nci_extract_rf_params_nfcf_passive_poll(struct nci_dev *ndev,
>  static const __u8 *
>  nci_extract_rf_params_nfcv_passive_poll(struct nci_dev *ndev,
>  					struct rf_tech_specific_params_nfcv_poll *nfcv_poll,
> -					const __u8 *data)
> +					const __u8 *data, ssize_t data_len)
>  {
> +	/* Skip 1 byte (reserved) */
> +	if (data_len < 1)
> +		return ERR_PTR(-EINVAL);
> +
>  	++data;
> +	data_len--;
> +
> +	/* Check if we have enough data for dsfid (1 byte) */
> +	if (data_len < 1)
> +		return ERR_PTR(-EINVAL);
> +
>  	nfcv_poll->dsfid = *data++;
> +	data_len--;
> +
> +	/* Check if we have enough data for uid (8 bytes) */
> +	if (data_len < NFC_ISO15693_UID_MAXSIZE)
> +		return ERR_PTR(-EINVAL);
> +
>  	memcpy(nfcv_poll->uid, data, NFC_ISO15693_UID_MAXSIZE);
>  	data += NFC_ISO15693_UID_MAXSIZE;
> +
>  	return data;
>  }
>  
>  static const __u8 *
>  nci_extract_rf_params_nfcf_passive_listen(struct nci_dev *ndev,
>  					  struct rf_tech_specific_params_nfcf_listen *nfcf_listen,
> -					  const __u8 *data)
> +					  const __u8 *data, ssize_t data_len)
>  {
> +	/* Check if we have enough data for local_nfcid2_len (1 byte) */
> +	if (data_len < 1)
> +		return ERR_PTR(-EINVAL);
> +
>  	nfcf_listen->local_nfcid2_len = min_t(__u8, *data++,
>  					      NFC_NFCID2_MAXSIZE);
> +	data_len--;
> +
> +	/* Check if we have enough data for local_nfcid2 */
> +	if (data_len < nfcf_listen->local_nfcid2_len)
> +		return ERR_PTR(-EINVAL);
> +
>  	memcpy(nfcf_listen->local_nfcid2, data, nfcf_listen->local_nfcid2_len);
>  	data += nfcf_listen->local_nfcid2_len;
>  
> @@ -364,7 +444,7 @@ static int nci_rf_discover_ntf_packet(struct nci_dev *ndev,
>  	const __u8 *data;
>  	bool add_target = true;
>  
> -	if (skb->len < sizeof(struct nci_rf_discover_ntf))
> +	if (skb->len < offsetofend(struct nci_rf_discover_ntf, rf_tech_specific_params_len))
>  		return -EINVAL;
>  
>  	data = skb->data;
> @@ -380,26 +460,42 @@ static int nci_rf_discover_ntf_packet(struct nci_dev *ndev,
>  	pr_debug("rf_tech_specific_params_len %d\n",
>  		 ntf.rf_tech_specific_params_len);
>  
> +	if (skb->len < (data - skb->data) +
> +			ntf.rf_tech_specific_params_len + sizeof(ntf.ntf_type))
> +		return -EINVAL;
> +
>  	if (ntf.rf_tech_specific_params_len > 0) {
>  		switch (ntf.rf_tech_and_mode) {
>  		case NCI_NFC_A_PASSIVE_POLL_MODE:
>  			data = nci_extract_rf_params_nfca_passive_poll(ndev,
> -				&(ntf.rf_tech_specific_params.nfca_poll), data);
> +				&(ntf.rf_tech_specific_params.nfca_poll), data,
> +				ntf.rf_tech_specific_params_len);
> +			if (IS_ERR(data))
> +				return PTR_ERR(data);
>  			break;
>  
>  		case NCI_NFC_B_PASSIVE_POLL_MODE:
>  			data = nci_extract_rf_params_nfcb_passive_poll(ndev,
> -				&(ntf.rf_tech_specific_params.nfcb_poll), data);
> +				&(ntf.rf_tech_specific_params.nfcb_poll), data,
> +				ntf.rf_tech_specific_params_len);
> +			if (IS_ERR(data))
> +				return PTR_ERR(data);
>  			break;
>  
>  		case NCI_NFC_F_PASSIVE_POLL_MODE:
>  			data = nci_extract_rf_params_nfcf_passive_poll(ndev,
> -				&(ntf.rf_tech_specific_params.nfcf_poll), data);
> +				&(ntf.rf_tech_specific_params.nfcf_poll), data,
> +				ntf.rf_tech_specific_params_len);
> +			if (IS_ERR(data))
> +				return PTR_ERR(data);
>  			break;
>  
>  		case NCI_NFC_V_PASSIVE_POLL_MODE:
>  			data = nci_extract_rf_params_nfcv_passive_poll(ndev,
> -				&(ntf.rf_tech_specific_params.nfcv_poll), data);
> +				&(ntf.rf_tech_specific_params.nfcv_poll), data,
> +				ntf.rf_tech_specific_params_len);
> +			if (IS_ERR(data))
> +				return PTR_ERR(data);
>  			break;
>  
>  		default:
> @@ -596,7 +692,7 @@ static int nci_rf_intf_activated_ntf_packet(struct nci_dev *ndev,
>  	const __u8 *data;
>  	int err = NCI_STATUS_OK;
>  
> -	if (skb->len < sizeof(struct nci_rf_intf_activated_ntf))
> +	if (skb->len < offsetofend(struct nci_rf_intf_activated_ntf, rf_tech_specific_params_len))
>  		return -EINVAL;
>  
>  	data = skb->data;
> @@ -628,26 +724,41 @@ static int nci_rf_intf_activated_ntf_packet(struct nci_dev *ndev,
>  	if (ntf.rf_interface == NCI_RF_INTERFACE_NFCEE_DIRECT)
>  		goto listen;
>  
> +	if (skb->len < (data - skb->data) + ntf.rf_tech_specific_params_len)
> +		return -EINVAL;
> +
>  	if (ntf.rf_tech_specific_params_len > 0) {
>  		switch (ntf.activation_rf_tech_and_mode) {
>  		case NCI_NFC_A_PASSIVE_POLL_MODE:
>  			data = nci_extract_rf_params_nfca_passive_poll(ndev,
> -				&(ntf.rf_tech_specific_params.nfca_poll), data);
> +				&(ntf.rf_tech_specific_params.nfca_poll), data,
> +				ntf.rf_tech_specific_params_len);
> +			if (IS_ERR(data))
> +				return -EINVAL;
>  			break;
>  
>  		case NCI_NFC_B_PASSIVE_POLL_MODE:
>  			data = nci_extract_rf_params_nfcb_passive_poll(ndev,
> -				&(ntf.rf_tech_specific_params.nfcb_poll), data);
> +				&(ntf.rf_tech_specific_params.nfcb_poll), data,
> +				ntf.rf_tech_specific_params_len);
> +			if (IS_ERR(data))
> +				return -EINVAL;
>  			break;
>  
>  		case NCI_NFC_F_PASSIVE_POLL_MODE:
>  			data = nci_extract_rf_params_nfcf_passive_poll(ndev,
> -				&(ntf.rf_tech_specific_params.nfcf_poll), data);
> +				&(ntf.rf_tech_specific_params.nfcf_poll), data,
> +				ntf.rf_tech_specific_params_len);
> +			if (IS_ERR(data))
> +				return -EINVAL;
>  			break;
>  
>  		case NCI_NFC_V_PASSIVE_POLL_MODE:
>  			data = nci_extract_rf_params_nfcv_passive_poll(ndev,
> -				&(ntf.rf_tech_specific_params.nfcv_poll), data);
> +				&(ntf.rf_tech_specific_params.nfcv_poll), data,
> +				ntf.rf_tech_specific_params_len);
> +			if (IS_ERR(data))
> +				return -EINVAL;
>  			break;
>  
>  		case NCI_NFC_A_PASSIVE_LISTEN_MODE:
> @@ -657,7 +768,9 @@ static int nci_rf_intf_activated_ntf_packet(struct nci_dev *ndev,
>  		case NCI_NFC_F_PASSIVE_LISTEN_MODE:
>  			data = nci_extract_rf_params_nfcf_passive_listen(ndev,
>  				&(ntf.rf_tech_specific_params.nfcf_listen),
> -				data);
> +				data, ntf.rf_tech_specific_params_len);
> +			if (IS_ERR(data))
> +				return -EINVAL;
>  			break;
>  
>  		default:
> @@ -668,6 +781,13 @@ static int nci_rf_intf_activated_ntf_packet(struct nci_dev *ndev,
>  		}
>  	}
>  
> +	if (skb->len < (data - skb->data) +
> +			sizeof(ntf.data_exch_rf_tech_and_mode) +
> +			sizeof(ntf.data_exch_tx_bit_rate) +
> +			sizeof(ntf.data_exch_rx_bit_rate) +
> +			sizeof(ntf.activation_params_len))
> +		return -EINVAL;
> +
>  	ntf.data_exch_rf_tech_and_mode = *data++;
>  	ntf.data_exch_tx_bit_rate = *data++;
>  	ntf.data_exch_rx_bit_rate = *data++;
> @@ -679,6 +799,9 @@ static int nci_rf_intf_activated_ntf_packet(struct nci_dev *ndev,
>  	pr_debug("data_exch_rx_bit_rate 0x%x\n", ntf.data_exch_rx_bit_rate);
>  	pr_debug("activation_params_len %d\n", ntf.activation_params_len);
>  
> +	if (skb->len < (data - skb->data) + ntf.activation_params_len)
> +		return -EINVAL;
> +
>  	if (ntf.activation_params_len > 0) {
>  		switch (ntf.rf_interface) {
>  		case NCI_RF_INTERFACE_ISO_DEP:


Best regards,
Krzysztof

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: contact@gvernon.com

#syz test

Forwarded:

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: klnm1908v@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
master

diff --git a/arch/x86/kvm/xen.c b/arch/x86/kvm/xen.c
index 91fd3673c09a..e588a188f50a 100644
--- a/arch/x86/kvm/xen.c
+++ b/arch/x86/kvm/xen.c
@@ -126,23 +126,10 @@ static enum hrtimer_restart
xen_timer_callback(struct hrtimer *timer)
 {
 	struct kvm_vcpu *vcpu = container_of(timer, struct kvm_vcpu,
 					     arch.xen.timer);
-	struct kvm_xen_evtchn e;
-	int rc;

 	if (atomic_read(&vcpu->arch.xen.timer_pending))
 		return HRTIMER_NORESTART;

-	e.vcpu_id = vcpu->vcpu_id;
-	e.vcpu_idx = vcpu->vcpu_idx;
-	e.port = vcpu->arch.xen.timer_virq;
-	e.priority = KVM_IRQ_ROUTING_XEN_EVTCHN_PRIO_2LEVEL;
-
-	rc = kvm_xen_set_evtchn_fast(&e, vcpu->kvm);
-	if (rc != -EWOULDBLOCK) {
-		vcpu->arch.xen.timer_expires = 0;
-		return HRTIMER_NORESTART;
-	}
-
 	atomic_inc(&vcpu->arch.xen.timer_pending);
 	kvm_make_request(KVM_REQ_UNBLOCK, vcpu);
 	kvm_vcpu_kick(vcpu);