[syzbot] [jfs?] KASAN: user-memory-access Write in __destroy

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

* [syzbot] [jfs?] KASAN: user-memory-access Write in __destroy_inode
@ 2023-05-04  9:32 syzbot
  2025-09-24 19:11 ` Forwarded: #syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git cec1e6e5d1ab33403b809f79cd20d6aff124ccfe syzbot
  2026-01-07 14:57 ` [syzbot] [jfs?] KASAN: user-memory-access Write in __destroy_inode syzbot
  0 siblings, 2 replies; 4+ messages in thread
From: syzbot @ 2023-05-04  9:32 UTC (permalink / raw)
  To: brauner, jfs-discussion, linux-fsdevel, linux-kernel, shaggy,
	syzkaller-bugs, viro

Hello,

syzbot found the following issue on:

HEAD commit:    fa31fc82fb77 Merge tag 'pm-6.4-rc1-2' of git://git.kernel...
git tree:       upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=176f146c280000
kernel config:  https://syzkaller.appspot.com/x/.config?x=73a06f6ef2d5b492
dashboard link: https://syzkaller.appspot.com/bug?extid=dcc068159182a4c31ca3
compiler:       Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=13a40690280000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=156b965c280000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/47047382df87/disk-fa31fc82.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/1fd540f5f80a/vmlinux-fa31fc82.xz
kernel image: https://storage.googleapis.com/syzbot-assets/21da1f9e2c23/bzImage-fa31fc82.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/058ce906b620/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+dcc068159182a4c31ca3@syzkaller.appspotmail.com

ERROR: (device loop0): jfs_readdir: JFS:Dtree error: ino = 2, bn=0, index = 6
ERROR: (device loop0): jfs_readdir: JFS:Dtree error: ino = 2, bn=0, index = 7
==================================================================
BUG: KASAN: user-memory-access in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: user-memory-access in atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:176 [inline]
BUG: KASAN: user-memory-access in __refcount_sub_and_test include/linux/refcount.h:272 [inline]
BUG: KASAN: user-memory-access in __refcount_dec_and_test include/linux/refcount.h:315 [inline]
BUG: KASAN: user-memory-access in refcount_dec_and_test include/linux/refcount.h:333 [inline]
BUG: KASAN: user-memory-access in posix_acl_release include/linux/posix_acl.h:57 [inline]
BUG: KASAN: user-memory-access in __destroy_inode+0x426/0x5e0 fs/inode.c:297
Write of size 4 at addr 0000000b00000000 by task syz-executor374/4998

CPU: 0 PID: 4998 Comm: syz-executor374 Not tainted 6.3.0-syzkaller-12999-gfa31fc82fb77 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
 print_report+0xe6/0x540 mm/kasan/report.c:465
 kasan_report+0x176/0x1b0 mm/kasan/report.c:572
 kasan_check_range+0x283/0x290 mm/kasan/generic.c:187
 instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
 atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:176 [inline]
 __refcount_sub_and_test include/linux/refcount.h:272 [inline]
 __refcount_dec_and_test include/linux/refcount.h:315 [inline]
 refcount_dec_and_test include/linux/refcount.h:333 [inline]
 posix_acl_release include/linux/posix_acl.h:57 [inline]
 __destroy_inode+0x426/0x5e0 fs/inode.c:297
 destroy_inode fs/inode.c:308 [inline]
 evict+0x51b/0x620 fs/inode.c:680
 dispose_list fs/inode.c:698 [inline]
 evict_inodes+0x5f8/0x690 fs/inode.c:748
 generic_shutdown_super+0x98/0x340 fs/super.c:479
 kill_block_super+0x84/0xf0 fs/super.c:1407
 deactivate_locked_super+0xa4/0x110 fs/super.c:331
 cleanup_mnt+0x426/0x4c0 fs/namespace.c:1177
 task_work_run+0x24a/0x300 kernel/task_work.c:179
 exit_task_work include/linux/task_work.h:38 [inline]
 do_exit+0x68f/0x2290 kernel/exit.c:871
 do_group_exit+0x206/0x2c0 kernel/exit.c:1021
 __do_sys_exit_group kernel/exit.c:1032 [inline]
 __se_sys_exit_group kernel/exit.c:1030 [inline]
 __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1030
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f696702ea49
Code: Unable to access opcode bytes at 0x7f696702ea1f.
RSP: 002b:00007ffcc25baa18 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007f69670a9330 RCX: 00007f696702ea49
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
RBP: 0000000000000001 R08: ffffffffffffffc0 R09: 00007f69670a3e40
R10: 00007f69670a3e40 R11: 0000000000000246 R12: 00007f69670a9330
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
 </TASK>
==================================================================

---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to change bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Forwarded: #syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git cec1e6e5d1ab33403b809f79cd20d6aff124ccfe
  2023-05-04  9:32 [syzbot] [jfs?] KASAN: user-memory-access Write in __destroy_inode syzbot
@ 2025-09-24 19:11 ` syzbot
  2026-01-07 14:57 ` [syzbot] [jfs?] KASAN: user-memory-access Write in __destroy_inode syzbot
  1 sibling, 0 replies; 4+ messages in thread
From: syzbot @ 2025-09-24 19:11 UTC (permalink / raw)
  To: linux-kernel, syzkaller-bugs

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: #syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git cec1e6e5d1ab33403b809f79cd20d6aff124ccfe
Author: dmantipov@yandex.ru

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git cec1e6e5d1ab33403b809f79cd20d6aff124ccfe

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [syzbot] [jfs?] KASAN: user-memory-access Write in __destroy_inode
  2023-05-04  9:32 [syzbot] [jfs?] KASAN: user-memory-access Write in __destroy_inode syzbot
  2025-09-24 19:11 ` Forwarded: #syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git cec1e6e5d1ab33403b809f79cd20d6aff124ccfe syzbot
@ 2026-01-07 14:57 ` syzbot
  2026-01-07 15:05   ` Mateusz Guzik
  1 sibling, 1 reply; 4+ messages in thread
From: syzbot @ 2026-01-07 14:57 UTC (permalink / raw)
  To: brauner, dmantipov, jack, jfs-discussion, linux-fsdevel,
	linux-kernel, lvc-project, mjguzik, shaggy, syzkaller-bugs, viro

syzbot suspects this issue was fixed by commit:

commit dca3aa666fbd71118905d88bb1c353881002b647
Author: Mateusz Guzik <mjguzik@gmail.com>
Date:   Sun Nov 9 12:19:31 2025 +0000

    fs: move inode fields used during fast path lookup closer together

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=1480019a580000
start commit:   6146a0f1dfae Linux 6.18-rc4
git tree:       upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=e46b8a1c645465a9
dashboard link: https://syzkaller.appspot.com/bug?extid=dcc068159182a4c31ca3
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15ef4532580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=179c1e14580000

If the result looks correct, please mark the issue as fixed by replying with:

#syz fix: fs: move inode fields used during fast path lookup closer together

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [syzbot] [jfs?] KASAN: user-memory-access Write in __destroy_inode
  2026-01-07 14:57 ` [syzbot] [jfs?] KASAN: user-memory-access Write in __destroy_inode syzbot
@ 2026-01-07 15:05   ` Mateusz Guzik
  0 siblings, 0 replies; 4+ messages in thread
From: Mateusz Guzik @ 2026-01-07 15:05 UTC (permalink / raw)
  To: syzbot
  Cc: brauner, dmantipov, jack, jfs-discussion, linux-fsdevel,
	linux-kernel, lvc-project, shaggy, syzkaller-bugs, viro

On Wed, Jan 7, 2026 at 3:57 PM syzbot
<syzbot+dcc068159182a4c31ca3@syzkaller.appspotmail.com> wrote:
>
> syzbot suspects this issue was fixed by commit:
>
> commit dca3aa666fbd71118905d88bb1c353881002b647
> Author: Mateusz Guzik <mjguzik@gmail.com>
> Date:   Sun Nov 9 12:19:31 2025 +0000
>
>     fs: move inode fields used during fast path lookup closer together
>

I don't know what the bug is, at best this patch has an unintended
side-effect of neutering the reproducer.

> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=1480019a580000
> start commit:   6146a0f1dfae Linux 6.18-rc4
> git tree:       upstream
> kernel config:  https://syzkaller.appspot.com/x/.config?x=e46b8a1c645465a9
> dashboard link: https://syzkaller.appspot.com/bug?extid=dcc068159182a4c31ca3
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15ef4532580000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=179c1e14580000
>
> If the result looks correct, please mark the issue as fixed by replying with:
>
> #syz fix: fs: move inode fields used during fast path lookup closer together
>
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2026-01-07 15:05 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-05-04  9:32 [syzbot] [jfs?] KASAN: user-memory-access Write in __destroy_inode syzbot
2025-09-24 19:11 ` Forwarded: #syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git cec1e6e5d1ab33403b809f79cd20d6aff124ccfe syzbot
2026-01-07 14:57 ` [syzbot] [jfs?] KASAN: user-memory-access Write in __destroy_inode syzbot
2026-01-07 15:05   ` Mateusz Guzik

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox