public inbox for linux-kernel@vger.kernel.org
* [syzbot] [ocfs2?] KASAN: use-after-free Read in ocfs2_dir_foreach_blk
From: syzbot @ 2024-09-27 14:22 UTC (permalink / raw)
  To: jlbec, joseph.qi, linux-kernel, mark, ocfs2-devel, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    88264981f208 Merge tag 'sched_ext-for-6.12' of git://git.k..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15e9de9f980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=e851828834875d6f
dashboard link: https://syzkaller.appspot.com/bug?extid=b20bbf680bb0f2ecedae
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7bc7510fe41f/non_bootable_disk-88264981.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/df2a0a047a7a/vmlinux-88264981.xz
kernel image: https://storage.googleapis.com/syzbot-assets/bbdb25081712/bzImage-88264981.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b20bbf680bb0f2ecedae@syzkaller.appspotmail.com

loop0: detected capacity change from 0 to 32768
=======================================================
WARNING: The mand mount option has been deprecated and
         and is ignored by this kernel. Remove the mand
         option from the mount to silence this warning.
=======================================================
ocfs2: Mounting device (7,0) on (node local, slot 0) with ordered data mode.
overlayfs: upper fs does not support tmpfile.
overlayfs: upper fs does not support RENAME_WHITEOUT.
overlayfs: upper fs missing required features.
==================================================================
BUG: KASAN: use-after-free in ocfs2_check_dir_entry fs/ocfs2/dir.c:305 [inline]
BUG: KASAN: use-after-free in ocfs2_dir_foreach_blk_id fs/ocfs2/dir.c:1784 [inline]
BUG: KASAN: use-after-free in ocfs2_dir_foreach_blk+0x1704/0x1b20 fs/ocfs2/dir.c:1912
Read of size 2 at addr ffff88804d20b008 by task syz.0.0/5119

CPU: 0 UID: 0 PID: 5119 Comm: syz.0.0 Not tainted 6.11.0-syzkaller-08481-g88264981f208 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 ocfs2_check_dir_entry fs/ocfs2/dir.c:305 [inline]
 ocfs2_dir_foreach_blk_id fs/ocfs2/dir.c:1784 [inline]
 ocfs2_dir_foreach_blk+0x1704/0x1b20 fs/ocfs2/dir.c:1912
 ocfs2_readdir+0x2a1/0x5e0 fs/ocfs2/dir.c:1956
 wrap_directory_iterator+0x91/0xd0 fs/readdir.c:65
 iterate_dir+0x571/0x800 fs/readdir.c:108
 __do_sys_getdents64 fs/readdir.c:407 [inline]
 __se_sys_getdents64+0x20d/0x4f0 fs/readdir.c:392
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f9e2d77def9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f9e2e4f8038 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 00007f9e2d935f80 RCX: 00007f9e2d77def9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000008
RBP: 00007f9e2d7f0b76 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f9e2d935f80 R15: 00007ffd76550ee8
 </TASK>

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x20001 pfn:0x4d20b
flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
raw: 04fff00000000000 ffffea0001347788 ffffea0001347808 0000000000000000
raw: 0000000000020001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x140cca(GFP_HIGHUSER_MOVABLE|__GFP_COMP), pid 5119, tgid 5118 (syz.0.0), ts 141582230460, free_ts 141702836739
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0x3045/0x3190 mm/page_alloc.c:3457
 __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4733
 alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265
 folio_alloc_mpol_noprof+0x36/0x50 mm/mempolicy.c:2283
 __read_swap_cache_async+0x250/0x8e0 mm/swap_state.c:477
 swap_cluster_readahead+0x674/0x7f0 mm/swap_state.c:703
 swapin_readahead+0x1bb/0xdf0 mm/swap_state.c:882
 do_swap_page+0x584/0x7b30 mm/memory.c:4324
 handle_pte_fault+0x61d/0x6800 mm/memory.c:5754
 __handle_mm_fault mm/memory.c:5894 [inline]
 handle_mm_fault+0x1106/0x1bb0 mm/memory.c:6062
 do_user_addr_fault arch/x86/mm/fault.c:1389 [inline]
 handle_page_fault arch/x86/mm/fault.c:1481 [inline]
 exc_page_fault+0x2b9/0x8c0 arch/x86/mm/fault.c:1539
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
page last free pid 5119 tgid 5118 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1108 [inline]
 free_unref_folios+0xf12/0x18d0 mm/page_alloc.c:2686
 folios_put_refs+0x76c/0x860 mm/swap.c:1007
 free_pages_and_swap_cache+0x5c8/0x690 mm/swap_state.c:335
 __tlb_batch_free_encoded_pages mm/mmu_gather.c:136 [inline]
 tlb_batch_pages_flush mm/mmu_gather.c:149 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:366 [inline]
 tlb_flush_mmu+0x3a3/0x680 mm/mmu_gather.c:373
 tlb_finish_mmu+0xd4/0x200 mm/mmu_gather.c:465
 vms_clear_ptes+0x437/0x530 mm/vma.c:1096
 vms_clean_up_area+0x62/0x1c0 mm/vma.c:1108
 mmap_region+0x1a84/0x2990 mm/mmap.c:1439
 do_mmap+0x8f0/0x1000 mm/mmap.c:496
 vm_mmap_pgoff+0x1dd/0x3d0 mm/util.c:588
 ksys_mmap_pgoff+0x4eb/0x720 mm/mmap.c:542
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff88804d20af00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88804d20af80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88804d20b000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                      ^
 ffff88804d20b080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88804d20b100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite the report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup


* Re: [syzbot] [ocfs2?] KASAN: use-after-free Read in ocfs2_dir_foreach_blk
From: syzbot @ 2024-10-29 17:49 UTC (permalink / raw)
  To: jlbec, joseph.qi, linux-kernel, mark, ocfs2-devel, syzkaller-bugs

syzbot has found a reproducer for the following issue on:

HEAD commit:    e42b1a9a2557 Merge tag 'spi-fix-v6.12-rc5' of git://git.ke..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=170b064b980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=4aec7739e14231a7
dashboard link: https://syzkaller.appspot.com/bug?extid=b20bbf680bb0f2ecedae
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=108b064b980000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14a5f0e7980000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7feb34a89c2a/non_bootable_disk-e42b1a9a.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/3e2253169da8/vmlinux-e42b1a9a.xz
kernel image: https://storage.googleapis.com/syzbot-assets/b9d2f5008f24/bzImage-e42b1a9a.xz
mounted in repro #1: https://storage.googleapis.com/syzbot-assets/1da7d3546e21/mount_0.gz
mounted in repro #2: https://storage.googleapis.com/syzbot-assets/019e0246868a/mount_3.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b20bbf680bb0f2ecedae@syzkaller.appspotmail.com

(kworker/u4:4,1025,0):ocfs2_read_blocks_sync:112 ERROR: status = -12
(kworker/u4:4,1025,0):ocfs2_read_locked_inode:521 ERROR: status = -12
==================================================================
BUG: KASAN: slab-out-of-bounds in ocfs2_check_dir_entry fs/ocfs2/dir.c:321 [inline]
BUG: KASAN: slab-out-of-bounds in ocfs2_dir_foreach_blk_id fs/ocfs2/dir.c:1784 [inline]
BUG: KASAN: slab-out-of-bounds in ocfs2_dir_foreach_blk+0x1ab6/0x1b20 fs/ocfs2/dir.c:1912
Read of size 8 at addr ffff888040701778 by task kworker/u4:4/1025

CPU: 0 UID: 0 PID: 1025 Comm: kworker/u4:4 Not tainted 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: ocfs2_wq ocfs2_complete_recovery
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 ocfs2_check_dir_entry fs/ocfs2/dir.c:321 [inline]
 ocfs2_dir_foreach_blk_id fs/ocfs2/dir.c:1784 [inline]
 ocfs2_dir_foreach_blk+0x1ab6/0x1b20 fs/ocfs2/dir.c:1912
 ocfs2_dir_foreach+0xb4/0x100 fs/ocfs2/dir.c:1923
 ocfs2_queue_orphans fs/ocfs2/journal.c:2186 [inline]
 ocfs2_recover_orphans fs/ocfs2/journal.c:2270 [inline]
 ocfs2_complete_recovery+0xcf1/0x25c0 fs/ocfs2/journal.c:1351
 process_one_work kernel/workqueue.c:3229 [inline]
 process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310
 worker_thread+0x870/0xd30 kernel/workqueue.c:3391
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

Allocated by task 1:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 unpoison_slab_object mm/kasan/common.c:319 [inline]
 __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:345
 kasan_slab_alloc include/linux/kasan.h:247 [inline]
 slab_post_alloc_hook mm/slub.c:4085 [inline]
 slab_alloc_node mm/slub.c:4134 [inline]
 kmem_cache_alloc_noprof+0x135/0x2a0 mm/slub.c:4141
 __kernfs_new_node+0xd8/0x870 fs/kernfs/dir.c:624
 kernfs_new_node+0x137/0x240 fs/kernfs/dir.c:700
 __kernfs_create_file+0x49/0x2e0 fs/kernfs/file.c:1034
 sysfs_add_file_mode_ns+0x24a/0x310 fs/sysfs/file.c:307
 create_files fs/sysfs/group.c:76 [inline]
 internal_create_group+0x7a7/0x11d0 fs/sysfs/group.c:180
 sysfs_slab_add+0x157/0x290 mm/slub.c:7104
 slab_sysfs_init+0x66/0x170 mm/slub.c:7184
 do_one_initcall+0x248/0x880 init/main.c:1269
 do_initcall_level+0x157/0x210 init/main.c:1331
 do_initcalls+0x3f/0x80 init/main.c:1347
 kernel_init_freeable+0x435/0x5d0 init/main.c:1580
 kernel_init+0x1d/0x2b0 init/main.c:1469
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

The buggy address belongs to the object at ffff888040701690
 which belongs to the cache kernfs_node_cache of size 176
The buggy address is located 56 bytes to the right of
 allocated 176-byte region [ffff888040701690, ffff888040701740)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x40701
flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 04fff00000000000 ffff888030407dc0 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000110011 00000001f5000000 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 1, tgid 1 (swapper/0), ts 22332972406, free_ts 0
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1545 [inline]
 get_page_from_freelist+0x3045/0x3190 mm/page_alloc.c:3457
 __alloc_pages_noprof+0x292/0x710 mm/page_alloc.c:4733
 alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265
 alloc_slab_page+0x6a/0x120 mm/slub.c:2412
 allocate_slab+0x5a/0x2f0 mm/slub.c:2578
 new_slab mm/slub.c:2631 [inline]
 ___slab_alloc+0xcd1/0x14b0 mm/slub.c:3818
 __slab_alloc+0x58/0xa0 mm/slub.c:3908
 __slab_alloc_node mm/slub.c:3961 [inline]
 slab_alloc_node mm/slub.c:4122 [inline]
 kmem_cache_alloc_noprof+0x1c1/0x2a0 mm/slub.c:4141
 __kernfs_new_node+0xd8/0x870 fs/kernfs/dir.c:624
 kernfs_new_node+0x137/0x240 fs/kernfs/dir.c:700
 __kernfs_create_file+0x49/0x2e0 fs/kernfs/file.c:1034
 sysfs_add_file_mode_ns+0x24a/0x310 fs/sysfs/file.c:307
 create_files fs/sysfs/group.c:76 [inline]
 internal_create_group+0x7a7/0x11d0 fs/sysfs/group.c:180
 sysfs_slab_add+0x157/0x290 mm/slub.c:7104
 slab_sysfs_init+0x66/0x170 mm/slub.c:7184
page_owner free stack trace missing

Memory state around the buggy address:
 ffff888040701600: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
 ffff888040701680: fc fc 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888040701700: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
                                                                ^
 ffff888040701780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888040701800: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc 00 00
==================================================================


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.


* Re: [syzbot] [ocfs2?] KASAN: use-after-free Read in ocfs2_dir_foreach_blk
       [not found] <f347ec0c-a49c-4ec7-be81-f2829227ae75@yandex.ru>
From: syzbot @ 2025-10-08 18:32 UTC (permalink / raw)
  To: dmantipov, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+b20bbf680bb0f2ecedae@syzkaller.appspotmail.com
Tested-by: syzbot+b20bbf680bb0f2ecedae@syzkaller.appspotmail.com

Tested on:

commit:         0d97f206 Merge tag 'for-linus' of git://git.kernel.org..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=134a11e2580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=33b052d7a6d140c9
dashboard link: https://syzkaller.appspot.com/bug?extid=b20bbf680bb0f2ecedae
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=17bbf334580000

Note: testing is done by a robot and is best-effort only.


* Re: [syzbot] [ocfs2?] KASAN: use-after-free Read in ocfs2_dir_foreach_blk
       [not found] <50d1d8ef-e315-45cf-9d04-24eb9a908656@yandex.ru>
From: syzbot @ 2025-10-10  8:50 UTC (permalink / raw)
  To: dmantipov, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+b20bbf680bb0f2ecedae@syzkaller.appspotmail.com
Tested-by: syzbot+b20bbf680bb0f2ecedae@syzkaller.appspotmail.com

Tested on:

commit:         5472d60c Merge tag 'trace-v6.18-2' of git://git.kernel..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1657b458580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=2b842a78bbee09b1
dashboard link: https://syzkaller.appspot.com/bug?extid=b20bbf680bb0f2ecedae
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=13f08dcd980000

Note: testing is done by a robot and is best-effort only.


* Re: [syzbot] [ocfs2?] KASAN: use-after-free Read in ocfs2_dir_foreach_blk
       [not found] <20251022121245.D9ZlN%dmantipov@yandex.ru>
From: syzbot @ 2025-10-22 12:37 UTC (permalink / raw)
  To: dmantipov, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+b20bbf680bb0f2ecedae@syzkaller.appspotmail.com
Tested-by: syzbot+b20bbf680bb0f2ecedae@syzkaller.appspotmail.com

Tested on:

commit:         552c5071 Merge tag 'vfio-v6.18-rc3' of https://github...
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=167b8d2f980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=b1620e3721dc97c0
dashboard link: https://syzkaller.appspot.com/bug?extid=b20bbf680bb0f2ecedae
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=16c2ce7c580000

Note: testing is done by a robot and is best-effort only.


* Re: [syzbot] [ocfs2?] KASAN: use-after-free Read in ocfs2_dir_foreach_blk
       [not found] <20251024071156.ZjWKu%dmantipov@yandex.ru>
From: syzbot @ 2025-10-24 11:15 UTC (permalink / raw)
  To: dmantipov, linux-kernel, syzkaller-bugs

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

50.688447][ T6310] device veth1_vlan entered promiscuous mode
[   50.706746][ T1035] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[   50.714583][ T1035] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[   50.722574][ T1035] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[   50.731116][ T1035] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[   50.741832][ T6310] device veth0_macvtap entered promiscuous mode
[   50.752332][ T6310] device veth1_macvtap entered promiscuous mode
[   50.767297][ T6310] batman_adv: batadv0: Interface activated: batadv_slave_0
[   50.774561][   T44] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[   50.782673][   T44] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[   50.790547][   T44] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[   50.799051][   T44] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[   50.809245][ T6310] batman_adv: batadv0: Interface activated: batadv_slave_1
[   50.819680][   T44] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[   50.828323][   T44] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[   50.839843][ T6310] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[   50.848757][ T6310] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[   50.857500][ T6310] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[   50.866296][ T6310] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[   50.905760][    C0] ================================================================================
[   50.915055][    C0] UBSAN: signed-integer-overflow in ./arch/x86/include/asm/atomic.h:165:11
[   50.923684][    C0] -1416465042 + -1732037041 cannot be represented in type 'int'
[   50.931326][    C0] CPU: 0 PID: 6310 Comm: syz-executor Not tainted syzkaller #0
[   50.938841][    C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
[   50.948878][    C0] Call Trace:
[   50.952150][    C0]  <IRQ>
[   50.954981][    C0]  dump_stack+0xfd/0x16e
[   50.959197][    C0]  ubsan_epilogue+0xa/0x30
[   50.963586][    C0]  handle_overflow+0x192/0x1b0
[   50.968326][    C0]  ? do_syscall_64+0x34/0x50
[   50.972883][    C0]  ? prandom_u32+0x1d/0x1f0
[   50.977354][    C0]  ip_idents_reserve+0x14a/0x170
[   50.982259][    C0]  __ip_select_ident+0xe4/0x1c0
[   50.987096][    C0]  iptunnel_xmit+0x466/0x7b0
[   50.991696][    C0]  udp_tunnel_xmit_skb+0x1ba/0x290
[   50.996806][    C0]  geneve_xmit+0x1d05/0x2140
[   51.001464][    C0]  dev_hard_start_xmit+0x294/0x780
[   51.006575][    C0]  __dev_queue_xmit+0x1678/0x28b0
[   51.011592][    C0]  ip6_finish_output2+0x1020/0x1490
[   51.016769][    C0]  NF_HOOK+0x45/0x2c0
[   51.020719][    C0]  ? NF_HOOK+0x2c0/0x2c0
[   51.024936][    C0]  mld_sendpack+0x5f9/0xa70
[   51.029434][    C0]  mld_ifc_timer_expire+0x7e1/0x990
[   51.034621][    C0]  ? lock_acquire+0x78/0x310
[   51.039193][    C0]  ? lock_release+0x69/0x610
[   51.043762][    C0]  ? debug_object_deactivate+0x9b/0x250
[   51.049287][    C0]  ? mld_gq_timer_expire+0xe0/0xe0
[   51.054413][    C0]  call_timer_fn+0x105/0x440
[   51.059120][    C0]  ? mld_gq_timer_expire+0xe0/0xe0
[   51.064234][    C0]  __run_timers+0x5d8/0x7a0
[   51.068809][    C0]  ? __do_softirq+0x164/0x8ae
[   51.073463][    C0]  run_timer_softirq+0x19/0x30
[   51.078690][    C0]  __do_softirq+0x23c/0x8ae
[   51.083286][    C0]  ? asm_call_irq_on_stack+0xf/0x20
[   51.088488][    C0]  asm_call_irq_on_stack+0xf/0x20
[   51.093513][    C0]  </IRQ>
[   51.096429][    C0]  do_softirq_own_stack+0x6d/0xb0
[   51.101437][    C0]  __irq_exit_rcu+0x1e1/0x1f0
[   51.106105][    C0]  irq_exit_rcu+0x5/0x20
[   51.110371][    C0]  sysvec_apic_timer_interrupt+0x9d/0xb0
[   51.116111][    C0]  asm_sysvec_apic_timer_interrupt+0x12/0x20
[   51.122091][    C0] RIP: 0010:truncate_inode_pages_final+0x2/0xd0
[   51.128319][    C0] Code: fe e8 62 7a da ff 4c 89 f7 48 89 de 48 c7 c2 ff ff ff ff 5b 41 5e e9 ad e5 ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 66 90 41 57 <41> 56 53 48 89 fb 49 bf 00 00 00 00 00 fc ff df e8 29 7a da ff 48
[   51.147990][    C0] RSP: 0018:ffffc90001cff658 EFLAGS: 00000293
[   51.154043][    C0] RAX: ffffffff81b9ba30 RBX: ffff888038e835a0 RCX: ffff88801b1cd040
[   51.161995][    C0] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff888038e837c8
[   51.170256][    C0] RBP: ffff888038e83678 R08: dffffc0000000000 R09: ffffed10071d06c6
[   51.178204][    C0] R10: ffffed10071d06c6 R11: 1ffff110071d06c5 R12: dffffc0000000000
[   51.186161][    C0] R13: ffffffff893efaf0 R14: 0000000000000000 R15: ffff888038e83628
[   51.194208][    C0]  ? evict+0x410/0x860
[   51.198252][    C0]  evict+0x41c/0x860
[   51.202557][    C0]  ? _raw_spin_unlock+0x1a/0x30
[   51.207377][    C0]  ? iput+0x6d9/0x890
[   51.211339][    C0]  __dentry_kill+0x436/0x660
[   51.215919][    C0]  dentry_kill+0xb9/0x2d0
[   51.220305][    C0]  dput+0xd5/0x1b0
[   51.224008][    C0]  simple_recursive_removal+0x295/0x8e0
[   51.229524][    C0]  ? debugfs_remove+0x70/0x70
[   51.234238][    C0]  debugfs_remove+0x56/0x70
[   51.238760][    C0]  ieee80211_debugfs_remove_netdev+0x4e/0xb0
[   51.244718][    C0]  ieee80211_if_change_type+0x215/0xe60
[   51.250235][    C0]  ? trace_rdev_return_void+0x7a/0x190
[   51.255665][    C0]  ? ieee80211_set_cqm_rssi_range_config+0x220/0x220
[   51.262453][    C0]  ? cfg80211_mgmt_registrations_update+0x5dc/0x7d0
[   51.269031][    C0]  ieee80211_change_iface+0x57/0x420
[   51.274298][    C0]  cfg80211_change_iface+0x73c/0xe50
[   51.279558][    C0]  nl80211_set_interface+0x43e/0x750
[   51.285004][    C0]  genl_rcv_msg+0xb22/0xdd0
[   51.289582][    C0]  ? nl80211_dump_interface+0x630/0x630
[   51.295106][    C0]  netlink_rcv_skb+0x187/0x390
[   51.299927][    C0]  ? genl_bind+0x2c0/0x2c0
[   51.304331][    C0]  genl_rcv+0x24/0x40
[   51.308316][    C0]  netlink_unicast+0x7b7/0x9b0
[   51.313154][    C0]  netlink_sendmsg+0x968/0xb50
[   51.317999][    C0]  ? netlink_getsockopt+0x4f0/0x4f0
[   51.323270][    C0]  __sock_sendmsg+0x15c/0x170
[   51.328024][    C0]  __sys_sendto+0x323/0x430
[   51.332498][    C0]  __x64_sys_sendto+0xda/0xf0
[   51.337178][    C0]  do_syscall_64+0x34/0x50
[   51.341745][    C0]  entry_SYSCALL_64_after_hwframe+0x67/0xd1
[   51.347795][    C0] RIP: 0033:0x7f971276aa3c
[   51.352206][    C0] Code: 2a 5f 02 00 44 8b 4c 24 2c 4c 8b 44 24 20 89 c5 44 8b 54 24 28 48 8b 54 24 18 b8 2c 00 00 00 48 8b 74 24 10 8b 7c 24 08 0f 05 <48> 3d 00 f0 ff ff 77 34 89 ef 48 89 44 24 08 e8 70 5f 02 00 48 8b
[   51.371869][    C0] RSP: 002b:00007ffd4d7d3b30 EFLAGS: 00000293 ORIG_RAX: 000000000000002c
[   51.380254][    C0] RAX: ffffffffffffffda RBX: 00007f97134de620 RCX: 00007f971276aa3c
[   51.388206][    C0] RDX: 0000000000000024 RSI: 00007f97134de670 RDI: 0000000000000003
[   51.396360][    C0] RBP: 0000000000000000 R08: 00007ffd4d7d3b84 R09: 000000000000000c
[   51.404329][    C0] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000003
[   51.412277][    C0] R13: 0000000000000000 R14: 00007f97134de670 R15: 0000000000000000
[   51.420284][    C0] ================================================================================
[   51.425412][ T6054] Bluetooth: hci0: command 0x0409 tx timeout
[   51.429678][    C0] Kernel panic - not syncing: UBSAN: panic_on_warn set ...
[   51.442783][    C0] CPU: 0 PID: 6310 Comm: syz-executor Not tainted syzkaller #0
[   51.450297][    C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
[   51.460336][    C0] Call Trace:
[   51.463600][    C0]  <IRQ>
[   51.466429][    C0]  dump_stack+0xfd/0x16e
[   51.470817][    C0]  panic+0x2f0/0x9c0
[   51.474691][    C0]  check_panic_on_warn+0x95/0xe0
[   51.479688][    C0]  handle_overflow+0x192/0x1b0
[   51.484421][    C0]  ? do_syscall_64+0x34/0x50
[   51.488983][    C0]  ? prandom_u32+0x1d/0x1f0
[   51.493463][    C0]  ip_idents_reserve+0x14a/0x170
[   51.498392][    C0]  __ip_select_ident+0xe4/0x1c0
[   51.503215][    C0]  iptunnel_xmit+0x466/0x7b0
[   51.507794][    C0]  udp_tunnel_xmit_skb+0x1ba/0x290
[   51.512893][    C0]  geneve_xmit+0x1d05/0x2140
[   51.517470][    C0]  dev_hard_start_xmit+0x294/0x780
[   51.522562][    C0]  __dev_queue_xmit+0x1678/0x28b0
[   51.527566][    C0]  ip6_finish_output2+0x1020/0x1490
[   51.532737][    C0]  NF_HOOK+0x45/0x2c0
[   51.536699][    C0]  ? NF_HOOK+0x2c0/0x2c0
[   51.540927][    C0]  mld_sendpack+0x5f9/0xa70
[   51.545417][    C0]  mld_ifc_timer_expire+0x7e1/0x990
[   51.550595][    C0]  ? lock_acquire+0x78/0x310
[   51.555163][    C0]  ? lock_release+0x69/0x610
[   51.559730][    C0]  ? debug_object_deactivate+0x9b/0x250
[   51.565246][    C0]  ? mld_gq_timer_expire+0xe0/0xe0
[   51.570327][    C0]  call_timer_fn+0x105/0x440
[   51.575081][    C0]  ? mld_gq_timer_expire+0xe0/0xe0
[   51.580163][    C0]  __run_timers+0x5d8/0x7a0
[   51.584647][    C0]  ? __do_softirq+0x164/0x8ae
[   51.589330][    C0]  run_timer_softirq+0x19/0x30
[   51.594067][    C0]  __do_softirq+0x23c/0x8ae
[   51.598568][    C0]  ? asm_call_irq_on_stack+0xf/0x20
[   51.603833][    C0]  asm_call_irq_on_stack+0xf/0x20
[   51.608831][    C0]  </IRQ>
[   51.611742][    C0]  do_softirq_own_stack+0x6d/0xb0
[   51.616739][    C0]  __irq_exit_rcu+0x1e1/0x1f0
[   51.621421][    C0]  irq_exit_rcu+0x5/0x20
[   51.625666][    C0]  sysvec_apic_timer_interrupt+0x9d/0xb0
[   51.631392][    C0]  asm_sysvec_apic_timer_interrupt+0x12/0x20
[   51.637422][    C0] RIP: 0010:truncate_inode_pages_final+0x2/0xd0
[   51.643641][    C0] Code: fe e8 62 7a da ff 4c 89 f7 48 89 de 48 c7 c2 ff ff ff ff 5b 41 5e e9 ad e5 ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 66 90 41 57 <41> 56 53 48 89 fb 49 bf 00 00 00 00 00 fc ff df e8 29 7a da ff 48
[   51.663214][    C0] RSP: 0018:ffffc90001cff658 EFLAGS: 00000293
[   51.669401][    C0] RAX: ffffffff81b9ba30 RBX: ffff888038e835a0 RCX: ffff88801b1cd040
[   51.677381][    C0] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff888038e837c8
[   51.685334][    C0] RBP: ffff888038e83678 R08: dffffc0000000000 R09: ffffed10071d06c6
[   51.693282][    C0] R10: ffffed10071d06c6 R11: 1ffff110071d06c5 R12: dffffc0000000000
[   51.701226][    C0] R13: ffffffff893efaf0 R14: 0000000000000000 R15: ffff888038e83628
[   51.709190][    C0]  ? evict+0x410/0x860
[   51.713328][    C0]  evict+0x41c/0x860
[   51.717195][    C0]  ? _raw_spin_unlock+0x1a/0x30
[   51.722026][    C0]  ? iput+0x6d9/0x890
[   51.725979][    C0]  __dentry_kill+0x436/0x660
[   51.730536][    C0]  dentry_kill+0xb9/0x2d0
[   51.734907][    C0]  dput+0xd5/0x1b0
[   51.738655][    C0]  simple_recursive_removal+0x295/0x8e0
[   51.744283][    C0]  ? debugfs_remove+0x70/0x70
[   51.748935][    C0]  debugfs_remove+0x56/0x70
[   51.753415][    C0]  ieee80211_debugfs_remove_netdev+0x4e/0xb0
[   51.759395][    C0]  ieee80211_if_change_type+0x215/0xe60
[   51.765032][    C0]  ? trace_rdev_return_void+0x7a/0x190
[   51.770486][    C0]  ? ieee80211_set_cqm_rssi_range_config+0x220/0x220
[   51.777136][    C0]  ? cfg80211_mgmt_registrations_update+0x5dc/0x7d0
[   51.783695][    C0]  ieee80211_change_iface+0x57/0x420
[   51.788958][    C0]  cfg80211_change_iface+0x73c/0xe50
[   51.794219][    C0]  nl80211_set_interface+0x43e/0x750
[   51.799488][    C0]  genl_rcv_msg+0xb22/0xdd0
[   51.803966][    C0]  ? nl80211_dump_interface+0x630/0x630
[   51.809481][    C0]  netlink_rcv_skb+0x187/0x390
[   51.814303][    C0]  ? genl_bind+0x2c0/0x2c0
[   51.818688][    C0]  genl_rcv+0x24/0x40
[   51.822639][    C0]  netlink_unicast+0x7b7/0x9b0
[   51.827389][    C0]  netlink_sendmsg+0x968/0xb50
[   51.832154][    C0]  ? netlink_getsockopt+0x4f0/0x4f0
[   51.837345][    C0]  __sock_sendmsg+0x15c/0x170
[   51.842085][    C0]  __sys_sendto+0x323/0x430
[   51.846568][    C0]  __x64_sys_sendto+0xda/0xf0
[   51.851220][    C0]  do_syscall_64+0x34/0x50
[   51.855606][    C0]  entry_SYSCALL_64_after_hwframe+0x67/0xd1
[   51.861556][    C0] RIP: 0033:0x7f971276aa3c
[   51.866054][    C0] Code: 2a 5f 02 00 44 8b 4c 24 2c 4c 8b 44 24 20 89 c5 44 8b 54 24 28 48 8b 54 24 18 b8 2c 00 00 00 48 8b 74 24 10 8b 7c 24 08 0f 05 <48> 3d 00 f0 ff ff 77 34 89 ef 48 89 44 24 08 e8 70 5f 02 00 48 8b
[   51.885718][    C0] RSP: 002b:00007ffd4d7d3b30 EFLAGS: 00000293 ORIG_RAX: 000000000000002c
[   51.894103][    C0] RAX: ffffffffffffffda RBX: 00007f97134de620 RCX: 00007f971276aa3c
[   51.902132][    C0] RDX: 0000000000000024 RSI: 00007f97134de670 RDI: 0000000000000003
[   51.910076][    C0] RBP: 0000000000000000 R08: 00007ffd4d7d3b84 R09: 000000000000000c
[   51.918102][    C0] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000003
[   51.926045][    C0] R13: 0000000000000000 R14: 00007f97134de670 R15: 0000000000000000
[   51.934253][    C0] Kernel Offset: disabled
[   51.938567][    C0] Rebooting in 86400 seconds..


syzkaller build log:
go env (err=<nil>)
AR='ar'
CC='gcc'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='1'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
CXX='g++'
GCCGO='gccgo'
GO111MODULE='auto'
GOAMD64='v1'
GOARCH='amd64'
GOAUTH='netrc'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOCACHEPROG=''
GODEBUG=''
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFIPS140='off'
GOFLAGS=''
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build210064581=/tmp/go-build -gno-record-gcc-switches'
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMOD='/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOMODCACHE='/syzkaller/jobs-2/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs-2/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTELEMETRY='local'
GOTELEMETRYDIR='/syzkaller/.config/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.24.4'
GOWORK=''
PKG_CONFIG='pkg-config'

git status (err=<nil>)
HEAD detached at e2beed91937
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=e2beed91937c0ace342f19a2e9afb67adb3a828a -X github.com/google/syzkaller/prog.gitRevisionDate=20250911-084951"  ./sys/syz-sysgen | grep -q false || go install -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=e2beed91937c0ace342f19a2e9afb67adb3a828a -X github.com/google/syzkaller/prog.gitRevisionDate=20250911-084951"  ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=e2beed91937c0ace342f19a2e9afb67adb3a828a -X github.com/google/syzkaller/prog.gitRevisionDate=20250911-084951"  -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
	-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include   -DGOOS_linux=1 -DGOARCH_amd64=1 \
	-DHOSTGOOS_linux=1 -DGIT_REVISION=\"e2beed91937c0ace342f19a2e9afb67adb3a828a\"
/usr/bin/ld: /tmp/cczDeOCJ.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
./tools/check-syzos.sh 2>/dev/null


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=14e3db04580000


Tested on:

commit:         d3d0b4e2 Linux 5.10.245
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git linux-5.10.y
kernel config:  https://syzkaller.appspot.com/x/.config?x=39182a54870857eb
dashboard link: https://syzkaller.appspot.com/bug?extid=b20bbf680bb0f2ecedae
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=13bc7734580000


^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: [syzbot] [ocfs2?] KASAN: use-after-free Read in ocfs2_dir_foreach_blk
       [not found] <20251024071523.5h4jc%dmantipov@yandex.ru>
@ 2025-10-24 12:54 ` syzbot
  0 siblings, 0 replies; 17+ messages in thread
From: syzbot @ 2025-10-24 12:54 UTC (permalink / raw)
  To: dmantipov, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+b20bbf680bb0f2ecedae@syzkaller.appspotmail.com
Tested-by: syzbot+b20bbf680bb0f2ecedae@syzkaller.appspotmail.com

Tested on:

commit:         8e6e2188 Linux 6.1.157
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=17c17734580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=3fff88b67220f824
dashboard link: https://syzkaller.appspot.com/bug?extid=b20bbf680bb0f2ecedae
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=164eae7c580000

Note: testing is done by a robot and is best-effort only.


* Re: [syzbot] [ocfs2?] KASAN: use-after-free Read in ocfs2_dir_foreach_blk
       [not found] <20251024071534.vdlG6%dmantipov@yandex.ru>
@ 2025-10-24 14:16 ` syzbot
  0 siblings, 0 replies; 17+ messages in thread
From: syzbot @ 2025-10-24 14:16 UTC (permalink / raw)
  To: dmantipov, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+b20bbf680bb0f2ecedae@syzkaller.appspotmail.com
Tested-by: syzbot+b20bbf680bb0f2ecedae@syzkaller.appspotmail.com

Tested on:

commit:         4fc43deb Linux 6.12.55
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git linux-6.12.y
console output: https://syzkaller.appspot.com/x/log.txt?x=13697734580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=52b41b67187b07bc
dashboard link: https://syzkaller.appspot.com/bug?extid=b20bbf680bb0f2ecedae
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=177a8c92580000

Note: testing is done by a robot and is best-effort only.


* Re: [syzbot] [ocfs2?] KASAN: use-after-free Read in ocfs2_dir_foreach_blk
       [not found] <20251028104008.aUH8N%dmantipov@yandex.ru>
@ 2025-10-28 10:44 ` syzbot
  0 siblings, 0 replies; 17+ messages in thread
From: syzbot @ 2025-10-28 10:44 UTC (permalink / raw)
  To: dmantipov, linux-kernel, syzkaller-bugs

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to checkout kernel repo https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/linux-5.10.y: failed to run ["git" "fetch" "--force" "4d52a57a3858a6eee0d0b25cc3a0c9533f747d8f" "linux-5.10.y"]: exit status 128


Tested on:

commit:         [unknown 
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git linux-5.10.y
kernel config:  https://syzkaller.appspot.com/x/.config?x=f5b21423ca3f0a96
dashboard link: https://syzkaller.appspot.com/bug?extid=b20bbf680bb0f2ecedae
compiler:       
patch:          https://syzkaller.appspot.com/x/patch.diff?x=109ed3cd980000



* Re: [syzbot] [ocfs2?] KASAN: use-after-free Read in ocfs2_dir_foreach_blk
       [not found] <20251028104121.ety-O%dmantipov@yandex.ru>
@ 2025-10-28 10:47 ` syzbot
  0 siblings, 0 replies; 17+ messages in thread
From: syzbot @ 2025-10-28 10:47 UTC (permalink / raw)
  To: dmantipov, linux-kernel, syzkaller-bugs

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to checkout kernel repo https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/linux-6.1.y: failed to run ["git" "fetch" "--force" "4d52a57a3858a6eee0d0b25cc3a0c9533f747d8f" "linux-6.1.y"]: exit status 128


Tested on:

commit:         [unknown 
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git linux-6.1.y
kernel config:  https://syzkaller.appspot.com/x/.config?x=f5b21423ca3f0a96
dashboard link: https://syzkaller.appspot.com/bug?extid=b20bbf680bb0f2ecedae
compiler:       
patch:          https://syzkaller.appspot.com/x/patch.diff?x=15b81f34580000



* Re: [syzbot] [ocfs2?] KASAN: use-after-free Read in ocfs2_dir_foreach_blk
       [not found] <20251028104200.0Jsxs%dmantipov@yandex.ru>
@ 2025-10-28 10:50 ` syzbot
  0 siblings, 0 replies; 17+ messages in thread
From: syzbot @ 2025-10-28 10:50 UTC (permalink / raw)
  To: dmantipov, linux-kernel, syzkaller-bugs

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to checkout kernel repo https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/linux-6.12.y: failed to run ["git" "fetch" "--force" "4d52a57a3858a6eee0d0b25cc3a0c9533f747d8f" "linux-6.12.y"]: exit status 128


Tested on:

commit:         [unknown 
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git linux-6.12.y
kernel config:  https://syzkaller.appspot.com/x/.config?x=f5b21423ca3f0a96
dashboard link: https://syzkaller.appspot.com/bug?extid=b20bbf680bb0f2ecedae
compiler:       
patch:          https://syzkaller.appspot.com/x/patch.diff?x=10463614580000



* Re: [syzbot] [ocfs2?] KASAN: use-after-free Read in ocfs2_dir_foreach_blk
       [not found] <20251028181941.KBqNN%dmantipov@yandex.ru>
@ 2025-10-28 20:04 ` syzbot
  0 siblings, 0 replies; 17+ messages in thread
From: syzbot @ 2025-10-28 20:04 UTC (permalink / raw)
  To: dmantipov, linux-kernel, syzkaller-bugs

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

fs/ocfs2/ocfs2_fs.h:474:40: error: expected ';' at end of declaration list
fs/ocfs2/ocfs2_fs.h:489:40: error: expected ';' at end of declaration list
fs/ocfs2/ocfs2_fs.h:502:43: error: expected ';' at end of declaration list
fs/ocfs2/ocfs2_fs.h:646:26: error: expected ';' at end of declaration list
fs/ocfs2/ocfs2_fs.h:659:16: error: expected ';' at end of declaration list
fs/ocfs2/ocfs2_fs.h:807:37: error: expected ';' at end of declaration list
fs/ocfs2/ocfs2_fs.h:943:43: error: expected ';' at end of declaration list
fs/ocfs2/ocfs2_fs.h:1030:39: error: expected ';' at end of declaration list


Tested on:

commit:         d3d0b4e2 Linux 5.10.245
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git linux-5.10.y
kernel config:  https://syzkaller.appspot.com/x/.config?x=f5b21423ca3f0a96
dashboard link: https://syzkaller.appspot.com/bug?extid=b20bbf680bb0f2ecedae
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=141d3614580000



* Re: [syzbot] [ocfs2?] KASAN: use-after-free Read in ocfs2_dir_foreach_blk
       [not found] <20251028182111.sA3bn%dmantipov@yandex.ru>
@ 2025-10-28 20:53 ` syzbot
  0 siblings, 0 replies; 17+ messages in thread
From: syzbot @ 2025-10-28 20:53 UTC (permalink / raw)
  To: dmantipov, linux-kernel, syzkaller-bugs

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

fs/ocfs2/ocfs2_fs.h:472:40: error: expected ';' at end of declaration list
fs/ocfs2/ocfs2_fs.h:487:40: error: expected ';' at end of declaration list
fs/ocfs2/ocfs2_fs.h:500:43: error: expected ';' at end of declaration list
fs/ocfs2/ocfs2_fs.h:644:26: error: expected ';' at end of declaration list
fs/ocfs2/ocfs2_fs.h:657:16: error: expected ';' at end of declaration list
fs/ocfs2/ocfs2_fs.h:805:37: error: expected ';' at end of declaration list
fs/ocfs2/ocfs2_fs.h:941:43: error: expected ';' at end of declaration list
fs/ocfs2/ocfs2_fs.h:1028:39: error: expected ';' at end of declaration list


Tested on:

commit:         8e6e2188 Linux 6.1.157
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git linux-6.1.y
kernel config:  https://syzkaller.appspot.com/x/.config?x=f5b21423ca3f0a96
dashboard link: https://syzkaller.appspot.com/bug?extid=b20bbf680bb0f2ecedae
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=12ee6932580000



* Re: [syzbot] [ocfs2?] KASAN: use-after-free Read in ocfs2_dir_foreach_blk
       [not found] <20251028182301.mjdz5%dmantipov@yandex.ru>
@ 2025-10-28 22:08 ` syzbot
  0 siblings, 0 replies; 17+ messages in thread
From: syzbot @ 2025-10-28 22:08 UTC (permalink / raw)
  To: dmantipov, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+b20bbf680bb0f2ecedae@syzkaller.appspotmail.com
Tested-by: syzbot+b20bbf680bb0f2ecedae@syzkaller.appspotmail.com

Tested on:

commit:         4fc43deb Linux 6.12.55
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git linux-6.12.y
console output: https://syzkaller.appspot.com/x/log.txt?x=17358bcd980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=52b41b67187b07bc
dashboard link: https://syzkaller.appspot.com/bug?extid=b20bbf680bb0f2ecedae
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=12ea67e2580000

Note: testing is done by a robot and is best-effort only.


* Re: [syzbot] [ocfs2?] KASAN: use-after-free Read in ocfs2_dir_foreach_blk
       [not found] <20251029062154.55JsK%dmantipov@yandex.ru>
@ 2025-10-29 10:48 ` syzbot
  0 siblings, 0 replies; 17+ messages in thread
From: syzbot @ 2025-10-29 10:48 UTC (permalink / raw)
  To: dmantipov, linux-kernel, syzkaller-bugs

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

omes ready
[   58.948418][ T1019] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[   58.956145][ T6370] device veth0_vlan entered promiscuous mode
[   58.970007][ T6370] device veth1_vlan entered promiscuous mode
[   58.988166][ T1121] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[   58.996279][ T1121] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[   59.004239][ T1121] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[   59.012641][ T1121] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[   59.022364][ T6370] device veth0_macvtap entered promiscuous mode
[   59.033758][ T6370] device veth1_macvtap entered promiscuous mode
[   59.047533][ T6370] batman_adv: batadv0: Interface activated: batadv_slave_0
[   59.057709][ T6370] batman_adv: batadv0: Interface activated: batadv_slave_1
[   59.065252][ T1121] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[   59.073242][ T1121] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[   59.081462][ T1121] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[   59.090049][ T1121] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[   59.098646][ T1121] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[   59.107144][ T1121] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[   59.117076][ T6370] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[   59.126016][ T6370] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[   59.134732][ T6370] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[   59.143399][ T6370] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[   59.174329][    C0] ================================================================================
[   59.183666][    C0] UBSAN: signed-integer-overflow in ./arch/x86/include/asm/atomic.h:165:11
[   59.192488][    C0] 1175525299 + 1358810344 cannot be represented in type 'int'
[   59.200063][    C0] CPU: 0 PID: 6370 Comm: syz-executor Not tainted syzkaller #0
[   59.207691][    C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
[   59.217852][    C0] Call Trace:
[   59.221135][    C0]  <IRQ>
[   59.223999][    C0]  dump_stack+0xfd/0x16e
[   59.228248][    C0]  ubsan_epilogue+0xa/0x30
[   59.232700][    C0]  handle_overflow+0x192/0x1b0
[   59.237472][    C0]  ? __sys_sendto+0x323/0x430
[   59.242160][    C0]  ? prandom_u32+0x1d/0x1f0
[   59.246674][    C0]  ip_idents_reserve+0x14a/0x170
[   59.251640][    C0]  __ip_select_ident+0xe4/0x1c0
[   59.256503][    C0]  iptunnel_xmit+0x466/0x7b0
[   59.261103][    C0]  udp_tunnel_xmit_skb+0x1ba/0x290
[   59.266427][    C0]  geneve_xmit+0x1d05/0x2140
[   59.271032][    C0]  dev_hard_start_xmit+0x294/0x780
[   59.276150][    C0]  __dev_queue_xmit+0x1678/0x28b0
[   59.281177][    C0]  ip6_finish_output2+0x1020/0x1490
[   59.286390][    C0]  NF_HOOK+0x45/0x2c0
[   59.290567][    C0]  ? NF_HOOK+0x2c0/0x2c0
[   59.294813][    C0]  mld_sendpack+0x5f9/0xa70
[   59.299323][    C0]  mld_ifc_timer_expire+0x7e1/0x990
[   59.304526][    C0]  ? lock_acquire+0x78/0x310
[   59.309234][    C0]  ? lock_release+0x69/0x610
[   59.313846][    C0]  ? debug_object_deactivate+0x9b/0x250
[   59.319401][    C0]  ? mld_gq_timer_expire+0xe0/0xe0
[   59.324524][    C0]  call_timer_fn+0x105/0x440
[   59.329120][    C0]  ? mld_gq_timer_expire+0xe0/0xe0
[   59.334331][    C0]  __run_timers+0x5d8/0x7a0
[   59.338941][    C0]  ? __do_softirq+0x164/0x8ae
[   59.343624][    C0]  run_timer_softirq+0x19/0x30
[   59.348392][    C0]  __do_softirq+0x23c/0x8ae
[   59.352911][    C0]  ? asm_call_irq_on_stack+0xf/0x20
[   59.358118][    C0]  asm_call_irq_on_stack+0xf/0x20
[   59.363137][    C0]  </IRQ>
[   59.366089][    C0]  do_softirq_own_stack+0x6d/0xb0
[   59.371295][    C0]  __irq_exit_rcu+0x1e1/0x1f0
[   59.375980][    C0]  irq_exit_rcu+0x5/0x20
[   59.380251][    C0]  sysvec_apic_timer_interrupt+0x9d/0xb0
[   59.385992][    C0]  asm_sysvec_apic_timer_interrupt+0x12/0x20
[   59.392003][    C0] RIP: 0010:memset_erms+0xb/0x20
[   59.396940][    C0] Code: 0f af c6 f3 48 ab 89 d1 f3 aa 4c 89 c8 e9 bd e1 3a 05 66 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 f9 40 88 f0 48 89 d1 f3 aa <4c> 89 c8 c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 66 90 49
[   59.416545][    C0] RSP: 0018:ffffc90001a4f468 EFLAGS: 00000202
[   59.422707][    C0] RAX: 0000000000000000 RBX: ffff8880376f2648 RCX: 0000000000000000
[   59.430762][    C0] RDX: 0000000000000010 RSI: 0000000000000000 RDI: ffff8880376f2658
[   59.438798][    C0] RBP: 0000000000040cd0 R08: dffffc0000000000 R09: ffff8880376f2648
[   59.446750][    C0] R10: ffffed1006ede4cb R11: 1ffff11006ede4c9 R12: 0000000000000007
[   59.454709][    C0] R13: 0000000000000002 R14: ffff8880376f2760 R15: dffffc0000000000
[   59.462719][    C0]  init_once+0x237/0x260
[   59.466946][    C0]  setup_object+0x40/0x130
[   59.471344][    C0]  new_slab+0x1b0/0x4a0
[   59.475471][    C0]  ? mempolicy_slab_node+0x124/0x2f0
[   59.480818][    C0]  ___slab_alloc+0x3d1/0x580
[   59.485389][    C0]  ? new_inode_pseudo+0x7d/0x220
[   59.490301][    C0]  ? new_inode_pseudo+0x7d/0x220
[   59.495230][    C0]  kmem_cache_alloc+0x131/0x2e0
[   59.500058][    C0]  new_inode_pseudo+0x7d/0x220
[   59.504986][    C0]  new_inode+0x25/0x1c0
[   59.509118][    C0]  ? start_creating+0x1fc/0x310
[   59.513937][    C0]  __debugfs_create_file+0x148/0x520
[   59.519204][    C0]  ieee80211_debugfs_add_netdev+0xd6a/0xe50
[   59.525082][    C0]  ieee80211_if_add+0x717/0x16a0
[   59.529995][    C0]  ieee80211_register_hw+0x2be1/0x3bf0
[   59.535437][    C0]  mac80211_hwsim_new_radio+0x2c63/0x4300
[   59.541143][    C0]  hwsim_new_radio_nl+0xb4f/0xd50
[   59.546143][    C0]  genl_rcv_msg+0xb22/0xdd0
[   59.550632][    C0]  ? hwsim_tx_info_frame_received_nl+0xef0/0xef0
[   59.556941][    C0]  netlink_rcv_skb+0x187/0x390
[   59.561683][    C0]  ? genl_bind+0x2c0/0x2c0
[   59.566088][    C0]  genl_rcv+0x24/0x40
[   59.570249][    C0]  netlink_unicast+0x7b7/0x9b0
[   59.575081][    C0]  netlink_sendmsg+0x968/0xb50
[   59.579913][    C0]  ? netlink_getsockopt+0x4f0/0x4f0
[   59.585124][    C0]  __sock_sendmsg+0x15c/0x170
[   59.589822][    C0]  __sys_sendto+0x323/0x430
[   59.594319][    C0]  __x64_sys_sendto+0xda/0xf0
[   59.599079][    C0]  do_syscall_64+0x34/0x50
[   59.603471][    C0]  entry_SYSCALL_64_after_hwframe+0x67/0xd1
[   59.609433][    C0] RIP: 0033:0x7f378254ea3c
[   59.614162][    C0] Code: 2a 5f 02 00 44 8b 4c 24 2c 4c 8b 44 24 20 89 c5 44 8b 54 24 28 48 8b 54 24 18 b8 2c 00 00 00 48 8b 74 24 10 8b 7c 24 08 0f 05 <48> 3d 00 f0 ff ff 77 34 89 ef 48 89 44 24 08 e8 70 5f 02 00 48 8b
[   59.633920][    C0] RSP: 002b:00007ffde7bb18f0 EFLAGS: 00000293 ORIG_RAX: 000000000000002c
[   59.642418][    C0] RAX: ffffffffffffffda RBX: 00007f37832c2620 RCX: 00007f378254ea3c
[   59.650377][    C0] RDX: 0000000000000024 RSI: 00007f37832c2670 RDI: 0000000000000003
[   59.658358][    C0] RBP: 0000000000000000 R08: 00007ffde7bb1944 R09: 000000000000000c
[   59.666342][    C0] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000003
[   59.674343][    C0] R13: 0000000000000000 R14: 00007f37832c2670 R15: 0000000000000000
[   59.682356][    C0] ================================================================================
[   59.691756][    C0] Kernel panic - not syncing: UBSAN: panic_on_warn set ...
[   59.698933][    C0] CPU: 0 PID: 6370 Comm: syz-executor Not tainted syzkaller #0
[   59.706521][    C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
[   59.716551][    C0] Call Trace:
[   59.719834][    C0]  <IRQ>
[   59.722667][    C0]  dump_stack+0xfd/0x16e
[   59.726892][    C0]  panic+0x2f0/0x9c0
[   59.730778][    C0]  check_panic_on_warn+0x95/0xe0
[   59.735693][    C0]  handle_overflow+0x192/0x1b0
[   59.740430][    C0]  ? __sys_sendto+0x323/0x430
[   59.745387][    C0]  ? prandom_u32+0x1d/0x1f0
[   59.749884][    C0]  ip_idents_reserve+0x14a/0x170
[   59.754830][    C0]  __ip_select_ident+0xe4/0x1c0
[   59.759747][    C0]  iptunnel_xmit+0x466/0x7b0
[   59.764421][    C0]  udp_tunnel_xmit_skb+0x1ba/0x290
[   59.769531][    C0]  geneve_xmit+0x1d05/0x2140
[   59.774139][    C0]  dev_hard_start_xmit+0x294/0x780
[   59.779336][    C0]  __dev_queue_xmit+0x1678/0x28b0
[   59.784338][    C0]  ip6_finish_output2+0x1020/0x1490
[   59.789515][    C0]  NF_HOOK+0x45/0x2c0
[   59.793575][    C0]  ? NF_HOOK+0x2c0/0x2c0
[   59.797891][    C0]  mld_sendpack+0x5f9/0xa70
[   59.802474][    C0]  mld_ifc_timer_expire+0x7e1/0x990
[   59.804690][ T6333] Bluetooth: hci0: command 0x0409 tx timeout
[   59.808108][    C0]  ? lock_acquire+0x78/0x310
[   59.818844][    C0]  ? lock_release+0x69/0x610
[   59.823619][    C0]  ? debug_object_deactivate+0x9b/0x250
[   59.829328][    C0]  ? mld_gq_timer_expire+0xe0/0xe0
[   59.834428][    C0]  call_timer_fn+0x105/0x440
[   59.839004][    C0]  ? mld_gq_timer_expire+0xe0/0xe0
[   59.844183][    C0]  __run_timers+0x5d8/0x7a0
[   59.848682][    C0]  ? __do_softirq+0x164/0x8ae
[   59.853362][    C0]  run_timer_softirq+0x19/0x30
[   59.858110][    C0]  __do_softirq+0x23c/0x8ae
[   59.863190][    C0]  ? asm_call_irq_on_stack+0xf/0x20
[   59.868486][    C0]  asm_call_irq_on_stack+0xf/0x20
[   59.873488][    C0]  </IRQ>
[   59.876458][    C0]  do_softirq_own_stack+0x6d/0xb0
[   59.881487][    C0]  __irq_exit_rcu+0x1e1/0x1f0
[   59.886306][    C0]  irq_exit_rcu+0x5/0x20
[   59.890662][    C0]  sysvec_apic_timer_interrupt+0x9d/0xb0
[   59.896277][    C0]  asm_sysvec_apic_timer_interrupt+0x12/0x20
[   59.902237][    C0] RIP: 0010:memset_erms+0xb/0x20
[   59.907244][    C0] Code: 0f af c6 f3 48 ab 89 d1 f3 aa 4c 89 c8 e9 bd e1 3a 05 66 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 f9 40 88 f0 48 89 d1 f3 aa <4c> 89 c8 c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 66 90 49
[   59.927609][    C0] RSP: 0018:ffffc90001a4f468 EFLAGS: 00000202
[   59.933668][    C0] RAX: 0000000000000000 RBX: ffff8880376f2648 RCX: 0000000000000000
[   59.941718][    C0] RDX: 0000000000000010 RSI: 0000000000000000 RDI: ffff8880376f2658
[   59.949681][    C0] RBP: 0000000000040cd0 R08: dffffc0000000000 R09: ffff8880376f2648
[   59.957856][    C0] R10: ffffed1006ede4cb R11: 1ffff11006ede4c9 R12: 0000000000000007
[   59.965825][    C0] R13: 0000000000000002 R14: ffff8880376f2760 R15: dffffc0000000000
[   59.973791][    C0]  init_once+0x237/0x260
[   59.978011][    C0]  setup_object+0x40/0x130
[   59.982784][    C0]  new_slab+0x1b0/0x4a0
[   59.986926][    C0]  ? mempolicy_slab_node+0x124/0x2f0
[   59.992196][    C0]  ___slab_alloc+0x3d1/0x580
[   59.996877][    C0]  ? new_inode_pseudo+0x7d/0x220
[   60.001809][    C0]  ? new_inode_pseudo+0x7d/0x220
[   60.006736][    C0]  kmem_cache_alloc+0x131/0x2e0
[   60.011696][    C0]  new_inode_pseudo+0x7d/0x220
[   60.016537][    C0]  new_inode+0x25/0x1c0
[   60.020675][    C0]  ? start_creating+0x1fc/0x310
[   60.025875][    C0]  __debugfs_create_file+0x148/0x520
[   60.031153][    C0]  ieee80211_debugfs_add_netdev+0xd6a/0xe50
[   60.037336][    C0]  ieee80211_if_add+0x717/0x16a0
[   60.042289][    C0]  ieee80211_register_hw+0x2be1/0x3bf0
[   60.047757][    C0]  mac80211_hwsim_new_radio+0x2c63/0x4300
[   60.053624][    C0]  hwsim_new_radio_nl+0xb4f/0xd50
[   60.058638][    C0]  genl_rcv_msg+0xb22/0xdd0
[   60.063514][    C0]  ? hwsim_tx_info_frame_received_nl+0xef0/0xef0
[   60.069828][    C0]  netlink_rcv_skb+0x187/0x390
[   60.074571][    C0]  ? genl_bind+0x2c0/0x2c0
[   60.078969][    C0]  genl_rcv+0x24/0x40
[   60.082939][    C0]  netlink_unicast+0x7b7/0x9b0
[   60.087778][    C0]  netlink_sendmsg+0x968/0xb50
[   60.092704][    C0]  ? netlink_getsockopt+0x4f0/0x4f0
[   60.098109][    C0]  __sock_sendmsg+0x15c/0x170
[   60.102765][    C0]  __sys_sendto+0x323/0x430
[   60.107339][    C0]  __x64_sys_sendto+0xda/0xf0
[   60.111995][    C0]  do_syscall_64+0x34/0x50
[   60.116391][    C0]  entry_SYSCALL_64_after_hwframe+0x67/0xd1
[   60.122269][    C0] RIP: 0033:0x7f378254ea3c
[   60.126659][    C0] Code: 2a 5f 02 00 44 8b 4c 24 2c 4c 8b 44 24 20 89 c5 44 8b 54 24 28 48 8b 54 24 18 b8 2c 00 00 00 48 8b 74 24 10 8b 7c 24 08 0f 05 <48> 3d 00 f0 ff ff 77 34 89 ef 48 89 44 24 08 e8 70 5f 02 00 48 8b
[   60.146280][    C0] RSP: 002b:00007ffde7bb18f0 EFLAGS: 00000293 ORIG_RAX: 000000000000002c
[   60.154692][    C0] RAX: ffffffffffffffda RBX: 00007f37832c2620 RCX: 00007f378254ea3c
[   60.162662][    C0] RDX: 0000000000000024 RSI: 00007f37832c2670 RDI: 0000000000000003
[   60.170623][    C0] RBP: 0000000000000000 R08: 00007ffde7bb1944 R09: 000000000000000c
[   60.178672][    C0] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000003
[   60.186632][    C0] R13: 0000000000000000 R14: 00007f37832c2670 R15: 0000000000000000
[   60.194884][    C0] Kernel Offset: disabled
[   60.199222][    C0] Rebooting in 86400 seconds..


syzkaller build log:
go env (err=<nil>)
AR='ar'
CC='gcc'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='1'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
CXX='g++'
GCCGO='gccgo'
GO111MODULE='auto'
GOAMD64='v1'
GOARCH='amd64'
GOAUTH='netrc'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOCACHEPROG=''
GODEBUG=''
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFIPS140='off'
GOFLAGS=''
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build2528876832=/tmp/go-build -gno-record-gcc-switches'
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMOD='/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOMODCACHE='/syzkaller/jobs-2/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs-2/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTELEMETRY='local'
GOTELEMETRYDIR='/syzkaller/.config/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.24.4'
GOWORK=''
PKG_CONFIG='pkg-config'

git status (err=<nil>)
HEAD detached at e2beed91937
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=e2beed91937c0ace342f19a2e9afb67adb3a828a -X github.com/google/syzkaller/prog.gitRevisionDate=20250911-084951"  ./sys/syz-sysgen | grep -q false || go install -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=e2beed91937c0ace342f19a2e9afb67adb3a828a -X github.com/google/syzkaller/prog.gitRevisionDate=20250911-084951"  ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=e2beed91937c0ace342f19a2e9afb67adb3a828a -X github.com/google/syzkaller/prog.gitRevisionDate=20250911-084951"  -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
	-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include   -DGOOS_linux=1 -DGOARCH_amd64=1 \
	-DHOSTGOOS_linux=1 -DGIT_REVISION=\"e2beed91937c0ace342f19a2e9afb67adb3a828a\"
/usr/bin/ld: /tmp/ccKwcYCP.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
./tools/check-syzos.sh 2>/dev/null


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=175fdfe2580000


Tested on:

commit:         d3d0b4e2 Linux 5.10.245
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git linux-5.10.y
kernel config:  https://syzkaller.appspot.com/x/.config?x=39182a54870857eb
dashboard link: https://syzkaller.appspot.com/bug?extid=b20bbf680bb0f2ecedae
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=16983e7c580000



* Re: [syzbot] [ocfs2?] KASAN: use-after-free Read in ocfs2_dir_foreach_blk
       [not found] <20251029062549.Ioi6x%dmantipov@yandex.ru>
@ 2025-10-29 13:18 ` syzbot
  0 siblings, 0 replies; 17+ messages in thread
From: syzbot @ 2025-10-29 13:18 UTC (permalink / raw)
  To: dmantipov, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+b20bbf680bb0f2ecedae@syzkaller.appspotmail.com
Tested-by: syzbot+b20bbf680bb0f2ecedae@syzkaller.appspotmail.com

Tested on:

commit:         8e6e2188 Linux 6.1.157
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1514efe2580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=3fff88b67220f824
dashboard link: https://syzkaller.appspot.com/bug?extid=b20bbf680bb0f2ecedae
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=10ba9932580000

Note: testing is done by a robot and is best-effort only.


* Re: [syzbot] [ocfs2?] KASAN: use-after-free Read in ocfs2_dir_foreach_blk
       [not found] <20251029062743.QhV3K%dmantipov@yandex.ru>
@ 2025-10-29 16:28 ` syzbot
  0 siblings, 0 replies; 17+ messages in thread
From: syzbot @ 2025-10-29 16:28 UTC (permalink / raw)
  To: dmantipov, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+b20bbf680bb0f2ecedae@syzkaller.appspotmail.com
Tested-by: syzbot+b20bbf680bb0f2ecedae@syzkaller.appspotmail.com

Tested on:

commit:         4408a3d6 Linux 6.12.56
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git linux-6.12.y
console output: https://syzkaller.appspot.com/x/log.txt?x=118dbd42580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=52b41b67187b07bc
dashboard link: https://syzkaller.appspot.com/bug?extid=b20bbf680bb0f2ecedae
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=11511258580000

Note: testing is done by a robot and is best-effort only.

