[moderation] [bcachefs?] KASAN: null-ptr-deref Write in btree_key_cache_fill


syzbot

Jun 29, 2025, 3:23:27 AM
to syzkaller-upst...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 7595b66ae9de Merge tag 'selinux-pr-20250624' of git://git...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15a84f0c580000
kernel config: https://syzkaller.appspot.com/x/.config?x=79da270cec5ffd65
dashboard link: https://syzkaller.appspot.com/bug?extid=5d4979c5112460e0c04a
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
CC: [kent.ov...@linux.dev linux-b...@vger.kernel.org linux-...@vger.kernel.org]

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-7595b66a.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/3332acf57c8d/vmlinux-7595b66a.xz
kernel image: https://storage.googleapis.com/syzbot-assets/e83a48cfe09a/bzImage-7595b66a.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+5d4979...@syzkaller.appspotmail.com

SLUB: Unable to allocate memory on CPU 0 (of node 0) on node -1, gfp=0xcc0(GFP_KERNEL)
cache: kmalloc-256, object size: 256, buffer size: 512, default order: 0, min order: 0
node 0: slabs: 43, objs: 344, free: 0
node 1: slabs: 676, objs: 5408, free: 2
SLUB: Unable to allocate memory on CPU 0 (of node 0) on node -1, gfp=0xcc0(GFP_KERNEL)
cache: kmalloc-256, object size: 256, buffer size: 512, default order: 0, min order: 0
node 0: slabs: 43, objs: 344, free: 0
node 1: slabs: 690, objs: 5520, free: 2
bcachefs (loop0): error allocating memory for key cache key, btree inodes u64s 32
==================================================================
BUG: KASAN: null-ptr-deref in bkey_reassemble fs/bcachefs/bkey.h:505 [inline]
BUG: KASAN: null-ptr-deref in btree_key_cache_create fs/bcachefs/btree_key_cache.c:270 [inline]
BUG: KASAN: null-ptr-deref in btree_key_cache_fill+0x7c4/0x3010 fs/bcachefs/btree_key_cache.c:344
Write of size 40 at addr 0000000000000000 by task syz.0.0/5347

CPU: 0 UID: 0 PID: 5347 Comm: syz.0.0 Not tainted 6.16.0-rc3-syzkaller-00044-g7595b66ae9de #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
kasan_report+0x118/0x150 mm/kasan/report.c:634
check_region_inline mm/kasan/generic.c:-1 [inline]
kasan_check_range+0x2b0/0x2c0 mm/kasan/generic.c:189
__asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106
bkey_reassemble fs/bcachefs/bkey.h:505 [inline]
btree_key_cache_create fs/bcachefs/btree_key_cache.c:270 [inline]
btree_key_cache_fill+0x7c4/0x3010 fs/bcachefs/btree_key_cache.c:344
bch2_btree_path_traverse_cached+0xc5d/0x10d0 fs/bcachefs/btree_key_cache.c:399
bch2_btree_path_traverse_one+0x372/0x21d0 fs/bcachefs/btree_iter.c:1179
bch2_btree_path_traverse fs/bcachefs/btree_iter.h:250 [inline]
bch2_btree_iter_peek_slot+0x74e/0x1fa0 fs/bcachefs/btree_iter.c:2781
__bch2_bkey_get_iter fs/bcachefs/btree_iter.h:632 [inline]
bch2_bkey_get_iter fs/bcachefs/btree_iter.h:646 [inline]
__bch2_inode_peek+0x133/0x370 fs/bcachefs/inode.c:348
bch2_inode_peek fs/bcachefs/inode.h:136 [inline]
bch2_inode_find_by_inum_trans fs/bcachefs/inode.c:411 [inline]
bch2_inode_find_by_inum+0xef/0x240 fs/bcachefs/inode.c:420
bchfs_truncate+0x3a8/0xc20 fs/bcachefs/fs-io.c:458
notify_change+0xb33/0xe40 fs/attr.c:552
do_truncate+0x1a4/0x220 fs/open.c:68
do_coredump+0x2ad3/0x3440 fs/coredump.c:790
get_signal+0x1109/0x1340 kernel/signal.c:3019
arch_do_signal_or_restart+0x9a/0x750 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop+0x75/0x110 kernel/entry/common.c:111
exit_to_user_mode_prepare include/linux/entry-common.h:330 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:414 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:449 [inline]
ret_from_fork+0x47f/0x770 arch/x86/kernel/process.c:157
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syzbot

Sep 23, 2025, 3:16:15 AM
to syzkaller-upst...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.