[syzbot] [jfs?] KMSAN: uninit-value in txLock


syzbot

Jan 22, 2026, 1:49:40 PM (22 hours ago)
to jfs-dis...@lists.sourceforge.net, linux-...@vger.kernel.org, sha...@kernel.org, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: e84d960149e7 Merge tag 'for-6.19-rc5-tag' of git://git.ker..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16784b9a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=46b5f80a6e7aaa5c
dashboard link: https://syzkaller.appspot.com/bug?extid=d3a57c32b9112d7b01ec
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=158fdb9a580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=170153fa580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/2d9623942f5a/disk-e84d9601.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/61b0e15f8560/vmlinux-e84d9601.xz
kernel image: https://storage.googleapis.com/syzbot-assets/8b71c88680c4/bzImage-e84d9601.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/7023ce628e6e/mount_2.gz
fsck result: failed (log: https://syzkaller.appspot.com/x/fsck.log?x=130153fa580000)

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d3a57c...@syzkaller.appspotmail.com

=====================================================
BUG: KMSAN: uninit-value in txLock+0x13a2/0x2900 fs/jfs/jfs_txnmgr.c:659
txLock+0x13a2/0x2900 fs/jfs/jfs_txnmgr.c:659
xtTruncate+0x1002/0x5050 fs/jfs/jfs_xtree.c:2337
jfs_truncate_nolock+0x223/0x670 fs/jfs/inode.c:396
jfs_truncate fs/jfs/inode.c:420 [inline]
jfs_write_failed+0x207/0x3c0 fs/jfs/inode.c:295
jfs_write_end+0xcc/0x110 fs/jfs/inode.c:322
generic_perform_write+0x999/0x1050 mm/filemap.c:4335
__generic_file_write_iter+0x213/0x460 mm/filemap.c:4431
generic_file_write_iter+0x131/0x980 mm/filemap.c:4457
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0xbe2/0x15d0 fs/read_write.c:686
ksys_pwrite64 fs/read_write.c:793 [inline]
__do_sys_pwrite64 fs/read_write.c:801 [inline]
__se_sys_pwrite64 fs/read_write.c:798 [inline]
__x64_sys_pwrite64+0x2ab/0x3b0 fs/read_write.c:798
x64_sys_call+0xbaf/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:19
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
__alloc_frozen_pages_noprof+0x421/0xab0 mm/page_alloc.c:5263
alloc_pages_mpol+0x328/0x860 mm/mempolicy.c:2486
alloc_frozen_pages_noprof mm/mempolicy.c:2557 [inline]
alloc_pages_noprof+0x102/0x280 mm/mempolicy.c:2577
vm_area_alloc_pages mm/vmalloc.c:3649 [inline]
__vmalloc_area_node mm/vmalloc.c:3863 [inline]
__vmalloc_node_range_noprof+0xa94/0x2d90 mm/vmalloc.c:4051
__vmalloc_node_noprof mm/vmalloc.c:4111 [inline]
vmalloc_noprof+0xce/0x140 mm/vmalloc.c:4146
txInit+0xb5c/0xfa0 fs/jfs/jfs_txnmgr.c:297
init_jfs_fs+0x1b2/0xcb0 fs/jfs/super.c:977
do_one_initcall+0x22b/0xad0 init/main.c:1378
do_initcall_level+0x157/0x2e0 init/main.c:1440
do_initcalls+0x176/0x310 init/main.c:1456
do_basic_setup+0x1d/0x30 init/main.c:1475
kernel_init_freeable+0x214/0x430 init/main.c:1688
kernel_init+0x2f/0x5e0 init/main.c:1578
ret_from_fork+0x208/0x710 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246

CPU: 1 UID: 0 PID: 6025 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(none)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
=====================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syzbot

12:12 AM (12 hours ago)
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: [PATCH] jfs: fix KMSAN warning in txLock
Author: karti...@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master


Syzbot reported a KMSAN uninit-value warning in txLock when accessing
jfs_ip->atlhead:

BUG: KMSAN: uninit-value in txLock+0x13a2/0x2900 fs/jfs/jfs_txnmgr.c:659

This occurs because the jfs_inode_info structure is allocated from a
slab cache but not fully initialized, leaving fields like atlhead,
atltail, and anon_inode_list with garbage values from previously freed
inodes.

When txLock() attempts to traverse the anonymous transaction lock list
by reading jfs_ip->atlhead, it accesses uninitialized memory, triggering
the KMSAN warning.

Fix this by zeroing the entire jfs_inode_info structure in
jfs_alloc_inode(). This is consistent with how other filesystems handle
inode allocation and ensures all fields start with known values,
preventing this and potential similar bugs.

Reported-by: syzbot+d3a57c...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d3a57c32b9112d7b01ec
Signed-off-by: Deepanshu Kartikey <karti...@gmail.com>
---
fs/jfs/super.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/fs/jfs/super.c b/fs/jfs/super.c
index 3cfb86c5a36e..236fe8d42542 100644
--- a/fs/jfs/super.c
+++ b/fs/jfs/super.c
@@ -105,9 +105,7 @@ static struct inode *jfs_alloc_inode(struct super_block *sb)
jfs_inode = alloc_inode_sb(sb, jfs_inode_cachep, GFP_NOFS);
if (!jfs_inode)
return NULL;
-#ifdef CONFIG_QUOTA
- memset(&jfs_inode->i_dquot, 0, sizeof(jfs_inode->i_dquot));
-#endif
+ memset(jfs_inode, 0, sizeof(struct jfs_inode_info));
return &jfs_inode->vfs_inode;
}
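
Review bot: The whole-struct memset in `+ memset(jfs_inode, 0, sizeof(struct jfs_inode_info));` runs after alloc_inode_sb() and so wipes everything the jfs_inode_cachep constructor (init_once in this file) already set up for the object: the embedded vfs_inode that inode_init_once() prepares (list heads, locks) and the jfs-private locks and anon_inode_list head. The VFS relies on that constructor state surviving every reuse of the slab object, which is why the code being removed only reset the per-allocation i_dquot pointers. The NULL pointer dereference in inode_io_list_move_locked()/list_move() that syzbot reports later in this thread for a tested patch is the kind of failure a zeroed inode list head produces. The diagnosis in the message also does not match the report: "Uninit was created at" points to vmalloc() in txInit(), i.e. the TxLock table, not the jfs_inode_info slab. Suggest dropping the whole-struct memset, keeping the i_dquot reset, and resetting any other field that genuinely needs a per-allocation value individually.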

--
2.43.0

syzbot

12:31 AM (11 hours ago)
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: [PATCH] jfs: fix KMSAN warning in txLock
Author: karti...@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git maste

Syzbot reported a KMSAN uninit-value warning in txLock when accessing
the global TxLock array:

BUG: KMSAN: uninit-value in txLock+0x13a2/0x2900 fs/jfs/jfs_txnmgr.c:659

The issue occurs because txInit() allocates the TxLock array using
vmalloc(), which does not zero the allocated memory. When txLock()
traverses the transaction lock list by accessing elements in this array
(via lid_to_tlock()), it reads uninitialized 'next' pointers, triggering
the KMSAN warning.

The uninitialized memory originates from:
vmalloc_noprof+0xce/0x140 mm/vmalloc.c:4146
txInit+0xb5c/0xfa0 fs/jfs/jfs_txnmgr.c:297

Fix this by using vzalloc() instead of vmalloc() to ensure the TxLock
array is zero-initialized. This guarantees that all tlock structures
start with valid initial values, particularly the 'next' field which is
used for list traversal.
fs/jfs/jfs_txnmgr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/jfs/jfs_txnmgr.c b/fs/jfs/jfs_txnmgr.c
index c16578af3a77..4c72103a0b46 100644
--- a/fs/jfs/jfs_txnmgr.c
+++ b/fs/jfs/jfs_txnmgr.c
@@ -294,7 +294,7 @@ int txInit(void)
* tlock id = 0 is reserved.
*/
size = sizeof(struct tlock) * nTxLock;
- TxLock = vmalloc(size);
+ TxLock = vzalloc(size);
if (TxLock == NULL) {
vfree(TxBlock);
return -ENOMEM;
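
Review bot: Replacing vmalloc() with vzalloc() at `+ TxLock = vzalloc(size);` changes the symptom rather than the cause. With the table zero-filled the list walk in txLock() that previously read stale 'next' values now simply terminates early, and the test result later in this thread shows the same reproducer hitting `kernel BUG at fs/jfs/jfs_txnmgr.c:662 assert(last)`: txLock() still arrives at a tlock id that was never linked into the inode's anonymous list. The commit message should explain how that lid reaches the list during xtTruncate(); a zero-filled table makes the walk deterministic but does not repair the broken link. Separately, this version lacks the Reported-by:, Closes: and Signed-off-by: trailers and the `---` separator before the diffstat that the first version of the patch had.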
--
2.43.0
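
The patch description above and the assert(last) result that syzbot reports later in this thread are two views of the same list walk. As an added example that is not part of this thread or of fs/jfs, the following user-space C model (names TxLock, lid, atlhead and 'next' borrowed from the thread; the table size, the list contents and the 0xA5 fill pattern are constructed) shows why zero-filling the table turns the uninitialized read into a deterministic "not found" without fixing the walk:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed user-space model of the tlock table discussed in this thread.
 * It is not code from fs/jfs: the names are borrowed from the thread, while
 * the table size, list contents and fill pattern are made up for the demo.
 */
typedef uint16_t lid_t;
struct tlock { lid_t next; };

#define NTXLOCK 8                  /* tiny table; lid 0 is the reserved terminator */
static struct tlock TxLock[NTXLOCK];

enum walk_result {
    WALK_CYCLE = -2,     /* walked NTXLOCK steps without reaching 0: linked in a loop */
    WALK_WILD = -1,      /* a 'next' outside the table: what an uninitialized read yields */
    WALK_NOT_FOUND = 0,  /* list ended at 0 before 'target' was seen: the assert(last) case */
    WALK_FOUND = 1       /* 'prev_out' points at the link that references 'target' */
};

/* Bounds- and cycle-checked version of "find the link that points at target",
 * the kind of walk txLock() performs on an inode's anonymous tlock list. */
static enum walk_result find_prev(lid_t *atlhead, lid_t target, lid_t **prev_out)
{
    lid_t *last = atlhead;
    for (unsigned steps = 0; steps < NTXLOCK; steps++) {
        lid_t lid = *last;
        if (lid == 0)
            return WALK_NOT_FOUND;
        if (lid >= NTXLOCK)
            return WALK_WILD;
        if (lid == target) {
            *prev_out = last;
            return WALK_FOUND;
        }
        last = &TxLock[lid].next;
    }
    return WALK_CYCLE;
}

/* 0x00 fill models vzalloc(); 0xA5 fill stands in for the stale bytes vmalloc() leaves. */
static void fill_table(int zeroed)
{
    memset(TxLock, zeroed ? 0x00 : 0xA5, sizeof TxLock);
}

/* Healthy case: the inode's list is head -> 3 -> 5 -> 0 and every link was written,
 * so the walk succeeds whatever the allocator left in the unused slots. */
static int scenario_linked(int zeroed, lid_t target)
{
    fill_table(zeroed);
    TxLock[3].next = 5;
    TxLock[5].next = 0;
    lid_t atlhead = 3;
    lid_t *prev = NULL;
    return find_prev(&atlhead, target, &prev);
}

/* Bug model: the head names lid 6, which was never linked, so its 'next' is
 * whatever the allocator left there. Garbage gives WALK_WILD (the KMSAN read);
 * a zero-filled table gives WALK_NOT_FOUND (the assert(last) BUG instead). */
static int scenario_unlinked_head(int zeroed, lid_t target)
{
    fill_table(zeroed);
    lid_t atlhead = 6;
    lid_t *prev = NULL;
    return find_prev(&atlhead, target, &prev);
}

int main(void)
{
    printf("linked list, vmalloc-style fill:   %d\n", scenario_linked(0, 5));
    printf("linked list, vzalloc-style fill:   %d\n", scenario_linked(1, 5));
    printf("unlinked head, vmalloc-style fill: %d\n", scenario_unlinked_head(0, 5));
    printf("unlinked head, vzalloc-style fill: %d\n", scenario_unlinked_head(1, 5));
    return 0;
}
```

The point for whoever debugs this: a zero-filled table moves the failure from "read of uninitialized memory" to "list ended before the expected entry", which is the progression the thread shows (KMSAN report first, assert(last) after vzalloc). The question a fix has to answer is how an unlinked lid got into the inode's list in the first place.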

syzbot

12:33 AM (11 hours ago)
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: [PATCH] jfs: fix KMSAN warning in txLock
Author: karti...@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

Syzbot reported a KMSAN uninit-value warning in txLock when accessing
the global TxLock array:

BUG: KMSAN: uninit-value in txLock+0x13a2/0x2900 fs/jfs/jfs_txnmgr.c:659

The issue occurs because txInit() allocates the TxLock array using
vmalloc(), which does not zero the allocated memory. When txLock()
traverses the transaction lock list by accessing elements in this array
(via lid_to_tlock()), it reads uninitialized 'next' pointers, triggering
the KMSAN warning.

The uninitialized memory originates from:
vmalloc_noprof+0xce/0x140 mm/vmalloc.c:4146
txInit+0xb5c/0xfa0 fs/jfs/jfs_txnmgr.c:297

syzbot

1:21 AM (11 hours ago)
to karti...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to checkout kernel repo git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/maste: failed to run ["git" "fetch" "--force" "f569e972c8e9057ee9c286220c83a480ebf30cc5" "maste"]: exit status 128


Tested on:

commit: [unknown
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git maste
patch: https://syzkaller.appspot.com/x/patch.diff?x=1114ff9a580000

syzbot

3:01 AM (9 hours ago)
to karti...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: unable to handle kernel NULL pointer dereference in __mark_inode_dirty

loop0: detected capacity change from 0 to 32768
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 800000001381f067 P4D 800000001381f067 PUD 0
Oops: Oops: 0000 [#1] SMP PTI
CPU: 1 UID: 0 PID: 6507 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(none)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/13/2026
RIP: 0010:__list_del_entry_valid include/linux/list.h:127 [inline]
RIP: 0010:__list_del_entry include/linux/list.h:223 [inline]
RIP: 0010:list_move include/linux/list.h:306 [inline]
RIP: 0010:inode_io_list_move_locked+0x152/0x8d0 fs/fs-writeback.c:122
Code: 00 00 00 4d 8b b4 24 e8 00 00 00 48 89 7d a8 e8 54 34 cc ff 4c 8b 28 44 8b 3a 4d 85 ed 0f 85 bc 03 00 00 49 81 c4 e0 00 00 00 <49> 8b 1e 4c 89 f7 e8 33 34 cc ff 48 8b 00 48 85 c0 74 12 48 89 d9
RSP: 0018:ffff88803945b8c8 EFLAGS: 00010286
RAX: ffff88801ae0d7c8 RBX: 0000000000000000 RCX: 0000000000087a41
RDX: ffff88801b20d7c8 RSI: 0000000000000001 RDI: ffff88801b60d7c8
RBP: ffff88803945b930 R08: ffffea000000000f R09: 0000000000000000
R10: ffff88801ae0d760 R11: ffffffff844dab90 R12: ffff88801b60d7c0
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS: 00007f249ec6e6c0(0000) GS:ffff8881aadec000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000004f37a000 CR4: 00000000003526f0
Call Trace:
<TASK>
__mark_inode_dirty+0x878/0x1050 fs/fs-writeback.c:2668
generic_update_time fs/inode.c:2158 [inline]
inode_update_time fs/inode.c:2171 [inline]
file_update_time_flags+0x9e7/0xa60 fs/inode.c:2398
file_update_time+0x30/0x40 fs/inode.c:2419
__generic_file_write_iter+0x124/0x460 mm/filemap.c:4412
generic_file_write_iter+0x131/0x980 mm/filemap.c:4457
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0xbe1/0x15c0 fs/read_write.c:686
ksys_pwrite64 fs/read_write.c:793 [inline]
__do_sys_pwrite64 fs/read_write.c:801 [inline]
__se_sys_pwrite64 fs/read_write.c:798 [inline]
__x64_sys_pwrite64+0x2ab/0x3b0 fs/read_write.c:798
x64_sys_call+0xbaf/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:19
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f249dd9aef9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f249ec6e028 EFLAGS: 00000246 ORIG_RAX: 0000000000000012
RAX: ffffffffffffffda RBX: 00007f249e005fa0 RCX: 00007f249dd9aef9
RDX: 00000000200000c1 RSI: 00002000000000c0 RDI: 0000000000000004
RBP: 00007f249de2fee0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000009000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f249e006038 R14: 00007f249e005fa0 R15: 00007fff32808dd8
</TASK>
Modules linked in:
CR2: 0000000000000000
---[ end trace 0000000000000000 ]---
RIP: 0010:__list_del_entry_valid include/linux/list.h:127 [inline]
RIP: 0010:__list_del_entry include/linux/list.h:223 [inline]
RIP: 0010:list_move include/linux/list.h:306 [inline]
RIP: 0010:inode_io_list_move_locked+0x152/0x8d0 fs/fs-writeback.c:122
Code: 00 00 00 4d 8b b4 24 e8 00 00 00 48 89 7d a8 e8 54 34 cc ff 4c 8b 28 44 8b 3a 4d 85 ed 0f 85 bc 03 00 00 49 81 c4 e0 00 00 00 <49> 8b 1e 4c 89 f7 e8 33 34 cc ff 48 8b 00 48 85 c0 74 12 48 89 d9
RSP: 0018:ffff88803945b8c8 EFLAGS: 00010286
RAX: ffff88801ae0d7c8 RBX: 0000000000000000 RCX: 0000000000087a41
RDX: ffff88801b20d7c8 RSI: 0000000000000001 RDI: ffff88801b60d7c8
RBP: ffff88803945b930 R08: ffffea000000000f R09: 0000000000000000
R10: ffff88801ae0d760 R11: ffffffff844dab90 R12: ffff88801b60d7c0
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS: 00007f249ec6e6c0(0000) GS:ffff8881aadec000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000004f37a000 CR4: 00000000003526f0
----------------
Code disassembly (best guess):
0: 00 00 add %al,(%rax)
2: 00 4d 8b add %cl,-0x75(%rbp)
5: b4 24 mov $0x24,%ah
7: e8 00 00 00 48 call 0x4800000c
c: 89 7d a8 mov %edi,-0x58(%rbp)
f: e8 54 34 cc ff call 0xffcc3468
14: 4c 8b 28 mov (%rax),%r13
17: 44 8b 3a mov (%rdx),%r15d
1a: 4d 85 ed test %r13,%r13
1d: 0f 85 bc 03 00 00 jne 0x3df
23: 49 81 c4 e0 00 00 00 add $0xe0,%r12
* 2a: 49 8b 1e mov (%r14),%rbx <-- trapping instruction
2d: 4c 89 f7 mov %r14,%rdi
30: e8 33 34 cc ff call 0xffcc3468
35: 48 8b 00 mov (%rax),%rax
38: 48 85 c0 test %rax,%rax
3b: 74 12 je 0x4f
3d: 48 89 d9 mov %rbx,%rcx


Tested on:

commit: c072629f Merge tag 'v6.19-p4' of git://git.kernel.org/..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10b857fc580000
kernel config: https://syzkaller.appspot.com/x/.config?x=62c21fde37118981
dashboard link: https://syzkaller.appspot.com/bug?extid=d3a57c32b9112d7b01ec
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=147797fc580000

syzbot

3:34 AM (8 hours ago)
to karti...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
kernel BUG in txLock

BUG at fs/jfs/jfs_txnmgr.c:662 assert(last)
------------[ cut here ]------------
kernel BUG at fs/jfs/jfs_txnmgr.c:662!
Oops: invalid opcode: 0000 [#1] SMP PTI
CPU: 0 UID: 0 PID: 6674 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(none)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/13/2026
RIP: 0010:txLock+0x144c/0x2900 fs/jfs/jfs_txnmgr.c:662
Code: c7 80 20 03 00 00 00 00 00 00 48 c7 c7 d5 c9 d1 91 48 c7 c6 76 86 aa 91 ba 96 02 00 00 48 c7 c1 b6 ff be 91 e8 d5 ae c7 fc 90 <0f> 0b 48 83 7d b8 00 0f 85 df 0f 00 00 4c 8b 6d 90 41 0f b7 5d 00
RSP: 0018:ffff888046c5b458 EFLAGS: 00010286
RAX: 000000000000002b RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000002
RBP: ffff888046c5b548 R08: ffffea000000000f R09: 0000000000000000
R10: ffff888237b1f028 R11: ffff88823f26ad60 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS: 00007fb5748466c0(0000) GS:ffff8881aacec000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000200000022000 CR3: 0000000049288000 CR4: 00000000003526f0
Call Trace:
<TASK>
xtTruncate+0xffd/0x5210 fs/jfs/jfs_xtree.c:2337
jfs_truncate_nolock+0x223/0x670 fs/jfs/inode.c:396
jfs_truncate fs/jfs/inode.c:420 [inline]
jfs_write_failed+0x207/0x3c0 fs/jfs/inode.c:295
jfs_write_end+0xcc/0x110 fs/jfs/inode.c:322
generic_perform_write+0x99f/0x1050 mm/filemap.c:4335
__generic_file_write_iter+0x213/0x460 mm/filemap.c:4431
generic_file_write_iter+0x131/0x980 mm/filemap.c:4457
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0xbe1/0x15c0 fs/read_write.c:686
ksys_pwrite64 fs/read_write.c:793 [inline]
__do_sys_pwrite64 fs/read_write.c:801 [inline]
__se_sys_pwrite64 fs/read_write.c:798 [inline]
__x64_sys_pwrite64+0x2ab/0x3b0 fs/read_write.c:798
x64_sys_call+0xbaf/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:19
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb57399aef9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fb574846028 EFLAGS: 00000246 ORIG_RAX: 0000000000000012
RAX: ffffffffffffffda RBX: 00007fb573c05fa0 RCX: 00007fb57399aef9
RDX: 00000000200000c1 RSI: 00002000000000c0 RDI: 0000000000000004
RBP: 00007fb573a2fee0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000009000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fb573c06038 R14: 00007fb573c05fa0 R15: 00007ffc81835368
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:txLock+0x144c/0x2900 fs/jfs/jfs_txnmgr.c:662
Code: c7 80 20 03 00 00 00 00 00 00 48 c7 c7 d5 c9 d1 91 48 c7 c6 76 86 aa 91 ba 96 02 00 00 48 c7 c1 b6 ff be 91 e8 d5 ae c7 fc 90 <0f> 0b 48 83 7d b8 00 0f 85 df 0f 00 00 4c 8b 6d 90 41 0f b7 5d 00
RSP: 0018:ffff888046c5b458 EFLAGS: 00010286
RAX: 000000000000002b RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000002
RBP: ffff888046c5b548 R08: ffffea000000000f R09: 0000000000000000
R10: ffff888237b1f028 R11: ffff88823f26ad60 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS: 00007fb5748466c0(0000) GS:ffff8881aacec000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000200000022000 CR3: 0000000049288000 CR4: 00000000003526f0


Tested on:

commit: c072629f Merge tag 'v6.19-p4' of git://git.kernel.org/..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15128bfa580000
kernel config: https://syzkaller.appspot.com/x/.config?x=62c21fde37118981
dashboard link: https://syzkaller.appspot.com/bug?extid=d3a57c32b9112d7b01ec
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=17cf97fc580000
