[syzbot] [ocfs2?] UBSAN: array-index-out-of-bounds in ocfs2_block_group_fill
6 views
Skip to first unread message
syzbot
Oct 14, 2025, 10:12:29 PM (11 days ago) Oct 14
to ak...@linux-foundation.org, dman...@yandex.ru, jl...@evilplan.org, jose...@linux.alibaba.com, linux-...@vger.kernel.org, ma...@fasheh.com, ocfs2...@lists.linux.dev, syzkall...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 52ba76324a9d Add linux-next specific files for 20251013
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=157d3b34580000
kernel config: https://syzkaller.appspot.com/x/.config?x=99cb6b007a8889ef
dashboard link: https://syzkaller.appspot.com/bug?extid=77026564530dbc29b854
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15039dcd980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15ad9542580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/1729256319ee/disk-52ba7632.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/a3152cfcba7c/vmlinux-52ba7632.xz
kernel image: https://storage.googleapis.com/syzbot-assets/4065a3b3d959/bzImage-52ba7632.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/d98ffa49f949/mount_0.gz
fsck result: OK (log: https://syzkaller.appspot.com/x/fsck.log?x=1510f304580000)
The issue was bisected to:
commit aa545adbe491402cf1e664f6be0a799ed69d9946
Author: Dmitry Antipov <dman...@yandex.ru>
Date: Tue Oct 7 12:35:26 2025 +0000
ocfs2: annotate flexible array members with __counted_by_le()
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=11575542580000
final oops: https://syzkaller.appspot.com/x/report.txt?x=13575542580000
console output: https://syzkaller.appspot.com/x/log.txt?x=15575542580000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+770265...@syzkaller.appspotmail.com
Fixes: aa545adbe491 ("ocfs2: annotate flexible array members with __counted_by_le()")
option from the mount to silence this warning.
=======================================================
JBD2: Ignoring recovery information on journal
ocfs2: Mounting device (7,0) on (node local, slot 0) with ordered data mode.
------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in fs/ocfs2/suballoc.c:380:22
index 0 is out of range for type 'struct ocfs2_chain_rec[] __counted_by(cl_count)' (aka 'struct ocfs2_chain_rec[]')
CPU: 0 UID: 0 PID: 6052 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
ubsan_epilogue+0xa/0x40 lib/ubsan.c:233
__ubsan_handle_out_of_bounds+0xe9/0xf0 lib/ubsan.c:455
ocfs2_block_group_fill+0x938/0xb30 fs/ocfs2/suballoc.c:380
ocfs2_block_group_alloc_contig fs/ocfs2/suballoc.c:454 [inline]
ocfs2_block_group_alloc fs/ocfs2/suballoc.c:699 [inline]
ocfs2_reserve_suballoc_bits+0x117d/0x4680 fs/ocfs2/suballoc.c:834
ocfs2_reserve_new_metadata_blocks+0x403/0x940 fs/ocfs2/suballoc.c:984
ocfs2_expand_inline_dir fs/ocfs2/dir.c:2853 [inline]
ocfs2_extend_dir+0xc76/0x4870 fs/ocfs2/dir.c:3215
ocfs2_prepare_dir_for_insert+0x2fdf/0x54b0 fs/ocfs2/dir.c:4320
ocfs2_mknod+0x819/0x2050 fs/ocfs2/namei.c:297
ocfs2_mkdir+0x191/0x440 fs/ocfs2/namei.c:659
vfs_mkdir+0x306/0x510 fs/namei.c:4453
do_mkdirat+0x247/0x590 fs/namei.c:4486
__do_sys_mkdirat fs/namei.c:4503 [inline]
__se_sys_mkdirat fs/namei.c:4501 [inline]
__x64_sys_mkdirat+0x87/0xa0 fs/namei.c:4501
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f0917d8d617
Code: 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 02 01 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff863b0218 EFLAGS: 00000246 ORIG_RAX: 0000000000000102
RAX: ffffffffffffffda RBX: 00007fff863b02a0 RCX: 00007f0917d8d617
RDX: 00000000000001ff RSI: 0000200000000680 RDI: 00000000ffffff9c
RBP: 0000200000000080 R08: 0000200000000140 R09: 0000000000000000
R10: 0000200000000080 R11: 0000000000000246 R12: 0000200000000680
R13: 00007fff863b0260 R14: 0000000000000000 R15: 0000000000000000
</TASK>
---[ end trace ]---
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 52ba76324a9d Add linux-next specific files for 20251013
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=157d3b34580000
kernel config: https://syzkaller.appspot.com/x/.config?x=99cb6b007a8889ef
dashboard link: https://syzkaller.appspot.com/bug?extid=77026564530dbc29b854
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15039dcd980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15ad9542580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/1729256319ee/disk-52ba7632.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/a3152cfcba7c/vmlinux-52ba7632.xz
kernel image: https://storage.googleapis.com/syzbot-assets/4065a3b3d959/bzImage-52ba7632.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/d98ffa49f949/mount_0.gz
fsck result: OK (log: https://syzkaller.appspot.com/x/fsck.log?x=1510f304580000)
The issue was bisected to:
commit aa545adbe491402cf1e664f6be0a799ed69d9946
Author: Dmitry Antipov <dman...@yandex.ru>
Date: Tue Oct 7 12:35:26 2025 +0000
ocfs2: annotate flexible array members with __counted_by_le()
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=11575542580000
final oops: https://syzkaller.appspot.com/x/report.txt?x=13575542580000
console output: https://syzkaller.appspot.com/x/log.txt?x=15575542580000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+770265...@syzkaller.appspotmail.com
Fixes: aa545adbe491 ("ocfs2: annotate flexible array members with __counted_by_le()")
option from the mount to silence this warning.
=======================================================
JBD2: Ignoring recovery information on journal
ocfs2: Mounting device (7,0) on (node local, slot 0) with ordered data mode.
------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in fs/ocfs2/suballoc.c:380:22
index 0 is out of range for type 'struct ocfs2_chain_rec[] __counted_by(cl_count)' (aka 'struct ocfs2_chain_rec[]')
CPU: 0 UID: 0 PID: 6052 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
ubsan_epilogue+0xa/0x40 lib/ubsan.c:233
__ubsan_handle_out_of_bounds+0xe9/0xf0 lib/ubsan.c:455
ocfs2_block_group_fill+0x938/0xb30 fs/ocfs2/suballoc.c:380
ocfs2_block_group_alloc_contig fs/ocfs2/suballoc.c:454 [inline]
ocfs2_block_group_alloc fs/ocfs2/suballoc.c:699 [inline]
ocfs2_reserve_suballoc_bits+0x117d/0x4680 fs/ocfs2/suballoc.c:834
ocfs2_reserve_new_metadata_blocks+0x403/0x940 fs/ocfs2/suballoc.c:984
ocfs2_expand_inline_dir fs/ocfs2/dir.c:2853 [inline]
ocfs2_extend_dir+0xc76/0x4870 fs/ocfs2/dir.c:3215
ocfs2_prepare_dir_for_insert+0x2fdf/0x54b0 fs/ocfs2/dir.c:4320
ocfs2_mknod+0x819/0x2050 fs/ocfs2/namei.c:297
ocfs2_mkdir+0x191/0x440 fs/ocfs2/namei.c:659
vfs_mkdir+0x306/0x510 fs/namei.c:4453
do_mkdirat+0x247/0x590 fs/namei.c:4486
__do_sys_mkdirat fs/namei.c:4503 [inline]
__se_sys_mkdirat fs/namei.c:4501 [inline]
__x64_sys_mkdirat+0x87/0xa0 fs/namei.c:4501
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f0917d8d617
Code: 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 02 01 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff863b0218 EFLAGS: 00000246 ORIG_RAX: 0000000000000102
RAX: ffffffffffffffda RBX: 00007fff863b02a0 RCX: 00007f0917d8d617
RDX: 00000000000001ff RSI: 0000200000000680 RDI: 00000000ffffff9c
RBP: 0000200000000080 R08: 0000200000000140 R09: 0000000000000000
R10: 0000200000000080 R11: 0000000000000246 R12: 0000200000000680
R13: 00007fff863b0260 R14: 0000000000000000 R15: 0000000000000000
</TASK>
---[ end trace ]---
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
Oct 15, 2025, 12:46:47 AM (11 days ago) Oct 15
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: [PATCH] ocfs2: add validation for chain index in ocfs2_block_group_fill
Author: karti...@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
Add validation to ensure my_chain index is within bounds before
accessing cl->cl_recs[] array. Without this check, a corrupted
filesystem with cl_count set to 0 can trigger an out-of-bounds
array access, detected by UBSAN.
The issue was exposed by commit aa545adbe491 ("ocfs2: annotate
flexible array members with __counted_by_le()"), which added
the __counted_by_le() annotation to cl_recs[], allowing UBSAN
to detect the out-of-bounds access.
UBSAN report:
The fix adds an explicit bounds check at the start of
ocfs2_block_group_fill() to validate my_chain is less than
cl->cl_count before accessing the array, preventing the
out-of-bounds access and properly handling corrupted
filesystems.
Reported-by: syzbot+770265...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=77026564530dbc29b854
---
fs/ocfs2/suballoc.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/fs/ocfs2/suballoc.c b/fs/ocfs2/suballoc.c
index 6ac4dcd54588..dd58cc0f9838 100644
--- a/fs/ocfs2/suballoc.c
+++ b/fs/ocfs2/suballoc.c
@@ -353,6 +353,14 @@ static int ocfs2_block_group_fill(handle_t *handle,
struct ocfs2_super *osb = OCFS2_SB(alloc_inode->i_sb);
struct ocfs2_group_desc *bg = (struct ocfs2_group_desc *) bg_bh->b_data;
struct super_block * sb = alloc_inode->i_sb;
+
+ /* Validate chain index before accessing cl_recs array */
+ if (my_chain >= le16_to_cpu(cl->cl_count)) {
+ status = ocfs2_error(alloc_inode->i_sb,
+ "chain index %u out of range (count=%u)\n",
+ my_chain, le16_to_cpu(cl->cl_count));
+ goto bail;
+ }
if (((unsigned long long) bg_bh->b_blocknr) != group_blkno) {
status = ocfs2_error(alloc_inode->i_sb,
--
2.43.0
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: [PATCH] ocfs2: add validation for chain index in ocfs2_block_group_fill
Author: karti...@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
Add validation to ensure my_chain index is within bounds before
accessing cl->cl_recs[] array. Without this check, a corrupted
filesystem with cl_count set to 0 can trigger an out-of-bounds
array access, detected by UBSAN.
The issue was exposed by commit aa545adbe491 ("ocfs2: annotate
flexible array members with __counted_by_le()"), which added
the __counted_by_le() annotation to cl_recs[], allowing UBSAN
to detect the out-of-bounds access.
UBSAN report:
UBSAN: array-index-out-of-bounds in fs/ocfs2/suballoc.c:380:22
index 0 is out of range for type 'struct ocfs2_chain_rec[]'
The fix adds an explicit bounds check at the start of
ocfs2_block_group_fill() to validate my_chain is less than
cl->cl_count before accessing the array, preventing the
out-of-bounds access and properly handling corrupted
filesystems.
Reported-by: syzbot+770265...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=77026564530dbc29b854
Fixes: aa545adbe491 ("ocfs2: annotate flexible array members with __counted_by_le()")
Signed-off-by: Deepanshu Kartikey <karti...@gmail.com>
---
fs/ocfs2/suballoc.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/fs/ocfs2/suballoc.c b/fs/ocfs2/suballoc.c
index 6ac4dcd54588..dd58cc0f9838 100644
--- a/fs/ocfs2/suballoc.c
+++ b/fs/ocfs2/suballoc.c
@@ -353,6 +353,14 @@ static int ocfs2_block_group_fill(handle_t *handle,
struct ocfs2_super *osb = OCFS2_SB(alloc_inode->i_sb);
struct ocfs2_group_desc *bg = (struct ocfs2_group_desc *) bg_bh->b_data;
struct super_block * sb = alloc_inode->i_sb;
+
+ /* Validate chain index before accessing cl_recs array */
+ if (my_chain >= le16_to_cpu(cl->cl_count)) {
+ status = ocfs2_error(alloc_inode->i_sb,
+ "chain index %u out of range (count=%u)\n",
+ my_chain, le16_to_cpu(cl->cl_count));
+ goto bail;
+ }
if (((unsigned long long) bg_bh->b_blocknr) != group_blkno) {
status = ocfs2_error(alloc_inode->i_sb,
--
2.43.0
syzbot
Oct 15, 2025, 1:15:06 AM (11 days ago) Oct 15
to karti...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+770265...@syzkaller.appspotmail.com
Tested-by: syzbot+770265...@syzkaller.appspotmail.com
Tested on:
commit: 13863a59 Add linux-next specific files for 20251014
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=11fc7b34580000
kernel config: https://syzkaller.appspot.com/x/.config?x=76790fe131481879
Note: testing is done by a robot and is best-effort only.
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+770265...@syzkaller.appspotmail.com
Tested-by: syzbot+770265...@syzkaller.appspotmail.com
Tested on:
commit: 13863a59 Add linux-next specific files for 20251014
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=11fc7b34580000
kernel config: https://syzkaller.appspot.com/x/.config?x=76790fe131481879
dashboard link: https://syzkaller.appspot.com/bug?extid=77026564530dbc29b854
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=167985e2580000
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
Note: testing is done by a robot and is best-effort only.
syzbot
Oct 15, 2025, 1:28:58 AM (11 days ago) Oct 15
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: #syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 13863a59e410cab46d26751941980dc8f088b9b3
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Author: dman...@yandex.ru
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 13863a59e410cab46d26751941980dc8f088b9b3
syzbot
Oct 15, 2025, 2:21:08 AM (11 days ago) Oct 15
to dman...@yandex.ru, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+770265...@syzkaller.appspotmail.com
Tested-by: syzbot+770265...@syzkaller.appspotmail.com
Tested on:
commit: 13863a59 Add linux-next specific files for 20251014
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+770265...@syzkaller.appspotmail.com
Tested-by: syzbot+770265...@syzkaller.appspotmail.com
Tested on:
commit: 13863a59 Add linux-next specific files for 20251014
console output: https://syzkaller.appspot.com/x/log.txt?x=151d85e2580000
kernel config: https://syzkaller.appspot.com/x/.config?x=76790fe131481879
dashboard link: https://syzkaller.appspot.com/bug?extid=77026564530dbc29b854
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=1304d542580000
dashboard link: https://syzkaller.appspot.com/bug?extid=77026564530dbc29b854
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
syzbot
Oct 15, 2025, 2:45:11 AM (11 days ago) Oct 15
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: [PATCH] ocfs2: validate chain list count before use in ocfs2_reserve_suballoc_bits
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Author: karti...@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
Add validation to check if the chain list count (cl_count) is zero
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
before using the chain list in ocfs2_reserve_suballoc_bits(). When
cl_count is zero, the cl_recs array is empty, but the code attempts
to access cl_recs[0] in subsequent operations, leading to an
out-of-bounds array access.
The issue was discovered by syzbot using a corrupted filesystem image
where cl_count was set to 0. This triggers a UBSAN array-index-out-of-
bounds error when ocfs2_block_group_fill() attempts to access the
first chain record.
By adding this validation early in ocfs2_reserve_suballoc_bits(), we
catch the corruption before any allocation operations begin. The
filesystem will fail to mount with a clear error message directing
users to run fsck.ocfs2.
This follows the existing pattern in the function where similar
validation checks (like OCFS2_CHAIN_FL) are performed on the
allocator inode before use.
Link: https://syzkaller.appspot.com/bug?extid=77026564530dbc29b854
Reported-by:syzbot+770265...@syzkaller.appspotmail.com
Tested-by: syzbot+770265...@syzkaller.appspotmail.com
Signed-off-by: Deepanshu Kartikey <karti...@gmail.com>
---
fs/ocfs2/suballoc.c | 8 ++++++++
1 file changed, 8 insertions(+)
---
---
fs/ocfs2/suballoc.c | 8 ++++++++
1 file changed, 8 insertions(+)
fs/ocfs2/suballoc.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/fs/ocfs2/suballoc.c b/fs/ocfs2/suballoc.c
index 6ac4dcd54588..57ec07f9751a 100644
--- a/fs/ocfs2/suballoc.c
+++ b/fs/ocfs2/suballoc.c
@@ -778,6 +778,7 @@ static int ocfs2_reserve_suballoc_bits(struct ocfs2_super *osb,
struct buffer_head *bh = NULL;
struct ocfs2_dinode *fe;
u32 free_bits;
+ struct ocfs2_chain_list *cl;
alloc_inode = ocfs2_get_system_file_inode(osb, type, slot);
if (!alloc_inode) {
@@ -800,7 +801,14 @@ static int ocfs2_reserve_suballoc_bits(struct ocfs2_super *osb,
ac->ac_alloc_slot = slot;
fe = (struct ocfs2_dinode *) bh->b_data;
-
+ cl = &fe->id2.i_chain;
+ /* Validate chain list before use */
+ if (le16_to_cpu(cl->cl_count) == 0) {
+ status = ocfs2_error(alloc_inode->i_sb,
+ "Chain allocator %llu has invalid chain list (cl_count=0)\n",
+ (unsigned long long)le64_to_cpu(fe->i_blkno));
+ goto bail;
+ }
/* The bh was validated by the inode read inside
* ocfs2_inode_lock(). Any corruption is a code bug. */
BUG_ON(!OCFS2_IS_VALID_DINODE(fe));
--
2.43.0
syzbot
Oct 15, 2025, 3:12:04 AM (11 days ago) Oct 15
to karti...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+770265...@syzkaller.appspotmail.com
Tested-by: syzbot+770265...@syzkaller.appspotmail.com
Tested on:
commit: 13863a59 Add linux-next specific files for 20251014
git tree: linux-next
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+770265...@syzkaller.appspotmail.com
Tested-by: syzbot+770265...@syzkaller.appspotmail.com
Tested on:
commit: 13863a59 Add linux-next specific files for 20251014
console output: https://syzkaller.appspot.com/x/log.txt?x=1590ac58580000
kernel config: https://syzkaller.appspot.com/x/.config?x=76790fe131481879
dashboard link: https://syzkaller.appspot.com/bug?extid=77026564530dbc29b854
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=179a7b34580000
dashboard link: https://syzkaller.appspot.com/bug?extid=77026564530dbc29b854
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
syzbot
Oct 17, 2025, 6:11:44 AM (9 days ago) Oct 17
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: #syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 2433b84761658ef123ae683508bc461b07c5b0f0
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Author: dman...@yandex.ru
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 2433b84761658ef123ae683508bc461b07c5b0f0
syzbot
Oct 17, 2025, 7:26:04 AM (8 days ago) Oct 17
to dman...@yandex.ru, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+770265...@syzkaller.appspotmail.com
Tested-by: syzbot+770265...@syzkaller.appspotmail.com
Tested on:
commit: 2433b847 Add linux-next specific files for 20251016
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+770265...@syzkaller.appspotmail.com
Tested-by: syzbot+770265...@syzkaller.appspotmail.com
Tested on:
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=106275e2580000
kernel config: https://syzkaller.appspot.com/x/.config?x=76790fe131481879
dashboard link: https://syzkaller.appspot.com/bug?extid=77026564530dbc29b854
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=137d9c58580000
dashboard link: https://syzkaller.appspot.com/bug?extid=77026564530dbc29b854
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
syzbot
Oct 22, 2025, 8:13:16 AM (3 days ago) Oct 22
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: #syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 552c50713f273b494ac6c77052032a49bc9255e2
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Author: dman...@yandex.ru
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 552c50713f273b494ac6c77052032a49bc9255e2
diff --git a/fs/ocfs2/alloc.c b/fs/ocfs2/alloc.c
index 162711cc5b20..ce38505a823c 100644
--- a/fs/ocfs2/alloc.c
+++ b/fs/ocfs2/alloc.c
@@ -6164,7 +6164,7 @@ static int ocfs2_get_truncate_log_info(struct ocfs2_super *osb,
struct buffer_head *bh = NULL;
struct ocfs2_dinode *di;
struct ocfs2_truncate_log *tl;
- unsigned int tl_count;
+ unsigned int tl_count, tl_used;
inode = ocfs2_get_system_file_inode(osb,
TRUNCATE_LOG_SYSTEM_INODE,
@@ -6184,9 +6184,10 @@ static int ocfs2_get_truncate_log_info(struct ocfs2_super *osb,
di = (struct ocfs2_dinode *)bh->b_data;
tl = &di->id2.i_dealloc;
+ tl_used = le16_to_cpu(tl->tl_used);
tl_count = le16_to_cpu(tl->tl_count);
if (unlikely(tl_count > ocfs2_truncate_recs_per_inode(osb->sb) ||
- tl_count == 0)) {
+ tl_count == 0 || tl_used > tl_count)) {
status = -EFSCORRUPTED;
iput(inode);
brelse(bh);
diff --git a/fs/ocfs2/dir.c b/fs/ocfs2/dir.c
index 8c9c4825f984..2785ff245e79 100644
--- a/fs/ocfs2/dir.c
+++ b/fs/ocfs2/dir.c
@@ -302,8 +302,21 @@ static int ocfs2_check_dir_entry(struct inode *dir,
unsigned long offset)
{
const char *error_msg = NULL;
- const int rlen = le16_to_cpu(de->rec_len);
- const unsigned long next_offset = ((char *) de - buf) + rlen;
+ unsigned long next_offset;
+ int rlen;
+
+ if (offset > size - OCFS2_DIR_REC_LEN(1)) {
+ /* Dirent is (maybe partially) beyond the buffer
+ * boundaries so touching 'de' members is unsafe.
+ */
+ mlog(ML_ERROR, "directory entry (#%llu: offset=%lu) "
+ "too close to end or out-of-bounds",
+ (unsigned long long)OCFS2_I(dir)->ip_blkno, offset);
+ return 0;
+ }
+
+ rlen = le16_to_cpu(de->rec_len);
+ next_offset = ((char *) de - buf) + rlen;
if (unlikely(rlen < OCFS2_DIR_REC_LEN(1)))
error_msg = "rec_len is smaller than minimal";
@@ -778,6 +791,14 @@ static int ocfs2_dx_dir_lookup_rec(struct inode *inode,
struct ocfs2_extent_block *eb;
struct ocfs2_extent_rec *rec = NULL;
+ if (le16_to_cpu(el->l_count) !=
+ ocfs2_extent_recs_per_dx_root(inode->i_sb)) {
+ ret = ocfs2_error(inode->i_sb,
+ "Inode %lu has invalid extent list length %u\n",
+ inode->i_ino, le16_to_cpu(el->l_count));
+ goto out;
+ }
+
if (el->l_tree_depth) {
ret = ocfs2_find_leaf(INODE_CACHE(inode), el, major_hash,
&eb_bh);
@@ -3423,6 +3444,14 @@ static int ocfs2_find_dir_space_id(struct inode *dir, struct buffer_head *di_bh,
offset += le16_to_cpu(de->rec_len);
}
+ if (!last_de) {
+ ret = ocfs2_error(sb, "Directory entry (#%llu: size=%lld) "
+ "is unexpectedly short",
+ (unsigned long long)OCFS2_I(dir)->ip_blkno,
+ i_size_read(dir));
+ goto out;
+ }
+
/*
* We're going to require expansion of the directory - figure
* out how many blocks we'll need so that a place for the
@@ -4104,10 +4133,15 @@ static int ocfs2_expand_inline_dx_root(struct inode *dir,
}
dx_root->dr_flags &= ~OCFS2_DX_FLAG_INLINE;
- memset(&dx_root->dr_list, 0, osb->sb->s_blocksize -
- offsetof(struct ocfs2_dx_root_block, dr_list));
+
+ dx_root->dr_list.l_tree_depth = 0;
dx_root->dr_list.l_count =
cpu_to_le16(ocfs2_extent_recs_per_dx_root(osb->sb));
+ dx_root->dr_list.l_next_free_rec = 0;
+ memset(&dx_root->dr_list.l_recs, 0,
+ osb->sb->s_blocksize -
+ (offsetof(struct ocfs2_dx_root_block, dr_list) +
+ offsetof(struct ocfs2_extent_list, l_recs)));
/* This should never fail considering we start with an empty
* dx_root. */
diff --git a/fs/ocfs2/localalloc.c b/fs/ocfs2/localalloc.c
index d1aa04a5af1b..56be21c695d6 100644
--- a/fs/ocfs2/localalloc.c
+++ b/fs/ocfs2/localalloc.c
@@ -905,13 +905,11 @@ static int ocfs2_local_alloc_find_clear_bits(struct ocfs2_super *osb,
static void ocfs2_clear_local_alloc(struct ocfs2_dinode *alloc)
{
struct ocfs2_local_alloc *la = OCFS2_LOCAL_ALLOC(alloc);
- int i;
alloc->id1.bitmap1.i_total = 0;
alloc->id1.bitmap1.i_used = 0;
la->la_bm_off = 0;
- for(i = 0; i < le16_to_cpu(la->la_size); i++)
- la->la_bitmap[i] = 0;
+ memset(la->la_bitmap, 0, le16_to_cpu(la->la_size));
}
#if 0
diff --git a/fs/ocfs2/move_extents.c b/fs/ocfs2/move_extents.c
index 86f2631e6360..ba4952b41602 100644
--- a/fs/ocfs2/move_extents.c
+++ b/fs/ocfs2/move_extents.c
@@ -98,7 +98,13 @@ static int __ocfs2_move_extent(handle_t *handle,
rec = &el->l_recs[index];
- BUG_ON(ext_flags != rec->e_flags);
+ if (ext_flags != rec->e_flags) {
+ ret = ocfs2_error(inode->i_sb,
+ "Inode %llu has corrupted extent %d with flags 0x%x at cpos %u\n",
+ (unsigned long long)ino, index, rec->e_flags, cpos);
+ goto out;
+ }
+
/*
* after moving/defraging to new location, the extent is not going
* to be refcounted anymore.
@@ -1031,6 +1037,12 @@ int ocfs2_ioctl_move_extents(struct file *filp, void __user *argp)
if (range.me_threshold > i_size_read(inode))
range.me_threshold = i_size_read(inode);
+ if (range.me_flags & ~(OCFS2_MOVE_EXT_FL_AUTO_DEFRAG |
+ OCFS2_MOVE_EXT_FL_PART_DEFRAG)) {
+ status = -EINVAL;
+ goto out_free;
+ }
+
if (range.me_flags & OCFS2_MOVE_EXT_FL_AUTO_DEFRAG) {
context->auto_defrag = 1;
diff --git a/fs/ocfs2/ocfs2_fs.h b/fs/ocfs2/ocfs2_fs.h
index ae0e44e5f2ad..c501eb3cdcda 100644
--- a/fs/ocfs2/ocfs2_fs.h
+++ b/fs/ocfs2/ocfs2_fs.h
@@ -468,7 +468,8 @@ struct ocfs2_extent_list {
__le16 l_reserved1;
__le64 l_reserved2; /* Pad to
sizeof(ocfs2_extent_rec) */
-/*10*/ struct ocfs2_extent_rec l_recs[]; /* Extent records */
+ /* Extent records */
+/*10*/ struct ocfs2_extent_rec l_recs[] __counted_by_le(l_count);
};
/*
@@ -482,7 +483,8 @@ struct ocfs2_chain_list {
__le16 cl_count; /* Total chains in this list */
__le16 cl_next_free_rec; /* Next unused chain slot */
__le64 cl_reserved1;
-/*10*/ struct ocfs2_chain_rec cl_recs[]; /* Chain records */
+ /* Chain records */
+/*10*/ struct ocfs2_chain_rec cl_recs[] __counted_by_le(cl_count);
};
/*
@@ -494,7 +496,8 @@ struct ocfs2_truncate_log {
/*00*/ __le16 tl_count; /* Total records in this log */
__le16 tl_used; /* Number of records in use */
__le32 tl_reserved1;
-/*08*/ struct ocfs2_truncate_rec tl_recs[]; /* Truncate records */
+ /* Truncate records */
+/*08*/ struct ocfs2_truncate_rec tl_recs[] __counted_by_le(tl_count);
};
/*
@@ -638,7 +641,7 @@ struct ocfs2_local_alloc
__le16 la_size; /* Size of included bitmap, in bytes */
__le16 la_reserved1;
__le64 la_reserved2;
-/*10*/ __u8 la_bitmap[];
+/*10*/ __u8 la_bitmap[] __counted_by_le(la_size);
};
/*
@@ -651,7 +654,7 @@ struct ocfs2_inline_data
* for data, starting at id_data */
__le16 id_reserved0;
__le32 id_reserved1;
- __u8 id_data[]; /* Start of user data */
+ __u8 id_data[] __counted_by_le(id_count); /* Start of user data */
};
/*
@@ -796,9 +799,10 @@ struct ocfs2_dx_entry_list {
* possible in de_entries */
__le16 de_num_used; /* Current number of
* de_entries entries */
- struct ocfs2_dx_entry de_entries[]; /* Indexed dir entries
- * in a packed array of
- * length de_num_used */
+ /* Indexed dir entries in a packed
+ * array of length de_num_used.
+ */
+ struct ocfs2_dx_entry de_entries[] __counted_by_le(de_count);
};
#define OCFS2_DX_FLAG_INLINE 0x01
@@ -934,7 +938,8 @@ struct ocfs2_refcount_list {
__le16 rl_used; /* Current number of used records */
__le32 rl_reserved2;
__le64 rl_reserved1; /* Pad to sizeof(ocfs2_refcount_record) */
-/*10*/ struct ocfs2_refcount_rec rl_recs[]; /* Refcount records */
+ /* Refcount records */
+/*10*/ struct ocfs2_refcount_rec rl_recs[] __counted_by_le(rl_count);
};
@@ -1020,7 +1025,8 @@ struct ocfs2_xattr_header {
buckets. A block uses
xb_check and sets
this field to zero.) */
- struct ocfs2_xattr_entry xh_entries[]; /* xattr entry list. */
+ /* xattr entry list. */
+ struct ocfs2_xattr_entry xh_entries[] __counted_by_le(xh_count);
};
/*
diff --git a/fs/ocfs2/suballoc.c b/fs/ocfs2/suballoc.c
index 6ac4dcd54588..9969a041ab18 100644
--- a/fs/ocfs2/suballoc.c
+++ b/fs/ocfs2/suballoc.c
@@ -649,6 +649,16 @@ ocfs2_block_group_alloc_discontig(handle_t *handle,
return status ? ERR_PTR(status) : bg_bh;
}
+static int ocfs2_check_chain_list(struct ocfs2_chain_list *cl,
+ struct super_block *sb)
+{
+ if (le16_to_cpu(cl->cl_count) != ocfs2_chain_recs_per_inode(sb))
+ return -EINVAL;
+ if (le16_to_cpu(cl->cl_next_free_rec) > le16_to_cpu(cl->cl_count))
+ return -EINVAL;
+ return 0;
+}
+
/*
* We expect the block group allocator to already be locked.
*/
@@ -671,6 +681,10 @@ static int ocfs2_block_group_alloc(struct ocfs2_super *osb,
BUG_ON(ocfs2_is_cluster_bitmap(alloc_inode));
cl = &fe->id2.i_chain;
+ status = ocfs2_check_chain_list(cl, alloc_inode->i_sb);
+ if (status)
+ goto bail;
+
status = ocfs2_reserve_clusters_with_limit(osb,
le16_to_cpu(cl->cl_cpg),
max_block, flags, &ac);
@@ -1992,6 +2006,9 @@ static int ocfs2_claim_suballoc_bits(struct ocfs2_alloc_context *ac,
}
cl = (struct ocfs2_chain_list *) &fe->id2.i_chain;
+ status = ocfs2_check_chain_list(cl, ac->ac_inode->i_sb);
+ if (status)
+ goto bail;
victim = ocfs2_find_victim_chain(cl);
ac->ac_chain = victim;
syzbot
Oct 22, 2025, 8:46:05 AM (3 days ago) Oct 22
to dman...@yandex.ru, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+770265...@syzkaller.appspotmail.com
Tested-by: syzbot+770265...@syzkaller.appspotmail.com
Tested on:
commit: 552c5071 Merge tag 'vfio-v6.18-rc3' of https://github...
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+770265...@syzkaller.appspotmail.com
Tested-by: syzbot+770265...@syzkaller.appspotmail.com
Tested on:
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=16944614580000
kernel config: https://syzkaller.appspot.com/x/.config?x=9ad7b090a18654a7
dashboard link: https://syzkaller.appspot.com/bug?extid=77026564530dbc29b854
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=10a44614580000
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
syzbot
Oct 24, 2025, 3:11:56 AM (yesterday) Oct 24
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: #syz test https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git linux-5.10.y
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Author: dman...@yandex.ru
diff --git a/fs/ocfs2/alloc.c b/fs/ocfs2/alloc.c
index 94c7acfebe18..0e0a4742b8a6 100644
--- a/fs/ocfs2/alloc.c
+++ b/fs/ocfs2/alloc.c
@@ -6155,6 +6155,9 @@ static int ocfs2_get_truncate_log_info(struct ocfs2_super *osb,
int status;
struct inode *inode = NULL;
struct buffer_head *bh = NULL;
+ struct ocfs2_dinode *di;
+ struct ocfs2_truncate_log *tl;
+ unsigned int tl_count, tl_used;
inode = ocfs2_get_system_file_inode(osb,
TRUNCATE_LOG_SYSTEM_INODE,
@@ -6172,6 +6175,19 @@ static int ocfs2_get_truncate_log_info(struct ocfs2_super *osb,
inode = ocfs2_get_system_file_inode(osb,
TRUNCATE_LOG_SYSTEM_INODE,
goto bail;
}
+ di = (struct ocfs2_dinode *)bh->b_data;
+ tl = &di->id2.i_dealloc;
+ tl_used = le16_to_cpu(tl->tl_used);
+ tl_count = le16_to_cpu(tl->tl_count);
+ if (unlikely(tl_count > ocfs2_truncate_recs_per_inode(osb->sb) ||
+ tl_count == 0 || tl_used > tl_count)) {
+ status = -EFSCORRUPTED;
+ iput(inode);
+ brelse(bh);
+ mlog_errno(status);
+ goto bail;
+ }
+
*tl_inode = inode;
*tl_bh = bh;
bail:
diff --git a/fs/ocfs2/dir.c b/fs/ocfs2/dir.c
index 195515eefd33..364c7e5f23c5 100644
--- a/fs/ocfs2/dir.c
+++ b/fs/ocfs2/dir.c
@@ -304,8 +304,21 @@ static int ocfs2_check_dir_entry(struct inode *dir,
unsigned long offset)
{
const char *error_msg = NULL;
- const int rlen = le16_to_cpu(de->rec_len);
- const unsigned long next_offset = ((char *) de - buf) + rlen;
+ unsigned long next_offset;
+ int rlen;
+
+ if (offset > size - OCFS2_DIR_REC_LEN(1)) {
+ /* Dirent is (maybe partially) beyond the buffer
+ * boundaries so touching 'de' members is unsafe.
+ */
+ mlog(ML_ERROR, "directory entry (#%llu: offset=%lu) "
+ "too close to end or out-of-bounds",
+ (unsigned long long)OCFS2_I(dir)->ip_blkno, offset);
+ return 0;
+ }
+
+ rlen = le16_to_cpu(de->rec_len);
+ next_offset = ((char *) de - buf) + rlen;
if (unlikely(rlen < OCFS2_DIR_REC_LEN(1)))
error_msg = "rec_len is smaller than minimal";
@@ -780,6 +793,14 @@ static int ocfs2_dx_dir_lookup_rec(struct inode *inode,
{
const char *error_msg = NULL;
- const int rlen = le16_to_cpu(de->rec_len);
- const unsigned long next_offset = ((char *) de - buf) + rlen;
+ unsigned long next_offset;
+ int rlen;
+
+ if (offset > size - OCFS2_DIR_REC_LEN(1)) {
+ /* Dirent is (maybe partially) beyond the buffer
+ * boundaries so touching 'de' members is unsafe.
+ */
+ mlog(ML_ERROR, "directory entry (#%llu: offset=%lu) "
+ "too close to end or out-of-bounds",
+ (unsigned long long)OCFS2_I(dir)->ip_blkno, offset);
+ return 0;
+ }
+
+ rlen = le16_to_cpu(de->rec_len);
+ next_offset = ((char *) de - buf) + rlen;
if (unlikely(rlen < OCFS2_DIR_REC_LEN(1)))
error_msg = "rec_len is smaller than minimal";
struct ocfs2_extent_block *eb;
struct ocfs2_extent_rec *rec = NULL;
+ if (le16_to_cpu(el->l_count) !=
+ ocfs2_extent_recs_per_dx_root(inode->i_sb)) {
+ ret = ocfs2_error(inode->i_sb,
+ "Inode %lu has invalid extent list length %u\n",
+ inode->i_ino, le16_to_cpu(el->l_count));
+ goto out;
+ }
+
if (el->l_tree_depth) {
ret = ocfs2_find_leaf(INODE_CACHE(inode), el, major_hash,
&eb_bh);
@@ -3418,6 +3439,14 @@ static int ocfs2_find_dir_space_id(struct inode *dir, struct buffer_head *di_bh,
struct ocfs2_extent_rec *rec = NULL;
+ if (le16_to_cpu(el->l_count) !=
+ ocfs2_extent_recs_per_dx_root(inode->i_sb)) {
+ ret = ocfs2_error(inode->i_sb,
+ "Inode %lu has invalid extent list length %u\n",
+ inode->i_ino, le16_to_cpu(el->l_count));
+ goto out;
+ }
+
if (el->l_tree_depth) {
ret = ocfs2_find_leaf(INODE_CACHE(inode), el, major_hash,
&eb_bh);
offset += le16_to_cpu(de->rec_len);
}
+ if (!last_de) {
+ ret = ocfs2_error(sb, "Directory entry (#%llu: size=%lld) "
+ "is unexpectedly short",
+ (unsigned long long)OCFS2_I(dir)->ip_blkno,
+ i_size_read(dir));
+ goto out;
+ }
+
/*
* We're going to require expansion of the directory - figure
* out how many blocks we'll need so that a place for the
diff --git a/fs/ocfs2/inode.c b/fs/ocfs2/inode.c
}
+ if (!last_de) {
+ ret = ocfs2_error(sb, "Directory entry (#%llu: size=%lld) "
+ "is unexpectedly short",
+ (unsigned long long)OCFS2_I(dir)->ip_blkno,
+ i_size_read(dir));
+ goto out;
+ }
+
/*
* We're going to require expansion of the directory - figure
* out how many blocks we'll need so that a place for the
index 7c9dfd50c1c1..a25af01463cf 100644
--- a/fs/ocfs2/inode.c
+++ b/fs/ocfs2/inode.c
@@ -1418,6 +1418,14 @@ int ocfs2_validate_inode_block(struct super_block *sb,
goto bail;
}
+ if ((le16_to_cpu(di->i_dyn_features) & OCFS2_INLINE_DATA_FL) &&
+ le32_to_cpu(di->i_clusters)) {
+ rc = ocfs2_error(sb, "Invalid dinode %llu: %u clusters\n",
+ (unsigned long long)bh->b_blocknr,
+ le32_to_cpu(di->i_clusters));
+ goto bail;
+ }
+
rc = 0;
bail:
diff --git a/fs/ocfs2/move_extents.c b/fs/ocfs2/move_extents.c
index 98e77ea957ff..8732965760d2 100644
--- a/fs/ocfs2/move_extents.c
+++ b/fs/ocfs2/move_extents.c
@@ -100,7 +100,13 @@ static int __ocfs2_move_extent(handle_t *handle,
rec = &el->l_recs[index];
- BUG_ON(ext_flags != rec->e_flags);
+ if (ext_flags != rec->e_flags) {
+ ret = ocfs2_error(inode->i_sb,
+ "Inode %llu has corrupted extent %d with flags 0x%x at cpos %u\n",
+ (unsigned long long)ino, index, rec->e_flags, cpos);
+ goto out;
+ }
+
/*
* after moving/defraging to new location, the extent is not going
* to be refcounted anymore.
if (range.me_threshold > i_size_read(inode))
range.me_threshold = i_size_read(inode);
+ if (range.me_flags & ~(OCFS2_MOVE_EXT_FL_AUTO_DEFRAG |
+ OCFS2_MOVE_EXT_FL_PART_DEFRAG)) {
+ status = -EINVAL;
+ goto out_free;
+ }
+
if (range.me_flags & OCFS2_MOVE_EXT_FL_AUTO_DEFRAG) {
context->auto_defrag = 1;
diff --git a/fs/ocfs2/suballoc.c b/fs/ocfs2/suballoc.c
range.me_threshold = i_size_read(inode);
+ if (range.me_flags & ~(OCFS2_MOVE_EXT_FL_AUTO_DEFRAG |
+ OCFS2_MOVE_EXT_FL_PART_DEFRAG)) {
+ status = -EINVAL;
+ goto out_free;
+ }
+
if (range.me_flags & OCFS2_MOVE_EXT_FL_AUTO_DEFRAG) {
context->auto_defrag = 1;
index 4f48003e4327..41254d625691 100644
--- a/fs/ocfs2/suballoc.c
+++ b/fs/ocfs2/suballoc.c
@@ -647,6 +647,16 @@ ocfs2_block_group_alloc_discontig(handle_t *handle,
return status ? ERR_PTR(status) : bg_bh;
}
+static int ocfs2_check_chain_list(struct ocfs2_chain_list *cl,
+ struct super_block *sb)
+{
+ if (le16_to_cpu(cl->cl_count) != ocfs2_chain_recs_per_inode(sb))
+ return -EINVAL;
+ if (le16_to_cpu(cl->cl_next_free_rec) > le16_to_cpu(cl->cl_count))
+ return -EINVAL;
+ return 0;
+}
+
/*
* We expect the block group allocator to already be locked.
*/
@@ -669,6 +679,10 @@ static int ocfs2_block_group_alloc(struct ocfs2_super *osb,
}
+static int ocfs2_check_chain_list(struct ocfs2_chain_list *cl,
+ struct super_block *sb)
+{
+ if (le16_to_cpu(cl->cl_count) != ocfs2_chain_recs_per_inode(sb))
+ return -EINVAL;
+ if (le16_to_cpu(cl->cl_next_free_rec) > le16_to_cpu(cl->cl_count))
+ return -EINVAL;
+ return 0;
+}
+
/*
* We expect the block group allocator to already be locked.
*/
BUG_ON(ocfs2_is_cluster_bitmap(alloc_inode));
cl = &fe->id2.i_chain;
+ status = ocfs2_check_chain_list(cl, alloc_inode->i_sb);
+ if (status)
+ goto bail;
+
status = ocfs2_reserve_clusters_with_limit(osb,
le16_to_cpu(cl->cl_cpg),
max_block, flags, &ac);
@@ -1925,6 +1939,9 @@ static int ocfs2_claim_suballoc_bits(struct ocfs2_alloc_context *ac,
cl = &fe->id2.i_chain;
+ status = ocfs2_check_chain_list(cl, alloc_inode->i_sb);
+ if (status)
+ goto bail;
+
status = ocfs2_reserve_clusters_with_limit(osb,
le16_to_cpu(cl->cl_cpg),
max_block, flags, &ac);
syzbot
Oct 24, 2025, 3:15:24 AM (yesterday) Oct 24
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: #syz test https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git linux-6.1.y
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
index 7f11ffacc915..e606826045b5 100644
--- a/fs/ocfs2/dir.c
+++ b/fs/ocfs2/dir.c
@@ -302,8 +302,21 @@ static int ocfs2_check_dir_entry(struct inode *dir,
unsigned long offset)
{
const char *error_msg = NULL;
- const int rlen = le16_to_cpu(de->rec_len);
- const unsigned long next_offset = ((char *) de - buf) + rlen;
+ unsigned long next_offset;
+ int rlen;
+
+ if (offset > size - OCFS2_DIR_REC_LEN(1)) {
+ /* Dirent is (maybe partially) beyond the buffer
+ * boundaries so touching 'de' members is unsafe.
+ */
+ mlog(ML_ERROR, "directory entry (#%llu: offset=%lu) "
+ "too close to end or out-of-bounds",
+ (unsigned long long)OCFS2_I(dir)->ip_blkno, offset);
+ return 0;
+ }
+
+ rlen = le16_to_cpu(de->rec_len);
+ next_offset = ((char *) de - buf) + rlen;
if (unlikely(rlen < OCFS2_DIR_REC_LEN(1)))
error_msg = "rec_len is smaller than minimal";
@@ -778,6 +791,14 @@ static int ocfs2_dx_dir_lookup_rec(struct inode *inode,
{
const char *error_msg = NULL;
- const int rlen = le16_to_cpu(de->rec_len);
- const unsigned long next_offset = ((char *) de - buf) + rlen;
+ unsigned long next_offset;
+ int rlen;
+
+ if (offset > size - OCFS2_DIR_REC_LEN(1)) {
+ /* Dirent is (maybe partially) beyond the buffer
+ * boundaries so touching 'de' members is unsafe.
+ */
+ mlog(ML_ERROR, "directory entry (#%llu: offset=%lu) "
+ "too close to end or out-of-bounds",
+ (unsigned long long)OCFS2_I(dir)->ip_blkno, offset);
+ return 0;
+ }
+
+ rlen = le16_to_cpu(de->rec_len);
+ next_offset = ((char *) de - buf) + rlen;
if (unlikely(rlen < OCFS2_DIR_REC_LEN(1)))
error_msg = "rec_len is smaller than minimal";
struct ocfs2_extent_block *eb;
struct ocfs2_extent_rec *rec = NULL;
+ if (le16_to_cpu(el->l_count) !=
+ ocfs2_extent_recs_per_dx_root(inode->i_sb)) {
+ ret = ocfs2_error(inode->i_sb,
+ "Inode %lu has invalid extent list length %u\n",
+ inode->i_ino, le16_to_cpu(el->l_count));
+ goto out;
+ }
+
if (el->l_tree_depth) {
ret = ocfs2_find_leaf(INODE_CACHE(inode), el, major_hash,
&eb_bh);
@@ -3416,6 +3437,14 @@ static int ocfs2_find_dir_space_id(struct inode *dir, struct buffer_head *di_bh,
struct ocfs2_extent_rec *rec = NULL;
+ if (le16_to_cpu(el->l_count) !=
+ ocfs2_extent_recs_per_dx_root(inode->i_sb)) {
+ ret = ocfs2_error(inode->i_sb,
+ "Inode %lu has invalid extent list length %u\n",
+ inode->i_ino, le16_to_cpu(el->l_count));
+ goto out;
+ }
+
if (el->l_tree_depth) {
ret = ocfs2_find_leaf(INODE_CACHE(inode), el, major_hash,
&eb_bh);
offset += le16_to_cpu(de->rec_len);
}
+ if (!last_de) {
+ ret = ocfs2_error(sb, "Directory entry (#%llu: size=%lld) "
+ "is unexpectedly short",
+ (unsigned long long)OCFS2_I(dir)->ip_blkno,
+ i_size_read(dir));
+ goto out;
+ }
+
/*
* We're going to require expansion of the directory - figure
* out how many blocks we'll need so that a place for the
diff --git a/fs/ocfs2/inode.c b/fs/ocfs2/inode.c
index a1f3b25ce612..7115d2091cb9 100644
}
+ if (!last_de) {
+ ret = ocfs2_error(sb, "Directory entry (#%llu: size=%lld) "
+ "is unexpectedly short",
+ (unsigned long long)OCFS2_I(dir)->ip_blkno,
+ i_size_read(dir));
+ goto out;
+ }
+
/*
* We're going to require expansion of the directory - figure
* out how many blocks we'll need so that a place for the
diff --git a/fs/ocfs2/inode.c b/fs/ocfs2/inode.c
--- a/fs/ocfs2/inode.c
+++ b/fs/ocfs2/inode.c
@@ -1419,6 +1419,14 @@ int ocfs2_validate_inode_block(struct super_block *sb,
goto bail;
}
+ if ((le16_to_cpu(di->i_dyn_features) & OCFS2_INLINE_DATA_FL) &&
+ le32_to_cpu(di->i_clusters)) {
+ rc = ocfs2_error(sb, "Invalid dinode %llu: %u clusters\n",
+ (unsigned long long)bh->b_blocknr,
+ le32_to_cpu(di->i_clusters));
+ goto bail;
+ }
+
rc = 0;
bail:
diff --git a/fs/ocfs2/move_extents.c b/fs/ocfs2/move_extents.c
index b1e32ec4a9d4..6acf13adfb55 100644
}
+ if ((le16_to_cpu(di->i_dyn_features) & OCFS2_INLINE_DATA_FL) &&
+ le32_to_cpu(di->i_clusters)) {
+ rc = ocfs2_error(sb, "Invalid dinode %llu: %u clusters\n",
+ (unsigned long long)bh->b_blocknr,
+ le32_to_cpu(di->i_clusters));
+ goto bail;
+ }
+
rc = 0;
bail:
diff --git a/fs/ocfs2/move_extents.c b/fs/ocfs2/move_extents.c
--- a/fs/ocfs2/move_extents.c
+++ b/fs/ocfs2/move_extents.c
@@ -98,7 +98,13 @@ static int __ocfs2_move_extent(handle_t *handle,
rec = &el->l_recs[index];
- BUG_ON(ext_flags != rec->e_flags);
+ if (ext_flags != rec->e_flags) {
+ ret = ocfs2_error(inode->i_sb,
+ "Inode %llu has corrupted extent %d with flags 0x%x at cpos %u\n",
+ (unsigned long long)ino, index, rec->e_flags, cpos);
+ goto out;
+ }
+
/*
* after moving/defraging to new location, the extent is not going
* to be refcounted anymore.
if (range.me_threshold > i_size_read(inode))
range.me_threshold = i_size_read(inode);
+ if (range.me_flags & ~(OCFS2_MOVE_EXT_FL_AUTO_DEFRAG |
+ OCFS2_MOVE_EXT_FL_PART_DEFRAG)) {
+ status = -EINVAL;
+ goto out_free;
+ }
+
if (range.me_flags & OCFS2_MOVE_EXT_FL_AUTO_DEFRAG) {
context->auto_defrag = 1;
diff --git a/fs/ocfs2/suballoc.c b/fs/ocfs2/suballoc.c
index 166c8918c825..d11a0b83baba 100644
range.me_threshold = i_size_read(inode);
+ if (range.me_flags & ~(OCFS2_MOVE_EXT_FL_AUTO_DEFRAG |
+ OCFS2_MOVE_EXT_FL_PART_DEFRAG)) {
+ status = -EINVAL;
+ goto out_free;
+ }
+
if (range.me_flags & OCFS2_MOVE_EXT_FL_AUTO_DEFRAG) {
context->auto_defrag = 1;
diff --git a/fs/ocfs2/suballoc.c b/fs/ocfs2/suballoc.c
--- a/fs/ocfs2/suballoc.c
+++ b/fs/ocfs2/suballoc.c
@@ -645,6 +645,16 @@ ocfs2_block_group_alloc_discontig(handle_t *handle,
return status ? ERR_PTR(status) : bg_bh;
}
+static int ocfs2_check_chain_list(struct ocfs2_chain_list *cl,
+ struct super_block *sb)
+{
+ if (le16_to_cpu(cl->cl_count) != ocfs2_chain_recs_per_inode(sb))
+ return -EINVAL;
+ if (le16_to_cpu(cl->cl_next_free_rec) > le16_to_cpu(cl->cl_count))
+ return -EINVAL;
+ return 0;
+}
+
/*
* We expect the block group allocator to already be locked.
*/
@@ -667,6 +677,10 @@ static int ocfs2_block_group_alloc(struct ocfs2_super *osb,
}
+static int ocfs2_check_chain_list(struct ocfs2_chain_list *cl,
+ struct super_block *sb)
+{
+ if (le16_to_cpu(cl->cl_count) != ocfs2_chain_recs_per_inode(sb))
+ return -EINVAL;
+ if (le16_to_cpu(cl->cl_next_free_rec) > le16_to_cpu(cl->cl_count))
+ return -EINVAL;
+ return 0;
+}
+
/*
* We expect the block group allocator to already be locked.
*/
BUG_ON(ocfs2_is_cluster_bitmap(alloc_inode));
cl = &fe->id2.i_chain;
+ status = ocfs2_check_chain_list(cl, alloc_inode->i_sb);
+ if (status)
+ goto bail;
+
status = ocfs2_reserve_clusters_with_limit(osb,
le16_to_cpu(cl->cl_cpg),
max_block, flags, &ac);
@@ -1923,6 +1937,9 @@ static int ocfs2_claim_suballoc_bits(struct ocfs2_alloc_context *ac,
cl = &fe->id2.i_chain;
+ status = ocfs2_check_chain_list(cl, alloc_inode->i_sb);
+ if (status)
+ goto bail;
+
status = ocfs2_reserve_clusters_with_limit(osb,
le16_to_cpu(cl->cl_cpg),
max_block, flags, &ac);
syzbot
Oct 24, 2025, 3:15:35 AM (yesterday) Oct 24
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: #syz test https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git linux-6.12.y
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
index 5d9388b44e5b..b84e164c6314 100644
--- a/fs/ocfs2/alloc.c
+++ b/fs/ocfs2/alloc.c
@@ -6162,6 +6162,9 @@ static int ocfs2_get_truncate_log_info(struct ocfs2_super *osb,
int status;
struct inode *inode = NULL;
struct buffer_head *bh = NULL;
+ struct ocfs2_dinode *di;
+ struct ocfs2_truncate_log *tl;
+ unsigned int tl_count, tl_used;
inode = ocfs2_get_system_file_inode(osb,
TRUNCATE_LOG_SYSTEM_INODE,
@@ -6179,6 +6182,19 @@ static int ocfs2_get_truncate_log_info(struct ocfs2_super *osb,
struct inode *inode = NULL;
struct buffer_head *bh = NULL;
+ struct ocfs2_dinode *di;
+ struct ocfs2_truncate_log *tl;
+ unsigned int tl_count, tl_used;
inode = ocfs2_get_system_file_inode(osb,
TRUNCATE_LOG_SYSTEM_INODE,
goto bail;
}
+ di = (struct ocfs2_dinode *)bh->b_data;
+ tl = &di->id2.i_dealloc;
+ tl_used = le16_to_cpu(tl->tl_used);
+ tl_count = le16_to_cpu(tl->tl_count);
+ if (unlikely(tl_count > ocfs2_truncate_recs_per_inode(osb->sb) ||
+ tl_count == 0 || tl_used > tl_count)) {
+ status = -EFSCORRUPTED;
+ iput(inode);
+ brelse(bh);
+ mlog_errno(status);
+ goto bail;
+ }
+
*tl_inode = inode;
*tl_bh = bh;
bail:
diff --git a/fs/ocfs2/dir.c b/fs/ocfs2/dir.c
index 7799f4d16ce9..46f392374388 100644
}
+ di = (struct ocfs2_dinode *)bh->b_data;
+ tl = &di->id2.i_dealloc;
+ tl_used = le16_to_cpu(tl->tl_used);
+ tl_count = le16_to_cpu(tl->tl_count);
+ if (unlikely(tl_count > ocfs2_truncate_recs_per_inode(osb->sb) ||
+ tl_count == 0 || tl_used > tl_count)) {
+ status = -EFSCORRUPTED;
+ iput(inode);
+ brelse(bh);
+ mlog_errno(status);
+ goto bail;
+ }
+
*tl_inode = inode;
*tl_bh = bh;
bail:
diff --git a/fs/ocfs2/dir.c b/fs/ocfs2/dir.c
offset += le16_to_cpu(de->rec_len);
}
+ if (!last_de) {
+ ret = ocfs2_error(sb, "Directory entry (#%llu: size=%lld) "
+ "is unexpectedly short",
+ (unsigned long long)OCFS2_I(dir)->ip_blkno,
+ i_size_read(dir));
+ goto out;
+ }
+
/*
* We're going to require expansion of the directory - figure
* out how many blocks we'll need so that a place for the
diff --git a/fs/ocfs2/inode.c b/fs/ocfs2/inode.c
index 4a7509389cf3..41310d2b937c 100644
}
+ if (!last_de) {
+ ret = ocfs2_error(sb, "Directory entry (#%llu: size=%lld) "
+ "is unexpectedly short",
+ (unsigned long long)OCFS2_I(dir)->ip_blkno,
+ i_size_read(dir));
+ goto out;
+ }
+
/*
* We're going to require expansion of the directory - figure
* out how many blocks we'll need so that a place for the
diff --git a/fs/ocfs2/inode.c b/fs/ocfs2/inode.c
--- a/fs/ocfs2/inode.c
+++ b/fs/ocfs2/inode.c
@@ -1419,6 +1419,14 @@ int ocfs2_validate_inode_block(struct super_block *sb,
goto bail;
}
+ if ((le16_to_cpu(di->i_dyn_features) & OCFS2_INLINE_DATA_FL) &&
+ le32_to_cpu(di->i_clusters)) {
+ rc = ocfs2_error(sb, "Invalid dinode %llu: %u clusters\n",
+ (unsigned long long)bh->b_blocknr,
+ le32_to_cpu(di->i_clusters));
+ goto bail;
+ }
+
rc = 0;
bail:
diff --git a/fs/ocfs2/move_extents.c b/fs/ocfs2/move_extents.c
index f9d6a4f9ca92..b10c8acd469b 100644
+++ b/fs/ocfs2/inode.c
@@ -1419,6 +1419,14 @@ int ocfs2_validate_inode_block(struct super_block *sb,
goto bail;
}
+ if ((le16_to_cpu(di->i_dyn_features) & OCFS2_INLINE_DATA_FL) &&
+ le32_to_cpu(di->i_clusters)) {
+ rc = ocfs2_error(sb, "Invalid dinode %llu: %u clusters\n",
+ (unsigned long long)bh->b_blocknr,
+ le32_to_cpu(di->i_clusters));
+ goto bail;
+ }
+
rc = 0;
bail:
diff --git a/fs/ocfs2/move_extents.c b/fs/ocfs2/move_extents.c
--- a/fs/ocfs2/suballoc.c
+++ b/fs/ocfs2/suballoc.c
@@ -649,6 +649,16 @@ ocfs2_block_group_alloc_discontig(handle_t *handle,
return status ? ERR_PTR(status) : bg_bh;
}
+static int ocfs2_check_chain_list(struct ocfs2_chain_list *cl,
+ struct super_block *sb)
+{
+ if (le16_to_cpu(cl->cl_count) != ocfs2_chain_recs_per_inode(sb))
+ return -EINVAL;
+ if (le16_to_cpu(cl->cl_next_free_rec) > le16_to_cpu(cl->cl_count))
+ return -EINVAL;
+ return 0;
+}
+
/*
* We expect the block group allocator to already be locked.
*/
@@ -671,6 +681,10 @@ static int ocfs2_block_group_alloc(struct ocfs2_super *osb,
}
+static int ocfs2_check_chain_list(struct ocfs2_chain_list *cl,
+ struct super_block *sb)
+{
+ if (le16_to_cpu(cl->cl_count) != ocfs2_chain_recs_per_inode(sb))
+ return -EINVAL;
+ if (le16_to_cpu(cl->cl_next_free_rec) > le16_to_cpu(cl->cl_count))
+ return -EINVAL;
+ return 0;
+}
+
/*
* We expect the block group allocator to already be locked.
*/
BUG_ON(ocfs2_is_cluster_bitmap(alloc_inode));
cl = &fe->id2.i_chain;
+ status = ocfs2_check_chain_list(cl, alloc_inode->i_sb);
+ if (status)
+ goto bail;
+
status = ocfs2_reserve_clusters_with_limit(osb,
le16_to_cpu(cl->cl_cpg),
max_block, flags, &ac);
@@ -1992,6 +2006,9 @@ static int ocfs2_claim_suballoc_bits(struct ocfs2_alloc_context *ac,
cl = &fe->id2.i_chain;
+ status = ocfs2_check_chain_list(cl, alloc_inode->i_sb);
+ if (status)
+ goto bail;
+
status = ocfs2_reserve_clusters_with_limit(osb,
le16_to_cpu(cl->cl_cpg),
max_block, flags, &ac);
syzbot
Oct 24, 2025, 4:31:05 AM (yesterday) Oct 24
to dman...@yandex.ru, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
UBSAN: signed-integer-overflow in ip_idents_reserve
================================================================================
UBSAN: signed-integer-overflow in ./arch/x86/include/asm/atomic.h:165:11
-1399202697 + -1961381633 cannot be represented in type 'int'
CPU: 1 PID: 27 Comm: kworker/u4:2 Not tainted syzkaller #0
Call Trace:
dump_stack+0xfd/0x16e lib/dump_stack.c:118
ubsan_epilogue+0xa/0x30 lib/ubsan.c:148
handle_overflow+0x192/0x1b0 lib/ubsan.c:180
arch_atomic_add_return arch/x86/include/asm/atomic.h:165 [inline]
atomic_add_return include/asm-generic/atomic-instrumented.h:73 [inline]
ip_idents_reserve+0x14a/0x170 net/ipv4/route.c:521
__ip_select_ident+0xe4/0x1c0 net/ipv4/route.c:538
iptunnel_xmit+0x468/0x850 net/ipv4/ip_tunnel_core.c:80
udp_tunnel_xmit_skb+0x1ba/0x290 net/ipv4/udp_tunnel_core.c:190
send4+0x5d4/0xaf0 drivers/net/wireguard/socket.c:85
wg_socket_send_skb_to_peer+0xcd/0x1c0 drivers/net/wireguard/socket.c:175
wg_packet_send_handshake_initiation drivers/net/wireguard/send.c:40 [inline]
wg_packet_handshake_send_worker+0x16b/0x280 drivers/net/wireguard/send.c:51
process_one_work+0x85e/0xff0 kernel/workqueue.c:2282
worker_thread+0xa9b/0x1430 kernel/workqueue.c:2428
kthread+0x386/0x410 kernel/kthread.c:328
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
================================================================================
Kernel panic - not syncing: UBSAN: panic_on_warn set ...
CPU: 1 PID: 27 Comm: kworker/u4:2 Not tainted syzkaller #0
Call Trace:
dump_stack+0xfd/0x16e lib/dump_stack.c:118
panic+0x2f0/0x9c0 kernel/panic.c:308
check_panic_on_warn+0x95/0xe0 kernel/panic.c:228
handle_overflow+0x192/0x1b0 lib/ubsan.c:180
arch_atomic_add_return arch/x86/include/asm/atomic.h:165 [inline]
atomic_add_return include/asm-generic/atomic-instrumented.h:73 [inline]
ip_idents_reserve+0x14a/0x170 net/ipv4/route.c:521
__ip_select_ident+0xe4/0x1c0 net/ipv4/route.c:538
iptunnel_xmit+0x468/0x850 net/ipv4/ip_tunnel_core.c:80
udp_tunnel_xmit_skb+0x1ba/0x290 net/ipv4/udp_tunnel_core.c:190
send4+0x5d4/0xaf0 drivers/net/wireguard/socket.c:85
wg_socket_send_skb_to_peer+0xcd/0x1c0 drivers/net/wireguard/socket.c:175
wg_packet_send_handshake_initiation drivers/net/wireguard/send.c:40 [inline]
wg_packet_handshake_send_worker+0x16b/0x280 drivers/net/wireguard/send.c:51
process_one_work+0x85e/0xff0 kernel/workqueue.c:2282
worker_thread+0xa9b/0x1430 kernel/workqueue.c:2428
kthread+0x386/0x410 kernel/kthread.c:328
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
Kernel Offset: disabled
Rebooting in 86400 seconds..
Warning: Permanently added '10.128.1.176' (ED25519) to the list of known hosts.
2025/10/24 08:30:04 parsed 1 programs
[ 48.013663][ T6013] cgroup: Unknown subsys name 'net'
[ 48.170944][ T6013] cgroup: Unknown subsys name 'rlimit'
[ 49.896812][ T6013] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 50.802412][ T6020] IPVS: ftp: loaded support on port[0] = 21
[ 50.981218][ T6026] IPVS: ftp: loaded support on port[0] = 21
[ 51.070963][ T6031] IPVS: ftp: loaded support on port[0] = 21
[ 51.212304][ T6037] IPVS: ftp: loaded support on port[0] = 21
[ 51.298209][ T6042] IPVS: ftp: loaded support on port[0] = 21
[ 51.396045][ T6047] IPVS: ftp: loaded support on port[0] = 21
[ 51.445463][ T6047] chnl_net:caif_netlink_parms(): no params data found
[ 51.483834][ T6047] bridge0: port 1(bridge_slave_0) entered blocking state
[ 51.491355][ T6047] bridge0: port 1(bridge_slave_0) entered disabled state
[ 51.499426][ T6047] device bridge_slave_0 entered promiscuous mode
[ 51.507218][ T6047] bridge0: port 2(bridge_slave_1) entered blocking state
[ 51.514361][ T6047] bridge0: port 2(bridge_slave_1) entered disabled state
[ 51.521916][ T6047] device bridge_slave_1 entered promiscuous mode
[ 51.540701][ T6047] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 51.551842][ T6047] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 51.567750][ T6047] team0: Port device team_slave_0 added
[ 51.574571][ T6047] team0: Port device team_slave_1 added
[ 51.586442][ T6047] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 51.593515][ T6047] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem.
[ 51.619504][ T6047] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 51.631289][ T6047] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 51.638275][ T6047] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem.
[ 51.664460][ T6047] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 51.688501][ T6047] device hsr_slave_0 entered promiscuous mode
[ 51.695170][ T6047] device hsr_slave_1 entered promiscuous mode
[ 51.745737][ T6047] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 51.754100][ T6047] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 51.762823][ T6047] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 51.771249][ T6047] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 51.786410][ T6047] bridge0: port 2(bridge_slave_1) entered blocking state
[ 51.793485][ T6047] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 51.800980][ T6047] bridge0: port 1(bridge_slave_0) entered blocking state
[ 51.808073][ T6047] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 51.835190][ T6047] 8021q: adding VLAN 0 to HW filter on device bond0
[ 51.846473][ T178] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 51.855767][ T178] bridge0: port 1(bridge_slave_0) entered disabled state
[ 51.863380][ T178] bridge0: port 2(bridge_slave_1) entered disabled state
[ 51.871161][ T178] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 51.886989][ T6047] 8021q: adding VLAN 0 to HW filter on device team0
[ 51.896287][ T27] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 51.904678][ T27] bridge0: port 1(bridge_slave_0) entered blocking state
[ 51.911755][ T27] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 51.928140][ T27] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 51.936459][ T27] bridge0: port 2(bridge_slave_1) entered blocking state
[ 51.943545][ T27] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 51.951785][ T27] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 51.968045][ T27] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 51.976221][ T27] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 51.986689][ T27] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 51.997233][ T27] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 52.007405][ T6047] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 52.064410][ T27] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 52.072318][ T27] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 52.083417][ T6047] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 52.097534][ T27] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 52.116942][ T27] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 52.125424][ T27] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 52.133639][ T27] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 52.144186][ T6047] device veth0_vlan entered promiscuous mode
[ 52.158944][ T6047] device veth1_vlan entered promiscuous mode
[ 52.173076][ T27] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 52.181468][ T27] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 52.189866][ T27] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 52.205170][ T6047] device veth0_macvtap entered promiscuous mode
[ 52.213384][ T6047] device veth1_macvtap entered promiscuous mode
[ 52.226086][ T6047] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 52.233924][ T27] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 52.242748][ T27] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 52.257429][ T6047] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 52.264976][ T178] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 52.275526][ T6047] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 52.284833][ T6047] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 52.293537][ T6047] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 52.302445][ T6047] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 52.318876][ T27] ================================================================================
[ 52.328195][ T27] UBSAN: signed-integer-overflow in ./arch/x86/include/asm/atomic.h:165:11
[ 52.336760][ T27] -1399202697 + -1961381633 cannot be represented in type 'int'
[ 52.344421][ T27] CPU: 1 PID: 27 Comm: kworker/u4:2 Not tainted syzkaller #0
[ 52.351780][ T27] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
[ 52.361832][ T27] Workqueue: wg-kex-wg0 wg_packet_handshake_send_worker
[ 52.368761][ T27] Call Trace:
[ 52.372032][ T27] dump_stack+0xfd/0x16e
[ 52.376247][ T27] ubsan_epilogue+0xa/0x30
[ 52.380663][ T27] handle_overflow+0x192/0x1b0
[ 52.385400][ T27] ? prandom_u32+0x217/0x260
[ 52.390240][ T27] ip_idents_reserve+0x14a/0x170
[ 52.395164][ T27] __ip_select_ident+0xe4/0x1c0
[ 52.400000][ T27] iptunnel_xmit+0x468/0x850
[ 52.404585][ T27] udp_tunnel_xmit_skb+0x1ba/0x290
[ 52.409691][ T27] send4+0x5d4/0xaf0
[ 52.413573][ T27] wg_socket_send_skb_to_peer+0xcd/0x1c0
[ 52.419181][ T27] wg_packet_handshake_send_worker+0x16b/0x280
[ 52.425312][ T27] process_one_work+0x85e/0xff0
[ 52.430173][ T27] worker_thread+0xa9b/0x1430
[ 52.434940][ T27] ? rcu_lock_release+0x20/0x20
[ 52.439765][ T27] kthread+0x386/0x410
[ 52.443809][ T27] ? rcu_lock_release+0x20/0x20
[ 52.448664][ T27] ? kthread_blkcg+0xd0/0xd0
[ 52.453322][ T27] ret_from_fork+0x1f/0x30
[ 52.457765][ T27] ================================================================================
[ 52.467065][ T27] Kernel panic - not syncing: UBSAN: panic_on_warn set ...
[ 52.474261][ T27] CPU: 1 PID: 27 Comm: kworker/u4:2 Not tainted syzkaller #0
[ 52.481603][ T27] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
[ 52.491670][ T27] Workqueue: wg-kex-wg0 wg_packet_handshake_send_worker
[ 52.498580][ T27] Call Trace:
[ 52.501854][ T27] dump_stack+0xfd/0x16e
[ 52.506080][ T27] panic+0x2f0/0x9c0
[ 52.509954][ T27] check_panic_on_warn+0x95/0xe0
[ 52.514870][ T27] handle_overflow+0x192/0x1b0
[ 52.519633][ T27] ? prandom_u32+0x217/0x260
[ 52.524228][ T27] ip_idents_reserve+0x14a/0x170
[ 52.529235][ T27] __ip_select_ident+0xe4/0x1c0
[ 52.534066][ T27] iptunnel_xmit+0x468/0x850
[ 52.538633][ T27] udp_tunnel_xmit_skb+0x1ba/0x290
[ 52.543721][ T27] send4+0x5d4/0xaf0
[ 52.547604][ T27] wg_socket_send_skb_to_peer+0xcd/0x1c0
[ 52.553417][ T27] wg_packet_handshake_send_worker+0x16b/0x280
[ 52.559562][ T27] process_one_work+0x85e/0xff0
[ 52.564387][ T27] worker_thread+0xa9b/0x1430
[ 52.569136][ T27] ? rcu_lock_release+0x20/0x20
[ 52.574052][ T27] kthread+0x386/0x410
[ 52.578096][ T27] ? rcu_lock_release+0x20/0x20
[ 52.582913][ T27] ? kthread_blkcg+0xd0/0xd0
[ 52.587475][ T27] ret_from_fork+0x1f/0x30
[ 52.592191][ T27] Kernel Offset: disabled
[ 52.596510][ T27] Rebooting in 86400 seconds..
syzkaller build log:
go env (err=<nil>)
AR='ar'
CC='gcc'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='1'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
CXX='g++'
GCCGO='gccgo'
GO111MODULE='auto'
GOAMD64='v1'
GOARCH='amd64'
GOAUTH='netrc'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOCACHEPROG=''
GODEBUG=''
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFIPS140='off'
GOFLAGS=''
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build1315598195=/tmp/go-build -gno-record-gcc-switches'
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMOD='/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOMODCACHE='/syzkaller/jobs-2/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs-2/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTELEMETRY='local'
GOTELEMETRYDIR='/syzkaller/.config/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.24.4'
GOWORK=''
PKG_CONFIG='pkg-config'
git status (err=<nil>)
HEAD detached at b6605ba8b96
nothing to commit, working tree clean
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=b6605ba8b96835063c5eb766c38d27fac98b84d4 -X github.com/google/syzkaller/prog.gitRevisionDate=20251013-102005" ./sys/syz-sysgen | grep -q false || go install -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=b6605ba8b96835063c5eb766c38d27fac98b84d4 -X github.com/google/syzkaller/prog.gitRevisionDate=20251013-102005" ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=b6605ba8b96835063c5eb766c38d27fac98b84d4 -X github.com/google/syzkaller/prog.gitRevisionDate=20251013-102005" -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"b6605ba8b96835063c5eb766c38d27fac98b84d4\"
/usr/bin/ld: /tmp/cccF2O1E.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
./tools/check-syzos.sh 2>/dev/null
Tested on:
commit: d3d0b4e2 Linux 5.10.245
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git linux-5.10.y
kernel config: https://syzkaller.appspot.com/x/.config?x=6e4052b2d7feb092
syzbot tried to test the proposed patch but the build/boot failed:
UBSAN: signed-integer-overflow in ip_idents_reserve
================================================================================
UBSAN: signed-integer-overflow in ./arch/x86/include/asm/atomic.h:165:11
-1399202697 + -1961381633 cannot be represented in type 'int'
CPU: 1 PID: 27 Comm: kworker/u4:2 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Workqueue: wg-kex-wg0 wg_packet_handshake_send_worker
Call Trace:
dump_stack+0xfd/0x16e lib/dump_stack.c:118
ubsan_epilogue+0xa/0x30 lib/ubsan.c:148
handle_overflow+0x192/0x1b0 lib/ubsan.c:180
arch_atomic_add_return arch/x86/include/asm/atomic.h:165 [inline]
atomic_add_return include/asm-generic/atomic-instrumented.h:73 [inline]
ip_idents_reserve+0x14a/0x170 net/ipv4/route.c:521
__ip_select_ident+0xe4/0x1c0 net/ipv4/route.c:538
iptunnel_xmit+0x468/0x850 net/ipv4/ip_tunnel_core.c:80
udp_tunnel_xmit_skb+0x1ba/0x290 net/ipv4/udp_tunnel_core.c:190
send4+0x5d4/0xaf0 drivers/net/wireguard/socket.c:85
wg_socket_send_skb_to_peer+0xcd/0x1c0 drivers/net/wireguard/socket.c:175
wg_packet_send_handshake_initiation drivers/net/wireguard/send.c:40 [inline]
wg_packet_handshake_send_worker+0x16b/0x280 drivers/net/wireguard/send.c:51
process_one_work+0x85e/0xff0 kernel/workqueue.c:2282
worker_thread+0xa9b/0x1430 kernel/workqueue.c:2428
kthread+0x386/0x410 kernel/kthread.c:328
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
================================================================================
Kernel panic - not syncing: UBSAN: panic_on_warn set ...
CPU: 1 PID: 27 Comm: kworker/u4:2 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Workqueue: wg-kex-wg0 wg_packet_handshake_send_worker
Call Trace:
dump_stack+0xfd/0x16e lib/dump_stack.c:118
panic+0x2f0/0x9c0 kernel/panic.c:308
check_panic_on_warn+0x95/0xe0 kernel/panic.c:228
handle_overflow+0x192/0x1b0 lib/ubsan.c:180
arch_atomic_add_return arch/x86/include/asm/atomic.h:165 [inline]
atomic_add_return include/asm-generic/atomic-instrumented.h:73 [inline]
ip_idents_reserve+0x14a/0x170 net/ipv4/route.c:521
__ip_select_ident+0xe4/0x1c0 net/ipv4/route.c:538
iptunnel_xmit+0x468/0x850 net/ipv4/ip_tunnel_core.c:80
udp_tunnel_xmit_skb+0x1ba/0x290 net/ipv4/udp_tunnel_core.c:190
send4+0x5d4/0xaf0 drivers/net/wireguard/socket.c:85
wg_socket_send_skb_to_peer+0xcd/0x1c0 drivers/net/wireguard/socket.c:175
wg_packet_send_handshake_initiation drivers/net/wireguard/send.c:40 [inline]
wg_packet_handshake_send_worker+0x16b/0x280 drivers/net/wireguard/send.c:51
process_one_work+0x85e/0xff0 kernel/workqueue.c:2282
worker_thread+0xa9b/0x1430 kernel/workqueue.c:2428
kthread+0x386/0x410 kernel/kthread.c:328
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
Kernel Offset: disabled
Rebooting in 86400 seconds..
Warning: Permanently added '10.128.1.176' (ED25519) to the list of known hosts.
2025/10/24 08:30:04 parsed 1 programs
[ 48.013663][ T6013] cgroup: Unknown subsys name 'net'
[ 48.170944][ T6013] cgroup: Unknown subsys name 'rlimit'
[ 49.896812][ T6013] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 50.802412][ T6020] IPVS: ftp: loaded support on port[0] = 21
[ 50.981218][ T6026] IPVS: ftp: loaded support on port[0] = 21
[ 51.070963][ T6031] IPVS: ftp: loaded support on port[0] = 21
[ 51.212304][ T6037] IPVS: ftp: loaded support on port[0] = 21
[ 51.298209][ T6042] IPVS: ftp: loaded support on port[0] = 21
[ 51.396045][ T6047] IPVS: ftp: loaded support on port[0] = 21
[ 51.445463][ T6047] chnl_net:caif_netlink_parms(): no params data found
[ 51.483834][ T6047] bridge0: port 1(bridge_slave_0) entered blocking state
[ 51.491355][ T6047] bridge0: port 1(bridge_slave_0) entered disabled state
[ 51.499426][ T6047] device bridge_slave_0 entered promiscuous mode
[ 51.507218][ T6047] bridge0: port 2(bridge_slave_1) entered blocking state
[ 51.514361][ T6047] bridge0: port 2(bridge_slave_1) entered disabled state
[ 51.521916][ T6047] device bridge_slave_1 entered promiscuous mode
[ 51.540701][ T6047] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 51.551842][ T6047] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 51.567750][ T6047] team0: Port device team_slave_0 added
[ 51.574571][ T6047] team0: Port device team_slave_1 added
[ 51.586442][ T6047] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 51.593515][ T6047] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem.
[ 51.619504][ T6047] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 51.631289][ T6047] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 51.638275][ T6047] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem.
[ 51.664460][ T6047] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 51.688501][ T6047] device hsr_slave_0 entered promiscuous mode
[ 51.695170][ T6047] device hsr_slave_1 entered promiscuous mode
[ 51.745737][ T6047] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 51.754100][ T6047] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 51.762823][ T6047] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 51.771249][ T6047] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 51.786410][ T6047] bridge0: port 2(bridge_slave_1) entered blocking state
[ 51.793485][ T6047] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 51.800980][ T6047] bridge0: port 1(bridge_slave_0) entered blocking state
[ 51.808073][ T6047] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 51.835190][ T6047] 8021q: adding VLAN 0 to HW filter on device bond0
[ 51.846473][ T178] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 51.855767][ T178] bridge0: port 1(bridge_slave_0) entered disabled state
[ 51.863380][ T178] bridge0: port 2(bridge_slave_1) entered disabled state
[ 51.871161][ T178] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 51.886989][ T6047] 8021q: adding VLAN 0 to HW filter on device team0
[ 51.896287][ T27] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 51.904678][ T27] bridge0: port 1(bridge_slave_0) entered blocking state
[ 51.911755][ T27] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 51.928140][ T27] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 51.936459][ T27] bridge0: port 2(bridge_slave_1) entered blocking state
[ 51.943545][ T27] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 51.951785][ T27] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 51.968045][ T27] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 51.976221][ T27] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 51.986689][ T27] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 51.997233][ T27] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 52.007405][ T6047] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 52.064410][ T27] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 52.072318][ T27] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 52.083417][ T6047] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 52.097534][ T27] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 52.116942][ T27] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 52.125424][ T27] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 52.133639][ T27] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 52.144186][ T6047] device veth0_vlan entered promiscuous mode
[ 52.158944][ T6047] device veth1_vlan entered promiscuous mode
[ 52.173076][ T27] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 52.181468][ T27] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 52.189866][ T27] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 52.205170][ T6047] device veth0_macvtap entered promiscuous mode
[ 52.213384][ T6047] device veth1_macvtap entered promiscuous mode
[ 52.226086][ T6047] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 52.233924][ T27] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 52.242748][ T27] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 52.257429][ T6047] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 52.264976][ T178] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 52.275526][ T6047] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 52.284833][ T6047] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 52.293537][ T6047] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 52.302445][ T6047] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 52.318876][ T27] ================================================================================
[ 52.328195][ T27] UBSAN: signed-integer-overflow in ./arch/x86/include/asm/atomic.h:165:11
[ 52.336760][ T27] -1399202697 + -1961381633 cannot be represented in type 'int'
[ 52.344421][ T27] CPU: 1 PID: 27 Comm: kworker/u4:2 Not tainted syzkaller #0
[ 52.351780][ T27] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
[ 52.361832][ T27] Workqueue: wg-kex-wg0 wg_packet_handshake_send_worker
[ 52.368761][ T27] Call Trace:
[ 52.372032][ T27] dump_stack+0xfd/0x16e
[ 52.376247][ T27] ubsan_epilogue+0xa/0x30
[ 52.380663][ T27] handle_overflow+0x192/0x1b0
[ 52.385400][ T27] ? prandom_u32+0x217/0x260
[ 52.390240][ T27] ip_idents_reserve+0x14a/0x170
[ 52.395164][ T27] __ip_select_ident+0xe4/0x1c0
[ 52.400000][ T27] iptunnel_xmit+0x468/0x850
[ 52.404585][ T27] udp_tunnel_xmit_skb+0x1ba/0x290
[ 52.409691][ T27] send4+0x5d4/0xaf0
[ 52.413573][ T27] wg_socket_send_skb_to_peer+0xcd/0x1c0
[ 52.419181][ T27] wg_packet_handshake_send_worker+0x16b/0x280
[ 52.425312][ T27] process_one_work+0x85e/0xff0
[ 52.430173][ T27] worker_thread+0xa9b/0x1430
[ 52.434940][ T27] ? rcu_lock_release+0x20/0x20
[ 52.439765][ T27] kthread+0x386/0x410
[ 52.443809][ T27] ? rcu_lock_release+0x20/0x20
[ 52.448664][ T27] ? kthread_blkcg+0xd0/0xd0
[ 52.453322][ T27] ret_from_fork+0x1f/0x30
[ 52.457765][ T27] ================================================================================
[ 52.467065][ T27] Kernel panic - not syncing: UBSAN: panic_on_warn set ...
[ 52.474261][ T27] CPU: 1 PID: 27 Comm: kworker/u4:2 Not tainted syzkaller #0
[ 52.481603][ T27] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
[ 52.491670][ T27] Workqueue: wg-kex-wg0 wg_packet_handshake_send_worker
[ 52.498580][ T27] Call Trace:
[ 52.501854][ T27] dump_stack+0xfd/0x16e
[ 52.506080][ T27] panic+0x2f0/0x9c0
[ 52.509954][ T27] check_panic_on_warn+0x95/0xe0
[ 52.514870][ T27] handle_overflow+0x192/0x1b0
[ 52.519633][ T27] ? prandom_u32+0x217/0x260
[ 52.524228][ T27] ip_idents_reserve+0x14a/0x170
[ 52.529235][ T27] __ip_select_ident+0xe4/0x1c0
[ 52.534066][ T27] iptunnel_xmit+0x468/0x850
[ 52.538633][ T27] udp_tunnel_xmit_skb+0x1ba/0x290
[ 52.543721][ T27] send4+0x5d4/0xaf0
[ 52.547604][ T27] wg_socket_send_skb_to_peer+0xcd/0x1c0
[ 52.553417][ T27] wg_packet_handshake_send_worker+0x16b/0x280
[ 52.559562][ T27] process_one_work+0x85e/0xff0
[ 52.564387][ T27] worker_thread+0xa9b/0x1430
[ 52.569136][ T27] ? rcu_lock_release+0x20/0x20
[ 52.574052][ T27] kthread+0x386/0x410
[ 52.578096][ T27] ? rcu_lock_release+0x20/0x20
[ 52.582913][ T27] ? kthread_blkcg+0xd0/0xd0
[ 52.587475][ T27] ret_from_fork+0x1f/0x30
[ 52.592191][ T27] Kernel Offset: disabled
[ 52.596510][ T27] Rebooting in 86400 seconds..
syzkaller build log:
go env (err=<nil>)
AR='ar'
CC='gcc'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='1'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
CXX='g++'
GCCGO='gccgo'
GO111MODULE='auto'
GOAMD64='v1'
GOARCH='amd64'
GOAUTH='netrc'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOCACHEPROG=''
GODEBUG=''
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFIPS140='off'
GOFLAGS=''
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build1315598195=/tmp/go-build -gno-record-gcc-switches'
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMOD='/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOMODCACHE='/syzkaller/jobs-2/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs-2/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTELEMETRY='local'
GOTELEMETRYDIR='/syzkaller/.config/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.24.4'
GOWORK=''
PKG_CONFIG='pkg-config'
git status (err=<nil>)
HEAD detached at b6605ba8b96
nothing to commit, working tree clean
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=b6605ba8b96835063c5eb766c38d27fac98b84d4 -X github.com/google/syzkaller/prog.gitRevisionDate=20251013-102005" ./sys/syz-sysgen | grep -q false || go install -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=b6605ba8b96835063c5eb766c38d27fac98b84d4 -X github.com/google/syzkaller/prog.gitRevisionDate=20251013-102005" ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=b6605ba8b96835063c5eb766c38d27fac98b84d4 -X github.com/google/syzkaller/prog.gitRevisionDate=20251013-102005" -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"b6605ba8b96835063c5eb766c38d27fac98b84d4\"
/usr/bin/ld: /tmp/cccF2O1E.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
./tools/check-syzos.sh 2>/dev/null
Tested on:
commit: d3d0b4e2 Linux 5.10.245
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git linux-5.10.y
kernel config: https://syzkaller.appspot.com/x/.config?x=6e4052b2d7feb092
dashboard link: https://syzkaller.appspot.com/bug?extid=77026564530dbc29b854
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=16982d2f980000
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
syzbot
Oct 24, 2025, 6:07:05 AM (yesterday) Oct 24
to dman...@yandex.ru, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+770265...@syzkaller.appspotmail.com
Tested-by: syzbot+770265...@syzkaller.appspotmail.com
Tested on:
commit: 8e6e2188 Linux 6.1.157
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+770265...@syzkaller.appspotmail.com
Tested-by: syzbot+770265...@syzkaller.appspotmail.com
Tested on:
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=17bb6d42580000
kernel config: https://syzkaller.appspot.com/x/.config?x=ef8bef4a2b3407ea
dashboard link: https://syzkaller.appspot.com/bug?extid=77026564530dbc29b854
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=117a8c92580000
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
syzbot
Oct 24, 2025, 6:49:05 AM (yesterday) Oct 24
to dman...@yandex.ru, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+770265...@syzkaller.appspotmail.com
Tested-by: syzbot+770265...@syzkaller.appspotmail.com
Tested on:
commit: 4fc43deb Linux 6.12.55
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+770265...@syzkaller.appspotmail.com
Tested-by: syzbot+770265...@syzkaller.appspotmail.com
Tested on:
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git linux-6.12.y
console output: https://syzkaller.appspot.com/x/log.txt?x=16c99be2580000
kernel config: https://syzkaller.appspot.com/x/.config?x=d75e2b3488f52930
dashboard link: https://syzkaller.appspot.com/bug?extid=77026564530dbc29b854
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=10fc7734580000
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
Reply all
Reply to author
Forward
0 new messages