syzbot

ID	Workflow	Result	Correct	Bug	Created	Started	Finished	Revision	Error
1f13009a-cea8-45f1-b127-df61d34bba49	repro		❓	KMSAN: uninit-value in ntfs_read_hdr (4)	2026/03/08 05:17	2026/03/08 05:17	2026/03/08 05:26	31e9c887f7dc24e04b3ca70d0d54fc34141844b0

repro

❓

KMSAN: uninit-value in ntfs_read_hdr (4)

2026/03/08 05:17

2026/03/08 05:26

31e9c887f7dc24e04b3ca70d0d54fc34141844b0

{ "pkgs": [], "progs": [ "syz_mount_image(&(0x7f0000000000)='ntfs3\\x00', &(0x7f0000000100)='./mnt\\x00', 0x0, 0x0, 0x1, 0x0, 0x0)\nr0 = openat(AT_FDCWD, &(0x7f0000000200)='.\\x00', 0x0, 0x0)\ncreat(&(0x7f0000000300)='file1\\x00', 0x0)\nrename(&(0x7f0000000300)='file1\\x00', &(0x7f0000000400)='file2\\x00')\ngetdents64(r0, &(0x7f0000000500), 0x1000)\n" ] }

syz_mount_image(&(0x7f0000000000)='ntfs3\x00', &(0x7f0000000100)='./mnt\x00', 0x0, 0x0, 0x1, 0x0, 0x0) r0 = openat(AT_FDCWD, &(0x7f0000000200)='.\x00', 0x0, 0x0) creat(&(0x7f0000000300)='file1\x00', 0x0) rename(&(0x7f0000000300)='file1\x00', &(0x7f0000000400)='file2\x00') getdents64(r0, &(0x7f0000000500), 0x1000)

===================================================== BUG: KMSAN: uninit-value in ntfs_dir_emit fs/ntfs3/dir.c:335 [inline] BUG: KMSAN: uninit-value in ntfs_read_hdr+0xfd2/0x1440 fs/ntfs3/dir.c:384 ntfs_dir_emit fs/ntfs3/dir.c:335 [inline] ntfs_read_hdr+0xfd2/0x1440 fs/ntfs3/dir.c:384 ntfs_readdir+0xf21/0x1a30 fs/ntfs3/dir.c:495 iterate_dir+0x459/0x630 fs/readdir.c:108 __do_sys_getdents64 fs/readdir.c:412 [inline] __se_sys_getdents64+0x17e/0x550 fs/readdir.c:397 __x64_sys_getdents64+0x97/0xe0 fs/readdir.c:397 x64_sys_call+0x3cef/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:218 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f <Zero or more stacks not recorded to save memory> Uninit was stored to memory at: ntfs_write_bh+0x6ae/0xe90 fs/ntfs3/fsntfs.c:1437 indx_write fs/ntfs3/index.c:1027 [inline] indx_insert_into_buffer+0x287/0x2010 fs/ntfs3/index.c:1819 indx_insert_entry+0xcde/0x1050 fs/ntfs3/index.c:1997 ntfs_create_inode+0x3ee3/0x57b0 fs/ntfs3/inode.c:1656 ntfs_create+0x56/0x70 fs/ntfs3/namei.c:110 lookup_open fs/namei.c:4449 [inline] open_last_lookups fs/namei.c:4549 [inline] path_openat+0x37dd/0x7160 fs/namei.c:4793 do_filp_open+0x27f/0x660 fs/namei.c:4823 do_sys_openat2+0x1c6/0x430 fs/open.c:1430 do_sys_open fs/open.c:1436 [inline] __do_sys_creat fs/open.c:1514 [inline] __se_sys_creat fs/open.c:1508 [inline] __x64_sys_creat+0xe1/0x150 fs/open.c:1508 x64_sys_call+0x3cdb/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:86 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was stored to memory at: hdr_insert_de+0x471/0x560 fs/ntfs3/index.c:835 indx_insert_into_buffer+0x1b6/0x2010 fs/ntfs3/index.c:1815 indx_insert_entry+0xcde/0x1050 fs/ntfs3/index.c:1997 ntfs_create_inode+0x3ee3/0x57b0 fs/ntfs3/inode.c:1656 ntfs_create+0x56/0x70 fs/ntfs3/namei.c:110 lookup_open fs/namei.c:4449 [inline] open_last_lookups fs/namei.c:4549 [inline] path_openat+0x37dd/0x7160 fs/namei.c:4793 do_filp_open+0x27f/0x660 fs/namei.c:4823 do_sys_openat2+0x1c6/0x430 fs/open.c:1430 do_sys_open fs/open.c:1436 [inline] __do_sys_creat fs/open.c:1514 [inline] __se_sys_creat fs/open.c:1508 [inline] __x64_sys_creat+0xe1/0x150 fs/open.c:1508 x64_sys_call+0x3cdb/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:86 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was stored to memory at: ntfs_read_run_nb+0x7cf/0x1810 fs/ntfs3/fsntfs.c:1232 ntfs_read_bh+0x6a/0xc10 fs/ntfs3/fsntfs.c:1293 indx_read+0x447/0x1820 fs/ntfs3/index.c:1067 indx_find+0xa80/0x1500 fs/ntfs3/index.c:1179 indx_insert_entry+0xd74/0x1050 fs/ntfs3/index.c:1974 ntfs_create_inode+0x3ee3/0x57b0 fs/ntfs3/inode.c:1656 ntfs_create+0x56/0x70 fs/ntfs3/namei.c:110 lookup_open fs/namei.c:4449 [inline] open_last_lookups fs/namei.c:4549 [inline] path_openat+0x37dd/0x7160 fs/namei.c:4793 do_filp_open+0x27f/0x660 fs/namei.c:4823 do_sys_openat2+0x1c6/0x430 fs/open.c:1430 do_sys_open fs/open.c:1436 [inline] __do_sys_creat fs/open.c:1514 [inline] __se_sys_creat fs/open.c:1508 [inline] __x64_sys_creat+0xe1/0x150 fs/open.c:1508 x64_sys_call+0x3cdb/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:86 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was stored to memory at: ntfs_write_bh+0x6ae/0xe90 fs/ntfs3/fsntfs.c:1437 indx_write fs/ntfs3/index.c:1027 [inline] indx_delete_entry+0x27c5/0x88c0 fs/ntfs3/index.c:2347 ni_remove_name+0x33d/0xdb0 fs/ntfs3/frecord.c:2805 ni_rename+0x170/0x220 fs/ntfs3/frecord.c:2965 ntfs_rename+0xdd2/0x1290 fs/ntfs3/namei.c:332 vfs_rename+0x249d/0x29a0 fs/namei.c:5938 do_renameat2+0xb7f/0x15a0 fs/namei.c:6056 __do_sys_rename fs/namei.c:6099 [inline] __se_sys_rename fs/namei.c:6097 [inline] __x64_sys_rename+0xd7/0x140 fs/namei.c:6097 x64_sys_call+0x2c5/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:83 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was stored to memory at: ntfs_read_run_nb+0x7cf/0x1810 fs/ntfs3/fsntfs.c:1232 ntfs_read_bh+0x6a/0xc10 fs/ntfs3/fsntfs.c:1293 indx_read+0x447/0x1820 fs/ntfs3/index.c:1067 indx_find+0xa80/0x1500 fs/ntfs3/index.c:1179 indx_delete_entry+0x117f/0x88c0 fs/ntfs3/index.c:2311 ni_remove_name+0x33d/0xdb0 fs/ntfs3/frecord.c:2805 ni_rename+0x170/0x220 fs/ntfs3/frecord.c:2965 ntfs_rename+0xdd2/0x1290 fs/ntfs3/namei.c:332 vfs_rename+0x249d/0x29a0 fs/namei.c:5938 do_renameat2+0xb7f/0x15a0 fs/namei.c:6056 __do_sys_rename fs/namei.c:6099 [inline] __se_sys_rename fs/namei.c:6097 [inline] __x64_sys_rename+0xd7/0x140 fs/namei.c:6097 x64_sys_call+0x2c5/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:83 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was stored to memory at: ntfs_write_bh+0x6ae/0xe90 fs/ntfs3/fsntfs.c:1437 indx_write fs/ntfs3/index.c:1027 [inline] indx_insert_into_buffer+0x287/0x2010 fs/ntfs3/index.c:1819 indx_insert_entry+0xcde/0x1050 fs/ntfs3/index.c:1997 ni_add_name+0xef7/0x11e0 fs/ntfs3/frecord.c:2931 ni_rename+0x97/0x220 fs/ntfs3/frecord.c:2962 ntfs_rename+0xdd2/0x1290 fs/ntfs3/namei.c:332 vfs_rename+0x249d/0x29a0 fs/namei.c:5938 do_renameat2+0xb7f/0x15a0 fs/namei.c:6056 __do_sys_rename fs/namei.c:6099 [inline] __se_sys_rename fs/namei.c:6097 [inline] __x64_sys_rename+0xd7/0x140 fs/namei.c:6097 x64_sys_call+0x2c5/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:83 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was stored to memory at: hdr_insert_de+0x4cc/0x560 fs/ntfs3/index.c:838 indx_insert_into_buffer+0x1b6/0x2010 fs/ntfs3/index.c:1815 indx_insert_entry+0xcde/0x1050 fs/ntfs3/index.c:1997 ni_add_name+0xef7/0x11e0 fs/ntfs3/frecord.c:2931 ni_rename+0x97/0x220 fs/ntfs3/frecord.c:2962 ntfs_rename+0xdd2/0x1290 fs/ntfs3/namei.c:332 vfs_rename+0x249d/0x29a0 fs/namei.c:5938 do_renameat2+0xb7f/0x15a0 fs/namei.c:6056 __do_sys_rename fs/namei.c:6099 [inline] __se_sys_rename fs/namei.c:6097 [inline] __x64_sys_rename+0xd7/0x140 fs/namei.c:6097 x64_sys_call+0x2c5/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:83 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: slab_post_alloc_hook mm/slub.c:4960 [inline] slab_alloc_node mm/slub.c:5263 [inline] kmem_cache_alloc_noprof+0x967/0x1730 mm/slub.c:5270 ntfs_rename+0x874/0x1290 fs/ntfs3/namei.c:307 vfs_rename+0x249d/0x29a0 fs/namei.c:5938 do_renameat2+0xb7f/0x15a0 fs/namei.c:6056 __do_sys_rename fs/namei.c:6099 [inline] __se_sys_rename fs/namei.c:6097 [inline] __x64_sys_rename+0xd7/0x140 fs/namei.c:6097 x64_sys_call+0x2c5/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:83 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f CPU: 1 UID: 0 PID: 5785 Comm: syz-executor Tainted: G L syzkaller #0 PREEMPT(voluntary) Tainted: [L]=SOFTLOCKUP Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026 =====================================================

Trajectory:
Seq	Timestamp	Type	Name	Duration
0/0	2026/03/08 05:17	flow	repro	9m Results: map[ReproOpts:{ "pkgs": [], "progs": [ "syz_mount_image(&(0x7f0000000000)='ntfs3\\x00', &(0x7f0000000100)='./mnt\\x00', 0x0, 0x0, 0x1, 0x0, 0x0)\nr0 = openat(AT_FDCWD, &(0x7f0000000200)='.\\x00', 0x0, 0x0)\ncreat(&(0x7f0000000300)='file1\\x00', 0x0)\nrename(&(0x7f0000000300)='file1\\x00', &(0x7f0000000400)='file2\\x00')\ngetdents64(r0, &(0x7f0000000500), 0x1000)\n" ] } ReproSyz:syz_mount_image(&(0x7f0000000000)='ntfs3\x00', &(0x7f0000000100)='./mnt\x00', 0x0, 0x0, 0x1, 0x0, 0x0) r0 = openat(AT_FDCWD, &(0x7f0000000200)='.\x00', 0x0, 0x0) creat(&(0x7f0000000300)='file1\x00', 0x0) rename(&(0x7f0000000300)='file1\x00', &(0x7f0000000400)='file2\x00') getdents64(r0, &(0x7f0000000500), 0x1000) SyzkallerCommit:31e9c887f7dc24e04b3ca70d0d54fc34141844b0]
1/1	2026/03/08 05:17	action	provide-var	0m Results: map[DescriptionFiles:[acpi_thermal_rel.txt aio.txt auto.txt binfmt.txt bpf.txt bpf_prog.txt bpf_trace.txt cgroup.txt damon.txt dev_ashmem.txt dev_bifrost.txt dev_binder.txt dev_binderfs.txt dev_block.txt dev_bsg.txt dev_bus_usb.txt dev_camx.txt dev_cdrom.txt dev_cec.txt dev_char_usb.txt dev_comedi.txt dev_dma_heap.txt dev_dri.txt dev_dsp.txt dev_dvb_demux.txt dev_dvb_dvr.txt dev_dvb_frontend.txt dev_fb.txt dev_floppy.txt dev_hidraw.txt dev_i2c.txt dev_i915.txt dev_img_rogue.txt dev_infiniband_rdma.txt dev_infiniband_rdma_cm.txt dev_input.txt dev_iommu.txt dev_kvm.txt dev_kvm_amd64.txt dev_kvm_arm64.txt dev_kvm_extra.txt dev_kvm_riscv64.txt dev_loop.txt dev_mali.txt dev_media.txt dev_msm.txt dev_msr.txt dev_nbd.txt dev_net_tun.txt dev_panthor.txt dev_ppp.txt dev_ptmx.txt dev_ptp.txt dev_qat_adf_ctl.txt dev_qrtr_tun.txt dev_random.txt dev_rfkill.txt dev_rtc.txt dev_sequencer.txt dev_sg.txt dev_snapshot.txt dev_snd_control.txt dev_snd_hw.txt dev_snd_midi.txt dev_snd_pcm.txt dev_snd_seq.txt dev_snd_timer.txt dev_sr.txt dev_sw_sync.txt dev_tlk_device.txt dev_trusty.txt dev_udmabuf.txt dev_uhid.txt dev_uinput.txt dev_usb_hiddev.txt dev_usbmon.txt dev_userio.txt dev_vfio.txt dev_vga_arbiter.txt dev_vhci.txt dev_video4linux.txt dev_video4linux_vim2m.txt dev_virtual_nci.txt dev_vtpm.txt fanotify.txt filesystem.txt fs_9p.txt fs_fuse.txt fs_incfs.txt fs_ioctl.txt fs_ioctl_autofs.txt fs_ioctl_btrfs.txt fs_ioctl_ext4.txt fs_ioctl_f2fs.txt fs_ioctl_fat.txt fs_ioctl_fscrypt.txt fs_ioctl_fsverity.txt fs_ioctl_xfs.txt futex.txt hafnium.txt inotify.txt io_uring.txt ipc.txt key.txt kfuzztest.txt l2cap.txt landlock.txt lsm.txt namespaces.txt net_80211.txt netfilter.txt netfilter_arp.txt netfilter_bridge.txt netfilter_ipv4.txt netfilter_ipv6.txt netfilter_ipvs.txt netfilter_targets.txt pagemap_ioctl.txt perf.txt prctl.txt quotactl.txt seccomp.txt security_apparmor.txt security_selinux.txt security_smack.txt socket.txt socket_alg.txt socket_ax25.txt socket_bluetooth.txt socket_caif.txt socket_can.txt socket_ieee802154.txt socket_inet.txt socket_inet6.txt socket_inet_dccp.txt socket_inet_icmp.txt socket_inet_igmp.txt socket_inet_l2tp.txt socket_inet_sctp.txt socket_inet_tcp.txt socket_inet_udp.txt socket_ip_tunnel.txt socket_isdn.txt socket_kcm.txt socket_key.txt socket_llc.txt socket_netlink.txt socket_netlink_audit.txt socket_netlink_crypto.txt socket_netlink_generic.txt socket_netlink_generic_80211.txt socket_netlink_generic_batadv.txt socket_netlink_generic_devlink.txt socket_netlink_generic_ethtool.txt socket_netlink_generic_fou.txt socket_netlink_generic_gtp.txt socket_netlink_generic_mptcp.txt socket_netlink_generic_net_dm.txt socket_netlink_generic_netlabel.txt socket_netlink_generic_nfc.txt socket_netlink_generic_seg6.txt socket_netlink_generic_smc.txt socket_netlink_generic_team.txt socket_netlink_generic_wireguard.txt socket_netlink_netfilter.txt socket_netlink_netfilter_acct.txt socket_netlink_netfilter_conntrack.txt socket_netlink_netfilter_conntrack_exp.txt socket_netlink_netfilter_conntrack_helper.txt socket_netlink_netfilter_ipset.txt socket_netlink_netfilter_log.txt socket_netlink_netfilter_nft_compat.txt socket_netlink_netfilter_nftables.txt socket_netlink_netfilter_osf.txt socket_netlink_netfilter_queue.txt socket_netlink_netfilter_timeout.txt socket_netlink_rdma.txt socket_netlink_route.txt socket_netlink_route_sched.txt socket_netlink_route_sched_retired.txt socket_netlink_sock_diag.txt socket_netlink_xfrm.txt socket_netrom.txt socket_nfc.txt socket_nvme_of_tcp.txt socket_packet.txt socket_phonet.txt socket_pppox.txt socket_qipcrtr.txt socket_rds.txt socket_rose.txt socket_rxrpc.txt socket_tipc.txt socket_tipc_netlink.txt socket_unix.txt socket_vnet.txt socket_x25.txt socket_xdp.txt sys.txt uffd.txt usbip.txt vmw_vmci.txt vnet.txt vnet_mptcp.txt vusb.txt watch_queue.txt xattr.txt] SyzkallerCommit:31e9c887f7dc24e04b3ca70d0d54fc34141844b0]
2/1	2026/03/08 05:17	action	kernel-checkouter	0m Results: map[KernelSrc:/usr/local/google/home/dvyukov/syzkaller/agent/workdir/cache/src/656999a5500966ef94900a70fd38eebe6ff83d6f]
3/1	2026/03/08 05:17	action	kernel-builder	6m Results: map[KernelObj:/usr/local/google/home/dvyukov/syzkaller/agent/workdir/cache/build/79e503db25c1d9874db1f3145ae2b67836b95bf8]
4/1	2026/03/08 05:24	agent	crash-repro-finder	1m Model: gemini-3-pro-preview Results: map[ReproOpts:{ "pkgs": [], "progs": [ "syz_mount_image(&(0x7f0000000000)='ntfs3\\x00', &(0x7f0000000100)='./mnt\\x00', 0x0, 0x0, 0x1, 0x0, 0x0)\nr0 = openat(AT_FDCWD, &(0x7f0000000200)='.\\x00', 0x0, 0x0)\ncreat(&(0x7f0000000300)='file1\\x00', 0x0)\nrename(&(0x7f0000000300)='file1\\x00', &(0x7f0000000400)='file2\\x00')\ngetdents64(r0, &(0x7f0000000500), 0x1000)\n" ] }] Instruction: You are an expert in linux kernel fuzzing. Your goal is to write a syzkaller program to trigger a specific bug. Print only the syz program that could be executed directly, without backticks. Use set-results tool to provide results of the analysis. It must be called exactly once before the final reply. Ignore results of this tool. Prompt: Bug Title: KMSAN: uninit-value in ntfs_read_hdr Original Crash Report: ===================================================== BUG: KMSAN: uninit-value in ntfs_dir_emit fs/ntfs3/dir.c:335 [inline] BUG: KMSAN: uninit-value in ntfs_read_hdr+0xfd2/0x1440 fs/ntfs3/dir.c:384 ntfs_dir_emit fs/ntfs3/dir.c:335 [inline] ntfs_read_hdr+0xfd2/0x1440 fs/ntfs3/dir.c:384 ntfs_readdir+0xf21/0x1a30 fs/ntfs3/dir.c:495 iterate_dir+0x459/0x630 fs/readdir.c:108 __do_sys_getdents64 fs/readdir.c:412 [inline] __se_sys_getdents64+0x17e/0x550 fs/readdir.c:397 __x64_sys_getdents64+0x97/0xe0 fs/readdir.c:397 x64_sys_call+0x3cef/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:218 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f <Zero or more stacks not recorded to save memory> Uninit was stored to memory at: ntfs_write_bh+0x6ae/0xe90 fs/ntfs3/fsntfs.c:1437 indx_write fs/ntfs3/index.c:1027 [inline] indx_insert_into_buffer+0x287/0x2010 fs/ntfs3/index.c:1819 indx_insert_entry+0xcde/0x1050 fs/ntfs3/index.c:1997 ntfs_create_inode+0x3ee3/0x57b0 fs/ntfs3/inode.c:1656 ntfs_create+0x56/0x70 fs/ntfs3/namei.c:110 lookup_open fs/namei.c:4449 [inline] open_last_lookups fs/namei.c:4549 [inline] path_openat+0x37dd/0x7160 fs/namei.c:4793 do_filp_open+0x27f/0x660 fs/namei.c:4823 do_sys_openat2+0x1c6/0x430 fs/open.c:1430 do_sys_open fs/open.c:1436 [inline] __do_sys_creat fs/open.c:1514 [inline] __se_sys_creat fs/open.c:1508 [inline] __x64_sys_creat+0xe1/0x150 fs/open.c:1508 x64_sys_call+0x3cdb/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:86 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was stored to memory at: hdr_insert_de+0x471/0x560 fs/ntfs3/index.c:835 indx_insert_into_buffer+0x1b6/0x2010 fs/ntfs3/index.c:1815 indx_insert_entry+0xcde/0x1050 fs/ntfs3/index.c:1997 ntfs_create_inode+0x3ee3/0x57b0 fs/ntfs3/inode.c:1656 ntfs_create+0x56/0x70 fs/ntfs3/namei.c:110 lookup_open fs/namei.c:4449 [inline] open_last_lookups fs/namei.c:4549 [inline] path_openat+0x37dd/0x7160 fs/namei.c:4793 do_filp_open+0x27f/0x660 fs/namei.c:4823 do_sys_openat2+0x1c6/0x430 fs/open.c:1430 do_sys_open fs/open.c:1436 [inline] __do_sys_creat fs/open.c:1514 [inline] __se_sys_creat fs/open.c:1508 [inline] __x64_sys_creat+0xe1/0x150 fs/open.c:1508 x64_sys_call+0x3cdb/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:86 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was stored to memory at: ntfs_read_run_nb+0x7cf/0x1810 fs/ntfs3/fsntfs.c:1232 ntfs_read_bh+0x6a/0xc10 fs/ntfs3/fsntfs.c:1293 indx_read+0x447/0x1820 fs/ntfs3/index.c:1067 indx_find+0xa80/0x1500 fs/ntfs3/index.c:1179 indx_insert_entry+0xd74/0x1050 fs/ntfs3/index.c:1974 ntfs_create_inode+0x3ee3/0x57b0 fs/ntfs3/inode.c:1656 ntfs_create+0x56/0x70 fs/ntfs3/namei.c:110 lookup_open fs/namei.c:4449 [inline] open_last_lookups fs/namei.c:4549 [inline] path_openat+0x37dd/0x7160 fs/namei.c:4793 do_filp_open+0x27f/0x660 fs/namei.c:4823 do_sys_openat2+0x1c6/0x430 fs/open.c:1430 do_sys_open fs/open.c:1436 [inline] __do_sys_creat fs/open.c:1514 [inline] __se_sys_creat fs/open.c:1508 [inline] __x64_sys_creat+0xe1/0x150 fs/open.c:1508 x64_sys_call+0x3cdb/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:86 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was stored to memory at: ntfs_write_bh+0x6ae/0xe90 fs/ntfs3/fsntfs.c:1437 indx_write fs/ntfs3/index.c:1027 [inline] indx_delete_entry+0x27c5/0x88c0 fs/ntfs3/index.c:2347 ni_remove_name+0x33d/0xdb0 fs/ntfs3/frecord.c:2805 ni_rename+0x170/0x220 fs/ntfs3/frecord.c:2965 ntfs_rename+0xdd2/0x1290 fs/ntfs3/namei.c:332 vfs_rename+0x249d/0x29a0 fs/namei.c:5938 do_renameat2+0xb7f/0x15a0 fs/namei.c:6056 __do_sys_rename fs/namei.c:6099 [inline] __se_sys_rename fs/namei.c:6097 [inline] __x64_sys_rename+0xd7/0x140 fs/namei.c:6097 x64_sys_call+0x2c5/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:83 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was stored to memory at: ntfs_read_run_nb+0x7cf/0x1810 fs/ntfs3/fsntfs.c:1232 ntfs_read_bh+0x6a/0xc10 fs/ntfs3/fsntfs.c:1293 indx_read+0x447/0x1820 fs/ntfs3/index.c:1067 indx_find+0xa80/0x1500 fs/ntfs3/index.c:1179 indx_delete_entry+0x117f/0x88c0 fs/ntfs3/index.c:2311 ni_remove_name+0x33d/0xdb0 fs/ntfs3/frecord.c:2805 ni_rename+0x170/0x220 fs/ntfs3/frecord.c:2965 ntfs_rename+0xdd2/0x1290 fs/ntfs3/namei.c:332 vfs_rename+0x249d/0x29a0 fs/namei.c:5938 do_renameat2+0xb7f/0x15a0 fs/namei.c:6056 __do_sys_rename fs/namei.c:6099 [inline] __se_sys_rename fs/namei.c:6097 [inline] __x64_sys_rename+0xd7/0x140 fs/namei.c:6097 x64_sys_call+0x2c5/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:83 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was stored to memory at: ntfs_write_bh+0x6ae/0xe90 fs/ntfs3/fsntfs.c:1437 indx_write fs/ntfs3/index.c:1027 [inline] indx_insert_into_buffer+0x287/0x2010 fs/ntfs3/index.c:1819 indx_insert_entry+0xcde/0x1050 fs/ntfs3/index.c:1997 ni_add_name+0xef7/0x11e0 fs/ntfs3/frecord.c:2931 ni_rename+0x97/0x220 fs/ntfs3/frecord.c:2962 ntfs_rename+0xdd2/0x1290 fs/ntfs3/namei.c:332 vfs_rename+0x249d/0x29a0 fs/namei.c:5938 do_renameat2+0xb7f/0x15a0 fs/namei.c:6056 __do_sys_rename fs/namei.c:6099 [inline] __se_sys_rename fs/namei.c:6097 [inline] __x64_sys_rename+0xd7/0x140 fs/namei.c:6097 x64_sys_call+0x2c5/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:83 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was stored to memory at: hdr_insert_de+0x4cc/0x560 fs/ntfs3/index.c:838 indx_insert_into_buffer+0x1b6/0x2010 fs/ntfs3/index.c:1815 indx_insert_entry+0xcde/0x1050 fs/ntfs3/index.c:1997 ni_add_name+0xef7/0x11e0 fs/ntfs3/frecord.c:2931 ni_rename+0x97/0x220 fs/ntfs3/frecord.c:2962 ntfs_rename+0xdd2/0x1290 fs/ntfs3/namei.c:332 vfs_rename+0x249d/0x29a0 fs/namei.c:5938 do_renameat2+0xb7f/0x15a0 fs/namei.c:6056 __do_sys_rename fs/namei.c:6099 [inline] __se_sys_rename fs/namei.c:6097 [inline] __x64_sys_rename+0xd7/0x140 fs/namei.c:6097 x64_sys_call+0x2c5/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:83 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: slab_post_alloc_hook mm/slub.c:4960 [inline] slab_alloc_node mm/slub.c:5263 [inline] kmem_cache_alloc_noprof+0x967/0x1730 mm/slub.c:5270 ntfs_rename+0x874/0x1290 fs/ntfs3/namei.c:307 vfs_rename+0x249d/0x29a0 fs/namei.c:5938 do_renameat2+0xb7f/0x15a0 fs/namei.c:6056 __do_sys_rename fs/namei.c:6099 [inline] __se_sys_rename fs/namei.c:6097 [inline] __x64_sys_rename+0xd7/0x140 fs/namei.c:6097 x64_sys_call+0x2c5/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:83 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f CPU: 1 UID: 0 PID: 5785 Comm: syz-executor Tainted: G L syzkaller #0 PREEMPT(voluntary) Tainted: [L]=SOFTLOCKUP Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026 ===================================================== The list of existing description files: acpi_thermal_rel.txt aio.txt auto.txt binfmt.txt bpf.txt bpf_prog.txt bpf_trace.txt cgroup.txt damon.txt dev_ashmem.txt dev_bifrost.txt dev_binder.txt dev_binderfs.txt dev_block.txt dev_bsg.txt dev_bus_usb.txt dev_camx.txt dev_cdrom.txt dev_cec.txt dev_char_usb.txt dev_comedi.txt dev_dma_heap.txt dev_dri.txt dev_dsp.txt dev_dvb_demux.txt dev_dvb_dvr.txt dev_dvb_frontend.txt dev_fb.txt dev_floppy.txt dev_hidraw.txt dev_i2c.txt dev_i915.txt dev_img_rogue.txt dev_infiniband_rdma.txt dev_infiniband_rdma_cm.txt dev_input.txt dev_iommu.txt dev_kvm.txt dev_kvm_amd64.txt dev_kvm_arm64.txt dev_kvm_extra.txt dev_kvm_riscv64.txt dev_loop.txt dev_mali.txt dev_media.txt dev_msm.txt dev_msr.txt dev_nbd.txt dev_net_tun.txt dev_panthor.txt dev_ppp.txt dev_ptmx.txt dev_ptp.txt dev_qat_adf_ctl.txt dev_qrtr_tun.txt dev_random.txt dev_rfkill.txt dev_rtc.txt dev_sequencer.txt dev_sg.txt dev_snapshot.txt dev_snd_control.txt dev_snd_hw.txt dev_snd_midi.txt dev_snd_pcm.txt dev_snd_seq.txt dev_snd_timer.txt dev_sr.txt dev_sw_sync.txt dev_tlk_device.txt dev_trusty.txt dev_udmabuf.txt dev_uhid.txt dev_uinput.txt dev_usb_hiddev.txt dev_usbmon.txt dev_userio.txt dev_vfio.txt dev_vga_arbiter.txt dev_vhci.txt dev_video4linux.txt dev_video4linux_vim2m.txt dev_virtual_nci.txt dev_vtpm.txt fanotify.txt filesystem.txt fs_9p.txt fs_fuse.txt fs_incfs.txt fs_ioctl.txt fs_ioctl_autofs.txt fs_ioctl_btrfs.txt fs_ioctl_ext4.txt fs_ioctl_f2fs.txt fs_ioctl_fat.txt fs_ioctl_fscrypt.txt fs_ioctl_fsverity.txt fs_ioctl_xfs.txt futex.txt hafnium.txt inotify.txt io_uring.txt ipc.txt key.txt kfuzztest.txt l2cap.txt landlock.txt lsm.txt namespaces.txt net_80211.txt netfilter.txt netfilter_arp.txt netfilter_bridge.txt netfilter_ipv4.txt netfilter_ipv6.txt netfilter_ipvs.txt netfilter_targets.txt pagemap_ioctl.txt perf.txt prctl.txt quotactl.txt seccomp.txt security_apparmor.txt security_selinux.txt security_smack.txt socket.txt socket_alg.txt socket_ax25.txt socket_bluetooth.txt socket_caif.txt socket_can.txt socket_ieee802154.txt socket_inet.txt socket_inet6.txt socket_inet_dccp.txt socket_inet_icmp.txt socket_inet_igmp.txt socket_inet_l2tp.txt socket_inet_sctp.txt socket_inet_tcp.txt socket_inet_udp.txt socket_ip_tunnel.txt socket_isdn.txt socket_kcm.txt socket_key.txt socket_llc.txt socket_netlink.txt socket_netlink_audit.txt socket_netlink_crypto.txt socket_netlink_generic.txt socket_netlink_generic_80211.txt socket_netlink_generic_batadv.txt socket_netlink_generic_devlink.txt socket_netlink_generic_ethtool.txt socket_netlink_generic_fou.txt socket_netlink_generic_gtp.txt socket_netlink_generic_mptcp.txt socket_netlink_generic_net_dm.txt socket_netlink_generic_netlabel.txt socket_netlink_generic_nfc.txt socket_netlink_generic_seg6.txt socket_netlink_generic_smc.txt socket_netlink_generic_team.txt socket_netlink_generic_wireguard.txt socket_netlink_netfilter.txt socket_netlink_netfilter_acct.txt socket_netlink_netfilter_conntrack.txt socket_netlink_netfilter_conntrack_exp.txt socket_netlink_netfilter_conntrack_helper.txt socket_netlink_netfilter_ipset.txt socket_netlink_netfilter_log.txt socket_netlink_netfilter_nft_compat.txt socket_netlink_netfilter_nftables.txt socket_netlink_netfilter_osf.txt socket_netlink_netfilter_queue.txt socket_netlink_netfilter_timeout.txt socket_netlink_rdma.txt socket_netlink_route.txt socket_netlink_route_sched.txt socket_netlink_route_sched_retired.txt socket_netlink_sock_diag.txt socket_netlink_xfrm.txt socket_netrom.txt socket_nfc.txt socket_nvme_of_tcp.txt socket_packet.txt socket_phonet.txt socket_pppox.txt socket_qipcrtr.txt socket_rds.txt socket_rose.txt socket_rxrpc.txt socket_tipc.txt socket_tipc_netlink.txt socket_unix.txt socket_vnet.txt socket_x25.txt socket_xdp.txt sys.txt uffd.txt usbip.txt vmw_vmci.txt vnet.txt vnet_mptcp.txt vusb.txt watch_queue.txt xattr.txt Reply: syz_mount_image(&(0x7f0000000000)='ntfs3\x00', &(0x7f0000000100)='./mnt\x00', 0x0, 0x0, 0x1, 0x0, 0x0) r0 = openat(AT_FDCWD, &(0x7f0000000200)='.\x00', 0x0, 0x0) creat(&(0x7f0000000300)='file1\x00', 0x0) rename(&(0x7f0000000300)='file1\x00', &(0x7f0000000400)='file2\x00') getdents64(r0, &(0x7f0000000500), 0x1000)
5/2	2026/03/08 05:24	llm	crash-repro-finder	1m Model: gemini-3-pro-preview Tokens: input: 6318 output: 278 thoughts: 9408 Thoughts: KMSAN Bug Reproduction in ntfs3 Filesystem Okay, so the goal here is to trigger that KMSAN bug, likely an uninitialized memory read, within the `ntfs_read_hdr` function in the `ntfs3` file system driver. The bug report points to `ntfs_dir_emit` calling `ntfs_read_hdr` after a crash during directory iteration via `iterate_dir` -> `ntfs_readdir`. The uninitialized data is probably originating from write/read functions during directory entry modifications, like `ntfs_write_bh`, `ntfs_read_run_nb`, or `hdr_insert_de`. The stack traces mention operations like `ntfs_create`, `ntfs_rename`, and `ntfs_readdir`, all hinting at index modifications. The core of this seems related to reading directory entries, index entries, in NTFS. We are dealing with uninitialized memory potentially in a buffer head or page. This data got written to and accessed but wasn't properly initialized first. The goal is to trigger this sequence, i.e., write dirty memory and read it back. To reproduce this, I'm going to follow this plan: 1. Mount an NTFS3 file system. 2. Modify the directory structure using create and rename operations to populate the index. 3. Call `getdents64` on the directory to invoke `ntfs_readdir` and ultimately `ntfs_read_hdr`. I looked for the proper way to mount a file system using `filesystem.txt` or similar syzkaller documentation. Assuming the `syz_mount_image` function is available, which it should be, this would simplify the repro. The bug is in `fs/ntfs3`, so the kernel must have it enabled and supported by syzkaller. I'm thinking to construct a reproduction like this: 1. Create a loop device with an NTFS image. 2. Mount it using `ntfs3`. 3. Open the mount point. 4. Create some files within. 5. Rename some files. 6. Call `getdents64` on the directory. Since `syzkaller` operates by fuzzing syscalls, I rely on `syz_mount_image` to set up the filesystem. So I don't have to create a valid image manually. The fuzzer can have mutated an image. The uninitialized values seem to originate in writes: `ntfs_write_bh`, `ntfs_read_run_nb`, or during inserting entries into the index. The goal here is to get some directory index modifications and then to read those values. From the crash report, sources of uninit values could be: * `ntfs_write_bh` -> `indx_write` -> `indx_insert_into_buffer` -> `indx_insert_entry` -> `ntfs_create_inode` -> `ntfs_create`. * `ntfs_read_run_nb` -> `ntfs_read_bh` -> `indx_read` -> `indx_find` -> `indx_insert_entry`. It seems like inserting index entries in the directory is causing the problem. So the sequence `creat` -> `getdents64`, or `creat` -> `rename` -> `getdents64`, would likely work. The stack traces point out that `ntfs_rename` calls functions that modify the index. Let's build a syzkaller program. It looks like `syz_mount_image` is the standard approach to mounting a file system, and this is followed by operations like: create, rename and read directory. ```syz syz_mount_image(&(0x7f0000000000)='ntfs3\x00', &(0x7f0000000100)='./mnt\x00', 0x0, 0x0, 0x1, 0x0, 0x0) r0 = openat(AT_FDCWD, &(0x7f0000000200)='.\x00', 0x0, 0x0) creat(&(0x7f0000000300)='file1\x00', 0x0) rename(&(0x7f0000000300)='file1\x00', &(0x7f0000000400)='file2\x00') getdents64(r0, &(0x7
6/2	2026/03/08 05:26	tool	set-results	0m Args: map[ReproOpts:{ "pkgs": [], "progs": [ "syz_mount_image(&(0x7f0000000000)='ntfs3\\x00', &(0x7f0000000100)='./mnt\\x00', 0x0, 0x0, 0x1, 0x0, 0x0)\nr0 = openat(AT_FDCWD, &(0x7f0000000200)='.\\x00', 0x0, 0x0)\ncreat(&(0x7f0000000300)='file1\\x00', 0x0)\nrename(&(0x7f0000000300)='file1\\x00', &(0x7f0000000400)='file2\\x00')\ngetdents64(r0, &(0x7f0000000500), 0x1000)\n" ] }] Results: map[ReproOpts:{ "pkgs": [], "progs": [ "syz_mount_image(&(0x7f0000000000)='ntfs3\\x00', &(0x7f0000000100)='./mnt\\x00', 0x0, 0x0, 0x1, 0x0, 0x0)\nr0 = openat(AT_FDCWD, &(0x7f0000000200)='.\\x00', 0x0, 0x0)\ncreat(&(0x7f0000000300)='file1\\x00', 0x0)\nrename(&(0x7f0000000300)='file1\\x00', &(0x7f0000000400)='file2\\x00')\ngetdents64(r0, &(0x7f0000000500), 0x1000)\n" ] }]
7/2	2026/03/08 05:26	llm	crash-repro-finder	0m Model: gemini-3-pro-preview Tokens: input: 17305 output: 240 thoughts: 0

Trajectory:

Seq

Timestamp

Type

Name

Duration

0/0

2026/03/08 05:17

flow

repro

Results:

map[ReproOpts:{
 "pkgs": [],
 "progs": [
  "syz_mount_image(&(0x7f0000000000)='ntfs3\\x00', &(0x7f0000000100)='./mnt\\x00', 0x0, 0x0, 0x1, 0x0, 0x0)\nr0 = openat(AT_FDCWD, &(0x7f0000000200)='.\\x00', 0x0, 0x0)\ncreat(&(0x7f0000000300)='file1\\x00', 0x0)\nrename(&(0x7f0000000300)='file1\\x00', &(0x7f0000000400)='file2\\x00')\ngetdents64(r0, &(0x7f0000000500), 0x1000)\n"
 ]
} ReproSyz:syz_mount_image(&(0x7f0000000000)='ntfs3\x00', &(0x7f0000000100)='./mnt\x00', 0x0, 0x0, 0x1, 0x0, 0x0)
r0 = openat(AT_FDCWD, &(0x7f0000000200)='.\x00', 0x0, 0x0)
creat(&(0x7f0000000300)='file1\x00', 0x0)
rename(&(0x7f0000000300)='file1\x00', &(0x7f0000000400)='file2\x00')
getdents64(r0, &(0x7f0000000500), 0x1000)
 SyzkallerCommit:31e9c887f7dc24e04b3ca70d0d54fc34141844b0]

1/1

2026/03/08 05:17

action

provide-var

Results:

map[DescriptionFiles:[acpi_thermal_rel.txt aio.txt auto.txt binfmt.txt bpf.txt bpf_prog.txt bpf_trace.txt cgroup.txt damon.txt dev_ashmem.txt dev_bifrost.txt dev_binder.txt dev_binderfs.txt dev_block.txt dev_bsg.txt dev_bus_usb.txt dev_camx.txt dev_cdrom.txt dev_cec.txt dev_char_usb.txt dev_comedi.txt dev_dma_heap.txt dev_dri.txt dev_dsp.txt dev_dvb_demux.txt dev_dvb_dvr.txt dev_dvb_frontend.txt dev_fb.txt dev_floppy.txt dev_hidraw.txt dev_i2c.txt dev_i915.txt dev_img_rogue.txt dev_infiniband_rdma.txt dev_infiniband_rdma_cm.txt dev_input.txt dev_iommu.txt dev_kvm.txt dev_kvm_amd64.txt dev_kvm_arm64.txt dev_kvm_extra.txt dev_kvm_riscv64.txt dev_loop.txt dev_mali.txt dev_media.txt dev_msm.txt dev_msr.txt dev_nbd.txt dev_net_tun.txt dev_panthor.txt dev_ppp.txt dev_ptmx.txt dev_ptp.txt dev_qat_adf_ctl.txt dev_qrtr_tun.txt dev_random.txt dev_rfkill.txt dev_rtc.txt dev_sequencer.txt dev_sg.txt dev_snapshot.txt dev_snd_control.txt dev_snd_hw.txt dev_snd_midi.txt dev_snd_pcm.txt dev_snd_seq.txt dev_snd_timer.txt dev_sr.txt dev_sw_sync.txt dev_tlk_device.txt dev_trusty.txt dev_udmabuf.txt dev_uhid.txt dev_uinput.txt dev_usb_hiddev.txt dev_usbmon.txt dev_userio.txt dev_vfio.txt dev_vga_arbiter.txt dev_vhci.txt dev_video4linux.txt dev_video4linux_vim2m.txt dev_virtual_nci.txt dev_vtpm.txt fanotify.txt filesystem.txt fs_9p.txt fs_fuse.txt fs_incfs.txt fs_ioctl.txt fs_ioctl_autofs.txt fs_ioctl_btrfs.txt fs_ioctl_ext4.txt fs_ioctl_f2fs.txt fs_ioctl_fat.txt fs_ioctl_fscrypt.txt fs_ioctl_fsverity.txt fs_ioctl_xfs.txt futex.txt hafnium.txt inotify.txt io_uring.txt ipc.txt key.txt kfuzztest.txt l2cap.txt landlock.txt lsm.txt namespaces.txt net_80211.txt netfilter.txt netfilter_arp.txt netfilter_bridge.txt netfilter_ipv4.txt netfilter_ipv6.txt netfilter_ipvs.txt netfilter_targets.txt pagemap_ioctl.txt perf.txt prctl.txt quotactl.txt seccomp.txt security_apparmor.txt security_selinux.txt security_smack.txt socket.txt socket_alg.txt socket_ax25.txt socket_bluetooth.txt socket_caif.txt socket_can.txt socket_ieee802154.txt socket_inet.txt socket_inet6.txt socket_inet_dccp.txt socket_inet_icmp.txt socket_inet_igmp.txt socket_inet_l2tp.txt socket_inet_sctp.txt socket_inet_tcp.txt socket_inet_udp.txt socket_ip_tunnel.txt socket_isdn.txt socket_kcm.txt socket_key.txt socket_llc.txt socket_netlink.txt socket_netlink_audit.txt socket_netlink_crypto.txt socket_netlink_generic.txt socket_netlink_generic_80211.txt socket_netlink_generic_batadv.txt socket_netlink_generic_devlink.txt socket_netlink_generic_ethtool.txt socket_netlink_generic_fou.txt socket_netlink_generic_gtp.txt socket_netlink_generic_mptcp.txt socket_netlink_generic_net_dm.txt socket_netlink_generic_netlabel.txt socket_netlink_generic_nfc.txt socket_netlink_generic_seg6.txt socket_netlink_generic_smc.txt socket_netlink_generic_team.txt socket_netlink_generic_wireguard.txt socket_netlink_netfilter.txt socket_netlink_netfilter_acct.txt socket_netlink_netfilter_conntrack.txt socket_netlink_netfilter_conntrack_exp.txt socket_netlink_netfilter_conntrack_helper.txt socket_netlink_netfilter_ipset.txt socket_netlink_netfilter_log.txt socket_netlink_netfilter_nft_compat.txt socket_netlink_netfilter_nftables.txt socket_netlink_netfilter_osf.txt socket_netlink_netfilter_queue.txt socket_netlink_netfilter_timeout.txt socket_netlink_rdma.txt socket_netlink_route.txt socket_netlink_route_sched.txt socket_netlink_route_sched_retired.txt socket_netlink_sock_diag.txt socket_netlink_xfrm.txt socket_netrom.txt socket_nfc.txt socket_nvme_of_tcp.txt socket_packet.txt socket_phonet.txt socket_pppox.txt socket_qipcrtr.txt socket_rds.txt socket_rose.txt socket_rxrpc.txt socket_tipc.txt socket_tipc_netlink.txt socket_unix.txt socket_vnet.txt socket_x25.txt socket_xdp.txt sys.txt uffd.txt usbip.txt vmw_vmci.txt vnet.txt vnet_mptcp.txt vusb.txt watch_queue.txt xattr.txt] SyzkallerCommit:31e9c887f7dc24e04b3ca70d0d54fc34141844b0]

2/1

2026/03/08 05:17

action

kernel-checkouter

Results:

map[KernelSrc:/usr/local/google/home/dvyukov/syzkaller/agent/workdir/cache/src/656999a5500966ef94900a70fd38eebe6ff83d6f]

3/1

2026/03/08 05:17

action

kernel-builder

Results:

map[KernelObj:/usr/local/google/home/dvyukov/syzkaller/agent/workdir/cache/build/79e503db25c1d9874db1f3145ae2b67836b95bf8]

4/1

2026/03/08 05:24

agent

crash-repro-finder

Model:

gemini-3-pro-preview

Results:

map[ReproOpts:{
 "pkgs": [],
 "progs": [
  "syz_mount_image(&(0x7f0000000000)='ntfs3\\x00', &(0x7f0000000100)='./mnt\\x00', 0x0, 0x0, 0x1, 0x0, 0x0)\nr0 = openat(AT_FDCWD, &(0x7f0000000200)='.\\x00', 0x0, 0x0)\ncreat(&(0x7f0000000300)='file1\\x00', 0x0)\nrename(&(0x7f0000000300)='file1\\x00', &(0x7f0000000400)='file2\\x00')\ngetdents64(r0, &(0x7f0000000500), 0x1000)\n"
 ]
}]

Instruction:

You are an expert in linux kernel fuzzing. Your goal is to write a syzkaller program to trigger a specific bug.
Print only the syz program that could be executed directly, without backticks.




Use set-results tool to provide results of the analysis.
It must be called exactly once before the final reply.
Ignore results of this tool.

Prompt:

Bug Title: KMSAN: uninit-value in ntfs_read_hdr

Original Crash Report:
=====================================================
BUG: KMSAN: uninit-value in ntfs_dir_emit fs/ntfs3/dir.c:335 [inline]
BUG: KMSAN: uninit-value in ntfs_read_hdr+0xfd2/0x1440 fs/ntfs3/dir.c:384
 ntfs_dir_emit fs/ntfs3/dir.c:335 [inline]
 ntfs_read_hdr+0xfd2/0x1440 fs/ntfs3/dir.c:384
 ntfs_readdir+0xf21/0x1a30 fs/ntfs3/dir.c:495
 iterate_dir+0x459/0x630 fs/readdir.c:108
 __do_sys_getdents64 fs/readdir.c:412 [inline]
 __se_sys_getdents64+0x17e/0x550 fs/readdir.c:397
 __x64_sys_getdents64+0x97/0xe0 fs/readdir.c:397
 x64_sys_call+0x3cef/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:218
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

<Zero or more stacks not recorded to save memory>

Uninit was stored to memory at:
 ntfs_write_bh+0x6ae/0xe90 fs/ntfs3/fsntfs.c:1437
 indx_write fs/ntfs3/index.c:1027 [inline]
 indx_insert_into_buffer+0x287/0x2010 fs/ntfs3/index.c:1819
 indx_insert_entry+0xcde/0x1050 fs/ntfs3/index.c:1997
 ntfs_create_inode+0x3ee3/0x57b0 fs/ntfs3/inode.c:1656
 ntfs_create+0x56/0x70 fs/ntfs3/namei.c:110
 lookup_open fs/namei.c:4449 [inline]
 open_last_lookups fs/namei.c:4549 [inline]
 path_openat+0x37dd/0x7160 fs/namei.c:4793
 do_filp_open+0x27f/0x660 fs/namei.c:4823
 do_sys_openat2+0x1c6/0x430 fs/open.c:1430
 do_sys_open fs/open.c:1436 [inline]
 __do_sys_creat fs/open.c:1514 [inline]
 __se_sys_creat fs/open.c:1508 [inline]
 __x64_sys_creat+0xe1/0x150 fs/open.c:1508
 x64_sys_call+0x3cdb/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:86
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 hdr_insert_de+0x471/0x560 fs/ntfs3/index.c:835
 indx_insert_into_buffer+0x1b6/0x2010 fs/ntfs3/index.c:1815
 indx_insert_entry+0xcde/0x1050 fs/ntfs3/index.c:1997
 ntfs_create_inode+0x3ee3/0x57b0 fs/ntfs3/inode.c:1656
 ntfs_create+0x56/0x70 fs/ntfs3/namei.c:110
 lookup_open fs/namei.c:4449 [inline]
 open_last_lookups fs/namei.c:4549 [inline]
 path_openat+0x37dd/0x7160 fs/namei.c:4793
 do_filp_open+0x27f/0x660 fs/namei.c:4823
 do_sys_openat2+0x1c6/0x430 fs/open.c:1430
 do_sys_open fs/open.c:1436 [inline]
 __do_sys_creat fs/open.c:1514 [inline]
 __se_sys_creat fs/open.c:1508 [inline]
 __x64_sys_creat+0xe1/0x150 fs/open.c:1508
 x64_sys_call+0x3cdb/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:86
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 ntfs_read_run_nb+0x7cf/0x1810 fs/ntfs3/fsntfs.c:1232
 ntfs_read_bh+0x6a/0xc10 fs/ntfs3/fsntfs.c:1293
 indx_read+0x447/0x1820 fs/ntfs3/index.c:1067
 indx_find+0xa80/0x1500 fs/ntfs3/index.c:1179
 indx_insert_entry+0xd74/0x1050 fs/ntfs3/index.c:1974
 ntfs_create_inode+0x3ee3/0x57b0 fs/ntfs3/inode.c:1656
 ntfs_create+0x56/0x70 fs/ntfs3/namei.c:110
 lookup_open fs/namei.c:4449 [inline]
 open_last_lookups fs/namei.c:4549 [inline]
 path_openat+0x37dd/0x7160 fs/namei.c:4793
 do_filp_open+0x27f/0x660 fs/namei.c:4823
 do_sys_openat2+0x1c6/0x430 fs/open.c:1430
 do_sys_open fs/open.c:1436 [inline]
 __do_sys_creat fs/open.c:1514 [inline]
 __se_sys_creat fs/open.c:1508 [inline]
 __x64_sys_creat+0xe1/0x150 fs/open.c:1508
 x64_sys_call+0x3cdb/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:86
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 ntfs_write_bh+0x6ae/0xe90 fs/ntfs3/fsntfs.c:1437
 indx_write fs/ntfs3/index.c:1027 [inline]
 indx_delete_entry+0x27c5/0x88c0 fs/ntfs3/index.c:2347
 ni_remove_name+0x33d/0xdb0 fs/ntfs3/frecord.c:2805
 ni_rename+0x170/0x220 fs/ntfs3/frecord.c:2965
 ntfs_rename+0xdd2/0x1290 fs/ntfs3/namei.c:332
 vfs_rename+0x249d/0x29a0 fs/namei.c:5938
 do_renameat2+0xb7f/0x15a0 fs/namei.c:6056
 __do_sys_rename fs/namei.c:6099 [inline]
 __se_sys_rename fs/namei.c:6097 [inline]
 __x64_sys_rename+0xd7/0x140 fs/namei.c:6097
 x64_sys_call+0x2c5/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:83
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 ntfs_read_run_nb+0x7cf/0x1810 fs/ntfs3/fsntfs.c:1232
 ntfs_read_bh+0x6a/0xc10 fs/ntfs3/fsntfs.c:1293
 indx_read+0x447/0x1820 fs/ntfs3/index.c:1067
 indx_find+0xa80/0x1500 fs/ntfs3/index.c:1179
 indx_delete_entry+0x117f/0x88c0 fs/ntfs3/index.c:2311
 ni_remove_name+0x33d/0xdb0 fs/ntfs3/frecord.c:2805
 ni_rename+0x170/0x220 fs/ntfs3/frecord.c:2965
 ntfs_rename+0xdd2/0x1290 fs/ntfs3/namei.c:332
 vfs_rename+0x249d/0x29a0 fs/namei.c:5938
 do_renameat2+0xb7f/0x15a0 fs/namei.c:6056
 __do_sys_rename fs/namei.c:6099 [inline]
 __se_sys_rename fs/namei.c:6097 [inline]
 __x64_sys_rename+0xd7/0x140 fs/namei.c:6097
 x64_sys_call+0x2c5/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:83
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 ntfs_write_bh+0x6ae/0xe90 fs/ntfs3/fsntfs.c:1437
 indx_write fs/ntfs3/index.c:1027 [inline]
 indx_insert_into_buffer+0x287/0x2010 fs/ntfs3/index.c:1819
 indx_insert_entry+0xcde/0x1050 fs/ntfs3/index.c:1997
 ni_add_name+0xef7/0x11e0 fs/ntfs3/frecord.c:2931
 ni_rename+0x97/0x220 fs/ntfs3/frecord.c:2962
 ntfs_rename+0xdd2/0x1290 fs/ntfs3/namei.c:332
 vfs_rename+0x249d/0x29a0 fs/namei.c:5938
 do_renameat2+0xb7f/0x15a0 fs/namei.c:6056
 __do_sys_rename fs/namei.c:6099 [inline]
 __se_sys_rename fs/namei.c:6097 [inline]
 __x64_sys_rename+0xd7/0x140 fs/namei.c:6097
 x64_sys_call+0x2c5/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:83
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
 hdr_insert_de+0x4cc/0x560 fs/ntfs3/index.c:838
 indx_insert_into_buffer+0x1b6/0x2010 fs/ntfs3/index.c:1815
 indx_insert_entry+0xcde/0x1050 fs/ntfs3/index.c:1997
 ni_add_name+0xef7/0x11e0 fs/ntfs3/frecord.c:2931
 ni_rename+0x97/0x220 fs/ntfs3/frecord.c:2962
 ntfs_rename+0xdd2/0x1290 fs/ntfs3/namei.c:332
 vfs_rename+0x249d/0x29a0 fs/namei.c:5938
 do_renameat2+0xb7f/0x15a0 fs/namei.c:6056
 __do_sys_rename fs/namei.c:6099 [inline]
 __se_sys_rename fs/namei.c:6097 [inline]
 __x64_sys_rename+0xd7/0x140 fs/namei.c:6097
 x64_sys_call+0x2c5/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:83
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
 slab_post_alloc_hook mm/slub.c:4960 [inline]
 slab_alloc_node mm/slub.c:5263 [inline]
 kmem_cache_alloc_noprof+0x967/0x1730 mm/slub.c:5270
 ntfs_rename+0x874/0x1290 fs/ntfs3/namei.c:307
 vfs_rename+0x249d/0x29a0 fs/namei.c:5938
 do_renameat2+0xb7f/0x15a0 fs/namei.c:6056
 __do_sys_rename fs/namei.c:6099 [inline]
 __se_sys_rename fs/namei.c:6097 [inline]
 __x64_sys_rename+0xd7/0x140 fs/namei.c:6097
 x64_sys_call+0x2c5/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:83
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

CPU: 1 UID: 0 PID: 5785 Comm: syz-executor Tainted: G             L      syzkaller #0 PREEMPT(voluntary) 
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
=====================================================


The list of existing description files:
acpi_thermal_rel.txt
aio.txt
auto.txt
binfmt.txt
bpf.txt
bpf_prog.txt
bpf_trace.txt
cgroup.txt
damon.txt
dev_ashmem.txt
dev_bifrost.txt
dev_binder.txt
dev_binderfs.txt
dev_block.txt
dev_bsg.txt
dev_bus_usb.txt
dev_camx.txt
dev_cdrom.txt
dev_cec.txt
dev_char_usb.txt
dev_comedi.txt
dev_dma_heap.txt
dev_dri.txt
dev_dsp.txt
dev_dvb_demux.txt
dev_dvb_dvr.txt
dev_dvb_frontend.txt
dev_fb.txt
dev_floppy.txt
dev_hidraw.txt
dev_i2c.txt
dev_i915.txt
dev_img_rogue.txt
dev_infiniband_rdma.txt
dev_infiniband_rdma_cm.txt
dev_input.txt
dev_iommu.txt
dev_kvm.txt
dev_kvm_amd64.txt
dev_kvm_arm64.txt
dev_kvm_extra.txt
dev_kvm_riscv64.txt
dev_loop.txt
dev_mali.txt
dev_media.txt
dev_msm.txt
dev_msr.txt
dev_nbd.txt
dev_net_tun.txt
dev_panthor.txt
dev_ppp.txt
dev_ptmx.txt
dev_ptp.txt
dev_qat_adf_ctl.txt
dev_qrtr_tun.txt
dev_random.txt
dev_rfkill.txt
dev_rtc.txt
dev_sequencer.txt
dev_sg.txt
dev_snapshot.txt
dev_snd_control.txt
dev_snd_hw.txt
dev_snd_midi.txt
dev_snd_pcm.txt
dev_snd_seq.txt
dev_snd_timer.txt
dev_sr.txt
dev_sw_sync.txt
dev_tlk_device.txt
dev_trusty.txt
dev_udmabuf.txt
dev_uhid.txt
dev_uinput.txt
dev_usb_hiddev.txt
dev_usbmon.txt
dev_userio.txt
dev_vfio.txt
dev_vga_arbiter.txt
dev_vhci.txt
dev_video4linux.txt
dev_video4linux_vim2m.txt
dev_virtual_nci.txt
dev_vtpm.txt
fanotify.txt
filesystem.txt
fs_9p.txt
fs_fuse.txt
fs_incfs.txt
fs_ioctl.txt
fs_ioctl_autofs.txt
fs_ioctl_btrfs.txt
fs_ioctl_ext4.txt
fs_ioctl_f2fs.txt
fs_ioctl_fat.txt
fs_ioctl_fscrypt.txt
fs_ioctl_fsverity.txt
fs_ioctl_xfs.txt
futex.txt
hafnium.txt
inotify.txt
io_uring.txt
ipc.txt
key.txt
kfuzztest.txt
l2cap.txt
landlock.txt
lsm.txt
namespaces.txt
net_80211.txt
netfilter.txt
netfilter_arp.txt
netfilter_bridge.txt
netfilter_ipv4.txt
netfilter_ipv6.txt
netfilter_ipvs.txt
netfilter_targets.txt
pagemap_ioctl.txt
perf.txt
prctl.txt
quotactl.txt
seccomp.txt
security_apparmor.txt
security_selinux.txt
security_smack.txt
socket.txt
socket_alg.txt
socket_ax25.txt
socket_bluetooth.txt
socket_caif.txt
socket_can.txt
socket_ieee802154.txt
socket_inet.txt
socket_inet6.txt
socket_inet_dccp.txt
socket_inet_icmp.txt
socket_inet_igmp.txt
socket_inet_l2tp.txt
socket_inet_sctp.txt
socket_inet_tcp.txt
socket_inet_udp.txt
socket_ip_tunnel.txt
socket_isdn.txt
socket_kcm.txt
socket_key.txt
socket_llc.txt
socket_netlink.txt
socket_netlink_audit.txt
socket_netlink_crypto.txt
socket_netlink_generic.txt
socket_netlink_generic_80211.txt
socket_netlink_generic_batadv.txt
socket_netlink_generic_devlink.txt
socket_netlink_generic_ethtool.txt
socket_netlink_generic_fou.txt
socket_netlink_generic_gtp.txt
socket_netlink_generic_mptcp.txt
socket_netlink_generic_net_dm.txt
socket_netlink_generic_netlabel.txt
socket_netlink_generic_nfc.txt
socket_netlink_generic_seg6.txt
socket_netlink_generic_smc.txt
socket_netlink_generic_team.txt
socket_netlink_generic_wireguard.txt
socket_netlink_netfilter.txt
socket_netlink_netfilter_acct.txt
socket_netlink_netfilter_conntrack.txt
socket_netlink_netfilter_conntrack_exp.txt
socket_netlink_netfilter_conntrack_helper.txt
socket_netlink_netfilter_ipset.txt
socket_netlink_netfilter_log.txt
socket_netlink_netfilter_nft_compat.txt
socket_netlink_netfilter_nftables.txt
socket_netlink_netfilter_osf.txt
socket_netlink_netfilter_queue.txt
socket_netlink_netfilter_timeout.txt
socket_netlink_rdma.txt
socket_netlink_route.txt
socket_netlink_route_sched.txt
socket_netlink_route_sched_retired.txt
socket_netlink_sock_diag.txt
socket_netlink_xfrm.txt
socket_netrom.txt
socket_nfc.txt
socket_nvme_of_tcp.txt
socket_packet.txt
socket_phonet.txt
socket_pppox.txt
socket_qipcrtr.txt
socket_rds.txt
socket_rose.txt
socket_rxrpc.txt
socket_tipc.txt
socket_tipc_netlink.txt
socket_unix.txt
socket_vnet.txt
socket_x25.txt
socket_xdp.txt
sys.txt
uffd.txt
usbip.txt
vmw_vmci.txt
vnet.txt
vnet_mptcp.txt
vusb.txt
watch_queue.txt
xattr.txt

Reply:

syz_mount_image(&(0x7f0000000000)='ntfs3\x00', &(0x7f0000000100)='./mnt\x00', 0x0, 0x0, 0x1, 0x0, 0x0)
r0 = openat(AT_FDCWD, &(0x7f0000000200)='.\x00', 0x0, 0x0)
creat(&(0x7f0000000300)='file1\x00', 0x0)
rename(&(0x7f0000000300)='file1\x00', &(0x7f0000000400)='file2\x00')
getdents64(r0, &(0x7f0000000500), 0x1000)

5/2

2026/03/08 05:24

llm

crash-repro-finder

Model:

gemini-3-pro-preview

Tokens:

							input: 6318
							output: 278
							thoughts: 9408

Thoughts:

**KMSAN Bug Reproduction in ntfs3 Filesystem**

Okay, so the goal here is to trigger that KMSAN bug, likely an uninitialized memory read, within the `ntfs_read_hdr` function in the `ntfs3` file system driver. The bug report points to `ntfs_dir_emit` calling `ntfs_read_hdr` after a crash during directory iteration via `iterate_dir` -> `ntfs_readdir`. The uninitialized data is probably originating from write/read functions during directory entry modifications, like `ntfs_write_bh`, `ntfs_read_run_nb`, or `hdr_insert_de`. The stack traces mention operations like `ntfs_create`, `ntfs_rename`, and `ntfs_readdir`, all hinting at index modifications.

The core of this seems related to reading directory entries, index entries, in NTFS. We are dealing with uninitialized memory potentially in a buffer head or page. This data got written to and accessed but wasn't properly initialized first. The goal is to trigger this sequence, i.e., write dirty memory and read it back.

To reproduce this, I'm going to follow this plan:

1.  Mount an NTFS3 file system.
2.  Modify the directory structure using create and rename operations to populate the index.
3.  Call `getdents64` on the directory to invoke `ntfs_readdir` and ultimately `ntfs_read_hdr`.

I looked for the proper way to mount a file system using `filesystem.txt` or similar syzkaller documentation. Assuming the `syz_mount_image` function is available, which it should be, this would simplify the repro. The bug is in `fs/ntfs3`, so the kernel must have it enabled and supported by syzkaller.

I'm thinking to construct a reproduction like this:

1.  Create a loop device with an NTFS image.
2.  Mount it using `ntfs3`.
3.  Open the mount point.
4.  Create some files within.
5.  Rename some files.
6.  Call `getdents64` on the directory.

Since `syzkaller` operates by fuzzing syscalls, I rely on `syz_mount_image` to set up the filesystem. So I don't have to create a valid image manually. The fuzzer can have mutated an image. The uninitialized values seem to originate in writes: `ntfs_write_bh`, `ntfs_read_run_nb`, or during inserting entries into the index. The goal here is to get some directory index modifications and then to read those values.

From the crash report, sources of uninit values could be:

*   `ntfs_write_bh` -> `indx_write` -> `indx_insert_into_buffer` -> `indx_insert_entry` -> `ntfs_create_inode` -> `ntfs_create`.
*   `ntfs_read_run_nb` -> `ntfs_read_bh` -> `indx_read` -> `indx_find` -> `indx_insert_entry`.

It seems like inserting index entries in the directory is causing the problem. So the sequence `creat` -> `getdents64`, or `creat` -> `rename` -> `getdents64`, would likely work. The stack traces point out that `ntfs_rename` calls functions that modify the index.

Let's build a syzkaller program. It looks like `syz_mount_image` is the standard approach to mounting a file system, and this is followed by operations like: create, rename and read directory.

```syz
syz_mount_image(&(0x7f0000000000)='ntfs3\x00', &(0x7f0000000100)='./mnt\x00', 0x0, 0x0, 0x1, 0x0, 0x0)
r0 = openat(AT_FDCWD, &(0x7f0000000200)='.\x00', 0x0, 0x0)
creat(&(0x7f0000000300)='file1\x00', 0x0)
rename(&(0x7f0000000300)='file1\x00', &(0x7f0000000400)='file2\x00')
getdents64(r0, &(0x7

6/2

2026/03/08 05:26

tool

set-results

Args:

map[ReproOpts:{
 "pkgs": [],
 "progs": [
  "syz_mount_image(&(0x7f0000000000)='ntfs3\\x00', &(0x7f0000000100)='./mnt\\x00', 0x0, 0x0, 0x1, 0x0, 0x0)\nr0 = openat(AT_FDCWD, &(0x7f0000000200)='.\\x00', 0x0, 0x0)\ncreat(&(0x7f0000000300)='file1\\x00', 0x0)\nrename(&(0x7f0000000300)='file1\\x00', &(0x7f0000000400)='file2\\x00')\ngetdents64(r0, &(0x7f0000000500), 0x1000)\n"
 ]
}]

Results:

map[ReproOpts:{
 "pkgs": [],
 "progs": [
  "syz_mount_image(&(0x7f0000000000)='ntfs3\\x00', &(0x7f0000000100)='./mnt\\x00', 0x0, 0x0, 0x1, 0x0, 0x0)\nr0 = openat(AT_FDCWD, &(0x7f0000000200)='.\\x00', 0x0, 0x0)\ncreat(&(0x7f0000000300)='file1\\x00', 0x0)\nrename(&(0x7f0000000300)='file1\\x00', &(0x7f0000000400)='file2\\x00')\ngetdents64(r0, &(0x7f0000000500), 0x1000)\n"
 ]
}]

7/2

2026/03/08 05:26

llm

crash-repro-finder

Model:

gemini-3-pro-preview

Tokens:

							input: 17305
							output: 240
							thoughts: 0