syzbot

 sign-in | mailing list | source | docs
🐞 Open [1592]
Subsystems
🐞 Fixed [6233]
🐞 Invalid [15780]
Missing Backports [183]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
Total Repo Heatmap Subsystems Heatmap
💬 Send us feedback

BUG: unable to handle kernel paging request in evict (2)

Status: upstream: reported C repro on 2024/11/25 06:06
Subsystems: jfs ntfs3
[Documentation on labels]
Reported-by: syzbot+34226167ebf8da2171a9@syzkaller.appspotmail.com
First crash: 272d, last: 13d
Cause bisection: the issue happens on the oldest tested release (bisect log)
Crash: KASAN: use-after-free Write in diWrite (log)
Repro: C syz .config
  
Discussions (1)
Title Replies (including bot) Last reply
[syzbot] [ntfs3?] BUG: unable to handle kernel paging request in evict (2) 0 (1) 2024/11/25 06:06
Similar bugs (3)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-5.15 BUG: unable to handle kernel paging request in evict 10 71d 248d 0/3 upstream: reported on 2024/09/10 16:38
upstream BUG: unable to handle kernel paging request in evict exfat C error done 23 920d 965d 22/28 fixed on 2023/02/24 13:50
android-5-15 KASAN: use-after-free Read in evict fat 1 856d 856d 0/2 auto-obsoleted due to no activity on 2023/04/20 02:58
Last patch testing requests (3)
Created Duration User Patch Repo Result
2025/04/10 20:09 16m retest repro upstream report log
2025/03/04 17:38 14m retest repro upstream report log
2024/12/09 13:51 58m retest repro upstream report log
Fix bisection attempts (2)
Created Duration User Patch Repo Result
2025/03/22 00:51 3h31m bisect fix upstream OK (0) job log log
2025/01/30 08:03 1h55m bisect fix upstream OK (0) job log log

Sample crash report:
Oops: general protection fault, probably for non-canonical address 0xdffffc0100000001: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: probably user-memory-access in range [0x0000000800000008-0x000000080000000f]
CPU: 0 UID: 0 PID: 5836 Comm: syz-executor997 Not tainted 6.14.0-rc1-syzkaller-00235-g9946eaf552b1 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
RIP: 0010:__hlist_del include/linux/list.h:982 [inline]
RIP: 0010:hlist_del_init_rcu include/linux/rculist.h:228 [inline]
RIP: 0010:__remove_inode_hash fs/inode.c:671 [inline]
RIP: 0010:remove_inode_hash include/linux/fs.h:3325 [inline]
RIP: 0010:evict+0x64f/0x9a0 fs/inode.c:804
Code: 4c 89 ff e8 f3 2e e6 ff 4d 89 27 4d 85 e4 74 61 e8 16 1c 82 ff 49 83 c4 08 4c 89 e0 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 4c 89 e7 e8 c3 2e e6 ff 4d 89 3c 24 eb 38 e8 e8
RSP: 0018:ffffc90003fdf9c0 EFLAGS: 00010202
RAX: 0000000100000001 RBX: 1ffff1100e7397a1 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffc90003fdf940
RBP: ffffc90003fdfaf0 R08: 0000000000000003 R09: fffff520007fbf28
R10: dffffc0000000000 R11: fffff520007fbf28 R12: 0000000800000008
R13: ffff8880739cbc00 R14: ffff8880739cbd08 R15: ffffc90000c4c388
FS:  0000555591cae480(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffca91c5000 CR3: 0000000076844000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 dispose_list fs/inode.c:845 [inline]
 evict_inodes+0x6f6/0x790 fs/inode.c:899
 generic_shutdown_super+0xa0/0x2d0 fs/super.c:627
 kill_block_super+0x44/0x90 fs/super.c:1710
 deactivate_locked_super+0xc4/0x130 fs/super.c:473
 cleanup_mnt+0x41f/0x4b0 fs/namespace.c:1413
 task_work_run+0x24f/0x310 kernel/task_work.c:227
 ptrace_notify+0x2d2/0x380 kernel/signal.c:2522
 ptrace_report_syscall include/linux/ptrace.h:415 [inline]
 ptrace_report_syscall_exit include/linux/ptrace.h:477 [inline]
 syscall_exit_work+0xc7/0x1d0 kernel/entry/common.c:173
 syscall_exit_to_user_mode_prepare kernel/entry/common.c:200 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:205 [inline]
 syscall_exit_to_user_mode+0x24a/0x340 kernel/entry/common.c:218
 do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f2505837cc7
Code: 00 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8
RSP: 002b:00007ffca91c3388 EFLAGS: 00000206 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000002 RCX: 00007f2505837cc7
RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007ffca91c3440
RBP: 00007ffca91c3440 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000206 R12: 00007ffca91c44b0
R13: 0000555591caf7c0 R14: 0000000000016c6b R15: 0000000000000001
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__hlist_del include/linux/list.h:982 [inline]
RIP: 0010:hlist_del_init_rcu include/linux/rculist.h:228 [inline]
RIP: 0010:__remove_inode_hash fs/inode.c:671 [inline]
RIP: 0010:remove_inode_hash include/linux/fs.h:3325 [inline]
RIP: 0010:evict+0x64f/0x9a0 fs/inode.c:804
Code: 4c 89 ff e8 f3 2e e6 ff 4d 89 27 4d 85 e4 74 61 e8 16 1c 82 ff 49 83 c4 08 4c 89 e0 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 4c 89 e7 e8 c3 2e e6 ff 4d 89 3c 24 eb 38 e8 e8
RSP: 0018:ffffc90003fdf9c0 EFLAGS: 00010202
RAX: 0000000100000001 RBX: 1ffff1100e7397a1 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffc90003fdf940
RBP: ffffc90003fdfaf0 R08: 0000000000000003 R09: fffff520007fbf28
R10: dffffc0000000000 R11: fffff520007fbf28 R12: 0000000800000008
R13: ffff8880739cbc00 R14: ffff8880739cbd08 R15: ffffc90000c4c388
FS:  0000555591cae480(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffca91c5000 CR3: 0000000076844000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	4c 89 ff             	mov    %r15,%rdi
   3:	e8 f3 2e e6 ff       	call   0xffe62efb
   8:	4d 89 27             	mov    %r12,(%r15)
   b:	4d 85 e4             	test   %r12,%r12
   e:	74 61                	je     0x71
  10:	e8 16 1c 82 ff       	call   0xff821c2b
  15:	49 83 c4 08          	add    $0x8,%r12
  19:	4c 89 e0             	mov    %r12,%rax
  1c:	48 c1 e8 03          	shr    $0x3,%rax
  20:	48 b9 00 00 00 00 00 	movabs $0xdffffc0000000000,%rcx
  27:	fc ff df
* 2a:	80 3c 08 00          	cmpb   $0x0,(%rax,%rcx,1) <-- trapping instruction
  2e:	74 08                	je     0x38
  30:	4c 89 e7             	mov    %r12,%rdi
  33:	e8 c3 2e e6 ff       	call   0xffe62efb
  38:	4d 89 3c 24          	mov    %r15,(%r12)
  3c:	eb 38                	jmp    0x76
  3e:	e8                   	.byte 0xe8
  3f:	e8                   	.byte 0xe8

Crashes (14):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2025/02/09 07:09 upstream 9946eaf552b1 ef44b750 .config strace log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] ci2-upstream-fs general protection fault in evict
2024/11/25 06:05 upstream 9f16d5e6f220 68da6d95 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-upstream-fs general protection fault in evict
2025/05/03 18:04 upstream 95d3481af6dc b0714e37 .config console log report syz / log C [disk image (non-bootable)] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] ci-snapshot-upstream-root general protection fault in evict
2025/05/03 15:30 upstream 95d3481af6dc b0714e37 .config console log report syz / log C [disk image (non-bootable)] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] ci-snapshot-upstream-root general protection fault in evict
2024/09/02 16:54 upstream 67784a74e258 1eda0d14 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-badwrites-root BUG: unable to handle kernel paging request in evict
2024/08/28 22:34 upstream 86987d84b968 940f38c1 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-badwrites-root BUG: unable to handle kernel paging request in evict
2024/08/17 10:38 upstream e5fa841af679 dbc93b08 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-badwrites-root BUG: unable to handle kernel paging request in evict
2024/12/21 11:56 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 573067a5a685 d7f584ee .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-gce-arm64 BUG: unable to handle kernel paging request in evict
2025/05/03 14:04 upstream 95d3481af6dc b0714e37 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs general protection fault in evict
2025/02/18 10:53 upstream 2408a807bfc3 c37c7249 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs general protection fault in evict
2025/02/18 10:53 upstream 2408a807bfc3 c37c7249 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs general protection fault in evict
2024/11/25 05:15 upstream 9f16d5e6f220 68da6d95 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs general protection fault in evict
2025/04/21 03:37 upstream 6fea5fabd332 2a20f901 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root general protection fault in evict
2024/12/28 21:21 linux-next 8155b4ef3466 d3ccff63 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root general protection fault in evict
* Struck through repros no longer work on HEAD.