syzbot

general protection fault in exfat_utf16_to_nls

Status: upstream: reported C repro on 2025/09/24 22:04
Subsystems: exfat
Reported-by: syzbot+3e9cb93e3c5f90d28e19@syzkaller.appspotmail.com
Fix commit: 29c063658d53 exfat: combine iocharset and utf8 option setup
Patched on: [ci-qemu-gce-upstream-auto ci-qemu-upstream ci-qemu-upstream-386 ci-qemu2-arm32 ci-qemu2-arm64 ci-qemu2-arm64-compat ci-qemu2-arm64-mte ci-qemu2-riscv64 ci-snapshot-upstream-root ci-upstream-bpf-kasan-gce ci-upstream-bpf-next-kasan-gce ci-upstream-gce-leak ci-upstream-kasan-badwrites-root ci-upstream-kasan-gce ci-upstream-kasan-gce-386 ci-upstream-kasan-gce-root ci-upstream-kasan-gce-selinux-root ci-upstream-kasan-gce-smack-root ci-upstream-kmsan-gce-386-root ci-upstream-kmsan-gce-root ci-upstream-linux-next-kasan-gce-root ci-upstream-net-kasan-gce ci-upstream-net-this-kasan-gce ci-upstream-rust-kasan-gce ci2-upstream-fs ci2-upstream-kcsan-gce ci2-upstream-usb], missing on: [ci-qemu-native-arm64-kvm ci-upstream-gce-arm64]
First crash: 22d, last: 22d
Cause bisection: introduced by (bisect log):
commit acab02ffcd6b1e796570ffa9658c90c8f09caae3
Author: Yuezhang Mo <Yuezhang.Mo@sony.com>
Date: Thu Sep 11 08:54:31 2025 +0000

  exfat: support modifying mount options via remount

Crash: BUG: unable to handle kernel NULL pointer dereference in exfat_utf16_to_nls (log)
Repro: C syz .config
Discussions (5)
Title | Replies (including bot) | Last reply
[PATCH v2] exfat: combine iocharset and utf8 option setup | 3 (3) | 2025/09/28 09:27
[syzbot] [exfat?] general protection fault in exfat_utf16_to_nls | 0 (7) | 2025/09/26 12:54
Re: [PATCH] exfat: move utf8 mount option setup to exfat_parse_param() | 3 (3) | 2025/09/26 05:19
[PATCH] exfat: move utf8 mount option setup to exfat_parse_param() | 1 (1) | 2025/09/25 18:40
[PATCH] exfat: check for utf8 option change in exfat_reconfigure | 1 (1) | 2025/09/25 15:53
Last patch testing requests (5)
Created | Duration | User | Patch | Repo | Result
2025/09/26 12:54 | 23m | ekffu200098@gmail.com | patch | linux-next | OK (log)
2025/09/25 16:21 | 1h52m | ekffu200098@gmail.com | patch | linux-next | OK (log)
2025/09/25 14:37 | 22m | ekffu200098@gmail.com | patch | linux-next | OK (log)
2025/09/25 13:49 | 0m | ekffu200098@gmail.com | patch | linux-next | error
2025/09/25 04:12 | 23m | ekffu200098@gmail.com | patch | linux-next | error

Sample crash report:
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
CPU: 0 UID: 0 PID: 5982 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
RIP: 0010:exfat_convert_ucs2_to_char fs/exfat/nls.c:441 [inline]
RIP: 0010:__exfat_utf16_to_nls fs/exfat/nls.c:554 [inline]
RIP: 0010:exfat_utf16_to_nls+0x21c/0x840 fs/exfat/nls.c:638
Code: 2e 29 ff 66 41 83 fc 7f 77 14 e8 7f 2a 29 ff e9 b6 00 00 00 e8 75 2a 29 ff e9 a9 00 00 00 48 8b 4c 24 40 48 89 c8 48 c1 e8 03 <42> 80 3c 38 00 74 0f 48 8b 7c 24 40 e8 d3 6b 8e ff 48 8b 4c 24 40
RSP: 0018:ffffc90003c9f760 EFLAGS: 00010202
RAX: 0000000000000002 RBX: 0000000000000004 RCX: 0000000000000010
RDX: ffff8880310f9e40 RSI: 00000000000000e1 RDI: 0000000000000080
RBP: ffffc90003c9f850 R08: 0000000000000005 R09: 0000000000000000
R10: ffffc90003c9f7e0 R11: fffff52000793efc R12: 00000000000000e1
R13: ffffc90003c9fa48 R14: 0000000000000000 R15: dffffc0000000000
FS:  000055556520c500(0000) GS:ffff888125a03000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055556522f608 CR3: 0000000079d18000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 exfat_readdir fs/exfat/dir.c:143 [inline]
 exfat_iterate+0x19a7/0x2050 fs/exfat/dir.c:243
 wrap_directory_iterator+0x96/0xe0 fs/readdir.c:65
 iterate_dir+0x399/0x570 fs/readdir.c:108
 __do_sys_getdents64 fs/readdir.c:410 [inline]
 __se_sys_getdents64+0xe4/0x260 fs/readdir.c:396
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7ff17b9c1833
Code: c1 66 0f 1f 44 00 00 48 83 c4 08 48 89 ef 5b 5d e9 32 3d f8 ff 66 90 b8 ff ff ff 7f 48 39 c2 48 0f 47 d0 b8 d9 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 05 c3 0f 1f 40 00 48 c7 c2 a8 ff ff ff f7 d8
RSP: 002b:00007fff3d1c29f8 EFLAGS: 00000293 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 0000555565227600 RCX: 00007ff17b9c1833
RDX: 0000000000008000 RSI: 0000555565227600 RDI: 0000000000000005
RBP: 00005555652275d4 R08: 0000000000028a41 R09: 0000000000000000
R10: 00007ff17bbb7cc0 R11: 0000000000000293 R12: ffffffffffffffa8
R13: 0000000000000010 R14: 00005555652275d0 R15: 00007fff3d1c4cb0
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:exfat_convert_ucs2_to_char fs/exfat/nls.c:441 [inline]
RIP: 0010:__exfat_utf16_to_nls fs/exfat/nls.c:554 [inline]
RIP: 0010:exfat_utf16_to_nls+0x21c/0x840 fs/exfat/nls.c:638
Code: 2e 29 ff 66 41 83 fc 7f 77 14 e8 7f 2a 29 ff e9 b6 00 00 00 e8 75 2a 29 ff e9 a9 00 00 00 48 8b 4c 24 40 48 89 c8 48 c1 e8 03 <42> 80 3c 38 00 74 0f 48 8b 7c 24 40 e8 d3 6b 8e ff 48 8b 4c 24 40
RSP: 0018:ffffc90003c9f760 EFLAGS: 00010202
RAX: 0000000000000002 RBX: 0000000000000004 RCX: 0000000000000010
RDX: ffff8880310f9e40 RSI: 00000000000000e1 RDI: 0000000000000080
RBP: ffffc90003c9f850 R08: 0000000000000005 R09: 0000000000000000
R10: ffffc90003c9f7e0 R11: fffff52000793efc R12: 00000000000000e1
R13: ffffc90003c9fa48 R14: 0000000000000000 R15: dffffc0000000000
FS:  000055556520c500(0000) GS:ffff888125a03000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000c007d08000 CR3: 0000000079d18000 CR4: 00000000003526f0
----------------
Code disassembly (best guess):
   0:	2e 29 ff             	cs sub %edi,%edi
   3:	66 41 83 fc 7f       	cmp    $0x7f,%r12w
   8:	77 14                	ja     0x1e
   a:	e8 7f 2a 29 ff       	call   0xff292a8e
   f:	e9 b6 00 00 00       	jmp    0xca
  14:	e8 75 2a 29 ff       	call   0xff292a8e
  19:	e9 a9 00 00 00       	jmp    0xc7
  1e:	48 8b 4c 24 40       	mov    0x40(%rsp),%rcx
  23:	48 89 c8             	mov    %rcx,%rax
  26:	48 c1 e8 03          	shr    $0x3,%rax
* 2a:	42 80 3c 38 00       	cmpb   $0x0,(%rax,%r15,1) <-- trapping instruction
  2f:	74 0f                	je     0x40
  31:	48 8b 7c 24 40       	mov    0x40(%rsp),%rdi
  36:	e8 d3 6b 8e ff       	call   0xff8e6c0e
  3b:	48 8b 4c 24 40       	mov    0x40(%rsp),%rcx
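The trapping instruction above is a KASAN shadow check on a pointer loaded from the stack, and the reported range 0x10-0x17 is a field read at a small offset from NULL, reached from the non-UTF-8 name-conversion path in exfat_utf16_to_nls after the bisected remount change. The following C program is an added illustration, not the kernel's fs/exfat code: it models the utf8/iocharset invariant with a two-field superblock stand-in, shows the shape in which the two options are applied independently (so a remount can clear utf8 while leaving the NLS table pointer NULL), and the combined shape the fix commit's title points at, where both are resolved and validated together before being published. The type and function names, the one-entry charset registry, the ASCII-only conversion and the NULL_NLS_DEREF sentinel are assumptions of this model.

```c
/*
 * Constructed model of the exfat utf8/iocharset invariant (illustration only,
 * not fs/exfat code; names, the one-entry charset registry and the sentinel
 * value are assumptions). exfat converts UTF-16 names either on a built-in
 * UTF-8 path (utf8 set) or through an NLS table (nls_io). Invariant:
 * utf8 clear  ==>  nls_io != NULL.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

struct nls_table {                     /* stand-in for the kernel's struct */
    const char *charset;
    int (*uni2char)(unsigned short uni, unsigned char *out, int boundlen);
};

static int ascii_uni2char(unsigned short uni, unsigned char *out, int boundlen)
{
    if (boundlen < 1 || uni > 0x7f)
        return -EINVAL;
    out[0] = (unsigned char)uni;
    return 1;
}

static struct nls_table nls_ascii = { "ascii", ascii_uni2char };

struct mount_opts { bool utf8; const char *iocharset; };
struct sb_info { struct mount_opts opt; struct nls_table *nls_io; };

static struct nls_table *load_nls(const char *name)   /* one-entry registry */
{
    return (name && strcmp(name, "ascii") == 0) ? &nls_ascii : NULL;
}

static bool options_consistent(const struct sb_info *sbi)
{
    return sbi->opt.utf8 || sbi->nls_io != NULL;
}

#define NULL_NLS_DEREF (-1000)   /* sentinel for "the kernel would oops here" */

/* Same control flow as the conversion routine: the !utf8 path trusts nls_io. */
static int convert_name(const struct sb_info *sbi, unsigned short uni,
                        unsigned char *out)
{
    if (sbi->opt.utf8) {
        if (uni > 0x7f)
            return -EINVAL;            /* model handles ASCII only */
        out[0] = (unsigned char)uni;
        return 1;
    }
    if (sbi->nls_io == NULL)           /* no such check in the kernel */
        return NULL_NLS_DEREF;
    return sbi->nls_io->uni2char(uni, out, 1);
}

/* Separate shape: utf8 and iocharset applied independently, so clearing utf8
 * on remount leaves nls_io as it was (NULL after a utf8 mount). */
static int apply_options_separately(struct sb_info *sbi, const struct mount_opts *o)
{
    sbi->opt.utf8 = o->utf8;
    if (o->iocharset) {
        sbi->opt.iocharset = o->iocharset;
        sbi->nls_io = load_nls(o->iocharset);
    }
    return 0;
}

/* Combined shape: resolve both options as one decision, validate, then publish. */
static int apply_options_combined(struct sb_info *sbi, const struct mount_opts *o)
{
    struct nls_table *nls = NULL;
    if (!o->utf8 && (nls = load_nls(o->iocharset)) == NULL)
        return -EINVAL;                /* reject; old state stays intact */
    sbi->opt = *o;
    sbi->nls_io = nls;                 /* NULL exactly when utf8 is set */
    return 0;
}

static int mount_fs(struct sb_info *sbi, const struct mount_opts *o)
{
    memset(sbi, 0, sizeof(*sbi));
    return apply_options_combined(sbi, o);
}

/* utf8 mount, then "utf8 off, no iocharset" remount applied separately;
 * the next name conversion hits the NULL table. Returns NULL_NLS_DEREF. */
static int scenario_separate(void)
{
    struct sb_info sbi;
    struct mount_opts m = { true, NULL }, r = { false, NULL };
    unsigned char c;
    mount_fs(&sbi, &m);
    apply_options_separately(&sbi, &r);
    return convert_name(&sbi, 'A', &c);
}

/* Same remount applied combined: rejected with -EINVAL and the mount stays
 * consistent; a remount naming a loadable charset then converts normally.
 * Returns 1 (bytes converted) on the expected path. */
static int scenario_combined(void)
{
    struct sb_info sbi;
    struct mount_opts m = { true, NULL }, bad = { false, NULL }, ok = { false, "ascii" };
    unsigned char c;
    mount_fs(&sbi, &m);
    if (apply_options_combined(&sbi, &bad) != -EINVAL || !options_consistent(&sbi))
        return -1;
    if (apply_options_combined(&sbi, &ok) != 0)
        return -2;
    return convert_name(&sbi, 'A', &c) == 1 && c == 'A' ? 1 : -3;
}

int main(void)
{
    printf("separate: %d  combined: %d\n", scenario_separate(), scenario_combined());
    return 0;
}
```

The point the model makes is the one the crash site shows: the conversion routine has no check on the table pointer, so the only safe place to enforce the invariant is where the options are set, and a remount must make the same combined decision as the initial mount rather than updating one field and trusting the other.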

Crashes (11):
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title
2025/09/25 04:46 | linux-next | b5a4da2c459f | 0abd0691 | .config | console log | report | syz / log | C | | [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] | ci-upstream-linux-next-kasan-gce-root | general protection fault in exfat_utf16_to_nls
2025/09/25 03:29 | linux-next | b5a4da2c459f | 0abd0691 | .config | console log | report | syz / log | C | | [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] | ci-upstream-linux-next-kasan-gce-root | general protection fault in exfat_utf16_to_nls
2025/09/25 01:16 | linux-next | b5a4da2c459f | 0abd0691 | .config | console log | report | syz / log | C | | [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] | ci-upstream-linux-next-kasan-gce-root | general protection fault in exfat_utf16_to_nls
2025/09/24 23:06 | linux-next | b5a4da2c459f | 0abd0691 | .config | console log | report | syz / log | C | | [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] | ci-upstream-linux-next-kasan-gce-root | general protection fault in exfat_utf16_to_nls
2025/09/24 21:04 | linux-next | b5a4da2c459f | 0abd0691 | .config | console log | report | syz / log | C | | [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] | ci-upstream-linux-next-kasan-gce-root | general protection fault in exfat_utf16_to_nls
2025/09/24 20:40 | linux-next | b5a4da2c459f | 0abd0691 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-linux-next-kasan-gce-root | general protection fault in exfat_utf16_to_nls
2025/09/24 19:39 | linux-next | b5a4da2c459f | 0abd0691 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-linux-next-kasan-gce-root | general protection fault in exfat_utf16_to_nls
2025/09/24 19:36 | linux-next | b5a4da2c459f | 0abd0691 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-linux-next-kasan-gce-root | general protection fault in exfat_utf16_to_nls
2025/09/24 19:36 | linux-next | b5a4da2c459f | 0abd0691 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-linux-next-kasan-gce-root | general protection fault in exfat_utf16_to_nls
2025/09/24 19:36 | linux-next | b5a4da2c459f | 0abd0691 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-linux-next-kasan-gce-root | general protection fault in exfat_utf16_to_nls
2025/09/24 19:35 | linux-next | b5a4da2c459f | 0abd0691 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-linux-next-kasan-gce-root | general protection fault in exfat_utf16_to_nls
* Struck through repros no longer work on HEAD.