syzbot


UBSAN: array-index-out-of-bounds in ocfs2_block_group_fill

Status: upstream: reported C repro on 2025/10/15 02:12
Subsystems: ocfs2
Reported-by: syzbot+77026564530dbc29b854@syzkaller.appspotmail.com
Fix commit: ocfs2: add extra consistency checks for chain allocator dinodes
Patched on: [ci-upstream-linux-next-kasan-gce-root ci-upstream-rust-kasan-gce], missing on: [ci-qemu-gce-upstream-auto ci-qemu-native-arm64-kvm ci-qemu-upstream ci-qemu-upstream-386 ci-qemu2-arm32 ci-qemu2-arm64 ci-qemu2-arm64-compat ci-qemu2-arm64-mte ci-qemu2-riscv64 ci-snapshot-upstream-root ci-upstream-bpf-kasan-gce ci-upstream-bpf-next-kasan-gce ci-upstream-gce-arm64 ci-upstream-gce-leak ci-upstream-kasan-badwrites-root ci-upstream-kasan-gce ci-upstream-kasan-gce-386 ci-upstream-kasan-gce-root ci-upstream-kasan-gce-selinux-root ci-upstream-kasan-gce-smack-root ci-upstream-kmsan-gce-386-root ci-upstream-kmsan-gce-root ci-upstream-net-kasan-gce ci-upstream-net-this-kasan-gce ci2-upstream-fs ci2-upstream-kcsan-gce ci2-upstream-usb]
First crash: 41d, last: 39d
Cause bisection: introduced by:
commit aa545adbe491402cf1e664f6be0a799ed69d9946
Author: Dmitry Antipov <dmantipov@yandex.ru>
Date: Tue Oct 7 12:35:26 2025 +0000

  ocfs2: annotate flexible array members with __counted_by_le()

Crash: UBSAN: array-index-out-of-bounds in ocfs2_block_group_fill
Repro: C syz .config
Discussions (1)
Title: [syzbot] [ocfs2?] UBSAN: array-index-out-of-bounds in ocfs2_block_group_fill
Replies (including bot): 0 (19)
Last reply: 2025/10/29 06:27
Last patch testing requests (18)
Created Duration User Patch Repo Result
2025/10/29 06:27 22m dmantipov@yandex.ru patch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git linux-6.12.y OK log
2025/10/29 06:25 22m dmantipov@yandex.ru patch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git linux-6.1.y OK log
2025/10/29 06:21 20m dmantipov@yandex.ru patch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git linux-5.10.y error
2025/10/28 18:22 32m dmantipov@yandex.ru patch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git linux-6.12.y OK log
2025/10/28 18:21 17m dmantipov@yandex.ru patch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git linux-6.1.y error
2025/10/28 18:19 13m dmantipov@yandex.ru patch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git linux-5.10.y error
2025/10/28 10:41 0m dmantipov@yandex.ru patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git linux-6.12.y error
2025/10/28 10:41 1m dmantipov@yandex.ru patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git linux-6.1.y error
2025/10/28 10:40 4m dmantipov@yandex.ru patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git linux-5.10.y error
2025/10/28 07:02 46m dmantipov@yandex.ru patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git fd57572253bc356330dbe5b233c2e1d8426c66fd OK log
2025/10/24 07:15 26m dmantipov@yandex.ru patch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git linux-6.12.y OK log
2025/10/24 07:15 50m dmantipov@yandex.ru patch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git linux-6.1.y OK log
2025/10/24 07:11 54m dmantipov@yandex.ru patch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git linux-5.10.y error
2025/10/22 12:13 29m dmantipov@yandex.ru patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 552c50713f273b494ac6c77052032a49bc9255e2 OK log
2025/10/17 10:11 23m dmantipov@yandex.ru patch https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 2433b84761658ef123ae683508bc461b07c5b0f0 OK log
2025/10/15 06:45 24m kartikey406@gmail.com patch linux-next OK log
2025/10/15 05:28 26m dmantipov@yandex.ru patch https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 13863a59e410cab46d26751941980dc8f088b9b3 OK log
2025/10/15 04:46 25m kartikey406@gmail.com patch linux-next OK log

Sample crash report:
         option from the mount to silence this warning.
=======================================================
JBD2: Ignoring recovery information on journal
ocfs2: Mounting device (7,0) on (node local, slot 0) with ordered data mode.
------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in fs/ocfs2/suballoc.c:380:22
index 0 is out of range for type 'struct ocfs2_chain_rec[] __counted_by(cl_count)' (aka 'struct ocfs2_chain_rec[]')
CPU: 0 UID: 0 PID: 6052 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 ubsan_epilogue+0xa/0x40 lib/ubsan.c:233
 __ubsan_handle_out_of_bounds+0xe9/0xf0 lib/ubsan.c:455
 ocfs2_block_group_fill+0x938/0xb30 fs/ocfs2/suballoc.c:380
 ocfs2_block_group_alloc_contig fs/ocfs2/suballoc.c:454 [inline]
 ocfs2_block_group_alloc fs/ocfs2/suballoc.c:699 [inline]
 ocfs2_reserve_suballoc_bits+0x117d/0x4680 fs/ocfs2/suballoc.c:834
 ocfs2_reserve_new_metadata_blocks+0x403/0x940 fs/ocfs2/suballoc.c:984
 ocfs2_expand_inline_dir fs/ocfs2/dir.c:2853 [inline]
 ocfs2_extend_dir+0xc76/0x4870 fs/ocfs2/dir.c:3215
 ocfs2_prepare_dir_for_insert+0x2fdf/0x54b0 fs/ocfs2/dir.c:4320
 ocfs2_mknod+0x819/0x2050 fs/ocfs2/namei.c:297
 ocfs2_mkdir+0x191/0x440 fs/ocfs2/namei.c:659
 vfs_mkdir+0x306/0x510 fs/namei.c:4453
 do_mkdirat+0x247/0x590 fs/namei.c:4486
 __do_sys_mkdirat fs/namei.c:4503 [inline]
 __se_sys_mkdirat fs/namei.c:4501 [inline]
 __x64_sys_mkdirat+0x87/0xa0 fs/namei.c:4501
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f0917d8d617
Code: 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 02 01 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff863b0218 EFLAGS: 00000246 ORIG_RAX: 0000000000000102
RAX: ffffffffffffffda RBX: 00007fff863b02a0 RCX: 00007f0917d8d617
RDX: 00000000000001ff RSI: 0000200000000680 RDI: 00000000ffffff9c
RBP: 0000200000000080 R08: 0000200000000140 R09: 0000000000000000
R10: 0000200000000080 R11: 0000000000000246 R12: 0000200000000680
R13: 00007fff863b0260 R14: 0000000000000000 R15: 0000000000000000
 </TASK>
---[ end trace ]---

Crashes (6):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2025/10/14 02:02 linux-next 52ba76324a9d b6605ba8 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro (clean fs)] ci-upstream-linux-next-kasan-gce-root UBSAN: array-index-out-of-bounds in ocfs2_block_group_fill
2025/10/14 02:23 linux-next 52ba76324a9d b6605ba8 .config console log report syz / log [disk image] [vmlinux] [kernel image] [mounted in repro (clean fs)] ci-upstream-linux-next-kasan-gce-root UBSAN: array-index-out-of-bounds in ocfs2_block_group_fill
2025/10/16 07:17 linux-next 1fdbb3ff1233 19568248 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root UBSAN: array-index-out-of-bounds in ocfs2_block_group_fill
2025/10/16 07:16 linux-next 1fdbb3ff1233 19568248 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root UBSAN: array-index-out-of-bounds in ocfs2_block_group_fill
2025/10/13 12:23 linux-next 52ba76324a9d ff1712fe .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root UBSAN: array-index-out-of-bounds in ocfs2_block_group_fill
2025/10/13 12:23 linux-next 52ba76324a9d ff1712fe .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root UBSAN: array-index-out-of-bounds in ocfs2_block_group_fill
* Struck through repros no longer work on HEAD.