syzbot


KASAN: null-ptr-deref Write in d_delete

Status: internal: reported on 2025/06/24 07:51
Reported-by: syzbot+b9229806f8054b03a7a6@syzkaller.appspotmail.com
First crash: 11h41m, last: 11h41m
Similar bugs (1)
Kernel:        android-54
Title:         KASAN: null-ptr-deref Write in d_delete
Repro:         -
Cause bisect:  -
Fix bisect:    -
Count:         3
Last:          1215d
Reported:      1215d
Patched:       0/2
Status:        auto-closed as invalid on 2022/06/25 18:25

Sample crash report (the KASAN report, followed by the page-fault oops for the same access; the faulting address 0x80 is a small offset from NULL, and the trace shows d_delete, reached from rust_binderfs_remove_file while the Rust binder driver drops a BinderfsProcFile in Process::deferred_release on a workqueue, taking a spinlock through a NULL pointer):
==================================================================
BUG: KASAN: null-ptr-deref in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: null-ptr-deref in atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:1300 [inline]
BUG: KASAN: null-ptr-deref in queued_spin_lock include/asm-generic/qspinlock.h:111 [inline]
BUG: KASAN: null-ptr-deref in do_raw_spin_lock include/linux/spinlock.h:187 [inline]
BUG: KASAN: null-ptr-deref in __raw_spin_lock include/linux/spinlock_api_smp.h:134 [inline]
BUG: KASAN: null-ptr-deref in _raw_spin_lock+0x7f/0x120 kernel/locking/spinlock.c:154
Write of size 4 at addr 0000000000000080 by task kworker/1:2/305

CPU: 1 UID: 0 PID: 305 Comm: kworker/1:2 Not tainted 6.12.30-syzkaller-g1d4f4d446dbd #0 c93aecf919cd453af8c9b0d1ce6d9747cbb4dbdf
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Workqueue: events _RNvXs6_NtCs43vyB533jt3_6kernel9workqueueINtNtNtB7_4sync3arc3ArcNtNtCshgDM7dBCdno_11rust_binder7process7ProcessEINtB5_15WorkItemPointerKy0_E3runB13_
Call Trace:
 <TASK>
 __dump_stack+0x21/0x30 lib/dump_stack.c:94
 dump_stack_lvl+0x10c/0x190 lib/dump_stack.c:120
 print_report+0x3d/0x70 mm/kasan/report.c:491
 kasan_report+0x163/0x1a0 mm/kasan/report.c:601
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x299/0x2a0 mm/kasan/generic.c:189
 __kasan_check_write+0x18/0x20 mm/kasan/shadow.c:37
 instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
 atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:1300 [inline]
 queued_spin_lock include/asm-generic/qspinlock.h:111 [inline]
 do_raw_spin_lock include/linux/spinlock.h:187 [inline]
 __raw_spin_lock include/linux/spinlock_api_smp.h:134 [inline]
 _raw_spin_lock+0x7f/0x120 kernel/locking/spinlock.c:154
 spin_lock include/linux/spinlock.h:351 [inline]
 d_delete+0x4a/0x120 fs/dcache.c:2398
 rust_binderfs_remove_file+0xec/0x110 drivers/android/binder/rust_binderfs.c:509
 <rust_binder::BinderfsProcFile as core::ops::drop::Drop>::drop drivers/android/binder/rust_binder.rs:627 [inline]
 core::ptr::drop_in_place::<rust_binder::BinderfsProcFile> usr/local/rustup/toolchains/1.87.0-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:523 [inline]
 core::ptr::drop_in_place::<core::option::Option<rust_binder::BinderfsProcFile>> usr/local/rustup/toolchains/1.87.0-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:523 [inline]
 core::mem::drop::<core::option::Option<rust_binder::BinderfsProcFile>> usr/local/rustup/toolchains/1.87.0-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/mem/mod.rs:935 [inline]
 <rust_binder::process::Process>::deferred_release drivers/android/binder/process.rs:1286 [inline]
 <rust_binder::process::Process as kernel::workqueue::WorkItem>::run+0x9d4/0x2860 drivers/android/binder/process.rs:483
 process_one_work kernel/workqueue.c:3238 [inline]
 process_scheduled_works+0x7d2/0x1020 kernel/workqueue.c:3319
 worker_thread+0xc58/0x1250 kernel/workqueue.c:3400
 kthread+0x2ca/0x370 kernel/kthread.c:389
 ret_from_fork+0x64/0xa0 arch/x86/kernel/process.c:153
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
==================================================================
BUG: kernel NULL pointer dereference, address: 0000000000000080
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 800000012f745067 P4D 800000012f745067 PUD 0 
Oops: Oops: 0002 [#1] PREEMPT SMP KASAN PTI
CPU: 1 UID: 0 PID: 305 Comm: kworker/1:2 Tainted: G    B              6.12.30-syzkaller-g1d4f4d446dbd #0 c93aecf919cd453af8c9b0d1ce6d9747cbb4dbdf
Tainted: [B]=BAD_PAGE
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Workqueue: events _RNvXs6_NtCs43vyB533jt3_6kernel9workqueueINtNtNtB7_4sync3arc3ArcNtNtCshgDM7dBCdno_11rust_binder7process7ProcessEINtB5_15WorkItemPointerKy0_E3runB13_
RIP: 0010:arch_atomic_try_cmpxchg arch/x86/include/asm/atomic.h:107 [inline]
RIP: 0010:raw_atomic_try_cmpxchg_acquire include/linux/atomic/atomic-arch-fallback.h:2170 [inline]
RIP: 0010:atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:1302 [inline]
RIP: 0010:queued_spin_lock include/asm-generic/qspinlock.h:111 [inline]
RIP: 0010:do_raw_spin_lock include/linux/spinlock.h:187 [inline]
RIP: 0010:__raw_spin_lock include/linux/spinlock_api_smp.h:134 [inline]
RIP: 0010:_raw_spin_lock+0x95/0x120 kernel/locking/spinlock.c:154
Code: 7d 7a c7 44 24 20 00 00 00 00 be 04 00 00 00 e8 f1 63 54 fc 4c 89 f7 be 04 00 00 00 e8 e4 63 54 fc 8b 44 24 20 b9 01 00 00 00 <f0> 0f b1 0b 75 32 48 c7 04 24 0e 36 e0 45 4b c7 04 3c 00 00 00 00
RSP: 0018:ffffc9000b75f4e0 EFLAGS: 00010297
RAX: 0000000000000000 RBX: 0000000000000080 RCX: 0000000000000001
RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffffc9000b75f500
RBP: ffffc9000b75f560 R08: 0000000000000003 R09: 0000000000000004
R10: dffffc0000000000 R11: fffff520016ebea0 R12: 1ffff920016ebe9c
R13: dffffc0000000000 R14: ffffc9000b75f500 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000080 CR3: 000000012da56000 CR4: 00000000003526b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 spin_lock include/linux/spinlock.h:351 [inline]
 d_delete+0x4a/0x120 fs/dcache.c:2398
 rust_binderfs_remove_file+0xec/0x110 drivers/android/binder/rust_binderfs.c:509
 <rust_binder::BinderfsProcFile as core::ops::drop::Drop>::drop drivers/android/binder/rust_binder.rs:627 [inline]
 core::ptr::drop_in_place::<rust_binder::BinderfsProcFile> usr/local/rustup/toolchains/1.87.0-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:523 [inline]
 core::ptr::drop_in_place::<core::option::Option<rust_binder::BinderfsProcFile>> usr/local/rustup/toolchains/1.87.0-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:523 [inline]
 core::mem::drop::<core::option::Option<rust_binder::BinderfsProcFile>> usr/local/rustup/toolchains/1.87.0-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/mem/mod.rs:935 [inline]
 <rust_binder::process::Process>::deferred_release drivers/android/binder/process.rs:1286 [inline]
 <rust_binder::process::Process as kernel::workqueue::WorkItem>::run+0x9d4/0x2860 drivers/android/binder/process.rs:483
 process_one_work kernel/workqueue.c:3238 [inline]
 process_scheduled_works+0x7d2/0x1020 kernel/workqueue.c:3319
 worker_thread+0xc58/0x1250 kernel/workqueue.c:3400
 kthread+0x2ca/0x370 kernel/kthread.c:389
 ret_from_fork+0x64/0xa0 arch/x86/kernel/process.c:153
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
Modules linked in:
CR2: 0000000000000080
---[ end trace 0000000000000000 ]---
RIP: 0010:arch_atomic_try_cmpxchg arch/x86/include/asm/atomic.h:107 [inline]
RIP: 0010:raw_atomic_try_cmpxchg_acquire include/linux/atomic/atomic-arch-fallback.h:2170 [inline]
RIP: 0010:atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:1302 [inline]
RIP: 0010:queued_spin_lock include/asm-generic/qspinlock.h:111 [inline]
RIP: 0010:do_raw_spin_lock include/linux/spinlock.h:187 [inline]
RIP: 0010:__raw_spin_lock include/linux/spinlock_api_smp.h:134 [inline]
RIP: 0010:_raw_spin_lock+0x95/0x120 kernel/locking/spinlock.c:154
Code: 7d 7a c7 44 24 20 00 00 00 00 be 04 00 00 00 e8 f1 63 54 fc 4c 89 f7 be 04 00 00 00 e8 e4 63 54 fc 8b 44 24 20 b9 01 00 00 00 <f0> 0f b1 0b 75 32 48 c7 04 24 0e 36 e0 45 4b c7 04 3c 00 00 00 00
RSP: 0018:ffffc9000b75f4e0 EFLAGS: 00010297
RAX: 0000000000000000 RBX: 0000000000000080 RCX: 0000000000000001
RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffffc9000b75f500
RBP: ffffc9000b75f560 R08: 0000000000000003 R09: 0000000000000004
R10: dffffc0000000000 R11: fffff520016ebea0 R12: 1ffff920016ebe9c
R13: dffffc0000000000 R14: ffffc9000b75f500 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000080 CR3: 000000012da56000 CR4: 00000000003526b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	7d 7a                	jge    0x7c
   2:	c7 44 24 20 00 00 00 	movl   $0x0,0x20(%rsp)
   9:	00
   a:	be 04 00 00 00       	mov    $0x4,%esi
   f:	e8 f1 63 54 fc       	call   0xfc546405
  14:	4c 89 f7             	mov    %r14,%rdi
  17:	be 04 00 00 00       	mov    $0x4,%esi
  1c:	e8 e4 63 54 fc       	call   0xfc546405
  21:	8b 44 24 20          	mov    0x20(%rsp),%eax
  25:	b9 01 00 00 00       	mov    $0x1,%ecx
* 2a:	f0 0f b1 0b          	lock cmpxchg %ecx,(%rbx) <-- trapping instruction
  2e:	75 32                	jne    0x62
  30:	48 c7 04 24 0e 36 e0 	movq   $0x45e0360e,(%rsp)
  37:	45
  38:	4b c7 04 3c 00 00 00 	movq   $0x0,(%r12,%r15,1)
  3f:	00
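
Triage aid, added here and not part of syzbot or the kernel: the script below reads an excerpt of the report above (constructed inline; the lines the checks do not need were left out) and confirms that the three views of the fault agree, namely the KASAN "Write of size 4 at addr" line, CR2 in the register dump, and the register dereferenced by the trapping lock cmpxchg %ecx,(%rbx). It then names the first frame outside the KASAN and spinlock machinery (the function that dereferenced the pointer) and the first driver and Rust frames above it. The PAGE_SIZE threshold and the list of machinery path prefixes are assumptions of the script, not something the report states.

```python
"""Triage helper for a KASAN null-ptr-deref report paired with an x86-64 oops.
Added example, not syzbot or kernel code: it cross-checks the KASAN access line,
the register dump and the trapping instruction, then names the responsible frames.
"""
import re

# Constructed excerpt of the report on this page: KASAN header, its first
# call trace, the register dump and the marked disassembly line.
REPORT = """\
BUG: KASAN: null-ptr-deref in _raw_spin_lock+0x7f/0x120 kernel/locking/spinlock.c:154
Write of size 4 at addr 0000000000000080 by task kworker/1:2/305
Call Trace:
 <TASK>
 __dump_stack+0x21/0x30 lib/dump_stack.c:94
 kasan_report+0x163/0x1a0 mm/kasan/report.c:601
 check_region_inline mm/kasan/generic.c:-1 [inline]
 _raw_spin_lock+0x7f/0x120 kernel/locking/spinlock.c:154
 spin_lock include/linux/spinlock.h:351 [inline]
 d_delete+0x4a/0x120 fs/dcache.c:2398
 rust_binderfs_remove_file+0xec/0x110 drivers/android/binder/rust_binderfs.c:509
 <rust_binder::BinderfsProcFile as core::ops::drop::Drop>::drop drivers/android/binder/rust_binder.rs:627 [inline]
 <rust_binder::process::Process as kernel::workqueue::WorkItem>::run+0x9d4/0x2860 drivers/android/binder/process.rs:483
 process_one_work kernel/workqueue.c:3238 [inline]
 </TASK>
RIP: 0010:_raw_spin_lock+0x95/0x120 kernel/locking/spinlock.c:154
RAX: 0000000000000000 RBX: 0000000000000080 RCX: 0000000000000001
RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffffc9000b75f500
CR2: 0000000000000080 CR3: 000000012da56000 CR4: 00000000003526b0
Code disassembly (best guess):
* 2a:   f0 0f b1 0b             lock cmpxchg %ecx,(%rbx) <-- trapping instruction
"""

PAGE_SIZE = 4096  # assumption: x86-64 page size; KASAN reports a fault below it as null-ptr-deref

# Assumed prefixes of frames that belong to the instrumentation and lock machinery,
# not to the code that supplied the bad pointer.
MACHINERY = ("lib/dump_stack", "mm/kasan/", "kernel/locking/",
             "include/linux/spinlock", "include/linux/instrumented",
             "include/asm-generic/qspinlock", "include/linux/atomic/")

FRAME_RE = re.compile(r"^\s+(?P<func>.+?) (?P<loc>\S+:-?\d+)(?P<inline> \[inline\])?$")
REG_RE = re.compile(r"\b(?P<name>[A-Z][A-Z0-9]{1,2}): (?P<val>[0-9a-f]{16})\b")
TRAP_RE = re.compile(r"^\*\s+[0-9a-f]+:\s+(?:[0-9a-f]{2}\s+)+(?P<insn>.+?) <-- trapping instruction$", re.M)


def parse_access(report):
    """Kind, size, address and task from the KASAN 'Write of size N at addr ...' line."""
    m = re.search(r"^(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)$", report, re.M)
    return {"kind": m.group(1), "size": int(m.group(2)), "addr": int(m.group(3), 16), "task": m.group(4)}


def parse_registers(report):
    """General and control registers from the oops, as integers keyed by name."""
    return {m.group("name"): int(m.group("val"), 16) for m in REG_RE.finditer(report)}


def parse_frames(report):
    """Frames of the first <TASK> ... </TASK> block, innermost first."""
    body = re.search(r"<TASK>\n(.*?)</TASK>", report, re.S).group(1)
    return [{"func": m.group("func"), "loc": m.group("loc"), "inline": m.group("inline") is not None}
            for m in map(FRAME_RE.match, body.splitlines()) if m]


def trapping_instruction(report):
    """The marked instruction and the base register of its memory operand (None if none)."""
    insn = TRAP_RE.search(report).group("insn")
    mem = re.search(r"\(([^)]+)\)", insn)
    base = mem.group(1).split(",")[0].strip().lstrip("%").upper() if mem else None
    return insn, base


def triage(report):
    """Check that the three views of the fault agree and name the responsible frames."""
    access = parse_access(report)
    regs = parse_registers(report)
    insn, base = trapping_instruction(report)
    frames = parse_frames(report)
    views = {access["addr"], regs["CR2"], regs[base]}  # KASAN address, CR2, dereferenced register
    return {
        "access": access,
        "instruction": insn,
        "base_register": base,
        "addresses_agree": len(views) == 1,
        # A non-zero address below PAGE_SIZE is NULL plus a field offset: the pointer was NULL.
        "null_plus_offset": 0 < access["addr"] < PAGE_SIZE,
        "deref_frame": next(f for f in frames if not f["loc"].startswith(MACHINERY)),
        "driver_frame": next((f for f in frames if f["loc"].startswith("drivers/")), None),
        "rust_frame": next((f for f in frames if ".rs:" in f["loc"]), None),
    }


if __name__ == "__main__":
    t = triage(REPORT)
    a = t["access"]
    print(f"{a['kind']} of size {a['size']} at {a['addr']:#x} by {a['task']}")
    print(f"trap: {t['instruction']} via {t['base_register']}; views agree: {t['addresses_agree']}")
    print(f"NULL + field offset: {t['null_plus_offset']}")
    for key in ("deref_frame", "driver_frame", "rust_frame"):
        if t[key]:
            print(f"{key}: {t[key]['func']} {t[key]['loc']}")
```

On this report the script finds RBX, CR2 and the KASAN address all equal to 0x80, classifies the access as NULL plus a field offset rather than a freed or wild pointer, and points at d_delete fs/dcache.c:2398 as the dereferencing frame below rust_binderfs_remove_file and the BinderfsProcFile Drop impl. The same check is worth running on any null-ptr-deref before bisecting: if the register named by the trapping instruction does not match CR2, the "best guess" disassembly is mis-aligned and the culprit frame should not be trusted.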

Crashes (1):
Time:       2025/06/24 07:35
Kernel:     android16-6.12
Commit:     1d4f4d446dbd
Syzkaller:  e2f27c35
Config:     .config
Log:        console log
Report:     report
Syz repro:  -
C repro:    -
VM info:    info
Assets:     disk image, vmlinux, kernel image
Manager:    ci2-android-6-12-rust
Title:      KASAN: null-ptr-deref Write in d_delete