syzbot

 sign-in | mailing list | source | docs
🐞 Open [908]
🐞 Fixed [143]
🐞 Invalid [1101]
Missing Backports [73]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

KASAN: null-ptr-deref Write in f2fs_stop_gc_thread

Status: upstream: reported C repro on 2024/12/29 01:22
Bug presence: origin:lts-only
[Documentation on labels]
Reported-by: syzbot+e0b7d6e01c651364459a@syzkaller.appspotmail.com
First crash: 499d, last: 1d12h
Fix bisection: failed (error log, bisect log)
  
Bug presence (2)
Date Name Commit Repro Result
2025/01/06 linux-6.1.y (ToT) 7dc732d24ff7 C [report] KASAN: null-ptr-deref Write in f2fs_stop_gc_thread
2025/01/06 upstream (ToT) 9d89551994a4 C Didn't crash
Similar bugs (4)
Kernel Title Rank 🛈 Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-6-1 KASAN: null-ptr-deref Write in f2fs_stop_gc_thread origin:lts 12 C error 5 30d 301d 0/2 upstream: reported C repro on 2025/07/15 15:45
android-5-15 KASAN: null-ptr-deref Write in f2fs_stop_gc_thread origin:lts 12 C error 5 25d 301d 0/2 upstream: reported C repro on 2025/07/15 08:24
android-5-10 KASAN: null-ptr-deref Write in f2fs_stop_gc_thread 19 C 7 1d10h 405d 0/2 upstream: reported C repro on 2025/04/02 05:33
upstream KASAN: null-ptr-deref Write in f2fs_stop_gc_thread f2fs 22 C done 5 609d 656d 28/29 fixed on 2024/10/22 11:56
Fix bisection attempts (4)
Created Duration User Patch Repo Result
2025/10/27 02:12 2h36m fix candidate upstream OK (0) job log
2025/04/21 07:57 22m fix candidate upstream error job log
2025/02/10 05:52 1h13m fix candidate upstream error job log
2025/02/07 19:30 1h20m bisect fix linux-6.1.y error job log

Sample crash report:
==================================================================
BUG: KASAN: null-ptr-deref in instrument_atomic_read_write include/linux/instrumented.h:102 [inline]
BUG: KASAN: null-ptr-deref in atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:116 [inline]
BUG: KASAN: null-ptr-deref in __refcount_add include/linux/refcount.h:193 [inline]
BUG: KASAN: null-ptr-deref in __refcount_inc include/linux/refcount.h:250 [inline]
BUG: KASAN: null-ptr-deref in refcount_inc include/linux/refcount.h:267 [inline]
BUG: KASAN: null-ptr-deref in get_task_struct include/linux/sched/task.h:111 [inline]
BUG: KASAN: null-ptr-deref in kthread_stop+0x100/0x7f8 kernel/kthread.c:705
Write of size 4 at addr 0000000000000028 by task syz.2.133/5226

CPU: 0 PID: 5226 Comm: syz.2.133 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Call trace:
 dump_backtrace+0x1c0/0x1ec arch/arm64/kernel/stacktrace.c:158
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
 __dump_stack+0x30/0x40 lib/dump_stack.c:88
 dump_stack_lvl+0xf4/0x15c lib/dump_stack.c:106
 print_report+0x40/0x68 mm/kasan/report.c:423
 kasan_report+0xa8/0xfc mm/kasan/report.c:524
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x258/0x290 mm/kasan/generic.c:189
 __kasan_check_write+0x2c/0x3c mm/kasan/shadow.c:37
 instrument_atomic_read_write include/linux/instrumented.h:102 [inline]
 atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:116 [inline]
 __refcount_add include/linux/refcount.h:193 [inline]
 __refcount_inc include/linux/refcount.h:250 [inline]
 refcount_inc include/linux/refcount.h:267 [inline]
 get_task_struct include/linux/sched/task.h:111 [inline]
 kthread_stop+0x100/0x7f8 kernel/kthread.c:705
 f2fs_stop_gc_thread+0x70/0xc0 fs/f2fs/gc.c:209
 f2fs_ioc_shutdown fs/f2fs/file.c:2361 [inline]
 __f2fs_ioctl+0x78b4/0xb194 fs/f2fs/file.c:4373
 f2fs_ioctl+0x130/0x1a0 fs/f2fs/file.c:4454
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:870 [inline]
 __se_sys_ioctl fs/ioctl.c:856 [inline]
 __arm64_sys_ioctl+0x14c/0x1c8 fs/ioctl.c:856
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2b4 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
 do_el0_svc+0x58/0x130 arch/arm64/kernel/syscall.c:204
 el0_svc+0x58/0x128 arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
==================================================================
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000028
Mem abort info:
  ESR = 0x0000000096000006
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x06: level 2 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000006
  CM = 0, WnR = 0
user pgtable: 4k pages, 48-bit VAs, pgdp=00000001062c7000
[0000000000000028] pgd=0800000119d1f003, p4d=0800000119d1f003, pud=080000010c1de003, pmd=0000000000000000
Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 5226 Comm: syz.2.133 Tainted: G    B              syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
pstate: 82400005 (Nzcv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=--)
pc : __lse_atomic_fetch_add_relaxed arch/arm64/include/asm/atomic_lse.h:62 [inline]
pc : arch_atomic_fetch_add_relaxed arch/arm64/include/asm/atomic.h:49 [inline]
pc : atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:117 [inline]
pc : __refcount_add include/linux/refcount.h:193 [inline]
pc : __refcount_inc include/linux/refcount.h:250 [inline]
pc : refcount_inc include/linux/refcount.h:267 [inline]
pc : get_task_struct include/linux/sched/task.h:111 [inline]
pc : kthread_stop+0x10c/0x7f8 kernel/kthread.c:705
lr : __lse_atomic_fetch_add_relaxed arch/arm64/include/asm/atomic_lse.h:62 [inline]
lr : arch_atomic_fetch_add_relaxed arch/arm64/include/asm/atomic.h:49 [inline]
lr : atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:117 [inline]
lr : __refcount_add include/linux/refcount.h:193 [inline]
lr : __refcount_inc include/linux/refcount.h:250 [inline]
lr : refcount_inc include/linux/refcount.h:267 [inline]
lr : get_task_struct include/linux/sched/task.h:111 [inline]
lr : kthread_stop+0x108/0x7f8 kernel/kthread.c:705
sp : ffff8000249d7720
x29: ffff8000249d7720 x28: ffff8000249d7960 x27: dfff800000000000
x26: 1fffe0001b88f000 x25: 0000000000400140 x24: 0000000000000000
x23: dfff800000000000 x22: dfff800000000000 x21: 0000000000000028
x20: 0000000000000001 x19: 0000000000000000 x18: ffff800011b9bf60
x17: 1fffe00033ea637e x16: ffff80000804309c x15: 0000000040000000
x14: 0000000000000001 x13: 1ffff00002fc1d6c x12: 0000000000ff0100
x11: ff00800008219508 x10: 0000000000000000 x9 : ffff800008219508
x8 : 0000000000000001 x7 : 0000000000000004 x6 : ffff800008257984
x5 : 0000000000000000 x4 : 0000000000000001 x3 : ffff800008193d18
x2 : 0000000000000001 x1 : 0000000000000000 x0 : 0000000000000000
Call trace:
 __lse_atomic_fetch_add_relaxed arch/arm64/include/asm/atomic_lse.h:-1 [inline]
 arch_atomic_fetch_add_relaxed arch/arm64/include/asm/atomic.h:49 [inline]
 atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:117 [inline]
 __refcount_add include/linux/refcount.h:193 [inline]
 __refcount_inc include/linux/refcount.h:250 [inline]
 refcount_inc include/linux/refcount.h:267 [inline]
 get_task_struct include/linux/sched/task.h:111 [inline]
 kthread_stop+0x10c/0x7f8 kernel/kthread.c:705
 f2fs_stop_gc_thread+0x70/0xc0 fs/f2fs/gc.c:209
 f2fs_ioc_shutdown fs/f2fs/file.c:2361 [inline]
 __f2fs_ioctl+0x78b4/0xb194 fs/f2fs/file.c:4373
 f2fs_ioctl+0x130/0x1a0 fs/f2fs/file.c:4454
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:870 [inline]
 __se_sys_ioctl fs/ioctl.c:856 [inline]
 __arm64_sys_ioctl+0x14c/0x1c8 fs/ioctl.c:856
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2b4 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
 do_el0_svc+0x58/0x130 arch/arm64/kernel/syscall.c:204
 el0_svc+0x58/0x128 arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
Code: 941b391d d503201f 940a4845 52800028 (b82802b4) 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	941b391d 	bl	0x6ce474
   4:	d503201f 	nop
   8:	940a4845 	bl	0x29211c
   c:	52800028 	mov	w8, #0x1                   	// #1
* 10:	b82802b4 	ldadd	w8, w20, [x21] <-- trapping instruction

Crashes (13):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2026/05/11 04:35 linux-6.1.y 128a674368bf 29233ece .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] ci2-linux-6-1-kasan-arm64 KASAN: null-ptr-deref Write in f2fs_stop_gc_thread
2024/12/30 23:02 linux-6.1.y 563edd786f0a d3ccff63 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-6-1-kasan-arm64 KASAN: null-ptr-deref Write in f2fs_stop_gc_thread
2024/12/30 18:34 linux-6.1.y 563edd786f0a d3ccff63 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-6-1-kasan-arm64 KASAN: null-ptr-deref Write in f2fs_stop_gc_thread
2024/12/30 12:58 linux-6.1.y 563edd786f0a d3ccff63 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-6-1-kasan-arm64 KASAN: null-ptr-deref Write in f2fs_stop_gc_thread
2024/12/30 06:35 linux-6.1.y 563edd786f0a d3ccff63 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-6-1-kasan-arm64 KASAN: null-ptr-deref Write in f2fs_stop_gc_thread
2024/12/30 02:02 linux-6.1.y 563edd786f0a d3ccff63 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2] ci2-linux-6-1-kasan-arm64 KASAN: null-ptr-deref Write in f2fs_stop_gc_thread
2024/12/29 19:18 linux-6.1.y 563edd786f0a d3ccff63 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-6-1-kasan-arm64 KASAN: null-ptr-deref Write in f2fs_stop_gc_thread
2024/12/29 16:23 linux-6.1.y 563edd786f0a d3ccff63 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-6-1-kasan-arm64 KASAN: null-ptr-deref Write in f2fs_stop_gc_thread
2024/12/29 09:55 linux-6.1.y 563edd786f0a d3ccff63 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-6-1-kasan-arm64 KASAN: null-ptr-deref Write in f2fs_stop_gc_thread
2024/12/29 05:08 linux-6.1.y 563edd786f0a d3ccff63 .config console log report syz / log [disk image] [vmlinux] [kernel image] [mounted in repro] ci2-linux-6-1-kasan-arm64 KASAN: null-ptr-deref Write in f2fs_stop_gc_thread
2026/05/11 03:39 linux-6.1.y 128a674368bf 29233ece .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 KASAN: null-ptr-deref Write in f2fs_stop_gc_thread
2026/05/11 03:37 linux-6.1.y 128a674368bf 29233ece .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 KASAN: null-ptr-deref Write in f2fs_stop_gc_thread
2024/12/29 01:21 linux-6.1.y 563edd786f0a d3ccff63 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 KASAN: null-ptr-deref Write in f2fs_stop_gc_thread
* Struck through repros no longer work on HEAD.