syzbot


UBSAN: array-index-out-of-bounds in dtDelete

Status: upstream: reported C repro on 2025/03/18 19:54
Subsystems: jfs
Reported-by: syzbot+4f9c823a6f63d87491ba@syzkaller.appspotmail.com
First crash: 455d, last: 88d
AI Jobs (4)
ID | Workflow | Result | Correct | Bug | Created | Started | Finished | Revision
bb71c57d-2c7e-4fd9-992f-bc6ef919a78e | assessment-security | 💥 | | UBSAN: array-index-out-of-bounds in dtDelete | 2026/06/09 23:19 | 2026/06/09 23:19 | 2026/06/09 23:47 | c36c07f6c1f2230a36374cbd22235f635e8f9284
  Error: failed to run ["make" "KERNELVERSION=syzkaller" "KERNELRELEASE=syzkaller" "LOCALVERSION=-syzkaller" "-j" "32" "ARCH=x86_64" "CC=ccache clang" "LD=ld.lld" "O=/app/workdir/cache/build/c10762ce8b6c6b88435c2255d2d0d249f4a1a18f" "-s" "bzImage" "compile_commands.json"]: exit status 2
  Root cause: ld.lld: error: undefined symbol: wcslen
  Remaining build output (kconfig "Restart config" prompts, cut off at "(NE"):
  * * Restart config... * * * General setup * Compile also drivers which will not load (COMPILE_TEST) [N/y/?] n Compile the kernel with warnings as errors (WERROR) [N/y/?] n Local version - append to kernel release (LOCALVERSION) [] Automatically append version information to the version string (LOCALVERSION_AUTO) [Y/n/?] y Build ID Salt (BUILD_SALT) [] Kernel compression mode > 1. Gzip (KERNEL_GZIP) 2. Bzip2 (KERNEL_BZIP2) 3. LZMA (KERNEL_LZMA) 4. XZ (KERNEL_XZ) 5. LZO (KERNEL_LZO) 6. LZ4 (KERNEL_LZ4) 7. ZSTD (KERNEL_ZSTD) choice[1-7?]: 1 Default init path (DEFAULT_INIT) [] Default hostname (DEFAULT_HOSTNAME) [(none)] (none) System V IPC (SYSVIPC) [Y/n/?] y POSIX Message Queues (POSIX_MQUEUE) [Y/n/?] y General notification queue (WATCH_QUEUE) [Y/n/?] y Enable process_vm_readv/writev syscalls (CROSS_MEMORY_ATTACH) [Y/n/?] y uselib syscall (for libc5 and earlier) (USELIB) [N/y/?] n Auditing support (AUDIT) [Y/?] y Preemption Model 1. No Forced Preemption (Server) (PREEMPT_NONE) 2. Voluntary Kernel Preemption (Desktop) (PREEMPT_VOLUNTARY) > 3. Preemptible Kernel (Low-Latency Desktop) (PREEMPT) 4. Scheduler controlled preemption model (PREEMPT_LAZY) choice[1-4?]: 3 Fully Preemptible Kernel (Real-Time) (PREEMPT_RT) [N/y/?] n Preemption behaviour defined on boot (PREEMPT_DYNAMIC) [Y/n/?] y Core Scheduling for SMT (SCHED_CORE) [Y/n/?] y CPU isolation (CPU_ISOLATION) [Y/n/?] y Kernel .config support (IKCONFIG) [Y/n/m/?] y Enable access to .config through /proc/config.gz (IKCONFIG_PROC) [Y/n/?] y Enable kernel headers through /sys/kernel/kheaders.tar.xz (IKHEADERS) [N/m/y/?] n Kernel log buffer size (16 => 64KB, 17 => 128KB) (LOG_BUF_SHIFT) [18] 18 CPU kernel log buffer size contribution (13 => 8 KB, 17 => 128KB) (LOG_CPU_MAX_BUF_SHIFT) [12] 12 Printk indexing debugfs interface (PRINTK_INDEX) [N/y/?] n Memory placement aware NUMA scheduler (NUMA_BALANCING) [Y/n/?] y Automatically enable NUMA aware memory/task placement (NUMA_BALANCING_DEFAULT_ENABLED) [Y/n/?] y Checkpoint/restore support (CHECKPOINT_RESTORE) [Y/n/?] y Automatic process group scheduling (SCHED_AUTOGROUP) [N/y/?] n Kernel->user space relay support (formerly relayfs) (RELAY) [Y/?] y Initial RAM filesystem and RAM disk (initramfs/initrd) support (BLK_DEV_INITRD) [Y/n/?] y Initramfs source file(s) (INITRAMFS_SOURCE) [] Support initial ramdisk/ramfs compressed using gzip (RD_GZIP) [Y/n/?] y Support initial ramdisk/ramfs compressed using bzip2 (RD_BZIP2) [Y/n/?] y Support initial ramdisk/ramfs compressed using LZMA (RD_LZMA) [Y/n/?] y Support initial ramdisk/ramfs compressed using XZ (RD_XZ) [Y/n/?] y Support initial ramdisk/ramfs compressed using LZO (RD_LZO) [Y/n/?] y Support initial ramdisk/ramfs compressed using LZ4 (RD_LZ4) [Y/n/?] y Support initial ramdisk/ramfs compressed using ZSTD (RD_ZSTD) [Y/n/?] y Boot config support (BOOT_CONFIG) [N/y/?] n Preserve cpio archive mtimes in initramfs (INITRAMFS_PRESERVE_MTIME) [Y/n/?] y Compiler optimization level > 1. Optimize for performance (-O2) (CC_OPTIMIZE_FOR_PERFORMANCE) 2. Optimize for size (-Os) (CC_OPTIMIZE_FOR_SIZE) choice[1-2?]: 1 Enable madvise/fadvise syscalls (ADVISE_SYSCALLS) [Y/n/?] y Enable membarrier() system call (MEMBARRIER) [Y/?] y Enable kcmp() system call (KCMP) [Y/?] y Enable rseq() system call (RSEQ) [Y/n/?] y Enable debugging of rseq() system call (DEBUG_RSEQ) [N/y/?] n Enable cachestat() system call (CACHESTAT_SYSCALL) [Y/n/?] y PC/104 support (PC104) [N/y/?] n Load all symbols for debugging/ksymoops (KALLSYMS) [Y/?] y Test the basic functions and performance of kallsyms (KALLSYMS_SELFTEST) [N/y/?] n Include all symbols in kallsyms (KALLSYMS_ALL) [Y/?] y Profiling support (PROFILING) [Y/n/?] y Rust support (RUST) [N/y/?] (NE
a456529c-e797-4551-8fdb-f7cc9005414d | assessment-security | 💥 | | UBSAN: array-index-out-of-bounds in dtDelete | 2026/06/04 01:05 | 2026/06/04 01:05 | 2026/06/04 01:25 | 62fe15281f5011cd203d8845b8767b10e7443aa5
  Error: same make failure as the job above (same command line, exit status 2); Root cause: ld.lld: error: undefined symbol: wcslen. The kconfig prompt output that follows is identical to the job above and is cut off at the same point.
5c9073d6-d8ef-42fe-8775-00868c97e7ef | assessment-security | 💥 | | UBSAN: array-index-out-of-bounds in dtDelete | 2026/06/01 08:23 | 2026/06/01 08:23 | 2026/06/01 08:57 | 6b4a844333e83556da95d61d7f207e7ef5cd4bc6
  Error: same make failure as the first job above (same command line, exit status 2); Root cause: ld.lld: error: undefined symbol: wcslen. The kconfig prompt output that follows is identical to the first job above and is cut off at the same point.
07139ebd-2ec3-450d-b55f-ee4011de0961 | assessment-security | 💥 | | UBSAN: array-index-out-of-bounds in dtDelete | 2026/05/15 10:47 | 2026/05/15 10:47 | 2026/05/15 10:48 | 9cd3beaadf14b3a22d15fd97a0bf081ee41ebe01
  Error: failed to run ["git" "pull" "origin" "HEAD" "--depth=1" "--allow-unrelated-histories"]: exit status 1
  fatal: write error: No space left on device
  fatal: fetch-pack: invalid index-pack output
Discussions (4)
Title | Replies (including bot) | Last reply
[PATCH] jfs: Add check for array bounds in dtDelete | 1 (1) | 2025/09/19 22:50
[syzbot] [jfs?] UBSAN: array-index-out-of-bounds in dtDelete | 0 (3) | 2025/09/19 15:23
[PATCH] jfs: Add check for array bounds in dtDelete | 1 (2) | 2025/09/18 21:27
Re: [syzbot] [jfs?] UBSAN: array-index-out-of-bounds in dtDelete | 1 (2) | 2025/03/19 02:43
Last patch testing requests (11)
Created | Duration | User | Patch | Repo | Result
2026/05/26 00:51 | 23m | retest | repro | upstream | log
2026/03/16 23:51 | 19m | retest | repro | upstream | report log
2026/01/05 23:21 | 14m | retest | repro | upstream | report log
2025/10/27 22:44 | 8m | retest | repro | upstream | report log
2025/09/19 15:23 | 20m | pedrodemargomes@gmail.com | patch | upstream | OK log
2025/09/18 21:11 | 14m | pedrodemargomes@gmail.com | patch | upstream | report log
2025/08/18 22:25 | 15m | retest | repro | upstream | report log
2025/06/09 21:58 | 17m | retest | repro | upstream | report log
2025/04/18 03:25 | 21m | richard120310@gmail.com | patch | git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git e3a854b577cb | report log
2025/03/28 21:57 | 16m | retest | repro | upstream | report log
2025/03/19 02:26 | 16m | leo.fthirata@gmail.com | patch | upstream | report log

Sample crash report:
loop0: detected capacity change from 0 to 32768
------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dtree.c:2132:32
index 240 is out of range for type 'struct dtslot[128]'
CPU: 0 UID: 0 PID: 5303 Comm: syz-executor483 Not tainted 6.14.0-rc6-syzkaller-00115-ge3a854b577cb #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 ubsan_epilogue lib/ubsan.c:231 [inline]
 __ubsan_handle_out_of_bounds+0x121/0x150 lib/ubsan.c:429
 dtDelete+0x2d67/0x2db0 fs/jfs/jfs_dtree.c:2132
 jfs_rename+0xf91/0x1bf0 fs/jfs/namei.c:1239
 vfs_rename+0xbdb/0xf00 fs/namei.c:5069
 do_renameat2+0xd94/0x13f0 fs/namei.c:5226
 __do_sys_rename fs/namei.c:5273 [inline]
 __se_sys_rename fs/namei.c:5271 [inline]
 __x64_sys_rename+0x82/0x90 fs/namei.c:5271
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fc873bc9bb9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff24dc46e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000052
RAX: ffffffffffffffda RBX: 0000400000000e00 RCX: 00007fc873bc9bb9
RDX: 00007fc873bc9bb9 RSI: 0000400000000f40 RDI: 0000400000000300
RBP: 00007fc873c42610 R08: 00007fff24dc48b8 R09: 00007fff24dc48b8
R10: 00007fff24dc48b8 R11: 0000000000000246 R12: 0000000000000001
R13: 00007fff24dc48a8 R14: 0000000000000001 R15: 0000000000000001
 </TASK>
---[ end trace ]---
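What the report above shows is a slot number of 240 being used to index a `struct dtslot[128]` array inside dtDelete, reached through rename(2) on a filesystem image the crashes table marks as "mounted in repro (corrupt fs)". Both the entry count of a directory page and the slot number of every entry are read from disk, so a crafted image controls both; the check a reviewer expects is that each is bounded before it is used as an array index. The following is an added example and not the kernel's code nor any of the patches listed on this page: the page layout is a simplified model (an assumption), the 32-byte slot size is assumed and does not affect the check, and only DTPAGEMAXSLOT = 128 is taken from the UBSAN message.

```c
/*
 * Added example, not kernel code: validate a JFS directory page's slot
 * table (stbl) before using its entries to index slot[].
 * The page layout below is a simplified model (assumption); only
 * DTPAGEMAXSLOT = 128 is taken from the UBSAN message ('struct dtslot[128]').
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DTPAGEMAXSLOT 128           /* slots per directory page */

struct dtslot {                     /* slot contents are irrelevant to the check */
    uint8_t raw[32];                /* 32-byte slot, an assumption of this model */
};

/* Simplified non-root directory page: an entry count, a sorted table of
 * slot numbers, and the slot array itself. All three come from disk. */
struct dtpage {
    int nextindex;                  /* number of entries in use */
    uint8_t stbl[DTPAGEMAXSLOT];    /* entry i lives in slot[stbl[i]] */
    struct dtslot slot[DTPAGEMAXSLOT];
};

/*
 * Visit the entries from 'index' to the end of the page, the access
 * pattern the report shows in dtDelete, but refuse any slot number
 * outside slot[0..DTPAGEMAXSLOT-1] instead of dereferencing it.
 * Returns the number of entries visited, or -EIO for a corrupt page.
 */
int walk_entries_checked(const struct dtpage *p, int index)
{
    /* the entry count is on-disk data too: bound it before the loop */
    if (index < 0 || p->nextindex < 0 || p->nextindex > DTPAGEMAXSLOT)
        return -EIO;

    int visited = 0;
    for (int i = index; i < p->nextindex; i++) {
        unsigned int s = p->stbl[i];
        if (s >= DTPAGEMAXSLOT)     /* the missing check: 240 >= 128 */
            return -EIO;
        const struct dtslot *e = &p->slot[s];   /* in range, safe to use */
        (void)e;
        visited++;
    }
    return visited;
}

/* Constructed page: five entries, the fourth pointing at slot 240 as in the report. */
void make_corrupt_page(struct dtpage *p)
{
    memset(p, 0, sizeof(*p));
    p->nextindex = 5;
    for (int i = 0; i < p->nextindex; i++)
        p->stbl[i] = (uint8_t)(i + 1);
    p->stbl[3] = 240;
}

/* Constructed page: five entries, all slot numbers in range. */
void make_valid_page(struct dtpage *p)
{
    memset(p, 0, sizeof(*p));
    p->nextindex = 5;
    for (int i = 0; i < p->nextindex; i++)
        p->stbl[i] = (uint8_t)(i + 1);
}

/* Constructed page: entry count larger than the page can hold. */
void make_oversized_page(struct dtpage *p)
{
    memset(p, 0, sizeof(*p));
    p->nextindex = DTPAGEMAXSLOT + 1;
}

int main(void)
{
    struct dtpage p;

    make_corrupt_page(&p);
    printf("corrupt stbl:  rc=%d\n", walk_entries_checked(&p, 0));
    make_oversized_page(&p);
    printf("bad nextindex: rc=%d\n", walk_entries_checked(&p, 0));
    make_valid_page(&p);
    printf("valid page:    visited %d entries from index 2\n",
           walk_entries_checked(&p, 2));
    return 0;
}
```

Returning -EIO and leaving the page untouched is the usual response to a corrupt on-disk structure in a filesystem; the same validation belongs in every path that reads a slot number from the stbl, not only in the delete path the report happened to hit, because the rename in the trace is just one of several callers that walk the same table.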

Crashes (5):
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title
2025/03/14 21:42 | upstream | e3a854b577cb | e2826670 | .config | console log | report | syz / log | C | | [disk image (non-bootable)] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] | ci-snapshot-upstream-root | UBSAN: array-index-out-of-bounds in dtDelete
2025/11/20 21:16 | upstream | 8e621c9a3375 | 2cc4c24a | .config | console log | report | | | | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-snapshot-upstream-root | UBSAN: array-index-out-of-bounds in dtDelete
2025/05/26 21:41 | upstream | 0ff41df1cb26 | 06877188 | .config | console log | report | | | | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-snapshot-upstream-root | UBSAN: array-index-out-of-bounds in dtDelete
2025/04/21 01:39 | upstream | 6fea5fabd332 | 2a20f901 | .config | console log | report | | | | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-snapshot-upstream-root | UBSAN: array-index-out-of-bounds in dtDelete
2025/03/14 19:51 | upstream | e3a854b577cb | e2826670 | .config | console log | report | | | | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-snapshot-upstream-root | UBSAN: array-index-out-of-bounds in dtDelete
* Struck through repros no longer work on HEAD.