On Wed, Sep 25, 2024 at 11:50:17AM -0400, reveliofuzzing wrote:
> Hello,
>
> We found the following error when fuzzing^1 the Linux kernel 6.10 and
> we are able
> to reproduce it.

Must be nice, seeing that the rest of us are only given something that
needs syzbot (presumably with your modifications) to translate into
usable C.

[snip "dangling struct filename on return from mkdir()"]

> - reproducer
> syz_genetlink_get_family_id$mptcp(0x0, 0xffffffffffffffff)
> syz_open_dev$usbmon(&(0x7f00000004c0), 0x0, 0x0)
> setxattr$trusted_overlay_opaque(0x0, 0x0, 0x0, 0x0, 0x0)
> socket$nl_generic(0x10, 0x3, 0x10)
> openat$null(0xffffffffffffff9c, &(0x7f0000001180), 0x0, 0x0)
> r0 = openat$urandom(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0)
> read(r0, &(0x7f0000000000), 0x2000)
> shutdown(0xffffffffffffffff, 0x0)
> r1 = syz_open_dev$sg(&(0x7f0000000040), 0x0, 0x0)

Seeing that nothing in that, as far as I can parse the damn language,
should go anywhere near mkdir(), I suspect that you are seeing a memory
corruption from something that reproducer is actually doing.

And IIRC there had been a bunch of reports from you lately, all with
similar reproducers and with rather varied symptoms, which makes memory
corruptor triggering crap in whatever code that might step on the
buggered data structures afterwards.

Hard to tell anything beyond that without something one could actually
run...