From: syzbot ci <syzbot+ciaf5532c890030251@syzkaller.appspotmail.com>
To: agruenba@redhat.com, aivazian.tigran@gmail.com,
almaz.alexandrovich@paragon-software.com, axboe@kernel.dk,
bcrl@kvack.org, brauner@kernel.org, david@kernel.org,
dsterba@suse.com, gfs2@lists.linux.dev,
hirofumi@mail.parknet.co.jp, jack@suse.cz, jlbec@evilplan.org,
joseph.qi@linux.alibaba.com, linux-aio@kvack.org,
linux-block@vger.kernel.org, linux-ext4@vger.kernel.org,
linux-fsdevel@vger.kernel.org, linux-mm@kvack.org,
muchun.song@linux.dev, ntfs3@lists.linux.dev,
ocfs2-devel@lists.linux.dev, osalvador@suse.de, tytso@mit.edu,
viro@zeniv.linux.org.uk
Cc: syzbot@lists.linux.dev, syzkaller-bugs@googlegroups.com
Subject: [syzbot ci] Re: fs: Move metadata bh tracking from address_space
Date: Tue, 03 Mar 2026 15:35:35 -0800
Message-ID: <69a77047.050a0220.21ae90.0011.GAE@google.com>
In-Reply-To: <20260303101717.27224-1-jack@suse.cz>
syzbot ci has tested the following series
[v1] fs: Move metadata bh tracking from address_space
https://lore.kernel.org/all/20260303101717.27224-1-jack@suse.cz
* [PATCH 01/32] fat: Sync and invalidate metadata buffers from fat_evict_inode()
* [PATCH 02/32] udf: Sync and invalidate metadata buffers from udf_evict_inode()
* [PATCH 03/32] minix: Sync and invalidate metadata buffers from minix_evict_inode()
* [PATCH 04/32] ext2: Sync and invalidate metadata buffers from ext2_evict_inode()
* [PATCH 05/32] ext4: Sync and invalidate metadata buffers from ext4_evict_inode()
* [PATCH 06/32] ext4: Use inode_has_buffers()
* [PATCH 07/32] bfs: Sync and invalidate metadata buffers from bfs_evict_inode()
* [PATCH 08/32] affs: Sync and invalidate metadata buffers from affs_evict_inode()
* [PATCH 09/32] fs: Ignore inode metadata buffers in inode_lru_isolate()
* [PATCH 10/32] fs: Stop using i_private_data for metadata bh tracking
* [PATCH 11/32] gfs2: Don't zero i_private_data
* [PATCH 12/32] hugetlbfs: Stop using i_private_data
* [PATCH 13/32] aio: Stop using i_private_data and i_private_lock
* [PATCH 14/32] fs: Remove i_private_data
* [PATCH 15/32] fs: Drop osync_buffers_list()
* [PATCH 16/32] fs: Fold fsync_buffers_list() into sync_mapping_buffers()
* [PATCH 17/32] fs: Move metadata bhs tracking to a separate struct
* [PATCH 18/32] fs: Provide operation for fetching mapping_metadata_bhs
* [PATCH 19/32] ntfs3: Drop pointless sync_mapping_buffers() call
* [PATCH 20/32] ocfs2: Drop pointless sync_mapping_buffers() calls
* [PATCH 21/32] bdev: Drop pointless invalidate_mapping_buffers() call
* [PATCH 22/32] fs: Switch inode_has_buffers() to take mapping_metadata_bhs
* [PATCH 23/32] ext2: Track metadata bhs in fs-private inode part
* [PATCH 24/32] affs: Track metadata bhs in fs-private inode part
* [PATCH 25/32] bfs: Track metadata bhs in fs-private inode part
* [PATCH 26/32] fat: Track metadata bhs in fs-private inode part
* [PATCH 27/32] udf: Track metadata bhs in fs-private inode part
* [PATCH 28/32] minix: Track metadata bhs in fs-private inode part
* [PATCH 29/32] ext4: Track metadata bhs in fs-private inode part
* [PATCH 30/32] vfs: Drop mapping_metadata_bhs from address space
* [PATCH 31/32] kvm: Use private inode list instead of i_private_list
* [PATCH 32/32] fs: Drop i_private_list from address_space
and found the following issues:
* BUG: spinlock bad magic in region_del
* KASAN: slab-use-after-free Read in region_del
* general protection fault in mark_buffer_dirty_inode
Full report is available here:
https://ci.syzbot.org/series/3cf14b16-7f50-44ce-9f95-8ac4b86cf294
***
BUG: spinlock bad magic in region_del
tree: mm-new
URL: https://kernel.googlesource.com/pub/scm/linux/kernel/git/akpm/mm.git
base: f50c6ce7bf30099042dac755fbd1e97da456f5ec
arch: amd64
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
config: https://ci.syzbot.org/builds/e716ec88-6c00-48e7-868d-3f4cb3999d4b/config
syz repro: https://ci.syzbot.org/findings/0d1bc933-ce69-432e-a2d5-b2411fe4cfec/syz_repro
BUG: spinlock bad magic on CPU#0, syz.0.151/6273
lock: 0xffff8881165dc808, .magic: 00000000, .owner: <none>/-1, .owner_cpu: 0
CPU: 0 UID: 0 PID: 6273 Comm: syz.0.151 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
spin_bug kernel/locking/spinlock_debug.c:78 [inline]
debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline]
do_raw_spin_lock+0x1e5/0x2f0 kernel/locking/spinlock_debug.c:115
spin_lock include/linux/spinlock.h:341 [inline]
region_del+0xbe/0x950 mm/hugetlb.c:863
hugetlb_unreserve_pages+0xfa/0x230 mm/hugetlb.c:6757
remove_inode_hugepages+0x1036/0x11a0 fs/hugetlbfs/inode.c:613
hugetlbfs_evict_inode+0xaf/0x260 fs/hugetlbfs/inode.c:623
evict+0x61e/0xb10 fs/inode.c:841
__dentry_kill+0x1a2/0x5e0 fs/dcache.c:670
finish_dput+0xc9/0x480 fs/dcache.c:879
do_one_tree fs/dcache.c:1657 [inline]
shrink_dcache_for_umount+0xe1/0x1f0 fs/dcache.c:1671
generic_shutdown_super+0x6f/0x2d0 fs/super.c:624
kill_anon_super+0x3b/0x70 fs/super.c:1292
deactivate_locked_super+0xbc/0x130 fs/super.c:476
cleanup_mnt+0x437/0x4d0 fs/namespace.c:1312
task_work_run+0x1d9/0x270 kernel/task_work.c:233
exit_task_work include/linux/task_work.h:40 [inline]
do_exit+0x69b/0x2320 kernel/exit.c:971
do_group_exit+0x21b/0x2d0 kernel/exit.c:1112
get_signal+0x1284/0x1330 kernel/signal.c:3034
arch_do_signal_or_restart+0xbc/0x830 arch/x86/kernel/signal.c:337
__exit_to_user_mode_loop kernel/entry/common.c:64 [inline]
exit_to_user_mode_loop+0x86/0x480 kernel/entry/common.c:98
__exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:325 [inline]
do_syscall_64+0x32d/0xf80 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6e0f19c799
Code: Unable to access opcode bytes at 0x7f6e0f19c76f.
RSP: 002b:00007f6e101360e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007f6e0f415fa8 RCX: 00007f6e0f19c799
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f6e0f415fa8
RBP: 00007f6e0f415fa0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f6e0f416038 R14: 00007fff1de1a520 R15: 00007fff1de1a608
</TASK>
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 UID: 0 PID: 6273 Comm: syz.0.151 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:region_del+0x108/0x950 mm/hugetlb.c:864
Code: 24 20 49 29 c4 4c 03 23 48 89 03 48 8b 5c 24 40 4c 39 eb 0f 84 64 05 00 00 e8 74 c0 9c ff 4c 89 64 24 10 49 89 df 49 c1 ef 03 <41> 80 3c 2f 00 74 08 48 89 df e8 b9 d8 06 00 48 8b 03 48 89 44 24
RSP: 0018:ffffc90003b17330 EFLAGS: 00010246
RAX: a69e65823ec40000 RBX: 0000000000000000 RCX: 0000000000000001
RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffffc90003b172a0
RBP: dffffc0000000000 R08: 0000000000000003 R09: 0000000000000004
R10: dffffc0000000000 R11: fffff52000762e54 R12: 0000000000000000
R13: ffff8881165dc848 R14: 1ffff11022cbb909 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff88818de67000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc23744ea7c CR3: 000000000e54c000 CR4: 00000000000006f0
Call Trace:
<TASK>
hugetlb_unreserve_pages+0xfa/0x230 mm/hugetlb.c:6757
remove_inode_hugepages+0x1036/0x11a0 fs/hugetlbfs/inode.c:613
hugetlbfs_evict_inode+0xaf/0x260 fs/hugetlbfs/inode.c:623
evict+0x61e/0xb10 fs/inode.c:841
__dentry_kill+0x1a2/0x5e0 fs/dcache.c:670
finish_dput+0xc9/0x480 fs/dcache.c:879
do_one_tree fs/dcache.c:1657 [inline]
shrink_dcache_for_umount+0xe1/0x1f0 fs/dcache.c:1671
generic_shutdown_super+0x6f/0x2d0 fs/super.c:624
kill_anon_super+0x3b/0x70 fs/super.c:1292
deactivate_locked_super+0xbc/0x130 fs/super.c:476
cleanup_mnt+0x437/0x4d0 fs/namespace.c:1312
task_work_run+0x1d9/0x270 kernel/task_work.c:233
exit_task_work include/linux/task_work.h:40 [inline]
do_exit+0x69b/0x2320 kernel/exit.c:971
do_group_exit+0x21b/0x2d0 kernel/exit.c:1112
get_signal+0x1284/0x1330 kernel/signal.c:3034
arch_do_signal_or_restart+0xbc/0x830 arch/x86/kernel/signal.c:337
__exit_to_user_mode_loop kernel/entry/common.c:64 [inline]
exit_to_user_mode_loop+0x86/0x480 kernel/entry/common.c:98
__exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:325 [inline]
do_syscall_64+0x32d/0xf80 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6e0f19c799
Code: Unable to access opcode bytes at 0x7f6e0f19c76f.
RSP: 002b:00007f6e101360e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007f6e0f415fa8 RCX: 00007f6e0f19c799
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f6e0f415fa8
RBP: 00007f6e0f415fa0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f6e0f416038 R14: 00007fff1de1a520 R15: 00007fff1de1a608
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:region_del+0x108/0x950 mm/hugetlb.c:864
Code: 24 20 49 29 c4 4c 03 23 48 89 03 48 8b 5c 24 40 4c 39 eb 0f 84 64 05 00 00 e8 74 c0 9c ff 4c 89 64 24 10 49 89 df 49 c1 ef 03 <41> 80 3c 2f 00 74 08 48 89 df e8 b9 d8 06 00 48 8b 03 48 89 44 24
RSP: 0018:ffffc90003b17330 EFLAGS: 00010246
RAX: a69e65823ec40000 RBX: 0000000000000000 RCX: 0000000000000001
RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffffc90003b172a0
RBP: dffffc0000000000 R08: 0000000000000003 R09: 0000000000000004
R10: dffffc0000000000 R11: fffff52000762e54 R12: 0000000000000000
R13: ffff8881165dc848 R14: 1ffff11022cbb909 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff88818de67000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc23744ea7c CR3: 000000000e54c000 CR4: 00000000000006f0
----------------
Code disassembly (best guess):
0: 24 20 and $0x20,%al
2: 49 29 c4 sub %rax,%r12
5: 4c 03 23 add (%rbx),%r12
8: 48 89 03 mov %rax,(%rbx)
b: 48 8b 5c 24 40 mov 0x40(%rsp),%rbx
10: 4c 39 eb cmp %r13,%rbx
13: 0f 84 64 05 00 00 je 0x57d
19: e8 74 c0 9c ff call 0xff9cc092
1e: 4c 89 64 24 10 mov %r12,0x10(%rsp)
23: 49 89 df mov %rbx,%r15
26: 49 c1 ef 03 shr $0x3,%r15
* 2a: 41 80 3c 2f 00 cmpb $0x0,(%r15,%rbp,1) <-- trapping instruction
2f: 74 08 je 0x39
31: 48 89 df mov %rbx,%rdi
34: e8 b9 d8 06 00 call 0x6d8f2
39: 48 8b 03 mov (%rbx),%rax
3c: 48 rex.W
3d: 89 .byte 0x89
3e: 44 rex.R
3f: 24 .byte 0x24
***
KASAN: slab-use-after-free Read in region_del
tree: mm-new
URL: https://kernel.googlesource.com/pub/scm/linux/kernel/git/akpm/mm.git
base: f50c6ce7bf30099042dac755fbd1e97da456f5ec
arch: amd64
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
config: https://ci.syzbot.org/builds/e716ec88-6c00-48e7-868d-3f4cb3999d4b/config
syz repro: https://ci.syzbot.org/findings/df3f89db-a2df-4664-973c-472164179e0a/syz_repro
==================================================================
BUG: KASAN: slab-use-after-free in __raw_spin_lock include/linux/spinlock_api_smp.h:158 [inline]
BUG: KASAN: slab-use-after-free in _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
Read of size 1 at addr ffff888114425020 by task syz.2.313/6592
CPU: 0 UID: 0 PID: 6592 Comm: syz.2.313 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xba/0x230 mm/kasan/report.c:482
kasan_report+0x117/0x150 mm/kasan/report.c:595
__kasan_check_byte+0x2a/0x40 mm/kasan/common.c:574
kasan_check_byte include/linux/kasan.h:402 [inline]
lock_acquire+0x79/0x2e0 kernel/locking/lockdep.c:5842
__raw_spin_lock include/linux/spinlock_api_smp.h:158 [inline]
_raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:341 [inline]
region_del+0xbe/0x950 mm/hugetlb.c:863
hugetlb_unreserve_pages+0xfa/0x230 mm/hugetlb.c:6757
remove_inode_hugepages+0x1036/0x11a0 fs/hugetlbfs/inode.c:613
hugetlbfs_evict_inode+0xaf/0x260 fs/hugetlbfs/inode.c:623
evict+0x61e/0xb10 fs/inode.c:841
__dentry_kill+0x1a2/0x5e0 fs/dcache.c:670
finish_dput+0xc9/0x480 fs/dcache.c:879
do_one_tree fs/dcache.c:1657 [inline]
shrink_dcache_for_umount+0xe1/0x1f0 fs/dcache.c:1671
generic_shutdown_super+0x6f/0x2d0 fs/super.c:624
kill_anon_super+0x3b/0x70 fs/super.c:1292
deactivate_locked_super+0xbc/0x130 fs/super.c:476
cleanup_mnt+0x437/0x4d0 fs/namespace.c:1312
task_work_run+0x1d9/0x270 kernel/task_work.c:233
exit_task_work include/linux/task_work.h:40 [inline]
do_exit+0x69b/0x2320 kernel/exit.c:971
do_group_exit+0x21b/0x2d0 kernel/exit.c:1112
get_signal+0x1284/0x1330 kernel/signal.c:3034
arch_do_signal_or_restart+0xbc/0x830 arch/x86/kernel/signal.c:337
__exit_to_user_mode_loop kernel/entry/common.c:64 [inline]
exit_to_user_mode_loop+0x86/0x480 kernel/entry/common.c:98
__exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:325 [inline]
do_syscall_64+0x32d/0xf80 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6b41f9c799
Code: Unable to access opcode bytes at 0x7f6b41f9c76f.
RSP: 002b:00007f6b42db90e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007f6b42215fa8 RCX: 00007f6b41f9c799
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f6b42215fa8
RBP: 00007f6b42215fa0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f6b42216038 R14: 00007ffd7b00f490 R15: 00007ffd7b00f578
</TASK>
Allocated by task 6005:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
kasan_kmalloc include/linux/kasan.h:263 [inline]
__kmalloc_cache_noprof+0x31c/0x660 mm/slub.c:5339
kmalloc_noprof include/linux/slab.h:962 [inline]
resv_map_alloc+0x51/0x2c0 mm/hugetlb.c:1108
hugetlbfs_get_inode+0x5d/0x680 fs/hugetlbfs/inode.c:932
hugetlbfs_mknod fs/hugetlbfs/inode.c:987 [inline]
hugetlbfs_create+0x59/0xf0 fs/hugetlbfs/inode.c:1009
lookup_open fs/namei.c:4483 [inline]
open_last_lookups fs/namei.c:4583 [inline]
path_openat+0x1395/0x3860 fs/namei.c:4827
do_file_open+0x23e/0x4a0 fs/namei.c:4859
do_sys_openat2+0x113/0x200 fs/open.c:1366
do_sys_open fs/open.c:1372 [inline]
__do_sys_creat fs/open.c:1450 [inline]
__se_sys_creat fs/open.c:1444 [inline]
__x64_sys_creat+0x8f/0xc0 fs/open.c:1444
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 6005:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
poison_slab_object mm/kasan/common.c:253 [inline]
__kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:2687 [inline]
slab_free mm/slub.c:6124 [inline]
kfree+0x1c1/0x630 mm/slub.c:6442
hugetlbfs_evict_inode+0xe1/0x260 fs/hugetlbfs/inode.c:628
evict+0x61e/0xb10 fs/inode.c:841
__dentry_kill+0x1a2/0x5e0 fs/dcache.c:670
shrink_kill+0xa9/0x2c0 fs/dcache.c:1147
shrink_dentry_list+0x2e0/0x5e0 fs/dcache.c:1174
shrink_dcache_tree+0xcf/0x310 fs/dcache.c:-1
do_one_tree fs/dcache.c:1654 [inline]
shrink_dcache_for_umount+0xa8/0x1f0 fs/dcache.c:1671
generic_shutdown_super+0x6f/0x2d0 fs/super.c:624
kill_anon_super+0x3b/0x70 fs/super.c:1292
deactivate_locked_super+0xbc/0x130 fs/super.c:476
cleanup_mnt+0x437/0x4d0 fs/namespace.c:1312
task_work_run+0x1d9/0x270 kernel/task_work.c:233
exit_task_work include/linux/task_work.h:40 [inline]
do_exit+0x69b/0x2320 kernel/exit.c:971
do_group_exit+0x21b/0x2d0 kernel/exit.c:1112
get_signal+0x1284/0x1330 kernel/signal.c:3034
arch_do_signal_or_restart+0xbc/0x830 arch/x86/kernel/signal.c:337
__exit_to_user_mode_loop kernel/entry/common.c:64 [inline]
exit_to_user_mode_loop+0x86/0x480 kernel/entry/common.c:98
__exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:325 [inline]
do_syscall_64+0x32d/0xf80 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff888114425000
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 32 bytes inside of
freed 512-byte region [ffff888114425000, ffff888114425200)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888114424000 pfn:0x114424
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x17ff00000000240(workingset|head|node=0|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 017ff00000000240 ffff888100041c80 ffffea00044b8a10 ffffea0004539010
raw: ffff888114424000 0000000000100009 00000000f5000000 0000000000000000
head: 017ff00000000240 ffff888100041c80 ffffea00044b8a10 ffffea0004539010
head: ffff888114424000 0000000000100009 00000000f5000000 0000000000000000
head: 017ff00000000002 ffffea0004510901 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5267, tgid 5267 (udevd), ts 28927219244, free_ts 28922963584
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x231/0x280 mm/page_alloc.c:1889
prep_new_page mm/page_alloc.c:1897 [inline]
get_page_from_freelist+0x24dc/0x2580 mm/page_alloc.c:3962
__alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5250
alloc_slab_page mm/slub.c:3255 [inline]
allocate_slab+0x77/0x660 mm/slub.c:3444
new_slab mm/slub.c:3502 [inline]
refill_objects+0x331/0x3c0 mm/slub.c:7134
refill_sheaf mm/slub.c:2804 [inline]
__pcs_replace_empty_main+0x2b9/0x620 mm/slub.c:4578
alloc_from_pcs mm/slub.c:4681 [inline]
slab_alloc_node mm/slub.c:4815 [inline]
__kmalloc_cache_noprof+0x392/0x660 mm/slub.c:5334
kmalloc_noprof include/linux/slab.h:962 [inline]
kzalloc_noprof include/linux/slab.h:1200 [inline]
kernfs_fop_open+0x397/0xca0 fs/kernfs/file.c:641
do_dentry_open+0x785/0x14e0 fs/open.c:949
vfs_open+0x3b/0x340 fs/open.c:1081
do_open fs/namei.c:4671 [inline]
path_openat+0x2e08/0x3860 fs/namei.c:4830
do_file_open+0x23e/0x4a0 fs/namei.c:4859
do_sys_openat2+0x113/0x200 fs/open.c:1366
do_sys_open fs/open.c:1372 [inline]
__do_sys_openat fs/open.c:1388 [inline]
__se_sys_openat fs/open.c:1383 [inline]
__x64_sys_openat+0x138/0x170 fs/open.c:1383
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5265 tgid 5265 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
__free_pages_prepare mm/page_alloc.c:1433 [inline]
__free_frozen_pages+0xc2b/0xdb0 mm/page_alloc.c:2978
__slab_free+0x263/0x2b0 mm/slub.c:5532
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x97/0x100 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:350
kasan_slab_alloc include/linux/kasan.h:253 [inline]
slab_post_alloc_hook mm/slub.c:4501 [inline]
slab_alloc_node mm/slub.c:4830 [inline]
kmem_cache_alloc_noprof+0x2bc/0x650 mm/slub.c:4837
lsm_inode_alloc security/security.c:228 [inline]
security_inode_alloc+0x39/0x310 security/security.c:1189
inode_init_always_gfp+0x9c8/0xda0 fs/inode.c:305
inode_init_always include/linux/fs.h:2925 [inline]
alloc_inode+0x82/0x1b0 fs/inode.c:352
iget_locked+0x131/0x6a0 fs/inode.c:1474
kernfs_get_inode+0x4f/0x780 fs/kernfs/inode.c:253
kernfs_iop_lookup+0x1fe/0x320 fs/kernfs/dir.c:1241
__lookup_slow+0x2b7/0x410 fs/namei.c:1916
lookup_slow+0x53/0x70 fs/namei.c:1933
walk_component fs/namei.c:2279 [inline]
lookup_last fs/namei.c:2780 [inline]
path_lookupat+0x3f5/0x8c0 fs/namei.c:2804
filename_lookup+0x256/0x5d0 fs/namei.c:2833
Memory state around the buggy address:
ffff888114424f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888114424f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888114425000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888114425080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888114425100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
***
general protection fault in mark_buffer_dirty_inode
tree: mm-new
URL: https://kernel.googlesource.com/pub/scm/linux/kernel/git/akpm/mm.git
base: f50c6ce7bf30099042dac755fbd1e97da456f5ec
arch: amd64
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
config: https://ci.syzbot.org/builds/e716ec88-6c00-48e7-868d-3f4cb3999d4b/config
C repro: https://ci.syzbot.org/findings/670a21ca-1447-4fda-909b-5098c9c0cdd9/c_repro
syz repro: https://ci.syzbot.org/findings/670a21ca-1447-4fda-909b-5098c9c0cdd9/syz_repro
EXT4-fs (loop0): mounted filesystem 76b65be2-f6da-4727-8c75-0525a5b65a09 r/w without journal. Quota mode: none.
ext4 filesystem being mounted at /0/mnt supports timestamps until 2038-01-19 (0x7fffffff)
fscrypt: AES-256-CBC-CTS using implementation "cts(cbc(ecb(aes-lib)))"
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
CPU: 1 UID: 0 PID: 5946 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:kasan_byte_accessible+0x12/0x30 mm/kasan/generic.c:210
Code: 79 ff ff ff 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 40 d6 48 c1 ef 03 48 b8 00 00 00 00 00 fc ff df <0f> b6 04 07 3c 08 0f 92 c0 e9 40 6a 80 09 cc 66 66 66 66 66 66 2e
RSP: 0018:ffffc90003c9f380 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffffffff8bafae9e RCX: 0000000080000002
RDX: 0000000000000000 RSI: ffffffff8bafae9e RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: dffffc0000000000 R11: fffffbfff2023057 R12: 0000000000000000
R13: 0000000000000018 R14: 0000000000000018 R15: 0000000000000001
FS: 0000555590824500(0000) GS:ffff8882a9467000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2e763fff CR3: 000000016fa5e000 CR4: 00000000000006f0
Call Trace:
<TASK>
__kasan_check_byte+0x12/0x40 mm/kasan/common.c:573
kasan_check_byte include/linux/kasan.h:402 [inline]
lock_acquire+0x79/0x2e0 kernel/locking/lockdep.c:5842
__raw_spin_lock include/linux/spinlock_api_smp.h:158 [inline]
_raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:341 [inline]
mark_buffer_dirty_inode+0xe3/0x2f0 fs/buffer.c:748
__ext4_handle_dirty_metadata+0x27a/0x810 fs/ext4/ext4_jbd2.c:393
ext4_xattr_block_set+0x24ff/0x2ad0 fs/ext4/xattr.c:2168
ext4_xattr_set_handle+0xe34/0x14c0 fs/ext4/xattr.c:2457
ext4_set_context+0x233/0x560 fs/ext4/crypto.c:166
fscrypt_set_context+0x397/0x460 fs/crypto/policy.c:791
__ext4_new_inode+0x3158/0x3d20 fs/ext4/ialloc.c:1314
ext4_symlink+0x3ac/0xb90 fs/ext4/namei.c:3386
vfs_symlink+0x195/0x340 fs/namei.c:5615
filename_symlinkat+0x1cd/0x410 fs/namei.c:5640
__do_sys_symlink fs/namei.c:5667 [inline]
__se_sys_symlink+0x4d/0x2b0 fs/namei.c:5663
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fe222b9c799
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffdf34afb88 EFLAGS: 00000246 ORIG_RAX: 0000000000000058
RAX: ffffffffffffffda RBX: 00007fe222e15fa0 RCX: 00007fe222b9c799
RDX: 0000000000000000 RSI: 00002000000000c0 RDI: 0000200000000080
RBP: 00007fe222c32bd9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fe222e15fac R14: 00007fe222e15fa0 R15: 00007fe222e15fa0
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:kasan_byte_accessible+0x12/0x30 mm/kasan/generic.c:210
Code: 79 ff ff ff 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 40 d6 48 c1 ef 03 48 b8 00 00 00 00 00 fc ff df <0f> b6 04 07 3c 08 0f 92 c0 e9 40 6a 80 09 cc 66 66 66 66 66 66 2e
RSP: 0018:ffffc90003c9f380 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffffffff8bafae9e RCX: 0000000080000002
RDX: 0000000000000000 RSI: ffffffff8bafae9e RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: dffffc0000000000 R11: fffffbfff2023057 R12: 0000000000000000
R13: 0000000000000018 R14: 0000000000000018 R15: 0000000000000001
FS: 0000555590824500(0000) GS:ffff8882a9467000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2e763fff CR3: 000000016fa5e000 CR4: 00000000000006f0
----------------
Code disassembly (best guess), 4 bytes skipped:
0: 0f 1f 40 00 nopl 0x0(%rax)
4: 90 nop
5: 90 nop
6: 90 nop
7: 90 nop
8: 90 nop
9: 90 nop
a: 90 nop
b: 90 nop
c: 90 nop
d: 90 nop
e: 90 nop
f: 90 nop
10: 90 nop
11: 90 nop
12: 90 nop
13: 90 nop
14: 0f 1f 40 d6 nopl -0x2a(%rax)
18: 48 c1 ef 03 shr $0x3,%rdi
1c: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
23: fc ff df
* 26: 0f b6 04 07 movzbl (%rdi,%rax,1),%eax <-- trapping instruction
2a: 3c 08 cmp $0x8,%al
2c: 0f 92 c0 setb %al
2f: e9 40 6a 80 09 jmp 0x9806a74
34: cc int3
35: 66 data16
36: 66 data16
37: 66 data16
38: 66 data16
39: 66 data16
3a: 66 data16
3b: 2e cs
***
If these findings have caused you to resend the series or submit a
separate fix, please add the following tag to your commit message:
Tested-by: syzbot@syzkaller.appspotmail.com
---
This report is generated by a bot. It may contain errors.
syzbot ci engineers can be reached at syzkaller@googlegroups.com.