From: syzbot ci <syzbot+ciaf5532c890030251@syzkaller.appspotmail.com>
To: agruenba@redhat.com, aivazian.tigran@gmail.com,
almaz.alexandrovich@paragon-software.com, axboe@kernel.dk,
bcrl@kvack.org, brauner@kernel.org, david@kernel.org,
dsterba@suse.com, gfs2@lists.linux.dev,
hirofumi@mail.parknet.co.jp, jack@suse.cz, jlbec@evilplan.org,
joseph.qi@linux.alibaba.com, linux-aio@kvack.org,
linux-block@vger.kernel.org, linux-ext4@vger.kernel.org,
linux-fsdevel@vger.kernel.org, linux-mm@kvack.org,
muchun.song@linux.dev, ntfs3@lists.linux.dev,
ocfs2-devel@lists.linux.dev, osalvador@suse.de, tytso@mit.edu,
viro@zeniv.linux.org.uk
Cc: syzbot@lists.linux.dev, syzkaller-bugs@googlegroups.com
Subject: [syzbot ci] Re: fs: Move metadata bh tracking from address_space
Date: Tue, 03 Mar 2026 15:35:35 -0800
Message-ID: <69a77047.050a0220.21ae90.0011.GAE@google.com>
In-Reply-To: <20260303101717.27224-1-jack@suse.cz>
syzbot ci has tested the following series
[v1] fs: Move metadata bh tracking from address_space
https://lore.kernel.org/all/20260303101717.27224-1-jack@suse.cz
* [PATCH 01/32] fat: Sync and invalidate metadata buffers from fat_evict_inode()
* [PATCH 02/32] udf: Sync and invalidate metadata buffers from udf_evict_inode()
* [PATCH 03/32] minix: Sync and invalidate metadata buffers from minix_evict_inode()
* [PATCH 04/32] ext2: Sync and invalidate metadata buffers from ext2_evict_inode()
* [PATCH 05/32] ext4: Sync and invalidate metadata buffers from ext4_evict_inode()
* [PATCH 06/32] ext4: Use inode_has_buffers()
* [PATCH 07/32] bfs: Sync and invalidate metadata buffers from bfs_evict_inode()
* [PATCH 08/32] affs: Sync and invalidate metadata buffers from affs_evict_inode()
* [PATCH 09/32] fs: Ignore inode metadata buffers in inode_lru_isolate()
* [PATCH 10/32] fs: Stop using i_private_data for metadata bh tracking
* [PATCH 11/32] gfs2: Don't zero i_private_data
* [PATCH 12/32] hugetlbfs: Stop using i_private_data
* [PATCH 13/32] aio: Stop using i_private_data and i_private_lock
* [PATCH 14/32] fs: Remove i_private_data
* [PATCH 15/32] fs: Drop osync_buffers_list()
* [PATCH 16/32] fs: Fold fsync_buffers_list() into sync_mapping_buffers()
* [PATCH 17/32] fs: Move metadata bhs tracking to a separate struct
* [PATCH 18/32] fs: Provide operation for fetching mapping_metadata_bhs
* [PATCH 19/32] ntfs3: Drop pointless sync_mapping_buffers() call
* [PATCH 20/32] ocfs2: Drop pointless sync_mapping_buffers() calls
* [PATCH 21/32] bdev: Drop pointless invalidate_mapping_buffers() call
* [PATCH 22/32] fs: Switch inode_has_buffers() to take mapping_metadata_bhs
* [PATCH 23/32] ext2: Track metadata bhs in fs-private inode part
* [PATCH 24/32] affs: Track metadata bhs in fs-private inode part
* [PATCH 25/32] bfs: Track metadata bhs in fs-private inode part
* [PATCH 26/32] fat: Track metadata bhs in fs-private inode part
* [PATCH 27/32] udf: Track metadata bhs in fs-private inode part
* [PATCH 28/32] minix: Track metadata bhs in fs-private inode part
* [PATCH 29/32] ext4: Track metadata bhs in fs-private inode part
* [PATCH 30/32] vfs: Drop mapping_metadata_bhs from address space
* [PATCH 31/32] kvm: Use private inode list instead of i_private_list
* [PATCH 32/32] fs: Drop i_private_list from address_space
and found the following issues:
* BUG: spinlock bad magic in region_del
* KASAN: slab-use-after-free Read in region_del
* general protection fault in mark_buffer_dirty_inode
Full report is available here:
https://ci.syzbot.org/series/3cf14b16-7f50-44ce-9f95-8ac4b86cf294
***
BUG: spinlock bad magic in region_del
tree: mm-new
URL: https://kernel.googlesource.com/pub/scm/linux/kernel/git/akpm/mm.git
base: f50c6ce7bf30099042dac755fbd1e97da456f5ec
arch: amd64
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
config: https://ci.syzbot.org/builds/e716ec88-6c00-48e7-868d-3f4cb3999d4b/config
syz repro: https://ci.syzbot.org/findings/0d1bc933-ce69-432e-a2d5-b2411fe4cfec/syz_repro
BUG: spinlock bad magic on CPU#0, syz.0.151/6273
lock: 0xffff8881165dc808, .magic: 00000000, .owner: <none>/-1, .owner_cpu: 0
CPU: 0 UID: 0 PID: 6273 Comm: syz.0.151 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
spin_bug kernel/locking/spinlock_debug.c:78 [inline]
debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline]
do_raw_spin_lock+0x1e5/0x2f0 kernel/locking/spinlock_debug.c:115
spin_lock include/linux/spinlock.h:341 [inline]
region_del+0xbe/0x950 mm/hugetlb.c:863
hugetlb_unreserve_pages+0xfa/0x230 mm/hugetlb.c:6757
remove_inode_hugepages+0x1036/0x11a0 fs/hugetlbfs/inode.c:613
hugetlbfs_evict_inode+0xaf/0x260 fs/hugetlbfs/inode.c:623
evict+0x61e/0xb10 fs/inode.c:841
__dentry_kill+0x1a2/0x5e0 fs/dcache.c:670
finish_dput+0xc9/0x480 fs/dcache.c:879
do_one_tree fs/dcache.c:1657 [inline]
shrink_dcache_for_umount+0xe1/0x1f0 fs/dcache.c:1671
generic_shutdown_super+0x6f/0x2d0 fs/super.c:624
kill_anon_super+0x3b/0x70 fs/super.c:1292
deactivate_locked_super+0xbc/0x130 fs/super.c:476
cleanup_mnt+0x437/0x4d0 fs/namespace.c:1312
task_work_run+0x1d9/0x270 kernel/task_work.c:233
exit_task_work include/linux/task_work.h:40 [inline]
do_exit+0x69b/0x2320 kernel/exit.c:971
do_group_exit+0x21b/0x2d0 kernel/exit.c:1112
get_signal+0x1284/0x1330 kernel/signal.c:3034
arch_do_signal_or_restart+0xbc/0x830 arch/x86/kernel/signal.c:337
__exit_to_user_mode_loop kernel/entry/common.c:64 [inline]
exit_to_user_mode_loop+0x86/0x480 kernel/entry/common.c:98
__exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:325 [inline]
do_syscall_64+0x32d/0xf80 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6e0f19c799
Code: Unable to access opcode bytes at 0x7f6e0f19c76f.
RSP: 002b:00007f6e101360e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007f6e0f415fa8 RCX: 00007f6e0f19c799
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f6e0f415fa8
RBP: 00007f6e0f415fa0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f6e0f416038 R14: 00007fff1de1a520 R15: 00007fff1de1a608
</TASK>
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 UID: 0 PID: 6273 Comm: syz.0.151 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:region_del+0x108/0x950 mm/hugetlb.c:864
Code: 24 20 49 29 c4 4c 03 23 48 89 03 48 8b 5c 24 40 4c 39 eb 0f 84 64 05 00 00 e8 74 c0 9c ff 4c 89 64 24 10 49 89 df 49 c1 ef 03 <41> 80 3c 2f 00 74 08 48 89 df e8 b9 d8 06 00 48 8b 03 48 89 44 24
RSP: 0018:ffffc90003b17330 EFLAGS: 00010246
RAX: a69e65823ec40000 RBX: 0000000000000000 RCX: 0000000000000001
RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffffc90003b172a0
RBP: dffffc0000000000 R08: 0000000000000003 R09: 0000000000000004
R10: dffffc0000000000 R11: fffff52000762e54 R12: 0000000000000000
R13: ffff8881165dc848 R14: 1ffff11022cbb909 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff88818de67000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc23744ea7c CR3: 000000000e54c000 CR4: 00000000000006f0
Call Trace:
<TASK>
hugetlb_unreserve_pages+0xfa/0x230 mm/hugetlb.c:6757
remove_inode_hugepages+0x1036/0x11a0 fs/hugetlbfs/inode.c:613
hugetlbfs_evict_inode+0xaf/0x260 fs/hugetlbfs/inode.c:623
evict+0x61e/0xb10 fs/inode.c:841
__dentry_kill+0x1a2/0x5e0 fs/dcache.c:670
finish_dput+0xc9/0x480 fs/dcache.c:879
do_one_tree fs/dcache.c:1657 [inline]
shrink_dcache_for_umount+0xe1/0x1f0 fs/dcache.c:1671
generic_shutdown_super+0x6f/0x2d0 fs/super.c:624
kill_anon_super+0x3b/0x70 fs/super.c:1292
deactivate_locked_super+0xbc/0x130 fs/super.c:476
cleanup_mnt+0x437/0x4d0 fs/namespace.c:1312
task_work_run+0x1d9/0x270 kernel/task_work.c:233
exit_task_work include/linux/task_work.h:40 [inline]
do_exit+0x69b/0x2320 kernel/exit.c:971
do_group_exit+0x21b/0x2d0 kernel/exit.c:1112
get_signal+0x1284/0x1330 kernel/signal.c:3034
arch_do_signal_or_restart+0xbc/0x830 arch/x86/kernel/signal.c:337
__exit_to_user_mode_loop kernel/entry/common.c:64 [inline]
exit_to_user_mode_loop+0x86/0x480 kernel/entry/common.c:98
__exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:325 [inline]
do_syscall_64+0x32d/0xf80 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6e0f19c799
Code: Unable to access opcode bytes at 0x7f6e0f19c76f.
RSP: 002b:00007f6e101360e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007f6e0f415fa8 RCX: 00007f6e0f19c799
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f6e0f415fa8
RBP: 00007f6e0f415fa0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f6e0f416038 R14: 00007fff1de1a520 R15: 00007fff1de1a608
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:region_del+0x108/0x950 mm/hugetlb.c:864
Code: 24 20 49 29 c4 4c 03 23 48 89 03 48 8b 5c 24 40 4c 39 eb 0f 84 64 05 00 00 e8 74 c0 9c ff 4c 89 64 24 10 49 89 df 49 c1 ef 03 <41> 80 3c 2f 00 74 08 48 89 df e8 b9 d8 06 00 48 8b 03 48 89 44 24
RSP: 0018:ffffc90003b17330 EFLAGS: 00010246
RAX: a69e65823ec40000 RBX: 0000000000000000 RCX: 0000000000000001
RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffffc90003b172a0
RBP: dffffc0000000000 R08: 0000000000000003 R09: 0000000000000004
R10: dffffc0000000000 R11: fffff52000762e54 R12: 0000000000000000
R13: ffff8881165dc848 R14: 1ffff11022cbb909 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff88818de67000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc23744ea7c CR3: 000000000e54c000 CR4: 00000000000006f0
----------------
Code disassembly (best guess):
0: 24 20 and $0x20,%al
2: 49 29 c4 sub %rax,%r12
5: 4c 03 23 add (%rbx),%r12
8: 48 89 03 mov %rax,(%rbx)
b: 48 8b 5c 24 40 mov 0x40(%rsp),%rbx
10: 4c 39 eb cmp %r13,%rbx
13: 0f 84 64 05 00 00 je 0x57d
19: e8 74 c0 9c ff call 0xff9cc092
1e: 4c 89 64 24 10 mov %r12,0x10(%rsp)
23: 49 89 df mov %rbx,%r15
26: 49 c1 ef 03 shr $0x3,%r15
* 2a: 41 80 3c 2f 00 cmpb $0x0,(%r15,%rbp,1) <-- trapping instruction
2f: 74 08 je 0x39
31: 48 89 df mov %rbx,%rdi
34: e8 b9 d8 06 00 call 0x6d8f2
39: 48 8b 03 mov (%rbx),%rax
3c: 48 rex.W
3d: 89 .byte 0x89
3e: 44 rex.R
3f: 24 .byte 0x24
***
KASAN: slab-use-after-free Read in region_del
tree: mm-new
URL: https://kernel.googlesource.com/pub/scm/linux/kernel/git/akpm/mm.git
base: f50c6ce7bf30099042dac755fbd1e97da456f5ec
arch: amd64
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
config: https://ci.syzbot.org/builds/e716ec88-6c00-48e7-868d-3f4cb3999d4b/config
syz repro: https://ci.syzbot.org/findings/df3f89db-a2df-4664-973c-472164179e0a/syz_repro
==================================================================
BUG: KASAN: slab-use-after-free in __raw_spin_lock include/linux/spinlock_api_smp.h:158 [inline]
BUG: KASAN: slab-use-after-free in _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
Read of size 1 at addr ffff888114425020 by task syz.2.313/6592
CPU: 0 UID: 0 PID: 6592 Comm: syz.2.313 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xba/0x230 mm/kasan/report.c:482
kasan_report+0x117/0x150 mm/kasan/report.c:595
__kasan_check_byte+0x2a/0x40 mm/kasan/common.c:574
kasan_check_byte include/linux/kasan.h:402 [inline]
lock_acquire+0x79/0x2e0 kernel/locking/lockdep.c:5842
__raw_spin_lock include/linux/spinlock_api_smp.h:158 [inline]
_raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:341 [inline]
region_del+0xbe/0x950 mm/hugetlb.c:863
hugetlb_unreserve_pages+0xfa/0x230 mm/hugetlb.c:6757
remove_inode_hugepages+0x1036/0x11a0 fs/hugetlbfs/inode.c:613
hugetlbfs_evict_inode+0xaf/0x260 fs/hugetlbfs/inode.c:623
evict+0x61e/0xb10 fs/inode.c:841
__dentry_kill+0x1a2/0x5e0 fs/dcache.c:670
finish_dput+0xc9/0x480 fs/dcache.c:879
do_one_tree fs/dcache.c:1657 [inline]
shrink_dcache_for_umount+0xe1/0x1f0 fs/dcache.c:1671
generic_shutdown_super+0x6f/0x2d0 fs/super.c:624
kill_anon_super+0x3b/0x70 fs/super.c:1292
deactivate_locked_super+0xbc/0x130 fs/super.c:476
cleanup_mnt+0x437/0x4d0 fs/namespace.c:1312
task_work_run+0x1d9/0x270 kernel/task_work.c:233
exit_task_work include/linux/task_work.h:40 [inline]
do_exit+0x69b/0x2320 kernel/exit.c:971
do_group_exit+0x21b/0x2d0 kernel/exit.c:1112
get_signal+0x1284/0x1330 kernel/signal.c:3034
arch_do_signal_or_restart+0xbc/0x830 arch/x86/kernel/signal.c:337
__exit_to_user_mode_loop kernel/entry/common.c:64 [inline]
exit_to_user_mode_loop+0x86/0x480 kernel/entry/common.c:98
__exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:325 [inline]
do_syscall_64+0x32d/0xf80 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6b41f9c799
Code: Unable to access opcode bytes at 0x7f6b41f9c76f.
RSP: 002b:00007f6b42db90e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007f6b42215fa8 RCX: 00007f6b41f9c799
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f6b42215fa8
RBP: 00007f6b42215fa0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f6b42216038 R14: 00007ffd7b00f490 R15: 00007ffd7b00f578
</TASK>
Allocated by task 6005:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
kasan_kmalloc include/linux/kasan.h:263 [inline]
__kmalloc_cache_noprof+0x31c/0x660 mm/slub.c:5339
kmalloc_noprof include/linux/slab.h:962 [inline]
resv_map_alloc+0x51/0x2c0 mm/hugetlb.c:1108
hugetlbfs_get_inode+0x5d/0x680 fs/hugetlbfs/inode.c:932
hugetlbfs_mknod fs/hugetlbfs/inode.c:987 [inline]
hugetlbfs_create+0x59/0xf0 fs/hugetlbfs/inode.c:1009
lookup_open fs/namei.c:4483 [inline]
open_last_lookups fs/namei.c:4583 [inline]
path_openat+0x1395/0x3860 fs/namei.c:4827
do_file_open+0x23e/0x4a0 fs/namei.c:4859
do_sys_openat2+0x113/0x200 fs/open.c:1366
do_sys_open fs/open.c:1372 [inline]
__do_sys_creat fs/open.c:1450 [inline]
__se_sys_creat fs/open.c:1444 [inline]
__x64_sys_creat+0x8f/0xc0 fs/open.c:1444
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 6005:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
poison_slab_object mm/kasan/common.c:253 [inline]
__kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:2687 [inline]
slab_free mm/slub.c:6124 [inline]
kfree+0x1c1/0x630 mm/slub.c:6442
hugetlbfs_evict_inode+0xe1/0x260 fs/hugetlbfs/inode.c:628
evict+0x61e/0xb10 fs/inode.c:841
__dentry_kill+0x1a2/0x5e0 fs/dcache.c:670
shrink_kill+0xa9/0x2c0 fs/dcache.c:1147
shrink_dentry_list+0x2e0/0x5e0 fs/dcache.c:1174
shrink_dcache_tree+0xcf/0x310 fs/dcache.c:-1
do_one_tree fs/dcache.c:1654 [inline]
shrink_dcache_for_umount+0xa8/0x1f0 fs/dcache.c:1671
generic_shutdown_super+0x6f/0x2d0 fs/super.c:624
kill_anon_super+0x3b/0x70 fs/super.c:1292
deactivate_locked_super+0xbc/0x130 fs/super.c:476
cleanup_mnt+0x437/0x4d0 fs/namespace.c:1312
task_work_run+0x1d9/0x270 kernel/task_work.c:233
exit_task_work include/linux/task_work.h:40 [inline]
do_exit+0x69b/0x2320 kernel/exit.c:971
do_group_exit+0x21b/0x2d0 kernel/exit.c:1112
get_signal+0x1284/0x1330 kernel/signal.c:3034
arch_do_signal_or_restart+0xbc/0x830 arch/x86/kernel/signal.c:337
__exit_to_user_mode_loop kernel/entry/common.c:64 [inline]
exit_to_user_mode_loop+0x86/0x480 kernel/entry/common.c:98
__exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:325 [inline]
do_syscall_64+0x32d/0xf80 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff888114425000
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 32 bytes inside of
freed 512-byte region [ffff888114425000, ffff888114425200)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888114424000 pfn:0x114424
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x17ff00000000240(workingset|head|node=0|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 017ff00000000240 ffff888100041c80 ffffea00044b8a10 ffffea0004539010
raw: ffff888114424000 0000000000100009 00000000f5000000 0000000000000000
head: 017ff00000000240 ffff888100041c80 ffffea00044b8a10 ffffea0004539010
head: ffff888114424000 0000000000100009 00000000f5000000 0000000000000000
head: 017ff00000000002 ffffea0004510901 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5267, tgid 5267 (udevd), ts 28927219244, free_ts 28922963584
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x231/0x280 mm/page_alloc.c:1889
prep_new_page mm/page_alloc.c:1897 [inline]
get_page_from_freelist+0x24dc/0x2580 mm/page_alloc.c:3962
__alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5250
alloc_slab_page mm/slub.c:3255 [inline]
allocate_slab+0x77/0x660 mm/slub.c:3444
new_slab mm/slub.c:3502 [inline]
refill_objects+0x331/0x3c0 mm/slub.c:7134
refill_sheaf mm/slub.c:2804 [inline]
__pcs_replace_empty_main+0x2b9/0x620 mm/slub.c:4578
alloc_from_pcs mm/slub.c:4681 [inline]
slab_alloc_node mm/slub.c:4815 [inline]
__kmalloc_cache_noprof+0x392/0x660 mm/slub.c:5334
kmalloc_noprof include/linux/slab.h:962 [inline]
kzalloc_noprof include/linux/slab.h:1200 [inline]
kernfs_fop_open+0x397/0xca0 fs/kernfs/file.c:641
do_dentry_open+0x785/0x14e0 fs/open.c:949
vfs_open+0x3b/0x340 fs/open.c:1081
do_open fs/namei.c:4671 [inline]
path_openat+0x2e08/0x3860 fs/namei.c:4830
do_file_open+0x23e/0x4a0 fs/namei.c:4859
do_sys_openat2+0x113/0x200 fs/open.c:1366
do_sys_open fs/open.c:1372 [inline]
__do_sys_openat fs/open.c:1388 [inline]
__se_sys_openat fs/open.c:1383 [inline]
__x64_sys_openat+0x138/0x170 fs/open.c:1383
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5265 tgid 5265 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
__free_pages_prepare mm/page_alloc.c:1433 [inline]
__free_frozen_pages+0xc2b/0xdb0 mm/page_alloc.c:2978
__slab_free+0x263/0x2b0 mm/slub.c:5532
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x97/0x100 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:350
kasan_slab_alloc include/linux/kasan.h:253 [inline]
slab_post_alloc_hook mm/slub.c:4501 [inline]
slab_alloc_node mm/slub.c:4830 [inline]
kmem_cache_alloc_noprof+0x2bc/0x650 mm/slub.c:4837
lsm_inode_alloc security/security.c:228 [inline]
security_inode_alloc+0x39/0x310 security/security.c:1189
inode_init_always_gfp+0x9c8/0xda0 fs/inode.c:305
inode_init_always include/linux/fs.h:2925 [inline]
alloc_inode+0x82/0x1b0 fs/inode.c:352
iget_locked+0x131/0x6a0 fs/inode.c:1474
kernfs_get_inode+0x4f/0x780 fs/kernfs/inode.c:253
kernfs_iop_lookup+0x1fe/0x320 fs/kernfs/dir.c:1241
__lookup_slow+0x2b7/0x410 fs/namei.c:1916
lookup_slow+0x53/0x70 fs/namei.c:1933
walk_component fs/namei.c:2279 [inline]
lookup_last fs/namei.c:2780 [inline]
path_lookupat+0x3f5/0x8c0 fs/namei.c:2804
filename_lookup+0x256/0x5d0 fs/namei.c:2833
Memory state around the buggy address:
ffff888114424f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888114424f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888114425000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888114425080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888114425100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
***
general protection fault in mark_buffer_dirty_inode
tree: mm-new
URL: https://kernel.googlesource.com/pub/scm/linux/kernel/git/akpm/mm.git
base: f50c6ce7bf30099042dac755fbd1e97da456f5ec
arch: amd64
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
config: https://ci.syzbot.org/builds/e716ec88-6c00-48e7-868d-3f4cb3999d4b/config
C repro: https://ci.syzbot.org/findings/670a21ca-1447-4fda-909b-5098c9c0cdd9/c_repro
syz repro: https://ci.syzbot.org/findings/670a21ca-1447-4fda-909b-5098c9c0cdd9/syz_repro
EXT4-fs (loop0): mounted filesystem 76b65be2-f6da-4727-8c75-0525a5b65a09 r/w without journal. Quota mode: none.
ext4 filesystem being mounted at /0/mnt supports timestamps until 2038-01-19 (0x7fffffff)
fscrypt: AES-256-CBC-CTS using implementation "cts(cbc(ecb(aes-lib)))"
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
CPU: 1 UID: 0 PID: 5946 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:kasan_byte_accessible+0x12/0x30 mm/kasan/generic.c:210
Code: 79 ff ff ff 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 40 d6 48 c1 ef 03 48 b8 00 00 00 00 00 fc ff df <0f> b6 04 07 3c 08 0f 92 c0 e9 40 6a 80 09 cc 66 66 66 66 66 66 2e
RSP: 0018:ffffc90003c9f380 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffffffff8bafae9e RCX: 0000000080000002
RDX: 0000000000000000 RSI: ffffffff8bafae9e RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: dffffc0000000000 R11: fffffbfff2023057 R12: 0000000000000000
R13: 0000000000000018 R14: 0000000000000018 R15: 0000000000000001
FS: 0000555590824500(0000) GS:ffff8882a9467000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2e763fff CR3: 000000016fa5e000 CR4: 00000000000006f0
Call Trace:
<TASK>
__kasan_check_byte+0x12/0x40 mm/kasan/common.c:573
kasan_check_byte include/linux/kasan.h:402 [inline]
lock_acquire+0x79/0x2e0 kernel/locking/lockdep.c:5842
__raw_spin_lock include/linux/spinlock_api_smp.h:158 [inline]
_raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:341 [inline]
mark_buffer_dirty_inode+0xe3/0x2f0 fs/buffer.c:748
__ext4_handle_dirty_metadata+0x27a/0x810 fs/ext4/ext4_jbd2.c:393
ext4_xattr_block_set+0x24ff/0x2ad0 fs/ext4/xattr.c:2168
ext4_xattr_set_handle+0xe34/0x14c0 fs/ext4/xattr.c:2457
ext4_set_context+0x233/0x560 fs/ext4/crypto.c:166
fscrypt_set_context+0x397/0x460 fs/crypto/policy.c:791
__ext4_new_inode+0x3158/0x3d20 fs/ext4/ialloc.c:1314
ext4_symlink+0x3ac/0xb90 fs/ext4/namei.c:3386
vfs_symlink+0x195/0x340 fs/namei.c:5615
filename_symlinkat+0x1cd/0x410 fs/namei.c:5640
__do_sys_symlink fs/namei.c:5667 [inline]
__se_sys_symlink+0x4d/0x2b0 fs/namei.c:5663
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fe222b9c799
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffdf34afb88 EFLAGS: 00000246 ORIG_RAX: 0000000000000058
RAX: ffffffffffffffda RBX: 00007fe222e15fa0 RCX: 00007fe222b9c799
RDX: 0000000000000000 RSI: 00002000000000c0 RDI: 0000200000000080
RBP: 00007fe222c32bd9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fe222e15fac R14: 00007fe222e15fa0 R15: 00007fe222e15fa0
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:kasan_byte_accessible+0x12/0x30 mm/kasan/generic.c:210
Code: 79 ff ff ff 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 40 d6 48 c1 ef 03 48 b8 00 00 00 00 00 fc ff df <0f> b6 04 07 3c 08 0f 92 c0 e9 40 6a 80 09 cc 66 66 66 66 66 66 2e
RSP: 0018:ffffc90003c9f380 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffffffff8bafae9e RCX: 0000000080000002
RDX: 0000000000000000 RSI: ffffffff8bafae9e RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: dffffc0000000000 R11: fffffbfff2023057 R12: 0000000000000000
R13: 0000000000000018 R14: 0000000000000018 R15: 0000000000000001
FS: 0000555590824500(0000) GS:ffff8882a9467000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2e763fff CR3: 000000016fa5e000 CR4: 00000000000006f0
----------------
Code disassembly (best guess), 4 bytes skipped:
0: 0f 1f 40 00 nopl 0x0(%rax)
4: 90 nop
5: 90 nop
6: 90 nop
7: 90 nop
8: 90 nop
9: 90 nop
a: 90 nop
b: 90 nop
c: 90 nop
d: 90 nop
e: 90 nop
f: 90 nop
10: 90 nop
11: 90 nop
12: 90 nop
13: 90 nop
14: 0f 1f 40 d6 nopl -0x2a(%rax)
18: 48 c1 ef 03 shr $0x3,%rdi
1c: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
23: fc ff df
* 26: 0f b6 04 07 movzbl (%rdi,%rax,1),%eax <-- trapping instruction
2a: 3c 08 cmp $0x8,%al
2c: 0f 92 c0 setb %al
2f: e9 40 6a 80 09 jmp 0x9806a74
34: cc int3
35: 66 data16
36: 66 data16
37: 66 data16
38: 66 data16
39: 66 data16
3a: 66 data16
3b: 2e cs
***
If these findings have caused you to resend the series or submit a
separate fix, please add the following tag to your commit message:
Tested-by: syzbot@syzkaller.appspotmail.com
---
This report is generated by a bot. It may contain errors.
syzbot ci engineers can be reached at syzkaller@googlegroups.com.