From: syzbot <syzbot+32ec8b5bd050c78741c2@syzkaller.appspotmail.com>
To: daiky0325@gmail.com
Cc: daiky0325@gmail.com, linux-kernel@vger.kernel.org,
	 syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [karma?] kernel BUG in folio_set_bh (3)
Date: Thu, 14 May 2026 09:58:39 -0700	[thread overview]
Message-ID: <6a05ff3f.050a0220.2921a.0001.GAE@google.com> (raw)
In-Reply-To: <CAJZpSXuEDdiBEyagEHzv3QXmKrE9p8_gQ7WwBs=FFQx7ouDAQQ@mail.gmail.com>

> I was able to reproduce this bug with the following C reproducer:
>
> // repro.c
> #include <fcntl.h>
> #include <stdio.h>
> #include <sys/ioctl.h>
> #include <sys/mount.h>
> #include <sys/stat.h>
> #include <linux/loop.h>
> #include <unistd.h>
>
> int main(void) {
>     int fd = open("/tmp/img", O_RDWR|O_CREAT|O_TRUNC, 0644);
>     ftruncate(fd, 1<<20);
>     close(fd);
>     int lc = open("/dev/loop-control", O_RDWR);
>     int nr = ioctl(lc, LOOP_CTL_GET_FREE);
>     close(lc);
>     char lo[64];
>     snprintf(lo, sizeof(lo), "/dev/loop%d", nr);
>     int lf = open(lo, O_RDWR);
>     fd = open("/tmp/img", O_RDWR);
>     ioctl(lf, LOOP_SET_FD, fd);
>     close(fd);
>     ioctl(lf, 0x4c09, 0x8000); // LOOP_SET_BLOCK_SIZE = 32768
>     close(lf);
>     mkdir("/tmp/mnt", 0755);
>     mount(lo, "/tmp/mnt", "jfs", 0x8000, NULL); // MS_SILENT
>     return 0;
> }
>
> A fix patch has been sent:
> https://lore.kernel.org/all/20260514160700.376172-1-daiky0325@gmail.com/
>
> On Thu, May 14, 2026 at 7:36 PM syzbot
> <syzbot+32ec8b5bd050c78741c2@syzkaller.appspotmail.com> wrote:
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit:    1d5dcaa3bd65 Merge tag 'probes-fixes-v7.1-rc3' of git://gi..
> > git tree:       upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=1592ed06580000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=7f195f6be48c12ec
> > dashboard link: https://syzkaller.appspot.com/bug?extid=32ec8b5bd050c78741c2
> > compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
> >
> > Unfortunately, I don't have any reproducer for this issue yet.
> >
> > Downloadable assets:
> > disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-1d5dcaa3.raw.xz
> > vmlinux: https://storage.googleapis.com/syzbot-assets/2cb31960a181/vmlinux-1d5dcaa3.xz
> > kernel image: https://storage.googleapis.com/syzbot-assets/6d3969d0ce3d/bzImage-1d5dcaa3.xz
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+32ec8b5bd050c78741c2@syzkaller.appspotmail.com
> >
> > loop0: detected capacity change from 0 to 2048
> >  loop0: p2 p3 < > p4 < p5 >
> > loop0: partition table partially beyond EOD, truncated
> > loop0: p3 start 4284289 is beyond EOD, truncated
> > jfs: block size(32768) > page size(4096) not supported by filesystem
> > ------------[ cut here ]------------
> > kernel BUG at fs/buffer.c:1479!
> > Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
> > CPU: 0 UID: 0 PID: 5328 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
> > Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
> > RIP: 0010:folio_set_bh+0x1dc/0x1e0 fs/buffer.c:1479
> > Code: 4c 89 e2 e8 b6 71 98 02 e9 42 ff ff ff e8 3c 80 6d ff 48 89 df 48 c7 c6 00 28 df 8b e8 6d bd cf fe 90 0f 0b e8 25 80 6d ff 90 <0f> 0b 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f
> > RSP: 0018:ffffc9000e2378f0 EFLAGS: 00010287
> > RAX: ffffffff8258511b RBX: ffffea0000391600 RCX: 0000000000100000
> > RDX: ffffc9000ec4a000 RSI: 0000000000001a43 RDI: 0000000000001a44
> > RBP: dffffc0000000000 R08: ffffea0000391607 R09: 1ffffd40000722c0
> > R10: dffffc0000000000 R11: fffff940000722c1 R12: 0000000000000003
> > R13: 0000000000008000 R14: ffff88804789f740 R15: 0000000000008000
> > FS:  00007fb7faee76c0(0000) GS:ffff88808c881000(0000) knlGS:0000000000000000
> > CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: 00007f86657e22b0 CR3: 00000000128ba000 CR4: 0000000000352ef0
> > Call Trace:
> >  <TASK>
> >  folio_alloc_buffers+0x228/0x640 fs/buffer.c:849
> >  grow_dev_folio fs/buffer.c:979 [inline]
> >  grow_buffers fs/buffer.c:1020 [inline]
> >  __getblk_slow fs/buffer.c:1038 [inline]
> >  bdev_getblk+0x2cb/0x6e0 fs/buffer.c:1358
> >  __bread_gfp+0x89/0x3b0 fs/buffer.c:1412
> >  sb_bread include/linux/buffer_head.h:346 [inline]
> >  readSuper+0xdb/0x270 fs/jfs/jfs_mount.c:462
> >  chkSuper+0x5d/0xe00 fs/jfs/jfs_mount.c:299
> >  jfs_mount+0x4b/0x870 fs/jfs/jfs_mount.c:83
> >  jfs_fill_super+0x6bc/0xd80 fs/jfs/super.c:523
> >  get_tree_bdev_flags+0x431/0x4f0 fs/super.c:1694
> >  vfs_get_tree+0x92/0x2a0 fs/super.c:1754
> >  fc_mount fs/namespace.c:1193 [inline]
> >  do_new_mount_fc fs/namespace.c:3758 [inline]
> >  do_new_mount+0x341/0xd30 fs/namespace.c:3834
> >  do_mount fs/namespace.c:4167 [inline]
> >  __do_sys_mount fs/namespace.c:4383 [inline]
> >  __se_sys_mount+0x31d/0x420 fs/namespace.c:4360
> >  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> >  do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
> >  entry_SYSCALL_64_after_hwframe+0x77/0x7f
> > RIP: 0033:0x7fb7f9f9ce59
> > Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
> > RSP: 002b:00007fb7faee6fe8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
> > RAX: ffffffffffffffda RBX: 00007fb7fa215fa0 RCX: 00007fb7f9f9ce59
> > RDX: 0000200000000040 RSI: 0000200000000140 RDI: 0000200000000080
> > RBP: 00007fb7fa032d6f R08: 0000000000000000 R09: 0000000000000000
> > R10: 000000000000c000 R11: 0000000000000246 R12: 0000000000000000
> > R13: 00007fb7fa216038 R14: 00007fb7fa215fa0 R15: 00007ffff2e0f5c8
> >  </TASK>
> > Modules linked in:
> > ---[ end trace 0000000000000000 ]---
> > RIP: 0010:folio_set_bh+0x1dc/0x1e0 fs/buffer.c:1479
> > Code: 4c 89 e2 e8 b6 71 98 02 e9 42 ff ff ff e8 3c 80 6d ff 48 89 df 48 c7 c6 00 28 df 8b e8 6d bd cf fe 90 0f 0b e8 25 80 6d ff 90 <0f> 0b 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f
> > RSP: 0018:ffffc9000e2378f0 EFLAGS: 00010287
> > RAX: ffffffff8258511b RBX: ffffea0000391600 RCX: 0000000000100000
> > RDX: ffffc9000ec4a000 RSI: 0000000000001a43 RDI: 0000000000001a44
> > RBP: dffffc0000000000 R08: ffffea0000391607 R09: 1ffffd40000722c0
> > R10: dffffc0000000000 R11: fffff940000722c1 R12: 0000000000000003
> > R13: 0000000000008000 R14: ffff88804789f740 R15: 0000000000008000
> > FS:  00007fb7faee76c0(0000) GS:ffff88808c881000(0000) knlGS:0000000000000000
> > CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: 00007f8a5bc8038f CR3: 00000000128ba000 CR4: 0000000000352ef0
> >
> >
> > ---
> > This report is generated by a bot. It may contain errors.
> > See https://goo.gl/tpsmEJ for more information about syzbot.
> > syzbot engineers can be reached at syzkaller@googlegroups.com.
> >
> > syzbot will keep track of this issue. See:
> > https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> >
> > If the report is already addressed, let syzbot know by replying with:
> > #syz fix: exact-commit-title
> >
> > If you want to overwrite report's subsystems, reply with:
> > #syz set subsystems: new-subsystem
> > (See the list of subsystem names on the web dashboard)
> >
> > If the report is a duplicate of another one, reply with:
> > #syz dup: exact-subject-of-another-report
> >
> > If you want to undo deduplication, reply with:
> > #syz undup

Too many commands (4 > 3)


Thread overview: 3+ messages
2026-05-14 10:36 [syzbot] [karma?] kernel BUG in folio_set_bh (3) syzbot
     [not found] ` <CAJZpSXuxG8H8_5D1RgR6OnKd-DorPscGAzN40WT6uZTB6DKwow@mail.gmail.com>
2026-05-14 16:58   ` Daiki
2026-05-14 16:58     ` syzbot [this message]
