* [syzbot] [ext4?] kernel BUG in ext4_es_cache_extent (4) @ 2026-02-09 2:08 syzbot 2026-02-09 19:22 ` Ojaswin Mujoo 2026-03-03 19:19 ` syzbot 0 siblings, 2 replies; 17+ messages in thread From: syzbot @ 2026-02-09 2:08 UTC (permalink / raw) To: adilger.kernel, linux-ext4, linux-kernel, syzkaller-bugs, tytso Hello, syzbot found the following issue on: HEAD commit: 0f8a890c4524 Add linux-next specific files for 20260204 git tree: linux-next console output: https://syzkaller.appspot.com/x/log.txt?x=12d547fa580000 kernel config: https://syzkaller.appspot.com/x/.config?x=c09aefae2687abea dashboard link: https://syzkaller.appspot.com/bug?extid=ccf1421545dbe5caa20c compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8 syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16420a52580000 Downloadable assets: disk image: https://storage.googleapis.com/syzbot-assets/3c923d50ef46/disk-0f8a890c.raw.xz vmlinux: https://storage.googleapis.com/syzbot-assets/3a560206fcf3/vmlinux-0f8a890c.xz kernel image: https://storage.googleapis.com/syzbot-assets/e0826a2ee028/bzImage-0f8a890c.xz mounted in repro: https://storage.googleapis.com/syzbot-assets/4532e6e390d7/mount_0.gz fsck result: failed (log: https://syzkaller.appspot.com/x/fsck.log?x=1533aa5a580000) IMPORTANT: if you fix the issue, please add the following tag to the commit: Reported-by: syzbot+ccf1421545dbe5caa20c@syzkaller.appspotmail.com EXT4-fs warning (device loop0): ext4_es_cache_extent:1082: inode #18: comm syz.0.37: ES cache extent failed: add [22,10,230,0x1] conflict with existing [17,15,145,0x2] EXT4-fs warning (device loop0): ext4_es_cache_extent:1082: inode #18: comm syz.0.37: ES cache extent failed: add [32,1,353,0x1] conflict with existing [32,1,161,0x2] EXT4-fs warning (device loop0): ext4_es_cache_extent:1082: inode #18: comm syz.0.37: ES cache extent failed: add [33,15,353,0x1] conflict with existing [33,15,161,0x2] ------------[ cut here ]------------ kernel BUG at fs/ext4/extents_status.c:1044! Oops: invalid opcode: 0000 [#1] SMP KASAN PTI CPU: 0 UID: 0 PID: 6168 Comm: syz.0.37 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026 RIP: 0010:ext4_es_cache_extent+0x875/0x9e0 fs/ext4/extents_status.c:1044 Code: e1 07 80 c1 03 38 c1 0f 8c 5c fe ff ff 48 8b 7c 24 18 e8 7e 15 ae ff e9 4d fe ff ff e8 a4 32 44 ff 90 0f 0b e8 9c 32 44 ff 90 <0f> 0b 65 8b 1d f6 c4 99 10 bf 07 00 00 00 89 de e8 c6 36 44 ff 83 RSP: 0018:ffffc90003dedb80 EFLAGS: 00010293 RAX: ffffffff82816b34 RBX: 0000000000000023 RCX: ffff8880271c9e40 RDX: 0000000000000000 RSI: 0000000000000030 RDI: 0000000000000023 RBP: ffffc90003dedcc8 R08: ffffc90003dedc37 R09: 0000000000000000 R10: ffffc90003dedc20 R11: fffff520007bdb87 R12: ffffc90003dedc20 R13: 0000000000000030 R14: 000000000000000f R15: dffffc0000000000 FS: 000055556ddfe500(0000) GS:ffff88812546d000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f56b9c15000 CR3: 0000000079388000 CR4: 00000000003526f0 Call Trace: <TASK> ext4_cache_extents fs/ext4/extents.c:539 [inline] __read_extent_tree_block+0x4b4/0x890 fs/ext4/extents.c:586 ext4_find_extent+0x76b/0xcc0 fs/ext4/extents.c:941 ext4_ext_map_blocks+0x283/0x58b0 fs/ext4/extents.c:4263 ext4_map_create_blocks+0x11d/0x540 fs/ext4/inode.c:616 ext4_map_blocks+0x7cd/0x11d0 fs/ext4/inode.c:809 _ext4_get_block+0x1e3/0x470 fs/ext4/inode.c:909 ext4_get_block_unwritten+0x2e/0x100 fs/ext4/inode.c:942 ext4_block_write_begin+0xb14/0x1950 fs/ext4/inode.c:1196 ext4_write_begin+0xb40/0x18c0 fs/ext4/ext4_jbd2.h:-1 ext4_da_write_begin+0x355/0xd80 fs/ext4/inode.c:3123 generic_perform_write+0x2e2/0x8f0 mm/filemap.c:4314 ext4_buffered_write_iter+0xce/0x3a0 fs/ext4/file.c:300 ext4_file_write_iter+0x298/0x1bf0 fs/ext4/file.c:-1 __kernel_write_iter+0x41e/0x880 fs/read_write.c:621 dump_emit_page fs/coredump.c:1299 [inline] dump_user_range+0xb89/0x12d0 fs/coredump.c:1373 elf_core_dump+0x34c2/0x3ad0 fs/binfmt_elf.c:2111 coredump_write+0x1219/0x1950 fs/coredump.c:1050 do_coredump fs/coredump.c:1127 [inline] vfs_coredump+0x36a9/0x4280 fs/coredump.c:1201 get_signal+0x1107/0x1330 kernel/signal.c:3019 arch_do_signal_or_restart+0xbc/0x830 arch/x86/kernel/signal.c:337 __exit_to_user_mode_loop kernel/entry/common.c:64 [inline] exit_to_user_mode_loop kernel/entry/common.c:98 [inline] __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline] irqentry_exit_to_user_mode_prepare include/linux/irq-entry-common.h:270 [inline] irqentry_exit_to_user_mode include/linux/irq-entry-common.h:339 [inline] irqentry_exit+0x176/0x620 kernel/entry/common.c:219 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618 RIP: 0033:0x0 Code: Unable to access opcode bytes at 0xffffffffffffffd6. RSP: 002b:0000200000000548 EFLAGS: 00010217 RAX: 0000000000000000 RBX: 00007efd00215fa0 RCX: 00007efcfff9aeb9 RDX: 0000000000000000 RSI: 0000200000000540 RDI: 0000000000000000 RBP: 00007efd00008c1f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007efd00215fac R14: 00007efd00215fa0 R15: 00007efd00215fa0 </TASK> Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:ext4_es_cache_extent+0x875/0x9e0 fs/ext4/extents_status.c:1044 Code: e1 07 80 c1 03 38 c1 0f 8c 5c fe ff ff 48 8b 7c 24 18 e8 7e 15 ae ff e9 4d fe ff ff e8 a4 32 44 ff 90 0f 0b e8 9c 32 44 ff 90 <0f> 0b 65 8b 1d f6 c4 99 10 bf 07 00 00 00 89 de e8 c6 36 44 ff 83 RSP: 0018:ffffc90003dedb80 EFLAGS: 00010293 RAX: ffffffff82816b34 RBX: 0000000000000023 RCX: ffff8880271c9e40 RDX: 0000000000000000 RSI: 0000000000000030 RDI: 0000000000000023 RBP: ffffc90003dedcc8 R08: ffffc90003dedc37 R09: 0000000000000000 R10: ffffc90003dedc20 R11: fffff520007bdb87 R12: ffffc90003dedc20 R13: 0000000000000030 R14: 000000000000000f R15: dffffc0000000000 FS: 000055556ddfe500(0000) GS:ffff88812556d000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000c00426e000 CR3: 0000000079388000 CR4: 00000000003526f0 --- This report is generated by a bot. It may contain errors. See https://goo.gl/tpsmEJ for more information about syzbot. syzbot engineers can be reached at syzkaller@googlegroups.com. syzbot will keep track of this issue. See: https://goo.gl/tpsmEJ#status for how to communicate with syzbot. If the report is already addressed, let syzbot know by replying with: #syz fix: exact-commit-title If you want syzbot to run the reproducer, reply with: #syz test: git://repo/address.git branch-or-commit-hash If you attach or paste a git patch, syzbot will apply it before testing. If you want to overwrite report's subsystems, reply with: #syz set subsystems: new-subsystem (See the list of subsystem names on the web dashboard) If the report is a duplicate of another one, reply with: #syz dup: exact-subject-of-another-report If you want to undo deduplication, reply with: #syz undup ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [syzbot] [ext4?] kernel BUG in ext4_es_cache_extent (4) 2026-02-09 2:08 [syzbot] [ext4?] kernel BUG in ext4_es_cache_extent (4) syzbot @ 2026-02-09 19:22 ` Ojaswin Mujoo 2026-02-09 19:42 ` syzbot 2026-03-03 19:19 ` syzbot 1 sibling, 1 reply; 17+ messages in thread From: Ojaswin Mujoo @ 2026-02-09 19:22 UTC (permalink / raw) To: syzbot; +Cc: adilger.kernel, linux-ext4, linux-kernel, syzkaller-bugs, tytso On Sun, Feb 08, 2026 at 06:08:27PM -0800, syzbot wrote: > Hello, > > syzbot found the following issue on: > > HEAD commit: 0f8a890c4524 Add linux-next specific files for 20260204 > git tree: linux-next > console output: https://syzkaller.appspot.com/x/log.txt?x=12d547fa580000 > kernel config: https://syzkaller.appspot.com/x/.config?x=c09aefae2687abea > dashboard link: https://syzkaller.appspot.com/bug?extid=ccf1421545dbe5caa20c > compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8 > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16420a52580000 > > Downloadable assets: > disk image: https://storage.googleapis.com/syzbot-assets/3c923d50ef46/disk-0f8a890c.raw.xz > vmlinux: https://storage.googleapis.com/syzbot-assets/3a560206fcf3/vmlinux-0f8a890c.xz > kernel image: https://storage.googleapis.com/syzbot-assets/e0826a2ee028/bzImage-0f8a890c.xz > mounted in repro: https://storage.googleapis.com/syzbot-assets/4532e6e390d7/mount_0.gz > fsck result: failed (log: https://syzkaller.appspot.com/x/fsck.log?x=1533aa5a580000) > > IMPORTANT: if you fix the issue, please add the following tag to the commit: > Reported-by: syzbot+ccf1421545dbe5caa20c@syzkaller.appspotmail.com > > EXT4-fs warning (device loop0): ext4_es_cache_extent:1082: inode #18: comm syz.0.37: ES cache extent failed: add [22,10,230,0x1] conflict with existing [17,15,145,0x2] > EXT4-fs warning (device loop0): ext4_es_cache_extent:1082: inode #18: comm syz.0.37: ES cache extent failed: add [32,1,353,0x1] conflict with existing [32,1,161,0x2] > EXT4-fs warning (device loop0): ext4_es_cache_extent:1082: inode #18: comm syz.0.37: ES cache extent failed: add [33,15,353,0x1] conflict with existing [33,15,161,0x2] > ------------[ cut here ]------------ > kernel BUG at fs/ext4/extents_status.c:1044! > Oops: invalid opcode: 0000 [#1] SMP KASAN PTI > CPU: 0 UID: 0 PID: 6168 Comm: syz.0.37 Not tainted syzkaller #0 PREEMPT(full) > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026 > RIP: 0010:ext4_es_cache_extent+0x875/0x9e0 fs/ext4/extents_status.c:1044 > Code: e1 07 80 c1 03 38 c1 0f 8c 5c fe ff ff 48 8b 7c 24 18 e8 7e 15 ae ff e9 4d fe ff ff e8 a4 32 44 ff 90 0f 0b e8 9c 32 44 ff 90 <0f> 0b 65 8b 1d f6 c4 99 10 bf 07 00 00 00 89 de e8 c6 36 44 ff 83 > RSP: 0018:ffffc90003dedb80 EFLAGS: 00010293 > RAX: ffffffff82816b34 RBX: 0000000000000023 RCX: ffff8880271c9e40 > RDX: 0000000000000000 RSI: 0000000000000030 RDI: 0000000000000023 > RBP: ffffc90003dedcc8 R08: ffffc90003dedc37 R09: 0000000000000000 > R10: ffffc90003dedc20 R11: fffff520007bdb87 R12: ffffc90003dedc20 > R13: 0000000000000030 R14: 000000000000000f R15: dffffc0000000000 > FS: 000055556ddfe500(0000) GS:ffff88812546d000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 00007f56b9c15000 CR3: 0000000079388000 CR4: 00000000003526f0 > Call Trace: > <TASK> > ext4_cache_extents fs/ext4/extents.c:539 [inline] > __read_extent_tree_block+0x4b4/0x890 fs/ext4/extents.c:586 > ext4_find_extent+0x76b/0xcc0 fs/ext4/extents.c:941 > ext4_ext_map_blocks+0x283/0x58b0 fs/ext4/extents.c:4263 > ext4_map_create_blocks+0x11d/0x540 fs/ext4/inode.c:616 > ext4_map_blocks+0x7cd/0x11d0 fs/ext4/inode.c:809 > _ext4_get_block+0x1e3/0x470 fs/ext4/inode.c:909 > ext4_get_block_unwritten+0x2e/0x100 fs/ext4/inode.c:942 > ext4_block_write_begin+0xb14/0x1950 fs/ext4/inode.c:1196 > ext4_write_begin+0xb40/0x18c0 fs/ext4/ext4_jbd2.h:-1 > ext4_da_write_begin+0x355/0xd80 fs/ext4/inode.c:3123 > generic_perform_write+0x2e2/0x8f0 mm/filemap.c:4314 > ext4_buffered_write_iter+0xce/0x3a0 fs/ext4/file.c:300 > ext4_file_write_iter+0x298/0x1bf0 fs/ext4/file.c:-1 > __kernel_write_iter+0x41e/0x880 fs/read_write.c:621 > dump_emit_page fs/coredump.c:1299 [inline] > dump_user_range+0xb89/0x12d0 fs/coredump.c:1373 > elf_core_dump+0x34c2/0x3ad0 fs/binfmt_elf.c:2111 > coredump_write+0x1219/0x1950 fs/coredump.c:1050 > do_coredump fs/coredump.c:1127 [inline] > vfs_coredump+0x36a9/0x4280 fs/coredump.c:1201 > get_signal+0x1107/0x1330 kernel/signal.c:3019 > arch_do_signal_or_restart+0xbc/0x830 arch/x86/kernel/signal.c:337 > __exit_to_user_mode_loop kernel/entry/common.c:64 [inline] > exit_to_user_mode_loop kernel/entry/common.c:98 [inline] > __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline] > irqentry_exit_to_user_mode_prepare include/linux/irq-entry-common.h:270 [inline] > irqentry_exit_to_user_mode include/linux/irq-entry-common.h:339 [inline] > irqentry_exit+0x176/0x620 kernel/entry/common.c:219 > asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618 > RIP: 0033:0x0 > Code: Unable to access opcode bytes at 0xffffffffffffffd6. > RSP: 002b:0000200000000548 EFLAGS: 00010217 > RAX: 0000000000000000 RBX: 00007efd00215fa0 RCX: 00007efcfff9aeb9 > RDX: 0000000000000000 RSI: 0000200000000540 RDI: 0000000000000000 > RBP: 00007efd00008c1f R08: 0000000000000000 R09: 0000000000000000 > R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 > R13: 00007efd00215fac R14: 00007efd00215fa0 R15: 00007efd00215fa0 > </TASK> > Modules linked in: > ---[ end trace 0000000000000000 ]--- > RIP: 0010:ext4_es_cache_extent+0x875/0x9e0 fs/ext4/extents_status.c:1044 > Code: e1 07 80 c1 03 38 c1 0f 8c 5c fe ff ff 48 8b 7c 24 18 e8 7e 15 ae ff e9 4d fe ff ff e8 a4 32 44 ff 90 0f 0b e8 9c 32 44 ff 90 <0f> 0b 65 8b 1d f6 c4 99 10 bf 07 00 00 00 89 de e8 c6 36 44 ff 83 > RSP: 0018:ffffc90003dedb80 EFLAGS: 00010293 > RAX: ffffffff82816b34 RBX: 0000000000000023 RCX: ffff8880271c9e40 > RDX: 0000000000000000 RSI: 0000000000000030 RDI: 0000000000000023 > RBP: ffffc90003dedcc8 R08: ffffc90003dedc37 R09: 0000000000000000 > R10: ffffc90003dedc20 R11: fffff520007bdb87 R12: ffffc90003dedc20 > R13: 0000000000000030 R14: 000000000000000f R15: dffffc0000000000 > FS: 000055556ddfe500(0000) GS:ffff88812556d000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 000000c00426e000 CR3: 0000000079388000 CR4: 00000000003526f0 Okay so I've been looking into this and it is a bit confusing to me. I see that we crash because of this line in ext4_es_cache_extent() ext4_lblk_t end = lblk + len - 1; ... BUG_ON(end < lblk); which means out len was somehow 0 or negative which ideally shouldn't be possible. Further, seems like the syzcaller program itself segfaults causing a core dump which then calls ext4 to write the dump and we fail. Now, theres no C reproducer but I managed to run the syz repro in a VM with same commit and .config as syzcaller but I'm unable to hit the issue, syzbot however is able to hit it consistently. In the console logs I see [ 170.335935][ T5956] EXT4-fs (loop0): unmounting filesystem 00000000-0000-0000-0000-000000000000. [ 170.401257][ T6165] loop0: detected capacity change from 0 to 1024 [ 170.429239][ T6165] EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none. [ 170.501277][ T6165] EXT4-fs error (device loop0): mb_free_blocks:2047: group 0, inode 15: block 369:freeing already freed block (bit 23); block bitmap corrupt. [ 170.516829][ T6168] EXT4-fs warning (device loop0): ext4_es_cache_extent:1082: inode #18: comm syz.0.37: ES cache extent failed: add [1,20,18446744073709551615,0x8] conflict with existing [1,15,129,0x2] before the crash which suggests we might have some sort of corruption going on, maybe the syscaller image is corrupted. Fsck.ext4 is returning Illegal block number passed to ext2fs_mark_block_bitmap #0 for check_desc map Superblock first_data_block = 1, should have been 0 debugfs is able to open it however, but I don't see any obvious signs of corruption yet. I'll check a bit more on this. In the mean time lets see if syzcaller can hit it on the Ted's latest branch as well. #syz test: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git dev Regards, ojaswin > > > --- > This report is generated by a bot. It may contain errors. > See https://goo.gl/tpsmEJ for more information about syzbot. > syzbot engineers can be reached at syzkaller@googlegroups.com. > > syzbot will keep track of this issue. See: > https://goo.gl/tpsmEJ#status for how to communicate with syzbot. > > If the report is already addressed, let syzbot know by replying with: > #syz fix: exact-commit-title > > If you want syzbot to run the reproducer, reply with: > #syz test: git://repo/address.git branch-or-commit-hash > If you attach or paste a git patch, syzbot will apply it before testing. > > If you want to overwrite report's subsystems, reply with: > #syz set subsystems: new-subsystem > (See the list of subsystem names on the web dashboard) > > If the report is a duplicate of another one, reply with: > #syz dup: exact-subject-of-another-report > > If you want to undo deduplication, reply with: > #syz undup ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [syzbot] [ext4?] kernel BUG in ext4_es_cache_extent (4) 2026-02-09 19:22 ` Ojaswin Mujoo @ 2026-02-09 19:42 ` syzbot 2026-02-10 5:49 ` Ojaswin Mujoo 0 siblings, 1 reply; 17+ messages in thread From: syzbot @ 2026-02-09 19:42 UTC (permalink / raw) To: adilger.kernel, linux-ext4, linux-kernel, ojaswin, syzkaller-bugs, tytso Hello, syzbot has tested the proposed patch but the reproducer is still triggering an issue: kernel BUG in ext4_ext_insert_extent inode 15: block 305:freeing already freed block (bit 19); block bitmap corrupt. ------------[ cut here ]------------ kernel BUG at fs/ext4/extents.c:2158! Oops: invalid opcode: 0000 [#1] SMP KASAN PTI CPU: 0 UID: 0 PID: 7267 Comm: syz.8.85 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026 RIP: 0010:ext4_ext_insert_extent+0x4b19/0x4b50 fs/ext4/extents.c:2158 Code: 89 d9 80 e1 07 fe c1 38 c1 0f 8c 98 e7 ff ff 48 89 df e8 4a 96 b1 ff e9 8b e7 ff ff e8 70 5b 49 ff 90 0f 0b e8 68 5b 49 ff 90 <0f> 0b e8 60 5b 49 ff 90 0f 0b 89 d9 80 e1 07 80 c1 03 38 c1 0f 8c RSP: 0018:ffffc90004d8ec20 EFLAGS: 00010293 RAX: ffffffff827ae338 RBX: 0000000000000021 RCX: ffff8880269d1e80 RDX: 0000000000000000 RSI: 0000000000000021 RDI: 0000000000000021 RBP: ffffc90004d8edd0 R08: ffff88805b34b747 R09: 1ffff1100b6696e8 R10: dffffc0000000000 R11: ffffed100b6696e9 R12: 0000000000000021 R13: dffffc0000000000 R14: ffff88807090c43c R15: ffff88804dea8700 FS: 00007f7f021716c0(0000) GS:ffff888125766000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fdd8b3e1198 CR3: 000000005af88000 CR4: 00000000003526f0 Call Trace: <TASK> ext4_ext_map_blocks+0x168a/0x5760 fs/ext4/extents.c:4459 ext4_map_create_blocks+0x11d/0x540 fs/ext4/inode.c:616 ext4_map_blocks+0x7cd/0x11d0 fs/ext4/inode.c:809 _ext4_get_block+0x1e3/0x470 fs/ext4/inode.c:909 ext4_get_block_unwritten+0x2e/0x100 fs/ext4/inode.c:942 ext4_block_write_begin+0xb14/0x1950 fs/ext4/inode.c:1196 ext4_write_begin+0xb40/0x1870 fs/ext4/ext4_jbd2.h:-1 ext4_da_write_begin+0x355/0xd30 fs/ext4/inode.c:3123 generic_perform_write+0x2e2/0x8f0 mm/filemap.c:4314 ext4_buffered_write_iter+0xce/0x3a0 fs/ext4/file.c:299 ext4_file_write_iter+0x298/0x1bf0 fs/ext4/file.c:-1 do_iter_readv_writev+0x619/0x8c0 fs/read_write.c:-1 vfs_writev+0x33c/0x990 fs/read_write.c:1057 do_pwritev fs/read_write.c:1153 [inline] __do_sys_pwritev2 fs/read_write.c:1211 [inline] __se_sys_pwritev2+0x184/0x2a0 fs/read_write.c:1202 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f7f0139aeb9 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f7f02171028 EFLAGS: 00000246 ORIG_RAX: 0000000000000148 RAX: ffffffffffffffda RBX: 00007f7f01615fa0 RCX: 00007f7f0139aeb9 RDX: 0000000000000001 RSI: 0000200000000100 RDI: 0000000000000004 RBP: 00007f7f01408c1f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000005412 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f7f01616038 R14: 00007f7f01615fa0 R15: 00007ffd34928518 </TASK> Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:ext4_ext_insert_extent+0x4b19/0x4b50 fs/ext4/extents.c:2158 Code: 89 d9 80 e1 07 fe c1 38 c1 0f 8c 98 e7 ff ff 48 89 df e8 4a 96 b1 ff e9 8b e7 ff ff e8 70 5b 49 ff 90 0f 0b e8 68 5b 49 ff 90 <0f> 0b e8 60 5b 49 ff 90 0f 0b 89 d9 80 e1 07 80 c1 03 38 c1 0f 8c RSP: 0018:ffffc90004d8ec20 EFLAGS: 00010293 RAX: ffffffff827ae338 RBX: 0000000000000021 RCX: ffff8880269d1e80 RDX: 0000000000000000 RSI: 0000000000000021 RDI: 0000000000000021 RBP: ffffc90004d8edd0 R08: ffff88805b34b747 R09: 1ffff1100b6696e8 R10: dffffc0000000000 R11: ffffed100b6696e9 R12: 0000000000000021 R13: dffffc0000000000 R14: ffff88807090c43c R15: ffff88804dea8700 FS: 00007f7f021716c0(0000) GS:ffff888125766000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fdd8b1e8600 CR3: 000000005af88000 CR4: 00000000003526f0 Tested on: commit: 4f5e8e6f et4: allow zeroout when doing written to unwr.. git tree: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git dev console output: https://syzkaller.appspot.com/x/log.txt?x=15091b22580000 kernel config: https://syzkaller.appspot.com/x/.config?x=a535ad5429f72a2 dashboard link: https://syzkaller.appspot.com/bug?extid=ccf1421545dbe5caa20c compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8 Note: no patches were applied. ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [syzbot] [ext4?] kernel BUG in ext4_es_cache_extent (4) 2026-02-09 19:42 ` syzbot @ 2026-02-10 5:49 ` Ojaswin Mujoo 2026-02-10 6:20 ` syzbot 0 siblings, 1 reply; 17+ messages in thread From: Ojaswin Mujoo @ 2026-02-10 5:49 UTC (permalink / raw) To: syzbot; +Cc: adilger.kernel, linux-ext4, linux-kernel, syzkaller-bugs, tytso On Mon, Feb 09, 2026 at 11:42:03AM -0800, syzbot wrote: > Hello, > > syzbot has tested the proposed patch but the reproducer is still triggering an issue: > kernel BUG in ext4_ext_insert_extent > > inode 15: block 305:freeing already freed block (bit 19); block bitmap corrupt. > ------------[ cut here ]------------ > kernel BUG at fs/ext4/extents.c:2158! > Oops: invalid opcode: 0000 [#1] SMP KASAN PTI > CPU: 0 UID: 0 PID: 7267 Comm: syz.8.85 Not tainted syzkaller #0 PREEMPT(full) > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026 > RIP: 0010:ext4_ext_insert_extent+0x4b19/0x4b50 fs/ext4/extents.c:2158 > Code: 89 d9 80 e1 07 fe c1 38 c1 0f 8c 98 e7 ff ff 48 89 df e8 4a 96 b1 ff e9 8b e7 ff ff e8 70 5b 49 ff 90 0f 0b e8 68 5b 49 ff 90 <0f> 0b e8 60 5b 49 ff 90 0f 0b 89 d9 80 e1 07 80 c1 03 38 c1 0f 8c > RSP: 0018:ffffc90004d8ec20 EFLAGS: 00010293 > RAX: ffffffff827ae338 RBX: 0000000000000021 RCX: ffff8880269d1e80 > RDX: 0000000000000000 RSI: 0000000000000021 RDI: 0000000000000021 > RBP: ffffc90004d8edd0 R08: ffff88805b34b747 R09: 1ffff1100b6696e8 > R10: dffffc0000000000 R11: ffffed100b6696e9 R12: 0000000000000021 > R13: dffffc0000000000 R14: ffff88807090c43c R15: ffff88804dea8700 > FS: 00007f7f021716c0(0000) GS:ffff888125766000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 00007fdd8b3e1198 CR3: 000000005af88000 CR4: 00000000003526f0 > Call Trace: > <TASK> > ext4_ext_map_blocks+0x168a/0x5760 fs/ext4/extents.c:4459 > ext4_map_create_blocks+0x11d/0x540 fs/ext4/inode.c:616 > ext4_map_blocks+0x7cd/0x11d0 fs/ext4/inode.c:809 > _ext4_get_block+0x1e3/0x470 fs/ext4/inode.c:909 > ext4_get_block_unwritten+0x2e/0x100 fs/ext4/inode.c:942 > ext4_block_write_begin+0xb14/0x1950 fs/ext4/inode.c:1196 > ext4_write_begin+0xb40/0x1870 fs/ext4/ext4_jbd2.h:-1 > ext4_da_write_begin+0x355/0xd30 fs/ext4/inode.c:3123 > generic_perform_write+0x2e2/0x8f0 mm/filemap.c:4314 > ext4_buffered_write_iter+0xce/0x3a0 fs/ext4/file.c:299 > ext4_file_write_iter+0x298/0x1bf0 fs/ext4/file.c:-1 > do_iter_readv_writev+0x619/0x8c0 fs/read_write.c:-1 > vfs_writev+0x33c/0x990 fs/read_write.c:1057 > do_pwritev fs/read_write.c:1153 [inline] > __do_sys_pwritev2 fs/read_write.c:1211 [inline] > __se_sys_pwritev2+0x184/0x2a0 fs/read_write.c:1202 > do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] > do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94 > entry_SYSCALL_64_after_hwframe+0x77/0x7f > RIP: 0033:0x7f7f0139aeb9 > Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 > RSP: 002b:00007f7f02171028 EFLAGS: 00000246 ORIG_RAX: 0000000000000148 > RAX: ffffffffffffffda RBX: 00007f7f01615fa0 RCX: 00007f7f0139aeb9 > RDX: 0000000000000001 RSI: 0000200000000100 RDI: 0000000000000004 > RBP: 00007f7f01408c1f R08: 0000000000000000 R09: 0000000000000000 > R10: 0000000000005412 R11: 0000000000000246 R12: 0000000000000000 > R13: 00007f7f01616038 R14: 00007f7f01615fa0 R15: 00007ffd34928518 > </TASK> > Modules linked in: > ---[ end trace 0000000000000000 ]--- > RIP: 0010:ext4_ext_insert_extent+0x4b19/0x4b50 fs/ext4/extents.c:2158 > Code: 89 d9 80 e1 07 fe c1 38 c1 0f 8c 98 e7 ff ff 48 89 df e8 4a 96 b1 ff e9 8b e7 ff ff e8 70 5b 49 ff 90 0f 0b e8 68 5b 49 ff 90 <0f> 0b e8 60 5b 49 ff 90 0f 0b 89 d9 80 e1 07 80 c1 03 38 c1 0f 8c > RSP: 0018:ffffc90004d8ec20 EFLAGS: 00010293 > RAX: ffffffff827ae338 RBX: 0000000000000021 RCX: ffff8880269d1e80 > RDX: 0000000000000000 RSI: 0000000000000021 RDI: 0000000000000021 > RBP: ffffc90004d8edd0 R08: ffff88805b34b747 R09: 1ffff1100b6696e8 > R10: dffffc0000000000 R11: ffffed100b6696e9 R12: 0000000000000021 > R13: dffffc0000000000 R14: ffff88807090c43c R15: ffff88804dea8700 > FS: 00007f7f021716c0(0000) GS:ffff888125766000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 00007fdd8b1e8600 CR3: 000000005af88000 CR4: 00000000003526f0 Okay, so this time we tripped while adding an extent whose ee_block already existed, which should ideally have never happened. We should have just returned the extent in ext4_map_query_blocks(). I'll prepare a patch with debug logs, in the meantime lets see if the issue exists before recent extent codepath changes. #syz test: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git 26f260ce5828fc7897a regards, ojaswin > > > Tested on: > > commit: 4f5e8e6f et4: allow zeroout when doing written to unwr.. > git tree: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git dev > console output: https://syzkaller.appspot.com/x/log.txt?x=15091b22580000 > kernel config: https://syzkaller.appspot.com/x/.config?x=a535ad5429f72a2 > dashboard link: https://syzkaller.appspot.com/bug?extid=ccf1421545dbe5caa20c > compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8 > > Note: no patches were applied. ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [syzbot] [ext4?] kernel BUG in ext4_es_cache_extent (4) 2026-02-10 5:49 ` Ojaswin Mujoo @ 2026-02-10 6:20 ` syzbot 2026-02-10 12:33 ` Ojaswin Mujoo 0 siblings, 1 reply; 17+ messages in thread From: syzbot @ 2026-02-10 6:20 UTC (permalink / raw) To: adilger.kernel, linux-ext4, linux-kernel, ojaswin, syzkaller-bugs, tytso Hello, syzbot has tested the proposed patch but the reproducer is still triggering an issue: kernel BUG in ext4_es_cache_extent EXT4-fs warning (device loop7): ext4_es_cache_extent:1081: inode #18: comm syz.7.209: ES cache extent failed: add [33,3,18446744073709551615,0x8] conflict with existing [33,15,257,0x2] EXT4-fs warning (device loop7): ext4_es_cache_extent:1081: inode #18: comm syz.7.209: ES cache extent failed: add [36,12,292,0x1] conflict with existing [33,15,257,0x2] ------------[ cut here ]------------ kernel BUG at fs/ext4/extents_status.c:1043! Oops: invalid opcode: 0000 [#1] SMP KASAN PTI CPU: 1 UID: 0 PID: 9040 Comm: syz.7.209 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026 RIP: 0010:ext4_es_cache_extent+0x86e/0x990 fs/ext4/extents_status.c:1043 Code: e1 07 80 c1 03 38 c1 0f 8c 5d fe ff ff 48 8b 7c 24 20 e8 25 4d af ff e9 4e fe ff ff e8 1b 12 47 ff 90 0f 0b e8 13 12 47 ff 90 <0f> 0b 65 8b 1d 9d 73 6e 10 bf 07 00 00 00 89 de e8 3d 16 47 ff 83 RSP: 0018:ffffc900054fdba0 EFLAGS: 00010293 RAX: ffffffff827d2c8d RBX: 0000000000000023 RCX: ffff88801dfe8000 RDX: 0000000000000000 RSI: 0000000000000030 RDI: 0000000000000023 RBP: ffffc900054fdce8 R08: ffffc900054fdc57 R09: 0000000000000000 R10: ffffc900054fdc40 R11: fffff52000a9fb8b R12: 0000000000000030 R13: dffffc0000000000 R14: 000000000000000f R15: ffff88807d100638 FS: 00007efd221aa6c0(0000) GS:ffff888125866000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fbc5c5e8600 CR3: 000000007569c000 CR4: 00000000003526f0 Call Trace: <TASK> ext4_cache_extents fs/ext4/extents.c:544 [inline] __read_extent_tree_block+0x4b4/0x840 fs/ext4/extents.c:591 ext4_find_extent+0x76b/0xcc0 fs/ext4/extents.c:944 ext4_ext_map_blocks+0x29d/0x6cd0 fs/ext4/extents.c:4239 ext4_map_create_blocks fs/ext4/inode.c:613 [inline] ext4_map_blocks+0x8da/0x1830 fs/ext4/inode.c:816 _ext4_get_block+0x1e3/0x470 fs/ext4/inode.c:916 ext4_get_block_unwritten+0x2e/0x100 fs/ext4/inode.c:949 ext4_block_write_begin+0xb14/0x1950 fs/ext4/inode.c:1203 ext4_write_begin+0xb40/0x1870 fs/ext4/ext4_jbd2.h:-1 ext4_da_write_begin+0x355/0xd30 fs/ext4/inode.c:3130 generic_perform_write+0x2e2/0x8f0 mm/filemap.c:4314 ext4_buffered_write_iter+0xce/0x3a0 fs/ext4/file.c:299 ext4_file_write_iter+0x298/0x1c10 fs/ext4/file.c:-1 __kernel_write_iter+0x41e/0x880 fs/read_write.c:619 dump_emit_page fs/coredump.c:1298 [inline] dump_user_range+0xb89/0x12d0 fs/coredump.c:1372 elf_core_dump+0x34c2/0x3ad0 fs/binfmt_elf.c:2111 coredump_write+0x1219/0x1950 fs/coredump.c:1049 do_coredump fs/coredump.c:1126 [inline] vfs_coredump+0x369e/0x4270 fs/coredump.c:1200 get_signal+0x1107/0x1330 kernel/signal.c:3019 arch_do_signal_or_restart+0xbc/0x830 arch/x86/kernel/signal.c:337 __exit_to_user_mode_loop kernel/entry/common.c:41 [inline] exit_to_user_mode_loop kernel/entry/common.c:75 [inline] __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline] irqentry_exit_to_user_mode_prepare include/linux/irq-entry-common.h:270 [inline] irqentry_exit_to_user_mode include/linux/irq-entry-common.h:339 [inline] irqentry_exit+0x176/0x620 kernel/entry/common.c:196 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618 RIP: 0033:0x0 Code: Unable to access opcode bytes at 0xffffffffffffffd6. RSP: 002b:0000200000000548 EFLAGS: 00010217 RAX: 0000000000000000 RBX: 00007efd21615fa0 RCX: 00007efd2139aeb9 RDX: 0000000000000000 RSI: 0000200000000540 RDI: 0000000000000000 RBP: 00007efd21408c1f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007efd21616038 R14: 00007efd21615fa0 R15: 00007ffc2b2553f8 </TASK> Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:ext4_es_cache_extent+0x86e/0x990 fs/ext4/extents_status.c:1043 Code: e1 07 80 c1 03 38 c1 0f 8c 5d fe ff ff 48 8b 7c 24 20 e8 25 4d af ff e9 4e fe ff ff e8 1b 12 47 ff 90 0f 0b e8 13 12 47 ff 90 <0f> 0b 65 8b 1d 9d 73 6e 10 bf 07 00 00 00 89 de e8 3d 16 47 ff 83 RSP: 0018:ffffc900054fdba0 EFLAGS: 00010293 RAX: ffffffff827d2c8d RBX: 0000000000000023 RCX: ffff88801dfe8000 RDX: 0000000000000000 RSI: 0000000000000030 RDI: 0000000000000023 RBP: ffffc900054fdce8 R08: ffffc900054fdc57 R09: 0000000000000000 R10: ffffc900054fdc40 R11: fffff52000a9fb8b R12: 0000000000000030 R13: dffffc0000000000 R14: 000000000000000f R15: ffff88807d100638 FS: 00007efd221aa6c0(0000) GS:ffff888125766000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f82eec0f000 CR3: 000000007569c000 CR4: 00000000003526f0 Tested on: commit: 26f260ce ext4: remove unnecessary zero-initialization .. git tree: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git console output: https://syzkaller.appspot.com/x/log.txt?x=12dcd78a580000 kernel config: https://syzkaller.appspot.com/x/.config?x=a535ad5429f72a2 dashboard link: https://syzkaller.appspot.com/bug?extid=ccf1421545dbe5caa20c compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8 Note: no patches were applied. ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [syzbot] [ext4?] kernel BUG in ext4_es_cache_extent (4) 2026-02-10 6:20 ` syzbot @ 2026-02-10 12:33 ` Ojaswin Mujoo 2026-02-10 15:24 ` syzbot 0 siblings, 1 reply; 17+ messages in thread From: Ojaswin Mujoo @ 2026-02-10 12:33 UTC (permalink / raw) To: syzbot; +Cc: adilger.kernel, linux-ext4, linux-kernel, syzkaller-bugs, tytso [-- Attachment #1: Type: text/plain, Size: 5656 bytes --] On Mon, Feb 09, 2026 at 10:20:03PM -0800, syzbot wrote: > Hello, > > syzbot has tested the proposed patch but the reproducer is still triggering an issue: > kernel BUG in ext4_es_cache_extent > > EXT4-fs warning (device loop7): ext4_es_cache_extent:1081: inode #18: comm syz.7.209: ES cache extent failed: add [33,3,18446744073709551615,0x8] conflict with existing [33,15,257,0x2] > EXT4-fs warning (device loop7): ext4_es_cache_extent:1081: inode #18: comm syz.7.209: ES cache extent failed: add [36,12,292,0x1] conflict with existing [33,15,257,0x2] > ------------[ cut here ]------------ > kernel BUG at fs/ext4/extents_status.c:1043! > Oops: invalid opcode: 0000 [#1] SMP KASAN PTI > CPU: 1 UID: 0 PID: 9040 Comm: syz.7.209 Not tainted syzkaller #0 PREEMPT(full) > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026 > RIP: 0010:ext4_es_cache_extent+0x86e/0x990 fs/ext4/extents_status.c:1043 > Code: e1 07 80 c1 03 38 c1 0f 8c 5d fe ff ff 48 8b 7c 24 20 e8 25 4d af ff e9 4e fe ff ff e8 1b 12 47 ff 90 0f 0b e8 13 12 47 ff 90 <0f> 0b 65 8b 1d 9d 73 6e 10 bf 07 00 00 00 89 de e8 3d 16 47 ff 83 > RSP: 0018:ffffc900054fdba0 EFLAGS: 00010293 > RAX: ffffffff827d2c8d RBX: 0000000000000023 RCX: ffff88801dfe8000 > RDX: 0000000000000000 RSI: 0000000000000030 RDI: 0000000000000023 > RBP: ffffc900054fdce8 R08: ffffc900054fdc57 R09: 0000000000000000 > R10: ffffc900054fdc40 R11: fffff52000a9fb8b R12: 0000000000000030 > R13: dffffc0000000000 R14: 000000000000000f R15: ffff88807d100638 > FS: 00007efd221aa6c0(0000) GS:ffff888125866000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 00007fbc5c5e8600 CR3: 000000007569c000 CR4: 00000000003526f0 > Call Trace: > <TASK> > ext4_cache_extents fs/ext4/extents.c:544 [inline] > __read_extent_tree_block+0x4b4/0x840 fs/ext4/extents.c:591 > ext4_find_extent+0x76b/0xcc0 fs/ext4/extents.c:944 > ext4_ext_map_blocks+0x29d/0x6cd0 fs/ext4/extents.c:4239 > ext4_map_create_blocks fs/ext4/inode.c:613 [inline] > ext4_map_blocks+0x8da/0x1830 fs/ext4/inode.c:816 > _ext4_get_block+0x1e3/0x470 fs/ext4/inode.c:916 > ext4_get_block_unwritten+0x2e/0x100 fs/ext4/inode.c:949 > ext4_block_write_begin+0xb14/0x1950 fs/ext4/inode.c:1203 > ext4_write_begin+0xb40/0x1870 fs/ext4/ext4_jbd2.h:-1 > ext4_da_write_begin+0x355/0xd30 fs/ext4/inode.c:3130 > generic_perform_write+0x2e2/0x8f0 mm/filemap.c:4314 > ext4_buffered_write_iter+0xce/0x3a0 fs/ext4/file.c:299 > ext4_file_write_iter+0x298/0x1c10 fs/ext4/file.c:-1 > __kernel_write_iter+0x41e/0x880 fs/read_write.c:619 > dump_emit_page fs/coredump.c:1298 [inline] > dump_user_range+0xb89/0x12d0 fs/coredump.c:1372 > elf_core_dump+0x34c2/0x3ad0 fs/binfmt_elf.c:2111 > coredump_write+0x1219/0x1950 fs/coredump.c:1049 > do_coredump fs/coredump.c:1126 [inline] > vfs_coredump+0x369e/0x4270 fs/coredump.c:1200 > get_signal+0x1107/0x1330 kernel/signal.c:3019 > arch_do_signal_or_restart+0xbc/0x830 arch/x86/kernel/signal.c:337 > __exit_to_user_mode_loop kernel/entry/common.c:41 [inline] > exit_to_user_mode_loop kernel/entry/common.c:75 [inline] > __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline] > irqentry_exit_to_user_mode_prepare include/linux/irq-entry-common.h:270 [inline] > irqentry_exit_to_user_mode include/linux/irq-entry-common.h:339 [inline] > irqentry_exit+0x176/0x620 kernel/entry/common.c:196 > asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618 > RIP: 0033:0x0 > Code: Unable to access opcode bytes at 0xffffffffffffffd6. > RSP: 002b:0000200000000548 EFLAGS: 00010217 > RAX: 0000000000000000 RBX: 00007efd21615fa0 RCX: 00007efd2139aeb9 > RDX: 0000000000000000 RSI: 0000200000000540 RDI: 0000000000000000 > RBP: 00007efd21408c1f R08: 0000000000000000 R09: 0000000000000000 > R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 > R13: 00007efd21616038 R14: 00007efd21615fa0 R15: 00007ffc2b2553f8 > </TASK> > Modules linked in: > ---[ end trace 0000000000000000 ]--- > RIP: 0010:ext4_es_cache_extent+0x86e/0x990 fs/ext4/extents_status.c:1043 > Code: e1 07 80 c1 03 38 c1 0f 8c 5d fe ff ff 48 8b 7c 24 20 e8 25 4d af ff e9 4e fe ff ff e8 1b 12 47 ff 90 0f 0b e8 13 12 47 ff 90 <0f> 0b 65 8b 1d 9d 73 6e 10 bf 07 00 00 00 89 de e8 3d 16 47 ff 83 > RSP: 0018:ffffc900054fdba0 EFLAGS: 00010293 > RAX: ffffffff827d2c8d RBX: 0000000000000023 RCX: ffff88801dfe8000 > RDX: 0000000000000000 RSI: 0000000000000030 RDI: 0000000000000023 > RBP: ffffc900054fdce8 R08: ffffc900054fdc57 R09: 0000000000000000 > R10: ffffc900054fdc40 R11: fffff52000a9fb8b R12: 0000000000000030 > R13: dffffc0000000000 R14: 000000000000000f R15: ffff88807d100638 > FS: 00007efd221aa6c0(0000) GS:ffff888125766000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 00007f82eec0f000 CR3: 000000007569c000 CR4: 00000000003526f0 Okay, so this is hitting even before the recent changes. I've made a logging patch which might help narrow this down. #syz test: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git dev regards, ojaswin > > Tested on: > > commit: 26f260ce ext4: remove unnecessary zero-initialization .. > git tree: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git > console output: https://syzkaller.appspot.com/x/log.txt?x=12dcd78a580000 > kernel config: https://syzkaller.appspot.com/x/.config?x=a535ad5429f72a2 > dashboard link: https://syzkaller.appspot.com/bug?extid=ccf1421545dbe5caa20c > compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8 > > Note: no patches were applied. [-- Attachment #2: 0001-ext4-add-logging-to-debug-issue.patch --] [-- Type: text/plain, Size: 5644 bytes --] From 3cbb86fa6f5d2c49fafb714e8ad3011eb17498b4 Mon Sep 17 00:00:00 2001 From: Ojaswin Mujoo <ojaswin@linux.ibm.com> Date: Tue, 10 Feb 2026 17:59:17 +0530 Subject: [PATCH] ext4: add logging to debug issue --- fs/ext4/extents.c | 21 +++++++++++++++++++++ fs/ext4/extents_status.c | 17 +++++++++++++++++ fs/ext4/mballoc.c | 27 +++++++++++++++++++++++++++ 3 files changed, 65 insertions(+) diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c index 3630b27e4fd7..e6df9833a279 100644 --- a/fs/ext4/extents.c +++ b/fs/ext4/extents.c @@ -2006,6 +2006,22 @@ ext4_ext_insert_extent(handle_t *handle, struct inode *inode, goto errout; } + ext4_warning_inode( + inode, + "%s: add newext [%d, %d, %lld, unwrit:%d] to extent tree.\n", + __func__, le32_to_cpu(newext->ee_block), + ext4_ext_get_actual_len(newext), ext4_ext_pblock(newext), + ext4_ext_is_unwritten(newext)); + + if (ex) { + ext4_warning_inode( + inode, + "%s: ext at current path: [%d, %d, %lld, unwrit:%d]\n", + __func__, le32_to_cpu(ex->ee_block), + ext4_ext_get_actual_len(ex), ext4_ext_pblock(ex), + ext4_ext_is_unwritten(ex)); + } + /* try to insert block into found extent and return */ if (ex && !(gb_flags & EXT4_GET_BLOCKS_SPLIT_NOMERGE)) { @@ -2832,6 +2848,11 @@ int ext4_ext_remove_space(struct inode *inode, ext4_lblk_t start, int i = 0, err = 0; int flags = EXT4_EX_NOCACHE | EXT4_EX_NOFAIL; + ext4_warning_inode( + inode, + "%s: remove range [%d, %d] from extent tree\n", + __func__, start, end); + partial.pclu = 0; partial.lblk = 0; partial.state = initial; diff --git a/fs/ext4/extents_status.c b/fs/ext4/extents_status.c index a1538bac51c6..0cfcf583bc37 100644 --- a/fs/ext4/extents_status.c +++ b/fs/ext4/extents_status.c @@ -847,6 +847,10 @@ static int __es_insert_extent(struct inode *inode, struct extent_status *newes, struct rb_node *parent = NULL; struct extent_status *es; + ext4_warning_inode(inode, "%s: add [%d, %d, %llu, 0x%x]\n", __func__, + newes->es_lblk, newes->es_lblk + newes->es_len - 1, ext4_es_pblock(newes), + ext4_es_status(newes)); + while (*p) { parent = *p; es = rb_entry(parent, struct extent_status, rb_node); @@ -921,6 +925,10 @@ void ext4_es_insert_extent(struct inode *inode, ext4_lblk_t lblk, es_debug("add [%u/%u) %llu %x %d to extent status tree of inode %lu\n", lblk, len, pblk, status, delalloc_reserve_used, inode->i_ino); + ext4_warning_inode( + inode, + "%s: add [%u, %u] %llu %x %d to extent status tree of inode %lu\n", + __func__, lblk, lblk + len - 1, pblk, status, delalloc_reserve_used, inode->i_ino); if (!len) return; @@ -1493,6 +1501,11 @@ static int __es_remove_extent(struct inode *inode, ext4_lblk_t lblk, bool count_reserved = true; struct rsvd_count rc; + ext4_warning_inode( + inode, + "%s: remove [%u,%u] range from extent status tree of inode %lu\n", + __func__, lblk, end, inode->i_ino); + if (reserved == NULL || !test_opt(inode->i_sb, DELALLOC)) count_reserved = false; if (status == 0) @@ -1633,6 +1646,10 @@ void ext4_es_remove_extent(struct inode *inode, ext4_lblk_t lblk, es_debug("remove [%u/%u) from extent status tree of inode %lu\n", lblk, len, inode->i_ino); + ext4_warning_inode( + inode, + "%s: remove [%u,%u] range from extent status tree of inode %lu\n", + __func__, lblk, end, inode->i_ino); if (!len) return; diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c index dbc82b65f810..35331d35f630 100644 --- a/fs/ext4/mballoc.c +++ b/fs/ext4/mballoc.c @@ -2004,6 +2004,18 @@ static void mb_free_blocks(struct inode *inode, struct ext4_buddy *e4b, int last = first + count - 1; struct super_block *sb = e4b->bd_sb; + ext4_fsblk_t pblk = + ext4_group_first_block_no(e4b->bd_sb, e4b->bd_group) + + (first << EXT4_SB(e4b->bd_sb)->s_cluster_bits); + + if (inode) + ext4_warning_inode(inode, "%s: trying to free blocks [%lld, %lld].\n", + __func__, pblk, pblk + count - 1); + else + ext4_warning(sb, "%s: trying to free blocks [%lld, %lld].\n", + __func__, pblk, pblk + count - 1); + + if (WARN_ON(count == 0)) return; BUG_ON(last >= (sb->s_blocksize << 3)); @@ -3101,6 +3113,12 @@ ext4_mb_regular_allocator(struct ext4_allocation_context *ac) if (!err && ac->ac_status != AC_STATUS_FOUND && ac->ac_first_err) err = ac->ac_first_err; + ext4_warning_inode( + ac->ac_inode, + "%s: Best len %d, origin len %d, ac_status %u, ac_flags 0x%x, cr %d ret %d\n", + __func__, ac->ac_b_ex.fe_len, ac->ac_o_ex.fe_len, ac->ac_status, + ac->ac_flags, ac->ac_criteria, err); + mb_debug(sb, "Best len %d, origin len %d, ac_status %u, ac_flags 0x%x, cr %d ret %d\n", ac->ac_b_ex.fe_len, ac->ac_o_ex.fe_len, ac->ac_status, ac->ac_flags, ac->ac_criteria, err); @@ -6251,6 +6269,10 @@ ext4_fsblk_t ext4_mb_new_blocks(handle_t *handle, sb = ar->inode->i_sb; sbi = EXT4_SB(sb); + ext4_warning_inode(ar->inode, + "%s: Allocation requested for: [%d, %d]\n", + __func__, ar->logical, ar->logical + ar->len - 1); + trace_ext4_request_blocks(ar); if (sbi->s_mount_state & EXT4_FC_REPLAY) return ext4_mb_new_blocks_simple(ar, errp); @@ -6334,6 +6356,11 @@ ext4_fsblk_t ext4_mb_new_blocks(handle_t *handle, ext4_mb_pa_put_free(ac); } if (likely(ac->ac_status == AC_STATUS_FOUND)) { + ext4_warning_inode( + ar->inode, + "%s: Allocation found: [%d, %d], pblk:%lld len:%u\n", + __func__, ar->logical, ar->logical + ac->ac_b_ex.fe_len - 1, + ext4_grp_offs_to_block(sb, &ac->ac_b_ex), ac->ac_b_ex.fe_len); *errp = ext4_mb_mark_diskspace_used(ac, handle); if (*errp) { ext4_discard_allocated_blocks(ac); -- 2.52.0 ^ permalink raw reply related [flat|nested] 17+ messages in thread
* Re: [syzbot] [ext4?] kernel BUG in ext4_es_cache_extent (4) 2026-02-10 12:33 ` Ojaswin Mujoo @ 2026-02-10 15:24 ` syzbot 2026-02-10 18:06 ` Ojaswin Mujoo 0 siblings, 1 reply; 17+ messages in thread From: syzbot @ 2026-02-10 15:24 UTC (permalink / raw) To: adilger.kernel, linux-ext4, linux-kernel, ojaswin, syzkaller-bugs, tytso Hello, syzbot has tested the proposed patch but the reproducer is still triggering an issue: kernel BUG in ext4_ext_insert_extent inode 15: block 305:freeing already freed block (bit 19); block bitmap corrupt. ------------[ cut here ]------------ kernel BUG at fs/ext4/extents.c:2174! Oops: invalid opcode: 0000 [#1] SMP KASAN PTI CPU: 0 UID: 0 PID: 6747 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026 RIP: 0010:ext4_ext_insert_extent+0x5248/0x5280 fs/ext4/extents.c:2174 Code: 89 d9 80 e1 07 fe c1 38 c1 0f 8c 75 e4 ff ff 48 89 df e8 1b 8f b1 ff e9 68 e4 ff ff e8 41 54 49 ff 90 0f 0b e8 39 54 49 ff 90 <0f> 0b e8 31 54 49 ff 90 0f 0b 89 d9 80 e1 07 80 c1 03 38 c1 0f 8c RSP: 0018:ffffc9000426ebe0 EFLAGS: 00010293 RAX: ffffffff827aea67 RBX: 0000000000000021 RCX: ffff88802fe9db80 RDX: 0000000000000000 RSI: 0000000000000021 RDI: 0000000000000021 RBP: ffffc9000426edd0 R08: ffff888076d2d0ef R09: 1ffff1100eda5a1d R10: dffffc0000000000 R11: ffffed100eda5a1e R12: ffff888063f4b43c R13: ffff888143ff8500 R14: ffff888063f4b400 R15: 0000000000000021 FS: 00007efc4003a6c0(0000) GS:ffff888125766000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000200000003000 CR3: 0000000028bcc000 CR4: 00000000003526f0 Call Trace: <TASK> ext4_ext_map_blocks+0x168a/0x5760 fs/ext4/extents.c:4480 ext4_map_create_blocks+0x11d/0x540 fs/ext4/inode.c:616 ext4_map_blocks+0x7cd/0x11d0 fs/ext4/inode.c:809 _ext4_get_block+0x1e3/0x470 fs/ext4/inode.c:909 ext4_get_block_unwritten+0x2e/0x100 fs/ext4/inode.c:942 ext4_block_write_begin+0xb14/0x1950 fs/ext4/inode.c:1196 ext4_write_begin+0xb40/0x1870 fs/ext4/ext4_jbd2.h:-1 ext4_da_write_begin+0x355/0xd30 fs/ext4/inode.c:3123 generic_perform_write+0x2e2/0x8f0 mm/filemap.c:4314 ext4_buffered_write_iter+0xce/0x3a0 fs/ext4/file.c:299 ext4_file_write_iter+0x298/0x1bf0 fs/ext4/file.c:-1 do_iter_readv_writev+0x619/0x8c0 fs/read_write.c:-1 vfs_writev+0x33c/0x990 fs/read_write.c:1057 do_pwritev fs/read_write.c:1153 [inline] __do_sys_pwritev2 fs/read_write.c:1211 [inline] __se_sys_pwritev2+0x184/0x2a0 fs/read_write.c:1202 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7efc3f19aeb9 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007efc4003a028 EFLAGS: 00000246 ORIG_RAX: 0000000000000148 RAX: ffffffffffffffda RBX: 00007efc3f415fa0 RCX: 00007efc3f19aeb9 RDX: 0000000000000001 RSI: 0000200000000100 RDI: 0000000000000004 RBP: 00007efc3f208c1f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000005412 R11: 0000000000000246 R12: 0000000000000000 R13: 00007efc3f416038 R14: 00007efc3f415fa0 R15: 00007ffefdbddaa8 </TASK> Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:ext4_ext_insert_extent+0x5248/0x5280 fs/ext4/extents.c:2174 Code: 89 d9 80 e1 07 fe c1 38 c1 0f 8c 75 e4 ff ff 48 89 df e8 1b 8f b1 ff e9 68 e4 ff ff e8 41 54 49 ff 90 0f 0b e8 39 54 49 ff 90 <0f> 0b e8 31 54 49 ff 90 0f 0b 89 d9 80 e1 07 80 c1 03 38 c1 0f 8c RSP: 0018:ffffc9000426ebe0 EFLAGS: 00010293 RAX: ffffffff827aea67 RBX: 0000000000000021 RCX: ffff88802fe9db80 RDX: 0000000000000000 RSI: 0000000000000021 RDI: 0000000000000021 RBP: ffffc9000426edd0 R08: ffff888076d2d0ef R09: 1ffff1100eda5a1d R10: dffffc0000000000 R11: ffffed100eda5a1e R12: ffff888063f4b43c R13: ffff888143ff8500 R14: ffff888063f4b400 R15: 0000000000000021 FS: 00007efc4003a6c0(0000) GS:ffff888125866000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fc4a9f45000 CR3: 0000000028bcc000 CR4: 00000000003526f0 Tested on: commit: 4f5e8e6f et4: allow zeroout when doing written to unwr.. git tree: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git dev console output: https://syzkaller.appspot.com/x/log.txt?x=1081d33a580000 kernel config: https://syzkaller.appspot.com/x/.config?x=a535ad5429f72a2 dashboard link: https://syzkaller.appspot.com/bug?extid=ccf1421545dbe5caa20c compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8 patch: https://syzkaller.appspot.com/x/patch.diff?x=10c15194580000 ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [syzbot] [ext4?] kernel BUG in ext4_es_cache_extent (4) 2026-02-10 15:24 ` syzbot @ 2026-02-10 18:06 ` Ojaswin Mujoo 2026-02-10 19:59 ` Ojaswin Mujoo 0 siblings, 1 reply; 17+ messages in thread From: Ojaswin Mujoo @ 2026-02-10 18:06 UTC (permalink / raw) To: syzbot; +Cc: adilger.kernel, linux-ext4, linux-kernel, syzkaller-bugs, tytso [-- Attachment #1: Type: text/plain, Size: 6555 bytes --] On Tue, Feb 10, 2026 at 07:24:03AM -0800, syzbot wrote: > Hello, > > syzbot has tested the proposed patch but the reproducer is still triggering an issue: > kernel BUG in ext4_ext_insert_extent Okay, so I see these logs: [ 131.589929][ T6747] EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none. ... [ 131.684962][ T6747] EXT4-fs warning (device loop0): __es_insert_extent:852: inode #15: comm syz.0.17: __es_insert_extent: add [0, -2, 576460752303423487, 0x8] ... [ 131.771155][ T6747] EXT4-fs warning (device loop0): ext4_mb_new_blocks:6274: inode #15: comm syz.0.17: ext4_mb_new_blocks: Allocation requested for: [0, 0] [ 131.966256][ T6747] EXT4-fs warning (device loop0): ext4_mb_new_blocks:6363: inode #15: comm syz.0.17: ext4_mb_new_blocks: Allocation found: [0, 0], pblk:113 len:1 Seems like we are trying to cache an extent that is of length -2. This seems like some sort of corruption with the disk but at the same time, this inode (#15) is actually an inline inode as pointed by debugfs: stat file1 Inode: 15 Type: regular Mode: 0755 Flags: 0x10000000 Generation: 1710885023 Version: 0x00000000:00000001 User: 0 Group: 0 Project: 0 Size: 10 File ACL: 0 Links: 1 Blockcount: 0 Fragment: Address: 0 Number: 0 Size: 0 ctime: 0x637cf1f3:929ce9b8 -- Tue Nov 22 21:29:47 2022 atime: 0x698af58d:e97a2a00 -- Tue Feb 10 14:38:29 2026 mtime: 0x637cf1f3:929ce9b8 -- Tue Nov 22 21:29:47 2022 crtime: 0x637cf1f3:929ce9b8 -- Tue Nov 22 21:29:47 2022 Size of extra inode fields: 32 Extended attributes: system.data (0) user.xattr1 (6) = "xattr1" user.xattr2 (6) = "xattr2" Size of inline data: 60 ex file1 file1: does not uses extent block maps And the logs also don't show any other operation between this and the mount. Seems like there is a disk corruption but somehow I'm unable to see it in debugfs, maybe I'm missing the case. Adding some more logging and fixing a few log cases to confirm this. Regards, ojaswin > > inode 15: block 305:freeing already freed block (bit 19); block bitmap corrupt. > ------------[ cut here ]------------ > kernel BUG at fs/ext4/extents.c:2174! > Oops: invalid opcode: 0000 [#1] SMP KASAN PTI > CPU: 0 UID: 0 PID: 6747 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026 > RIP: 0010:ext4_ext_insert_extent+0x5248/0x5280 fs/ext4/extents.c:2174 > Code: 89 d9 80 e1 07 fe c1 38 c1 0f 8c 75 e4 ff ff 48 89 df e8 1b 8f b1 ff e9 68 e4 ff ff e8 41 54 49 ff 90 0f 0b e8 39 54 49 ff 90 <0f> 0b e8 31 54 49 ff 90 0f 0b 89 d9 80 e1 07 80 c1 03 38 c1 0f 8c > RSP: 0018:ffffc9000426ebe0 EFLAGS: 00010293 > RAX: ffffffff827aea67 RBX: 0000000000000021 RCX: ffff88802fe9db80 > RDX: 0000000000000000 RSI: 0000000000000021 RDI: 0000000000000021 > RBP: ffffc9000426edd0 R08: ffff888076d2d0ef R09: 1ffff1100eda5a1d > R10: dffffc0000000000 R11: ffffed100eda5a1e R12: ffff888063f4b43c > R13: ffff888143ff8500 R14: ffff888063f4b400 R15: 0000000000000021 > FS: 00007efc4003a6c0(0000) GS:ffff888125766000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 0000200000003000 CR3: 0000000028bcc000 CR4: 00000000003526f0 > Call Trace: > <TASK> > ext4_ext_map_blocks+0x168a/0x5760 fs/ext4/extents.c:4480 > ext4_map_create_blocks+0x11d/0x540 fs/ext4/inode.c:616 > ext4_map_blocks+0x7cd/0x11d0 fs/ext4/inode.c:809 > _ext4_get_block+0x1e3/0x470 fs/ext4/inode.c:909 > ext4_get_block_unwritten+0x2e/0x100 fs/ext4/inode.c:942 > ext4_block_write_begin+0xb14/0x1950 fs/ext4/inode.c:1196 > ext4_write_begin+0xb40/0x1870 fs/ext4/ext4_jbd2.h:-1 > ext4_da_write_begin+0x355/0xd30 fs/ext4/inode.c:3123 > generic_perform_write+0x2e2/0x8f0 mm/filemap.c:4314 > ext4_buffered_write_iter+0xce/0x3a0 fs/ext4/file.c:299 > ext4_file_write_iter+0x298/0x1bf0 fs/ext4/file.c:-1 > do_iter_readv_writev+0x619/0x8c0 fs/read_write.c:-1 > vfs_writev+0x33c/0x990 fs/read_write.c:1057 > do_pwritev fs/read_write.c:1153 [inline] > __do_sys_pwritev2 fs/read_write.c:1211 [inline] > __se_sys_pwritev2+0x184/0x2a0 fs/read_write.c:1202 > do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] > do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94 > entry_SYSCALL_64_after_hwframe+0x77/0x7f > RIP: 0033:0x7efc3f19aeb9 > Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 > RSP: 002b:00007efc4003a028 EFLAGS: 00000246 ORIG_RAX: 0000000000000148 > RAX: ffffffffffffffda RBX: 00007efc3f415fa0 RCX: 00007efc3f19aeb9 > RDX: 0000000000000001 RSI: 0000200000000100 RDI: 0000000000000004 > RBP: 00007efc3f208c1f R08: 0000000000000000 R09: 0000000000000000 > R10: 0000000000005412 R11: 0000000000000246 R12: 0000000000000000 > R13: 00007efc3f416038 R14: 00007efc3f415fa0 R15: 00007ffefdbddaa8 > </TASK> > Modules linked in: > ---[ end trace 0000000000000000 ]--- > RIP: 0010:ext4_ext_insert_extent+0x5248/0x5280 fs/ext4/extents.c:2174 > Code: 89 d9 80 e1 07 fe c1 38 c1 0f 8c 75 e4 ff ff 48 89 df e8 1b 8f b1 ff e9 68 e4 ff ff e8 41 54 49 ff 90 0f 0b e8 39 54 49 ff 90 <0f> 0b e8 31 54 49 ff 90 0f 0b 89 d9 80 e1 07 80 c1 03 38 c1 0f 8c > RSP: 0018:ffffc9000426ebe0 EFLAGS: 00010293 > RAX: ffffffff827aea67 RBX: 0000000000000021 RCX: ffff88802fe9db80 > RDX: 0000000000000000 RSI: 0000000000000021 RDI: 0000000000000021 > RBP: ffffc9000426edd0 R08: ffff888076d2d0ef R09: 1ffff1100eda5a1d > R10: dffffc0000000000 R11: ffffed100eda5a1e R12: ffff888063f4b43c > R13: ffff888143ff8500 R14: ffff888063f4b400 R15: 0000000000000021 > FS: 00007efc4003a6c0(0000) GS:ffff888125866000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 00007fc4a9f45000 CR3: 0000000028bcc000 CR4: 00000000003526f0 > > > Tested on: > > commit: 4f5e8e6f et4: allow zeroout when doing written to unwr.. > git tree: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git dev > console output: https://syzkaller.appspot.com/x/log.txt?x=1081d33a580000 > kernel config: https://syzkaller.appspot.com/x/.config?x=a535ad5429f72a2 > dashboard link: https://syzkaller.appspot.com/bug?extid=ccf1421545dbe5caa20c > compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8 > patch: https://syzkaller.appspot.com/x/patch.diff?x=10c15194580000 > [-- Attachment #2: 0001-ext4-add-logging-to-debug-issue.patch --] [-- Type: text/plain, Size: 6386 bytes --] From 4e793c55c63757a604934dd4e14318cd66e9b900 Mon Sep 17 00:00:00 2001 From: Ojaswin Mujoo <ojaswin@linux.ibm.com> Date: Tue, 10 Feb 2026 17:59:17 +0530 Subject: [PATCH] ext4: add logging to debug issue --- fs/ext4/extents.c | 24 ++++++++++++++++++++++++ fs/ext4/extents_status.c | 22 ++++++++++++++++++++++ fs/ext4/mballoc.c | 27 +++++++++++++++++++++++++++ 3 files changed, 73 insertions(+) diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c index 3630b27e4fd7..95a3eadcee67 100644 --- a/fs/ext4/extents.c +++ b/fs/ext4/extents.c @@ -529,6 +529,9 @@ static void ext4_cache_extents(struct inode *inode, int i; KUNIT_STATIC_STUB_REDIRECT(ext4_cache_extents, inode, eh); + ext4_warning_inode(inode, "%s: caching extents\n", __func__); + if (strncmp(inode->i_sb->s_id, "loop", 4)) + dump_stack(); for (i = le16_to_cpu(eh->eh_entries); i > 0; i--, ex++) { unsigned int status = EXTENT_STATUS_WRITTEN; @@ -2006,6 +2009,22 @@ ext4_ext_insert_extent(handle_t *handle, struct inode *inode, goto errout; } + ext4_warning_inode( + inode, + "%s: add newext [%d, %d, %lld, unwrit:%d] to extent tree.\n", + __func__, le32_to_cpu(newext->ee_block), + ext4_ext_get_actual_len(newext), ext4_ext_pblock(newext), + ext4_ext_is_unwritten(newext)); + + if (ex) { + ext4_warning_inode( + inode, + "%s: ext at current path: [%d, %d, %lld, unwrit:%d]\n", + __func__, le32_to_cpu(ex->ee_block), + ext4_ext_get_actual_len(ex), ext4_ext_pblock(ex), + ext4_ext_is_unwritten(ex)); + } + /* try to insert block into found extent and return */ if (ex && !(gb_flags & EXT4_GET_BLOCKS_SPLIT_NOMERGE)) { @@ -2832,6 +2851,11 @@ int ext4_ext_remove_space(struct inode *inode, ext4_lblk_t start, int i = 0, err = 0; int flags = EXT4_EX_NOCACHE | EXT4_EX_NOFAIL; + ext4_warning_inode( + inode, + "%s: remove range [%d, %d] from extent tree\n", + __func__, start, end); + partial.pclu = 0; partial.lblk = 0; partial.state = initial; diff --git a/fs/ext4/extents_status.c b/fs/ext4/extents_status.c index a1538bac51c6..285acca9a6de 100644 --- a/fs/ext4/extents_status.c +++ b/fs/ext4/extents_status.c @@ -847,6 +847,10 @@ static int __es_insert_extent(struct inode *inode, struct extent_status *newes, struct rb_node *parent = NULL; struct extent_status *es; + ext4_warning_inode(inode, "%s: add [%d, %d, %llu, 0x%x]\n", __func__, + newes->es_lblk, newes->es_lblk + newes->es_len - 1, ext4_es_pblock(newes), + ext4_es_status(newes)); + while (*p) { parent = *p; es = rb_entry(parent, struct extent_status, rb_node); @@ -921,6 +925,10 @@ void ext4_es_insert_extent(struct inode *inode, ext4_lblk_t lblk, es_debug("add [%u/%u) %llu %x %d to extent status tree of inode %lu\n", lblk, len, pblk, status, delalloc_reserve_used, inode->i_ino); + ext4_warning_inode( + inode, + "%s: add [%u, %u] %llu %x %d to extent status tree of inode %lu\n", + __func__, lblk, lblk + len - 1, pblk, status, delalloc_reserve_used, inode->i_ino); if (!len) return; @@ -1031,6 +1039,11 @@ void ext4_es_cache_extent(struct inode *inode, ext4_lblk_t lblk, bool conflict = false; int err; + ext4_warning_inode( + inode, + "%s: cache extent lblk:%d len:%d pblk:%lld status:0x%x\n", + __func__, lblk, len, pblk, status); + if (EXT4_SB(inode->i_sb)->s_mount_state & EXT4_FC_REPLAY) return; @@ -1493,6 +1506,11 @@ static int __es_remove_extent(struct inode *inode, ext4_lblk_t lblk, bool count_reserved = true; struct rsvd_count rc; + ext4_warning_inode( + inode, + "%s: remove [%u,%u] range from extent status tree of inode %lu\n", + __func__, lblk, end, inode->i_ino); + if (reserved == NULL || !test_opt(inode->i_sb, DELALLOC)) count_reserved = false; if (status == 0) @@ -1633,6 +1651,10 @@ void ext4_es_remove_extent(struct inode *inode, ext4_lblk_t lblk, es_debug("remove [%u/%u) from extent status tree of inode %lu\n", lblk, len, inode->i_ino); + ext4_warning_inode( + inode, + "%s: remove [%d,%lld] range from extent status tree of inode %lu\n", + __func__, lblk, (loff_t)lblk + len -1, inode->i_ino); if (!len) return; diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c index dbc82b65f810..35331d35f630 100644 --- a/fs/ext4/mballoc.c +++ b/fs/ext4/mballoc.c @@ -2004,6 +2004,18 @@ static void mb_free_blocks(struct inode *inode, struct ext4_buddy *e4b, int last = first + count - 1; struct super_block *sb = e4b->bd_sb; + ext4_fsblk_t pblk = + ext4_group_first_block_no(e4b->bd_sb, e4b->bd_group) + + (first << EXT4_SB(e4b->bd_sb)->s_cluster_bits); + + if (inode) + ext4_warning_inode(inode, "%s: trying to free blocks [%lld, %lld].\n", + __func__, pblk, pblk + count - 1); + else + ext4_warning(sb, "%s: trying to free blocks [%lld, %lld].\n", + __func__, pblk, pblk + count - 1); + + if (WARN_ON(count == 0)) return; BUG_ON(last >= (sb->s_blocksize << 3)); @@ -3101,6 +3113,12 @@ ext4_mb_regular_allocator(struct ext4_allocation_context *ac) if (!err && ac->ac_status != AC_STATUS_FOUND && ac->ac_first_err) err = ac->ac_first_err; + ext4_warning_inode( + ac->ac_inode, + "%s: Best len %d, origin len %d, ac_status %u, ac_flags 0x%x, cr %d ret %d\n", + __func__, ac->ac_b_ex.fe_len, ac->ac_o_ex.fe_len, ac->ac_status, + ac->ac_flags, ac->ac_criteria, err); + mb_debug(sb, "Best len %d, origin len %d, ac_status %u, ac_flags 0x%x, cr %d ret %d\n", ac->ac_b_ex.fe_len, ac->ac_o_ex.fe_len, ac->ac_status, ac->ac_flags, ac->ac_criteria, err); @@ -6251,6 +6269,10 @@ ext4_fsblk_t ext4_mb_new_blocks(handle_t *handle, sb = ar->inode->i_sb; sbi = EXT4_SB(sb); + ext4_warning_inode(ar->inode, + "%s: Allocation requested for: [%d, %d]\n", + __func__, ar->logical, ar->logical + ar->len - 1); + trace_ext4_request_blocks(ar); if (sbi->s_mount_state & EXT4_FC_REPLAY) return ext4_mb_new_blocks_simple(ar, errp); @@ -6334,6 +6356,11 @@ ext4_fsblk_t ext4_mb_new_blocks(handle_t *handle, ext4_mb_pa_put_free(ac); } if (likely(ac->ac_status == AC_STATUS_FOUND)) { + ext4_warning_inode( + ar->inode, + "%s: Allocation found: [%d, %d], pblk:%lld len:%u\n", + __func__, ar->logical, ar->logical + ac->ac_b_ex.fe_len - 1, + ext4_grp_offs_to_block(sb, &ac->ac_b_ex), ac->ac_b_ex.fe_len); *errp = ext4_mb_mark_diskspace_used(ac, handle); if (*errp) { ext4_discard_allocated_blocks(ac); -- 2.52.0 ^ permalink raw reply related [flat|nested] 17+ messages in thread
* Re: [syzbot] [ext4?] kernel BUG in ext4_es_cache_extent (4) 2026-02-10 18:06 ` Ojaswin Mujoo @ 2026-02-10 19:59 ` Ojaswin Mujoo 2026-02-10 20:54 ` syzbot 0 siblings, 1 reply; 17+ messages in thread From: Ojaswin Mujoo @ 2026-02-10 19:59 UTC (permalink / raw) To: syzbot; +Cc: adilger.kernel, linux-ext4, linux-kernel, syzkaller-bugs, tytso [-- Attachment #1: Type: text/plain, Size: 13718 bytes --] On Tue, Feb 10, 2026 at 11:36:53PM +0530, Ojaswin Mujoo wrote: > On Tue, Feb 10, 2026 at 07:24:03AM -0800, syzbot wrote: > > Hello, > > > > syzbot has tested the proposed patch but the reproducer is still triggering an issue: > > kernel BUG in ext4_ext_insert_extent > Forgot to add the tag: #syz test: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git dev > Okay, so I see these logs: > > [ 131.589929][ T6747] EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none. > ... > [ 131.684962][ T6747] EXT4-fs warning (device loop0): __es_insert_extent:852: inode #15: comm syz.0.17: __es_insert_extent: add [0, -2, 576460752303423487, 0x8] > ... > [ 131.771155][ T6747] EXT4-fs warning (device loop0): ext4_mb_new_blocks:6274: inode #15: comm syz.0.17: ext4_mb_new_blocks: Allocation requested for: [0, 0] > [ 131.966256][ T6747] EXT4-fs warning (device loop0): ext4_mb_new_blocks:6363: inode #15: comm syz.0.17: ext4_mb_new_blocks: Allocation found: [0, 0], pblk:113 len:1 > > Seems like we are trying to cache an extent that is of length -2. This > seems like some sort of corruption with the disk but at the same time, > this inode (#15) is actually an inline inode as pointed by debugfs: > > stat file1 > Inode: 15 Type: regular Mode: 0755 Flags: 0x10000000 > Generation: 1710885023 Version: 0x00000000:00000001 > User: 0 Group: 0 Project: 0 Size: 10 > File ACL: 0 > Links: 1 Blockcount: 0 > Fragment: Address: 0 Number: 0 Size: 0 > ctime: 0x637cf1f3:929ce9b8 -- Tue Nov 22 21:29:47 2022 > atime: 0x698af58d:e97a2a00 -- Tue Feb 10 14:38:29 2026 > mtime: 0x637cf1f3:929ce9b8 -- Tue Nov 22 21:29:47 2022 > crtime: 0x637cf1f3:929ce9b8 -- Tue Nov 22 21:29:47 2022 > Size of extra inode fields: 32 > Extended attributes: > system.data (0) > user.xattr1 (6) = "xattr1" > user.xattr2 (6) = "xattr2" > Size of inline data: 60 > > ex file1 > file1: does not uses extent block maps > > And the logs also don't show any other operation between this and the > mount. Seems like there is a disk corruption but somehow I'm unable to > see it in debugfs, maybe I'm missing the case. Adding some more logging > and fixing a few log cases to confirm this. > > Regards, > ojaswin > > > > > inode 15: block 305:freeing already freed block (bit 19); block bitmap corrupt. > > ------------[ cut here ]------------ > > kernel BUG at fs/ext4/extents.c:2174! > > Oops: invalid opcode: 0000 [#1] SMP KASAN PTI > > CPU: 0 UID: 0 PID: 6747 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026 > > RIP: 0010:ext4_ext_insert_extent+0x5248/0x5280 fs/ext4/extents.c:2174 > > Code: 89 d9 80 e1 07 fe c1 38 c1 0f 8c 75 e4 ff ff 48 89 df e8 1b 8f b1 ff e9 68 e4 ff ff e8 41 54 49 ff 90 0f 0b e8 39 54 49 ff 90 <0f> 0b e8 31 54 49 ff 90 0f 0b 89 d9 80 e1 07 80 c1 03 38 c1 0f 8c > > RSP: 0018:ffffc9000426ebe0 EFLAGS: 00010293 > > RAX: ffffffff827aea67 RBX: 0000000000000021 RCX: ffff88802fe9db80 > > RDX: 0000000000000000 RSI: 0000000000000021 RDI: 0000000000000021 > > RBP: ffffc9000426edd0 R08: ffff888076d2d0ef R09: 1ffff1100eda5a1d > > R10: dffffc0000000000 R11: ffffed100eda5a1e R12: ffff888063f4b43c > > R13: ffff888143ff8500 R14: ffff888063f4b400 R15: 0000000000000021 > > FS: 00007efc4003a6c0(0000) GS:ffff888125766000(0000) knlGS:0000000000000000 > > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > > CR2: 0000200000003000 CR3: 0000000028bcc000 CR4: 00000000003526f0 > > Call Trace: > > <TASK> > > ext4_ext_map_blocks+0x168a/0x5760 fs/ext4/extents.c:4480 > > ext4_map_create_blocks+0x11d/0x540 fs/ext4/inode.c:616 > > ext4_map_blocks+0x7cd/0x11d0 fs/ext4/inode.c:809 > > _ext4_get_block+0x1e3/0x470 fs/ext4/inode.c:909 > > ext4_get_block_unwritten+0x2e/0x100 fs/ext4/inode.c:942 > > ext4_block_write_begin+0xb14/0x1950 fs/ext4/inode.c:1196 > > ext4_write_begin+0xb40/0x1870 fs/ext4/ext4_jbd2.h:-1 > > ext4_da_write_begin+0x355/0xd30 fs/ext4/inode.c:3123 > > generic_perform_write+0x2e2/0x8f0 mm/filemap.c:4314 > > ext4_buffered_write_iter+0xce/0x3a0 fs/ext4/file.c:299 > > ext4_file_write_iter+0x298/0x1bf0 fs/ext4/file.c:-1 > > do_iter_readv_writev+0x619/0x8c0 fs/read_write.c:-1 > > vfs_writev+0x33c/0x990 fs/read_write.c:1057 > > do_pwritev fs/read_write.c:1153 [inline] > > __do_sys_pwritev2 fs/read_write.c:1211 [inline] > > __se_sys_pwritev2+0x184/0x2a0 fs/read_write.c:1202 > > do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] > > do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94 > > entry_SYSCALL_64_after_hwframe+0x77/0x7f > > RIP: 0033:0x7efc3f19aeb9 > > Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 > > RSP: 002b:00007efc4003a028 EFLAGS: 00000246 ORIG_RAX: 0000000000000148 > > RAX: ffffffffffffffda RBX: 00007efc3f415fa0 RCX: 00007efc3f19aeb9 > > RDX: 0000000000000001 RSI: 0000200000000100 RDI: 0000000000000004 > > RBP: 00007efc3f208c1f R08: 0000000000000000 R09: 0000000000000000 > > R10: 0000000000005412 R11: 0000000000000246 R12: 0000000000000000 > > R13: 00007efc3f416038 R14: 00007efc3f415fa0 R15: 00007ffefdbddaa8 > > </TASK> > > Modules linked in: > > ---[ end trace 0000000000000000 ]--- > > RIP: 0010:ext4_ext_insert_extent+0x5248/0x5280 fs/ext4/extents.c:2174 > > Code: 89 d9 80 e1 07 fe c1 38 c1 0f 8c 75 e4 ff ff 48 89 df e8 1b 8f b1 ff e9 68 e4 ff ff e8 41 54 49 ff 90 0f 0b e8 39 54 49 ff 90 <0f> 0b e8 31 54 49 ff 90 0f 0b 89 d9 80 e1 07 80 c1 03 38 c1 0f 8c > > RSP: 0018:ffffc9000426ebe0 EFLAGS: 00010293 > > RAX: ffffffff827aea67 RBX: 0000000000000021 RCX: ffff88802fe9db80 > > RDX: 0000000000000000 RSI: 0000000000000021 RDI: 0000000000000021 > > RBP: ffffc9000426edd0 R08: ffff888076d2d0ef R09: 1ffff1100eda5a1d > > R10: dffffc0000000000 R11: ffffed100eda5a1e R12: ffff888063f4b43c > > R13: ffff888143ff8500 R14: ffff888063f4b400 R15: 0000000000000021 > > FS: 00007efc4003a6c0(0000) GS:ffff888125866000(0000) knlGS:0000000000000000 > > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > > CR2: 00007fc4a9f45000 CR3: 0000000028bcc000 CR4: 00000000003526f0 > > > > > > Tested on: > > > > commit: 4f5e8e6f et4: allow zeroout when doing written to unwr.. > > git tree: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git dev > > console output: https://syzkaller.appspot.com/x/log.txt?x=1081d33a580000 > > kernel config: https://syzkaller.appspot.com/x/.config?x=a535ad5429f72a2 > > dashboard link: https://syzkaller.appspot.com/bug?extid=ccf1421545dbe5caa20c > > compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8 > > patch: https://syzkaller.appspot.com/x/patch.diff?x=10c15194580000 > > > From 4e793c55c63757a604934dd4e14318cd66e9b900 Mon Sep 17 00:00:00 2001 > From: Ojaswin Mujoo <ojaswin@linux.ibm.com> > Date: Tue, 10 Feb 2026 17:59:17 +0530 > Subject: [PATCH] ext4: add logging to debug issue > > --- > fs/ext4/extents.c | 24 ++++++++++++++++++++++++ > fs/ext4/extents_status.c | 22 ++++++++++++++++++++++ > fs/ext4/mballoc.c | 27 +++++++++++++++++++++++++++ > 3 files changed, 73 insertions(+) > > diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c > index 3630b27e4fd7..95a3eadcee67 100644 > --- a/fs/ext4/extents.c > +++ b/fs/ext4/extents.c > @@ -529,6 +529,9 @@ static void ext4_cache_extents(struct inode *inode, > int i; > > KUNIT_STATIC_STUB_REDIRECT(ext4_cache_extents, inode, eh); > + ext4_warning_inode(inode, "%s: caching extents\n", __func__); > + if (strncmp(inode->i_sb->s_id, "loop", 4)) > + dump_stack(); > > for (i = le16_to_cpu(eh->eh_entries); i > 0; i--, ex++) { > unsigned int status = EXTENT_STATUS_WRITTEN; > @@ -2006,6 +2009,22 @@ ext4_ext_insert_extent(handle_t *handle, struct inode *inode, > goto errout; > } > > + ext4_warning_inode( > + inode, > + "%s: add newext [%d, %d, %lld, unwrit:%d] to extent tree.\n", > + __func__, le32_to_cpu(newext->ee_block), > + ext4_ext_get_actual_len(newext), ext4_ext_pblock(newext), > + ext4_ext_is_unwritten(newext)); > + > + if (ex) { > + ext4_warning_inode( > + inode, > + "%s: ext at current path: [%d, %d, %lld, unwrit:%d]\n", > + __func__, le32_to_cpu(ex->ee_block), > + ext4_ext_get_actual_len(ex), ext4_ext_pblock(ex), > + ext4_ext_is_unwritten(ex)); > + } > + > /* try to insert block into found extent and return */ > if (ex && !(gb_flags & EXT4_GET_BLOCKS_SPLIT_NOMERGE)) { > > @@ -2832,6 +2851,11 @@ int ext4_ext_remove_space(struct inode *inode, ext4_lblk_t start, > int i = 0, err = 0; > int flags = EXT4_EX_NOCACHE | EXT4_EX_NOFAIL; > > + ext4_warning_inode( > + inode, > + "%s: remove range [%d, %d] from extent tree\n", > + __func__, start, end); > + > partial.pclu = 0; > partial.lblk = 0; > partial.state = initial; > diff --git a/fs/ext4/extents_status.c b/fs/ext4/extents_status.c > index a1538bac51c6..285acca9a6de 100644 > --- a/fs/ext4/extents_status.c > +++ b/fs/ext4/extents_status.c > @@ -847,6 +847,10 @@ static int __es_insert_extent(struct inode *inode, struct extent_status *newes, > struct rb_node *parent = NULL; > struct extent_status *es; > > + ext4_warning_inode(inode, "%s: add [%d, %d, %llu, 0x%x]\n", __func__, > + newes->es_lblk, newes->es_lblk + newes->es_len - 1, ext4_es_pblock(newes), > + ext4_es_status(newes)); > + > while (*p) { > parent = *p; > es = rb_entry(parent, struct extent_status, rb_node); > @@ -921,6 +925,10 @@ void ext4_es_insert_extent(struct inode *inode, ext4_lblk_t lblk, > > es_debug("add [%u/%u) %llu %x %d to extent status tree of inode %lu\n", > lblk, len, pblk, status, delalloc_reserve_used, inode->i_ino); > + ext4_warning_inode( > + inode, > + "%s: add [%u, %u] %llu %x %d to extent status tree of inode %lu\n", > + __func__, lblk, lblk + len - 1, pblk, status, delalloc_reserve_used, inode->i_ino); > > if (!len) > return; > @@ -1031,6 +1039,11 @@ void ext4_es_cache_extent(struct inode *inode, ext4_lblk_t lblk, > bool conflict = false; > int err; > > + ext4_warning_inode( > + inode, > + "%s: cache extent lblk:%d len:%d pblk:%lld status:0x%x\n", > + __func__, lblk, len, pblk, status); > + > if (EXT4_SB(inode->i_sb)->s_mount_state & EXT4_FC_REPLAY) > return; > > @@ -1493,6 +1506,11 @@ static int __es_remove_extent(struct inode *inode, ext4_lblk_t lblk, > bool count_reserved = true; > struct rsvd_count rc; > > + ext4_warning_inode( > + inode, > + "%s: remove [%u,%u] range from extent status tree of inode %lu\n", > + __func__, lblk, end, inode->i_ino); > + > if (reserved == NULL || !test_opt(inode->i_sb, DELALLOC)) > count_reserved = false; > if (status == 0) > @@ -1633,6 +1651,10 @@ void ext4_es_remove_extent(struct inode *inode, ext4_lblk_t lblk, > > es_debug("remove [%u/%u) from extent status tree of inode %lu\n", > lblk, len, inode->i_ino); > + ext4_warning_inode( > + inode, > + "%s: remove [%d,%lld] range from extent status tree of inode %lu\n", > + __func__, lblk, (loff_t)lblk + len -1, inode->i_ino); > > if (!len) > return; > diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c > index dbc82b65f810..35331d35f630 100644 > --- a/fs/ext4/mballoc.c > +++ b/fs/ext4/mballoc.c > @@ -2004,6 +2004,18 @@ static void mb_free_blocks(struct inode *inode, struct ext4_buddy *e4b, > int last = first + count - 1; > struct super_block *sb = e4b->bd_sb; > > + ext4_fsblk_t pblk = > + ext4_group_first_block_no(e4b->bd_sb, e4b->bd_group) + > + (first << EXT4_SB(e4b->bd_sb)->s_cluster_bits); > + > + if (inode) > + ext4_warning_inode(inode, "%s: trying to free blocks [%lld, %lld].\n", > + __func__, pblk, pblk + count - 1); > + else > + ext4_warning(sb, "%s: trying to free blocks [%lld, %lld].\n", > + __func__, pblk, pblk + count - 1); > + > + > if (WARN_ON(count == 0)) > return; > BUG_ON(last >= (sb->s_blocksize << 3)); > @@ -3101,6 +3113,12 @@ ext4_mb_regular_allocator(struct ext4_allocation_context *ac) > if (!err && ac->ac_status != AC_STATUS_FOUND && ac->ac_first_err) > err = ac->ac_first_err; > > + ext4_warning_inode( > + ac->ac_inode, > + "%s: Best len %d, origin len %d, ac_status %u, ac_flags 0x%x, cr %d ret %d\n", > + __func__, ac->ac_b_ex.fe_len, ac->ac_o_ex.fe_len, ac->ac_status, > + ac->ac_flags, ac->ac_criteria, err); > + > mb_debug(sb, "Best len %d, origin len %d, ac_status %u, ac_flags 0x%x, cr %d ret %d\n", > ac->ac_b_ex.fe_len, ac->ac_o_ex.fe_len, ac->ac_status, > ac->ac_flags, ac->ac_criteria, err); > @@ -6251,6 +6269,10 @@ ext4_fsblk_t ext4_mb_new_blocks(handle_t *handle, > sb = ar->inode->i_sb; > sbi = EXT4_SB(sb); > > + ext4_warning_inode(ar->inode, > + "%s: Allocation requested for: [%d, %d]\n", > + __func__, ar->logical, ar->logical + ar->len - 1); > + > trace_ext4_request_blocks(ar); > if (sbi->s_mount_state & EXT4_FC_REPLAY) > return ext4_mb_new_blocks_simple(ar, errp); > @@ -6334,6 +6356,11 @@ ext4_fsblk_t ext4_mb_new_blocks(handle_t *handle, > ext4_mb_pa_put_free(ac); > } > if (likely(ac->ac_status == AC_STATUS_FOUND)) { > + ext4_warning_inode( > + ar->inode, > + "%s: Allocation found: [%d, %d], pblk:%lld len:%u\n", > + __func__, ar->logical, ar->logical + ac->ac_b_ex.fe_len - 1, > + ext4_grp_offs_to_block(sb, &ac->ac_b_ex), ac->ac_b_ex.fe_len); > *errp = ext4_mb_mark_diskspace_used(ac, handle); > if (*errp) { > ext4_discard_allocated_blocks(ac); > -- > 2.52.0 > [-- Attachment #2: 0001-ext4-add-logging-to-debug-issue.patch --] [-- Type: text/plain, Size: 6386 bytes --] From 4e793c55c63757a604934dd4e14318cd66e9b900 Mon Sep 17 00:00:00 2001 From: Ojaswin Mujoo <ojaswin@linux.ibm.com> Date: Tue, 10 Feb 2026 17:59:17 +0530 Subject: [PATCH] ext4: add logging to debug issue --- fs/ext4/extents.c | 24 ++++++++++++++++++++++++ fs/ext4/extents_status.c | 22 ++++++++++++++++++++++ fs/ext4/mballoc.c | 27 +++++++++++++++++++++++++++ 3 files changed, 73 insertions(+) diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c index 3630b27e4fd7..95a3eadcee67 100644 --- a/fs/ext4/extents.c +++ b/fs/ext4/extents.c @@ -529,6 +529,9 @@ static void ext4_cache_extents(struct inode *inode, int i; KUNIT_STATIC_STUB_REDIRECT(ext4_cache_extents, inode, eh); + ext4_warning_inode(inode, "%s: caching extents\n", __func__); + if (strncmp(inode->i_sb->s_id, "loop", 4)) + dump_stack(); for (i = le16_to_cpu(eh->eh_entries); i > 0; i--, ex++) { unsigned int status = EXTENT_STATUS_WRITTEN; @@ -2006,6 +2009,22 @@ ext4_ext_insert_extent(handle_t *handle, struct inode *inode, goto errout; } + ext4_warning_inode( + inode, + "%s: add newext [%d, %d, %lld, unwrit:%d] to extent tree.\n", + __func__, le32_to_cpu(newext->ee_block), + ext4_ext_get_actual_len(newext), ext4_ext_pblock(newext), + ext4_ext_is_unwritten(newext)); + + if (ex) { + ext4_warning_inode( + inode, + "%s: ext at current path: [%d, %d, %lld, unwrit:%d]\n", + __func__, le32_to_cpu(ex->ee_block), + ext4_ext_get_actual_len(ex), ext4_ext_pblock(ex), + ext4_ext_is_unwritten(ex)); + } + /* try to insert block into found extent and return */ if (ex && !(gb_flags & EXT4_GET_BLOCKS_SPLIT_NOMERGE)) { @@ -2832,6 +2851,11 @@ int ext4_ext_remove_space(struct inode *inode, ext4_lblk_t start, int i = 0, err = 0; int flags = EXT4_EX_NOCACHE | EXT4_EX_NOFAIL; + ext4_warning_inode( + inode, + "%s: remove range [%d, %d] from extent tree\n", + __func__, start, end); + partial.pclu = 0; partial.lblk = 0; partial.state = initial; diff --git a/fs/ext4/extents_status.c b/fs/ext4/extents_status.c index a1538bac51c6..285acca9a6de 100644 --- a/fs/ext4/extents_status.c +++ b/fs/ext4/extents_status.c @@ -847,6 +847,10 @@ static int __es_insert_extent(struct inode *inode, struct extent_status *newes, struct rb_node *parent = NULL; struct extent_status *es; + ext4_warning_inode(inode, "%s: add [%d, %d, %llu, 0x%x]\n", __func__, + newes->es_lblk, newes->es_lblk + newes->es_len - 1, ext4_es_pblock(newes), + ext4_es_status(newes)); + while (*p) { parent = *p; es = rb_entry(parent, struct extent_status, rb_node); @@ -921,6 +925,10 @@ void ext4_es_insert_extent(struct inode *inode, ext4_lblk_t lblk, es_debug("add [%u/%u) %llu %x %d to extent status tree of inode %lu\n", lblk, len, pblk, status, delalloc_reserve_used, inode->i_ino); + ext4_warning_inode( + inode, + "%s: add [%u, %u] %llu %x %d to extent status tree of inode %lu\n", + __func__, lblk, lblk + len - 1, pblk, status, delalloc_reserve_used, inode->i_ino); if (!len) return; @@ -1031,6 +1039,11 @@ void ext4_es_cache_extent(struct inode *inode, ext4_lblk_t lblk, bool conflict = false; int err; + ext4_warning_inode( + inode, + "%s: cache extent lblk:%d len:%d pblk:%lld status:0x%x\n", + __func__, lblk, len, pblk, status); + if (EXT4_SB(inode->i_sb)->s_mount_state & EXT4_FC_REPLAY) return; @@ -1493,6 +1506,11 @@ static int __es_remove_extent(struct inode *inode, ext4_lblk_t lblk, bool count_reserved = true; struct rsvd_count rc; + ext4_warning_inode( + inode, + "%s: remove [%u,%u] range from extent status tree of inode %lu\n", + __func__, lblk, end, inode->i_ino); + if (reserved == NULL || !test_opt(inode->i_sb, DELALLOC)) count_reserved = false; if (status == 0) @@ -1633,6 +1651,10 @@ void ext4_es_remove_extent(struct inode *inode, ext4_lblk_t lblk, es_debug("remove [%u/%u) from extent status tree of inode %lu\n", lblk, len, inode->i_ino); + ext4_warning_inode( + inode, + "%s: remove [%d,%lld] range from extent status tree of inode %lu\n", + __func__, lblk, (loff_t)lblk + len -1, inode->i_ino); if (!len) return; diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c index dbc82b65f810..35331d35f630 100644 --- a/fs/ext4/mballoc.c +++ b/fs/ext4/mballoc.c @@ -2004,6 +2004,18 @@ static void mb_free_blocks(struct inode *inode, struct ext4_buddy *e4b, int last = first + count - 1; struct super_block *sb = e4b->bd_sb; + ext4_fsblk_t pblk = + ext4_group_first_block_no(e4b->bd_sb, e4b->bd_group) + + (first << EXT4_SB(e4b->bd_sb)->s_cluster_bits); + + if (inode) + ext4_warning_inode(inode, "%s: trying to free blocks [%lld, %lld].\n", + __func__, pblk, pblk + count - 1); + else + ext4_warning(sb, "%s: trying to free blocks [%lld, %lld].\n", + __func__, pblk, pblk + count - 1); + + if (WARN_ON(count == 0)) return; BUG_ON(last >= (sb->s_blocksize << 3)); @@ -3101,6 +3113,12 @@ ext4_mb_regular_allocator(struct ext4_allocation_context *ac) if (!err && ac->ac_status != AC_STATUS_FOUND && ac->ac_first_err) err = ac->ac_first_err; + ext4_warning_inode( + ac->ac_inode, + "%s: Best len %d, origin len %d, ac_status %u, ac_flags 0x%x, cr %d ret %d\n", + __func__, ac->ac_b_ex.fe_len, ac->ac_o_ex.fe_len, ac->ac_status, + ac->ac_flags, ac->ac_criteria, err); + mb_debug(sb, "Best len %d, origin len %d, ac_status %u, ac_flags 0x%x, cr %d ret %d\n", ac->ac_b_ex.fe_len, ac->ac_o_ex.fe_len, ac->ac_status, ac->ac_flags, ac->ac_criteria, err); @@ -6251,6 +6269,10 @@ ext4_fsblk_t ext4_mb_new_blocks(handle_t *handle, sb = ar->inode->i_sb; sbi = EXT4_SB(sb); + ext4_warning_inode(ar->inode, + "%s: Allocation requested for: [%d, %d]\n", + __func__, ar->logical, ar->logical + ar->len - 1); + trace_ext4_request_blocks(ar); if (sbi->s_mount_state & EXT4_FC_REPLAY) return ext4_mb_new_blocks_simple(ar, errp); @@ -6334,6 +6356,11 @@ ext4_fsblk_t ext4_mb_new_blocks(handle_t *handle, ext4_mb_pa_put_free(ac); } if (likely(ac->ac_status == AC_STATUS_FOUND)) { + ext4_warning_inode( + ar->inode, + "%s: Allocation found: [%d, %d], pblk:%lld len:%u\n", + __func__, ar->logical, ar->logical + ac->ac_b_ex.fe_len - 1, + ext4_grp_offs_to_block(sb, &ac->ac_b_ex), ac->ac_b_ex.fe_len); *errp = ext4_mb_mark_diskspace_used(ac, handle); if (*errp) { ext4_discard_allocated_blocks(ac); -- 2.52.0 ^ permalink raw reply related [flat|nested] 17+ messages in thread
* Re: [syzbot] [ext4?] kernel BUG in ext4_es_cache_extent (4) 2026-02-10 19:59 ` Ojaswin Mujoo @ 2026-02-10 20:54 ` syzbot 2026-02-11 8:29 ` Ojaswin Mujoo 0 siblings, 1 reply; 17+ messages in thread From: syzbot @ 2026-02-10 20:54 UTC (permalink / raw) To: adilger.kernel, linux-ext4, linux-kernel, ojaswin, syzkaller-bugs, tytso Hello, syzbot has tested the proposed patch and the reproducer did not trigger any issue: Reported-by: syzbot+ccf1421545dbe5caa20c@syzkaller.appspotmail.com Tested-by: syzbot+ccf1421545dbe5caa20c@syzkaller.appspotmail.com Tested on: commit: 4f5e8e6f et4: allow zeroout when doing written to unwr.. git tree: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git dev console output: https://syzkaller.appspot.com/x/log.txt?x=15739b22580000 kernel config: https://syzkaller.appspot.com/x/.config?x=a535ad5429f72a2 dashboard link: https://syzkaller.appspot.com/bug?extid=ccf1421545dbe5caa20c compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8 patch: https://syzkaller.appspot.com/x/patch.diff?x=12d6f33a580000 Note: testing is done by a robot and is best-effort only. ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [syzbot] [ext4?] kernel BUG in ext4_es_cache_extent (4) 2026-02-10 20:54 ` syzbot @ 2026-02-11 8:29 ` Ojaswin Mujoo 2026-02-11 10:03 ` syzbot 0 siblings, 1 reply; 17+ messages in thread From: Ojaswin Mujoo @ 2026-02-11 8:29 UTC (permalink / raw) To: syzbot; +Cc: adilger.kernel, linux-ext4, linux-kernel, syzkaller-bugs, tytso [-- Attachment #1: Type: text/plain, Size: 1044 bytes --] On Tue, Feb 10, 2026 at 12:54:03PM -0800, syzbot wrote: > Hello, > > syzbot has tested the proposed patch and the reproducer did not trigger any issue: > > Reported-by: syzbot+ccf1421545dbe5caa20c@syzkaller.appspotmail.com > Tested-by: syzbot+ccf1421545dbe5caa20c@syzkaller.appspotmail.com > > Tested on: > > commit: 4f5e8e6f et4: allow zeroout when doing written to unwr.. > git tree: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git dev > console output: https://syzkaller.appspot.com/x/log.txt?x=15739b22580000 > kernel config: https://syzkaller.appspot.com/x/.config?x=a535ad5429f72a2 > dashboard link: https://syzkaller.appspot.com/bug?extid=ccf1421545dbe5caa20c > compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8 > patch: https://syzkaller.appspot.com/x/patch.diff?x=12d6f33a580000 > > Note: testing is done by a robot and is best-effort only. #syz test: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git dev [-- Attachment #2: 0001-ext4-add-logging-to-debug-issue.patch --] [-- Type: text/plain, Size: 6799 bytes --] From b185657580be6f773d45821709ba4fd3467c0788 Mon Sep 17 00:00:00 2001 From: Ojaswin Mujoo <ojaswin@linux.ibm.com> Date: Tue, 10 Feb 2026 17:59:17 +0530 Subject: [PATCH] ext4: add logging to debug issue --- fs/ext4/extents.c | 30 ++++++++++++++++++++++++++++++ fs/ext4/extents_status.c | 23 +++++++++++++++++++++++ fs/ext4/mballoc.c | 27 +++++++++++++++++++++++++++ 3 files changed, 80 insertions(+) diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c index 3630b27e4fd7..81dbe3a33777 100644 --- a/fs/ext4/extents.c +++ b/fs/ext4/extents.c @@ -529,6 +529,9 @@ static void ext4_cache_extents(struct inode *inode, int i; KUNIT_STATIC_STUB_REDIRECT(ext4_cache_extents, inode, eh); + ext4_warning_inode(inode, "%s: caching extents\n", __func__); + if (!strncmp(inode->i_sb->s_id, "loop", 4)) + dump_stack(); for (i = le16_to_cpu(eh->eh_entries); i > 0; i--, ex++) { unsigned int status = EXTENT_STATUS_WRITTEN; @@ -2006,6 +2009,22 @@ ext4_ext_insert_extent(handle_t *handle, struct inode *inode, goto errout; } + ext4_warning_inode( + inode, + "%s: add newext [%u, %u, %llu, unwrit:%d] to extent tree.\n", + __func__, le32_to_cpu(newext->ee_block), + ext4_ext_get_actual_len(newext), ext4_ext_pblock(newext), + ext4_ext_is_unwritten(newext)); + + if (ex) { + ext4_warning_inode( + inode, + "%s: ext at current path: [%u, %u, %llu, unwrit:%d]\n", + __func__, le32_to_cpu(ex->ee_block), + ext4_ext_get_actual_len(ex), ext4_ext_pblock(ex), + ext4_ext_is_unwritten(ex)); + } + /* try to insert block into found extent and return */ if (ex && !(gb_flags & EXT4_GET_BLOCKS_SPLIT_NOMERGE)) { @@ -2832,6 +2851,11 @@ int ext4_ext_remove_space(struct inode *inode, ext4_lblk_t start, int i = 0, err = 0; int flags = EXT4_EX_NOCACHE | EXT4_EX_NOFAIL; + ext4_warning_inode( + inode, + "%s: remove range [%u, %u] from extent tree\n", + __func__, start, end); + partial.pclu = 0; partial.lblk = 0; partial.state = initial; @@ -4456,6 +4480,12 @@ int ext4_ext_map_blocks(handle_t *handle, struct inode *inode, map->m_flags |= EXT4_MAP_UNWRITTEN; } + ext4_warning_inode( + inode, + "%s: add newext [%u, %u, %llu, unwrit:%d] to extent tree.\n", + __func__, le32_to_cpu(newex.ee_block), + ext4_ext_get_actual_len(&newex), ext4_ext_pblock(&newex), + ext4_ext_is_unwritten(&newex)); path = ext4_ext_insert_extent(handle, inode, path, &newex, flags); if (IS_ERR(path)) { err = PTR_ERR(path); diff --git a/fs/ext4/extents_status.c b/fs/ext4/extents_status.c index a1538bac51c6..ce582b3dc83c 100644 --- a/fs/ext4/extents_status.c +++ b/fs/ext4/extents_status.c @@ -847,6 +847,10 @@ static int __es_insert_extent(struct inode *inode, struct extent_status *newes, struct rb_node *parent = NULL; struct extent_status *es; + ext4_warning_inode(inode, "%s: add lblk:%u len:%u pblk:%llu status:0x%x]\n", __func__, + newes->es_lblk, newes->es_len, ext4_es_pblock(newes), + ext4_es_status(newes)); + while (*p) { parent = *p; es = rb_entry(parent, struct extent_status, rb_node); @@ -921,6 +925,10 @@ void ext4_es_insert_extent(struct inode *inode, ext4_lblk_t lblk, es_debug("add [%u/%u) %llu %x %d to extent status tree of inode %lu\n", lblk, len, pblk, status, delalloc_reserve_used, inode->i_ino); + ext4_warning_inode( + inode, + "%s: add lblk:%u len:%u pblk:%llu 0x%x to es\n", + __func__, lblk, len, pblk, status); if (!len) return; @@ -1031,6 +1039,11 @@ void ext4_es_cache_extent(struct inode *inode, ext4_lblk_t lblk, bool conflict = false; int err; + ext4_warning_inode( + inode, + "%s: cache extent lblk:%u len:%u pblk:%llu status:0x%x\n", + __func__, lblk, len, pblk, status); + if (EXT4_SB(inode->i_sb)->s_mount_state & EXT4_FC_REPLAY) return; @@ -1493,6 +1506,11 @@ static int __es_remove_extent(struct inode *inode, ext4_lblk_t lblk, bool count_reserved = true; struct rsvd_count rc; + ext4_warning_inode( + inode, + "%s: remove [%u,%u] range from extent status tree of inode %lu\n", + __func__, lblk, end, inode->i_ino); + if (reserved == NULL || !test_opt(inode->i_sb, DELALLOC)) count_reserved = false; if (status == 0) @@ -1631,8 +1649,13 @@ void ext4_es_remove_extent(struct inode *inode, ext4_lblk_t lblk, if (EXT4_SB(inode->i_sb)->s_mount_state & EXT4_FC_REPLAY) return; + if (!strncmp(inode->i_sb->s_id, "loop", 4)) + dump_stack(); + es_debug("remove [%u/%u) from extent status tree of inode %lu\n", lblk, len, inode->i_ino); + ext4_warning_inode(inode, "%s: remove lblk:%u len:%u from es\n", + __func__, lblk, len); if (!len) return; diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c index dbc82b65f810..a37d6e3e004d 100644 --- a/fs/ext4/mballoc.c +++ b/fs/ext4/mballoc.c @@ -2004,6 +2004,18 @@ static void mb_free_blocks(struct inode *inode, struct ext4_buddy *e4b, int last = first + count - 1; struct super_block *sb = e4b->bd_sb; + ext4_fsblk_t pblk = + ext4_group_first_block_no(e4b->bd_sb, e4b->bd_group) + + (first << EXT4_SB(e4b->bd_sb)->s_cluster_bits); + + if (inode) + ext4_warning_inode(inode, "%s: trying to free pblk:%llu count:%d\n", + __func__, pblk, count); + else + ext4_warning(sb, "%s: trying to free pblk:%llu count:%d\n", + __func__, pblk, count); + + if (WARN_ON(count == 0)) return; BUG_ON(last >= (sb->s_blocksize << 3)); @@ -3101,6 +3113,12 @@ ext4_mb_regular_allocator(struct ext4_allocation_context *ac) if (!err && ac->ac_status != AC_STATUS_FOUND && ac->ac_first_err) err = ac->ac_first_err; + ext4_warning_inode( + ac->ac_inode, + "%s: Best len %d, origin len %d, ac_status %u, ac_flags 0x%x, cr %d ret %d\n", + __func__, ac->ac_b_ex.fe_len, ac->ac_o_ex.fe_len, ac->ac_status, + ac->ac_flags, ac->ac_criteria, err); + mb_debug(sb, "Best len %d, origin len %d, ac_status %u, ac_flags 0x%x, cr %d ret %d\n", ac->ac_b_ex.fe_len, ac->ac_o_ex.fe_len, ac->ac_status, ac->ac_flags, ac->ac_criteria, err); @@ -6251,6 +6269,10 @@ ext4_fsblk_t ext4_mb_new_blocks(handle_t *handle, sb = ar->inode->i_sb; sbi = EXT4_SB(sb); + ext4_warning_inode(ar->inode, + "%s: Allocation requested for: lblk:%u len:%d\n", + __func__, ar->logical, ar->len); + trace_ext4_request_blocks(ar); if (sbi->s_mount_state & EXT4_FC_REPLAY) return ext4_mb_new_blocks_simple(ar, errp); @@ -6334,6 +6356,11 @@ ext4_fsblk_t ext4_mb_new_blocks(handle_t *handle, ext4_mb_pa_put_free(ac); } if (likely(ac->ac_status == AC_STATUS_FOUND)) { + ext4_warning_inode( + ar->inode, + "%s: Allocation found: lblk:%u, len:%d, pblk:%llu\n", + __func__, ar->logical, ac->ac_b_ex.fe_len, + ext4_grp_offs_to_block(sb, &ac->ac_b_ex)); *errp = ext4_mb_mark_diskspace_used(ac, handle); if (*errp) { ext4_discard_allocated_blocks(ac); -- 2.52.0 ^ permalink raw reply related [flat|nested] 17+ messages in thread
* Re: [syzbot] [ext4?] kernel BUG in ext4_es_cache_extent (4) 2026-02-11 8:29 ` Ojaswin Mujoo @ 2026-02-11 10:03 ` syzbot 2026-02-11 13:42 ` Ojaswin Mujoo 0 siblings, 1 reply; 17+ messages in thread From: syzbot @ 2026-02-11 10:03 UTC (permalink / raw) To: adilger.kernel, linux-ext4, linux-kernel, ojaswin, syzkaller-bugs, tytso Hello, syzbot has tested the proposed patch and the reproducer did not trigger any issue: Reported-by: syzbot+ccf1421545dbe5caa20c@syzkaller.appspotmail.com Tested-by: syzbot+ccf1421545dbe5caa20c@syzkaller.appspotmail.com Tested on: commit: 4f5e8e6f et4: allow zeroout when doing written to unwr.. git tree: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git dev console output: https://syzkaller.appspot.com/x/log.txt?x=17815b22580000 kernel config: https://syzkaller.appspot.com/x/.config?x=a535ad5429f72a2 dashboard link: https://syzkaller.appspot.com/bug?extid=ccf1421545dbe5caa20c compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8 patch: https://syzkaller.appspot.com/x/patch.diff?x=120cccaa580000 Note: testing is done by a robot and is best-effort only. ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [syzbot] [ext4?] kernel BUG in ext4_es_cache_extent (4) 2026-02-11 10:03 ` syzbot @ 2026-02-11 13:42 ` Ojaswin Mujoo 2026-02-11 16:44 ` syzbot 0 siblings, 1 reply; 17+ messages in thread From: Ojaswin Mujoo @ 2026-02-11 13:42 UTC (permalink / raw) To: syzbot; +Cc: linux-ext4, linux-kernel, syzkaller-bugs [-- Attachment #1: Type: text/plain, Size: 1254 bytes --] On Wed, Feb 11, 2026 at 02:03:02AM -0800, syzbot wrote: > Hello, > > syzbot has tested the proposed patch and the reproducer did not trigger any issue: > > Reported-by: syzbot+ccf1421545dbe5caa20c@syzkaller.appspotmail.com > Tested-by: syzbot+ccf1421545dbe5caa20c@syzkaller.appspotmail.com > > Tested on: > > commit: 4f5e8e6f et4: allow zeroout when doing written to unwr.. > git tree: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git dev > console output: https://syzkaller.appspot.com/x/log.txt?x=17815b22580000 > kernel config: https://syzkaller.appspot.com/x/.config?x=a535ad5429f72a2 > dashboard link: https://syzkaller.appspot.com/bug?extid=ccf1421545dbe5caa20c > compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8 > patch: https://syzkaller.appspot.com/x/patch.diff?x=120cccaa580000 > > Note: testing is done by a robot and is best-effort only. Okay I think adding dump_stack() in the patches is leading to weird invalid opcodes in syzbot which is hiding the actual issue. Lets try again (sorry for the spam, somehow im unable to replicate in my vm): #syz test: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git dev [-- Attachment #2: 0001-ext4-add-logging-to-debug-issue.patch --] [-- Type: text/plain, Size: 6594 bytes --] From 7086e36d23ddbee429c3f0ca271f7e188f81bd61 Mon Sep 17 00:00:00 2001 From: Ojaswin Mujoo <ojaswin@linux.ibm.com> Date: Tue, 10 Feb 2026 17:59:17 +0530 Subject: [PATCH] ext4: add logging to debug issue --- fs/ext4/extents.c | 28 ++++++++++++++++++++++++++++ fs/ext4/extents_status.c | 20 ++++++++++++++++++++ fs/ext4/mballoc.c | 27 +++++++++++++++++++++++++++ 3 files changed, 75 insertions(+) diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c index 3630b27e4fd7..89a681f6e5ca 100644 --- a/fs/ext4/extents.c +++ b/fs/ext4/extents.c @@ -529,6 +529,7 @@ static void ext4_cache_extents(struct inode *inode, int i; KUNIT_STATIC_STUB_REDIRECT(ext4_cache_extents, inode, eh); + ext4_warning_inode(inode, "%s: caching extents\n", __func__); for (i = le16_to_cpu(eh->eh_entries); i > 0; i--, ex++) { unsigned int status = EXTENT_STATUS_WRITTEN; @@ -2006,6 +2007,22 @@ ext4_ext_insert_extent(handle_t *handle, struct inode *inode, goto errout; } + ext4_warning_inode( + inode, + "%s: add newext [%u, %u, %llu, unwrit:%d] to extent tree.\n", + __func__, le32_to_cpu(newext->ee_block), + ext4_ext_get_actual_len(newext), ext4_ext_pblock(newext), + ext4_ext_is_unwritten(newext)); + + if (ex) { + ext4_warning_inode( + inode, + "%s: ext at current path: [%u, %u, %llu, unwrit:%d]\n", + __func__, le32_to_cpu(ex->ee_block), + ext4_ext_get_actual_len(ex), ext4_ext_pblock(ex), + ext4_ext_is_unwritten(ex)); + } + /* try to insert block into found extent and return */ if (ex && !(gb_flags & EXT4_GET_BLOCKS_SPLIT_NOMERGE)) { @@ -2832,6 +2849,11 @@ int ext4_ext_remove_space(struct inode *inode, ext4_lblk_t start, int i = 0, err = 0; int flags = EXT4_EX_NOCACHE | EXT4_EX_NOFAIL; + ext4_warning_inode( + inode, + "%s: remove range [%u, %u] from extent tree\n", + __func__, start, end); + partial.pclu = 0; partial.lblk = 0; partial.state = initial; @@ -4456,6 +4478,12 @@ int ext4_ext_map_blocks(handle_t *handle, struct inode *inode, map->m_flags |= EXT4_MAP_UNWRITTEN; } + ext4_warning_inode( + inode, + "%s: add newext [%u, %u, %llu, unwrit:%d] to extent tree.\n", + __func__, le32_to_cpu(newex.ee_block), + ext4_ext_get_actual_len(&newex), ext4_ext_pblock(&newex), + ext4_ext_is_unwritten(&newex)); path = ext4_ext_insert_extent(handle, inode, path, &newex, flags); if (IS_ERR(path)) { err = PTR_ERR(path); diff --git a/fs/ext4/extents_status.c b/fs/ext4/extents_status.c index a1538bac51c6..009c22108a7f 100644 --- a/fs/ext4/extents_status.c +++ b/fs/ext4/extents_status.c @@ -847,6 +847,10 @@ static int __es_insert_extent(struct inode *inode, struct extent_status *newes, struct rb_node *parent = NULL; struct extent_status *es; + ext4_warning_inode(inode, "%s: add lblk:%u len:%u pblk:%llu status:0x%x]\n", __func__, + newes->es_lblk, newes->es_len, ext4_es_pblock(newes), + ext4_es_status(newes)); + while (*p) { parent = *p; es = rb_entry(parent, struct extent_status, rb_node); @@ -921,6 +925,10 @@ void ext4_es_insert_extent(struct inode *inode, ext4_lblk_t lblk, es_debug("add [%u/%u) %llu %x %d to extent status tree of inode %lu\n", lblk, len, pblk, status, delalloc_reserve_used, inode->i_ino); + ext4_warning_inode( + inode, + "%s: add lblk:%u len:%u pblk:%llu 0x%x to es\n", + __func__, lblk, len, pblk, status); if (!len) return; @@ -1031,6 +1039,11 @@ void ext4_es_cache_extent(struct inode *inode, ext4_lblk_t lblk, bool conflict = false; int err; + ext4_warning_inode( + inode, + "%s: cache extent lblk:%u len:%u pblk:%llu status:0x%x\n", + __func__, lblk, len, pblk, status); + if (EXT4_SB(inode->i_sb)->s_mount_state & EXT4_FC_REPLAY) return; @@ -1493,6 +1506,11 @@ static int __es_remove_extent(struct inode *inode, ext4_lblk_t lblk, bool count_reserved = true; struct rsvd_count rc; + ext4_warning_inode( + inode, + "%s: remove [%u,%u] range from extent status tree of inode %lu\n", + __func__, lblk, end, inode->i_ino); + if (reserved == NULL || !test_opt(inode->i_sb, DELALLOC)) count_reserved = false; if (status == 0) @@ -1633,6 +1651,8 @@ void ext4_es_remove_extent(struct inode *inode, ext4_lblk_t lblk, es_debug("remove [%u/%u) from extent status tree of inode %lu\n", lblk, len, inode->i_ino); + ext4_warning_inode(inode, "%s: remove lblk:%u len:%u from es\n", + __func__, lblk, len); if (!len) return; diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c index dbc82b65f810..a37d6e3e004d 100644 --- a/fs/ext4/mballoc.c +++ b/fs/ext4/mballoc.c @@ -2004,6 +2004,18 @@ static void mb_free_blocks(struct inode *inode, struct ext4_buddy *e4b, int last = first + count - 1; struct super_block *sb = e4b->bd_sb; + ext4_fsblk_t pblk = + ext4_group_first_block_no(e4b->bd_sb, e4b->bd_group) + + (first << EXT4_SB(e4b->bd_sb)->s_cluster_bits); + + if (inode) + ext4_warning_inode(inode, "%s: trying to free pblk:%llu count:%d\n", + __func__, pblk, count); + else + ext4_warning(sb, "%s: trying to free pblk:%llu count:%d\n", + __func__, pblk, count); + + if (WARN_ON(count == 0)) return; BUG_ON(last >= (sb->s_blocksize << 3)); @@ -3101,6 +3113,12 @@ ext4_mb_regular_allocator(struct ext4_allocation_context *ac) if (!err && ac->ac_status != AC_STATUS_FOUND && ac->ac_first_err) err = ac->ac_first_err; + ext4_warning_inode( + ac->ac_inode, + "%s: Best len %d, origin len %d, ac_status %u, ac_flags 0x%x, cr %d ret %d\n", + __func__, ac->ac_b_ex.fe_len, ac->ac_o_ex.fe_len, ac->ac_status, + ac->ac_flags, ac->ac_criteria, err); + mb_debug(sb, "Best len %d, origin len %d, ac_status %u, ac_flags 0x%x, cr %d ret %d\n", ac->ac_b_ex.fe_len, ac->ac_o_ex.fe_len, ac->ac_status, ac->ac_flags, ac->ac_criteria, err); @@ -6251,6 +6269,10 @@ ext4_fsblk_t ext4_mb_new_blocks(handle_t *handle, sb = ar->inode->i_sb; sbi = EXT4_SB(sb); + ext4_warning_inode(ar->inode, + "%s: Allocation requested for: lblk:%u len:%d\n", + __func__, ar->logical, ar->len); + trace_ext4_request_blocks(ar); if (sbi->s_mount_state & EXT4_FC_REPLAY) return ext4_mb_new_blocks_simple(ar, errp); @@ -6334,6 +6356,11 @@ ext4_fsblk_t ext4_mb_new_blocks(handle_t *handle, ext4_mb_pa_put_free(ac); } if (likely(ac->ac_status == AC_STATUS_FOUND)) { + ext4_warning_inode( + ar->inode, + "%s: Allocation found: lblk:%u, len:%d, pblk:%llu\n", + __func__, ar->logical, ac->ac_b_ex.fe_len, + ext4_grp_offs_to_block(sb, &ac->ac_b_ex)); *errp = ext4_mb_mark_diskspace_used(ac, handle); if (*errp) { ext4_discard_allocated_blocks(ac); -- 2.52.0 ^ permalink raw reply related [flat|nested] 17+ messages in thread
* Re: [syzbot] [ext4?] kernel BUG in ext4_es_cache_extent (4) 2026-02-11 13:42 ` Ojaswin Mujoo @ 2026-02-11 16:44 ` syzbot 0 siblings, 0 replies; 17+ messages in thread From: syzbot @ 2026-02-11 16:44 UTC (permalink / raw) To: linux-ext4, linux-kernel, ojaswin, syzkaller-bugs Hello, syzbot has tested the proposed patch and the reproducer did not trigger any issue: Reported-by: syzbot+ccf1421545dbe5caa20c@syzkaller.appspotmail.com Tested-by: syzbot+ccf1421545dbe5caa20c@syzkaller.appspotmail.com Tested on: commit: 4f5e8e6f et4: allow zeroout when doing written to unwr.. git tree: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git dev console output: https://syzkaller.appspot.com/x/log.txt?x=15aece5a580000 kernel config: https://syzkaller.appspot.com/x/.config?x=a535ad5429f72a2 dashboard link: https://syzkaller.appspot.com/bug?extid=ccf1421545dbe5caa20c compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8 patch: https://syzkaller.appspot.com/x/patch.diff?x=166e8e5a580000 Note: testing is done by a robot and is best-effort only. ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [syzbot] [ext4?] kernel BUG in ext4_es_cache_extent (4) 2026-02-09 2:08 [syzbot] [ext4?] kernel BUG in ext4_es_cache_extent (4) syzbot 2026-02-09 19:22 ` Ojaswin Mujoo @ 2026-03-03 19:19 ` syzbot 2026-03-12 17:45 ` Ojaswin Mujoo 1 sibling, 1 reply; 17+ messages in thread From: syzbot @ 2026-03-03 19:19 UTC (permalink / raw) To: adilger.kernel, linux-ext4, linux-kernel, ojaswin, syzkaller-bugs, tytso syzbot has found a reproducer for the following issue on: HEAD commit: af4e9ef3d784 uaccess: Fix scoped_user_read_access() for 'p.. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=13811b5a580000 kernel config: https://syzkaller.appspot.com/x/.config?x=779072223d02a312 dashboard link: https://syzkaller.appspot.com/bug?extid=ccf1421545dbe5caa20c compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8 syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1620e552580000 C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13810a02580000 Downloadable assets: disk image: https://storage.googleapis.com/syzbot-assets/f6b75c8f432f/disk-af4e9ef3.raw.xz vmlinux: https://storage.googleapis.com/syzbot-assets/4513ad566789/vmlinux-af4e9ef3.xz kernel image: https://storage.googleapis.com/syzbot-assets/f7eea878db42/bzImage-af4e9ef3.xz mounted in repro: https://storage.googleapis.com/syzbot-assets/8d81a7f0b7b8/mount_0.gz fsck result: failed (log: https://syzkaller.appspot.com/x/fsck.log?x=1351b006580000) IMPORTANT: if you fix the issue, please add the following tag to the commit: Reported-by: syzbot+ccf1421545dbe5caa20c@syzkaller.appspotmail.com EXT4-fs warning (device loop0): ext4_es_cache_extent:1082: inode #15: comm syz.0.36: ES cache extent failed: add [0,1,177,0x1] conflict with existing [0,1,113,0x2] EXT4-fs warning (device loop0): ext4_es_cache_extent:1082: inode #15: comm syz.0.36: ES cache extent failed: add [1,15,177,0x1] conflict with existing [1,35,576460752303423487,0x18] EXT4-fs warning (device loop0): ext4_es_cache_extent:1082: inode #15: comm syz.0.36: ES cache extent failed: add [16,1,177,0x1] conflict with existing [1,35,576460752303423487,0x18] EXT4-fs warning (device loop0): ext4_es_cache_extent:1082: inode #15: comm syz.0.36: ES cache extent failed: add [17,10,177,0x1] conflict with existing [1,35,576460752303423487,0x18] ------------[ cut here ]------------ kernel BUG at fs/ext4/extents_status.c:1044! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI CPU: 0 UID: 0 PID: 6062 Comm: syz.0.36 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026 RIP: 0010:ext4_es_cache_extent+0x875/0x9e0 fs/ext4/extents_status.c:1044 Code: e1 07 80 c1 03 38 c1 0f 8c 5c fe ff ff 48 8b 7c 24 18 e8 fe ac ad ff e9 4d fe ff ff e8 a4 6e 43 ff 90 0f 0b e8 9c 6e 43 ff 90 <0f> 0b 65 8b 1d e6 98 99 10 bf 07 00 00 00 89 de e8 c6 72 43 ff 83 RSP: 0018:ffffc90003456d20 EFLAGS: 00010293 RAX: ffffffff82822744 RBX: 0000000000000018 RCX: ffff88803155bd00 RDX: 0000000000000000 RSI: 000000000000001b RDI: 0000000000000018 RBP: ffffc90003456e68 R08: ffffc90003456dd7 R09: ffffc90003456dc0 R10: dffffc0000000000 R11: fffff5200068adbb R12: ffffc90003456dc0 R13: 000000000000001b R14: 000000000000000f R15: dffffc0000000000 FS: 00007fbdae25d6c0(0000) GS:ffff888125464000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fbdad3e9e80 CR3: 00000000781f0000 CR4: 0000000000350ef0 Call Trace: <TASK> ext4_cache_extents fs/ext4/extents.c:539 [inline] __read_extent_tree_block+0x4b4/0x890 fs/ext4/extents.c:586 ext4_find_extent+0x76f/0xcc0 fs/ext4/extents.c:939 ext4_ext_map_blocks+0x283/0x58b0 fs/ext4/extents.c:4261 ext4_map_create_blocks+0x11d/0x540 fs/ext4/inode.c:616 ext4_map_blocks+0x7cd/0x11d0 fs/ext4/inode.c:809 _ext4_get_block+0x1e3/0x470 fs/ext4/inode.c:909 ext4_get_block_unwritten+0x2e/0x100 fs/ext4/inode.c:942 ext4_block_write_begin+0xb14/0x1950 fs/ext4/inode.c:1196 ext4_write_begin+0xb40/0x18c0 fs/ext4/ext4_jbd2.h:-1 ext4_da_write_begin+0x355/0xd80 fs/ext4/inode.c:3123 generic_perform_write+0x2e2/0x8f0 mm/filemap.c:4314 ext4_buffered_write_iter+0xce/0x3a0 fs/ext4/file.c:300 ext4_file_write_iter+0x298/0x1bf0 fs/ext4/file.c:-1 new_sync_write fs/read_write.c:595 [inline] vfs_write+0x61d/0xb90 fs/read_write.c:688 ksys_pwrite64 fs/read_write.c:795 [inline] __do_sys_pwrite64 fs/read_write.c:803 [inline] __se_sys_pwrite64 fs/read_write.c:800 [inline] __x64_sys_pwrite64+0x199/0x230 fs/read_write.c:800 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fbdad39c799 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fbdae25d028 EFLAGS: 00000246 ORIG_RAX: 0000000000000012 RAX: ffffffffffffffda RBX: 00007fbdad615fa0 RCX: 00007fbdad39c799 RDX: 00000000200000c1 RSI: 00002000000000c0 RDI: 0000000000000006 RBP: 00007fbdad432bd9 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000009000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fbdad616038 R14: 00007fbdad615fa0 R15: 00007fff33d9aaf8 </TASK> Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:ext4_es_cache_extent+0x875/0x9e0 fs/ext4/extents_status.c:1044 Code: e1 07 80 c1 03 38 c1 0f 8c 5c fe ff ff 48 8b 7c 24 18 e8 fe ac ad ff e9 4d fe ff ff e8 a4 6e 43 ff 90 0f 0b e8 9c 6e 43 ff 90 <0f> 0b 65 8b 1d e6 98 99 10 bf 07 00 00 00 89 de e8 c6 72 43 ff 83 RSP: 0018:ffffc90003456d20 EFLAGS: 00010293 RAX: ffffffff82822744 RBX: 0000000000000018 RCX: ffff88803155bd00 RDX: 0000000000000000 RSI: 000000000000001b RDI: 0000000000000018 RBP: ffffc90003456e68 R08: ffffc90003456dd7 R09: ffffc90003456dc0 R10: dffffc0000000000 R11: fffff5200068adbb R12: ffffc90003456dc0 R13: 000000000000001b R14: 000000000000000f R15: dffffc0000000000 FS: 00007fbdae25d6c0(0000) GS:ffff888125464000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fbdad3e9e80 CR3: 00000000781f0000 CR4: 0000000000350ef0 --- If you want syzbot to run the reproducer, reply with: #syz test: git://repo/address.git branch-or-commit-hash If you attach or paste a git patch, syzbot will apply it before testing. ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [syzbot] [ext4?] kernel BUG in ext4_es_cache_extent (4) 2026-03-03 19:19 ` syzbot @ 2026-03-12 17:45 ` Ojaswin Mujoo 2026-03-12 18:05 ` syzbot 0 siblings, 1 reply; 17+ messages in thread From: Ojaswin Mujoo @ 2026-03-12 17:45 UTC (permalink / raw) To: syzbot; +Cc: adilger.kernel, linux-ext4, linux-kernel, syzkaller-bugs, tytso [-- Attachment #1: Type: text/plain, Size: 1292 bytes --] On Tue, Mar 03, 2026 at 11:19:35AM -0800, syzbot wrote: > syzbot has found a reproducer for the following issue on: > > HEAD commit: af4e9ef3d784 uaccess: Fix scoped_user_read_access() for 'p.. > git tree: upstream > console output: https://syzkaller.appspot.com/x/log.txt?x=13811b5a580000 > kernel config: https://syzkaller.appspot.com/x/.config?x=779072223d02a312 > dashboard link: https://syzkaller.appspot.com/bug?extid=ccf1421545dbe5caa20c > compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8 > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1620e552580000 > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13810a02580000 > > Downloadable assets: > disk image: https://storage.googleapis.com/syzbot-assets/f6b75c8f432f/disk-af4e9ef3.raw.xz > vmlinux: https://storage.googleapis.com/syzbot-assets/4513ad566789/vmlinux-af4e9ef3.xz > kernel image: https://storage.googleapis.com/syzbot-assets/f7eea878db42/bzImage-af4e9ef3.xz > mounted in repro: https://storage.googleapis.com/syzbot-assets/8d81a7f0b7b8/mount_0.gz > fsck result: failed (log: https://syzkaller.appspot.com/x/fsck.log?x=1351b006580000) > #syz test: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git dev [-- Attachment #2: 2-0001-ext4-add-logging-to-debug-issue.patch --] [-- Type: text/plain, Size: 6594 bytes --] From 7086e36d23ddbee429c3f0ca271f7e188f81bd61 Mon Sep 17 00:00:00 2001 From: Ojaswin Mujoo <ojaswin@linux.ibm.com> Date: Tue, 10 Feb 2026 17:59:17 +0530 Subject: [PATCH] ext4: add logging to debug issue --- fs/ext4/extents.c | 28 ++++++++++++++++++++++++++++ fs/ext4/extents_status.c | 20 ++++++++++++++++++++ fs/ext4/mballoc.c | 27 +++++++++++++++++++++++++++ 3 files changed, 75 insertions(+) diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c index 3630b27e4fd7..89a681f6e5ca 100644 --- a/fs/ext4/extents.c +++ b/fs/ext4/extents.c @@ -529,6 +529,7 @@ static void ext4_cache_extents(struct inode *inode, int i; KUNIT_STATIC_STUB_REDIRECT(ext4_cache_extents, inode, eh); + ext4_warning_inode(inode, "%s: caching extents\n", __func__); for (i = le16_to_cpu(eh->eh_entries); i > 0; i--, ex++) { unsigned int status = EXTENT_STATUS_WRITTEN; @@ -2006,6 +2007,22 @@ ext4_ext_insert_extent(handle_t *handle, struct inode *inode, goto errout; } + ext4_warning_inode( + inode, + "%s: add newext [%u, %u, %llu, unwrit:%d] to extent tree.\n", + __func__, le32_to_cpu(newext->ee_block), + ext4_ext_get_actual_len(newext), ext4_ext_pblock(newext), + ext4_ext_is_unwritten(newext)); + + if (ex) { + ext4_warning_inode( + inode, + "%s: ext at current path: [%u, %u, %llu, unwrit:%d]\n", + __func__, le32_to_cpu(ex->ee_block), + ext4_ext_get_actual_len(ex), ext4_ext_pblock(ex), + ext4_ext_is_unwritten(ex)); + } + /* try to insert block into found extent and return */ if (ex && !(gb_flags & EXT4_GET_BLOCKS_SPLIT_NOMERGE)) { @@ -2832,6 +2849,11 @@ int ext4_ext_remove_space(struct inode *inode, ext4_lblk_t start, int i = 0, err = 0; int flags = EXT4_EX_NOCACHE | EXT4_EX_NOFAIL; + ext4_warning_inode( + inode, + "%s: remove range [%u, %u] from extent tree\n", + __func__, start, end); + partial.pclu = 0; partial.lblk = 0; partial.state = initial; @@ -4456,6 +4478,12 @@ int ext4_ext_map_blocks(handle_t *handle, struct inode *inode, map->m_flags |= EXT4_MAP_UNWRITTEN; } + ext4_warning_inode( + inode, + "%s: add newext [%u, %u, %llu, unwrit:%d] to extent tree.\n", + __func__, le32_to_cpu(newex.ee_block), + ext4_ext_get_actual_len(&newex), ext4_ext_pblock(&newex), + ext4_ext_is_unwritten(&newex)); path = ext4_ext_insert_extent(handle, inode, path, &newex, flags); if (IS_ERR(path)) { err = PTR_ERR(path); diff --git a/fs/ext4/extents_status.c b/fs/ext4/extents_status.c index a1538bac51c6..009c22108a7f 100644 --- a/fs/ext4/extents_status.c +++ b/fs/ext4/extents_status.c @@ -847,6 +847,10 @@ static int __es_insert_extent(struct inode *inode, struct extent_status *newes, struct rb_node *parent = NULL; struct extent_status *es; + ext4_warning_inode(inode, "%s: add lblk:%u len:%u pblk:%llu status:0x%x]\n", __func__, + newes->es_lblk, newes->es_len, ext4_es_pblock(newes), + ext4_es_status(newes)); + while (*p) { parent = *p; es = rb_entry(parent, struct extent_status, rb_node); @@ -921,6 +925,10 @@ void ext4_es_insert_extent(struct inode *inode, ext4_lblk_t lblk, es_debug("add [%u/%u) %llu %x %d to extent status tree of inode %lu\n", lblk, len, pblk, status, delalloc_reserve_used, inode->i_ino); + ext4_warning_inode( + inode, + "%s: add lblk:%u len:%u pblk:%llu 0x%x to es\n", + __func__, lblk, len, pblk, status); if (!len) return; @@ -1031,6 +1039,11 @@ void ext4_es_cache_extent(struct inode *inode, ext4_lblk_t lblk, bool conflict = false; int err; + ext4_warning_inode( + inode, + "%s: cache extent lblk:%u len:%u pblk:%llu status:0x%x\n", + __func__, lblk, len, pblk, status); + if (EXT4_SB(inode->i_sb)->s_mount_state & EXT4_FC_REPLAY) return; @@ -1493,6 +1506,11 @@ static int __es_remove_extent(struct inode *inode, ext4_lblk_t lblk, bool count_reserved = true; struct rsvd_count rc; + ext4_warning_inode( + inode, + "%s: remove [%u,%u] range from extent status tree of inode %lu\n", + __func__, lblk, end, inode->i_ino); + if (reserved == NULL || !test_opt(inode->i_sb, DELALLOC)) count_reserved = false; if (status == 0) @@ -1633,6 +1651,8 @@ void ext4_es_remove_extent(struct inode *inode, ext4_lblk_t lblk, es_debug("remove [%u/%u) from extent status tree of inode %lu\n", lblk, len, inode->i_ino); + ext4_warning_inode(inode, "%s: remove lblk:%u len:%u from es\n", + __func__, lblk, len); if (!len) return; diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c index dbc82b65f810..a37d6e3e004d 100644 --- a/fs/ext4/mballoc.c +++ b/fs/ext4/mballoc.c @@ -2004,6 +2004,18 @@ static void mb_free_blocks(struct inode *inode, struct ext4_buddy *e4b, int last = first + count - 1; struct super_block *sb = e4b->bd_sb; + ext4_fsblk_t pblk = + ext4_group_first_block_no(e4b->bd_sb, e4b->bd_group) + + (first << EXT4_SB(e4b->bd_sb)->s_cluster_bits); + + if (inode) + ext4_warning_inode(inode, "%s: trying to free pblk:%llu count:%d\n", + __func__, pblk, count); + else + ext4_warning(sb, "%s: trying to free pblk:%llu count:%d\n", + __func__, pblk, count); + + if (WARN_ON(count == 0)) return; BUG_ON(last >= (sb->s_blocksize << 3)); @@ -3101,6 +3113,12 @@ ext4_mb_regular_allocator(struct ext4_allocation_context *ac) if (!err && ac->ac_status != AC_STATUS_FOUND && ac->ac_first_err) err = ac->ac_first_err; + ext4_warning_inode( + ac->ac_inode, + "%s: Best len %d, origin len %d, ac_status %u, ac_flags 0x%x, cr %d ret %d\n", + __func__, ac->ac_b_ex.fe_len, ac->ac_o_ex.fe_len, ac->ac_status, + ac->ac_flags, ac->ac_criteria, err); + mb_debug(sb, "Best len %d, origin len %d, ac_status %u, ac_flags 0x%x, cr %d ret %d\n", ac->ac_b_ex.fe_len, ac->ac_o_ex.fe_len, ac->ac_status, ac->ac_flags, ac->ac_criteria, err); @@ -6251,6 +6269,10 @@ ext4_fsblk_t ext4_mb_new_blocks(handle_t *handle, sb = ar->inode->i_sb; sbi = EXT4_SB(sb); + ext4_warning_inode(ar->inode, + "%s: Allocation requested for: lblk:%u len:%d\n", + __func__, ar->logical, ar->len); + trace_ext4_request_blocks(ar); if (sbi->s_mount_state & EXT4_FC_REPLAY) return ext4_mb_new_blocks_simple(ar, errp); @@ -6334,6 +6356,11 @@ ext4_fsblk_t ext4_mb_new_blocks(handle_t *handle, ext4_mb_pa_put_free(ac); } if (likely(ac->ac_status == AC_STATUS_FOUND)) { + ext4_warning_inode( + ar->inode, + "%s: Allocation found: lblk:%u, len:%d, pblk:%llu\n", + __func__, ar->logical, ac->ac_b_ex.fe_len, + ext4_grp_offs_to_block(sb, &ac->ac_b_ex)); *errp = ext4_mb_mark_diskspace_used(ac, handle); if (*errp) { ext4_discard_allocated_blocks(ac); -- 2.52.0 ^ permalink raw reply related [flat|nested] 17+ messages in thread
* Re: [syzbot] [ext4?] kernel BUG in ext4_es_cache_extent (4) 2026-03-12 17:45 ` Ojaswin Mujoo @ 2026-03-12 18:05 ` syzbot 0 siblings, 0 replies; 17+ messages in thread From: syzbot @ 2026-03-12 18:05 UTC (permalink / raw) To: adilger.kernel, linux-ext4, linux-kernel, ojaswin, syzkaller-bugs, tytso Hello, syzbot has tested the proposed patch but the reproducer is still triggering an issue: kernel BUG in ext4_es_cache_extent EXT4-fs warning (device loop0): ext4_mb_new_blocks:6274: inode #15: comm syz.0.55: ext4_mb_new_blocks: Allocation requested for: lblk:0 len:1 EXT4-fs warning (device loop0): ext4_mb_regular_allocator:3120: inode #15: comm syz.0.55: ext4_mb_regular_allocator: Best len 1, origin len 1, ac_status 2, ac_flags 0xa0, cr 5 ret 0 ------------[ cut here ]------------ kernel BUG at fs/ext4/extents_status.c:1057! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI CPU: 1 UID: 0 PID: 6693 Comm: syz.0.55 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/27/2026 RIP: 0010:ext4_es_cache_extent+0x8eb/0xa10 fs/ext4/extents_status.c:1057 Code: e1 07 80 c1 03 38 c1 0f 8c 51 fe ff ff 48 8b 7c 24 18 e8 f8 54 af ff e9 42 fe ff ff e8 ee 19 47 ff 90 0f 0b e8 e6 19 47 ff 90 <0f> 0b 65 8b 1d 70 7b 6e 10 bf 07 00 00 00 89 de e8 10 1e 47 ff 83 RSP: 0018:ffffc900041aec20 EFLAGS: 00010293 RAX: ffffffff827d24ba RBX: 0000000000000060 RCX: ffff88802d9f3d00 RDX: 0000000000000000 RSI: 0000000000000064 RDI: 0000000000000060 RBP: ffffc900041aed80 R08: ffff88807eaeca47 R09: 1ffff1100fd5d948 R10: dffffc0000000000 R11: ffffed100fd5d949 R12: 0000000000000008 R13: dffffc0000000000 R14: 000000000000000f R15: 0000000000000064 FS: 00007fca40bd36c0(0000) GS:ffff888125866000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000200000011000 CR3: 000000007715a000 CR4: 0000000000350ef0 Call Trace: <TASK> ext4_cache_extents+0x143/0x2f0 fs/ext4/extents.c:540 __read_extent_tree_block+0x3b8/0x580 fs/ext4/extents.c:587 ext4_find_extent+0x5bb/0xa20 fs/ext4/extents.c:942 ext4_ext_map_blocks+0x27a/0x5730 fs/ext4/extents.c:4285 ext4_map_query_blocks+0x13b/0xa00 fs/ext4/inode.c:553 ext4_map_blocks+0x444/0x11d0 fs/ext4/inode.c:771 _ext4_get_block+0x1e3/0x470 fs/ext4/inode.c:909 ext4_get_block_unwritten+0x2e/0x100 fs/ext4/inode.c:942 ext4_block_write_begin+0xb14/0x1950 fs/ext4/inode.c:1196 ext4_write_begin+0xb40/0x1870 fs/ext4/ext4_jbd2.h:-1 ext4_da_write_begin+0x355/0xd30 fs/ext4/inode.c:3123 generic_perform_write+0x2e2/0x8f0 mm/filemap.c:4314 ext4_buffered_write_iter+0xce/0x3a0 fs/ext4/file.c:299 ext4_file_write_iter+0x298/0x1bf0 fs/ext4/file.c:-1 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x61d/0xb90 fs/read_write.c:686 ksys_pwrite64 fs/read_write.c:793 [inline] __do_sys_pwrite64 fs/read_write.c:801 [inline] __se_sys_pwrite64 fs/read_write.c:798 [inline] __x64_sys_pwrite64+0x199/0x230 fs/read_write.c:798 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fca3fd9c799 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fca40bd3028 EFLAGS: 00000246 ORIG_RAX: 0000000000000012 RAX: ffffffffffffffda RBX: 00007fca40016090 RCX: 00007fca3fd9c799 RDX: 00000000200000c1 RSI: 00002000000000c0 RDI: 0000000000000006 RBP: 00007fca3fe32bd9 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000009000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fca40016128 R14: 00007fca40016090 R15: 00007ffe8193e178 </TASK> Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:ext4_es_cache_extent+0x8eb/0xa10 fs/ext4/extents_status.c:1057 Code: e1 07 80 c1 03 38 c1 0f 8c 51 fe ff ff 48 8b 7c 24 18 e8 f8 54 af ff e9 42 fe ff ff e8 ee 19 47 ff 90 0f 0b e8 e6 19 47 ff 90 <0f> 0b 65 8b 1d 70 7b 6e 10 bf 07 00 00 00 89 de e8 10 1e 47 ff 83 RSP: 0018:ffffc900041aec20 EFLAGS: 00010293 RAX: ffffffff827d24ba RBX: 0000000000000060 RCX: ffff88802d9f3d00 RDX: 0000000000000000 RSI: 0000000000000064 RDI: 0000000000000060 RBP: ffffc900041aed80 R08: ffff88807eaeca47 R09: 1ffff1100fd5d948 R10: dffffc0000000000 R11: ffffed100fd5d949 R12: 0000000000000008 R13: dffffc0000000000 R14: 000000000000000f R15: 0000000000000064 FS: 00007fca40bd36c0(0000) GS:ffff888125866000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000200000011000 CR3: 000000007715a000 CR4: 0000000000350ef0 Tested on: commit: 4f5e8e6f et4: allow zeroout when doing written to unwr.. git tree: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git dev console output: https://syzkaller.appspot.com/x/log.txt?x=1236cd52580000 kernel config: https://syzkaller.appspot.com/x/.config?x=a535ad5429f72a2 dashboard link: https://syzkaller.appspot.com/bug?extid=ccf1421545dbe5caa20c compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8 patch: https://syzkaller.appspot.com/x/patch.diff?x=1696cd52580000 ^ permalink raw reply [flat|nested] 17+ messages in thread
end of thread, other threads:[~2026-03-12 18:05 UTC | newest] Thread overview: 17+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2026-02-09 2:08 [syzbot] [ext4?] kernel BUG in ext4_es_cache_extent (4) syzbot 2026-02-09 19:22 ` Ojaswin Mujoo 2026-02-09 19:42 ` syzbot 2026-02-10 5:49 ` Ojaswin Mujoo 2026-02-10 6:20 ` syzbot 2026-02-10 12:33 ` Ojaswin Mujoo 2026-02-10 15:24 ` syzbot 2026-02-10 18:06 ` Ojaswin Mujoo 2026-02-10 19:59 ` Ojaswin Mujoo 2026-02-10 20:54 ` syzbot 2026-02-11 8:29 ` Ojaswin Mujoo 2026-02-11 10:03 ` syzbot 2026-02-11 13:42 ` Ojaswin Mujoo 2026-02-11 16:44 ` syzbot 2026-03-03 19:19 ` syzbot 2026-03-12 17:45 ` Ojaswin Mujoo 2026-03-12 18:05 ` syzbot
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox