public inbox for linux-fsdevel@vger.kernel.org
* [syzbot] [iomap?] WARNING in ifs_free
@ 2026-01-15  8:12 syzbot
  2026-02-19 20:51 ` syzbot
  0 siblings, 1 reply; 4+ messages in thread
From: syzbot @ 2026-01-15  8:12 UTC (permalink / raw)
  To: brauner, djwong, linux-fsdevel, linux-kernel, linux-xfs,
	syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    f417b7ffcbef Add linux-next specific files for 20260109
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=17e6943a580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=63a1fc1b4011ac76
dashboard link: https://syzkaller.appspot.com/bug?extid=d3a62bea0e61f9d121da
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/1f048080a918/disk-f417b7ff.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/dfd5ea190c96/vmlinux-f417b7ff.xz
kernel image: https://storage.googleapis.com/syzbot-assets/db24c176e0df/bzImage-f417b7ff.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d3a62bea0e61f9d121da@syzkaller.appspotmail.com

------------[ cut here ]------------
WARNING: fs/iomap/buffered-io.c:255 at ifs_free+0x358/0x420 fs/iomap/buffered-io.c:254, CPU#1: syz-executor/9813
Modules linked in:
CPU: 1 UID: 0 PID: 9813 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
RIP: 0010:ifs_free+0x358/0x420 fs/iomap/buffered-io.c:254
Code: 41 5f 5d e9 aa ec c0 ff e8 05 d2 65 ff 90 0f 0b 90 e9 d0 fe ff ff e8 f7 d1 65 ff 90 0f 0b 90 e9 0a ff ff ff e8 e9 d1 65 ff 90 <0f> 0b 90 eb c3 44 89 e1 80 e1 07 80 c1 03 38 c1 0f 8c 06 fe ff ff
RSP: 0018:ffffc90005287670 EFLAGS: 00010293
RAX: ffffffff825ae8d7 RBX: 0000000000000008 RCX: ffff88802f4c9e40
RDX: 0000000000000000 RSI: 0000000000000008 RDI: 0000000000000000
RBP: 00000000825b5701 R08: ffffea0002bb5887 R09: 1ffffd4000576b10
R10: dffffc0000000000 R11: fffff94000576b11 R12: ffff8880202d0144
R13: ffff8880202d0100 R14: ffffea0002bb5880 R15: 1ffffd4000576b11
FS:  00005555773e5500(0000) GS:ffff888125d07000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f27239ff000 CR3: 0000000033afe000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 folio_invalidate mm/truncate.c:140 [inline]
 truncate_cleanup_folio+0x2d8/0x430 mm/truncate.c:160
 truncate_inode_pages_range+0x233/0xd90 mm/truncate.c:404
 ntfs_evict_inode+0x19/0x40 fs/ntfs3/inode.c:1799
 evict+0x5f4/0xae0 fs/inode.c:837
 dispose_list fs/inode.c:879 [inline]
 evict_inodes+0x753/0x7e0 fs/inode.c:933
 generic_shutdown_super+0x9a/0x2c0 fs/super.c:628
 kill_block_super+0x44/0x90 fs/super.c:1722
 ntfs3_kill_sb+0x44/0x1c0 fs/ntfs3/super.c:1860
 deactivate_locked_super+0xbc/0x130 fs/super.c:474
 cleanup_mnt+0x425/0x4c0 fs/namespace.c:1312
 task_work_run+0x1d4/0x260 kernel/task_work.c:233
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 __exit_to_user_mode_loop kernel/entry/common.c:44 [inline]
 exit_to_user_mode_loop+0xef/0x4e0 kernel/entry/common.c:75
 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
 syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
 syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline]
 do_syscall_64+0x2c1/0xf80 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fba68d90a77
Code: a8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 a8 ff ff ff f7 d8 64 89 02 b8
RSP: 002b:00007ffc83b0f988 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 00007fba68e13d7d RCX: 00007fba68d90a77
RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007ffc83b0fa40
RBP: 00007ffc83b0fa40 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007ffc83b10ad0
R13: 00007fba68e13d7d R14: 0000000000069557 R15: 00007ffc83b10b10
 </TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

* Re: [syzbot] [iomap?] WARNING in ifs_free
  2026-01-15  8:12 [syzbot] [iomap?] WARNING in ifs_free syzbot
@ 2026-02-19 20:51 ` syzbot
  2026-02-20  0:46   ` Joanne Koong
  0 siblings, 1 reply; 4+ messages in thread
From: syzbot @ 2026-02-19 20:51 UTC (permalink / raw)
  To: brauner, djwong, linux-fsdevel, linux-kernel, linux-xfs,
	syzkaller-bugs

syzbot has found a reproducer for the following issue on:

HEAD commit:    2b7a25df823d Merge tag 'mm-nonmm-stable-2026-02-18-19-56' ..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10c21722580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=65722f41f7edc17e
dashboard link: https://syzkaller.appspot.com/bug?extid=d3a62bea0e61f9d121da
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1501dc02580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1357f652580000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-2b7a25df.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/f3a54d09b17c/vmlinux-2b7a25df.xz
kernel image: https://storage.googleapis.com/syzbot-assets/fb704901bce5/bzImage-2b7a25df.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/b778b9903de5/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d3a62bea0e61f9d121da@syzkaller.appspotmail.com

------------[ cut here ]------------
ifs_is_fully_uptodate(folio, ifs) != folio_test_uptodate(folio)
WARNING: fs/iomap/buffered-io.c:256 at ifs_free+0x358/0x420 fs/iomap/buffered-io.c:255, CPU#0: syz-executor/5453
Modules linked in:
CPU: 0 UID: 0 PID: 5453 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:ifs_free+0x358/0x420 fs/iomap/buffered-io.c:255
Code: 41 5f 5d e9 7a fb bd ff e8 45 5a 5e ff 90 0f 0b 90 e9 d0 fe ff ff e8 37 5a 5e ff 90 0f 0b 90 e9 0a ff ff ff e8 29 5a 5e ff 90 <0f> 0b 90 eb c3 44 89 e1 80 e1 07 80 c1 03 38 c1 0f 8c 06 fe ff ff
RSP: 0018:ffffc9000dfcf688 EFLAGS: 00010293
RAX: ffffffff82674207 RBX: 0000000000000008 RCX: ffff88801f834900
RDX: 0000000000000000 RSI: 0000000000000008 RDI: 0000000000000000
RBP: 000000008267bc01 R08: ffffea00010fb747 R09: 1ffffd400021f6e8
R10: dffffc0000000000 R11: fffff9400021f6e9 R12: ffff888051c7da44
R13: ffff888051c7da00 R14: ffffea00010fb740 R15: 1ffffd400021f6e9
FS:  0000555586def500(0000) GS:ffff88808ca5b000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555586e0aa28 CR3: 00000000591fe000 CR4: 0000000000352ef0
Call Trace:
 <TASK>
 folio_invalidate mm/truncate.c:140 [inline]
 truncate_cleanup_folio+0xcb/0x190 mm/truncate.c:160
 truncate_inode_pages_range+0x2ce/0xe30 mm/truncate.c:404
 ntfs_evict_inode+0x19/0x40 fs/ntfs3/inode.c:1861
 evict+0x61e/0xb10 fs/inode.c:846
 dispose_list fs/inode.c:888 [inline]
 evict_inodes+0x75a/0x7f0 fs/inode.c:942
 generic_shutdown_super+0xaa/0x2d0 fs/super.c:632
 kill_block_super+0x44/0x90 fs/super.c:1725
 ntfs3_kill_sb+0x44/0x1c0 fs/ntfs3/super.c:1889
 deactivate_locked_super+0xbc/0x130 fs/super.c:476
 cleanup_mnt+0x437/0x4d0 fs/namespace.c:1312
 task_work_run+0x1d9/0x270 kernel/task_work.c:233
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 __exit_to_user_mode_loop kernel/entry/common.c:67 [inline]
 exit_to_user_mode_loop+0xed/0x480 kernel/entry/common.c:98
 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
 syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:325 [inline]
 do_syscall_64+0x32d/0xf80 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb0f859d897
Code: a2 c7 05 5c ee 24 00 00 00 00 00 eb 96 e8 e1 12 00 00 90 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 e8 ff ff ff f7 d8 64 89 02 b8
RSP: 002b:00007ffd23732b28 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 00007fb0f8631ef0 RCX: 00007fb0f859d897
RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007ffd23732be0
RBP: 00007ffd23732be0 R08: 00007ffd23733be0 R09: 00000000ffffffff
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd23733c70
R13: 00007fb0f8631ef0 R14: 000000000001b126 R15: 00007ffd23733cb0
 </TASK>


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

* Re: [syzbot] [iomap?] WARNING in ifs_free
  2026-02-19 20:51 ` syzbot
@ 2026-02-20  0:46   ` Joanne Koong
  2026-02-20 17:07     ` Christoph Hellwig
  0 siblings, 1 reply; 4+ messages in thread
From: Joanne Koong @ 2026-02-20  0:46 UTC (permalink / raw)
  To: syzbot
  Cc: brauner, djwong, linux-fsdevel, linux-kernel, linux-xfs,
	syzkaller-bugs

On Thu, Feb 19, 2026 at 12:51 PM syzbot
<syzbot+d3a62bea0e61f9d121da@syzkaller.appspotmail.com> wrote:
>
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit:    2b7a25df823d Merge tag 'mm-nonmm-stable-2026-02-18-19-56' ..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=10c21722580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=65722f41f7edc17e
> dashboard link: https://syzkaller.appspot.com/bug?extid=d3a62bea0e61f9d121da
> compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1501dc02580000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1357f652580000
>
> Downloadable assets:
> disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-2b7a25df.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/f3a54d09b17c/vmlinux-2b7a25df.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/fb704901bce5/bzImage-2b7a25df.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/b778b9903de5/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+d3a62bea0e61f9d121da@syzkaller.appspotmail.com
>
> ------------[ cut here ]------------
> ifs_is_fully_uptodate(folio, ifs) != folio_test_uptodate(folio)
> WARNING: fs/iomap/buffered-io.c:256 at ifs_free+0x358/0x420 fs/iomap/buffered-io.c:255, CPU#0: syz-executor/5453
> Modules linked in:
> CPU: 0 UID: 0 PID: 5453 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full)
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
> RIP: 0010:ifs_free+0x358/0x420 fs/iomap/buffered-io.c:255
> Code: 41 5f 5d e9 7a fb bd ff e8 45 5a 5e ff 90 0f 0b 90 e9 d0 fe ff ff e8 37 5a 5e ff 90 0f 0b 90 e9 0a ff ff ff e8 29 5a 5e ff 90 <0f> 0b 90 eb c3 44 89 e1 80 e1 07 80 c1 03 38 c1 0f 8c 06 fe ff ff
> RSP: 0018:ffffc9000dfcf688 EFLAGS: 00010293
> RAX: ffffffff82674207 RBX: 0000000000000008 RCX: ffff88801f834900
> RDX: 0000000000000000 RSI: 0000000000000008 RDI: 0000000000000000
> RBP: 000000008267bc01 R08: ffffea00010fb747 R09: 1ffffd400021f6e8
> R10: dffffc0000000000 R11: fffff9400021f6e9 R12: ffff888051c7da44
> R13: ffff888051c7da00 R14: ffffea00010fb740 R15: 1ffffd400021f6e9
> FS:  0000555586def500(0000) GS:ffff88808ca5b000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000555586e0aa28 CR3: 00000000591fe000 CR4: 0000000000352ef0
> Call Trace:
>  <TASK>
>  folio_invalidate mm/truncate.c:140 [inline]
>  truncate_cleanup_folio+0xcb/0x190 mm/truncate.c:160
>  truncate_inode_pages_range+0x2ce/0xe30 mm/truncate.c:404
>  ntfs_evict_inode+0x19/0x40 fs/ntfs3/inode.c:1861
>  evict+0x61e/0xb10 fs/inode.c:846
>  dispose_list fs/inode.c:888 [inline]
>  evict_inodes+0x75a/0x7f0 fs/inode.c:942
>  generic_shutdown_super+0xaa/0x2d0 fs/super.c:632
>  kill_block_super+0x44/0x90 fs/super.c:1725
>  ntfs3_kill_sb+0x44/0x1c0 fs/ntfs3/super.c:1889
>  deactivate_locked_super+0xbc/0x130 fs/super.c:476
>  cleanup_mnt+0x437/0x4d0 fs/namespace.c:1312
>  task_work_run+0x1d9/0x270 kernel/task_work.c:233
>  resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
>  __exit_to_user_mode_loop kernel/entry/common.c:67 [inline]
>  exit_to_user_mode_loop+0xed/0x480 kernel/entry/common.c:98
>  __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
>  syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
>  syscall_exit_to_user_mode include/linux/entry-common.h:325 [inline]
>  do_syscall_64+0x32d/0xf80 arch/x86/entry/syscall_64.c:100
>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x7fb0f859d897
> Code: a2 c7 05 5c ee 24 00 00 00 00 00 eb 96 e8 e1 12 00 00 90 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 e8 ff ff ff f7 d8 64 89 02 b8
> RSP: 002b:00007ffd23732b28 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
> RAX: 0000000000000000 RBX: 00007fb0f8631ef0 RCX: 00007fb0f859d897
> RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007ffd23732be0
> RBP: 00007ffd23732be0 R08: 00007ffd23733be0 R09: 00000000ffffffff
> R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd23733c70
> R13: 00007fb0f8631ef0 R14: 000000000001b126 R15: 00007ffd23733cb0
>  </TASK>
>

I ran the repro locally to see if it's the same issue fixed by [1] but
this is a different unrelated issue.

The folio is uptodate but the ifs uptodate bitmap is not reflected as
fully uptodate. I think this is because ntfs3 handles writes for
compressed files through its own interface that doesn't go through
iomap where it calls folio_mark_uptodate() but the ifs bitmap doesn't
get updated. fuse-blk servers that operate in writethrough mode run
into something like this as well [2].

This doesn't lead to any data corruption issues. Should we get rid of
the WARN_ON_ONCE(ifs_is_fully_uptodate(folio, ifs) !=
folio_test_uptodate(folio))? The alternative is to make a modified
version of the functionality in "iomap_set_range_uptodate()" a public
api callable by subsystems.

Thanks,
Joanne

[1] https://lore.kernel.org/linux-fsdevel/20260219003911.344478-1-joannelkoong@gmail.com/
[2] https://lore.kernel.org/linux-fsdevel/20251223223018.3295372-2-sashal@kernel.org/
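
A userspace model of the mismatch described in the message above, added here as an illustration; it is not part of the thread and not kernel code. The `model_*` names and the 8-blocks-per-folio value are assumptions. It sets the folio-level flag without updating the per-block bitmap and then evaluates the condition that ifs_free() warns on.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MODEL_BLOCKS 8 /* assumed blocks per folio, chosen for illustration */

/* Userspace stand-in for a folio plus its iomap_folio_state (ifs). */
struct model_folio {
	bool folio_uptodate;               /* models folio_test_uptodate() */
	bool block_uptodate[MODEL_BLOCKS]; /* models the ifs uptodate bitmap */
};

/* Models ifs_is_fully_uptodate(): every block bit must be set. */
static bool model_ifs_fully_uptodate(const struct model_folio *f)
{
	for (size_t i = 0; i < MODEL_BLOCKS; i++)
		if (!f->block_uptodate[i])
			return false;
	return true;
}

/* iomap-style update: set block bits, raise the folio flag only when full. */
static void model_set_range_uptodate(struct model_folio *f, size_t first, size_t nr)
{
	for (size_t i = first; i < first + nr && i < MODEL_BLOCKS; i++)
		f->block_uptodate[i] = true;
	if (model_ifs_fully_uptodate(f))
		f->folio_uptodate = true;
}

/* Models the condition under WARN_ON_ONCE() in ifs_free(). */
static bool model_free_would_warn(const struct model_folio *f)
{
	return model_ifs_fully_uptodate(f) != f->folio_uptodate;
}

/* Runs one scenario; bypass=true sets the folio flag without the bitmap. */
bool scenario_warns(bool bypass)
{
	struct model_folio f = {0};
	model_set_range_uptodate(&f, 0, MODEL_BLOCKS / 2); /* half the blocks valid */
	if (bypass)
		f.folio_uptodate = true; /* direct folio_mark_uptodate() analogue */
	else
		model_set_range_uptodate(&f, MODEL_BLOCKS / 2, MODEL_BLOCKS / 2);
	return model_free_would_warn(&f);
}

int main(void)
{
	printf("iomap path warns:  %d\n", scenario_warns(false));
	printf("bypass path warns: %d\n", scenario_warns(true));
	return 0;
}
```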

* Re: [syzbot] [iomap?] WARNING in ifs_free
  2026-02-20  0:46   ` Joanne Koong
@ 2026-02-20 17:07     ` Christoph Hellwig
  0 siblings, 0 replies; 4+ messages in thread
From: Christoph Hellwig @ 2026-02-20 17:07 UTC (permalink / raw)
  To: Joanne Koong
  Cc: syzbot, brauner, djwong, linux-fsdevel, linux-kernel, linux-xfs,
	syzkaller-bugs

On Thu, Feb 19, 2026 at 04:46:58PM -0800, Joanne Koong wrote:
> The folio is uptodate but the ifs uptodate bitmap is not reflected as
> fully uptodate. I think this is because ntfs3 handles writes for
> compressed files through its own interface that doesn't go through
> iomap where it calls folio_mark_uptodate() but the ifs bitmap doesn't
> get updated. fuse-blk servers that operate in writethrough mode run
> into something like this as well [2].
> 
> This doesn't lead to any data corruption issues. Should we get rid of
> the WARN_ON_ONCE(ifs_is_fully_uptodate(folio, ifs) !=
> folio_test_uptodate(folio))? The alternative is to make a modified
> version of the functionality in "iomap_set_range_uptodate()" a public
> api callable by subsystems.

I'd honestly rather have ntfs3 come along and explain what they're
doing.  They've copy and pasted large chunks of the buffered
read code for no reason, which already annoys me and I'd rather
not paper over random misuses.

