linux-kernel.vger.kernel.org archive mirror
* [syzbot] [f2fs?] kernel BUG in f2fs_write_end_io
@ 2025-04-02  0:00 syzbot
  2025-04-15 14:14 ` syzbot
  2025-08-11 11:41 ` Chao Yu
  0 siblings, 2 replies; 7+ messages in thread
From: syzbot @ 2025-04-02  0:00 UTC
  To: chao, jaegeuk, linux-f2fs-devel, linux-kernel, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    4e82c87058f4 Merge tag 'rust-6.15' of git://git.kernel.org..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17007198580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=4253e469c0d32ef6
dashboard link: https://syzkaller.appspot.com/bug?extid=803dd716c4310d16ff3a
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/5e6f1c2744e3/disk-4e82c870.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/5c1a60744d62/vmlinux-4e82c870.xz
kernel image: https://storage.googleapis.com/syzbot-assets/228bbd75bd12/bzImage-4e82c870.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+803dd716c4310d16ff3a@syzkaller.appspotmail.com

------------[ cut here ]------------
kernel BUG at fs/f2fs/data.c:358!
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 1 UID: 0 PID: 23 Comm: ksoftirqd/1 Not tainted 6.14.0-syzkaller-10892-g4e82c87058f4 #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
RIP: 0010:f2fs_write_end_io+0x77a/0x790 fs/f2fs/data.c:357
Code: e8 8b 01 f2 fd e9 a2 fa ff ff 89 d9 80 e1 07 38 c1 0f 8c fe fa ff ff 48 89 df e8 11 01 f2 fd e9 f1 fa ff ff e8 87 92 8b fd 90 <0f> 0b e8 8f d4 ed 07 66 66 66 66 66 66 2e 0f 1f 84 00 00 00 00 00
RSP: 0018:ffffc900001d79c0 EFLAGS: 00010246
RAX: ffffffff8437d9e9 RBX: 0000000000000000 RCX: ffff88801da85a00
RDX: 0000000000000100 RSI: 0000000000000000 RDI: 000000000000000a
RBP: ffffc900001d7ac8 R08: ffffffff8437d696 R09: 1ffffd400012b785
R10: dffffc0000000000 R11: fffff9400012b786 R12: 0000000000000001
R13: dffffc0000000000 R14: 000000000000000a R15: ffffea000095bc00
FS:  0000000000000000(0000) GS:ffff8881250e5000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fd1b21f9438 CR3: 000000007b684000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 blk_update_request+0x5e5/0x1160 block/blk-mq.c:983
 blk_mq_end_request+0x3e/0x70 block/blk-mq.c:1145
 blk_complete_reqs block/blk-mq.c:1220 [inline]
 blk_done_softirq+0x100/0x150 block/blk-mq.c:1225
 handle_softirqs+0x2d6/0x9b0 kernel/softirq.c:579
 run_ksoftirqd+0xcf/0x130 kernel/softirq.c:968
 smpboot_thread_fn+0x576/0xaa0 kernel/smpboot.c:164
 kthread+0x7b7/0x940 kernel/kthread.c:464
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:153
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:f2fs_write_end_io+0x77a/0x790 fs/f2fs/data.c:357
Code: e8 8b 01 f2 fd e9 a2 fa ff ff 89 d9 80 e1 07 38 c1 0f 8c fe fa ff ff 48 89 df e8 11 01 f2 fd e9 f1 fa ff ff e8 87 92 8b fd 90 <0f> 0b e8 8f d4 ed 07 66 66 66 66 66 66 2e 0f 1f 84 00 00 00 00 00
RSP: 0018:ffffc900001d79c0 EFLAGS: 00010246
RAX: ffffffff8437d9e9 RBX: 0000000000000000 RCX: ffff88801da85a00
RDX: 0000000000000100 RSI: 0000000000000000 RDI: 000000000000000a
RBP: ffffc900001d7ac8 R08: ffffffff8437d696 R09: 1ffffd400012b785
R10: dffffc0000000000 R11: fffff9400012b786 R12: 0000000000000001
R13: dffffc0000000000 R14: 000000000000000a R15: ffffea000095bc00
FS:  0000000000000000(0000) GS:ffff8881250e5000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fd1b21f9438 CR3: 000000007b684000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite the report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup


* Re: [syzbot] [f2fs?] kernel BUG in f2fs_write_end_io
  2025-04-02  0:00 syzbot
@ 2025-04-15 14:14 ` syzbot
  2025-08-11 11:05   ` Chao Yu
  2025-08-11 11:41 ` Chao Yu
  1 sibling, 1 reply; 7+ messages in thread
From: syzbot @ 2025-04-15 14:14 UTC
  To: chao, jaegeuk, linux-f2fs-devel, linux-kernel, syzkaller-bugs

syzbot has found a reproducer for the following issue on:

HEAD commit:    834a4a689699 Merge tag 'for-linus' of git://git.kernel.org..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10051a3f980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=a972ee73c2fcf8ca
dashboard link: https://syzkaller.appspot.com/bug?extid=803dd716c4310d16ff3a
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=145a2fe4580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=13382470580000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7feb34a89c2a/non_bootable_disk-834a4a68.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/4454365a3050/vmlinux-834a4a68.xz
kernel image: https://storage.googleapis.com/syzbot-assets/2d99dbd9f6f4/bzImage-834a4a68.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/89819a66cafe/mount_0.gz
  fsck result: failed (log: https://syzkaller.appspot.com/x/fsck.log?x=13420b98580000)

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+803dd716c4310d16ff3a@syzkaller.appspotmail.com

------------[ cut here ]------------
kernel BUG at fs/f2fs/data.c:358!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 1033 Comm: kworker/u4:5 Not tainted 6.15.0-rc2-syzkaller-00037-g834a4a689699 #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: loop0 loop_rootcg_workfn
RIP: 0010:f2fs_write_end_io+0x77a/0x790 fs/f2fs/data.c:357
Code: e8 fb d8 f0 fd e9 a2 fa ff ff 89 d9 80 e1 07 38 c1 0f 8c fe fa ff ff 48 89 df e8 81 d8 f0 fd e9 f1 fa ff ff e8 d7 9e 86 fd 90 <0f> 0b e8 9f 0a f4 07 66 66 66 66 66 66 2e 0f 1f 84 00 00 00 00 00
RSP: 0000:ffffc90002597320 EFLAGS: 00010093
RAX: ffffffff843cb659 RBX: 0000000000000000 RCX: ffff888035d74880
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000000000a
RBP: ffffc90002597430 R08: ffffffff843cb306 R09: 1ffffd4000219d7d
R10: dffffc0000000000 R11: fffff94000219d7e R12: 0000000000000001
R13: dffffc0000000000 R14: 000000000000000a R15: ffffea00010cebc0
FS:  0000000000000000(0000) GS:ffff88808c593000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7f3f420000 CR3: 00000000430fc000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 blk_update_request+0x5e5/0x1160 block/blk-mq.c:983
 blk_mq_end_request+0x3e/0x70 block/blk-mq.c:1145
 blk_flush_complete_seq+0x6bd/0xcf0 block/blk-flush.c:191
 flush_end_io+0xab4/0xdc0 block/blk-flush.c:250
 __blk_mq_end_request+0x492/0x5d0 block/blk-mq.c:1135
 loop_handle_cmd drivers/block/loop.c:1960 [inline]
 loop_process_work+0x1bdf/0x21d0 drivers/block/loop.c:1978
 process_one_work kernel/workqueue.c:3238 [inline]
 process_scheduled_works+0xac3/0x18e0 kernel/workqueue.c:3319
 worker_thread+0x870/0xd50 kernel/workqueue.c:3400
 kthread+0x7b7/0x940 kernel/kthread.c:464
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:153
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:f2fs_write_end_io+0x77a/0x790 fs/f2fs/data.c:357
Code: e8 fb d8 f0 fd e9 a2 fa ff ff 89 d9 80 e1 07 38 c1 0f 8c fe fa ff ff 48 89 df e8 81 d8 f0 fd e9 f1 fa ff ff e8 d7 9e 86 fd 90 <0f> 0b e8 9f 0a f4 07 66 66 66 66 66 66 2e 0f 1f 84 00 00 00 00 00
RSP: 0000:ffffc90002597320 EFLAGS: 00010093
RAX: ffffffff843cb659 RBX: 0000000000000000 RCX: ffff888035d74880
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000000000a
RBP: ffffc90002597430 R08: ffffffff843cb306 R09: 1ffffd4000219d7d
R10: dffffc0000000000 R11: fffff94000219d7e R12: 0000000000000001
R13: dffffc0000000000 R14: 000000000000000a R15: ffffea00010cebc0
FS:  0000000000000000(0000) GS:ffff88808c593000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7f3f420000 CR3: 00000000430fc000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.


* Re: [syzbot] [f2fs?] kernel BUG in f2fs_write_end_io
  2025-04-15 14:14 ` syzbot
@ 2025-08-11 11:05   ` Chao Yu
  2025-08-11 11:31     ` syzbot
  0 siblings, 1 reply; 7+ messages in thread
From: Chao Yu @ 2025-08-11 11:05 UTC
  To: syzbot, jaegeuk, linux-f2fs-devel, linux-kernel, syzkaller-bugs; +Cc: chao

#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/chao/linux.git bugfix/common

On 4/15/25 22:14, syzbot wrote:
> syzbot has found a reproducer for the following issue on:
> 
> HEAD commit:    834a4a689699 Merge tag 'for-linus' of git://git.kernel.org..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=10051a3f980000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=a972ee73c2fcf8ca
> dashboard link: https://syzkaller.appspot.com/bug?extid=803dd716c4310d16ff3a
> compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=145a2fe4580000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=13382470580000
> 
> Downloadable assets:
> disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7feb34a89c2a/non_bootable_disk-834a4a68.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/4454365a3050/vmlinux-834a4a68.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/2d99dbd9f6f4/bzImage-834a4a68.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/89819a66cafe/mount_0.gz
>   fsck result: failed (log: https://syzkaller.appspot.com/x/fsck.log?x=13420b98580000)
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+803dd716c4310d16ff3a@syzkaller.appspotmail.com
> 
> ------------[ cut here ]------------
> kernel BUG at fs/f2fs/data.c:358!
> Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
> CPU: 0 UID: 0 PID: 1033 Comm: kworker/u4:5 Not tainted 6.15.0-rc2-syzkaller-00037-g834a4a689699 #0 PREEMPT(full) 
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
> Workqueue: loop0 loop_rootcg_workfn
> RIP: 0010:f2fs_write_end_io+0x77a/0x790 fs/f2fs/data.c:357
> Code: e8 fb d8 f0 fd e9 a2 fa ff ff 89 d9 80 e1 07 38 c1 0f 8c fe fa ff ff 48 89 df e8 81 d8 f0 fd e9 f1 fa ff ff e8 d7 9e 86 fd 90 <0f> 0b e8 9f 0a f4 07 66 66 66 66 66 66 2e 0f 1f 84 00 00 00 00 00
> RSP: 0000:ffffc90002597320 EFLAGS: 00010093
> RAX: ffffffff843cb659 RBX: 0000000000000000 RCX: ffff888035d74880
> RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000000000a
> RBP: ffffc90002597430 R08: ffffffff843cb306 R09: 1ffffd4000219d7d
> R10: dffffc0000000000 R11: fffff94000219d7e R12: 0000000000000001
> R13: dffffc0000000000 R14: 000000000000000a R15: ffffea00010cebc0
> FS:  0000000000000000(0000) GS:ffff88808c593000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007f7f3f420000 CR3: 00000000430fc000 CR4: 0000000000352ef0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>  <TASK>
>  blk_update_request+0x5e5/0x1160 block/blk-mq.c:983
>  blk_mq_end_request+0x3e/0x70 block/blk-mq.c:1145
>  blk_flush_complete_seq+0x6bd/0xcf0 block/blk-flush.c:191
>  flush_end_io+0xab4/0xdc0 block/blk-flush.c:250
>  __blk_mq_end_request+0x492/0x5d0 block/blk-mq.c:1135
>  loop_handle_cmd drivers/block/loop.c:1960 [inline]
>  loop_process_work+0x1bdf/0x21d0 drivers/block/loop.c:1978
>  process_one_work kernel/workqueue.c:3238 [inline]
>  process_scheduled_works+0xac3/0x18e0 kernel/workqueue.c:3319
>  worker_thread+0x870/0xd50 kernel/workqueue.c:3400
>  kthread+0x7b7/0x940 kernel/kthread.c:464
>  ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:153
>  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
>  </TASK>
> Modules linked in:
> ---[ end trace 0000000000000000 ]---
> RIP: 0010:f2fs_write_end_io+0x77a/0x790 fs/f2fs/data.c:357
> Code: e8 fb d8 f0 fd e9 a2 fa ff ff 89 d9 80 e1 07 38 c1 0f 8c fe fa ff ff 48 89 df e8 81 d8 f0 fd e9 f1 fa ff ff e8 d7 9e 86 fd 90 <0f> 0b e8 9f 0a f4 07 66 66 66 66 66 66 2e 0f 1f 84 00 00 00 00 00
> RSP: 0000:ffffc90002597320 EFLAGS: 00010093
> RAX: ffffffff843cb659 RBX: 0000000000000000 RCX: ffff888035d74880
> RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000000000a
> RBP: ffffc90002597430 R08: ffffffff843cb306 R09: 1ffffd4000219d7d
> R10: dffffc0000000000 R11: fffff94000219d7e R12: 0000000000000001
> R13: dffffc0000000000 R14: 000000000000000a R15: ffffea00010cebc0
> FS:  0000000000000000(0000) GS:ffff88808c593000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007f7f3f420000 CR3: 00000000430fc000 CR4: 0000000000352ef0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> 
> 
> ---
> If you want syzbot to run the reproducer, reply with:
> #syz test: git://repo/address.git branch-or-commit-hash
> If you attach or paste a git patch, syzbot will apply it before testing.



* Re: [syzbot] [f2fs?] kernel BUG in f2fs_write_end_io
  2025-08-11 11:05   ` Chao Yu
@ 2025-08-11 11:31     ` syzbot
  0 siblings, 0 replies; 7+ messages in thread
From: syzbot @ 2025-08-11 11:31 UTC
  To: chao, jaegeuk, linux-f2fs-devel, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in f2fs_update_inode

INFO: task syz.2.18:6729 blocked for more than 143 seconds.
      Not tainted 6.17.0-rc1-syzkaller-g5344e5bb8255 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.2.18        state:D stack:23736 pid:6729  tgid:6728  ppid:6450   task_flags:0x400140 flags:0x00004006
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5357 [inline]
 __schedule+0x1742/0x4c70 kernel/sched/core.c:6961
 __schedule_loop kernel/sched/core.c:7043 [inline]
 schedule+0x165/0x360 kernel/sched/core.c:7058
 io_schedule+0x81/0xe0 kernel/sched/core.c:7903
 folio_wait_bit_common+0x6b0/0xb90 mm/filemap.c:1317
 folio_wait_writeback+0xb0/0x100 mm/page-writeback.c:3124
 f2fs_folio_wait_writeback+0x16c/0x240 fs/f2fs/segment.c:4210
 f2fs_update_inode+0x65/0x2620 fs/f2fs/inode.c:668
 f2fs_update_inode_page+0x131/0x190 fs/f2fs/inode.c:783
 f2fs_evict_inode+0xd4a/0x19c0 fs/f2fs/inode.c:936
 evict+0x504/0x9c0 fs/inode.c:810
 __dentry_kill+0x209/0x660 fs/dcache.c:669
 dput+0x19f/0x2b0 fs/dcache.c:911
 __fput+0x68e/0xa70 fs/file_table.c:476
 task_work_run+0x1d1/0x260 kernel/task_work.c:227
 get_signal+0x11c5/0x1310 kernel/signal.c:2807
 arch_do_signal_or_restart+0x9a/0x750 arch/x86/kernel/signal.c:337
 exit_to_user_mode_loop+0x75/0x110 kernel/entry/common.c:40
 exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
 syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
 do_syscall_64+0x2bd/0x3b0 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f721d78e9a9
RSP: 002b:00007f721e541038 EFLAGS: 00000246 ORIG_RAX: 000000000000004b
RAX: fffffffffffffffb RBX: 00007f721d9b5fa0 RCX: 00007f721d78e9a9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000006
RBP: 00007f721d810d69 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f721d9b5fa0 R15: 00007ffe0a9ef388
 </TASK>
INFO: task syz.1.17:6734 blocked for more than 144 seconds.
      Not tainted 6.17.0-rc1-syzkaller-g5344e5bb8255 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.1.17        state:D stack:24136 pid:6734  tgid:6733  ppid:6439   task_flags:0x400140 flags:0x00004006
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5357 [inline]
 __schedule+0x1742/0x4c70 kernel/sched/core.c:6961
 __schedule_loop kernel/sched/core.c:7043 [inline]
 schedule+0x165/0x360 kernel/sched/core.c:7058
 io_schedule+0x81/0xe0 kernel/sched/core.c:7903
 folio_wait_bit_common+0x6b0/0xb90 mm/filemap.c:1317
 folio_wait_writeback+0xb0/0x100 mm/page-writeback.c:3124
 f2fs_folio_wait_writeback+0x16c/0x240 fs/f2fs/segment.c:4210
 f2fs_update_inode+0x65/0x2620 fs/f2fs/inode.c:668
 f2fs_update_inode_page+0x131/0x190 fs/f2fs/inode.c:783
 f2fs_evict_inode+0xd4a/0x19c0 fs/f2fs/inode.c:936
 evict+0x504/0x9c0 fs/inode.c:810
 __dentry_kill+0x209/0x660 fs/dcache.c:669
 dput+0x19f/0x2b0 fs/dcache.c:911
 __fput+0x68e/0xa70 fs/file_table.c:476
 task_work_run+0x1d1/0x260 kernel/task_work.c:227
 get_signal+0x11c5/0x1310 kernel/signal.c:2807
 arch_do_signal_or_restart+0x9a/0x750 arch/x86/kernel/signal.c:337
 exit_to_user_mode_loop+0x75/0x110 kernel/entry/common.c:40
 exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
 syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
 do_syscall_64+0x2bd/0x3b0 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fa12df8e9a9
RSP: 002b:00007fa12ee9c038 EFLAGS: 00000246 ORIG_RAX: 000000000000004b
RAX: fffffffffffffffb RBX: 00007fa12e1b5fa0 RCX: 00007fa12df8e9a9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000006
RBP: 00007fa12e010d69 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fa12e1b5fa0 R15: 00007ffc4eecd1e8
 </TASK>
INFO: task syz.3.19:6741 blocked for more than 145 seconds.
      Not tainted 6.17.0-rc1-syzkaller-g5344e5bb8255 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.3.19        state:D stack:24600 pid:6741  tgid:6740  ppid:6451   task_flags:0x400140 flags:0x00004006
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5357 [inline]
 __schedule+0x1742/0x4c70 kernel/sched/core.c:6961
 __schedule_loop kernel/sched/core.c:7043 [inline]
 schedule+0x165/0x360 kernel/sched/core.c:7058
 io_schedule+0x81/0xe0 kernel/sched/core.c:7903
 folio_wait_bit_common+0x6b0/0xb90 mm/filemap.c:1317
 folio_wait_writeback+0xb0/0x100 mm/page-writeback.c:3124
 f2fs_folio_wait_writeback+0x16c/0x240 fs/f2fs/segment.c:4210
 f2fs_update_inode+0x65/0x2620 fs/f2fs/inode.c:668
 f2fs_update_inode_page+0x131/0x190 fs/f2fs/inode.c:783
 f2fs_evict_inode+0xd4a/0x19c0 fs/f2fs/inode.c:936
 evict+0x504/0x9c0 fs/inode.c:810
 __dentry_kill+0x209/0x660 fs/dcache.c:669
 dput+0x19f/0x2b0 fs/dcache.c:911
 __fput+0x68e/0xa70 fs/file_table.c:476
 task_work_run+0x1d1/0x260 kernel/task_work.c:227
 get_signal+0x11c5/0x1310 kernel/signal.c:2807
 arch_do_signal_or_restart+0x9a/0x750 arch/x86/kernel/signal.c:337
 exit_to_user_mode_loop+0x75/0x110 kernel/entry/common.c:40
 exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
 syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
 do_syscall_64+0x2bd/0x3b0 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fe96f58e9a9
RSP: 002b:00007fe9704b5038 EFLAGS: 00000246 ORIG_RAX: 000000000000004b
RAX: fffffffffffffffb RBX: 00007fe96f7b5fa0 RCX: 00007fe96f58e9a9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000006
RBP: 00007fe96f610d69 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fe96f7b5fa0 R15: 00007ffca3c68668
 </TASK>
INFO: task syz.4.20:6754 blocked for more than 147 seconds.
      Not tainted 6.17.0-rc1-syzkaller-g5344e5bb8255 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.4.20        state:D stack:24632 pid:6754  tgid:6753  ppid:6452   task_flags:0x400140 flags:0x00004006
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5357 [inline]
 __schedule+0x1742/0x4c70 kernel/sched/core.c:6961
 __schedule_loop kernel/sched/core.c:7043 [inline]
 schedule+0x165/0x360 kernel/sched/core.c:7058
 io_schedule+0x81/0xe0 kernel/sched/core.c:7903
 folio_wait_bit_common+0x6b0/0xb90 mm/filemap.c:1317
 folio_wait_writeback+0xb0/0x100 mm/page-writeback.c:3124
 f2fs_folio_wait_writeback+0x16c/0x240 fs/f2fs/segment.c:4210
 f2fs_update_inode+0x65/0x2620 fs/f2fs/inode.c:668
 f2fs_update_inode_page+0x131/0x190 fs/f2fs/inode.c:783
 f2fs_evict_inode+0xd4a/0x19c0 fs/f2fs/inode.c:936
 evict+0x504/0x9c0 fs/inode.c:810
 __dentry_kill+0x209/0x660 fs/dcache.c:669
 dput+0x19f/0x2b0 fs/dcache.c:911
 __fput+0x68e/0xa70 fs/file_table.c:476
 task_work_run+0x1d1/0x260 kernel/task_work.c:227
 get_signal+0x11c5/0x1310 kernel/signal.c:2807
 arch_do_signal_or_restart+0x9a/0x750 arch/x86/kernel/signal.c:337
 exit_to_user_mode_loop+0x75/0x110 kernel/entry/common.c:40
 exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
 syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
 do_syscall_64+0x2bd/0x3b0 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7ff9cc98e9a9
RSP: 002b:00007ff9cd7f2038 EFLAGS: 00000246 ORIG_RAX: 000000000000004b
RAX: fffffffffffffffb RBX: 00007ff9ccbb5fa0 RCX: 00007ff9cc98e9a9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000006
RBP: 00007ff9cca10d69 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007ff9ccbb5fa0 R15: 00007ffee71ef8b8
 </TASK>
INFO: task syz.0.21:6781 blocked for more than 148 seconds.
      Not tainted 6.17.0-rc1-syzkaller-g5344e5bb8255 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.0.21        state:D stack:24136 pid:6781  tgid:6780  ppid:6438   task_flags:0x400140 flags:0x00004006
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5357 [inline]
 __schedule+0x1742/0x4c70 kernel/sched/core.c:6961
 __schedule_loop kernel/sched/core.c:7043 [inline]
 schedule+0x165/0x360 kernel/sched/core.c:7058
 io_schedule+0x81/0xe0 kernel/sched/core.c:7903
 folio_wait_bit_common+0x6b0/0xb90 mm/filemap.c:1317
 folio_wait_writeback+0xb0/0x100 mm/page-writeback.c:3124
 f2fs_folio_wait_writeback+0x16c/0x240 fs/f2fs/segment.c:4210
 f2fs_update_inode+0x65/0x2620 fs/f2fs/inode.c:668
 f2fs_update_inode_page+0x131/0x190 fs/f2fs/inode.c:783
 f2fs_evict_inode+0xd4a/0x19c0 fs/f2fs/inode.c:936
 evict+0x504/0x9c0 fs/inode.c:810
 __dentry_kill+0x209/0x660 fs/dcache.c:669
 dput+0x19f/0x2b0 fs/dcache.c:911
 __fput+0x68e/0xa70 fs/file_table.c:476
 task_work_run+0x1d1/0x260 kernel/task_work.c:227
 get_signal+0x11c5/0x1310 kernel/signal.c:2807
 arch_do_signal_or_restart+0x9a/0x750 arch/x86/kernel/signal.c:337
 exit_to_user_mode_loop+0x75/0x110 kernel/entry/common.c:40
 exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
 syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
 do_syscall_64+0x2bd/0x3b0 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f9d4a38e9a9
RSP: 002b:00007f9d4b2c5038 EFLAGS: 00000246 ORIG_RAX: 000000000000004b
RAX: fffffffffffffffb RBX: 00007f9d4a5b5fa0 RCX: 00007f9d4a38e9a9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000006
RBP: 00007f9d4a410d69 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f9d4a5b5fa0 R15: 00007ffcd0c959d8
 </TASK>

Showing all locks held in the system:
5 locks held by kworker/u8:1/13:
2 locks held by ksoftirqd/1/23:
 #0: ffff8880b8739e18 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested+0x2a/0x140 kernel/sched/core.c:636
 #1: ffff8880b8724008 (psi_seq){-.-.}-{0:0}, at: psi_task_switch+0x53/0x880 kernel/sched/psi.c:933
1 lock held by khungtaskd/31:
 #0: ffffffff8e139ee0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #0: ffffffff8e139ee0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
 #0: ffffffff8e139ee0 (rcu_read_lock){....}-{1:3}, at: debug_show_all_locks+0x2e/0x180 kernel/locking/lockdep.c:6775
4 locks held by kworker/u8:2/36:
2 locks held by getty/5617:
 #0: ffff8880304d30a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x25/0x70 drivers/tty/tty_ldisc.c:243
 #1: ffffc9000332b2f0 (&ldata->atomic_read_lock){+.+.}-{4:4}, at: n_tty_read+0x43e/0x1400 drivers/tty/n_tty.c:2222
1 lock held by syz.2.18/6729:
 #0: ffff8880628e4618 (sb_internal#2){.+.+}-{0:0}, at: f2fs_evict_inode+0x898/0x19c0 fs/f2fs/inode.c:892
1 lock held by syz.1.17/6734:
 #0: ffff888026c9a618 (sb_internal#2){.+.+}-{0:0}, at: f2fs_evict_inode+0x898/0x19c0 fs/f2fs/inode.c:892
1 lock held by syz.3.19/6741:
 #0: ffff888029132618 (sb_internal#2){.+.+}-{0:0}, at: f2fs_evict_inode+0x898/0x19c0 fs/f2fs/inode.c:892
1 lock held by syz.4.20/6754:
 #0: ffff88802c33e618 (sb_internal#2){.+.+}-{0:0}, at: f2fs_evict_inode+0x898/0x19c0 fs/f2fs/inode.c:892
1 lock held by syz.0.21/6781:
 #0: ffff888059ebe618 (sb_internal#2){.+.+}-{0:0}, at: f2fs_evict_inode+0x898/0x19c0 fs/f2fs/inode.c:892
4 locks held by syz.6.23/7017:
 #0: ffff888062b55478 (&sbi->gc_lock){+.+.}-{4:4}, at: f2fs_down_write fs/f2fs/f2fs.h:2296 [inline]
 #0: ffff888062b55478 (&sbi->gc_lock){+.+.}-{4:4}, at: f2fs_issue_checkpoint+0x3a8/0x610 fs/f2fs/checkpoint.c:1902
 #1: ffff888062b54318 (&sbi->cp_global_sem){+.+.}-{4:4}, at: f2fs_down_write fs/f2fs/f2fs.h:2296 [inline]
 #1: ffff888062b54318 (&sbi->cp_global_sem){+.+.}-{4:4}, at: f2fs_write_checkpoint+0x27f/0x2440 fs/f2fs/checkpoint.c:1672
 #2: ffff888062b543b0 (&sbi->cp_rwsem){++++}-{4:4}, at: f2fs_down_write fs/f2fs/f2fs.h:2296 [inline]
 #2: ffff888062b543b0 (&sbi->cp_rwsem){++++}-{4:4}, at: f2fs_lock_all fs/f2fs/f2fs.h:2376 [inline]
 #2: ffff888062b543b0 (&sbi->cp_rwsem){++++}-{4:4}, at: block_operations fs/f2fs/checkpoint.c:1221 [inline]
 #2: ffff888062b543b0 (&sbi->cp_rwsem){++++}-{4:4}, at: f2fs_write_checkpoint+0x55f/0x2440 fs/f2fs/checkpoint.c:1687
 #3: ffff888062b54448 (&sbi->node_write){++++}-{4:4}, at: f2fs_down_write fs/f2fs/f2fs.h:2296 [inline]
 #3: ffff888062b54448 (&sbi->node_write){++++}-{4:4}, at: block_operations fs/f2fs/checkpoint.c:1271 [inline]
 #3: ffff888062b54448 (&sbi->node_write){++++}-{4:4}, at: f2fs_write_checkpoint+0xe29/0x2440 fs/f2fs/checkpoint.c:1687
1 lock held by syz.5.22/7014:
 #0: ffff88802ffba618 (sb_internal#2){.+.+}-{0:0}, at: f2fs_evict_inode+0x898/0x19c0 fs/f2fs/inode.c:892
1 lock held by syz.7.24/7016:
 #0: ffff88807dda4618 (sb_internal#2){.+.+}-{0:0}, at: f2fs_evict_inode+0x898/0x19c0 fs/f2fs/inode.c:892
1 lock held by syz.8.25/7019:
 #0: ffff88805beaa618 (sb_internal#2){.+.+}-{0:0}, at: f2fs_evict_inode+0x898/0x19c0 fs/f2fs/inode.c:892
1 lock held by syz.9.26/7021:
 #0: ffff8880339fe618 (sb_internal#2){.+.+}-{0:0}, at: f2fs_evict_inode+0x898/0x19c0 fs/f2fs/inode.c:892
1 lock held by syz.2.497/8114:
 #0: ffff8880b8739e18 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested+0x2a/0x140 kernel/sched/core.c:636
2 locks held by syz.4.499/8118:
2 locks held by syz.1.500/8120:

=============================================

NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 31 Comm: khungtaskd Not tainted 6.17.0-rc1-syzkaller-g5344e5bb8255 #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 nmi_cpu_backtrace+0x39e/0x3d0 lib/nmi_backtrace.c:113
 nmi_trigger_cpumask_backtrace+0x17a/0x300 lib/nmi_backtrace.c:62
 trigger_all_cpu_backtrace include/linux/nmi.h:160 [inline]
 check_hung_uninterruptible_tasks kernel/hung_task.c:328 [inline]
 watchdog+0xf93/0xfe0 kernel/hung_task.c:491
 kthread+0x711/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x3f9/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 16 Comm: rcu_preempt Not tainted 6.17.0-rc1-syzkaller-g5344e5bb8255 #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:lookup_object lib/debugobjects.c:423 [inline]
RIP: 0010:lookup_object_or_alloc lib/debugobjects.c:662 [inline]
RIP: 0010:debug_object_assert_init+0xf8/0x380 lib/debugobjects.c:1008
Code: fd 4c 89 34 24 4c 8b 6d 00 45 31 f6 eb 07 4d 8b 6d 00 41 ff c6 4d 85 ed 74 3c 4d 8d 65 18 4c 89 e0 48 c1 e8 03 42 80 3c 38 00 <74> 08 4c 89 e7 e8 0e b4 58 fd 49 39 1c 24 0f 84 ef 00 00 00 4c 89
RSP: 0018:ffffc900001578b8 EFLAGS: 00000046
RAX: 1ffff110082b7c26 RBX: ffffc90000157a80 RCX: dffffc0000000000
RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffffc900001577a0
RBP: ffffffff99d4d290 R08: 0000000000000003 R09: 0000000000000004
R10: dffffc0000000000 R11: fffff5200002aef4 R12: ffff8880415be130
R13: ffff8880415be118 R14: 0000000000000000 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff888125d54000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f449da77000 CR3: 0000000076c48000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 debug_timer_assert_init kernel/time/timer.c:803 [inline]
 debug_assert_init kernel/time/timer.c:848 [inline]
 __try_to_del_timer_sync+0x29/0x3a0 kernel/time/timer.c:1457
 __timer_delete_sync+0x1fe/0x2d0 kernel/time/timer.c:1620
 schedule_timeout+0x133/0x270 kernel/time/sleep_timeout.c:100
 rcu_gp_fqs_loop+0x301/0x1540 kernel/rcu/tree.c:2083
 rcu_gp_kthread+0x99/0x390 kernel/rcu/tree.c:2285
 kthread+0x711/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x3f9/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>


Tested on:

commit:         5344e5bb f2fs: cover f2fs_update_inode_page() w/ node_..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/chao/linux.git bugfix/common
console output: https://syzkaller.appspot.com/x/log.txt?x=1683f9a2580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=1f6e4cb78ac1b7bb
dashboard link: https://syzkaller.appspot.com/bug?extid=803dd716c4310d16ff3a
compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7

Note: no patches were applied.


* Re: [syzbot] [f2fs?] kernel BUG in f2fs_write_end_io
  2025-04-02  0:00 syzbot
  2025-04-15 14:14 ` syzbot
@ 2025-08-11 11:41 ` Chao Yu
  2025-08-11 12:10   ` syzbot
  1 sibling, 1 reply; 7+ messages in thread
From: Chao Yu @ 2025-08-11 11:41 UTC (permalink / raw)
  To: syzbot, jaegeuk, linux-f2fs-devel, linux-kernel, syzkaller-bugs; +Cc: chao

#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/chao/linux.git bugfix/common

On 4/2/25 08:00, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    4e82c87058f4 Merge tag 'rust-6.15' of git://git.kernel.org..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=17007198580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=4253e469c0d32ef6
> dashboard link: https://syzkaller.appspot.com/bug?extid=803dd716c4310d16ff3a
> compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> 
> Unfortunately, I don't have any reproducer for this issue yet.
> 
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/5e6f1c2744e3/disk-4e82c870.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/5c1a60744d62/vmlinux-4e82c870.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/228bbd75bd12/bzImage-4e82c870.xz
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+803dd716c4310d16ff3a@syzkaller.appspotmail.com
> 
> ------------[ cut here ]------------
> kernel BUG at fs/f2fs/data.c:358!
> Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
> CPU: 1 UID: 0 PID: 23 Comm: ksoftirqd/1 Not tainted 6.14.0-syzkaller-10892-g4e82c87058f4 #0 PREEMPT(full) 
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
> RIP: 0010:f2fs_write_end_io+0x77a/0x790 fs/f2fs/data.c:357
> Code: e8 8b 01 f2 fd e9 a2 fa ff ff 89 d9 80 e1 07 38 c1 0f 8c fe fa ff ff 48 89 df e8 11 01 f2 fd e9 f1 fa ff ff e8 87 92 8b fd 90 <0f> 0b e8 8f d4 ed 07 66 66 66 66 66 66 2e 0f 1f 84 00 00 00 00 00
> RSP: 0018:ffffc900001d79c0 EFLAGS: 00010246
> RAX: ffffffff8437d9e9 RBX: 0000000000000000 RCX: ffff88801da85a00
> RDX: 0000000000000100 RSI: 0000000000000000 RDI: 000000000000000a
> RBP: ffffc900001d7ac8 R08: ffffffff8437d696 R09: 1ffffd400012b785
> R10: dffffc0000000000 R11: fffff9400012b786 R12: 0000000000000001
> R13: dffffc0000000000 R14: 000000000000000a R15: ffffea000095bc00
> FS:  0000000000000000(0000) GS:ffff8881250e5000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007fd1b21f9438 CR3: 000000007b684000 CR4: 00000000003526f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>  <TASK>
>  blk_update_request+0x5e5/0x1160 block/blk-mq.c:983
>  blk_mq_end_request+0x3e/0x70 block/blk-mq.c:1145
>  blk_complete_reqs block/blk-mq.c:1220 [inline]
>  blk_done_softirq+0x100/0x150 block/blk-mq.c:1225
>  handle_softirqs+0x2d6/0x9b0 kernel/softirq.c:579
>  run_ksoftirqd+0xcf/0x130 kernel/softirq.c:968
>  smpboot_thread_fn+0x576/0xaa0 kernel/smpboot.c:164
>  kthread+0x7b7/0x940 kernel/kthread.c:464
>  ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:153
>  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
>  </TASK>
> Modules linked in:
> ---[ end trace 0000000000000000 ]---
> RIP: 0010:f2fs_write_end_io+0x77a/0x790 fs/f2fs/data.c:357
> Code: e8 8b 01 f2 fd e9 a2 fa ff ff 89 d9 80 e1 07 38 c1 0f 8c fe fa ff ff 48 89 df e8 11 01 f2 fd e9 f1 fa ff ff e8 87 92 8b fd 90 <0f> 0b e8 8f d4 ed 07 66 66 66 66 66 66 2e 0f 1f 84 00 00 00 00 00
> RSP: 0018:ffffc900001d79c0 EFLAGS: 00010246
> RAX: ffffffff8437d9e9 RBX: 0000000000000000 RCX: ffff88801da85a00
> RDX: 0000000000000100 RSI: 0000000000000000 RDI: 000000000000000a
> RBP: ffffc900001d7ac8 R08: ffffffff8437d696 R09: 1ffffd400012b785
> R10: dffffc0000000000 R11: fffff9400012b786 R12: 0000000000000001
> R13: dffffc0000000000 R14: 000000000000000a R15: ffffea000095bc00
> FS:  0000000000000000(0000) GS:ffff8881250e5000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007fd1b21f9438 CR3: 000000007b684000 CR4: 00000000003526f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> 
> 
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
> 
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> 
> If the report is already addressed, let syzbot know by replying with:
> #syz fix: exact-commit-title
> 
> If you want to overwrite report's subsystems, reply with:
> #syz set subsystems: new-subsystem
> (See the list of subsystem names on the web dashboard)
> 
> If the report is a duplicate of another one, reply with:
> #syz dup: exact-subject-of-another-report
> 
> If you want to undo deduplication, reply with:
> #syz undup



* Re: [syzbot] [f2fs?] kernel BUG in f2fs_write_end_io
  2025-08-11 11:41 ` Chao Yu
@ 2025-08-11 12:10   ` syzbot
  0 siblings, 0 replies; 7+ messages in thread
From: syzbot @ 2025-08-11 12:10 UTC (permalink / raw)
  To: chao, jaegeuk, linux-f2fs-devel, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
kernel BUG in f2fs_write_end_io

F2FS-fs (loop3): inconsistent node block, node_type:0, nid:11, node_footer[nid:0,ino:0,ofs:0,cpver:0,blkaddr:0]
------------[ cut here ]------------
kernel BUG at fs/f2fs/data.c:362!
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 1 UID: 0 PID: 6596 Comm: udevd Not tainted 6.17.0-rc1-syzkaller-00023-g637a17c27a3d #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:f2fs_write_end_io+0xb52/0xb60 fs/f2fs/data.c:361
Code: e8 d3 f8 14 fe e9 91 f6 ff ff 89 d9 80 e1 07 38 c1 0f 8c e3 f6 ff ff 48 89 df e8 49 f9 14 fe e9 d6 f6 ff ff e8 2f bc b3 fd 90 <0f> 0b 66 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90
RSP: 0018:ffffc90000a08c98 EFLAGS: 00010246
RAX: ffffffff840bee61 RBX: 0000000000000000 RCX: ffff88802bcc1e00
RDX: 0000000000000100 RSI: 0000000000000000 RDI: 000000000000000b
RBP: ffff888032b70780 R08: ffffea0001c68b47 R09: 1ffffd400038d168
R10: dffffc0000000000 R11: fffff9400038d169 R12: 0000000000000006
R13: ffffea0001c68b40 R14: 000000000000000b R15: dffffc0000000000
FS:  00007ff87043e880(0000) GS:ffff888125d54000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555555da2608 CR3: 00000000297cc000 CR4: 00000000003526f0
Call Trace:
 <IRQ>
 blk_update_request+0x57e/0xe60 block/blk-mq.c:989
 blk_mq_end_request+0x3e/0x70 block/blk-mq.c:1151
 blk_complete_reqs block/blk-mq.c:1226 [inline]
 blk_done_softirq+0x107/0x160 block/blk-mq.c:1231
 handle_softirqs+0x286/0x870 kernel/softirq.c:579
 __do_softirq kernel/softirq.c:613 [inline]
 invoke_softirq kernel/softirq.c:453 [inline]
 __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1050
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:lock_release+0x2b5/0x3e0 kernel/locking/lockdep.c:5893
Code: 51 48 c7 44 24 20 00 00 00 00 9c 8f 44 24 20 f7 44 24 20 00 02 00 00 75 56 f7 c3 00 02 00 00 74 01 fb 65 48 8b 05 8b 52 ff 10 <48> 3b 44 24 28 0f 85 8b 00 00 00 48 83 c4 30 5b 41 5c 41 5d 41 5e
RSP: 0018:ffffc9000405f7f0 EFLAGS: 00000206
RAX: c28614321895e300 RBX: 0000000000000202 RCX: c28614321895e300
RDX: 0000000000000000 RSI: ffffffff8db908ee RDI: ffffffff8be25680
RBP: ffff88802bcc28f0 R08: ffffc9000405fc88 R09: 0000000000000000
R10: ffffc9000405f978 R11: fffff5200080bf31 R12: 0000000000000000
R13: 0000000000000000 R14: ffffffff8e139ee0 R15: ffff88802bcc1e00
 rcu_lock_release include/linux/rcupdate.h:341 [inline]
 rcu_read_unlock include/linux/rcupdate.h:871 [inline]
 class_rcu_destructor include/linux/rcupdate.h:1155 [inline]
 unwind_next_frame+0x19a9/0x2390 arch/x86/kernel/unwind_orc.c:680
 arch_stack_walk+0x11c/0x150 arch/x86/kernel/stacktrace.c:25
 stack_trace_save+0x9c/0xe0 kernel/stacktrace.c:122
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
 poison_slab_object mm/kasan/common.c:243 [inline]
 __kasan_slab_free+0x5b/0x80 mm/kasan/common.c:275
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2417 [inline]
 slab_free mm/slub.c:4680 [inline]
 kmem_cache_free+0x18f/0x400 mm/slub.c:4782
 vfs_fstatat+0x122/0x170 fs/stat.c:376
 __do_sys_newfstatat fs/stat.c:542 [inline]
 __se_sys_newfstatat fs/stat.c:536 [inline]
 __x64_sys_newfstatat+0x116/0x190 fs/stat.c:536
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7ff86fd11b0a
Code: 48 8b 15 f1 f2 0d 00 f7 d8 64 89 02 b8 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 41 89 ca b8 06 01 00 00 0f 05 <3d> 00 f0 ff ff 77 07 31 c0 c3 0f 1f 40 00 48 8b 15 b9 f2 0d 00 f7
RSP: 002b:00007ffe39f06778 EFLAGS: 00000246 ORIG_RAX: 0000000000000106
RAX: ffffffffffffffda RBX: 00007ffe39f06c10 RCX: 00007ff86fd11b0a
RDX: 00007ffe39f06780 RSI: 00007ffe39f06c10 RDI: 00000000ffffff9c
RBP: 0000559859a37910 R08: 0000000000000000 R09: 0000000000000020
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe39f06810
R13: 00007ffe39f07045 R14: 00005598470f0ca4 R15: 00005598470f0bcc
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:f2fs_write_end_io+0xb52/0xb60 fs/f2fs/data.c:361
Code: e8 d3 f8 14 fe e9 91 f6 ff ff 89 d9 80 e1 07 38 c1 0f 8c e3 f6 ff ff 48 89 df e8 49 f9 14 fe e9 d6 f6 ff ff e8 2f bc b3 fd 90 <0f> 0b 66 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90
RSP: 0018:ffffc90000a08c98 EFLAGS: 00010246
RAX: ffffffff840bee61 RBX: 0000000000000000 RCX: ffff88802bcc1e00
RDX: 0000000000000100 RSI: 0000000000000000 RDI: 000000000000000b
RBP: ffff888032b70780 R08: ffffea0001c68b47 R09: 1ffffd400038d168
R10: dffffc0000000000 R11: fffff9400038d169 R12: 0000000000000006
R13: ffffea0001c68b40 R14: 000000000000000b R15: dffffc0000000000
FS:  00007ff87043e880(0000) GS:ffff888125d54000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555555da2608 CR3: 00000000297cc000 CR4: 00000000003526f0
----------------
Code disassembly (best guess):
   0:	51                   	push   %rcx
   1:	48 c7 44 24 20 00 00 	movq   $0x0,0x20(%rsp)
   8:	00 00
   a:	9c                   	pushf
   b:	8f 44 24 20          	pop    0x20(%rsp)
   f:	f7 44 24 20 00 02 00 	testl  $0x200,0x20(%rsp)
  16:	00
  17:	75 56                	jne    0x6f
  19:	f7 c3 00 02 00 00    	test   $0x200,%ebx
  1f:	74 01                	je     0x22
  21:	fb                   	sti
  22:	65 48 8b 05 8b 52 ff 	mov    %gs:0x10ff528b(%rip),%rax        # 0x10ff52b5
  29:	10
* 2a:	48 3b 44 24 28       	cmp    0x28(%rsp),%rax <-- trapping instruction
  2f:	0f 85 8b 00 00 00    	jne    0xc0
  35:	48 83 c4 30          	add    $0x30,%rsp
  39:	5b                   	pop    %rbx
  3a:	41 5c                	pop    %r12
  3c:	41 5d                	pop    %r13
  3e:	41 5e                	pop    %r14


Tested on:

commit:         637a17c2 f2fs: fix to do sanity check on node footer i..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/chao/linux.git bugfix/common
console output: https://syzkaller.appspot.com/x/log.txt?x=1026f434580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=1f6e4cb78ac1b7bb
dashboard link: https://syzkaller.appspot.com/bug?extid=803dd716c4310d16ff3a
compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7

Note: no patches were applied.


* Re: [syzbot] [f2fs?] kernel BUG in f2fs_write_end_io
       [not found] <697876e4-0b24-498a-8c4f-184077c3a1bc@kernel.org>
@ 2025-09-01  7:52 ` syzbot
  0 siblings, 0 replies; 7+ messages in thread
From: syzbot @ 2025-09-01  7:52 UTC (permalink / raw)
  To: chao, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
kernel BUG in f2fs_write_end_io

------------[ cut here ]------------
kernel BUG at fs/f2fs/data.c:362!
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 0 UID: 0 PID: 1159 Comm: kworker/u8:9 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Workqueue: events_unbound nsim_dev_trap_report_work
RIP: 0010:f2fs_write_end_io+0xb52/0xb60 fs/f2fs/data.c:361
Code: e8 33 f1 14 fe e9 91 f6 ff ff 89 d9 80 e1 07 38 c1 0f 8c e3 f6 ff ff 48 89 df e8 a9 f1 14 fe e9 d6 f6 ff ff e8 8f b4 b3 fd 90 <0f> 0b 66 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90
RSP: 0018:ffffc90000007d38 EFLAGS: 00010246
RAX: ffffffff840bf6a1 RBX: 0000000000000000 RCX: ffff888027291e00
RDX: 0000000000000100 RSI: 0000000000000000 RDI: 000000000000000b
RBP: ffff8880744dd8c0 R08: ffffea0001685247 R09: 1ffffd40002d0a48
R10: dffffc0000000000 R11: fffff940002d0a49 R12: 0000000000000006
R13: ffffea0001685240 R14: 000000000000000b R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff888125c54000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2aab608000 CR3: 0000000033b1a000 CR4: 00000000003526f0
Call Trace:
 <IRQ>
 blk_update_request+0x57e/0xe60 block/blk-mq.c:989
 blk_mq_end_request+0x3e/0x70 block/blk-mq.c:1151
 blk_complete_reqs block/blk-mq.c:1226 [inline]
 blk_done_softirq+0x107/0x160 block/blk-mq.c:1231
 handle_softirqs+0x286/0x870 kernel/softirq.c:579
 do_softirq+0xec/0x180 kernel/softirq.c:480
 </IRQ>
 <TASK>
 __local_bh_enable_ip+0x17d/0x1c0 kernel/softirq.c:407
 spin_unlock_bh include/linux/spinlock.h:396 [inline]
 nsim_dev_trap_report drivers/net/netdevsim/dev.c:835 [inline]
 nsim_dev_trap_report_work+0x7c7/0xb80 drivers/net/netdevsim/dev.c:866
 process_one_work kernel/workqueue.c:3236 [inline]
 process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3319
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400
 kthread+0x70e/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x3f9/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:f2fs_write_end_io+0xb52/0xb60 fs/f2fs/data.c:361
Code: e8 33 f1 14 fe e9 91 f6 ff ff 89 d9 80 e1 07 38 c1 0f 8c e3 f6 ff ff 48 89 df e8 a9 f1 14 fe e9 d6 f6 ff ff e8 8f b4 b3 fd 90 <0f> 0b 66 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90
RSP: 0018:ffffc90000007d38 EFLAGS: 00010246
RAX: ffffffff840bf6a1 RBX: 0000000000000000 RCX: ffff888027291e00
RDX: 0000000000000100 RSI: 0000000000000000 RDI: 000000000000000b
RBP: ffff8880744dd8c0 R08: ffffea0001685247 R09: 1ffffd40002d0a48
R10: dffffc0000000000 R11: fffff940002d0a49 R12: 0000000000000006
R13: ffffea0001685240 R14: 000000000000000b R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff888125c54000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2aab608000 CR3: 0000000033b1a000 CR4: 00000000003526f0


Tested on:

commit:         e78352f9 f2fs: fix to do sanity check on node footer i..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/chao/linux.git bugfix/syzbot
console output: https://syzkaller.appspot.com/x/log.txt?x=12306662580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=4d8283cde63d6907
dashboard link: https://syzkaller.appspot.com/bug?extid=803dd716c4310d16ff3a
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8

Note: no patches were applied.
