From mboxrd@z Thu Jan 1 00:00:00 1970
From: syzbot
To: daiky0325@gmail.com
Cc: daiky0325@gmail.com, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Date: Thu, 14 May 2026 09:58:39 -0700
Message-ID: <6a05ff3f.050a0220.2921a.0001.GAE@google.com>
Subject: Re: [syzbot] [karma?] kernel BUG in folio_set_bh (3)

On Fri, May 15, 2026 at 1:45 AM Daiki <daiky0325@gmail.com> wrote:
> I was able to reproduce this bug with the following C reproducer:
>
> // repro.c
> #include <fcntl.h>
> #include <stdio.h>
> #include <sys/ioctl.h>
> #include <sys/mount.h>
> #include <sys/stat.h>
> #include <linux/loop.h>
> #include <unistd.h>
>
> int main(void) {
>     int fd = open("/tmp/img", O_RDWR|O_CREAT|O_TRUNC, 0644);
>     ftruncate(fd, 1<<20);
>     close(fd);
>     int lc = open("/dev/loop-control", O_RDWR);
>     int nr = ioctl(lc, LOOP_CTL_GET_FREE);
>     close(lc);
>     char lo[64];
>     snprintf(lo, sizeof(lo), "/dev/loop%d", nr);
>     int lf = open(lo, O_RDWR);
>     fd = open("/tmp/img", O_RDWR);
>     ioctl(lf, LOOP_SET_FD, fd);
>     close(fd);
>     ioctl(lf, 0x4c09, 0x8000); // LOOP_SET_BLOCK_SIZE = 32768
>     close(lf);
>     mkdir("/tmp/mnt", 0755);
>     mount(lo, "/tmp/mnt", "jfs", 0x8000, NULL); // MS_SILENT
>     return 0;
> }
>
> A fix patch has been sent:
> https://lore.kernel.org/all/20260514160700.376172-1-daiky0325@gmail.com/
>
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:    1d5dcaa3bd65 Merge tag 'probes-fixes-v7.1-rc3' of git://gi..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1592ed06580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=7f195f6be48c12ec
> dashboard link: https://syzkaller.appspot.com/bug?extid=32ec8b5bd050c78741c2
> compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> Downloadable assets:
> disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-1d5dcaa3.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/2cb31960a181/vmlinux-1d5dcaa3.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/6d3969d0ce3d/bzImage-1d5dcaa3.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+32ec8b5bd050c78741c2@syzkaller.appspotmail.com
>
> loop0: detected capacity change from 0 to 2048
>  loop0: p2 p3 < p4 < p5 >
> loop0: partition table partially beyond EOD, truncated
> loop0: p3 start 4284289 is beyond EOD, truncated
> jfs: block size(32768) > page size(4096) not supported by filesystem
> ------------[ cut here ]------------
> kernel BUG at fs/buffer.c:1479!
> Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
> CPU: 0 UID: 0 PID: 5328 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
> RIP: 0010:folio_set_bh+0x1dc/0x1e0 fs/buffer.c:1479
> Code: 4c 89 e2 e8 b6 71 98 02 e9 42 ff ff ff e8 3c 80 6d ff 48 89 df 48 c7 c6 00 28 df 8b e8 6d bd cf fe 90 0f 0b e8 25 80 6d ff 90 <0f> 0b 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f
> RSP: 0018:ffffc9000e2378f0 EFLAGS: 00010287
> RAX: ffffffff8258511b RBX: ffffea0000391600 RCX: 0000000000100000
> RDX: ffffc9000ec4a000 RSI: 0000000000001a43 RDI: 0000000000001a44
> RBP: dffffc0000000000 R08: ffffea0000391607 R09: 1ffffd40000722c0
> R10: dffffc0000000000 R11: fffff940000722c1 R12: 0000000000000003
> R13: 0000000000008000 R14: ffff88804789f740 R15: 0000000000008000
> FS:  00007fb7faee76c0(0000) GS:ffff88808c881000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007f86657e22b0 CR3: 00000000128ba000 CR4: 0000000000352ef0
> Call Trace:
>  <TASK>
>  folio_alloc_buffers+0x228/0x640 fs/buffer.c:849
>  grow_dev_folio fs/buffer.c:979 [inline]
>  grow_buffers fs/buffer.c:1020 [inline]
>  __getblk_slow fs/buffer.c:1038 [inline]
>  bdev_getblk+0x2cb/0x6e0 fs/buffer.c:1358
>  __bread_gfp+0x89/0x3b0 fs/buffer.c:1412
>  sb_bread include/linux/buffer_head.h:346 [inline]
>  readSuper+0xdb/0x270 fs/jfs/jfs_mount.c:462
>  chkSuper+0x5d/0xe00 fs/jfs/jfs_mount.c:299
>  jfs_mount+0x4b/0x870 fs/jfs/jfs_mount.c:83
>  jfs_fill_super+0x6bc/0xd80 fs/jfs/super.c:523
>  get_tree_bdev_flags+0x431/0x4f0 fs/super.c:1694
>  vfs_get_tree+0x92/0x2a0 fs/super.c:1754
>  fc_mount fs/namespace.c:1193 [inline]
>  do_new_mount_fc fs/namespace.c:3758 [inline]
>  do_new_mount+0x341/0xd30 fs/namespace.c:3834
>  do_mount fs/namespace.c:4167 [inline]
>  __do_sys_mount fs/namespace.c:4383 [inline]
>  __se_sys_mount+0x31d/0x420 fs/namespace.c:4360
>  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
>  do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x7fb7f9f9ce59
> Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007fb7faee6fe8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
> RAX: ffffffffffffffda RBX: 00007fb7fa215fa0 RCX: 00007fb7f9f9ce59
> RDX: 0000200000000040 RSI: 0000200000000140 RDI: 0000200000000080
> RBP: 00007fb7fa032d6f R08: 0000000000000000 R09: 0000000000000000
> R10: 000000000000c000 R11: 0000000000000246 R12: 0000000000000000
> R13: 00007fb7fa216038 R14: 00007fb7fa215fa0 R15: 00007ffff2e0f5c8
>  </TASK>
> Modules linked in:
> ---[ end trace 0000000000000000 ]---
> RIP: 0010:folio_set_bh+0x1dc/0x1e0 fs/buffer.c:1479
> Code: 4c 89 e2 e8 b6 71 98 02 e9 42 ff ff ff e8 3c 80 6d ff 48 89 df 48 c7 c6 00 28 df 8b e8 6d bd cf fe 90 0f 0b e8 25 80 6d ff 90 <0f> 0b 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f
> RSP: 0018:ffffc9000e2378f0 EFLAGS: 00010287
> RAX: ffffffff8258511b RBX: ffffea0000391600 RCX: 0000000000100000
> RDX: ffffc9000ec4a000 RSI: 0000000000001a43 RDI: 0000000000001a44
> RBP: dffffc0000000000 R08: ffffea0000391607 R09: 1ffffd40000722c0
> R10: dffffc0000000000 R11: fffff940000722c1 R12: 0000000000000003
> R13: 0000000000008000 R14: ffff88804789f740 R15: 0000000000008000
> FS:  00007fb7faee76c0(0000) GS:ffff88808c881000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007f8a5bc8038f CR3: 00000000128ba000 CR4: 0000000000352ef0
>
>
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>
> If the report is already addressed, let syzbot know by replying with:
> #syz fix: exact-commit-title
>
> If you want to overwrite report's subsystems, reply with:
> #syz set subsystems: new-subsystem
> (See the list of subsystem names on the web dashboard)
>
> If the report is a duplicate of another one, reply with:
> #syz dup: exact-subject-of-another-report
>
> If you want to undo deduplication, reply with:
> #syz undup
>
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@googlegroups.com.
> To view this discussion visit https://groups.google.com/d/msgid/syzkaller-bugs/6a05a5b0.170a0220.290639.01c7.GAE%40google.com.
>
>
Too many commands (4 > 3)
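For anyone who has to triage a stream of reports like the one quoted above, the following is an added example (not part of the syzbot report, Daiki's reply, or syzkaller itself): a small Python helper that reads a raw console report and pulls out the facts a responder looks for first: the last message printed before the "cut here" marker (here the jfs block-size warning), the BUG() location, the faulting symbol from the RIP line, the frames of the first call trace, the entering syscall, and the fs/ subsystem that owns the topmost filesystem-specific frame. The sample input is constructed from a trimmed copy of the report's console lines; the regular expressions and the Triage structure are the example's own assumptions about the report format.

```python
"""Triage helper for a syzbot-style kernel oops (added example, not syzkaller code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample input: a trimmed copy of the console lines in the report above.
SAMPLE_REPORT = """\
loop0: detected capacity change from 0 to 2048
jfs: block size(32768) > page size(4096) not supported by filesystem
------------[ cut here ]------------
kernel BUG at fs/buffer.c:1479!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 5328 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
RIP: 0010:folio_set_bh+0x1dc/0x1e0 fs/buffer.c:1479
Call Trace:
 <TASK>
 folio_alloc_buffers+0x228/0x640 fs/buffer.c:849
 grow_dev_folio fs/buffer.c:979 [inline]
 bdev_getblk+0x2cb/0x6e0 fs/buffer.c:1358
 __bread_gfp+0x89/0x3b0 fs/buffer.c:1412
 sb_bread include/linux/buffer_head.h:346 [inline]
 readSuper+0xdb/0x270 fs/jfs/jfs_mount.c:462
 jfs_fill_super+0x6bc/0xd80 fs/jfs/super.c:523
 __se_sys_mount+0x31d/0x420 fs/namespace.c:4360
 do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb7f9f9ce59
 </TASK>
---[ end trace 0000000000000000 ]---
RIP: 0010:folio_set_bh+0x1dc/0x1e0 fs/buffer.c:1479
"""

BUG_RE = re.compile(r"^kernel BUG at (?P<loc>\S+)!")
RIP_RE = re.compile(r"^RIP: 0010:(?P<sym>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
COMM_RE = re.compile(r"\bComm: (?P<comm>\S+)")
# A trace frame: symbol, optional +off/size, a source location, optional [inline] tag.
# Frames without a source location (the syscall entry stub) are deliberately skipped.
FRAME_RE = re.compile(
    r"^\s+(?P<sym>[A-Za-z_][\w.]*)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)? (?P<loc>\S+)(?P<inline> \[inline\])?$"
)
SYSCALL_RE = re.compile(r"^__(?:se|do|x64)_sys_(?P<name>\w+)$")

Frame = Tuple[str, str, bool]  # (symbol, file:line, inlined?)


@dataclass
class Triage:
    last_warning: Optional[str] = None   # last line printed before "cut here"
    bug_location: Optional[str] = None   # file:line from "kernel BUG at"
    fault_symbol: Optional[str] = None   # function named on the kernel RIP line
    comm: Optional[str] = None           # task name that triggered the oops
    syscall: Optional[str] = None        # syscall that entered the kernel
    frames: List[Frame] = field(default_factory=list)


def triage(report: str) -> Triage:
    t = Triage()
    before_cut: List[str] = []
    seen_cut = in_trace = False
    for line in report.splitlines():
        if not seen_cut:
            if "cut here" in line:
                seen_cut = True
                t.last_warning = before_cut[-1] if before_cut else None
            elif line.strip():
                before_cut.append(line.strip())
            continue
        if t.bug_location is None and (m := BUG_RE.match(line)):
            t.bug_location = m["loc"]
        elif t.fault_symbol is None and (m := RIP_RE.match(line)):
            t.fault_symbol = m["sym"]
        elif t.comm is None and (m := COMM_RE.search(line)):
            t.comm = m["comm"]
        elif line.startswith("Call Trace:"):
            in_trace = True
        elif in_trace:
            # Only the first trace counts: the RIP/register dump printed after
            # "end trace" repeats what was already captured.
            if line.strip() == "</TASK>" or line.startswith("---[ end trace"):
                in_trace = False
            elif m := FRAME_RE.match(line):
                t.frames.append((m["sym"], m["loc"], m["inline"] is not None))
                if t.syscall is None and (s := SYSCALL_RE.match(m["sym"])):
                    t.syscall = s["name"]
    return t


def owning_subsystem(frames: List[Frame]) -> Optional[str]:
    """The first frame under fs/<name>/ names the filesystem that owns the path."""
    for _, loc, _ in frames:
        if m := re.match(r"^fs/([^/]+)/", loc):
            return m.group(1)
    return None


def summary(t: Triage) -> str:
    chain = " <- ".join(sym for sym, _, _ in t.frames)
    return (
        f"{t.fault_symbol} hit BUG at {t.bug_location} in comm {t.comm} via {t.syscall}(2); "
        f"owner {owning_subsystem(t.frames)}; last warning: {t.last_warning}; chain: {chain}"
    )


if __name__ == "__main__":
    print(summary(triage(SAMPLE_REPORT)))
```

Run on the sample, the summary names folio_set_bh at fs/buffer.c:1479, reached from mount(2) through jfs, with the jfs block-size warning as the last message before the BUG; that pairing of a "not supported" warning with a crash a few frames later is the detail worth flagging when deciding which subsystem to route the report to. The parser stops at the first `</TASK>` so the duplicated register dump after `end trace` does not double-count frames.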