[v6.6] kernel BUG in ocfs2_truncate_log_append
0 views
Skip to first unread message
syzbot
Sep 5, 2025, 3:08:37 PM (2 days ago) Sep 5
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 355bd0b51d2f Linux 6.6.104
git tree: linux-6.6.y
console output: https://syzkaller.appspot.com/x/log.txt?x=124b887c580000
kernel config: https://syzkaller.appspot.com/x/.config?x=dac93b93d3de2741
dashboard link: https://syzkaller.appspot.com/bug?extid=3b744091a73503ebe237
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ef00d28b2c5b/disk-355bd0b5.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/7627cd51eb0a/vmlinux-355bd0b5.xz
kernel image: https://storage.googleapis.com/syzbot-assets/3fdd0a51dd65/bzImage-355bd0b5.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3b7440...@syzkaller.appspotmail.com
(syz.2.169,6607,0):ocfs2_truncate_log_append:5875 ERROR: Truncate record count on #77 invalid wanted 39, actual 40
------------[ cut here ]------------
kernel BUG at fs/ocfs2/alloc.c:5875!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 6607 Comm: syz.2.169 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:ocfs2_truncate_log_append+0x92e/0x940 fs/ocfs2/alloc.c:5869
Code: 0f b7 04 24 4c 89 ef 48 c7 c6 35 36 67 8c ba f3 16 00 00 48 c7 c1 00 77 e9 8a 4d 89 f0 41 89 d9 50 e8 46 d6 1c 00 48 83 c4 08 <0f> 0b e8 1b 25 3c fe 0f 0b e8 14 25 3c fe 0f 0b 66 90 55 41 57 41
RSP: 0018:ffffc900190eebe0 EFLAGS: 00010292
RAX: 4fc27b7d09953a00 RBX: 0000000000000027 RCX: 4fc27b7d09953a00
RDX: ffffc9000c72a000 RSI: 0000000000025cf9 RDI: 0000000000025cfa
RBP: ffffc900190eed10 R08: ffffc900190ee687 R09: 1ffff9200321dcd0
R10: dffffc0000000000 R11: fffff5200321dcd1 R12: ffff88805b072ac0
R13: ffffc900190eec80 R14: 000000000000004d R15: 1ffff1100b60e558
FS: 00007f6c592b16c0(0000) GS:ffff8880b8e00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f6c5926ef98 CR3: 000000002ba68000 CR4: 00000000003506f0
Call Trace:
<TASK>
ocfs2_remove_btree_range+0x102c/0x1480 fs/ocfs2/alloc.c:5790
ocfs2_commit_truncate+0xb4b/0x21a0 fs/ocfs2/alloc.c:7354
ocfs2_truncate_file+0xc86/0x13a0 fs/ocfs2/file.c:509
ocfs2_setattr+0x150d/0x1b20 fs/ocfs2/file.c:1211
notify_change+0xb0d/0xe10 fs/attr.c:499
do_truncate+0x19b/0x220 fs/open.c:66
handle_truncate fs/namei.c:3291 [inline]
do_open fs/namei.c:3636 [inline]
path_openat+0x298c/0x3190 fs/namei.c:3789
do_filp_open+0x1c5/0x3d0 fs/namei.c:3816
do_sys_openat2+0x12c/0x1c0 fs/open.c:1419
do_sys_open fs/open.c:1434 [inline]
__do_sys_openat fs/open.c:1450 [inline]
__se_sys_openat fs/open.c:1445 [inline]
__x64_sys_openat+0x139/0x160 fs/open.c:1445
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f6c5838ebe9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f6c592b1038 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f6c585c5fa0 RCX: 00007f6c5838ebe9
RDX: 0000000000181242 RSI: 0000200000000180 RDI: ffffffffffffff9c
RBP: 00007f6c58411e19 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000148 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f6c585c6038 R14: 00007f6c585c5fa0 R15: 00007ffe240ab798
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:ocfs2_truncate_log_append+0x92e/0x940 fs/ocfs2/alloc.c:5869
Code: 0f b7 04 24 4c 89 ef 48 c7 c6 35 36 67 8c ba f3 16 00 00 48 c7 c1 00 77 e9 8a 4d 89 f0 41 89 d9 50 e8 46 d6 1c 00 48 83 c4 08 <0f> 0b e8 1b 25 3c fe 0f 0b e8 14 25 3c fe 0f 0b 66 90 55 41 57 41
RSP: 0018:ffffc900190eebe0 EFLAGS: 00010292
RAX: 4fc27b7d09953a00 RBX: 0000000000000027 RCX: 4fc27b7d09953a00
RDX: ffffc9000c72a000 RSI: 0000000000025cf9 RDI: 0000000000025cfa
RBP: ffffc900190eed10 R08: ffffc900190ee687 R09: 1ffff9200321dcd0
R10: dffffc0000000000 R11: fffff5200321dcd1 R12: ffff88805b072ac0
R13: ffffc900190eec80 R14: 000000000000004d R15: 1ffff1100b60e558
FS: 00007f6c592b16c0(0000) GS:ffff8880b8e00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fa6ca153000 CR3: 000000002ba68000 CR4: 00000000003506f0
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 355bd0b51d2f Linux 6.6.104
git tree: linux-6.6.y
console output: https://syzkaller.appspot.com/x/log.txt?x=124b887c580000
kernel config: https://syzkaller.appspot.com/x/.config?x=dac93b93d3de2741
dashboard link: https://syzkaller.appspot.com/bug?extid=3b744091a73503ebe237
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ef00d28b2c5b/disk-355bd0b5.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/7627cd51eb0a/vmlinux-355bd0b5.xz
kernel image: https://storage.googleapis.com/syzbot-assets/3fdd0a51dd65/bzImage-355bd0b5.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3b7440...@syzkaller.appspotmail.com
(syz.2.169,6607,0):ocfs2_truncate_log_append:5875 ERROR: Truncate record count on #77 invalid wanted 39, actual 40
------------[ cut here ]------------
kernel BUG at fs/ocfs2/alloc.c:5875!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 6607 Comm: syz.2.169 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:ocfs2_truncate_log_append+0x92e/0x940 fs/ocfs2/alloc.c:5869
Code: 0f b7 04 24 4c 89 ef 48 c7 c6 35 36 67 8c ba f3 16 00 00 48 c7 c1 00 77 e9 8a 4d 89 f0 41 89 d9 50 e8 46 d6 1c 00 48 83 c4 08 <0f> 0b e8 1b 25 3c fe 0f 0b e8 14 25 3c fe 0f 0b 66 90 55 41 57 41
RSP: 0018:ffffc900190eebe0 EFLAGS: 00010292
RAX: 4fc27b7d09953a00 RBX: 0000000000000027 RCX: 4fc27b7d09953a00
RDX: ffffc9000c72a000 RSI: 0000000000025cf9 RDI: 0000000000025cfa
RBP: ffffc900190eed10 R08: ffffc900190ee687 R09: 1ffff9200321dcd0
R10: dffffc0000000000 R11: fffff5200321dcd1 R12: ffff88805b072ac0
R13: ffffc900190eec80 R14: 000000000000004d R15: 1ffff1100b60e558
FS: 00007f6c592b16c0(0000) GS:ffff8880b8e00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f6c5926ef98 CR3: 000000002ba68000 CR4: 00000000003506f0
Call Trace:
<TASK>
ocfs2_remove_btree_range+0x102c/0x1480 fs/ocfs2/alloc.c:5790
ocfs2_commit_truncate+0xb4b/0x21a0 fs/ocfs2/alloc.c:7354
ocfs2_truncate_file+0xc86/0x13a0 fs/ocfs2/file.c:509
ocfs2_setattr+0x150d/0x1b20 fs/ocfs2/file.c:1211
notify_change+0xb0d/0xe10 fs/attr.c:499
do_truncate+0x19b/0x220 fs/open.c:66
handle_truncate fs/namei.c:3291 [inline]
do_open fs/namei.c:3636 [inline]
path_openat+0x298c/0x3190 fs/namei.c:3789
do_filp_open+0x1c5/0x3d0 fs/namei.c:3816
do_sys_openat2+0x12c/0x1c0 fs/open.c:1419
do_sys_open fs/open.c:1434 [inline]
__do_sys_openat fs/open.c:1450 [inline]
__se_sys_openat fs/open.c:1445 [inline]
__x64_sys_openat+0x139/0x160 fs/open.c:1445
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f6c5838ebe9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f6c592b1038 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f6c585c5fa0 RCX: 00007f6c5838ebe9
RDX: 0000000000181242 RSI: 0000200000000180 RDI: ffffffffffffff9c
RBP: 00007f6c58411e19 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000148 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f6c585c6038 R14: 00007f6c585c5fa0 R15: 00007ffe240ab798
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:ocfs2_truncate_log_append+0x92e/0x940 fs/ocfs2/alloc.c:5869
Code: 0f b7 04 24 4c 89 ef 48 c7 c6 35 36 67 8c ba f3 16 00 00 48 c7 c1 00 77 e9 8a 4d 89 f0 41 89 d9 50 e8 46 d6 1c 00 48 83 c4 08 <0f> 0b e8 1b 25 3c fe 0f 0b e8 14 25 3c fe 0f 0b 66 90 55 41 57 41
RSP: 0018:ffffc900190eebe0 EFLAGS: 00010292
RAX: 4fc27b7d09953a00 RBX: 0000000000000027 RCX: 4fc27b7d09953a00
RDX: ffffc9000c72a000 RSI: 0000000000025cf9 RDI: 0000000000025cfa
RBP: ffffc900190eed10 R08: ffffc900190ee687 R09: 1ffff9200321dcd0
R10: dffffc0000000000 R11: fffff5200321dcd1 R12: ffff88805b072ac0
R13: ffffc900190eec80 R14: 000000000000004d R15: 1ffff1100b60e558
FS: 00007f6c592b16c0(0000) GS:ffff8880b8e00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fa6ca153000 CR3: 000000002ba68000 CR4: 00000000003506f0
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
Sep 5, 2025, 4:21:35 PM (2 days ago) Sep 5
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:
HEAD commit: 355bd0b51d2f Linux 6.6.104
git tree: linux-6.6.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1402f162580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12236134580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ef00d28b2c5b/disk-355bd0b5.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/7627cd51eb0a/vmlinux-355bd0b5.xz
kernel image: https://storage.googleapis.com/syzbot-assets/3fdd0a51dd65/bzImage-355bd0b5.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/038d00dfc785/mount_0.gz
fsck result: OK (log: https://syzkaller.appspot.com/x/fsck.log?x=1002f162580000)
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3b7440...@syzkaller.appspotmail.com
option from the mount to silence this warning.
=======================================================
JBD2: Ignoring recovery information on journal
ocfs2: Mounting device (7,0) on (node local, slot 0) with ordered data mode.
(syz.0.17,5947,0):ocfs2_truncate_log_append:5875 ERROR: bug expression: tl_count > ocfs2_truncate_recs_per_inode(osb->sb) || tl_count == 0
(syz.0.17,5947,0):ocfs2_truncate_log_append:5875 ERROR: Truncate record count on #77 invalid wanted 39, actual 40
RAX: 1cb287771d739900 RBX: 0000000000000027 RCX: 1cb287771d739900
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: ffffc90003306d10 R08: ffffc90003306787 R09: 1ffff92000660cf0
R10: dffffc0000000000 R11: fffff52000660cf1 R12: ffff88806073cac0
R13: ffffc90003306c80 R14: 000000000000004d R15: 1ffff1100c0e7958
FS: 0000555556b71500(0000) GS:ffff8880b8e00000(0000) knlGS:0000000000000000
RAX: ffffffffffffffda RBX: 00007f33037c5fa0 RCX: 00007f330358ebe9
RAX: 1cb287771d739900 RBX: 0000000000000027 RCX: 1cb287771d739900
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: ffffc90003306d10 R08: ffffc90003306787 R09: 1ffff92000660cf0
R10: dffffc0000000000 R11: fffff52000660cf1 R12: ffff88806073cac0
R13: ffffc90003306c80 R14: 000000000000004d R15: 1ffff1100c0e7958
FS: 0000555556b71500(0000) GS:ffff8880b8e00000(0000) knlGS:0000000000000000
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
HEAD commit: 355bd0b51d2f Linux 6.6.104
git tree: linux-6.6.y
kernel config: https://syzkaller.appspot.com/x/.config?x=dac93b93d3de2741
dashboard link: https://syzkaller.appspot.com/bug?extid=3b744091a73503ebe237
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12f13a42580000
dashboard link: https://syzkaller.appspot.com/bug?extid=3b744091a73503ebe237
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12236134580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ef00d28b2c5b/disk-355bd0b5.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/7627cd51eb0a/vmlinux-355bd0b5.xz
kernel image: https://storage.googleapis.com/syzbot-assets/3fdd0a51dd65/bzImage-355bd0b5.xz
fsck result: OK (log: https://syzkaller.appspot.com/x/fsck.log?x=1002f162580000)
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3b7440...@syzkaller.appspotmail.com
=======================================================
JBD2: Ignoring recovery information on journal
ocfs2: Mounting device (7,0) on (node local, slot 0) with ordered data mode.
(syz.0.17,5947,0):ocfs2_truncate_log_append:5875 ERROR: bug expression: tl_count > ocfs2_truncate_recs_per_inode(osb->sb) || tl_count == 0
(syz.0.17,5947,0):ocfs2_truncate_log_append:5875 ERROR: Truncate record count on #77 invalid wanted 39, actual 40
------------[ cut here ]------------
kernel BUG at fs/ocfs2/alloc.c:5875!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 5947 Comm: syz.0.17 Not tainted syzkaller #0
kernel BUG at fs/ocfs2/alloc.c:5875!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:ocfs2_truncate_log_append+0x92e/0x940 fs/ocfs2/alloc.c:5869
Code: 0f b7 04 24 4c 89 ef 48 c7 c6 35 36 67 8c ba f3 16 00 00 48 c7 c1 00 77 e9 8a 4d 89 f0 41 89 d9 50 e8 46 d6 1c 00 48 83 c4 08 <0f> 0b e8 1b 25 3c fe 0f 0b e8 14 25 3c fe 0f 0b 66 90 55 41 57 41
RSP: 0018:ffffc90003306be0 EFLAGS: 00010292
RIP: 0010:ocfs2_truncate_log_append+0x92e/0x940 fs/ocfs2/alloc.c:5869
Code: 0f b7 04 24 4c 89 ef 48 c7 c6 35 36 67 8c ba f3 16 00 00 48 c7 c1 00 77 e9 8a 4d 89 f0 41 89 d9 50 e8 46 d6 1c 00 48 83 c4 08 <0f> 0b e8 1b 25 3c fe 0f 0b e8 14 25 3c fe 0f 0b 66 90 55 41 57 41
RAX: 1cb287771d739900 RBX: 0000000000000027 RCX: 1cb287771d739900
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: ffffc90003306d10 R08: ffffc90003306787 R09: 1ffff92000660cf0
R10: dffffc0000000000 R11: fffff52000660cf1 R12: ffff88806073cac0
R13: ffffc90003306c80 R14: 000000000000004d R15: 1ffff1100c0e7958
FS: 0000555556b71500(0000) GS:ffff8880b8e00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fdb3369c000 CR3: 00000000308f1000 CR4: 00000000003506f0
Call Trace:
<TASK>
ocfs2_remove_btree_range+0x102c/0x1480 fs/ocfs2/alloc.c:5790
ocfs2_commit_truncate+0xb4b/0x21a0 fs/ocfs2/alloc.c:7354
ocfs2_truncate_file+0xc86/0x13a0 fs/ocfs2/file.c:509
ocfs2_setattr+0x150d/0x1b20 fs/ocfs2/file.c:1211
notify_change+0xb0d/0xe10 fs/attr.c:499
do_truncate+0x19b/0x220 fs/open.c:66
handle_truncate fs/namei.c:3291 [inline]
do_open fs/namei.c:3636 [inline]
path_openat+0x298c/0x3190 fs/namei.c:3789
do_filp_open+0x1c5/0x3d0 fs/namei.c:3816
do_sys_openat2+0x12c/0x1c0 fs/open.c:1419
do_sys_open fs/open.c:1434 [inline]
__do_sys_openat fs/open.c:1450 [inline]
__se_sys_openat fs/open.c:1445 [inline]
__x64_sys_openat+0x139/0x160 fs/open.c:1445
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f330358ebe9
<TASK>
ocfs2_remove_btree_range+0x102c/0x1480 fs/ocfs2/alloc.c:5790
ocfs2_commit_truncate+0xb4b/0x21a0 fs/ocfs2/alloc.c:7354
ocfs2_truncate_file+0xc86/0x13a0 fs/ocfs2/file.c:509
ocfs2_setattr+0x150d/0x1b20 fs/ocfs2/file.c:1211
notify_change+0xb0d/0xe10 fs/attr.c:499
do_truncate+0x19b/0x220 fs/open.c:66
handle_truncate fs/namei.c:3291 [inline]
do_open fs/namei.c:3636 [inline]
path_openat+0x298c/0x3190 fs/namei.c:3789
do_filp_open+0x1c5/0x3d0 fs/namei.c:3816
do_sys_openat2+0x12c/0x1c0 fs/open.c:1419
do_sys_open fs/open.c:1434 [inline]
__do_sys_openat fs/open.c:1450 [inline]
__se_sys_openat fs/open.c:1445 [inline]
__x64_sys_openat+0x139/0x160 fs/open.c:1445
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc01ee5ea8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f33037c5fa0 RCX: 00007f330358ebe9
RDX: 0000000000181242 RSI: 0000200000000180 RDI: ffffffffffffff9c
RBP: 00007f3303611e19 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000148 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f33037c5fa0 R14: 00007f33037c5fa0 R15: 0000000000000004
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:ocfs2_truncate_log_append+0x92e/0x940 fs/ocfs2/alloc.c:5869
Code: 0f b7 04 24 4c 89 ef 48 c7 c6 35 36 67 8c ba f3 16 00 00 48 c7 c1 00 77 e9 8a 4d 89 f0 41 89 d9 50 e8 46 d6 1c 00 48 83 c4 08 <0f> 0b e8 1b 25 3c fe 0f 0b e8 14 25 3c fe 0f 0b 66 90 55 41 57 41
RSP: 0018:ffffc90003306be0 EFLAGS: 00010292
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:ocfs2_truncate_log_append+0x92e/0x940 fs/ocfs2/alloc.c:5869
Code: 0f b7 04 24 4c 89 ef 48 c7 c6 35 36 67 8c ba f3 16 00 00 48 c7 c1 00 77 e9 8a 4d 89 f0 41 89 d9 50 e8 46 d6 1c 00 48 83 c4 08 <0f> 0b e8 1b 25 3c fe 0f 0b e8 14 25 3c fe 0f 0b 66 90 55 41 57 41
RAX: 1cb287771d739900 RBX: 0000000000000027 RCX: 1cb287771d739900
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: ffffc90003306d10 R08: ffffc90003306787 R09: 1ffff92000660cf0
R10: dffffc0000000000 R11: fffff52000660cf1 R12: ffff88806073cac0
R13: ffffc90003306c80 R14: 000000000000004d R15: 1ffff1100c0e7958
FS: 0000555556b71500(0000) GS:ffff8880b8e00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fdb3369c000 CR3: 00000000308f1000 CR4: 00000000003506f0
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
syzbot
Sep 5, 2025, 4:50:29 PM (2 days ago) Sep 5
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 28c695c365e1 Linux 6.1.150
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1152f162580000
kernel config: https://syzkaller.appspot.com/x/.config?x=cc3aff322420b627
dashboard link: https://syzkaller.appspot.com/bug?extid=521ac033491cfb9fa8a7
disk image: https://storage.googleapis.com/syzbot-assets/a317393ea4bb/disk-28c695c3.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/150d84578d27/vmlinux-28c695c3.xz
kernel image: https://storage.googleapis.com/syzbot-assets/b4ce417b0911/bzImage-28c695c3.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+521ac0...@syzkaller.appspotmail.com
(syz.0.26,4595,0):ocfs2_truncate_log_append:5875 ERROR: Truncate record count on #77 invalid wanted 39, actual 40
Code: 0f b7 04 24 4c 89 ef 48 c7 c6 5e 2d 49 8c ba f3 16 00 00 48 c7 c1 00 c6 cb 8a 4d 89 f0 41 89 d9 50 e8 4a b1 1c 00 48 83 c4 08 <0f> 0b e8 6f 81 4b fe 0f 0b e8 68 81 4b fe 0f 0b 66 0f 1f 44 00 00
RSP: 0018:ffffc90006106bc0 EFLAGS: 00010296
RAX: 3a443a1bcc48a000 RBX: 0000000000000027 RCX: 3a443a1bcc48a000
RDX: ffffc90005489000 RSI: 0000000000022972 RDI: 0000000000022973
RBP: ffffc90006106cf0 R08: dffffc0000000000 R09: fffff52000c20ced
R10: fffff52000c20ced R11: 1ffff92000c20cec R12: ffff88805201dac0
R13: ffffc90006106c60 R14: 000000000000004d R15: 1ffff1100a403b58
FS: 00007f5e458666c0(0000) GS:ffff8880b8e00000(0000) knlGS:0000000000000000
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
ocfs2_remove_btree_range+0x1028/0x1480 fs/ocfs2/alloc.c:5790
ocfs2_commit_truncate+0xaf5/0x1bf0 fs/ocfs2/alloc.c:7354
ocfs2_truncate_file+0xcd6/0x14d0 fs/ocfs2/file.c:505
ocfs2_setattr+0x16a9/0x1cf0 fs/ocfs2/file.c:1212
notify_change+0xc74/0xf40 fs/attr.c:499
do_truncate+0x197/0x220 fs/open.c:65
handle_truncate fs/namei.c:3285 [inline]
do_open fs/namei.c:3630 [inline]
path_openat+0x27f2/0x2e70 fs/namei.c:3783
do_filp_open+0x1c1/0x3c0 fs/namei.c:3810
do_sys_openat2+0x142/0x490 fs/open.c:1318
do_sys_open fs/open.c:1334 [inline]
__do_sys_openat fs/open.c:1350 [inline]
__se_sys_openat fs/open.c:1345 [inline]
__x64_sys_openat+0x135/0x160 fs/open.c:1345
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f5e4498ebe9
RAX: ffffffffffffffda RBX: 00007f5e44bc5fa0 RCX: 00007f5e4498ebe9
Code: 0f b7 04 24 4c 89 ef 48 c7 c6 5e 2d 49 8c ba f3 16 00 00 48 c7 c1 00 c6 cb 8a 4d 89 f0 41 89 d9 50 e8 4a b1 1c 00 48 83 c4 08 <0f> 0b e8 6f 81 4b fe 0f 0b e8 68 81 4b fe 0f 0b 66 0f 1f 44 00 00
RSP: 0018:ffffc90006106bc0 EFLAGS: 00010296
RAX: 3a443a1bcc48a000 RBX: 0000000000000027 RCX: 3a443a1bcc48a000
RDX: ffffc90005489000 RSI: 0000000000022972 RDI: 0000000000022973
RBP: ffffc90006106cf0 R08: dffffc0000000000 R09: fffff52000c20ced
R10: fffff52000c20ced R11: 1ffff92000c20cec R12: ffff88805201dac0
R13: ffffc90006106c60 R14: 000000000000004d R15: 1ffff1100a403b58
FS: 00007f5e458666c0(0000) GS:ffff8880b8e00000(0000) knlGS:0000000000000000
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
syzbot found the following issue on:
HEAD commit: 28c695c365e1 Linux 6.1.150
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1152f162580000
kernel config: https://syzkaller.appspot.com/x/.config?x=cc3aff322420b627
dashboard link: https://syzkaller.appspot.com/bug?extid=521ac033491cfb9fa8a7
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/a317393ea4bb/disk-28c695c3.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/150d84578d27/vmlinux-28c695c3.xz
kernel image: https://storage.googleapis.com/syzbot-assets/b4ce417b0911/bzImage-28c695c3.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
(syz.0.26,4595,0):ocfs2_truncate_log_append:5875 ERROR: Truncate record count on #77 invalid wanted 39, actual 40
------------[ cut here ]------------
kernel BUG at fs/ocfs2/alloc.c:5875!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 4595 Comm: syz.0.26 Not tainted syzkaller #0
kernel BUG at fs/ocfs2/alloc.c:5875!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:ocfs2_truncate_log_append+0x92a/0x940 fs/ocfs2/alloc.c:5869
Code: 0f b7 04 24 4c 89 ef 48 c7 c6 5e 2d 49 8c ba f3 16 00 00 48 c7 c1 00 c6 cb 8a 4d 89 f0 41 89 d9 50 e8 4a b1 1c 00 48 83 c4 08 <0f> 0b e8 6f 81 4b fe 0f 0b e8 68 81 4b fe 0f 0b 66 0f 1f 44 00 00
RSP: 0018:ffffc90006106bc0 EFLAGS: 00010296
RAX: 3a443a1bcc48a000 RBX: 0000000000000027 RCX: 3a443a1bcc48a000
RDX: ffffc90005489000 RSI: 0000000000022972 RDI: 0000000000022973
RBP: ffffc90006106cf0 R08: dffffc0000000000 R09: fffff52000c20ced
R10: fffff52000c20ced R11: 1ffff92000c20cec R12: ffff88805201dac0
R13: ffffc90006106c60 R14: 000000000000004d R15: 1ffff1100a403b58
FS: 00007f5e458666c0(0000) GS:ffff8880b8e00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2629b44000 CR3: 000000005914e000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
ocfs2_remove_btree_range+0x1028/0x1480 fs/ocfs2/alloc.c:5790
ocfs2_commit_truncate+0xaf5/0x1bf0 fs/ocfs2/alloc.c:7354
ocfs2_truncate_file+0xcd6/0x14d0 fs/ocfs2/file.c:505
ocfs2_setattr+0x16a9/0x1cf0 fs/ocfs2/file.c:1212
notify_change+0xc74/0xf40 fs/attr.c:499
do_truncate+0x197/0x220 fs/open.c:65
handle_truncate fs/namei.c:3285 [inline]
do_open fs/namei.c:3630 [inline]
path_openat+0x27f2/0x2e70 fs/namei.c:3783
do_filp_open+0x1c1/0x3c0 fs/namei.c:3810
do_sys_openat2+0x142/0x490 fs/open.c:1318
do_sys_open fs/open.c:1334 [inline]
__do_sys_openat fs/open.c:1350 [inline]
__se_sys_openat fs/open.c:1345 [inline]
__x64_sys_openat+0x135/0x160 fs/open.c:1345
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f5e4498ebe9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f5e45866038 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f5e44bc5fa0 RCX: 00007f5e4498ebe9
RDX: 0000000000181242 RSI: 0000200000000180 RDI: ffffffffffffff9c
RBP: 00007f5e44a11e19 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000148 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f5e44bc6038 R14: 00007f5e44bc5fa0 R15: 00007ffe56b82718
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:ocfs2_truncate_log_append+0x92a/0x940 fs/ocfs2/alloc.c:5869
Modules linked in:
---[ end trace 0000000000000000 ]---
Code: 0f b7 04 24 4c 89 ef 48 c7 c6 5e 2d 49 8c ba f3 16 00 00 48 c7 c1 00 c6 cb 8a 4d 89 f0 41 89 d9 50 e8 4a b1 1c 00 48 83 c4 08 <0f> 0b e8 6f 81 4b fe 0f 0b e8 68 81 4b fe 0f 0b 66 0f 1f 44 00 00
RSP: 0018:ffffc90006106bc0 EFLAGS: 00010296
RAX: 3a443a1bcc48a000 RBX: 0000000000000027 RCX: 3a443a1bcc48a000
RDX: ffffc90005489000 RSI: 0000000000022972 RDI: 0000000000022973
RBP: ffffc90006106cf0 R08: dffffc0000000000 R09: fffff52000c20ced
R10: fffff52000c20ced R11: 1ffff92000c20cec R12: ffff88805201dac0
R13: ffffc90006106c60 R14: 000000000000004d R15: 1ffff1100a403b58
FS: 00007f5e458666c0(0000) GS:ffff8880b8e00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f262958c000 CR3: 000000005914e000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
syzbot
Sep 5, 2025, 8:18:36 PM (2 days ago) Sep 5
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 7a6c2d093c45 Linux 5.15.191
syzbot found the following issue on:
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1574e134580000
kernel config: https://syzkaller.appspot.com/x/.config?x=4aee9f779ad20a6a
dashboard link: https://syzkaller.appspot.com/bug?extid=4515aa9cfd9b6eeccd4e
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/5ab7658d1be2/disk-7a6c2d09.raw.xz
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
vmlinux: https://storage.googleapis.com/syzbot-assets/dc30f611bdaa/vmlinux-7a6c2d09.xz
kernel image: https://storage.googleapis.com/syzbot-assets/ba4ba285539e/bzImage-7a6c2d09.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
(syz.4.18,4382,1):ocfs2_truncate_log_append:5875 ERROR: bug expression: tl_count > ocfs2_truncate_recs_per_inode(osb->sb) || tl_count == 0
(syz.4.18,4382,1):ocfs2_truncate_log_append:5875 ERROR: Truncate record count on #77 invalid wanted 39, actual 40
------------[ cut here ]------------
kernel BUG at fs/ocfs2/alloc.c:5875!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 4382 Comm: syz.4.18 Not tainted syzkaller #0
kernel BUG at fs/ocfs2/alloc.c:5875!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:ocfs2_truncate_log_append+0x92a/0x940 fs/ocfs2/alloc.c:5869
Code: 0f b7 04 24 4c 89 ef 48 c7 c6 c6 e2 a7 8b ba f3 16 00 00 48 c7 c1 e0 59 47 8a 4d 89 f0 41 89 d9 50 e8 1a 15 1c 00 48 83 c4 08 <0f> 0b e8 ff 43 66 fe 0f 0b e8 f8 43 66 fe 0f 0b 66 0f 1f 44 00 00
RIP: 0010:ocfs2_truncate_log_append+0x92a/0x940 fs/ocfs2/alloc.c:5869
RSP: 0018:ffffc9000346ec00 EFLAGS: 00010296
RAX: 7b76b5fb62995700 RBX: 0000000000000027 RCX: 7b76b5fb62995700
RDX: ffffc9000e79a000 RSI: 00000000000214bf RDI: 00000000000214c0
RBP: ffffc9000346ed30 R08: dffffc0000000000 R09: ffffed10172267a8
R10: ffffed10172267a8 R11: 1ffff110172267a7 R12: ffff888071a5fac0
R13: ffffc9000346eca0 R14: 000000000000004d R15: 1ffff1100e34bf58
FS: 00007fd8647906c0(0000) GS:ffff8880b9100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fd86474ed58 CR3: 000000005b831000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
ocfs2_remove_btree_range+0x1028/0x1480 fs/ocfs2/alloc.c:5790
ocfs2_commit_truncate+0xab3/0x1b30 fs/ocfs2/alloc.c:7347
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
ocfs2_remove_btree_range+0x1028/0x1480 fs/ocfs2/alloc.c:5790
ocfs2_truncate_file+0xca4/0x13b0 fs/ocfs2/file.c:505
ocfs2_setattr+0x143b/0x1a10 fs/ocfs2/file.c:1215
notify_change+0xbcd/0xee0 fs/attr.c:505
do_truncate+0x197/0x220 fs/open.c:65
handle_truncate fs/namei.c:3265 [inline]
do_open fs/namei.c:3612 [inline]
path_openat+0x28af/0x2f30 fs/namei.c:3742
do_filp_open+0x1b3/0x3e0 fs/namei.c:3769
do_sys_openat2+0x142/0x4a0 fs/open.c:1253
do_sys_open fs/open.c:1269 [inline]
__do_sys_openat fs/open.c:1285 [inline]
__se_sys_openat fs/open.c:1280 [inline]
__x64_sys_openat+0x135/0x160 fs/open.c:1280
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7fd866528be9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fd864790038 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007fd86675ffa0 RCX: 00007fd866528be9
RDX: 0000000000181242 RSI: 0000200000000180 RDI: ffffffffffffff9c
RBP: 00007fd8665abe19 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000148 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fd866760038 R14: 00007fd86675ffa0 R15: 00007ffdde936138
</TASK>
Modules linked in:
---[ end trace df7ecc485d14494a ]---
RIP: 0010:ocfs2_truncate_log_append+0x92a/0x940 fs/ocfs2/alloc.c:5869
Code: 0f b7 04 24 4c 89 ef 48 c7 c6 c6 e2 a7 8b ba f3 16 00 00 48 c7 c1 e0 59 47 8a 4d 89 f0 41 89 d9 50 e8 1a 15 1c 00 48 83 c4 08 <0f> 0b e8 ff 43 66 fe 0f 0b e8 f8 43 66 fe 0f 0b 66 0f 1f 44 00 00
RSP: 0018:ffffc9000346ec00 EFLAGS: 00010296
RAX: 7b76b5fb62995700 RBX: 0000000000000027 RCX: 7b76b5fb62995700
RDX: ffffc9000e79a000 RSI: 00000000000214bf RDI: 00000000000214c0
RBP: ffffc9000346ed30 R08: dffffc0000000000 R09: ffffed10172267a8
R10: ffffed10172267a8 R11: 1ffff110172267a7 R12: ffff888071a5fac0
R13: ffffc9000346eca0 R14: 000000000000004d R15: 1ffff1100e34bf58
FS: 00007fd8647906c0(0000) GS:ffff8880b9100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f0c55f6ee9c CR3: 000000005b831000 CR4: 00000000003506e0
Reply all
Reply to author
Forward
0 new messages