[v6.1] WARNING in ext4_xattr_inode_update_ref
0 views
Skip to first unread message
syzbot
Sep 6, 2025, 9:50:27 PM (2 days ago) Sep 6
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 28c695c365e1 Linux 6.1.150
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=12b93312580000
kernel config: https://syzkaller.appspot.com/x/.config?x=68aa5a3af1cb953a
dashboard link: https://syzkaller.appspot.com/bug?extid=23ef1ff7166a7f106a9d
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
userspace arch: arm64
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/16e807247bf6/disk-28c695c3.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/a2c735eaf8f9/vmlinux-28c695c3.xz
kernel image: https://storage.googleapis.com/syzbot-assets/080f0096d6c9/Image-28c695c3.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+23ef1f...@syzkaller.appspotmail.com
loop4: detected capacity change from 0 to 512
------------[ cut here ]------------
EA inode 11 ref_count=-1
WARNING: CPU: 0 PID: 5564 at fs/ext4/xattr.c:1016 ext4_xattr_inode_update_ref+0x3dc/0x4ac fs/ext4/xattr.c:1015
Modules linked in:
CPU: 0 PID: 5564 Comm: syz.4.324 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/30/2025
pstate: 62400005 (nZCv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=--)
pc : ext4_xattr_inode_update_ref+0x3dc/0x4ac fs/ext4/xattr.c:1015
lr : ext4_xattr_inode_update_ref+0x3dc/0x4ac fs/ext4/xattr.c:1015
sp : ffff800021726fe0
x29: ffff800021727060 x28: 00000000ffffffff x27: dfff800000000000
x26: 1fffe0001c327317 x25: ffff7000042e4dfc x24: 00000000ffffffff
x23: ffff800017a8b000 x22: ffff0000e1939700 x21: ffffffffffffffff
x20: 0000000000000001 x19: ffff0000e19396c0 x18: ffff800011abbcc0
x17: 1fffe00033ed797e x16: ffff8000082d22d4 x15: 0000000040000000
x14: 0000000000000002 x13: 1ffff00002a180b1 x12: 0000000000ff0100
x11: ff0080000a8935f4 x10: 0000000000000003 x9 : 6bdf13c0ffd0bf00
x8 : 6bdf13c0ffd0bf00 x7 : ffff800008251e10 x6 : 0000000000000000
x5 : 0000000000000080 x4 : 0000000000000001 x3 : 0000000000000000
x2 : 0000000000000006 x1 : ffff800011abd7c0 x0 : ffff80018a6a7000
Call trace:
ext4_xattr_inode_update_ref+0x3dc/0x4ac fs/ext4/xattr.c:1015
ext4_xattr_inode_dec_ref fs/ext4/xattr.c:1044 [inline]
ext4_xattr_inode_dec_ref_all+0x8b4/0xd48 fs/ext4/xattr.c:1186
ext4_xattr_delete_inode+0x870/0xa00 fs/ext4/xattr.c:2914
ext4_evict_inode+0xcd0/0x1270 fs/ext4/inode.c:296
evict+0x3c8/0x810 fs/inode.c:705
iput_final fs/inode.c:1834 [inline]
iput+0x764/0x7f4 fs/inode.c:1860
ext4_process_orphan+0x240/0x2b4 fs/ext4/orphan.c:360
ext4_orphan_cleanup+0x908/0x104c fs/ext4/orphan.c:474
__ext4_fill_super fs/ext4/super.c:5537 [inline]
ext4_fill_super+0x6920/0x6e34 fs/ext4/super.c:5668
get_tree_bdev+0x358/0x544 fs/super.c:1366
ext4_get_tree+0x28/0x38 fs/ext4/super.c:5698
vfs_get_tree+0x90/0x274 fs/super.c:1573
do_new_mount+0x228/0x810 fs/namespace.c:3069
path_mount+0x5b4/0xe78 fs/namespace.c:3399
do_mount fs/namespace.c:3412 [inline]
__do_sys_mount fs/namespace.c:3620 [inline]
__se_sys_mount fs/namespace.c:3597 [inline]
__arm64_sys_mount+0x49c/0x584 fs/namespace.c:3597
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2bc arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
do_el0_svc+0x58/0x13c arch/arm64/kernel/syscall.c:204
el0_svc+0x58/0x138 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
irq event stamp: 2482
hardirqs last enabled at (2481): [<ffff800008251ea4>] raw_spin_rq_unlock_irq kernel/sched/sched.h:1367 [inline]
hardirqs last enabled at (2481): [<ffff800008251ea4>] finish_lock_switch+0xb0/0x1c4 kernel/sched/core.c:5003
hardirqs last disabled at (2482): [<ffff800011956c70>] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:405
softirqs last enabled at (920): [<ffff8000081a967c>] softirq_handle_end kernel/softirq.c:439 [inline]
softirqs last enabled at (920): [<ffff8000081a967c>] handle_softirqs+0xaf8/0xc6c kernel/softirq.c:624
softirqs last disabled at (899): [<ffff800008020164>] __do_softirq+0x14/0x20 kernel/softirq.c:630
---[ end trace 0000000000000000 ]---
EXT4-fs error (device loop4): ext4_do_update_inode:5254: inode #15: comm syz.4.324: corrupted inode contents
EXT4-fs error (device loop4) in ext4_orphan_del:305: Corrupt filesystem
EXT4-fs error (device loop4): ext4_do_update_inode:5254: inode #15: comm syz.4.324: corrupted inode contents
EXT4-fs error (device loop4): ext4_evict_inode:327: inode #15: comm syz.4.324: mark_inode_dirty error
EXT4-fs (loop4): 1 orphan inode deleted
EXT4-fs (loop4): mounted filesystem without journal. Quota mode: none.
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 28c695c365e1 Linux 6.1.150
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=12b93312580000
kernel config: https://syzkaller.appspot.com/x/.config?x=68aa5a3af1cb953a
dashboard link: https://syzkaller.appspot.com/bug?extid=23ef1ff7166a7f106a9d
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
userspace arch: arm64
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/16e807247bf6/disk-28c695c3.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/a2c735eaf8f9/vmlinux-28c695c3.xz
kernel image: https://storage.googleapis.com/syzbot-assets/080f0096d6c9/Image-28c695c3.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+23ef1f...@syzkaller.appspotmail.com
loop4: detected capacity change from 0 to 512
------------[ cut here ]------------
EA inode 11 ref_count=-1
WARNING: CPU: 0 PID: 5564 at fs/ext4/xattr.c:1016 ext4_xattr_inode_update_ref+0x3dc/0x4ac fs/ext4/xattr.c:1015
Modules linked in:
CPU: 0 PID: 5564 Comm: syz.4.324 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/30/2025
pstate: 62400005 (nZCv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=--)
pc : ext4_xattr_inode_update_ref+0x3dc/0x4ac fs/ext4/xattr.c:1015
lr : ext4_xattr_inode_update_ref+0x3dc/0x4ac fs/ext4/xattr.c:1015
sp : ffff800021726fe0
x29: ffff800021727060 x28: 00000000ffffffff x27: dfff800000000000
x26: 1fffe0001c327317 x25: ffff7000042e4dfc x24: 00000000ffffffff
x23: ffff800017a8b000 x22: ffff0000e1939700 x21: ffffffffffffffff
x20: 0000000000000001 x19: ffff0000e19396c0 x18: ffff800011abbcc0
x17: 1fffe00033ed797e x16: ffff8000082d22d4 x15: 0000000040000000
x14: 0000000000000002 x13: 1ffff00002a180b1 x12: 0000000000ff0100
x11: ff0080000a8935f4 x10: 0000000000000003 x9 : 6bdf13c0ffd0bf00
x8 : 6bdf13c0ffd0bf00 x7 : ffff800008251e10 x6 : 0000000000000000
x5 : 0000000000000080 x4 : 0000000000000001 x3 : 0000000000000000
x2 : 0000000000000006 x1 : ffff800011abd7c0 x0 : ffff80018a6a7000
Call trace:
ext4_xattr_inode_update_ref+0x3dc/0x4ac fs/ext4/xattr.c:1015
ext4_xattr_inode_dec_ref fs/ext4/xattr.c:1044 [inline]
ext4_xattr_inode_dec_ref_all+0x8b4/0xd48 fs/ext4/xattr.c:1186
ext4_xattr_delete_inode+0x870/0xa00 fs/ext4/xattr.c:2914
ext4_evict_inode+0xcd0/0x1270 fs/ext4/inode.c:296
evict+0x3c8/0x810 fs/inode.c:705
iput_final fs/inode.c:1834 [inline]
iput+0x764/0x7f4 fs/inode.c:1860
ext4_process_orphan+0x240/0x2b4 fs/ext4/orphan.c:360
ext4_orphan_cleanup+0x908/0x104c fs/ext4/orphan.c:474
__ext4_fill_super fs/ext4/super.c:5537 [inline]
ext4_fill_super+0x6920/0x6e34 fs/ext4/super.c:5668
get_tree_bdev+0x358/0x544 fs/super.c:1366
ext4_get_tree+0x28/0x38 fs/ext4/super.c:5698
vfs_get_tree+0x90/0x274 fs/super.c:1573
do_new_mount+0x228/0x810 fs/namespace.c:3069
path_mount+0x5b4/0xe78 fs/namespace.c:3399
do_mount fs/namespace.c:3412 [inline]
__do_sys_mount fs/namespace.c:3620 [inline]
__se_sys_mount fs/namespace.c:3597 [inline]
__arm64_sys_mount+0x49c/0x584 fs/namespace.c:3597
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2bc arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
do_el0_svc+0x58/0x13c arch/arm64/kernel/syscall.c:204
el0_svc+0x58/0x138 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
irq event stamp: 2482
hardirqs last enabled at (2481): [<ffff800008251ea4>] raw_spin_rq_unlock_irq kernel/sched/sched.h:1367 [inline]
hardirqs last enabled at (2481): [<ffff800008251ea4>] finish_lock_switch+0xb0/0x1c4 kernel/sched/core.c:5003
hardirqs last disabled at (2482): [<ffff800011956c70>] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:405
softirqs last enabled at (920): [<ffff8000081a967c>] softirq_handle_end kernel/softirq.c:439 [inline]
softirqs last enabled at (920): [<ffff8000081a967c>] handle_softirqs+0xaf8/0xc6c kernel/softirq.c:624
softirqs last disabled at (899): [<ffff800008020164>] __do_softirq+0x14/0x20 kernel/softirq.c:630
---[ end trace 0000000000000000 ]---
EXT4-fs error (device loop4): ext4_do_update_inode:5254: inode #15: comm syz.4.324: corrupted inode contents
EXT4-fs error (device loop4) in ext4_orphan_del:305: Corrupt filesystem
EXT4-fs error (device loop4): ext4_do_update_inode:5254: inode #15: comm syz.4.324: corrupted inode contents
EXT4-fs error (device loop4): ext4_evict_inode:327: inode #15: comm syz.4.324: mark_inode_dirty error
EXT4-fs (loop4): 1 orphan inode deleted
EXT4-fs (loop4): mounted filesystem without journal. Quota mode: none.
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
Sep 6, 2025, 10:02:26 PM (2 days ago) Sep 6
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:
HEAD commit: 28c695c365e1 Linux 6.1.150
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=15afd962580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13605134580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/16e807247bf6/disk-28c695c3.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/a2c735eaf8f9/vmlinux-28c695c3.xz
kernel image: https://storage.googleapis.com/syzbot-assets/080f0096d6c9/Image-28c695c3.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/11b0c7cb95fa/mount_0.gz
fsck result: failed (log: https://syzkaller.appspot.com/x/fsck.log?x=11a9a562580000)
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+23ef1f...@syzkaller.appspotmail.com
loop0: detected capacity change from 0 to 512
Modules linked in:
CPU: 1 PID: 4507 Comm: syz.0.17 Not tainted syzkaller #0
x29: ffff8000213b7060 x28: 00000000ffffffff x27: dfff800000000000
x26: 1fffe0001cac581b x25: ffff700004276dfc x24: 00000000ffffffff
x23: ffff800017a8b000 x22: ffff0000e562bf20 x21: ffffffffffffffff
x20: 0000000000000001 x19: ffff0000e562bee0 x18: ffff800011abbcc0
x17: 0000000000000000 x16: ffff8000082d22d4 x15: 0000000000000000
x14: 00000000ffffffff x13: 0000000000000001 x12: 0000000000ff0100
x11: ff00800008191ca8 x10: 0000000000000000 x9 : 5d2bfc233d26d100
x8 : 5d2bfc233d26d100 x7 : 0000000000000001 x6 : 0000000000000001
x5 : ffff8000213b6a78 x4 : ffff8000151a4820 x3 : ffff80000852e3f8
x2 : 0000000000000001 x1 : 0000000100000000 x0 : 0000000000000000
irq event stamp: 4326
hardirqs last enabled at (4325): [<ffff800008308418>] __up_console_sem+0xb4/0x100 kernel/printk/printk.c:261
hardirqs last disabled at (4326): [<ffff800011956c70>] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:405
softirqs last enabled at (4182): [<ffff8000081a967c>] softirq_handle_end kernel/softirq.c:439 [inline]
softirqs last enabled at (4182): [<ffff8000081a967c>] handle_softirqs+0xaf8/0xc6c kernel/softirq.c:624
softirqs last disabled at (4127): [<ffff800008020164>] __do_softirq+0x14/0x20 kernel/softirq.c:630
EXT4-fs error (device loop0) in ext4_orphan_del:305: Corrupt filesystem
EXT4-fs error (device loop0): ext4_do_update_inode:5254: inode #15: comm syz.0.17: corrupted inode contents
EXT4-fs error (device loop0): ext4_evict_inode:327: inode #15: comm syz.0.17: mark_inode_dirty error
EXT4-fs (loop0): 1 orphan inode deleted
EXT4-fs (loop0): mounted filesystem without journal. Quota mode: none.
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
HEAD commit: 28c695c365e1 Linux 6.1.150
git tree: linux-6.1.y
kernel config: https://syzkaller.appspot.com/x/.config?x=68aa5a3af1cb953a
dashboard link: https://syzkaller.appspot.com/bug?extid=23ef1ff7166a7f106a9d
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12ed7a42580000
dashboard link: https://syzkaller.appspot.com/bug?extid=23ef1ff7166a7f106a9d
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
userspace arch: arm64
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13605134580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/16e807247bf6/disk-28c695c3.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/a2c735eaf8f9/vmlinux-28c695c3.xz
kernel image: https://storage.googleapis.com/syzbot-assets/080f0096d6c9/Image-28c695c3.gz.xz
fsck result: failed (log: https://syzkaller.appspot.com/x/fsck.log?x=11a9a562580000)
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+23ef1f...@syzkaller.appspotmail.com
------------[ cut here ]------------
EA inode 11 ref_count=-1
WARNING: CPU: 1 PID: 4507 at fs/ext4/xattr.c:1016 ext4_xattr_inode_update_ref+0x3dc/0x4ac fs/ext4/xattr.c:1015
EA inode 11 ref_count=-1
Modules linked in:
CPU: 1 PID: 4507 Comm: syz.0.17 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/30/2025
pstate: 62400005 (nZCv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=--)
pc : ext4_xattr_inode_update_ref+0x3dc/0x4ac fs/ext4/xattr.c:1015
lr : ext4_xattr_inode_update_ref+0x3dc/0x4ac fs/ext4/xattr.c:1015
sp : ffff8000213b6fe0
pstate: 62400005 (nZCv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=--)
pc : ext4_xattr_inode_update_ref+0x3dc/0x4ac fs/ext4/xattr.c:1015
lr : ext4_xattr_inode_update_ref+0x3dc/0x4ac fs/ext4/xattr.c:1015
x29: ffff8000213b7060 x28: 00000000ffffffff x27: dfff800000000000
x26: 1fffe0001cac581b x25: ffff700004276dfc x24: 00000000ffffffff
x23: ffff800017a8b000 x22: ffff0000e562bf20 x21: ffffffffffffffff
x20: 0000000000000001 x19: ffff0000e562bee0 x18: ffff800011abbcc0
x17: 0000000000000000 x16: ffff8000082d22d4 x15: 0000000000000000
x14: 00000000ffffffff x13: 0000000000000001 x12: 0000000000ff0100
x11: ff00800008191ca8 x10: 0000000000000000 x9 : 5d2bfc233d26d100
x8 : 5d2bfc233d26d100 x7 : 0000000000000001 x6 : 0000000000000001
x5 : ffff8000213b6a78 x4 : ffff8000151a4820 x3 : ffff80000852e3f8
x2 : 0000000000000001 x1 : 0000000100000000 x0 : 0000000000000000
hardirqs last enabled at (4325): [<ffff800008308418>] __up_console_sem+0xb4/0x100 kernel/printk/printk.c:261
hardirqs last disabled at (4326): [<ffff800011956c70>] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:405
softirqs last enabled at (4182): [<ffff8000081a967c>] softirq_handle_end kernel/softirq.c:439 [inline]
softirqs last enabled at (4182): [<ffff8000081a967c>] handle_softirqs+0xaf8/0xc6c kernel/softirq.c:624
softirqs last disabled at (4127): [<ffff800008020164>] __do_softirq+0x14/0x20 kernel/softirq.c:630
---[ end trace 0000000000000000 ]---
EXT4-fs error (device loop0): ext4_do_update_inode:5254: inode #15: comm syz.0.17: corrupted inode contents
EXT4-fs error (device loop0) in ext4_orphan_del:305: Corrupt filesystem
EXT4-fs error (device loop0): ext4_do_update_inode:5254: inode #15: comm syz.0.17: corrupted inode contents
EXT4-fs error (device loop0): ext4_evict_inode:327: inode #15: comm syz.0.17: mark_inode_dirty error
EXT4-fs (loop0): 1 orphan inode deleted
EXT4-fs (loop0): mounted filesystem without journal. Quota mode: none.
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
Reply all
Reply to author
Forward
0 new messages