Hello,
syzbot found the following issue on:
HEAD commit: f2ddafa93a25 Linux 6.1.166
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=12fd694a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=b1adc0bfde2d8a4a
dashboard link: https://syzkaller.appspot.com/bug?extid=2bca6fe615e588a77cb9
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
userspace arch: arm64
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/28fc2cbac5cf/disk-f2ddafa9.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/b17a5a214fbc/vmlinux-f2ddafa9.xz
kernel image: https://storage.googleapis.com/syzbot-assets/c2564b1203e5/Image-f2ddafa9.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2bca6f...@syzkaller.appspotmail.com
EXT4-fs (loop2): pa 00000000fda08130: logic 128, phys. 385, len 8
EXT4-fs error (device loop2): ext4_mb_release_inode_pa:4890: group 0, free 0, pa_free 1
------------[ cut here ]------------
kernel BUG at fs/ext4/extents.c:3190!
Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 PID: 7270 Comm: syz.2.591 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/26/2026
pstate: 62400005 (nZCv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=--)
pc : ext4_split_extent_at+0xc38/0xc7c fs/ext4/extents.c:3190
lr : ext4_split_extent_at+0xc38/0xc7c fs/ext4/extents.c:3190
sp : ffff800021ac6b40
x29: ffff800021ac6c40 x28: 000000000000001b x27: 0000000000000002
x26: 000000000000001d x25: ffff0000ffc7f442 x24: ffff0000f6fd82b0
x23: ffff700004358d7c x22: ffff0000ffc7f440 x21: 0000000000000031
x20: ffff0000ffc7f43c x19: 0000000000008002 x18: 0000000000000000
x17: ffff80018a3ff000 x16: ffff8000082d7ca0 x15: 0000000000000002
x14: 0000000000000002 x13: 1fffe0001cd70fc8 x12: 0000000000080000
x11: 000000000007ffff x10: ffff800025c19000 x9 : ffff800008d32a30
x8 : 0000000000080000 x7 : 0000000000000000 x6 : 0000000000000000
x5 : 000000004000043b x4 : 0000000000000017 x3 : 0000000000000031
x2 : ffff800021ac6e80 x1 : 000000000000001d x0 : 0000000000000031
Call trace:
ext4_split_extent_at+0xc38/0xc7c fs/ext4/extents.c:3190
ext4_split_extent+0x300/0x430 fs/ext4/extents.c:3391
ext4_split_convert_extents fs/ext4/extents.c:3721 [inline]
ext4_ext_handle_unwritten_extents fs/ext4/extents.c:3882 [inline]
ext4_ext_map_blocks+0x10b4/0x56f4 fs/ext4/extents.c:4237
ext4_map_blocks+0x860/0x1778 fs/ext4/inode.c:679
mpage_map_one_extent fs/ext4/inode.c:2434 [inline]
mpage_map_and_submit_extent fs/ext4/inode.c:2487 [inline]
ext4_writepages+0xdbc/0x28b4 fs/ext4/inode.c:2855
do_writepages+0x2b0/0x504 mm/page-writeback.c:2491
filemap_fdatawrite_wbc+0x124/0x174 mm/filemap.c:388
__filemap_fdatawrite_range mm/filemap.c:421 [inline]
file_write_and_wait_range+0x11c/0x1f4 mm/filemap.c:774
ext4_sync_file+0x210/0xc70 fs/ext4/fsync.c:151
vfs_fsync_range+0x168/0x188 fs/sync.c:188
generic_write_sync include/linux/fs.h:2962 [inline]
ext4_buffered_write_iter+0x47c/0x528 fs/ext4/file.c:292
ext4_file_write_iter+0x18c/0x1574 fs/ext4/file.c:-1
call_write_iter include/linux/fs.h:2265 [inline]
new_sync_write fs/read_write.c:491 [inline]
vfs_write+0x3ec/0x7f0 fs/read_write.c:584
ksys_pwrite64 fs/read_write.c:699 [inline]
__do_sys_pwrite64 fs/read_write.c:709 [inline]
__se_sys_pwrite64 fs/read_write.c:706 [inline]
__arm64_sys_pwrite64+0x174/0x20c fs/read_write.c:706
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b4 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
do_el0_svc+0x58/0x130 arch/arm64/kernel/syscall.c:204
el0_svc+0x58/0x128 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
Code: aa1503e0 97eecb6b 17ffff05 97dde223 (d4210000)
---[ end trace 0000000000000000 ]---
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See: https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup