Hello,
syzbot found the following issue on:
HEAD commit: 1ac09f5c0571 ANDROID: GKI: Update symbol list for arg
git tree: android14-6.1
console+strace: https://syzkaller.appspot.com/x/log.txt?x=13d2cbdf980000
kernel config: https://syzkaller.appspot.com/x/.config?x=d23e14f5c2489bd7
dashboard link: https://syzkaller.appspot.com/bug?extid=ab6523e376a379e63cb0
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10fb2b18580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=113c3df8580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/17f20c88138f/disk-1ac09f5c.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/44addda8df12/vmlinux-1ac09f5c.xz
kernel image: https://storage.googleapis.com/syzbot-assets/ab72da9edd3d/bzImage-1ac09f5c.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/dea197142c54/mount_0.gz
fsck result: failed (log: https://syzkaller.appspot.com/x/fsck.log?x=15d411b0580000)
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ab6523...@syzkaller.appspotmail.com
loop0: detected capacity change from 1024 to 1023
------------[ cut here ]------------
kernel BUG at fs/ext4/inline.c:2005!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 299 Comm: syz-executor348 Not tainted 6.1.124-syzkaller-00004-g1ac09f5c0571 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
RIP: 0010:ext4_inline_data_truncate+0xd54/0xd60 fs/ext4/inline.c:2005
Code: 80 e1 07 80 c1 03 38 c1 0f 8c 6e fd ff ff e8 f3 bf c9 ff 48 8d 94 24 e0 00 00 00 e9 5c fd ff ff e8 31 a1 28 03 e8 bc 39 82 ff <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 41 55
RSP: 0018:ffffc90000de7540 EFLAGS: 00010293
RAX: ffffffff81f35b04 RBX: 00000000ffffffc3 RCX: ffff88810f27e540
RDX: 0000000000000000 RSI: 00000000ffffffc3 RDI: 0000000000000000
RBP: ffffc90000de76b0 R08: ffffffff81f357ca R09: ffffed10200b2f0e
R10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff920001bcebc
R13: dffffc0000000000 R14: 0000000000000000 R15: ffff888100597980
FS: 0000000000000000(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f63f03c7048 CR3: 000000000700f000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
ext4_truncate+0x337/0xfb0 fs/ext4/inode.c:4246
ext4_evict_inode+0xd41/0x1550 fs/ext4/inode.c:286
evict+0x529/0x930 fs/inode.c:705
iput_final fs/inode.c:1834 [inline]
iput+0x616/0x690 fs/inode.c:1860
dentry_unlink_inode+0x34e/0x430 fs/dcache.c:405
__dentry_kill+0x447/0x650 fs/dcache.c:611
dentry_kill+0xc0/0x2a0
dput+0x40/0x80 fs/dcache.c:918
__fput+0x56c/0x870 fs/file_table.c:328
____fput+0x15/0x20 fs/file_table.c:348
task_work_run+0x24d/0x2e0 kernel/task_work.c:203
exit_task_work include/linux/task_work.h:39 [inline]
do_exit+0xbd0/0x2b80 kernel/exit.c:877
do_group_exit+0x21a/0x2d0 kernel/exit.c:1027
__do_sys_exit_group kernel/exit.c:1038 [inline]
__se_sys_exit_group kernel/exit.c:1036 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1036
x64_sys_call+0x610/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:232
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f63f037d479
Code: Unable to access opcode bytes at 0x7f63f037d44f.
RSP: 002b:00007fffad650e18 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f63f037d479
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
RBP: 00007f63f03f9370 R08: ffffffffffffffb8 R09: 00007f63f03f8260
R10: 0000000000000007 R11: 0000000000000246 R12: 00007f63f03f9370
R13: 0000000000000000 R14: 00007f63f03fa0e0 R15: 00007f63f034bd70
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:ext4_inline_data_truncate+0xd54/0xd60 fs/ext4/inline.c:2005
Code: 80 e1 07 80 c1 03 38 c1 0f 8c 6e fd ff ff e8 f3 bf c9 ff 48 8d 94 24 e0 00 00 00 e9 5c fd ff ff e8 31 a1 28 03 e8 bc 39 82 ff <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 41 55
RSP: 0018:ffffc90000de7540 EFLAGS: 00010293
RAX: ffffffff81f35b04 RBX: 00000000ffffffc3 RCX: ffff88810f27e540
RDX: 0000000000000000 RSI: 00000000ffffffc3 RDI: 0000000000000000
RBP: ffffc90000de76b0 R08: ffffffff81f357ca R09: ffffed10200b2f0e
R10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff920001bcebc
R13: dffffc0000000000 R14: 0000000000000000 R15: ffff888100597980
FS: 0000000000000000(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f63f03c7048 CR3: 000000010ee42000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup