[syzbot] [bfs?] WARNING in bfs_get_block
2 views
Skip to first unread message
syzbot
1:05 AM (19 hours ago) 1:05 AM
to aivazia...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 3b058d1aeeef Add linux-next specific files for 20260327
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=15c1ec73980000
kernel config: https://syzkaller.appspot.com/x/.config?x=4acce231a75c746f
dashboard link: https://syzkaller.appspot.com/bug?extid=d083fd809394eab229a8
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10dd4c73980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16bdff52580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/5a5b73363d45/disk-3b058d1a.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ecba5c3ac106/vmlinux-3b058d1a.xz
kernel image: https://storage.googleapis.com/syzbot-assets/348124eb71de/bzImage-3b058d1a.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/5960870b4867/mount_7.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d083fd...@syzkaller.appspotmail.com
------------[ cut here ]------------
!buffer_uptodate(bh)
WARNING: fs/buffer.c:1180 at mark_buffer_dirty+0x299/0x410 fs/buffer.c:1180, CPU#1: syz.0.31/6148
Modules linked in:
CPU: 1 UID: 0 PID: 6148 Comm: syz.0.31 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
RIP: 0010:mark_buffer_dirty+0x299/0x410 fs/buffer.c:1180
Code: 4c 89 f7 e8 c9 67 da ff 49 8b 3e be 40 00 00 00 5b 41 5c 41 5e 41 5f 5d e9 54 5e fb ff e8 ff fd 70 ff eb 8c e8 f8 fd 70 ff 90 <0f> 0b 90 e9 a5 fd ff ff e8 ea fd 70 ff 90 0f 0b 90 e9 cf fd ff ff
RSP: 0018:ffffc90003957608 EFLAGS: 00010293
RAX: ffffffff82552488 RBX: ffff888071a17828 RCX: ffff88802d50bd00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000002
RBP: ffff8880329b8001 R08: ffff888071a1782f R09: 1ffff1100e342f05
R10: dffffc0000000000 R11: ffffed100e342f06 R12: ffff888069c75000
R13: ffff888071910d98 R14: ffff888071a17828 R15: 000000000000000f
FS: 00007fb4059fe6c0(0000) GS:ffff88812553f000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000200000001000 CR3: 0000000072546000 CR4: 00000000003526f0
Call Trace:
<TASK>
bfs_move_block fs/bfs/file.c:44 [inline]
bfs_move_blocks fs/bfs/file.c:57 [inline]
bfs_get_block+0x5da/0xae0 fs/bfs/file.c:126
__block_write_begin_int+0x6c6/0x1910 fs/buffer.c:2142
block_write_begin+0x8d/0x120 fs/buffer.c:2253
bfs_write_begin+0x35/0xd0 fs/bfs/file.c:180
generic_perform_write+0x2e2/0x8f0 mm/filemap.c:4325
generic_file_write_iter+0x14a/0x680 mm/filemap.c:4468
new_sync_write fs/read_write.c:595 [inline]
vfs_write+0x61d/0xb90 fs/read_write.c:688
ksys_pwrite64 fs/read_write.c:795 [inline]
__do_sys_pwrite64 fs/read_write.c:803 [inline]
__se_sys_pwrite64 fs/read_write.c:800 [inline]
__x64_sys_pwrite64+0x199/0x230 fs/read_write.c:800
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb40639c799
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fb4059fe028 EFLAGS: 00000246 ORIG_RAX: 0000000000000012
RAX: ffffffffffffffda RBX: 00007fb406616090 RCX: 00007fb40639c799
RDX: 000000000000fdef RSI: 0000200000000140 RDI: 0000000000000008
RBP: 00007fb406432c99 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000e7c R11: 0000000000000246 R12: 0000000000000000
R13: 00007fb406616128 R14: 00007fb406616090 R15: 00007ffd7ddb9028
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 3b058d1aeeef Add linux-next specific files for 20260327
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=15c1ec73980000
kernel config: https://syzkaller.appspot.com/x/.config?x=4acce231a75c746f
dashboard link: https://syzkaller.appspot.com/bug?extid=d083fd809394eab229a8
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10dd4c73980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16bdff52580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/5a5b73363d45/disk-3b058d1a.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ecba5c3ac106/vmlinux-3b058d1a.xz
kernel image: https://storage.googleapis.com/syzbot-assets/348124eb71de/bzImage-3b058d1a.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/5960870b4867/mount_7.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d083fd...@syzkaller.appspotmail.com
------------[ cut here ]------------
!buffer_uptodate(bh)
WARNING: fs/buffer.c:1180 at mark_buffer_dirty+0x299/0x410 fs/buffer.c:1180, CPU#1: syz.0.31/6148
Modules linked in:
CPU: 1 UID: 0 PID: 6148 Comm: syz.0.31 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
RIP: 0010:mark_buffer_dirty+0x299/0x410 fs/buffer.c:1180
Code: 4c 89 f7 e8 c9 67 da ff 49 8b 3e be 40 00 00 00 5b 41 5c 41 5e 41 5f 5d e9 54 5e fb ff e8 ff fd 70 ff eb 8c e8 f8 fd 70 ff 90 <0f> 0b 90 e9 a5 fd ff ff e8 ea fd 70 ff 90 0f 0b 90 e9 cf fd ff ff
RSP: 0018:ffffc90003957608 EFLAGS: 00010293
RAX: ffffffff82552488 RBX: ffff888071a17828 RCX: ffff88802d50bd00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000002
RBP: ffff8880329b8001 R08: ffff888071a1782f R09: 1ffff1100e342f05
R10: dffffc0000000000 R11: ffffed100e342f06 R12: ffff888069c75000
R13: ffff888071910d98 R14: ffff888071a17828 R15: 000000000000000f
FS: 00007fb4059fe6c0(0000) GS:ffff88812553f000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000200000001000 CR3: 0000000072546000 CR4: 00000000003526f0
Call Trace:
<TASK>
bfs_move_block fs/bfs/file.c:44 [inline]
bfs_move_blocks fs/bfs/file.c:57 [inline]
bfs_get_block+0x5da/0xae0 fs/bfs/file.c:126
__block_write_begin_int+0x6c6/0x1910 fs/buffer.c:2142
block_write_begin+0x8d/0x120 fs/buffer.c:2253
bfs_write_begin+0x35/0xd0 fs/bfs/file.c:180
generic_perform_write+0x2e2/0x8f0 mm/filemap.c:4325
generic_file_write_iter+0x14a/0x680 mm/filemap.c:4468
new_sync_write fs/read_write.c:595 [inline]
vfs_write+0x61d/0xb90 fs/read_write.c:688
ksys_pwrite64 fs/read_write.c:795 [inline]
__do_sys_pwrite64 fs/read_write.c:803 [inline]
__se_sys_pwrite64 fs/read_write.c:800 [inline]
__x64_sys_pwrite64+0x199/0x230 fs/read_write.c:800
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb40639c799
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fb4059fe028 EFLAGS: 00000246 ORIG_RAX: 0000000000000012
RAX: ffffffffffffffda RBX: 00007fb406616090 RCX: 00007fb40639c799
RDX: 000000000000fdef RSI: 0000200000000140 RDI: 0000000000000008
RBP: 00007fb406432c99 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000e7c R11: 0000000000000246 R12: 0000000000000000
R13: 00007fb406616128 R14: 00007fb406616090 R15: 00007ffd7ddb9028
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
5:04 AM (15 hours ago) 5:04 AM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: [PATCH] bfs: fix missing set_buffer_uptodate() in bfs_move_block()
Author: karti...@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
bfs_move_block() uses sb_getblk() to obtain a buffer for the destination
block, copies data into it via memcpy(), and then calls mark_buffer_dirty().
However, sb_getblk() only allocates a buffer head without reading the block
from disk, leaving BH_Uptodate unset. This causes mark_buffer_dirty() to
trigger a warning:
WARNING: fs/buffer.c:1180 at mark_buffer_dirty+0x299/0x410
!buffer_uptodate(bh)
Since bfs_move_block() fully overwrites the destination buffer via memcpy(),
reading the block from disk is unnecessary. Instead, call
set_buffer_uptodate() after the copy to indicate the buffer contains valid
data before marking it dirty.
Additionally, sb_getblk() can return NULL but the original code never
checked for this, which would cause a NULL pointer dereference. Add a
proper NULL check with cleanup of the source buffer on failure.
Reported-by: syzbot+d083fd...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d083fd809394eab229a8
Signed-off-by: Deepanshu Kartikey <karti...@gmail.com>
---
fs/bfs/file.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/fs/bfs/file.c b/fs/bfs/file.c
index d33d6bde992b..0a9b12b73324 100644
--- a/fs/bfs/file.c
+++ b/fs/bfs/file.c
@@ -40,7 +40,12 @@ static int bfs_move_block(unsigned long from, unsigned long to,
if (!bh)
return -EIO;
new = sb_getblk(sb, to);
+ if (!new) {
+ brelse(bh);
+ return -EIO;
+ }
memcpy(new->b_data, bh->b_data, bh->b_size);
+ set_buffer_uptodate(new);
mark_buffer_dirty(new);
bforget(bh);
brelse(new);
--
2.43.0
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: [PATCH] bfs: fix missing set_buffer_uptodate() in bfs_move_block()
Author: karti...@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
bfs_move_block() uses sb_getblk() to obtain a buffer for the destination
block, copies data into it via memcpy(), and then calls mark_buffer_dirty().
However, sb_getblk() only allocates a buffer head without reading the block
from disk, leaving BH_Uptodate unset. This causes mark_buffer_dirty() to
trigger a warning:
WARNING: fs/buffer.c:1180 at mark_buffer_dirty+0x299/0x410
Since bfs_move_block() fully overwrites the destination buffer via memcpy(),
reading the block from disk is unnecessary. Instead, call
set_buffer_uptodate() after the copy to indicate the buffer contains valid
data before marking it dirty.
Additionally, sb_getblk() can return NULL but the original code never
checked for this, which would cause a NULL pointer dereference. Add a
proper NULL check with cleanup of the source buffer on failure.
Reported-by: syzbot+d083fd...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d083fd809394eab229a8
Signed-off-by: Deepanshu Kartikey <karti...@gmail.com>
---
fs/bfs/file.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/fs/bfs/file.c b/fs/bfs/file.c
index d33d6bde992b..0a9b12b73324 100644
--- a/fs/bfs/file.c
+++ b/fs/bfs/file.c
@@ -40,7 +40,12 @@ static int bfs_move_block(unsigned long from, unsigned long to,
if (!bh)
return -EIO;
new = sb_getblk(sb, to);
+ if (!new) {
+ brelse(bh);
+ return -EIO;
+ }
memcpy(new->b_data, bh->b_data, bh->b_size);
+ set_buffer_uptodate(new);
mark_buffer_dirty(new);
bforget(bh);
brelse(new);
--
2.43.0
syzbot
5:29 AM (14 hours ago) 5:29 AM
to karti...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+d083fd...@syzkaller.appspotmail.com
Tested-by: syzbot+d083fd...@syzkaller.appspotmail.com
Tested on:
commit: 3b058d1a Add linux-next specific files for 20260327
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=147f6d02580000
Note: testing is done by a robot and is best-effort only.
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+d083fd...@syzkaller.appspotmail.com
Tested-by: syzbot+d083fd...@syzkaller.appspotmail.com
Tested on:
commit: 3b058d1a Add linux-next specific files for 20260327
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=147f6d02580000
kernel config: https://syzkaller.appspot.com/x/.config?x=4acce231a75c746f
dashboard link: https://syzkaller.appspot.com/bug?extid=d083fd809394eab229a8
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=13394648580000
dashboard link: https://syzkaller.appspot.com/bug?extid=d083fd809394eab229a8
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
Note: testing is done by a robot and is best-effort only.
Reply all
Reply to author
Forward
0 new messages