On Fri, May 15, 2026 at 1:45 AM Daiki <daik...@gmail.com> wrote:
> I was able to reproduce this bug with the following C reproducer:
>
> // repro.c
> #include <fcntl.h>
> #include <stdio.h>
> #include <sys/ioctl.h>
> #include <sys/mount.h>
> #include <sys/stat.h>
> #include <linux/loop.h>
> #include <unistd.h>
>
> int main(void) {
>     /* 1 MiB sparse file used as the loop device's backing store */
>     int fd = open("/tmp/img", O_RDWR|O_CREAT|O_TRUNC, 0644);
>     ftruncate(fd, 1<<20);
>     close(fd);
>
>     /* ask loop-control for a free loop device number */
>     int lc = open("/dev/loop-control", O_RDWR);
>     int nr = ioctl(lc, LOOP_CTL_GET_FREE);
>     close(lc);
>     char lo[64];
>     snprintf(lo, sizeof(lo), "/dev/loop%d", nr);
>
>     /* attach the backing file, then set a 32 KiB block size (larger than the 4 KiB page size) */
>     int lf = open(lo, O_RDWR);
>     fd = open("/tmp/img", O_RDWR);
>     ioctl(lf, LOOP_SET_FD, fd);
>     close(fd);
>     ioctl(lf, 0x4c09, 0x8000); // LOOP_SET_BLOCK_SIZE = 32768
>     close(lf);
>
>     /* mounting the device as jfs reaches sb_bread() with block size > page size */
>     mkdir("/tmp/mnt", 0755);
>     mount(lo, "/tmp/mnt", "jfs", 0x8000, NULL); // MS_SILENT
>     return 0;
> }
>
> A fix patch has been sent:
>
> https://lore.kernel.org/all/20260514160700.376172-1-daik...@gmail.com/
>
> On Thu, May 14, 2026 at 7:36 PM syzbot <syzbot+32ec8b5bd050c78741c2@syzkaller.appspotmail.com> wrote:
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit:    1d5dcaa3bd65 Merge tag 'probes-fixes-v7.1-rc3' of git://gi..
> > git tree:       upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=1592ed06580000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=7f195f6be48c12ec
> > dashboard link: https://syzkaller.appspot.com/bug?extid=32ec8b5bd050c78741c2
> > compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
> >
> > Unfortunately, I don't have any reproducer for this issue yet.
> >
> > Downloadable assets:
> > disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-1d5dcaa3.raw.xz
> > vmlinux: https://storage.googleapis.com/syzbot-assets/2cb31960a181/vmlinux-1d5dcaa3.xz
> > kernel image: https://storage.googleapis.com/syzbot-assets/6d3969d0ce3d/bzImage-1d5dcaa3.xz
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+32ec8b5bd050c78741c2@syzkaller.appspotmail.com
> >
> > loop0: detected capacity change from 0 to 2048
> > loop0: p2 p3 < > p4 < p5 >
> > loop0: partition table partially beyond EOD, truncated
> > loop0: p3 start 4284289 is beyond EOD, truncated
> > jfs: block size(32768) > page size(4096) not supported by filesystem
> > ------------[ cut here ]------------
> > kernel BUG at fs/buffer.c:1479!
> > Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
> > CPU: 0 UID: 0 PID: 5328 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
> > Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
> > RIP: 0010:folio_set_bh+0x1dc/0x1e0 fs/buffer.c:1479
> > Code: 4c 89 e2 e8 b6 71 98 02 e9 42 ff ff ff e8 3c 80 6d ff 48 89 df 48 c7 c6 00 28 df 8b e8 6d bd cf fe 90 0f 0b e8 25 80 6d ff 90 <0f> 0b 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f
> > RSP: 0018:ffffc9000e2378f0 EFLAGS: 00010287
> > RAX: ffffffff8258511b RBX: ffffea0000391600 RCX: 0000000000100000
> > RDX: ffffc9000ec4a000 RSI: 0000000000001a43 RDI: 0000000000001a44
> > RBP: dffffc0000000000 R08: ffffea0000391607 R09: 1ffffd40000722c0
> > R10: dffffc0000000000 R11: fffff940000722c1 R12: 0000000000000003
> > R13: 0000000000008000 R14: ffff88804789f740 R15: 0000000000008000
> > FS:  00007fb7faee76c0(0000) GS:ffff88808c881000(0000) knlGS:0000000000000000
> > CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: 00007f86657e22b0 CR3: 00000000128ba000 CR4: 0000000000352ef0
> > Call Trace:
> >  <TASK>
> >  folio_alloc_buffers+0x228/0x640 fs/buffer.c:849
> >  grow_dev_folio fs/buffer.c:979 [inline]
> >  grow_buffers fs/buffer.c:1020 [inline]
> >  __getblk_slow fs/buffer.c:1038 [inline]
> >  bdev_getblk+0x2cb/0x6e0 fs/buffer.c:1358
> >  __bread_gfp+0x89/0x3b0 fs/buffer.c:1412
> >  sb_bread include/linux/buffer_head.h:346 [inline]
> >  readSuper+0xdb/0x270 fs/jfs/jfs_mount.c:462
> >  chkSuper+0x5d/0xe00 fs/jfs/jfs_mount.c:299
> >  jfs_mount+0x4b/0x870 fs/jfs/jfs_mount.c:83
> >  jfs_fill_super+0x6bc/0xd80 fs/jfs/super.c:523
> >  get_tree_bdev_flags+0x431/0x4f0 fs/super.c:1694
> >  vfs_get_tree+0x92/0x2a0 fs/super.c:1754
> >  fc_mount fs/namespace.c:1193 [inline]
> >  do_new_mount_fc fs/namespace.c:3758 [inline]
> >  do_new_mount+0x341/0xd30 fs/namespace.c:3834
> >  do_mount fs/namespace.c:4167 [inline]
> >  __do_sys_mount fs/namespace.c:4383 [inline]
> >  __se_sys_mount+0x31d/0x420 fs/namespace.c:4360
> >  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> >  do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
> >  entry_SYSCALL_64_after_hwframe+0x77/0x7f
> > RIP: 0033:0x7fb7f9f9ce59
> > Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
> > RSP: 002b:00007fb7faee6fe8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
> > RAX: ffffffffffffffda RBX: 00007fb7fa215fa0 RCX: 00007fb7f9f9ce59
> > RDX: 0000200000000040 RSI: 0000200000000140 RDI: 0000200000000080
> > RBP: 00007fb7fa032d6f R08: 0000000000000000 R09: 0000000000000000
> > R10: 000000000000c000 R11: 0000000000000246 R12: 0000000000000000
> > R13: 00007fb7fa216038 R14: 00007fb7fa215fa0 R15: 00007ffff2e0f5c8
> >  </TASK>
> > Modules linked in:
> > ---[ end trace 0000000000000000 ]---
> > RIP: 0010:folio_set_bh+0x1dc/0x1e0 fs/buffer.c:1479
> > Code: 4c 89 e2 e8 b6 71 98 02 e9 42 ff ff ff e8 3c 80 6d ff 48 89 df 48 c7 c6 00 28 df 8b e8 6d bd cf fe 90 0f 0b e8 25 80 6d ff 90 <0f> 0b 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f
> > RSP: 0018:ffffc9000e2378f0 EFLAGS: 00010287
> > RAX: ffffffff8258511b RBX: ffffea0000391600 RCX: 0000000000100000
> > RDX: ffffc9000ec4a000 RSI: 0000000000001a43 RDI: 0000000000001a44
> > RBP: dffffc0000000000 R08: ffffea0000391607 R09: 1ffffd40000722c0
> > R10: dffffc0000000000 R11: fffff940000722c1 R12: 0000000000000003
> > R13: 0000000000008000 R14: ffff88804789f740 R15: 0000000000008000
> > FS:  00007fb7faee76c0(0000) GS:ffff88808c881000(0000) knlGS:0000000000000000
> > CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: 00007f8a5bc8038f CR3: 00000000128ba000 CR4: 0000000000352ef0
> >
> >
> > ---
> > This report is generated by a bot. It may contain errors.
> > See https://goo.gl/tpsmEJ for more information about syzbot.
> > syzbot engineers can be reached at syzk...@googlegroups.com.
> >
> > syzbot will keep track of this issue. See:
> > https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> >
> > If the report is already addressed, let syzbot know by replying with:
> > #syz fix: exact-commit-title
> >
> > If you want to overwrite report's subsystems, reply with:
> > #syz set subsystems: new-subsystem
> > (See the list of subsystem names on the web dashboard)
> >
> > If the report is a duplicate of another one, reply with:
> > #syz dup: exact-subject-of-another-report
> >
> > If you want to undo deduplication, reply with:
> > #syz undup

Too many commands (4 > 3)