[v6.1] BUG: unable to handle kernel paging request in ext4_ext_map_blocks

syzbot

Mar 25, 2026, 6:41:29 AM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 1989cd3d56e2 Linux 6.1.167
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=16566752580000
kernel config: https://syzkaller.appspot.com/x/.config?x=b1adc0bfde2d8a4a
dashboard link: https://syzkaller.appspot.com/bug?extid=5056dc3760175e1258d8
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
userspace arch: arm64

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/edd05d4d1a68/disk-1989cd3d.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/bdc3181e838d/vmlinux-1989cd3d.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a78aef5a3a25/Image-1989cd3d.gz.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+5056dc...@syzkaller.appspotmail.com

EXT4-fs error (device loop0): ext4_do_update_inode:5268: inode #3: comm syz.0.2599: corrupted inode contents
EXT4-fs error (device loop0): __ext4_ext_dirty:206: inode #3: comm syz.0.2599: mark_inode_dirty error
Unable to handle kernel paging request at virtual address ffffffffffffff93
KASAN: maybe wild-memory-access in range [0x0003fffffffffc98-0x0003fffffffffc9f]
Mem abort info:
ESR = 0x0000000096000004
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x04: level 0 translation fault
Data abort info:
ISV = 0, ISS = 0x00000004
CM = 0, WnR = 0
swapper pgtable: 4k pages, 48-bit VAs, pgdp=000000020dfcc000
[ffffffffffffff93] pgd=0000000000000000, p4d=0000000000000000
Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 9727 Comm: syz.0.2599 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/26/2026
pstate: 62400005 (nZCv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=--)
pc : ext4_ext_drop_refs fs/ext4/extents.c:119 [inline]
pc : ext4_free_ext_path fs/ext4/extents.c:128 [inline]
pc : ext4_ext_map_blocks+0x2a70/0x570c fs/ext4/extents.c:4497
lr : ext4_ext_map_blocks+0x1528/0x570c fs/ext4/extents.c:4438
sp : ffff800020ca6800
x29: ffff800020ca6a80 x28: dfff800000000000 x27: 0000000000000001
x26: ffff800020ca6cc0 x25: 0000000000000001 x24: 0000000000000001
x23: 0000000000000001 x22: 0000000000000042 x21: 0000000000000029
x20: ffff800020ca6cc0 x19: ffffffffffffff8b x18: ffff800011b9bf60
x17: ffff80001835a000 x16: ffff8000082d7db8 x15: ffff800017e3b000
x14: 0000000000000001 x13: 1fffe0001f3a2ad7 x12: 0000000000080000
x11: 0000000000050433 x10: ffff8000219ea000 x9 : 262c93e87b22ab00
x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000
x5 : 0000000000000080 x4 : ffff0000fb98ccb0 x3 : ffff800008a90998
x2 : 0000000000000001 x1 : 0000000000000000 x0 : ffffffffffffff93
Call trace:
ext4_ext_drop_refs fs/ext4/extents.c:119 [inline]
ext4_free_ext_path fs/ext4/extents.c:128 [inline]
ext4_ext_map_blocks+0x2a70/0x570c fs/ext4/extents.c:4497
ext4_map_blocks+0x860/0x1778 fs/ext4/inode.c:679
ext4_getblk+0x178/0x664 fs/ext4/inode.c:890
ext4_bread+0x3c/0x1a8 fs/ext4/inode.c:946
ext4_quota_write+0x204/0x534 fs/ext4/super.c:7222
write_blk fs/quota/quota_tree.c:70 [inline]
get_free_dqblk+0x284/0x574 fs/quota/quota_tree.c:136
do_insert_tree+0x1c4/0xc34 fs/quota/quota_tree.c:347
do_insert_tree+0x790/0xc34 fs/quota/quota_tree.c:402
do_insert_tree+0x790/0xc34 fs/quota/quota_tree.c:402
do_insert_tree+0x790/0xc34 fs/quota/quota_tree.c:402
dq_insert_tree fs/quota/quota_tree.c:432 [inline]
qtree_write_dquot+0x3d4/0x4f0 fs/quota/quota_tree.c:451
v2_write_dquot+0xf0/0x180 fs/quota/quota_v2.c:361
dquot_acquire+0x2a8/0x4d8 fs/quota/dquot.c:472
ext4_acquire_dquot+0x270/0x428 fs/ext4/super.c:6831
dqget+0x654/0xcc4 fs/quota/dquot.c:988
__dquot_initialize+0x2fc/0xacc fs/quota/dquot.c:1517
dquot_initialize+0x24/0x34 fs/quota/dquot.c:1579
ext4_process_orphan+0x5c/0x2b4 fs/ext4/orphan.c:327
ext4_orphan_cleanup+0x920/0x1060 fs/ext4/orphan.c:472
__ext4_fill_super fs/ext4/super.c:5556 [inline]
ext4_fill_super+0x6188/0x660c fs/ext4/super.c:5687
get_tree_bdev+0x358/0x544 fs/super.c:1366
ext4_get_tree+0x28/0x38 fs/ext4/super.c:5717
vfs_get_tree+0x90/0x274 fs/super.c:1573
do_new_mount+0x228/0x810 fs/namespace.c:3078
path_mount+0x5bc/0xe80 fs/namespace.c:3408
do_mount fs/namespace.c:3421 [inline]
__do_sys_mount fs/namespace.c:3629 [inline]
__se_sys_mount fs/namespace.c:3606 [inline]
__arm64_sys_mount+0x49c/0x59c fs/namespace.c:3606
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b4 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
do_el0_svc+0x58/0x130 arch/arm64/kernel/syscall.c:204
el0_svc+0x58/0x128 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
Code: 2a1803fb d343fc08 38fc6908 35006ba8 (79401276)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
0: 2a1803fb mov w27, w24
4: d343fc08 lsr x8, x0, #3
8: 38fc6908 ldrsb w8, [x8, x28]
c: 35006ba8 cbnz w8, 0xd80
* 10: 79401276 ldrh w22, [x19, #8] <-- trapping instruction


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite the report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syzbot

Mar 25, 2026, 7:12:28 AM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: c09fbcd31ae6 Linux 6.6.130
git tree: linux-6.6.y
console output: https://syzkaller.appspot.com/x/log.txt?x=17aed6da580000
kernel config: https://syzkaller.appspot.com/x/.config?x=c5b35c4db8465904
dashboard link: https://syzkaller.appspot.com/bug?extid=3ad17e94107dda6b6b03
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/58165bbf9941/disk-c09fbcd3.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/73cbb84fb36b/vmlinux-c09fbcd3.xz
kernel image: https://storage.googleapis.com/syzbot-assets/744ea33ec44b/bzImage-c09fbcd3.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3ad17e...@syzkaller.appspotmail.com

EXT4-fs error (device loop0): ext4_map_blocks:608: inode #3: block 2: comm syz.0.690: lblock 2 mapped to illegal pblock 2 (length 1)
Quota error (device loop0): qtree_write_dquot: dquota write failed
EXT4-fs error (device loop0): __ext4_get_inode_loc:4489: comm syz.0.690: Invalid inode table block 1 in block_group 0
EXT4-fs error (device loop0) in ext4_reserve_inode_write:5920: Corrupt filesystem
EXT4-fs error (device loop0): __ext4_ext_dirty:206: inode #3: comm syz.0.690: mark_inode_dirty error
BUG: unable to handle page fault for address: ffffffffffffff93
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD cf35067 P4D cf35067 PUD cf37067 PMD 0
Oops: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 7518 Comm: syz.0.690 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
RIP: 0010:ext4_ext_drop_refs fs/ext4/extents.c:119 [inline]
RIP: 0010:ext4_free_ext_path fs/ext4/extents.c:128 [inline]
RIP: 0010:ext4_ext_map_blocks+0x2d00/0x6800 fs/ext4/extents.c:4494
Code: 8b 7c 24 10 4d 85 ff 0f 84 bd 00 00 00 e8 78 dc 58 ff 49 8d 7f 08 48 89 f8 48 c1 e8 03 42 0f b6 04 30 84 c0 0f 85 3d 1e 00 00 <41> 0f b7 47 08 c1 e0 04 48 8d 04 40 48 89 44 24 10 4d 89 fc 49 8d
RSP: 0018:ffffc9000d0b6ee0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000080000
RDX: ffffc9000d169000 RSI: 000000000007ffff RDI: ffffffffffffff93
RBP: ffffc9000d0b7190 R08: ffffffff8e8b02af R09: 1ffffffff1d16055
R10: dffffc0000000000 R11: fffffbfff1d16056 R12: 0000000000000001
R13: 1ffff92001a16e08 R14: dffffc0000000000 R15: ffffffffffffff8b
FS: 00007fb3a47366c0(0000) GS:ffff8880b8e00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffff93 CR3: 0000000077a5e000 CR4: 00000000003506f0
Call Trace:
<TASK>
ext4_map_blocks+0x9e2/0x1b80 fs/ext4/inode.c:652
ext4_getblk+0x1d0/0x6f0 fs/ext4/inode.c:862
ext4_bread+0x2a/0x170 fs/ext4/inode.c:918
ext4_quota_write+0x23a/0x580 fs/ext4/super.c:7313
v2_write_file_info+0x24d/0x3b0 fs/quota/quota_v2.c:213
dquot_acquire+0x477/0x610 fs/quota/dquot.c:477
ext4_acquire_dquot+0x2e3/0x4b0 fs/ext4/super.c:6945
dqget+0x77c/0xeb0 fs/quota/dquot.c:990
__dquot_initialize+0x3c7/0xcd0 fs/quota/dquot.c:1518
ext4_process_orphan+0x54/0x300 fs/ext4/orphan.c:327
ext4_orphan_cleanup+0xbec/0x1420 fs/ext4/orphan.c:472
__ext4_fill_super fs/ext4/super.c:5617 [inline]
ext4_fill_super+0x5ed0/0x6790 fs/ext4/super.c:5740
get_tree_bdev+0x3f3/0x520 fs/super.c:1591
vfs_get_tree+0x8c/0x280 fs/super.c:1764
do_new_mount+0x24b/0xa40 fs/namespace.c:3386
do_mount fs/namespace.c:3726 [inline]
__do_sys_mount fs/namespace.c:3935 [inline]
__se_sys_mount+0x2e7/0x3d0 fs/namespace.c:3912
do_syscall_x64 arch/x86/entry/common.c:46 [inline]
do_syscall_64+0x55/0xa0 arch/x86/entry/common.c:76
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7fb3a379da0a
Code: 48 c7 c2 e8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fb3a4735e58 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007fb3a4735ee0 RCX: 00007fb3a379da0a
RDX: 0000200000000140 RSI: 0000200000000040 RDI: 00007fb3a4735ea0
RBP: 0000200000000140 R08: 00007fb3a4735ee0 R09: 0000000000008000
R10: 0000000000008000 R11: 0000000000000246 R12: 0000200000000040
R13: 00007fb3a4735ea0 R14: 0000000000000605 R15: 0000200000000800
</TASK>
Modules linked in:
CR2: ffffffffffffff93
---[ end trace 0000000000000000 ]---
RIP: 0010:ext4_ext_drop_refs fs/ext4/extents.c:119 [inline]
RIP: 0010:ext4_free_ext_path fs/ext4/extents.c:128 [inline]
RIP: 0010:ext4_ext_map_blocks+0x2d00/0x6800 fs/ext4/extents.c:4494
Code: 8b 7c 24 10 4d 85 ff 0f 84 bd 00 00 00 e8 78 dc 58 ff 49 8d 7f 08 48 89 f8 48 c1 e8 03 42 0f b6 04 30 84 c0 0f 85 3d 1e 00 00 <41> 0f b7 47 08 c1 e0 04 48 8d 04 40 48 89 44 24 10 4d 89 fc 49 8d
RSP: 0018:ffffc9000d0b6ee0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000080000
RDX: ffffc9000d169000 RSI: 000000000007ffff RDI: ffffffffffffff93
RBP: ffffc9000d0b7190 R08: ffffffff8e8b02af R09: 1ffffffff1d16055
R10: dffffc0000000000 R11: fffffbfff1d16056 R12: 0000000000000001
R13: 1ffff92001a16e08 R14: dffffc0000000000 R15: ffffffffffffff8b
FS: 00007fb3a47366c0(0000) GS:ffff8880b8e00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffff93 CR3: 0000000077a5e000 CR4: 00000000003506f0
----------------
Code disassembly (best guess):
0: 8b 7c 24 10 mov 0x10(%rsp),%edi
4: 4d 85 ff test %r15,%r15
7: 0f 84 bd 00 00 00 je 0xca
d: e8 78 dc 58 ff call 0xff58dc8a
12: 49 8d 7f 08 lea 0x8(%r15),%rdi
16: 48 89 f8 mov %rdi,%rax
19: 48 c1 e8 03 shr $0x3,%rax
1d: 42 0f b6 04 30 movzbl (%rax,%r14,1),%eax
22: 84 c0 test %al,%al
24: 0f 85 3d 1e 00 00 jne 0x1e67
* 2a: 41 0f b7 47 08 movzwl 0x8(%r15),%eax <-- trapping instruction
2f: c1 e0 04 shl $0x4,%eax
32: 48 8d 04 40 lea (%rax,%rax,2),%rax
36: 48 89 44 24 10 mov %rax,0x10(%rsp)
3b: 4d 89 fc mov %r15,%r12
3e: 49 rex.WB
3f: 8d .byte 0x8d

syzbot

Mar 25, 2026, 3:19:24 PM
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: 1989cd3d56e2 Linux 6.1.167
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=17aa0eda580000
kernel config: https://syzkaller.appspot.com/x/.config?x=b1adc0bfde2d8a4a
dashboard link: https://syzkaller.appspot.com/bug?extid=5056dc3760175e1258d8
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12457af6580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=118b4b52580000
mounted in repro: https://storage.googleapis.com/syzbot-assets/6c5a2cf0675d/mount_0.gz
fsck result: OK (log: https://syzkaller.appspot.com/x/fsck.log?x=113e5e16580000)

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+5056dc...@syzkaller.appspotmail.com

EXT4-fs error (device loop0): ext4_dirty_inode:6133: inode #3: comm syz.0.17: mark_inode_dirty error
EXT4-fs error (device loop0): ext4_do_update_inode:5268: inode #3: comm syz.0.17: corrupted inode contents
EXT4-fs error (device loop0): __ext4_ext_dirty:206: inode #3: comm syz.0.17: mark_inode_dirty error
Unable to handle kernel paging request at virtual address ffffffffffffff93
KASAN: maybe wild-memory-access in range [0x0003fffffffffc98-0x0003fffffffffc9f]
Mem abort info:
ESR = 0x0000000096000004
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x04: level 0 translation fault
Data abort info:
ISV = 0, ISS = 0x00000004
CM = 0, WnR = 0
swapper pgtable: 4k pages, 48-bit VAs, pgdp=000000020dfcc000
[ffffffffffffff93] pgd=0000000000000000, p4d=0000000000000000
Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 4497 Comm: syz.0.17 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/26/2026
pstate: 62400005 (nZCv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=--)
pc : ext4_ext_drop_refs fs/ext4/extents.c:119 [inline]
pc : ext4_free_ext_path fs/ext4/extents.c:128 [inline]
pc : ext4_ext_map_blocks+0x2a70/0x570c fs/ext4/extents.c:4497
lr : ext4_ext_map_blocks+0x1528/0x570c fs/ext4/extents.c:4438
sp : ffff800021406800
x29: ffff800021406a80 x28: dfff800000000000 x27: 0000000000000001
x26: ffff800021406cc0 x25: 0000000000000001 x24: 0000000000000001
x23: 0000000000000001 x22: 0000000000000042 x21: 0000000000000029
x20: ffff800021406cc0 x19: ffffffffffffff8b x18: ffff800011b9bf60
x17: ffff80001835a000 x16: ffff8000082d7db8 x15: ffff800017e3b000
x14: 0000000000000001 x13: 1fffe000180c3f11 x12: 0000000000ff0100
x11: ff00800008db745c x10: 0000000000000000 x9 : 7de237244664a300
x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000
x5 : 0000000000000080 x4 : ffff0000c061f1d0 x3 : ffff800008a90998

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

syzbot

Mar 26, 2026, 5:04:28 AM
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: c09fbcd31ae6 Linux 6.6.130
git tree: linux-6.6.y
console output: https://syzkaller.appspot.com/x/log.txt?x=109b5e16580000
kernel config: https://syzkaller.appspot.com/x/.config?x=c5b35c4db8465904
dashboard link: https://syzkaller.appspot.com/bug?extid=3ad17e94107dda6b6b03
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13708eda580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16932eda580000
mounted in repro: https://storage.googleapis.com/syzbot-assets/37353eb79652/mount_0.gz
fsck result: OK (log: https://syzkaller.appspot.com/x/fsck.log?x=15708eda580000)

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3ad17e...@syzkaller.appspotmail.com

BUG: unable to handle page fault for address: ffffffffffffffec
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD cf35067 P4D cf35067 PUD cf37067 PMD 0
Oops: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 6081 Comm: syz.3.45 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
RIP: 0010:ext4_ext_drop_refs fs/ext4/extents.c:119 [inline]
RIP: 0010:ext4_free_ext_path fs/ext4/extents.c:128 [inline]
RIP: 0010:ext4_ext_map_blocks+0x2d00/0x6800 fs/ext4/extents.c:4494
Code: 8b 7c 24 10 4d 85 ff 0f 84 bd 00 00 00 e8 78 dc 58 ff 49 8d 7f 08 48 89 f8 48 c1 e8 03 42 0f b6 04 30 84 c0 0f 85 3d 1e 00 00 <41> 0f b7 47 08 c1 e0 04 48 8d 04 40 48 89 44 24 10 4d 89 fc 49 8d
RSP: 0018:ffffc900042e7040 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88807dae8000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffffffffffec
RBP: ffffc900042e72f0 R08: ffff88805b8745d3 R09: 1ffff1100b70e8ba
R10: dffffc0000000000 R11: ffffed100b70e8bb R12: 0000000000000000
R13: 1ffff9200085ce34 R14: dffffc0000000000 R15: ffffffffffffffe4
FS: 00007ff6920b16c0(0000) GS:ffff8880b8f00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffec CR3: 000000001c365000 CR4: 00000000003506e0
Call Trace:
<TASK>
ext4_map_blocks+0x9e2/0x1b80 fs/ext4/inode.c:652
_ext4_get_block+0x1eb/0x480 fs/ext4/inode.c:794
ext4_get_block_unwritten+0x2e/0x100 fs/ext4/inode.c:827
ext4_block_write_begin+0x55d/0x14f0 fs/ext4/inode.c:1091
ext4_write_begin+0x5de/0x1070 fs/ext4/ext4_jbd2.h:-1
ext4_da_write_begin+0x2df/0x9c0 fs/ext4/inode.c:2908
generic_perform_write+0x2fe/0x5c0 mm/filemap.c:4031
ext4_buffered_write_iter+0xcc/0x350 fs/ext4/file.c:299
ext4_file_write_iter+0x1d9/0x1880 fs/ext4/file.c:-1
call_write_iter include/linux/fs.h:2018 [inline]
new_sync_write fs/read_write.c:491 [inline]
vfs_write+0x46c/0x990 fs/read_write.c:584
ksys_pwrite64 fs/read_write.c:699 [inline]
__do_sys_pwrite64 fs/read_write.c:709 [inline]
__se_sys_pwrite64 fs/read_write.c:706 [inline]
__x64_sys_pwrite64+0x19b/0x230 fs/read_write.c:706
do_syscall_x64 arch/x86/entry/common.c:46 [inline]
do_syscall_64+0x55/0xa0 arch/x86/entry/common.c:76
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7ff69119c799
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ff6920b1028 EFLAGS: 00000246 ORIG_RAX: 0000000000000012
RAX: ffffffffffffffda RBX: 00007ff691415fa0 RCX: 00007ff69119c799
RDX: 000000000000fdef RSI: 0000200000000140 RDI: 0000000000000005
RBP: 00007ff691232c99 R08: 0000000000000000 R09: 0000000000000000
R10: 000000000000fecc R11: 0000000000000246 R12: 0000000000000000
R13: 00007ff691416038 R14: 00007ff691415fa0 R15: 00007ffd4fe201c8
</TASK>
Modules linked in:
CR2: ffffffffffffffec
---[ end trace 0000000000000000 ]---
RIP: 0010:ext4_ext_drop_refs fs/ext4/extents.c:119 [inline]
RIP: 0010:ext4_free_ext_path fs/ext4/extents.c:128 [inline]
RIP: 0010:ext4_ext_map_blocks+0x2d00/0x6800 fs/ext4/extents.c:4494
Code: 8b 7c 24 10 4d 85 ff 0f 84 bd 00 00 00 e8 78 dc 58 ff 49 8d 7f 08 48 89 f8 48 c1 e8 03 42 0f b6 04 30 84 c0 0f 85 3d 1e 00 00 <41> 0f b7 47 08 c1 e0 04 48 8d 04 40 48 89 44 24 10 4d 89 fc 49 8d
RSP: 0018:ffffc900042e7040 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88807dae8000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffffffffffec
RBP: ffffc900042e72f0 R08: ffff88805b8745d3 R09: 1ffff1100b70e8ba
R10: dffffc0000000000 R11: ffffed100b70e8bb R12: 0000000000000000
R13: 1ffff9200085ce34 R14: dffffc0000000000 R15: ffffffffffffffe4
FS: 00007ff6920b16c0(0000) GS:ffff8880b8f00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffec CR3: 000000001c365000 CR4: 00000000003506e0
----------------
Code disassembly (best guess):
0: 8b 7c 24 10 mov 0x10(%rsp),%edi
4: 4d 85 ff test %r15,%r15
7: 0f 84 bd 00 00 00 je 0xca
d: e8 78 dc 58 ff call 0xff58dc8a
12: 49 8d 7f 08 lea 0x8(%r15),%rdi
16: 48 89 f8 mov %rdi,%rax
19: 48 c1 e8 03 shr $0x3,%rax
1d: 42 0f b6 04 30 movzbl (%rax,%r14,1),%eax
22: 84 c0 test %al,%al
24: 0f 85 3d 1e 00 00 jne 0x1e67
* 2a: 41 0f b7 47 08 movzwl 0x8(%r15),%eax <-- trapping instruction
2f: c1 e0 04 shl $0x4,%eax
32: 48 8d 04 40 lea (%rax,%rax,2),%rax
36: 48 89 44 24 10 mov %rax,0x10(%rsp)
3b: 4d 89 fc mov %r15,%r12
3e: 49 rex.WB
3f: 8d .byte 0x8d


---