[v6.1] UBSAN: shift-out-of-bounds in ext4_check_opt_consistency
0 views
Skip to first unread message
syzbot
Apr 19, 2026, 11:50:28 AM (yesterday) Apr 19
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 7c87defbd336 Linux 6.1.169
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=147e9906580000
kernel config: https://syzkaller.appspot.com/x/.config?x=b1adc0bfde2d8a4a
dashboard link: https://syzkaller.appspot.com/bug?extid=943e137a1dc67bf6c5c7
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
userspace arch: arm64
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/cf55a056d548/disk-7c87defb.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/af13139876bb/vmlinux-7c87defb.xz
kernel image: https://storage.googleapis.com/syzbot-assets/02c231cd5348/Image-7c87defb.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+943e13...@syzkaller.appspotmail.com
================================================================================
UBSAN: shift-out-of-bounds in fs/ext4/super.c:2766:15
shift exponent 1987084706 is too large for 32-bit type 'int'
CPU: 1 PID: 6002 Comm: syz.3.399 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Call trace:
dump_backtrace+0x1c0/0x1ec arch/arm64/kernel/stacktrace.c:158
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
__dump_stack+0x30/0x40 lib/dump_stack.c:88
dump_stack_lvl+0xf4/0x15c lib/dump_stack.c:106
dump_stack+0x1c/0x5c lib/dump_stack.c:113
ubsan_epilogue+0x14/0x48 lib/ubsan.c:151
__ubsan_handle_shift_out_of_bounds+0x2b0/0x348 lib/ubsan.c:321
ext4_check_opt_consistency+0x16d0/0x1afc fs/ext4/super.c:2766
ext4_reconfigure+0xac/0x2268 fs/ext4/super.c:6694
reconfigure_super+0x1d4/0x79c fs/super.c:977
do_remount fs/namespace.c:2741 [inline]
path_mount+0xbdc/0xe80 fs/namespace.c:3400
do_mount fs/namespace.c:3421 [inline]
__do_sys_mount fs/namespace.c:3629 [inline]
__se_sys_mount fs/namespace.c:3606 [inline]
__arm64_sys_mount+0x49c/0x59c fs/namespace.c:3606
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b4 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
do_el0_svc+0x58/0x130 arch/arm64/kernel/syscall.c:204
el0_svc+0x58/0x128 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
================================================================================
EXT4-fs: test_dummy_encryption requires encrypt feature
EXT4-fs error (device loop3): ext4_map_blocks:637: inode #2: block 3: comm syz.3.399: lblock 0 mapped to illegal pblock 3 (length 1)
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 7c87defbd336 Linux 6.1.169
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=147e9906580000
kernel config: https://syzkaller.appspot.com/x/.config?x=b1adc0bfde2d8a4a
dashboard link: https://syzkaller.appspot.com/bug?extid=943e137a1dc67bf6c5c7
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
userspace arch: arm64
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/cf55a056d548/disk-7c87defb.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/af13139876bb/vmlinux-7c87defb.xz
kernel image: https://storage.googleapis.com/syzbot-assets/02c231cd5348/Image-7c87defb.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+943e13...@syzkaller.appspotmail.com
================================================================================
UBSAN: shift-out-of-bounds in fs/ext4/super.c:2766:15
shift exponent 1987084706 is too large for 32-bit type 'int'
CPU: 1 PID: 6002 Comm: syz.3.399 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Call trace:
dump_backtrace+0x1c0/0x1ec arch/arm64/kernel/stacktrace.c:158
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
__dump_stack+0x30/0x40 lib/dump_stack.c:88
dump_stack_lvl+0xf4/0x15c lib/dump_stack.c:106
dump_stack+0x1c/0x5c lib/dump_stack.c:113
ubsan_epilogue+0x14/0x48 lib/ubsan.c:151
__ubsan_handle_shift_out_of_bounds+0x2b0/0x348 lib/ubsan.c:321
ext4_check_opt_consistency+0x16d0/0x1afc fs/ext4/super.c:2766
ext4_reconfigure+0xac/0x2268 fs/ext4/super.c:6694
reconfigure_super+0x1d4/0x79c fs/super.c:977
do_remount fs/namespace.c:2741 [inline]
path_mount+0xbdc/0xe80 fs/namespace.c:3400
do_mount fs/namespace.c:3421 [inline]
__do_sys_mount fs/namespace.c:3629 [inline]
__se_sys_mount fs/namespace.c:3606 [inline]
__arm64_sys_mount+0x49c/0x59c fs/namespace.c:3606
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b4 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
do_el0_svc+0x58/0x130 arch/arm64/kernel/syscall.c:204
el0_svc+0x58/0x128 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
================================================================================
EXT4-fs: test_dummy_encryption requires encrypt feature
EXT4-fs error (device loop3): ext4_map_blocks:637: inode #2: block 3: comm syz.3.399: lblock 0 mapped to illegal pblock 3 (length 1)
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
Apr 19, 2026, 12:33:30 PM (yesterday) Apr 19
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:
HEAD commit: 7c87defbd336 Linux 6.1.169
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=17fa8836580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10068836580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/cf55a056d548/disk-7c87defb.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/af13139876bb/vmlinux-7c87defb.xz
kernel image: https://storage.googleapis.com/syzbot-assets/02c231cd5348/Image-7c87defb.gz.xz
mounted in repro #1: https://storage.googleapis.com/syzbot-assets/27ecf4649e1a/mount_0.gz
fsck result: OK (log: https://syzkaller.appspot.com/x/fsck.log?x=1006d4ce580000)
mounted in repro #2: https://storage.googleapis.com/syzbot-assets/38aa07ec58c8/mount_5.gz
fsck result: OK (log: https://syzkaller.appspot.com/x/fsck.log?x=12c321ba580000)
mounted in repro #3: https://storage.googleapis.com/syzbot-assets/539ddc1d1661/mount_6.gz
fsck result: OK (log: https://syzkaller.appspot.com/x/fsck.log?x=13fa8836580000)
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+943e13...@syzkaller.appspotmail.com
EXT4-fs (loop0): 1 truncate cleaned up
EXT4-fs (loop0): mounted filesystem without journal. Quota mode: writeback.
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
HEAD commit: 7c87defbd336 Linux 6.1.169
git tree: linux-6.1.y
kernel config: https://syzkaller.appspot.com/x/.config?x=b1adc0bfde2d8a4a
dashboard link: https://syzkaller.appspot.com/bug?extid=943e137a1dc67bf6c5c7
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17d81f16580000
dashboard link: https://syzkaller.appspot.com/bug?extid=943e137a1dc67bf6c5c7
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
userspace arch: arm64
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10068836580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/cf55a056d548/disk-7c87defb.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/af13139876bb/vmlinux-7c87defb.xz
kernel image: https://storage.googleapis.com/syzbot-assets/02c231cd5348/Image-7c87defb.gz.xz
fsck result: OK (log: https://syzkaller.appspot.com/x/fsck.log?x=1006d4ce580000)
mounted in repro #2: https://storage.googleapis.com/syzbot-assets/38aa07ec58c8/mount_5.gz
fsck result: OK (log: https://syzkaller.appspot.com/x/fsck.log?x=12c321ba580000)
mounted in repro #3: https://storage.googleapis.com/syzbot-assets/539ddc1d1661/mount_6.gz
fsck result: OK (log: https://syzkaller.appspot.com/x/fsck.log?x=13fa8836580000)
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+943e13...@syzkaller.appspotmail.com
EXT4-fs (loop0): mounted filesystem without journal. Quota mode: writeback.
================================================================================
UBSAN: shift-out-of-bounds in fs/ext4/super.c:2766:15
shift exponent 1987084706 is too large for 32-bit type 'int'
CPU: 1 PID: 4440 Comm: syz.0.17 Not tainted syzkaller #0
UBSAN: shift-out-of-bounds in fs/ext4/super.c:2766:15
shift exponent 1987084706 is too large for 32-bit type 'int'
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
Reply all
Reply to author
Forward
0 new messages