Hello,
syzbot found the following issue on:
HEAD commit: aacb0a6d604a Merge tag 'pmdomain-v6.19-rc3' of git://git.k..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14aac69a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=1f2b6fe1fdf1a00b
dashboard link: https://syzkaller.appspot.com/bug?extid=7469575118ace3985adf
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
CC: ch...@kernel.org jae...@kernel.org linux-f2...@lists.sourceforge.net linux-...@vger.kernel.org
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/6520a87da443/disk-aacb0a6d.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/20f0acee1027/vmlinux-aacb0a6d.xz
kernel image: https://storage.googleapis.com/syzbot-assets/7058688e2b0b/bzImage-aacb0a6d.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+746957...@syzkaller.appspotmail.com
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
CPU: 0 UID: 0 PID: 15 Comm: ksoftirqd/0 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
RIP: 0010:NODE_MAPPING fs/f2fs/f2fs.h:2172 [inline]
RIP: 0010:is_node_folio fs/f2fs/f2fs.h:2182 [inline]
RIP: 0010:f2fs_in_warm_node_list+0xbd/0x290 fs/f2fs/node.c:330
Code: 00 00 4d 03 3c 24 4c 89 f8 48 c1 e8 03 42 80 3c 28 00 74 08 4c 89 ff e8 d1 99 13 fe 4d 8b 3f 49 83 c7 30 4c 89 f8 48 c1 e8 03 <42> 80 3c 28 00 74 08 4c 89 ff e8 b4 99 13 fe 4d 3b 37 74 19 e8 6a
RSP: 0018:ffffc90000147930 EFLAGS: 00010206
RAX: 0000000000000006 RBX: ffffea0000bd3800 RCX: ffff88801b6dbc80
RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000100
RBP: ffff88804d45f780 R08: ffff88805ba956f3 R09: 1ffff1100b752ade
R10: dffffc0000000000 R11: ffffed100b752adf R12: ffff88802617a798
R13: dffffc0000000000 R14: ffff88805f220250 R15: 0000000000000030
FS: 0000000000000000(0000) GS:ffff888126cef000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe64dce5000 CR3: 000000003eb70000 CR4: 00000000003526f0
Call Trace:
<TASK>
f2fs_write_end_io+0x71c/0xb60 fs/f2fs/data.c:359
blk_update_request+0x57e/0xe60 block/blk-mq.c:1007
blk_mq_end_request+0x3e/0x70 block/blk-mq.c:1169
blk_flush_complete_seq+0x687/0xce0 block/blk-flush.c:191
flush_end_io+0xc46/0xf30 block/blk-flush.c:250
__blk_mq_end_request+0x530/0x740 block/blk-mq.c:1159
blk_complete_reqs block/blk-mq.c:1244 [inline]
blk_done_softirq+0x10a/0x160 block/blk-mq.c:1249
handle_softirqs+0x1df/0x650 kernel/softirq.c:622
run_ksoftirqd+0x52/0x190 kernel/softirq.c:1063
smpboot_thread_fn+0x542/0xa60 kernel/smpboot.c:160
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:NODE_MAPPING fs/f2fs/f2fs.h:2172 [inline]
RIP: 0010:is_node_folio fs/f2fs/f2fs.h:2182 [inline]
RIP: 0010:f2fs_in_warm_node_list+0xbd/0x290 fs/f2fs/node.c:330
Code: 00 00 4d 03 3c 24 4c 89 f8 48 c1 e8 03 42 80 3c 28 00 74 08 4c 89 ff e8 d1 99 13 fe 4d 8b 3f 49 83 c7 30 4c 89 f8 48 c1 e8 03 <42> 80 3c 28 00 74 08 4c 89 ff e8 b4 99 13 fe 4d 3b 37 74 19 e8 6a
RSP: 0018:ffffc90000147930 EFLAGS: 00010206
RAX: 0000000000000006 RBX: ffffea0000bd3800 RCX: ffff88801b6dbc80
RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000100
RBP: ffff88804d45f780 R08: ffff88805ba956f3 R09: 1ffff1100b752ade
R10: dffffc0000000000 R11: ffffed100b752adf R12: ffff88802617a798
R13: dffffc0000000000 R14: ffff88805f220250 R15: 0000000000000030
FS: 0000000000000000(0000) GS:ffff888126cef000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe64dce5000 CR3: 000000003eb70000 CR4: 00000000003526f0
----------------
Code disassembly (best guess):
0: 00 00 add %al,(%rax)
2: 4d 03 3c 24 add (%r12),%r15
6: 4c 89 f8 mov %r15,%rax
9: 48 c1 e8 03 shr $0x3,%rax
d: 42 80 3c 28 00 cmpb $0x0,(%rax,%r13,1)
12: 74 08 je 0x1c
14: 4c 89 ff mov %r15,%rdi
17: e8 d1 99 13 fe call 0xfe1399ed
1c: 4d 8b 3f mov (%r15),%r15
1f: 49 83 c7 30 add $0x30,%r15
23: 4c 89 f8 mov %r15,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 80 3c 28 00 cmpb $0x0,(%rax,%r13,1) <-- trapping instruction
2f: 74 08 je 0x39
31: 4c 89 ff mov %r15,%rdi
34: e8 b4 99 13 fe call 0xfe1399ed
39: 4d 3b 37 cmp (%r15),%r14
3c: 74 19 je 0x57
3e: e8 .byte 0xe8
3f: 6a .byte 0x6a
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See: https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite the report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup