Jiaming Zhang
Sep 18, 2025, 10:47:07 PM
to kent.ov...@linux.dev, linux-b...@vger.kernel.org, linux-...@vger.kernel.org, syzk...@googlegroups.com
Dear Linux kernel developers and maintainers:
We are writing to report a kernel bug discovered in the bcachefs
subsystem with our modified syzkaller. This bug is reproducible on the
latest version (v6.17-rc6, commit
f83ec76bf285bea5727f478a68b894f5543ca76e).
The kernel console output, kernel config, syzkaller reproducer, and C
reproducer are attached to this email to help analysis. The bug report
from v6.17-rc6, formatted by syz-symbolize, is listed below:
==================================================================
loop0: detected capacity change from 0 to 32768
bcachefs (loop0): starting version 1.7: mi_btree_bitmap
opts=metadata_checksum=none,data_checksum=none,nojournal_transaction_names
allowing incompatible features above 0.0: (unknown version)
features: new_siphash,inline_data,new_extent_overwrite,btree_ptr_v2,new_varint,journal_no_flush,alloc_v2,extents_across_btree_nodes
bcachefs (loop0): Using encoding defined by superblock: utf8-12.1.0
bcachefs (loop0): recovering from clean shutdown, journal seq 8
bcachefs (loop0): Doing compatible version upgrade from 1.7:
mi_btree_bitmap to 1.28: inode_has_case_insensitive
running recovery passes:
check_allocations,check_extents_to_backpointers,check_inodes
bcachefs (loop0): accounting_read... done
bcachefs (loop0): alloc_read... done
bcachefs (loop0): snapshots_read... done
bcachefs (loop0): check_allocations...
bcachefs (loop0): btree ptr not marked in member info btree allocated bitmap
u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq 56308231fb2a3a03
written 24 min_key POS_MIN durability: 1 ptr: 0:26:0 gen 0, fixing
bcachefs (loop0): btree ptr not marked in member info btree allocated bitmap
u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq efdd7a26d7396dd5
written 24 min_key POS_MIN durability: 1 ptr: 0:38:0 gen 0, fixing
bcachefs (loop0): btree ptr not marked in member info btree allocated bitmap
u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq 17c752e9adf22e73
written 24 min_key POS_MIN durability: 1 ptr: 0:41:0 gen 0, fixing
bcachefs (loop0): btree ptr not marked in member info btree allocated bitmap
u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq adc4350e9aab42a2
written 16 min_key POS_MIN durability: 1 ptr: 0:35:0 gen 0, fixing
bcachefs (loop0): btree ptr not marked in member info btree allocated bitmap
u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq ef15a85bfc7569df
written 16 min_key POS_MIN durability: 1 ptr: 0:32:0 gen 0, fixing
bcachefs (loop0): btree ptr not marked in member info btree allocated bitmap
u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq 771f68864d6973cb
written 32 min_key POS_MIN durability: 1 ptr: 0:29:0 gen 0, fixing
done
bcachefs (loop0): going read-write
bcachefs (loop0): journal_replay... done
bcachefs (loop0): check_extents_to_backpointers...
bcachefs (loop0): scanning for missing backpointers in 6/128 buckets
done
bcachefs (loop0): check_inodes... done
bcachefs (loop0): resume_logged_ops... done
bcachefs (loop0): delete_dead_inodes... done
bcachefs (loop0): Fixed errors, running fsck a second time to verify fs is clean
bcachefs (loop0): check_extents_to_backpointers... done
bcachefs (loop0): check_inodes... done
bcachefs (loop0): resume_logged_ops... done
bcachefs (loop0): delete_dead_inodes... done
bcachefs (loop0): done starting filesystem
------------[ cut here ]------------
kernel BUG at fs/bcachefs/io_write.c:1678!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 1 UID: 0 PID: 9766 Comm: repro.out Not tainted 6.17.0-rc6 #1 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:bch2_write+0x1356/0x13d0 fs/bcachefs/io_write.c:1678
Code: e1 07 38 c1 0f 8c 7c f9 ff ff be 08 00 00 00 4c 89 f7 e8 ed 80
d9 fd e9 6a f9 ff ff e8 13 d9 75 fd 90 0f 0b e8 0b d9 75 fd 90 <0f> 0b
e8 03 d9 75 fd 90 0f 0b e8 fb d8 75 fd 90 0f 0b e8 f3 d8 75
RSP: 0018:ffffc900109ef4c8 EFLAGS: 00010293
RAX: ffffffff8440f785 RBX: ffff888052e5d308 RCX: ffff888022008000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff888052e5d360 R08: ffff888052e5d35b R09: 1ffff1100a5cba6b
R10: dffffc0000000000 R11: ffffed100a5cba6c R12: 0000000000110000
R13: dffffc0000000000 R14: ffff888052e5d380 R15: 1ffff1100a5cba70
FS: 00000000189db300(0000) GS:ffff8880ec41c000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000056153b081ca0 CR3: 000000005257b000 CR4: 0000000000752ef0
PKRU: 55555554
Call Trace:
<TASK>
closure_queue include/linux/closure.h:270 [inline]
closure_call include/linux/closure.h:432 [inline]
bch2_writepage_do_io fs/bcachefs/fs-io-buffered.c:486 [inline]
bch2_writepages+0x211/0x2d0 fs/bcachefs/fs-io-buffered.c:668
do_writepages+0x32b/0x550 mm/page-writeback.c:2634
filemap_fdatawrite_wbc mm/filemap.c:386 [inline]
__filemap_fdatawrite_range mm/filemap.c:419 [inline]
filemap_write_and_wait_range+0x21f/0x320 mm/filemap.c:691
bchfs_truncate+0x6a3/0xc20
notify_change+0xb33/0xe40 fs/attr.c:552
do_truncate+0x1a4/0x220 fs/open.c:68
vfs_truncate+0x47e/0x510 fs/open.c:118
do_sys_truncate+0xdb/0x190 fs/open.c:141
__do_sys_truncate fs/open.c:153 [inline]
__se_sys_truncate fs/open.c:151 [inline]
__x64_sys_truncate+0x5b/0x70 fs/open.c:151
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xf3/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x44fe39
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 14 00 00 90 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffef6a67008 EFLAGS: 00000246 ORIG_RAX: 000000000000004c
RAX: ffffffffffffffda RBX: 00000000004004a0 RCX: 000000000044fe39
RDX: 0031656c69662f2e RSI: 0000000000000001 RDI: 0000000020000280
RBP: 00007ffef6a67010 R08: 0000000000000000 R09: 0000000000409600
R10: 00007ffef6a66e60 R11: 0000000000000246 R12: 0000000000409690
R13: 0000000000000000 R14: 00000000004c0018 R15: 00000000004004a0
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:bch2_write+0x1356/0x13d0 fs/bcachefs/io_write.c:1678
Code: e1 07 38 c1 0f 8c 7c f9 ff ff be 08 00 00 00 4c 89 f7 e8 ed 80
d9 fd e9 6a f9 ff ff e8 13 d9 75 fd 90 0f 0b e8 0b d9 75 fd 90 <0f> 0b
e8 03 d9 75 fd 90 0f 0b e8 fb d8 75 fd 90 0f 0b e8 f3 d8 75
RSP: 0018:ffffc900109ef4c8 EFLAGS: 00010293
RAX: ffffffff8440f785 RBX: ffff888052e5d308 RCX: ffff888022008000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff888052e5d360 R08: ffff888052e5d35b R09: 1ffff1100a5cba6b
R10: dffffc0000000000 R11: ffffed100a5cba6c R12: 0000000000110000
R13: dffffc0000000000 R14: ffff888052e5d380 R15: 1ffff1100a5cba70
FS: 00000000189db300(0000) GS:ffff8880ec41c000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000056153b081ca0 CR3: 000000005257b000 CR4: 0000000000752ef0
PKRU: 55555554
==================================================================
Please let me know if any further information is required.
Best Regards,
Jiaming Zhang.