Re: [syzbot] [karma?] kernel BUG in folio_set_bh (3)

From: Daiki

Date: Thu May 14 2026 - 12:58:51 EST

I was able to reproduce this bug with the following C reproducer:

// repro.c
#include <fcntl.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <linux/loop.h>
#include <unistd.h>

int main(void) {
int fd = open("/tmp/img", O_RDWR|O_CREAT|O_TRUNC, 0644);
ftruncate(fd, 1<<20);
close(fd);
int lc = open("/dev/loop-control", O_RDWR);
int nr = ioctl(lc, LOOP_CTL_GET_FREE);
close(lc);
char lo[64];
snprintf(lo, sizeof(lo), "/dev/loop%d", nr);
int lf = open(lo, O_RDWR);
fd = open("/tmp/img", O_RDWR);
ioctl(lf, LOOP_SET_FD, fd);
close(fd);
ioctl(lf, 0x4c09, 0x8000); // LOOP_SET_BLOCK_SIZE = 32768
close(lf);
mkdir("/tmp/mnt", 0755);
mount(lo, "/tmp/mnt", "jfs", 0x8000, NULL); // MS_SILENT
return 0;
}

A fix patch has been sent:
https://lore.kernel.org/all/20260514160700.376172-1-daiky0325@xxxxxxxxx/
 <div class="gmail_quote gmail_quote_container"><div dir="ltr"
class="gmail_attr">On Fri, May 15, 2026 at 1:45 AM Daiki
<daiky0325@xxxxxxxxx> wrote: </div><blockquote
class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left: 1px
solid rgb(204, 204, 204); padding-left: 1ex;"><div dir="ltr"><div
dir="ltr">I was able to reproduce this bug with the following C
reproducer: // repro.c #include <fcntl.h> #include
<stdio.h> #include <sys/ioctl.h> #include
<sys/mount.h> #include <sys/stat.h> #include
<linux/loop.h> #include <unistd.h> int
main(void) {     int fd = open("/tmp/img",
O_RDWR|O_CREAT|O_TRUNC, 0644);     ftruncate(fd,
1<<20);     close(fd);     int lc =
open("/dev/loop-control", O_RDWR);     int nr = ioctl(lc,
LOOP_CTL_GET_FREE);     close(lc);     char
lo[64];     snprintf(lo, sizeof(lo), "/dev/loop%d",
nr);     int lf = open(lo, O_RDWR);     fd =
open("/tmp/img", O_RDWR);     ioctl(lf, LOOP_SET_FD,
fd);     close(fd);     ioctl(lf, 0x4c09,
0x8000); // LOOP_SET_BLOCK_SIZE = 32768    
close(lf);     mkdir("/tmp/mnt", 0755);    
mount(lo, "/tmp/mnt", "jfs", 0x8000, NULL); // MS_SILENT  
  return 0; } A fix patch has been sent: <a
href="https://lore.kernel.org/all/20260514160700.376172-1-daiky0325@xxxxxxxxx/";
target="_blank">https://lore.kernel.org/all/20260514160700.376172-1-daiky0325@xxxxxxxxx/</a></div> <div
class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, May 14,
2026 at 7:36 PM syzbot <<a
href="mailto:syzbot%2B32ec8b5bd050c78741c2@xxxxxxxxxxxxxxxxxxxxxxxxx";
target="_blank">syzbot+32ec8b5bd050c78741c2@syzkaller.appspotmail.com</a>>
wrote: </div><blockquote class="gmail_quote" style="margin: 0px 0px
0px 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left:
1ex;">Hello, 
 
syzbot found the following issue on: 
 
HEAD commit:    1d5dcaa3bd65 Merge tag
'probes-fixes-v7.1-rc3' of git://gi.. 
git tree:       upstream 
console output: <a
href="https://syzkaller.appspot.com/x/log.txt?x=1592ed06580000";
rel="noreferrer"
target="_blank">https://syzkaller.appspot.com/x/log.txt?x=1592ed06580000</a> 
kernel config:  <a
href="https://syzkaller.appspot.com/x/.config?x=7f195f6be48c12ec";
rel="noreferrer"
target="_blank">https://syzkaller.appspot.com/x/.config?x=7f195f6be48c12ec</a> 
dashboard link: <a
href="https://syzkaller.appspot.com/bug?extid=32ec8b5bd050c78741c2";
rel="noreferrer"
target="_blank">https://syzkaller.appspot.com/bug?extid=32ec8b5bd050c78741c2</a> 
compiler:       Debian clang version 21.1.8
(++20251221033036+2078da43e25a-1~exp1~20251221153213.50),
Debian LLD 21.1.8 
 
Unfortunately, I don't have any reproducer for this issue yet. 
 
Downloadable assets: 
disk image (non-bootable): <a
href="https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-1d5dcaa3.raw.xz";
rel="noreferrer"
target="_blank">https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-1d5dcaa3.raw.xz</a> 
vmlinux: <a href="https://storage.googleapis.com/syzbot-assets/2cb31960a181/vmlinux-1d5dcaa3.xz";
rel="noreferrer"
target="_blank">https://storage.googleapis.com/syzbot-assets/2cb31960a181/vmlinux-1d5dcaa3.xz</a> 
kernel image: <a
href="https://storage.googleapis.com/syzbot-assets/6d3969d0ce3d/bzImage-1d5dcaa3.xz";
rel="noreferrer"
target="_blank">https://storage.googleapis.com/syzbot-assets/6d3969d0ce3d/bzImage-1d5dcaa3.xz</a> 
 
IMPORTANT: if you fix the issue, please add the following tag to the commit: 
Reported-by: <a
href="mailto:syzbot%2B32ec8b5bd050c78741c2@xxxxxxxxxxxxxxxxxxxxxxxxx";
target="_blank">syzbot+32ec8b5bd050c78741c2@syzkaller.appspotmail.com</a> 
 
loop0: detected capacity change from 0 to 2048 
 loop0: p2 p3 < > p4 < p5 > 
loop0: partition table partially beyond EOD, truncated 
loop0: p3 start 4284289 is beyond EOD, truncated 
jfs: block size(32768) > page size(4096) not supported by filesystem 
------------[ cut here ]------------ 
kernel BUG at fs/buffer.c:1479! 
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI 
CPU: 0 UID: 0 PID: 5328 Comm: syz.0.0 Not tainted syzkaller #0
PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
1.16.3-debian-1.16.3-2 04/01/2014 
RIP: 0010:folio_set_bh+0x1dc/0x1e0 fs/buffer.c:1479 
Code: 4c 89 e2 e8 b6 71 98 02 e9 42 ff ff ff e8 3c 80 6d ff 48 89 df
48 c7 c6 00 28 df 8b e8 6d bd cf fe 90 0f 0b e8 25 80 6d ff 90
<0f> 0b 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3
0f 
RSP: 0018:ffffc9000e2378f0 EFLAGS: 00010287 
RAX: ffffffff8258511b RBX: ffffea0000391600 RCX: 0000000000100000 
RDX: ffffc9000ec4a000 RSI: 0000000000001a43 RDI: 0000000000001a44 
RBP: dffffc0000000000 R08: ffffea0000391607 R09: 1ffffd40000722c0 
R10: dffffc0000000000 R11: fffff940000722c1 R12: 0000000000000003 
R13: 0000000000008000 R14: ffff88804789f740 R15: 0000000000008000 
FS:  00007fb7faee76c0(0000) GS:ffff88808c881000(0000)
knlGS:0000000000000000 
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 
CR2: 00007f86657e22b0 CR3: 00000000128ba000 CR4: 0000000000352ef0 
Call Trace: 
 <TASK> 
 folio_alloc_buffers+0x228/0x640 fs/buffer.c:849 
 grow_dev_folio fs/buffer.c:979 [inline] 
 grow_buffers fs/buffer.c:1020 [inline] 
 __getblk_slow fs/buffer.c:1038 [inline] 
 bdev_getblk+0x2cb/0x6e0 fs/buffer.c:1358 
 __bread_gfp+0x89/0x3b0 fs/buffer.c:1412 
 sb_bread include/linux/buffer_head.h:346 [inline] 
 readSuper+0xdb/0x270 fs/jfs/jfs_mount.c:462 
 chkSuper+0x5d/0xe00 fs/jfs/jfs_mount.c:299 
 jfs_mount+0x4b/0x870 fs/jfs/jfs_mount.c:83 
 jfs_fill_super+0x6bc/0xd80 fs/jfs/super.c:523 
 get_tree_bdev_flags+0x431/0x4f0 fs/super.c:1694 
 vfs_get_tree+0x92/0x2a0 fs/super.c:1754 
 fc_mount fs/namespace.c:1193 [inline] 
 do_new_mount_fc fs/namespace.c:3758 [inline] 
 do_new_mount+0x341/0xd30 fs/namespace.c:3834 
 do_mount fs/namespace.c:4167 [inline] 
 __do_sys_mount fs/namespace.c:4383 [inline] 
 __se_sys_mount+0x31d/0x420 fs/namespace.c:4360 
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] 
 do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94 
 entry_SYSCALL_64_after_hwframe+0x77/0x7f 
RIP: 0033:0x7fb7f9f9ce59 
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05
<48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01
48 
RSP: 002b:00007fb7faee6fe8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 
RAX: ffffffffffffffda RBX: 00007fb7fa215fa0 RCX: 00007fb7f9f9ce59 
RDX: 0000200000000040 RSI: 0000200000000140 RDI: 0000200000000080 
RBP: 00007fb7fa032d6f R08: 0000000000000000 R09: 0000000000000000 
R10: 000000000000c000 R11: 0000000000000246 R12: 0000000000000000 
R13: 00007fb7fa216038 R14: 00007fb7fa215fa0 R15: 00007ffff2e0f5c8 
 </TASK> 
Modules linked in: 
---[ end trace 0000000000000000 ]--- 
RIP: 0010:folio_set_bh+0x1dc/0x1e0 fs/buffer.c:1479 
Code: 4c 89 e2 e8 b6 71 98 02 e9 42 ff ff ff e8 3c 80 6d ff 48 89 df
48 c7 c6 00 28 df 8b e8 6d bd cf fe 90 0f 0b e8 25 80 6d ff 90
<0f> 0b 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3
0f 
RSP: 0018:ffffc9000e2378f0 EFLAGS: 00010287 
RAX: ffffffff8258511b RBX: ffffea0000391600 RCX: 0000000000100000 
RDX: ffffc9000ec4a000 RSI: 0000000000001a43 RDI: 0000000000001a44 
RBP: dffffc0000000000 R08: ffffea0000391607 R09: 1ffffd40000722c0 
R10: dffffc0000000000 R11: fffff940000722c1 R12: 0000000000000003 
R13: 0000000000008000 R14: ffff88804789f740 R15: 0000000000008000 
FS:  00007fb7faee76c0(0000) GS:ffff88808c881000(0000)
knlGS:0000000000000000 
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 
CR2: 00007f8a5bc8038f CR3: 00000000128ba000 CR4: 0000000000352ef0 
 
 
--- 
This report is generated by a bot. It may contain errors. 
See <a href="https://goo.gl/tpsmEJ"; rel="noreferrer"
target="_blank">https://goo.gl/tpsmEJ</a> for more information about
syzbot. 
syzbot engineers can be reached at <a
href="mailto:syzkaller@xxxxxxxxxxxxxxxx";
target="_blank">syzkaller@xxxxxxxxxxxxxxxx</a>. 
 
syzbot will keep track of this issue. See: 
<a href="https://goo.gl/tpsmEJ#status"; rel="noreferrer"
target="_blank">https://goo.gl/tpsmEJ#status</a> for how to
communicate with syzbot. 
 
If the report is already addressed, let syzbot know by replying with: 
#syz fix: exact-commit-title 
 
If you want to overwrite report's subsystems, reply with: 
#syz set subsystems: new-subsystem 
(See the list of subsystem names on the web dashboard) 
 
If the report is a duplicate of another one, reply with: 
#syz dup: exact-subject-of-another-report 
 
If you want to undo deduplication, reply with: 
#syz undup 
 
-- 
You received this message because you are subscribed to the Google
Groups "syzkaller-bugs" group. 
To unsubscribe from this group and stop receiving emails from it, send
an email to <a href="mailto:syzkaller-bugs%2Bunsubscribe@xxxxxxxxxxxxxxxx";
target="_blank">syzkaller-bugs+unsubscribe@googlegroups.com</a>. 
To view this discussion visit <a
href="https://groups.google.com/d/msgid/syzkaller-bugs/6a05a5b0.170a0220.290639.01c7.GAE%40google.com";
rel="noreferrer"
target="_blank">https://groups.google.com/d/msgid/syzkaller-bugs/6a05a5b0.170a0220.290639.01c7.GAE%40google.com</a>. 
</blockquote></div></div>
</blockquote></div>