[PATCH] ext4: fix unaligned preallocation with bigalloc

Ahmet Eray Karadag posted 1 patch 1 week, 4 days ago
Posted by Ahmet Eray Karadag 1 week, 4 days ago
Syzkaller reported a use-after-free in ext4_find_extent() when using
bigalloc. The crash occurs during the extent tree traversal when the
system tries to access a freed extent path.

The root cause is related to how the multi-block allocator (mballoc)
handles alignment in bigalloc filesystems (s_cluster_ratio > 1).
When a request for a block is made, mballoc might return a goal start
block that is not aligned to the cluster boundary (e.g., block 1 instead
of 0) because the cluster start is busy.

Previously, ext4_mb_new_inode_pa() and ext4_mb_new_group_pa() did not
strictly enforce cluster alignment or handle collisions where aligning
down would overlap with busy space. This resulted in the creation of
preallocation (PA) extents that started in the middle of a cluster.
This misalignment causes metadata inconsistency between the physical
allocation (bitmap) and the logical extent tree, eventually leading to
a use-after-free during inode eviction or truncation.

This patch fixes the issue by enforcing strict cluster alignment for
both inode and group preallocations.

Using AC_STATUS_BREAK ensures that we do not manually free the PA
(avoiding double-free bugs in the caller's cleanup path) and allows
the allocator to find a more suitable block group.

Tested with kvm-xfstests -c bigalloc_4k -g quick, no regressions found.

Reported-by: syzbot+ee60e584b5c6bb229126@syzkaller.appspotmail.com
Fixes: https://syzkaller.appspot.com/bug?extid=ee60e584b5c6bb229126
Co-developed-by: Albin Babu Varghese <albinbabuvarghese20@gmail.com>
Signed-off-by: Albin Babu Varghese <albinbabuvarghese20@gmail.com>
Signed-off-by: Ahmet Eray Karadag <eraykrdg1@gmail.com>
---
 fs/ext4/mballoc.c | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
index 9087183602e4..549d6cf58f3c 100644
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -5291,6 +5291,21 @@ ext4_mb_new_inode_pa(struct ext4_allocation_context *ac)
 
 		ex.fe_logical = ac->ac_o_ex.fe_logical;
 adjust_bex:
+		if (sbi->s_cluster_ratio > 1) {
+			loff_t mask = ~(sbi->s_cluster_ratio - 1);
+			loff_t aligned_start = ex.fe_logical & mask;
+
+			if (aligned_start < ac->ac_g_ex.fe_logical) {
+				ac->ac_status = AC_STATUS_BREAK;
+				return;
+			}
+
+			ex.fe_len += (ex.fe_logical - aligned_start);
+			ex.fe_logical = aligned_start;
+
+			if (ex.fe_logical + ex.fe_len > orig_goal_end)
+				ex.fe_len = orig_goal_end - ex.fe_logical;
+		}
 		ac->ac_b_ex.fe_logical = ex.fe_logical;
 
 		BUG_ON(ac->ac_o_ex.fe_logical < ac->ac_b_ex.fe_logical);
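Review bot: the length adjustment `ex.fe_len += (ex.fe_logical - aligned_start);` mixes units: fe_logical and aligned_start are block numbers, but fe_len in a mballoc free extent is counted in clusters on a bigalloc filesystem (ext4's extent_logical_end() helper is fe_logical + EXT4_C2B(sbi, fe_len) for that reason), so aligning down by up to s_cluster_ratio - 1 blocks inflates the length by that many clusters. The same mismatch is in `if (ex.fe_logical + ex.fe_len > orig_goal_end)` and `ex.fe_len = orig_goal_end - ex.fe_logical;`; compare extent_logical_end(sbi, &ex) against orig_goal_end instead, and note that the syzbot BUG at mballoc.c:5312 reported below lands directly after this hunk's last BUG_ON context line, which is what an inflated length would trigger. Second, setting AC_STATUS_BREAK from inside ext4_mb_new_inode_pa() is the wrong signal: this function runs from ext4_mb_use_best_found() after mb_mark_used() has already marked ac_b_ex in the buddy bitmap and ac_status has been set to AC_STATUS_FOUND, and AC_STATUS_BREAK is the allocator's "scan limit reached, take the best extent found" status, so overwriting FOUND here makes ext4_mb_regular_allocator() treat the allocation as lost and retry via ext4_mb_try_best_found() while the blocks stay marked. The syzbot trace below reaches this function through exactly that ext4_mb_try_best_found() frame, i.e. the extent is being marked used a second time before the BUG fires. Minor: `loff_t mask = ~(sbi->s_cluster_ratio - 1);` takes the complement at the width of s_cluster_ratio (an unsigned int) before widening, which is harmless for the 32-bit fe_logical but is what EXT4_LBLK_CMASK(sbi, lblk) already provides.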
@@ -5336,6 +5351,7 @@ static noinline_for_stack void
 ext4_mb_new_group_pa(struct ext4_allocation_context *ac)
 {
 	struct super_block *sb = ac->ac_sb;
+	struct ext4_sb_info *sbi = EXT4_SB(sb);
 	struct ext4_locality_group *lg;
 	struct ext4_prealloc_space *pa;
 	struct ext4_group_info *grp;
@@ -5347,7 +5363,15 @@ ext4_mb_new_group_pa(struct ext4_allocation_context *ac)
 	BUG_ON(ac->ac_pa == NULL);
 
 	pa = ac->ac_pa;
+	if (sbi->s_cluster_ratio > 1) {
+		loff_t mask = ~(sbi->s_cluster_ratio - 1);
+		loff_t pstart = ext4_grp_offs_to_block(sb, &ac->ac_b_ex);
 
+		if ((pstart & mask) < pstart) {
+			ac->ac_status = AC_STATUS_BREAK;
+			return;
+		}
+	}
 	pa->pa_pstart = ext4_grp_offs_to_block(sb, &ac->ac_b_ex);
 	pa->pa_lstart = pa->pa_pstart;
 	pa->pa_len = ac->ac_b_ex.fe_len;
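Review bot: the commit message should explain how `if ((pstart & mask) < pstart)` can ever be true: pstart comes from ext4_grp_offs_to_block(), which shifts the cluster-unit fe_start by s_cluster_bits and adds the group's first block, so a group PA start should already be cluster-aligned, and the misaligned goal the commit message describes (block 1 instead of 0) is a logical goal in ac_g_ex.fe_logical, which this physical check does not look at. If the check stays, build the mask at 64-bit width: `~(sbi->s_cluster_ratio - 1)` is evaluated at unsigned int width and zero-extended into the loff_t, so `pstart & mask` clears bits 32 and above of the ext4_fsblk_t and every block at or beyond 2^32 (16 TiB with 4k blocks) would be reported as misaligned; `EXT4_PBLK_COFF(sbi, pstart) != 0` expresses the test without that hazard. Also, returning with AC_STATUS_BREAK after mb_mark_used() has already run for ac_b_ex leaves the marked extent behind while ext4_mb_regular_allocator() restarts the scan, so "allows the allocator to find a more suitable block group" does not describe what happens; skipping PA creation while letting the allocation itself complete, or aligning the goal in ext4_mb_normalize_request() before the scan, avoids that.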
-- 
2.43.0
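An added example (mine, not code from the patch or from the ext4 tree) that works through the cluster-alignment arithmetic the commit message relies on, and goes one step beyond it by showing why the width at which the mask is built matters once the masked value is a 64-bit physical block number, and why a cluster-counted length must be converted to blocks before it is added to a block number. The type stand-ins, the hypothetical helper names and the block values are constructed for the demonstration; treating the cluster ratio as a 32-bit unsigned int, logical block numbers as 32-bit and physical block numbers as 64-bit is an assumption of the example that follows my reading of ext4's types.

```c
/*
 * Added example, not part of the patch or of fs/ext4: cluster-alignment
 * arithmetic for a bigalloc-style allocator with a power-of-two cluster
 * ratio. Assumptions (not taken from the page): the cluster ratio is held
 * in a 32-bit unsigned int, logical block numbers are 32-bit and physical
 * block numbers are 64-bit. All helper names are hypothetical.
 */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

typedef uint32_t lblk_t;   /* stand-in for a 32-bit logical block number */
typedef uint64_t fsblk_t;  /* stand-in for a 64-bit physical block number */

/* Mask built the way the patch builds it: ~(ratio - 1) is evaluated at
 * unsigned-int width and only then widened to 64 bits, so bits 32..63 are
 * clear (for ratio 16 the value is 0x00000000FFFFFFF0). */
static int64_t narrow_mask(unsigned int cluster_ratio)
{
	return ~(cluster_ratio - 1);
}

/* Mask built at 64-bit width: every bit above the cluster offset stays set
 * (for ratio 16 the value is 0xFFFFFFFFFFFFFFF0, i.e. -16). */
static int64_t wide_mask(unsigned int cluster_ratio)
{
	return ~((int64_t)cluster_ratio - 1);
}

/* The patch's alignment test, (pstart & mask) < pstart, applied to a
 * physical block with a given mask. */
static bool pblk_misaligned(fsblk_t pstart, int64_t mask)
{
	return (pstart & (fsblk_t)mask) < pstart;
}

/* Offset of a physical block within its cluster, computed at 64-bit width;
 * a block is cluster-aligned exactly when this is zero. */
static unsigned int pblk_cluster_offset(fsblk_t pblk, unsigned int cluster_ratio)
{
	return (unsigned int)(pblk & ((fsblk_t)cluster_ratio - 1));
}

/* Logical start aligned down to its cluster. The narrow mask is sufficient
 * here because the logical block number is itself only 32 bits wide. */
static lblk_t lblk_align_down(lblk_t lblk, unsigned int cluster_ratio)
{
	return lblk & ~(cluster_ratio - 1);
}

/* Logical end of an extent whose length is counted in clusters: the length
 * must be converted to blocks before it is added to a block number. Adding
 * a block delta straight to a cluster count (the v1 mistake) is off by a
 * factor of cluster_ratio. */
static uint64_t extent_logical_end(lblk_t fe_logical, unsigned int fe_len_clusters,
				   unsigned int cluster_ratio)
{
	return (uint64_t)fe_logical + (uint64_t)fe_len_clusters * cluster_ratio;
}

int main(void)
{
	const unsigned int ratio = 16;
	/* Constructed: a cluster-aligned block just past 2^32 (16 TiB at 4k). */
	const fsblk_t high = (fsblk_t)1 << 32;

	printf("block 2^32: narrow mask says misaligned=%d, wide mask says misaligned=%d\n",
	       pblk_misaligned(high, narrow_mask(ratio)),
	       pblk_misaligned(high, wide_mask(ratio)));
	printf("cluster offset of 2^32+3: %u\n", pblk_cluster_offset(high + 3, ratio));
	printf("logical 47 aligned down: %u\n", lblk_align_down(47, ratio));
	printf("logical end of [8, +2 clusters): %llu\n",
	       (unsigned long long)extent_logical_end(8, 2, ratio));
	return 0;
}
```

The narrow mask gives the right answer for every block below 2^32 and for every 32-bit logical block, which is why a test on a small image never shows the difference; only a physical block number with bits set above bit 31 distinguishes the two masks, and there the narrow one reports an aligned block as misaligned. Computing the in-cluster offset at the width of the block number, as pblk_cluster_offset() does, sidesteps the question entirely.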
[syzbot ci] Re: ext4: fix unaligned preallocation with bigalloc
Posted by syzbot ci 1 week, 3 days ago
syzbot ci has tested the following series

[v1] ext4: fix unaligned preallocation with bigalloc
https://lore.kernel.org/all/20251121002209.416949-2-eraykrdg1@gmail.com
* [PATCH] ext4: fix unaligned preallocation with bigalloc

and found the following issue:
kernel BUG in ext4_mb_new_inode_pa

Full report is available here:
https://ci.syzbot.org/series/5fbb06a2-0d5c-4936-94b6-d73abad55373

***

kernel BUG in ext4_mb_new_inode_pa

tree:      torvalds
URL:       https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux
base:      23cb64fb76257309e396ea4cec8396d4a1dbae68
arch:      amd64
compiler:  Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
config:    https://ci.syzbot.org/builds/3beb0e0f-6449-481d-8a5c-870149d28caf/config
C repro:   https://ci.syzbot.org/findings/891b93f7-ef7e-4890-8c4b-ed438fa3fa28/c_repro
syz repro: https://ci.syzbot.org/findings/891b93f7-ef7e-4890-8c4b-ed438fa3fa28/syz_repro

loop0: detected capacity change from 0 to 1024
EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none.
------------[ cut here ]------------
kernel BUG at fs/ext4/mballoc.c:5312!
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 0 UID: 0 PID: 5990 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:ext4_mb_new_inode_pa+0x144e/0x1520 fs/ext4/mballoc.c:5312
Code: 5d 04 00 eb 2c e8 42 d8 43 ff 90 0f 0b e8 3a d8 43 ff 90 0f 0b e8 32 d8 43 ff eb 3c e8 2b d8 43 ff 90 0f 0b e8 23 d8 43 ff 90 <0f> 0b e8 1b d8 43 ff 31 f6 65 ff 0d 82 24 f2 0f 0f 94 c3 40 0f 94
RSP: 0018:ffffc900037c6a88 EFLAGS: 00010293
RAX: ffffffff827c2b9d RBX: 0000000000000201 RCX: ffff8881ba628000
RDX: 0000000000000000 RSI: 0000000000000201 RDI: 0000000000000210
RBP: 0000000000000190 R08: ffffea000418ec37 R09: 1ffffd4000831d86
R10: dffffc0000000000 R11: fffff94000831d87 R12: 0000000000000004
R13: ffff88801b03f2b8 R14: dffffc0000000000 R15: 0000000000000210
FS:  0000555557696500(0000) GS:ffff88818eb3b000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2f863fff CR3: 000000016b520000 CR4: 00000000000006f0
Call Trace:
 <TASK>
 ext4_mb_try_best_found+0x33e/0x440 fs/ext4/mballoc.c:2389
 ext4_mb_regular_allocator+0x9fa/0x2970 fs/ext4/mballoc.c:3040
 ext4_mb_new_blocks+0xd11/0x4720 fs/ext4/mballoc.c:6319
 ext4_ext_map_blocks+0x161a/0x6ac0 fs/ext4/extents.c:4383
 ext4_map_create_blocks fs/ext4/inode.c:609 [inline]
 ext4_map_blocks+0x860/0x1740 fs/ext4/inode.c:811
 _ext4_get_block+0x200/0x4c0 fs/ext4/inode.c:910
 ext4_get_block_unwritten+0x2e/0x100 fs/ext4/inode.c:943
 ext4_block_write_begin+0x993/0x1710 fs/ext4/inode.c:1198
 ext4_write_begin+0xc04/0x19a0 fs/ext4/ext4_jbd2.h:-1
 ext4_da_write_begin+0x445/0xda0 fs/ext4/inode.c:3129
 generic_perform_write+0x2c5/0x900 mm/filemap.c:4254
 ext4_buffered_write_iter+0xce/0x3a0 fs/ext4/file.c:299
 ext4_file_write_iter+0x298/0x1bc0 fs/ext4/file.c:-1
 new_sync_write fs/read_write.c:593 [inline]
 vfs_write+0x5c9/0xb30 fs/read_write.c:686
 ksys_pwrite64 fs/read_write.c:793 [inline]
 __do_sys_pwrite64 fs/read_write.c:801 [inline]
 __se_sys_pwrite64 fs/read_write.c:798 [inline]
 __x64_sys_pwrite64+0x193/0x220 fs/read_write.c:798
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f3f2c38f6c9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff15880d18 EFLAGS: 00000246 ORIG_RAX: 0000000000000012
RAX: ffffffffffffffda RBX: 00007f3f2c5e5fa0 RCX: 00007f3f2c38f6c9
RDX: 0000000000000001 RSI: 00002000000005c0 RDI: 0000000000000004
RBP: 00007f3f2c411f91 R08: 0000000000000000 R09: 0000000000000000
R10: 000000000004fed0 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f3f2c5e5fa0 R14: 00007f3f2c5e5fa0 R15: 0000000000000004
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:ext4_mb_new_inode_pa+0x144e/0x1520 fs/ext4/mballoc.c:5312
Code: 5d 04 00 eb 2c e8 42 d8 43 ff 90 0f 0b e8 3a d8 43 ff 90 0f 0b e8 32 d8 43 ff eb 3c e8 2b d8 43 ff 90 0f 0b e8 23 d8 43 ff 90 <0f> 0b e8 1b d8 43 ff 31 f6 65 ff 0d 82 24 f2 0f 0f 94 c3 40 0f 94
RSP: 0018:ffffc900037c6a88 EFLAGS: 00010293
RAX: ffffffff827c2b9d RBX: 0000000000000201 RCX: ffff8881ba628000
RDX: 0000000000000000 RSI: 0000000000000201 RDI: 0000000000000210
RBP: 0000000000000190 R08: ffffea000418ec37 R09: 1ffffd4000831d86
R10: dffffc0000000000 R11: fffff94000831d87 R12: 0000000000000004
R13: ffff88801b03f2b8 R14: dffffc0000000000 R15: 0000000000000210
FS:  0000555557696500(0000) GS:ffff88818eb3b000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2f863fff CR3: 000000016b520000 CR4: 00000000000006f0


***

If these findings have caused you to resend the series or submit a
separate fix, please add the following tag to your commit message:
  Tested-by: syzbot@syzkaller.appspotmail.com

---
This report is generated by a bot. It may contain errors.
syzbot ci engineers can be reached at syzkaller@googlegroups.com.
[PATCH v2] ext4: fix unaligned preallocation with bigalloc
Posted by Ahmet Eray Karadag 1 week, 2 days ago
Syzkaller reported a use-after-free in ext4_find_extent() when using
bigalloc. The crash occurs during the extent tree traversal when the
system tries to access a freed extent path.

The root cause is related to how the multi-block allocator (mballoc)
handles alignment in bigalloc filesystems (s_cluster_ratio > 1).
When a request for a block is made, mballoc might return a goal start
block that is not aligned to the cluster boundary (e.g., block 1 instead
of 0) because the cluster start is busy.

Previously, ext4_mb_new_inode_pa() and ext4_mb_new_group_pa() did not
strictly enforce cluster alignment or handle collisions where aligning
down would overlap with busy space. This resulted in the creation of
preallocation (PA) extents that started in the middle of a cluster.
This misalignment causes metadata inconsistency between the physical
allocation (bitmap) and the logical extent tree, eventually leading to
a use-after-free during inode eviction or truncation.

This patch fixes the issue by enforcing strict cluster alignment for
both inode and group preallocations.

Using AC_STATUS_BREAK ensures that we do not manually free the PA
(avoiding double-free bugs in the caller's cleanup path) and allows
the allocator to find a more suitable block group.

Tested with kvm-xfstests -c bigalloc_4k -g auto, no regressions found.

Reported-by: syzbot+ee60e584b5c6bb229126@syzkaller.appspotmail.com
Fixes: https://syzkaller.appspot.com/bug?extid=ee60e584b5c6bb229126
Co-developed-by: Albin Babu Varghese <albinbabuvarghese20@gmail.com>
Signed-off-by: Albin Babu Varghese <albinbabuvarghese20@gmail.com>
Signed-off-by: Ahmet Eray Karadag <eraykrdg1@gmail.com>
---
v2:
 - Removed incorrect logic that was adding block offset to cluster length
   (fe_len), which caused unit mismatch between clusters and blocks.
---
 fs/ext4/mballoc.c | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
index 9087183602e4..fefa3cc6adf8 100644
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -5291,6 +5291,22 @@ ext4_mb_new_inode_pa(struct ext4_allocation_context *ac)
 
 		ex.fe_logical = ac->ac_o_ex.fe_logical;
 adjust_bex:
+		if (sbi->s_cluster_ratio > 1) {
+			loff_t mask = ~(sbi->s_cluster_ratio - 1);
+			loff_t aligned_start = ex.fe_logical & mask;
+
+			if (aligned_start < ac->ac_g_ex.fe_logical) {
+				ac->ac_status = AC_STATUS_BREAK;
+				return;
+			}
+
+			ex.fe_logical = aligned_start;
+
+			if (extent_logical_end(sbi, &ex) > orig_goal_end) {
+				ac->ac_status = AC_STATUS_BREAK;
+				return;
+			}
+		}
 		ac->ac_b_ex.fe_logical = ex.fe_logical;
 
 		BUG_ON(ac->ac_o_ex.fe_logical < ac->ac_b_ex.fe_logical);
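Review bot: the unit fix over v1 is correct, but overriding ac_status with AC_STATUS_BREAK in this function is still the problem: ext4_mb_new_inode_pa() is reached from ext4_mb_use_best_found() (the ext4_mb_check_limits -> ext4_mb_use_best_found -> mb_mark_used frames in the second syzbot trace for this version show that path), i.e. after mb_mark_used() has marked ac_b_ex in the buddy bitmap and ac_status has been set to AC_STATUS_FOUND. AC_STATUS_BREAK is the allocator's "scanned enough, use the best extent found" status, so returning it from here makes ext4_mb_regular_allocator() treat the allocation as lost and rescan while the blocks remain marked, which is consistent with the WARNINGs in ext4_mb_complex_scan_group and mb_update_avg_fragment_size that syzbot reports against v2. A PA that cannot be created for an unaligned request should simply not be created (the allocation itself can still succeed), or the alignment should be applied where the goal is computed, in ext4_mb_normalize_request(), before any extent is marked. Two smaller points: `if (aligned_start < ac->ac_g_ex.fe_logical)` bails out whenever aligning down crosses the goal start, while the existing code sets ex.fe_logical from ac->ac_o_ex.fe_logical and only asserts `ac->ac_o_ex.fe_logical < ac->ac_b_ex.fe_logical` never holds, so the commit message should say why the goal start rather than the original request is the right lower bound; and `loff_t mask = ~(sbi->s_cluster_ratio - 1);` is computed at unsigned int width before widening (harmless for the 32-bit fe_logical, but EXT4_LBLK_CMASK(sbi, lblk) already exists for this).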
@@ -5336,6 +5352,7 @@ static noinline_for_stack void
 ext4_mb_new_group_pa(struct ext4_allocation_context *ac)
 {
 	struct super_block *sb = ac->ac_sb;
+	struct ext4_sb_info *sbi = EXT4_SB(sb);
 	struct ext4_locality_group *lg;
 	struct ext4_prealloc_space *pa;
 	struct ext4_group_info *grp;
@@ -5347,7 +5364,15 @@ ext4_mb_new_group_pa(struct ext4_allocation_context *ac)
 	BUG_ON(ac->ac_pa == NULL);
 
 	pa = ac->ac_pa;
+	if (sbi->s_cluster_ratio > 1) {
+		loff_t mask = ~(sbi->s_cluster_ratio - 1);
+		loff_t pstart = ext4_grp_offs_to_block(sb, &ac->ac_b_ex);
 
+		if ((pstart & mask) < pstart) {
+			ac->ac_status = AC_STATUS_BREAK;
+			return;
+		}
+	}
 	pa->pa_pstart = ext4_grp_offs_to_block(sb, &ac->ac_b_ex);
 	pa->pa_lstart = pa->pa_pstart;
 	pa->pa_len = ac->ac_b_ex.fe_len;
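Review bot: this hunk is unchanged from v1, and the same two questions stand. First, `if ((pstart & mask) < pstart)` needs a stated reachable case: pstart is the result of ext4_grp_offs_to_block(), which converts the cluster-unit fe_start to blocks and adds the group's first block, so a group PA start should already be cluster-aligned, and the misaligned goal the commit message describes lives in ac_g_ex.fe_logical, which this physical check never examines. Second, the mask is built at unsigned int width, so `pstart & mask` clears bits 32 and above of the ext4_fsblk_t and reports every block at or beyond 2^32 as misaligned; `EXT4_PBLK_COFF(sbi, pstart) != 0` is the width-safe form. As with the inode PA hunk, returning AC_STATUS_BREAK after mb_mark_used() has already marked ac_b_ex leaves that extent marked while the allocator restarts its scan, rather than letting it "find a more suitable block group".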
-- 
2.43.0
[syzbot ci] Re: ext4: fix unaligned preallocation with bigalloc
Posted by syzbot ci 1 week, 2 days ago
syzbot ci has tested the following series

[v2] ext4: fix unaligned preallocation with bigalloc
https://lore.kernel.org/all/20251122024555.140798-2-eraykrdg1@gmail.com
* [PATCH v2] ext4: fix unaligned preallocation with bigalloc

and found the following issues:
* WARNING in ext4_mb_complex_scan_group
* WARNING in mb_update_avg_fragment_size

Full report is available here:
https://ci.syzbot.org/series/ba644d0c-b0cd-47e5-aac4-5bc33f8d2823

***

WARNING in ext4_mb_complex_scan_group

tree:      torvalds
URL:       https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux
base:      23cb64fb76257309e396ea4cec8396d4a1dbae68
arch:      amd64
compiler:  Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
config:    https://ci.syzbot.org/builds/3d0f1523-91b4-4aa0-b4ec-0f13803a4e4e/config
C repro:   https://ci.syzbot.org/findings/d24ca945-6ee1-4b64-827e-93a61ab96735/c_repro
syz repro: https://ci.syzbot.org/findings/d24ca945-6ee1-4b64-827e-93a61ab96735/syz_repro

EXT4-fs: Ignoring removed bh option
EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: writeback.
------------[ cut here ]------------
WARNING: CPU: 1 PID: 5962 at fs/ext4/mballoc.c:2531 ext4_mb_complex_scan_group+0xd64/0xf30 fs/ext4/mballoc.c:2531
Modules linked in:
CPU: 1 UID: 0 PID: 5962 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:ext4_mb_complex_scan_group+0xd64/0xf30 fs/ext4/mballoc.c:2531
Code: 81 c4 c8 00 00 00 5b 41 5c 41 5d 41 5e 41 5f 5d e9 01 f8 cc 08 cc e8 1b 97 43 ff 90 0f 0b 90 e9 3d fe ff ff e8 0d 97 43 ff 90 <0f> 0b 65 48 8b 05 62 e3 f1 0f 48 3b 84 24 c0 00 00 00 75 20 90 eb
RSP: 0018:ffffc90003c069c8 EFLAGS: 00010293
RAX: ffffffff827c6cb3 RBX: 00000000fffffff8 RCX: ffff888114d61d00
RDX: 0000000000000000 RSI: 00000000fffffff8 RDI: 0000000000000001
RBP: ffff88816ef5b000 R08: ffff888114d61d00 R09: 0000000000000005
R10: 0000000000000004 R11: 0000000000000000 R12: ffff888166fec000
R13: ffff888166fec638 R14: ffff8881b7ac0000 R15: dffffc0000000000
FS:  0000555585e78500(0000) GS:ffff8882a9f3b000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2ec63fff CR3: 000000011407a000 CR4: 00000000000006f0
Call Trace:
 <TASK>
 __ext4_mb_scan_group fs/ext4/mballoc.c:2664 [inline]
 ext4_mb_scan_group+0x116e/0x18e0 fs/ext4/mballoc.c:2955
 ext4_mb_scan_groups_linear+0xe8/0x360 fs/ext4/mballoc.c:1146
 ext4_mb_scan_groups fs/ext4/mballoc.c:1180 [inline]
 ext4_mb_regular_allocator+0x90e/0x2970 fs/ext4/mballoc.c:3026
 ext4_mb_new_blocks+0xd11/0x4720 fs/ext4/mballoc.c:6320
 ext4_ext_map_blocks+0x161a/0x6ac0 fs/ext4/extents.c:4383
 ext4_map_create_blocks fs/ext4/inode.c:609 [inline]
 ext4_map_blocks+0x860/0x1740 fs/ext4/inode.c:811
 _ext4_get_block+0x200/0x4c0 fs/ext4/inode.c:910
 ext4_get_block_unwritten+0x2e/0x100 fs/ext4/inode.c:943
 ext4_block_write_begin+0x993/0x1710 fs/ext4/inode.c:1198
 ext4_write_begin+0xc04/0x19a0 fs/ext4/ext4_jbd2.h:-1
 ext4_da_write_begin+0x445/0xda0 fs/ext4/inode.c:3129
 generic_perform_write+0x2c5/0x900 mm/filemap.c:4254
 ext4_buffered_write_iter+0xce/0x3a0 fs/ext4/file.c:299
 ext4_file_write_iter+0x298/0x1bc0 fs/ext4/file.c:-1
 new_sync_write fs/read_write.c:593 [inline]
 vfs_write+0x5c9/0xb30 fs/read_write.c:686
 ksys_write+0x145/0x250 fs/read_write.c:738
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f3f93f8f749
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff83277a88 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f3f941e5fa0 RCX: 00007f3f93f8f749
RDX: 0000000000001006 RSI: 0000200000000940 RDI: 0000000000000005
RBP: 00007f3f94013f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f3f941e5fa0 R14: 00007f3f941e5fa0 R15: 0000000000000003
 </TASK>


***

WARNING in mb_update_avg_fragment_size

tree:      torvalds
URL:       https://kernel.googlesource.com/pub/scm/linux/kernel/git/torvalds/linux
base:      23cb64fb76257309e396ea4cec8396d4a1dbae68
arch:      amd64
compiler:  Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
config:    https://ci.syzbot.org/builds/3d0f1523-91b4-4aa0-b4ec-0f13803a4e4e/config
C repro:   https://ci.syzbot.org/findings/4f77b4c9-f795-4c41-ad77-5c5a174be3a1/c_repro
syz repro: https://ci.syzbot.org/findings/4f77b4c9-f795-4c41-ad77-5c5a174be3a1/syz_repro

EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: writeback.
EXT4-fs: Ignoring removed orlov option
EXT4-fs (loop0): can't enable nombcache during remount
------------[ cut here ]------------
WARNING: CPU: 1 PID: 5969 at fs/ext4/mballoc.c:839 mb_avg_fragment_size_order fs/ext4/mballoc.c:839 [inline]
WARNING: CPU: 1 PID: 5969 at fs/ext4/mballoc.c:839 mb_update_avg_fragment_size+0x304/0x450 fs/ext4/mballoc.c:856
Modules linked in:
CPU: 1 UID: 0 PID: 5969 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:mb_avg_fragment_size_order fs/ext4/mballoc.c:839 [inline]
RIP: 0010:mb_update_avg_fragment_size+0x304/0x450 fs/ext4/mballoc.c:856
Code: 5d 41 5e 41 5f 5d e9 1b 6a cd 08 e8 96 57 44 ff 48 83 c4 28 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc e8 7d 57 44 ff 90 <0f> 0b 90 48 bb 00 00 00 00 00 fc ff df 41 0f b6 44 1d 00 84 c0 0f
RSP: 0018:ffffc90003a56f48 EFLAGS: 00010293
RAX: ffffffff827bac43 RBX: 000000000000000d RCX: ffff8881037ad700
RDX: 0000000000000000 RSI: 000000000000000c RDI: 000000000000001e
RBP: 000000000000001e R08: ffff8881a9014007 R09: 1ffff11035202800
R10: dffffc0000000000 R11: ffffed1035202801 R12: ffff88810b77e014
R13: 1ffff110216efc02 R14: 000000000000001f R15: 000000000000000c
FS:  000055557ed08500(0000) GS:ffff8882a9f3b000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f9c75c3f000 CR3: 0000000112a5a000 CR4: 00000000000006f0
Call Trace:
 <TASK>
 mb_mark_used+0xfd8/0x12f0 fs/ext4/mballoc.c:2195
 ext4_mb_use_best_found+0x192/0x7e0 fs/ext4/mballoc.c:2216
 ext4_mb_check_limits fs/ext4/mballoc.c:2280 [inline]
 ext4_mb_complex_scan_group+0xd27/0xf30 fs/ext4/mballoc.c:2596
 __ext4_mb_scan_group fs/ext4/mballoc.c:2664 [inline]
 ext4_mb_scan_group+0x116e/0x18e0 fs/ext4/mballoc.c:2955
 ext4_mb_scan_groups_linear+0xe8/0x360 fs/ext4/mballoc.c:1146
 ext4_mb_scan_groups fs/ext4/mballoc.c:1180 [inline]
 ext4_mb_regular_allocator+0x90e/0x2970 fs/ext4/mballoc.c:3026
 ext4_mb_new_blocks+0xd11/0x4720 fs/ext4/mballoc.c:6320
 ext4_ext_map_blocks+0x161a/0x6ac0 fs/ext4/extents.c:4383
 ext4_map_create_blocks fs/ext4/inode.c:609 [inline]
 ext4_map_blocks+0x860/0x1740 fs/ext4/inode.c:811
 ext4_convert_inline_data_nolock+0x249/0x970 fs/ext4/inline.c:1112
 ext4_convert_inline_data+0x4b3/0x5e0 fs/ext4/inline.c:1976
 ext4_fallocate+0x1e2/0x3d0 fs/ext4/extents.c:4793
 vfs_fallocate+0x669/0x7e0 fs/open.c:342
 ksys_fallocate fs/open.c:366 [inline]
 __do_sys_fallocate fs/open.c:371 [inline]
 __se_sys_fallocate fs/open.c:369 [inline]
 __x64_sys_fallocate+0xc0/0x110 fs/open.c:369
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f9c7eb8f749
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd1029f7c8 EFLAGS: 00000246 ORIG_RAX: 000000000000011d
RAX: ffffffffffffffda RBX: 00007f9c7ede5fa0 RCX: 00007f9c7eb8f749
RDX: 0000000000004003 RSI: 0000000000000000 RDI: 0000000000000004
RBP: 00007f9c7ec13f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000010000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f9c7ede5fa0 R14: 00007f9c7ede5fa0 R15: 0000000000000004
 </TASK>


***

If these findings have caused you to resend the series or submit a
separate fix, please add the following tag to your commit message:
  Tested-by: syzbot@syzkaller.appspotmail.com

---
This report is generated by a bot. It may contain errors.
syzbot ci engineers can be reached at syzkaller@googlegroups.com.