syzbot


WARNING in __ocfs2_decrease_refcount

Status: upstream: reported on 2026/05/18 02:46
Subsystems: ocfs2
Labels: prio:high
Reported-by: syzbot+3ef989aae096b30f1663@syzkaller.appspotmail.com
Fix commit: ocfs2: fix out-of-bounds write in ocfs2_remove_refcount_extent
Patched on: [ci-upstream-linux-next-kasan-gce-root ci-upstream-rust-kasan-gce], missing on: [ci-qemu-gce-upstream-auto ci-qemu-native-arm64-kvm ci-qemu-upstream ci-qemu-upstream-386 ci-qemu2-arm32 ci-qemu2-arm64 ci-qemu2-arm64-compat ci-qemu2-arm64-mte ci-qemu2-riscv64 ci-snapshot-upstream-root ci-upstream-bpf-kasan-gce ci-upstream-bpf-next-kasan-gce ci-upstream-gce-arm64 ci-upstream-gce-leak ci-upstream-kasan-badwrites-root ci-upstream-kasan-gce ci-upstream-kasan-gce-386 ci-upstream-kasan-gce-root ci-upstream-kasan-gce-selinux-root ci-upstream-kasan-gce-smack-root ci-upstream-kmsan-gce-386-root ci-upstream-kmsan-gce-root ci-upstream-net-kasan-gce ci-upstream-net-this-kasan-gce ci2-upstream-fs ci2-upstream-kcsan-gce ci2-upstream-usb]
First crash: 30d, last: 5d11h
AI Jobs (1)
ID: bd7c1e90-fd51-48f7-b170-32bc4ced1e65
Workflow: assessment-security
Result: DenialOfService: ✅, Exploitable: ❌, FilesystemTrigger: ✅, NetworkTrigger: ❌, PeripheralTrigger: ❌, RemoteTrigger: ❌, Unprivileged: ✅, UserNamespace: ❌, VMGuestTrigger: ❌, VMHostTrigger: ❌
Bug: WARNING in __ocfs2_decrease_refcount
Created: 2026/05/31 14:16
Started: 2026/05/31 14:16
Finished: 2026/05/31 15:10
Revision: 6b4a844333e83556da95d61d7f207e7ef5cd4bc6
Discussions (2)
Title                                                                    Replies (including bot)  Last reply
[PATCH] ocfs2: fix out-of-bounds write in ocfs2_remove_refcount_extent  2 (2)                    2026/06/02 02:18
[syzbot] [ocfs2?] WARNING in __ocfs2_decrease_refcount                   0 (1)                    2026/05/18 02:46

Sample crash report:
loop0: detected capacity change from 0 to 32768
=======================================================
WARNING: The mand mount option has been deprecated and
         and is ignored by this kernel. Remove the mand
         option from the mount to silence this warning.
=======================================================
JBD2: Ignoring recovery information on journal
ocfs2: Mounting device (7,0) on (node local, slot 0) with ordered data mode.
------------[ cut here ]------------
memset: detected buffer overflow: 384 byte write of buffer size 16
WARNING: lib/string_helpers.c:1037 at __fortify_report+0x6b/0xa0 lib/string_helpers.c:1036, CPU#0: syz.0.0/5324
Modules linked in:
CPU: 0 UID: 0 PID: 5324 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:__fortify_report+0x89/0xa0 lib/string_helpers.c:1036
Code: e8 6c bf 7e fd 48 8d 3d d5 53 87 0b 45 84 e4 49 8b 37 48 c7 c0 40 13 28 8c 48 c7 c1 60 13 28 8c 48 0f 44 c8 4c 89 f2 49 89 d8 <67> 48 0f b9 3a 5b 41 5c 41 5e 41 5f 5d e9 85 7b f8 06 cc cc cc cc
RSP: 0018:ffffc900034ae7e8 EFLAGS: 00010202
RAX: ffffffff8c281340 RBX: 0000000000000010 RCX: ffffffff8c281360
RDX: 0000000000000180 RSI: ffffffff8c281200 RDI: ffffffff903b4200
RBP: 000000000000000f R08: 0000000000000010 R09: 1ffffffff2060b5e
R10: dffffc0000000000 R11: fffffbfff2060b5f R12: 0000000000000001
R13: 1ffff110086e52d0 R14: 0000000000000180 R15: ffffffff8c281038
FS:  00007fcaf85296c0(0000) GS:ffff88808c894000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055ba4e047168 CR3: 0000000043a97000 CR4: 0000000000352ef0
Call Trace:
 <TASK>
 __fortify_panic+0x9/0x10 lib/string_helpers.c:1043
 fortify_memset_chk include/linux/fortify-string.h:495 [inline]
 ocfs2_remove_refcount_extent fs/ocfs2/refcounttree.c:2134 [inline]
 ocfs2_decrease_refcount_rec fs/ocfs2/refcounttree.c:2203 [inline]
 __ocfs2_decrease_refcount+0x1990/0x19e0 fs/ocfs2/refcounttree.c:2249
 ocfs2_decrease_refcount+0x59c/0x7d0 fs/ocfs2/refcounttree.c:2312
 ocfs2_remove_btree_range+0x125b/0x1610 fs/ocfs2/alloc.c:5800
 ocfs2_commit_truncate+0xbb8/0x2310 fs/ocfs2/alloc.c:7383
 ocfs2_truncate_file+0xcf5/0x14e0 fs/ocfs2/file.c:510
 ocfs2_setattr+0x15e5/0x1ca0 fs/ocfs2/file.c:1219
 notify_change+0xc1a/0xf40 fs/attr.c:556
 do_truncate+0x1c2/0x250 fs/open.c:68
 handle_truncate fs/namei.c:4307 [inline]
 do_open fs/namei.c:4703 [inline]
 path_openat+0x2f89/0x3860 fs/namei.c:4858
 do_file_open+0x23e/0x4a0 fs/namei.c:4887
 do_sys_openat2+0x113/0x200 fs/open.c:1364
 do_sys_open fs/open.c:1370 [inline]
 __do_sys_openat fs/open.c:1386 [inline]
 __se_sys_openat fs/open.c:1381 [inline]
 __x64_sys_openat+0x138/0x170 fs/open.c:1381
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fcaf759ce59
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fcaf8528fe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007fcaf7815fa0 RCX: 00007fcaf759ce59
RDX: 0000000000080281 RSI: 0000200000000100 RDI: ffffffffffffff9c
RBP: 00007fcaf7632d6f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fcaf7816038 R14: 00007fcaf7815fa0 R15: 00007ffcf06c1518
 </TASK>
----------------
Code disassembly (best guess):
   0:	e8 6c bf 7e fd       	call   0xfd7ebf71
   5:	48 8d 3d d5 53 87 0b 	lea    0xb8753d5(%rip),%rdi        # 0xb8753e1
   c:	45 84 e4             	test   %r12b,%r12b
   f:	49 8b 37             	mov    (%r15),%rsi
  12:	48 c7 c0 40 13 28 8c 	mov    $0xffffffff8c281340,%rax
  19:	48 c7 c1 60 13 28 8c 	mov    $0xffffffff8c281360,%rcx
  20:	48 0f 44 c8          	cmove  %rax,%rcx
  24:	4c 89 f2             	mov    %r14,%rdx
  27:	49 89 d8             	mov    %rbx,%r8
* 2a:	67 48 0f b9 3a       	ud1    (%edx),%rdi <-- trapping instruction
  2f:	5b                   	pop    %rbx
  30:	41 5c                	pop    %r12
  32:	41 5e                	pop    %r14
  34:	41 5f                	pop    %r15
  36:	5d                   	pop    %rbp
  37:	e9 85 7b f8 06       	jmp    0x6f87bc1
  3c:	cc                   	int3
  3d:	cc                   	int3
  3e:	cc                   	int3
  3f:	cc                   	int3

Crashes (11):
Time              Kernel    Commit        Syzkaller  Manager                    Title
2026/06/08 02:04  upstream  33d8d8ec31b5  cc095639   ci-snapshot-upstream-root  WARNING in __ocfs2_decrease_refcount
2026/06/06 10:48  upstream  06121e12c27a  cc095639   ci-snapshot-upstream-root  WARNING in __ocfs2_decrease_refcount
2026/05/29 19:58  upstream  8fde5d1d47f6  a3d70215   ci-snapshot-upstream-root  WARNING in __ocfs2_decrease_refcount
2026/05/27 06:45  upstream  d60ec36cab33  2b01f00e   ci-snapshot-upstream-root  WARNING in __ocfs2_decrease_refcount
2026/05/25 18:41  upstream  e7ae89a0c97c  c69befb3   ci-snapshot-upstream-root  WARNING in __ocfs2_decrease_refcount
2026/05/23 15:59  upstream  79bd2dded182  c69befb3   ci-snapshot-upstream-root  WARNING in __ocfs2_decrease_refcount
2026/05/22 03:57  upstream  758c807bb943  70ae9b03   ci-snapshot-upstream-root  WARNING in __ocfs2_decrease_refcount
2026/05/20 18:54  upstream  df685633c3db  585486f8   ci-snapshot-upstream-root  WARNING in __ocfs2_decrease_refcount
2026/05/18 17:13  upstream  5200f5f493f7  143ffb88   ci-snapshot-upstream-root  WARNING in __ocfs2_decrease_refcount
2026/05/18 05:21  upstream  e5d505e3664b  de5aae85   ci-snapshot-upstream-root  WARNING in __ocfs2_decrease_refcount
2026/05/14 02:39  upstream  e1914add2799  e8909b29   ci-snapshot-upstream-root  WARNING in __ocfs2_decrease_refcount
Every crash row links to a .config, console log, report and assets (disk image (non-bootable), vmlinux, kernel image); no syz or C reproducer and no VM info are listed for any of them.