syzbot


kernel BUG in set_state_bits

Status: upstream: reported C repro on 2025/04/28 01:43
Bug presence: origin:upstream
Labels: missing-backport
Reported-by: syzbot+b13aa98c4b4044d807f7@syzkaller.appspotmail.com
First crash: 422d, last: 23h20m
Fix bisection: failed (error log, bisect log)
Bug presence (3)
Date Name Commit Repro Result
2025/08/10 linux-6.1.y (ToT) 3594f306da12 C [report] kernel BUG in set_state_bits
2025/04/30 upstream (ToT) b6ea1680d0ac C [report] BUG: MAX_LOCKDEP_CHAIN_HLOCKS too low!
2025/08/10 upstream (ToT) 8f5ae30d69d7 C Didn't crash
Similar bugs (2)
Kernel Title Rank 🛈 Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-5.15 kernel BUG in set_state_bits origin:upstream -1 C error 21 23d 1177d 0/3 upstream: reported C repro on 2023/04/03 19:24
upstream kernel BUG in set_state_bits btrfs -1 C done done 97 717d 1300d 0/29 auto-obsoleted due to no activity on 2025/11/10 23:39
Fix bisection attempts (2)
Created Duration User Patch Repo Result
2025/10/29 23:25 2h06m fix candidate upstream OK (0) job log
2025/05/31 12:46 14m bisect fix linux-6.1.y error job log

Sample crash report:
 el0_svc_common+0x13c/0x258 arch/arm64/kernel/syscall.c:140
 do_el0_svc+0x5c/0x134 arch/arm64/kernel/syscall.c:204
 el0_svc+0x58/0x128 arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
------------[ cut here ]------------
kernel BUG at fs/btrfs/extent-io-tree.c:381!
Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 4461 Comm: syz.0.17 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/02/2026
pstate: 82400005 (Nzcv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=--)
pc : set_state_bits+0x1b4/0x1b8 fs/btrfs/extent-io-tree.c:381
lr : set_state_bits+0x1b4/0x1b8 fs/btrfs/extent-io-tree.c:381
sp : ffff800020f06aa0
x29: ffff800020f06aa0 x28: 0000000000001000 x27: 0000000000000000
x26: ffff0000c4918600 x25: ffff0000cc054a80 x24: 0000000000001000
x23: dfff800000000000 x22: 0000000000001fff x21: 00000000fffffff4
x20: 0000000000001000 x19: ffff0000c4918600 x18: 0000000000000000
x17: 0000000000000000 x16: ffff800011b3e320 x15: 0000000000000000
x14: 0000000000000001 x13: 1ffff00002abcf8e x12: 0000000000000000
x11: ff0080000a1c2d70 x10: 0000000000000000 x9 : ffff80000a1c2d70
x8 : ffff0000d16d8000 x7 : 0000000000000001 x6 : 0000000000000001
x5 : 00000000ffffffff x4 : 0000000000000a20 x3 : 0000000000000a20
x2 : 0000000000000038 x1 : 00000000fffffff4 x0 : 0000000000000000
Call trace:
 set_state_bits+0x1b4/0x1b8 fs/btrfs/extent-io-tree.c:381
 __set_extent_bit+0x151c/0x189c fs/btrfs/extent-io-tree.c:1144
 set_record_extent_bits+0x68/0x98 fs/btrfs/extent-io-tree.c:1607
 qgroup_reserve_data+0x214/0x8c0 fs/btrfs/qgroup.c:3817
 btrfs_qgroup_reserve_data+0x40/0xd8 fs/btrfs/qgroup.c:3860
 btrfs_check_data_free_space+0x12c/0x208 fs/btrfs/delalloc-space.c:152
 btrfs_delalloc_reserve_space+0x4c/0x1ec fs/btrfs/delalloc-space.c:470
 btrfs_page_mkwrite+0x340/0xbb8 fs/btrfs/inode.c:8628
 do_page_mkwrite+0x140/0x35c mm/memory.c:3009
 wp_page_shared+0x14c/0x544 mm/memory.c:3358
 do_wp_page+0xc88/0xed4 mm/memory.c:3508
 handle_pte_fault mm/memory.c:5047 [inline]
 __handle_mm_fault mm/memory.c:5171 [inline]
 handle_mm_fault+0x1520/0x3018 mm/memory.c:5292
 faultin_page mm/gup.c:1026 [inline]
 __get_user_pages+0x340/0x770 mm/gup.c:1250
 __get_user_pages_locked mm/gup.c:1454 [inline]
 get_user_pages_unlocked+0x1b4/0x62c mm/gup.c:2371
 __gup_longterm_unlocked mm/gup.c:2982 [inline]
 internal_get_user_pages_fast+0x1694/0x1a4c mm/gup.c:3072
 get_user_pages_fast+0x60/0x94 mm/gup.c:3164
 __iov_iter_get_pages_alloc+0x2e0/0x808 lib/iov_iter.c:1460
 iov_iter_get_pages2+0x74/0xbc lib/iov_iter.c:1503
 fuse_copy_fill+0x328/0x800 fs/fuse/dev.c:735
 fuse_copy_one+0xd4/0x2d8 fs/fuse/dev.c:1002
 fuse_dev_do_read+0xa1c/0xf38 fs/fuse/dev.c:1297
 fuse_dev_read+0xdc/0x140 fs/fuse/dev.c:1366
 call_read_iter include/linux/fs.h:2259 [inline]
 new_sync_read fs/read_write.c:389 [inline]
 vfs_read+0x3cc/0x7b8 fs/read_write.c:470
 ksys_read+0x12c/0x228 fs/read_write.c:613
 __do_sys_read fs/read_write.c:623 [inline]
 __se_sys_read fs/read_write.c:621 [inline]
 __arm64_sys_read+0x7c/0x90 fs/read_write.c:621
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x290 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x13c/0x258 arch/arm64/kernel/syscall.c:140
 do_el0_svc+0x5c/0x134 arch/arm64/kernel/syscall.c:204
 el0_svc+0x58/0x128 arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
Code: 9101f260 979cc424 17ffffb7 978bbe2c (d4210000) 
---[ end trace 0000000000000000 ]---

Crashes (3):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2026/06/23 03:34 linux-6.1.y fdb6fcb41cc7 5a630be6 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro (clean fs)] ci2-linux-6-1-kasan-arm64 kernel BUG in set_state_bits
2025/04/28 01:42 linux-6.1.y 535ec20c5027 c6b4fb39 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro (clean fs)] ci2-linux-6-1-kasan-arm64 kernel BUG in set_state_bits
2026/06/23 02:58 linux-6.1.y fdb6fcb41cc7 5a630be6 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 kernel BUG in set_state_bits
* Struck through repros no longer work on HEAD.