Hi Kent, I'm investigating syzbot report 564efbe31172fe908429 and have successfully reproduced the crash with the C reproducer.
Link: https://syzkaller.appspot.com/bug?extid=564efbe31172fe908429

The issue: bch2_extent_ptr_to_text() crashes when called on a corrupted extent pointer (bucket 27 < first_bucket 1024). The validation already detected this:

  "invalid bkey: pointer before first bucket (27 < 1024), deleting"

But bch2_extent_ptr_to_text() is still called afterward (for debug output) and crashes in dev_ptr_stale_rcu() when it tries to access bucket metadata at an invalid offset.

Looking at the code in fs/bcachefs/extents.c:1247, the function calls dev_ptr_stale_rcu() without checking if the bucket number is valid. Should I add bounds checking like this:

  if (b < ca->mi.first_bucket || b >= ca->mi.nbuckets) {
      prt_str(out, " invalid");
  } else {
      int stale = dev_ptr_stale_rcu(ca, ptr);
      ...
  }

Or is there a better approach? I want to make sure I'm fixing this correctly since you reviewed my previous dirent patch.

Thanks,
Nirbhay Sharma
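The pattern under discussion, as an added stand-alone example that is not bcachefs code and not part of the message above: a toy device with a `first_bucket`/`nbuckets` range and a per-bucket generation array, plus a pointer-to-bucket conversion. Every name and layout here (`toy_dev`, `toy_ptr`, `toy_gens`, the `gens[b - first_bucket]` indexing, the `bucket_size` of 8 sectors) is an assumption made for illustration. It shows why an unguarded lookup on a pointer whose bucket is below `first_bucket` is dangerous (the unsigned index wraps to a huge value) and what the guarded stale check and text rendering look like.

```c
/* Added example, not bcachefs code. All structures and names are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct toy_dev {
    uint64_t first_bucket;  /* first usable bucket number */
    uint64_t nbuckets;      /* one past the last usable bucket number */
    uint16_t bucket_size;   /* sectors per bucket (assumed layout) */
    uint8_t *gens;          /* gens[b - first_bucket], one entry per usable bucket */
};

struct toy_ptr {
    uint64_t offset;  /* sector offset on the device */
    uint8_t gen;      /* generation the pointer was written with */
};

/* Constructed backing store: generations for buckets 1024..2047. */
static uint8_t toy_gens[1024];

static struct toy_dev toy_make_dev(void)
{
    struct toy_dev ca = {
        .first_bucket = 1024,
        .nbuckets = 2048,
        .bucket_size = 8,
        .gens = toy_gens,
    };
    return ca;
}

/* Bucket number a pointer lands in (assumed: offset / bucket_size). */
static uint64_t toy_ptr_bucket_nr(const struct toy_dev *ca, const struct toy_ptr *p)
{
    return p->offset / ca->bucket_size;
}

/* The bounds check: is b a bucket this device actually has? */
static int toy_bucket_valid(const struct toy_dev *ca, uint64_t b)
{
    return b >= ca->first_bucket && b < ca->nbuckets;
}

/* What an unguarded lookup would compute as the gens[] index.
 * For b < first_bucket the unsigned subtraction wraps to a huge value,
 * which is exactly the kind of out-of-range access the crash reflects. */
static uint64_t toy_unchecked_index(const struct toy_dev *ca, uint64_t b)
{
    return b - ca->first_bucket;
}

/* Guarded stale check: how far the pointer's gen lags the bucket's gen.
 * Returns -1 for an out-of-range bucket instead of touching gens[]. */
static int toy_ptr_stale(const struct toy_dev *ca, const struct toy_ptr *p)
{
    uint64_t b = toy_ptr_bucket_nr(ca, p);

    if (!toy_bucket_valid(ca, b))
        return -1;
    return (uint8_t)(ca->gens[b - ca->first_bucket] - p->gen);
}

/* Render a pointer for debug output, marking invalid buckets rather than
 * dereferencing their metadata. Returns the number of characters written. */
static int toy_ptr_to_text(char *out, size_t n,
                           const struct toy_dev *ca, const struct toy_ptr *p)
{
    uint64_t b = toy_ptr_bucket_nr(ca, p);
    int stale = toy_ptr_stale(ca, p);

    if (stale < 0)
        return snprintf(out, n, "ptr: bucket %llu gen %u invalid",
                        (unsigned long long)b, p->gen);
    return snprintf(out, n, "ptr: bucket %llu gen %u stale %d",
                    (unsigned long long)b, p->gen, stale);
}

int main(void)
{
    struct toy_dev ca = toy_make_dev();
    struct toy_ptr bad = { .offset = 27 * 8, .gen = 1 };    /* bucket 27 < 1024 */
    struct toy_ptr good = { .offset = 1500 * 8, .gen = 3 }; /* bucket 1500 */
    char buf[64];

    toy_gens[1500 - 1024] = 5;
    toy_ptr_to_text(buf, sizeof buf, &ca, &bad);
    puts(buf);
    toy_ptr_to_text(buf, sizeof buf, &ca, &good);
    puts(buf);
    return 0;
}
```

The point of `toy_unchecked_index()` is only to make the failure mode visible: with `first_bucket = 1024`, bucket 27 yields an index near `UINT64_MAX`, so any array-style access on it reads far outside the per-bucket metadata. The guarded path short-circuits before that index is ever formed.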
