[syzbot] [btrfs?] kernel BUG in prepare_to_merge


syzbot

Jul 1, 2023, 4:46:05 PM
to c...@fb.com, dst...@suse.com, jo...@toxicpanda.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 533925cb7604 Merge tag 'riscv-for-linus-6.5-mw1' of git://..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14d8b610a80000
kernel config: https://syzkaller.appspot.com/x/.config?x=12464973c17d2b37
dashboard link: https://syzkaller.appspot.com/bug?extid=ae97a827ae1c3336bbb4
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/7b23da6a6f6c/disk-533925cb.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/f163e9ea9946/vmlinux-533925cb.xz
kernel image: https://storage.googleapis.com/syzbot-assets/5b943aa5a1e1/bzImage-533925cb.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ae97a8...@syzkaller.appspotmail.com

assertion failed: root->reloc_root == reloc_root, in fs/btrfs/relocation.c:1919
------------[ cut here ]------------
kernel BUG at fs/btrfs/relocation.c:1919!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 9904 Comm: syz-executor.3 Not tainted 6.4.0-syzkaller-08881-g533925cb7604 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
RIP: 0010:prepare_to_merge+0xbb2/0xc40 fs/btrfs/relocation.c:1919
Code: fe e9 f5 f7 ff ff e8 6d 62 ec fd 48 c7 c7 20 5e 4b 8b 48 c7 c6 c0 6d 4b 8b 48 c7 c2 a0 5e 4b 8b b9 7f 07 00 00 e8 8e d8 15 07 <0f> 0b e8 d7 17 18 07 f3 0f 1e fa e8 3e 62 ec fd 43 80 3c 2f 00 74
RSP: 0018:ffffc9000325f760 EFLAGS: 00010246
RAX: 000000000000004f RBX: ffff888075644030 RCX: 1481ccc522da5800
RDX: ffffc90005c09000 RSI: 00000000000364ca RDI: 00000000000364cb
RBP: ffffc9000325f870 R08: ffffffff816f33ac R09: 1ffff9200064bea0
R10: dffffc0000000000 R11: fffff5200064bea1 R12: ffff888075644000
R13: ffff88803b166000 R14: ffff88803b166560 R15: ffff88803b166558
FS: 00007f4e305fd700(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000056080679c000 CR3: 00000000193ad000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
relocate_block_group+0xa5d/0xcd0 fs/btrfs/relocation.c:3749
btrfs_relocate_block_group+0x7ab/0xd70 fs/btrfs/relocation.c:4087
btrfs_relocate_chunk+0x12c/0x3b0 fs/btrfs/volumes.c:3283
__btrfs_balance+0x1b06/0x2690 fs/btrfs/volumes.c:4018
btrfs_balance+0xbdb/0x1120 fs/btrfs/volumes.c:4402
btrfs_ioctl_balance+0x496/0x7c0 fs/btrfs/ioctl.c:3604
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl+0xf8/0x170 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f4e2f88c389
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f4e305fd168 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f4e2f9abf80 RCX: 00007f4e2f88c389
RDX: 00000000200003c0 RSI: 00000000c4009420 RDI: 0000000000000005
RBP: 00007f4e2f8d7493 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffdbefc213f R14: 00007f4e305fd300 R15: 0000000000022000
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:prepare_to_merge+0xbb2/0xc40 fs/btrfs/relocation.c:1919
Code: fe e9 f5 f7 ff ff e8 6d 62 ec fd 48 c7 c7 20 5e 4b 8b 48 c7 c6 c0 6d 4b 8b 48 c7 c2 a0 5e 4b 8b b9 7f 07 00 00 e8 8e d8 15 07 <0f> 0b e8 d7 17 18 07 f3 0f 1e fa e8 3e 62 ec fd 43 80 3c 2f 00 74
RSP: 0018:ffffc9000325f760 EFLAGS: 00010246
RAX: 000000000000004f RBX: ffff888075644030 RCX: 1481ccc522da5800
RDX: ffffc90005c09000 RSI: 00000000000364ca RDI: 00000000000364cb
RBP: ffffc9000325f870 R08: ffffffff816f33ac R09: 1ffff9200064bea0
R10: dffffc0000000000 R11: fffff5200064bea1 R12: ffff888075644000
R13: ffff88803b166000 R14: ffff88803b166560 R15: ffff88803b166558
FS: 00007f4e305fd700(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055555657e888 CR3: 00000000193ad000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to change bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syzbot

Jul 3, 2023, 1:10:57 AM
to c...@fb.com, dst...@suse.com, jo...@toxicpanda.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: 995b406c7e97 Merge tag 'csky-for-linus-6.5' of https://git..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1172e02ca80000
kernel config: https://syzkaller.appspot.com/x/.config?x=71a52faf60231bc7
dashboard link: https://syzkaller.appspot.com/bug?extid=ae97a827ae1c3336bbb4
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11e6ddf0a80000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/01122b567c73/disk-995b406c.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/75b7a37e981e/vmlinux-995b406c.xz
kernel image: https://storage.googleapis.com/syzbot-assets/758b5afcf092/bzImage-995b406c.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/96451b8f418b/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ae97a8...@syzkaller.appspotmail.com

assertion failed: root->reloc_root == reloc_root, in fs/btrfs/relocation.c:1919
------------[ cut here ]------------
kernel BUG at fs/btrfs/relocation.c:1919!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 7760 Comm: syz-executor.5 Not tainted 6.4.0-syzkaller-10098-g995b406c7e97 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
RIP: 0010:prepare_to_merge+0xbb2/0xc40 fs/btrfs/relocation.c:1919
Code: fe e9 f5 f7 ff ff e8 9d ab eb fd 48 c7 c7 a0 67 4b 8b 48 c7 c6 40 77 4b 8b 48 c7 c2 20 68 4b 8b b9 7f 07 00 00 e8 0e 7a 17 07 <0f> 0b e8 57 b9 19 07 f3 0f 1e fa e8 6e ab eb fd 43 80 3c 2f 00 74
RSP: 0018:ffffc9000bf47760 EFLAGS: 00010246
RAX: 000000000000004f RBX: ffff88807b35e030 RCX: ab28d7f10bef9500
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: ffffc9000bf47870 R08: ffffffff816f481c R09: 1ffff920017e8ea0
R10: dffffc0000000000 R11: fffff520017e8ea1 R12: ffff88807b35e000
R13: ffff888021ffc000 R14: ffff888021ffc560 R15: ffff888021ffc558
FS: 00007fef4adf9700(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f846a5fe000 CR3: 000000001ec2d000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
relocate_block_group+0xa5d/0xcd0 fs/btrfs/relocation.c:3749
btrfs_relocate_block_group+0x7ab/0xd70 fs/btrfs/relocation.c:4087
btrfs_relocate_chunk+0x12c/0x3b0 fs/btrfs/volumes.c:3283
__btrfs_balance+0x1b06/0x2690 fs/btrfs/volumes.c:4018
btrfs_balance+0xbdb/0x1120 fs/btrfs/volumes.c:4402
btrfs_ioctl_balance+0x496/0x7c0 fs/btrfs/ioctl.c:3604
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl+0xf8/0x170 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fef4a08c389
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fef4adf9168 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fef4a1abf80 RCX: 00007fef4a08c389
RDX: 00000000200003c0 RSI: 00000000c4009420 RDI: 0000000000000005
RBP: 00007fef4a0d7493 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffec9c8752f R14: 00007fef4adf9300 R15: 0000000000022000
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:prepare_to_merge+0xbb2/0xc40 fs/btrfs/relocation.c:1919
Code: fe e9 f5 f7 ff ff e8 9d ab eb fd 48 c7 c7 a0 67 4b 8b 48 c7 c6 40 77 4b 8b 48 c7 c2 20 68 4b 8b b9 7f 07 00 00 e8 0e 7a 17 07 <0f> 0b e8 57 b9 19 07 f3 0f 1e fa e8 6e ab eb fd 43 80 3c 2f 00 74
RSP: 0018:ffffc9000bf47760 EFLAGS: 00010246
RAX: 000000000000004f RBX: ffff88807b35e030 RCX: ab28d7f10bef9500
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: ffffc9000bf47870 R08: ffffffff816f481c R09: 1ffff920017e8ea0
R10: dffffc0000000000 R11: fffff520017e8ea1 R12: ffff88807b35e000
R13: ffff888021ffc000 R14: ffff888021ffc560 R15: ffff888021ffc558
FS: 00007fef4adf9700(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f22c0e44000 CR3: 000000001ec2d000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

syzbot

Jul 30, 2023, 1:07:58 PM
to c...@fb.com, dst...@suse.com, jo...@toxicpanda.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: d31e3792919e Merge tag '6.5-rc3-smb3-client-fixes' of git:..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17afd745a80000
kernel config: https://syzkaller.appspot.com/x/.config?x=9d670a4f6850b6f4
dashboard link: https://syzkaller.appspot.com/bug?extid=ae97a827ae1c3336bbb4
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15278939a80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14dd3f31a80000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7bc7510fe41f/non_bootable_disk-d31e3792.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/c6c2342933c9/vmlinux-d31e3792.xz
kernel image: https://storage.googleapis.com/syzbot-assets/42df60b42886/bzImage-d31e3792.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/78ffd1ddff6c/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ae97a8...@syzkaller.appspotmail.com

BTRFS info (device loop1): relocating block group 5242880 flags data|metadata
assertion failed: root->reloc_root == reloc_root, in fs/btrfs/relocation.c:1919
------------[ cut here ]------------
kernel BUG at fs/btrfs/relocation.c:1919!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 12638 Comm: syz-executor311 Not tainted 6.5.0-rc3-syzkaller-00297-gd31e3792919e #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:prepare_to_merge+0x9cc/0xcd0 fs/btrfs/relocation.c:1919
Code: c5 e9 81 fd ff ff e8 e3 59 00 fe b9 7f 07 00 00 48 c7 c2 40 d9 b6 8a 48 c7 c6 20 e6 b6 8a 48 c7 c7 a0 da b6 8a e8 54 bc e3 fd <0f> 0b 4c 8b 7c 24 38 48 8b 5c 24 10 44 8b 6c 24 0c e8 ae 59 00 fe
RSP: 0018:ffffc90023e176d0 EFLAGS: 00010282
RAX: 000000000000004f RBX: ffff88801e898560 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff81698120 RDI: 0000000000000005
RBP: ffff88801e898558 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 6f69747265737361 R12: dffffc0000000000
R13: ffff88801e898000 R14: ffff88802d944000 R15: ffff888017616618
FS: 00007fb31aba26c0(0000) GS:ffff88806b600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb31ac3a758 CR3: 000000002e1dc000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
relocate_block_group+0x8d1/0xe70 fs/btrfs/relocation.c:3749
btrfs_relocate_block_group+0x714/0xd90 fs/btrfs/relocation.c:4087
btrfs_relocate_chunk+0x143/0x440 fs/btrfs/volumes.c:3283
__btrfs_balance fs/btrfs/volumes.c:4018 [inline]
btrfs_balance+0x20fc/0x3ef0 fs/btrfs/volumes.c:4395
btrfs_ioctl_balance fs/btrfs/ioctl.c:3604 [inline]
btrfs_ioctl+0x1362/0x5cf0 fs/btrfs/ioctl.c:4637
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl fs/ioctl.c:856 [inline]
__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fb31abe6e49
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fb31aba2168 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fb31ac73728 RCX: 00007fb31abe6e49
RDX: 00000000200003c0 RSI: 00000000c4009420 RDI: 0000000000000005
RBP: 00007fb31ac73720 R08: 00007fb31aba26c0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb31ac7372c
R13: 0000000000000006 R14: 00007ffe768d5660 R15: 00007ffe768d5748
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:prepare_to_merge+0x9cc/0xcd0 fs/btrfs/relocation.c:1919
Code: c5 e9 81 fd ff ff e8 e3 59 00 fe b9 7f 07 00 00 48 c7 c2 40 d9 b6 8a 48 c7 c6 20 e6 b6 8a 48 c7 c7 a0 da b6 8a e8 54 bc e3 fd <0f> 0b 4c 8b 7c 24 38 48 8b 5c 24 10 44 8b 6c 24 0c e8 ae 59 00 fe
RSP: 0018:ffffc90023e176d0 EFLAGS: 00010282
RAX: 000000000000004f RBX: ffff88801e898560 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff81698120 RDI: 0000000000000005
RBP: ffff88801e898558 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 6f69747265737361 R12: dffffc0000000000
R13: ffff88801e898000 R14: ffff88802d944000 R15: ffff888017616618
FS: 00007fb31aba26c0(0000) GS:ffff88806b600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb31ac3a758 CR3: 000000002e1dc000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---

syzbot

Jul 30, 2023, 10:13:30 PM
to c...@fb.com, dst...@suse.com, h...@lst.de, johannes....@wdc.com, jo...@toxicpanda.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
syzbot has bisected this issue to:

commit 85724171b302914bb8999b9df091fd4616a36eb7
Author: Christoph Hellwig <h...@lst.de>
Date: Tue May 23 08:40:18 2023 +0000

btrfs: fix the btrfs_get_global_root return value

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=12343ac5a80000
start commit: d192f5382581 Merge tag 'arm64-fixes' of git://git.kernel.o..
git tree: upstream
final oops: https://syzkaller.appspot.com/x/report.txt?x=11343ac5a80000
console output: https://syzkaller.appspot.com/x/log.txt?x=16343ac5a80000
kernel config: https://syzkaller.appspot.com/x/.config?x=a4507c291b5ab5d4
dashboard link: https://syzkaller.appspot.com/bug?extid=ae97a827ae1c3336bbb4
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1230cc11a80000

Reported-by: syzbot+ae97a8...@syzkaller.appspotmail.com
Fixes: 85724171b302 ("btrfs: fix the btrfs_get_global_root return value")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

Qu Wenruo

Jul 31, 2023, 1:11:12 AM
to syzbot, c...@fb.com, dst...@suse.com, jo...@toxicpanda.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
I failed to reproduce it locally, although it's on David's misc-next.

# syz test: git://github.com/kdave/btrfs-devel.git misc-next

Thanks,
Qu

Qu Wenruo

Jul 31, 2023, 1:26:12 AM
to syzbot, c...@fb.com, dst...@suse.com, jo...@toxicpanda.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
# syz test: git://github.com/adam900710/linux.git graceful_reloc_mismatch

Christoph Hellwig

Jul 31, 2023, 3:37:12 AM
to syzbot, c...@fb.com, dst...@suse.com, h...@lst.de, johannes....@wdc.com, jo...@toxicpanda.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hmm, this seems to be missing the usual C reproducer?

Qu Wenruo

Jul 31, 2023, 4:12:58 AM
to Christoph Hellwig, syzbot, c...@fb.com, dst...@suse.com, johannes....@wdc.com, jo...@toxicpanda.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com


On 2023/7/31 15:37, Christoph Hellwig wrote:
> Hmm, this seems to be missing the usual C reproducer?
>
It has one in the original report:

> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14dd3f31a80000

Thanks,
Qu

Christoph Hellwig

Jul 31, 2023, 5:46:28 AM
to Qu Wenruo, Christoph Hellwig, syzbot, c...@fb.com, dst...@suse.com, johannes....@wdc.com, jo...@toxicpanda.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Thanks. I've not been able to reproduce it on the apparent bisection
commit for more than half an hour, but running it on the originally
reported commit reproduces it after a few minutes. I'll see if I
can come up with a better bisection.

Qu Wenruo

Jul 31, 2023, 6:01:26 AM
to Christoph Hellwig, Christoph Hellwig, syzbot, c...@fb.com, dst...@suse.com, johannes....@wdc.com, jo...@toxicpanda.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
I checked the related code, and didn't find anything obvious.

But there is a chance that the image is intentionally corrupted, so that
we get a reloc root but an incorrect root owner.

Thus I sent out a patch to turn that triggering ASSERT() into a more
graceful exit:

https://lore.kernel.org/linux-btrfs/24881cc9caf738f6248232709d735...@suse.com/T/#u

Although I never got the C reproducer to trigger, thus no confirmation
on that.

Thanks,
Qu

Christoph Hellwig

Aug 1, 2023, 7:39:28 AM
to Qu Wenruo, Christoph Hellwig, Christoph Hellwig, syzbot, c...@fb.com, dst...@suse.com, johannes....@wdc.com, jo...@toxicpanda.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
With misc-next and your debug patch I first ran into another assert:

[ 250.848976][T35903] assertion failed: 0, in fs/btrfs/relocation.c:2042
[ 250.849963][T35903] ------------[ cut here ]------------
[ 250.850472][T35903] kernel BUG at fs/btrfs/relocation.c:2042!

and here is the output from your assert:

[ 1378.272143][T189001] BTRFS error (device loop1): reloc tree mismatch, root 8 has no reloc root, expect reloc root key (-8, 132, 8) gen 17
[ 1378.274019][T189001] ------------[ cut here ]------------
[ 1378.274540][T189001] BTRFS: Transaction aborted (error -117)
[ 1378.277110][T189001] WARNING: CPU: 3 PID: 189001 at fs/btrfs/relocation.c:1946 prepare_to_merge+0x10e0/0x1460

Aleksandr Nogikh

Aug 1, 2023, 10:37:43 AM
to Qu Wenruo, syzbot, c...@fb.com, dst...@suse.com, jo...@toxicpanda.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
#syz test: https://github.com/adam900710/linux graceful_reloc_mismatch

syzbot

Aug 1, 2023, 10:58:45 AM
to c...@fb.com, dst...@suse.com, jo...@toxicpanda.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, nog...@google.com, quwenru...@gmx.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in prepare_to_merge

BTRFS error (device loop3): reloc tree mismatch, root 8 has no reloc root, expect reloc root key (-8, 132, 8) gen 17
------------[ cut here ]------------
BTRFS: Transaction aborted (error -117)
WARNING: CPU: 1 PID: 10413 at fs/btrfs/relocation.c:1946 prepare_to_merge+0x10e0/0x1460 fs/btrfs/relocation.c:1946
Modules linked in:
CPU: 1 PID: 10413 Comm: syz-executor.3 Not tainted 6.5.0-rc3-syzkaller-g9f2c8c9193cc #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:prepare_to_merge+0x10e0/0x1460 fs/btrfs/relocation.c:1946
Code: 8b 7e 50 44 89 e2 48 c7 c6 20 d8 b6 8a e8 58 1b 10 00 eb c1 e8 d1 83 00 fe be 8b ff ff ff 48 c7 c7 80 d7 b6 8a e8 f0 4b c7 fd <0f> 0b e9 bf fe ff ff 48 8b 7c 24 28 e8 af 93 53 fe e9 3e f5 ff ff
RSP: 0018:ffffc90003ebf6b0 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff8880478f2b78 RCX: 0000000000000000
RDX: ffff8880466c9300 RSI: ffffffff814c5346 RDI: 0000000000000001
RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000046525442 R12: 0000000000000000
R13: 0000000000000084 R14: ffff8880478f2b28 R15: ffff888030e28000
FS: 00007fcc9098a6c0(0000) GS:ffff88806b700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fcc90968f28 CR3: 000000001fa0c000 CR4: 0000000000350ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
relocate_block_group+0x8d1/0xe70 fs/btrfs/relocation.c:3782
btrfs_relocate_block_group+0x714/0xd90 fs/btrfs/relocation.c:4120
btrfs_relocate_chunk+0x143/0x440 fs/btrfs/volumes.c:3277
__btrfs_balance fs/btrfs/volumes.c:4012 [inline]
btrfs_balance+0x20fc/0x3ef0 fs/btrfs/volumes.c:4389
btrfs_ioctl_balance fs/btrfs/ioctl.c:3604 [inline]
btrfs_ioctl+0x1362/0x5cf0 fs/btrfs/ioctl.c:4637
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl fs/ioctl.c:856 [inline]
__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fcc8fc7cae9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fcc9098a0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fcc8fd9bf80 RCX: 00007fcc8fc7cae9
RDX: 00000000200003c0 RSI: 00000000c4009420 RDI: 0000000000000005
RBP: 00007fcc8fcc847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007fcc8fd9bf80 R15: 00007ffd6ad55508
</TASK>


Tested on:

commit: 9f2c8c91 btrfs: exit gracefully if reloc roots don't m..
git tree: https://github.com/adam900710/linux graceful_reloc_mismatch
console output: https://syzkaller.appspot.com/x/log.txt?x=173afb31a80000
kernel config: https://syzkaller.appspot.com/x/.config?x=23c579cf0ae1addd
dashboard link: https://syzkaller.appspot.com/bug?extid=ae97a827ae1c3336bbb4
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

Note: no patches were applied.

Christoph Hellwig

Aug 1, 2023, 11:26:18 AM
to Qu Wenruo, Christoph Hellwig, Christoph Hellwig, syzbot, c...@fb.com, dst...@suse.com, johannes....@wdc.com, jo...@toxicpanda.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
In the meantime I've also reproduced it with just
"btrfs: fix the btrfs_get_global_root return value", but it took
a rather long time.

After wading through the code my suspicion is that before this fix
the ERR_PTR return made that for those cases btrfs_get_root_ref and
btrfs_get_fs_root_commit_root don't actually do the
btrfs_lookup_fs_root. Although that seemed unintentional, as far
as I can tell it might have prevented some additional problems
with whatever syzkaller is fuzzing here. Not sure if anyone who
knows this code has any good idea where to start looking?

Qu Wenruo

Aug 1, 2023, 6:19:50 PM
to Christoph Hellwig, Christoph Hellwig, syzbot, c...@fb.com, dst...@suse.com, johannes....@wdc.com, jo...@toxicpanda.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com


On 2023/8/1 19:39, Christoph Hellwig wrote:
> With misc-next and your debug patch I first ran into another assert:
>
> [ 250.848976][T35903] assertion failed: 0, in fs/btrfs/relocation.c:2042
> [ 250.849963][T35903] ------------[ cut here ]------------
> [ 250.850472][T35903] kernel BUG at fs/btrfs/relocation.c:2042!
>
> and here is the output from your assert:
>
> [ 1378.272143][T189001] BTRFS error (device loop1): reloc tree mismatch, root 8 has no reloc root, expect reloc root key (-8, 132, 8) gen 17

Thanks a lot!

This indeed shows what I feared, on-disk corruption.

Root 8 is the quota tree, which doesn't need to go through tree-reloc at
all.

The whole tree-relocation idea is for subvolume trees, which would do a
special snapshot for them, and then swap the highest tree nodes between
the tree reloc tree (the special snapshot) and the subvolume tree.

Thus for non-subvolume trees, relocation is done by just COWing the
involved tree blocks and calling it a day.

This means we should never hit a reloc tree for non-subvolume trees, and
this looks like an on-disk format corruption.

Maybe I can reject those obviously incorrect reloc trees in tree-checker.

Thanks,
Qu

Qu Wenruo

Aug 2, 2023, 1:19:39 AM
to syzbot, c...@fb.com, dst...@suse.com, jo...@toxicpanda.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, nog...@google.com, syzkall...@googlegroups.com


On 2023/8/1 22:58, syzbot wrote:
> Hello,
>
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> WARNING in prepare_to_merge
>
> BTRFS error (device loop3): reloc tree mismatch, root 8 has no reloc root, expect reloc root key (-8, 132, 8) gen 17

#syz test: https://github.com/adam900710/linux graceful_reloc_mismatch

I have added another patch to reject those invalid reloc tree keys, thus
at least we could have a more graceful rejection (without kernel warnings).

But the previous patch is still needed to catch not-so-obvious corrupted
reloc root keys.

Thanks,
Qu
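A standalone C model of the two checks Qu describes in his two messages above: rejecting a reloc tree root key whose owner is not a subvolume tree (the tree-checker idea), and turning the ASSERT at relocation.c:1919 into a graceful -EUCLEAN exit with the "reloc tree mismatch" diagnostic. This is an added example, not kernel code or either patch; the key (-8, 132, 8), "root 8 is quota tree" and error -117 come from the thread, while the other objectid constants, the is_subvolume_tree rule and the struct layouts are assumptions about the btrfs on-disk format.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* From the thread: key (-8, 132, 8), "root 8 is quota tree", error -117. */
#define BTRFS_TREE_RELOC_OBJECTID ((uint64_t)-8)
#define BTRFS_ROOT_ITEM_KEY       132
#define BTRFS_QUOTA_TREE_OBJECTID 8
#define EUCLEAN                   117
/* Assumed from the btrfs on-disk format; not stated on the page. */
#define BTRFS_FS_TREE_OBJECTID    5
#define BTRFS_FIRST_FREE_OBJECTID 256
#define BTRFS_LAST_FREE_OBJECTID  ((uint64_t)-256)

struct btrfs_key {
	uint64_t objectid;
	uint8_t  type;
	uint64_t offset;
};

/* Minimal in-memory root: its key plus the reloc root relocation attached
 * to it (NULL for trees that never get one). */
struct root {
	struct btrfs_key key;
	const struct root *reloc_root;
};

/* Only subvolume trees get a reloc tree: the default fs tree and ids in the
 * user subvolume range (assumed rule, see lead-in). */
static int is_subvolume_tree(uint64_t rootid)
{
	if (rootid == BTRFS_TREE_RELOC_OBJECTID)
		return 0;
	return rootid == BTRFS_FS_TREE_OBJECTID ||
	       (rootid >= BTRFS_FIRST_FREE_OBJECTID &&
		rootid <= BTRFS_LAST_FREE_OBJECTID);
}

/* Read-time check in the spirit of a tree-checker rule: a reloc root key must
 * be a ROOT_ITEM whose offset (the owner root id) names a subvolume tree.
 * Returns 0 when acceptable, -EUCLEAN when the image is corrupt. */
int check_reloc_root_key(const struct btrfs_key *key)
{
	if (key->objectid != BTRFS_TREE_RELOC_OBJECTID)
		return 0;		/* not a reloc root, nothing to check */
	if (key->type != BTRFS_ROOT_ITEM_KEY)
		return -EUCLEAN;
	if (!is_subvolume_tree(key->offset))
		return -EUCLEAN;	/* e.g. owner 8, the quota tree */
	return 0;
}

int check_reloc_root_key_values(uint64_t objectid, uint8_t type, uint64_t offset)
{
	struct btrfs_key key = { objectid, type, offset };
	return check_reloc_root_key(&key);
}

/* Runtime check standing in for ASSERT(root->reloc_root == reloc_root): the
 * owner root named by the reloc root's key offset must point back at it. On
 * mismatch, write a diagnostic in the style of the thread's error line and
 * return -EUCLEAN so the caller can abort the transaction instead of BUG(). */
int verify_reloc_root_owner(const struct root *reloc_root,
			    const struct root *const *roots, size_t nroots,
			    char *msg, size_t msglen)
{
	const struct root *owner = NULL;

	for (size_t i = 0; i < nroots; i++)
		if (roots[i]->key.objectid == reloc_root->key.offset)
			owner = roots[i];
	if (owner && owner->reloc_root == reloc_root)
		return 0;
	snprintf(msg, msglen, "reloc tree mismatch, root %llu has no reloc root, "
		 "expect reloc root key (%lld, %u, %llu)",
		 (unsigned long long)reloc_root->key.offset,
		 (long long)reloc_root->key.objectid,
		 (unsigned)reloc_root->key.type,
		 (unsigned long long)reloc_root->key.offset);
	return -EUCLEAN;
}

/* Constructed scenario: with corrupt=1 a reloc root claims root 8 (the quota
 * tree) as owner, which never has a reloc root attached, as in the report;
 * with corrupt=0 a reloc root for subvolume 256 whose owner points back. */
int demo_reloc_owner(int corrupt, char *msg, size_t msglen)
{
	uint64_t owner_id = corrupt ? BTRFS_QUOTA_TREE_OBJECTID : 256;
	struct root owner = { { owner_id, BTRFS_ROOT_ITEM_KEY, 0 }, NULL };
	struct root reloc = { { BTRFS_TREE_RELOC_OBJECTID, BTRFS_ROOT_ITEM_KEY, owner_id }, NULL };
	const struct root *roots[] = { &owner };

	if (!corrupt)
		owner.reloc_root = &reloc;	/* healthy: back-pointer is set */
	return verify_reloc_root_owner(&reloc, roots, 1, msg, msglen);
}
```

The read-time check would have rejected the fuzzed image at mount, while the runtime check is what still catches a key that looks valid but whose owner never had a reloc root created for it.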

syzbot

Aug 2, 2023, 1:35:32 AM
to c...@fb.com, dst...@suse.com, jo...@toxicpanda.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, nog...@google.com, quwenru...@gmx.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in prepare_to_merge

------------[ cut here ]------------
BTRFS: Transaction aborted (error -117)
WARNING: CPU: 2 PID: 8050 at fs/btrfs/relocation.c:1946 prepare_to_merge+0x10e0/0x1460 fs/btrfs/relocation.c:1946
Modules linked in:
CPU: 2 PID: 8050 Comm: syz-executor.0 Not tainted 6.5.0-rc3-syzkaller-g8b6f9b585045 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:prepare_to_merge+0x10e0/0x1460 fs/btrfs/relocation.c:1946
Code: 8b 7e 50 44 89 e2 48 c7 c6 20 d8 b6 8a e8 28 1d 10 00 eb c1 e8 d1 83 00 fe be 8b ff ff ff 48 c7 c7 80 d7 b6 8a e8 f0 4b c7 fd <0f> 0b e9 bf fe ff ff 48 8b 7c 24 28 e8 af 93 53 fe e9 3e f5 ff ff
RSP: 0018:ffffc90022d4f6b0 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff88804485e440 RCX: 0000000000000000
RDX: ffff888031a78480 RSI: ffffffff814c5346 RDI: 0000000000000001
RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 000000002d2d2d2d R12: 0000000000000000
R13: 0000000000000084 R14: ffff88804485e3f0 R15: ffff88801d0eb000
FS: 00007f6a3df146c0(0000) GS:ffff88806b800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f0a76ac56be CR3: 00000000300a1000 CR4: 0000000000350ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
relocate_block_group+0x8d1/0xe70 fs/btrfs/relocation.c:3779
btrfs_relocate_block_group+0x714/0xd90 fs/btrfs/relocation.c:4117
btrfs_relocate_chunk+0x143/0x440 fs/btrfs/volumes.c:3277
__btrfs_balance fs/btrfs/volumes.c:4012 [inline]
btrfs_balance+0x20fc/0x3ef0 fs/btrfs/volumes.c:4389
btrfs_ioctl_balance fs/btrfs/ioctl.c:3604 [inline]
btrfs_ioctl+0x1362/0x5cf0 fs/btrfs/ioctl.c:4637
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl fs/ioctl.c:856 [inline]
__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f6a3d27cae9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f6a3df140c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f6a3d39bf80 RCX: 00007f6a3d27cae9
RDX: 00000000200003c0 RSI: 00000000c4009420 RDI: 0000000000000005
RBP: 00007f6a3d2c847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f6a3d39bf80 R15: 00007ffd18ee1568
</TASK>


Tested on:

commit: 8b6f9b58 btrfs: reject invalid reloc tree root keys
git tree: https://github.com/adam900710/linux graceful_reloc_mismatch
console output: https://syzkaller.appspot.com/x/log.txt?x=115ab96ea80000

syzbot

Aug 2, 2023, 2:02:02 AM
to quwenru...@gmx.com, quwenru...@gmx.com, syzkall...@googlegroups.com
>
>
> On 2023/8/2 13:35, syzbot wrote:
>> Hello,
>>
>> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
>> WARNING in prepare_to_merge
>
> #syz test: https://github.com/adam900710/linux graceful_reloc_mismatch

Your commands are accepted, but please keep syzkall...@googlegroups.com mailing list in CC next time. It serves as a history of what happened with each bug report. Thank you.

syzbot

Aug 2, 2023, 2:18:34 AM
to quwenru...@gmx.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in __btrfs_free_extent

worker_thread+0x687/0x1110 kernel/workqueue.c:2748
kthread+0x33a/0x430 kernel/kthread.c:389
ret_from_fork+0x2c/0x70 arch/x86/kernel/process.c:145
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:296
------------[ cut here ]------------
WARNING: CPU: 1 PID: 12 at fs/btrfs/extent-tree.c:3026 __btrfs_free_extent+0x119d/0x2c30 fs/btrfs/extent-tree.c:3026
Modules linked in:
CPU: 1 PID: 12 Comm: kworker/u16:1 Not tainted 6.5.0-rc3-syzkaller-gf47641f86054 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Workqueue: btrfs-qgroup-rescan btrfs_work_helper
RIP: 0010:__btrfs_free_extent+0x119d/0x2c30 fs/btrfs/extent-tree.c:3026
Code: 2c 24 0f b6 e8 48 89 ef 4c 89 ee e8 9d 4c 1a fe 4c 39 ed 0f 84 b7 f3 ff ff e8 7f 51 1a fe 0f 0b e9 ab f3 ff ff e8 73 51 1a fe <0f> 0b be 08 00 00 00 48 89 df e8 04 68 6d fe f0 48 0f ba 2b 02 40
RSP: 0000:ffffc90000317588 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff8880327959e0 RCX: 0000000000000000
RDX: ffff888014a94300 RSI: ffffffff836b37fd RDI: 0000000000000005
RBP: 0000000000000101 R08: 0000000000000005 R09: 00000000fffffffe
R10: 00000000fffffffe R11: 0000000000000042 R12: ffff88802f9a76e0
R13: ffff888024e3dbf8 R14: 00000000fffffffe R15: 0000000000546000
FS: 0000000000000000(0000) GS:ffff88806b700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f88a2150000 CR3: 000000002c185000 CR4: 0000000000350ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
run_delayed_tree_ref fs/btrfs/extent-tree.c:1657 [inline]
run_one_delayed_ref fs/btrfs/extent-tree.c:1681 [inline]
btrfs_run_delayed_refs_for_head fs/btrfs/extent-tree.c:1927 [inline]
__btrfs_run_delayed_refs+0xd3d/0x3b80 fs/btrfs/extent-tree.c:1988
btrfs_run_delayed_refs+0x1a1/0x510 fs/btrfs/extent-tree.c:2100
commit_cowonly_roots+0x750/0xa60 fs/btrfs/transaction.c:1331
btrfs_commit_transaction+0x107e/0x3ed0 fs/btrfs/transaction.c:2427
btrfs_qgroup_rescan_worker+0x567/0xa40 fs/btrfs/qgroup.c:3417
btrfs_work_helper+0x20b/0xba0 fs/btrfs/async-thread.c:314
process_one_work+0xaa2/0x16f0 kernel/workqueue.c:2597
worker_thread+0x687/0x1110 kernel/workqueue.c:2748
kthread+0x33a/0x430 kernel/kthread.c:389
ret_from_fork+0x2c/0x70 arch/x86/kernel/process.c:145
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:296
RIP: 0000:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
RSP: 0000:0000000000000000 EFLAGS: 00000000 ORIG_RAX: 0000000000000000
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
</TASK>


Tested on:

commit: f47641f8 btrfs: reject invalid reloc tree root keys wi..
git tree: https://github.com/adam900710/linux graceful_reloc_mismatch
console output: https://syzkaller.appspot.com/x/log.txt?x=14efd3a1a80000

Qu Wenruo

Aug 2, 2023, 2:26:37 AM8/2/23
to syzbot, syzkall...@googlegroups.com


On 2023/8/2 14:18, syzbot wrote:
> Hello,
>
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> WARNING in __btrfs_free_extent

#syz test: https://github.com/adam900710/linux graceful_reloc_mismatch

>

syzbot

Aug 2, 2023, 2:42:30 AM8/2/23
to quwenru...@gmx.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in __btrfs_free_extent

entry_SYSCALL_64_after_hwframe+0x63/0xcd
------------[ cut here ]------------
WARNING: CPU: 1 PID: 6346 at fs/btrfs/extent-tree.c:3026 __btrfs_free_extent+0x119d/0x2c30 fs/btrfs/extent-tree.c:3026
Modules linked in:
CPU: 1 PID: 6346 Comm: syz-executor.2 Not tainted 6.5.0-rc3-syzkaller-gf47641f86054 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:__btrfs_free_extent+0x119d/0x2c30 fs/btrfs/extent-tree.c:3026
Code: 2c 24 0f b6 e8 48 89 ef 4c 89 ee e8 9d 4c 1a fe 4c 39 ed 0f 84 b7 f3 ff ff e8 7f 51 1a fe 0f 0b e9 ab f3 ff ff e8 73 51 1a fe <0f> 0b be 08 00 00 00 48 89 df e8 04 68 6d fe f0 48 0f ba 2b 02 40
RSP: 0018:ffffc9000621f048 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff8880240ed9e0 RCX: 0000000000000000
RDX: ffff8880476281c0 RSI: ffffffff836b37fd RDI: 0000000000000005
RBP: 0000000000000101 R08: 0000000000000005 R09: 00000000fffffffe
R10: 00000000fffffffe R11: 0000000000094000 R12: ffff888032e382c0
R13: ffff88803ec1e610 R14: 00000000fffffffe R15: 000000000053f000
FS: 00007f53da4016c0(0000) GS:ffff88806b700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f53da3dff28 CR3: 000000002d71e000 CR4: 0000000000350ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
run_delayed_tree_ref fs/btrfs/extent-tree.c:1657 [inline]
run_one_delayed_ref fs/btrfs/extent-tree.c:1681 [inline]
btrfs_run_delayed_refs_for_head fs/btrfs/extent-tree.c:1927 [inline]
__btrfs_run_delayed_refs+0xd3d/0x3b80 fs/btrfs/extent-tree.c:1988
btrfs_run_delayed_refs+0x1a1/0x510 fs/btrfs/extent-tree.c:2100
commit_cowonly_roots+0x750/0xa60 fs/btrfs/transaction.c:1331
btrfs_commit_transaction+0x107e/0x3ed0 fs/btrfs/transaction.c:2427
prepare_to_merge+0x9a2/0x1460 fs/btrfs/relocation.c:1978
relocate_block_group+0x8d1/0xe70 fs/btrfs/relocation.c:3779
btrfs_relocate_block_group+0x714/0xd90 fs/btrfs/relocation.c:4117
btrfs_relocate_chunk+0x143/0x440 fs/btrfs/volumes.c:3277
__btrfs_balance fs/btrfs/volumes.c:4012 [inline]
btrfs_balance+0x20fc/0x3ef0 fs/btrfs/volumes.c:4389
btrfs_ioctl_balance fs/btrfs/ioctl.c:3604 [inline]
btrfs_ioctl+0x1362/0x5cf0 fs/btrfs/ioctl.c:4637
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl fs/ioctl.c:856 [inline]
__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f53d967cae9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f53da4010c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f53d979bf80 RCX: 00007f53d967cae9
RDX: 00000000200003c0 RSI: 00000000c4009420 RDI: 0000000000000005
RBP: 00007f53d96c847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f53d979bf80 R15: 00007fff5b561968
</TASK>


Tested on:

commit: f47641f8 btrfs: reject invalid reloc tree root keys wi..
git tree: https://github.com/adam900710/linux graceful_reloc_mismatch
console output: https://syzkaller.appspot.com/x/log.txt?x=10d3adbea80000

Qu Wenruo

Aug 2, 2023, 2:53:24 AM8/2/23
to Christoph Hellwig, Christoph Hellwig, syzbot, c...@fb.com, dst...@suse.com, johannes....@wdc.com, jo...@toxicpanda.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
I'm also looking into the case; the weird part seems to be that we're getting
some race between qgroup tree creation and relocation.

More rounds of syzbot testing show it's not on-disk data corruption,
but runtime corruption leading to the invalid reloc tree key.

Normally if we're relocating tree 8 (quota tree), we should get
fs_info->quota_root, and it should not have the ROOT_SHAREABLE flag, thus we
just go COW the involved quota tree block.

But somehow, if the quota tree is created by btrfs_init_fs_root() it
would have the ROOT_SHAREABLE flag and lead to the incorrect reloc tree
creation.

My current guess is, some race like this:

Thread A | Thread B
---------------------------------+------------------------------
btrfs_quota_enable() |
| | btrfs_get_root_ref()
| | |- btrfs_get_global_root()
| | | Returned NULL
| | |- btrfs_lookup_fs_root()
| | | Returned NULL
|- btrfs_create_tree() | |
| Now quota root item is | |
| inserted | |- btrfs_read_tree_root()
| | | Got the newly inserted quota root
| | |- btrfs_init_fs_root()
| | | Set ROOT_SHAREABLE flag

By this, with a relocation and quota enabling, we create a race that we
can get a quota root with ROOT_SHAREABLE set, and lead to the problem.

Personally speaking, I don't have a particularly good idea on how to fix it.

We may skip any non-subvolume related trees in btrfs_init_fs_root(), but
that doesn't seem correct to me.

Any good ideas on this?

Thanks,
Qu

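The race Qu lays out above, as an added example that is not part of this thread or of btrfs: a small C model that enumerates every interleaving of the two threads' steps and reports which orderings hand the lookup a quota root carrying ROOT_SHAREABLE. The step names follow the functions in his diagram; `struct model`, `step_a`, `step_b`, the objectid constants, `is_subvolume_id` and the `guard` flag (which models the "skip any non-subvolume related trees" idea he mentions and doubts) are this model's own assumptions, and it says nothing about the patch syzbot later tested.

```c
/*
 * Added example, not btrfs code: an interleaving model of the race between
 * quota-tree creation (thread A, btrfs_quota_enable) and a lookup of tree 8
 * through the generic fs-root path (thread B, btrfs_get_root_ref).
 * All names and constants below are simplified stand-ins for the model.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define FS_TREE_OBJECTID          5ULL
#define QUOTA_TREE_OBJECTID       8ULL   /* tree 8 from the thread */
#define FIRST_FREE_OBJECTID       256ULL /* assumption: subvolume ids start here */
#define TREE_LOG_OBJECTID         ((unsigned long long)-5)
#define DATA_RELOC_TREE_OBJECTID  ((unsigned long long)-9)
#define ROOT_SHAREABLE            0x1u

#define NA 2               /* A1: insert root item on disk, A2: publish fs_info->quota_root */
#define NB 4               /* B1: global lookup, B2: cache lookup, B3: read from disk, B4: init_fs_root */
#define NSTEPS (NA + NB)

enum outcome {
    OUT_PENDING = 0,
    OUT_GLOBAL,       /* B got fs_info->quota_root: the correct result */
    OUT_NOT_FOUND,    /* B's lookup failed: item not yet on disk, or refused by the guard */
    OUT_SHAREABLE,    /* B built its own quota root with ROOT_SHAREABLE set: the bug */
};

struct root { unsigned long long objectid; unsigned flags; };

struct model {
    bool guard;                 /* model of "skip non-subvolume trees in the generic path" */
    bool quota_item_on_disk;    /* set by A1 */
    struct root *quota_root;    /* set by A2 */
    struct root *cached;        /* inserted by B4 */
    struct root global_quota;   /* the root A publishes: never ROOT_SHAREABLE */
    struct root generic_quota;  /* the root B builds via read_tree_root + init_fs_root */
    struct root *b_result;
    enum outcome out;
};

static bool is_subvolume_id(unsigned long long id)
{
    return id == FS_TREE_OBJECTID || id >= FIRST_FREE_OBJECTID;
}

static void init_model(struct model *m, bool guard)
{
    *m = (struct model){ .guard = guard };
    m->global_quota.objectid = QUOTA_TREE_OBJECTID;
}

static void step_a(struct model *m, int idx)
{
    if (idx == 0)
        m->quota_item_on_disk = true;       /* btrfs_create_tree(): root item now readable */
    else
        m->quota_root = &m->global_quota;   /* fs_info->quota_root published */
}

static void step_b(struct model *m, int idx)
{
    if (m->out != OUT_PENDING)
        return;                             /* B already returned */
    switch (idx) {
    case 0: /* btrfs_get_global_root(): only succeeds once A2 has run */
        if (m->quota_root) { m->b_result = m->quota_root; m->out = OUT_GLOBAL; }
        break;
    case 1: /* btrfs_lookup_fs_root(): radix-tree cache, empty for tree 8 here */
        if (m->cached) {
            m->b_result = m->cached;
            m->out = (m->cached->flags & ROOT_SHAREABLE) ? OUT_SHAREABLE : OUT_GLOBAL;
        }
        break;
    case 2: /* btrfs_read_tree_root(): finds the item only after A1 has run */
        if (m->guard && !is_subvolume_id(QUOTA_TREE_OBJECTID)) { m->out = OUT_NOT_FOUND; break; }
        if (!m->quota_item_on_disk) { m->out = OUT_NOT_FOUND; break; }
        m->generic_quota.objectid = QUOTA_TREE_OBJECTID;
        break;
    case 3: /* btrfs_init_fs_root(): marks anything but log/data-reloc trees shareable */
        if (m->generic_quota.objectid != TREE_LOG_OBJECTID &&
            m->generic_quota.objectid != DATA_RELOC_TREE_OBJECTID)
            m->generic_quota.flags |= ROOT_SHAREABLE;
        m->cached = &m->generic_quota;
        m->b_result = &m->generic_quota;
        m->out = OUT_SHAREABLE;
        break;
    }
}

/* sched is NSTEPS chars of 'A'/'B': one global interleaving of the two threads. */
static enum outcome run_schedule(const char *sched, bool guard)
{
    struct model m;
    int ia = 0, ib = 0;
    init_model(&m, guard);
    for (int s = 0; s < NSTEPS; s++) {
        if (sched[s] == 'A') step_a(&m, ia++);
        else                 step_b(&m, ib++);
    }
    return m.out;
}

/* Enumerate all interleavings of A's 2 steps with B's 4 (15 in total) and
 * return how many leave B holding a ROOT_SHAREABLE quota root. */
static int count_bad_interleavings(bool guard, int *total)
{
    int bad = 0, n = 0;
    for (unsigned mask = 0; mask < (1u << NSTEPS); mask++) {
        int bits = 0;
        for (int s = 0; s < NSTEPS; s++) bits += (mask >> s) & 1;
        if (bits != NA) continue;
        char sched[NSTEPS + 1];
        for (int s = 0; s < NSTEPS; s++) sched[s] = ((mask >> s) & 1) ? 'A' : 'B';
        sched[NSTEPS] = '\0';
        n++;
        if (run_schedule(sched, guard) == OUT_SHAREABLE) {
            bad++;
            printf("bad interleaving: %s\n", sched);
        }
    }
    if (total) *total = n;
    return bad;
}

int main(void)
{
    int total;
    int bad = count_bad_interleavings(false, &total);
    printf("%d of %d interleavings give relocation a ROOT_SHAREABLE quota root\n", bad, total);
    printf("with the generic path refusing non-subvolume ids: %d of %d\n",
           count_bad_interleavings(true, &total), total);
    return 0;
}
```

In the model, 11 of the 15 orderings end badly: the window is open whenever B's global-root check runs before fs_info->quota_root is published and its disk read runs after the root item has been inserted, which is exactly the two-column diagram above. The `guard` flag closes the window in the model (0 of 15), but that only shows the idea is sufficient to stop this ordering, not that refusing those lookups is correct for btrfs, which is the reservation Qu states.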
Qu Wenruo

Aug 2, 2023, 5:12:16 AM8/2/23
to syzbot, c...@fb.com, dst...@suse.com, jo...@toxicpanda.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com


On 2023/7/2 04:46, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 533925cb7604 Merge tag 'riscv-for-linus-6.5-mw1' of git://..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=14d8b610a80000
> kernel config: https://syzkaller.appspot.com/x/.config?x=12464973c17d2b37
> dashboard link: https://syzkaller.appspot.com/bug?extid=ae97a827ae1c3336bbb4
> compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/7b23da6a6f6c/disk-533925cb.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/f163e9ea9946/vmlinux-533925cb.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/5b943aa5a1e1/bzImage-533925cb.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+ae97a8...@syzkaller.appspotmail.com
>

#syz test: https://github.com/adam900710/linux graceful_reloc_mismatch

syzbot

Aug 2, 2023, 5:32:29 AM8/2/23
to c...@fb.com, dst...@suse.com, jo...@toxicpanda.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, quwenru...@gmx.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+ae97a8...@syzkaller.appspotmail.com

Tested on:

commit: aa3cb01e btrfs: avoid race with qgroup tree creation a..
git tree: https://github.com/adam900710/linux graceful_reloc_mismatch
console output: https://syzkaller.appspot.com/x/log.txt?x=10ae0aa6a80000
kernel config: https://syzkaller.appspot.com/x/.config?x=23c579cf0ae1addd
dashboard link: https://syzkaller.appspot.com/bug?extid=ae97a827ae1c3336bbb4
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

Note: no patches were applied.
Note: testing is done by a robot and is best-effort only.