WARNING in bch2_dev_free


Hui Guo

Apr 5, 2025, 10:43:11 PM
to Kent Overstreet, linux-b...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hi Kernel Maintainers,
We found a crash "WARNING in bch2_dev_free" in upstream; the detailed
information is as follows:

HEAD Commit: 9f867ba24d3665d9ac9d9ef1f51844eb4479b291
kernel config: https://raw.githubusercontent.com/androidAppGuard/KernelBugs/refs/heads/main/9f867ba24d3665d9ac9d9ef1f51844eb4479b291/.config

console output:
https://raw.githubusercontent.com/androidAppGuard/KernelBugs/refs/heads/main/9f867ba24d3665d9ac9d9ef1f51844eb4479b291/0a9dd8e75f0f178fec81b7793432b6246c869988/repro.log
repro report: https://raw.githubusercontent.com/androidAppGuard/KernelBugs/refs/heads/main/9f867ba24d3665d9ac9d9ef1f51844eb4479b291/0a9dd8e75f0f178fec81b7793432b6246c869988/repro.report
syz reproducer:
https://raw.githubusercontent.com/androidAppGuard/KernelBugs/refs/heads/main/9f867ba24d3665d9ac9d9ef1f51844eb4479b291/0a9dd8e75f0f178fec81b7793432b6246c869988/repro.prog
c reproducer: https://raw.githubusercontent.com/androidAppGuard/KernelBugs/refs/heads/main/9f867ba24d3665d9ac9d9ef1f51844eb4479b291/0a9dd8e75f0f178fec81b7793432b6246c869988/repro.cprog

Please let me know if there is anything I can help with.
Best,
Hui Guo

This is the report log.
=============================================================================================
------------[ cut here ]------------
WARNING: CPU: 2 PID: 39261 at fs/bcachefs/super.c:1229 bch2_dev_free+0x27b/0x2d0 data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/super.c:1229
Modules linked in:
CPU: 2 UID: 0 PID: 39261 Comm: syz.22.217 Not tainted 6.14.0-13408-g9f867ba24d36 #1 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:bch2_dev_free+0x27b/0x2d0 data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/super.c:1229
Code: e3 02 89 de e8 76 7c 65 fd 84 db 0f 84 df fe ff ff e9 cd fe ff ff e8 a4 81 65 fd 90 0f 0b 90 e9 e6 fd ff ff e8 96 81 65 fd 90 <0f> 0b 90 e9 b1 fd ff ff 4c 89 f7 e8 b5 44 c9 fd e9 07 fe ff ff e8
RSP: 0018:ffffc900040ef210 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff8453d31c
RDX: ffff88802a070000 RSI: ffffffff8453d56a RDI: 0000000000000001
RBP: ffff8880326c6000 R08: 00000000fffffffc R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8880326c60c0
R13: ffffc900040ef368 R14: 0000000000000000 R15: 0000000000000000
FS: 00007fb1a3364640(0000) GS:ffff8880cf059000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc315791fc8 CR3: 0000000040d9c000 CR4: 0000000000350ef0
Call Trace:
<TASK>
__bch2_dev_alloc+0xa56/0xe10 data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/super.c:1398
bch2_dev_alloc+0xba/0x170 data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/super.c:1424
bch2_fs_alloc+0x1b7d/0x2430 data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/super.c:969
bch2_fs_open+0x92c/0x1110 data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/super.c:2219
bch2_fs_get_tree+0x10d0/0x1770 data/ghui/docker_data/linux_kernel/upstream/linux/fs/bcachefs/fs.c:2172
vfs_get_tree+0x93/0x340 data/ghui/docker_data/linux_kernel/upstream/linux/fs/super.c:1759
do_new_mount data/ghui/docker_data/linux_kernel/upstream/linux/fs/namespace.c:3879 [inline]
path_mount+0x6b0/0x1eb0 data/ghui/docker_data/linux_kernel/upstream/linux/fs/namespace.c:4206
do_mount data/ghui/docker_data/linux_kernel/upstream/linux/fs/namespace.c:4219 [inline]
__do_sys_mount data/ghui/docker_data/linux_kernel/upstream/linux/fs/namespace.c:4430 [inline]
__se_sys_mount data/ghui/docker_data/linux_kernel/upstream/linux/fs/namespace.c:4407 [inline]
__x64_sys_mount+0x27b/0x300 data/ghui/docker_data/linux_kernel/upstream/linux/fs/namespace.c:4407
do_syscall_x64 data/ghui/docker_data/linux_kernel/upstream/linux/arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcb/0x250 data/ghui/docker_data/linux_kernel/upstream/linux/arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb1a259fdfe
Code: 48 c7 c0 ff ff ff ff eb aa e8 5e 20 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fb1a3363da8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 000000000000fe88 RCX: 00007fb1a259fdfe
RDX: 000000002000fec0 RSI: 000000002000ff00 RDI: 00007fb1a3363e00
RBP: 00007fb1a3363e40 R08: 00007fb1a3363e40 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000002000fec0
R13: 000000002000ff00 R14: 00007fb1a3363e00 R15: 000000002000ff40
</TASK>

syzbot

Apr 8, 2025, 7:53:36 AM
to kent.ov...@linux.dev, linux-b...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: a4cda136f021 Add linux-next specific files for 20250404
git tree: linux-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=12c3db4c580000
kernel config: https://syzkaller.appspot.com/x/.config?x=8a257c454bb1afb7
dashboard link: https://syzkaller.appspot.com/bug?extid=aec9606169fbc3a12ca6
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17ca0c04580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11c3db4c580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/59048bc9c206/disk-a4cda136.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ad2ba7306f20/vmlinux-a4cda136.xz
kernel image: https://storage.googleapis.com/syzbot-assets/b3bef7acbf10/bzImage-a4cda136.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/110624be1513/mount_0.gz

The issue was bisected to:

commit dcffc3b1ae3251d796a25c673f614e3099ca83d3
Author: Kent Overstreet <kent.ov...@linux.dev>
Date: Sun Mar 30 03:11:08 2025 +0000

bcachefs: Split up bch_dev.io_ref

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=13948c04580000
final oops: https://syzkaller.appspot.com/x/report.txt?x=10548c04580000
console output: https://syzkaller.appspot.com/x/log.txt?x=17948c04580000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+aec960...@syzkaller.appspotmail.com
Fixes: dcffc3b1ae32 ("bcachefs: Split up bch_dev.io_ref")

bcachefs (loop0): shutting down
------------[ cut here ]------------
WARNING: CPU: 0 PID: 5844 at fs/bcachefs/super.c:1229 bch2_dev_free+0x228/0x290 fs/bcachefs/super.c:1229
Modules linked in:
CPU: 0 UID: 0 PID: 5844 Comm: syz-executor121 Not tainted 6.14.0-next-20250404-syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
RIP: 0010:bch2_dev_free+0x228/0x290 fs/bcachefs/super.c:1229
Code: ff e8 4c cf 74 00 4c 89 ef e8 44 cf 74 00 48 89 df 48 83 c4 10 5b 41 5c 41 5d 41 5e 41 5f 5d e9 ee 53 96 07 e8 59 e9 32 fd 90 <0f> 0b 90 e9 09 fe ff ff e8 4b e9 32 fd 90 0f 0b 90 e9 15 fe ff ff
RSP: 0018:ffffc9000406fb88 EFLAGS: 00010293
RAX: ffffffff849073d7 RBX: ffff888035282000 RCX: ffff888034af9e00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff8880352820c0 R08: ffffffff850552f7 R09: 0000000000000000
R10: ffff888035282208 R11: ffffed1006a5044a R12: ffff888075e003f0
R13: ffff8880352820b0 R14: ffff888075e00000 R15: ffff888075e007b2
FS: 000055558bb20380(0000) GS:ffff888124f8f000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000045bdd0 CR3: 00000000122a0000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
bch2_fs_free+0x2b0/0x400 fs/bcachefs/super.c:688
deactivate_locked_super+0xc4/0x130 fs/super.c:473
cleanup_mnt+0x422/0x4c0 fs/namespace.c:1435
task_work_run+0x251/0x310 kernel/task_work.c:227
ptrace_notify+0x2dc/0x390 kernel/signal.c:2520
ptrace_report_syscall include/linux/ptrace.h:415 [inline]
ptrace_report_syscall_exit include/linux/ptrace.h:477 [inline]
syscall_exit_work+0xc7/0x1d0 kernel/entry/common.c:173
syscall_exit_to_user_mode_prepare kernel/entry/common.c:200 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:205 [inline]
syscall_exit_to_user_mode+0x24a/0x340 kernel/entry/common.c:218
do_syscall_64+0x100/0x230 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f49b0cec447
Code: 07 00 48 83 c4 08 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8
RSP: 002b:00007ffd94723978 EFLAGS: 00000206 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f49b0cec447
RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007ffd94723a30
RBP: 00007ffd94723a30 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000206 R12: 00007ffd94724aa0
R13: 000055558bb216c0 R14: 0000000000000001 R15: 431bde82d7b634db
</TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite the report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Charalampos Mitrodimas

Apr 9, 2025, 12:09:47 PM
to syzbot, kent.ov...@linux.dev, linux-b...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
#syz test

From: Charalampos Mitrodimas <char...@posteo.net>
Subject: [PATCH] bcachefs: Fix WARN_ON in bch2_dev_free

After splitting bch_dev.io_ref into separate READ and WRITE refs, we
need to ensure both refs are properly stopped before freeing a device.
Add bch2_dev_io_ref_stop(ca, WRITE) to bch2_fs_free() to prevent the
WARNING in bch2_dev_free().

Reported-by: syzbot+aec960...@syzkaller.appspotmail.com
Fixes: dcffc3b1ae32 ("bcachefs: Split up bch_dev.io_ref")
Signed-off-by: Charalampos Mitrodimas <char...@posteo.net>
---
fs/bcachefs/super.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/fs/bcachefs/super.c b/fs/bcachefs/super.c
index a58edde43bee..089b69b685d9 100644
--- a/fs/bcachefs/super.c
+++ b/fs/bcachefs/super.c
@@ -684,6 +684,7 @@ void bch2_fs_free(struct bch_fs *c)
if (ca) {
EBUG_ON(atomic_long_read(&ca->ref) != 1);
bch2_dev_io_ref_stop(ca, READ);
+ bch2_dev_io_ref_stop(ca, WRITE);
bch2_free_super(&ca->disk_sb);
bch2_dev_free(ca);
}
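Review bot: The added bch2_dev_io_ref_stop(ca, WRITE) covers only the bch2_fs_free() teardown path, while the first report in this thread hits the same WARN at super.c:1229 from the __bch2_dev_alloc() error path (super.c:1398), which never passes through this hunk; the commit message should state whether that path is also handled. Stopping a ref the caller expects to be dead also sidesteps the real question of why a WRITE ref is still live when the filesystem is being freed: if the write ref is supposed to be dropped when the filesystem goes read-only, the hunk masks a missed transition rather than fixing it. Consider pairing the stop with an assertion in the style of the adjacent `EBUG_ON(atomic_long_read(&ca->ref) != 1);` so an imbalance stays visible, and explain in the message why the WRITE ref can legitimately outlive the read-only transition here.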
--
2.39.5

syzbot

Apr 9, 2025, 1:02:06 PM
to char...@posteo.net, kent.ov...@linux.dev, linux-b...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
unregister_netdevice: waiting for DEV to become free

unregister_netdevice: waiting for batadv0 to become free. Usage count = 3


Tested on:

commit: a2458824 Merge tag 'linux_kselftest-kunit-6.15-rc2' of..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=153ffb4c580000
kernel config: https://syzkaller.appspot.com/x/.config?x=fb8650d88e9fb80f
dashboard link: https://syzkaller.appspot.com/bug?extid=aec9606169fbc3a12ca6
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=17b7fb4c580000

Kent Overstreet

Apr 9, 2025, 5:51:33 PM
to Charalampos Mitrodimas, syzbot, linux-b...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
This would seem to indicate shutting down without going read-only; there
might be a deeper bug here.

syzbot

Apr 12, 2025, 2:04:37 PM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: #syz test
Author: gshah...@gmail.com

Try to remove device but fails
Reinitialize reference counting for write operations for device
Shut down the filesystem
Make the filesystem read only
Read-write bit is not set so it skips trying to make the filesystem read-only, implying that the filesystem is already in read-only mode.
Encounter error because write operations are still assigned to a device
When the filesystem is starting up, it tries to set the filesystem to read-only, but it's already set.
When failing to remove a device, it tries giving back write permissions to a device when the filesystem is read-only (not sure if this is nonsensical or not).
Since a device has write permissions, it tries to remove them but fails because the filesystem is in read-only mode.
So the fix here is to prevent it from giving the device write permissions if the filesystem is in read-only mode.

Signed-off-by: Gabriel Shahrouzi <gshah...@gmail.com>
---
fs/bcachefs/super.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/bcachefs/super.c b/fs/bcachefs/super.c
index b79e80a435e09..788e870bfef6a 100644
--- a/fs/bcachefs/super.c
+++ b/fs/bcachefs/super.c
@@ -1757,7 +1757,8 @@ int bch2_dev_remove(struct bch_fs *c, struct bch_dev *ca, int flags)
up_write(&c->state_lock);
return 0;
err:
- if (ca->mi.state == BCH_MEMBER_STATE_rw &&
+ if (test_bit(BCH_FS_rw, &c->flags) &&
+ ca->mi.state == BCH_MEMBER_STATE_rw &&
!percpu_ref_is_zero(&ca->io_ref[READ]))
__bch2_dev_read_write(c, ca);
up_write(&c->state_lock);
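Review bot: The new `test_bit(BCH_FS_rw, &c->flags) &&` guard fixes only this one caller of __bch2_dev_read_write() in the bch2_dev_remove() error path, whereas the commit message states the rule generally ("prevent it from giving the device write permissions if the filesystem is in read-only mode"); if that invariant is meant to hold everywhere, the check belongs inside __bch2_dev_read_write() itself, or the message should at least say that the other callers were audited. The message also lacks a proper summary line, and it should spell out why reading c->flags here is safe: state_lock is still held for write on this path (the hunk's trailing `up_write(&c->state_lock);` releases it), which is what keeps the check ordered against a concurrent rw/ro transition. Finally, the context line `!percpu_ref_is_zero(&ca->io_ref[READ]))` only exists after dcffc3b1ae32 ("bcachefs: Split up bch_dev.io_ref"), so the patch must be tested on a tree that already contains that commit, and a Fixes: tag pointing at it belongs in the trailer.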
--
2.43.0

syzbot

Apr 12, 2025, 2:11:46 PM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: #syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 5fc31936081919a8572a3d644f3fbb258038f337
Author: gshah...@gmail.com

Another test with an earlier branch because of an unassociated error popping up:
unregister_netdevice: waiting for batadv0 to become free. Usage count = 3.

syzbot

Apr 12, 2025, 2:44:07 PM
to gshah...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
unregister_netdevice: waiting for DEV to become free

unregister_netdevice: waiting for batadv0 to become free. Usage count = 3


Tested on:

commit: ecd5d67a Merge tag 'pwm/for-6.15-rc2-fixes' of git://g..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12e4ca3f980000
kernel config: https://syzkaller.appspot.com/x/.config?x=fb8650d88e9fb80f
dashboard link: https://syzkaller.appspot.com/bug?extid=aec9606169fbc3a12ca6
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=11245c04580000

syzbot

Apr 12, 2025, 2:50:06 PM
to gshah...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to apply patch:
checking file fs/bcachefs/super.c
Hunk #1 FAILED at 1757.
1 out of 1 hunk FAILED



Tested on:

commit: 5fc31936 Merge tag 'net-6.14-rc8' of git://git.kernel...
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=bae073f4634b7fd
patch: https://syzkaller.appspot.com/x/patch.diff?x=12f21f4c580000

syzbot

Apr 17, 2025, 8:37:49 PM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject:
Author: kent.ov...@linux.dev

#syz fix: bcachefs: Prevent granting write refs when filesystem is read-only