[syzbot] [btrfs?] kernel BUG in submit_compressed_extents
0 views
Skip to first unread message
syzbot
Dec 27, 2025, 2:03:18 PM (11 hours ago) Dec 27
to c...@fb.com, dst...@suse.com, jo...@toxicpanda.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: b927546677c8 Merge tag 'dma-mapping-6.19-2025-12-22' of gi..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1600df1a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=513255d80ab78f2b
dashboard link: https://syzkaller.appspot.com/bug?extid=6bcfce568a4af2a909bc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-b9275466.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/16f89c42bab9/vmlinux-b9275466.xz
kernel image: https://storage.googleapis.com/syzbot-assets/54c5ab9b0ef0/bzImage-b9275466.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+6bcfce...@syzkaller.appspotmail.com
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x6a1
head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x7ff00000000040(head|node=0|zone=0|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 007ff00000000001 ffffea000001a801 00000000ffffffff 00000000ffffffff
raw: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
head: 007ff00000000040 ffff888040d47dc0 dead000000000122 0000000000000000
head: 0000000000000000 00000000800a000a 00000000f5000000 0000000000000000
head: 007ff00000000001 ffffea000001a801 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
page dumped because: VM_BUG_ON_PAGE(page->compound_head & 1)
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd2800(GFP_NOWAIT|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 2676, tgid 2676 (kworker/u4:12), ts 86875534140, free_ts 86855865505
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x234/0x290 mm/page_alloc.c:1846
prep_new_page mm/page_alloc.c:1854 [inline]
get_page_from_freelist+0x24e0/0x2580 mm/page_alloc.c:3915
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5210
alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2486
alloc_slab_page mm/slub.c:3075 [inline]
allocate_slab+0x86/0x3b0 mm/slub.c:3248
new_slab mm/slub.c:3302 [inline]
___slab_alloc+0xe53/0x1820 mm/slub.c:4656
__slab_alloc+0x65/0x100 mm/slub.c:4779
__slab_alloc_node mm/slub.c:4855 [inline]
slab_alloc_node mm/slub.c:5251 [inline]
kmem_cache_alloc_noprof+0x40f/0x710 mm/slub.c:5270
mempool_alloc_noprof+0x1c9/0x2f0 mm/mempool.c:567
bio_alloc_bioset+0x337/0x14e0 block/bio.c:561
alloc_compressed_bio fs/btrfs/compression.c:68 [inline]
btrfs_submit_compressed_write+0x16f/0x430 fs/btrfs/compression.c:382
submit_one_async_extent fs/btrfs/inode.c:1188 [inline]
submit_compressed_extents+0xe7a/0x1670 fs/btrfs/inode.c:1599
run_ordered_work fs/btrfs/async-thread.c:243 [inline]
btrfs_work_helper+0x564/0xbf0 fs/btrfs/async-thread.c:322
process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
kthread+0x711/0x8a0 kernel/kthread.c:463
page last free pid 78 tgid 78 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1395 [inline]
free_unref_folios+0xdb3/0x14f0 mm/page_alloc.c:3000
shrink_folio_list+0x4800/0x5010 mm/vmscan.c:1603
evict_folios+0x473e/0x57f0 mm/vmscan.c:4711
try_to_shrink_lruvec+0x8a3/0xb50 mm/vmscan.c:4874
shrink_one+0x25c/0x720 mm/vmscan.c:4919
shrink_many mm/vmscan.c:4982 [inline]
lru_gen_shrink_node mm/vmscan.c:5060 [inline]
shrink_node+0x2f7d/0x35b0 mm/vmscan.c:6047
kswapd_shrink_node mm/vmscan.c:6901 [inline]
balance_pgdat mm/vmscan.c:7084 [inline]
kswapd+0x145a/0x2820 mm/vmscan.c:7354
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
------------[ cut here ]------------
kernel BUG at ./include/linux/page-flags.h:351!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 2676 Comm: kworker/u4:12 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: btrfs-delalloc btrfs_work_helper
RIP: 0010:const_folio_flags include/linux/page-flags.h:351 [inline]
RIP: 0010:folio_test_head include/linux/page-flags.h:844 [inline]
RIP: 0010:folio_test_large include/linux/page-flags.h:865 [inline]
RIP: 0010:folio_order include/linux/mm.h:1246 [inline]
RIP: 0010:folio_size include/linux/mm.h:2354 [inline]
RIP: 0010:submit_one_async_extent fs/btrfs/inode.c:1128 [inline]
RIP: 0010:submit_compressed_extents+0x161a/0x1670 fs/btrfs/inode.c:1599
Code: 8c 9d 53 fe 4d 8b 1e 4c 89 ff 2e 2e 2e 41 ff d3 e9 d6 fd ff ff e8 96 f2 eb fd 4c 89 ef 48 c7 c6 00 a6 af 8b e8 07 f4 52 fd 90 <0f> 0b e8 7f f2 eb fd 48 c7 c7 40 93 af 8b 48 c7 c6 e0 a8 af 8b 31
RSP: 0018:ffffc9000ff4f7e0 EFLAGS: 00010246
RAX: b7630c6330986b00 RBX: 0000000000000001 RCX: 0000000000000000
RDX: 0000000000000006 RSI: ffffffff8d798217 RDI: 00000000ffffffff
RBP: ffffc9000ff4f9d0 R08: ffffffff8f824277 R09: 1ffffffff1f0484e
R10: dffffc0000000000 R11: fffffbfff1f0484f R12: ffffffffffffffff
R13: ffffea000001a840 R14: 0000000000005000 R15: ffff888036c31410
FS: 0000000000000000(0000) GS:ffff88808d416000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc38501a000 CR3: 00000000110e3000 CR4: 0000000000352ef0
Call Trace:
<TASK>
run_ordered_work fs/btrfs/async-thread.c:243 [inline]
btrfs_work_helper+0x564/0xbf0 fs/btrfs/async-thread.c:322
process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:const_folio_flags include/linux/page-flags.h:351 [inline]
RIP: 0010:folio_test_head include/linux/page-flags.h:844 [inline]
RIP: 0010:folio_test_large include/linux/page-flags.h:865 [inline]
RIP: 0010:folio_order include/linux/mm.h:1246 [inline]
RIP: 0010:folio_size include/linux/mm.h:2354 [inline]
RIP: 0010:submit_one_async_extent fs/btrfs/inode.c:1128 [inline]
RIP: 0010:submit_compressed_extents+0x161a/0x1670 fs/btrfs/inode.c:1599
Code: 8c 9d 53 fe 4d 8b 1e 4c 89 ff 2e 2e 2e 41 ff d3 e9 d6 fd ff ff e8 96 f2 eb fd 4c 89 ef 48 c7 c6 00 a6 af 8b e8 07 f4 52 fd 90 <0f> 0b e8 7f f2 eb fd 48 c7 c7 40 93 af 8b 48 c7 c6 e0 a8 af 8b 31
RSP: 0018:ffffc9000ff4f7e0 EFLAGS: 00010246
RAX: b7630c6330986b00 RBX: 0000000000000001 RCX: 0000000000000000
RDX: 0000000000000006 RSI: ffffffff8d798217 RDI: 00000000ffffffff
RBP: ffffc9000ff4f9d0 R08: ffffffff8f824277 R09: 1ffffffff1f0484e
R10: dffffc0000000000 R11: fffffbfff1f0484f R12: ffffffffffffffff
R13: ffffea000001a840 R14: 0000000000005000 R15: ffff888036c31410
FS: 0000000000000000(0000) GS:ffff88808d416000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc38501a000 CR3: 00000000373f0000 CR4: 0000000000352ef0
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: b927546677c8 Merge tag 'dma-mapping-6.19-2025-12-22' of gi..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1600df1a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=513255d80ab78f2b
dashboard link: https://syzkaller.appspot.com/bug?extid=6bcfce568a4af2a909bc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-b9275466.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/16f89c42bab9/vmlinux-b9275466.xz
kernel image: https://storage.googleapis.com/syzbot-assets/54c5ab9b0ef0/bzImage-b9275466.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+6bcfce...@syzkaller.appspotmail.com
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x6a1
head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x7ff00000000040(head|node=0|zone=0|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 007ff00000000001 ffffea000001a801 00000000ffffffff 00000000ffffffff
raw: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
head: 007ff00000000040 ffff888040d47dc0 dead000000000122 0000000000000000
head: 0000000000000000 00000000800a000a 00000000f5000000 0000000000000000
head: 007ff00000000001 ffffea000001a801 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
page dumped because: VM_BUG_ON_PAGE(page->compound_head & 1)
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd2800(GFP_NOWAIT|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 2676, tgid 2676 (kworker/u4:12), ts 86875534140, free_ts 86855865505
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x234/0x290 mm/page_alloc.c:1846
prep_new_page mm/page_alloc.c:1854 [inline]
get_page_from_freelist+0x24e0/0x2580 mm/page_alloc.c:3915
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5210
alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2486
alloc_slab_page mm/slub.c:3075 [inline]
allocate_slab+0x86/0x3b0 mm/slub.c:3248
new_slab mm/slub.c:3302 [inline]
___slab_alloc+0xe53/0x1820 mm/slub.c:4656
__slab_alloc+0x65/0x100 mm/slub.c:4779
__slab_alloc_node mm/slub.c:4855 [inline]
slab_alloc_node mm/slub.c:5251 [inline]
kmem_cache_alloc_noprof+0x40f/0x710 mm/slub.c:5270
mempool_alloc_noprof+0x1c9/0x2f0 mm/mempool.c:567
bio_alloc_bioset+0x337/0x14e0 block/bio.c:561
alloc_compressed_bio fs/btrfs/compression.c:68 [inline]
btrfs_submit_compressed_write+0x16f/0x430 fs/btrfs/compression.c:382
submit_one_async_extent fs/btrfs/inode.c:1188 [inline]
submit_compressed_extents+0xe7a/0x1670 fs/btrfs/inode.c:1599
run_ordered_work fs/btrfs/async-thread.c:243 [inline]
btrfs_work_helper+0x564/0xbf0 fs/btrfs/async-thread.c:322
process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
kthread+0x711/0x8a0 kernel/kthread.c:463
page last free pid 78 tgid 78 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1395 [inline]
free_unref_folios+0xdb3/0x14f0 mm/page_alloc.c:3000
shrink_folio_list+0x4800/0x5010 mm/vmscan.c:1603
evict_folios+0x473e/0x57f0 mm/vmscan.c:4711
try_to_shrink_lruvec+0x8a3/0xb50 mm/vmscan.c:4874
shrink_one+0x25c/0x720 mm/vmscan.c:4919
shrink_many mm/vmscan.c:4982 [inline]
lru_gen_shrink_node mm/vmscan.c:5060 [inline]
shrink_node+0x2f7d/0x35b0 mm/vmscan.c:6047
kswapd_shrink_node mm/vmscan.c:6901 [inline]
balance_pgdat mm/vmscan.c:7084 [inline]
kswapd+0x145a/0x2820 mm/vmscan.c:7354
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
------------[ cut here ]------------
kernel BUG at ./include/linux/page-flags.h:351!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 2676 Comm: kworker/u4:12 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: btrfs-delalloc btrfs_work_helper
RIP: 0010:const_folio_flags include/linux/page-flags.h:351 [inline]
RIP: 0010:folio_test_head include/linux/page-flags.h:844 [inline]
RIP: 0010:folio_test_large include/linux/page-flags.h:865 [inline]
RIP: 0010:folio_order include/linux/mm.h:1246 [inline]
RIP: 0010:folio_size include/linux/mm.h:2354 [inline]
RIP: 0010:submit_one_async_extent fs/btrfs/inode.c:1128 [inline]
RIP: 0010:submit_compressed_extents+0x161a/0x1670 fs/btrfs/inode.c:1599
Code: 8c 9d 53 fe 4d 8b 1e 4c 89 ff 2e 2e 2e 41 ff d3 e9 d6 fd ff ff e8 96 f2 eb fd 4c 89 ef 48 c7 c6 00 a6 af 8b e8 07 f4 52 fd 90 <0f> 0b e8 7f f2 eb fd 48 c7 c7 40 93 af 8b 48 c7 c6 e0 a8 af 8b 31
RSP: 0018:ffffc9000ff4f7e0 EFLAGS: 00010246
RAX: b7630c6330986b00 RBX: 0000000000000001 RCX: 0000000000000000
RDX: 0000000000000006 RSI: ffffffff8d798217 RDI: 00000000ffffffff
RBP: ffffc9000ff4f9d0 R08: ffffffff8f824277 R09: 1ffffffff1f0484e
R10: dffffc0000000000 R11: fffffbfff1f0484f R12: ffffffffffffffff
R13: ffffea000001a840 R14: 0000000000005000 R15: ffff888036c31410
FS: 0000000000000000(0000) GS:ffff88808d416000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc38501a000 CR3: 00000000110e3000 CR4: 0000000000352ef0
Call Trace:
<TASK>
run_ordered_work fs/btrfs/async-thread.c:243 [inline]
btrfs_work_helper+0x564/0xbf0 fs/btrfs/async-thread.c:322
process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:const_folio_flags include/linux/page-flags.h:351 [inline]
RIP: 0010:folio_test_head include/linux/page-flags.h:844 [inline]
RIP: 0010:folio_test_large include/linux/page-flags.h:865 [inline]
RIP: 0010:folio_order include/linux/mm.h:1246 [inline]
RIP: 0010:folio_size include/linux/mm.h:2354 [inline]
RIP: 0010:submit_one_async_extent fs/btrfs/inode.c:1128 [inline]
RIP: 0010:submit_compressed_extents+0x161a/0x1670 fs/btrfs/inode.c:1599
Code: 8c 9d 53 fe 4d 8b 1e 4c 89 ff 2e 2e 2e 41 ff d3 e9 d6 fd ff ff e8 96 f2 eb fd 4c 89 ef 48 c7 c6 00 a6 af 8b e8 07 f4 52 fd 90 <0f> 0b e8 7f f2 eb fd 48 c7 c7 40 93 af 8b 48 c7 c6 e0 a8 af 8b 31
RSP: 0018:ffffc9000ff4f7e0 EFLAGS: 00010246
RAX: b7630c6330986b00 RBX: 0000000000000001 RCX: 0000000000000000
RDX: 0000000000000006 RSI: ffffffff8d798217 RDI: 00000000ffffffff
RBP: ffffc9000ff4f9d0 R08: ffffffff8f824277 R09: 1ffffffff1f0484e
R10: dffffc0000000000 R11: fffffbfff1f0484f R12: ffffffffffffffff
R13: ffffea000001a840 R14: 0000000000005000 R15: ffff888036c31410
FS: 0000000000000000(0000) GS:ffff88808d416000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc38501a000 CR3: 00000000373f0000 CR4: 0000000000352ef0
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Reply all
Reply to author
Forward
0 new messages