Jiaming Zhang
8:45 AM
to c...@fb.com, dst...@suse.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, syzk...@googlegroups.com
Dear Linux kernel developers and maintainers,
We are writing to report a warning discovered in the btrfs subsystem.
This issue is reproducible on the latest version (commit
b71e635feefc852405b14620a7fc58c4c80c0f73).
The kernel console output, kernel config, syzkaller reproducer, and C
reproducer are attached to help with analysis. The KASAN report from the
kernel, formatted by syz-symbolize, is listed below:
---
BTRFS: Transaction aborted (error -22)
WARNING: fs/btrfs/extent-tree.c:4208 at find_free_extent_update_loop
fs/btrfs/extent-tree.c:4208 [inline], CPU#0: repro.out/9758
WARNING: fs/btrfs/extent-tree.c:4208 at find_free_extent+0x52ee/0x5d20
fs/btrfs/extent-tree.c:4611, CPU#0: repro.out/9758
Modules linked in:
CPU: 0 UID: 0 PID: 9758 Comm: repro.out Not tainted
6.19.0-rc5-00002-gb71e635feefc #7 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:find_free_extent_update_loop fs/btrfs/extent-tree.c:4208 [inline]
RIP: 0010:find_free_extent+0x52f0/0x5d20 fs/btrfs/extent-tree.c:4611
Code: 36 b6 01 fe e9 95 03 00 00 e8 dc 04 e8 fd 84 c0 74 66 e8 23 b6
01 fe e9 82 03 00 00 e8 19 b6 01 fe 48 8d 3d e2 09 b1 0b 89 ee <67> 48
0f b9 3a e9 60 f6 ff ff 48 8b 4c 24 78 80 e1 07 38 c1 0f 8c
RSP: 0018:ffffc9000445eb28 EFLAGS: 00010293
RAX: ffffffff83b4ffc7 RBX: ffff88802ad30000 RCX: ffff88802804bd80
RDX: 0000000000000000 RSI: 00000000ffffffea RDI: ffffffff8f6609b0
RBP: 00000000ffffffea R08: ffff88802804bd80 R09: 0000000000000003
R10: 00000000fffffffb R11: 0000000000000000 R12: ffff88802ad30060
R13: ffff88802ad30000 R14: 0000000000000000 R15: ffff88802ad30060
FS: 0000000000000000(0000) GS:ffff8880994e9000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000004c1108 CR3: 00000000281ef000 CR4: 0000000000752ef0
PKRU: 55555554
Call Trace:
<TASK>
btrfs_reserve_extent+0x2cd/0x790 fs/btrfs/extent-tree.c:4705
btrfs_alloc_tree_block+0x1e1/0x10e0 fs/btrfs/extent-tree.c:5157
btrfs_force_cow_block+0x578/0x2410 fs/btrfs/ctree.c:517
btrfs_cow_block+0x3c4/0xa80 fs/btrfs/ctree.c:708
btrfs_search_slot+0xcad/0x2b50 fs/btrfs/ctree.c:2130
btrfs_truncate_inode_items+0x45d/0x2350 fs/btrfs/inode-item.c:499
btrfs_evict_inode+0x923/0xe70 fs/btrfs/inode.c:5628
evict+0x5f4/0xae0 fs/inode.c:837
__dentry_kill+0x209/0x660 fs/dcache.c:670
finish_dput+0xc9/0x480 fs/dcache.c:879
shrink_dcache_for_umount+0xa0/0x170 fs/dcache.c:1661
generic_shutdown_super+0x67/0x2c0 fs/super.c:621
kill_anon_super+0x3b/0x70 fs/super.c:1289
btrfs_kill_super+0x41/0x50 fs/btrfs/super.c:2127
deactivate_locked_super+0xbc/0x130 fs/super.c:474
cleanup_mnt+0x425/0x4c0 fs/namespace.c:1318
task_work_run+0x1d4/0x260 kernel/task_work.c:233
exit_task_work include/linux/task_work.h:40 [inline]
do_exit+0x694/0x22f0 kernel/exit.c:971
do_group_exit+0x21c/0x2d0 kernel/exit.c:1112
__do_sys_exit_group kernel/exit.c:1123 [inline]
__se_sys_exit_group kernel/exit.c:1121 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1121
x64_sys_call+0x2210/0x2210 arch/x86/include/generated/asm/syscalls_64.h:232
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xe8/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x44f639
Code: Unable to access opcode bytes at 0x44f60f.
RSP: 002b:00007ffc15c4e088 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00000000004c32f0 RCX: 000000000044f639
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
RBP: 0000000000000001 R08: ffffffffffffffc0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004c32f0
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
</TASK>
----------------
Code disassembly (best guess), 2 bytes skipped:
0: 01 fe add %edi,%esi
2: e9 95 03 00 00 jmp 0x39c
7: e8 dc 04 e8 fd call 0xfde804e8
c: 84 c0 test %al,%al
e: 74 66 je 0x76
10: e8 23 b6 01 fe call 0xfe01b638
15: e9 82 03 00 00 jmp 0x39c
1a: e8 19 b6 01 fe call 0xfe01b638
1f: 48 8d 3d e2 09 b1 0b lea 0xbb109e2(%rip),%rdi # 0xbb10a08
26: 89 ee mov %ebp,%esi
* 28: 67 48 0f b9 3a ud1 (%edx),%rdi <-- trapping instruction
2d: e9 60 f6 ff ff jmp 0xfffff692
32: 48 8b 4c 24 78 mov 0x78(%rsp),%rcx
37: 80 e1 07 and $0x7,%cl
3a: 38 c1 cmp %al,%cl
3c: 0f .byte 0xf
3d: 8c .byte 0x8c
---
Please let me know if any further information is required.
Best Regards,
Jiaming Zhang