syzbot


BUG: spinlock bad magic in btrfs_stop_all_workers

Status: moderation: reported on 2024/05/23 21:20
Subsystems: btrfs
[Documentation on labels]
Reported-by: syzbot+2cf55560fbd534a0cd2f@syzkaller.appspotmail.com
First crash: 26d, last: 6d05h
Similar bugs (4)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream BUG: spinlock bad magic in lock_sock_nested (2) bluetooth 1 879d 879d 0/27 auto-closed as invalid on 2022/04/18 01:34
upstream BUG: spinlock bad magic in lock_sock_nested bluetooth 26 1021d 1376d 0/27 auto-closed as invalid on 2021/12/27 15:41
upstream BUG: unable to handle kernel paging request in take_dentry_name_snapshot reiserfs overlayfs C error done 30 70d 562d 0/27 closed as dup on 2023/10/04 08:35
upstream BUG: spinlock bad magic in skb_queue_tail afs net 1 544d 540d 0/27 auto-obsoleted due to no activity on 2023/03/19 17:50

Sample crash report:
BUG: spinlock bad magic on CPU#1, syz-executor.3/5267
==================================================================
BUG: KASAN: slab-out-of-bounds in task_pid_nr include/linux/pid.h:232 [inline]
BUG: KASAN: slab-out-of-bounds in spin_dump kernel/locking/spinlock_debug.c:64 [inline]
BUG: KASAN: slab-out-of-bounds in spin_bug+0x17d/0x1d0 kernel/locking/spinlock_debug.c:78
Read of size 4 at addr ffff88801dbc3dd8 by task syz-executor.3/5267

CPU: 1 PID: 5267 Comm: syz-executor.3 Not tainted 6.10.0-rc2-syzkaller-00361-g061d1af7b030 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:488
 kasan_report+0xd9/0x110 mm/kasan/report.c:601
 task_pid_nr include/linux/pid.h:232 [inline]
 spin_dump kernel/locking/spinlock_debug.c:64 [inline]
 spin_bug+0x17d/0x1d0 kernel/locking/spinlock_debug.c:78
 debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline]
 do_raw_spin_lock+0x225/0x2c0 kernel/locking/spinlock_debug.c:115
 put_pwq_unlocked kernel/workqueue.c:1662 [inline]
 put_pwq_unlocked kernel/workqueue.c:1655 [inline]
 destroy_workqueue+0x5df/0xaa0 kernel/workqueue.c:5851
 btrfs_destroy_workqueue+0x41/0x260 fs/btrfs/async-thread.c:360
 btrfs_stop_all_workers+0x1de/0x370 fs/btrfs/disk-io.c:1799
 close_ctree+0x4e3/0xf90 fs/btrfs/disk-io.c:4365
 generic_shutdown_super+0x159/0x3d0 fs/super.c:642
 kill_anon_super+0x3a/0x60 fs/super.c:1226
 btrfs_kill_super+0x3b/0x50 fs/btrfs/super.c:2096
 deactivate_locked_super+0xbe/0x1a0 fs/super.c:473
 deactivate_super+0xde/0x100 fs/super.c:506
 cleanup_mnt+0x222/0x450 fs/namespace.c:1267
 task_work_run+0x14e/0x250 kernel/task_work.c:180
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x278/0x2a0 kernel/entry/common.c:218
 __do_fast_syscall_32+0x80/0x120 arch/x86/entry/common.c:389
 do_fast_syscall_32+0x32/0x80 arch/x86/entry/common.c:411
 entry_SYSENTER_compat_after_hwframe+0x84/0x8e
RIP: 0023:0xf7277579
Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
RSP: 002b:00000000ff8879f8 EFLAGS: 00000292 ORIG_RAX: 0000000000000034
RAX: 0000000000000000 RBX: 00000000ff887aa0 RCX: 0000000000000009
RDX: 00000000f73cdff4 RSI: 00000000f731e361 RDI: 00000000ff888b44
RBP: 00000000ff887aa0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 </TASK>

Allocated by task 5668:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:387
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 __do_kmalloc_node mm/slub.c:4122 [inline]
 __kmalloc_noprof+0x1ec/0x420 mm/slub.c:4135
 kmalloc_noprof include/linux/slab.h:664 [inline]
 kzalloc_noprof include/linux/slab.h:778 [inline]
 alloc_workqueue+0xe02/0x1ca0 kernel/workqueue.c:5667
 btrfs_alloc_ordered_workqueue+0x1ed/0x4c0 fs/btrfs/async-thread.c:140
 btrfs_init_workqueues fs/btrfs/disk-io.c:2018 [inline]
 open_ctree+0x16a5/0x52e0 fs/btrfs/disk-io.c:3362
 btrfs_fill_super fs/btrfs/super.c:946 [inline]
 btrfs_get_tree_super fs/btrfs/super.c:1863 [inline]
 btrfs_get_tree+0x11e9/0x1b90 fs/btrfs/super.c:2089
 vfs_get_tree+0x8f/0x380 fs/super.c:1780
 fc_mount+0x16/0xc0 fs/namespace.c:1125
 btrfs_get_tree_subvol fs/btrfs/super.c:2052 [inline]
 btrfs_get_tree+0xa53/0x1b90 fs/btrfs/super.c:2090
 vfs_get_tree+0x8f/0x380 fs/super.c:1780
 do_new_mount fs/namespace.c:3352 [inline]
 path_mount+0x6e1/0x1f10 fs/namespace.c:3679
 do_mount fs/namespace.c:3692 [inline]
 __do_sys_mount fs/namespace.c:3898 [inline]
 __se_sys_mount fs/namespace.c:3875 [inline]
 __ia32_sys_mount+0x295/0x320 fs/namespace.c:3875
 do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline]
 __do_fast_syscall_32+0x73/0x120 arch/x86/entry/common.c:386
 do_fast_syscall_32+0x32/0x80 arch/x86/entry/common.c:411
 entry_SYSENTER_compat_after_hwframe+0x84/0x8e

The buggy address belongs to the object at ffff88801dbc3800
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 960 bytes to the right of
 allocated 536-byte region [ffff88801dbc3800, ffff88801dbc3a18)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1dbc0
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffefff(slab)
raw: 00fff00000000040 ffff888015442dc0 0000000000000000 dead000000000001
raw: 0000000000000000 0000000000100010 00000001ffffefff 0000000000000000
head: 00fff00000000040 ffff888015442dc0 0000000000000000 dead000000000001
head: 0000000000000000 0000000000100010 00000001ffffefff 0000000000000000
head: 00fff00000000003 ffffea000076f001 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x152820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL), pid 13, tgid 13 (kworker/u32:1), ts 101505156219, free_ts 101464631600
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1468
 prep_new_page mm/page_alloc.c:1476 [inline]
 get_page_from_freelist+0x136a/0x2e50 mm/page_alloc.c:3420
 __alloc_pages_noprof+0x22b/0x2460 mm/page_alloc.c:4678
 __alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
 alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
 alloc_slab_page+0x56/0x110 mm/slub.c:2265
 allocate_slab mm/slub.c:2428 [inline]
 new_slab+0x84/0x260 mm/slub.c:2481
 ___slab_alloc+0xdac/0x1870 mm/slub.c:3667
 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3757
 __slab_alloc_node mm/slub.c:3810 [inline]
 slab_alloc_node mm/slub.c:3989 [inline]
 __do_kmalloc_node mm/slub.c:4121 [inline]
 __kmalloc_noprof+0x37f/0x420 mm/slub.c:4135
 kmalloc_noprof include/linux/slab.h:664 [inline]
 kzalloc_noprof include/linux/slab.h:778 [inline]
 neigh_alloc net/core/neighbour.c:494 [inline]
 ___neigh_create+0x141e/0x2ae0 net/core/neighbour.c:648
 ip6_finish_output2+0x111a/0x1880 net/ipv6/ip6_output.c:128
 __ip6_finish_output net/ipv6/ip6_output.c:211 [inline]
 ip6_finish_output+0x3f9/0x1300 net/ipv6/ip6_output.c:222
 NF_HOOK_COND include/linux/netfilter.h:303 [inline]
 ip6_output+0x1f8/0x540 net/ipv6/ip6_output.c:243
 dst_output include/net/dst.h:450 [inline]
 NF_HOOK include/linux/netfilter.h:314 [inline]
 ndisc_send_skb+0xa2d/0x1c30 net/ipv6/ndisc.c:509
 ndisc_send_rs+0x12b/0x690 net/ipv6/ndisc.c:719
 addrconf_dad_completed+0x4a1/0x1060 net/ipv6/addrconf.c:4359
 addrconf_dad_begin net/ipv6/addrconf.c:4124 [inline]
 addrconf_dad_work+0xd7f/0x1500 net/ipv6/addrconf.c:4226
page last free pid 5265 tgid 5265 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1088 [inline]
 free_unref_page+0x64a/0xe40 mm/page_alloc.c:2583
 __put_partials+0x14c/0x170 mm/slub.c:2995
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x4e/0x140 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x192/0x1e0 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:322
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slub.c:3941 [inline]
 slab_alloc_node mm/slub.c:4001 [inline]
 kmalloc_trace_noprof+0x11e/0x310 mm/slub.c:4148
 kmalloc_noprof include/linux/slab.h:660 [inline]
 netdevice_queue_work drivers/infiniband/core/roce_gid_mgmt.c:642 [inline]
 netdevice_event+0x368/0xa10 drivers/infiniband/core/roce_gid_mgmt.c:801
 notifier_call_chain+0xb9/0x410 kernel/notifier.c:93
 call_netdevice_notifiers_info+0xbe/0x140 net/core/dev.c:1992
 call_netdevice_notifiers_extack net/core/dev.c:2030 [inline]
 call_netdevice_notifiers net/core/dev.c:2044 [inline]
 __dev_notify_flags+0x12d/0x2e0 net/core/dev.c:8820
 dev_change_flags+0x10c/0x160 net/core/dev.c:8858
 do_setlink+0x19a6/0x3ea0 net/core/rtnetlink.c:2900
 __rtnl_newlink+0xc3a/0x1960 net/core/rtnetlink.c:3696
 rtnl_newlink+0x67/0xa0 net/core/rtnetlink.c:3743
 rtnetlink_rcv_msg+0x3c7/0xea0 net/core/rtnetlink.c:6635
 netlink_rcv_skb+0x165/0x410 net/netlink/af_netlink.c:2564

Memory state around the buggy address:
 ffff88801dbc3c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88801dbc3d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88801dbc3d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                                    ^
 ffff88801dbc3e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88801dbc3e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
----------------
Code disassembly (best guess), 2 bytes skipped:
   0:	10 06                	adc    %al,(%rsi)
   2:	03 74 b4 01          	add    0x1(%rsp,%rsi,4),%esi
   6:	10 07                	adc    %al,(%rdi)
   8:	03 74 b0 01          	add    0x1(%rax,%rsi,4),%esi
   c:	10 08                	adc    %cl,(%rax)
   e:	03 74 d8 01          	add    0x1(%rax,%rbx,8),%esi
  1e:	00 51 52             	add    %dl,0x52(%rcx)
  21:	55                   	push   %rbp
  22:	89 e5                	mov    %esp,%ebp
  24:	0f 34                	sysenter
  26:	cd 80                	int    $0x80
* 28:	5d                   	pop    %rbp <-- trapping instruction
  29:	5a                   	pop    %rdx
  2a:	59                   	pop    %rcx
  2b:	c3                   	ret
  2c:	90                   	nop
  2d:	90                   	nop
  2e:	90                   	nop
  2f:	90                   	nop
  30:	8d b4 26 00 00 00 00 	lea    0x0(%rsi,%riz,1),%esi
  37:	8d b4 26 00 00 00 00 	lea    0x0(%rsi,%riz,1),%esi

Crashes (3):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2024/06/09 13:23 upstream 061d1af7b030 c2e07261 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 BUG: spinlock bad magic in btrfs_stop_all_workers
2024/05/20 07:59 upstream eb6a9339efeb c2e07261 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 BUG: spinlock bad magic in btrfs_stop_all_workers
2024/05/19 21:18 upstream 0450d2083be6 c2e07261 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 BUG: spinlock bad magic in btrfs_stop_all_workers
* Struck through repros no longer work on HEAD.