syzbot


kernel BUG in clear_state_bit

Status: upstream: reported C repro on 2022/11/25 09:46
Reported-by: syzbot+78dbea1c214b5413bdd3@syzkaller.appspotmail.com
First crash: 4d03h, last: 3d03h

Cause bisection: introduced by (bisect log) :
commit 4444a06981af66a49cf0cd08fec9759e8dd0a0fc
Author: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
Date: Thu Sep 1 02:23:32 2022 +0000

  hwmon: (emc2305) Remove unused including <linux/version.h>

Crash: kernel BUG in close_ctree (log)
Repro: C syz .config

Sample crash report:
BTRFS: device fsid d552757d-9c39-40e3-95f0-16d819589928 devid 1 transid 8 /dev/loop0 scanned by syz-executor247 (3626)
BTRFS info (device loop0): using sha256 (sha256-avx2) checksum algorithm
BTRFS info (device loop0): using free space tree
BTRFS info (device loop0): enabling ssd optimizations
------------[ cut here ]------------
kernel BUG at fs/btrfs/extent-io-tree.c:517!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 3626 Comm: syz-executor247 Not tainted 6.1.0-rc6-syzkaller-00015-gc3eb11fbb826 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
RIP: 0010:clear_state_bit+0x325/0x330 fs/btrfs/extent-io-tree.c:517
Code: 2f fe e9 9c fd ff ff 44 89 e9 80 e1 07 80 c1 03 38 c1 0f 8c c7 fe ff ff 4c 89 ef e8 a5 0f 2f fe e9 ba fe ff ff e8 bb f7 da fd <0f> 0b 66 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 41 55 41
RSP: 0018:ffffc90003cae8d0 EFLAGS: 00010293
RAX: ffffffff83afa0b5 RBX: 00000000fffffff4 RCX: ffff888022add7c0
RDX: 0000000000000000 RSI: 00000000fffffff4 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffffffff83af9ee2 R09: 00000000ffffffff
R10: fffffbfff1a42e97 R11: 1ffffffff1a42e96 R12: ffff88807f27c540
R13: ffffc90003caead8 R14: 0000000000001000 R15: dffffc0000000000
FS:  0000555555ca1300(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020010000 CR3: 0000000023ed5000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 __clear_extent_bit+0x669/0xc60 fs/btrfs/extent-io-tree.c:674
 clear_record_extent_bits+0x4e/0x80 fs/btrfs/extent-io-tree.c:1614
 __btrfs_qgroup_release_data+0x4b9/0x850 fs/btrfs/qgroup.c:3870
 btrfs_add_ordered_extent+0xdf/0xbe0 fs/btrfs/ordered-data.c:188
 cow_file_range+0x73a/0xfa0 fs/btrfs/inode.c:1299
 btrfs_run_delalloc_range+0xed4/0x11a0 fs/btrfs/inode.c:2229
 writepage_delalloc+0x25e/0x540 fs/btrfs/extent_io.c:1968
 __extent_writepage+0x5d6/0x14d0 fs/btrfs/extent_io.c:2272
 extent_write_cache_pages+0x9e7/0x12d0 fs/btrfs/extent_io.c:3186
 extent_writepages+0x228/0x550 fs/btrfs/extent_io.c:3308
 do_writepages+0x3c3/0x680 mm/page-writeback.c:2469
 filemap_fdatawrite_wbc+0x11e/0x170 mm/filemap.c:388
 __filemap_fdatawrite_range mm/filemap.c:421 [inline]
 filemap_fdatawrite_range+0x175/0x200 mm/filemap.c:439
 btrfs_fdatawrite_range+0x4b/0x110 fs/btrfs/file.c:4155
 btrfs_wait_ordered_range+0x65/0x270 fs/btrfs/ordered-data.c:774
 btrfs_punch_hole fs/btrfs/file.c:2913 [inline]
 btrfs_fallocate+0x421/0x2020 fs/btrfs/file.c:3367
 vfs_fallocate+0x515/0x670 fs/open.c:323
 do_vfs_ioctl+0x2187/0x29a0 fs/ioctl.c:849
 __do_sys_ioctl fs/ioctl.c:868 [inline]
 __se_sys_ioctl+0x83/0x170 fs/ioctl.c:856
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f2e2246aac9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 91 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd222883d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f2e2246aac9
RDX: 0000000020000100 RSI: 0000000040305829 RDI: 0000000000000005
RBP: 0000000000000006 R08: 0000000000000001 R09: 00007ffd00000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd22288460
R13: 00007f2e224ed780 R14: 0000000000000003 R15: 00007ffd2228842a
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:clear_state_bit+0x325/0x330 fs/btrfs/extent-io-tree.c:517
Code: 2f fe e9 9c fd ff ff 44 89 e9 80 e1 07 80 c1 03 38 c1 0f 8c c7 fe ff ff 4c 89 ef e8 a5 0f 2f fe e9 ba fe ff ff e8 bb f7 da fd <0f> 0b 66 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 41 55 41
RSP: 0018:ffffc90003cae8d0 EFLAGS: 00010293
RAX: ffffffff83afa0b5 RBX: 00000000fffffff4 RCX: ffff888022add7c0
RDX: 0000000000000000 RSI: 00000000fffffff4 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffffffff83af9ee2 R09: 00000000ffffffff
R10: fffffbfff1a42e97 R11: 1ffffffff1a42e96 R12: ffff88807f27c540
R13: ffffc90003caead8 R14: 0000000000001000 R15: dffffc0000000000
FS:  0000555555ca1300(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020010000 CR3: 0000000023ed5000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Crashes (3):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci2-upstream-fs 2022/11/25 08:39 upstream c3eb11fbb826 74a66371 .config log report syz C kernel BUG in clear_state_bit
ci-upstream-gce-arm64 2022/11/26 08:34 git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci 6d464646530f 74a66371 .config log report syz C kernel BUG in clear_state_bit
ci2-upstream-fs 2022/11/25 08:16 upstream c3eb11fbb826 74a66371 .config log report info kernel BUG in clear_state_bit
* Struck through repros no longer work on HEAD.