Warning: Permanently added '10.128.1.0' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [ 38.039254] BTRFS: device fsid 24c7a497-3402-47dd-bef8-82358f5f30e0 devid 1 transid 8 /dev/loop3
[ 38.080989] BTRFS warning (device ): duplicate device /dev/loop0 devid 1 generation 8 scanned by syz-executor228 (8131)
[ 38.094830] BTRFS info (device loop3): enabling inode map caching
[ 38.104801] BTRFS info (device loop3): force clearing of disk cache
[ 38.107636] BTRFS warning (device ): duplicate device /dev/loop1 devid 1 generation 8 scanned by syz-executor228 (8130)
[ 38.120396] BTRFS info (device loop3): disabling free space tree
[ 38.134385] BTRFS info (device loop3): setting 8 feature flag
[ 38.140577] BTRFS info (device loop3): use lzo compression, level 0
[ 38.145709] BTRFS warning (device ): duplicate device /dev/loop5 devid 1 generation 8 scanned by syz-executor228 (8129)
[ 38.147225] BTRFS info (device loop3): has skinny extents
[ 38.174367] BTRFS warning (device ): duplicate device /dev/loop4 devid 1 generation 8 scanned by syz-executor228 (8133)
[ 38.193199] BTRFS warning (device ): duplicate device /dev/loop2 devid 1 generation 8 scanned by syz-executor228 (8134)
[ 38.223606] BTRFS warning (device ): duplicate device /dev/loop0 devid 1 generation 8 scanned by systemd-udevd (8152)
[ 38.263260] BTRFS warning (device ): duplicate device /dev/loop1 devid 1 generation 8 scanned by systemd-udevd (8154)
[ 38.343723] BTRFS warning (device ): duplicate device /dev/loop5 devid 1 generation 8 scanned by systemd-udevd (8161)
[ 38.445006] BTRFS warning (device ): duplicate device /dev/loop2 devid 1 generation 8 scanned by systemd-udevd (8164)
[ 38.498847] BTRFS warning (device ): duplicate device /dev/loop4 devid 1 generation 8 scanned by systemd-udevd (8162)
[ 38.569970] BTRFS info (device loop3): clearing free space tree
[ 38.607951] BTRFS info (device loop3): clearing 1 ro feature flag
[ 38.649881] BTRFS info (device loop3): clearing 2 ro feature flag
executing program
[ 39.224964] BTRFS info (device loop3): enabling inode map caching
[ 39.232407] BTRFS info (device loop3): force clearing of disk cache
[ 39.239199] BTRFS info (device loop3): disabling free space tree
[ 39.245812] BTRFS info (device loop3): setting 8 feature flag
[ 39.251948] BTRFS info (device loop3): use lzo compression, level 0
[ 39.258640] BTRFS info (device loop3): has skinny extents
[ 39.281612] BTRFS info (device loop3): clearing free space tree
[ 39.287805] BTRFS info (device loop3): clearing 1 ro feature flag
[ 39.294141] BTRFS info (device loop3): clearing 2 ro feature flag
executing program
[ 39.469819] BTRFS info (device loop3): enabling inode map caching
[ 39.476131] BTRFS info (device loop3): force clearing of disk cache
[ 39.482769] BTRFS info (device loop3): disabling free space tree
[ 39.496811] BTRFS info (device loop3): setting 8 feature flag
[ 39.502815] BTRFS info (device loop3): use lzo compression, level 0
[ 39.509216] BTRFS info (device loop3): has skinny extents
[ 39.526202] BTRFS info (device loop3): clearing free space tree
[ 39.532369] BTRFS info (device loop3): clearing 1 ro feature flag
[ 39.539647] BTRFS info (device loop3): clearing 2 ro feature flag
executing program
[ 39.716242] BTRFS info (device loop3): enabling inode map caching
[ 39.722817] BTRFS info (device loop3): force clearing of disk cache
[ 39.729418] BTRFS info (device loop3): disabling free space tree
[ 39.736040] BTRFS info (device loop3): setting 8 feature flag
[ 39.741941] BTRFS info (device loop3): use lzo compression, level 0
[ 39.748773] BTRFS info (device loop3): has skinny extents
[ 39.764271] BTRFS info (device loop3): clearing free space tree
[ 39.770388] BTRFS info (device loop3): clearing 1 ro feature flag
[ 39.778232] BTRFS info (device loop3): clearing 2 ro feature flag
executing program
[ 39.994649] BTRFS info (device loop3): enabling inode map caching
[ 40.000901] BTRFS info (device loop3): force clearing of disk cache
[ 40.010873] BTRFS info (device loop3): disabling free space tree
[ 40.022246] BTRFS info (device loop3): setting 8 feature flag
[ 40.031134] BTRFS info (device loop3): use lzo compression, level 0
[ 40.038736] BTRFS info (device loop3): has skinny extents
[ 40.056768] BTRFS info (device loop3): clearing free space tree
[ 40.063108] BTRFS info (device loop3): clearing 1 ro feature flag
[ 40.069386] BTRFS info (device loop3): clearing 2 ro feature flag
executing program
[ 40.239803] BTRFS info (device loop3): enabling inode map caching
[ 40.250657] BTRFS info (device loop3): force clearing of disk cache
[ 40.262285] BTRFS info (device loop3): disabling free space tree
[ 40.268591] BTRFS info (device loop3): setting 8 feature flag
[ 40.274867] BTRFS info (device loop3): use lzo compression, level 0
[ 40.281409] BTRFS info (device loop3): has skinny extents
[ 40.298160] BTRFS info (device loop3): clearing free space tree
[ 40.304370] BTRFS info (device loop3): clearing 1 ro feature flag
[ 40.310659] BTRFS info (device loop3): clearing 2 ro feature flag
executing program
[ 40.514849] BTRFS info (device loop3): enabling inode map caching
[ 40.523612] BTRFS info (device loop3): force clearing of disk cache
[ 40.530301] BTRFS info (device loop3): disabling free space tree
[ 40.538440] BTRFS info (device loop3): setting 8 feature flag
[ 40.544743] BTRFS info (device loop3): use lzo compression, level 0
[ 40.551156] BTRFS info (device loop3): has skinny extents
[ 40.574919] BTRFS info (device loop3): clearing free space tree
[ 40.581138] BTRFS info (device loop3): clearing 1 ro feature flag
[ 40.587602] BTRFS info (device loop3): clearing 2 ro feature flag
executing program
[ 40.799768] BTRFS info (device loop3): enabling inode map caching
[ 40.806172] BTRFS info (device loop3): force clearing of disk cache
[ 40.813122] BTRFS info (device loop3): disabling free space tree
[ 40.819427] BTRFS info (device loop3): setting 8 feature flag
[ 40.825772] BTRFS info (device loop3): use lzo compression, level 0
[ 40.832667] BTRFS info (device loop3): has skinny extents
[ 40.857551] BTRFS info (device loop3): clearing free space tree
[ 40.863852] BTRFS info (device loop3): clearing 1 ro feature flag
[ 40.870162] BTRFS info (device loop3): clearing 2 ro feature flag
executing program
[ 41.080001] BTRFS info (device loop3): enabling inode map caching
[ 41.086509] BTRFS info (device loop3): force clearing of disk cache
[ 41.093953] BTRFS info (device loop3): disabling free space tree
[ 41.100336] BTRFS info (device loop3): setting 8 feature flag
[ 41.106343] BTRFS info (device loop3): use lzo compression, level 0
[ 41.112847] BTRFS info (device loop3): has skinny extents
[ 41.133912] BTRFS info (device loop3): clearing free space tree
[ 41.140052] BTRFS info (device loop3): clearing 1 ro feature flag
[ 41.148052] BTRFS info (device loop3): clearing 2 ro feature flag
executing program
[ 41.362847] BTRFS info (device loop3): enabling inode map caching
[ 41.369323] BTRFS info (device loop3): force clearing of disk cache
[ 41.376809] BTRFS info (device loop3): disabling free space tree
[ 41.383815] BTRFS info (device loop3): setting 8 feature flag
[ 41.389926] BTRFS info (device loop3): use lzo compression, level 0
[ 41.397888] BTRFS info (device loop3): has skinny extents
[ 41.414256] BTRFS info (device loop3): clearing free space tree
[ 41.420344] BTRFS info (device loop3): clearing 1 ro feature flag
[ 41.426650] BTRFS info (device loop3): clearing 2 ro feature flag
executing program
[ 41.636782] BTRFS info (device loop3): enabling inode map caching
[ 41.643350] BTRFS info (device loop3): force clearing of disk cache
[ 41.649951] BTRFS info (device loop3): disabling free space tree
[ 41.657724] BTRFS info (device loop3): setting 8 feature flag
[ 41.664674] BTRFS info (device loop3): use lzo compression, level 0
[ 41.671548] BTRFS info (device loop3): has skinny extents
[ 41.688487] BTRFS info (device loop3): clearing free space tree
[ 41.695563] BTRFS info (device loop3): clearing 1 ro feature flag
[ 41.702629] BTRFS info (device loop3): clearing 2 ro feature flag
executing program
[ 41.916542] BTRFS info (device loop3): enabling inode map caching
executing program
executing program
[ 42.476469] block nbd5: shutting down sockets
[ 42.484196] block nbd1: shutting down sockets
[ 42.493706] block nbd0: shutting down sockets
[ 42.493790] block nbd4: shutting down sockets
[ 42.498274] block nbd2: shutting down sockets
[ 42.533238]
[ 42.534881] ======================================================
[ 42.541206] WARNING: possible circular locking dependency detected
[ 42.547514] 4.19.211-syzkaller #0 Not tainted
[ 42.551990] ------------------------------------------------------
[ 42.558295] syz-executor228/8129 is trying to acquire lock:
[ 42.563995] 00000000da7025a4 ((wq_completion)"knbd%d-recv"nbd->index){+.+.}, at: flush_workqueue+0xe8/0x13e0
[ 42.573966]
[ 42.573966] but task is already holding lock:
executing program
[ 42.579925] 000000003a5537cb (&nbd->config_lock){+.+.}, at: refcount_dec_and_mutex_lock+0x4a/0x80
[ 42.588939]
[ 42.588939] which lock already depends on the new lock.
[ 42.588939]
[ 42.597246]
[ 42.597246] the existing dependency chain (in reverse order) is:
[ 42.604857]
[ 42.604857] -> #10 (&nbd->config_lock){+.+.}:
[ 42.610839]        nbd_open+0x2e2/0x6f0
[ 42.614808]        __blkdev_get+0x372/0x1480
[ 42.619226]        blkdev_get+0xb0/0x940
[ 42.623280]        blkdev_open+0x202/0x290
[ 42.627512]        do_dentry_open+0x4aa/0x1160
[ 42.632106]        path_openat+0x793/0x2df0
[ 42.636422]        do_filp_open+0x18c/0x3f0
[ 42.640736]        do_sys_open+0x3b3/0x520
[ 42.644965]        do_syscall_64+0xf9/0x620
[ 42.649283]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 42.654975]
[ 42.654975] -> #9 (nbd_index_mutex){+.+.}:
[ 42.660701]        nbd_open+0x73/0x6f0
[ 42.664583]        __blkdev_get+0x372/0x1480
[ 42.668983]        blkdev_get+0xb0/0x940
[ 42.673045]        blkdev_open+0x202/0x290
[ 42.677272]        do_dentry_open+0x4aa/0x1160
[ 42.681861]        path_openat+0x793/0x2df0
[ 42.686174]        do_filp_open+0x18c/0x3f0
[ 42.690489]        do_sys_open+0x3b3/0x520
[ 42.694722]        do_syscall_64+0xf9/0x620
[ 42.699126]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 42.704819]
[ 42.704819] -> #8 (&bdev->bd_mutex){+.+.}:
[ 42.710534]        blkdev_put+0x30/0x520
[ 42.714595]        close_fs_devices.part.0+0x24d/0x8e0
[ 42.719866]        btrfs_close_devices+0x95/0x1f0
[ 42.724702]        close_ctree+0x3c8/0x850
[ 42.728939]        generic_shutdown_super+0x144/0x370
executing program
[ 42.734121]        kill_anon_super+0x36/0x60
[ 42.738526]        btrfs_kill_super+0x49/0x550
[ 42.743106]        deactivate_locked_super+0x94/0x160
[ 42.748287]        deactivate_super+0x174/0x1a0
[ 42.752939]        cleanup_mnt+0x1a8/0x290
[ 42.757163]        task_work_run+0x148/0x1c0
[ 42.761552]        exit_to_usermode_loop+0x251/0x2a0
[ 42.766635]        do_syscall_64+0x538/0x620
[ 42.771028]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 42.776710]
[ 42.776710] -> #7 (&fs_devs->device_list_mutex){+.+.}:
[ 42.783451]        btrfs_run_dev_stats+0xbb/0xa80
[ 42.788271]        commit_cowonly_roots+0x1ce/0xc30
[ 42.793269]        btrfs_commit_transaction+0x94a/0x2480
[ 42.798699]        btrfs_clear_free_space_tree+0x69d/0xa50
[ 42.804303]        open_ctree.cold+0x30/0xc3d
[ 42.808781]        btrfs_mount_root+0x12e5/0x1830
[ 42.813601]        mount_fs+0xa3/0x310
[ 42.817466]        vfs_kern_mount.part.0+0x68/0x470
[ 42.822459]        vfs_kern_mount+0x3c/0x60
[ 42.826761]        btrfs_mount+0x23a/0xaa0
[ 42.830972]        mount_fs+0xa3/0x310
[ 42.834837]        vfs_kern_mount.part.0+0x68/0x470
[ 42.839830]        do_mount+0x115c/0x2f50
[ 42.843957]        ksys_mount+0xcf/0x130
[ 42.847997]        __x64_sys_mount+0xba/0x150
[ 42.852470]        do_syscall_64+0xf9/0x620
[ 42.856771]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 42.862454]
[ 42.862454] -> #6 (&fs_info->tree_log_mutex){+.+.}:
[ 42.868936]        btrfs_commit_transaction+0x8c2/0x2480
[ 42.874368]        btrfs_clear_free_space_tree+0x69d/0xa50
[ 42.879970]        open_ctree.cold+0x30/0xc3d
[ 42.884443]        btrfs_mount_root+0x12e5/0x1830
[ 42.889263]        mount_fs+0xa3/0x310
[ 42.893132]        vfs_kern_mount.part.0+0x68/0x470
[ 42.898130]        vfs_kern_mount+0x3c/0x60
[ 42.902434]        btrfs_mount+0x23a/0xaa0
[ 42.906651]        mount_fs+0xa3/0x310
[ 42.910522]        vfs_kern_mount.part.0+0x68/0x470
[ 42.915517]        do_mount+0x115c/0x2f50
[ 42.919646]        ksys_mount+0xcf/0x130
[ 42.923689]        __x64_sys_mount+0xba/0x150
[ 42.928163]        do_syscall_64+0xf9/0x620
[ 42.932465]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 42.938147]
[ 42.938147] -> #5 (&fs_info->reloc_mutex){+.+.}:
[ 42.944366]        btrfs_commit_transaction+0x80b/0x2480
[ 42.949801]        btrfs_clear_free_space_tree+0x69d/0xa50
[ 42.955405]        open_ctree.cold+0x30/0xc3d
[ 42.959880]        btrfs_mount_root+0x12e5/0x1830
[ 42.964703]        mount_fs+0xa3/0x310
[ 42.968575]        vfs_kern_mount.part.0+0x68/0x470
[ 42.973570]        vfs_kern_mount+0x3c/0x60
[ 42.977872]        btrfs_mount+0x23a/0xaa0
[ 42.982085]        mount_fs+0xa3/0x310
[ 42.985953]        vfs_kern_mount.part.0+0x68/0x470
[ 42.990947]        do_mount+0x115c/0x2f50
[ 42.995075]        ksys_mount+0xcf/0x130
[ 42.999125]        __x64_sys_mount+0xba/0x150
[ 43.003616]        do_syscall_64+0xf9/0x620
[ 43.007922]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 43.013607]
[ 43.013607] -> #4 (sb_internal#2){.+.+}:
[ 43.019141]        start_transaction+0xa37/0xf90
[ 43.023879]        btrfs_dirty_inode+0xe3/0x210
[ 43.028529]        btrfs_update_time+0x33b/0x3d0
[ 43.033265]        touch_atime+0x23c/0x2a0
[ 43.037478]        btrfs_file_mmap+0x11b/0x160
[ 43.042036]        mmap_region+0xc94/0x16b0
[ 43.046335]        do_mmap+0x8e8/0x1080
[ 43.050288]        vm_mmap_pgoff+0x197/0x200
[ 43.054759]        ksys_mmap_pgoff+0x298/0x5a0
[ 43.059320]        do_syscall_64+0xf9/0x620
[ 43.063627]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 43.069309]
[ 43.069309] -> #3 (&mm->mmap_sem){++++}:
[ 43.074834]        _copy_to_iter+0x3d0/0xea0
[ 43.079226]        skb_copy_datagram_iter+0x469/0x9e0
[ 43.084401]        unix_stream_read_actor+0x78/0xc0
[ 43.089398]        unix_stream_read_generic+0x8b9/0x1a40
[ 43.094828]        unix_stream_recvmsg+0xb1/0xf0
[ 43.099566]        sock_read_iter+0x339/0x470
[ 43.104043]        __vfs_read+0x518/0x750
[ 43.108173]        vfs_read+0x194/0x3c0
[ 43.112134]        ksys_read+0x12b/0x2a0
[ 43.116175]        do_syscall_64+0xf9/0x620
[ 43.120486]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 43.126173]
[ 43.126173] -> #2 (&u->iolock){+.+.}:
[ 43.131438]        unix_stream_read_generic+0x2de/0x1a40
[ 43.136866]        unix_stream_recvmsg+0xb1/0xf0
[ 43.141603]        sock_recvmsg+0xca/0x110
[ 43.145912]        sock_xmit+0x37d/0x5c0
[ 43.149953]        recv_work+0x1e9/0x1100
[ 43.154080]        process_one_work+0x864/0x1570
[ 43.158814]        worker_thread+0x64c/0x1130
[ 43.163293]        kthread+0x33f/0x460
[ 43.167175]        ret_from_fork+0x24/0x30
[ 43.171381]
[ 43.171381] -> #1 ((work_completion)(&args->work)){+.+.}:
[ 43.178383]        worker_thread+0x64c/0x1130
[ 43.182861]        kthread+0x33f/0x460
[ 43.186727]        ret_from_fork+0x24/0x30
[ 43.190941]
[ 43.190941] -> #0 ((wq_completion)"knbd%d-recv"nbd->index){+.+.}:
[ 43.198641]        flush_workqueue+0x117/0x13e0
[ 43.203289]        drain_workqueue+0x1a5/0x460
[ 43.207855]        destroy_workqueue+0x75/0x790
[ 43.212502]        nbd_config_put+0x3c5/0x870
[ 43.216979]        nbd_release+0xf4/0x170
[ 43.221105]        __blkdev_put+0x636/0x870
[ 43.225407]        blkdev_close+0x86/0xb0
[ 43.229538]        __fput+0x2ce/0x890
[ 43.233324]        task_work_run+0x148/0x1c0
[ 43.237717]        do_exit+0xbf3/0x2be0
[ 43.241672]        do_group_exit+0x125/0x310
[ 43.246058]        get_signal+0x3f2/0x1f70
[ 43.250270]        do_signal+0x8f/0x1670
[ 43.254318]        exit_to_usermode_loop+0x204/0x2a0
[ 43.259400]        do_syscall_64+0x538/0x620
[ 43.263877]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 43.269564]
[ 43.269564] other info that might help us debug this:
[ 43.269564]
[ 43.277684] Chain exists of:
[ 43.277684]   (wq_completion)"knbd%d-recv"nbd->index --> nbd_index_mutex --> &nbd->config_lock
[ 43.277684]
[ 43.290942]  Possible unsafe locking scenario:
[ 43.290942]
[ 43.297071]        CPU0                    CPU1
[ 43.301717]        ----                    ----
[ 43.306361]   lock(&nbd->config_lock);
[ 43.310230]                                lock(nbd_index_mutex);
[ 43.316437]                                lock(&nbd->config_lock);
[ 43.322817]   lock((wq_completion)"knbd%d-recv"nbd->index);
[ 43.328503]
[ 43.328503]  *** DEADLOCK ***
[ 43.328503]
[ 43.334541] 2 locks held by syz-executor228/8129:
[ 43.339356]  #0: 000000001d3ce4bb (&bdev->bd_mutex){+.+.}, at: __blkdev_put+0xfc/0x870
[ 43.347401]  #1: 000000003a5537cb (&nbd->config_lock){+.+.}, at: refcount_dec_and_mutex_lock+0x4a/0x80
[ 43.356836]
[ 43.356836] stack backtrace:
[ 43.361315] CPU: 1 PID: 8129 Comm: syz-executor228 Not tainted 4.19.211-syzkaller #0
[ 43.369171] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 43.378499] Call Trace:
[ 43.381071]  dump_stack+0x1fc/0x2ef
[ 43.384686]  print_circular_bug.constprop.0.cold+0x2d7/0x41e
[ 43.390464]  __lock_acquire+0x30c9/0x3ff0
[ 43.394602]  ? lock_acquire+0x170/0x3c0
[ 43.398557]  ? mark_held_locks+0xf0/0xf0
[ 43.402605]  ? mark_held_locks+0xf0/0xf0
[ 43.406646]  ? depot_save_stack+0x1e0/0x410
[ 43.410957]  ? trace_hardirqs_off+0x64/0x200
[ 43.415537]  lock_acquire+0x170/0x3c0
[ 43.419323]  ? flush_workqueue+0xe8/0x13e0
[ 43.423544]  flush_workqueue+0x117/0x13e0
[ 43.427673]  ? flush_workqueue+0xe8/0x13e0
[ 43.431889]  ? get_signal+0x3f2/0x1f70
[ 43.435761]  ? lock_downgrade+0x720/0x720
[ 43.439890]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 43.445235]  ? drain_workqueue+0x24/0x460
[ 43.449380]  ? check_flush_dependency+0x400/0x400
[ 43.454222]  ? trace_hardirqs_off+0x64/0x200
[ 43.458616]  drain_workqueue+0x1a5/0x460
[ 43.462669]  destroy_workqueue+0x75/0x790
[ 43.466806]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 43.471376]  nbd_config_put+0x3c5/0x870
[ 43.475341]  nbd_release+0xf4/0x170
[ 43.478965]  ? nbd_queue_rq+0xe60/0xe60
[ 43.482924]  __blkdev_put+0x636/0x870
[ 43.486710]  ? fsync_bdev+0xc0/0xc0
[ 43.490319]  ? locks_remove_file+0x2cd/0x450
[ 43.494709]  ? blkdev_put+0x85/0x520
[ 43.498400]  ? blkdev_put+0x520/0x520
[ 43.502181]  blkdev_close+0x86/0xb0
[ 43.505790]  __fput+0x2ce/0x890
[ 43.509054]  task_work_run+0x148/0x1c0
[ 43.512933]  do_exit+0xbf3/0x2be0
[ 43.516370]  ? mm_update_next_owner+0x650/0x650
[ 43.521020]  ? get_signal+0x388/0x1f70
[ 43.524890]  ? lock_downgrade+0x720/0x720
[ 43.529018]  ? lock_acquire+0x170/0x3c0
[ 43.532974]  do_group_exit+0x125/0x310
[ 43.536847]  get_signal+0x3f2/0x1f70
[ 43.540548]  do_signal+0x8f/0x1670
[ 43.544071]  ? block_ioctl+0xe9/0x130
[ 43.547853]  ? blkdev_fallocate+0x3f0/0x3f0
[ 43.552156]  ? do_vfs_ioctl+0x110/0x12e0
[ 43.556198]  ? setup_sigcontext+0x820/0x820
[ 43.560506]  ? lock_downgrade+0x720/0x720
[ 43.564641]  ? ioctl_preallocate+0x200/0x200
[ 43.569035]  ? check_preemption_disabled+0x41/0x280
[ 43.574031]  ? __fd_install+0x1eb/0x610
[ 43.577992]  ? __sys_socketpair+0x3ee/0x570
[ 43.582295]  ? __ia32_sys_socket+0xb0/0xb0
[ 43.586508]  ? filp_open+0x70/0x70
[ 43.590029]  ? exit_to_usermode_loop+0x36/0x2a0
[ 43.594678]  exit_to_usermode_loop+0x204/0x2a0
[ 43.599240]  do_syscall_64+0x538/0x620
[ 43.603125]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 43.608295] RIP: 0033:0x7f64923ffc99
[ 43.611989] Code: Bad RIP value.
[ 43.615330] RSP: 002b:00007fffe684ab58 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 43.623101] RAX: fffffffffffffe00 RBX: 0000000000000000 RCX: 00007f64923ffc99
[ 43.630436] RDX: 0000000000000000 RSI: 000000000000ab03 RDI: 0000000000000004
[ 43.637683] RBP: 0000000000000000 R08: 00007fffe684ab80 R09: 00007fffe684ab80
[ 43.645120] R10: 00007fffe684ab80 R11: 0000000000000246 R12: 00007f64923beab0
[ 43.652370] R13: 00007fffe684abb0 R14: 00007fffe684ab90 R15: 0000000000000000
executing program
executing program
executing program
executing program
[ 44.140102] BTRFS warning (device ): duplicate device /dev/loop3 devid 1 generation 8 scanned by syz-executor228 (8670)
[ 44.160747] btrfs_printk: 26 callbacks suppressed
[ 44.160757] BTRFS info (device loop1): enabling inode map caching
[ 44.188475] BTRFS warning (device ): duplicate device /dev/loop3 devid 1 generation 8 scanned by systemd-udevd (8680)
[ 44.203419] BTRFS info (device loop1): force clearing of disk cache
[ 44.209993] BTRFS warning (device ): duplicate device /dev/loop4 devid 1 generation 8 scanned by syz-executor228 (8686)
[ 44.236235] BTRFS info (device loop1): disabling free space tree
[ 44.245226] BTRFS info (device loop1): setting 8 feature flag
[ 44.252840] BTRFS info (device loop1): use lzo compression, level 0
[ 44.266889] BTRFS info (device loop1): has skinny extents
[ 44.287553] BTRFS warning (device ): duplicate device /dev/loop0 devid 1 generation 8 scanned by syz-executor228 (8682)
[ 44.313737] BTRFS warning (device ): duplicate device /dev/loop0 devid 1 generation 8 scanned by systemd-udevd (8677)
[ 44.348165] BTRFS warning (device ): duplicate device /dev/loop4 devid 1 generation 8 scanned by systemd-udevd (8692)
[ 44.396901] BTRFS warning (device ): duplicate device /dev/loop5 devid 1 generation 8 scanned by systemd-udevd (8708)
[ 44.421802] BTRFS warning (device ): duplicate device /dev/loop2 devid 1 generation 8 scanned by syz-executor228 (8685)
[ 44.452394] BTRFS warning (device ): duplicate device /dev/loop2 devid 1 generation 8 scanned by systemd-udevd (8699)
[ 44.485825] BTRFS warning (device ): duplicate device /dev/loop5 devid 1 generation 8 scanned by syz-executor228 (8684)
[ 44.566832] BTRFS info (device loop1): clearing free space tree
[ 44.577409] BTRFS info (device loop1): clearing 1 ro feature flag
[ 44.630190] BTRFS info (device loop1): clearing 2 ro feature flag
executing program
[ 44.980982] BTRFS info (device loop1): enabling inode map caching
[ 44.987250] BTRFS info (device loop1): force clearing of disk cache
[ 44.994628] BTRFS info (device loop1): disabling free space tree
[ 45.001434] BTRFS info (device loop1): setting 8 feature flag
[ 45.007343] BTRFS info (device loop1): use lzo compression, level 0
[ 45.014723] BTRFS info (device loop1): has skinny extents
[ 45.027111] BTRFS info (device loop1): clearing free space tree
[ 45.034624] BTRFS info (device loop1): clearing 1 ro feature flag
[ 45.041413] BTRFS info (device loop1): clearing 2 ro feature flag
executing program
[ 45.208017] BTRFS info (device loop1): enabling inode map caching
[ 45.214341] BTRFS info (device loop1): force clearing of disk cache
[ 45.221701] BTRFS info (device loop1): disabling free space tree
[ 45.231262] BTRFS info (device loop1): setting 8 feature flag
[ 45.237226] BTRFS info (device loop1): use lzo compression, level 0
[ 45.243918] BTRFS info (device loop1): has skinny extents
[ 45.257565] BTRFS info (device loop1): clearing free space tree
[ 45.264010] BTRFS info (device loop1): clearing 1 ro feature flag
[ 45.270284] BTRFS info (device loop1): clearing 2 ro feature flag
executing program
[ 45.442708] BTRFS info (device loop1): enabling inode map caching
[ 45.449853] BTRFS info (device loop1): force clearing of disk cache
[ 45.456582] BTRFS info (device loop1): disabling free space tree
[ 45.463012] BTRFS info (device loop1): setting 8 feature flag
[ 45.469052] BTRFS info (device loop1): use lzo compression, level 0
[ 45.475610] BTRFS info (device loop1): has skinny extents
[ 45.489031] BTRFS info (device loop1): clearing free space tree
[ 45.495884] BTRFS info (device loop1): clearing 1 ro feature flag
[ 45.502145] BTRFS info (device loop1): clearing 2 ro feature flag
executing program
[ 45.674215] BTRFS info (device loop1): enabling inode map caching
[ 45.680595] BTRFS info (device loop1): force clearing of disk cache
[ 45.687082] BTRFS info (device loop1): disabling free space tree
[ 45.694310] BTRFS info (device loop1): setting 8 feature flag
[ 45.705459] BTRFS info (device loop1): use lzo compression, level 0
[ 45.711903] BTRFS info (device loop1): has skinny extents
executing program
[ 45.725217] BTRFS info (device loop1): clearing free space tree
[ 45.731622] BTRFS info (device loop1): clearing 1 ro feature flag
[ 45.737922] BTRFS info (device loop1): clearing 2 ro feature flag
[ 45.867343] BTRFS info (device loop1): enabling inode map caching
[ 45.873816] BTRFS info (device loop1): force clearing of disk cache
[ 45.880412] BTRFS info (device loop1): disabling free space tree
[ 45.886647] BTRFS info (device loop1): setting 8 feature flag
[ 45.892582] BTRFS info (device loop1): use lzo compression, level 0
[ 45.898982] BTRFS info (device loop1): has skinny extents
[ 45.914711] BTRFS info (device loop1): clearing free space tree
[ 45.921254] BTRFS info (device loop1): clearing 1 ro feature flag
[ 45.927468] BTRFS info (device loop1): clearing 2 ro feature flag
executing program
[ 46.082835] BTRFS info (device loop1): enabling inode map caching
[ 46.089759] BTRFS info (device loop1): force clearing of disk cache
[ 46.096935] BTRFS info (device loop1): disabling free space tree
[ 46.103917] BTRFS info (device loop1): setting 8 feature flag
[ 46.109847] BTRFS info (device loop1): use lzo compression, level 0
[ 46.117082] BTRFS info (device loop1): has skinny extents
[ 46.131019] BTRFS info (device loop1): clearing free space tree
[ 46.137134] BTRFS info (device loop1): clearing 1 ro feature flag
[ 46.144179] BTRFS info (device loop1): clearing 2 ro feature flag
executing program
[ 46.311277] BTRFS info (device loop1): enabling inode map caching
[ 46.318696] BTRFS info (device loop1): force clearing of disk cache
[ 46.326052] BTRFS info (device loop1): disabling free space tree
[ 46.332759] BTRFS info (device loop1): setting 8 feature flag
[ 46.343932] BTRFS info (device loop1): use lzo compression, level 0
[ 46.350517] BTRFS info (device loop1): has skinny extents
[ 46.363657] BTRFS info (device loop1): clearing free space tree
[ 46.369761] BTRFS info (device loop1): clearing 1 ro feature flag
[ 46.376261] BTRFS info (device loop1): clearing 2 ro feature flag
executing program
[ 46.530265] BTRFS info (device loop1): enabling inode map caching
[ 46.536526] BTRFS info (device loop1): force clearing of disk cache
[ 46.543241] BTRFS info (device loop1): disabling free space tree
[ 46.549402] BTRFS info (device loop1): setting 8 feature flag
[ 46.555547] BTRFS info (device loop1): use lzo compression, level 0
[ 46.562032] BTRFS info (device loop1): has skinny extents
executing program
[ 46.576170] BTRFS info (device loop1): clearing free space tree
[ 46.582316] BTRFS info (device loop1): clearing 1 ro feature flag
[ 46.588572] BTRFS info (device loop1): clearing 2 ro feature flag
[ 46.719240] BTRFS info (device loop1): enabling inode map caching
[ 46.726511] BTRFS info (device loop1): force clearing of disk cache
[ 46.733860] BTRFS info (device loop1): disabling free space tree
[ 46.740527] BTRFS info (device loop1): setting 8 feature flag
[ 46.752368] BTRFS info (device loop1): use lzo compression, level 0
[ 46.758766] BTRFS info (device loop1): has skinny extents
executing program
[ 46.773461] BTRFS info (device loop1): clearing free space tree
[ 46.779566] BTRFS info (device loop1): clearing 1 ro feature flag
[ 46.785882] BTRFS info (device loop1): clearing 2 ro feature flag
[ 46.901631] BTRFS info (device loop1): enabling inode map caching
[ 46.907891] BTRFS info (device loop1): force clearing of disk cache
[ 46.914393] BTRFS info (device loop1): disabling free space tree
[ 46.920649] BTRFS info (device loop1): setting 8 feature flag
[ 46.926523] BTRFS info (device loop1): use lzo compression, level 0
[ 46.932956] BTRFS info (device loop1): has skinny extents
executing program
[ 46.947671] BTRFS info (device loop1): clearing free space tree
[ 46.954030] BTRFS info (device loop1): clearing 1 ro feature flag
[ 46.960937] BTRFS info (device loop1): clearing 2 ro feature flag
[ 47.091136] BTRFS info (device loop1): enabling inode map caching
executing program
executing program
executing program
[ 47.508186] block nbd3: shutting down sockets
executing program
executing program
executing program
executing program
[ 48.279092] ==================================================================
[ 48.286464] BUG: KASAN: use-after-free in btrfs_search_slot+0x1cca/0x1ee0
[ 48.293397] Read of size 8 at addr ffff8880abe0c770 by task btrfs-ino-cache/9337
[ 48.300903]
[ 48.302514] CPU: 0 PID: 9337 Comm: btrfs-ino-cache Not tainted 4.19.211-syzkaller #0
[ 48.310369] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 48.319698] Call Trace:
[ 48.322268]  dump_stack+0x1fc/0x2ef
[ 48.325877]  print_address_description.cold+0x54/0x219
[ 48.331134]  kasan_report_error.cold+0x8a/0x1b9
[ 48.335789]  ? btrfs_search_slot+0x1cca/0x1ee0
[ 48.340359]  __asan_report_load8_noabort+0x88/0x90
[ 48.345267]  ? btrfs_search_slot+0x1cca/0x1ee0
[ 48.349825]  btrfs_search_slot+0x1cca/0x1ee0
[ 48.354221]  ? split_leaf+0x1240/0x1240
[ 48.358189]  ? lock_acquire+0x170/0x3c0
[ 48.362143]  ? caching_kthread+0x25d/0x970
[ 48.366363]  caching_kthread+0x275/0x970
[ 48.370403]  ? finish_task_switch+0x531/0x760
[ 48.374878]  ? btrfs_unpin_free_ino+0x360/0x360
[ 48.379524]  ? lock_acquire+0x170/0x3c0
[ 48.383492]  ? trace_hardirqs_on+0x55/0x210
[ 48.387800]  ? _raw_spin_unlock_irqrestore+0x66/0xe0
[ 48.392884]  ? __kthread_parkme+0x133/0x1e0
[ 48.397303]  ? btrfs_unpin_free_ino+0x360/0x360
[ 48.401963]  kthread+0x33f/0x460
[ 48.405317]  ? kthread_park+0x180/0x180
[ 48.409273]  ? kthread_park+0x180/0x180
[ 48.413228]  ret_from_fork+0x24/0x30
[ 48.416919]
[ 48.418521] Allocated by task 9306:
[ 48.422131]  kmem_cache_alloc_trace+0x12f/0x380
[ 48.426778]  btrfs_read_tree_root+0x94/0x560
[ 48.431161]  btrfs_get_fs_root+0x239/0x890
[ 48.435373]  open_ctree+0x469c/0x61e0
[ 48.439153]  btrfs_mount_root+0x12e5/0x1830
[ 48.443461]  mount_fs+0xa3/0x310
[ 48.446834]  vfs_kern_mount.part.0+0x68/0x470
[ 48.451314]  vfs_kern_mount+0x3c/0x60
[ 48.455091]  btrfs_mount+0x23a/0xaa0
[ 48.458782]  mount_fs+0xa3/0x310
[ 48.462128]  vfs_kern_mount.part.0+0x68/0x470
[ 48.466603]  do_mount+0x115c/0x2f50
[ 48.470208]  ksys_mount+0xcf/0x130
[ 48.473731]  __x64_sys_mount+0xba/0x150
[ 48.477685]  do_syscall_64+0xf9/0x620
[ 48.481473]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 48.486642]
[ 48.488245] Freed by task 8123:
[ 48.491502]  kfree+0xcc/0x210
[ 48.494587]  btrfs_free_fs_root+0x1e6/0x260
[ 48.498884]  btrfs_free_fs_roots+0x2ef/0x4d0
[ 48.503266]  close_ctree+0x306/0x850
[ 48.506959]  generic_shutdown_super+0x144/0x370
[ 48.511608]  kill_anon_super+0x36/0x60
[ 48.515475]  btrfs_kill_super+0x49/0x550
[ 48.519514]  deactivate_locked_super+0x94/0x160
[ 48.524168]  deactivate_super+0x174/0x1a0
[ 48.528289]  cleanup_mnt+0x1a8/0x290
[ 48.531980]  task_work_run+0x148/0x1c0
[ 48.535848]  exit_to_usermode_loop+0x251/0x2a0
[ 48.540402]  do_syscall_64+0x538/0x620
[ 48.544266]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 48.549429]
[ 48.551041] The buggy address belongs to the object at ffff8880abe0c580
[ 48.551041]  which belongs to the cache kmalloc-4096 of size 4096
[ 48.563846] The buggy address is located 496 bytes inside of
[ 48.563846]  4096-byte region [ffff8880abe0c580, ffff8880abe0d580)
[ 48.575782] The buggy address belongs to the page:
[ 48.580707] page:ffffea0002af8300 count:1 mapcount:0 mapping:ffff88813bff0dc0 index:0x0 compound_mapcount: 0
[ 48.590650] flags: 0xfff00000008100(slab|head)
[ 48.595209] raw: 00fff00000008100 ffffea000251f888 ffffea000254dd08 ffff88813bff0dc0
[ 48.603066] raw: 0000000000000000 ffff8880abe0c580 0000000100000001 0000000000000000
[ 48.610919] page dumped because: kasan: bad access detected
[ 48.616602]
[ 48.618204] Memory state around the buggy address:
[ 48.623105]  ffff8880abe0c600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.630436]  ffff8880abe0c680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.637772] >ffff8880abe0c700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.645103]                                                              ^
[ 48.652091]  ffff8880abe0c780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.659433]  ffff8880abe0c800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.666769] ==================================================================
[ 48.679438] Kernel panic - not syncing: panic_on_warn set ...
[ 48.679438]
[ 48.686815] CPU: 1 PID: 9337 Comm: btrfs-ino-cache Tainted: G B 4.19.211-syzkaller #0
[ 48.696084] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 48.705426] Call Trace:
[ 48.707997]  dump_stack+0x1fc/0x2ef
[ 48.711604]  panic+0x26a/0x50e
[ 48.714772]  ? __warn_printk+0xf3/0xf3
[ 48.718638]  ? preempt_schedule_common+0x45/0xc0
[ 48.723369]  ? ___preempt_schedule+0x16/0x18
[ 48.727755]  ? trace_hardirqs_on+0x55/0x210
[ 48.732054]  kasan_end_report+0x43/0x49
[ 48.736011]  kasan_report_error.cold+0xa7/0x1b9
[ 48.740664]  ? btrfs_search_slot+0x1cca/0x1ee0
[ 48.745230]  __asan_report_load8_noabort+0x88/0x90
[ 48.750223]  ? btrfs_search_slot+0x1cca/0x1ee0
[ 48.754786]  btrfs_search_slot+0x1cca/0x1ee0
[ 48.759175]  ? split_leaf+0x1240/0x1240
[ 48.763128]  ? lock_acquire+0x170/0x3c0
[ 48.767077]  ? caching_kthread+0x25d/0x970
[ 48.771299]  caching_kthread+0x275/0x970
[ 48.775347]  ? finish_task_switch+0x531/0x760
[ 48.779821]  ? btrfs_unpin_free_ino+0x360/0x360
[ 48.781299] block nbd0: shutting down sockets
[ 48.784477]  ? lock_acquire+0x170/0x3c0
[ 48.784493]  ? trace_hardirqs_on+0x55/0x210
[ 48.784509]  ? _raw_spin_unlock_irqrestore+0x66/0xe0
[ 48.802323]  ? __kthread_parkme+0x133/0x1e0
[ 48.806639]  ? btrfs_unpin_free_ino+0x360/0x360
[ 48.811307]  kthread+0x33f/0x460
[ 48.814667]  ? kthread_park+0x180/0x180
[ 48.818632]  ? kthread_park+0x180/0x180
[ 48.822617]  ret_from_fork+0x24/0x30
[ 48.826379] Kernel Offset: disabled
[ 48.829986] Rebooting in 86400 seconds..