bcachefs (loop2): Doing compatible version upgrade from 1.7: mi_btree_bitmap to 1.25: extent_flags
  running recovery passes: check_allocations,check_extents_to_backpointers,check_inodes
==================================================================
BUG: KASAN: slab-use-after-free in poly1305_update_arch+0x2a0/0x3f0 arch/arm64/crypto/poly1305-glue.c:165
Read of size 8 at addr ffff0000f935e110 by task syz.2.324/8671

CPU: 1 UID: 0 PID: 8671 Comm: syz.2.324 Not tainted 6.15.0-rc7-syzkaller-gd7fa1af5b33e #0 PREEMPT
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call trace:
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C)
 __dump_stack+0x30/0x40 lib/dump_stack.c:94
 dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
 print_address_description+0xa8/0x254 mm/kasan/report.c:408
 print_report+0x68/0x84 mm/kasan/report.c:521
 kasan_report+0xb0/0x110 mm/kasan/report.c:634
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:189
 __asan_memcpy+0x3c/0x84 mm/kasan/shadow.c:105
 poly1305_update_arch+0x2a0/0x3f0 arch/arm64/crypto/poly1305-glue.c:165
 poly1305_update include/crypto/poly1305.h:83 [inline]
 bch2_checksum+0x1d4/0x4ac fs/bcachefs/checksum.c:157
 bch2_btree_node_read_done+0xd20/0x4328 fs/bcachefs/btree_io.c:1133
 btree_node_read_work+0x414/0xc68 fs/bcachefs/btree_io.c:1367
 bch2_btree_node_read+0x1c88/0x2290 fs/bcachefs/btree_io.c:-1
 __bch2_btree_root_read fs/bcachefs/btree_io.c:1801 [inline]
 bch2_btree_root_read+0x274/0x3b0 fs/bcachefs/btree_io.c:1823
 read_btree_roots+0x220/0x6c0 fs/bcachefs/recovery.c:582
 bch2_fs_recovery+0x1a60/0x2d30 fs/bcachefs/recovery.c:929
 bch2_fs_start+0x5b0/0x908 fs/bcachefs/super.c:1096
 bch2_fs_get_tree+0x834/0xf30 fs/bcachefs/fs.c:2507
 vfs_get_tree+0x90/0x28c fs/super.c:1759
 do_new_mount+0x228/0x814 fs/namespace.c:3881
 path_mount+0x5b4/0xde0 fs/namespace.c:4208
 do_mount fs/namespace.c:4221 [inline]
 __do_sys_mount fs/namespace.c:4432 [inline]
 __se_sys_mount fs/namespace.c:4409 [inline]
 __arm64_sys_mount+0x3e8/0x468 fs/namespace.c:4409
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767
 el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600

Allocated by task 8516:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:68
 kasan_save_alloc_info+0x44/0x54 mm/kasan/generic.c:562
 unpoison_slab_object mm/kasan/common.c:319 [inline]
 __kasan_slab_alloc+0x70/0x88 mm/kasan/common.c:345
 kasan_slab_alloc include/linux/kasan.h:250 [inline]
 slab_post_alloc_hook mm/slub.c:4147 [inline]
 slab_alloc_node mm/slub.c:4196 [inline]
 kmem_cache_alloc_lru_noprof+0x23c/0x3ec mm/slub.c:4215
 debugfs_alloc_inode+0x2c/0x3c fs/debugfs/inode.c:222
 alloc_inode+0x68/0x19c fs/inode.c:346
 new_inode+0x2c/0x130 fs/inode.c:1145
 debugfs_get_inode fs/debugfs/inode.c:72 [inline]
 __debugfs_create_file+0x138/0x430 fs/debugfs/inode.c:447
 debugfs_create_file_full+0x58/0x70 fs/debugfs/inode.c:474
 bch2_fs_debug_btree_init fs/bcachefs/debug.c:918 [inline]
 bch2_fs_debug_init+0x378/0x414 fs/bcachefs/debug.c:964
 bch2_fs_online+0x224/0x52c fs/bcachefs/super.c:707
 bch2_fs_alloc fs/bcachefs/super.c:973 [inline]
 bch2_fs_open+0x22ac/0x22e8 fs/bcachefs/super.c:2210
 bch2_fs_get_tree+0x384/0xf30 fs/bcachefs/fs.c:2491
 vfs_get_tree+0x90/0x28c fs/super.c:1759
 do_new_mount+0x228/0x814 fs/namespace.c:3881
 path_mount+0x5b4/0xde0 fs/namespace.c:4208
 do_mount fs/namespace.c:4221 [inline]
 __do_sys_mount fs/namespace.c:4432 [inline]
 __se_sys_mount fs/namespace.c:4409 [inline]
 __arm64_sys_mount+0x3e8/0x468 fs/namespace.c:4409
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767
 el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600

Freed by task 15:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:68
 kasan_save_free_info+0x58/0x70 mm/kasan/generic.c:576
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x68/0x88 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2380 [inline]
 slab_free mm/slub.c:4642 [inline]
 kmem_cache_free+0x184/0x550 mm/slub.c:4744
 debugfs_free_inode+0x88/0xb8 fs/debugfs/inode.c:232
 i_callback+0x50/0x78 fs/inode.c:325
 rcu_do_batch kernel/rcu/tree.c:2568 [inline]
 rcu_core+0x848/0x17a4 kernel/rcu/tree.c:2824
 rcu_core_si+0x10/0x1c kernel/rcu/tree.c:2841
 handle_softirqs+0x328/0xc88 kernel/softirq.c:579
 run_ksoftirqd+0x70/0xc0 kernel/softirq.c:968
 smpboot_thread_fn+0x4d8/0x9cc kernel/smpboot.c:164
 kthread+0x5fc/0x75c kernel/kthread.c:464
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:847

Last potentially related work creation:
 kasan_save_stack+0x40/0x6c mm/kasan/common.c:47
 kasan_record_aux_stack+0xb0/0xc8 mm/kasan/generic.c:548
 __call_rcu_common kernel/rcu/tree.c:3082 [inline]
 call_rcu+0xfc/0x96c kernel/rcu/tree.c:3202
 destroy_inode fs/inode.c:401 [inline]
 evict+0x754/0x928 fs/inode.c:834
 iput_final fs/inode.c:1898 [inline]
 iput+0x6e4/0x83c fs/inode.c:1924
 dentry_unlink_inode+0x384/0x45c fs/dcache.c:457
 __dentry_kill+0x170/0x594 fs/dcache.c:660
 dput+0x1b8/0x290 fs/dcache.c:902
 find_next_child fs/libfs.c:603 [inline]
 simple_recursive_removal+0x240/0x718 fs/libfs.c:618
 debugfs_remove+0x60/0x88 fs/debugfs/inode.c:805
 bch2_fs_debug_exit+0x58/0x70 fs/bcachefs/debug.c:905
 __bch2_fs_stop+0x270/0x564 fs/bcachefs/super.c:637
 bch2_put_super+0x40/0x50 fs/bcachefs/fs.c:2384
 generic_shutdown_super+0x12c/0x2b8 fs/super.c:642
 bch2_kill_sb+0x40/0x58 fs/bcachefs/fs.c:2622
 deactivate_locked_super+0xc4/0x12c fs/super.c:473
 deactivate_super+0xe0/0x100 fs/super.c:506
 cleanup_mnt+0x31c/0x3ac fs/namespace.c:1431
 __cleanup_mnt+0x20/0x30 fs/namespace.c:1438
 task_work_run+0x1dc/0x260 kernel/task_work.c:227
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 do_notify_resume+0x16c/0x1ec arch/arm64/kernel/entry-common.c:151
 exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:169 [inline]
 exit_to_user_mode arch/arm64/kernel/entry-common.c:178 [inline]
 el0_svc+0xb4/0x17c arch/arm64/kernel/entry-common.c:768
 el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600

The buggy address belongs to the object at ffff0000f935de90
 which belongs to the cache debugfs_inode_cache of size 1176
The buggy address is located 640 bytes inside of
 freed 1176-byte region [ffff0000f935de90, ffff0000f935e328)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x13935c
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff0000d675d701
flags: 0x5ffc00000000040(head|node=0|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 05ffc00000000040 ffff0000c1dd4640 dead000000000122 0000000000000000
raw: 0000000000000000 00000000000c000c 00000000f5000000 ffff0000d675d701
head: 05ffc00000000040 ffff0000c1dd4640 dead000000000122 0000000000000000
head: 0000000000000000 00000000000c000c 00000000f5000000 ffff0000d675d701
head: 05ffc00000000002 fffffdffc3e4d701 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000f935e000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff0000f935e080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff0000f935e100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                         ^
 ffff0000f935e180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff0000f935e200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
bcachefs (loop2): bcachefs (loop2): error validating btree node on loop2 at btree alloc level 0/0
  u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq 1818ce08861e3527 written 40 min_key POS_MIN durability: 1 ptr: 0:26:0 gen 0
  node offset 16/40 bset u64s 63518: checksum error, type chacha20_poly1305_128: got c8cf0c16b7adf45e78d5353c0ccae458 should be d4669159f868458f2b4c55fc2a69f1aa, shutting down
error not marked as autofix and not in fsck
run fsck, and forward to devs so error can be marked for self-healing
inconsistency detected - emergency read only at journal seq 13
bcachefs (loop2): flagging btree alloc lost data
bcachefs (loop2): running explicit recovery pass check_topology (2), currently at recovery_pass_empty (0)
bcachefs (loop2): running explicit recovery pass check_lrus (14), currently at recovery_pass_empty (0)
bcachefs (loop2): running explicit recovery pass check_backpointers_to_extents (16), currently at recovery_pass_empty (0)
bcachefs (loop2): running explicit recovery pass check_alloc_info (13), currently at recovery_pass_empty (0)
bcachefs (loop2): error reading btree root btree=alloc level=0: btree_node_read_error, fixing
bcachefs (loop2): check_topology... done
bcachefs (loop2): accounting_read... done
bcachefs (loop2): alloc_read... done
bcachefs (loop2): snapshots_read... done
bcachefs (loop2): check_allocations...
bcachefs (loop2): bucket 0:34 data type user ptr gen 0 missing in alloc btree
  while marking u64s 8 type extent 4099:8:U32_MAX len 8 ver 1: durability: 1 crc: c_size 8 size 8 offset 0 nonce 0 csum chacha20_poly1305_80 e371:ac69b75b10c57971 compress incompressible ptr: 0:34:0 gen 0, fixing
bcachefs (loop2): bucket 0:27 data type btree ptr gen 0 missing in alloc btree
  while marking u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq 4e0410879b0c2f04 written 16 min_key POS_MIN durability: 1 ptr: 0:27:0 gen 0, fixing
bcachefs (loop2): btree ptr not marked in member info btree allocated bitmap
  u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq 2a20405ac3f40602 written 24 min_key POS_MIN durability: 1 ptr: 0:38:0 gen 0, fixing
bcachefs (loop2): bucket 0:38 data type btree ptr gen 0 missing in alloc btree
  while marking u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq 2a20405ac3f40602 written 24 min_key POS_MIN durability: 1 ptr: 0:38:0 gen 0, fixing
bcachefs (loop2): btree ptr not marked in member info btree allocated bitmap
  u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq 267fcf747c875937 written 24 min_key POS_MIN durability: 1 ptr: 0:41:0 gen 0, fixing
bcachefs (loop2): bucket 0:41 data type btree ptr gen 0 missing in alloc btree
  while marking u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq 267fcf747c875937 written 24 min_key POS_MIN durability: 1 ptr: 0:41:0 gen 0, fixing
bcachefs (loop2): bucket 0:31 data type btree ptr gen 0 missing in alloc btree
  while marking u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq 1b881868e2a6abe1 written 16 min_key POS_MIN durability: 1 ptr: 0:31:0 gen 0, fixing
bcachefs (loop2): btree ptr not marked in member info btree allocated bitmap
  u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq d682cebdf2a7eb26 written 16 min_key POS_MIN durability: 1 ptr: 0:35:0 gen 0, fixing
bcachefs (loop2): bucket 0:35 data type btree ptr gen 0 missing in alloc btree
  while marking u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq d682cebdf2a7eb26 written 16 min_key POS_MIN durability: 1 ptr: 0:35:0 gen 0, fixing
bcachefs (loop2): btree ptr not marked in member info btree allocated bitmap
  u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq d771a06d670df06c written 16 min_key POS_MIN durability: 1 ptr: 0:32:0 gen 0, fixing
bcachefs (loop2): bucket 0:32 data type btree ptr gen 0 missing in alloc btree
  while marking u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq d771a06d670df06c written 16 min_key POS_MIN durability: 1 ptr: 0:32:0 gen 0, fixing
bcachefs (loop2): bucket 0:28 data type btree ptr gen 0 missing in alloc btree
  while marking u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq 93dda84068e88b3f written 16 min_key POS_MIN durability: 1 ptr: 0:28:0 gen 0, fixing
bcachefs (loop2): btree ptr not marked in member info btree allocated bitmap
  u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq b6c44d07df4e9bb7 written 48 min_key POS_MIN durability: 1 ptr: 0:29:0 gen 0, fixing
bcachefs (loop2): bucket 0:29 data type btree ptr gen 0 missing in alloc btree
  while marking u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq b6c44d07df4e9bb7 written 48 min_key POS_MIN durability: 1 ptr: 0:29:0 gen 0, fixing
bcachefs (loop2): bucket 0:36 data type btree ptr gen 0 missing in alloc btree
  while marking u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq 3b468546fb27822d written 24 min_key POS_MIN durability: 1 ptr: 0:36:0 gen 0, fixing
bcachefs (loop2): bucket 0:40 data type btree ptr gen 0 missing in alloc btree
  while marking u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq 82036bda63714c10 written 8 min_key POS_MIN durability: 1 ptr: 0:40:0 gen 0, fixing
Ratelimiting new instances of previous error
done
bcachefs (loop2): going read-write
bcachefs (loop2): journal_replay...
bcachefs (loop2): bch2_journal_replay(): error journal_shutdown
bcachefs (loop2): bch2_fs_recovery(): error journal_shutdown
bcachefs (loop2): bch2_fs_start(): error starting filesystem journal_shutdown
bcachefs (loop2): shutting down
bcachefs (loop2): going read-only
bcachefs (loop2): flushing journal and stopping allocators, journal seq 13
bcachefs (loop2): flushing journal and stopping allocators complete, journal seq 13
bcachefs (loop2): unclean shutdown complete, journal seq 13
bcachefs (loop2): finished waiting for writes to stop
bcachefs (loop2): done going read-only, filesystem not clean
bcachefs (loop2): shutdown complete
bcachefs: bch2_fs_get_tree() error: journal_shutdown