el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
el0_svc+0x58/0x180 arch/arm64/kernel/entry-common.c:879
el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:898
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596
------------[ cut here ]------------
kernel BUG at fs/btrfs/extent-io-tree.c:572!
Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
Modules linked in:
CPU: 0 UID: 0 PID: 7165 Comm: syz.3.84 Not tainted 6.16.0-rc7-syzkaller-g82af5ea7c611 #0 PREEMPT
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : clear_state_bit+0x38c/0x390 fs/btrfs/extent-io-tree.c:572
lr : clear_state_bit+0x38c/0x390 fs/btrfs/extent-io-tree.c:572
sp : ffff8000a41161a0
x29: ffff8000a41161a0 x28: ffff0000f622e888 x27: 0000000000000000
x26: dfff800000000000 x25: 0000000000000800 x24: 0000000000000fff
x23: 00000000fffffff4 x22: 0000000000000000 x21: 0000000000000fff
x20: ffff0000f622e888 x19: ffff0000fb5c8e40 x18: 00000000ffffffff
x17: ffff800093376000 x16: ffff80008af01c68 x15: 0000000000000001
x14: 1ffff00011f2f56a x13: 0000000000000000 x12: 0000000000000000
x11: ffff700011f2f56b x10: 0000000000ff0100 x9 : 0000000000000000
x8 : ffff0000d1f98000 x7 : ffff800080559678 x6 : 0000000000000000
x5 : 00000000ffffffff x4 : 0000000000000820 x3 : 0000000000000820
x2 : 0000000000000038 x1 : 00000000fffffff4 x0 : 0000000000000000
Call trace:
 clear_state_bit+0x38c/0x390 fs/btrfs/extent-io-tree.c:572 (P)
 btrfs_clear_extent_bit_changeset+0x8fc/0xdb8 fs/btrfs/extent-io-tree.c:748
 btrfs_clear_record_extent_bits+0x64/0xa8 fs/btrfs/extent-io-tree.c:1879
 __btrfs_qgroup_release_data+0x334/0x870 fs/btrfs/qgroup.c:4366
 btrfs_qgroup_release_data+0x44/0x58 fs/btrfs/qgroup.c:4422
 alloc_ordered_extent+0xec/0x590 fs/btrfs/ordered-data.c:170
 btrfs_alloc_ordered_extent+0x188/0x920 fs/btrfs/ordered-data.c:-1
 cow_file_range+0x588/0xc70 fs/btrfs/inode.c:1403
 btrfs_run_delalloc_range+0x33c/0xd7c fs/btrfs/inode.c:2348
 writepage_delalloc+0x8f0/0x103c fs/btrfs/extent_io.c:1386
 extent_writepage fs/btrfs/extent_io.c:1717 [inline]
 extent_write_cache_pages fs/btrfs/extent_io.c:2403 [inline]
 btrfs_writepages+0x115c/0x20dc fs/btrfs/extent_io.c:2536
 do_writepages+0x270/0x468 mm/page-writeback.c:2636
 filemap_fdatawrite_wbc mm/filemap.c:386 [inline]
 __filemap_fdatawrite_range mm/filemap.c:419 [inline]
 filemap_write_and_wait_range+0x1ac/0x29c mm/filemap.c:691
 kiocb_write_and_wait+0xb8/0x194 mm/filemap.c:2801
 __iomap_dio_rw+0x740/0x1c40 fs/iomap/direct-io.c:654
 iomap_dio_rw+0x5c/0xa8 fs/iomap/direct-io.c:823
 btrfs_dio_read fs/btrfs/direct-io.c:765 [inline]
 btrfs_direct_read+0x2f4/0x544 fs/btrfs/direct-io.c:1047
 btrfs_file_read_iter+0x8c/0x184 fs/btrfs/file.c:3753
 copy_splice_read+0x454/0x848 fs/splice.c:363
 do_splice_read fs/splice.c:978 [inline]
 splice_direct_to_actor+0x38c/0x994 fs/splice.c:1083
 do_splice_direct_actor fs/splice.c:1201 [inline]
 do_splice_direct+0x130/0x210 fs/splice.c:1227
 do_sendfile+0x3cc/0x658 fs/read_write.c:1370
 __do_sys_sendfile64 fs/read_write.c:1431 [inline]
 __se_sys_sendfile64 fs/read_write.c:1417 [inline]
 __arm64_sys_sendfile64+0x1b4/0x274 fs/read_write.c:1417
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x58/0x180 arch/arm64/kernel/entry-common.c:879
 el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:898
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596
Code: aa1903e0 979c8366 17ffff37 97881079 (d4210000)
---[ end trace 0000000000000000 ]---