ci starts bisection 2022-12-05 17:34:09.950691913 +0000 UTC m=+10191.031293390 bisecting cause commit starting from a6afa4199d3d038fbfdff5511f7523b0e30cb774 building syzkaller on aea5da898f473385f3b66c94f8aa49ca9a1c9744 ensuring issue is reproducible on original commit a6afa4199d3d038fbfdff5511f7523b0e30cb774 testing commit a6afa4199d3d038fbfdff5511f7523b0e30cb774 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: fe3c7a9ef9427b76934bbd30b83b1c8399e91e47f88e47d1b11d94ce0dcef2fa run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: EOF run #1: crashed: INFO: rcu detected stall in corrupted run #2: crashed: INFO: rcu detected stall in corrupted run #3: crashed: INFO: rcu detected stall in corrupted run #4: crashed: INFO: rcu detected stall in corrupted run #5: crashed: INFO: rcu detected stall in corrupted run #6: crashed: INFO: rcu detected stall in corrupted run #7: crashed: INFO: rcu detected stall in corrupted run #8: crashed: INFO: rcu detected stall in corrupted run #9: crashed: INFO: rcu detected stall in corrupted run #10: crashed: INFO: rcu detected stall in corrupted run #11: crashed: INFO: rcu detected stall in corrupted run #12: crashed: INFO: rcu detected stall in corrupted run #13: crashed: INFO: rcu detected stall in corrupted run #14: crashed: KASAN: use-after-free Read in unregister_shrinker run #15: crashed: INFO: rcu detected stall in corrupted run #16: crashed: KASAN: use-after-free Read in register_shrinker_prepared run #17: crashed: KASAN: use-after-free Read in unregister_shrinker run #18: crashed: KASAN: use-after-free Read in register_shrinker_prepared run #19: crashed: KASAN: use-after-free Read in unregister_shrinker testing release v6.0 testing commit 4fe89d07dcc2804c8b562f6c7896a45643d34b2f gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 40171d2e73b1a37d627af141088e053ae3b24c0d90974c0e964802a3c3d31757 run #0: crashed: INFO: rcu detected stall in corrupted run #1: crashed: INFO: rcu detected stall in corrupted run #2: crashed: INFO: rcu detected stall in corrupted run #3: crashed: INFO: rcu detected stall in corrupted run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK reproducer seems to be flaky testing release v5.19 testing commit 3d7cb6b04c3f3115719235cc6866b10326de34cd gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 5ca74687e1d823ddc8077ac9b6cafb1efea3d995cb485e5af0e1e04d2ce1806a all runs: OK # git bisect start 4fe89d07dcc2804c8b562f6c7896a45643d34b2f 3d7cb6b04c3f3115719235cc6866b10326de34cd Bisecting: 8384 revisions left to test after this (roughly 13 steps) [78acd4ca433425e6dd4032cfc2156c60e34931f2] usb: cdns3: Don't use priv_dev uninitialized in cdns3_gadget_ep_enable() testing commit 78acd4ca433425e6dd4032cfc2156c60e34931f2 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: ff0343f8439b1f4a5ec4556ad8c4d8a5d006dc9d9d8904c18a273155c8975704 run #0: basic kernel testing failed: WARNING: ODEBUG bug in mgmt_index_removed run #1: basic kernel testing failed: WARNING: ODEBUG bug in mgmt_index_removed run #2: basic kernel testing failed: WARNING: ODEBUG bug in mgmt_index_removed run #3: basic kernel testing failed: WARNING: ODEBUG bug in mgmt_index_removed run #4: basic kernel testing failed: WARNING: ODEBUG bug in mgmt_index_removed run #5: basic kernel testing failed: BUG: program execution failed: executor NUM: EOF run #6: basic kernel testing failed: WARNING: ODEBUG bug in mgmt_index_removed run #7: basic kernel testing failed: WARNING: ODEBUG bug in mgmt_index_removed run #8: basic kernel testing failed: WARNING: ODEBUG bug in mgmt_index_removed run #9: basic kernel testing failed: WARNING: ODEBUG bug in mgmt_index_removed run #10: basic kernel testing failed: WARNING: ODEBUG bug in mgmt_index_removed run #11: basic kernel testing failed: WARNING: ODEBUG bug in mgmt_index_removed run #12: basic kernel testing failed: WARNING: ODEBUG bug in mgmt_index_removed run #13: basic kernel testing failed: WARNING: ODEBUG bug in mgmt_index_removed run #14: basic kernel testing failed: WARNING: ODEBUG bug in mgmt_index_removed run #15: basic kernel testing failed: WARNING: ODEBUG bug in mgmt_index_removed run #16: basic kernel testing failed: WARNING: ODEBUG bug in mgmt_index_removed run #17: basic kernel testing failed: WARNING: ODEBUG bug in mgmt_index_removed run #18: basic kernel testing failed: WARNING: ODEBUG bug in mgmt_index_removed run #19: basic kernel testing failed: WARNING: ODEBUG bug in mgmt_index_removed # git bisect skip 78acd4ca433425e6dd4032cfc2156c60e34931f2 Bisecting: 8384 revisions left to test after this (roughly 13 steps) [586fb2641371cf7f23a401ab1c79b17e3ec457f4] ASoC: soc-core.c: fixup snd_soc_of_get_dai_link_cpus() testing commit 586fb2641371cf7f23a401ab1c79b17e3ec457f4 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: fc9e7277730353f475e2df88df30144d01b381a6ccc92fecec6bf779a6a2d721 run #0: boot failed: INFO: task hung in add_early_randomness run #1: boot failed: INFO: task hung in add_early_randomness run #2: boot failed: INFO: task hung in add_early_randomness run #3: boot failed: INFO: task hung in add_early_randomness run #4: boot failed: INFO: task hung in add_early_randomness run #5: boot failed: INFO: task hung in add_early_randomness run #6: boot failed: INFO: task hung in add_early_randomness run #7: boot failed: INFO: task hung in add_early_randomness run #8: boot failed: INFO: task hung in add_early_randomness run #9: OK run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK # git bisect good 586fb2641371cf7f23a401ab1c79b17e3ec457f4 Bisecting: 8057 revisions left to test after this (roughly 13 steps) [cfeafd94668910334a77c9437a18212baf9f5610] Merge tag 'driver-core-6.0-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core testing commit cfeafd94668910334a77c9437a18212baf9f5610 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 1b66d111f91937b9af0201b6816feb522911d4144577546df6da5bd823ec9d89 all runs: basic kernel testing failed: WARNING: ODEBUG bug in mgmt_index_removed # git bisect skip cfeafd94668910334a77c9437a18212baf9f5610 Bisecting: 8057 revisions left to test after this (roughly 13 steps) [332f1795ca202489c665a75e62e18ff6284de077] Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm regression testing commit 332f1795ca202489c665a75e62e18ff6284de077 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: d4f6c95a9e5548c23845796a6c211374f9bd809f9f89adcd3524c8b00c600099 all runs: basic kernel testing failed: WARNING: ODEBUG bug in mgmt_index_removed # git bisect skip 332f1795ca202489c665a75e62e18ff6284de077 Bisecting: 8057 revisions left to test after this (roughly 13 steps) [4a445b7b6178d88956192c0202463063f52e8667] btrfs: don't merge pages into bio if their page offset is not contiguous testing commit 4a445b7b6178d88956192c0202463063f52e8667 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: eece9d5bce98d6bc94d88c9e4ec4e85fbb7996215a4608c5a29c3bec598307ae run #0: crashed: SYZFATAL: executor failed NUM times: executor NUM: failed to write control pipe: write |NUM: broken pipe run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK # git bisect bad 4a445b7b6178d88956192c0202463063f52e8667 Bisecting: 86 revisions left to test after this (roughly 7 steps) [bfceac7fd3c47175fec75c32071051de5969a34c] btrfs: remove unused typedefs get_extent_t and btrfs_work_func_t testing commit bfceac7fd3c47175fec75c32071051de5969a34c gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: e761b2ea071733370ecb114114e5067c957f598fce3ece087fd5e86dee6368a4 all runs: OK # git bisect good bfceac7fd3c47175fec75c32071051de5969a34c Bisecting: 43 revisions left to test after this (roughly 6 steps) [8bfc9b2cf468c37870b980a16c345c9ba3a2010a] btrfs: use enum for btrfs_block_rsv::type testing commit 8bfc9b2cf468c37870b980a16c345c9ba3a2010a gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 12b535733bca461fbcd9b529d2dc36d629eb1e51c8ad21bf676f8c57bb2b4c1a all runs: OK # git bisect good 8bfc9b2cf468c37870b980a16c345c9ba3a2010a Bisecting: 21 revisions left to test after this (roughly 5 steps) [71ecfc133b035a18cbe4f0ddb55345a85cb16537] btrfs: send: introduce recorded_ref_alloc and recorded_ref_free testing commit 71ecfc133b035a18cbe4f0ddb55345a85cb16537 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: b99edef3a47f5eb96edb4d7451f3a4428ce128ac70af343ae48b01792a018907 all runs: OK # git bisect good 71ecfc133b035a18cbe4f0ddb55345a85cb16537 Bisecting: 10 revisions left to test after this (roughly 4 steps) [0b078d9db8793b1bd911e97be854e3c964235c78] btrfs: don't call btrfs_page_set_checked in finish_compressed_bio_read testing commit 0b078d9db8793b1bd911e97be854e3c964235c78 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: cf64bba21681b6ffced07565372d3a74c63cf013df207704d3dbfefa246e4661 all runs: OK # git bisect good 0b078d9db8793b1bd911e97be854e3c964235c78 Bisecting: 4 revisions left to test after this (roughly 3 steps) [769030e11847c5412270c0726ff21d3a1f0a3131] btrfs: fix warning during log replay when bumping inode link count testing commit 769030e11847c5412270c0726ff21d3a1f0a3131 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 351bb19cbce39fc13f693d3cbaf34959ee00a3ae7f9c77d1fe226e5e33277af9 all runs: OK # git bisect good 769030e11847c5412270c0726ff21d3a1f0a3131 Bisecting: 1 revision left to test after this (roughly 1 step) [9ea0106a7a3d8116860712e3f17cd52ce99f6707] btrfs: fix possible memory leak in btrfs_get_dev_args_from_path() testing commit 9ea0106a7a3d8116860712e3f17cd52ce99f6707 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 5a66cd1fe4af837f2631678aef4e925faa3efa629b312ccc8fabd007063179e8 all runs: OK # git bisect good 9ea0106a7a3d8116860712e3f17cd52ce99f6707 Bisecting: 0 revisions left to test after this (roughly 0 steps) [e6e3dec6c3c288d556b991a85d5d8e3ee71e9046] btrfs: update generation of hole file extent item when merging holes testing commit e6e3dec6c3c288d556b991a85d5d8e3ee71e9046 gcc compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 6cc672b9eff387b4e0e96bc58eba95610ffbfb09a82bbcf28a8667e5cc12c490 all runs: OK # git bisect good e6e3dec6c3c288d556b991a85d5d8e3ee71e9046 4a445b7b6178d88956192c0202463063f52e8667 is the first bad commit commit 4a445b7b6178d88956192c0202463063f52e8667 Author: Qu Wenruo Date: Sat Aug 13 16:06:53 2022 +0800 btrfs: don't merge pages into bio if their page offset is not contiguous [BUG] Zygo reported on latest development branch, he could hit ASSERT()/BUG_ON() caused crash when doing RAID5 recovery (intentionally corrupt one disk, and let btrfs to recover the data during read/scrub). And The following minimal reproducer can cause extent state leakage at rmmod time: mkfs.btrfs -f -d raid5 -m raid5 $dev1 $dev2 $dev3 -b 1G > /dev/null mount $dev1 $mnt fsstress -w -d $mnt -n 25 -s 1660807876 sync fssum -A -f -w /tmp/fssum.saved $mnt umount $mnt # Wipe the dev1 but keeps its super block xfs_io -c "pwrite -S 0x0 1m 1023m" $dev1 mount $dev1 $mnt fssum -r /tmp/fssum.saved $mnt > /dev/null umount $mnt rmmod btrfs This will lead to the following extent states leakage: BTRFS: state leak: start 499712 end 503807 state 5 in tree 1 refs 1 BTRFS: state leak: start 495616 end 499711 state 5 in tree 1 refs 1 BTRFS: state leak: start 491520 end 495615 state 5 in tree 1 refs 1 BTRFS: state leak: start 487424 end 491519 state 5 in tree 1 refs 1 BTRFS: state leak: start 483328 end 487423 state 5 in tree 1 refs 1 BTRFS: state leak: start 479232 end 483327 state 5 in tree 1 refs 1 BTRFS: state leak: start 475136 end 479231 state 5 in tree 1 refs 1 BTRFS: state leak: start 471040 end 475135 state 5 in tree 1 refs 1 [CAUSE] Since commit 7aa51232e204 ("btrfs: pass a btrfs_bio to btrfs_repair_one_sector"), we always use btrfs_bio->file_offset to determine the file offset of a page. But that usage assume that, one bio has all its page having a continuous page offsets. Unfortunately that's not true, btrfs only requires the logical bytenr contiguous when assembling its bios. From above script, we have one bio looks like this: fssum-27671 submit_one_bio: bio logical=217739264 len=36864 fssum-27671 submit_one_bio: r/i=5/261 page_offset=466944 <<< fssum-27671 submit_one_bio: r/i=5/261 page_offset=724992 <<< fssum-27671 submit_one_bio: r/i=5/261 page_offset=729088 fssum-27671 submit_one_bio: r/i=5/261 page_offset=733184 fssum-27671 submit_one_bio: r/i=5/261 page_offset=737280 fssum-27671 submit_one_bio: r/i=5/261 page_offset=741376 fssum-27671 submit_one_bio: r/i=5/261 page_offset=745472 fssum-27671 submit_one_bio: r/i=5/261 page_offset=749568 fssum-27671 submit_one_bio: r/i=5/261 page_offset=753664 Note that the 1st and the 2nd page has non-contiguous page offsets. This means, at repair time, we will have completely wrong file offset passed in: kworker/u32:2-19927 btrfs_repair_one_sector: r/i=5/261 page_off=729088 file_off=475136 bio_offset=8192 Since the file offset is incorrect, we latter incorrectly set the extent states, and no way to really release them. Thus later it causes the leakage. In fact, this can be even worse, since the file offset is incorrect, we can hit cases like the incorrect file offset belongs to a HOLE, and later cause btrfs_num_copies() to trigger error, finally hit BUG_ON()/ASSERT() later. [FIX] Add an extra condition in btrfs_bio_add_page() for uncompressed IO. Now we will have more strict requirement for bio pages: - They should all have the same mapping (the mapping check is already implied by the call chain) - Their logical bytenr should be adjacent This is the same as the old condition. - Their page_offset() (file offset) should be adjacent This is the new check. This would result a slightly increased amount of bios from btrfs (needs holes and inside the same stripe boundary to trigger). But this would greatly reduce the confusion, as it's pretty common to assume a btrfs bio would only contain continuous page cache. Later we may need extra cleanups, as we no longer needs to handle gaps between page offsets in endio functions. Currently this should be the minimal patch to fix commit 7aa51232e204 ("btrfs: pass a btrfs_bio to btrfs_repair_one_sector"). Reported-by: Zygo Blaxell Fixes: 7aa51232e204 ("btrfs: pass a btrfs_bio to btrfs_repair_one_sector") Reviewed-by: Christoph Hellwig Signed-off-by: Qu Wenruo Signed-off-by: David Sterba fs/btrfs/extent_io.c | 33 +++++++++++++++++++++++++++++---- 1 file changed, 29 insertions(+), 4 deletions(-) culprit signature: eece9d5bce98d6bc94d88c9e4ec4e85fbb7996215a4608c5a29c3bec598307ae parent signature: 6cc672b9eff387b4e0e96bc58eba95610ffbfb09a82bbcf28a8667e5cc12c490 Reproducer flagged being flaky revisions tested: 15, total time: 4h2m14.805135232s (build: 1h37m9.181509342s, test: 2h23m22.126309212s) first bad commit: 4a445b7b6178d88956192c0202463063f52e8667 btrfs: don't merge pages into bio if their page offset is not contiguous recipients (to): ["dsterba@suse.com" "hch@lst.de" "wqu@suse.com"] recipients (cc): [] crash: SYZFATAL: executor failed NUM times: executor NUM: failed to write control pipe: write |NUM: broken pipe 2022/12/05 19:20:03 SYZFATAL: executor failed 11 times: executor 3: failed to write control pipe: write |1: broken pipe SYZFAIL: wrong response packet (errno 16: Device or resource busy) loop exited with status 67