ci2 starts bisection 2023-06-11 12:59:14.709623321 +0000 UTC m=+95330.158955157
bisecting cause commit starting from 022ce8862dff83c859089cd14bc4dca0733e2f90
building syzkaller on 49519f067f7fc9bfbf869e6851a4d398a9f7863f
ensuring issue is reproducible on original commit 022ce8862dff83c859089cd14bc4dca0733e2f90
testing commit 022ce8862dff83c859089cd14bc4dca0733e2f90 gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 7c5534fc64c2f46aba88f6368dfdcc00bf561cbcc824a9fe54242509a99d6e6b
all runs: crashed: general protection fault in nilfs_clear_dirty_page
testing release v6.3
testing commit 457391b0380335d5e9a5babdec90ac53928b23b4 gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 148cb755c614787d212d3660dca3802b1628412c9711686163cd5e892b777d30
all runs: crashed: general protection fault in nilfs_clear_dirty_page
testing release v6.2
testing commit c9c3395d5e3dcc6daee66c6908354d47bf98cb0c gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 04aeb6fe3280a7d72e07bfa18e61acf3ff831e64f19e828aa0370009a5bafb63
run #0: crashed: general protection fault in nilfs_clear_dirty_page
run #1: crashed: general protection fault in nilfs_clear_dirty_page
run #2: crashed: general protection fault in nilfs_clear_dirty_page
run #3: crashed: general protection fault in nilfs_clear_dirty_page
run #4: crashed: INFO: rcu detected stall in corrupted
run #5: crashed: INFO: rcu detected stall in corrupted
run #6: crashed: INFO: rcu detected stall in corrupted
run #7: crashed: INFO: rcu detected stall in corrupted
run #8: crashed: INFO: rcu detected stall in corrupted
run #9: crashed: INFO: rcu detected stall in corrupted
testing release v6.1
testing commit 830b3c68c1fb1e9176028d02ef86f3cf76aa2476 gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: f8b982dc6293d4d8aae58157898b6dd5004b71e517a5bd9aa95fa93994fc7089
run #0: crashed: INFO: rcu detected stall in corrupted
run #1: crashed: INFO: rcu detected stall in corrupted
run #2: crashed: INFO: rcu detected stall in corrupted
run #3: crashed: INFO: rcu detected stall in corrupted
run #4: crashed: INFO: rcu detected stall in corrupted
run #5: crashed: INFO: rcu detected stall in corrupted
run #6: crashed: INFO: rcu detected stall in corrupted
run #7: OK
run #8: OK
run #9: OK
testing release v6.0
testing commit 4fe89d07dcc2804c8b562f6c7896a45643d34b2f gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: c577c6d975be7aab613a08550cac5f1ee1ee009f41412371751c12ba20eaaee6
run #0: crashed: INFO: rcu detected stall in corrupted
run #1: crashed: INFO: rcu detected stall in corrupted
run #2: crashed: INFO: rcu detected stall in corrupted
run #3: crashed: INFO: rcu detected stall in corrupted
run #4: crashed: INFO: rcu detected stall in corrupted
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
testing release v5.19
testing commit 3d7cb6b04c3f3115719235cc6866b10326de34cd gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: e8b803d640f8460dec37111dc3bc1754cefe6b4155313fdb9d4b5eae2afe02c0
all runs: OK
# git bisect start 4fe89d07dcc2804c8b562f6c7896a45643d34b2f 3d7cb6b04c3f3115719235cc6866b10326de34cd
Bisecting: 8384 revisions left to test after this (roughly 13 steps)
[78acd4ca433425e6dd4032cfc2156c60e34931f2] usb: cdns3: Don't use priv_dev uninitialized in cdns3_gadget_ep_enable()
testing commit 78acd4ca433425e6dd4032cfc2156c60e34931f2 gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: d4e9b14ee47a1a451a7b9c3039c8caea4642cda441249d7f9af5b6bb72309c30
all runs: basic kernel testing failed: WARNING in mgmt_index_removed
# git bisect skip 78acd4ca433425e6dd4032cfc2156c60e34931f2
Bisecting: 8384 revisions left to test after this (roughly 13 steps)
[586fb2641371cf7f23a401ab1c79b17e3ec457f4] ASoC: soc-core.c: fixup snd_soc_of_get_dai_link_cpus()
testing commit 586fb2641371cf7f23a401ab1c79b17e3ec457f4 gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: a04be14a50e2b3a8bcfcef05032b83aa6835eae0e247a47c8ef7ce4110535780
run #0: boot failed: INFO: task hung in add_early_randomness
run #1: boot failed: INFO: task hung in add_early_randomness
run #2: boot failed: INFO: task hung in add_early_randomness
run #3: boot failed: INFO: task hung in add_early_randomness
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect good 586fb2641371cf7f23a401ab1c79b17e3ec457f4
Bisecting: 8057 revisions left to test after this (roughly 13 steps)
[cfeafd94668910334a77c9437a18212baf9f5610] Merge tag 'driver-core-6.0-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core
testing commit cfeafd94668910334a77c9437a18212baf9f5610 gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 1e6c50c28598ef38f05ad8a4992a59020a63f2de68695b78b1084e9dff5f8207
all runs: basic kernel testing failed: WARNING in mgmt_index_removed
# git bisect skip cfeafd94668910334a77c9437a18212baf9f5610
Bisecting: 8057 revisions left to test after this (roughly 13 steps)
[332f1795ca202489c665a75e62e18ff6284de077] Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm regression
testing commit 332f1795ca202489c665a75e62e18ff6284de077 gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 87a0175979f27d3a9772c0320ab24e43cf8787da71ad2f5f55213f2a25ec2e5f
all runs: basic kernel testing failed: WARNING in mgmt_index_removed
# git bisect skip 332f1795ca202489c665a75e62e18ff6284de077
Bisecting: 8057 revisions left to test after this (roughly 13 steps)
[4a445b7b6178d88956192c0202463063f52e8667] btrfs: don't merge pages into bio if their page offset is not contiguous
testing commit 4a445b7b6178d88956192c0202463063f52e8667 gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: ec57104b99225e3d6e736a5639d0eaec70bb3fdb3a56907d2cb04d2c6cad0e1d
run #0: crashed: kernel BUG in find_lock_entries
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
reproducer seems to be flaky
# git bisect bad 4a445b7b6178d88956192c0202463063f52e8667
Bisecting: 86 revisions left to test after this (roughly 7 steps)
[bfceac7fd3c47175fec75c32071051de5969a34c] btrfs: remove unused typedefs get_extent_t and btrfs_work_func_t
testing commit bfceac7fd3c47175fec75c32071051de5969a34c gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 1dfe76a57fe4519babdd14dc8fad6336534b5fd9ba7248e3d32febf174e65444
all runs: OK
# git bisect good bfceac7fd3c47175fec75c32071051de5969a34c
Bisecting: 43 revisions left to test after this (roughly 6 steps)
[8bfc9b2cf468c37870b980a16c345c9ba3a2010a] btrfs: use enum for btrfs_block_rsv::type
testing commit 8bfc9b2cf468c37870b980a16c345c9ba3a2010a gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 49fd681a99c6ffa806bae1e3379714785e6f8dcbd6617bbc93d55952dc559b8a
all runs: OK
# git bisect good 8bfc9b2cf468c37870b980a16c345c9ba3a2010a
Bisecting: 21 revisions left to test after this (roughly 5 steps)
[71ecfc133b035a18cbe4f0ddb55345a85cb16537] btrfs: send: introduce recorded_ref_alloc and recorded_ref_free
testing commit 71ecfc133b035a18cbe4f0ddb55345a85cb16537 gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 3951a7ced85382a1d15b08296faad618c5e73aeb19c5dce0a3fc475f6a328191
all runs: OK
# git bisect good 71ecfc133b035a18cbe4f0ddb55345a85cb16537
Bisecting: 10 revisions left to test after this (roughly 4 steps)
[0b078d9db8793b1bd911e97be854e3c964235c78] btrfs: don't call btrfs_page_set_checked in finish_compressed_bio_read
testing commit 0b078d9db8793b1bd911e97be854e3c964235c78 gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 29e3d123d45bd6fd18123a08fd42187109d1433ad5fe4876c49ed8d7a1612b68
all runs: OK
# git bisect good 0b078d9db8793b1bd911e97be854e3c964235c78
Bisecting: 4 revisions left to test after this (roughly 3 steps)
[769030e11847c5412270c0726ff21d3a1f0a3131] btrfs: fix warning during log replay when bumping inode link count
testing commit 769030e11847c5412270c0726ff21d3a1f0a3131 gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: de8fe848eac53cc4972580783bec3e024dddfbcd665dc59a3bbac8e57ccaa14a
all runs: OK
# git bisect good 769030e11847c5412270c0726ff21d3a1f0a3131
Bisecting: 1 revision left to test after this (roughly 1 step)
[9ea0106a7a3d8116860712e3f17cd52ce99f6707] btrfs: fix possible memory leak in btrfs_get_dev_args_from_path()
testing commit 9ea0106a7a3d8116860712e3f17cd52ce99f6707 gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 3916d5ec4e3de0bfa1ed548f8eeef8fdb5edf1d0345d8d116a419f67fdff3669
all runs: OK
# git bisect good 9ea0106a7a3d8116860712e3f17cd52ce99f6707
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[e6e3dec6c3c288d556b991a85d5d8e3ee71e9046] btrfs: update generation of hole file extent item when merging holes
testing commit e6e3dec6c3c288d556b991a85d5d8e3ee71e9046 gcc
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 5e89af03ad1de4166c0ccd1370bd3987031ac0bcb9f97542f38361ba5eaf371e
all runs: OK
# git bisect good e6e3dec6c3c288d556b991a85d5d8e3ee71e9046
4a445b7b6178d88956192c0202463063f52e8667 is the first bad commit
commit 4a445b7b6178d88956192c0202463063f52e8667
Author: Qu Wenruo
Date:   Sat Aug 13 16:06:53 2022 +0800

    btrfs: don't merge pages into bio if their page offset is not contiguous

    [BUG]
    Zygo reported on latest development branch, he could hit
    ASSERT()/BUG_ON() caused crash when doing RAID5 recovery (intentionally
    corrupt one disk, and let btrfs to recover the data during read/scrub).

    And the following minimal reproducer can cause extent state leakage at
    rmmod time:

      mkfs.btrfs -f -d raid5 -m raid5 $dev1 $dev2 $dev3 -b 1G > /dev/null
      mount $dev1 $mnt
      fsstress -w -d $mnt -n 25 -s 1660807876
      sync
      fssum -A -f -w /tmp/fssum.saved $mnt
      umount $mnt
      # Wipe the dev1 but keeps its super block
      xfs_io -c "pwrite -S 0x0 1m 1023m" $dev1
      mount $dev1 $mnt
      fssum -r /tmp/fssum.saved $mnt > /dev/null
      umount $mnt
      rmmod btrfs

    This will lead to the following extent states leakage:

      BTRFS: state leak: start 499712 end 503807 state 5 in tree 1 refs 1
      BTRFS: state leak: start 495616 end 499711 state 5 in tree 1 refs 1
      BTRFS: state leak: start 491520 end 495615 state 5 in tree 1 refs 1
      BTRFS: state leak: start 487424 end 491519 state 5 in tree 1 refs 1
      BTRFS: state leak: start 483328 end 487423 state 5 in tree 1 refs 1
      BTRFS: state leak: start 479232 end 483327 state 5 in tree 1 refs 1
      BTRFS: state leak: start 475136 end 479231 state 5 in tree 1 refs 1
      BTRFS: state leak: start 471040 end 475135 state 5 in tree 1 refs 1

    [CAUSE]
    Since commit 7aa51232e204 ("btrfs: pass a btrfs_bio to
    btrfs_repair_one_sector"), we always use btrfs_bio->file_offset to
    determine the file offset of a page.

    But that usage assumes that one bio has all its pages having continuous
    page offsets.

    Unfortunately that's not true, btrfs only requires the logical bytenr
    contiguous when assembling its bios.

    From above script, we have one bio looks like this:

      fssum-27671  submit_one_bio: bio logical=217739264 len=36864
      fssum-27671  submit_one_bio: r/i=5/261 page_offset=466944 <<<
      fssum-27671  submit_one_bio: r/i=5/261 page_offset=724992 <<<
      fssum-27671  submit_one_bio: r/i=5/261 page_offset=729088
      fssum-27671  submit_one_bio: r/i=5/261 page_offset=733184
      fssum-27671  submit_one_bio: r/i=5/261 page_offset=737280
      fssum-27671  submit_one_bio: r/i=5/261 page_offset=741376
      fssum-27671  submit_one_bio: r/i=5/261 page_offset=745472
      fssum-27671  submit_one_bio: r/i=5/261 page_offset=749568
      fssum-27671  submit_one_bio: r/i=5/261 page_offset=753664

    Note that the 1st and the 2nd page have non-contiguous page offsets.

    This means, at repair time, we will have completely wrong file offset
    passed in:

      kworker/u32:2-19927  btrfs_repair_one_sector: r/i=5/261 page_off=729088 file_off=475136 bio_offset=8192

    Since the file offset is incorrect, we later incorrectly set the extent
    states, and no way to really release them.

    Thus later it causes the leakage.

    In fact, this can be even worse, since the file offset is incorrect, we
    can hit cases like the incorrect file offset belongs to a HOLE, and later
    cause btrfs_num_copies() to trigger error, finally hit BUG_ON()/ASSERT()
    later.

    [FIX]
    Add an extra condition in btrfs_bio_add_page() for uncompressed IO.

    Now we will have more strict requirement for bio pages:

    - They should all have the same mapping
      (the mapping check is already implied by the call chain)

    - Their logical bytenr should be adjacent
      This is the same as the old condition.

    - Their page_offset() (file offset) should be adjacent
      This is the new check.
      This would result in a slightly increased amount of bios from btrfs
      (needs holes and inside the same stripe boundary to trigger).

    But this would greatly reduce the confusion, as it's pretty common to
    assume a btrfs bio would only contain continuous page cache.

    Later we may need extra cleanups, as we no longer need to handle gaps
    between page offsets in endio functions.

    Currently this should be the minimal patch to fix commit 7aa51232e204
    ("btrfs: pass a btrfs_bio to btrfs_repair_one_sector").

    Reported-by: Zygo Blaxell
    Fixes: 7aa51232e204 ("btrfs: pass a btrfs_bio to btrfs_repair_one_sector")
    Reviewed-by: Christoph Hellwig
    Signed-off-by: Qu Wenruo
    Signed-off-by: David Sterba

 fs/btrfs/extent_io.c | 33 +++++++++++++++++++++++++++++----
 1 file changed, 29 insertions(+), 4 deletions(-)

culprit signature: ec57104b99225e3d6e736a5639d0eaec70bb3fdb3a56907d2cb04d2c6cad0e1d
parent  signature: 5e89af03ad1de4166c0ccd1370bd3987031ac0bcb9f97542f38361ba5eaf371e
Reproducer flagged being flaky
revisions tested: 18, total time: 8h17m42.05057772s (build: 5h35m30.024251233s, test: 2h39m28.412083218s)
first bad commit: 4a445b7b6178d88956192c0202463063f52e8667 btrfs: don't merge pages into bio if their page offset is not contiguous
recipients (to): ["dsterba@suse.com" "hch@lst.de" "wqu@suse.com"]
recipients (cc): []
crash: kernel BUG in find_lock_entries
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1371 [inline]
 free_pcp_prepare mm/page_alloc.c:1421 [inline]
 free_unref_page_prepare+0xf85/0x1130 mm/page_alloc.c:3343
 free_unref_page+0x99/0x2d0 mm/page_alloc.c:3438
 __vunmap+0x362/0x7a0 mm/vmalloc.c:2665
 free_work+0x41/0x70 mm/vmalloc.c:97
 process_one_work+0x7b9/0xef0 kernel/workqueue.c:2289
 worker_thread+0x8c9/0xfd0 kernel/workqueue.c:2436
 kthread+0x238/0x2b0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30
------------[ cut here ]------------
kernel BUG at mm/filemap.c:2134!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 5960 Comm: syz-executor.2 Not tainted 5.19.0-rc8-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023
RIP: 0010:find_lock_entries+0x99d/0x9c0 mm/filemap.c:2133
Code: 12 d2 89 e8 c5 6e 0c 00 0f 0b 4c 89 f7 48 c7 c6 80 0f d2 89 e8 b4 6e 0c 00 0f 0b 4c 89 f7 48 c7 c6 c0 08 d2 89 e8 a3 6e 0c 00 <0f> 0b 4c 89 f7 48 c7 c6 00 14 d2 89 e8 92 6e 0c 00 0f 0b e8 eb 2a
RSP: 0018:ffffc900034bf540 EFLAGS: 00010246
RAX: df493b88d94d9600 RBX: dffffc0000000000 RCX: df493b88d94d9600
RDX: 0000000000000001 RSI: ffffffff8a16fac0 RDI: 0000000000000001
RBP: ffffc900034bf690 R08: dffffc0000000000 R09: ffffed10173a69d9
R10: 0000000000000000 R11: dffffc0000000001 R12: ffffea0001e2ee34
R13: fffffffffffffffe R14: ffffea0001e2ee00 R15: 1ffffd40003c5dc6
FS:  00007fd3dabc7700(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000558b4acad618 CR3: 0000000063b24000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 truncate_inode_pages_range+0x1d8/0xfe0 mm/truncate.c:364
 kill_bdev block/bdev.c:77 [inline]
 set_blocksize+0x254/0x2c0 block/bdev.c:153
 sb_set_blocksize block/bdev.c:162 [inline]
 sb_min_blocksize+0x9d/0x130 block/bdev.c:178
 init_nilfs+0xb5/0x6e0 fs/nilfs2/the_nilfs.c:571
 nilfs_fill_super+0xe2/0x560 fs/nilfs2/super.c:1047
 nilfs_mount+0x5c4/0x860 fs/nilfs2/super.c:1317
 legacy_get_tree+0xe9/0x170 fs/fs_context.c:610
 vfs_get_tree+0x7f/0x220 fs/super.c:1497
 do_new_mount+0x1e5/0x940 fs/namespace.c:3040
 do_mount fs/namespace.c:3383 [inline]
 __do_sys_mount fs/namespace.c:3591 [inline]
 __se_sys_mount+0x232/0x2c0 fs/namespace.c:3568
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fd3d9e8d69a
Code: 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fd3dabc6f88 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000000000a59 RCX: 00007fd3d9e8d69a
RDX: 00000000200000c0 RSI: 00000000200001c0 RDI: 00007fd3dabc6fe0
RBP: 00007fd3dabc7020 R08: 00007fd3dabc7020 R09: 0000000000800000
R10: 0000000000800000 R11: 0000000000000246 R12: 00000000200000c0
R13: 00000000200001c0 R14: 00007fd3dabc6fe0 R15: 0000000020000000
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:find_lock_entries+0x99d/0x9c0 mm/filemap.c:2133
Code: 12 d2 89 e8 c5 6e 0c 00 0f 0b 4c 89 f7 48 c7 c6 80 0f d2 89 e8 b4 6e 0c 00 0f 0b 4c 89 f7 48 c7 c6 c0 08 d2 89 e8 a3 6e 0c 00 <0f> 0b 4c 89 f7 48 c7 c6 00 14 d2 89 e8 92 6e 0c 00 0f 0b e8 eb 2a
RSP: 0018:ffffc900034bf540 EFLAGS: 00010246
RAX: df493b88d94d9600 RBX: dffffc0000000000 RCX: df493b88d94d9600
RDX: 0000000000000001 RSI: ffffffff8a16fac0 RDI: 0000000000000001
RBP: ffffc900034bf690 R08: dffffc0000000000 R09: ffffed10173a69d9
R10: 0000000000000000 R11: dffffc0000000001 R12: ffffea0001e2ee34
R13: fffffffffffffffe R14: ffffea0001e2ee00 R15: 1ffffd40003c5dc6
FS:  00007fd3dabc7700(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000558b4acad618 CR3: 0000000063b24000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400