------------[ cut here ]------------
BTRFS: Transaction aborted (error -28)
WARNING: fs/btrfs/extent-tree.c:3235 at 0x0, CPU#1: syz-executor.0/6116
Modules linked in:
CPU: 1 UID: 0 PID: 6116 Comm: syz-executor.0 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:__btrfs_free_extent.isra.0+0x7dd/0x4800 fs/btrfs/extent-tree.c:3235
Code: fd df fd 8d 43 1e 83 f8 19 77 0f ba 01 00 04 02 48 0f a3 c2 0f 82 6e 05 00 00 e8 5e 02 e0 fd 48 8d 3d 57 b8 b1 0c 8b 74 24 40 <67> 48 0f b9 3a bd 01 00 00 00 e8 44 02 e0 fd 8b 4c 24 40 48 8b 7c
RSP: 0018:ffffc900044df140 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffffffffffffffe4 RCX: ffffffff83dee146
RDX: ffff888024794980 RSI: 00000000ffffffe4 RDI: ffffffff909099c0
RBP: 0000000000000000 R08: 0000000000000005 R09: fffffffffffffffb
R10: ffffffffffffffe4 R11: ffff8880247954b0 R12: ffff888035102f20
R13: ffff888026d01f60 R14: ffff888033161b68 R15: 0000000000623000
FS: 00007fd5c864d6c0(0000) GS:ffff8880d69fa000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fba0d7bc000 CR3: 000000002ac9b000 CR4: 0000000000352ef0
Call Trace:
 run_delayed_data_ref fs/btrfs/extent-tree.c:1600 [inline]
 run_one_delayed_ref fs/btrfs/extent-tree.c:1780 [inline]
 btrfs_run_delayed_refs_for_head fs/btrfs/extent-tree.c:1973 [inline]
 __btrfs_run_delayed_refs+0x9a2/0x3da0 fs/btrfs/extent-tree.c:2048
 btrfs_run_delayed_refs+0x1a4/0x4b0 fs/btrfs/extent-tree.c:2160
 btrfs_commit_transaction+0x851/0x4240 fs/btrfs/transaction.c:2229
 btrfs_sync_file+0x9df/0x1060 fs/btrfs/file.c:1819
 vfs_fsync_range+0x142/0x230 fs/sync.c:188
 generic_write_sync include/linux/fs.h:2616 [inline]
 btrfs_do_write_iter+0x6ce/0x930 fs/btrfs/file.c:1470
 iter_file_splice_write+0xa24/0x12b0 fs/splice.c:738
 do_splice_from fs/splice.c:938 [inline]
 direct_splice_actor+0x192/0x6c0 fs/splice.c:1161
 splice_direct_to_actor+0x345/0xa30 fs/splice.c:1105
 do_splice_direct_actor fs/splice.c:1204 [inline]
 do_splice_direct+0x174/0x240 fs/splice.c:1230
 do_sendfile+0xb06/0xe50 fs/read_write.c:1370
 __do_sys_sendfile64 fs/read_write.c:1431 [inline]
 __se_sys_sendfile64 fs/read_write.c:1417 [inline]
 __x64_sys_sendfile64+0x1d8/0x220 fs/read_write.c:1417
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fd5c787dda9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fd5c864d0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 00007fd5c79abf80 RCX: 00007fd5c787dda9
RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000004
RBP: 00007fd5c78ca47a R08: 0000000000000000 R09: 0000000000000000
R10: 000000000880000c R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007fd5c79abf80 R15: 00007fff7928b5b8
----------------
Code disassembly (best guess), 2 bytes skipped:
   0: fd                      std
   1: 8d 43 1e                lea 0x1e(%rbx),%eax
   4: 83 f8 19                cmp $0x19,%eax
   7: 77 0f                   ja 0x18
   9: ba 01 00 04 02          mov $0x2040001,%edx
   e: 48 0f a3 c2             bt %rax,%rdx
  12: 0f 82 6e 05 00 00       jb 0x586
  18: e8 5e 02 e0 fd          call 0xfde0027b
  1d: 48 8d 3d 57 b8 b1 0c    lea 0xcb1b857(%rip),%rdi # 0xcb1b87b
  24: 8b 74 24 40             mov 0x40(%rsp),%esi
* 28: 67 48 0f b9 3a          ud1 (%edx),%rdi <-- trapping instruction
  2d: bd 01 00 00 00          mov $0x1,%ebp
  32: e8 44 02 e0 fd          call 0xfde0027b
  37: 8b 4c 24 40             mov 0x40(%rsp),%ecx
  3b: 48                      rex.W
  3c: 8b                      .byte 0x8b
  3d: 7c                      .byte 0x7c