Re: kernel BUG in set_state_bits

From: Qu Wenruo
Date: Mon Aug 14 2023 - 05:32:30 EST




On 2023/8/14 14:23, Yikebaer Aizezi wrote:
Hello,

When using Healer to fuzz Linux 6.5-rc5, the following crash
was triggered.

HEAD commit: 52a93d39b17dc7eb98b6aa3edb93943248e03b2f (tag: v6.5-rc5)
git tree: upstream

console output:
https://drive.google.com/file/d/1KuE7x7TW_pt_aNWWr2GAdehfYixsgeOO/view?usp=drive_link
kernel config: https://drive.google.com/file/d/1b_em6R2Zl98np83b818BzE1FrxbiaGuh/view?usp=drive_link
C reproducer: https://drive.google.com/file/d/1HlzFbWr3wqzlLi8I2_ZCQumS71WDLXj1/view?usp=drive_link
Syzlang reproducer:
https://drive.google.com/file/d/1Bu70LrWxOzsbkilELLuxo8VnjcAFiH1Y/view?usp=drive_link

If you fix this issue, please add the following tag to the commit:
Reported-by: Yikebaer Aizezi <yikebaer61@xxxxxxxxx>


memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL, pid=8428 'syz-executor'
loop1: detected capacity change from 0 to 32768
BTRFS: device fsid 84eb0a0b-d357-4bc1-8741-9d3223c15974 devid 1
transid 7 /dev/loop1 scanned by syz-executor (8428)
BTRFS info (device loop1): using xxhash64 (xxhash64-generic) checksum algorithm
BTRFS info (device loop1): disk space caching is enabled
BTRFS info (device loop1): enabling ssd optimizations
BTRFS info (device loop1): auto enabling async discard
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 1
CPU: 0 PID: 8428 Comm: syz-executor Not tainted 6.5.0-rc5 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x132/0x150 lib/dump_stack.c:106
fail_dump lib/fault-inject.c:52 [inline]
should_fail_ex+0x49f/0x5b0 lib/fault-inject.c:153
should_failslab+0x5/0x10 mm/slab_common.c:1471
slab_pre_alloc_hook mm/slab.h:711 [inline]
slab_alloc_node mm/slub.c:3452 [inline]
__kmem_cache_alloc_node+0x61/0x350 mm/slub.c:3509
kmalloc_trace+0x22/0xd0 mm/slab_common.c:1076
kmalloc include/linux/slab.h:582 [inline]
ulist_add_merge fs/btrfs/ulist.c:210 [inline]
ulist_add_merge+0x16f/0x660 fs/btrfs/ulist.c:198
add_extent_changeset fs/btrfs/extent-io-tree.c:191 [inline]

If you check the call site, it is doing a GFP_ATOMIC allocation inside a
critical section.

Doing such error injection without any clue is not really helping here.
You can even inject errors into NOFAIL call sites, and nobody would
really treat it seriously.

IIRC even syzbot is no longer reporting errors from blind error
injection.

Thanks,
Qu
add_extent_changeset fs/btrfs/extent-io-tree.c:178 [inline]
set_state_bits.isra.0+0x11f/0x1c0 fs/btrfs/extent-io-tree.c:378
insert_state_fast fs/btrfs/extent-io-tree.c:437 [inline]
__set_extent_bit+0x418/0x15b0 fs/btrfs/extent-io-tree.c:1034
set_record_extent_bits+0x53/0x90 fs/btrfs/extent-io-tree.c:1705
qgroup_reserve_data+0x233/0xa80 fs/btrfs/qgroup.c:3800
btrfs_qgroup_reserve_data+0x2b/0xc0 fs/btrfs/qgroup.c:3843
btrfs_check_data_free_space+0x114/0x290 fs/btrfs/delalloc-space.c:154
btrfs_buffered_write+0x4ec/0x1330 fs/btrfs/file.c:1250
btrfs_do_write_iter+0xb75/0x11c0 fs/btrfs/file.c:1670
call_write_iter include/linux/fs.h:1877 [inline]
new_sync_write fs/read_write.c:491 [inline]
vfs_write+0x989/0xdb0 fs/read_write.c:584
ksys_pwrite64 fs/read_write.c:699 [inline]
__do_sys_pwrite64 fs/read_write.c:709 [inline]
__se_sys_pwrite64 fs/read_write.c:706 [inline]
__x64_sys_pwrite64+0x1ef/0x240 fs/read_write.c:706
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x47959d
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f4717e0f068 EFLAGS: 00000246 ORIG_RAX: 0000000000000012
RAX: ffffffffffffffda RBX: 000000000059c0a0 RCX: 000000000047959d
RDX: 0000000000000027 RSI: 0000000020005840 RDI: 0000000000000003
RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000246 R12: 000000000059c0ac
R13: 000000000000000b R14: 0000000000437250 R15: 00007f4717def000
</TASK>
------------[ cut here ]------------
kernel BUG at fs/btrfs/extent-io-tree.c:379!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 8428 Comm: syz-executor Not tainted 6.5.0-rc5 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
RIP: 0010:set_state_bits.isra.0+0x17b/0x1c0 fs/btrfs/extent-io-tree.c:379
Code: 38 d0 7c 04 84 d2 75 31 44 8b 73 7c e8 be 72 f7 fd 44 89 e0 44
09 f0 89 43 7c 5b 5d 41 5c 41 5d 41 5e 41 5f c3 e8 a5 72 f7 fd <0f> 0b
4c 89 ef e8 8b 3d 47 fe e9 e6 fe ff ff 4c 89 ef e8 7e 3d 47
RSP: 0018:ffffc9000675f850 EFLAGS: 00010212
RAX: 000000000003f702 RBX: ffff88802100cc00 RCX: ffffc90002e49000
RDX: 0000000000040000 RSI: ffffffff8388e7eb RDI: 0000000000000005
RBP: 00000000fffffff4 R08: 0000000000000005 R09: 0000000000000000
R10: 00000000fffffff4 R11: 0000000032343854 R12: 0000000000000800
R13: ffff88802100cc7c R14: 0000000000000fff R15: 0000000000000000
FS: 00007f4717e0f640(0000) GS:ffff888063c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000505c10 CR3: 0000000018d77000 CR4: 0000000000750ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
<TASK>
insert_state_fast fs/btrfs/extent-io-tree.c:437 [inline]
__set_extent_bit+0x418/0x15b0 fs/btrfs/extent-io-tree.c:1034
set_record_extent_bits+0x53/0x90 fs/btrfs/extent-io-tree.c:1705
qgroup_reserve_data+0x233/0xa80 fs/btrfs/qgroup.c:3800
btrfs_qgroup_reserve_data+0x2b/0xc0 fs/btrfs/qgroup.c:3843
btrfs_check_data_free_space+0x114/0x290 fs/btrfs/delalloc-space.c:154
btrfs_buffered_write+0x4ec/0x1330 fs/btrfs/file.c:1250
btrfs_do_write_iter+0xb75/0x11c0 fs/btrfs/file.c:1670
call_write_iter include/linux/fs.h:1877 [inline]
new_sync_write fs/read_write.c:491 [inline]
vfs_write+0x989/0xdb0 fs/read_write.c:584
ksys_pwrite64 fs/read_write.c:699 [inline]
__do_sys_pwrite64 fs/read_write.c:709 [inline]
__se_sys_pwrite64 fs/read_write.c:706 [inline]
__x64_sys_pwrite64+0x1ef/0x240 fs/read_write.c:706
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x47959d
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f4717e0f068 EFLAGS: 00000246 ORIG_RAX: 0000000000000012
RAX: ffffffffffffffda RBX: 000000000059c0a0 RCX: 000000000047959d
RDX: 0000000000000027 RSI: 0000000020005840 RDI: 0000000000000003
RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000246 R12: 000000000059c0ac
R13: 000000000000000b R14: 0000000000437250 R15: 00007f4717def000
</TASK>
Modules linked in:
Dumping ftrace buffer:
(ftrace buffer empty)
---[ end trace 0000000000000000 ]---
RIP: 0010:set_state_bits.isra.0+0x17b/0x1c0 fs/btrfs/extent-io-tree.c:379
Code: 38 d0 7c 04 84 d2 75 31 44 8b 73 7c e8 be 72 f7 fd 44 89 e0 44
09 f0 89 43 7c 5b 5d 41 5c 41 5d 41 5e 41 5f c3 e8 a5 72 f7 fd <0f> 0b
4c 89 ef e8 8b 3d 47 fe e9 e6 fe ff ff 4c 89 ef e8 7e 3d 47
RSP: 0018:ffffc9000675f850 EFLAGS: 00010212
RAX: 000000000003f702 RBX: ffff88802100cc00 RCX: ffffc90002e49000
RDX: 0000000000040000 RSI: ffffffff8388e7eb RDI: 0000000000000005
RBP: 00000000fffffff4 R08: 0000000000000005 R09: 0000000000000000
R10: 00000000fffffff4 R11: 0000000032343854 R12: 0000000000000800
R13: ffff88802100cc7c R14: 0000000000000fff R15: 0000000000000000
FS: 00007f4717e0f640(0000) GS:ffff888063c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000505c10 CR3: 0000000018d77000 CR4: 0000000000750ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554

Kernel panic - not syncing: Fatal exception
Dumping ftrace buffer:
(ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 1 seconds..
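Qu's point above is that a crash preceded by a blind failslab injection has to be triaged differently from a crash the fuzzer found on its own. The script below is an added example for this thread (not code from the report, the kernel tree, Healer or syzkaller): it runs over a log in the format quoted above, records whether a FAULT_INJECTION event preceded the BUG, picks out the first non-allocator frame of the injection stack as the call site that was made to fail, and checks whether the BUG fired in a file that is on that same stack. The embedded sample log is a shortened excerpt of the trace in the report; the frame-line and message formats are taken from it, and the verdict wording and the list of allocator/infrastructure path prefixes are assumptions.

```python
"""Triage helper for fuzzer crash logs: was the kernel BUG preceded by a slab
fault injection, and which call site did the injected failure hit?
Added example for this thread; not code from the report, the kernel tree or
any fuzzer. Only the log line formats are taken from the quoted report."""
import re
from dataclasses import dataclass, field

FAULT_RE = re.compile(r"FAULT_INJECTION: forcing a failure\.")
FAULT_NAME_RE = re.compile(r"^name (\w+), interval \d+, probability \d+, space \d+, times \d+")
# "func+0x1a/0x2b path/file.c:123" or "func path/file.c:123 [inline]"
FRAME_RE = re.compile(r"^(\S+)\s+(\S+\.[ch]:\d+)(?:\s+\[inline\])?$")
BUG_RE = re.compile(r"kernel BUG at (\S+\.[ch]:\d+)!")
# Assumed set of fault-injection / allocator machinery paths; the frame of
# interest is the first one above these on the injection stack.
INFRA_PREFIXES = ("lib/", "mm/", "include/linux/slab.h")


@dataclass
class Triage:
    fault_injected: bool = False
    fault_name: str = ""
    fault_frames: list = field(default_factory=list)  # (func, file:line) of the injection stack
    alloc_call_site: str = ""  # first non-allocator frame: where the failed allocation was requested
    bug_location: str = ""

    @property
    def bug_in_fault_path(self) -> bool:
        """True when the BUG fires in a file that appears on the injected-failure stack."""
        bug_file = self.bug_location.rsplit(":", 1)[0]
        return bool(bug_file) and any(loc.rsplit(":", 1)[0] == bug_file for _, loc in self.fault_frames)

    @property
    def verdict(self) -> str:
        if not self.fault_injected:
            return "no fault injection seen before the BUG; treat as a genuine report"
        if self.bug_in_fault_path:
            return (f"{self.fault_name} failure injected at {self.alloc_call_site}; "
                    f"BUG at {self.bug_location} is on the same path: injection-induced, "
                    "check whether the call site can handle allocation failure before filing")
        return (f"{self.fault_name} failure injected at {self.alloc_call_site}, "
                f"BUG at {self.bug_location} elsewhere: needs manual triage")


def triage_log(text: str) -> Triage:
    """Scan a console log once; the injection stack runs from FAULT_INJECTION to </TASK>."""
    t = Triage()
    in_fault_trace = False
    for raw in text.splitlines():
        line = raw.strip()
        if FAULT_RE.search(line):
            t.fault_injected, in_fault_trace = True, True
            continue
        if in_fault_trace:
            m = FAULT_NAME_RE.match(line)
            if m:
                t.fault_name = m.group(1)
                continue
            m = FRAME_RE.match(line)
            if m:
                func, loc = m.groups()
                t.fault_frames.append((func, loc))
                if not t.alloc_call_site and not loc.startswith(INFRA_PREFIXES):
                    t.alloc_call_site = loc
                continue
            if line == "</TASK>":
                in_fault_trace = False
            continue
        m = BUG_RE.search(line)
        if m:
            t.bug_location = m.group(1)
    return t


# Shortened excerpt of the trace quoted in the report (constructed sample input).
SAMPLE_LOG = """\
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 1
CPU: 0 PID: 8428 Comm: syz-executor Not tainted 6.5.0-rc5 #1
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x132/0x150 lib/dump_stack.c:106
should_failslab+0x5/0x10 mm/slab_common.c:1471
kmalloc include/linux/slab.h:582 [inline]
ulist_add_merge fs/btrfs/ulist.c:210 [inline]
ulist_add_merge+0x16f/0x660 fs/btrfs/ulist.c:198
add_extent_changeset fs/btrfs/extent-io-tree.c:191 [inline]
set_state_bits.isra.0+0x11f/0x1c0 fs/btrfs/extent-io-tree.c:378
__set_extent_bit+0x418/0x15b0 fs/btrfs/extent-io-tree.c:1034
qgroup_reserve_data+0x233/0xa80 fs/btrfs/qgroup.c:3800
btrfs_buffered_write+0x4ec/0x1330 fs/btrfs/file.c:1250
vfs_write+0x989/0xdb0 fs/read_write.c:584
</TASK>
------------[ cut here ]------------
kernel BUG at fs/btrfs/extent-io-tree.c:379!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
"""

if __name__ == "__main__":
    print(triage_log(SAMPLE_LOG).verdict)
```

On the sample the script reports that a failslab failure was injected at fs/btrfs/ulist.c:210 and that the BUG at fs/btrfs/extent-io-tree.c:379 lies on the same stack, which is exactly the situation Qu describes: the first thing to look at is the call site's handling of an allocation failure, not the BUG itself.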