* [syzbot] WARNING in btrfs_block_rsv_release
From: syzbot @ 2022-10-21 4:45 UTC
To: clm, dsterba, josef, linux-btrfs, linux-kernel, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit: 493ffd6605b2 Merge tag 'ucount-rlimits-cleanups-for-v5.19'..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=1025dd72880000
kernel config: https://syzkaller.appspot.com/x/.config?x=d19f5d16783f901
dashboard link: https://syzkaller.appspot.com/bug?extid=dde7e853812ed57835ea
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17d16e6e880000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1672873c880000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/f1ff6481e26f/disk-493ffd66.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/101bd3c7ae47/vmlinux-493ffd66.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/df89d50ed284/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+dde7e853812ed57835ea@syzkaller.appspotmail.com

------------[ cut here ]------------
WARNING: CPU: 0 PID: 3612 at fs/btrfs/space-info.h:122 btrfs_space_info_free_bytes_may_use fs/btrfs/space-info.h:154 [inline]
WARNING: CPU: 0 PID: 3612 at fs/btrfs/space-info.h:122 block_rsv_release_bytes fs/btrfs/block-rsv.c:151 [inline]
WARNING: CPU: 0 PID: 3612 at fs/btrfs/space-info.h:122 btrfs_block_rsv_release+0x5d1/0x730 fs/btrfs/block-rsv.c:295
Modules linked in:
CPU: 0 PID: 3612 Comm: syz-executor894 Not tainted 6.0.0-syzkaller-09423-g493ffd6605b2 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
RIP: 0010:btrfs_space_info_update_bytes_may_use fs/btrfs/space-info.h:122 [inline]
RIP: 0010:btrfs_space_info_free_bytes_may_use fs/btrfs/space-info.h:154 [inline]
RIP: 0010:block_rsv_release_bytes fs/btrfs/block-rsv.c:151 [inline]
RIP: 0010:btrfs_block_rsv_release+0x5d1/0x730 fs/btrfs/block-rsv.c:295
Code: 8b 7c 24 10 74 08 4c 89 f7 e8 2b 94 33 fe 49 8b 1e 48 89 df 48 8b 2c 24 48 89 ee e8 a9 2b e0 fd 48 39 eb 73 0b e8 5f 29 e0 fd <0f> 0b 31 db eb 25 e8 54 29 e0 fd 48 b8 00 00 00 00 00 fc ff df 41
RSP: 0000:ffffc90003baf9e8 EFLAGS: 00010293
RAX: ffffffff83a657f1 RBX: 00000000000d0000 RCX: ffff888020c59d80
RDX: 0000000000000000 RSI: 00000000000e0000 RDI: 00000000000d0000
RBP: 00000000000e0000 R08: ffffffff83a657e7 R09: fffffbfff1c19fde
R10: fffffbfff1c19fde R11: 1ffffffff1c19fdd R12: 1ffff11004f2190c
R13: 00000000000e0000 R14: ffff88802790c860 R15: 0000000000000000
FS: 000055555651b300(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f207ed54000 CR3: 0000000026ea2000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 btrfs_release_global_block_rsv+0x2f/0x250 fs/btrfs/block-rsv.c:463
 btrfs_free_block_groups+0xb67/0xfd0 fs/btrfs/block-group.c:4053
 close_ctree+0x6c5/0xbde fs/btrfs/disk-io.c:4710
 generic_shutdown_super+0x130/0x310 fs/super.c:491
 kill_anon_super+0x36/0x60 fs/super.c:1085
 btrfs_kill_super+0x3d/0x50 fs/btrfs/super.c:2441
 deactivate_locked_super+0xa7/0xf0 fs/super.c:331
 cleanup_mnt+0x4ce/0x560 fs/namespace.c:1186
 task_work_run+0x146/0x1c0 kernel/task_work.c:177
 ptrace_notify+0x29a/0x340 kernel/signal.c:2354
 ptrace_report_syscall include/linux/ptrace.h:420 [inline]
 ptrace_report_syscall_exit include/linux/ptrace.h:482 [inline]
 syscall_exit_work+0x8c/0xe0 kernel/entry/common.c:249
 syscall_exit_to_user_mode_prepare+0x63/0xc0 kernel/entry/common.c:276
 __syscall_exit_to_user_mode_work kernel/entry/common.c:281 [inline]
 syscall_exit_to_user_mode+0xa/0x60 kernel/entry/common.c:294
 do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f694614c2f7
Code: 07 00 48 83 c4 08 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffee1dcd8e8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f694614c2f7
RDX: 00007ffee1dcd9a9 RSI: 000000000000000a RDI: 00007ffee1dcd9a0
RBP: 00007ffee1dcd9a0 R08: 00000000ffffffff R09: 00007ffee1dcd780
R10: 000055555651c653 R11: 0000000000000206 R12: 00007ffee1dcea20
R13: 000055555651c5f0 R14: 00007ffee1dcd910 R15: 0000000000000004
 </TASK>

---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
* Re: [syzbot] WARNING in btrfs_block_rsv_release
From: Hawkins Jiawei @ 2022-10-28 11:13 UTC
To: syzbot+dde7e853812ed57835ea, Chris Mason, Josef Bacik, David Sterba, Nathan Chancellor, Nick Desaulniers, Tom Rix
Cc: linux-btrfs, linux-kernel, syzkaller-bugs, yin31149, 18801353760, llvm

Hi,

According to my analysis, this bug seems to be related to
btrfs_free_reserved_bytes() (Please correct me if I am wrong).

To be more specific, in btrfs_new_extent_direct(), the kernel will
reserve space for the extent by btrfs_reserve_extent(), and
free that space by btrfs_free_reserved_extent() if
btrfs_create_dio_extent() fails (such as inject_fault in syzkaller).

Yet the problem is that when reserving space for the extent, the kernel will
convert it from ->bytes_may_use to ->bytes_reserved, in
btrfs_add_reserved_bytes(). But when freeing that space, the
kernel does not convert it from ->bytes_reserved back to
->bytes_may_use in btrfs_free_reserved_bytes(),
which triggers the above warning. (Please correct me if I am wrong)

So I think we can convert space from ->bytes_reserved back to
->bytes_may_use in btrfs_free_reserved_bytes() to solve this bug,
as below:

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

diff --git a/fs/btrfs/block-group.c b/fs/btrfs/block-group.c
index deebc8ddbd93..cb74fcbf7aaf 100644
--- a/fs/btrfs/block-group.c
+++ b/fs/btrfs/block-group.c
@@ -3415,6 +3415,11 @@ void btrfs_free_reserved_bytes(struct btrfs_block_group *cache,
 	space_info->bytes_reserved -= num_bytes;
 	space_info->max_extent_size = 0;
 
+	trace_btrfs_space_reservation(cache->fs_info, "space_info",
+				      space_info->flags, -num_bytes, 1);
+	btrfs_space_info_update_bytes_may_use(cache->fs_info,
+					      space_info, num_bytes);
+
 	if (delalloc)
 		cache->delalloc_bytes -= num_bytes;
 	spin_unlock(&cache->lock);
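Review bot: the give-back added inside btrfs_free_reserved_bytes() applies to every caller of that helper, while the analysis in this message only establishes that the btrfs_new_extent_direct() error path (btrfs_reserve_extent() followed by btrfs_free_reserved_extent() when btrfs_create_dio_extent() fails) loses its ->bytes_may_use accounting; any caller whose reservation was never carried in ->bytes_may_use would now have that counter over-credited, which is the mirror image of the underflow being fixed. Either scope the correction to that error path, or state in the changelog why every path reaching this helper came through btrfs_add_reserved_bytes() with a ->bytes_may_use reservation behind it. The explicit trace call "trace_btrfs_space_reservation(cache->fs_info, "space_info", space_info->flags, -num_bytes, 1);" also looks inconsistent with the update that follows it: it negates num_bytes yet passes the reserve flag as 1, although the accounting change is an increase of ->bytes_may_use; check whether btrfs_space_info_update_bytes_may_use() already emits this tracepoint for the update, in which case the extra call is redundant and should be dropped.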
* Re: [syzbot] WARNING in btrfs_block_rsv_release
From: syzbot @ 2022-10-28 14:02 UTC
To: 18801353760, clm, dsterba, josef, linux-btrfs, linux-kernel, llvm, nathan, ndesaulniers, syzkaller-bugs, trix, yin31149

Hello,

syzbot tried to test the proposed patch but the build/boot failed:
[ 10.905615][ T1] ------------[ cut here ]------------
[ 10.906603][ T1] WARNING: CPU: 0 PID: 1 at net/netlink/genetlink.c:383 genl_register_family+0x13c0/0x1540
[ 10.908115][ T1] Modules linked in:
[ 10.908691][ T1] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.1.0-rc2-syzkaller-00189-g23758867219c-dirty #0
[ 10.910145][ T1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
[ 10.911770][ T1] RIP: 0010:genl_register_family+0x13c0/0x1540
[ 10.912959][ T1] Code: 5d 41 5e 41 5f 5d c3 e8 fe 71 1b f9 0f 0b 41 be ea ff ff ff eb a2 e8 ef 71 1b f9 0f 0b 41 be ea ff ff ff eb 93 e8 e0 71 1b f9 <0f> 0b 41 be ea ff ff ff eb 84 44 89 e1 80 e1 07 38 c1 0f 8c bd ec
[ 10.915895][ T1] RSP: 0000:ffffc90000067820 EFLAGS: 00010293
[ 10.916967][ T1] RAX: ffffffff886c5e00 RBX: 0000000000000001 RCX: ffff888140170000
[ 10.918151][ T1] RDX: 0000000000000000 RSI: 0000000000000003 RDI: 0000000000000000
[ 10.919312][ T1] RBP: ffffc90000067950 R08: ffffffff886c4e33 R09: fffffbfff1c1b606
[ 10.920882][ T1] R10: fffffbfff1c1b606 R11: 1ffffffff1c1b605 R12: dffffc0000000000
[ 10.922497][ T1] R13: ffffffff8c582448 R14: 0000000000000000 R15: 0000000000000003
[ 10.924081][ T1] FS: 0000000000000000(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
[ 10.925774][ T1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 10.926982][ T1] CR2: ffff88823ffff000 CR3: 000000000c88e000 CR4: 00000000003506f0
[ 10.928082][ T1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 10.929173][ T1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 10.930397][ T1] Call Trace:
[ 10.931035][ T1] <TASK>
[ 10.931558][ T1] ? nlmsg_trim+0xa0/0xa0
[ 10.932566][ T1] ? genl_unlock+0x20/0x20
[ 10.933372][ T1] dp_register_genl+0x40/0x136
[ 10.934400][ T1] dp_init+0x11a/0x140
[ 10.935312][ T1] ? psample_module_init+0x11/0x11
[ 10.936082][ T1] do_one_initcall+0x1c9/0x400
[ 10.936955][ T1] ? IS_ERR_OR_NULL+0x20/0x20
[ 10.937621][ T1] ? lockdep_hardirqs_on_prepare+0x428/0x790
[ 10.939048][ T1] ? print_irqtrace_events+0x220/0x220
[ 10.939975][ T1] ? asm_sysvec_reschedule_ipi+0x16/0x20
[ 10.941100][ T1] ? lockdep_hardirqs_on+0x8d/0x130
[ 10.942031][ T1] ? asm_sysvec_reschedule_ipi+0x16/0x20
[ 10.942955][ T1] ? parameq+0xba/0x210
[ 10.943611][ T1] ? strlen+0x41/0x60
[ 10.944217][ T1] ? parameq+0x198/0x210
[ 10.944962][ T1] ? parse_one+0x141/0x520
[ 10.945749][ T1] ? do_initcall_level+0x218/0x218
[ 10.946940][ T1] ? ignore_unknown_bootoption+0x5/0x8
[ 10.948340][ T1] ? parse_args+0x4e1/0x590
[ 10.949153][ T1] ? rcu_read_lock_sched_held+0x87/0x110
[ 10.950180][ T1] ? __bpf_trace_rcu_stall_warning+0x10/0x10
[ 10.951083][ T1] ? rcu_read_lock_sched_held+0x87/0x110
[ 10.952908][ T1] ? __bpf_trace_rcu_stall_warning+0x10/0x10
[ 10.953863][ T1] do_initcall_level+0x168/0x218
[ 10.954847][ T1] do_initcalls+0x4b/0x8c
[ 10.955707][ T1] kernel_init_freeable+0x428/0x5d5
[ 10.957030][ T1] ? report_meminit+0x64/0x64
[ 10.957791][ T1] ? _raw_spin_lock_irq+0xba/0xf0
[ 10.958675][ T1] ? do_raw_spin_unlock+0x134/0x8a0
[ 10.959494][ T1] ? _raw_spin_unlock_irq+0x1f/0x40
[ 10.960315][ T1] ? lockdep_hardirqs_on+0x8d/0x130
[ 10.961095][ T1] ? rest_init+0x270/0x270
[ 10.961718][ T1] kernel_init+0x19/0x2b0
[ 10.962440][ T1] ? rest_init+0x270/0x270
[ 10.963209][ T1] ret_from_fork+0x1f/0x30
[ 10.964022][ T1] </TASK>
[ 10.964468][ T1] Kernel panic - not syncing: panic_on_warn set ...
[ 10.965668][ T1] Kernel Offset: disabled
[ 10.965668][ T1] Rebooting in 86400 seconds..
syzkaller build log:
Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=15b1c4ca880000

Tested on:

commit: 23758867 Merge tag 'net-6.1-rc3-2' of git://git.kernel..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
kernel config: https://syzkaller.appspot.com/x/.config?x=1d3548a4365ba17d
dashboard link: https://syzkaller.appspot.com/bug?extid=dde7e853812ed57835ea
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=14540cfc880000
* Re: [syzbot] WARNING in btrfs_block_rsv_release 2022-10-28 14:02 ` syzbot @ 2022-10-28 15:05 ` Hawkins Jiawei 2022-10-28 15:29 ` syzbot 2022-10-28 15:32 ` Hawkins Jiawei 0 siblings, 2 replies; 8+ messages in thread 
From: Hawkins Jiawei @ 2022-10-28 15:05 UTC (permalink / raw) To: syzbot+dde7e853812ed57835ea, Chris Mason, Josef Bacik, David Sterba, Nathan Chancellor, Nick Desaulniers, Tom Rix Cc: 18801353760, linux-btrfs, linux-kernel, llvm, syzkaller-bugs, yin31149 On Fri, 28 Oct 2022 at 19:14, Hawkins Jiawei <yin31149@gmail.com> wrote: > > Hi, > > Hello, > > > > syzbot found the following issue on: > > > > HEAD commit: 493ffd6605b2 Merge tag 'ucount-rlimits-cleanups-for-v5.19'.. > > git tree: upstream > > console+strace: https://syzkaller.appspot.com/x/log.txt?x=1025dd72880000 > > kernel config: https://syzkaller.appspot.com/x/.config?x=d19f5d16783f901 > > dashboard link: https://syzkaller.appspot.com/bug?extid=dde7e853812ed57835ea > > compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2 > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17d16e6e880000 > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1672873c880000 > > > > Downloadable assets: > > disk image: https://storage.googleapis.com/syzbot-assets/f1ff6481e26f/disk-493ffd66.raw.xz > > vmlinux: https://storage.googleapis.com/syzbot-assets/101bd3c7ae47/vmlinux-493ffd66.xz > > mounted in repro: https://storage.googleapis.com/syzbot-assets/df89d50ed284/mount_0.gz > > > > IMPORTANT: if you fix the issue, please add the following tag to the commit: > > Reported-by: syzbot+dde7e853812ed57835ea@syzkaller.appspotmail.com > > > > ------------[ cut here ]------------ > > WARNING: CPU: 0 PID: 3612 at fs/btrfs/space-info.h:122 btrfs_space_info_free_bytes_may_use fs/btrfs/space-info.h:154 [inline] > > WARNING: CPU: 0 PID: 3612 at fs/btrfs/space-info.h:122 block_rsv_release_bytes fs/btrfs/block-rsv.c:151 [inline] > > WARNING: CPU: 0 PID: 3612 at fs/btrfs/space-info.h:122 btrfs_block_rsv_release+0x5d1/0x730 fs/btrfs/block-rsv.c:295 > > Modules linked in: > > CPU: 0 PID: 3612 Comm: syz-executor894 Not tainted 
6.0.0-syzkaller-09423-g493ffd6605b2 #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
> > RIP: 0010:btrfs_space_info_update_bytes_may_use fs/btrfs/space-info.h:122 [inline]
> > RIP: 0010:btrfs_space_info_free_bytes_may_use fs/btrfs/space-info.h:154 [inline]
> > RIP: 0010:block_rsv_release_bytes fs/btrfs/block-rsv.c:151 [inline]
> > RIP: 0010:btrfs_block_rsv_release+0x5d1/0x730 fs/btrfs/block-rsv.c:295
> > Code: 8b 7c 24 10 74 08 4c 89 f7 e8 2b 94 33 fe 49 8b 1e 48 89 df 48 8b 2c 24 48 89 ee e8 a9 2b e0 fd 48 39 eb 73 0b e8 5f 29 e0 fd <0f> 0b 31 db eb 25 e8 54 29 e0 fd 48 b8 00 00 00 00 00 fc ff df 41
> > RSP: 0000:ffffc90003baf9e8 EFLAGS: 00010293
> > RAX: ffffffff83a657f1 RBX: 00000000000d0000 RCX: ffff888020c59d80
> > RDX: 0000000000000000 RSI: 00000000000e0000 RDI: 00000000000d0000
> > RBP: 00000000000e0000 R08: ffffffff83a657e7 R09: fffffbfff1c19fde
> > R10: fffffbfff1c19fde R11: 1ffffffff1c19fdd R12: 1ffff11004f2190c
> > R13: 00000000000e0000 R14: ffff88802790c860 R15: 0000000000000000
> > FS:  000055555651b300(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
> > CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: 00007f207ed54000 CR3: 0000000026ea2000 CR4: 00000000003506f0
> > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> > Call Trace:
> >  <TASK>
> >  btrfs_release_global_block_rsv+0x2f/0x250 fs/btrfs/block-rsv.c:463
> >  btrfs_free_block_groups+0xb67/0xfd0 fs/btrfs/block-group.c:4053
> >  close_ctree+0x6c5/0xbde fs/btrfs/disk-io.c:4710
> >  generic_shutdown_super+0x130/0x310 fs/super.c:491
> >  kill_anon_super+0x36/0x60 fs/super.c:1085
> >  btrfs_kill_super+0x3d/0x50 fs/btrfs/super.c:2441
> >  deactivate_locked_super+0xa7/0xf0 fs/super.c:331
> >  cleanup_mnt+0x4ce/0x560 fs/namespace.c:1186
> >  task_work_run+0x146/0x1c0 kernel/task_work.c:177
> >  ptrace_notify+0x29a/0x340 kernel/signal.c:2354
> >  ptrace_report_syscall include/linux/ptrace.h:420 [inline]
> >  ptrace_report_syscall_exit include/linux/ptrace.h:482 [inline]
> >  syscall_exit_work+0x8c/0xe0 kernel/entry/common.c:249
> >  syscall_exit_to_user_mode_prepare+0x63/0xc0 kernel/entry/common.c:276
> >  __syscall_exit_to_user_mode_work kernel/entry/common.c:281 [inline]
> >  syscall_exit_to_user_mode+0xa/0x60 kernel/entry/common.c:294
> >  do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86
> >  entry_SYSCALL_64_after_hwframe+0x63/0xcd
> > RIP: 0033:0x7f694614c2f7
> > Code: 07 00 48 83 c4 08 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
> > RSP: 002b:00007ffee1dcd8e8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a6
> > RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f694614c2f7
> > RDX: 00007ffee1dcd9a9 RSI: 000000000000000a RDI: 00007ffee1dcd9a0
> > RBP: 00007ffee1dcd9a0 R08: 00000000ffffffff R09: 00007ffee1dcd780
> > R10: 000055555651c653 R11: 0000000000000206 R12: 00007ffee1dcea20
> > R13: 000055555651c5f0 R14: 00007ffee1dcd910 R15: 0000000000000004
> >  </TASK>
>
> According to my analysis, this bug seems to be related to
> btrfs_free_reserved_bytes() (Please correct me if I am wrong).
>
> To be more specific, in btrfs_new_extent_direct(), the kernel
> reserves space for the extent by btrfs_reserve_extent(), and
> frees that space by btrfs_free_reserved_extent() if
> btrfs_create_dio_extent() fails (such as inject_fault in the syzkaller).
>
> Yet the problem is that when reserving space for the extent, the kernel
> converts it from ->bytes_may_use to ->bytes_reserved, in
> btrfs_add_reserved_bytes(). But in freeing that space, the
> kernel does not convert it from ->bytes_reserved back to
> ->bytes_may_use in btrfs_free_reserved_bytes(),
> which triggers the above warning. (Please correct me if I am wrong)
>
> So I think we can convert space from ->bytes_reserved back to
> ->bytes_may_use in btrfs_free_reserved_bytes() to solve this bug,
> as below:
>

It seems that syzbot build/boot failed because of some irrelevant reason.
Try the specific kernel version.

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 493ffd6605b2d3d4dc7008ab927dba319f36671f

diff --git a/fs/btrfs/block-group.c b/fs/btrfs/block-group.c index deebc8ddbd93..cb74fcbf7aaf 100644 --- a/fs/btrfs/block-group.c +++ b/fs/btrfs/block-group.c @@ -3415,6 +3415,11 @@ void btrfs_free_reserved_bytes(struct btrfs_block_group *cache, space_info->bytes_reserved -= num_bytes; space_info->max_extent_size = 0; + trace_btrfs_space_reservation(cache->fs_info, "space_info", + space_info->flags, -num_bytes, 1); + btrfs_space_info_update_bytes_may_use(cache->fs_info, + space_info, num_bytes); + if (delalloc) cache->delalloc_bytes -= num_bytes; spin_unlock(&cache->lock);
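Review bot: the hunk moves num_bytes back into bytes_may_use unconditionally inside btrfs_free_reserved_bytes(), but the justification in the mail covers only the btrfs_new_extent_direct() error path where btrfs_create_dio_extent() fails; the helper is generic, so any other caller that frees reserved bytes without a matching outstanding may_use reservation would be left with bytes_may_use inflated by num_bytes. Either restrict the conversion to that error path (a flag argument, or do it in the caller right after btrfs_free_reserved_extent()) or state in the commit message why every caller of this helper wants it. The added `trace_btrfs_space_reservation(cache->fs_info, "space_info", space_info->flags, -num_bytes, 1)` also needs a one-line comment: it logs a negative amount with the reserve flag set to 1, and a reader of the trace has no way to tell what that combination is meant to record.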
* Re: [syzbot] WARNING in btrfs_block_rsv_release
From: syzbot @ 2022-10-28 15:29 UTC
To: 18801353760, clm, dsterba, josef, linux-btrfs, linux-kernel, llvm, nathan, ndesaulniers, syzkaller-bugs, trix, yin31149

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to apply patch:
checking file fs/btrfs/block-group.c
patch: **** unexpected end of file in patch

Tested on:

commit:         493ffd66 Merge tag 'ucount-rlimits-cleanups-for-v5.19'..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
dashboard link: https://syzkaller.appspot.com/bug?extid=dde7e853812ed57835ea
compiler:
patch:          https://syzkaller.appspot.com/x/patch.diff?x=121ea041880000
* Re: [syzbot] WARNING in btrfs_block_rsv_release
From: Hawkins Jiawei @ 2022-10-28 15:32 UTC
To: syzbot+dde7e853812ed57835ea, Chris Mason, Josef Bacik, David Sterba, Nathan Chancellor, Nick Desaulniers, Tom Rix
Cc: 18801353760, linux-btrfs, linux-kernel, llvm, syzkaller-bugs

On Fri, 28 Oct 2022 at 23:06, Hawkins Jiawei <yin31149@gmail.com> wrote:
>
> On Fri, 28 Oct 2022 at 19:14, Hawkins Jiawei <yin31149@gmail.com> wrote:
> >
> > Hi,
> > > Hello,
> > >
> > > syzbot found the following issue on:
> > >
> > > HEAD commit:    493ffd6605b2 Merge tag 'ucount-rlimits-cleanups-for-v5.19'..
> > > git tree:       upstream
> > > console+strace: https://syzkaller.appspot.com/x/log.txt?x=1025dd72880000
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=d19f5d16783f901
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=dde7e853812ed57835ea
> > > compiler:       Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
> > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=17d16e6e880000
> > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1672873c880000
> > >
> > > Downloadable assets:
> > > disk image: https://storage.googleapis.com/syzbot-assets/f1ff6481e26f/disk-493ffd66.raw.xz
> > > vmlinux: https://storage.googleapis.com/syzbot-assets/101bd3c7ae47/vmlinux-493ffd66.xz
> > > mounted in repro: https://storage.googleapis.com/syzbot-assets/df89d50ed284/mount_0.gz
> > >
> > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > Reported-by: syzbot+dde7e853812ed57835ea@syzkaller.appspotmail.com
> > >
> > > ------------[ cut here ]------------
> > > WARNING: CPU: 0 PID: 3612 at fs/btrfs/space-info.h:122 btrfs_space_info_free_bytes_may_use fs/btrfs/space-info.h:154 [inline]
> > > WARNING: CPU: 0 PID: 3612 at fs/btrfs/space-info.h:122 block_rsv_release_bytes fs/btrfs/block-rsv.c:151 [inline]
> > > WARNING: CPU: 0 PID: 3612 at fs/btrfs/space-info.h:122 btrfs_block_rsv_release+0x5d1/0x730 fs/btrfs/block-rsv.c:295
> > > Modules linked in:
> > > CPU: 0 PID: 3612 Comm: syz-executor894 Not tainted 6.0.0-syzkaller-09423-g493ffd6605b2 #0
> > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
> > > RIP: 0010:btrfs_space_info_update_bytes_may_use fs/btrfs/space-info.h:122 [inline]
> > > RIP: 0010:btrfs_space_info_free_bytes_may_use fs/btrfs/space-info.h:154 [inline]
> > > RIP: 0010:block_rsv_release_bytes fs/btrfs/block-rsv.c:151 [inline]
> > > RIP: 0010:btrfs_block_rsv_release+0x5d1/0x730 fs/btrfs/block-rsv.c:295
> > > Code: 8b 7c 24 10 74 08 4c 89 f7 e8 2b 94 33 fe 49 8b 1e 48 89 df 48 8b 2c 24 48 89 ee e8 a9 2b e0 fd 48 39 eb 73 0b e8 5f 29 e0 fd <0f> 0b 31 db eb 25 e8 54 29 e0 fd 48 b8 00 00 00 00 00 fc ff df 41
> > > RSP: 0000:ffffc90003baf9e8 EFLAGS: 00010293
> > > RAX: ffffffff83a657f1 RBX: 00000000000d0000 RCX: ffff888020c59d80
> > > RDX: 0000000000000000 RSI: 00000000000e0000 RDI: 00000000000d0000
> > > RBP: 00000000000e0000 R08: ffffffff83a657e7 R09: fffffbfff1c19fde
> > > R10: fffffbfff1c19fde R11: 1ffffffff1c19fdd R12: 1ffff11004f2190c
> > > R13: 00000000000e0000 R14: ffff88802790c860 R15: 0000000000000000
> > > FS:  000055555651b300(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
> > > CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > > CR2: 00007f207ed54000 CR3: 0000000026ea2000 CR4: 00000000003506f0
> > > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> > > Call Trace:
> > >  <TASK>
> > >  btrfs_release_global_block_rsv+0x2f/0x250 fs/btrfs/block-rsv.c:463
> > >  btrfs_free_block_groups+0xb67/0xfd0 fs/btrfs/block-group.c:4053
> > >  close_ctree+0x6c5/0xbde fs/btrfs/disk-io.c:4710
> > >  generic_shutdown_super+0x130/0x310 fs/super.c:491
> > >  kill_anon_super+0x36/0x60 fs/super.c:1085
> > >  btrfs_kill_super+0x3d/0x50 fs/btrfs/super.c:2441
> > >  deactivate_locked_super+0xa7/0xf0 fs/super.c:331
> > >  cleanup_mnt+0x4ce/0x560 fs/namespace.c:1186
> > >  task_work_run+0x146/0x1c0 kernel/task_work.c:177
> > >  ptrace_notify+0x29a/0x340 kernel/signal.c:2354
> > >  ptrace_report_syscall include/linux/ptrace.h:420 [inline]
> > >  ptrace_report_syscall_exit include/linux/ptrace.h:482 [inline]
> > >  syscall_exit_work+0x8c/0xe0 kernel/entry/common.c:249
> > >  syscall_exit_to_user_mode_prepare+0x63/0xc0 kernel/entry/common.c:276
> > >  __syscall_exit_to_user_mode_work kernel/entry/common.c:281 [inline]
> > >  syscall_exit_to_user_mode+0xa/0x60 kernel/entry/common.c:294
> > >  do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86
> > >  entry_SYSCALL_64_after_hwframe+0x63/0xcd
> > > RIP: 0033:0x7f694614c2f7
> > > Code: 07 00 48 83 c4 08 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
> > > RSP: 002b:00007ffee1dcd8e8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a6
> > > RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f694614c2f7
> > > RDX: 00007ffee1dcd9a9 RSI: 000000000000000a RDI: 00007ffee1dcd9a0
> > > RBP: 00007ffee1dcd9a0 R08: 00000000ffffffff R09: 00007ffee1dcd780
> > > R10: 000055555651c653 R11: 0000000000000206 R12: 00007ffee1dcea20
> > > R13: 000055555651c5f0 R14: 00007ffee1dcd910 R15: 0000000000000004
> > >  </TASK>
> >
> > According to my analysis, this bug seems to be related to
> > btrfs_free_reserved_bytes() (Please correct me if I am wrong).
> >
> > To be more specific, in btrfs_new_extent_direct(), the kernel
> > reserves space for the extent by btrfs_reserve_extent(), and
> > frees that space by btrfs_free_reserved_extent() if
> > btrfs_create_dio_extent() fails (such as inject_fault in the syzkaller).
> >
> > Yet the problem is that when reserving space for the extent, the kernel
> > converts it from ->bytes_may_use to ->bytes_reserved, in
> > btrfs_add_reserved_bytes(). But in freeing that space, the
> > kernel does not convert it from ->bytes_reserved back to
> > ->bytes_may_use in btrfs_free_reserved_bytes(),
> > which triggers the above warning. (Please correct me if I am wrong)
> >
> > So I think we can convert space from ->bytes_reserved back to
> > ->bytes_may_use in btrfs_free_reserved_bytes() to solve this bug,
> > as below:
> >
>
> It seems that syzbot build/boot failed because of some
> irrelevant reason. Try the specific kernel version.

It seems that the syzbot got the incomplete patch from email, so use a
text attachment instead.

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 493ffd6605b2d3d4dc7008ab927dba319f36671f

[-- Attachment #2: 0001-btrfs-fix.patch --]

From 73a1a6c012a5b89a31696bc8b0377243a08c875a Mon Sep 17 00:00:00 2001
From: Hawkins Jiawei <yin31149@gmail.com>
Date: Fri, 28 Oct 2022 16:45:30 +0800

Signed-off-by: Hawkins Jiawei <yin31149@gmail.com>
---
 fs/btrfs/block-group.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/fs/btrfs/block-group.c b/fs/btrfs/block-group.c index deebc8ddbd93..cb74fcbf7aaf 100644 --- a/fs/btrfs/block-group.c +++ b/fs/btrfs/block-group.c @@ -3415,6 +3415,11 @@ void btrfs_free_reserved_bytes(struct btrfs_block_group *cache, space_info->bytes_reserved -= num_bytes; space_info->max_extent_size = 0; + trace_btrfs_space_reservation(cache->fs_info, "space_info", + space_info->flags, -num_bytes, 1); + btrfs_space_info_update_bytes_may_use(cache->fs_info, + space_info, num_bytes); + if (delalloc) cache->delalloc_bytes -= num_bytes; spin_unlock(&cache->lock);
--
2.25.1
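Review bot: the attached patch carries no Subject line and no description between the Date: and Signed-off-by: lines, so the reasoning given in the mail body (bytes_reserved is not converted back to bytes_may_use when btrfs_create_dio_extent() fails after btrfs_reserve_extent()) would never reach git history; add a subject of the form "btrfs: <summary>" plus that explanation, and the Reported-by: syzbot+dde7e853812ed57835ea@syzkaller.appspotmail.com tag the report asked for. The hunk is byte-for-byte the one posted inline earlier, so the earlier point stands: it changes the accounting for every caller of btrfs_free_reserved_bytes(), not only the direct-IO error path the description would justify.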
* Re: [syzbot] WARNING in btrfs_block_rsv_release
From: syzbot @ 2022-10-28 16:25 UTC
To: 18801353760, clm, dsterba, josef, linux-btrfs, linux-kernel, llvm, nathan, ndesaulniers, syzkaller-bugs, trix, yin31149

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+dde7e853812ed57835ea@syzkaller.appspotmail.com

Tested on:

commit:         493ffd66 Merge tag 'ucount-rlimits-cleanups-for-v5.19'..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=17bdd716880000
kernel config:  https://syzkaller.appspot.com/x/.config?x=d19f5d16783f901
dashboard link: https://syzkaller.appspot.com/bug?extid=dde7e853812ed57835ea
compiler:       Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
patch:          https://syzkaller.appspot.com/x/patch.diff?x=11e315ce880000

Note: testing is done by a robot and is best-effort only.
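The ->bytes_may_use / ->bytes_reserved accounting from Hawkins Jiawei's analysis quoted above, replayed as an added user-space C model; this is not kernel code and not the thread's patch. Field and function names mirror the kernel's, the logic is a constructed toy, and the convert_back flag stands in for the proposed hunk.

```c
/* Added example, not code from the thread or the kernel: a user-space model of
 * the btrfs space_info counters in the analysis above. Names mirror the
 * kernel's fields and functions; the logic is a constructed toy. */
#include <stdbool.h>
#include <stdint.h>

struct space_info {
	int64_t bytes_may_use;  /* space promised to a caller, not yet allocated */
	int64_t bytes_reserved; /* space backing an allocated, unwritten extent */
	bool warned;            /* set where the kernel WARNs (space-info.h:122) */
};

/* Model of btrfs_space_info_update_bytes_may_use(): flag a release that would
 * take bytes_may_use below zero instead of silently underflowing. */
static void update_bytes_may_use(struct space_info *si, int64_t bytes)
{
	if (bytes < 0 && si->bytes_may_use < -bytes)
		si->warned = true;
	si->bytes_may_use += bytes;
}

/* Model of btrfs_add_reserved_bytes(): may_use -> reserved. */
static void add_reserved_bytes(struct space_info *si, int64_t num_bytes)
{
	si->bytes_reserved += num_bytes;
	update_bytes_may_use(si, -num_bytes);
}

/* Model of btrfs_free_reserved_bytes(); convert_back models the proposed
 * hunk, which moves the freed space back to may_use. */
static void free_reserved_bytes(struct space_info *si, int64_t num_bytes, bool convert_back)
{
	si->bytes_reserved -= num_bytes;
	if (convert_back)
		update_bytes_may_use(si, num_bytes);
}

/* Replay the path from the analysis: caller reserves, btrfs_reserve_extent()
 * converts, btrfs_create_dio_extent() fails, the extent is freed, then the
 * caller releases its original reservation (block_rsv_release_bytes() in
 * the report). Returns true if the model hit the warning condition. */
bool replay_dio_error_path(int64_t num_bytes, bool convert_back)
{
	struct space_info si = { 0, 0, false };
	update_bytes_may_use(&si, num_bytes);              /* caller reserves */
	add_reserved_bytes(&si, num_bytes);                /* btrfs_reserve_extent() */
	free_reserved_bytes(&si, num_bytes, convert_back); /* btrfs_free_reserved_extent() */
	update_bytes_may_use(&si, -num_bytes);             /* caller releases */
	return si.warned;
}
```

With convert_back false the final release finds bytes_may_use already at zero and trips the warning; with it true the counters return to zero, which is the behaviour syzbot's test run reports.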
* Re: [syzbot] [btrfs?] WARNING in btrfs_block_rsv_release
From: syzbot @ 2024-02-03 2:07 UTC
To: 18801353760, anand.jain, brauner, clm, dsterba, johannes.thumshirn, josef, linux-btrfs, linux-fsdevel, linux-kernel, llvm, nathan, ndesaulniers, syzkaller-bugs, trix, yin31149

syzbot suspects this issue was fixed by commit:

commit a1912f712188291f9d7d434fba155461f1ebef66
Author: Josef Bacik <josef@toxicpanda.com>
Date:   Wed Nov 22 17:17:55 2023 +0000

    btrfs: remove code for inode_cache and recovery mount options

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=149a0a38180000
start commit:   7287904c8771 Merge tag 'for-linus-2023011801' of git://git..
git tree:       upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=d24faf5fc10540ae
dashboard link: https://syzkaller.appspot.com/bug?extid=dde7e853812ed57835ea
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=14f7a805480000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=10df5afe480000

If the result looks correct, please mark the issue as fixed by replying with:

#syz fix: btrfs: remove code for inode_cache and recovery mount options

For information about bisection process see: https://goo.gl/tpsmEJ#bisection