2023-07-01 21:29:30

by syzbot

Subject: [syzbot] [btrfs?] kernel BUG in prepare_to_merge

Hello,

syzbot found the following issue on:

HEAD commit: 533925cb7604 Merge tag 'riscv-for-linus-6.5-mw1' of git://..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14d8b610a80000
kernel config: https://syzkaller.appspot.com/x/.config?x=12464973c17d2b37
dashboard link: https://syzkaller.appspot.com/bug?extid=ae97a827ae1c3336bbb4
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/7b23da6a6f6c/disk-533925cb.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/f163e9ea9946/vmlinux-533925cb.xz
kernel image: https://storage.googleapis.com/syzbot-assets/5b943aa5a1e1/bzImage-533925cb.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]

assertion failed: root->reloc_root == reloc_root, in fs/btrfs/relocation.c:1919
------------[ cut here ]------------
kernel BUG at fs/btrfs/relocation.c:1919!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 9904 Comm: syz-executor.3 Not tainted 6.4.0-syzkaller-08881-g533925cb7604 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
RIP: 0010:prepare_to_merge+0xbb2/0xc40 fs/btrfs/relocation.c:1919
Code: fe e9 f5 f7 ff ff e8 6d 62 ec fd 48 c7 c7 20 5e 4b 8b 48 c7 c6 c0 6d 4b 8b 48 c7 c2 a0 5e 4b 8b b9 7f 07 00 00 e8 8e d8 15 07 <0f> 0b e8 d7 17 18 07 f3 0f 1e fa e8 3e 62 ec fd 43 80 3c 2f 00 74
RSP: 0018:ffffc9000325f760 EFLAGS: 00010246
RAX: 000000000000004f RBX: ffff888075644030 RCX: 1481ccc522da5800
RDX: ffffc90005c09000 RSI: 00000000000364ca RDI: 00000000000364cb
RBP: ffffc9000325f870 R08: ffffffff816f33ac R09: 1ffff9200064bea0
R10: dffffc0000000000 R11: fffff5200064bea1 R12: ffff888075644000
R13: ffff88803b166000 R14: ffff88803b166560 R15: ffff88803b166558
FS: 00007f4e305fd700(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000056080679c000 CR3: 00000000193ad000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
relocate_block_group+0xa5d/0xcd0 fs/btrfs/relocation.c:3749
btrfs_relocate_block_group+0x7ab/0xd70 fs/btrfs/relocation.c:4087
btrfs_relocate_chunk+0x12c/0x3b0 fs/btrfs/volumes.c:3283
__btrfs_balance+0x1b06/0x2690 fs/btrfs/volumes.c:4018
btrfs_balance+0xbdb/0x1120 fs/btrfs/volumes.c:4402
btrfs_ioctl_balance+0x496/0x7c0 fs/btrfs/ioctl.c:3604
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl+0xf8/0x170 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f4e2f88c389
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f4e305fd168 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f4e2f9abf80 RCX: 00007f4e2f88c389
RDX: 00000000200003c0 RSI: 00000000c4009420 RDI: 0000000000000005
RBP: 00007f4e2f8d7493 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffdbefc213f R14: 00007f4e305fd300 R15: 0000000000022000
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:prepare_to_merge+0xbb2/0xc40 fs/btrfs/relocation.c:1919
Code: fe e9 f5 f7 ff ff e8 6d 62 ec fd 48 c7 c7 20 5e 4b 8b 48 c7 c6 c0 6d 4b 8b 48 c7 c2 a0 5e 4b 8b b9 7f 07 00 00 e8 8e d8 15 07 <0f> 0b e8 d7 17 18 07 f3 0f 1e fa e8 3e 62 ec fd 43 80 3c 2f 00 74
RSP: 0018:ffffc9000325f760 EFLAGS: 00010246
RAX: 000000000000004f RBX: ffff888075644030 RCX: 1481ccc522da5800
RDX: ffffc90005c09000 RSI: 00000000000364ca RDI: 00000000000364cb
RBP: ffffc9000325f870 R08: ffffffff816f33ac R09: 1ffff9200064bea0
R10: dffffc0000000000 R11: fffff5200064bea1 R12: ffff888075644000
R13: ffff88803b166000 R14: ffff88803b166560 R15: ffff88803b166558
FS: 00007f4e305fd700(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055555657e888 CR3: 00000000193ad000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to change the bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup


2023-07-03 05:34:51

by syzbot

Subject: Re: [syzbot] [btrfs?] kernel BUG in prepare_to_merge

syzbot has found a reproducer for the following issue on:

HEAD commit: 995b406c7e97 Merge tag 'csky-for-linus-6.5' of https://git..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1172e02ca80000
kernel config: https://syzkaller.appspot.com/x/.config?x=71a52faf60231bc7
dashboard link: https://syzkaller.appspot.com/bug?extid=ae97a827ae1c3336bbb4
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11e6ddf0a80000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/01122b567c73/disk-995b406c.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/75b7a37e981e/vmlinux-995b406c.xz
kernel image: https://storage.googleapis.com/syzbot-assets/758b5afcf092/bzImage-995b406c.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/96451b8f418b/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]

assertion failed: root->reloc_root == reloc_root, in fs/btrfs/relocation.c:1919
------------[ cut here ]------------
kernel BUG at fs/btrfs/relocation.c:1919!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 7760 Comm: syz-executor.5 Not tainted 6.4.0-syzkaller-10098-g995b406c7e97 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
RIP: 0010:prepare_to_merge+0xbb2/0xc40 fs/btrfs/relocation.c:1919
Code: fe e9 f5 f7 ff ff e8 9d ab eb fd 48 c7 c7 a0 67 4b 8b 48 c7 c6 40 77 4b 8b 48 c7 c2 20 68 4b 8b b9 7f 07 00 00 e8 0e 7a 17 07 <0f> 0b e8 57 b9 19 07 f3 0f 1e fa e8 6e ab eb fd 43 80 3c 2f 00 74
RSP: 0018:ffffc9000bf47760 EFLAGS: 00010246
RAX: 000000000000004f RBX: ffff88807b35e030 RCX: ab28d7f10bef9500
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: ffffc9000bf47870 R08: ffffffff816f481c R09: 1ffff920017e8ea0
R10: dffffc0000000000 R11: fffff520017e8ea1 R12: ffff88807b35e000
R13: ffff888021ffc000 R14: ffff888021ffc560 R15: ffff888021ffc558
FS: 00007fef4adf9700(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f846a5fe000 CR3: 000000001ec2d000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
relocate_block_group+0xa5d/0xcd0 fs/btrfs/relocation.c:3749
btrfs_relocate_block_group+0x7ab/0xd70 fs/btrfs/relocation.c:4087
btrfs_relocate_chunk+0x12c/0x3b0 fs/btrfs/volumes.c:3283
__btrfs_balance+0x1b06/0x2690 fs/btrfs/volumes.c:4018
btrfs_balance+0xbdb/0x1120 fs/btrfs/volumes.c:4402
btrfs_ioctl_balance+0x496/0x7c0 fs/btrfs/ioctl.c:3604
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl+0xf8/0x170 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fef4a08c389
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fef4adf9168 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fef4a1abf80 RCX: 00007fef4a08c389
RDX: 00000000200003c0 RSI: 00000000c4009420 RDI: 0000000000000005
RBP: 00007fef4a0d7493 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffec9c8752f R14: 00007fef4adf9300 R15: 0000000000022000
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:prepare_to_merge+0xbb2/0xc40 fs/btrfs/relocation.c:1919
Code: fe e9 f5 f7 ff ff e8 9d ab eb fd 48 c7 c7 a0 67 4b 8b 48 c7 c6 40 77 4b 8b 48 c7 c2 20 68 4b 8b b9 7f 07 00 00 e8 0e 7a 17 07 <0f> 0b e8 57 b9 19 07 f3 0f 1e fa e8 6e ab eb fd 43 80 3c 2f 00 74
RSP: 0018:ffffc9000bf47760 EFLAGS: 00010246
RAX: 000000000000004f RBX: ffff88807b35e030 RCX: ab28d7f10bef9500
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: ffffc9000bf47870 R08: ffffffff816f481c R09: 1ffff920017e8ea0
R10: dffffc0000000000 R11: fffff520017e8ea1 R12: ffff88807b35e000
R13: ffff888021ffc000 R14: ffff888021ffc560 R15: ffff888021ffc558
FS: 00007fef4adf9700(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f22c0e44000 CR3: 000000001ec2d000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

2023-07-30 18:08:15

by syzbot

Subject: Re: [syzbot] [btrfs?] kernel BUG in prepare_to_merge

syzbot has found a reproducer for the following issue on:

HEAD commit: d31e3792919e Merge tag '6.5-rc3-smb3-client-fixes' of git:..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17afd745a80000
kernel config: https://syzkaller.appspot.com/x/.config?x=9d670a4f6850b6f4
dashboard link: https://syzkaller.appspot.com/bug?extid=ae97a827ae1c3336bbb4
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15278939a80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14dd3f31a80000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7bc7510fe41f/non_bootable_disk-d31e3792.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/c6c2342933c9/vmlinux-d31e3792.xz
kernel image: https://storage.googleapis.com/syzbot-assets/42df60b42886/bzImage-d31e3792.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/78ffd1ddff6c/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]

BTRFS info (device loop1): relocating block group 5242880 flags data|metadata
assertion failed: root->reloc_root == reloc_root, in fs/btrfs/relocation.c:1919
------------[ cut here ]------------
kernel BUG at fs/btrfs/relocation.c:1919!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 12638 Comm: syz-executor311 Not tainted 6.5.0-rc3-syzkaller-00297-gd31e3792919e #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:prepare_to_merge+0x9cc/0xcd0 fs/btrfs/relocation.c:1919
Code: c5 e9 81 fd ff ff e8 e3 59 00 fe b9 7f 07 00 00 48 c7 c2 40 d9 b6 8a 48 c7 c6 20 e6 b6 8a 48 c7 c7 a0 da b6 8a e8 54 bc e3 fd <0f> 0b 4c 8b 7c 24 38 48 8b 5c 24 10 44 8b 6c 24 0c e8 ae 59 00 fe
RSP: 0018:ffffc90023e176d0 EFLAGS: 00010282
RAX: 000000000000004f RBX: ffff88801e898560 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff81698120 RDI: 0000000000000005
RBP: ffff88801e898558 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 6f69747265737361 R12: dffffc0000000000
R13: ffff88801e898000 R14: ffff88802d944000 R15: ffff888017616618
FS: 00007fb31aba26c0(0000) GS:ffff88806b600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb31ac3a758 CR3: 000000002e1dc000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
relocate_block_group+0x8d1/0xe70 fs/btrfs/relocation.c:3749
btrfs_relocate_block_group+0x714/0xd90 fs/btrfs/relocation.c:4087
btrfs_relocate_chunk+0x143/0x440 fs/btrfs/volumes.c:3283
__btrfs_balance fs/btrfs/volumes.c:4018 [inline]
btrfs_balance+0x20fc/0x3ef0 fs/btrfs/volumes.c:4395
btrfs_ioctl_balance fs/btrfs/ioctl.c:3604 [inline]
btrfs_ioctl+0x1362/0x5cf0 fs/btrfs/ioctl.c:4637
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl fs/ioctl.c:856 [inline]
__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fb31abe6e49
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fb31aba2168 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fb31ac73728 RCX: 00007fb31abe6e49
RDX: 00000000200003c0 RSI: 00000000c4009420 RDI: 0000000000000005
RBP: 00007fb31ac73720 R08: 00007fb31aba26c0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb31ac7372c
R13: 0000000000000006 R14: 00007ffe768d5660 R15: 00007ffe768d5748
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:prepare_to_merge+0x9cc/0xcd0 fs/btrfs/relocation.c:1919
Code: c5 e9 81 fd ff ff e8 e3 59 00 fe b9 7f 07 00 00 48 c7 c2 40 d9 b6 8a 48 c7 c6 20 e6 b6 8a 48 c7 c7 a0 da b6 8a e8 54 bc e3 fd <0f> 0b 4c 8b 7c 24 38 48 8b 5c 24 10 44 8b 6c 24 0c e8 ae 59 00 fe
RSP: 0018:ffffc90023e176d0 EFLAGS: 00010282
RAX: 000000000000004f RBX: ffff88801e898560 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff81698120 RDI: 0000000000000005
RBP: ffff88801e898558 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 6f69747265737361 R12: dffffc0000000000
R13: ffff88801e898000 R14: ffff88802d944000 R15: ffff888017616618
FS: 00007fb31aba26c0(0000) GS:ffff88806b600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb31ac3a758 CR3: 000000002e1dc000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

2023-07-31 03:06:47

by syzbot

Subject: Re: [syzbot] [btrfs?] kernel BUG in prepare_to_merge

syzbot has bisected this issue to:

commit 85724171b302914bb8999b9df091fd4616a36eb7
Author: Christoph Hellwig <[email protected]>
Date: Tue May 23 08:40:18 2023 +0000

btrfs: fix the btrfs_get_global_root return value

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=12343ac5a80000
start commit: d192f5382581 Merge tag 'arm64-fixes' of git://git.kernel.o..
git tree: upstream
final oops: https://syzkaller.appspot.com/x/report.txt?x=11343ac5a80000
console output: https://syzkaller.appspot.com/x/log.txt?x=16343ac5a80000
kernel config: https://syzkaller.appspot.com/x/.config?x=a4507c291b5ab5d4
dashboard link: https://syzkaller.appspot.com/bug?extid=ae97a827ae1c3336bbb4
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1230cc11a80000

Reported-by: [email protected]
Fixes: 85724171b302 ("btrfs: fix the btrfs_get_global_root return value")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

2023-07-31 05:40:55

by Qu Wenruo

Subject: Re: [syzbot] [btrfs?] kernel BUG in prepare_to_merge



On 2023/7/31 01:07, syzbot wrote:
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: d31e3792919e Merge tag '6.5-rc3-smb3-client-fixes' of git:..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=17afd745a80000
> kernel config: https://syzkaller.appspot.com/x/.config?x=9d670a4f6850b6f4
> dashboard link: https://syzkaller.appspot.com/bug?extid=ae97a827ae1c3336bbb4
> compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15278939a80000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14dd3f31a80000
>
> Downloadable assets:
> disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7bc7510fe41f/non_bootable_disk-d31e3792.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/c6c2342933c9/vmlinux-d31e3792.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/42df60b42886/bzImage-d31e3792.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/78ffd1ddff6c/mount_0.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: [email protected]
>
> BTRFS info (device loop1): relocating block group 5242880 flags data|metadata
> assertion failed: root->reloc_root == reloc_root, in fs/btrfs/relocation.c:1919
> ------------[ cut here ]------------
> kernel BUG at fs/btrfs/relocation.c:1919!
> invalid opcode: 0000 [#1] PREEMPT SMP KASAN
> CPU: 0 PID: 12638 Comm: syz-executor311 Not tainted 6.5.0-rc3-syzkaller-00297-gd31e3792919e #0
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
> RIP: 0010:prepare_to_merge+0x9cc/0xcd0 fs/btrfs/relocation.c:1919
> Code: c5 e9 81 fd ff ff e8 e3 59 00 fe b9 7f 07 00 00 48 c7 c2 40 d9 b6 8a 48 c7 c6 20 e6 b6 8a 48 c7 c7 a0 da b6 8a e8 54 bc e3 fd <0f> 0b 4c 8b 7c 24 38 48 8b 5c 24 10 44 8b 6c 24 0c e8 ae 59 00 fe
> RSP: 0018:ffffc90023e176d0 EFLAGS: 00010282
> RAX: 000000000000004f RBX: ffff88801e898560 RCX: 0000000000000000
> RDX: 0000000000000000 RSI: ffffffff81698120 RDI: 0000000000000005
> RBP: ffff88801e898558 R08: 0000000000000005 R09: 0000000000000000
> R10: 0000000080000000 R11: 6f69747265737361 R12: dffffc0000000000
> R13: ffff88801e898000 R14: ffff88802d944000 R15: ffff888017616618
> FS: 00007fb31aba26c0(0000) GS:ffff88806b600000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007fb31ac3a758 CR3: 000000002e1dc000 CR4: 0000000000350ef0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
> <TASK>
> relocate_block_group+0x8d1/0xe70 fs/btrfs/relocation.c:3749
> btrfs_relocate_block_group+0x714/0xd90 fs/btrfs/relocation.c:4087
> btrfs_relocate_chunk+0x143/0x440 fs/btrfs/volumes.c:3283
> __btrfs_balance fs/btrfs/volumes.c:4018 [inline]
> btrfs_balance+0x20fc/0x3ef0 fs/btrfs/volumes.c:4395
> btrfs_ioctl_balance fs/btrfs/ioctl.c:3604 [inline]
> btrfs_ioctl+0x1362/0x5cf0 fs/btrfs/ioctl.c:4637
> vfs_ioctl fs/ioctl.c:51 [inline]
> __do_sys_ioctl fs/ioctl.c:870 [inline]
> __se_sys_ioctl fs/ioctl.c:856 [inline]
> __x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:856
> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
> entry_SYSCALL_64_after_hwframe+0x63/0xcd
> RIP: 0033:0x7fb31abe6e49
> Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007fb31aba2168 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
> RAX: ffffffffffffffda RBX: 00007fb31ac73728 RCX: 00007fb31abe6e49
> RDX: 00000000200003c0 RSI: 00000000c4009420 RDI: 0000000000000005
> RBP: 00007fb31ac73720 R08: 00007fb31aba26c0 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb31ac7372c
> R13: 0000000000000006 R14: 00007ffe768d5660 R15: 00007ffe768d5748
> </TASK>
> Modules linked in:
> ---[ end trace 0000000000000000 ]---
> RIP: 0010:prepare_to_merge+0x9cc/0xcd0 fs/btrfs/relocation.c:1919
> Code: c5 e9 81 fd ff ff e8 e3 59 00 fe b9 7f 07 00 00 48 c7 c2 40 d9 b6 8a 48 c7 c6 20 e6 b6 8a 48 c7 c7 a0 da b6 8a e8 54 bc e3 fd <0f> 0b 4c 8b 7c 24 38 48 8b 5c 24 10 44 8b 6c 24 0c e8 ae 59 00 fe
> RSP: 0018:ffffc90023e176d0 EFLAGS: 00010282
> RAX: 000000000000004f RBX: ffff88801e898560 RCX: 0000000000000000
> RDX: 0000000000000000 RSI: ffffffff81698120 RDI: 0000000000000005
> RBP: ffff88801e898558 R08: 0000000000000005 R09: 0000000000000000
> R10: 0000000080000000 R11: 6f69747265737361 R12: dffffc0000000000
> R13: ffff88801e898000 R14: ffff88802d944000 R15: ffff888017616618
> FS: 00007fb31aba26c0(0000) GS:ffff88806b600000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007fb31ac3a758 CR3: 000000002e1dc000 CR4: 0000000000350ef0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>

I failed to reproduce it locally, although it's on David's misc-next.

# syz test: git://github.com/kdave/btrfs-devel.git misc-next

Thanks,
Qu
>
> ---
> If you want syzbot to run the reproducer, reply with:
> #syz test: git://repo/address.git branch-or-commit-hash
> If you attach or paste a git patch, syzbot will apply it before testing.

2023-07-31 06:56:55

by Qu Wenruo

Subject: Re: [syzbot] [btrfs?] kernel BUG in prepare_to_merge



On 2023/7/31 13:11, Qu Wenruo wrote:
>
>
> On 2023/7/31 01:07, syzbot wrote:
>> syzbot has found a reproducer for the following issue on:
>>
>> HEAD commit:    d31e3792919e Merge tag '6.5-rc3-smb3-client-fixes' of
>> git:..
>> git tree:       upstream
>> console output: https://syzkaller.appspot.com/x/log.txt?x=17afd745a80000
>> kernel config:
>> https://syzkaller.appspot.com/x/.config?x=9d670a4f6850b6f4
>> dashboard link:
>> https://syzkaller.appspot.com/bug?extid=ae97a827ae1c3336bbb4
>> compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils
>> for Debian) 2.40
>> syz repro:
>> https://syzkaller.appspot.com/x/repro.syz?x=15278939a80000
>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14dd3f31a80000
>>
>> Downloadable assets:
>> disk image (non-bootable):
>> https://storage.googleapis.com/syzbot-assets/7bc7510fe41f/non_bootable_disk-d31e3792.raw.xz
>> vmlinux:
>> https://storage.googleapis.com/syzbot-assets/c6c2342933c9/vmlinux-d31e3792.xz
>> kernel image:
>> https://storage.googleapis.com/syzbot-assets/42df60b42886/bzImage-d31e3792.xz
>> mounted in repro:
>> https://storage.googleapis.com/syzbot-assets/78ffd1ddff6c/mount_0.gz
>>
>> IMPORTANT: if you fix the issue, please add the following tag to the
>> commit:
>> Reported-by: [email protected]
>>
>> BTRFS info (device loop1): relocating block group 5242880 flags
>> data|metadata
>> assertion failed: root->reloc_root == reloc_root, in
>> fs/btrfs/relocation.c:1919
>> ------------[ cut here ]------------
>> kernel BUG at fs/btrfs/relocation.c:1919!
>> invalid opcode: 0000 [#1] PREEMPT SMP KASAN
>> CPU: 0 PID: 12638 Comm: syz-executor311 Not tainted
>> 6.5.0-rc3-syzkaller-00297-gd31e3792919e #0
>> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
>> 1.16.2-debian-1.16.2-1 04/01/2014
>> RIP: 0010:prepare_to_merge+0x9cc/0xcd0 fs/btrfs/relocation.c:1919
>> Code: c5 e9 81 fd ff ff e8 e3 59 00 fe b9 7f 07 00 00 48 c7 c2 40 d9
>> b6 8a 48 c7 c6 20 e6 b6 8a 48 c7 c7 a0 da b6 8a e8 54 bc e3 fd <0f> 0b
>> 4c 8b 7c 24 38 48 8b 5c 24 10 44 8b 6c 24 0c e8 ae 59 00 fe
>> RSP: 0018:ffffc90023e176d0 EFLAGS: 00010282
>> RAX: 000000000000004f RBX: ffff88801e898560 RCX: 0000000000000000
>> RDX: 0000000000000000 RSI: ffffffff81698120 RDI: 0000000000000005
>> RBP: ffff88801e898558 R08: 0000000000000005 R09: 0000000000000000
>> R10: 0000000080000000 R11: 6f69747265737361 R12: dffffc0000000000
>> R13: ffff88801e898000 R14: ffff88802d944000 R15: ffff888017616618
>> FS:  00007fb31aba26c0(0000) GS:ffff88806b600000(0000)
>> knlGS:0000000000000000
>> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> CR2: 00007fb31ac3a758 CR3: 000000002e1dc000 CR4: 0000000000350ef0
>> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
>> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>> Call Trace:
>>   <TASK>
>>   relocate_block_group+0x8d1/0xe70 fs/btrfs/relocation.c:3749
>>   btrfs_relocate_block_group+0x714/0xd90 fs/btrfs/relocation.c:4087
>>   btrfs_relocate_chunk+0x143/0x440 fs/btrfs/volumes.c:3283
>>   __btrfs_balance fs/btrfs/volumes.c:4018 [inline]
>>   btrfs_balance+0x20fc/0x3ef0 fs/btrfs/volumes.c:4395
>>   btrfs_ioctl_balance fs/btrfs/ioctl.c:3604 [inline]
>>   btrfs_ioctl+0x1362/0x5cf0 fs/btrfs/ioctl.c:4637
>>   vfs_ioctl fs/ioctl.c:51 [inline]
>>   __do_sys_ioctl fs/ioctl.c:870 [inline]
>>   __se_sys_ioctl fs/ioctl.c:856 [inline]
>>   __x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:856
>>   do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>>   do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
>>   entry_SYSCALL_64_after_hwframe+0x63/0xcd
>> RIP: 0033:0x7fb31abe6e49
>> Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48
>> 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
>> 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
>> RSP: 002b:00007fb31aba2168 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
>> RAX: ffffffffffffffda RBX: 00007fb31ac73728 RCX: 00007fb31abe6e49
>> RDX: 00000000200003c0 RSI: 00000000c4009420 RDI: 0000000000000005
>> RBP: 00007fb31ac73720 R08: 00007fb31aba26c0 R09: 0000000000000000
>> R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb31ac7372c
>> R13: 0000000000000006 R14: 00007ffe768d5660 R15: 00007ffe768d5748
>>   </TASK>
>> Modules linked in:
>> ---[ end trace 0000000000000000 ]---
>> RIP: 0010:prepare_to_merge+0x9cc/0xcd0 fs/btrfs/relocation.c:1919
>> Code: c5 e9 81 fd ff ff e8 e3 59 00 fe b9 7f 07 00 00 48 c7 c2 40 d9
>> b6 8a 48 c7 c6 20 e6 b6 8a 48 c7 c7 a0 da b6 8a e8 54 bc e3 fd <0f> 0b
>> 4c 8b 7c 24 38 48 8b 5c 24 10 44 8b 6c 24 0c e8 ae 59 00 fe
>> RSP: 0018:ffffc90023e176d0 EFLAGS: 00010282
>> RAX: 000000000000004f RBX: ffff88801e898560 RCX: 0000000000000000
>> RDX: 0000000000000000 RSI: ffffffff81698120 RDI: 0000000000000005
>> RBP: ffff88801e898558 R08: 0000000000000005 R09: 0000000000000000
>> R10: 0000000080000000 R11: 6f69747265737361 R12: dffffc0000000000
>> R13: ffff88801e898000 R14: ffff88802d944000 R15: ffff888017616618
>> FS:  00007fb31aba26c0(0000) GS:ffff88806b600000(0000)
>> knlGS:0000000000000000
>> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> CR2: 00007fb31ac3a758 CR3: 000000002e1dc000 CR4: 0000000000350ef0
>> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
>> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>>
>
> I failed to reproduce it locally, although it's on David's misc-next.
>
> # syz test: git://github.com/kdave/btrfs-devel.git misc-next

# syz test: git://github.com/adam900710/linux.git graceful_reloc_mismatch
>
> Thanks,
> Qu
>>
>> ---
>> If you want syzbot to run the reproducer, reply with:
>> #syz test: git://repo/address.git branch-or-commit-hash
>> If you attach or paste a git patch, syzbot will apply it before testing.

2023-07-31 08:06:56

by Christoph Hellwig

Subject: Re: [syzbot] [btrfs?] kernel BUG in prepare_to_merge

Hmm, this seems to be missing the usual C reproducer?


2023-07-31 09:43:50

by Qu Wenruo

Subject: Re: [syzbot] [btrfs?] kernel BUG in prepare_to_merge



On 2023/7/31 15:37, Christoph Hellwig wrote:
> Hmm, this seems to be missing the usual C reproducer?
>
It has one in the original report:

> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14dd3f31a80000

Thanks,
Qu

2023-07-31 10:55:15

by Christoph Hellwig

Subject: Re: [syzbot] [btrfs?] kernel BUG in prepare_to_merge

Thanks. I've not been able to reproduce it on the apparent bisection
commit for more than half an hour, but running it on the originally
reported commit reproduces it after a few minutes. I'll see if I
can come up with a better bisection.


2023-07-31 11:36:15

by Qu Wenruo

Subject: Re: [syzbot] [btrfs?] kernel BUG in prepare_to_merge



On 2023/7/31 17:46, Christoph Hellwig wrote:
> Thanks. I've not been able to reproduce it on the apparent bisection
> commit for more than half an hour, but running it on the originally
> reported commit reproduces it after a few minutes. I'll see if I
> can come up with a better bisection.
>

I checked the related code, and didn't find anything obvious.

But there is a chance that the image is intentionally corrupted, so that
we get a reloc root but an incorrect root owner.

Thus I sent out a patch to turn that triggering ASSERT() into a more
graceful exit:

https://lore.kernel.org/linux-btrfs/24881cc9caf738f6248232709d7357d3186773b5.1690782754.git.wqu@suse.com/T/#u

I never got the C reproducer to trigger, though, so there is no
confirmation on that.

Thanks,
Qu

2023-08-01 12:51:01

by Christoph Hellwig

Subject: Re: [syzbot] [btrfs?] kernel BUG in prepare_to_merge

With misc-next and your debug patch I first ran into another assert:

[ 250.848976][T35903] assertion failed: 0, in fs/btrfs/relocation.c:2042
[ 250.849963][T35903] ------------[ cut here ]------------
[ 250.850472][T35903] kernel BUG at fs/btrfs/relocation.c:2042!

and here is the output from your assert:

[ 1378.272143][T189001] BTRFS error (device loop1): reloc tree mismatch, root 8 has no reloc root, expect reloc root key (-8, 132, 8) gen 17
[ 1378.274019][T189001] ------------[ cut here ]------------
[ 1378.274540][T189001] BTRFS: Transaction aborted (error -117)
[ 1378.277110][T189001] WARNING: CPU: 3 PID: 189001 at fs/btrfs/relocation.c:1946 prepare_to_merge+0x10e0/0x1460


2023-08-01 15:39:41

by syzbot

Subject: Re: [syzbot] [btrfs?] kernel BUG in prepare_to_merge

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in prepare_to_merge

BTRFS error (device loop3): reloc tree mismatch, root 8 has no reloc root, expect reloc root key (-8, 132, 8) gen 17
------------[ cut here ]------------
BTRFS: Transaction aborted (error -117)
WARNING: CPU: 1 PID: 10413 at fs/btrfs/relocation.c:1946 prepare_to_merge+0x10e0/0x1460 fs/btrfs/relocation.c:1946
Modules linked in:
CPU: 1 PID: 10413 Comm: syz-executor.3 Not tainted 6.5.0-rc3-syzkaller-g9f2c8c9193cc #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:prepare_to_merge+0x10e0/0x1460 fs/btrfs/relocation.c:1946
Code: 8b 7e 50 44 89 e2 48 c7 c6 20 d8 b6 8a e8 58 1b 10 00 eb c1 e8 d1 83 00 fe be 8b ff ff ff 48 c7 c7 80 d7 b6 8a e8 f0 4b c7 fd <0f> 0b e9 bf fe ff ff 48 8b 7c 24 28 e8 af 93 53 fe e9 3e f5 ff ff
RSP: 0018:ffffc90003ebf6b0 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff8880478f2b78 RCX: 0000000000000000
RDX: ffff8880466c9300 RSI: ffffffff814c5346 RDI: 0000000000000001
RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000046525442 R12: 0000000000000000
R13: 0000000000000084 R14: ffff8880478f2b28 R15: ffff888030e28000
FS: 00007fcc9098a6c0(0000) GS:ffff88806b700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fcc90968f28 CR3: 000000001fa0c000 CR4: 0000000000350ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
relocate_block_group+0x8d1/0xe70 fs/btrfs/relocation.c:3782
btrfs_relocate_block_group+0x714/0xd90 fs/btrfs/relocation.c:4120
btrfs_relocate_chunk+0x143/0x440 fs/btrfs/volumes.c:3277
__btrfs_balance fs/btrfs/volumes.c:4012 [inline]
btrfs_balance+0x20fc/0x3ef0 fs/btrfs/volumes.c:4389
btrfs_ioctl_balance fs/btrfs/ioctl.c:3604 [inline]
btrfs_ioctl+0x1362/0x5cf0 fs/btrfs/ioctl.c:4637
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl fs/ioctl.c:856 [inline]
__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fcc8fc7cae9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fcc9098a0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fcc8fd9bf80 RCX: 00007fcc8fc7cae9
RDX: 00000000200003c0 RSI: 00000000c4009420 RDI: 0000000000000005
RBP: 00007fcc8fcc847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007fcc8fd9bf80 R15: 00007ffd6ad55508
</TASK>


Tested on:

commit: 9f2c8c91 btrfs: exit gracefully if reloc roots don't m..
git tree: https://github.com/adam900710/linux graceful_reloc_mismatch
console output: https://syzkaller.appspot.com/x/log.txt?x=173afb31a80000
kernel config: https://syzkaller.appspot.com/x/.config?x=23c579cf0ae1addd
dashboard link: https://syzkaller.appspot.com/bug?extid=ae97a827ae1c3336bbb4
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

Note: no patches were applied.

2023-08-01 15:58:47

by Aleksandr Nogikh

[permalink] [raw]
Subject: Re: [syzbot] [btrfs?] kernel BUG in prepare_to_merge

On Mon, Jul 31, 2023 at 8:26 AM Qu Wenruo <[email protected]> wrote:
>
>
>
> On 2023/7/31 13:11, Qu Wenruo wrote:
> >
> >
> > On 2023/7/31 01:07, syzbot wrote:
> >> syzbot has found a reproducer for the following issue on:
> >>
> >> HEAD commit: d31e3792919e Merge tag '6.5-rc3-smb3-client-fixes' of
> >> git:..
> >> git tree: upstream
> >> console output: https://syzkaller.appspot.com/x/log.txt?x=17afd745a80000
> >> kernel config:
> >> https://syzkaller.appspot.com/x/.config?x=9d670a4f6850b6f4
> >> dashboard link:
> >> https://syzkaller.appspot.com/bug?extid=ae97a827ae1c3336bbb4
> >> compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils
> >> for Debian) 2.40
> >> syz repro:
> >> https://syzkaller.appspot.com/x/repro.syz?x=15278939a80000
> >> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14dd3f31a80000
> >>
> >> Downloadable assets:
> >> disk image (non-bootable):
> >> https://storage.googleapis.com/syzbot-assets/7bc7510fe41f/non_bootable_disk-d31e3792.raw.xz
> >> vmlinux:
> >> https://storage.googleapis.com/syzbot-assets/c6c2342933c9/vmlinux-d31e3792.xz
> >> kernel image:
> >> https://storage.googleapis.com/syzbot-assets/42df60b42886/bzImage-d31e3792.xz
> >> mounted in repro:
> >> https://storage.googleapis.com/syzbot-assets/78ffd1ddff6c/mount_0.gz
> >>
> >> IMPORTANT: if you fix the issue, please add the following tag to the
> >> commit:
> >> Reported-by: [email protected]
> >>
> >> BTRFS info (device loop1): relocating block group 5242880 flags
> >> data|metadata
> >> assertion failed: root->reloc_root == reloc_root, in
> >> fs/btrfs/relocation.c:1919
> >> ------------[ cut here ]------------
> >> kernel BUG at fs/btrfs/relocation.c:1919!
> >> invalid opcode: 0000 [#1] PREEMPT SMP KASAN
> >> CPU: 0 PID: 12638 Comm: syz-executor311 Not tainted
> >> 6.5.0-rc3-syzkaller-00297-gd31e3792919e #0
> >> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
> >> 1.16.2-debian-1.16.2-1 04/01/2014
> >> RIP: 0010:prepare_to_merge+0x9cc/0xcd0 fs/btrfs/relocation.c:1919
> >> Code: c5 e9 81 fd ff ff e8 e3 59 00 fe b9 7f 07 00 00 48 c7 c2 40 d9
> >> b6 8a 48 c7 c6 20 e6 b6 8a 48 c7 c7 a0 da b6 8a e8 54 bc e3 fd <0f> 0b
> >> 4c 8b 7c 24 38 48 8b 5c 24 10 44 8b 6c 24 0c e8 ae 59 00 fe
> >> RSP: 0018:ffffc90023e176d0 EFLAGS: 00010282
> >> RAX: 000000000000004f RBX: ffff88801e898560 RCX: 0000000000000000
> >> RDX: 0000000000000000 RSI: ffffffff81698120 RDI: 0000000000000005
> >> RBP: ffff88801e898558 R08: 0000000000000005 R09: 0000000000000000
> >> R10: 0000000080000000 R11: 6f69747265737361 R12: dffffc0000000000
> >> R13: ffff88801e898000 R14: ffff88802d944000 R15: ffff888017616618
> >> FS: 00007fb31aba26c0(0000) GS:ffff88806b600000(0000)
> >> knlGS:0000000000000000
> >> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> >> CR2: 00007fb31ac3a758 CR3: 000000002e1dc000 CR4: 0000000000350ef0
> >> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> >> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> >> Call Trace:
> >> <TASK>
> >> relocate_block_group+0x8d1/0xe70 fs/btrfs/relocation.c:3749
> >> btrfs_relocate_block_group+0x714/0xd90 fs/btrfs/relocation.c:4087
> >> btrfs_relocate_chunk+0x143/0x440 fs/btrfs/volumes.c:3283
> >> __btrfs_balance fs/btrfs/volumes.c:4018 [inline]
> >> btrfs_balance+0x20fc/0x3ef0 fs/btrfs/volumes.c:4395
> >> btrfs_ioctl_balance fs/btrfs/ioctl.c:3604 [inline]
> >> btrfs_ioctl+0x1362/0x5cf0 fs/btrfs/ioctl.c:4637
> >> vfs_ioctl fs/ioctl.c:51 [inline]
> >> __do_sys_ioctl fs/ioctl.c:870 [inline]
> >> __se_sys_ioctl fs/ioctl.c:856 [inline]
> >> __x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:856
> >> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> >> do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
> >> entry_SYSCALL_64_after_hwframe+0x63/0xcd
> >> RIP: 0033:0x7fb31abe6e49
> >> Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 18 00 00 90 48 89 f8 48
> >> 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
> >> 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
> >> RSP: 002b:00007fb31aba2168 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
> >> RAX: ffffffffffffffda RBX: 00007fb31ac73728 RCX: 00007fb31abe6e49
> >> RDX: 00000000200003c0 RSI: 00000000c4009420 RDI: 0000000000000005
> >> RBP: 00007fb31ac73720 R08: 00007fb31aba26c0 R09: 0000000000000000
> >> R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb31ac7372c
> >> R13: 0000000000000006 R14: 00007ffe768d5660 R15: 00007ffe768d5748
> >> </TASK>
> >> Modules linked in:
> >> ---[ end trace 0000000000000000 ]---
> >> RIP: 0010:prepare_to_merge+0x9cc/0xcd0 fs/btrfs/relocation.c:1919
> >> Code: c5 e9 81 fd ff ff e8 e3 59 00 fe b9 7f 07 00 00 48 c7 c2 40 d9
> >> b6 8a 48 c7 c6 20 e6 b6 8a 48 c7 c7 a0 da b6 8a e8 54 bc e3 fd <0f> 0b
> >> 4c 8b 7c 24 38 48 8b 5c 24 10 44 8b 6c 24 0c e8 ae 59 00 fe
> >> RSP: 0018:ffffc90023e176d0 EFLAGS: 00010282
> >> RAX: 000000000000004f RBX: ffff88801e898560 RCX: 0000000000000000
> >> RDX: 0000000000000000 RSI: ffffffff81698120 RDI: 0000000000000005
> >> RBP: ffff88801e898558 R08: 0000000000000005 R09: 0000000000000000
> >> R10: 0000000080000000 R11: 6f69747265737361 R12: dffffc0000000000
> >> R13: ffff88801e898000 R14: ffff88802d944000 R15: ffff888017616618
> >> FS: 00007fb31aba26c0(0000) GS:ffff88806b600000(0000)
> >> knlGS:0000000000000000
> >> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> >> CR2: 00007fb31ac3a758 CR3: 000000002e1dc000 CR4: 0000000000350ef0
> >> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> >> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> >>
> >
> > I failed to reproduce it locally, although it's on David's misc-next.
> >
> > # syz test: git://github.com/kdave/btrfs-devel.git misc-next
>
> # syz test: git://github.com/adam900710/linux.git graceful_reloc_mismatch

#syz test: https://github.com/adam900710/linux graceful_reloc_mismatch

> >
> > Thanks,
> > Qu
> >>
> >> ---
> >> If you want syzbot to run the reproducer, reply with:
> >> #syz test: git://repo/address.git branch-or-commit-hash
> >> If you attach or paste a git patch, syzbot will apply it before testing.
>

2023-08-01 18:35:02

by Christoph Hellwig

[permalink] [raw]
Subject: Re: [syzbot] [btrfs?] kernel BUG in prepare_to_merge

In the meantime I've also reproduced it with just
"btrfs: fix the btrfs_get_global_root return value", but it took
a rather long time.

After wading through the code my suspicion is that before this fix
the ERR_PTR return meant that for those cases btrfs_get_root_ref and
btrfs_get_fs_root_commit_root don't actually do the
btrfs_lookup_fs_root. Although that seemed unintentional as far
as I can tell it might have prevented some additional problems
with whatever syzkaller is fuzzing here. Not sure if anyone who
knows this code has any good idea where to start looking?


2023-08-01 23:41:20

by Qu Wenruo

[permalink] [raw]
Subject: Re: [syzbot] [btrfs?] kernel BUG in prepare_to_merge



On 2023/8/1 19:39, Christoph Hellwig wrote:
> With misc-next and your debug patch I first ran into another assert:
>
> [ 250.848976][T35903] assertion failed: 0, in fs/btrfs/relocation.c:2042
> [ 250.849963][T35903] ------------[ cut here ]------------
> [ 250.850472][T35903] kernel BUG at fs/btrfs/relocation.c:2042!
>
> and here is the output from your assert:
>
> [ 1378.272143][T189001] BTRFS error (device loop1): reloc tree mismatch, root 8 has no reloc root, expect reloc root key (-8, 132, 8) gen 17

Thanks a lot!

This indeed shows what I feared, on-disk corruption.

Root 8 is the quota tree, which doesn't need to go through tree-reloc at
all.

The whole tree-relocation idea is for subvolume trees, which would do a
special snapshot for them, and then swap the highest tree nodes between
the tree reloc tree (the special snapshot) and the subvolume tree.

Thus for non-subvolume trees, relocation is done by just COWing the
involved tree blocks and calling it a day.

This means we should never hit a reloc tree for non-subvolume trees, and
this looks like an on-disk format corruption.

Maybe I can reject those obviously incorrect reloc trees in tree-checker.

Thanks,
Qu

> [ 1378.274019][T189001] ------------[ cut here ]------------
> [ 1378.274540][T189001] BTRFS: Transaction aborted (error -117)
> [ 1378.277110][T189001] WARNING: CPU: 3 PID: 189001 at fs/btrfs/relocation.c:1946 prepare_to_merge+0x10e0/0x1460
>

2023-08-02 05:57:35

by Qu Wenruo

[permalink] [raw]
Subject: Re: [syzbot] [btrfs?] kernel BUG in prepare_to_merge



On 2023/8/1 22:58, syzbot wrote:
> Hello,
>
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> WARNING in prepare_to_merge
>
> BTRFS error (device loop3): reloc tree mismatch, root 8 has no reloc root, expect reloc root key (-8, 132, 8) gen 17

#syz test: https://github.com/adam900710/linux graceful_reloc_mismatch

I have added another patch to reject those invalid reloc tree keys, thus
at least we could have a more graceful rejection (without kernel warnings).

But the previous patch is still needed to catch not-so-obvious corrupted
reloc root keys.

Thanks,
Qu
> ------------[ cut here ]------------
> BTRFS: Transaction aborted (error -117)
> WARNING: CPU: 1 PID: 10413 at fs/btrfs/relocation.c:1946 prepare_to_merge+0x10e0/0x1460 fs/btrfs/relocation.c:1946
> Modules linked in:
> CPU: 1 PID: 10413 Comm: syz-executor.3 Not tainted 6.5.0-rc3-syzkaller-g9f2c8c9193cc #0
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
> RIP: 0010:prepare_to_merge+0x10e0/0x1460 fs/btrfs/relocation.c:1946
> Code: 8b 7e 50 44 89 e2 48 c7 c6 20 d8 b6 8a e8 58 1b 10 00 eb c1 e8 d1 83 00 fe be 8b ff ff ff 48 c7 c7 80 d7 b6 8a e8 f0 4b c7 fd <0f> 0b e9 bf fe ff ff 48 8b 7c 24 28 e8 af 93 53 fe e9 3e f5 ff ff
> RSP: 0018:ffffc90003ebf6b0 EFLAGS: 00010286
> RAX: 0000000000000000 RBX: ffff8880478f2b78 RCX: 0000000000000000
> RDX: ffff8880466c9300 RSI: ffffffff814c5346 RDI: 0000000000000001
> RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000046525442 R12: 0000000000000000
> R13: 0000000000000084 R14: ffff8880478f2b28 R15: ffff888030e28000
> FS: 00007fcc9098a6c0(0000) GS:ffff88806b700000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007fcc90968f28 CR3: 000000001fa0c000 CR4: 0000000000350ee0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
> <TASK>
> relocate_block_group+0x8d1/0xe70 fs/btrfs/relocation.c:3782
> btrfs_relocate_block_group+0x714/0xd90 fs/btrfs/relocation.c:4120
> btrfs_relocate_chunk+0x143/0x440 fs/btrfs/volumes.c:3277
> __btrfs_balance fs/btrfs/volumes.c:4012 [inline]
> btrfs_balance+0x20fc/0x3ef0 fs/btrfs/volumes.c:4389
> btrfs_ioctl_balance fs/btrfs/ioctl.c:3604 [inline]
> btrfs_ioctl+0x1362/0x5cf0 fs/btrfs/ioctl.c:4637
> vfs_ioctl fs/ioctl.c:51 [inline]
> __do_sys_ioctl fs/ioctl.c:870 [inline]
> __se_sys_ioctl fs/ioctl.c:856 [inline]
> __x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:856
> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
> entry_SYSCALL_64_after_hwframe+0x63/0xcd
> RIP: 0033:0x7fcc8fc7cae9
> Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007fcc9098a0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
> RAX: ffffffffffffffda RBX: 00007fcc8fd9bf80 RCX: 00007fcc8fc7cae9
> RDX: 00000000200003c0 RSI: 00000000c4009420 RDI: 0000000000000005
> RBP: 00007fcc8fcc847a R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
> R13: 000000000000000b R14: 00007fcc8fd9bf80 R15: 00007ffd6ad55508
> </TASK>
>
>
> Tested on:
>
> commit: 9f2c8c91 btrfs: exit gracefully if reloc roots don't m..
> git tree: https://github.com/adam900710/linux graceful_reloc_mismatch
> console output: https://syzkaller.appspot.com/x/log.txt?x=173afb31a80000
> kernel config: https://syzkaller.appspot.com/x/.config?x=23c579cf0ae1addd
> dashboard link: https://syzkaller.appspot.com/bug?extid=ae97a827ae1c3336bbb4
> compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
>
> Note: no patches were applied.

2023-08-02 06:45:09

by syzbot

[permalink] [raw]
Subject: Re: [syzbot] [btrfs?] kernel BUG in prepare_to_merge

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in prepare_to_merge

------------[ cut here ]------------
BTRFS: Transaction aborted (error -117)
WARNING: CPU: 2 PID: 8050 at fs/btrfs/relocation.c:1946 prepare_to_merge+0x10e0/0x1460 fs/btrfs/relocation.c:1946
Modules linked in:
CPU: 2 PID: 8050 Comm: syz-executor.0 Not tainted 6.5.0-rc3-syzkaller-g8b6f9b585045 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:prepare_to_merge+0x10e0/0x1460 fs/btrfs/relocation.c:1946
Code: 8b 7e 50 44 89 e2 48 c7 c6 20 d8 b6 8a e8 28 1d 10 00 eb c1 e8 d1 83 00 fe be 8b ff ff ff 48 c7 c7 80 d7 b6 8a e8 f0 4b c7 fd <0f> 0b e9 bf fe ff ff 48 8b 7c 24 28 e8 af 93 53 fe e9 3e f5 ff ff
RSP: 0018:ffffc90022d4f6b0 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff88804485e440 RCX: 0000000000000000
RDX: ffff888031a78480 RSI: ffffffff814c5346 RDI: 0000000000000001
RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 000000002d2d2d2d R12: 0000000000000000
R13: 0000000000000084 R14: ffff88804485e3f0 R15: ffff88801d0eb000
FS: 00007f6a3df146c0(0000) GS:ffff88806b800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f0a76ac56be CR3: 00000000300a1000 CR4: 0000000000350ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
relocate_block_group+0x8d1/0xe70 fs/btrfs/relocation.c:3779
btrfs_relocate_block_group+0x714/0xd90 fs/btrfs/relocation.c:4117
btrfs_relocate_chunk+0x143/0x440 fs/btrfs/volumes.c:3277
__btrfs_balance fs/btrfs/volumes.c:4012 [inline]
btrfs_balance+0x20fc/0x3ef0 fs/btrfs/volumes.c:4389
btrfs_ioctl_balance fs/btrfs/ioctl.c:3604 [inline]
btrfs_ioctl+0x1362/0x5cf0 fs/btrfs/ioctl.c:4637
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl fs/ioctl.c:856 [inline]
__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f6a3d27cae9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f6a3df140c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f6a3d39bf80 RCX: 00007f6a3d27cae9
RDX: 00000000200003c0 RSI: 00000000c4009420 RDI: 0000000000000005
RBP: 00007f6a3d2c847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f6a3d39bf80 R15: 00007ffd18ee1568
</TASK>


Tested on:

commit: 8b6f9b58 btrfs: reject invalid reloc tree root keys
git tree: https://github.com/adam900710/linux graceful_reloc_mismatch
console output: https://syzkaller.appspot.com/x/log.txt?x=115ab96ea80000
kernel config: https://syzkaller.appspot.com/x/.config?x=23c579cf0ae1addd
dashboard link: https://syzkaller.appspot.com/bug?extid=ae97a827ae1c3336bbb4
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

Note: no patches were applied.

2023-08-02 07:29:31

by Qu Wenruo

[permalink] [raw]
Subject: Re: [syzbot] [btrfs?] kernel BUG in prepare_to_merge



On 2023/8/1 23:26, Christoph Hellwig wrote:
> In the meantime I've also reproduced it with just
> "btrfs: fix the btrfs_get_global_root return value", but it took
> a rather long time.
>
> After wading through the code my suspicion is that before this fix
> the ERR_PTR return meant that for those cases btrfs_get_root_ref and
> btrfs_get_fs_root_commit_root don't actually do the
> btrfs_lookup_fs_root. Although that seemed unintentional as far
> as I can tell it might have prevented some additional problems
> with whatever syzkaller is fuzzing here. Not sure if anyone who
> knows this code has any good idea where to start looking?
>


I'm also looking into the case; the weird part seems to be that we're
getting some race between qgroup tree creation and relocation.

More rounds of syzbot testing show it's not on-disk data corruption,
but runtime corruption leading to the invalid reloc tree key.

Normally if we're relocating tree 8 (quota tree), we should get
fs_info->quota_root, and it should not have the ROOT_SHAREABLE flag, thus we
just go COW the involved quota tree block.

But somehow, if the quota tree is created by btrfs_init_fs_root() it
would have the ROOT_SHAREABLE flag and lead to the incorrect reloc tree
creation.

My current guess is, some race like this:

Thread A | Thread B
---------------------------------+------------------------------
btrfs_quota_enable() |
| | btrfs_get_root_ref()
| | |- btrfs_get_global_root()
| | | Returned NULL
| | |- btrfs_lookup_fs_root()
| | | Returned NULL
|- btrfs_create_tree() | |
| Now quota root item is | |
| inserted | |- btrfs_read_tree_root()
| | | Got the newly inserted quota root
| | |- btrfs_init_fs_root()
| | | Set ROOT_SHAREABLE flag

By this, with a relocation and quota enabling, we create a race in which we
can get a quota root with ROOT_SHAREABLE set, leading to the problem.

Personally speaking, I don't have a particularly good idea on how to fix it.

We may skip any non-subvolume related trees in btrfs_init_fs_root(), but
that doesn't seem correct to me.

Any good ideas on this?

Thanks,
Qu

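The interleaving in the table above, as an added deterministic model in C. This is not code from the thread, from Qu, or from btrfs: every identifier is a hypothetical stand-in for the kernel path it is commented with (the "disk", the lookup cache, the global quota root pointer and the lock are plain arrays and flags), and the creator is injected at exactly the point where Thread A inserts the root item, after Thread B's global and cache lookups have missed and before its disk read. The serialized variant only illustrates the generic way to close such a check-then-load window (one lock held across lookup, load and initialisation, and across insert and publish); it is not the fix that was later tested in this thread.

```c
/* Added example, not btrfs code: a deterministic single-threaded model of the
 * race in the table above. Every identifier is a hypothetical stand-in. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define QUOTA_TREE_OBJECTID 8ULL   /* "root 8" in the reports */
#define FIRST_FREE_OBJECTID 256ULL /* subvolume ids start here */
#define ROOT_SHAREABLE      0x1u

struct root { uint64_t objectid; unsigned flags; };

static struct root pool[8];               /* backing storage for root items */
static struct root *disk[8], *cache[8];   /* "on-disk" items; ~ fs_roots_radix */
static size_t disk_n, cache_n;
static struct root *global_quota_root;    /* ~ fs_info->quota_root */
static bool lock_held, creator_pending;   /* cooperative lock model */

static bool is_fstree(uint64_t id) { return id >= FIRST_FREE_OBJECTID; }

static void model_reset(void) { disk_n = cache_n = 0; global_quota_root = NULL; lock_held = creator_pending = false; }

static struct root *find(struct root **arr, size_t n, uint64_t id)
{
	for (size_t i = 0; i < n; i++)
		if (arr[i]->objectid == id) return arr[i];
	return NULL;
}

/* Thread A: ~ btrfs_create_tree() for the quota tree, then publish the pointer.
 * Between the two steps the item is on "disk" but the global pointer is NULL. */
static void do_create_quota_tree(void)
{
	struct root *r = &pool[disk_n];
	r->objectid = QUOTA_TREE_OBJECTID;
	r->flags = 0;
	disk[disk_n++] = r;
	global_quota_root = r;
}

/* The creator runs now, or is deferred until the reader drops the lock. */
static void creator_step(void)
{
	if (lock_held) creator_pending = true;
	else do_create_quota_tree();
}

static void lock_release(void) { lock_held = false; if (creator_pending) { creator_pending = false; do_create_quota_tree(); } }

/* Thread B: ~ btrfs_get_root_ref(). The creator is injected after the global
 * and cache lookups miss and before the disk read, where the diagram puts it.
 * With `serialized`, the lookup and the creator share one lock. */
static struct root *model_get_root_ref(uint64_t id, bool serialized,
				      bool creator_in_window)
{
	struct root *r;
	if (serialized) lock_held = true;
	r = (id == QUOTA_TREE_OBJECTID) ? global_quota_root : NULL; /* ~ btrfs_get_global_root */
	if (!r) r = find(cache, cache_n, id);                      /* ~ btrfs_lookup_fs_root */
	if (!r) {
		if (creator_in_window) creator_step();
		r = find(disk, disk_n, id);                        /* ~ btrfs_read_tree_root */
		if (r) {                                           /* ~ btrfs_init_fs_root */
			r->flags |= ROOT_SHAREABLE; /* wrong for a non-subvolume tree */
			cache[cache_n++] = r;
		}
	}
	if (serialized) lock_release();
	return r;
}

/* The invariant from the message: a non-subvolume tree must never carry
 * ROOT_SHAREABLE. Racy interleaving: violated. Serialized: not violated. */
static bool race_produces_shareable_quota_root(bool serialized)
{
	model_reset();
	struct root *r = model_get_root_ref(QUOTA_TREE_OBJECTID, serialized, true);
	return r && !is_fstree(r->objectid) && (r->flags & ROOT_SHAREABLE);
}

/* After the serialized run the deferred creator has published the quota root,
 * so a retry resolves it through the global pointer with no ROOT_SHAREABLE. */
static bool retry_finds_published_root(void)
{
	model_reset();
	(void)model_get_root_ref(QUOTA_TREE_OBJECTID, true, true);
	struct root *r = model_get_root_ref(QUOTA_TREE_OBJECTID, true, false);
	return r && r == global_quota_root && !(r->flags & ROOT_SHAREABLE);
}

int main(void)
{
	printf("racy=%d serialized=%d retry_ok=%d\n", race_produces_shareable_quota_root(false),
	       race_produces_shareable_quota_root(true), retry_finds_published_root());
	return 0;
}
```

The racy run returns a root for objectid 8 with ROOT_SHAREABLE set, which is the state the message says should never exist; the serialized run returns no root (the item is not on "disk" yet), the deferred creator publishes the tree once the lock drops, and a retry resolves it through the global pointer with the flag clear.
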
2023-08-02 09:58:56

by syzbot

[permalink] [raw]
Subject: Re: [syzbot] [btrfs?] kernel BUG in prepare_to_merge

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: [email protected]

Tested on:

commit: aa3cb01e btrfs: avoid race with qgroup tree creation a..
git tree: https://github.com/adam900710/linux graceful_reloc_mismatch
console output: https://syzkaller.appspot.com/x/log.txt?x=10ae0aa6a80000
kernel config: https://syzkaller.appspot.com/x/.config?x=23c579cf0ae1addd
dashboard link: https://syzkaller.appspot.com/bug?extid=ae97a827ae1c3336bbb4
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

Note: no patches were applied.
Note: testing is done by a robot and is best-effort only.

2023-08-02 12:11:41

by Qu Wenruo

[permalink] [raw]
Subject: Re: [syzbot] [btrfs?] kernel BUG in prepare_to_merge



On 2023/7/2 04:46, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 533925cb7604 Merge tag 'riscv-for-linus-6.5-mw1' of git://..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=14d8b610a80000
> kernel config: https://syzkaller.appspot.com/x/.config?x=12464973c17d2b37
> dashboard link: https://syzkaller.appspot.com/bug?extid=ae97a827ae1c3336bbb4
> compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/7b23da6a6f6c/disk-533925cb.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/f163e9ea9946/vmlinux-533925cb.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/5b943aa5a1e1/bzImage-533925cb.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: [email protected]
>

#syz test: https://github.com/adam900710/linux graceful_reloc_mismatch

> assertion failed: root->reloc_root == reloc_root, in fs/btrfs/relocation.c:1919
> ------------[ cut here ]------------
> kernel BUG at fs/btrfs/relocation.c:1919!
> invalid opcode: 0000 [#1] PREEMPT SMP KASAN
> CPU: 0 PID: 9904 Comm: syz-executor.3 Not tainted 6.4.0-syzkaller-08881-g533925cb7604 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
> RIP: 0010:prepare_to_merge+0xbb2/0xc40 fs/btrfs/relocation.c:1919
> Code: fe e9 f5 f7 ff ff e8 6d 62 ec fd 48 c7 c7 20 5e 4b 8b 48 c7 c6 c0 6d 4b 8b 48 c7 c2 a0 5e 4b 8b b9 7f 07 00 00 e8 8e d8 15 07 <0f> 0b e8 d7 17 18 07 f3 0f 1e fa e8 3e 62 ec fd 43 80 3c 2f 00 74
> RSP: 0018:ffffc9000325f760 EFLAGS: 00010246
> RAX: 000000000000004f RBX: ffff888075644030 RCX: 1481ccc522da5800
> RDX: ffffc90005c09000 RSI: 00000000000364ca RDI: 00000000000364cb
> RBP: ffffc9000325f870 R08: ffffffff816f33ac R09: 1ffff9200064bea0
> R10: dffffc0000000000 R11: fffff5200064bea1 R12: ffff888075644000
> R13: ffff88803b166000 R14: ffff88803b166560 R15: ffff88803b166558
> FS: 00007f4e305fd700(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 000056080679c000 CR3: 00000000193ad000 CR4: 00000000003506f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
> <TASK>
> relocate_block_group+0xa5d/0xcd0 fs/btrfs/relocation.c:3749
> btrfs_relocate_block_group+0x7ab/0xd70 fs/btrfs/relocation.c:4087
> btrfs_relocate_chunk+0x12c/0x3b0 fs/btrfs/volumes.c:3283
> __btrfs_balance+0x1b06/0x2690 fs/btrfs/volumes.c:4018
> btrfs_balance+0xbdb/0x1120 fs/btrfs/volumes.c:4402
> btrfs_ioctl_balance+0x496/0x7c0 fs/btrfs/ioctl.c:3604
> vfs_ioctl fs/ioctl.c:51 [inline]
> __do_sys_ioctl fs/ioctl.c:870 [inline]
> __se_sys_ioctl+0xf8/0x170 fs/ioctl.c:856
> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
> entry_SYSCALL_64_after_hwframe+0x63/0xcd
> RIP: 0033:0x7f4e2f88c389
> Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007f4e305fd168 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
> RAX: ffffffffffffffda RBX: 00007f4e2f9abf80 RCX: 00007f4e2f88c389
> RDX: 00000000200003c0 RSI: 00000000c4009420 RDI: 0000000000000005
> RBP: 00007f4e2f8d7493 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
> R13: 00007ffdbefc213f R14: 00007f4e305fd300 R15: 0000000000022000
> </TASK>
> Modules linked in:
> ---[ end trace 0000000000000000 ]---
> RIP: 0010:prepare_to_merge+0xbb2/0xc40 fs/btrfs/relocation.c:1919
> Code: fe e9 f5 f7 ff ff e8 6d 62 ec fd 48 c7 c7 20 5e 4b 8b 48 c7 c6 c0 6d 4b 8b 48 c7 c2 a0 5e 4b 8b b9 7f 07 00 00 e8 8e d8 15 07 <0f> 0b e8 d7 17 18 07 f3 0f 1e fa e8 3e 62 ec fd 43 80 3c 2f 00 74
> RSP: 0018:ffffc9000325f760 EFLAGS: 00010246
> RAX: 000000000000004f RBX: ffff888075644030 RCX: 1481ccc522da5800
> RDX: ffffc90005c09000 RSI: 00000000000364ca RDI: 00000000000364cb
> RBP: ffffc9000325f870 R08: ffffffff816f33ac R09: 1ffff9200064bea0
> R10: dffffc0000000000 R11: fffff5200064bea1 R12: ffff888075644000
> R13: ffff88803b166000 R14: ffff88803b166560 R15: ffff88803b166558
> FS: 00007f4e305fd700(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 000055555657e888 CR3: 00000000193ad000 CR4: 00000000003506f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>
>
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at [email protected].
>
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>
> If the bug is already fixed, let syzbot know by replying with:
> #syz fix: exact-commit-title
>
> If you want to change bug's subsystems, reply with:
> #syz set subsystems: new-subsystem
> (See the list of subsystem names on the web dashboard)
>
> If the bug is a duplicate of another bug, reply with:
> #syz dup: exact-subject-of-another-report
>
> If you want to undo deduplication, reply with:
> #syz undup