Greeting,
FYI, we noticed the following commit (built with gcc-9):
commit: 0ac06c96a62d33b94c264c6df6562e8c69942d6b ("[PATCH v2 1/3] btrfs: do not start relocation until in progress drops are done")
url: https://github.com/0day-ci/linux/commits/Josef-Bacik/btrfs-fix-problem-with-balance-recovery-and-snap-delete/20220220-181947
base: https://git.kernel.org/cgit/linux/kernel/git/kdave/linux.git for-next
patch link: https://lore.kernel.org/linux-btrfs/78d6f8e496b367fc520549ab00465cbd704ea22f.1645214059.git.josef@toxicpanda.com
in testcase: xfstests
version: xfstests-x86_64-1de1db8-1_20220217
with following parameters:
disk: 6HDD
fs: btrfs
test: btrfs-group-21
ucode: 0x28
test-description: xfstests is a regression test suite for xfs and other file systems.
test-url: git://git.kernel.org/pub/scm/fs/xfs/xfstests-dev.git
on test machine: 8 threads 1 sockets Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz with 8G memory
caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):
If you fix the issue, kindly add following tag
Reported-by: kernel test robot <[email protected]>
[ 78.855835][ T9578] ==================================================================
[ 78.863642][ T9578] BUG: KASAN: use-after-free in btrfs_drop_snapshot+0x1299/0x19c0 [btrfs]
[ 78.871945][ T9578] Read of size 8 at addr ffff88810acc1038 by task btrfs/9578
[ 78.879066][ T9578]
[ 78.881220][ T9578] CPU: 0 PID: 9578 Comm: btrfs Not tainted 5.17.0-rc4-00117-g0ac06c96a62d #1
[ 78.889709][ T9578] Hardware name: Dell Inc. OptiPlex 9020/0DNKMN, BIOS A05 12/05/2013
[ 78.897512][ T9578] Call Trace:
[ 78.900607][ T9578] <TASK>
[ 78.903358][ T9578] dump_stack_lvl+0x34/0x44
[ 78.907656][ T9578] print_address_description+0x21/0x180
[ 78.914007][ T9578] ? btrfs_drop_snapshot+0x1299/0x19c0 [btrfs]
[ 78.919979][ T9578] kasan_report.cold+0x7f/0x11b
[ 78.924616][ T9578] ? btrfs_drop_snapshot+0x1299/0x19c0 [btrfs]
[ 78.930581][ T9578] kasan_check_range+0x14d/0x200
[ 78.935303][ T9578] btrfs_drop_snapshot+0x1299/0x19c0 [btrfs]
[ 78.941094][ T9578] ? btrfs_commit_transaction+0x1bf1/0x3040 [btrfs]
[ 78.947487][ T9578] ? btrfs_alloc_tree_block+0x780/0x780 [btrfs]
[ 78.953532][ T9578] ? join_transaction+0x26e/0xec0 [btrfs]
[ 78.959064][ T9578] ? btrfs_apply_pending_changes+0x80/0x80 [btrfs]
[ 78.965365][ T9578] ? btrfs_record_root_in_trans+0x4d/0x180 [btrfs]
[ 78.971670][ T9578] clean_dirty_subvols+0x19f/0x400 [btrfs]
[ 78.977301][ T9578] relocate_block_group+0x732/0xb40 [btrfs]
[ 78.983015][ T9578] ? merge_reloc_roots+0x7c0/0x7c0 [btrfs]
[ 78.988645][ T9578] ? mutex_lock+0x80/0x100
[ 78.992851][ T9578] ? __mutex_lock_slowpath+0x40/0x40
[ 78.997917][ T9578] btrfs_relocate_block_group+0x46e/0xac0 [btrfs]
[ 79.004143][ T9578] ? block_group_cache_tree_search+0x156/0x300 [btrfs]
[ 79.010802][ T9578] btrfs_relocate_chunk+0xe1/0x280 [btrfs]
[ 79.016428][ T9578] __btrfs_balance+0x8ef/0x1b00 [btrfs]
[ 79.021795][ T9578] ? describe_balance_start_or_resume.cold+0x91/0xa0 [btrfs]
[ 79.028967][ T9578] ? btrfs_relocate_chunk+0x280/0x280 [btrfs]
[ 79.034848][ T9578] ? mutex_unlock+0x80/0x100
[ 79.039226][ T9578] ? __mutex_unlock_slowpath+0x300/0x300
[ 79.045235][ T9578] ? __raw_callee_save___native_queued_spin_unlock+0x11/0x1e
[ 79.052355][ T9578] btrfs_balance+0xc65/0x17c0 [btrfs]
[ 79.057553][ T9578] btrfs_ioctl_balance+0x457/0x600 [btrfs]
[ 79.063179][ T9578] btrfs_ioctl+0x25f5/0x5200 [btrfs]
[ 79.068291][ T9578] ? folio_add_lru+0x4d/0x80
[ 79.072672][ T9578] ? do_anonymous_page+0x81c/0xfc0
[ 79.077566][ T9578] ? btrfs_ioctl_get_supported_features+0x40/0x40 [btrfs]
[ 79.084473][ T9578] ? __handle_mm_fault+0x1259/0x1640
[ 79.089538][ T9578] ? fiemap_prep+0x200/0x200
[ 79.093919][ T9578] ? copy_page_range+0x1040/0x1040
[ 79.098813][ T9578] ? userfaultfd_unmap_prep+0x440/0x440
[ 79.104136][ T9578] ? handle_mm_fault+0x1be/0x6c0
[ 79.108858][ T9578] ? __fget_light+0x57/0x540
[ 79.113239][ T9578] ? up_read+0x15/0xc0
[ 79.117109][ T9578] ? do_user_addr_fault+0x320/0xd80
[ 79.122089][ T9578] __x64_sys_ioctl+0x127/0x1c0
[ 79.126643][ T9578] do_syscall_64+0x3b/0xc0
[ 79.130854][ T9578] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 79.136518][ T9578] RIP: 0033:0x7f5d5b9cb427
[ 79.140729][ T9578] Code: 00 00 90 48 8b 05 69 aa 0c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 39 aa 0c 00 f7 d8 64 89 01 48
[ 79.159913][ T9578] RSP: 002b:00007ffd2e638178 EFLAGS: 00000206 ORIG_RAX: 0000000000000010
[ 79.168061][ T9578] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f5d5b9cb427
[ 79.175777][ T9578] RDX: 00007ffd2e638208 RSI: 00000000c4009420 RDI: 0000000000000004
[ 79.183493][ T9578] RBP: 00007ffd2e638208 R08: 0000000000000003 R09: 0000000000000078
[ 79.191208][ T9578] R10: fffffffffffffa4a R11: 0000000000000206 R12: 0000000000000004
[ 79.198924][ T9578] R13: 00007ffd2e63a91b R14: 0000000000000001 R15: 0000000000000000
[ 79.206639][ T9578] </TASK>
[ 79.209487][ T9578]
[ 79.211641][ T9578] Allocated by task 9578:
[ 79.215763][ T9578] kasan_save_stack+0x1e/0x40
[ 79.220228][ T9578] __kasan_kmalloc+0x81/0xc0
[ 79.224610][ T9578] btrfs_alloc_root+0x4f/0xf80 [btrfs]
[ 79.229879][ T9578] read_tree_root_path+0xb4/0x3c0 [btrfs]
[ 79.235404][ T9578] btrfs_read_tree_root+0x34/0x80 [btrfs]
[ 79.240944][ T9578] create_reloc_root+0x49e/0xb40 [btrfs]
[ 79.246395][ T9578] btrfs_init_reloc_root+0x3f1/0x540 [btrfs]
[ 79.252198][ T9578] record_root_in_trans+0x25b/0x340 [btrfs]
[ 79.257896][ T9578] btrfs_record_root_in_trans+0xda/0x180 [btrfs]
[ 79.264021][ T9578] relocate_tree_blocks+0xa51/0x1600 [btrfs]
[ 79.269815][ T9578] relocate_block_group+0x4b0/0xb40 [btrfs]
[ 79.275519][ T9578] btrfs_relocate_block_group+0x46e/0xac0 [btrfs]
[ 79.281741][ T9578] btrfs_relocate_chunk+0xe1/0x280 [btrfs]
[ 79.287359][ T9578] __btrfs_balance+0x8ef/0x1b00 [btrfs]
[ 79.292722][ T9578] btrfs_balance+0xc65/0x17c0 [btrfs]
[ 79.297910][ T9578] btrfs_ioctl_balance+0x457/0x600 [btrfs]
[ 79.303530][ T9578] btrfs_ioctl+0x25f5/0x5200 [btrfs]
[ 79.308632][ T9578] __x64_sys_ioctl+0x127/0x1c0
[ 79.313186][ T9578] do_syscall_64+0x3b/0xc0
[ 79.317395][ T9578] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 79.323059][ T9578]
[ 79.325210][ T9578] Freed by task 9578:
[ 79.328991][ T9578] kasan_save_stack+0x1e/0x40
[ 79.333464][ T9578] kasan_set_track+0x21/0x40
[ 79.337844][ T9578] kasan_set_free_info+0x20/0x40
[ 79.342567][ T9578] __kasan_slab_free+0xf9/0x140
[ 79.347203][ T9578] kfree+0x8e/0x400
[ 79.350814][ T9578] btrfs_drop_snapshot+0x12e7/0x19c0 [btrfs]
[ 79.356596][ T9578] clean_dirty_subvols+0x19f/0x400 [btrfs]
[ 79.362217][ T9578] relocate_block_group+0x732/0xb40 [btrfs]
[ 79.367929][ T9578] btrfs_relocate_block_group+0x46e/0xac0 [btrfs]
[ 79.374149][ T9578] btrfs_relocate_chunk+0xe1/0x280 [btrfs]
[ 79.379766][ T9578] __btrfs_balance+0x8ef/0x1b00 [btrfs]
[ 79.385126][ T9578] btrfs_balance+0xc65/0x17c0 [btrfs]
[ 79.390316][ T9578] btrfs_ioctl_balance+0x457/0x600 [btrfs]
[ 79.395936][ T9578] btrfs_ioctl+0x25f5/0x5200 [btrfs]
[ 79.401039][ T9578] __x64_sys_ioctl+0x127/0x1c0
[ 79.405589][ T9578] do_syscall_64+0x3b/0xc0
[ 79.409796][ T9578] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 79.415463][ T9578]
[ 79.417617][ T9578] Last potentially related work creation:
[ 79.423109][ T9578] kasan_save_stack+0x1e/0x40
[ 79.427575][ T9578] __kasan_record_aux_stack+0x97/0xc0
[ 79.432727][ T9578] call_rcu+0xd0/0x1200
[ 79.436677][ T9578] netlink_release+0x426/0x980
[ 79.441231][ T9578] __sock_release+0xc5/0x280
[ 79.445612][ T9578] sock_close+0x11/0x40
[ 79.449563][ T9578] __fput+0x1fd/0x8c0
[ 79.453345][ T9578] task_work_run+0xdb/0x180
[ 79.457641][ T9578] do_exit+0x92b/0x2640
[ 79.461594][ T9578] do_group_exit+0xab/0x280
[ 79.465885][ T9578] __x64_sys_exit_group+0x3a/0x80
[ 79.470692][ T9578] do_syscall_64+0x3b/0xc0
[ 79.474902][ T9578] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 79.480566][ T9578]
[ 79.482719][ T9578] The buggy address belongs to the object at ffff88810acc1000
[ 79.482719][ T9578] which belongs to the cache kmalloc-2k of size 2048
[ 79.496428][ T9578] The buggy address is located 56 bytes inside of
[ 79.496428][ T9578] 2048-byte region [ffff88810acc1000, ffff88810acc1800)
[ 79.509369][ T9578] The buggy address belongs to the page:
[ 79.514774][ T9578] page:00000000ba9d679b refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10acc0
[ 79.524718][ T9578] head:00000000ba9d679b order:3 compound_mapcount:0 compound_pincount:0
[ 79.532779][ T9578] flags: 0x17ffffc0010200(slab|head|node=0|zone=2|lastcpupid=0x1fffff)
[ 79.540755][ T9578] raw: 0017ffffc0010200 ffffea0004c09800 dead000000000002 ffff888100042f00
[ 79.549072][ T9578] raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
[ 79.557387][ T9578] page dumped because: kasan: bad access detected
[ 79.563563][ T9578]
[ 79.565716][ T9578] Memory state around the buggy address:
[ 79.571123][ T9578] ffff88810acc0f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 79.578926][ T9578] ffff88810acc0f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 79.586726][ T9578] >ffff88810acc1000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.594529][ T9578] ^
[ 79.600194][ T9578] ffff88810acc1080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.607995][ T9578] ffff88810acc1100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.615798][ T9578] ==================================================================
To reproduce:
        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        sudo bin/lkp install job.yaml           # job file is attached in this email
        bin/lkp split-job --compatible job.yaml # generate the yaml file for lkp run
        sudo bin/lkp run generated-yaml-file

        # if come across any failure that blocks the test,
        # please remove ~/.lkp and /lkp dir to run from a clean state.
---
0DAY/LKP+ Test Infrastructure Open Source Technology Center
https://lists.01.org/hyperkitty/list/[email protected] Intel Corporation
Thanks,
Oliver Sang