Message-ID: <CAFRLqsVDimnqBx0_pDF-bqEQ3epha2d3r6cKm-0b6UdzkkE42Q@mail.gmail.com>
Date: Thu, 26 Jun 2025 16:07:51 +0800
From: cen zhang <zzzccc427@...il.com>
To: clm@...com, josef@...icpanda.com, dsterba@...e.com
Cc: linux-btrfs@...r.kernel.org, linux-kernel@...r.kernel.org,
baijiaju1990@...il.com, zhenghaoran154@...il.com
Subject: [BUG] btrfs: Assertion failed in btrfs_exclop_balance on balance ioctl
Hello Btrfs maintainers,
I would like to report a kernel BUG, which appears to be a state
management issue in the balance ioctl path.
The kernel panics due to a failed assertion in btrfs_exclop_balance()
at fs/btrfs/fs.c:127. The assertion fs_info->exclusive_operation ==
BTRFS_EXCLOP_BALANCE_PAUSED fails, indicating that the function was
called with an unexpected exclusive operation state.
Here are the relevant details:
Kernel Version: 6.16.0-rc1-g7f6432600434-dirty
Hardware: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996)
Crash Log:
assertion failed: fs_info->exclusive_operation ==
BTRFS_EXCLOP_BALANCE_PAUSED :: 0, in fs/btrfs/fs.c:127
------------[ cut here ]------------
kernel BUG at fs/btrfs/fs.c:127!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 95466 Comm: syz-executor.6 Not tainted
6.16.0-rc1-g7f6432600434-dirty #52 PREEMPT(voluntary)
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS
1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:btrfs_exclop_balance+0x632/0x640 fs/btrfs/fs.c:127
Code: b5 fe e8 11 0c c7 fe 48 c7 c7 60 06 19 9c 48 c7 c6 80 08 19 9c
31 d2 48 c7 c1 40 08 19 9c 41 b8 7f 00 00 00 e8 7f 2e 7b fe 90 <0f> 0b
66 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90
RSP: 0018:ffff88811c37fd88 EFLAGS: 00010246
RAX: 0000000000000068 RBX: 0000000000000000 RCX: 7c00c5848baac500
RDX: ffffc9001dfc5000 RSI: 000000000000092e RDI: 000000000000092f
RBP: 1ffff110277c95ae R08: ffff88811c37fc2f R09: 1ffff1102386ff85
R10: dffffc0000000000 R11: ffffed102386ff86 R12: ffff88813be4ad70
R13: 1ffffda204ef92b5 R14: dffffc0000000000 R15: ffffed10277c95ae
FS: 00007fda4d92c6c0(0000) GS:ffff88840ff1b000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b31222000 CR3: 000000012ebdb000 CR4: 00000000000006f0
Call Trace:
<TASK>
btrfs_ioctl_balance+0x9bd/0xf10 fs/btrfs/ioctl.c:3548
btrfs_ioctl+0x104f/0x1480 fs/btrfs/ioctl.c:5303
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl+0xd1/0x130 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcf/0x240 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fda4e7fa35d
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fda4d92c0a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fda4e94c1f0 RCX: 00007fda4e7fa35d
RDX: 0000000020008c40 RSI: 00000000c4009420 RDI: 0000000000000003
RBP: 00007fda4e86b4b1 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: ffffffffffffffb8 R14: 00007fda4e94c1f0 R15: 00007ffc61c2f0d0
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:btrfs_exclop_balance+0x632/0x640 fs/btrfs/fs.c:127
Code: b5 fe e8 11 0c c7 fe 48 c7 c7 60 06 19 9c 48 c7 c6 80 08 19 9c
31 d2 48 c7 c1 40 08 19 9c 41 b8 7f 00 00 00 e8 7f 2e 7b fe 90 <0f> 0b
66 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90
RSP: 0018:ffff88811c37fd88 EFLAGS: 00010246
RAX: 0000000000000068 RBX: 0000000000000000 RCX: 7c00c5848baac500
RDX: ffffc9001dfc5000 RSI: 000000000000092e RDI: 000000000000092f
RBP: 1ffff110277c95ae R08: ffff88811c37fc2f R09: 1ffff1102386ff85
R10: dffffc0000000000 R11: ffffed102386ff86 R12: ffff88813be4ad70
R13: 1ffffda204ef92b5 R14: dffffc0000000000 R15: ffffed10277c95ae
FS: 00007fda4d92c6c0(0000) GS:ffff88840ff1b000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b31222000 CR3: 000000012ebdb000 CR4: 00000000000006f0
note: syz-executor.6[95466] exited with preempt_count 1
Here is the machine info:
--------------------------------------------------------------------------------
QEMU emulator version 8.2.2 (Debian 1:8.2.2+ds-0ubuntu1.7)
qemu-system-x86_64 ["-m" "16384" "-smp" "4" "-chardev"
"socket,id=SOCKSYZ,server=on,wait=off,host=localhost,port=24674"
"-mon" "chardev=SOCKSYZ,mode=control" "-display" "none" "-serial"
"stdio" "-no-reboot" "-name" "VM-1" "-device" "virtio-rng-pci"
"-enable-kvm" "-hdb"
"/home/zzzccc/go-work/syzkaller-old/syzkaller/test/btrfs/disk.qcow2"
"-device" "e1000,netdev=net0" "-netdev"
"user,id=net0,restrict=on,hostfwd=tcp:127.0.0.1:35475-:22,hostfwd=tcp::7313-:6060"
"-hda" "/home/zzzccc/go-work/syzkaller-old/syzkaller/test/btrfs/bookworm.img"
"-snapshot" "-kernel" "/home/zzzccc/linux-DDRD/arch/x86/boot/bzImage"
"-append" "root=/dev/sda console=ttyS0 "]
[CPU Info]
processor : 0, 1, 2, 3
vendor_id : AuthenticAMD
cpu family : 15
model : 107
model name : QEMU Virtual CPU version 2.5+
stepping : 1
microcode : 0x1000065
cpu MHz : 3593.248
cache size : 512 KB
physical id : 0
siblings : 4
core id : 0, 1, 2, 3
cpu cores : 4
apicid : 0, 1, 2, 3
initial apicid : 0, 1, 2, 3
fpu : yes
fpu_exception : yes
cpuid level : 13
wp : yes
flags : fpu de pse tsc msr pae mce cx8 apic sep mtrr pge
mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx lm rep_good
nopl cpuid extd_apicid tsc_known_freq pni cx16 x2apic hypervisor
lahf_lm cmp_legacy svm 3dnowprefetch vmmcall
bugs : fxsave_leak sysret_ss_attrs null_seg
swapgs_fence amd_e400 spectre_v1 spectre_v2 spectre_v2_user
bogomips : 7186.49
TLB size : 1024 4K pages
clflush size : 64
cache_alignment : 64
address sizes : 40 bits physical, 48 bits virtual
power management :
--------------------------------------------------------------------------------
Here is the log of this bug: https://github.com/zzzcccyyyggg/Syzkaller-log/blob/main/c206ec44dc552558339e6db76afe471d2dcee23b/log3
Thank you for your attention to this matter.
Best regards,
Cen Zhang