lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <69502d75.050a0220.35954c.0098.GAE@google.com>
Date: Sat, 27 Dec 2025 11:03:17 -0800
From: syzbot <syzbot+6bcfce568a4af2a909bc@...kaller.appspotmail.com>
To: clm@...com, dsterba@...e.com, josef@...icpanda.com, 
	linux-btrfs@...r.kernel.org, linux-kernel@...r.kernel.org, 
	syzkaller-bugs@...glegroups.com
Subject: [syzbot] [btrfs?] kernel BUG in submit_compressed_extents

Hello,

syzbot found the following issue on:

HEAD commit:    b927546677c8 Merge tag 'dma-mapping-6.19-2025-12-22' of gi..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1600df1a580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=513255d80ab78f2b
dashboard link: https://syzkaller.appspot.com/bug?extid=6bcfce568a4af2a909bc
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-b9275466.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/16f89c42bab9/vmlinux-b9275466.xz
kernel image: https://storage.googleapis.com/syzbot-assets/54c5ab9b0ef0/bzImage-b9275466.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+6bcfce568a4af2a909bc@...kaller.appspotmail.com

page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x6a1
head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x7ff00000000040(head|node=0|zone=0|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 007ff00000000001 ffffea000001a801 00000000ffffffff 00000000ffffffff
raw: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
head: 007ff00000000040 ffff888040d47dc0 dead000000000122 0000000000000000
head: 0000000000000000 00000000800a000a 00000000f5000000 0000000000000000
head: 007ff00000000001 ffffea000001a801 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
page dumped because: VM_BUG_ON_PAGE(page->compound_head & 1)
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd2800(GFP_NOWAIT|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 2676, tgid 2676 (kworker/u4:12), ts 86875534140, free_ts 86855865505
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x234/0x290 mm/page_alloc.c:1846
 prep_new_page mm/page_alloc.c:1854 [inline]
 get_page_from_freelist+0x24e0/0x2580 mm/page_alloc.c:3915
 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5210
 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2486
 alloc_slab_page mm/slub.c:3075 [inline]
 allocate_slab+0x86/0x3b0 mm/slub.c:3248
 new_slab mm/slub.c:3302 [inline]
 ___slab_alloc+0xe53/0x1820 mm/slub.c:4656
 __slab_alloc+0x65/0x100 mm/slub.c:4779
 __slab_alloc_node mm/slub.c:4855 [inline]
 slab_alloc_node mm/slub.c:5251 [inline]
 kmem_cache_alloc_noprof+0x40f/0x710 mm/slub.c:5270
 mempool_alloc_noprof+0x1c9/0x2f0 mm/mempool.c:567
 bio_alloc_bioset+0x337/0x14e0 block/bio.c:561
 alloc_compressed_bio fs/btrfs/compression.c:68 [inline]
 btrfs_submit_compressed_write+0x16f/0x430 fs/btrfs/compression.c:382
 submit_one_async_extent fs/btrfs/inode.c:1188 [inline]
 submit_compressed_extents+0xe7a/0x1670 fs/btrfs/inode.c:1599
 run_ordered_work fs/btrfs/async-thread.c:243 [inline]
 btrfs_work_helper+0x564/0xbf0 fs/btrfs/async-thread.c:322
 process_one_work kernel/workqueue.c:3257 [inline]
 process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
 kthread+0x711/0x8a0 kernel/kthread.c:463
page last free pid 78 tgid 78 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1395 [inline]
 free_unref_folios+0xdb3/0x14f0 mm/page_alloc.c:3000
 shrink_folio_list+0x4800/0x5010 mm/vmscan.c:1603
 evict_folios+0x473e/0x57f0 mm/vmscan.c:4711
 try_to_shrink_lruvec+0x8a3/0xb50 mm/vmscan.c:4874
 shrink_one+0x25c/0x720 mm/vmscan.c:4919
 shrink_many mm/vmscan.c:4982 [inline]
 lru_gen_shrink_node mm/vmscan.c:5060 [inline]
 shrink_node+0x2f7d/0x35b0 mm/vmscan.c:6047
 kswapd_shrink_node mm/vmscan.c:6901 [inline]
 balance_pgdat mm/vmscan.c:7084 [inline]
 kswapd+0x145a/0x2820 mm/vmscan.c:7354
 kthread+0x711/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
------------[ cut here ]------------
kernel BUG at ./include/linux/page-flags.h:351!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 2676 Comm: kworker/u4:12 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: btrfs-delalloc btrfs_work_helper
RIP: 0010:const_folio_flags include/linux/page-flags.h:351 [inline]
RIP: 0010:folio_test_head include/linux/page-flags.h:844 [inline]
RIP: 0010:folio_test_large include/linux/page-flags.h:865 [inline]
RIP: 0010:folio_order include/linux/mm.h:1246 [inline]
RIP: 0010:folio_size include/linux/mm.h:2354 [inline]
RIP: 0010:submit_one_async_extent fs/btrfs/inode.c:1128 [inline]
RIP: 0010:submit_compressed_extents+0x161a/0x1670 fs/btrfs/inode.c:1599
Code: 8c 9d 53 fe 4d 8b 1e 4c 89 ff 2e 2e 2e 41 ff d3 e9 d6 fd ff ff e8 96 f2 eb fd 4c 89 ef 48 c7 c6 00 a6 af 8b e8 07 f4 52 fd 90 <0f> 0b e8 7f f2 eb fd 48 c7 c7 40 93 af 8b 48 c7 c6 e0 a8 af 8b 31
RSP: 0018:ffffc9000ff4f7e0 EFLAGS: 00010246
RAX: b7630c6330986b00 RBX: 0000000000000001 RCX: 0000000000000000
RDX: 0000000000000006 RSI: ffffffff8d798217 RDI: 00000000ffffffff
RBP: ffffc9000ff4f9d0 R08: ffffffff8f824277 R09: 1ffffffff1f0484e
R10: dffffc0000000000 R11: fffffbfff1f0484f R12: ffffffffffffffff
R13: ffffea000001a840 R14: 0000000000005000 R15: ffff888036c31410
FS:  0000000000000000(0000) GS:ffff88808d416000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc38501a000 CR3: 00000000110e3000 CR4: 0000000000352ef0
Call Trace:
 <TASK>
 run_ordered_work fs/btrfs/async-thread.c:243 [inline]
 btrfs_work_helper+0x564/0xbf0 fs/btrfs/async-thread.c:322
 process_one_work kernel/workqueue.c:3257 [inline]
 process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
 kthread+0x711/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:const_folio_flags include/linux/page-flags.h:351 [inline]
RIP: 0010:folio_test_head include/linux/page-flags.h:844 [inline]
RIP: 0010:folio_test_large include/linux/page-flags.h:865 [inline]
RIP: 0010:folio_order include/linux/mm.h:1246 [inline]
RIP: 0010:folio_size include/linux/mm.h:2354 [inline]
RIP: 0010:submit_one_async_extent fs/btrfs/inode.c:1128 [inline]
RIP: 0010:submit_compressed_extents+0x161a/0x1670 fs/btrfs/inode.c:1599
Code: 8c 9d 53 fe 4d 8b 1e 4c 89 ff 2e 2e 2e 41 ff d3 e9 d6 fd ff ff e8 96 f2 eb fd 4c 89 ef 48 c7 c6 00 a6 af 8b e8 07 f4 52 fd 90 <0f> 0b e8 7f f2 eb fd 48 c7 c7 40 93 af 8b 48 c7 c6 e0 a8 af 8b 31
RSP: 0018:ffffc9000ff4f7e0 EFLAGS: 00010246
RAX: b7630c6330986b00 RBX: 0000000000000001 RCX: 0000000000000000
RDX: 0000000000000006 RSI: ffffffff8d798217 RDI: 00000000ffffffff
RBP: ffffc9000ff4f9d0 R08: ffffffff8f824277 R09: 1ffffffff1f0484e
R10: dffffc0000000000 R11: fffffbfff1f0484f R12: ffffffffffffffff
R13: ffffea000001a840 R14: 0000000000005000 R15: ffff888036c31410
FS:  0000000000000000(0000) GS:ffff88808d416000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc38501a000 CR3: 00000000373f0000 CR4: 0000000000352ef0


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@...glegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ