Message-ID: <0d89dd1d-3233-4ce6-85c0-a97448b8cf64@suse.com>
Date: Wed, 14 Jan 2026 06:49:11 +1030
From: Qu Wenruo <wqu@...e.com>
To: Jiaming Zhang <r772577952@...il.com>, clm@...com, dsterba@...e.com,
 linux-btrfs@...r.kernel.org
Cc: linux-kernel@...r.kernel.org, syzkaller@...glegroups.com
Subject: Re: [Linux Kernel Bug] WARNING in find_free_extent



On 2026/1/14 00:14, Jiaming Zhang wrote:
> Dear Linux kernel developers and maintainers,
> 
> We are writing to report a warning discovered in the btrfs subsystem.
> This issue is reproducible on the latest version (commit
> b71e635feefc852405b14620a7fc58c4c80c0f73).

Before the warning you have tons of fuzzed tree blocks, all rejected 
by the tree-checker.

I guess your grep script didn't really catch those warnings in the first 
place?

> 
> The kernel console output, kernel config, syzkaller reproducer, and C
> reproducer are attached to help with analysis. The KASAN report from
> kernel, formatted by syz-symbolize, is listed below:
> 
> ---
> 
> BTRFS: Transaction aborted (error -22)

Although by chance or whatever, this warning still has some value.

For a fully RO mount with all the rescue mount options, we should not 
allow any transaction to be created in the first place.

We can enhance the rescue RO mount to reject all transaction starts by 
setting the fs as error in the first place.

Other than that, this report doesn't make much sense: if you're using 
the rescue= mount option, it's already a screwed-up fs.

> WARNING: fs/btrfs/extent-tree.c:4208 at find_free_extent_update_loop
> fs/btrfs/extent-tree.c:4208 [inline], CPU#0: repro.out/9758
> WARNING: fs/btrfs/extent-tree.c:4208 at find_free_extent+0x52ee/0x5d20
> fs/btrfs/extent-tree.c:4611, CPU#0: repro.out/9758
> Modules linked in:
> CPU: 0 UID: 0 PID: 9758 Comm: repro.out Not tainted
> 6.19.0-rc5-00002-gb71e635feefc #7 PREEMPT(full)
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> RIP: 0010:find_free_extent_update_loop fs/btrfs/extent-tree.c:4208 [inline]
> RIP: 0010:find_free_extent+0x52f0/0x5d20 fs/btrfs/extent-tree.c:4611
> Code: 36 b6 01 fe e9 95 03 00 00 e8 dc 04 e8 fd 84 c0 74 66 e8 23 b6
> 01 fe e9 82 03 00 00 e8 19 b6 01 fe 48 8d 3d e2 09 b1 0b 89 ee <67> 48
> 0f b9 3a e9 60 f6 ff ff 48 8b 4c 24 78 80 e1 07 38 c1 0f 8c
> RSP: 0018:ffffc9000445eb28 EFLAGS: 00010293
> RAX: ffffffff83b4ffc7 RBX: ffff88802ad30000 RCX: ffff88802804bd80
> RDX: 0000000000000000 RSI: 00000000ffffffea RDI: ffffffff8f6609b0
> RBP: 00000000ffffffea R08: ffff88802804bd80 R09: 0000000000000003
> R10: 00000000fffffffb R11: 0000000000000000 R12: ffff88802ad30060
> R13: ffff88802ad30000 R14: 0000000000000000 R15: ffff88802ad30060
> FS:  0000000000000000(0000) GS:ffff8880994e9000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00000000004c1108 CR3: 00000000281ef000 CR4: 0000000000752ef0
> PKRU: 55555554
> Call Trace:
>   <TASK>
>   btrfs_reserve_extent+0x2cd/0x790 fs/btrfs/extent-tree.c:4705
>   btrfs_alloc_tree_block+0x1e1/0x10e0 fs/btrfs/extent-tree.c:5157
>   btrfs_force_cow_block+0x578/0x2410 fs/btrfs/ctree.c:517
>   btrfs_cow_block+0x3c4/0xa80 fs/btrfs/ctree.c:708
>   btrfs_search_slot+0xcad/0x2b50 fs/btrfs/ctree.c:2130
>   btrfs_truncate_inode_items+0x45d/0x2350 fs/btrfs/inode-item.c:499
>   btrfs_evict_inode+0x923/0xe70 fs/btrfs/inode.c:5628
>   evict+0x5f4/0xae0 fs/inode.c:837
>   __dentry_kill+0x209/0x660 fs/dcache.c:670
>   finish_dput+0xc9/0x480 fs/dcache.c:879
>   shrink_dcache_for_umount+0xa0/0x170 fs/dcache.c:1661
>   generic_shutdown_super+0x67/0x2c0 fs/super.c:621
>   kill_anon_super+0x3b/0x70 fs/super.c:1289
>   btrfs_kill_super+0x41/0x50 fs/btrfs/super.c:2127
>   deactivate_locked_super+0xbc/0x130 fs/super.c:474
>   cleanup_mnt+0x425/0x4c0 fs/namespace.c:1318
>   task_work_run+0x1d4/0x260 kernel/task_work.c:233
>   exit_task_work include/linux/task_work.h:40 [inline]
>   do_exit+0x694/0x22f0 kernel/exit.c:971
>   do_group_exit+0x21c/0x2d0 kernel/exit.c:1112
>   __do_sys_exit_group kernel/exit.c:1123 [inline]
>   __se_sys_exit_group kernel/exit.c:1121 [inline]
>   __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1121
>   x64_sys_call+0x2210/0x2210 arch/x86/include/generated/asm/syscalls_64.h:232
>   do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
>   do_syscall_64+0xe8/0xf80 arch/x86/entry/syscall_64.c:94
>   entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x44f639
> Code: Unable to access opcode bytes at 0x44f60f.
> RSP: 002b:00007ffc15c4e088 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
> RAX: ffffffffffffffda RBX: 00000000004c32f0 RCX: 000000000044f639
> RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
> RBP: 0000000000000001 R08: ffffffffffffffc0 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004c32f0
> R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
>   </TASK>
> ----------------
> Code disassembly (best guess), 2 bytes skipped:
>     0: 01 fe                add    %edi,%esi
>     2: e9 95 03 00 00        jmp    0x39c
>     7: e8 dc 04 e8 fd        call   0xfde804e8
>     c: 84 c0                test   %al,%al
>     e: 74 66                je     0x76
>    10: e8 23 b6 01 fe        call   0xfe01b638
>    15: e9 82 03 00 00        jmp    0x39c
>    1a: e8 19 b6 01 fe        call   0xfe01b638
>    1f: 48 8d 3d e2 09 b1 0b lea    0xbb109e2(%rip),%rdi        # 0xbb10a08
>    26: 89 ee                mov    %ebp,%esi
> * 28: 67 48 0f b9 3a        ud1    (%edx),%rdi <-- trapping instruction
>    2d: e9 60 f6 ff ff        jmp    0xfffff692
>    32: 48 8b 4c 24 78        mov    0x78(%rsp),%rcx
>    37: 80 e1 07              and    $0x7,%cl
>    3a: 38 c1                cmp    %al,%cl
>    3c: 0f                    .byte 0xf
>    3d: 8c                    .byte 0x8c
> 
> ---
> 
> Please let me know if any further information is required.
> 
> Best Regards,
> Jiaming Zhang
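
The enhancement Qu sketches above (mark a read-only rescue mount as errored up front so that no transaction can be started, instead of letting fuzzed metadata abort a transaction during umount-time eviction) can be illustrated with a small user-space model. This is an added example, not btrfs kernel code and not a proposed patch; every name in it (`model_fs_info`, `MODEL_FS_STATE_ERROR`, `MODEL_MNT_RESCUE_ALL`, `model_evict_on_umount`) is a stand-in chosen for illustration, loosely modelled on the fs_state error bit that btrfs uses to refuse transaction starts with -EROFS. The "before" run shows the shape of the report (a transaction is created on a rescue RO mount and aborted with -EINVAL, which is -22 on Linux); the "after" run shows the transaction being refused before it exists.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * Hypothetical user-space model (added example, not btrfs kernel code) of
 * the change discussed in the reply: a read-only rescue mount marks the
 * filesystem as errored at mount time, so every later transaction start is
 * refused with -EROFS instead of letting fuzzed metadata abort a transaction
 * mid-flight. All identifiers below are assumptions for illustration.
 */

/* Modelled after the real fs_state error bit; the value is arbitrary here. */
#define MODEL_FS_STATE_ERROR (1u << 0)

/* Mount options of the model; MODEL_MNT_RESCUE_ALL stands in for rescue=all. */
#define MODEL_MNT_RO         (1u << 0)
#define MODEL_MNT_RESCUE_ALL (1u << 1)

struct model_fs_info {
    unsigned int mount_flags;
    unsigned int fs_state;
    int tx_started;          /* how many transactions were actually created */
};

struct model_trans_handle {
    struct model_fs_info *fs_info;
    int abort_err;
};

struct model_result {
    int ret;                 /* return value of the simulated eviction */
    int tx_started;
    unsigned int fs_state;
};

/* Mount. With reject_up_front set, a RO rescue mount enters the error
 * state immediately (the enhancement suggested in the reply). */
void model_mount(struct model_fs_info *fs, unsigned int flags, bool reject_up_front)
{
    fs->mount_flags = flags;
    fs->fs_state = 0;
    fs->tx_started = 0;
    if (reject_up_front && (flags & MODEL_MNT_RO) && (flags & MODEL_MNT_RESCUE_ALL))
        fs->fs_state |= MODEL_FS_STATE_ERROR;
}

/* Transaction start: refused once the fs is in the error state. */
int model_start_transaction(struct model_fs_info *fs, struct model_trans_handle *h)
{
    if (fs->fs_state & MODEL_FS_STATE_ERROR)
        return -EROFS;
    h->fs_info = fs;
    h->abort_err = 0;
    fs->tx_started++;
    return 0;
}

/* Abort: the path the report shows, where a tree block allocation fails.
 * -EINVAL is -22 on Linux, the value in "Transaction aborted (error -22)". */
void model_abort_transaction(struct model_trans_handle *h, int err)
{
    h->abort_err = err;
    h->fs_info->fs_state |= MODEL_FS_STATE_ERROR;
    fprintf(stderr, "model: Transaction aborted (error %d)\n", err);
}

/* Simulated umount-time inode eviction that must COW a tree block, i.e. the
 * btrfs_evict_inode -> ... -> find_free_extent path in the trace above. */
struct model_result model_evict_on_umount(unsigned int flags, bool reject_up_front,
                                          bool alloc_fails)
{
    struct model_fs_info fs;
    struct model_trans_handle h;
    struct model_result r;

    model_mount(&fs, flags, reject_up_front);
    r.ret = model_start_transaction(&fs, &h);
    if (r.ret == 0 && alloc_fails) {
        model_abort_transaction(&h, -EINVAL);
        r.ret = -EINVAL;
    }
    r.tx_started = fs.tx_started;
    r.fs_state = fs.fs_state;
    return r;
}

int main(void)
{
    unsigned int rescue_ro = MODEL_MNT_RO | MODEL_MNT_RESCUE_ALL;
    struct model_result before = model_evict_on_umount(rescue_ro, false, true);
    struct model_result after  = model_evict_on_umount(rescue_ro, true, true);

    printf("without up-front rejection: ret=%d, transactions started=%d\n",
           before.ret, before.tx_started);
    printf("with up-front rejection:    ret=%d, transactions started=%d\n",
           after.ret, after.tx_started);
    return 0;
}
```

The point of the model is the ordering: in the "before" case the error state is only reached after a transaction already exists and has to be aborted, which is what produces the warning in the report; in the "after" case the rescue RO mount is already in the error state, so the eviction path gets -EROFS from the transaction start and never reaches the allocator. A plain RO mount without rescue options is left untouched by the model, matching the scope of the suggestion.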

