Bug 218720 - btrfs delalloc BUG: kernel NULL pointer dereference, address: 0000000000000208 in find_lock_delalloc_range on kernel 6.8.4
Summary: btrfs delalloc BUG: kernel NULL pointer dereference, address: 000000000000020...
Status: NEW
Alias: None
Product: File System
Classification: Unclassified
Component: btrfs
Hardware: All Linux
Importance: P3 normal
Assignee: BTRFS virtual assignee
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-04-13 02:17 UTC by michal+kernel
Modified: 2024-04-15 13:03 UTC
CC: 2 users

See Also:
Kernel Version: 6.8.4
Subsystem:
Regression: No
Bisected commit-id:


Attachments
Kernel config (143.36 KB, text/plain), 2024-04-13 02:17 UTC, michal+kernel
Decoded backtrace for 6.8.6 kernel (7.28 KB, text/plain), 2024-04-14 23:43 UTC, michal+kernel

Description michal+kernel 2024-04-13 02:17:58 UTC
Created attachment 306141: Kernel config

[    2.163982][    T1] BTRFS: selftest: running find delalloc tests
[    2.189610][    T1] BUG: kernel NULL pointer dereference, address: 0000000000000208
[    2.191307][    T1] #PF: supervisor read access in kernel mode
[    2.192656][    T1] #PF: error_code(0x0000) - not-present page
[    2.194019][    T1] PGD 0 P4D 0 
[    2.194828][    T1] Oops: 0000 [#1] PREEMPT SMP
[    2.195893][    T1] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G                T  6.8.4-gentoo #1 abb0330f21b742a99b9fd652457bd3b25faa28dd
[    2.198582][    T1] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 4.2023.08-4 02/15/2024
[    2.200501][    T1] RIP: 0010:find_lock_delalloc_range+0x39/0x2d0
[    2.201918][    T1] Code: 89 d4 55 53 bb 00 00 00 08 48 83 ec 30 4c 8b 39 48 89 4c 24 08 65 48 8b 04 25 28 00 00 00 48 89 44 24 28 48 8b 87 40 fe ff ff <48> 8b 90 08 02 00 00 49 8b 04 24 48 85 d2 74 07 48 8b 9a a0 0c 00
[    2.206076][    T1] RSP: 0000:ffffbb7980023d78 EFLAGS: 00010286
[    2.207456][    T1] RAX: 0000000000000000 RBX: 0000000008000000 RCX: ffffbb7980023e08
[    2.209222][    T1] RDX: ffffbb7980023e00 RSI: ffffdbbf84086fc0 RDI: ffff9c93005d01c0
[    2.210955][    T1] RBP: ffffdbbf84086fc0 R08: 0000000000000000 R09: 0000000000000000
[    2.212718][    T1] R10: 0000000000000006 R11: 0000000000000009 R12: ffffbb7980023e00
[    2.214471][    T1] R13: ffff9c93005d01c0 R14: ffffdbbf84086fc0 R15: 0000000000000fff
[    2.216224][    T1] FS:  0000000000000000(0000) GS:ffff9c937bd00000(0000) knlGS:0000000000000000
[    2.218197][    T1] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    2.219720][    T1] CR2: 0000000000000208 CR3: 000000003fa44000 CR4: 00000000000406f0
[    2.221510][    T1] Call Trace:
[    2.222367][    T1]  <TASK>
[    2.223155][    T1]  ? __die+0x1a/0x60
[    2.224164][    T1]  ? page_fault_oops+0x17c/0x490
[    2.225371][    T1]  ? exc_page_fault+0x63/0x120
[    2.226521][    T1]  ? asm_exc_page_fault+0x22/0x30
[    2.227681][    T1]  ? find_lock_delalloc_range+0x39/0x2d0
[    2.228993][    T1]  btrfs_test_extent_io+0x11f/0x12e0
[    2.230214][    T1]  btrfs_run_sanity_tests+0x85/0x140
[    2.231452][    T1]  init_btrfs_fs+0x13/0x90
[    2.232510][    T1]  ? btrfs_print_mod_info+0x20/0x20
[    2.233768][    T1]  do_one_initcall+0x4f/0x200
[    2.234881][    T1]  kernel_init_freeable+0x19b/0x2d0
[    2.236087][    T1]  ? rest_init+0xc0/0xc0
[    2.237096][    T1]  kernel_init+0x11/0x190
[    2.238117][    T1]  ret_from_fork+0x28/0x40
[    2.239198][    T1]  ? rest_init+0xc0/0xc0
[    2.240238][    T1]  ret_from_fork_asm+0x11/0x20
[    2.241381][    T1]  </TASK>
[    2.242137][    T1] Modules linked in:
[    2.243113][    T1] CR2: 0000000000000208
[    2.244140][    T1] ---[ end trace 0000000000000000 ]---
[    2.245411][    T1] RIP: 0010:find_lock_delalloc_range+0x39/0x2d0
[    2.246800][    T1] Code: 89 d4 55 53 bb 00 00 00 08 48 83 ec 30 4c 8b 39 48 89 4c 24 08 65 48 8b 04 25 28 00 00 00 48 89 44 24 28 48 8b 87 40 fe ff ff <48> 8b 90 08 02 00 00 49 8b 04 24 48 85 d2 74 07 48 8b 9a a0 0c 00
[    2.250895][    T1] RSP: 0000:ffffbb7980023d78 EFLAGS: 00010286
[    2.252273][    T1] RAX: 0000000000000000 RBX: 0000000008000000 RCX: ffffbb7980023e08
[    2.254009][    T1] RDX: ffffbb7980023e00 RSI: ffffdbbf84086fc0 RDI: ffff9c93005d01c0
[    2.255771][    T1] RBP: ffffdbbf84086fc0 R08: 0000000000000000 R09: 0000000000000000
[    2.257527][    T1] R10: 0000000000000006 R11: 0000000000000009 R12: ffffbb7980023e00
[    2.259228][    T1] R13: ffff9c93005d01c0 R14: ffffdbbf84086fc0 R15: 0000000000000fff
[    2.260936][    T1] FS:  0000000000000000(0000) GS:ffff9c937bd00000(0000) knlGS:0000000000000000
[    2.262847][    T1] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    2.264300][    T1] CR2: 0000000000000208 CR3: 000000003fa44000 CR4: 00000000000406f0
[    2.266014][    T1] note: swapper/0[1] exited with irqs disabled
[    2.267436][    C1] vkms_vblank_simulate: vblank timer overrun
[    2.268821][    T1] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000009
[    2.270880][    T1] Kernel Offset: 0x25c00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[    2.273453][    T1] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000009 ]---

Working on 6.8.1, broken on 6.8.4
Comment 1 michal+kernel 2024-04-14 23:43:19 UTC
Created attachment 306151: Decoded backtrace for 6.8.6 kernel
Comment 2 michal+kernel 2024-04-15 00:07:05 UTC
Some info about fs:
sudo btrfs filesystem show /dev/sda2
Label: none  uuid: aa55857a-761f-41b9-9fcb-4a01efe7d8b2
	Total devices 1 FS bytes used 12.59GiB
	devid    1 size 14.51GiB used 14.51GiB path /dev/sda2
sudo btrfs subvolume show /
/
	Name: 			<FS_TREE>
	UUID: 			bac4b7fe-d1b6-45be-b02b-4567b21bc078
	Parent UUID: 		-
	Received UUID: 		-
	Creation time: 		2024-04-12 23:57:55 +0200
	Subvolume ID: 		5
	Generation: 		903
	Gen at creation: 	0
	Parent ID: 		0
	Top level ID: 		0
	Flags: 			-
	Send transid: 		0
	Send time: 		2024-04-12 23:57:55 +0200
	Receive transid: 	0
	Receive time: 		-
	Snapshot(s):
	Quota group:		n/a
$ lsblk
NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINTS
sda      8:0    0   16G  0 disk 
├─sda1   8:1    0  500M  0 part /boot/efi
├─sda2   8:2    0 14.5G  0 part /
└─sda3   8:3    0    1G  0 part 
After the change of resolving btrfs_fs_info based on the inode from the path via the superblock (resolved to NULL) to the path via btrfs_root, there is a dereference of the NULLed root from btrfs_inode.
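A small triage helper, added here as an example (not code from the bug reporters or from the kernel tree): it parses oops lines like the ones in this bug, handles both printk prefixes seen here (the boot-time "[ secs][ Tnnn]" form and the dmesg -T wall-clock form in comment 4), reads the fault address, flags 0x208 as a NULL base plus a struct field offset, and picks the first call-trace frame not marked "?" (the caller known to be live). The sample lines are copied from the 6.8.4 oops in the description; the one-page threshold in classify_fault is my heuristic, not a kernel rule.

```python
import re

# Constructed sample: lines copied from the 6.8.4 boot-time oops in this bug's description.
SAMPLE_OOPS = """\
[    2.189610][    T1] BUG: kernel NULL pointer dereference, address: 0000000000000208
[    2.200501][    T1] RIP: 0010:find_lock_delalloc_range+0x39/0x2d0
[    2.222367][    T1]  <TASK>
[    2.227681][    T1]  ? find_lock_delalloc_range+0x39/0x2d0
[    2.228993][    T1]  btrfs_test_extent_io+0x11f/0x12e0
[    2.230214][    T1]  btrfs_run_sanity_tests+0x85/0x140
[    2.231452][    T1]  init_btrfs_fs+0x13/0x90
[    2.241381][    T1]  </TASK>
"""
# printk prefix: one or more "[...]" groups, i.e. "[ secs][ Tnnn]" or a dmesg -T wall-clock stamp.
PREFIX = re.compile(r"^(?:\[[^\]]*\])+\s?")
# symbol+0xoff/0xsize, optionally preceded by "? " and followed by " [module]".
FRAME = re.compile(r"^(\?\s+)?([\w.]+)\+0x([0-9a-f]+)/0x([0-9a-f]+)(?:\s+\[(\w+)\])?$")

def strip_prefix(line):
    return PREFIX.sub("", line, count=1)

def parse_oops(text):
    """Extract fault address, faulting symbol/module and the call trace from an x86 oops."""
    info = {"address": None, "rip": None, "module": None, "trace": []}
    in_trace = False
    for raw in text.splitlines():
        line = strip_prefix(raw).strip()
        m = re.match(r"BUG: kernel NULL pointer dereference, address: ([0-9a-f]+)$", line)
        if m:
            info["address"] = int(m.group(1), 16)
        elif line.startswith("RIP: ") and (f := FRAME.match(line.split(":", 2)[2])):
            info["rip"], info["module"] = f.group(2), f.group(5)
        elif line == "<TASK>":
            in_trace = True
        elif line == "</TASK>":
            in_trace = False
        elif in_trace and (f := FRAME.match(line)):
            # A leading "?" marks a stale stack slot, not a frame proven to be live.
            info["trace"].append((f.group(2), f.group(1) is not None))
    return info

def classify_fault(address, page_size=4096):
    """Heuristic: an address below one page is a NULL base plus a struct field offset."""
    if address is None:
        return "no-null-deref"
    return "null-plus-offset" if address < page_size else "wild-pointer"

def first_confirmed_caller(info):
    # Topmost trace frame without "?": the caller that is certainly on the live path.
    return next((sym for sym, stale in info["trace"] if not stale), None)
```

Running it on the description's oops reports a NULL-plus-0x208 read in find_lock_delalloc_range reached from btrfs_test_extent_io, which matches the selftest path named in the trace.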
Comment 3 The Linux kernel's regression tracker (Thorsten Leemhuis) 2024-04-15 07:30:49 UTC
Will be fixed with the next stable release, see https://lore.kernel.org/all/3b2d9a1c-37d2-47f4-b0b4-a9d6c34d2c7d@applied-asynchrony.com/
Comment 4 Lucas Bocchi 2024-04-15 13:03:30 UTC
Same error here on 6.8.6. The error crashes the machine and causes an OOPS in the kernel, hanging up the OS.

[seg abr 15 09:50:00 2024] BUG: kernel NULL pointer dereference, address: 0000000000000208
[seg abr 15 09:50:00 2024] #PF: supervisor read access in kernel mode
[seg abr 15 09:50:00 2024] #PF: error_code(0x0000) - not-present page
[seg abr 15 09:50:00 2024] PGD 0 P4D 0
[seg abr 15 09:50:00 2024] Oops: 0000 [#1] PREEMPT SMP NOPTI
[seg abr 15 09:50:00 2024] CPU: 3 PID: 404 Comm: modprobe Tainted: G        W        N 6.8.6 #1
[seg abr 15 09:50:00 2024] Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./H410M/ac, BIOS L1.32 04/01/2021
[seg abr 15 09:50:00 2024] RIP: 0010:find_lock_delalloc_range+0x42/0x2d0 [btrfs]
[seg abr 15 09:50:00 2024] Code: 89 d4 55 53 bb 00 00 00 08 48 83 ec 30 4c 8b 39 48 89 4c 24 08 65 48 8b 04 25 28 00 00 00 48 89 44 24 28 48 8b 87 40 fe ff ff <48> 8b 90 08 02 00 00 49 8b 04 24 48 85 d2 74 07 48 8b 9a a0 0c 00
[seg abr 15 09:50:00 2024] RSP: 0018:ffffac060052f8b0 EFLAGS: 00010282
[seg abr 15 09:50:00 2024] RAX: 0000000000000000 RBX: 0000000008000000 RCX: ffffac060052f948
[seg abr 15 09:50:00 2024] RDX: ffffac060052f940 RSI: fffff94004769d40 RDI: ffff951a84c901c0
[seg abr 15 09:50:00 2024] RBP: fffff94004769d40 R08: 0000000000000000 R09: 0000000000000000
[seg abr 15 09:50:00 2024] R10: 0000000000000000 R11: 0000000000000c40 R12: ffffac060052f940
[seg abr 15 09:50:00 2024] R13: ffff951a84c901c0 R14: fffff94004769d40 R15: 0000000000000fff
[seg abr 15 09:50:00 2024] FS:  00007f0a73d57040(0000) GS:ffff9521bf980000(0000) knlGS:0000000000000000
[seg abr 15 09:50:00 2024] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[seg abr 15 09:50:00 2024] CR2: 0000000000000208 CR3: 00000001148b8005 CR4: 00000000003706f0
[seg abr 15 09:50:00 2024] Call Trace:
[seg abr 15 09:50:00 2024]  <TASK>
[seg abr 15 09:50:00 2024]  ? __die+0x23/0x70
[seg abr 15 09:50:00 2024]  ? page_fault_oops+0x159/0x460
[seg abr 15 09:50:00 2024]  ? exc_page_fault+0x7e/0x180
[seg abr 15 09:50:00 2024]  ? asm_exc_page_fault+0x26/0x30
[seg abr 15 09:50:00 2024]  ? find_lock_delalloc_range+0x42/0x2d0 [btrfs]
[seg abr 15 09:50:00 2024]  btrfs_test_extent_io+0x117/0x12e0 [btrfs]
[seg abr 15 09:50:00 2024]  btrfs_run_sanity_tests+0x8e/0x150 [btrfs]
[seg abr 15 09:50:00 2024]  init_btrfs_fs+0x1f/0xb0 [btrfs]
[seg abr 15 09:50:00 2024]  ? __pfx_init_btrfs_fs+0x10/0x10 [btrfs]
[seg abr 15 09:50:00 2024]  do_one_initcall+0x45/0x220
[seg abr 15 09:50:00 2024]  do_init_module+0x60/0x230
[seg abr 15 09:50:00 2024]  init_module_from_file+0x86/0xc0
[seg abr 15 09:50:00 2024]  idempotent_init_module+0x109/0x2a0
[seg abr 15 09:50:00 2024]  __x64_sys_finit_module+0x5e/0xb0
[seg abr 15 09:50:00 2024]  do_syscall_64+0x84/0x1a0
[seg abr 15 09:50:00 2024]  ? apparmor_file_permission+0x81/0x1a0
[seg abr 15 09:50:00 2024]  ? vfs_read+0x27f/0x350
[seg abr 15 09:50:00 2024]  ? vfs_read+0x27f/0x350
[seg abr 15 09:50:00 2024]  ? rseq_get_rseq_cs+0x1d/0x270
[seg abr 15 09:50:00 2024]  ? __rseq_handle_notify_resume+0x8a/0x2c0
[seg abr 15 09:50:00 2024]  ? restore_fpregs_from_fpstate+0x46/0xb0
[seg abr 15 09:50:00 2024]  ? switch_fpu_return+0x50/0xe0
[seg abr 15 09:50:00 2024]  ? syscall_exit_to_user_mode+0x88/0x210
[seg abr 15 09:50:00 2024]  ? do_syscall_64+0x90/0x1a0
[seg abr 15 09:50:00 2024]  ? rseq_syscall+0x4b/0x90
[seg abr 15 09:50:00 2024]  ? rseq_get_rseq_cs+0x1d/0x270
[seg abr 15 09:50:00 2024]  ? syscall_exit_to_user_mode_prepare+0x21/0x1c0
[seg abr 15 09:50:00 2024]  ? syscall_exit_to_user_mode+0x88/0x210
[seg abr 15 09:50:00 2024]  ? do_syscall_64+0x90/0x1a0
[seg abr 15 09:50:00 2024]  ? syscall_exit_to_user_mode_prepare+0x21/0x1c0
[seg abr 15 09:50:00 2024]  ? syscall_exit_to_user_mode+0x88/0x210
[seg abr 15 09:50:00 2024]  ? do_syscall_64+0x90/0x1a0
[seg abr 15 09:50:00 2024]  ? tick_sched_handle+0x21/0x60
[seg abr 15 09:50:00 2024]  ? rseq_get_rseq_cs+0x1d/0x270
[seg abr 15 09:50:00 2024]  ? rseq_syscall+0x4b/0x90
[seg abr 15 09:50:00 2024]  ? syscall_exit_to_user_mode_prepare+0x21/0x1c0
[seg abr 15 09:50:00 2024]  ? syscall_exit_to_user_mode+0x88/0x210
[seg abr 15 09:50:00 2024]  ? do_syscall_64+0x90/0x1a0
[seg abr 15 09:50:00 2024]  entry_SYSCALL_64_after_hwframe+0x78/0x80
[seg abr 15 09:50:00 2024] RIP: 0033:0x7f0a7371f059
[seg abr 15 09:50:00 2024] Code: 08 89 e8 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 8f 1d 0d 00 f7 d8 64 89 01 48
[seg abr 15 09:50:00 2024] RSP: 002b:00007ffdedb7e908 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[seg abr 15 09:50:00 2024] RAX: ffffffffffffffda RBX: 000056432917de00 RCX: 00007f0a7371f059
[seg abr 15 09:50:00 2024] RDX: 0000000000000000 RSI: 000056432845998b RDI: 0000000000000004
[seg abr 15 09:50:00 2024] RBP: 0000000000000000 R08: 0000000000000060 R09: 0000564329181840
[seg abr 15 09:50:00 2024] R10: 0000000000000038 R11: 0000000000000246 R12: 000056432845998b
[seg abr 15 09:50:00 2024] R13: 0000000000040000 R14: 000056432917e020 R15: 0000000000000000
[seg abr 15 09:50:00 2024]  </TASK>
[seg abr 15 09:50:00 2024] Modules linked in: btrfs(+) x86_pkg_temp_thermal intel_powerclamp snd_pcm_oss snd_mixer_oss iwlwifi crct10dif_pclmul polyval_clmulni snd_pcm snd_timer ice(+) polyval_generic f2fs blake2b_generic gf128mul snd xor ghash_clmulni_intel sha512_ssse3 cfg80211 sha512_generic sha256_ssse3 sha1_ssse3 crc32_generic crc32_pclmul lz4hc_compress raid6_pq lz4_compress aesni_intel libcrc32c crypto_simd nvme cryptd soundcore gnss sg iTCO_wdt rfkill xhci_pci mei_hdcp rapl iTCO_vendor_support xhci_pci_renesas mei_me tiny_power_button xhci_hcd intel_cstate pcspkr wmi_bmof i2c_i801 usbcore intel_uncore e1000e i2c_smbus usb_common igc button acpi_tad acpi_pad mei nvme_fabrics dm_mod nvme_core efi_pstore loop nct6775 nct6775_core hwmon_vid nvme_auth coretemp fuse nfnetlink efivarfs ip_tables x_tables autofs4 ext4 crc32c_generic crc16 mbcache jbd2 sd_mod t10_pi crc64_rocksoft crc64 evdev i915 cec rc_core i2c_algo_bit drm_buddy ttm drm_display_helper drm_kms_helper ahci libahci libata crc32c_intel drm rtc_cmos scsi_mod
[seg abr 15 09:50:00 2024]  scsi_common video wmi
[seg abr 15 09:50:00 2024] CR2: 0000000000000208
[seg abr 15 09:50:00 2024] ---[ end trace 0000000000000000 ]---
[seg abr 15 09:50:00 2024] RIP: 0010:find_lock_delalloc_range+0x42/0x2d0 [btrfs]
[seg abr 15 09:50:00 2024] Code: 89 d4 55 53 bb 00 00 00 08 48 83 ec 30 4c 8b 39 48 89 4c 24 08 65 48 8b 04 25 28 00 00 00 48 89 44 24 28 48 8b 87 40 fe ff ff <48> 8b 90 08 02 00 00 49 8b 04 24 48 85 d2 74 07 48 8b 9a a0 0c 00
[seg abr 15 09:50:00 2024] RSP: 0018:ffffac060052f8b0 EFLAGS: 00010282
[seg abr 15 09:50:00 2024] RAX: 0000000000000000 RBX: 0000000008000000 RCX: ffffac060052f948
[seg abr 15 09:50:00 2024] RDX: ffffac060052f940 RSI: fffff94004769d40 RDI: ffff951a84c901c0
[seg abr 15 09:50:00 2024] RBP: fffff94004769d40 R08: 0000000000000000 R09: 0000000000000000
[seg abr 15 09:50:00 2024] R10: 0000000000000000 R11: 0000000000000c40 R12: ffffac060052f940
[seg abr 15 09:50:00 2024] R13: ffff951a84c901c0 R14: fffff94004769d40 R15: 0000000000000fff
[seg abr 15 09:50:00 2024] FS:  00007f0a73d57040(0000) GS:ffff9521bf980000(0000) knlGS:0000000000000000
[seg abr 15 09:50:00 2024] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[seg abr 15 09:50:00 2024] CR2: 0000000000000208 CR3: 00000001148b8006 CR4: 00000000003706f0
