From: Leo Martins <loemra.dev@gmail.com>
To: Christoph Hellwig <hch@infradead.org>
Cc: Qu Wenruo <quwenruo.btrfs@gmx.com>, linux-btrfs@vger.kernel.org
Subject: Re: btrfs/071 is unhappy on 6.18-rc2
Date: Mon, 20 Oct 2025 09:55:10 -0700 [thread overview]
Message-ID: <20251020165512.3843091-1-loemra.dev@gmail.com> (raw)
In-Reply-To: <aPZE--T-nj0dKB0A@infradead.org>
On Mon, 20 Oct 2025 07:19:39 -0700 Christoph Hellwig <hch@infradead.org> wrote:
> KASAN output:
>
> [ 75.341543] ==================================================================
> [ 75.341824] BUG: KASAN: slab-use-after-free in btrfs_kill_all_delayed_nodes+0x46f/0x4c0
> [ 75.342082] Read of size 8 at addr ffff88812389f380 by task btrfs-cleaner/4493
> [ 75.342310]
> [ 75.342369] CPU: 1 UID: 0 PID: 4493 Comm: btrfs-cleaner Tainted: G N 6.18.0-rc2+ #4115 PREEMPT(f
> [ 75.342372] Tainted: [N]=TEST
> [ 75.342373] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
> [ 75.342374] Call Trace:
> [ 75.342375] <TASK>
> [ 75.342376] dump_stack_lvl+0x4b/0x70
> [ 75.342379] print_report+0x174/0x4e7
> [ 75.342382] ? __virt_addr_valid+0x1bb/0x2f0
> [ 75.342384] ? btrfs_kill_all_delayed_nodes+0x46f/0x4c0
> [ 75.342385] kasan_report+0xd2/0x100
> [ 75.342387] ? btrfs_kill_all_delayed_nodes+0x46f/0x4c0
> [ 75.342388] btrfs_kill_all_delayed_nodes+0x46f/0x4c0
> [ 75.342389] ? _raw_spin_unlock+0x13/0x30
> [ 75.342392] ? __pfx_btrfs_kill_all_delayed_nodes+0x10/0x10
> [ 75.342393] ? do_raw_spin_lock+0x128/0x260
> [ 75.342395] ? __pfx_do_raw_spin_lock+0x10/0x10
> [ 75.342397] ? list_lru_add_obj+0xfb/0x1a0
> [ 75.342399] ? do_raw_spin_lock+0x128/0x260
> [ 75.342401] ? __pfx_do_raw_spin_lock+0x10/0x10
> [ 75.342402] btrfs_clean_one_deleted_snapshot+0x143/0x370
> [ 75.342405] cleaner_kthread+0x1ee/0x300
> [ 75.342406] ? __pfx_cleaner_kthread+0x10/0x10
> [ 75.342407] kthread+0x37f/0x6f0
> [ 75.342409] ? __pfx_kthread+0x10/0x10
> [ 75.342411] ? __pfx_kthread+0x10/0x10
> [ 75.342412] ? __pfx_kthread+0x10/0x10
> [ 75.342413] ret_from_fork+0x17d/0x240
> [ 75.342415] ? __pfx_kthread+0x10/0x10
> [ 75.342416] ret_from_fork_asm+0x1a/0x30
> [ 75.342419] </TASK>
> [ 75.342419]
> [ 75.345517] Allocated by task 4527:
> [ 75.345517] kasan_save_stack+0x22/0x40
> [ 75.345517] kasan_save_track+0x14/0x30
> [ 75.345517] __kasan_slab_alloc+0x6e/0x70
> [ 75.345517] kmem_cache_alloc_noprof+0x14c/0x400
> [ 75.345517] btrfs_get_or_create_delayed_node+0x9e/0x9e0
> [ 75.345517] btrfs_insert_delayed_dir_index+0xe4/0x8a0
> [ 75.345517] btrfs_insert_dir_item+0x4c1/0x720
> [ 75.345517] btrfs_add_link+0x173/0xa30
> [ 75.345517] btrfs_create_new_inode+0x1551/0x2650
> [ 75.345517] btrfs_create_common+0x17b/0x200
> [ 75.345517] vfs_mknod+0x3a7/0x600
> [ 75.345517] do_mknodat+0x34e/0x520
> [ 75.345517] __x64_sys_mknodat+0xaa/0xe0
> [ 75.345517] do_syscall_64+0x50/0xfa0
> [ 75.345517] entry_SYSCALL_64_after_hwframe+0x76/0x7e
> [ 75.345517]
> [ 75.345517] Freed by task 4493:
> [ 75.345517] kasan_save_stack+0x22/0x40
> [ 75.345517] kasan_save_track+0x14/0x30
> [ 75.345517] __kasan_save_free_info+0x3b/0x70
> [ 75.345517] __kasan_slab_free+0x43/0x70
> [ 75.345517] kmem_cache_free+0x172/0x610
> [ 75.345517] btrfs_kill_all_delayed_nodes+0x2db/0x4c0
> [ 75.345517] btrfs_clean_one_deleted_snapshot+0x143/0x370
> [ 75.345517] cleaner_kthread+0x1ee/0x300
> [ 75.345517] kthread+0x37f/0x6f0
> [ 75.345517] ret_from_fork+0x17d/0x240
> [ 75.345517] ret_from_fork_asm+0x1a/0x30
> [ 75.345517]
> [ 75.345517] The buggy address belongs to the object at ffff88812389f370
> [ 75.345517] which belongs to the cache btrfs_delayed_node of size 440
> [ 75.345517] The buggy address is located 16 bytes inside of
> [ 75.345517] freed 440-byte region [ffff88812389f370, ffff88812389f528)
> [ 75.345517]
> [ 75.345517] The buggy address belongs to the physical page:
> [ 75.345517] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12389e
> [ 75.345517] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
> [ 75.345517] flags: 0x4000000000000040(head|zone=2)
> [ 75.345517] page_type: f5(slab)
> [ 75.345517] raw: 4000000000000040 ffff88810bcaadc0 ffffea0004487a10 ffff88810c6e6d80
> [ 75.345517] raw: 0000000000000000 00000000000e000e 00000000f5000000 0000000000000000
> [ 75.345517] head: 4000000000000040 ffff88810bcaadc0 ffffea0004487a10 ffff88810c6e6d80
> [ 75.345517] head: 0000000000000000 00000000000e000e 00000000f5000000 0000000000000000
> [ 75.345517] head: 4000000000000001 ffffea00048e2781 00000000ffffffff 00000000ffffffff
> [ 75.345517] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
> [ 75.345517] page dumped because: kasan: bad access detected
> [ 75.345517]
> [ 75.345517] Memory state around the buggy address:
> [ 75.345517] ffff88812389f280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 75.345517] ffff88812389f300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fa fb
> [ 75.345517] >ffff88812389f380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> [ 75.345517] ^
> [ 75.345517] ffff88812389f400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> [ 75.345517] ffff88812389f480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> [ 75.345517] ==================================================================
> [ 75.501545] Disabling lock debugging due to kernel taint
>
>
> gdb) l *(btrfs_kill_all_delayed_nodes+0x46f)
> 0xffffffff82f2422f is in btrfs_kill_all_delayed_nodes (fs/btrfs/delayed-inode.h:219).
> 214 ref_tracker_dir_exit(&node->ref_dir.dir);
> 215 }
> 216
> 217 static inline void btrfs_delayed_node_ref_tracker_dir_print(struct btrfs_delayed_node *node)
> 218 {
> 219 if (!btrfs_test_opt(node->root->fs_info, REF_TRACKER))
> 220 return;
> 221
> 222 ref_tracker_dir_print(&node->ref_dir.dir,
> 223 BTRFS_DELAYED_NODE_REF_TRACKER_DISPLAY_LIMIT);
This is a use after free bug with my ref_tracker patch, it's trying to print delayed_node ref_tracker
stats after the delayed node has been freed. Will send a fix in a second.
next prev parent reply other threads:[~2025-10-20 16:55 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-20 7:22 btrfs/071 is unhappy on 6.18-rc2 Christoph Hellwig
2025-10-20 9:11 ` Qu Wenruo
2025-10-20 9:46 ` Christoph Hellwig
2025-10-20 10:26 ` Qu Wenruo
2025-10-20 14:19 ` Christoph Hellwig
2025-10-20 16:55 ` Leo Martins [this message]
2025-10-20 23:25 ` Leo Martins
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251020165512.3843091-1-loemra.dev@gmail.com \
--to=loemra.dev@gmail.com \
--cc=hch@infradead.org \
--cc=linux-btrfs@vger.kernel.org \
--cc=quwenruo.btrfs@gmx.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.