[bug report]kernel BUG at fs/btrfs/zoned.c:2587! triggered by blktests zbd/009

[bug report]kernel BUG at fs/btrfs/zoned.c:2587! triggered by blktests zbd/009

[Yi Zhang]

Hello
The kernel BUG was triggered by blktests zbd/009 on v6.17-rc3, please
help check it and let me know if you need any infor/test for it,
thanks.

# ./check zbd/009
zbd/009 (test gap zone support with BTRFS)                   [failed]
    runtime  1.777s  ...  5.890s
    --- tests/zbd/009.out 2025-09-02 20:08:01.638628999 -0400
    +++ /root/blktests/results/nodev/zbd/009.out.bad 2025-09-03
04:18:32.360095891 -0400
    @@ -1,2 +1,4 @@
     Running zbd/009
    -Test complete
    +tests/zbd/009: line 42:  1461 Segmentation fault         mount -t
btrfs "${dev}" "${mount_dir}"
    +modprobe: FATAL: Module scsi_debug is in use.
    +Test failed
modprobe: FATAL: Module scsi_debug is in use.

[  317.501900] run blktests zbd/009 at 2025-09-03 04:33:43
[  317.661628] sd 13:0:0:0: [sdn] Synchronizing SCSI cache
[  318.464792] scsi_debug:sdebug_driver_probe: scsi_debug: trim
poll_queues to 0. poll_q/nr_hw = (0/1)
[  318.474936] scsi host13: scsi_debug: version 0191 [20210520]
                 dev_size_mb=1024, opts=0x0, submit_queues=1, statistics=0
[  318.502019] scsi 13:0:0:0: Direct-Access-ZBC Linux    scsi_debug
   0191 PQ: 0 ANSI: 7
[  318.514301] scsi 13:0:0:0: Power-on or device reset occurred
[  318.526186] sd 13:0:0:0: Attached scsi generic sg13 type 20
[  318.527006] sd 13:0:0:0: [sdn] Host-managed zoned block device
[  318.543292] sd 13:0:0:0: [sdn] 262144 4096-byte logical blocks:
(1.07 GB/1.00 GiB)
[  318.552614] sd 13:0:0:0: [sdn] Write Protect is off
[  318.558137] sd 13:0:0:0: [sdn] Mode Sense: 5b 00 10 08
[  318.558555] sd 13:0:0:0: [sdn] Write cache: enabled, read cache:
enabled, supports DPO and FUA
[  318.568950] sd 13:0:0:0: [sdn] permanent stream count = 5
[  318.576121] sd 13:0:0:0: [sdn] Preferred minimum I/O size 4096 bytes
[  318.583446] sd 13:0:0:0: [sdn] Optimal transfer size 4194304 bytes
[  318.593500] sd 13:0:0:0: [sdn] 256 zones of 1024 logical blocks
[  318.651787] sd 13:0:0:0: [sdn] Attached SCSI disk
[  319.736198] BTRFS: device fsid 2c2dcb97-3f07-481c-ad31-dce6d400c303
devid 1 transid 8 /dev/sdn (8:208) scanned by mount (1370)
[  319.755053] BTRFS info (device sdn): first mount of filesystem
2c2dcb97-3f07-481c-ad31-dce6d400c303
[  319.765257] BTRFS info (device sdn): using crc32c (crc32c-lib)
checksum algorithm
[  319.795471] BTRFS info (device sdn): host-managed zoned block
device /dev/sdn, 256 zones of 4194304 bytes
[  319.806542] BTRFS info (device sdn): zoned mode enabled with zone
size 4194304
[  319.819821] assertion failed: bg->zone_unusable == 0 :: 0, in
fs/btrfs/zoned.c:2587
[  319.828449] ------------[ cut here ]------------
[  319.833618] kernel BUG at fs/btrfs/zoned.c:2587!
[  319.838793] Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
[  319.844829] CPU: 3 UID: 0 PID: 1370 Comm: mount Tainted: G        W
         ------  ---
6.17.0-0.rc3.250826gfab1beda7597.32.fc44.x86_64+debug #1 PREEMPT(lazy)
[  319.860948] Tainted: [W]=WARN
[  319.864259] Hardware name: Dell Inc. PowerEdge R730/0WCJNT, BIOS
2.19.0 12/12/2023
[  319.872704] RIP: 0010:btrfs_zoned_reserve_data_reloc_bg.cold+0xb2/0xb4
[  319.880014] Code: ab e8 7e ab f7 ff 0f 0b 41 b8 1b 0a 00 00 48 c7
c1 80 9f 59 ab 31 d2 48 c7 c6 20 b8 59 ab 48 c7 c7 20 a0 59 ab e8 5a
ab f7 ff <0f> 0b 41 b8 5f 0a 00 00 48 c7 c1 80 9f 59 ab 31 d2 48 c7 c6
00 b9
[  319.900977] RSP: 0018:ffffc9000c21f930 EFLAGS: 00010282
[  319.906816] RAX: 0000000000000047 RBX: ffff8888d1a54000 RCX: 0000000000000000
[  319.914783] RDX: 0000000000000047 RSI: 1ffffffff629cc84 RDI: fffff52001843f18
[  319.922742] RBP: ffff888121b7c000 R08: ffffffffa802cbb5 R09: fffff52001843edc
[  319.930709] R10: 0000000000000003 R11: 0000000000000001 R12: 0000000000000000
[  319.938666] R13: 0000000000000001 R14: ffff888121b7c128 R15: ffff88810f379800
[  319.946625] FS:  00007fbd89e98840(0000) GS:ffff8890af8e8000(0000)
knlGS:0000000000000000
[  319.955661] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  319.962077] CR2: 0000559e0ad4b540 CR3: 00000008e14ce003 CR4: 00000000003726f0
[  319.970046] Call Trace:
[  319.972767]  <TASK>
[  319.975102]  ? create_space_info+0x155/0x390
[  319.979880]  open_ctree+0x1874/0x2203
[  319.983977]  btrfs_fill_super.cold+0x2c/0x16d
[  319.988850]  btrfs_get_tree_super+0x936/0xd60
[  319.993725]  btrfs_get_tree_subvol+0x230/0x5f0
[  319.998692]  vfs_get_tree+0x8b/0x2f0
[  320.002690]  ? capable+0x58/0xc0
[  320.006299]  vfs_cmd_create+0xbd/0x280
[  320.010490]  __do_sys_fsconfig+0x659/0xa40
[  320.015066]  ? __pfx___do_sys_fsconfig+0x10/0x10
[  320.020223]  ? rcu_is_watching+0x15/0xe0
[  320.024608]  ? __pfx___mutex_lock+0x10/0x10
[  320.029282]  ? fscontext_read+0x24e/0x2a0
[  320.033761]  ? file_has_perm+0x25b/0x320
[  320.038149]  ? __pfx___mutex_unlock_slowpath+0x10/0x10
[  320.043892]  do_syscall_64+0x98/0x3c0
[  320.047991]  ? fscontext_read+0x24e/0x2a0
[  320.052468]  ? rw_verify_area+0x6f/0x5f0
[  320.056855]  ? vfs_read+0x171/0xb20
[  320.060753]  ? vfs_fstatat+0x75/0xa0
[  320.064752]  ? __pfx_vfs_read+0x10/0x10
[  320.069038]  ? vfs_fstatat+0x75/0xa0
[  320.073032]  ? __pfx_map_id_range_up+0x10/0x10
[  320.078002]  ? __do_sys_newfstatat+0x83/0xe0
[  320.082773]  ? __pfx___do_sys_newfstatat+0x10/0x10
[  320.088128]  ? from_kgid_munged+0x8c/0x120
[  320.092707]  ? ksys_read+0xff/0x200
[  320.096606]  ? __pfx_ksys_read+0x10/0x10
[  320.100987]  ? trace_hardirqs_on_prepare+0x1d/0x30
[  320.106342]  ? do_syscall_64+0x161/0x3c0
[  320.110725]  ? trace_irq_enable.constprop.0+0xc0/0x100
[  320.116465]  ? rcu_is_watching+0x15/0xe0
[  320.120847]  ? trace_irq_enable.constprop.0+0xc0/0x100
[  320.126587]  ? trace_hardirqs_on_prepare+0x1d/0x30
[  320.131938]  ? do_syscall_64+0x161/0x3c0
[  320.136322]  ? trace_hardirqs_on_prepare+0x1d/0x30
[  320.141674]  ? do_syscall_64+0x161/0x3c0
[  320.146055]  ? rcu_is_watching+0x15/0xe0
[  320.150438]  ? trace_irq_enable.constprop.0+0xc0/0x100
[  320.156178]  ? trace_hardirqs_on_prepare+0x1d/0x30
[  320.161529]  ? do_syscall_64+0x161/0x3c0
[  320.165912]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
[  320.171556] RIP: 0033:0x7fbd8a0782ce
[  320.175566] Code: 73 01 c3 48 8b 0d 32 3b 0f 00 f7 d8 64 89 01 48
83 c8 ff c3 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 49 89 ca b8 af 01 00
00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 02 3b 0f 00 f7 d8 64 89
01 48
[  320.196527] RSP: 002b:00007ffee3b47c88 EFLAGS: 00000246 ORIG_RAX:
00000000000001af
[  320.204984] RAX: ffffffffffffffda RBX: 0000557b66ff26f0 RCX: 00007fbd8a0782ce
[  320.212951] RDX: 0000000000000000 RSI: 0000000000000006 RDI: 0000000000000003
[  320.220917] RBP: 00007ffee3b47dd0 R08: 0000000000000000 R09: 0000000000000000
[  320.228876] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[  320.236843] R13: 0000557b66ff3860 R14: 00007fbd8a1f9a60 R15: 0000557b66ff3928
[  320.244817]  </TASK>
[  320.247257] Modules linked in: scsi_debug null_blk platform_profile
dell_wmi dell_smbios dell_wmi_descriptor sparse_keymap iTCO_wdt rfkill
intel_rapl_msr video intel_pmc_bxt iTCO_vendor_support
intel_rapl_common dcdbas intel_uncore_frequency
intel_uncore_frequency_common sb_edac x86_pkg_temp_thermal
intel_powerclamp coretemp kvm_intel kvm irqbypass rapl intel_cstate
intel_uncore bnx2x mxm_wmi i40e mei_me mei mdio libie bna lpc_ich
libie_adminq ipmi_ssif ipmi_si acpi_power_meter acpi_ipmi ipmi_devintf
ipmi_msghandler fuse loop nfnetlink zram lz4hc_compress lz4_compress
nvme mgag200 polyval_clmulni nvme_core i2c_algo_bit
ghash_clmulni_intel nvme_keyring bfa nvme_auth megaraid_sas
scsi_transport_fc wmi i2c_dev [last unloaded: scsi_debug]
[  320.320131] ---[ end trace 0000000000000000 ]---
[  320.389848] RIP: 0010:btrfs_zoned_reserve_data_reloc_bg.cold+0xb2/0xb4
[  320.397161] Code: ab e8 7e ab f7 ff 0f 0b 41 b8 1b 0a 00 00 48 c7
c1 80 9f 59 ab 31 d2 48 c7 c6 20 b8 59 ab 48 c7 c7 20 a0 59 ab e8 5a
ab f7 ff <0f> 0b 41 b8 5f 0a 00 00 48 c7 c1 80 9f 59 ab 31 d2 48 c7 c6
00 b9
[  320.418138] RSP: 0018:ffffc9000c21f930 EFLAGS: 00010282
[  320.423987] RAX: 0000000000000047 RBX: ffff8888d1a54000 RCX: 0000000000000000
[  320.431967] RDX: 0000000000000047 RSI: 1ffffffff629cc84 RDI: fffff52001843f18
[  320.439947] RBP: ffff888121b7c000 R08: ffffffffa802cbb5 R09: fffff52001843edc
[  320.447924] R10: 0000000000000003 R11: 0000000000000001 R12: 0000000000000000
[  320.455903] R13: 0000000000000001 R14: ffff888121b7c128 R15: ffff88810f379800
[  320.463881] FS:  00007fbd89e98840(0000) GS:ffff8890af8e8000(0000)
knlGS:0000000000000000
[  320.472926] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  320.479353] CR2: 0000559e0ad4b540 CR3: 00000008e14ce003 CR4: 00000000003726f0
[  320.487333] note: mount[1370] exited with preempt_count 1


-- 
Best Regards,
  Yi Zhang

Re: [bug report]kernel BUG at fs/btrfs/zoned.c:2587! triggered by blktests zbd/009

[Johannes Thumshirn]

On 9/3/25 10:36 AM, Yi Zhang wrote:
> The kernel BUG was triggered by blktests zbd/009 on v6.17-rc3, please
> help check it and let me know if you need any infor/test for it,
> thanks.
[...]
> [  319.819821] assertion failed: bg->zone_unusable == 0 :: 0, in
> fs/btrfs/zoned.c:2587
> [  319.828449] ------------[ cut here ]------------
> [  319.833618] kernel BUG at fs/btrfs/zoned.c:2587!
> [  319.838793] Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
> [  319.844829] CPU: 3 UID: 0 PID: 1370 Comm: mount Tainted: G        W
>           ------  ---
> 6.17.0-0.rc3.250826gfab1beda7597.32.fc44.x86_64+debug #1 PREEMPT(lazy)
> [  319.860948] Tainted: [W]=WARN
> [  319.864259] Hardware name: Dell Inc. PowerEdge R730/0WCJNT, BIOS
> 2.19.0 12/12/2023
> [  319.872704] RIP: 0010:btrfs_zoned_reserve_data_reloc_bg.cold+0xb2/0xb4
> [  319.880014] Code: ab e8 7e ab f7 ff 0f 0b 41 b8 1b 0a 00 00 48 c7
> c1 80 9f 59 ab 31 d2 48 c7 c6 20 b8 59 ab 48 c7 c7 20 a0 59 ab e8 5a
> ab f7 ff <0f> 0b 41 b8 5f 0a 00 00 48 c7 c1 80 9f 59 ab 31 d2 48 c7 c6
> 00 b9
> [  319.900977] RSP: 0018:ffffc9000c21f930 EFLAGS: 00010282
> [  319.906816] RAX: 0000000000000047 RBX: ffff8888d1a54000 RCX: 0000000000000000
> [  319.914783] RDX: 0000000000000047 RSI: 1ffffffff629cc84 RDI: fffff52001843f18
> [  319.922742] RBP: ffff888121b7c000 R08: ffffffffa802cbb5 R09: fffff52001843edc
> [  319.930709] R10: 0000000000000003 R11: 0000000000000001 R12: 0000000000000000
> [  319.938666] R13: 0000000000000001 R14: ffff888121b7c128 R15: ffff88810f379800
> [  319.946625] FS:  00007fbd89e98840(0000) GS:ffff8890af8e8000(0000)
> knlGS:0000000000000000
> [  319.955661] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [  319.962077] CR2: 0000559e0ad4b540 CR3: 00000008e14ce003 CR4: 00000000003726f0
> [  319.970046] Call Trace:
> [  319.972767]  <TASK>
> [  319.975102]  ? create_space_info+0x155/0x390
> [  319.979880]  open_ctree+0x1874/0x2203
> [  319.983977]  btrfs_fill_super.cold+0x2c/0x16d
> [  319.988850]  btrfs_get_tree_super+0x936/0xd60
> [  319.993725]  btrfs_get_tree_subvol+0x230/0x5f0
>

OK the problem is, we're ASSERTing if zone_unusable is 0 and that 
obviously fails, because zbd/009 configures scsi_debug with a zone_size 
of 4MB and a zone_capacity of 3MB. This automatically leads to an 
assertion failure as bg->zone_unusable is 1MB.

The test in there is to check if we have an empty block-group.
@Naohiro what do you think of the following:

diff --git a/fs/btrfs/zoned.c b/fs/btrfs/zoned.c
index 6e66ec491181..f897f914b78e 100644
--- a/fs/btrfs/zoned.c
+++ b/fs/btrfs/zoned.c
@@ -2590,7 +2590,8 @@ void btrfs_zoned_reserve_data_reloc_bg(struct 
btrfs_fs_info *fs_info)
                         space_info->disk_total -= bg->length * factor;
                         /* There is no allocation ever happened. */
                         ASSERT(bg->used == 0);
-                       ASSERT(bg->zone_unusable == 0);
+                       ASSERT(bg->zone_unusable == 0 ||
+                              bg->length - bg->zone_unusable == 
bg->zone_capacity);
                         /* No super block in a block group on the zoned 
setup. */
                         ASSERT(bg->bytes_super == 0);
                         spin_unlock(&space_info->lock);

Re: [bug report]kernel BUG at fs/btrfs/zoned.c:2587! triggered by blktests zbd/009

[Naohiro Aota]

On Wed Sep 3, 2025 at 7:40 PM JST, Johannes Thumshirn wrote:
> On 9/3/25 10:36 AM, Yi Zhang wrote:
>> The kernel BUG was triggered by blktests zbd/009 on v6.17-rc3, please
>> help check it and let me know if you need any infor/test for it,
>> thanks.
> [...]
>> [  319.819821] assertion failed: bg->zone_unusable == 0 :: 0, in
>> fs/btrfs/zoned.c:2587
>> [  319.828449] ------------[ cut here ]------------
>> [  319.833618] kernel BUG at fs/btrfs/zoned.c:2587!
>> [  319.838793] Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
>> [  319.844829] CPU: 3 UID: 0 PID: 1370 Comm: mount Tainted: G        W
>>           ------  ---
>> 6.17.0-0.rc3.250826gfab1beda7597.32.fc44.x86_64+debug #1 PREEMPT(lazy)
>> [  319.860948] Tainted: [W]=WARN
>> [  319.864259] Hardware name: Dell Inc. PowerEdge R730/0WCJNT, BIOS
>> 2.19.0 12/12/2023
>> [  319.872704] RIP: 0010:btrfs_zoned_reserve_data_reloc_bg.cold+0xb2/0xb4
>> [  319.880014] Code: ab e8 7e ab f7 ff 0f 0b 41 b8 1b 0a 00 00 48 c7
>> c1 80 9f 59 ab 31 d2 48 c7 c6 20 b8 59 ab 48 c7 c7 20 a0 59 ab e8 5a
>> ab f7 ff <0f> 0b 41 b8 5f 0a 00 00 48 c7 c1 80 9f 59 ab 31 d2 48 c7 c6
>> 00 b9
>> [  319.900977] RSP: 0018:ffffc9000c21f930 EFLAGS: 00010282
>> [  319.906816] RAX: 0000000000000047 RBX: ffff8888d1a54000 RCX: 0000000000000000
>> [  319.914783] RDX: 0000000000000047 RSI: 1ffffffff629cc84 RDI: fffff52001843f18
>> [  319.922742] RBP: ffff888121b7c000 R08: ffffffffa802cbb5 R09: fffff52001843edc
>> [  319.930709] R10: 0000000000000003 R11: 0000000000000001 R12: 0000000000000000
>> [  319.938666] R13: 0000000000000001 R14: ffff888121b7c128 R15: ffff88810f379800
>> [  319.946625] FS:  00007fbd89e98840(0000) GS:ffff8890af8e8000(0000)
>> knlGS:0000000000000000
>> [  319.955661] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> [  319.962077] CR2: 0000559e0ad4b540 CR3: 00000008e14ce003 CR4: 00000000003726f0
>> [  319.970046] Call Trace:
>> [  319.972767]  <TASK>
>> [  319.975102]  ? create_space_info+0x155/0x390
>> [  319.979880]  open_ctree+0x1874/0x2203
>> [  319.983977]  btrfs_fill_super.cold+0x2c/0x16d
>> [  319.988850]  btrfs_get_tree_super+0x936/0xd60
>> [  319.993725]  btrfs_get_tree_subvol+0x230/0x5f0
>>
>
> OK the problem is, we're ASSERTing if zone_unusable is 0 and that 
> obviously fails, because zbd/009 configures scsi_debug with a zone_size 
> of 4MB and a zone_capacity of 3MB. This automatically leads to an 
> assertion failure as bg->zone_unusable is 1MB.
>
> The test in there is to check if we have an empty block-group.
> @Naohiro what do you think of the following:
>
> diff --git a/fs/btrfs/zoned.c b/fs/btrfs/zoned.c
> index 6e66ec491181..f897f914b78e 100644
> --- a/fs/btrfs/zoned.c
> +++ b/fs/btrfs/zoned.c
> @@ -2590,7 +2590,8 @@ void btrfs_zoned_reserve_data_reloc_bg(struct 
> btrfs_fs_info *fs_info)
>                          space_info->disk_total -= bg->length * factor;
>                          /* There is no allocation ever happened. */
>                          ASSERT(bg->used == 0);
> -                       ASSERT(bg->zone_unusable == 0);
> +                       ASSERT(bg->zone_unusable == 0 ||
> +                              bg->length - bg->zone_unusable == 
> bg->zone_capacity);

Nah, then, we must handle the space_info->bytes_zone_unsable properly.
We need to do "space_info->disk_total -= bg->zone_unusable;" and we can
just drop the ASSERT.

>                          /* No super block in a block group on the zoned 
> setup. */
>                          ASSERT(bg->bytes_super == 0);
>                          spin_unlock(&space_info->lock);