public inbox for linux-btrfs@vger.kernel.org
* [BUG] btrfs: Assertion failed in btrfs_exclop_balance on balance ioctl
@ 2025-06-26  8:07 cen zhang
  2025-06-26  9:20 ` Qu Wenruo
  0 siblings, 1 reply; 4+ messages in thread
From: cen zhang @ 2025-06-26  8:07 UTC (permalink / raw)
  To: clm, josef, dsterba
  Cc: linux-btrfs, linux-kernel, baijiaju1990, zhenghaoran154

Hello Btrfs maintainers,

I would like to report a kernel BUG, which appears to be a state
management issue in the balance ioctl path.

The kernel panics due to a failed assertion in btrfs_exclop_balance()
at fs/btrfs/fs.c:127. The assertion fs_info->exclusive_operation ==
BTRFS_EXCLOP_BALANCE_PAUSED fails, indicating that the function was
called with an unexpected exclusive operation state.

Here are the relevant details:

Kernel Version: 6.16.0-rc1-g7f6432600434-dirty
Hardware: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996)

Crash Log:
assertion failed: fs_info->exclusive_operation ==
BTRFS_EXCLOP_BALANCE_PAUSED :: 0, in fs/btrfs/fs.c:127
------------[ cut here ]------------
kernel BUG at fs/btrfs/fs.c:127!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 95466 Comm: syz-executor.6 Not tainted
6.16.0-rc1-g7f6432600434-dirty #52 PREEMPT(voluntary)
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS
1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:btrfs_exclop_balance+0x632/0x640 fs/btrfs/fs.c:127
Code: b5 fe e8 11 0c c7 fe 48 c7 c7 60 06 19 9c 48 c7 c6 80 08 19 9c
31 d2 48 c7 c1 40 08 19 9c 41 b8 7f 00 00 00 e8 7f 2e 7b fe 90 <0f> 0b
66 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90
RSP: 0018:ffff88811c37fd88 EFLAGS: 00010246
RAX: 0000000000000068 RBX: 0000000000000000 RCX: 7c00c5848baac500
RDX: ffffc9001dfc5000 RSI: 000000000000092e RDI: 000000000000092f
RBP: 1ffff110277c95ae R08: ffff88811c37fc2f R09: 1ffff1102386ff85
R10: dffffc0000000000 R11: ffffed102386ff86 R12: ffff88813be4ad70
R13: 1ffffda204ef92b5 R14: dffffc0000000000 R15: ffffed10277c95ae
FS:  00007fda4d92c6c0(0000) GS:ffff88840ff1b000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b31222000 CR3: 000000012ebdb000 CR4: 00000000000006f0
Call Trace:
 <TASK>
 btrfs_ioctl_balance+0x9bd/0xf10 fs/btrfs/ioctl.c:3548
 btrfs_ioctl+0x104f/0x1480 fs/btrfs/ioctl.c:5303
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl+0xd1/0x130 fs/ioctl.c:893
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcf/0x240 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fda4e7fa35d
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fda4d92c0a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fda4e94c1f0 RCX: 00007fda4e7fa35d
RDX: 0000000020008c40 RSI: 00000000c4009420 RDI: 0000000000000003
RBP: 00007fda4e86b4b1 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: ffffffffffffffb8 R14: 00007fda4e94c1f0 R15: 00007ffc61c2f0d0
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:btrfs_exclop_balance+0x632/0x640 fs/btrfs/fs.c:127
Code: b5 fe e8 11 0c c7 fe 48 c7 c7 60 06 19 9c 48 c7 c6 80 08 19 9c
31 d2 48 c7 c1 40 08 19 9c 41 b8 7f 00 00 00 e8 7f 2e 7b fe 90 <0f> 0b
66 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90
RSP: 0018:ffff88811c37fd88 EFLAGS: 00010246
RAX: 0000000000000068 RBX: 0000000000000000 RCX: 7c00c5848baac500
RDX: ffffc9001dfc5000 RSI: 000000000000092e RDI: 000000000000092f
RBP: 1ffff110277c95ae R08: ffff88811c37fc2f R09: 1ffff1102386ff85
R10: dffffc0000000000 R11: ffffed102386ff86 R12: ffff88813be4ad70
R13: 1ffffda204ef92b5 R14: dffffc0000000000 R15: ffffed10277c95ae
FS:  00007fda4d92c6c0(0000) GS:ffff88840ff1b000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b31222000 CR3: 000000012ebdb000 CR4: 00000000000006f0
note: syz-executor.6[95466] exited with preempt_count 1

Here is the machine info:
--------------------------------------------------------------------------------
QEMU emulator version 8.2.2 (Debian 1:8.2.2+ds-0ubuntu1.7)
qemu-system-x86_64 ["-m" "16384" "-smp" "4" "-chardev"
"socket,id=SOCKSYZ,server=on,wait=off,host=localhost,port=24674"
"-mon" "chardev=SOCKSYZ,mode=control" "-display" "none" "-serial"
"stdio" "-no-reboot" "-name" "VM-1" "-device" "virtio-rng-pci"
"-enable-kvm" "-hdb"
"/home/zzzccc/go-work/syzkaller-old/syzkaller/test/btrfs/disk.qcow2"
"-device" "e1000,netdev=net0" "-netdev"
"user,id=net0,restrict=on,hostfwd=tcp:127.0.0.1:35475-:22,hostfwd=tcp::7313-:6060"
"-hda" "/home/zzzccc/go-work/syzkaller-old/syzkaller/test/btrfs/bookworm.img"
"-snapshot" "-kernel" "/home/zzzccc/linux-DDRD/arch/x86/boot/bzImage"
"-append" "root=/dev/sda console=ttyS0 "]

[CPU Info]
processor           : 0, 1, 2, 3
vendor_id           : AuthenticAMD
cpu family          : 15
model               : 107
model name          : QEMU Virtual CPU version 2.5+
stepping            : 1
microcode           : 0x1000065
cpu MHz             : 3593.248
cache size          : 512 KB
physical id         : 0
siblings            : 4
core id             : 0, 1, 2, 3
cpu cores           : 4
apicid              : 0, 1, 2, 3
initial apicid      : 0, 1, 2, 3
fpu                 : yes
fpu_exception       : yes
cpuid level         : 13
wp                  : yes
flags               : fpu de pse tsc msr pae mce cx8 apic sep mtrr pge
mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx lm rep_good
nopl cpuid extd_apicid tsc_known_freq pni cx16 x2apic hypervisor
lahf_lm cmp_legacy svm 3dnowprefetch vmmcall
bugs                : fxsave_leak sysret_ss_attrs null_seg
swapgs_fence amd_e400 spectre_v1 spectre_v2 spectre_v2_user
bogomips            : 7186.49
TLB size            : 1024 4K pages
clflush size        : 64
cache_alignment     : 64
address sizes       : 40 bits physical, 48 bits virtual
power management    :

--------------------------------------------------------------------------------

Here is the log of this bug:
https://github.com/zzzcccyyyggg/Syzkaller-log/blob/main/c206ec44dc552558339e6db76afe471d2dcee23b/log3

Thank you for your attention to this matter.

Best regards,
Cen Zhang


* Re: [BUG] btrfs: Assertion failed in btrfs_exclop_balance on balance ioctl
  2025-06-26  8:07 [BUG] btrfs: Assertion failed in btrfs_exclop_balance on balance ioctl cen zhang
@ 2025-06-26  9:20 ` Qu Wenruo
  2025-06-26 14:11   ` David Sterba
  0 siblings, 1 reply; 4+ messages in thread
From: Qu Wenruo @ 2025-06-26  9:20 UTC (permalink / raw)
  To: cen zhang, clm, josef, dsterba
  Cc: linux-btrfs, linux-kernel, baijiaju1990, zhenghaoran154



On 2025/6/26 17:37, cen zhang wrote:
> Hello Btrfs maintainers,
> 
> I would like to report a kernel BUG, which appears to be a state
> management issue in the balance ioctl path.
> 
> The kernel panics due to a failed assertion in btrfs_exclop_balance()
> at fs/btrfs/fs.c:127. The assertion fs_info->exclusive_operation ==
> BTRFS_EXCLOP_BALANCE_PAUSED fails, indicating that the function was
> called with an unexpected exclusive operation state.
> 
> Here are the relevant details:
> 
> Kernel Version: 6.16.0-rc1-g7f6432600434-dirty
> Hardware: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996)

Reproducer please?

I guess you guys are running syzbot, then please provide the usual 
syzbot assets.


* Re: [BUG] btrfs: Assertion failed in btrfs_exclop_balance on balance ioctl
  2025-06-26  9:20 ` Qu Wenruo
@ 2025-06-26 14:11   ` David Sterba
  2025-06-26 14:16     ` David Sterba
  0 siblings, 1 reply; 4+ messages in thread
From: David Sterba @ 2025-06-26 14:11 UTC (permalink / raw)
  To: Qu Wenruo
  Cc: cen zhang, clm, josef, dsterba, linux-btrfs, linux-kernel,
	baijiaju1990, zhenghaoran154

On Thu, Jun 26, 2025 at 06:50:17PM +0930, Qu Wenruo wrote:
> 
> 
> On 2025/6/26 17:37, cen zhang wrote:
> > Hello Btrfs maintainers,
> > 
> > I would like to report a kernel BUG, which appears to be a state
> > management issue in the balance ioctl path.
> > 
> > The kernel panics due to a failed assertion in btrfs_exclop_balance()
> > at fs/btrfs/fs.c:127. The assertion fs_info->exclusive_operation ==
> > BTRFS_EXCLOP_BALANCE_PAUSED fails, indicating that the function was
> > called with an unexpected exclusive operation state.
> > 
> > Here are the relevant details:
> > 
> > Kernel Version: 6.16.0-rc1-g7f6432600434-dirty
> > Hardware: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996)
> 
> Reproducer please?
> 
> I guess you guys are running syzbot, then please provide the usual 
> syzbot assets.

This might be the bug that was once reported, I'll try to look it up,
some edge case of the exclusive ops and the convoluted balance states.


* Re: [BUG] btrfs: Assertion failed in btrfs_exclop_balance on balance ioctl
  2025-06-26 14:11   ` David Sterba
@ 2025-06-26 14:16     ` David Sterba
  0 siblings, 0 replies; 4+ messages in thread
From: David Sterba @ 2025-06-26 14:16 UTC (permalink / raw)
  To: Qu Wenruo
  Cc: cen zhang, clm, josef, dsterba, linux-btrfs, linux-kernel,
	baijiaju1990, zhenghaoran154

On Thu, Jun 26, 2025 at 04:11:51PM +0200, David Sterba wrote:
> On Thu, Jun 26, 2025 at 06:50:17PM +0930, Qu Wenruo wrote:
> > 
> > 
> > On 2025/6/26 17:37, cen zhang wrote:
> > > Hello Btrfs maintainers,
> > > 
> > > I would like to report a kernel BUG, which appears to be a state
> > > management issue in the balance ioctl path.
> > > 
> > > The kernel panics due to a failed assertion in btrfs_exclop_balance()
> > > at fs/btrfs/fs.c:127. The assertion fs_info->exclusive_operation ==
> > > BTRFS_EXCLOP_BALANCE_PAUSED fails, indicating that the function was
> > > called with an unexpected exclusive operation state.
> > > 
> > > Here are the relevant details:
> > > 
> > > Kernel Version: 6.16.0-rc1-g7f6432600434-dirty
> > > Hardware: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996)
> > 
> > Reproducer please?
> > 
> > I guess you guys are running syzbot, then please provide the usual 
> > syzbot assets.
> 
> This might be the bug that was once reported, I'll try to look it up,
> some edge case of the exclusive ops and the convoluted balance states.

There were several reports and proposed fixes, some of them got merged
https://lore.kernel.org/linux-btrfs/?q=xiaoshoukui

The possible and not merged fix is
https://lore.kernel.org/linux-btrfs/20230810034810.23934-1-xiaoshoukui@gmail.com/

it's adding more balance state bits, this just adds to the number of
possible states and maybe adds more unhandled cases.
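
The assertion the report describes (a balance resume expects fs_info->exclusive_operation to be BTRFS_EXCLOP_BALANCE_PAUSED) and the point above that extra state bits mean extra transitions to get wrong, modelled as an added example in userspace C; this is not the kernel's code, the three-state transition table is a deliberately simplified assumption, and exclop_balance_checked() and replay() are names invented for the example:

```c
/* Added example, not kernel code: a userspace model of the exclusive-operation
 * state that btrfs_exclop_balance() guards (simplified three-state table). */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
enum exclop {
	EXCLOP_NONE,           /* models BTRFS_EXCLOP_NONE */
	EXCLOP_BALANCE,        /* models BTRFS_EXCLOP_BALANCE (running) */
	EXCLOP_BALANCE_PAUSED, /* models BTRFS_EXCLOP_BALANCE_PAUSED */
	EXCLOP_COUNT
};
/* allowed[requested][current]; starting a balance (btrfs_exclop_start) is left out */
static const bool allowed[EXCLOP_COUNT][EXCLOP_COUNT] = {
	/* resume: the fs.c:127 assertion requires the PAUSED state */
	[EXCLOP_BALANCE]        = { [EXCLOP_BALANCE_PAUSED] = true },
	/* pause: only a running (or already paused) balance can be paused */
	[EXCLOP_BALANCE_PAUSED] = { [EXCLOP_BALANCE] = true,
	                            [EXCLOP_BALANCE_PAUSED] = true },
};
/* Defensive form of the transition: validate and return an error code instead
 * of asserting on a state that an ioctl caller can actually reach. */
static int exclop_balance_checked(enum exclop *state, enum exclop op)
{
	if (op != EXCLOP_BALANCE && op != EXCLOP_BALANCE_PAUSED)
		return -EINVAL;                /* not a balance state at all */
	if (!allowed[op][*state])
		return -EBUSY;                 /* unexpected current state */
	*state = op;
	return 0;
}

/* Replay a request sequence; returns the first error, or 0 if all succeed. */
static int replay(enum exclop *state, const enum exclop *ops, int n)
{
	for (int i = 0; i < n; i++) {
		int ret = exclop_balance_checked(state, ops[i]);
		if (ret)
			return ret;
	}
	return 0;
}
int main(void)
{
	/* Constructed case: "resume" with nothing paused, the state ASSERT() trips on */
	enum exclop state = EXCLOP_NONE;
	const enum exclop bad[] = { EXCLOP_BALANCE };
	printf("resume from NONE: %d\n", replay(&state, bad, 1));
	return 0;
}
```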

