[syzbot] WARNING in btrfs_space_info_update_bytes_may_use

Hello,

syzbot found the following issue on:

HEAD commit: b229b6ca5abb Merge tag 'perf-tools-fixes-for-v6.1-2022-10-..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=158eaff6880000
kernel config: https://syzkaller.appspot.com/x/.config?x=a66c6c673fb555e8
dashboard link: https://syzkaller.appspot.com/bug?extid=8edfa01e46fd9fe3fbfb
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17db9ab1880000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=124e21b6880000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ba5b49fa77de/disk-b229b6ca.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/7c061f2ae4dc/vmlinux-b229b6ca.xz
kernel image: https://storage.googleapis.com/syzbot-assets/bc45c1300e9b/bzImage-b229b6ca.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/17cf7ba1084e/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]

BTRFS info (device loop0): enabling ssd optimizations
------------[ cut here ]------------
WARNING: CPU: 0 PID: 3604 at fs/btrfs/space-info.h:122 btrfs_space_info_update_bytes_may_use+0x524/0x820 fs/btrfs/space-info.h:122
Modules linked in:
CPU: 0 PID: 3604 Comm: syz-executor245 Not tainted 6.1.0-rc2-syzkaller-00105-gb229b6ca5abb #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
RIP: 0010:btrfs_space_info_update_bytes_may_use+0x524/0x820 fs/btrfs/space-info.h:122
Code: fd e9 77 fb ff ff e8 3b 4b fd fd 4d 89 e6 48 89 de 49 f7 de 4c 89 f7 e8 9a 47 fd fd 49 39 de 0f 86 b5 fc ff ff e8 1c 4b fd fd <0f> 0b 31 db e9 af fc ff ff e8 0e 4b fd fd 48 8d 7d 18 be ff ff ff
RSP: 0018:ffffc90003f4f9c0 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 00000000000d0000 RCX: 0000000000000000
RDX: ffff888021f78000 RSI: ffffffff837f5164 RDI: 0000000000000006
RBP: ffff88807da53000 R08: 0000000000000006 R09: 00000000000e0000
R10: 00000000000d0000 R11: 000000000008c07e R12: fffffffffff20000
R13: ffff88807da53060 R14: 00000000000e0000 R15: 0000000000000002
FS: 0000000000000000(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007faff6153690 CR3: 000000000bc8e000 CR4: 0000000000350ef0
Call Trace:
<TASK>
btrfs_space_info_free_bytes_may_use fs/btrfs/space-info.h:154 [inline]
block_rsv_release_bytes fs/btrfs/block-rsv.c:151 [inline]
btrfs_block_rsv_release+0x515/0x650 fs/btrfs/block-rsv.c:295
btrfs_release_global_block_rsv+0x22/0x2e0 fs/btrfs/block-rsv.c:463
btrfs_free_block_groups+0x954/0x1100 fs/btrfs/block-group.c:4051
close_ctree+0xd17/0xdc3 fs/btrfs/disk-io.c:4710
generic_shutdown_super+0x154/0x410 fs/super.c:491
kill_anon_super+0x36/0x60 fs/super.c:1085
btrfs_kill_super+0x38/0x50 fs/btrfs/super.c:2441
deactivate_locked_super+0x94/0x160 fs/super.c:331
deactivate_super+0xad/0xd0 fs/super.c:362
cleanup_mnt+0x2ae/0x3d0 fs/namespace.c:1186
task_work_run+0x16b/0x270 kernel/task_work.c:179
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0xb35/0x2a20 kernel/exit.c:820
do_group_exit+0xd0/0x2a0 kernel/exit.c:950
__do_sys_exit_group kernel/exit.c:961 [inline]
__se_sys_exit_group kernel/exit.c:959 [inline]
__x64_sys_exit_group+0x3a/0x50 kernel/exit.c:959
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f87197f03e9
Code: Unable to access opcode bytes at 0x7f87197f03bf.
RSP: 002b:00007ffebfd5c0d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007f871987d470 RCX: 00007f87197f03e9
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
RBP: 0000000000000001 R08: ffffffffffffffb8 R09: 00007ffebf003031
R10: 0000000080000009 R11: 0000000000000246 R12: 00007f871987d470
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
</TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches

syzbot has bisected this issue to:

commit 0c7c575df56b957390206deb018c41acbb412159
Author: Matthew Wilcox (Oracle) <[email protected]>
Date: Wed Feb 24 20:01:52 2021 +0000

mm/filemap: remove dynamically allocated array from filemap_read

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=119e21b6880000
start commit: b229b6ca5abb Merge tag 'perf-tools-fixes-for-v6.1-2022-10-..
git tree: upstream
final oops: https://syzkaller.appspot.com/x/report.txt?x=139e21b6880000
console output: https://syzkaller.appspot.com/x/log.txt?x=159e21b6880000
Reported-by: [email protected]
Fixes: 0c7c575df56b ("mm/filemap: remove dynamically allocated array from filemap_read")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

Dmitry, I don't see a way to tell syzbot that its bisection has gone
astray. Can you add one or document it if it already exists?
This change affects the read path. The crash happens in the unmount
path. The data structure that's being checked is modified in the write
path. I just can't see how this commit is in any way related.

Yeah I agree the bisection hasn't identified the correct commit.
The starting commit is not related to btrfs but the bisection hit the
warning basically on each run so it's not completely random. There might
be some timing change that triggers the warning, likely it's caused by
some the space accounting bug.

No, unfortunately it's not possible now. I've filed an issue:
https://github.com/google/syzkaller/issues/3491
Most likely the bisection pointed at your patch because it removed
kmalloc while the reproducer for the bug does fault injection (see the
"(fail_nth: 10)" line in syz repro). So it might have inadvertently
made the issue more visible to the fuzzer.
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/Y1/SqIuP4tbszPAW%40casper.infradead.org.

FWIW there's an attempt to fix a very similarly looking problem
(https://lore.kernel.org/all/[email protected]/)
by Hawkins Jiawei (cc'd):
https://lore.kernel.org/linux-btrfs/[email protected]/t/

If the bugs are indeed related, we might want to tell the bot to
deduplicate one to another.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/0000000000000d9d6f05ec498263%40google.com.