From: Adarsh Das
To: clm@fb.com, dsterba@suse.com
Cc: linux-btrfs@vger.kernel.org, linux-kernel@vger.kernel.org, Adarsh Das, syzbot+6d30e046bbd449d3f6f1@syzkaller.appspotmail.com
Subject: [PATCH] btrfs: don't add delayed refs to an aborted transaction
Date: Sun, 1 Mar 2026 13:38:47 +0530
Message-ID: <20260301080847.16153-1-adarshdas950@gmail.com>

When a transaction aborts, cleanup_transaction() calls
btrfs_cleanup_one_transaction(), which drains all pending delayed refs via
btrfs_destroy_delayed_refs(). But btrfs_cleanup_one_transaction() then wakes
up tasks waiting on transaction_blocked_wait and sets the transaction state
to TRANS_STATE_UNBLOCKED. These woken tasks can then call
btrfs_add_delayed_tree_ref(), btrfs_add_delayed_data_ref(), or
btrfs_add_delayed_extent_op() on the already-aborted transaction, inserting
new entries into the head_refs xarray after it was just drained. When
btrfs_put_transaction() subsequently drops the refcount to zero, it hits:

  WARN_ON(!xa_empty(&transaction->delayed_refs.head_refs));

This patch fixes this by checking TRANS_ABORTED() at the start of
add_delayed_ref() and btrfs_add_delayed_extent_op() before inserting into
the xarray. btrfs_abort_transaction() is called at the start of
cleanup_transaction(), before btrfs_destroy_delayed_refs(), so the aborted
flag should always be set before any wakeups occur.

Reported-by: syzbot+6d30e046bbd449d3f6f1@syzkaller.appspotmail.com
Signed-off-by: Adarsh Das
---
 fs/btrfs/delayed-ref.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/fs/btrfs/delayed-ref.c b/fs/btrfs/delayed-ref.c
index 3766ff29fbbb..b994f9702c32 100644
--- a/fs/btrfs/delayed-ref.c
+++ b/fs/btrfs/delayed-ref.c
@@ -327,7 +327,7 @@ static int cmp_refs_node(const struct rb_node *new, con= st struct rb_node *exist) return comp_refs(new_node, exist_node, true); } =20 -static struct btrfs_delayed_ref_node* tree_insert(struct rb_root_cached *r= oot, +static struct btrfs_delayed_ref_node *tree_insert(struct rb_root_cached *r= oot, struct btrfs_delayed_ref_node *ins) { struct rb_node *node =3D &ins->ref_node; @@ -1025,6 +1025,10 @@ static int add_delayed_ref(struct btrfs_trans_handle= *trans, } =20 delayed_refs =3D &trans->transaction->delayed_refs; + if (TRANS_ABORTED(trans->transaction)) { + ret =3D -EIO; + goto free_head_ref; + } =20 if (btrfs_qgroup_full_accounting(fs_info) && !generic_ref->skip_qgroup) { record =3D kzalloc_obj(*record, GFP_NOFS); @@ -1153,6 +1157,10 @@ int btrfs_add_delayed_extent_op(struct btrfs_trans_h= andle *trans, head_ref->extent_op =3D extent_op; =20 delayed_refs =3D &trans->transaction->delayed_refs; + if (TRANS_ABORTED(trans->transaction)) { + kmem_cache_free(btrfs_delayed_ref_head_cachep, head_ref); + return -EIO; + } =20 ret =3D xa_reserve(&delayed_refs->head_refs, index, GFP_NOFS); if (ret) { --=20 2.53.0
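Review bot: the first hunk (@@ -327, moving the `*` in `static struct btrfs_delayed_ref_node *tree_insert(struct rb_root_cached *root,`) is an unrelated style cleanup inside a patch that fixes a syzbot-reported WARN_ON and is a natural stable backport candidate; drop it here or send it as a separate patch so the fix stays minimal and applies cleanly to older trees.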
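Review bot: in the add_delayed_ref() hunk (@@ -1025) the new `if (TRANS_ABORTED(trans->transaction))` test runs with no lock held and is followed by `record = kzalloc_obj(*record, GFP_NOFS);` before the head is inserted, so a task that passes the check and then blocks in that allocation while the abort and btrfs_destroy_delayed_refs() run can still store a new entry into head_refs after the drain; re-check TRANS_ABORTED() under delayed_refs->lock immediately before the xarray store so the check and the insertion are serialised against the drain, which is the window the commit message says this closes. The commit message should also confirm that the `goto free_head_ref` path is safe to take before `record` is allocated and say why -EIO was chosen over propagating the transaction's recorded abort error.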
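Review bot: in the btrfs_add_delayed_extent_op() hunk (@@ -1153) the early `kmem_cache_free(btrfs_delayed_ref_head_cachep, head_ref); return -EIO;` duplicates error handling that the existing `if (ret) {` branch after `xa_reserve()` already provides, and the abort test again sits before `ret = xa_reserve(&delayed_refs->head_refs, index, GFP_NOFS);`, which can sleep, so an abort landing between the check and the reservation is not caught; move the test into the locked region where the head is actually stored and route the failure through the same cleanup as the xa_reserve error so head_ref is released in exactly one place. Also document who frees extent_op on this new error path: it was assigned to `head_ref->extent_op = extent_op;` two lines above and this early return frees only head_ref.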