Re: [PATCH v2] btrfs: Fix BTRFS arm64 tagged KASAN false-positive

[Qu Wenruo]

在 2026/3/23 16:48, Daniel J Blueman 写道:
> When booting Linux 7.0-rc5 on a Qualcomm Snapdragon X1 with KASAN
> software tagging with a BTRFS filesystem, we see:
>
> BUG: KASAN: invalid-access in xxh64_update (lib/xxhash.c:143 lib/xxhash.c:283)
> Read of size 8 at addr 7bff000804fe1000 by task kworker/u49:2/138
> Pointer tag: [7b], memory tag: [b2]
>
> CPU: 0 UID: 0 PID: 138 Comm: kworker/u49:2 Not tainted 7.0.0-rc4+ #34 PREEMPTLAZY
> Hardware name: LENOVO 83ED/LNVNB161216, BIOS NHCN60WW 09/11/2025
> Workqueue: btrfs-endio-meta simple_end_io_work
> Call trace:
> show_stack (arch/arm64/kernel/stacktrace.c:501) (C)
> dump_stack_lvl (lib/dump_stack.c:122)
> print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)
> kasan_report (mm/kasan/report.c:597)
> kasan_check_range (mm/kasan/sw_tags.c:86 (discriminator 1))
> __hwasan_loadN_noabort (mm/kasan/sw_tags.c:158)
> xxh64_update (lib/xxhash.c:143 lib/xxhash.c:283)
> btrfs_csum_update (fs/btrfs/fs.c:106)
> csum_tree_block (fs/btrfs/disk-io.c:103 (discriminator 3))
> btrfs_validate_extent_buffer (fs/btrfs/disk-io.c:389)
> end_bbio_meta_read (fs/btrfs/extent_io.c:3853 (discriminator 1))
> btrfs_bio_end_io (fs/btrfs/bio.c:152)
> simple_end_io_work (fs/btrfs/bio.c:388)
> process_one_work (./arch/arm64/include/asm/jump_label.h:36 ./include/trace/events/workqueue.h:110 kernel/workqueue.c:3281)
> worker_thread (kernel/workqueue.c:3353 (discriminator 2) kernel/workqueue.c:3440 (discriminator 2))
> kthread (kernel/kthread.c:436)
> ret_from_fork (arch/arm64/kernel/entry.S:861)
>
> The buggy address belongs to the physical page:
> page: refcount:3 mapcount:0 mapping:f1ff00080055dee8 index:0x2467bd pfn:0x884fe1
> memcg:51ff000800e68ec0 aops:btree_aops ino:1
> flags: 0x9340000000004000(private|zone=2|kasantag=0x4d)
> raw: 9340000000004000 0000000000000000 dead000000000122 f1ff00080055dee8
> raw: 00000000002467bd 43ff00081d0cc6f0 00000003ffffffff 51ff000800e68ec0
> page dumped because: kasan: bad access detected
>
> Memory state around the buggy address:
> ffff000804fe0e00: 7b 7b 7b 7b 7b 7b 7b 7b 7b 7b 7b 7b 7b 7b 7b 7b
> ffff000804fe0f00: 7b 7b 7b 7b 7b 7b 7b 7b 7b 7b 7b 7b 7b 7b 7b 7b
> > ffff000804fe1000: b2 b2 b2 b2 b2 b2 b2 b2 b2 b2 b2 b2 b2 b2 b2 b2
> ^
> ffff000804fe1100: b2 b2 b2 b2 b2 b2 b2 b2 b2 b2 b2 b2 b2 b2 b2 b2
> ffff000804fe1200: b2 b2 b2 b2 b2 b2 b2 b2 b2 b2 b2 b2 b2 b2 b2 b2
>
> This occurs as allocation in btrfs_alloc_page_array is from multiple
> discrete pages thus different KASAN tags by design, leading to a tag
> mismatch when linear access is used where the pages are physically
> contiguous.
>
> Fix this by retagging all the EB pages with the same KASAN tag.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Daniel J Blueman <daniel@xxxxxxxxx>
> Fixes: 397239ed6a6c ("btrfs: allow extent buffer helpers to skip cross-page handling")
> Changelog:
>   v2: Retag pages rather than bypass linear access optimisation
>   v1: https://lore.kernel.org/lkml/20260319053413.14771-1-daniel@xxxxxxxxx/
> ---
>   fs/btrfs/extent_io.c | 13 +++++++++++++
>   1 file changed, 13 insertions(+)
>
> diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c
> index 5f97a3d2a8d7..37836d685f21 100644
> --- a/fs/btrfs/extent_io.c
> +++ b/fs/btrfs/extent_io.c
> @@ -10,6 +10,7 @@
>   #include <linux/spinlock.h>
>   #include <linux/blkdev.h>
>   #include <linux/swap.h>
> +#include <linux/kasan.h>
>   #include <linux/writeback.h>
>   #include <linux/pagevec.h>
>   #include <linux/prefetch.h>
> @@ -706,6 +707,18 @@ static int alloc_eb_folio_array(struct extent_buffer *eb, bool nofail)
>   	if (ret < 0)
>   		return ret;
>   
> +	/*
> +	 * Since separate page allocations are used for the same extent with
> +	 * linear addressing where physically contiguous, apply the same KASAN
> +	 * tag to prevent false-positive warnings when crossing page boundaries
> +	 */
> +	u8 tag = page_kasan_tag(page_array[0]);

We do not mix definition and code.

> +
> +	for (int i = 1; i < num_pages; i++) {
> +		page_kasan_tag_set(page_array[i], tag);

Please note that, at alloc_eb_folio_array() we have no idea if the 
folios are contig yet.

And if they are not contig, tagging them with the same tag will mask 
some real bugs.

To me, the proper re-tagging timing should be inside 
alloc_extent_buffer(), under the "if (page_contig)" branch.

Thanks,
Qu

> +		kasan_unpoison_range(page_address(page_array[i]), PAGE_SIZE);
> +	}
> +


>   	for (int i = 0; i < num_pages; i++)
>   		eb->folios[i] = page_folio(page_array[i]);
>   	eb->folio_size = PAGE_SIZE;