Bug 202765

Summary: NULL pointer dereference when mounting a crafted btrfs image
Product: File System
Reporter: Jungyeon (jungyeon)
Component: btrfs
Assignee: BTRFS virtual assignee (fs_btrfs)
Status: RESOLVED CODE_FIX
Severity: normal
CC: dsterba, wqu
Priority: P1
Hardware: All
OS: Linux
Kernel Version: 5.0-rc8
Tree: Mainline
Regression: No
Attachments: The (compressed) crafted image which causes crash

Description Jungyeon 2019-03-04 21:12:07 UTC
- Overview
After mounting the crafted image, I got this kernel panic.

- Produces
mkdir test
mount -t btrfs 18.img test
(and just wait a few seconds to get errors)

- Kernel messages
[   70.988519] BUG: unable to handle kernel NULL pointer dereference at 0000000000000012
[   70.991445] #PF error: [WRITE]
[   70.992668] PGD 0 P4D 0 
[   70.993631] Oops: 0002 [#1] SMP PTI
[   70.994939] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.0.0-rc8+ #9
[   70.997266] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[   71.000218] RIP: 0010:_raw_spin_lock_bh+0x18/0x40
[   71.001406] Code: 04 31 c0 5d c3 b8 01 00 00 00 5d c3 66 0f 1f 44 00 00 66 66 66 66 90 65 81 05 c0 9d ad 4e 00 02 00 00 31 c0 41 b8 01 00 00 00 <3e> 44 0f b1 07 41 0f 94 c0 45 84 c0 74 01 c3 55 89 c6 48 89 e5 e8
[   71.006067] RSP: 0018:ffff96cf77a03e00 EFLAGS: 00010246
[   71.007374] RAX: 0000000000000000 RBX: ffffffffb221f380 RCX: 0000000000000000
[   71.009157] RDX: ffffffffb221fcf8 RSI: 00000000fffffe01 RDI: 0000000000000012
[   71.010922] RBP: ffff96cf77a03e48 R08: 0000000000000001 R09: 0000000000000000
[   71.012712] R10: 000000000000002d R11: 0000000000000020 R12: fffffffffffffffe
[   71.014484] R13: 0000000000000012 R14: 0000000000000000 R15: ffffffffb14b8980
[   71.016315] FS:  0000000000000000(0000) GS:ffff96cf77a00000(0000) knlGS:0000000000000000
[   71.018327] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   71.019773] CR2: 0000000000000012 CR3: 000000020a626003 CR4: 00000000000206f0
[   71.021546] Call Trace:
[   71.022175]  <IRQ>
[   71.022702]  ? __fib6_clean_all+0x52/0xa0
[   71.023795]  ? fib6_run_gc+0x100/0x100
[   71.024764]  fib6_run_gc+0x66/0x100
[   71.025661]  fib6_gc_timer_cb+0x1c/0x20
[   71.026649]  call_timer_fn+0x32/0x140
[   71.027590]  run_timer_softirq+0x1ed/0x450
[   71.028713]  ? kvm_clock_get_cycles+0x11/0x20
[   71.029823]  ? ktime_get+0x3e/0xa0
[   71.030695]  ? lapic_next_deadline+0x26/0x30
[   71.031789]  __do_softirq+0xf9/0x2c3
[   71.032701]  irq_exit+0xca/0xd0
[   71.033506]  smp_apic_timer_interrupt+0x79/0x150
[   71.034673]  apic_timer_interrupt+0xf/0x20
[   71.035727]  </IRQ>
[   71.036286] RIP: 0010:native_safe_halt+0x6/0x10
[   71.037444] Code: 4e ff ff ff 7f 5d c3 65 48 8b 04 25 00 5c 01 00 3e 80 48 02 20 48 8b 00 a8 08 74 8b eb c1 90 90 90 90 90 90 55 48 89 e5 fb f4 <5d> c3 0f 1f 84 00 00 00 00 00 55 48 89 e5 f4 5d c3 90 90 90 90 90
[   71.042129] RSP: 0018:ffffffffb2003e00 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
[   71.044029] RAX: ffffffffb153b440 RBX: 0000000000000000 RCX: 0000000000000001
[   71.045817] RDX: ffff96cf77a238c0 RSI: 0000000000000083 RDI: 0000000000000000
[   71.047602] RBP: ffffffffb2003e00 R08: 0000000000000004 R09: 000000000001ca40
[   71.049415] R10: ffffaef040ffbd50 R11: 0000000000000000 R12: 0000000000000000
[   71.051200] R13: ffffffffb202f740 R14: 0000000000000000 R15: 0000000000000000
[   71.052996]  ? __cpuidle_text_start+0x8/0x8
[   71.054057]  default_idle+0x20/0x150
[   71.054970]  arch_cpu_idle+0x15/0x20
[   71.055894]  default_idle_call+0x23/0x30
[   71.056899]  do_idle+0x1c8/0x280
[   71.057730]  ? do_idle+0xd/0x280
[   71.058564]  cpu_startup_entry+0x1d/0x20
[   71.059570]  rest_init+0xaa/0xb0
[   71.060442]  arch_call_rest_init+0xe/0x1b
[   71.061466]  start_kernel+0x50e/0x52f
[   71.062406]  x86_64_start_reservations+0x24/0x26
[   71.063578]  x86_64_start_kernel+0x74/0x77
[   71.064630]  secondary_startup_64+0xa4/0xb0
[   71.065689] Modules linked in:
[   71.066471] CR2: 0000000000000012
[   71.067315] ---[ end trace 711c3ece6c480d42 ]---
[   71.068494] RIP: 0010:_raw_spin_lock_bh+0x18/0x40
[   71.069681] Code: 04 31 c0 5d c3 b8 01 00 00 00 5d c3 66 0f 1f 44 00 00 66 66 66 66 90 65 81 05 c0 9d ad 4e 00 02 00 00 31 c0 41 b8 01 00 00 00 <3e> 44 0f b1 07 41 0f 94 c0 45 84 c0 74 01 c3 55 89 c6 48 89 e5 e8
[   71.074350] RSP: 0018:ffff96cf77a03e00 EFLAGS: 00010246
[   71.075667] RAX: 0000000000000000 RBX: ffffffffb221f380 RCX: 0000000000000000
[   71.077470] RDX: ffffffffb221fcf8 RSI: 00000000fffffe01 RDI: 0000000000000012
[   71.079259] RBP: ffff96cf77a03e48 R08: 0000000000000001 R09: 0000000000000000
[   71.081065] R10: 000000000000002d R11: 0000000000000020 R12: fffffffffffffffe
[   71.082855] R13: 0000000000000012 R14: 0000000000000000 R15: ffffffffb14b8980
[   71.084673] FS:  0000000000000000(0000) GS:ffff96cf77a00000(0000) knlGS:0000000000000000
[   71.086695] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   71.088150] CR2: 0000000000000012 CR3: 000000020a626003 CR4: 00000000000206f0
[   71.089945] Kernel panic - not syncing: Fatal exception in interrupt
[   71.091769] Kernel Offset: 0x2f800000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[   71.094490] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---
Comment 1 Qu Wenruo 2019-03-12 07:26:45 UTC
Where is the crafted image?

Thanks,
Qu
Comment 2 Jungyeon 2019-03-12 09:45:20 UTC
Created attachment 281753 [details]
The (compressed) crafted image which causes crash
Comment 3 David Sterba 2019-05-21 12:12:18 UTC
Fixed by 80e46cf22ba0bcb57 "btrfs: tree-checker: Enhance chunk checker to validate chunk profile", now in 5.2-rc.
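The fix referenced above hardens the tree-checker so that a chunk item whose type field carries an inconsistent set of block-group flags is rejected at mount time instead of being trusted by later code. The following is an added userspace illustration of that kind of validation, not the kernel's own tree-checker code or the exact logic of the referenced commit: it treats a chunk type as valid only if at least one of the DATA/SYSTEM/METADATA type bits is set and at most one RAID profile bit is set. The flag values are the btrfs on-disk block-group flags as I know them from the kernel UAPI headers; the sample chunk types are constructed for the demonstration.

```c
/* Added example: a standalone check for a btrfs chunk's block-group flags.
 * Assumption: the bit positions below match include/uapi/linux/btrfs_tree.h.
 * This is not the kernel's tree-checker; it only mirrors the idea of
 * validating the profile portion of the type field before use. */
#include <stdint.h>
#include <stdio.h>

#define BTRFS_BLOCK_GROUP_DATA      (1ULL << 0)
#define BTRFS_BLOCK_GROUP_SYSTEM    (1ULL << 1)
#define BTRFS_BLOCK_GROUP_METADATA  (1ULL << 2)
#define BTRFS_BLOCK_GROUP_RAID0     (1ULL << 3)
#define BTRFS_BLOCK_GROUP_RAID1     (1ULL << 4)
#define BTRFS_BLOCK_GROUP_DUP       (1ULL << 5)
#define BTRFS_BLOCK_GROUP_RAID10    (1ULL << 6)
#define BTRFS_BLOCK_GROUP_RAID5     (1ULL << 7)
#define BTRFS_BLOCK_GROUP_RAID6     (1ULL << 8)

#define BTRFS_BLOCK_GROUP_TYPE_MASK \
    (BTRFS_BLOCK_GROUP_DATA | BTRFS_BLOCK_GROUP_SYSTEM | BTRFS_BLOCK_GROUP_METADATA)
#define BTRFS_BLOCK_GROUP_PROFILE_MASK \
    (BTRFS_BLOCK_GROUP_RAID0 | BTRFS_BLOCK_GROUP_RAID1 | BTRFS_BLOCK_GROUP_DUP | \
     BTRFS_BLOCK_GROUP_RAID10 | BTRFS_BLOCK_GROUP_RAID5 | BTRFS_BLOCK_GROUP_RAID6)

/* True when exactly one bit is set. */
static int is_power_of_2_u64(uint64_t v)
{
    return v != 0 && (v & (v - 1)) == 0;
}

/* Returns 1 if the chunk type field passes the checks, 0 otherwise.
 * A profile mask of zero means the "single" profile and is accepted. */
int chunk_type_valid(uint64_t type)
{
    uint64_t profile = type & BTRFS_BLOCK_GROUP_PROFILE_MASK;

    /* A chunk must say what it stores: data, metadata, and/or system. */
    if ((type & BTRFS_BLOCK_GROUP_TYPE_MASK) == 0)
        return 0;

    /* Unknown high bits are rejected rather than silently ignored. */
    if (type & ~(BTRFS_BLOCK_GROUP_TYPE_MASK | BTRFS_BLOCK_GROUP_PROFILE_MASK))
        return 0;

    /* At most one RAID profile bit may be set. */
    if (profile != 0 && !is_power_of_2_u64(profile))
        return 0;

    return 1;
}

int main(void)
{
    /* Constructed sample chunk types, not values taken from the attached image. */
    const struct { const char *name; uint64_t type; } samples[] = {
        { "data/single",          BTRFS_BLOCK_GROUP_DATA },
        { "metadata/dup",         BTRFS_BLOCK_GROUP_METADATA | BTRFS_BLOCK_GROUP_DUP },
        { "system/raid1",         BTRFS_BLOCK_GROUP_SYSTEM | BTRFS_BLOCK_GROUP_RAID1 },
        { "data/raid1+dup (bad)", BTRFS_BLOCK_GROUP_DATA | BTRFS_BLOCK_GROUP_RAID1 |
                                  BTRFS_BLOCK_GROUP_DUP },
        { "no type bits (bad)",   BTRFS_BLOCK_GROUP_RAID0 },
        { "unknown bit (bad)",    BTRFS_BLOCK_GROUP_DATA | (1ULL << 40) },
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-24s type=0x%llx -> %s\n", samples[i].name,
               (unsigned long long)samples[i].type,
               chunk_type_valid(samples[i].type) ? "valid" : "REJECT");
    return 0;
}
```

Running the block prints one line per sample; the three entries marked "(bad)" are the ones a tree-checker-style validation would refuse before any code path indexes a RAID attribute table or allocates with those flags.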