Bug 202827
| Summary: | unable to handle kernel NULL pointer dereference (kernel panic) | | |
|---|---|---|---|
| Product: | File System | Reporter: | Jungyeon (jungyeon) |
| Component: | btrfs | Assignee: | BTRFS virtual assignee (fs_btrfs) |
| Status: | RESOLVED CODE_FIX | | |
| Severity: | normal | CC: | dsterba, wqu |
| Priority: | P1 | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Kernel Version: | 5.0-rc8 | Subsystem: | |
| Regression: | No | Bisected commit-id: | |
Attachments:
- poc_07.c
- The (compressed) crafted image which causes crash
Created attachment 281611 [details]
The (compressed) crafted image which causes crash

It looks like it also gets fixed by the 448de471cd4c ("btrfs: Check the first key and level for cached extent buffer") upstream fix too.
Created attachment 281609 [details]
poc_07.c

- Overview

After mounting the crafted image, I got this kernel panic while running the attached program.

- Produces

```
mkdir test
mount -t btrfs 07.img test
gcc poc_07.c
cp a.out test
cd test
./a.out
```

- Kernel messages

```
[ 86.316386] btrfs bad mapping eb start 29761536 len 4096, wanted 1852 18446744072635812036
[ 86.319717] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
[ 86.321727] #PF error: [INSTR]
[ 86.322514] PGD 800000022b29e067 P4D 800000022b29e067 PUD 2354ff067 PMD 0
[ 86.324259] Oops: 0010 [#1] SMP PTI
[ 86.325159] CPU: 0 PID: 1113 Comm: a.out Tainted: G W 5.0.0-rc8+ #9
[ 86.327064] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[ 86.329321] RIP: 0010: (null)
[ 86.330286] Code: Bad RIP value.
[ 86.331125] RSP: 0018:ffff9b7ff7a03d88 EFLAGS: 00010046
[ 86.332467] RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000
[ 86.334257] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff9b7febaf8de0
[ 86.336044] RBP: ffff9b7ff7a03dd0 R08: 0000000000000000 R09: 0000000000000000
[ 86.337867] R10: 0000000000000400 R11: 001dcd6500000000 R12: ffff9b7ff7a03de8
[ 86.339675] R13: ffffffffffffffe8 R14: ffffffffaee7e018 R15: 0000000000000000
[ 86.341488] FS: 00007fe048ab6700(0000) GS:ffff9b7ff7a00000(0000) knlGS:0000000000000000
[ 86.343509] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 86.344963] CR2: ffffffffffffffd6 CR3: 000000022e384006 CR4: 00000000000206f0
[ 86.346747] Call Trace:
[ 86.347386]  <IRQ>
[ 86.347919]  ? __wake_up_common+0x8c/0x130
[ 86.348976]  __wake_up_common_lock+0x80/0xc0
[ 86.350064]  __wake_up+0x13/0x20
[ 86.350896]  wake_up_klogd_work_func+0x40/0x60
[ 86.352023]  irq_work_run_list+0x55/0x80
[ 86.353048]  ? tick_sched_do_timer+0x60/0x60
[ 86.354144]  irq_work_tick+0x40/0x50
[ 86.355071]  update_process_times+0x42/0x60
[ 86.356158]  tick_sched_handle+0x29/0x60
[ 86.357171]  tick_sched_timer+0x3c/0x80
[ 86.358161]  __hrtimer_run_queues+0x106/0x270
[ 86.359290]  hrtimer_interrupt+0x116/0x240
[ 86.360358]  smp_apic_timer_interrupt+0x6f/0x150
[ 86.361545]  apic_timer_interrupt+0xf/0x20
[ 86.362598]  </IRQ>
[ 86.363160] RIP: 0010:__memset+0x24/0x30
[ 86.364182] Code: 90 90 90 90 90 90 66 66 90 66 90 49 89 f9 48 89 d1 83 e2 07 48 c1 e9 03 40 0f b6 f6 48 b8 01 01 01 01 01 01 01 01 48 0f af c6 <f3> 48 ab 89 d1 f3 aa 4c 89 c8 c3 90 49 89 f9 40 88 f0 48 89 d1 f3
[ 86.368848] RSP: 0018:ffffa785c10efb98 EFLAGS: 00010206 ORIG_RAX: ffffffffffffff13
[ 86.370745] RAX: 0000000000000000 RBX: ffffffffc00008c4 RCX: 1ffffffff7f01377
[ 86.372543] RDX: 0000000000000004 RSI: 0000000000000000 RDI: ffff9b7fec1ea860
[ 86.374328] RBP: ffffa785c10efbb0 R08: 0000000000000001 R09: ffff9b7feb9f3b58
[ 86.376123] R10: 0000000000000000 R11: ffffa785c10ef9ed R12: ffff9b7feb9f3b58
[ 86.377909] R13: 0000000000000000 R14: 0000000004c00000 R15: 0000000000001000
[ 86.379704]  ? read_extent_buffer+0x137/0x140
[ 86.380821]  __btrfs_lookup_bio_sums+0x449/0x690
[ 86.381994]  btrfs_lookup_bio_sums+0x16/0x20
[ 86.383078]  btrfs_submit_bio_hook+0xc3/0x180
[ 86.384194]  submit_one_bio+0x5d/0x80
[ 86.385129]  extent_read_full_page+0x56/0x70
[ 86.386215]  btrfs_readpage+0x25/0x30
[ 86.387149]  generic_file_read_iter+0x615/0xc70
[ 86.388312]  ? __page_cache_alloc+0x20/0x20
[ 86.389374]  __vfs_read+0x11f/0x1a0
[ 86.390265]  vfs_read+0x95/0x140
[ 86.391093]  ksys_read+0x55/0xc0
[ 86.391923]  __x64_sys_read+0x1a/0x20
[ 86.392870]  do_syscall_64+0x5a/0x110
[ 86.393815]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 86.395094] RIP: 0033:0x7fe0485d14d9
[ 86.396009] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 8f 29 2c 00 f7 d8 64 89 01 48
[ 86.400692] RSP: 002b:00007fff0313ad98 EFLAGS: 00000203 ORIG_RAX: 0000000000000000
[ 86.402593] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe0485d14d9
[ 86.404390] RDX: 00000000000009e4 RSI: 00007fff0313af20 RDI: 0000000000000003
[ 86.406179] RBP: 00007fff0313ef30 R08: 00007fff0313f018 R09: 00007fff0313f018
[ 86.407968] R10: 00007fe0488aaab0 R11: 0000000000000203 R12: 00000000004004e0
[ 86.409773] R13: 00007fff0313f010 R14: 0000000000000000 R15: 0000000000000000
[ 86.411569] Modules linked in:
[ 86.412365] CR2: 0000000000000000
[ 86.413220] ---[ end trace 2d53181631a5c86c ]---
[ 86.414392] RIP: 0010: (null)
[ 86.415351] Code: Bad RIP value.
[ 86.416185] RSP: 0018:ffff9b7ff7a03d88 EFLAGS: 00010046
[ 86.417504] RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000
[ 86.419289] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff9b7febaf8de0
[ 86.421089] RBP: ffff9b7ff7a03dd0 R08: 0000000000000000 R09: 0000000000000000
[ 86.422886] R10: 0000000000000400 R11: 001dcd6500000000 R12: ffff9b7ff7a03de8
[ 86.424685] R13: ffffffffffffffe8 R14: ffffffffaee7e018 R15: 0000000000000000
[ 86.426479] FS: 00007fe048ab6700(0000) GS:ffff9b7ff7a00000(0000) knlGS:0000000000000000
[ 86.428514] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 86.429963] CR2: ffffffffffffffd6 CR3: 000000022e384006 CR4: 00000000000206f0
[ 86.431758] Kernel panic - not syncing: Fatal exception in interrupt
[ 86.445655] Kernel Offset: 0x2c600000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 86.448376] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---
```