Bug 202833

Summary: kernel BUG at fs/btrfs/ctree.c:3188!
Product: File System
Reporter: Jungyeon (jungyeon)
Component: btrfs
Assignee: BTRFS virtual assignee (fs_btrfs)
Status: NEW
Severity: normal
Priority: P1
Hardware: All
OS: Linux
Kernel Version: 5.0-rc8
Subsystem:
Regression: No
Bisected commit-id:
Attachments:
The (compressed) crafted image which causes crash
min_27.c

Description Jungyeon 2019-03-08 09:47:26 UTC
Created attachment 281621 [details]
The (compressed) crafted image which causes crash

- Overview
After mounting the crafted image, I got this kernel panic while running the attached program.
You need to wait a few seconds after the program finishes to get the error.

- Produces
mkdir test
mount -t btrfs tmp.img test
gcc min_27.c
cp a.out test
cd test
./a.out

- Kernel messages

[ 97.225716] BTRFS critical (device sdb): corrupt leaf: root=7 block=29745152 slot=0, unexpected item end, have 2101147 expect 3995
[ 97.231205] BTRFS critical (device sdb): corrupt leaf: root=7 block=29753344 slot=0, invalid key objectid for csum item, have 18446744073457893366 expect 18446744073709551606
[ 97.235910] kernel BUG at fs/btrfs/ctree.c:3188!
[ 97.237165] invalid opcode: 0000 [#1] SMP PTI
[ 97.238259] CPU: 0 PID: 1156 Comm: btrfs-transacti Not tainted 5.0.0-rc8+ #9
[ 97.239978] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[ 97.242155] RIP: 0010:btrfs_set_item_key_safe+0x16c/0x180
[ 97.243470] Code: b7 48 8d 7d bf 4c 89 fe 48 89 45 c8 0f b6 45 b6 88 45 c7 48 8b 45 ae 48 89 45 bf e8 ce f2 ff ff 85 c0 0f 8f 48 ff ff ff 0f 0b <0f> 0b e8 dd 8d be ff 0f 1f 00 66 2e 0f 1f 84 00 00 00 00 00 66 66
[ 97.247991] RSP: 0018:ffff976141257ab8 EFLAGS: 00010202
[ 97.249288] RAX: 0000000000000001 RBX: ffff898a6b890930 RCX: 0000000004b70000
[ 97.251023] RDX: 0000000000000000 RSI: ffff976141257bae RDI: ffff976141257acf
[ 97.252768] RBP: ffff976141257b10 R08: 0000000000001000 R09: ffff9761412579a8
[ 97.254499] R10: 0000000000000000 R11: 0000000000000000 R12: ffff976141257abe
[ 97.256231] R13: 0000000000000003 R14: ffff898a6a8be578 R15: ffff976141257bae
[ 97.257971] FS: 0000000000000000(0000) GS:ffff898a77a00000(0000) knlGS:0000000000000000
[ 97.259932] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 97.261341] CR2: 00007f779d9cd624 CR3: 000000022b2b4006 CR4: 00000000000206f0
[ 97.263072] Call Trace:
[ 97.263692] truncate_one_csum+0xac/0xf0
[ 97.264665] btrfs_del_csums+0x24f/0x3a0
[ 97.265647] __btrfs_free_extent.isra.72+0x5a7/0xbe0
[ 97.266867] __btrfs_run_delayed_refs+0x539/0x1120
[ 97.268043] btrfs_run_delayed_refs+0xdb/0x1b0
[ 97.269150] btrfs_commit_transaction+0x52/0x950
[ 97.270285] ? start_transaction+0x94/0x450
[ 97.271321] transaction_kthread+0x163/0x190
[ 97.272378] kthread+0x105/0x140
[ 97.273193] ? btrfs_cleanup_transaction+0x560/0x560
[ 97.274410] ? kthread_destroy_worker+0x50/0x50
[ 97.275527] ret_from_fork+0x35/0x40
[ 97.276414] Modules linked in:
[ 97.277200] ---[ end trace 93bf9db00e6c374e ]---
[ 97.278349] RIP: 0010:btrfs_set_item_key_safe+0x16c/0x180
[ 97.279679] Code: b7 48 8d 7d bf 4c 89 fe 48 89 45 c8 0f b6 45 b6 88 45 c7 48 8b 45 ae 48 89 45 bf e8 ce f2 ff ff 85 c0 0f 8f 48 ff ff ff 0f 0b <0f> 0b e8 dd 8d be ff 0f 1f 00 66 2e 0f 1f 84 00 00 00 00 00 66 66
[ 97.284236] RSP: 0018:ffff976141257ab8 EFLAGS: 00010202
[ 97.285555] RAX: 0000000000000001 RBX: ffff898a6b890930 RCX: 0000000004b70000
[ 97.287312] RDX: 0000000000000000 RSI: ffff976141257bae RDI: ffff976141257acf
[ 97.289083] RBP: ffff976141257b10 R08: 0000000000001000 R09: ffff9761412579a8
[ 97.290836] R10: 0000000000000000 R11: 0000000000000000 R12: ffff976141257abe
[ 97.292585] R13: 0000000000000003 R14: ffff898a6a8be578 R15: ffff976141257bae
[ 97.294345] FS: 0000000000000000(0000) GS:ffff898a77a00000(0000) knlGS:0000000000000000
[ 97.296332] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 97.297763] CR2: 00007f779d9cd624 CR3: 000000022b2b4006 CR4: 00000000000206f0

Comment 1 Jungyeon 2019-03-08 09:47:43 UTC
Created attachment 281623 [details]
min_27.c
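The two "BTRFS critical ... corrupt leaf" lines in the report are emitted by the btrfs tree checker (fs/btrfs/tree-checker.c) while it reads leaves of root 7, the checksum tree, from the crafted image; the BUG at ctree.c:3188 follows a few seconds later when the transaction kthread operates on the same csum items. The script below is an added example, not code from the report or from the kernel: it models the two validations that produced those messages (item data must be packed back-to-back from the end of the leaf, and a csum item must carry the fixed BTRFS_EXTENT_CSUM_OBJECTID with a sector-aligned offset and a csum-size-multiple payload), runs them over constructed leaf item tables that trip the same checks, and parses the report's own dmesg lines into fields a log monitor could alert on. Constant values and the 101-byte header size are taken from the on-disk format as I know it; the leaf layouts are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# On-disk format constants (fs/btrfs/ctree.h); from general knowledge of the
# format, not from this report.
BTRFS_HEADER_SIZE = 101                      # sizeof(struct btrfs_header)
BTRFS_EXTENT_CSUM_OBJECTID = (1 << 64) - 10  # -10ULL == 18446744073709551606
BTRFS_EXTENT_CSUM_KEY = 128
CRC32C_CSUM_SIZE = 4


@dataclass
class Item:
    """One slot of a leaf: its key plus where its data lives in the leaf."""
    objectid: int
    type: int
    offset: int
    data_offset: int  # start of item data, relative to the leaf data area
    data_size: int


def leaf_data_size(nodesize: int) -> int:
    """Bytes available for items and their data after the leaf header."""
    return nodesize - BTRFS_HEADER_SIZE


def check_leaf(root: int, block: int, items: List[Item], nodesize: int = 4096,
               sectorsize: int = 4096, csum_size: int = CRC32C_CSUM_SIZE) -> Optional[str]:
    """Return the first tree-checker style error for this leaf, or None if clean.

    Simplified model of fs/btrfs/tree-checker.c: slot 0's data must end exactly
    at the end of the data area and every later item must end where the
    previous one starts, and csum items get key/size sanity checks. Other item
    types and the key-ordering check are not modelled here.
    """
    def err(slot: int, msg: str) -> str:
        return f"corrupt leaf: root={root} block={block} slot={slot}, {msg}"

    for slot, item in enumerate(items):
        expected_end = leaf_data_size(nodesize) if slot == 0 else items[slot - 1].data_offset
        item_end = item.data_offset + item.data_size
        if item_end != expected_end:
            return err(slot, f"unexpected item end, have {item_end} expect {expected_end}")
        if item.type == BTRFS_EXTENT_CSUM_KEY:
            if item.objectid != BTRFS_EXTENT_CSUM_OBJECTID:
                return err(slot, "invalid key objectid for csum item, "
                                 f"have {item.objectid} expect {BTRFS_EXTENT_CSUM_OBJECTID}")
            if item.offset % sectorsize:
                return err(slot, f"unaligned key offset for csum item, have {item.offset}")
            if item.data_size % csum_size:
                return err(slot, f"unaligned item size for csum item, have {item.data_size}")
    return None


# Constructed leaves for a 4K nodesize, so the data area is 3995 bytes.
# Slot 0 claims its data ends at 2101147, far past the leaf: same failure as the report.
BAD_ITEM_END_LEAF = [Item(BTRFS_EXTENT_CSUM_OBJECTID, BTRFS_EXTENT_CSUM_KEY, 0, 2101000, 147)]
# Layout is sane but the csum key objectid is not the fixed -10 value.
BAD_CSUM_KEY_LEAF = [Item(18446744073457893366, BTRFS_EXTENT_CSUM_KEY, 0, 3979, 16)]
# Two csum items packed back-to-back: 16 bytes of crc32c covers 4 sectors, so the
# next item's key offset is 16384.
CLEAN_LEAF = [Item(BTRFS_EXTENT_CSUM_OBJECTID, BTRFS_EXTENT_CSUM_KEY, 0, 3979, 16),
              Item(BTRFS_EXTENT_CSUM_OBJECTID, BTRFS_EXTENT_CSUM_KEY, 16384, 3971, 8)]

# Log lines copied from the report above (kernel output, not constructed).
SAMPLE_DMESG = [
    "[ 97.225716] BTRFS critical (device sdb): corrupt leaf: root=7 block=29745152 slot=0, "
    "unexpected item end, have 2101147 expect 3995",
    "[ 97.231205] BTRFS critical (device sdb): corrupt leaf: root=7 block=29753344 slot=0, "
    "invalid key objectid for csum item, have 18446744073457893366 expect 18446744073709551606",
    "[ 97.235910] kernel BUG at fs/btrfs/ctree.c:3188!",
]

TREE_CHECKER_RE = re.compile(
    r"BTRFS critical \(device (?P<dev>[^)]+)\): corrupt (?P<kind>leaf|node): "
    r"root=(?P<root>\d+) block=(?P<block>\d+) slot=(?P<slot>\d+), (?P<reason>.+)$")


def parse_tree_checker_line(line: str) -> Optional[dict]:
    """Extract device, tree root, block, slot and reason from a tree-checker line."""
    m = TREE_CHECKER_RE.search(line)
    if not m:
        return None
    hit = m.groupdict()
    for key in ("root", "block", "slot"):
        hit[key] = int(hit[key])
    return hit


def scan_dmesg(lines: List[str]) -> List[dict]:
    """Return every tree-checker rejection found in a dmesg excerpt."""
    return [h for h in (parse_tree_checker_line(l) for l in lines) if h]


if __name__ == "__main__":
    for name, leaf in (("bad item end", BAD_ITEM_END_LEAF),
                       ("bad csum key", BAD_CSUM_KEY_LEAF), ("clean", CLEAN_LEAF)):
        print(f"{name}: {check_leaf(7, 0, leaf)}")
    for hit in scan_dmesg(SAMPLE_DMESG):
        print(hit)
```

The model reproduces the report's "expect 3995" value from the nodesize alone (4096 minus the 101-byte header), which tells a reader the image was built with 4K nodes before they open it; the second message's "expect" value is simply -10 printed as an unsigned 64-bit integer. In a log pipeline, any hit from scan_dmesg on a device that was just mounted from an untrusted image is the signal to unmount and run btrfs check rather than wait for the follow-on BUG.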