Bug 203253

Summary: kernel BUG at fs/btrfs/delayed-inode.c:1538! and target busy
Product: File System
Reporter: Jungyeon (jungyeon)
Component: btrfs
Assignee: BTRFS virtual assignee (fs_btrfs)
Status: NEW ---
Severity: normal
Priority: P1
Hardware: All
OS: Linux
Kernel Version: 5.0.0
Subsystem:
Regression: No
Bisected commit-id:
Attachments: poc_01.c
The (compressed) crafted image which causes crash
poc_02.c
min_02.c

Description Jungyeon 2019-04-10 18:36:21 UTC
Created attachment 282279 [details]
poc_01.c

- Overview
When mounting the attached crafted image, the following errors are reported.
Additionally, unmounting fails because the target is busy.

The image is intentionally fuzzed from a normal btrfs image for testing.
Compile options for BTRFS are as follows.
CONFIG_BTRFS_FS=y
CONFIG_BTRFS_FS_POSIX_ACL=y
CONFIG_BTRFS_FS_CHECK_INTEGRITY=y
# CONFIG_BTRFS_FS_RUN_SANITY_TESTS is not set
CONFIG_BTRFS_DEBUG=y
CONFIG_BTRFS_ASSERT=y
CONFIG_BTRFS_FS_REF_VERIFY=y

- Reproduction
gcc poc_01.c
mkdir test
mount -t btrfs tmp.img test
cp a.out test
cd test
sudo ./a.out
sync
umount test

- Kernel messages
[   19.207531] BTRFS: device fsid a62e00e8-e94e-4200-8217-12444de93c2e devid 1 transid 8 /dev/sdb
[   26.974967] lsb_release (1833) used greatest stack depth: 13288 bytes left
[   36.976140] cc1 (1894) used greatest stack depth: 13240 bytes left
[   43.389135] BTRFS info (device sdb): disk space caching is enabled
[   43.389137] BTRFS info (device sdb): has skinny extents
[   43.390118] BTRFS critical (device sdb): corrupt leaf: root=1 block=29417472 slot=8, unexpected item end, have 2002 expect 2013
[   43.392208] BTRFS info (device sdb): read error corrected: ino 0 off 29417472 (dev /dev/sdb sector 73840)
[   43.392699] BTRFS critical (device sdb): corrupt leaf: root=4 block=29396992 slot=2, unexpected item end, have 536870912 expect 3907
[   43.394939] BTRFS info (device sdb): read error corrected: ino 0 off 29396992 (dev /dev/sdb sector 73800)
[   43.422689] BTRFS error (device sdb): err add delayed dir index item(index: 9) into the deletion tree of the delayed node(root id: 5, inode id: 258, errno: -17)
[   43.424708] ------------[ cut here ]------------
[   43.424709] kernel BUG at fs/btrfs/delayed-inode.c:1538!
[   43.425438] invalid opcode: 0000 [#1] SMP PTI
[   43.426071] CPU: 0 PID: 1931 Comm: a.out Not tainted 5.0.0 #11
[   43.426855] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[   43.428130] RIP: 0010:btrfs_delete_delayed_dir_index+0x291/0x310
[   43.428939] Code: 10 4c 8b 03 41 b9 ef ff ff ff 48 8b 14 24 48 c7 c6 40 06 04 91 48 8b 88 df 01 00 00 48 8b 44 24 08 48 8b 78 50 e8 b2 3a f7 ff <0f> 0b 0f 1f 44 00 00 4c 89 75 50 e9 48 fe ff ff 65 8b 05 68 4e e7
[   43.431382] RSP: 0018:ffffae2300d23d40 EFLAGS: 00010286
[   43.432067] RAX: 0000000000000000 RBX: ffffa1d2b22513a8 RCX: 0000000000000000
[   43.433017] RDX: 0000000000000000 RSI: ffffa1d2b7a15418 RDI: ffffa1d2b7a15418
[   43.433970] RBP: ffffa1d2b6649b80 R08: 0000000000067321 R09: 0000000000000005
[   43.434922] R10: 0000000000000000 R11: ffffae2300d23b6d R12: ffffa1d2b6649e98
[   43.435882] R13: ffffa1d2b2251400 R14: ffffa1d2b22513f0 R15: 0000000000000001
[   43.436834] FS:  00007f5c10f8f700(0000) GS:ffffa1d2b7a00000(0000) knlGS:0000000000000000
[   43.437917] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   43.438692] CR2: 00007f5c10aaa4c0 CR3: 000000022b5dc001 CR4: 00000000001606f0
[   43.439655] Call Trace:
[   43.440011]  __btrfs_unlink_inode+0x28a/0x490
[   43.440608]  btrfs_unlink_inode+0x12/0x40
[   43.441157]  btrfs_unlink+0x76/0xc0
[   43.441637]  vfs_unlink+0xeb/0x190
[   43.442102]  do_unlinkat+0x261/0x2c0
[   43.442591]  do_syscall_64+0x43/0xf0
[   43.443081]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   43.443771] RIP: 0033:0x7f5c10aaa4d9
[   43.444257] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 8f 29 2c 00 f7 d8 64 89 01 48
[   43.446677] RSP: 002b:00007ffe1a2549b8 EFLAGS: 00000217 ORIG_RAX: 0000000000000057
[   43.447686] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5c10aaa4d9
[   43.448636] RDX: 00007f5c10aaa4d9 RSI: 00007f5c10aaa4d9 RDI: 00007ffe1a254a90
[   43.449587] RBP: 00007ffe1a258b60 R08: 00007ffe1a258c48 R09: 00007ffe1a258c48
[   43.450538] R10: 00007ffe1a258c48 R11: 0000000000000217 R12: 00000000004004e0
[   43.451526] R13: 00007ffe1a258c40 R14: 0000000000000000 R15: 0000000000000000
[   43.452477] Modules linked in:
[   43.452908] ---[ end trace 8395a48bc6cdd98a ]---
[   43.453544] RIP: 0010:btrfs_delete_delayed_dir_index+0x291/0x310
[   43.454356] Code: 10 4c 8b 03 41 b9 ef ff ff ff 48 8b 14 24 48 c7 c6 40 06 04 91 48 8b 88 df 01 00 00 48 8b 44 24 08 48 8b 78 50 e8 b2 3a f7 ff <0f> 0b 0f 1f 44 00 00 4c 89 75 50 e9 48 fe ff ff 65 8b 05 68 4e e7
[   43.456817] RSP: 0018:ffffae2300d23d40 EFLAGS: 00010286
[   43.457503] RAX: 0000000000000000 RBX: ffffa1d2b22513a8 RCX: 0000000000000000
[   43.458428] RDX: 0000000000000000 RSI: ffffa1d2b7a15418 RDI: ffffa1d2b7a15418
[   43.459374] RBP: ffffa1d2b6649b80 R08: 0000000000067321 R09: 0000000000000005
[   43.460353] R10: 0000000000000000 R11: ffffae2300d23b6d R12: ffffa1d2b6649e98
[   43.461319] R13: ffffa1d2b2251400 R14: ffffa1d2b22513f0 R15: 0000000000000001
[   43.462249] FS:  00007f5c10f8f700(0000) GS:ffffa1d2b7a00000(0000) knlGS:0000000000000000
[   43.463327] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   43.464110] CR2: 00007f5c10aaa4c0 CR3: 000000022b5dc001 CR4: 00000000001606f0
[   49.426947] BTRFS error (device sdb): trying to drop 1 refs but we only have 0 for bytenr 29376512
[   49.428281] ------------[ cut here ]------------
[   49.428955] BTRFS: Transaction aborted (error -22)
[   49.429666] WARNING: CPU: 0 PID: 1935 at fs/btrfs/extent-tree.c:7079 __btrfs_free_extent.isra.77+0x918/0xa60
[   49.431074] Modules linked in:
[   49.431529] CPU: 0 PID: 1935 Comm: sync Tainted: G      D           5.0.0 #11
[   49.432531] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[   49.433855] RIP: 0010:__btrfs_free_extent.isra.77+0x918/0xa60
[   49.434660] Code: e8 60 8b fe ff 48 8b 04 24 48 8b 40 50 3e 48 0f ba a8 c0 0c 00 00 02 72 13 be ea ff ff ff 48 c7 c7 88 9e 03 91 e8 98 a1 d3 ff <0f> 0b 48 8b 3c 24 b9 ea ff ff ff ba a7 1b 00 00 48 c7 c6 80 5e e4
[   49.437283] RSP: 0018:ffffae2300d23c50 EFLAGS: 00010286
[   49.438021] RAX: 0000000000000000 RBX: 0000000001c04000 RCX: 0000000000000000
[   49.439025] RDX: ffffa1d2b7a1d290 RSI: ffffa1d2b7a15418 RDI: ffffa1d2b7a15418
[   49.440035] RBP: 0000000000000000 R08: 0000000000068b9b R09: 0000000000000005
[   49.441003] R10: 0000000000000000 R11: ffffae2300d23afd R12: 0000000000000007
[   49.441971] R13: 0000000000000eff R14: 0000000000000000 R15: ffffa1d2b1c73070
[   49.442940] FS:  00007f3e00332700(0000) GS:ffffa1d2b7a00000(0000) knlGS:0000000000000000
[   49.444079] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   49.444889] CR2: 00007f3dffe366e0 CR3: 000000022fdae001 CR4: 00000000001606f0
[   49.445889] Call Trace:
[   49.446249]  __btrfs_run_delayed_refs+0x7b1/0x10a0
[   49.446929]  ? syscall_return_via_sysret+0x1f/0x7f
[   49.447615]  ? __ia32_sys_fdatasync+0x20/0x20
[   49.448232]  btrfs_run_delayed_refs+0xcb/0x180
[   49.448862]  ? __ia32_sys_fdatasync+0x20/0x20
[   49.449484]  btrfs_commit_transaction+0x4b/0x970
[   49.450114]  ? btrfs_attach_transaction_barrier+0x19/0x40
[   49.450845]  ? __ia32_sys_fdatasync+0x20/0x20
[   49.451458]  iterate_supers+0x9f/0xf0
[   49.451983]  ksys_sync+0x5b/0xb0
[   49.452449]  __ia32_sys_sync+0x5/0x10
[   49.452976]  do_syscall_64+0x43/0xf0
[   49.453490]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   49.454208] RIP: 0033:0x7f3dffe497c7
[   49.454721] Code: 83 c4 08 48 3d 01 f0 ff ff 73 01 c3 48 8b 0d c8 66 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 b8 a2 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a1 66 2c 00 f7 d8 64 89 01 48
[   49.457347] RSP: 002b:00007ffdbdd8c4d8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a2
[   49.458373] RAX: ffffffffffffffda RBX: 00007ffdbdd8c608 RCX: 00007f3dffe497c7
[   49.459348] RDX: 00007f3e00112ea0 RSI: 0000000000404740 RDI: 00007f3dffeda421
[   49.460316] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
[   49.461282] R10: 000000000000081d R11: 0000000000000206 R12: 0000000000000000
[   49.462265] R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000000
[   49.463265] ---[ end trace 8395a48bc6cdd98b ]---
[   49.463926] BTRFS: error (device sdb) in __btrfs_free_extent:7079: errno=-22 unknown
[   49.465024] BTRFS info (device sdb): forced readonly
[   49.465734] BTRFS: error (device sdb) in btrfs_run_delayed_refs:3011: errno=-22 unknown
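As an added triage aid (not part of this report or of the attached PoC sources), the script below pulls the tree-checker rejections, the BUG_ON site and the errno values out of dmesg lines like the ones above, mapping -17 and -22 to their symbolic names so a monitoring rule can flag a mount of an untrusted image that ended in an oops rather than a clean read-only fallback. The sample text is constructed from the messages quoted in this report; the field names and the "crash"/"corruption"/"clean" verdicts are this example's own.

```python
import errno
import re

# Constructed sample: a subset of the kernel messages quoted in this report.
SAMPLE_DMESG = """\
[   43.390118] BTRFS critical (device sdb): corrupt leaf: root=1 block=29417472 slot=8, unexpected item end, have 2002 expect 2013
[   43.392699] BTRFS critical (device sdb): corrupt leaf: root=4 block=29396992 slot=2, unexpected item end, have 536870912 expect 3907
[   43.422689] BTRFS error (device sdb): err add delayed dir index item(index: 9) into the deletion tree of the delayed node(root id: 5, inode id: 258, errno: -17)
[   43.424709] kernel BUG at fs/btrfs/delayed-inode.c:1538!
[   49.463926] BTRFS: error (device sdb) in __btrfs_free_extent:7079: errno=-22 unknown
[   49.465024] BTRFS info (device sdb): forced readonly
"""

# Tree-checker rejection of a leaf: which tree, which block, which slot, and why.
CORRUPT_LEAF = re.compile(
    r"BTRFS critical \(device (?P<dev>\w+)\): corrupt leaf: root=(?P<root>\d+) "
    r"block=(?P<block>\d+) slot=(?P<slot>\d+), (?P<reason>.+?), have (?P<have>\d+) expect (?P<expect>\d+)"
)
KERNEL_BUG = re.compile(r"kernel BUG at (?P<file>[\w./-]+):(?P<line>\d+)!")
ERRNO = re.compile(r"errno[:=] ?-(?P<num>\d+)")

def triage_btrfs_dmesg(text):
    """Summarise btrfs corruption indicators from dmesg text (one record per line)."""
    report = {"corrupt_leaves": [], "bug_sites": [], "errnos": [], "forced_readonly": False}
    for line in text.splitlines():
        m = CORRUPT_LEAF.search(line)
        if m:
            # Numeric fields become ints; 'dev' and 'reason' stay strings.
            leaf = {k: (int(v) if v.isdigit() else v) for k, v in m.groupdict().items()}
            report["corrupt_leaves"].append(leaf)
            continue
        m = KERNEL_BUG.search(line)
        if m:
            report["bug_sites"].append((m["file"], int(m["line"])))
        m = ERRNO.search(line)
        if m:
            # Map the negative kernel errno to its symbolic name, e.g. -17 -> EEXIST.
            report["errnos"].append(errno.errorcode.get(int(m["num"]), "E?" + m["num"]))
        if "forced readonly" in line:
            report["forced_readonly"] = True
    return report

def verdict(report):
    """Plain-language classification a monitoring rule could alert on."""
    if report["bug_sites"]:
        return "crash"        # a BUG_ON fired: the image drove the kernel into an oops
    if report["corrupt_leaves"] or report["errnos"]:
        return "corruption"   # tree checker rejected metadata or a transaction aborted
    return "clean"
```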
Comment 1 Jungyeon 2019-04-10 18:42:23 UTC
Created attachment 282281 [details]
The (compressed) crafted image which causes crash
Comment 2 Jungyeon 2019-04-10 18:43:47 UTC
Created attachment 282283 [details]
poc_02.c

Sorry. Please use this one for compiling.
Comment 3 Jungyeon 2019-04-10 19:24:20 UTC
Created attachment 282299 [details]
min_02.c

Please refer to this source too.
It uses far fewer system calls and causes the same error as poc_02.c.