Bug 203255

Summary: kernel BUG at fs/btrfs/delayed-ref.c:486! and hangs on sync
Product: File System
Reporter: Jungyeon (jungyeon)
Component: btrfs
Assignee: BTRFS virtual assignee (fs_btrfs)
Status: NEW
Severity: normal
CC: wqu
Priority: P1
Hardware: All
OS: Linux
Kernel Version: 5.0.0
Subsystem:
Regression: No
Bisected commit-id:
Attachments: The (compressed) crafted image which causes crash
poc_03.c
min_03.c

Description Jungyeon 2019-04-10 18:47:56 UTC
Created attachment 282285
The (compressed) crafted image which causes crash

- Overview
When mounting the attached crafted image, the following errors are reported.
Additionally, it hangs on sync after running the program.

The image is intentionally fuzzed from a normal btrfs image for testing.
Compile options for BTRFS are as follows.
CONFIG_BTRFS_FS=y
CONFIG_BTRFS_FS_POSIX_ACL=y
CONFIG_BTRFS_FS_CHECK_INTEGRITY=y
# CONFIG_BTRFS_FS_RUN_SANITY_TESTS is not set
CONFIG_BTRFS_DEBUG=y
CONFIG_BTRFS_ASSERT=y
CONFIG_BTRFS_FS_REF_VERIFY=y

- Steps to reproduce
gcc poc_03.c
mkdir test
mount -t btrfs tmp.img test
cp a.out test
cd test
sudo ./a.out
sync

- Kernel messages
[   19.214738] BTRFS: device fsid a62e00e8-e94e-4200-8217-12444de93c2e devid 1 transid 8 /dev/sdb
[   43.869952] BTRFS info (device sdb): disk space caching is enabled
[   43.869953] BTRFS info (device sdb): has skinny extents
[   43.870786] BTRFS critical (device sdb): corrupt leaf: root=1 block=29417472 slot=6, bad key order, prev (6 12 6) current (6 0 0)
[   43.873089] BTRFS info (device sdb): read error corrected: ino 0 off 29417472 (dev /dev/sdb sector 73840)
[   43.874093] BTRFS info (device sdb): bdev /dev/sdb errs: wr 0, rd 0, flush 14680064, corrupt 0, gen 0
[   43.874715] BTRFS critical (device sdb): corrupt leaf: root=5 block=29409280 slot=2 ino=256, xattr dir type found for non-XATTR key
[   43.876981] BTRFS info (device sdb): read error corrected: ino 0 off 29409280 (dev /dev/sdb sector 73824)
[   43.914916] ------------[ cut here ]------------
[   43.914918] kernel BUG at fs/btrfs/delayed-ref.c:486!
[   43.915693] invalid opcode: 0000 [#1] SMP PTI
[   43.916340] CPU: 0 PID: 1929 Comm: a.out Not tainted 5.0.0 #11
[   43.917191] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[   43.918590] RIP: 0010:update_existing_head_ref+0x18e/0x1c0
[   43.919391] Code: 40 12 01 48 8b 75 78 80 7e 13 00 0f 84 15 ff ff ff 48 8b 43 78 e9 f8 fe ff ff 89 d0 e9 2f ff ff ff 48 89 73 78 e9 0d ff ff ff <0f> 0b 48 8b 4b 08 49 29 8f 68 01 00 00 89 c6 4c 89 f7 89 54 24 0c
[   43.922094] RSP: 0018:ffffaee980d0b6d0 EFLAGS: 00010202
[   43.922863] RAX: 0000000000000003 RBX: ffff9e2e760a95a0 RCX: ffffaee980d0b850
[   43.923901] RDX: ffff9e2e760a95a0 RSI: ffff9e2e760a9280 RDI: ffff9e2e6f39e1a0
[   43.924941] RBP: ffff9e2e760a9280 R08: ffffaee980d0b7dc R09: ffffaee980d0b850
[   43.925992] R10: ffff9e2e7085a400 R11: 0000000000000000 R12: ffff9e2e6f39e1a0
[   43.927038] R13: ffff9e2e7669e000 R14: ffff9e2e7669e000 R15: ffff9e2e7531da00
[   43.928078] FS:  00007f7312c33700(0000) GS:ffff9e2e77a00000(0000) knlGS:0000000000000000
[   43.929260] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   43.930106] CR2: 00007f731274e4c0 CR3: 0000000235e48004 CR4: 00000000001606f0
[   43.931150] Call Trace:
[   43.931531]  add_delayed_ref_head+0x1ad/0x230
[   43.932172]  btrfs_add_delayed_tree_ref+0x1c1/0x340
[   43.932889]  btrfs_free_tree_block+0xca/0x2a0
[   43.933547]  __btrfs_cow_block+0x43c/0x520
[   43.934160]  btrfs_cow_block+0xe4/0x1e0
[   43.934728]  btrfs_search_slot+0x517/0xa10
[   43.935332]  ? btrfs_search_slot+0x99b/0xa10
[   43.935964]  btrfs_insert_empty_items+0x62/0xb0
[   43.936633]  alloc_reserved_file_extent+0x97/0x300
[   43.937342]  __btrfs_run_delayed_refs+0x896/0x10a0
[   43.938056]  ? mutex_lock+0x9/0x30
[   43.938563]  ? space_info_add_old_bytes+0x20/0x1f0
[   43.939269]  btrfs_run_delayed_refs+0xcb/0x180
[   43.939924]  btrfs_commit_transaction+0x4b/0x970
[   43.940608]  ? btrfs_log_new_name+0x9a/0x163
[   43.941239]  btrfs_rename2+0xfdf/0x1cb0
[   43.941814]  ? vfs_rename+0x630/0x810
[   43.942359]  vfs_rename+0x630/0x810
[   43.942881]  ? security_d_instantiate+0x10/0x40
[   43.943548]  do_renameat2+0x4c9/0x550
[   43.944091]  __x64_sys_rename+0x17/0x20
[   43.944660]  do_syscall_64+0x43/0xf0
[   43.945192]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   43.945943] RIP: 0033:0x7f731274e4d9
[   43.946474] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 8f 29 2c 00 f7 d8 64 89 01 48
[   43.949174] RSP: 002b:00007ffcac10d558 EFLAGS: 00000207 ORIG_RAX: 0000000000000052
[   43.950280] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f731274e4d9
[   43.951320] RDX: 00007f731274e4d9 RSI: 00007ffcac10d600 RDI: 00007ffcac10d5e0
[   43.952361] RBP: 00007ffcac111720 R08: 00007ffcac111808 R09: 00007ffcac111808
[   43.953415] R10: 00007ffcac111808 R11: 0000000000000207 R12: 00000000004004e0
[   43.954457] R13: 00007ffcac111800 R14: 0000000000000000 R15: 0000000000000000
[   43.955494] Modules linked in:
[   43.955961] ---[ end trace 9a0a7982efda3a73 ]---
[   43.956645] RIP: 0010:update_existing_head_ref+0x18e/0x1c0
[   43.957458] Code: 40 12 01 48 8b 75 78 80 7e 13 00 0f 84 15 ff ff ff 48 8b 43 78 e9 f8 fe ff ff 89 d0 e9 2f ff ff ff 48 89 73 78 e9 0d ff ff ff <0f> 0b 48 8b 4b 08 49 29 8f 68 01 00 00 89 c6 4c 89 f7 89 54 24 0c
[   43.960165] RSP: 0018:ffffaee980d0b6d0 EFLAGS: 00010202
[   43.960939] RAX: 0000000000000003 RBX: ffff9e2e760a95a0 RCX: ffffaee980d0b850
[   43.961993] RDX: ffff9e2e760a95a0 RSI: ffff9e2e760a9280 RDI: ffff9e2e6f39e1a0
[   43.963045] RBP: ffff9e2e760a9280 R08: ffffaee980d0b7dc R09: ffffaee980d0b850
[   43.964095] R10: ffff9e2e7085a400 R11: 0000000000000000 R12: ffff9e2e6f39e1a0
[   43.965141] R13: ffff9e2e7669e000 R14: ffff9e2e7669e000 R15: ffff9e2e7531da00
[   43.966202] FS:  00007f7312c33700(0000) GS:ffff9e2e77a00000(0000) knlGS:0000000000000000
[   43.967388] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   43.968241] CR2: 00007f731274e4c0 CR3: 0000000235e48004 CR4: 00000000001606f0
[   43.970111] a.out (1929) used greatest stack depth: 12232 bytes left
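The two "corrupt leaf" lines in the log above come from btrfs's read-time tree checker: a leaf is rejected when its keys are not strictly ascending (ordered by objectid, then type, then offset), or when a dir item carries the xattr file type under a key that is not an XATTR_ITEM key. The log shows both leaves being rejected at mount time and the reads reported as corrected; the BUG itself comes later, from the rename path. The C program below is an added illustration and is not code from the bug report or from the kernel: it reimplements those two checks over constructed leaves. Only the keys quoted in the log are real ((6 12 6) followed by (6 0 0) in the root=1 leaf, and an xattr-typed dir item for ino 256 in the root=5 leaf); the filler slots, the 0x1234 name hash and all function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Key type values from the btrfs on-disk format (include/uapi/linux/btrfs_tree.h). */
#define BTRFS_INODE_ITEM_KEY   1
#define BTRFS_INODE_REF_KEY   12
#define BTRFS_XATTR_ITEM_KEY  24
#define BTRFS_DIR_ITEM_KEY    84
#define BTRFS_DIR_INDEX_KEY   96
#define BTRFS_FT_REG_FILE      1   /* dir_item.type for a regular file */
#define BTRFS_FT_XATTR         8   /* dir_item.type reserved for xattr entries */

#define NRITEMS(a) ((int)(sizeof(a) / sizeof((a)[0])))

enum leaf_err {
    LEAF_OK = 0,
    LEAF_BAD_KEY_ORDER,        /* kernel: "bad key order, prev (...) current (...)" */
    LEAF_XATTR_TYPE_MISMATCH   /* kernel: "xattr dir type found for non-XATTR key" */
};

struct btrfs_key { uint64_t objectid; uint8_t type; uint64_t offset; };

/* A leaf item as the checker sees it: its key plus the dir_item.type byte that
 * DIR_ITEM / DIR_INDEX / XATTR_ITEM bodies carry (ignored for other item types). */
struct leaf_item { struct btrfs_key key; uint8_t dir_type; };

/* btrfs orders keys by objectid, then type, then offset. */
static int comp_keys(const struct btrfs_key *a, const struct btrfs_key *b)
{
    if (a->objectid != b->objectid) return a->objectid < b->objectid ? -1 : 1;
    if (a->type != b->type)         return a->type < b->type ? -1 : 1;
    if (a->offset != b->offset)     return a->offset < b->offset ? -1 : 1;
    return 0;
}

static int is_dir_key(uint8_t type)
{
    return type == BTRFS_DIR_ITEM_KEY || type == BTRFS_DIR_INDEX_KEY ||
           type == BTRFS_XATTR_ITEM_KEY;
}

/* Walk the items in slot order and apply two of the tree-checker's rules.
 * Returns the first violation; *bad_slot (if non-NULL) receives the slot. */
enum leaf_err check_leaf(const struct leaf_item *items, int nritems, int *bad_slot)
{
    for (int slot = 0; slot < nritems; slot++) {
        const struct btrfs_key *cur = &items[slot].key;

        /* Rule 1: keys must be strictly ascending. A leaf that violates this
         * breaks binary search, so it is rejected before anything uses it. */
        if (slot > 0 && comp_keys(&items[slot - 1].key, cur) >= 0) {
            const struct btrfs_key *prev = &items[slot - 1].key;
            fprintf(stderr, "corrupt leaf: slot=%d, bad key order, "
                    "prev (%llu %u %llu) current (%llu %u %llu)\n", slot,
                    (unsigned long long)prev->objectid, prev->type,
                    (unsigned long long)prev->offset,
                    (unsigned long long)cur->objectid, cur->type,
                    (unsigned long long)cur->offset);
            if (bad_slot) *bad_slot = slot;
            return LEAF_BAD_KEY_ORDER;
        }

        /* Rule 2: a dir item flagged as an xattr may only sit under an XATTR_ITEM key. */
        if (is_dir_key(cur->type) && items[slot].dir_type == BTRFS_FT_XATTR &&
            cur->type != BTRFS_XATTR_ITEM_KEY) {
            fprintf(stderr, "corrupt leaf: slot=%d ino=%llu, "
                    "xattr dir type found for non-XATTR key\n",
                    slot, (unsigned long long)cur->objectid);
            if (bad_slot) *bad_slot = slot;
            return LEAF_XATTR_TYPE_MISMATCH;
        }
    }
    return LEAF_OK;
}

/* Convenience wrapper: slot of the first violation, or -1 for a clean leaf. */
int first_bad_slot(const struct leaf_item *items, int nritems)
{
    int slot = -1;
    return check_leaf(items, nritems, &slot) == LEAF_OK ? -1 : slot;
}

/* Constructed leaves: only the keys quoted in the kernel log are real,
 * the remaining slots are well-ordered filler (assumption). */
const struct leaf_item root1_leaf[] = {
    { {2, BTRFS_INODE_ITEM_KEY, 0}, 0 },
    { {3, BTRFS_INODE_ITEM_KEY, 0}, 0 },
    { {4, BTRFS_INODE_ITEM_KEY, 0}, 0 },
    { {5, BTRFS_INODE_ITEM_KEY, 0}, 0 },
    { {6, BTRFS_INODE_ITEM_KEY, 0}, 0 },
    { {6, BTRFS_INODE_REF_KEY,  6}, 0 },   /* slot 5: prev (6 12 6) from the log */
    { {6, 0,                    0}, 0 },   /* slot 6: current (6 0 0), key goes backwards */
};
const struct leaf_item root5_leaf[] = {
    { {256, BTRFS_INODE_ITEM_KEY,    0}, 0 },
    { {256, BTRFS_INODE_REF_KEY,   256}, 0 },
    { {256, BTRFS_DIR_ITEM_KEY, 0x1234}, BTRFS_FT_XATTR },   /* slot 2: xattr type under DIR_ITEM */
};
const struct leaf_item clean_leaf[] = {
    { {256, BTRFS_INODE_ITEM_KEY,    0}, 0 },
    { {256, BTRFS_INODE_REF_KEY,   256}, 0 },
    { {256, BTRFS_DIR_ITEM_KEY, 0x1234}, BTRFS_FT_REG_FILE },
};

int main(void)
{
    printf("root1_leaf: first bad slot %d\n", first_bad_slot(root1_leaf, NRITEMS(root1_leaf)));
    printf("root5_leaf: first bad slot %d\n", first_bad_slot(root5_leaf, NRITEMS(root5_leaf)));
    printf("clean_leaf: first bad slot %d\n", first_bad_slot(clean_leaf, NRITEMS(clean_leaf)));
    return 0;
}
```

Running it reports slot 6 for the root=1 leaf and slot 2 for the root=5 leaf, matching the slot numbers in the log, and -1 for the clean leaf. The point for anyone triaging fuzzed images: these checks run on every leaf read, so a crafted image has to pass them to reach deeper code; the crash reported here is in a path the checker does not cover, which is why it survived to a BUG_ON.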
Comment 1 Jungyeon 2019-04-10 18:48:11 UTC
Created attachment 282287
poc_03.c
Comment 2 Jungyeon 2019-04-10 19:27:33 UTC
Created attachment 282301
min_03.c

Please refer to this source too.
It uses a much smaller set of system calls and causes the same error as poc_03.c.
The only difference is that when running this program, the error occurs after sync.
Comment 3 Qu Wenruo 2019-07-16 07:05:34 UTC
I have to comment for this image.

There are 3 different factors contributing to this bug.

Great job to find such a tricky one!
And thank goodness, this bug only affects MIXED_GROUP, which is already a niche feature.

I have no doubt your newer reports will be more and more tricky to pin down.

Thanks,
Qu