Bug 215289

Summary: general protection fault at fs/btrfs/struct-funcs.c:btrfs_get_32() when mounting a corrupted image
Product: File System
Reporter: Wenqing Liu (wenqingliu0120)
Component: btrfs
Assignee: BTRFS virtual assignee (fs_btrfs)
Status: RESOLVED CODE_FIX
Severity: normal
CC: dsterba, l, wenqingliu0120
Priority: P1
Hardware: All
OS: Linux
Kernel Version: 5.16-rc3, 5.16-rc4
Subsystem:
Regression: No
Bisected commit-id:
Attachments: poc and .config file

Description Wenqing Liu 2021-12-10 03:44:34 UTC
Created attachment 299977
poc and .config file

- Overview 
General protection fault at fs/btrfs/struct-funcs.c:btrfs_get_32() when mounting a corrupted image

- Reproduce 
Tested on kernels 5.16-rc3 and 5.16-rc4.

# mkdir mnt
# mount -t btrfs tmp1.img mnt


- Kernel dump

[   70.448784] loop0: detected capacity change from 0 to 262144
[   70.479411] BTRFS info (device loop0): disk space caching is enabled
[   70.479416] BTRFS info (device loop0): has skinny extents
[   70.480033] BTRFS warning (device loop0): bad eb member start: ptr 0xfd8 start 29396992 member offset 4108 size 4
[   70.480051] general protection fault, probably for non-canonical address 0x3f2ae0000000c: 0000 [#1] PREEMPT SMP NOPTI
[   70.480077] CPU: 3 PID: 9 Comm: kworker/u8:1 Not tainted 5.16.0-rc4 #1
[   70.480090] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[   70.480104] Workqueue: btrfs-endio-meta btrfs_work_helper [btrfs]
[   70.480207] RIP: 0010:btrfs_get_32+0x86/0x160 [btrfs]
[   70.480244] Code: 48 2b 1d dd be 1d d8 48 c1 fb 06 48 c1 e3 0c 48 03 1d de be 1d d8 e8 c9 f5 ff ff 49 8d 46 04 4c 01 f3 48 3d 00 10 00 00 77 25 <8b> 03 48 8b 4c 24 10 65 48 33 0c 25 28 00 00 00 0f 85 83 00 00 00
[   70.480275] RSP: 0018:ffffa83b00053bf8 EFLAGS: 00010283
[   70.480286] RAX: 0000000000000010 RBX: 0003f2ae0000000c RCX: 0000000000000001
[   70.480299] RDX: 0000000000000000 RSI: ffffffff9872e181 RDI: 00000000ffffffff
[   70.480312] RBP: ffff8cbf03140900 R08: 0000000000000000 R09: 0000000000000001
[   70.480324] R10: 00000000697d8a5a R11: 0000000000000034 R12: 0000000000000001
[   70.480338] R13: ffff8cbf03140908 R14: 000000000000000c R15: 0000000000000fd8
[   70.480351] FS:  0000000000000000(0000) GS:ffff8cc0f5d80000(0000) knlGS:0000000000000000
[   70.480365] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   70.480376] CR2: 0000555bbe534880 CR3: 0000000113862006 CR4: 0000000000370ee0
[   70.480392] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   70.480425] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   70.480438] Call Trace:
[   70.480453]  <TASK>
[   70.480459]  ? check_inode_key+0x41/0x160 [btrfs]
[   70.480519]  check_leaf+0x523/0x1a40 [btrfs]
[   70.480563]  ? filemap_read+0x34a/0x390
[   70.480574]  validate_extent_buffer+0x244/0x310 [btrfs]
[   70.480609]  btrfs_validate_metadata_buffer+0xf8/0x100 [btrfs]
[   70.480639]  end_bio_extent_readpage+0x3af/0x850 [btrfs]
[   70.480696]  ? newidle_balance+0x259/0x480
[   70.480707]  end_workqueue_fn+0x29/0x40 [btrfs]
[   70.480737]  btrfs_work_helper+0x71/0x330 [btrfs]
[   70.480781]  ? __schedule+0x2fb/0xa40
[   70.480791]  process_one_work+0x1f6/0x400
[   70.480802]  ? process_one_work+0x400/0x400
[   70.480810]  worker_thread+0x2d/0x3d0
[   70.480819]  ? process_one_work+0x400/0x400
[   70.480827]  kthread+0x165/0x190
[   70.480836]  ? set_kthread_struct+0x40/0x40
[   70.480845]  ret_from_fork+0x1f/0x30
[   70.480856]  </TASK>
[   70.480860] Modules linked in: input_leds joydev serio_raw qemu_fw_cfg iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs blake2b_generic zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq raid1 raid0 multipath linear qxl drm_ttm_helper ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm hid_generic psmouse crct10dif_pclmul crc32_pclmul ghash_clmulni_intel usbhid aesni_intel crypto_simd hid cryptd
[   70.480996] ---[ end trace 134fcab26bd36b90 ]---
[   70.481005] RIP: 0010:btrfs_get_32+0x86/0x160 [btrfs]
[   70.481436] Code: 48 2b 1d dd be 1d d8 48 c1 fb 06 48 c1 e3 0c 48 03 1d de be 1d d8 e8 c9 f5 ff ff 49 8d 46 04 4c 01 f3 48 3d 00 10 00 00 77 25 <8b> 03 48 8b 4c 24 10 65 48 33 0c 25 28 00 00 00 0f 85 83 00 00 00
[   70.482305] RSP: 0018:ffffa83b00053bf8 EFLAGS: 00010283
[   70.482720] RAX: 0000000000000010 RBX: 0003f2ae0000000c RCX: 0000000000000001
[   70.483204] RDX: 0000000000000000 RSI: ffffffff9872e181 RDI: 00000000ffffffff
[   70.483609] RBP: ffff8cbf03140900 R08: 0000000000000000 R09: 0000000000000001
[   70.484042] R10: 00000000697d8a5a R11: 0000000000000034 R12: 0000000000000001
[   70.484555] R13: ffff8cbf03140908 R14: 000000000000000c R15: 0000000000000fd8
[   70.485017] FS:  0000000000000000(0000) GS:ffff8cc0f5d80000(0000) knlGS:0000000000000000
[   70.485392] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   70.485784] CR2: 0000555bbe534880 CR3: 0000000113862006 CR4: 0000000000370ee0
[   70.486351] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   70.486983] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Comment 1 Su Yue 2022-02-18 15:30:38 UTC
The bug should be fixed by https://lore.kernel.org/linux-btrfs/20220121093335.1840306-1-l@damenly.su/T/#t .
The Link and dmesg in the commit message were wrongly pasted by me, even though the code prevents the crafted image from being mounted.
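A userspace model of the check that was missing on this path, added here as an illustration; it is not code from the kernel, from the attached poc, or from the linked patch. The dump shows the setget helper noticing the bad member ("bad eb member start: ptr 0xfd8 ... member offset 4108 size 4") and the read proceeding anyway into a general protection fault, reached from check_inode_key via check_leaf. The model assumes a 4096-byte nodesize (consistent with offset 4108 lying outside the buffer), that 0xfd8 is the data pointer of an INODE_ITEM whose mode field sits at +52 (0xfd8 + 52 = 4108), and that the right fix is to reject an item whose size is not sizeof(struct btrfs_inode_item) before any member of it is read; here the bounds-check result is honoured instead of only logged. The layout constants (101-byte leaf header, 25-byte item, 160-byte inode item, mode at offset 52) are the on-disk format's; both leaves are constructed inline for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed geometry of the crafted image; format constants are btrfs's on-disk values. */
#define NODESIZE            4096u
#define LEAF_HEADER_SIZE    101u   /* sizeof(struct btrfs_header) */
#define ITEM_SIZE           25u    /* sizeof(struct btrfs_item): key(17) + offset(4) + size(4) */
#define INODE_ITEM_SIZE     160u   /* sizeof(struct btrfs_inode_item) */
#define INODE_ITEM_MODE_OFF 52u    /* offsetof(struct btrfs_inode_item, mode) */

#define ERR_ITEM_OUTSIDE_LEAF  (-1)
#define ERR_ITEM_SIZE_MISMATCH (-2)
#define ERR_MEMBER_OUT_OF_EB   (-3)

struct leaf { uint8_t data[NODESIZE]; };   /* stands in for the extent buffer */

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}
static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* struct btrfs_item for a slot sits right after the header; the key takes its first 17 bytes. */
static uint8_t *item_slot(struct leaf *l, uint32_t slot) { return l->data + LEAF_HEADER_SIZE + slot * ITEM_SIZE; }
static uint32_t item_offset(struct leaf *l, uint32_t slot) { return get_le32(item_slot(l, slot) + 17); }
static uint32_t item_size(struct leaf *l, uint32_t slot)   { return get_le32(item_slot(l, slot) + 21); }
/* Absolute byte offset of the item data inside the buffer: the "ptr" printed in the warning. */
static unsigned long item_ptr(struct leaf *l, uint32_t slot) { return LEAF_HEADER_SIZE + item_offset(l, slot); }

/* The setget bounds check, modelled on the warning text in the dump; its verdict is enforced here. */
static bool check_setget_bounds(unsigned long eb_len, unsigned long ptr, unsigned long off, unsigned long size)
{
    unsigned long member = ptr + off;
    if (member > eb_len) {
        fprintf(stderr, "bad eb member start: ptr 0x%lx member offset %lu size %lu\n", ptr, member, size);
        return false;
    }
    if (member + size > eb_len) {
        fprintf(stderr, "bad eb member end: ptr 0x%lx member offset %lu size %lu\n", ptr, member, size);
        return false;
    }
    return true;
}

/* Refuses to read instead of dereferencing past the buffer. */
static int leaf_get_u32(struct leaf *l, unsigned long ptr, unsigned long off, uint32_t *out)
{
    if (!check_setget_bounds(NODESIZE, ptr, off, sizeof(*out)))
        return ERR_MEMBER_OUT_OF_EB;
    *out = get_le32(l->data + ptr + off);
    return 0;
}

/* Tree-checker style: prove the item is a whole inode item inside the leaf before touching members. */
static int check_inode_item(struct leaf *l, uint32_t slot, uint32_t *mode)
{
    unsigned long ptr = item_ptr(l, slot);
    uint32_t size = item_size(l, slot);

    if (ptr > NODESIZE || size > NODESIZE - ptr)
        return ERR_ITEM_OUTSIDE_LEAF;
    if (size != INODE_ITEM_SIZE)
        return ERR_ITEM_SIZE_MISMATCH;      /* the crafted leaf is rejected here, before offset 4108 is read */
    return leaf_get_u32(l, ptr, INODE_ITEM_MODE_OFF, mode);
}

/* Constructed leaves with one item each; data placed so it ends exactly at the leaf boundary. */
static void build_leaf(struct leaf *l, uint32_t data_offset, uint32_t data_size, uint32_t mode)
{
    memset(l, 0, sizeof(*l));
    put_le32(item_slot(l, 0) + 17, data_offset);
    put_le32(item_slot(l, 0) + 21, data_size);
    if (INODE_ITEM_MODE_OFF + 4 <= data_size)
        put_le32(l->data + LEAF_HEADER_SIZE + data_offset + INODE_ITEM_MODE_OFF, mode);
}
/* Crafted: ptr = 101 + 3955 = 0xfd8, only 40 bytes of data, so mode would sit at 4108 > 4096. */
static int crafted_leaf_result(void)
{
    struct leaf l; uint32_t mode = 0;
    build_leaf(&l, 3955, 40, 0);
    return check_inode_item(&l, 0, &mode);
}
/* Well-formed: ptr = 3936, 160 bytes, mode at 3988 holding S_IFDIR | 0755. */
static uint32_t valid_leaf_mode(void)
{
    struct leaf l; uint32_t mode = 0;
    build_leaf(&l, 3835, INODE_ITEM_SIZE, 040755);
    return check_inode_item(&l, 0, &mode) == 0 ? mode : 0xffffffffu;
}

int main(void)
{
    printf("crafted leaf: check_inode_item = %d\n", crafted_leaf_result());
    printf("valid leaf: mode = 0%o\n", valid_leaf_mode());
    return 0;
}
```

Build with `cc -std=c99 -Wall`. The crafted leaf fails with ERR_ITEM_SIZE_MISMATCH before anything at offset 4108 is dereferenced, which is the order a tree checker has to enforce: item geometry first, then member reads; the setget bounds check is a last line of defence, not the validation step.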