Bug 215717

Summary: kernel BUG() at fs/inode.c:611 triggered when mounting and operating on a corrupted image
Product: File System
Reporter: Wenqing Liu (wenqingliu0120)
Component: btrfs
Assignee: BTRFS virtual assignee (fs_btrfs)
Status: NEW
Severity: normal
CC: regressions, wenqingliu0120
Priority: P1
Hardware: All
OS: Linux
Kernel Version: 5.17, 5.17-rc8
Subsystem:
Regression: No
Bisected commit-id:
Attachments: poc and .config

Description Wenqing Liu 2022-03-21 16:03:05 UTC
Created attachment 300594
poc and .config

- Overview
kernel BUG() at fs/inode.c:611 triggered when mounting and operating on a corrupted btrfs image

- Reproduce
Tested on kernels 5.17-rc8 and 5.17.

# mkdir test_crash
# cd test_crash
# unzip tmp2.zip
# mkdir mnt
# ./single_test.sh btrfs 2

- Kernel dump

[  162.618578] loop0: detected capacity change from 0 to 262144
[  162.645922] BTRFS info (device loop0): disk space caching is enabled
[  162.645931] BTRFS info (device loop0): has skinny extents
[  162.861717] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[  162.861929] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[  162.862124] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[  162.862239] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[  162.867557] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[  162.867715] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[  162.867798] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[  162.867872] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[  162.867959] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[  162.868040] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[  162.868113] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[  162.870828] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[  162.870966] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[  162.871074] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[  162.871189] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[  162.871322] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[  162.873104] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[  162.873236] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[  162.873317] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[  162.873444] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[  162.873528] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[  162.876127] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[  162.876288] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[  162.887419] ------------[ cut here ]------------
[  162.887424] kernel BUG at fs/inode.c:611!
[  162.887470] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
[  162.887490] CPU: 3 PID: 1215 Comm: umount Not tainted 5.17.0 #1
[  162.887512] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[  162.887540] RIP: 0010:clear_inode+0x8e/0xe0
[  162.887559] Code: 48 8d 83 28 01 00 00 48 39 c2 75 5e 48 c7 83 98 00 00 00 60 00 00 00 48 83 05 85 2c 2f 02 01 5b 5d c3 48 83 05 2a 2c 2f 02 01 <0f> 0b 48 83 05 30 2c 2f 02 01 48 83 05 30 2c 2f 02 01 0f 0b 48 83
[  162.887619] RSP: 0018:ffffafd080bcbd28 EFLAGS: 00010002
[  162.887638] RAX: 0000000000000000 RBX: ffff9be406274cb8 RCX: 00000000801a0017
[  162.887663] RDX: 0000000000000001 RSI: 00000000801a0017 RDI: 0000000000000000
[  162.887687] RBP: ffff9be406274e38 R08: 0000000000000001 R09: 0000000000000001
[  162.887712] R10: fffffffe1be12700 R11: ffffffff9cd5ea80 R12: ffff9be406274ac0
[  162.887735] R13: ffff9be406274ac8 R14: ffff9be406274aec R15: ffff9be406273ec0
[  162.887760] FS:  00007f72cddfd080(0000) GS:ffff9be5f5d80000(0000) knlGS:0000000000000000
[  162.887787] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  162.887807] CR2: 000055878f4a3068 CR3: 0000000111270005 CR4: 0000000000370ee0
[  162.888367] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  162.888907] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  162.889428] Call Trace:
[  162.889973]  <TASK>
[  162.890438]  btrfs_evict_inode+0x415/0x770
[  162.890884]  ? init_wait_var_entry+0x50/0x50
[  162.891353]  evict+0x109/0x270
[  162.891771]  dispose_list+0x45/0x70
[  162.892174]  evict_inodes+0x1a6/0x210
[  162.892590]  generic_shutdown_super+0x63/0x1f0
[  162.893025]  kill_anon_super+0x16/0x40
[  162.893463]  btrfs_kill_super+0x1a/0x40
[  162.893895]  deactivate_locked_super+0x60/0xc0
[  162.894364]  deactivate_super+0x70/0xb0
[  162.894838]  cleanup_mnt+0x11a/0x200
[  162.895253]  __cleanup_mnt+0x16/0x20
[  162.895524]  task_work_run+0x67/0xa0
[  162.895799]  exit_to_user_mode_prepare+0x18c/0x1a0
[  162.896084]  syscall_exit_to_user_mode+0x26/0x40
[  162.896380]  do_syscall_64+0x46/0xb0
[  162.896687]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[  162.896993] RIP: 0033:0x7f72cd6bd657
[  162.897295] Code: 98 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 01 98 2c 00 f7 d8 64 89 01 48
[  162.897963] RSP: 002b:00007fff31865178 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
[  162.898328] RAX: 0000000000000000 RBX: 000055878f49b420 RCX: 00007f72cd6bd657
[  162.898684] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000055878f4a30b0
[  162.899046] RBP: 0000000000000000 R08: 000055878f4a3580 R09: 0000000000000005
[  162.899428] R10: 000000000000000b R11: 0000000000000246 R12: 000055878f4a30b0
[  162.899809] R13: 00007f72cdbdf8a4 R14: 000055878f49b600 R15: 0000000000000000
[  162.900190]  </TASK>
[  162.900592] Modules linked in: iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi input_leds joydev serio_raw xfs qemu_fw_cfg autofs4 raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear hid_generic usbhid hid qxl drm_ttm_helper ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel crypto_simd psmouse cryptd
[  162.902280] ---[ end trace 0000000000000000 ]---
[  162.902700] RIP: 0010:clear_inode+0x8e/0xe0
[  162.903131] Code: 48 8d 83 28 01 00 00 48 39 c2 75 5e 48 c7 83 98 00 00 00 60 00 00 00 48 83 05 85 2c 2f 02 01 5b 5d c3 48 83 05 2a 2c 2f 02 01 <0f> 0b 48 83 05 30 2c 2f 02 01 48 83 05 30 2c 2f 02 01 0f 0b 48 83
[  162.903957] RSP: 0018:ffffafd080bcbd28 EFLAGS: 00010002
[  162.904369] RAX: 0000000000000000 RBX: ffff9be406274cb8 RCX: 00000000801a0017
[  162.904811] RDX: 0000000000000001 RSI: 00000000801a0017 RDI: 0000000000000000
[  162.905248] RBP: ffff9be406274e38 R08: 0000000000000001 R09: 0000000000000001
[  162.905674] R10: fffffffe1be12700 R11: ffffffff9cd5ea80 R12: ffff9be406274ac0
[  162.906103] R13: ffff9be406274ac8 R14: ffff9be406274aec R15: ffff9be406273ec0
[  162.906527] FS:  00007f72cddfd080(0000) GS:ffff9be5f5d80000(0000) knlGS:0000000000000000
[  162.906956] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  162.907395] CR2: 000055878f4a3068 CR3: 0000000111270005 CR4: 0000000000370ee0
[  162.907835] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  162.908273] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  162.908699] note: umount[1215] exited with preempt_count 1
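For triaging reports like this one, an added example (not part of the report or of the kernel) that parses the oops above into a crash signature: the BUG site, the faulting symbol, the task, and the reliable call-trace frames (entries marked with "? " are dropped). The sample input is a trimmed copy of the dump above; signature() is a hypothetical dedup helper, not a kernel tool.

```python
import re

# Constructed sample: a trimmed copy of the oops from the report above.
OOPS = """\
[  162.887424] kernel BUG at fs/inode.c:611!
[  162.887470] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
[  162.887490] CPU: 3 PID: 1215 Comm: umount Not tainted 5.17.0 #1
[  162.887540] RIP: 0010:clear_inode+0x8e/0xe0
[  162.889428] Call Trace:
[  162.889973]  <TASK>
[  162.890438]  btrfs_evict_inode+0x415/0x770
[  162.890884]  ? init_wait_var_entry+0x50/0x50
[  162.891353]  evict+0x109/0x270
[  162.891771]  dispose_list+0x45/0x70
[  162.892590]  generic_shutdown_super+0x63/0x1f0
[  162.893463]  btrfs_kill_super+0x1a/0x40
[  162.896687]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[  162.896993] RIP: 0033:0x7f72cd6bd657
[  162.900190]  </TASK>
[  162.902280] ---[ end trace 0000000000000000 ]---
"""

TS = r"^\[\s*[\d.]+\]\s*"                      # dmesg timestamp prefix
BUG_RE = re.compile(TS + r"kernel BUG at (\S+?)!")
CMD_RE = re.compile(TS + r"CPU: \d+ PID: (\d+) Comm: (\S+)")
RIP_RE = re.compile(TS + r"RIP: \w+:(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+")  # kernel symbol only
FRAME_RE = re.compile(TS + r"(\? )?(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+$")

def parse_oops(text):
    """Extract BUG site, faulting symbol, task and reliable call-trace frames."""
    info = {"bug_at": None, "rip": None, "comm": None, "pid": None, "frames": []}
    in_trace = False
    for line in text.splitlines():
        if m := BUG_RE.match(line):
            info["bug_at"] = m.group(1)
        elif m := CMD_RE.match(line):
            info["pid"], info["comm"] = int(m.group(1)), m.group(2)
        elif m := RIP_RE.match(line):          # user-space RIP (0x...) does not match
            info["rip"] = m.group(1)
        elif "</TASK>" in line:
            in_trace = False
        elif "<TASK>" in line:
            in_trace = True
        elif in_trace and (m := FRAME_RE.match(line)) and not m.group(1):
            info["frames"].append(m.group(2))  # '? ' frames are unreliable; skipped
    return info

def signature(info, depth=3):
    """Dedup key for grouping reports: BUG site, faulting symbol, top frames."""
    return "|".join([info["bug_at"] or "?", info["rip"] or "?"] + info["frames"][:depth])
```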
Comment 1 The Linux kernel's regression tracker (Thorsten Leemhuis) 2022-03-29 12:50:31 UTC
Is this a regression or did this happen with earlier kernels (say 5.16) as well?
Comment 2 Wenqing Liu 2022-03-29 18:32:16 UTC
(In reply to The Linux kernel's regression tracker (Thorsten Leemhuis) from comment #1)
> Is this a regression or did this happen with earlier kernels (say 5.16) as
> well?
Other than 5.17, I tested on 5.16.8, 5.15.32, 5.10.99 and 5.4.171.
The bug is triggered on 5.16.8 and 5.15.32, but not on 5.10.99 or 5.4.171.