Created attachment 277175
The (compressed) crafted image which causes crash

- Reproduce

# mkdir mnt
# mount -t btrfs 21.img mnt

- Kernel message

[  332.230503] BTRFS: device fsid 3381d111-94a3-4ac7-8f39-611bbbdab7e6 devid 1 transid 8 /dev/loop0
[  332.234560] BTRFS info (device loop0): disk space caching is enabled
[  332.234572] BTRFS info (device loop0): has skinny extents
[  332.331480] ------------[ cut here ]------------
[  332.331488] kernel BUG at fs/btrfs/extent-tree.c:8944!
[  332.332781] invalid opcode: 0000 [#1] SMP KASAN PTI
[  332.333831] CPU: 0 PID: 1430 Comm: mount Not tainted 4.18.0-rc1+ #8
[  332.335126] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[  332.337142] RIP: 0010:walk_up_proc+0x56d/0x6b0
[  332.338062] Code: 08 00 00 00 49 c1 fe 06 49 c1 e6 0c 4c 03 35 7a f4 74 01 49 8d 7e 58 e8 91 fc bd ff 48 8b 45 c8 49 3b 46 58 0f 84 18 fc ff ff <0f> 0b 48 8b 55 d0 48 8b 7d b8 31 c9 4c 89 ee e8 8f 17 ff ff e9 b3
[  332.341914] RSP: 0018:ffff8801f341f100 EFLAGS: 00010202
[  332.342995] RAX: fffffffffffffff8 RBX: ffff8801f570fe00 RCX: ffffffffa57bdf1f
[  332.344456] RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff8801f15e6058
[  332.345903] RBP: ffff8801f341f160 R08: ffffed003e2bcc0c R09: ffffed003e2bcc0c
[  332.347352] R10: 0000000000000001 R11: ffffed003e2bcc0b R12: 0000000000000000
[  332.348811] R13: ffff8801f2f89980 R14: ffff8801f15e6000 R15: 0000000000000000
[  332.350252] FS:  00007f6072b98840(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
[  332.351900] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  332.353067] CR2: 000055dac03caef8 CR3: 00000001f06cc000 CR4: 00000000000006f0
[  332.354525] Call Trace:
[  332.355053]  walk_up_tree+0x20d/0x2e0
[  332.359842]  btrfs_drop_snapshot+0x775/0xec0
[  332.360731]  ? btrfs_alloc_logged_file_extent+0x180/0x180
[  332.362181]  ? __mutex_lock_slowpath+0x20/0x20
[  332.363168]  ? btrfs_commit_transaction+0xcab/0xfa0
[  332.364232]  merge_reloc_roots+0x21a/0x490
[  332.365090]  ? merge_reloc_root+0x960/0x960
[  332.365961]  btrfs_recover_relocation+0x638/0x750
[  332.366937]  ? btrfs_relocate_block_group+0x370/0x370
[  332.368001]  ? qgroup_reserve+0x650/0x650
[  332.368876]  ? kasan_check_read+0x11/0x20
[  332.369717]  ? mutex_lock+0x99/0xf0
[  332.370450]  open_ctree+0x2f9b/0x35c6
[  332.371221]  ? close_ctree+0x460/0x460
[  332.372031]  ? bdi_register_va+0x44/0x50
[  332.372863]  ? super_setup_bdi_name+0x11b/0x1a0
[  332.373806]  ? kill_block_super+0x80/0x80
[  332.374654]  ? snprintf+0x96/0xd0
[  332.375366]  btrfs_mount_root+0xae6/0xc60
[  332.376219]  ? btrfs_mount_root+0xae6/0xc60
[  332.377092]  ? pcpu_block_update_hint_alloc+0x1d2/0x2a0
[  332.378173]  ? btrfs_decode_error+0x40/0x40
[  332.379071]  ? find_next_bit+0x57/0x90
[  332.379879]  ? cpumask_next+0x1a/0x20
[  332.380648]  ? pcpu_alloc+0x449/0x8c0
[  332.381415]  ? pcpu_free_area+0x410/0x410
[  332.382259]  ? memcg_kmem_put_cache+0x1b/0xa0
[  332.383170]  ? memcpy+0x45/0x50
[  332.383854]  mount_fs+0x60/0x1a0
[  332.384533]  ? btrfs_decode_error+0x40/0x40
[  332.385402]  ? mount_fs+0x60/0x1a0
[  332.386127]  ? alloc_vfsmnt+0x309/0x360
[  332.386930]  vfs_kern_mount+0x6b/0x1a0
[  332.387727]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  332.388808]  btrfs_mount+0x209/0xb71
[  332.389558]  ? find_next_zero_bit+0x2c/0xa0
[  332.390431]  ? pcpu_block_update_hint_alloc+0x1d2/0x2a0
[  332.391512]  ? btrfs_remount+0x8e0/0x8e0
[  332.392333]  ? find_next_zero_bit+0x2c/0xa0
[  332.393203]  ? find_next_bit+0x57/0x90
[  332.393986]  ? cpumask_next+0x1a/0x20
[  332.394751]  ? pcpu_alloc+0x449/0x8c0
[  332.395519]  ? pcpu_free_area+0x410/0x410
[  332.396365]  ? memcg_kmem_put_cache+0x1b/0xa0
[  332.397269]  ? memcpy+0x45/0x50
[  332.397930]  mount_fs+0x60/0x1a0
[  332.398610]  ? btrfs_remount+0x8e0/0x8e0
[  332.399427]  ? mount_fs+0x60/0x1a0
[  332.400148]  ? alloc_vfsmnt+0x309/0x360
[  332.400949]  vfs_kern_mount+0x6b/0x1a0
[  332.401734]  do_mount+0x34a/0x18c0
[  332.402458]  ? lockref_put_or_lock+0xcf/0x160
[  332.403369]  ? copy_mount_string+0x20/0x20
[  332.404237]  ? memcg_kmem_put_cache+0x1b/0xa0
[  332.405144]  ? kasan_check_write+0x14/0x20
[  332.406005]  ? _copy_from_user+0x6a/0x90
[  332.406840]  ? memdup_user+0x42/0x60
[  332.407604]  ksys_mount+0x83/0xd0
[  332.408302]  __x64_sys_mount+0x67/0x80
[  332.409103]  do_syscall_64+0x78/0x170
[  332.409876]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  332.410933] RIP: 0033:0x7f6072478b9a
[  332.411688] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48
[  332.415551] RSP: 002b:00007ffd2ef69bd8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[  332.417107] RAX: ffffffffffffffda RBX: 000000000151b030 RCX: 00007f6072478b9a
[  332.418556] RDX: 000000000151b210 RSI: 000000000151cf30 RDI: 0000000001523ec0
[  332.420019] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000014
[  332.421474] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000000001523ec0
[  332.422929] R13: 000000000151b210 R14: 0000000000000000 R15: 0000000000000003
[  332.424402] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too qxl drm_kms_helper crct10dif_pclmul syscopyarea sysfillrect sysimgblt fb_sys_fops ttm crc32_pclmul aesni_intel drm aes_x86_64 crypto_simd cryptd glue_helper 8139cp mii pata_acpi floppy
[  332.434310] ---[ end trace 2e85051acb5f6dc1 ]---
[  332.435324] RIP: 0010:walk_up_proc+0x56d/0x6b0
[  332.436262] Code: 08 00 00 00 49 c1 fe 06 49 c1 e6 0c 4c 03 35 7a f4 74 01 49 8d 7e 58 e8 91 fc bd ff 48 8b 45 c8 49 3b 46 58 0f 84 18 fc ff ff <0f> 0b 48 8b 55 d0 48 8b 7d b8 31 c9 4c 89 ee e8 8f 17 ff ff e9 b3
[  332.440311] RSP: 0018:ffff8801f341f100 EFLAGS: 00010202
[  332.441403] RAX: fffffffffffffff8 RBX: ffff8801f570fe00 RCX: ffffffffa57bdf1f
[  332.442871] RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff8801f15e6058
[  332.444382] RBP: ffff8801f341f160 R08: ffffed003e2bcc0c R09: ffffed003e2bcc0c
[  332.445841] R10: 0000000000000001 R11: ffffed003e2bcc0b R12: 0000000000000000
[  332.447332] R13: ffff8801f2f89980 R14: ffff8801f15e6000 R15: 0000000000000000
[  332.448804] FS:  00007f6072b98840(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
[  332.450456] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  332.451685] CR2: 000055dac03caef8 CR3: 00000001f06cc000 CR4: 00000000000006f0

- Location

https://elixir.bootlin.com/linux/v4.18-rc3/source/fs/btrfs/extent-tree.c#L8943

	if (eb == root->node) {
		if (wc->flags[level] & BTRFS_BLOCK_FLAG_FULL_BACKREF)
			parent = eb->start;
		else
			BUG_ON(root->root_key.objectid !=        <---
			       btrfs_header_owner(eb));

Found by Wen Xu and Po-Ning Tseng from SSLab at Gatech.
Thanks for the report. Fixed by 65c6e82becec3373 "btrfs: Handle owner mismatch gracefully when walking up tree", in 4.20.
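The owner check quoted in the report, and the kind of graceful handling the fix's title describes, modelled in userland as an added example. This is neither the kernel's code nor the diff of 65c6e82becec3373; it parses a constructed btrfs_header image, applies the eb == root->node branch of the check, and returns -EUCLEAN on an owner mismatch instead of panicking. The header field offsets, the value of BTRFS_BLOCK_FLAG_FULL_BACKREF, the FS tree objectid 5, the error text and the choice of -EUCLEAN are all assumptions, not facts taken from this page.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifndef EUCLEAN
#define EUCLEAN 117 /* "Structure needs cleaning", the errno btrfs uses for corrupt metadata */
#endif

/* Assumed on-disk layout of struct btrfs_header (verify against your kernel's
 * include/uapi/linux/btrfs_tree.h): csum[32] fsid[16] bytenr(u64) flags(u64)
 * chunk_tree_uuid[16] generation(u64) owner(u64) nritems(u32) level(u8),
 * 101 bytes, integers little-endian. */
#define HDR_BYTENR_OFF     48
#define HDR_FLAGS_OFF      56
#define HDR_GENERATION_OFF 80
#define HDR_OWNER_OFF      88
#define HDR_NRITEMS_OFF    96
#define HDR_LEVEL_OFF      100
#define BTRFS_HEADER_SIZE  101

#define BTRFS_BLOCK_FLAG_FULL_BACKREF (1ULL << 8) /* assumed value */
#define BTRFS_FS_TREE_OBJECTID 5ULL               /* assumed: default subvolume tree */

struct eb_header {
    uint64_t bytenr, flags, generation, owner;
    uint32_t nritems;
    uint8_t level;
};

static uint64_t get_le64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void put_le64(uint8_t *p, uint64_t v)
{
    for (int i = 0; i < 8; i++)
        p[i] = (uint8_t)(v >> (8 * i));
}

/* Constructed header image carrying only the fields the check reads. */
void build_header(uint8_t *buf, uint64_t bytenr, uint64_t flags, uint64_t owner)
{
    memset(buf, 0, BTRFS_HEADER_SIZE);
    put_le64(buf + HDR_BYTENR_OFF, bytenr);
    put_le64(buf + HDR_FLAGS_OFF, flags);
    put_le64(buf + HDR_OWNER_OFF, owner);
}

int parse_header(const uint8_t *buf, size_t len, struct eb_header *h)
{
    if (len < BTRFS_HEADER_SIZE)
        return -EINVAL;
    h->bytenr = get_le64(buf + HDR_BYTENR_OFF);
    h->flags = get_le64(buf + HDR_FLAGS_OFF);
    h->generation = get_le64(buf + HDR_GENERATION_OFF);
    h->owner = get_le64(buf + HDR_OWNER_OFF);
    h->nritems = get_le32(buf + HDR_NRITEMS_OFF);
    h->level = buf[HDR_LEVEL_OFF];
    return 0;
}

/* Hardened form of the quoted check for the eb == root->node branch: the
 * on-disk owner is attacker-controlled, so a mismatch is an error to hand
 * back to the mount path, not a BUG_ON. Mirrors the kernel's parent = 0 default. */
int root_node_owner_check(const struct eb_header *eb, uint64_t root_objectid, uint64_t *parent)
{
    if (eb->flags & BTRFS_BLOCK_FLAG_FULL_BACKREF) {
        *parent = eb->bytenr;
        return 0;
    }
    if (root_objectid != eb->owner) {
        fprintf(stderr, "owner mismatch for eb %llu, root %llu, root owner %llu\n",
                (unsigned long long)eb->bytenr, (unsigned long long)root_objectid,
                (unsigned long long)eb->owner);
        return -EUCLEAN;
    }
    *parent = 0;
    return 0;
}

/* One case end to end: header bytes with the given owner/flags, walked as root_objectid. */
int owner_check_case(uint64_t owner, uint64_t flags, uint64_t root_objectid, uint64_t *parent_out)
{
    uint8_t buf[BTRFS_HEADER_SIZE];
    struct eb_header h;
    uint64_t parent = 0;
    build_header(buf, 30457856ULL, flags, owner); /* bytenr is an arbitrary constructed value */
    int ret = parse_header(buf, sizeof buf, &h);
    if (ret == 0)
        ret = root_node_owner_check(&h, root_objectid, &parent);
    if (parent_out)
        *parent_out = parent;
    return ret;
}

int main(void)
{
    /* Well-formed: FS tree node owned by the FS tree. */
    printf("matching owner: %d\n", owner_check_case(BTRFS_FS_TREE_OBJECTID, 0, BTRFS_FS_TREE_OBJECTID, NULL));
    /* Crafted: owner rewritten to another tree, FULL_BACKREF clear. The unpatched
     * kernel BUG_ON()s here; this returns -EUCLEAN and the mount can fail cleanly. */
    printf("mismatched owner: %d\n", owner_check_case(7, 0, BTRFS_FS_TREE_OBJECTID, NULL));
    return 0;
}
```

The point to carry over to any metadata parser: a BUG_ON on a value read from the device turns a fuzzed image into a denial of service for the whole host, whereas returning -EUCLEAN lets open_ctree() fail the mount and leaves the kernel running.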