Bug 202753 - NULL pointer dereference on mounting a corrupted filesystem
Summary: NULL pointer dereference on mounting a corrupted filesystem
Status: RESOLVED CODE_FIX
Alias: None
Product: File System
Classification: Unclassified
Component: btrfs
Hardware: All Linux
Importance: P1 normal
Assignee: BTRFS virtual assignee
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-03-04 19:16 UTC by Jungyeon
Modified: 2019-07-09 01:07 UTC
CC List: 0 users

See Also:
Kernel Version: 5.0-rc8
Tree: Mainline
Regression: No


Attachments
img (166.67 KB, application/zip)
2019-03-04 19:16 UTC, Jungyeon

Description Jungyeon 2019-03-04 19:16:45 UTC
Created attachment 281481
img

While trying to mount the attached image, btrfs crashes with a segmentation fault.
Reproduction steps and messages are as follows.

---
Reproduction steps:

mkdir test
mount -t btrfs 20.img test

---
Messages:

[   21.669312] BUG: unable to handle kernel NULL pointer dereference at 0000000000000024
[   21.671328] #PF error: [normal kernel read fault]
[   21.672534] PGD 800000022a817067 P4D 800000022a817067 PUD 22a816067 PMD 0
[   21.674284] Oops: 0000 [#1] SMP PTI
[   21.675203] CPU: 0 PID: 146 Comm: kworker/u2:4 Not tainted 5.0.0-rc8+ #9
[   21.676894] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[   21.679167] Workqueue: btrfs-endio-meta btrfs_endio_meta_helper
[   21.680663] RIP: 0010:btrfs_root_node+0x10/0x50
[   21.681813] Code: ff 48 8b 3d ca ce ad 01 48 89 de e8 2a e3 db ff 5b 5d f3 c3 66 0f 1f 44 00 00 66 66 66 66 90 55 48 89 e5 53 48 89 fb 48 8b 13 <8b> 42 24 85 c0 74 31 8d 48 01 48 8d 72 24 3e 0f b1 4a 24 0f 94 c1
[   21.686495] RSP: 0018:ffffa0fcc0ffb9f0 EFLAGS: 00010282
[   21.687813] RAX: 0000000000000000 RBX: ffff8e64eb3ce800 RCX: ffff8e64f55d0460
[   21.689605] RDX: 0000000000000000 RSI: ffff8e64eb3ce800 RDI: ffff8e64eb3ce800
[   21.691414] RBP: ffffa0fcc0ffb9f8 R08: 0000000000000000 R09: 0000000000000000
[   21.693203] R10: ffffa0fcc0ffbb58 R11: 0000000000028180 R12: ffff8e64eb3ce800
[   21.695004] R13: ffff8e64eb3ce800 R14: 00000000ffffffff R15: ffffa0fcc0ffbc4f
[   21.696792] FS:  0000000000000000(0000) GS:ffff8e64f7a00000(0000) knlGS:0000000000000000
[   21.698833] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   21.700288] CR2: 0000000000000024 CR3: 0000000230680005 CR4: 00000000000206f0
[   21.702090] Call Trace:
[   21.702744]  btrfs_read_lock_root_node+0x29/0x50
[   21.703916]  btrfs_search_slot+0x529/0x920
[   21.704958]  ? __switch_to_asm+0x34/0x70
[   21.705955]  ? __switch_to_asm+0x40/0x70
[   21.706970]  btrfs_find_root+0x56/0x240
[   21.707953]  ? __slab_alloc+0x20/0x40
[   21.708887]  ? __switch_to+0x9b/0x470
[   21.709824]  ? _cond_resched+0x1a/0x50
[   21.713806]  btrfs_read_tree_root+0x8b/0x130
[   21.714905]  ? btrfs_read_tree_root+0x8b/0x130
[   21.716042]  btrfs_read_fs_root+0x12/0x40
[   21.717071]  btrfs_get_fs_root.part.49+0x53/0x170
[   21.718276]  ? schedule_timeout+0x179/0x360
[   21.719361]  btrfs_get_fs_root+0x44/0xa0
[   21.720368]  check_leaf+0xc0/0xa90
[   21.721247]  ? csum_tree_block+0x107/0x1b0
[   21.722303]  btrfs_check_leaf_full+0x13/0x20
[   21.723413]  btree_readpage_end_io_hook+0x242/0x290
[   21.724659]  end_bio_extent_readpage+0x14f/0x660
[   21.725836]  ? __switch_to_asm+0x34/0x70
[   21.726851]  ? __switch_to_asm+0x34/0x70
[   21.727854]  bio_endio+0xc4/0x140
[   21.728704]  end_workqueue_fn+0x3d/0x40
[   21.729682]  normal_work_helper+0xcb/0x320
[   21.730746]  ? __schedule+0x3f9/0x8b0
[   21.731688]  btrfs_endio_meta_helper+0x12/0x20
[   21.732820]  process_one_work+0x167/0x410
[   21.733845]  worker_thread+0x4d/0x460
[   21.734799]  kthread+0x105/0x140
[   21.735631]  ? rescuer_thread+0x360/0x360
[   21.736658]  ? kthread_destroy_worker+0x50/0x50
[   21.737813]  ret_from_fork+0x35/0x40
[   21.738747] Modules linked in:
[   21.739543] CR2: 0000000000000024
[   21.740400] ---[ end trace 964b8ea29af3cbf8 ]---
[   21.741584] RIP: 0010:btrfs_root_node+0x10/0x50
[   21.742760] Code: ff 48 8b 3d ca ce ad 01 48 89 de e8 2a e3 db ff 5b 5d f3 c3 66 0f 1f 44 00 00 66 66 66 66 90 55 48 89 e5 53 48 89 fb 48 8b 13 <8b> 42 24 85 c0 74 31 8d 48 01 48 8d 72 24 3e 0f b1 4a 24 0f 94 c1
[   21.747467] RSP: 0018:ffffa0fcc0ffb9f0 EFLAGS: 00010282
[   21.748805] RAX: 0000000000000000 RBX: ffff8e64eb3ce800 RCX: ffff8e64f55d0460
[   21.750627] RDX: 0000000000000000 RSI: ffff8e64eb3ce800 RDI: ffff8e64eb3ce800
[   21.752437] RBP: ffffa0fcc0ffb9f8 R08: 0000000000000000 R09: 0000000000000000
[   21.754245] R10: ffffa0fcc0ffbb58 R11: 0000000000028180 R12: ffff8e64eb3ce800
[   21.756059] R13: ffff8e64eb3ce800 R14: 00000000ffffffff R15: ffffa0fcc0ffbc4f
[   21.757866] FS:  0000000000000000(0000) GS:ffff8e64f7a00000(0000) knlGS:0000000000000000
[   21.759922] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   21.761387] CR2: 0000000000000024 CR3: 0000000230680005 CR4: 00000000000206f0
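The oops above is raw kernel output, and the part a defender needs is buried in it: the faulting address (0x24, below one page, which is why the kernel labels it a NULL pointer dereference rather than a generic paging request: some struct pointer was still NULL when a member at that offset was read), the faulting symbol (btrfs_root_node), the context it ran in (the btrfs-endio-meta workqueue, i.e. metadata read completion) and the confirmed call path (check_leaf, the tree checker, down to btrfs_root_node). The following triage helper is an added example written for this page; it is not part of the report and not kernel or btrfs-progs code. It parses an x86-64 oops of the shape shown here and pulls those fields out. The sample input is a constructed excerpt of the trace quoted in the report, and PAGE_SIZE is assumed to be 4096.

```python
import re

# Constructed sample input: a handful of lines excerpted from the oops quoted
# in the report above (the full trace is not needed to exercise the parser).
SAMPLE_OOPS = """\
[   21.669312] BUG: unable to handle kernel NULL pointer dereference at 0000000000000024
[   21.671328] #PF error: [normal kernel read fault]
[   21.674284] Oops: 0000 [#1] SMP PTI
[   21.679167] Workqueue: btrfs-endio-meta btrfs_endio_meta_helper
[   21.680663] RIP: 0010:btrfs_root_node+0x10/0x50
[   21.702090] Call Trace:
[   21.702744]  btrfs_read_lock_root_node+0x29/0x50
[   21.703916]  btrfs_search_slot+0x529/0x920
[   21.704958]  ? __switch_to_asm+0x34/0x70
[   21.706970]  btrfs_find_root+0x56/0x240
[   21.720368]  check_leaf+0xc0/0xa90
[   21.723413]  btree_readpage_end_io_hook+0x242/0x290
[   21.737813]  ret_from_fork+0x35/0x40
[   21.738747] Modules linked in:
[   21.740400] ---[ end trace 964b8ea29af3cbf8 ]---
"""

PAGE_SIZE = 4096  # assumed x86-64 page size; faults below it are reported as NULL derefs

TIMESTAMP_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")
FAULT_RE = re.compile(
    r"unable to handle kernel (?:NULL pointer dereference|paging request) at ([0-9a-f]+)")
RIP_RE = re.compile(r"RIP: [0-9a-f]{4}:(\S+)\+0x[0-9a-f]+/0x[0-9a-f]+")
WORKQUEUE_RE = re.compile(r"Workqueue: (\S+) (\S+)")
FRAME_RE = re.compile(r"^(\?\s+)?(\S+)\+0x[0-9a-f]+/0x[0-9a-f]+$")


def strip_timestamp(line):
    """Drop the dmesg '[ seconds ]' prefix and surrounding whitespace."""
    return TIMESTAMP_RE.sub("", line).strip()


def parse_oops(text):
    """Extract fault address, faulting symbol, workqueue and call trace from an oops."""
    info = {"fault_addr": None, "rip": None, "workqueue": None, "trace": []}
    in_trace = False
    for raw in text.splitlines():
        line = strip_timestamp(raw)
        if not line:
            continue
        if in_trace:
            m = FRAME_RE.match(line)
            if m:
                # A leading '? ' marks a stale stack value, not a confirmed frame.
                info["trace"].append((m.group(2), m.group(1) is None))
                continue
            in_trace = False  # first non-frame line ends the trace
        m = FAULT_RE.search(line)
        if m:
            info["fault_addr"] = int(m.group(1), 16)
            continue
        m = RIP_RE.search(line)
        if m:
            if info["rip"] is None:  # the oops repeats RIP after 'end trace'; keep the first
                info["rip"] = m.group(1)
            continue
        m = WORKQUEUE_RE.search(line)
        if m:
            info["workqueue"] = (m.group(1), m.group(2))
            continue
        if line.startswith("Call Trace:"):
            in_trace = True
    return info


def classify_fault(info):
    """Label the fault: a tiny address is NULL plus a struct field offset."""
    addr = info["fault_addr"]
    if addr is None:
        return "unknown"
    if addr < PAGE_SIZE:
        return "null-deref (field offset 0x%x)" % addr
    return "invalid-access"


def confirmed_frames(info):
    """Call-trace symbols the unwinder was sure about, innermost first."""
    return [fn for fn, confirmed in info["trace"] if confirmed]


def reached_via(info, symbol):
    """True if the crash path passed through `symbol` (confirmed frames only)."""
    return symbol in confirmed_frames(info)


def summarize(text):
    """One-line triage summary: fault class, symbol, workqueue and innermost frames."""
    info = parse_oops(text)
    wq = info["workqueue"][0] if info["workqueue"] else "no workqueue"
    return "%s in %s (%s), path: %s" % (
        classify_fault(info), info["rip"], wq, " <- ".join(confirmed_frames(info)[:4]))


if __name__ == "__main__":
    print(summarize(SAMPLE_OOPS))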

Note You need to log in before you can comment on or make changes to this bug.