Created attachment 281507 [details] The (compressed) crafted image which causes crash - Overview After mounting crafted image, I got this NULL pointer dereference while running attached program. - Produces mkdir test mount -t btrfs 22.img test gcc 22.c cp a.out test cd test ./a.out (and just wait a few second to get errors) - Kernel messages [ 81.231074] BUG: unable to handle kernel NULL pointer dereference at 0000000000000098 [ 81.233956] #PF error: [normal kernel read fault] [ 81.235685] PGD 80000002355cd067 P4D 80000002355cd067 PUD 2355cc067 PMD 0 [ 81.237940] Oops: 0000 [#1] SMP PTI [ 81.238835] CPU: 0 PID: 1134 Comm: btrfs-transacti Not tainted 5.0.0-rc8+ #9 [ 81.240607] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 [ 81.242862] RIP: 0010:__btrfs_cow_block+0x21f/0x580 [ 81.244095] Code: 89 e2 48 89 de 4c 89 ef e8 be fa ff ff 85 c0 0f 85 61 02 00 00 48 8b 43 20 a8 02 0f 85 23 01 00 00 4c 3b 23 0f 84 a8 01 00 00 <49> 8b 86 98 00 00 00 48 2b 05 9b f2 1d 01 48 8b 15 a4 f2 1d 01 48 [ 81.248776] RSP: 0018:ffffaaa4c122f9e8 EFLAGS: 00010202 [ 81.250117] RAX: 0000000000000104 RBX: ffff8d2f6b7eb800 RCX: ffff8d2f70724a00 [ 81.251909] RDX: ffff8d2d40000000 RSI: ffff8d2f6b347118 RDI: ffff8d2f75700000 [ 81.253712] RBP: ffffaaa4c122fa60 R08: ffffaaa4c122fa18 R09: ffff8d2f6b322920 [ 81.255508] R10: ffffaaa4c122f9e8 R11: ffff8d2f70724a00 R12: ffff8d2f6b347118 [ 81.257303] R13: ffff8d2f6ae2b4e0 R14: 0000000000000000 R15: ffff8d2f6b347690 [ 81.259111] FS: 0000000000000000(0000) GS:ffff8d2f77a00000(0000) knlGS:0000000000000000 [ 81.261141] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 81.265238] CR2: 0000000000000098 CR3: 000000022e380002 CR4: 00000000000206f0 [ 81.268691] Call Trace: [ 81.269927] btrfs_cow_block+0xf8/0x1f0 [ 81.271773] btrfs_search_slot+0x447/0x920 [ 81.273752] btrfs_del_csums+0xc3/0x3a0 [ 81.275594] __btrfs_free_extent.isra.72+0x5a7/0xbe0 [ 81.277941] __btrfs_run_delayed_refs+0x539/0x1120 [ 81.280044] btrfs_run_delayed_refs+0xdb/0x1b0 [ 81.281924] btrfs_commit_transaction+0x52/0x950 [ 81.283445] ? start_transaction+0x94/0x450 [ 81.284826] transaction_kthread+0x163/0x190 [ 81.286246] kthread+0x105/0x140 [ 81.287316] ? btrfs_cleanup_transaction+0x560/0x560 [ 81.288944] ? kthread_destroy_worker+0x50/0x50 [ 81.290233] ret_from_fork+0x35/0x40 [ 81.291397] Modules linked in: [ 81.292407] CR2: 0000000000000098 [ 81.293505] ---[ end trace c9ebaababb72398a ]--- [ 81.295035] RIP: 0010:__btrfs_cow_block+0x21f/0x580 [ 81.296631] Code: 89 e2 48 89 de 4c 89 ef e8 be fa ff ff 85 c0 0f 85 61 02 00 00 48 8b 43 20 a8 02 0f 85 23 01 00 00 4c 3b 23 0f 84 a8 01 00 00 <49> 8b 86 98 00 00 00 48 2b 05 9b f2 1d 01 48 8b 15 a4 f2 1d 01 48 [ 81.302344] RSP: 0018:ffffaaa4c122f9e8 EFLAGS: 00010202 [ 81.304052] RAX: 0000000000000104 RBX: ffff8d2f6b7eb800 RCX: ffff8d2f70724a00 [ 81.306391] RDX: ffff8d2d40000000 RSI: ffff8d2f6b347118 RDI: ffff8d2f75700000 [ 81.308527] RBP: ffffaaa4c122fa60 R08: ffffaaa4c122fa18 R09: ffff8d2f6b322920 [ 81.310849] R10: ffffaaa4c122f9e8 R11: ffff8d2f70724a00 R12: ffff8d2f6b347118 [ 81.313156] R13: ffff8d2f6ae2b4e0 R14: 0000000000000000 R15: ffff8d2f6b347690 [ 81.315390] FS: 0000000000000000(0000) GS:ffff8d2f77a00000(0000) knlGS:0000000000000000 [ 81.317914] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 81.319781] CR2: 0000000000000098 CR3: 000000022e380002 CR4: 00000000000206f0
Created attachment 281509 [details] 22.c
Created attachment 281559 [details] Minimized test code Attaching minimized version of program with the same result. (Plz use this)
Thanks for the report. Fixed by 448de471cd4cab0ced "btrfs: Check the first key and level for cached extent buffer", now in 5.2-rc.