Created attachment 281591
The (compressed) crafted image which causes crash

- Overview

After mounting the crafted image, I got this kernel BUG message while running the attached program.

- Produces

mkdir test
mount -t btrfs 02.img test
gcc 02.c
cp a.out test
cd test
./a.out

- Kernel messages

[  150.859918] kernel BUG at fs/btrfs/extent-tree.c:7109!
[  150.861232] invalid opcode: 0000 [#1] SMP PTI
[  150.862364] CPU: 0 PID: 1187 Comm: btrfs-transacti Not tainted 5.0.0-rc8+ #9
[  150.864128] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[  150.866376] RIP: 0010:__btrfs_free_extent.isra.72+0x81a/0xbe0
[  150.867819] Code: 40 44 89 e1 41 b8 02 00 00 00 e9 57 fd ff ff 0f 0b 48 8b 55 a0 49 8b 3f 49 8d 77 40 e8 cf 90 ff ff 3b 45 18 0f 84 1e fd ff ff <0f> 0b 48 8b 5d 80 31 d2 45 31 c0 4c 89 ee 48 89 df e8 10 4d 03 00
[  150.872458] RSP: 0018:ffff9bacc125bc10 EFLAGS: 00010206
[  150.873781] RAX: 0000000000f50001 RBX: 0000000001100000 RCX: 0000000000000000
[  150.875557] RDX: 0000000000001000 RSI: 0000000000000edb RDI: 0000000000000000
[  150.877338] RBP: ffff9bacc125bcc0 R08: ffff9bacc125bb78 R09: ffff9bacc125bb80
[  150.879110] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000006
[  150.880883] R13: 0000000000000eaa R14: 0000000000000000 R15: ffff900ceb346070
[  150.882665] FS:  0000000000000000(0000) GS:ffff900cf7a00000(0000) knlGS:0000000000000000
[  150.884673] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  150.886129] CR2: 000000000203e808 CR3: 000000022ec4a002 CR4: 00000000000206f0
[  150.887901] Call Trace:
[  150.888538]  __btrfs_run_delayed_refs+0x539/0x1120
[  150.889754]  ? __switch_to_asm+0x34/0x70
[  150.890745]  ? __switch_to_asm+0x40/0x70
[  150.891735]  ? __switch_to_asm+0x34/0x70
[  150.892726]  ? __switch_to_asm+0x40/0x70
[  150.893724]  ? __switch_to_asm+0x34/0x70
[  150.894716]  ? __switch_to_asm+0x40/0x70
[  150.895708]  btrfs_run_delayed_refs+0xdb/0x1b0
[  150.896828]  btrfs_commit_transaction+0x52/0x950
[  150.898000]  ? start_transaction+0x94/0x450
[  150.899056]  transaction_kthread+0x163/0x190
[  150.900130]  kthread+0x105/0x140
[  150.900953]  ? btrfs_cleanup_transaction+0x560/0x560
[  150.902202]  ? kthread_destroy_worker+0x50/0x50
[  150.903336]  ret_from_fork+0x35/0x40
[  150.904237] Modules linked in:
[  150.905035] ---[ end trace 2f4303137971399c ]---
[  150.906223] RIP: 0010:__btrfs_free_extent.isra.72+0x81a/0xbe0
[  150.907667] Code: 40 44 89 e1 41 b8 02 00 00 00 e9 57 fd ff ff 0f 0b 48 8b 55 a0 49 8b 3f 49 8d 77 40 e8 cf 90 ff ff 3b 45 18 0f 84 1e fd ff ff <0f> 0b 48 8b 5d 80 31 d2 45 31 c0 4c 89 ee 48 89 df e8 10 4d 03 00
[  150.912317] RSP: 0018:ffff9bacc125bc10 EFLAGS: 00010206
[  150.913648] RAX: 0000000000f50001 RBX: 0000000001100000 RCX: 0000000000000000
[  150.915422] RDX: 0000000000001000 RSI: 0000000000000edb RDI: 0000000000000000
[  150.917208] RBP: ffff9bacc125bcc0 R08: ffff9bacc125bb78 R09: ffff9bacc125bb80
[  150.918997] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000006
[  150.920785] R13: 0000000000000eaa R14: 0000000000000000 R15: ffff900ceb346070
[  150.922579] FS:  0000000000000000(0000) GS:ffff900cf7a00000(0000) knlGS:0000000000000000
[  150.924607] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  150.926066] CR2: 000000000203e808 CR3: 000000022ec4a002 CR4: 00000000000206f0
Created attachment 281599
02.c

Need to wait a few seconds after the program finishes to get the error.