Created attachment 281605 [details]
min_06.c

- Overview

After mounting a crafted image, I got this kernel panic while running the attached program. You need to wait a few seconds after the program finishes to get the error.

- Produces

mkdir test
mount -t btrfs 06.img test
gcc min_06.c
cp a.out test
cd test
./a.out

- Kernel messages

[ 68.936604] kernel BUG at fs/btrfs/ctree.c:3192!
[ 68.937845] invalid opcode: 0000 [#1] SMP PTI
[ 68.938962] CPU: 0 PID: 1097 Comm: btrfs-transacti Not tainted 5.0.0-rc8+ #9
[ 68.940757] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[ 68.943004] RIP: 0010:btrfs_set_item_key_safe+0x16a/0x180
[ 68.944377] Code: 8b 45 b7 48 8d 7d bf 4c 89 fe 48 89 45 c8 0f b6 45 b6 88 45 c7 48 8b 45 ae 48 89 45 bf e8 ce f2 ff ff 85 c0 0f 8f 48 ff ff ff <0f> 0b 0f 0b e8 dd 8d be ff 0f 1f 00 66 2e 0f 1f 84 00 00 00 00 00
[ 68.949119] RSP: 0018:ffffaac141203ab8 EFLAGS: 00010246
[ 68.950436] RAX: 0000000000000000 RBX: ffff9aac6fb83e00 RCX: 0000000001100000
[ 68.952361] RDX: 0000000000000000 RSI: ffffaac141203bae RDI: ffffaac141203acf
[ 68.954133] RBP: ffffaac141203b10 R08: 0000000000001000 R09: ffffaac1412039a8
[ 68.955905] R10: 0000000000000000 R11: 0000000000000000 R12: ffffaac141203abe
[ 68.957740] R13: 0000000000000001 R14: ffff9aac756a37a8 R15: ffffaac141203bae
[ 68.959620] FS: 0000000000000000(0000) GS:ffff9aac77a00000(0000) knlGS:0000000000000000
[ 68.961651] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 68.963092] CR2: 00007f9d43ac8624 CR3: 00000001cfe26003 CR4: 00000000000206f0
[ 68.964995] Call Trace:
[ 68.965731]  truncate_one_csum+0xac/0xf0
[ 68.966726]  btrfs_del_csums+0x24f/0x3a0
[ 68.967716]  __btrfs_free_extent.isra.72+0x5a7/0xbe0
[ 68.968968]  __btrfs_run_delayed_refs+0x539/0x1120
[ 68.970169]  ? __switch_to_asm+0x34/0x70
[ 68.971155]  ? __switch_to_asm+0x40/0x70
[ 68.972332]  ? __switch_to_asm+0x34/0x70
[ 68.973390]  ? __switch_to_asm+0x40/0x70
[ 68.974388]  ? __switch_to_asm+0x34/0x70
[ 68.975380]  ? __switch_to_asm+0x40/0x70
[ 68.976386]  btrfs_run_delayed_refs+0xdb/0x1b0
[ 68.977504]  btrfs_commit_transaction+0x52/0x950
[ 68.978663]  ? start_transaction+0x94/0x450
[ 68.979747]  transaction_kthread+0x163/0x190
[ 68.981023]  kthread+0x105/0x140
[ 68.981853]  ? btrfs_cleanup_transaction+0x560/0x560
[ 68.983097]  ? kthread_destroy_worker+0x50/0x50
[ 68.984250]  ret_from_fork+0x35/0x40
[ 68.985154] Modules linked in:
[ 68.985957] ---[ end trace 80e0dd11ada44930 ]---
[ 68.987186] RIP: 0010:btrfs_set_item_key_safe+0x16a/0x180
[ 68.988749] Code: 8b 45 b7 48 8d 7d bf 4c 89 fe 48 89 45 c8 0f b6 45 b6 88 45 c7 48 8b 45 ae 48 89 45 bf e8 ce f2 ff ff 85 c0 0f 8f 48 ff ff ff <0f> 0b 0f 0b e8 dd 8d be ff 0f 1f 00 66 2e 0f 1f 84 00 00 00 00 00
[ 68.993432] RSP: 0018:ffffaac141203ab8 EFLAGS: 00010246
[ 68.994870] RAX: 0000000000000000 RBX: ffff9aac6fb83e00 RCX: 0000000001100000
[ 68.996788] RDX: 0000000000000000 RSI: ffffaac141203bae RDI: ffffaac141203acf
[ 68.998586] RBP: ffffaac141203b10 R08: 0000000000001000 R09: ffffaac1412039a8
[ 69.000390] R10: 0000000000000000 R11: 0000000000000000 R12: ffffaac141203abe
[ 69.002178] R13: 0000000000000001 R14: ffff9aac756a37a8 R15: ffffaac141203bae
[ 69.004184] FS: 0000000000000000(0000) GS:ffff9aac77a00000(0000) knlGS:0000000000000000
[ 69.006259] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 69.007720] CR2: 00007f9d43ac8624 CR3: 00000001cfe26003 CR4: 00000000000206f0
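The kernel messages above, read the way a triager reads them, as an added example that is not part of this report and not any kernel or btrfs tool: a small Python parser (all names assumed) that pulls the BUG site, oops type and count, kernel version, taint state, faulting symbol and call trace out of dmesg text, and separates the frames the unwinder printed with a leading "?" (stale stack slots it could not verify) from reliable ones. The embedded text is an excerpt of the report's own dmesg with the register dump and repeated frames trimmed; the version comparison against v5.2 is only a hint, since distro kernels backport fixes without changing the version string.

```python
"""Triage helper for a Linux kernel BUG/oops report (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Excerpt of the kernel messages from the report above (registers trimmed).
OOPS_TEXT = """\
[ 68.936604] kernel BUG at fs/btrfs/ctree.c:3192!
[ 68.937845] invalid opcode: 0000 [#1] SMP PTI
[ 68.938962] CPU: 0 PID: 1097 Comm: btrfs-transacti Not tainted 5.0.0-rc8+ #9
[ 68.940757] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[ 68.943004] RIP: 0010:btrfs_set_item_key_safe+0x16a/0x180
[ 68.949119] RSP: 0018:ffffaac141203ab8 EFLAGS: 00010246
[ 68.964995] Call Trace:
[ 68.965731]  truncate_one_csum+0xac/0xf0
[ 68.966726]  btrfs_del_csums+0x24f/0x3a0
[ 68.967716]  __btrfs_free_extent.isra.72+0x5a7/0xbe0
[ 68.968968]  __btrfs_run_delayed_refs+0x539/0x1120
[ 68.970169]  ? __switch_to_asm+0x34/0x70
[ 68.976386]  btrfs_run_delayed_refs+0xdb/0x1b0
[ 68.977504]  btrfs_commit_transaction+0x52/0x950
[ 68.978663]  ? start_transaction+0x94/0x450
[ 68.979747]  transaction_kthread+0x163/0x190
[ 68.981023]  kthread+0x105/0x140
[ 68.984250]  ret_from_fork+0x35/0x40
[ 68.985154] Modules linked in:
[ 68.985957] ---[ end trace 80e0dd11ada44930 ]---
"""

TIMESTAMP = re.compile(r"^\[\s*\d+\.\d+\]\s?")          # "[ 68.936604] " prefix
BUG_AT = re.compile(r"kernel BUG at (\S+)!")             # BUG_ON() site, file:line
OOPS_HDR = re.compile(r"^(.+?): [0-9a-f]{4} \[#(\d+)\]")  # "invalid opcode: 0000 [#1]"
CPU_LINE = re.compile(r"^CPU: \d+ PID: (\d+) Comm: (\S+) (Not tainted|Tainted: \S+) (\S+)")
RIP_LINE = re.compile(r"^RIP: \d{4}:(\S+)")              # faulting symbol+off/size
FRAME = re.compile(r"^\s*(\?\s+)?(\S+)$")                # optional '?' = unverified


@dataclass
class Oops:
    bug_site: Optional[str] = None   # "kernel BUG at" + "invalid opcode" is the
    kind: Optional[str] = None       # signature of a BUG_ON() hitting ud2, not
    number: Optional[int] = None     # a bad memory access
    pid: Optional[int] = None
    comm: Optional[str] = None
    tainted: Optional[bool] = None
    kernel: Optional[str] = None
    rip: Optional[str] = None
    trace: List[Tuple[str, bool]] = field(default_factory=list)  # (symbol, reliable)


def parse_oops(text: str) -> Oops:
    """Extract the triage fields from raw dmesg text (first oops only)."""
    o = Oops()
    in_trace = False
    for raw in text.splitlines():
        line = TIMESTAMP.sub("", raw).rstrip()
        if in_trace:
            if line.startswith("Modules linked in") or line.startswith("---["):
                in_trace = False
                continue
            m = FRAME.match(line)
            if m:
                # '?' frames are addresses found on the stack that the unwinder
                # could not tie to the real call chain; read them last.
                o.trace.append((m.group(2), m.group(1) is None))
            continue
        if (m := BUG_AT.search(line)):
            o.bug_site = m.group(1)
        elif o.kind is None and (m := OOPS_HDR.match(line)):
            o.kind, o.number = m.group(1), int(m.group(2))
        elif (m := CPU_LINE.match(line)):
            o.pid, o.comm = int(m.group(1)), m.group(2)
            o.tainted = not m.group(3).startswith("Not")
            o.kernel = m.group(4)
        elif o.rip is None and (m := RIP_LINE.match(line)):
            o.rip = m.group(1)
        elif line.startswith("Call Trace:"):
            in_trace = True
    return o


def reliable_frames(o: Oops) -> List[str]:
    """Frames the unwinder was sure of: the call chain to read first."""
    return [sym for sym, ok in o.trace if ok]


def base_symbol(sym: str) -> str:
    """'btrfs_set_item_key_safe+0x16a/0x180' -> 'btrfs_set_item_key_safe'."""
    return sym.split("+", 1)[0]


def predates_fix(kernel: str, fix: Tuple[int, int] = (5, 2)) -> bool:
    """True if a mainline version string is older than the release carrying
    the fix (v5.2 for this report). Hint only: backports keep old numbers."""
    m = re.match(r"(\d+)\.(\d+)", kernel)
    return bool(m) and (int(m.group(1)), int(m.group(2))) < fix


if __name__ == "__main__":
    o = parse_oops(OOPS_TEXT)
    print(f"{o.kind} #{o.number} in {o.comm} (pid {o.pid}), kernel {o.kernel},"
          f" tainted={o.tainted}")
    print(f"BUG at {o.bug_site}, RIP in {base_symbol(o.rip)}")
    print("reliable chain:", " <- ".join(base_symbol(s) for s in reliable_frames(o)))
    print("predates v5.2 fix:", predates_fix(o.kernel))
```

The reliable chain this yields (btrfs_set_item_key_safe called from truncate_one_csum, btrfs_del_csums, the delayed-ref run and the transaction commit, all in the btrfs-transaction kthread) is what tells a triager the assertion fired during a later commit rather than in the user's process, which matches the reporter's note that the panic arrives a few seconds after the program exits.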
Created attachment 281607 [details]
The (compressed) crafted image which causes the crash
It looks like the current kernel can already detect it and reject further damage. Upstream commit 448de471cd4c ("btrfs: Check the first key and level for cached extent buffer") in v5.2-rc1 fixed the pitfall of a cached tree block bypassing the first key check.