Bug 202827 - unable to handle kernel NULL pointer dereference (kernel panic)
Summary: unable to handle kernel NULL pointer dereference (kernel panic)
Status: RESOLVED CODE_FIX
Alias: None
Product: File System
Classification: Unclassified
Component: btrfs
Hardware: All Linux
Importance: P1 normal
Assignee: BTRFS virtual assignee
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-03-08 06:24 UTC by Jungyeon
Modified: 2022-10-06 21:45 UTC (History)
CC List: 2 users

See Also:
Kernel Version: 5.0-rc8
Subsystem:
Regression: No
Bisected commit-id:


Attachments
poc_07.c (1.43 KB, text/x-csrc)
2019-03-08 06:24 UTC, Jungyeon
The (compressed) crafted image which causes crash (167.58 KB, application/zip)
2019-03-08 06:24 UTC, Jungyeon

Description Jungyeon 2019-03-08 06:24:11 UTC
Created attachment 281609
poc_07.c

- Overview
After mounting the crafted image, I got this kernel panic while running the attached program.

- Produces
mkdir test
mount -t btrfs 07.img test
gcc poc_07.c
cp a.out test
cd test
./a.out

- Kernel messages
[ 86.316386] btrfs bad mapping eb start 29761536 len 4096, wanted 1852 18446744072635812036
[ 86.319717] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
[ 86.321727] #PF error: [INSTR]
[ 86.322514] PGD 800000022b29e067 P4D 800000022b29e067 PUD 2354ff067 PMD 0 
[ 86.324259] Oops: 0010 [#1] SMP PTI
[ 86.325159] CPU: 0 PID: 1113 Comm: a.out Tainted: G W 5.0.0-rc8+ #9
[ 86.327064] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[ 86.329321] RIP: 0010: (null)
[ 86.330286] Code: Bad RIP value.
[ 86.331125] RSP: 0018:ffff9b7ff7a03d88 EFLAGS: 00010046
[ 86.332467] RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000
[ 86.334257] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff9b7febaf8de0
[ 86.336044] RBP: ffff9b7ff7a03dd0 R08: 0000000000000000 R09: 0000000000000000
[ 86.337867] R10: 0000000000000400 R11: 001dcd6500000000 R12: ffff9b7ff7a03de8
[ 86.339675] R13: ffffffffffffffe8 R14: ffffffffaee7e018 R15: 0000000000000000
[ 86.341488] FS: 00007fe048ab6700(0000) GS:ffff9b7ff7a00000(0000) knlGS:0000000000000000
[ 86.343509] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 86.344963] CR2: ffffffffffffffd6 CR3: 000000022e384006 CR4: 00000000000206f0
[ 86.346747] Call Trace:
[ 86.347386] <IRQ>
[ 86.347919] ? __wake_up_common+0x8c/0x130
[ 86.348976] __wake_up_common_lock+0x80/0xc0
[ 86.350064] __wake_up+0x13/0x20
[ 86.350896] wake_up_klogd_work_func+0x40/0x60
[ 86.352023] irq_work_run_list+0x55/0x80
[ 86.353048] ? tick_sched_do_timer+0x60/0x60
[ 86.354144] irq_work_tick+0x40/0x50
[ 86.355071] update_process_times+0x42/0x60
[ 86.356158] tick_sched_handle+0x29/0x60
[ 86.357171] tick_sched_timer+0x3c/0x80
[ 86.358161] __hrtimer_run_queues+0x106/0x270
[ 86.359290] hrtimer_interrupt+0x116/0x240
[ 86.360358] smp_apic_timer_interrupt+0x6f/0x150
[ 86.361545] apic_timer_interrupt+0xf/0x20
[ 86.362598] </IRQ>
[ 86.363160] RIP: 0010:__memset+0x24/0x30
[ 86.364182] Code: 90 90 90 90 90 90 66 66 90 66 90 49 89 f9 48 89 d1 83 e2 07 48 c1 e9 03 40 0f b6 f6 48 b8 01 01 01 01 01 01 01 01 48 0f af c6 <f3> 48 ab 89 d1 f3 aa 4c 89 c8 c3 90 49 89 f9 40 88 f0 48 89 d1 f3
[ 86.368848] RSP: 0018:ffffa785c10efb98 EFLAGS: 00010206 ORIG_RAX: ffffffffffffff13
[ 86.370745] RAX: 0000000000000000 RBX: ffffffffc00008c4 RCX: 1ffffffff7f01377
[ 86.372543] RDX: 0000000000000004 RSI: 0000000000000000 RDI: ffff9b7fec1ea860
[ 86.374328] RBP: ffffa785c10efbb0 R08: 0000000000000001 R09: ffff9b7feb9f3b58
[ 86.376123] R10: 0000000000000000 R11: ffffa785c10ef9ed R12: ffff9b7feb9f3b58
[ 86.377909] R13: 0000000000000000 R14: 0000000004c00000 R15: 0000000000001000
[ 86.379704] ? read_extent_buffer+0x137/0x140
[ 86.380821] __btrfs_lookup_bio_sums+0x449/0x690
[ 86.381994] btrfs_lookup_bio_sums+0x16/0x20
[ 86.383078] btrfs_submit_bio_hook+0xc3/0x180
[ 86.384194] submit_one_bio+0x5d/0x80
[ 86.385129] extent_read_full_page+0x56/0x70
[ 86.386215] btrfs_readpage+0x25/0x30
[ 86.387149] generic_file_read_iter+0x615/0xc70
[ 86.388312] ? __page_cache_alloc+0x20/0x20
[ 86.389374] __vfs_read+0x11f/0x1a0
[ 86.390265] vfs_read+0x95/0x140
[ 86.391093] ksys_read+0x55/0xc0
[ 86.391923] __x64_sys_read+0x1a/0x20
[ 86.392870] do_syscall_64+0x5a/0x110
[ 86.393815] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 86.395094] RIP: 0033:0x7fe0485d14d9
[ 86.396009] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 8f 29 2c 00 f7 d8 64 89 01 48
[ 86.400692] RSP: 002b:00007fff0313ad98 EFLAGS: 00000203 ORIG_RAX: 0000000000000000
[ 86.402593] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe0485d14d9
[ 86.404390] RDX: 00000000000009e4 RSI: 00007fff0313af20 RDI: 0000000000000003
[ 86.406179] RBP: 00007fff0313ef30 R08: 00007fff0313f018 R09: 00007fff0313f018
[ 86.407968] R10: 00007fe0488aaab0 R11: 0000000000000203 R12: 00000000004004e0
[ 86.409773] R13: 00007fff0313f010 R14: 0000000000000000 R15: 0000000000000000
[ 86.411569] Modules linked in:
[ 86.412365] CR2: 0000000000000000
[ 86.413220] ---[ end trace 2d53181631a5c86c ]---
[ 86.414392] RIP: 0010: (null)
[ 86.415351] Code: Bad RIP value.
[ 86.416185] RSP: 0018:ffff9b7ff7a03d88 EFLAGS: 00010046
[ 86.417504] RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000
[ 86.419289] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff9b7febaf8de0
[ 86.421089] RBP: ffff9b7ff7a03dd0 R08: 0000000000000000 R09: 0000000000000000
[ 86.422886] R10: 0000000000000400 R11: 001dcd6500000000 R12: ffff9b7ff7a03de8
[ 86.424685] R13: ffffffffffffffe8 R14: ffffffffaee7e018 R15: 0000000000000000
[ 86.426479] FS: 00007fe048ab6700(0000) GS:ffff9b7ff7a00000(0000) knlGS:0000000000000000
[ 86.428514] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 86.429963] CR2: ffffffffffffffd6 CR3: 000000022e384006 CR4: 00000000000206f0
[ 86.431758] Kernel panic - not syncing: Fatal exception in interrupt
[ 86.445655] Kernel Offset: 0x2c600000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 86.448376] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---
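Added example, written by the editor and not part of the bug report: a small Python parser that pulls the triage-relevant facts out of a dmesg excerpt like the one above (the btrfs "bad mapping" error that precedes the oops, the faulting address, the offending process, and the call-trace frames between "Call Trace:" and "Modules linked in:"), so that the same pattern can be spotted in logs from other machines. The sample input is excerpted from the kernel messages in this report; the names given to the two numbers after "wanted" (offset and length into the extent buffer) are the editor's reading of the message and are labelled as an assumption in the code.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: lines excerpted from the kernel messages in the report
# above, timestamps kept as dmesg prints them.
SAMPLE_DMESG = """\
[ 86.316386] btrfs bad mapping eb start 29761536 len 4096, wanted 1852 18446744072635812036
[ 86.319717] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
[ 86.321727] #PF error: [INSTR]
[ 86.325159] CPU: 0 PID: 1113 Comm: a.out Tainted: G W 5.0.0-rc8+ #9
[ 86.346747] Call Trace:
[ 86.347386] <IRQ>
[ 86.347919] ? __wake_up_common+0x8c/0x130
[ 86.362598] </IRQ>
[ 86.363160] RIP: 0010:__memset+0x24/0x30
[ 86.379704] ? read_extent_buffer+0x137/0x140
[ 86.380821] __btrfs_lookup_bio_sums+0x449/0x690
[ 86.381994] btrfs_lookup_bio_sums+0x16/0x20
[ 86.392870] do_syscall_64+0x5a/0x110
[ 86.411569] Modules linked in:
[ 86.431758] Kernel panic - not syncing: Fatal exception in interrupt
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s*")
# Assumption: the two "wanted" numbers are the requested offset and length
# within the extent buffer, which is how the message reads.
BAD_MAPPING_RE = re.compile(
    r"btrfs bad mapping eb start (\d+) len (\d+), wanted (\d+) (\d+)")
NULL_DEREF_RE = re.compile(
    r"BUG: unable to handle kernel NULL pointer dereference at ([0-9a-f]+)")
COMM_RE = re.compile(r"PID: (\d+) Comm: (\S+)")
# A stack frame: optional "? " marks a frame the unwinder could not verify.
FRAME_RE = re.compile(
    r"^(?P<unreliable>\?\s+)?(?P<fn>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")
# The interrupted context's RIP line inside the trace, when it is symbolised.
RIP_RE = re.compile(
    r"^RIP: [0-9a-f]{4}:(?P<fn>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")


def analyze_oops(text: str) -> Dict:
    """Extract the facts a responder needs from a kernel oops in dmesg text."""
    report: Dict = {
        "bad_mapping": None, "fault_addr": None, "pid": None, "comm": None,
        "frames": [], "btrfs_frames": [], "panic": False,
    }
    in_trace = False
    for raw in text.splitlines():
        line = TS_RE.sub("", raw).strip()
        if not line:
            continue
        m = BAD_MAPPING_RE.search(line)
        if m:
            report["bad_mapping"] = {
                "eb_start": int(m.group(1)), "len": int(m.group(2)),
                "wanted_offset": int(m.group(3)), "wanted_len": int(m.group(4)),
            }
            continue
        m = NULL_DEREF_RE.search(line)
        if m:
            report["fault_addr"] = m.group(1)
            continue
        m = COMM_RE.search(line)
        if m:
            report["pid"], report["comm"] = int(m.group(1)), m.group(2)
        if line.startswith("Kernel panic"):
            report["panic"] = True
        if line == "Call Trace:":
            in_trace = True
            continue
        if line.startswith("Modules linked in:"):
            in_trace = False
            continue
        if in_trace:
            m = FRAME_RE.match(line) or RIP_RE.match(line)
            if m:
                fn = m.group("fn")
                reliable = m.groupdict().get("unreliable") is None
                report["frames"].append({"fn": fn, "reliable": reliable})
                # Crude filter: frames whose name carries the subsystem prefix.
                # Generic helpers such as read_extent_buffer are not caught.
                if "btrfs" in fn:
                    report["btrfs_frames"].append(fn)
    return report


def summarize(report: Dict) -> str:
    """One-paragraph triage summary suitable for a ticket or alert body."""
    parts: List[str] = []
    bm: Optional[Dict] = report["bad_mapping"]
    if bm:
        parts.append(
            f"btrfs rejected a mapping on extent buffer at {bm['eb_start']} "
            f"(len {bm['len']}): wanted offset {bm['wanted_offset']} "
            f"len {bm['wanted_len']} is out of range")
    if report["fault_addr"] is not None:
        parts.append(f"NULL pointer dereference at {report['fault_addr']} "
                     f"in pid {report['pid']} ({report['comm']})")
    if report["btrfs_frames"]:
        parts.append("btrfs frames in trace: " + ", ".join(report["btrfs_frames"]))
    if report["panic"]:
        parts.append("kernel panicked (fatal exception in interrupt)")
    return "; ".join(parts) if parts else "no btrfs oops indicators found"


if __name__ == "__main__":
    print(summarize(analyze_oops(SAMPLE_DMESG)))
```

The script reads the same text that `dmesg` or `journalctl -k` produces, so it can be pointed at logs collected after a crash. The "bad mapping" error is the better detection signal of the two: it is emitted by btrfs's own range check before the crash, names the extent buffer involved, and does not require the machine to survive long enough to write out a full oops.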
Comment 1 Jungyeon 2019-03-08 06:24:36 UTC
Created attachment 281611
The (compressed) crafted image which causes crash
Comment 2 Qu Wenruo 2019-07-10 02:50:45 UTC
It looks like it also gets fixed by 448de471cd4c ("btrfs: Check the first key and level for cached extent buffer") upstream fix too.
