Bug 202829 - Kernel BUG at fs/btrfs/extent-tree.c:1857!
Summary: Kernel BUG at fs/btrfs/extent-tree.c:1857!
Status: NEW
Alias: None
Product: File System
Classification: Unclassified
Component: btrfs
Hardware: All
OS: Linux
Importance: P1 normal
Assignee: BTRFS virtual assignee
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-03-08 08:27 UTC by Jungyeon
Modified: 2019-03-08 08:28 UTC

See Also:
Kernel Version: 5.0-rc8
Tree: Mainline
Regression: No


Attachments
The (compressed) crafted image which causes crash (166.87 KB, application/zip)
2019-03-08 08:27 UTC, Jungyeon
min_22.c (579 bytes, text/x-csrc)
2019-03-08 08:28 UTC, Jungyeon

Description Jungyeon 2019-03-08 08:27:48 UTC
Created attachment 281613
The (compressed) crafted image which causes crash

- Overview
After mounting the crafted image, I got this kernel panic while running the attached program.
You need to wait a few seconds after the program finishes to get the error.

- Produces
mkdir test
mount -t btrfs tmp.img test 
gcc min_22.c
cp a.out test
cd test
./a.out

- Kernel messages
[ 73.016526] kernel BUG at fs/btrfs/extent-tree.c:1857!
[ 73.017847] invalid opcode: 0000 [#1] SMP PTI
[ 73.018964] CPU: 0 PID: 1117 Comm: btrfs-transacti Not tainted 5.0.0-rc8+ #9
[ 73.020765] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[ 73.023015] RIP: 0010:insert_inline_extent_backref+0xcc/0xe0
[ 73.024459] Code: 45 20 49 8b 7e 50 49 89 d8 4c 8b 4d 10 48 8b 55 c8 4c 89 e1 41 57 4c 89 ee 50 ff 75 18 e8 cc bf ff ff 31 c0 48 83 c4 18 eb b2 <0f> 0b e8 9d df bd ff 0f 1f 00 66 2e 0f 1f 84 00 00 00 00 00 66 66
[ 73.029168] RSP: 0018:ffffac4dc1287be8 EFLAGS: 00010293
[ 73.030497] RAX: 0000000000000000 RBX: 0000000000000007 RCX: 0000000000000001
[ 73.032306] RDX: 0000000000001000 RSI: 0000000000000000 RDI: 0000000000000000
[ 73.034118] RBP: ffffac4dc1287c28 R08: ffffac4dc1287ab8 R09: ffffac4dc1287ac0
[ 73.035932] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 73.037733] R13: ffff8febef88a540 R14: ffff8febeaa7bc30 R15: 0000000000000000
[ 73.039545] FS: 0000000000000000(0000) GS:ffff8febf7a00000(0000) knlGS:0000000000000000
[ 73.041581] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 73.043038] CR2: 00007f663ace94c0 CR3: 0000000235698006 CR4: 00000000000206f0
[ 73.044851] Call Trace:
[ 73.045496] ? _cond_resched+0x1a/0x50
[ 73.046458] __btrfs_inc_extent_ref.isra.64+0x7e/0x240
[ 73.047776] ? btrfs_merge_delayed_refs+0xa5/0x330
[ 73.048990] __btrfs_run_delayed_refs+0x653/0x1120
[ 73.050207] btrfs_run_delayed_refs+0xdb/0x1b0
[ 73.051352] btrfs_commit_transaction+0x52/0x950
[ 73.052533] ? start_transaction+0x94/0x450
[ 73.053603] transaction_kthread+0x163/0x190
[ 73.054692] kthread+0x105/0x140
[ 73.055536] ? btrfs_cleanup_transaction+0x560/0x560
[ 73.056796] ? kthread_destroy_worker+0x50/0x50
[ 73.057952] ret_from_fork+0x35/0x40
[ 73.058868] Modules linked in:
[ 73.059689] ---[ end trace 2ad8b3de903cf825 ]---
[ 73.060891] RIP: 0010:insert_inline_extent_backref+0xcc/0xe0
[ 73.062341] Code: 45 20 49 8b 7e 50 49 89 d8 4c 8b 4d 10 48 8b 55 c8 4c 89 e1 41 57 4c 89 ee 50 ff 75 18 e8 cc bf ff ff 31 c0 48 83 c4 18 eb b2 <0f> 0b e8 9d df bd ff 0f 1f 00 66 2e 0f 1f 84 00 00 00 00 00 66 66
[ 73.067070] RSP: 0018:ffffac4dc1287be8 EFLAGS: 00010293
[ 73.068434] RAX: 0000000000000000 RBX: 0000000000000007 RCX: 0000000000000001
[ 73.070258] RDX: 0000000000001000 RSI: 0000000000000000 RDI: 0000000000000000
[ 73.072086] RBP: ffffac4dc1287c28 R08: ffffac4dc1287ab8 R09: ffffac4dc1287ac0
[ 73.073900] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 73.075736] R13: ffff8febef88a540 R14: ffff8febeaa7bc30 R15: 0000000000000000
[ 73.077553] FS: 0000000000000000(0000) GS:ffff8febf7a00000(0000) knlGS:0000000000000000
[ 73.079621] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 73.081090] CR2: 00007f663ace94c0 CR3: 0000000235698006 CR4: 00000000000206f0
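The reproduction steps above, wrapped in a script as an added example (this is not the reporter's attachment nor btrfs project code). It adds what a practitioner would want before mounting an untrusted image: a root/VM guard, a scratch copy of the image so the original stays pristine, a `btrfs check --readonly` pass (which may or may not flag the crafted metadata; the report does not say), a loop device instead of mounting the file directly, a bounded wait for the delayed transaction commit the trace shows (the BUG fires in the btrfs-transaction kthread), and a parser that pulls the `file:line` out of the `kernel BUG at` message. `IMAGE`, `SRC`, `MNT`, `WORK` and `RUN_REPRO` are assumed names; the sample log line in the comment is constructed from the dmesg output in the report.

```shell
#!/bin/sh
# Added example, not the reporter's code: run the report's steps against a
# loop-mounted scratch copy of the crafted image and check dmesg afterwards.
# IMAGE, SRC, MNT, WORK and RUN_REPRO are assumed names for this script.
set -eu

IMAGE=${IMAGE:-tmp.img}     # unpacked crafted image from the attachment
SRC=${SRC:-min_22.c}        # the attached program
MNT=${MNT:-test}            # mount point used in the report
WORK=${WORK:-work.img}      # scratch copy: a btrfs mount writes to the image

# Print the first "file:line" named in a "kernel BUG at ...!" message found in
# the given text (one or more dmesg lines); print nothing if there is none.
# Constructed sample line, taken from the report's dmesg:
#   [ 73.016526] kernel BUG at fs/btrfs/extent-tree.c:1857!
bug_location() {
    printf '%s\n' "$1" | sed -n 's/.*kernel BUG at \([^!]*\)!.*/\1/p' | head -n 1
}

# Mount the scratch copy, run the program, then wait for the transaction
# commit. A hit kills the kernel thread, so this belongs in a disposable VM.
reproduce() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "run as root, and only inside a disposable VM" >&2
        return 2
    fi
    cp "$IMAGE" "$WORK"
    btrfs check --readonly "$WORK" || true   # informational; the image is untrusted
    loop=$(losetup --find --show "$WORK")
    mkdir -p "$MNT"
    mount -t btrfs "$loop" "$MNT"
    gcc -o "$MNT/a.out" "$SRC"               # same effect as gcc + cp in the report
    (cd "$MNT" && ./a.out) || true
    # The report says the BUG appears a few seconds after the program exits,
    # when btrfs-transaction commits and runs the delayed refs. Poll dmesg
    # for up to 40 s instead of forcing the commit with sync, so the trace
    # lands in the same kthread as in the report.
    i=0
    loc=
    while [ "$i" -lt 40 ]; do
        loc=$(bug_location "$(dmesg)")
        [ -n "$loc" ] && break
        sleep 1
        i=$((i + 1))
    done
    if [ -n "$loc" ]; then
        echo "reproduced: kernel BUG at $loc"
        return 1
    fi
    echo "no kernel BUG logged within 40 s"
    umount "$MNT"
    losetup -d "$loop"
}

# Only touch the kernel when explicitly asked to.
if [ "${RUN_REPRO:-0}" = 1 ]; then
    reproduce
fi
```

Run it as `RUN_REPRO=1 ./repro.sh` inside a VM with the image unpacked next to it; `bug_location` can also be pointed at a saved serial-console log to confirm that a later kernel still hits the same `fs/btrfs/extent-tree.c` line or has moved on to a different failure.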
Comment 1 Jungyeon 2019-03-08 08:28:05 UTC
Created attachment 281615
min_22.c
