Bug 202839 - Kernel page fault at RIP: 0010:__etree_search.constprop.58+0xc/0x90
Summary: Kernel page fault at RIP: 0010:__etree_search.constprop.58+0xc/0x90
Status: RESOLVED CODE_FIX
Alias: None
Product: File System
Classification: Unclassified
Component: btrfs
Hardware: All Linux
Importance: P1 normal
Assignee: BTRFS virtual assignee
Reported: 2019-03-08 11:20 UTC by Jungyeon
Modified: 2019-07-09 01:07 UTC
Kernel Version: 5.0-rc8
Tree: Mainline
Regression: No


Attachments
The (compressed) crafted image which causes crash (168.84 KB, application/zip)
2019-03-08 11:21 UTC, Jungyeon
poc_03.c (5.30 KB, text/x-csrc)
2019-03-08 11:21 UTC, Jungyeon

Description Jungyeon 2019-03-08 11:20:48 UTC
- Overview
After mounting the crafted image, I got this kernel page fault while running the attached program.

- Reproduction
mkdir test
mount -t btrfs tmp.img test
gcc poc_03.c
cp a.out test
cd test
./a.out

- Kernel messages (I used /dev/sdb as a way to get tmp.img)
[  216.608813] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 0
[  216.610907] BTRFS error (device sdb): partial page read in btrfs with offset 0 and length 0
[  216.612975] BTRFS error (device sdb): partial page read in btrfs with offset 0 and length 0
[  216.615164] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 0
[  216.617217] BTRFS: end < start 4095 4096
[  216.618272] BTRFS error (device sdb): partial page read in btrfs with offset 0 and length 0
[  216.620996] BTRFS: end < start 8191 8192
[  216.622042] BTRFS error (device sdb): partial page read in btrfs with offset 0 and length 0
[  216.624709] BTRFS: end < start 12287 12288
[  216.625799] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.628540] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.630675] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.632848] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.635040] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.637135] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.639319] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.641428] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.643624] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.645729] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.647936] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.650049] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.652249] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.654363] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.656545] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.658660] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.660841] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.663049] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.665141] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.667330] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.669431] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.671630] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.673736] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.675948] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.678042] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.680304] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.682426] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.684618] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.686724] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.688907] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.691116] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.693219] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.695652] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.698169] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.700683] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.702957] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.705064] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.707290] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.709461] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.711690] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.713778] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.715982] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.718080] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.720276] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.722386] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.724592] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.726711] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.728902] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.731118] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.733223] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.735433] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.737543] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.739752] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.741871] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.744083] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.746182] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.748389] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.750519] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.752721] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.754938] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.757045] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.759250] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.761368] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.763580] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.765694] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.767899] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.770003] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.772212] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.774337] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.776536] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.778659] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.780854] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.783073] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.785181] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.787398] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.789510] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.791713] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.793822] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.796031] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.798142] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.800357] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.802487] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.804685] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.806910] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.809032] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.811298] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.813421] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.815649] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.817758] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.819964] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.822082] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.824290] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.826406] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.828600] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.830726] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.832925] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.835135] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.837254] BTRFS critical (device sdb): unable to find logical 9223372036934467584 length 4096
[  216.839802] BTRFS error (device sdb): partial page read in btrfs with offset 0 and length 0
[  216.846126] BTRFS error (device sdb): partial page read in btrfs with offset 0 and length 0
[  216.848257] BTRFS error (device sdb): partial page read in btrfs with offset 0 and length 0
[  216.850369] BTRFS error (device sdb): partial page read in btrfs with offset 0 and length 0
[  216.852581] BTRFS error (device sdb): partial page read in btrfs with offset 0 and length 0
[  243.830934] BUG: unable to handle kernel paging request at fffffffffffffff1
[  243.832702] #PF error: [normal kernel read fault]
[  243.833888] PGD 1f6e2a067 P4D 1f6e2a067 PUD 1f6e2c067 PMD 0 
[  243.835391] Oops: 0000 [#1] SMP PTI
[  243.836278] CPU: 0 PID: 1169 Comm: btrfs-transacti Tainted: G        W         5.0.0-rc8+ #9
[  243.838370] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[  243.840604] RIP: 0010:__etree_search.constprop.58+0xc/0x90
[  243.841986] Code: 66 66 90 48 8b 47 10 55 48 89 e5 48 d1 e8 83 e0 01 5d c3 90 66 2e 0f 1f 84 00 00 00 00 00 66 66 66 66 90 45 31 d2 31 c0 eb 1b <49> 39 71 f0 4d 8d 51 f0 49 8d 79 10 77 0a 49 3b 71 f8 76 5e 49 8d
[  243.846634] RSP: 0018:ffffa95d8128f820 EFLAGS: 00010202
[  243.847954] RAX: ffff98862fb88010 RBX: 0000000001c0c000 RCX: ffffa95d8128f870
[  243.849736] RDX: ffffa95d8128f880 RSI: 0000000001c0c000 RDI: ffff98862fb88020
[  243.851534] RBP: ffffa95d8128f8b8 R08: ffffa95d8128f878 R09: 0000000000000001
[  243.853324] R10: ffff98862fb88000 R11: 0000000000000001 R12: 0000000000001000
[  243.855121] R13: ffff98862ff87038 R14: ffff98862bee0000 R15: ffff98862fb88000
[  243.856910] FS:  0000000000000000(0000) GS:ffff988637a00000(0000) knlGS:0000000000000000
[  243.858938] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  243.860380] CR2: fffffffffffffff1 CR3: 000000022b34a002 CR4: 00000000000206f0
[  243.862169] Call Trace:
[  243.862816]  ? __set_extent_bit+0xca/0x590
[  243.863863]  ? _cond_resched+0x1a/0x50
[  243.864820]  set_extent_bit+0x1c/0x20
[  243.865756]  btrfs_alloc_tree_block+0x384/0x5f0
[  243.866910]  alloc_tree_block_no_bg_flush+0x46/0x60
[  243.868145]  __btrfs_cow_block+0x11d/0x580
[  243.869188]  btrfs_cow_block+0xf8/0x1f0
[  243.870166]  btrfs_search_slot+0x447/0x920
[  243.871218]  lookup_inline_extent_backref+0xf8/0x5c0
[  243.872477]  ? _cond_resched+0x1a/0x50
[  243.873441]  __btrfs_free_extent.isra.72+0xf6/0xbe0
[  243.874748]  ? __switch_to_asm+0x40/0x70
[  243.875743]  ? __switch_to_asm+0x34/0x70
[  243.876739]  __btrfs_run_delayed_refs+0x539/0x1120
[  243.877947]  ? __switch_to_asm+0x34/0x70
[  243.878959]  ? __switch_to_asm+0x40/0x70
[  243.879958]  ? __switch_to_asm+0x34/0x70
[  243.880958]  ? __switch_to_asm+0x40/0x70
[  243.881956]  ? __switch_to_asm+0x34/0x70
[  243.882962]  ? __switch_to_asm+0x40/0x70
[  243.883964]  btrfs_run_delayed_refs+0xdb/0x1b0
[  243.885091]  btrfs_commit_transaction+0x52/0x950
[  243.886261]  ? start_transaction+0x94/0x450
[  243.887333]  transaction_kthread+0x163/0x190
[  243.888416]  kthread+0x105/0x140
[  243.889243]  ? btrfs_cleanup_transaction+0x560/0x560
[  243.890509]  ? kthread_destroy_worker+0x50/0x50
[  243.891658]  ret_from_fork+0x35/0x40
[  243.892572] Modules linked in:
[  243.893357] CR2: fffffffffffffff1
[  243.894206] ---[ end trace bc98d5b95ce85890 ]---
[  243.896289] RIP: 0010:__etree_search.constprop.58+0xc/0x90
[  243.897687] Code: 66 66 90 48 8b 47 10 55 48 89 e5 48 d1 e8 83 e0 01 5d c3 90 66 2e 0f 1f 84 00 00 00 00 00 66 66 66 66 90 45 31 d2 31 c0 eb 1b <49> 39 71 f0 4d 8d 51 f0 49 8d 79 10 77 0a 49 3b 71 f8 76 5e 49 8d
[  243.902352] RSP: 0018:ffffa95d8128f820 EFLAGS: 00010202
[  243.903688] RAX: ffff98862fb88010 RBX: 0000000001c0c000 RCX: ffffa95d8128f870
[  243.905487] RDX: ffffa95d8128f880 RSI: 0000000001c0c000 RDI: ffff98862fb88020
[  243.907296] RBP: ffffa95d8128f8b8 R08: ffffa95d8128f878 R09: 0000000000000001
[  243.909099] R10: ffff98862fb88000 R11: 0000000000000001 R12: 0000000000001000
[  243.910905] R13: ffff98862ff87038 R14: ffff98862bee0000 R15: ffff98862fb88000
[  243.912697] FS:  0000000000000000(0000) GS:ffff988637a00000(0000) knlGS:0000000000000000
[  243.914732] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  243.916184] CR2: fffffffffffffff1 CR3: 000000022b34a002 CR4: 00000000000206f0
Comment 1 Jungyeon 2019-03-08 11:21:08 UTC
Created attachment 281631
The (compressed) crafted image which causes crash
Comment 2 Jungyeon 2019-03-08 11:21:27 UTC
Created attachment 281633
poc_03.c