Created attachment 282275
The (compressed) crafted image which causes crash

- Overview

When mounting the attached crafted image, the following errors are reported. Additionally, it hangs on sync after running the program. The image is intentionally fuzzed from a normal btrfs image for testing.

Compile options for BTRFS are as follows.

CONFIG_BTRFS_FS=y
CONFIG_BTRFS_FS_POSIX_ACL=y
CONFIG_BTRFS_FS_CHECK_INTEGRITY=y
# CONFIG_BTRFS_FS_RUN_SANITY_TESTS is not set
CONFIG_BTRFS_DEBUG=y
CONFIG_BTRFS_ASSERT=y
CONFIG_BTRFS_FS_REF_VERIFY=y

- Reproduces

gcc poc_07.c
mkdir test
mount -t btrfs tmp.img test
cp a.out test
cd test
sudo ./a.out
sync

- Kernel messages

[ 19.212932] BTRFS: device fsid a62e00e8-e94e-4200-8217-12444de93c2e devid 1 transid 8 /dev/sdb
[ 34.858314] BTRFS warning (device sdb): suspicious: generation < cache_generation: 8 < 65534
[ 34.858317] BTRFS info (device sdb): disk space caching is enabled
[ 34.858318] BTRFS info (device sdb): has skinny extents
[ 34.858968] BTRFS error (device sdb): bad tree block start, want 20975616 have 39125021783756800
[ 34.860684] BTRFS info (device sdb): read error corrected: ino 0 off 20975616 (dev /dev/sdb sector 40968)
[ 34.860976] BTRFS critical (device sdb): corrupt leaf: root=1 block=29417472 slot=1, unexpected item end, have 16867 expect 3556
[ 34.863131] BTRFS info (device sdb): read error corrected: ino 0 off 29417472 (dev /dev/sdb sector 73840)
[ 34.863722] BTRFS error (device sdb): bad fsid on block 29376512
[ 34.865090] BTRFS info (device sdb): read error corrected: ino 0 off 29376512 (dev /dev/sdb sector 73760)
[ 34.865911] BTRFS critical (device sdb): corrupt leaf: root=5 block=29409280 slot=11 ino=258, name hash mismatch with key, have 0x000000002144f665 expect 0x000000002132f665
[ 34.868475] BTRFS info (device sdb): read error corrected: ino 0 off 29409280 (dev /dev/sdb sector 73824)
[ 56.189265] BTRFS warning (device sdb): suspicious: generation < cache_generation: 8 < 65534
[ 56.191848] BTRFS warning (device sdb): suspicious: generation < cache_generation: 8 < 65534
[ 56.195255] BTRFS warning (device sdb): suspicious: generation < cache_generation: 8 < 65534
[ 56.197929] BTRFS info (device sdb): leaf 29437952 gen 9 total ptrs 39 free space 1273 owner 1
[ 56.197931] BTRFS info (device sdb): refs 3 lock (w:1 r:0 bw:1 br:0 sw:0 sr:0) lock_owner 1923 current 1923
[ 56.197932] 	item 0 key (256 1 0) itemoff 3835 itemsize 160
[ 56.197933] 		inode generation 3 size 16 mode 40755
[ 56.197934] 	item 1 key (256 12 256) itemoff 3823 itemsize 12
[ 56.197935] 	item 2 key (256 24 2377875928) itemoff 3763 itemsize 60
[ 56.197936] 	item 3 key (256 60 0) itemoff 3755 itemsize 8
[ 56.197936] 	item 4 key (256 72 0) itemoff 3747 itemsize 8
[ 56.197937] 	item 5 key (256 84 1302592627) itemoff 3712 itemsize 35
[ 56.197938] 		dir oid 265 type 1
[ 56.197939] 	item 6 key (256 84 2507850652) itemoff 3679 itemsize 33
[ 56.197939] 		dir oid 257 type 2
[ 56.197940] 	item 7 key (256 96 2) itemoff 3646 itemsize 33
[ 56.197941] 	item 8 key (256 96 3) itemoff 3611 itemsize 35
[ 56.197941] 	item 9 key (257 1 0) itemoff 3451 itemsize 160
[ 56.197942] 		inode generation 7 size 6 mode 40755
[ 56.197943] 	item 10 key (257 12 256) itemoff 3438 itemsize 13
[ 56.197944] 	item 11 key (257 60 0) itemoff 3430 itemsize 8
[ 56.197944] 	item 12 key (257 72 0) itemoff 3422 itemsize 8
[ 56.197945] 	item 13 key (257 84 1342799536) itemoff 3389 itemsize 33
[ 56.197946] 		dir oid 258 type 2
[ 56.197947] 	item 14 key (257 96 2) itemoff 3356 itemsize 33
[ 56.197947] 	item 15 key (258 1 0) itemoff 3196 itemsize 160
[ 56.197948] 		inode generation 7 size 54 mode 40755
[ 56.197949] 	item 16 key (258 12 257) itemoff 3183 itemsize 13
[ 56.197949] 	item 17 key (258 60 0) itemoff 3175 itemsize 8
[ 56.197950] 	item 18 key (258 72 0) itemoff 3167 itemsize 8
[ 56.197951] 	item 19 key (258 84 415998952) itemoff 3134 itemsize 33
[ 56.197952] 		dir oid 264 type 7
[ 56.197952] 	item 20 key (258 84 558167653) itemoff 3101 itemsize 33
[ 56.197953] 		dir oid 261 type 1
[ 56.197954] 	item 21 key (258 84 2584030031) itemoff 3065 itemsize 36
[ 56.197954] 		dir oid 262 type 1
[ 56.197955] 	item 22 key (258 84 3122012372) itemoff 3032 itemsize 33
[ 56.197955] 		dir oid 259 type 1
[ 56.197956] 	item 23 key (258 84 3215739802) itemoff 2998 itemsize 34
[ 56.197956] 		dir oid 263 type 5
[ 56.197957] 	item 24 key (258 84 3671074431) itemoff 2965 itemsize 33
[ 56.197958] 		dir oid 259 type 1
[ 56.197958] 	item 25 key (258 84 3972760053) itemoff 2930 itemsize 35
[ 56.197959] 		dir oid 260 type 1
[ 56.197960] 	item 26 key (258 96 2) itemoff 2897 itemsize 33
[ 56.197960] 	item 27 key (258 96 3) itemoff 2862 itemsize 35
[ 56.197961] 	item 28 key (258 96 4) itemoff 2829 itemsize 33
[ 56.197962] 	item 29 key (258 96 5) itemoff 2793 itemsize 36
[ 56.197963] 	item 30 key (258 96 6) itemoff 2759 itemsize 34
[ 56.197963] 	item 31 key (258 96 7) itemoff 2726 itemsize 33
[ 56.197964] 	item 32 key (258 96 8) itemoff 2693 itemsize 33
[ 56.197965] 	item 33 key (259 1 0) itemoff 2533 itemsize 160
[ 56.197965] 		inode generation 7 size 4286 mode 100644
[ 56.197966] 	item 34 key (259 108 0) itemoff 2480 itemsize 53
[ 56.197967] 		extent data disk bytenr 12582912 nr 4096
[ 56.197968] 		extent data offset 0 nr 4096 ram 4096
[ 56.197969] 	item 35 key (259 108 4096) itemoff 2427 itemsize 53
[ 56.197969] 		extent data disk bytenr 0 nr 0
[ 56.197970] 		extent data offset 0 nr 4096 ram 4096
[ 56.197970] 	item 36 key (265 1 0) itemoff 2267 itemsize 160
[ 56.197971] 		inode generation 0 size 0 mode 100755
[ 56.197972] 	item 37 key (265 12 256) itemoff 2252 itemsize 15
[ 56.197973] 	item 38 key (18446744073709551606 128 12582912) itemoff 2248 itemsize 4
[ 56.197974] BTRFS critical (device sdb): unable to update root key 5 132 0
[ 56.199033] ------------[ cut here ]------------
[ 56.199034] kernel BUG at fs/btrfs/root-tree.c:144!
[ 56.199739] invalid opcode: 0000 [#1] SMP PTI
[ 56.200365] CPU: 0 PID: 1923 Comm: a.out Not tainted 5.0.0 #11
[ 56.201179] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 56.202531] RIP: 0010:btrfs_update_root+0x1f6/0x300
[ 56.203228] Code: 21 ff ff ff 48 8b 3b e8 88 f8 ff ff 48 8b 04 24 48 c7 c6 58 b4 83 91 4c 89 e7 0f b6 48 08 4c 8b 40 09 48 8b 10 e8 6d 09 fe ff <0f> 0b 49 8b 47 50 3e 48 0f ba a8 c0 0c 00 00 02 72 15 83 fd fb 74
[ 56.205859] RSP: 0018:ffffb42980d53d18 EFLAGS: 00010296
[ 56.206609] RAX: 0000000000000000 RBX: ffff96cdabc1d000 RCX: 0000000000000000
[ 56.207625] RDX: 0000000000000000 RSI: ffff96cdb7a15418 RDI: ffff96cdb7a15418
[ 56.208636] RBP: 0000000000000001 R08: 0000000000030556 R09: 0000000000000005
[ 56.209644] R10: 0000000000000000 R11: ffffb42980d53b45 R12: ffff96cdabf0a000
[ 56.210684] R13: ffff96cdb6309000 R14: ffff96cdac5bd028 R15: ffff96cdb5b30888
[ 56.211703] FS: 00007f5760e80700(0000) GS:ffff96cdb7a00000(0000) knlGS:0000000000000000
[ 56.212842] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 56.213661] CR2: 00007f576099b4c0 CR3: 0000000235cf6004 CR4: 00000000001606f0
[ 56.214676] Call Trace:
[ 56.215046] commit_fs_roots+0x117/0x180
[ 56.215618] ? btrfs_run_delayed_refs+0x74/0x180
[ 56.216279] btrfs_commit_transaction+0x30c/0x970
[ 56.216957] ? _cond_resched+0x11/0x40
[ 56.217499] ? dput+0x8d/0x100
[ 56.217942] ? btrfs_log_dentry_safe+0x4f/0x60
[ 56.218585] btrfs_sync_file+0x358/0x3a0
[ 56.219154] ? dput+0x80/0x100
[ 56.219599] do_fsync+0x33/0x60
[ 56.220063] __x64_sys_fsync+0xb/0x10
[ 56.220596] do_syscall_64+0x43/0xf0
[ 56.221114] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 56.221837] RIP: 0033:0x7f576099b4d9
[ 56.222356] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 8f 29 2c 00 f7 d8 64 89 01 48
[ 56.224937] RSP: 002b:00007ffe72e1aa08 EFLAGS: 00000217 ORIG_RAX: 000000000000004a
[ 56.226004] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f576099b4d9
[ 56.227017] RDX: 00007f576099b4d9 RSI: 00007ffe72e1ac20 RDI: 0000000000000004
[ 56.228026] RBP: 00007ffe72e1ecb0 R08: 00007ffe72e1ed98 R09: 00007ffe72e1ed98
[ 56.229034] R10: 0000000000000001 R11: 0000000000000217 R12: 00000000004004e0
[ 56.230044] R13: 00007ffe72e1ed90 R14: 0000000000000000 R15: 0000000000000000
[ 56.231064] Modules linked in:
[ 56.231515] ---[ end trace 97a13a19158e9cf2 ]---
[ 56.232203] RIP: 0010:btrfs_update_root+0x1f6/0x300
[ 56.232908] Code: 21 ff ff ff 48 8b 3b e8 88 f8 ff ff 48 8b 04 24 48 c7 c6 58 b4 83 91 4c 89 e7 0f b6 48 08 4c 8b 40 09 48 8b 10 e8 6d 09 fe ff <0f> 0b 49 8b 47 50 3e 48 0f ba a8 c0 0c 00 00 02 72 15 83 fd fb 74
[ 56.235530] RSP: 0018:ffffb42980d53d18 EFLAGS: 00010296
[ 56.236278] RAX: 0000000000000000 RBX: ffff96cdabc1d000 RCX: 0000000000000000
[ 56.237289] RDX: 0000000000000000 RSI: ffff96cdb7a15418 RDI: ffff96cdb7a15418
[ 56.238308] RBP: 0000000000000001 R08: 0000000000030556 R09: 0000000000000005
[ 56.239320] R10: 0000000000000000 R11: ffffb42980d53b45 R12: ffff96cdabf0a000
[ 56.240331] R13: ffff96cdb6309000 R14: ffff96cdac5bd028 R15: ffff96cdb5b30888
[ 56.241344] FS: 00007f5760e80700(0000) GS:ffff96cdb7a00000(0000) knlGS:0000000000000000
[ 56.242493] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 56.243312] CR2: 00007f576099b4c0 CR3: 0000000235cf6004 CR4: 00000000001606f0
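The "corrupt leaf ... unexpected item end, have X expect Y" messages in the log above come from the tree checker's leaf layout rules. As an added illustration (not part of the bug report or of the kernel), the following Python checker parses item lines in the format of the leaf dump printed by the kernel and applies those rules: item 0 must end at the leaf data end, each following item must end where the previous one starts, and keys must be strictly ascending; it also recomputes the dump's "free space" figure. It assumes a 4096-byte nodesize, a 101-byte header and 25-byte item headers, and the corrupted sample is constructed from the report's own item lines.

```python
import re

# Assumed geometry for this image (not stated in the report): 4 KiB nodesize,
# 101-byte btrfs_header, 25-byte btrfs_item (17-byte key + u32 offset + u32 size).
NODESIZE, HEADER_SIZE, ITEM_SIZE = 4096, 101, 25

# Matches the kernel's "item N key (objectid type offset) itemoff X itemsize Y"
# dump lines; whatever precedes "item" (dmesg timestamp, tabs) is ignored.
ITEM_RE = re.compile(r"item (\d+) key \((\d+) (\d+) (\d+)\) itemoff (\d+) itemsize (\d+)")

def parse_leaf_dump(text):
    """Return a list of (slot, key_tuple, itemoff, itemsize) from a leaf dump."""
    items = []
    for m in ITEM_RE.finditer(text):
        slot, oid, typ, off, itemoff, itemsize = (int(g) for g in m.groups())
        items.append((slot, (oid, typ, off), itemoff, itemsize))
    return items

def check_leaf(items, nodesize=NODESIZE):
    """Tree-checker layout rules: item 0 ends at the leaf data end, every later
    item ends where the previous one starts, keys are strictly ascending."""
    problems = []
    expect_end = nodesize - HEADER_SIZE
    for slot, key, itemoff, itemsize in items:
        have_end = itemoff + itemsize
        if have_end != expect_end:
            problems.append(f"slot {slot}: unexpected item end, have {have_end} expect {expect_end}")
        if slot > 0 and not (items[slot - 1][1] < key):
            problems.append(f"slot {slot}: bad key order {key} after {items[slot - 1][1]}")
        expect_end = itemoff  # the next item's data must end where this one starts
    return problems

def leaf_free_space(items, nodesize=NODESIZE):
    """Bytes between the item header array and the item data (the dump's 'free space')."""
    return (items[-1][2] if items else nodesize - HEADER_SIZE) - len(items) * ITEM_SIZE

# First six item lines copied from the leaf dump in the report above.
SAMPLE_LEAF = """\
[   56.197932]  item 0 key (256 1 0) itemoff 3835 itemsize 160
[   56.197934]  item 1 key (256 12 256) itemoff 3823 itemsize 12
[   56.197935]  item 2 key (256 24 2377875928) itemoff 3763 itemsize 60
[   56.197936]  item 3 key (256 60 0) itemoff 3755 itemsize 8
[   56.197936]  item 4 key (256 72 0) itemoff 3747 itemsize 8
[   56.197937]  item 5 key (256 84 1302592627) itemoff 3712 itemsize 35
"""
# Constructed corruption of that leaf: item 1's size is wrong, and item 3's key
# type was lowered so the keys are no longer sorted.
CORRUPT_LEAF = SAMPLE_LEAF.replace("itemsize 12", "itemsize 30").replace("(256 60 0)", "(256 13 0)")
```

Calling `check_leaf(parse_leaf_dump(text))` on a captured dump returns an empty list when the layout rules hold and one message per violated rule otherwise, in the same wording the kernel uses.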
Created attachment 282277
poc_07.c
Created attachment 282303
min_07.c

Please refer to this source code too. It uses far fewer system calls and triggers the same error as poc_07.c. The only difference is that when running this program, the error occurs after sync.
This is already addressed by upstream commit 7ac1e464c4d4 ("btrfs: Don't panic when we can't find a root key").

Thanks,
Qu