Bug 203255 - kernel BUG at fs/btrfs/delayed-ref.c:486! and hangs on sync
Summary: kernel BUG at fs/btrfs/delayed-ref.c:486! and hangs on sync
Status: NEW
Alias: None
Product: File System
Classification: Unclassified
Component: btrfs
Hardware: All Linux
Importance: P1 normal
Assignee: BTRFS virtual assignee
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-04-10 18:47 UTC by Jungyeon
Modified: 2019-07-16 07:05 UTC
CC List: 1 user

See Also:
Kernel Version: 5.0.0
Tree: Mainline
Regression: No


Attachments
The (compressed) crafted image which causes crash (135.16 KB, application/zip)
2019-04-10 18:47 UTC, Jungyeon
poc_03.c (3.51 KB, text/x-csrc)
2019-04-10 18:48 UTC, Jungyeon
min_03.c (1.40 KB, text/x-csrc)
2019-04-10 19:27 UTC, Jungyeon

Description Jungyeon 2019-04-10 18:47:56 UTC
Created attachment 282285
The (compressed) crafted image which causes crash

- Overview
When mounting the attached crafted image, the following errors are reported.
Additionally, it hangs on sync after running the program.

The image is intentionally fuzzed from a normal btrfs image for testing.
Compile options for BTRFS are as follows.
CONFIG_BTRFS_FS=y
CONFIG_BTRFS_FS_POSIX_ACL=y
CONFIG_BTRFS_FS_CHECK_INTEGRITY=y
# CONFIG_BTRFS_FS_RUN_SANITY_TESTS is not set
CONFIG_BTRFS_DEBUG=y
CONFIG_BTRFS_ASSERT=y
CONFIG_BTRFS_FS_REF_VERIFY=y

- Steps to reproduce
gcc poc_03.c
mkdir test
mount -t btrfs tmp.img test
cp a.out test
cd test
sudo ./a.out
sync

- Kernel messages
[   19.214738] BTRFS: device fsid a62e00e8-e94e-4200-8217-12444de93c2e devid 1 transid 8 /dev/sdb
[   43.869952] BTRFS info (device sdb): disk space caching is enabled
[   43.869953] BTRFS info (device sdb): has skinny extents
[   43.870786] BTRFS critical (device sdb): corrupt leaf: root=1 block=29417472 slot=6, bad key order, prev (6 12 6) current (6 0 0)
[   43.873089] BTRFS info (device sdb): read error corrected: ino 0 off 29417472 (dev /dev/sdb sector 73840)
[   43.874093] BTRFS info (device sdb): bdev /dev/sdb errs: wr 0, rd 0, flush 14680064, corrupt 0, gen 0
[   43.874715] BTRFS critical (device sdb): corrupt leaf: root=5 block=29409280 slot=2 ino=256, xattr dir type found for non-XATTR key
[   43.876981] BTRFS info (device sdb): read error corrected: ino 0 off 29409280 (dev /dev/sdb sector 73824)
[   43.914916] ------------[ cut here ]------------
[   43.914918] kernel BUG at fs/btrfs/delayed-ref.c:486!
[   43.915693] invalid opcode: 0000 [#1] SMP PTI
[   43.916340] CPU: 0 PID: 1929 Comm: a.out Not tainted 5.0.0 #11
[   43.917191] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[   43.918590] RIP: 0010:update_existing_head_ref+0x18e/0x1c0
[   43.919391] Code: 40 12 01 48 8b 75 78 80 7e 13 00 0f 84 15 ff ff ff 48 8b 43 78 e9 f8 fe ff ff 89 d0 e9 2f ff ff ff 48 89 73 78 e9 0d ff ff ff <0f> 0b 48 8b 4b 08 49 29 8f 68 01 00 00 89 c6 4c 89 f7 89 54 24 0c
[   43.922094] RSP: 0018:ffffaee980d0b6d0 EFLAGS: 00010202
[   43.922863] RAX: 0000000000000003 RBX: ffff9e2e760a95a0 RCX: ffffaee980d0b850
[   43.923901] RDX: ffff9e2e760a95a0 RSI: ffff9e2e760a9280 RDI: ffff9e2e6f39e1a0
[   43.924941] RBP: ffff9e2e760a9280 R08: ffffaee980d0b7dc R09: ffffaee980d0b850
[   43.925992] R10: ffff9e2e7085a400 R11: 0000000000000000 R12: ffff9e2e6f39e1a0
[   43.927038] R13: ffff9e2e7669e000 R14: ffff9e2e7669e000 R15: ffff9e2e7531da00
[   43.928078] FS:  00007f7312c33700(0000) GS:ffff9e2e77a00000(0000) knlGS:0000000000000000
[   43.929260] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   43.930106] CR2: 00007f731274e4c0 CR3: 0000000235e48004 CR4: 00000000001606f0
[   43.931150] Call Trace:
[   43.931531]  add_delayed_ref_head+0x1ad/0x230
[   43.932172]  btrfs_add_delayed_tree_ref+0x1c1/0x340
[   43.932889]  btrfs_free_tree_block+0xca/0x2a0
[   43.933547]  __btrfs_cow_block+0x43c/0x520
[   43.934160]  btrfs_cow_block+0xe4/0x1e0
[   43.934728]  btrfs_search_slot+0x517/0xa10
[   43.935332]  ? btrfs_search_slot+0x99b/0xa10
[   43.935964]  btrfs_insert_empty_items+0x62/0xb0
[   43.936633]  alloc_reserved_file_extent+0x97/0x300
[   43.937342]  __btrfs_run_delayed_refs+0x896/0x10a0
[   43.938056]  ? mutex_lock+0x9/0x30
[   43.938563]  ? space_info_add_old_bytes+0x20/0x1f0
[   43.939269]  btrfs_run_delayed_refs+0xcb/0x180
[   43.939924]  btrfs_commit_transaction+0x4b/0x970
[   43.940608]  ? btrfs_log_new_name+0x9a/0x163
[   43.941239]  btrfs_rename2+0xfdf/0x1cb0
[   43.941814]  ? vfs_rename+0x630/0x810
[   43.942359]  vfs_rename+0x630/0x810
[   43.942881]  ? security_d_instantiate+0x10/0x40
[   43.943548]  do_renameat2+0x4c9/0x550
[   43.944091]  __x64_sys_rename+0x17/0x20
[   43.944660]  do_syscall_64+0x43/0xf0
[   43.945192]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   43.945943] RIP: 0033:0x7f731274e4d9
[   43.946474] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 8f 29 2c 00 f7 d8 64 89 01 48
[   43.949174] RSP: 002b:00007ffcac10d558 EFLAGS: 00000207 ORIG_RAX: 0000000000000052
[   43.950280] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f731274e4d9
[   43.951320] RDX: 00007f731274e4d9 RSI: 00007ffcac10d600 RDI: 00007ffcac10d5e0
[   43.952361] RBP: 00007ffcac111720 R08: 00007ffcac111808 R09: 00007ffcac111808
[   43.953415] R10: 00007ffcac111808 R11: 0000000000000207 R12: 00000000004004e0
[   43.954457] R13: 00007ffcac111800 R14: 0000000000000000 R15: 0000000000000000
[   43.955494] Modules linked in:
[   43.955961] ---[ end trace 9a0a7982efda3a73 ]---
[   43.956645] RIP: 0010:update_existing_head_ref+0x18e/0x1c0
[   43.957458] Code: 40 12 01 48 8b 75 78 80 7e 13 00 0f 84 15 ff ff ff 48 8b 43 78 e9 f8 fe ff ff 89 d0 e9 2f ff ff ff 48 89 73 78 e9 0d ff ff ff <0f> 0b 48 8b 4b 08 49 29 8f 68 01 00 00 89 c6 4c 89 f7 89 54 24 0c
[   43.960165] RSP: 0018:ffffaee980d0b6d0 EFLAGS: 00010202
[   43.960939] RAX: 0000000000000003 RBX: ffff9e2e760a95a0 RCX: ffffaee980d0b850
[   43.961993] RDX: ffff9e2e760a95a0 RSI: ffff9e2e760a9280 RDI: ffff9e2e6f39e1a0
[   43.963045] RBP: ffff9e2e760a9280 R08: ffffaee980d0b7dc R09: ffffaee980d0b850
[   43.964095] R10: ffff9e2e7085a400 R11: 0000000000000000 R12: ffff9e2e6f39e1a0
[   43.965141] R13: ffff9e2e7669e000 R14: ffff9e2e7669e000 R15: ffff9e2e7531da00
[   43.966202] FS:  00007f7312c33700(0000) GS:ffff9e2e77a00000(0000) knlGS:0000000000000000
[   43.967388] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   43.968241] CR2: 00007f731274e4c0 CR3: 0000000235e48004 CR4: 00000000001606f0
[   43.970111] a.out (1929) used greatest stack depth: 12232 bytes left
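The kernel messages above show the pattern a defender would want to catch in the logs: two "corrupt leaf" criticals from the btrfs tree checker (bad key order, and an xattr dir type on a non-XATTR key) immediately before a kernel BUG in the delayed-ref code. The following scanner is an added example written for this page, not code from the bug report or from the btrfs project. It parses dmesg-style lines in the format quoted above, extracts the root/block/slot of each corrupt-leaf report and the location of any kernel BUG, and flags the case where a BUG follows a corruption report within a short window. The sample log is constructed from a subset of the lines quoted in this report; the regular expressions and the 60-second window are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the kernel messages quoted in this bug report.
SAMPLE_DMESG = """\
[   43.869952] BTRFS info (device sdb): disk space caching is enabled
[   43.870786] BTRFS critical (device sdb): corrupt leaf: root=1 block=29417472 slot=6, bad key order, prev (6 12 6) current (6 0 0)
[   43.873089] BTRFS info (device sdb): read error corrected: ino 0 off 29417472 (dev /dev/sdb sector 73840)
[   43.874715] BTRFS critical (device sdb): corrupt leaf: root=5 block=29409280 slot=2 ino=256, xattr dir type found for non-XATTR key
[   43.914918] kernel BUG at fs/btrfs/delayed-ref.c:486!
[   43.916340] CPU: 0 PID: 1929 Comm: a.out Not tainted 5.0.0 #11
"""


@dataclass
class Finding:
    timestamp: float          # seconds since boot, from the dmesg prefix
    kind: str                 # "corrupt_leaf" or "kernel_bug"
    device: Optional[str]     # block device named in the btrfs message
    root: Optional[int]       # tree root id of the corrupt leaf
    block: Optional[int]      # logical bytenr of the corrupt leaf
    slot: Optional[int]       # item slot the tree checker rejected
    detail: str               # checker reason, or BUG location


# "[   43.870786] message" -> timestamp and the rest of the line
TS_RE = re.compile(r"^\[\s*(?P<ts>\d+\.\d+)\]\s*(?P<msg>.*)$")

# Tree-checker rejection as printed by btrfs; the "ino=" field is optional.
LEAF_RE = re.compile(
    r"BTRFS critical \(device (?P<dev>\S+)\): corrupt leaf: "
    r"root=(?P<root>\d+) block=(?P<block>\d+) slot=(?P<slot>\d+)"
    r"(?: ino=\d+)?, (?P<detail>.*)$"
)

# Generic kernel BUG marker with its source location.
BUG_RE = re.compile(r"kernel BUG at (?P<loc>\S+)!")


def parse_line(line: str) -> Optional[Finding]:
    """Return a Finding for a corrupt-leaf or kernel-BUG line, else None."""
    m = TS_RE.match(line.strip())
    if not m:
        return None
    ts = float(m.group("ts"))
    msg = m.group("msg")
    leaf = LEAF_RE.search(msg)
    if leaf:
        return Finding(ts, "corrupt_leaf", leaf.group("dev"),
                       int(leaf.group("root")), int(leaf.group("block")),
                       int(leaf.group("slot")), leaf.group("detail"))
    bug = BUG_RE.search(msg)
    if bug:
        return Finding(ts, "kernel_bug", None, None, None, None, bug.group("loc"))
    return None


def scan(text: str) -> List[Finding]:
    """Scan a block of dmesg output and collect all findings in order."""
    return [f for f in (parse_line(l) for l in text.splitlines()) if f]


def corruption_before_bug(findings: List[Finding], window_s: float = 60.0) -> bool:
    """True if a kernel BUG follows a corrupt-leaf report within window_s seconds.

    That ordering is the signature of this report: the tree checker rejected
    on-disk metadata, and the kernel then hit a BUG instead of failing cleanly.
    """
    leaves = [f for f in findings if f.kind == "corrupt_leaf"]
    bugs = [f for f in findings if f.kind == "kernel_bug"]
    return any(0 <= b.timestamp - l.timestamp <= window_s
               for l in leaves for b in bugs)


if __name__ == "__main__":
    found = scan(SAMPLE_DMESG)
    for f in found:
        print(f)
    print("corruption followed by BUG:", corruption_before_bug(found))
```

Running the block against the constructed sample yields two corrupt-leaf findings (root 1 block 29417472 slot 6, and root 5 block 29409280 slot 2) followed by the BUG at fs/btrfs/delayed-ref.c:486, so the correlation check returns True. In practice the same scan can be run over `dmesg` or journal output on hosts that mount removable or untrusted btrfs images; a corrupt-leaf critical on its own is already worth alerting on, since it means the tree checker rejected metadata it was asked to read.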
Comment 1 Jungyeon 2019-04-10 18:48:11 UTC
Created attachment 282287
poc_03.c
Comment 2 Jungyeon 2019-04-10 19:27:33 UTC
Created attachment 282301
min_03.c

Please refer to this source too.
It uses a much smaller set of system calls, which causes the same error as poc_03.c.
The only difference is that when running this program, the error occurs after sync.
Comment 3 Qu Wenruo 2019-07-16 07:05:34 UTC
I have to comment on this image.

There are 3 different factors contributing to this bug.

Great job to find such a tricky one!
And thank goodness, this bug only affects MIXED_GROUP, which is already a niche feature.

I have no doubt your newer reports will be more and more tricky to pin down.

Thanks,
Qu
