Created attachment 282289 [details]
The (compressed) crafted image which causes crash

- Overview
When mounting the attached crafted image, the following errors are reported.
The image is intentionally fuzzed from a normal btrfs image for testing.
Compile options for BTRFS are as follows.

CONFIG_BTRFS_FS=y
CONFIG_BTRFS_FS_POSIX_ACL=y
CONFIG_BTRFS_FS_CHECK_INTEGRITY=y
# CONFIG_BTRFS_FS_RUN_SANITY_TESTS is not set
CONFIG_BTRFS_DEBUG=y
CONFIG_BTRFS_ASSERT=y
CONFIG_BTRFS_FS_REF_VERIFY=y

- Reproduces
gcc poc_04.c
mkdir test
mount -t btrfs tmp.img test
cp a.out test
cd test
sudo ./a.out

- Kernel messages
[   19.238071] BTRFS: device fsid a62e00e8-e94e-4200-8217-12444de93c2e devid 1 transid 8 /dev/sdb
[   42.280746] BTRFS info (device sdb): disk space caching is enabled
[   42.280748] BTRFS info (device sdb): has skinny extents
[   42.281425] BTRFS critical (device sdb): corrupt node: root=3 block=20975616 slot=0, unaligned pointer, have 420906798905 should be aligned to 4096
[   42.283765] BTRFS info (device sdb): read error corrected: ino 0 off 20975616 (dev /dev/sdb sector 40968)
[   42.284340] WARNING: CPU: 0 PID: 1893 at fs/btrfs/disk-io.c:427 btree_read_extent_buffer_pages+0x1c1/0x230
[   42.284340] Modules linked in:
[   42.284343] CPU: 0 PID: 1893 Comm: mount Not tainted 5.0.0 #11
[   42.284344] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[   42.284369] RIP: 0010:btree_read_extent_buffer_pages+0x1c1/0x230
[   42.284370] Code: 83 c4 58 5b 5d 41 5c 41 5d 41 5e 41 5f c3 48 8d 74 24 3f b9 11 00 00 00 ba 65 00 00 00 48 89 ef e8 04 f0 02 00 e9 72 ff ff ff <0f> 0b 8b 4c 24 1c 48 8b 55 00 48 c7 c6 10 b7 43 a6 48 8b 3c 24 e8
[   42.284371] RSP: 0018:ffffadb880d039d0 EFLAGS: 00010206
[   42.284372] RAX: ffffa0e93035a000 RBX: 0000000000000000 RCX: 0000000000000000
[   42.284373] RDX: 000000023035a000 RSI: ffffa0e92b6f9b00 RDI: ffffa0e700000000
[   42.284373] RBP: ffffa0e92b475000 R08: 0000000000000000 R09: 0000000000000001
[   42.284374] R10: ffffadb880c8bd88 R11: 0000000000000009 R12: 0000000000000000
[   42.284375] R13: 0000000000000000 R14: ffffa0e92b475010 R15: ffffa0e92f3f0048
[   42.284376] FS:  00007f2463e89840(0000) GS:ffffa0e937a00000(0000) knlGS:0000000000000000
[   42.284379] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   42.284380] CR2: 00007f7f7e80c008 CR3: 0000000236666003 CR4: 00000000001606f0
[   42.284380] Call Trace:
[   42.284397]  ? alloc_extent_buffer+0x3fa/0x430
[   42.284399]  read_tree_block+0x38/0x60
[   42.284402]  btrfs_read_tree_root+0xd5/0x120
[   42.284404]  open_ctree+0x1522/0x2264
[   42.284409]  btrfs_mount_root+0x5ad/0x680
[   42.284412]  ? pcpu_alloc_area+0xc3/0x130
[   42.284414]  ? pcpu_next_unpop+0x32/0x40
[   42.284418]  ? mount_fs+0x4a/0x170
[   42.284419]  ? btrfs_decode_error+0x20/0x20
[   42.284421]  mount_fs+0x4a/0x170
[   42.284424]  vfs_kern_mount+0x5d/0x100
[   42.284426]  btrfs_mount+0x16e/0x8c8
[   42.284428]  ? pcpu_alloc_area+0xc3/0x130
[   42.284428]  ? pcpu_next_unpop+0x32/0x40
[   42.284430]  ? mount_fs+0x4a/0x170
[   42.284432]  mount_fs+0x4a/0x170
[   42.284433]  vfs_kern_mount+0x5d/0x100
[   42.284435]  do_mount+0x200/0xcf0
[   42.284438]  ? memdup_user+0x39/0x60
[   42.284439]  ksys_mount+0x79/0xc0
[   42.284441]  __x64_sys_mount+0x1c/0x20
[   42.284443]  do_syscall_64+0x43/0xf0
[   42.284447]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   42.284449] RIP: 0033:0x7f2463768b9a
[   42.284451] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48
[   42.284451] RSP: 002b:00007ffe878c5f78 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[   42.284453] RAX: ffffffffffffffda RBX: 00000000013ea050 RCX: 00007f2463768b9a
[   42.284453] RDX: 00000000013ea230 RSI: 00000000013eaf20 RDI: 00000000013ea250
[   42.284454] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000014
[   42.284455] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 00000000013ea250
[   42.284455] R13: 00000000013ea230 R14: 0000000000000000 R15: 0000000000000003
[   42.284457] ---[ end trace 4095898c7f3e8608 ]---
[   42.284459] BTRFS error (device sdb): tree level mismatch detected, bytenr=29421568 level expected=255 has=0
[   42.286482] WARNING: CPU: 0 PID: 1893 at fs/btrfs/disk-io.c:427 btree_read_extent_buffer_pages+0x1c1/0x230
[   42.286482] Modules linked in:
[   42.286484] CPU: 0 PID: 1893 Comm: mount Tainted: G        W         5.0.0 #11
[   42.286485] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[   42.286486] RIP: 0010:btree_read_extent_buffer_pages+0x1c1/0x230
[   42.286487] Code: 83 c4 58 5b 5d 41 5c 41 5d 41 5e 41 5f c3 48 8d 74 24 3f b9 11 00 00 00 ba 65 00 00 00 48 89 ef e8 04 f0 02 00 e9 72 ff ff ff <0f> 0b 8b 4c 24 1c 48 8b 55 00 48 c7 c6 10 b7 43 a6 48 8b 3c 24 e8
[   42.286488] RSP: 0018:ffffadb880d039d0 EFLAGS: 00010206
[   42.286489] RAX: ffffa0e93035a000 RBX: 0000000000000002 RCX: 0000000000000000
[   42.286490] RDX: 000000023035a000 RSI: ffffa0e92b6f9b00 RDI: ffffa0e700000000
[   42.286490] RBP: ffffa0e92b475000 R08: 0000000000000000 R09: 0000000000000001
[   42.286491] R10: ffffadb880ca3d90 R11: 000000000000023b R12: 0000000000000001
[   42.286492] R13: 0000000000000000 R14: ffffa0e92b475010 R15: ffffa0e92f3f0048
[   42.286493] FS:  00007f2463e89840(0000) GS:ffffa0e937a00000(0000) knlGS:0000000000000000
[   42.286495] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   42.286496] CR2: 00007f7f7e811000 CR3: 0000000236666003 CR4: 00000000001606f0
[   42.286496] Call Trace:
[   42.286500]  ? alloc_extent_buffer+0x3fa/0x430
[   42.286501]  read_tree_block+0x38/0x60
[   42.286503]  btrfs_read_tree_root+0xd5/0x120
[   42.286505]  open_ctree+0x1522/0x2264
[   42.286507]  btrfs_mount_root+0x5ad/0x680
[   42.286509]  ? pcpu_alloc_area+0xc3/0x130
[   42.286510]  ? pcpu_next_unpop+0x32/0x40
[   42.286512]  ? mount_fs+0x4a/0x170
[   42.286514]  ? btrfs_decode_error+0x20/0x20
[   42.286515]  mount_fs+0x4a/0x170
[   42.286517]  vfs_kern_mount+0x5d/0x100
[   42.286519]  btrfs_mount+0x16e/0x8c8
[   42.286520]  ? pcpu_alloc_area+0xc3/0x130
[   42.286521]  ? pcpu_next_unpop+0x32/0x40
[   42.286523]  ? mount_fs+0x4a/0x170
[   42.286524]  mount_fs+0x4a/0x170
[   42.286526]  vfs_kern_mount+0x5d/0x100
[   42.286554]  do_mount+0x200/0xcf0
[   42.286556]  ? memdup_user+0x39/0x60
[   42.286558]  ksys_mount+0x79/0xc0
[   42.286559]  __x64_sys_mount+0x1c/0x20
[   42.286561]  do_syscall_64+0x43/0xf0
[   42.286563]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   42.286564] RIP: 0033:0x7f2463768b9a
[   42.286565] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48
[   42.286566] RSP: 002b:00007ffe878c5f78 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[   42.286567] RAX: ffffffffffffffda RBX: 00000000013ea050 RCX: 00007f2463768b9a
[   42.286568] RDX: 00000000013ea230 RSI: 00000000013eaf20 RDI: 00000000013ea250
[   42.286569] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000014
[   42.286569] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 00000000013ea250
[   42.286570] R13: 00000000013ea230 R14: 0000000000000000 R15: 0000000000000003
[   42.286571] ---[ end trace 4095898c7f3e8609 ]---
[   42.286573] BTRFS error (device sdb): tree level mismatch detected, bytenr=29421568 level expected=255 has=0
[   42.288594] BTRFS warning (device sdb): failed to read root (objectid=2): -117
[   42.288778] BTRFS error (device sdb): open_ctree failed
[   42.292850] mount (1893) used greatest stack depth: 12992 bytes left
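The two messages in the log, "corrupt node ... unaligned pointer, have 420906798905 should be aligned to 4096" and "tree level mismatch detected, bytenr=29421568 level expected=255 has=0", come from two separate sanity checks that run when a tree block is read: every child pointer in an internal node must start on a sector boundary, and the level stored in the block header must equal the level the reader was told to expect. The following is a simplified model of those two checks, added here as an illustration; it is not the kernel's fs/btrfs code. The struct layout, function names and return codes are hypothetical, and the only real inputs are the numbers printed in the report above.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Hypothetical model of the two checks behind the log messages above.
 * Not the kernel's implementation: layout, names and codes are invented
 * for this example; the numeric values come from the bug report.
 */

#define MAX_PTRS        4
#define BTRFS_MAX_LEVEL 8       /* real btrfs constant: a level is 0..7 */

/* One key pointer of an internal node. The child block it points to
 * must start on a sector boundary. */
struct key_ptr {
    uint64_t objectid;
    uint8_t  type;
    uint64_t offset;
    uint64_t blockptr;          /* byte offset of the child tree block */
    uint64_t generation;
};

/* Hypothetical in-memory view of a tree block header and its pointers. */
struct node {
    uint64_t bytenr;            /* where this block lives on disk */
    uint8_t  level;             /* level stored in the block header */
    uint32_t nritems;
    struct key_ptr ptrs[MAX_PTRS];
};

enum check_result {
    CHECK_OK = 0,
    CHECK_UNALIGNED_PTR = 1,    /* "corrupt node ... unaligned pointer" */
    CHECK_LEVEL_MISMATCH = 2,   /* "tree level mismatch detected" */
    CHECK_BAD_LEVEL = 3,        /* header level outside 0..BTRFS_MAX_LEVEL-1 */
    CHECK_BAD_ARGS = 4
};

static int is_pow2(uint32_t v) { return v != 0 && (v & (v - 1)) == 0; }

/* Every child pointer must be a multiple of the sector size. On failure
 * the slot and the offending pointer are handed back so the caller can
 * log them the way the kernel message does. */
enum check_result check_node_ptrs(const struct node *n, uint32_t sectorsize,
                                  uint32_t *bad_slot, uint64_t *bad_ptr)
{
    if (!n || !is_pow2(sectorsize) || n->nritems > MAX_PTRS)
        return CHECK_BAD_ARGS;
    for (uint32_t i = 0; i < n->nritems; i++) {
        uint64_t p = n->ptrs[i].blockptr;
        if (p & (sectorsize - 1)) {
            if (bad_slot) *bad_slot = i;
            if (bad_ptr)  *bad_ptr = p;
            return CHECK_UNALIGNED_PTR;
        }
    }
    return CHECK_OK;
}

/* The level the reader expects (taken from the parent pointer or the root
 * item) must equal the level stored in the block that was just read. */
enum check_result check_level(const struct node *n, uint8_t expected_level)
{
    if (!n)
        return CHECK_BAD_ARGS;
    if (n->level >= BTRFS_MAX_LEVEL)
        return CHECK_BAD_LEVEL;
    if (n->level != expected_level)
        return CHECK_LEVEL_MISMATCH;
    return CHECK_OK;
}

/* Replay the two values from the report; returns how many of the two
 * constructed blocks are rejected (both should be). */
int replay_report(void)
{
    /* Constructed from the log: block 20975616, slot 0 carries pointer
     * 420906798905, which is not a multiple of 4096 (remainder 3897). */
    struct node corrupt = { .bytenr = 20975616, .level = 1, .nritems = 1 };
    corrupt.ptrs[0].blockptr = 420906798905ULL;

    /* Constructed from the log: block 29421568 stores level 0 while the
     * reader expected 255, which is not even a valid level. */
    struct node mismatched = { .bytenr = 29421568, .level = 0, .nritems = 0 };

    int rejected = 0;
    uint32_t slot = 0;
    uint64_t ptr = 0;
    if (check_node_ptrs(&corrupt, 4096, &slot, &ptr) == CHECK_UNALIGNED_PTR) {
        printf("corrupt node: block=%llu slot=%u, unaligned pointer, have %llu should be aligned to %u\n",
               (unsigned long long)corrupt.bytenr, slot, (unsigned long long)ptr, 4096u);
        rejected++;
    }
    if (check_level(&mismatched, 255) == CHECK_LEVEL_MISMATCH) {
        printf("tree level mismatch detected, bytenr=%llu level expected=%u has=%u\n",
               (unsigned long long)mismatched.bytenr, 255u, mismatched.level);
        rejected++;
    }
    return rejected;
}

int main(void)
{
    return replay_report() == 2 ? 0 : 1;
}
```

Both checks reject their block before any pointer is followed, which is why the mount in the report fails cleanly in open_ctree with -117 (EUCLEAN) rather than dereferencing the bogus child address; the WARN() that follows the second message in the log is the debug-build stack dump attached to the level check, not a separate failure.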
Created attachment 282291 [details] poc_04.c
(In reply to Jungyeon from comment #1)
> Created attachment 282291 [details]
> poc_04.c

In this case, mount fails. No need to execute this program. Please just ignore it. So the reproduction steps would be as follows. Sorry for making you confused.

- Reproduces
mkdir test
mount -t btrfs tmp.img test
This WARN() is designed entirely for developers. Thus we won't remove it, since even the most careless developer (like me) can't ignore the dump stack.

It's only enabled for CONFIG_BTRFS_DEBUG builds, thus end users should not be affected.

Thanks,
Qu