Bug 203259 - kernel BUG at fs/btrfs/ctree.h:3500! and hangs on sync
Summary: kernel BUG at fs/btrfs/ctree.h:3500! and hangs on sync
Status: NEW
Alias: None
Product: File System
Classification: Unclassified
Component: btrfs
Hardware: All Linux
Importance: P1 normal
Assignee: BTRFS virtual assignee
URL:
Keywords:
Depends on:
Blocks:
Reported: 2019-04-10 19:03 UTC by Jungyeon
Modified: 2019-07-16 07:13 UTC

See Also:
Kernel Version: 5.0.0
Tree: Mainline
Regression: No


Attachments
The (compressed) crafted image which causes crash (135.22 KB, application/zip), 2019-04-10 19:03 UTC, Jungyeon
poc_05.c (3.87 KB, text/x-csrc), 2019-04-10 19:03 UTC, Jungyeon

Description Jungyeon 2019-04-10 19:03:02 UTC
Created attachment 282293
The (compressed) crafted image which causes crash

When mounting the attached crafted image and running the attached program, the following errors are reported.
Additionally, it hangs on sync after running the program.

The image is intentionally fuzzed from a normal btrfs image for testing.
Compile options for BTRFS are as follows.
CONFIG_BTRFS_FS=y
CONFIG_BTRFS_FS_POSIX_ACL=y
CONFIG_BTRFS_FS_CHECK_INTEGRITY=y
# CONFIG_BTRFS_FS_RUN_SANITY_TESTS is not set
CONFIG_BTRFS_DEBUG=y
CONFIG_BTRFS_ASSERT=y
CONFIG_BTRFS_FS_REF_VERIFY=y

- Reproduces
gcc poc_05.c
mkdir test
mount -t btrfs tmp.img test
cp a.out test
cd test
sudo ./a.out
sync

- Kernel messages
[   50.272305] BTRFS info (device sdb): disk space caching is enabled
[   50.272307] BTRFS info (device sdb): has skinny extents
[   50.273966] BTRFS info (device sdb): bdev /dev/sdb errs: wr 0, rd 4294901760, flush 0, corrupt 0, gen 0
[   50.274518] BTRFS critical (device sdb): corrupt leaf: root=5 block=29409280 slot=26, unexpected item end, have 2677 expect 2685
[   50.276593] BTRFS info (device sdb): read error corrected: ino 0 off 29409280 (dev /dev/sdb sector 73824)
[   59.799637] assertion failed: !memcmp_extent_buffer(b, &disk_key, offsetof(struct btrfs_leaf, items[0].key), sizeof(disk_key)), file: fs/btrfs/ctree.c, line: 2544
[   59.801739] ------------[ cut here ]------------
[   59.801740] kernel BUG at fs/btrfs/ctree.h:3500!
[   59.802418] invalid opcode: 0000 [#1] SMP PTI
[   59.803041] CPU: 0 PID: 1934 Comm: a.out Not tainted 5.0.0 #11
[   59.803866] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[   59.805193] RIP: 0010:assfail.constprop.34+0x18/0x27
[   59.805903] Code: 24 40 e9 7a ff ff ff 31 c0 eb b9 e8 59 69 d4 ff 0f 0b 89 f1 48 c7 c2 08 9e 63 8d 48 89 fe 48 c7 c7 60 98 63 8d e8 98 86 d9 ff <0f> 0b 90 90 90 90 90 90 90 90 90 90 90 90 90 41 54 55 49 89 fc 53
[   59.808509] RSP: 0018:ffffaba540d13c08 EFLAGS: 00010286
[   59.809247] RAX: 0000000000000096 RBX: ffffa1b96b69f000 RCX: 0000000000000000
[   59.810252] RDX: 0000000000000000 RSI: ffffa1b977a15418 RDI: ffffa1b977a15418
[   59.811252] RBP: 0000000000000000 R08: 00000000000c3395 R09: 0000000000000005
[   59.812252] R10: 00000000ffffffff R11: ffffaba540d13ac5 R12: ffffa1b975c09000
[   59.813251] R13: ffffa1b97656dd98 R14: 0000000000000000 R15: 0000000000000000
[   59.814273] FS:  00007fcce57f6700(0000) GS:ffffa1b977a00000(0000) knlGS:0000000000000000
[   59.815396] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   59.816181] CR2: 00007ffd94778000 CR3: 00000002366a2004 CR4: 00000000001606f0
[   59.817151] Call Trace:
[   59.817509]  btrfs_search_slot+0x914/0xa10
[   59.818115]  btrfs_delete_delayed_items+0xb7/0x330
[   59.818776]  ? __btrfs_update_delayed_inode+0x1b2/0x230
[   59.819524]  ? _cond_resched+0x11/0x40
[   59.820063]  __btrfs_run_delayed_items+0x4e8/0x5f0
[   59.820744]  ? __wake_up_common_lock+0x84/0xb0
[   59.821377]  btrfs_commit_transaction+0x1e5/0x970
[   59.822060]  ? _cond_resched+0x11/0x40
[   59.822596]  ? dput+0x8d/0x100
[   59.823036]  ? btrfs_log_dentry_safe+0x4f/0x60
[   59.823668]  btrfs_sync_file+0x358/0x3a0
[   59.824228]  ? _cond_resched+0x10/0x40
[   59.824764]  do_fsync+0x33/0x60
[   59.825216]  __x64_sys_fsync+0xb/0x10
[   59.825744]  do_syscall_64+0x43/0xf0
[   59.826260]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   59.826980] RIP: 0033:0x7fcce53114d9
[   59.827494] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 8f 29 2c 00 f7 d8 64 89 01 48
[   59.830116] RSP: 002b:00007ffd94776448 EFLAGS: 00000217 ORIG_RAX: 000000000000004a
[   59.831182] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcce53114d9
[   59.832187] RDX: 00007fcce53114d9 RSI: 00007fcce53114d9 RDI: 0000000000000003
[   59.833191] RBP: 00007ffd9477a600 R08: 00007ffd9477a6e8 R09: 00007ffd9477a6e8
[   59.834200] R10: 00007ffd9477a6e8 R11: 0000000000000217 R12: 00000000004004e0
[   59.835173] R13: 00007ffd9477a6e0 R14: 0000000000000000 R15: 0000000000000000
[   59.836171] Modules linked in:
[   59.836627] ---[ end trace 9b87d2acfe684720 ]---
[   59.837287] RIP: 0010:assfail.constprop.34+0x18/0x27
[   59.838002] Code: 24 40 e9 7a ff ff ff 31 c0 eb b9 e8 59 69 d4 ff 0f 0b 89 f1 48 c7 c2 08 9e 63 8d 48 89 fe 48 c7 c7 60 98 63 8d e8 98 86 d9 ff <0f> 0b 90 90 90 90 90 90 90 90 90 90 90 90 90 41 54 55 49 89 fc 53
[   59.840611] RSP: 0018:ffffaba540d13c08 EFLAGS: 00010286
[   59.841356] RAX: 0000000000000096 RBX: ffffa1b96b69f000 RCX: 0000000000000000
[   59.842394] RDX: 0000000000000000 RSI: ffffa1b977a15418 RDI: ffffa1b977a15418
[   59.843412] RBP: 0000000000000000 R08: 00000000000c3395 R09: 0000000000000005
[   59.844430] R10: 00000000ffffffff R11: ffffaba540d13ac5 R12: ffffa1b975c09000
[   59.845435] R13: ffffa1b97656dd98 R14: 0000000000000000 R15: 0000000000000000
[   59.846468] FS:  00007fcce57f6700(0000) GS:ffffa1b977a00000(0000) knlGS:0000000000000000
[   59.847613] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   59.848435] CR2: 00007ffd94778000 CR3: 00000002366a2004 CR4: 00000000001606f0
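As an added triage aid (not code from the report or from btrfs), the following Python parses lines taken from the kernel log above, pulls the tree-checker fields out of the "corrupt leaf" line and the BUG site out of the oops header, and correlates the two so a log monitor can tell a caught-and-reported corruption from a BUG that arrives with no warning.

```python
import re
# Constructed sample: lines copied from this report's kernel log, covering the
# corrupt-leaf warning, the assertion failure and the BUG line.
SAMPLE_DMESG = """\
[   50.272307] BTRFS info (device sdb): has skinny extents
[   50.274518] BTRFS critical (device sdb): corrupt leaf: root=5 block=29409280 slot=26, unexpected item end, have 2677 expect 2685
[   59.799637] assertion failed: !memcmp_extent_buffer(b, &disk_key, offsetof(struct btrfs_leaf, items[0].key), sizeof(disk_key)), file: fs/btrfs/ctree.c, line: 2544
[   59.801740] kernel BUG at fs/btrfs/ctree.h:3500!
[   59.817509]  btrfs_search_slot+0x914/0xa10
"""

TS_RE = re.compile(r"^\[\s*(?P<ts>\d+\.\d+)\]\s*(?P<msg>.*)$")
CORRUPT_RE = re.compile(
    r"BTRFS critical \(device (?P<dev>\w+)\): corrupt leaf: "
    r"root=(?P<root>\d+) block=(?P<block>\d+) slot=(?P<slot>\d+), "
    r"(?P<reason>[^,]+), have (?P<have>\d+) expect (?P<expect>\d+)"
)
ASSERT_RE = re.compile(r"assertion failed: (?P<expr>.*), file: (?P<file>[^,]+), line: (?P<line>\d+)")
BUG_RE = re.compile(r"kernel BUG at (?P<file>\S+):(?P<line>\d+)!")
# Line classes of interest, tried in order; the first match classifies the line.
PATTERNS = (("corrupt_leaf", CORRUPT_RE), ("assert", ASSERT_RE), ("bug", BUG_RE))

def parse_dmesg(text):
    """Turn timestamped kernel log lines into a list of structured events."""
    events = []
    for raw in text.splitlines():
        m = TS_RE.match(raw)
        if not m:
            continue
        ts, msg = float(m.group("ts")), m.group("msg")
        for kind, rx in PATTERNS:
            hit = rx.search(msg)
            if hit:
                events.append({"kind": kind, "ts": ts, **hit.groupdict()})
                break
    return events

def correlate(events):
    """Pair the first corrupt-leaf warning with the first kernel BUG after it;
    None means the log does not show that sequence (no warning, or BUG first)."""
    corrupt = next((e for e in events if e["kind"] == "corrupt_leaf"), None)
    bug = next((e for e in events if e["kind"] == "bug"), None)
    if corrupt is None or bug is None or bug["ts"] < corrupt["ts"]:
        return None
    return {
        "block": int(corrupt["block"]),
        "item_end_delta": int(corrupt["have"]) - int(corrupt["expect"]),  # have - expect
        "bug_site": f'{bug["file"]}:{bug["line"]}',
        "seconds_until_bug": round(bug["ts"] - corrupt["ts"], 3),
    }
```

On the sample above the tree checker flags the leaf roughly 9.5 seconds before the assertion fires, which is the window in which the mount could have been refused or the filesystem forced read-only.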
Comment 1 Jungyeon 2019-04-10 19:03:17 UTC
Created attachment 282295
poc_05.c
Comment 2 Qu Wenruo 2019-07-16 07:13:50 UTC
The assert() seems to be removed in v5.2 kernel, as I can't find that ASSERT() at all.
