Created attachment 282297
The (compressed) crafted image which causes a crash

- Overview

When mounting the attached crafted image, the following errors are reported. Additionally, it hangs on sync after trying to mount. The image is intentionally fuzzed from a normal btrfs image for testing.

Compile options for BTRFS are as follows.

CONFIG_BTRFS_FS=y
CONFIG_BTRFS_FS_POSIX_ACL=y
CONFIG_BTRFS_FS_CHECK_INTEGRITY=y
# CONFIG_BTRFS_FS_RUN_SANITY_TESTS is not set
CONFIG_BTRFS_DEBUG=y
CONFIG_BTRFS_ASSERT=y
CONFIG_BTRFS_FS_REF_VERIFY=y

- Reproduces

mkdir test
mount -t btrfs tmp.img test
sync

- Kernel messages

[ 42.279691] BTRFS info (device sdb): disk space caching is enabled
[ 42.279693] BTRFS info (device sdb): has skinny extents
[ 42.280376] BTRFS error (device sdb): bad fsid on block 20975616
[ 42.281686] BTRFS info (device sdb): read error corrected: ino 0 off 20975616 (dev /dev/sdb sector 40968)
[ 42.282181] BTRFS critical (device sdb): corrupt leaf: root=2 block=29421568 slot=2, bad key order, prev (72057594058899456 192 8388608) current (20975616 169 0)
[ 42.284608] BTRFS info (device sdb): read error corrected: ino 0 off 29421568 (dev /dev/sdb sector 73848)
[ 42.284806] BTRFS critical (device sdb): corrupt leaf: root=4 block=29396992 slot=5, unexpected item end, have 2181825088 expect 3763
[ 42.286973] BTRFS info (device sdb): read error corrected: ino 0 off 29396992 (dev /dev/sdb sector 73800)
[ 42.287507] BTRFS warning (device sdb): mismatching generation and generation_v2 found in root item. This root was probably mounted with an older kernel. Resetting all new fields.
[ 42.287753] BTRFS error (device sdb): bad tree block start, want 29380608 have 0
[ 42.289334] BTRFS info (device sdb): read error corrected: ino 0 off 29380608 (dev /dev/sdb sector 73768)
[ 42.295096] ------------[ cut here ]------------
[ 42.295098] kernel BUG at fs/btrfs/extent-tree.c:9312!
[ 42.295848] invalid opcode: 0000 [#1] SMP PTI
[ 42.296454] CPU: 0 PID: 1896 Comm: mount Not tainted 5.0.0 #11
[ 42.297257] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 42.298551] RIP: 0010:btrfs_drop_snapshot+0x601/0x7f0
[ 42.299254] Code: e9 c1 fd ff ff 48 89 ef 4c 89 3c 24 89 44 24 10 e8 64 eb fe ff 44 8b 4c 24 10 41 83 f9 f5 41 0f 95 c4 45 31 f6 e9 89 fc ff ff <0f> 0b 83 bb 94 00 00 00 01 4c 89 3c 24 0f 85 fc 00 00 00 48 89 ef
[ 42.301774] RSP: 0018:ffffa55f00cfb958 EFLAGS: 00010246
[ 42.302490] RAX: 0000000000000000 RBX: ffffa2dceb65b9c0 RCX: 0000000000000040
[ 42.303464] RDX: 0000000000000000 RSI: ffffa2dcf7a2acb0 RDI: 000000000002acb0
[ 42.304435] RBP: ffffa2dceed34070 R08: ffffa2dcf7a2acb0 R09: 0000000000000000
[ 42.305406] R10: ffffe45fc8bb4d00 R11: ffffa2dceb871300 R12: ffffa55f00cfb9f0
[ 42.306379] R13: ffffa2dcebae3800 R14: ffffa2dcebae0d78 R15: ffffa2dcebae3800
[ 42.307357] FS: 00007f4171430840(0000) GS:ffffa2dcf7a00000(0000) knlGS:0000000000000000
[ 42.308460] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 42.309247] CR2: 00007f30cd904000 CR3: 0000000231b4c004 CR4: 00000000001606f0
[ 42.310218] Call Trace:
[ 42.310639]  merge_reloc_roots+0xda/0x240
[ 42.311246]  btrfs_recover_relocation+0x397/0x430
[ 42.311898]  open_ctree+0x1de6/0x2264
[ 42.312408]  btrfs_mount_root+0x5ad/0x680
[ 42.312963]  ? pcpu_alloc_area+0xc3/0x130
[ 42.313518]  ? pcpu_next_unpop+0x32/0x40
[ 42.314061]  ? mount_fs+0x4a/0x170
[ 42.314535]  ? btrfs_decode_error+0x20/0x20
[ 42.315183]  mount_fs+0x4a/0x170
[ 42.315635]  vfs_kern_mount+0x5d/0x100
[ 42.316156]  btrfs_mount+0x16e/0x8c8
[ 42.316652]  ? pcpu_alloc_area+0xc3/0x130
[ 42.317206]  ? pcpu_next_unpop+0x32/0x40
[ 42.317748]  ? mount_fs+0x4a/0x170
[ 42.318219]  mount_fs+0x4a/0x170
[ 42.318715]  vfs_kern_mount+0x5d/0x100
[ 42.319269]  do_mount+0x200/0xcf0
[ 42.319729]  ? memdup_user+0x39/0x60
[ 42.320226]  ksys_mount+0x79/0xc0
[ 42.320686]  __x64_sys_mount+0x1c/0x20
[ 42.321205]  do_syscall_64+0x43/0xf0
[ 42.321703]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 42.322395] RIP: 0033:0x7f4170d0fb9a
[ 42.322926] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48
[ 42.325449] RSP: 002b:00007fff1f7fc878 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[ 42.326481] RAX: ffffffffffffffda RBX: 0000000001303050 RCX: 00007f4170d0fb9a
[ 42.327507] RDX: 0000000001303230 RSI: 0000000001303f20 RDI: 0000000001303250
[ 42.328477] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000014
[ 42.329446] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000000001303250
[ 42.330416] R13: 0000000001303230 R14: 0000000000000000 R15: 0000000000000003
[ 42.331419] Modules linked in:
[ 42.331860] ---[ end trace a14aa29d7a6881d8 ]---
[ 42.332507] RIP: 0010:btrfs_drop_snapshot+0x601/0x7f0
[ 42.333207] Code: e9 c1 fd ff ff 48 89 ef 4c 89 3c 24 89 44 24 10 e8 64 eb fe ff 44 8b 4c 24 10 41 83 f9 f5 41 0f 95 c4 45 31 f6 e9 89 fc ff ff <0f> 0b 83 bb 94 00 00 00 01 4c 89 3c 24 0f 85 fc 00 00 00 48 89 ef
[ 42.335808] RSP: 0018:ffffa55f00cfb958 EFLAGS: 00010246
[ 42.336529] RAX: 0000000000000000 RBX: ffffa2dceb65b9c0 RCX: 0000000000000040
[ 42.337507] RDX: 0000000000000000 RSI: ffffa2dcf7a2acb0 RDI: 000000000002acb0
[ 42.338486] RBP: ffffa2dceed34070 R08: ffffa2dcf7a2acb0 R09: 0000000000000000
[ 42.339539] R10: ffffe45fc8bb4d00 R11: ffffa2dceb871300 R12: ffffa55f00cfb9f0
[ 42.340513] R13: ffffa2dcebae3800 R14: ffffa2dcebae0d78 R15: ffffa2dcebae3800
[ 42.341491] FS: 00007f4171430840(0000) GS:ffffa2dcf7a00000(0000) knlGS:0000000000000000
[ 42.342621] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 42.343433] CR2: 00007f30cd904000 CR3: 0000000231b4c004 CR4: 00000000001606f0
[ 42.345265] mount (1896) used greatest stack depth: 12872 bytes left
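The kernel log above is the kind of output a triage script has to reduce to a few facts (which BTRFS tree-checker messages fired, where the BUG() hit, and the reliable call-trace frames). The following Python is an added example, not part of the bug report or the kernel; it parses dmesg lines in the format shown here, with a sample constructed from the lines of this report.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Patterns for the dmesg formats seen in this report (assumed stable, not an official grammar).
TS_RE = re.compile(r"^\[\s*(\d+\.\d+)\]\s*(.*)$")
BTRFS_RE = re.compile(r"^BTRFS (\w+) \(device (\w+)\): (.*)$")
BUG_RE = re.compile(r"^kernel BUG at (\S+):(\d+)!$")
RIP_RE = re.compile(r"^RIP: \w+:(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
FRAME_RE = re.compile(r"^(\??\s*)(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+$")

@dataclass
class Triage:
    btrfs: List[Tuple[float, str, str, str]] = field(default_factory=list)  # (ts, level, device, msg)
    bug_at: Optional[Tuple[str, int]] = None                               # (file, line) of BUG()
    rip_func: Optional[str] = None                                         # kernel function at RIP
    trace: List[str] = field(default_factory=list)                         # frames without '?' (reliable)

def triage_dmesg(lines):
    """Reduce raw dmesg lines to BTRFS messages, BUG site, RIP function and call trace."""
    t, in_trace = Triage(), False
    for raw in lines:
        m = TS_RE.match(raw.strip())
        if not m:
            continue
        ts, body = float(m.group(1)), m.group(2).strip()
        if (b := BTRFS_RE.match(body)):
            t.btrfs.append((ts, b.group(1), b.group(2), b.group(3)))
        elif (b := BUG_RE.match(body)):
            t.bug_at = (b.group(1), int(b.group(2)))
        elif (b := RIP_RE.match(body)) and t.rip_func is None:
            t.rip_func = b.group(1)          # first kernel RIP only; the trailer repeats it
        elif body == "Call Trace:":
            in_trace = True
        elif in_trace:
            f = FRAME_RE.match(body)
            if not f:
                in_trace = False             # register dump or user-space RIP ends the trace
            elif not f.group(1).startswith("?"):
                t.trace.append(f.group(2))   # '?' frames are stale stack slots, skip them
    return t

def severe(t):
    """Messages the btrfs tree checker emits at error/critical level (integrity findings)."""
    return [e for e in t.btrfs if e[1] in ("critical", "error")]

# Constructed sample: a subset of the lines from this report.
SAMPLE = """\
[ 42.280376] BTRFS error (device sdb): bad fsid on block 20975616
[ 42.282181] BTRFS critical (device sdb): corrupt leaf: root=2 block=29421568 slot=2, bad key order, prev (72057594058899456 192 8388608) current (20975616 169 0)
[ 42.284806] BTRFS critical (device sdb): corrupt leaf: root=4 block=29396992 slot=5, unexpected item end, have 2181825088 expect 3763
[ 42.287753] BTRFS error (device sdb): bad tree block start, want 29380608 have 0
[ 42.295098] kernel BUG at fs/btrfs/extent-tree.c:9312!
[ 42.298551] RIP: 0010:btrfs_drop_snapshot+0x601/0x7f0
[ 42.310218] Call Trace:
[ 42.310639]  merge_reloc_roots+0xda/0x240
[ 42.311246]  btrfs_recover_relocation+0x397/0x430
[ 42.311898]  open_ctree+0x1de6/0x2264
[ 42.312963]  ? pcpu_alloc_area+0xc3/0x130
[ 42.320226]  ksys_mount+0x79/0xc0
[ 42.332507] RIP: 0010:btrfs_drop_snapshot+0x601/0x7f0
""".splitlines()
```

Run over the full log, the corrupt-leaf messages tell you the tree checker rejected the image before the relocation recovery path reached the BUG() in btrfs_drop_snapshot.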
Fixed by 259ee7754b6793af8bdd77f9ca818bc41cfe9541. Thanks for the report.