Bug 215289 - general protection fault at fs/btrfs/struct-funcs.c:btrfs_get_32() when mount a corrupted image
Summary: general protection fault at fs/btrfs/struct-funcs.c:btrfs_get_32() when mount...
Status: RESOLVED CODE_FIX
Alias: None
Product: File System
Classification: Unclassified
Component: btrfs
Hardware: All Linux
: P1 normal
Assignee: BTRFS virtual assignee
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-12-10 03:44 UTC by Wenqing Liu
Modified: 2022-10-06 22:26 UTC (History)
3 users

See Also:
Kernel Version: 5.16-rc3, 5.16-rc4
Subsystem:
Regression: No
Bisected commit-id:


Attachments
poc and .config file (168.14 KB, application/zip)
2021-12-10 03:44 UTC, Wenqing Liu

Description Wenqing Liu 2021-12-10 03:44:34 UTC
Created attachment 299977
poc and .config file

- Overview 
General protection fault at fs/btrfs/struct-funcs.c:btrfs_get_32() when mounting a corrupted image

- Reproduce 
tested on kernel 5.16-rc3, 5.16-rc4

# mkdir mnt
# mount -t btrfs tmp1.img mnt


- Kernel dump

[   70.448784] loop0: detected capacity change from 0 to 262144
[   70.479411] BTRFS info (device loop0): disk space caching is enabled
[   70.479416] BTRFS info (device loop0): has skinny extents
[   70.480033] BTRFS warning (device loop0): bad eb member start: ptr 0xfd8 start 29396992 member offset 4108 size 4
[   70.480051] general protection fault, probably for non-canonical address 0x3f2ae0000000c: 0000 [#1] PREEMPT SMP NOPTI
[   70.480077] CPU: 3 PID: 9 Comm: kworker/u8:1 Not tainted 5.16.0-rc4 #1
[   70.480090] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[   70.480104] Workqueue: btrfs-endio-meta btrfs_work_helper [btrfs]
[   70.480207] RIP: 0010:btrfs_get_32+0x86/0x160 [btrfs]
[   70.480244] Code: 48 2b 1d dd be 1d d8 48 c1 fb 06 48 c1 e3 0c 48 03 1d de be 1d d8 e8 c9 f5 ff ff 49 8d 46 04 4c 01 f3 48 3d 00 10 00 00 77 25 <8b> 03 48 8b 4c 24 10 65 48 33 0c 25 28 00 00 00 0f 85 83 00 00 00
[   70.480275] RSP: 0018:ffffa83b00053bf8 EFLAGS: 00010283
[   70.480286] RAX: 0000000000000010 RBX: 0003f2ae0000000c RCX: 0000000000000001
[   70.480299] RDX: 0000000000000000 RSI: ffffffff9872e181 RDI: 00000000ffffffff
[   70.480312] RBP: ffff8cbf03140900 R08: 0000000000000000 R09: 0000000000000001
[   70.480324] R10: 00000000697d8a5a R11: 0000000000000034 R12: 0000000000000001
[   70.480338] R13: ffff8cbf03140908 R14: 000000000000000c R15: 0000000000000fd8
[   70.480351] FS:  0000000000000000(0000) GS:ffff8cc0f5d80000(0000) knlGS:0000000000000000
[   70.480365] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   70.480376] CR2: 0000555bbe534880 CR3: 0000000113862006 CR4: 0000000000370ee0
[   70.480392] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   70.480425] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   70.480438] Call Trace:
[   70.480453]  <TASK>
[   70.480459]  ? check_inode_key+0x41/0x160 [btrfs]
[   70.480519]  check_leaf+0x523/0x1a40 [btrfs]
[   70.480563]  ? filemap_read+0x34a/0x390
[   70.480574]  validate_extent_buffer+0x244/0x310 [btrfs]
[   70.480609]  btrfs_validate_metadata_buffer+0xf8/0x100 [btrfs]
[   70.480639]  end_bio_extent_readpage+0x3af/0x850 [btrfs]
[   70.480696]  ? newidle_balance+0x259/0x480
[   70.480707]  end_workqueue_fn+0x29/0x40 [btrfs]
[   70.480737]  btrfs_work_helper+0x71/0x330 [btrfs]
[   70.480781]  ? __schedule+0x2fb/0xa40
[   70.480791]  process_one_work+0x1f6/0x400
[   70.480802]  ? process_one_work+0x400/0x400
[   70.480810]  worker_thread+0x2d/0x3d0
[   70.480819]  ? process_one_work+0x400/0x400
[   70.480827]  kthread+0x165/0x190
[   70.480836]  ? set_kthread_struct+0x40/0x40
[   70.480845]  ret_from_fork+0x1f/0x30
[   70.480856]  </TASK>
[   70.480860] Modules linked in: input_leds joydev serio_raw qemu_fw_cfg iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs blake2b_generic zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq raid1 raid0 multipath linear qxl drm_ttm_helper ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm hid_generic psmouse crct10dif_pclmul crc32_pclmul ghash_clmulni_intel usbhid aesni_intel crypto_simd hid cryptd
[   70.480996] ---[ end trace 134fcab26bd36b90 ]---
[   70.481005] RIP: 0010:btrfs_get_32+0x86/0x160 [btrfs]
[   70.481436] Code: 48 2b 1d dd be 1d d8 48 c1 fb 06 48 c1 e3 0c 48 03 1d de be 1d d8 e8 c9 f5 ff ff 49 8d 46 04 4c 01 f3 48 3d 00 10 00 00 77 25 <8b> 03 48 8b 4c 24 10 65 48 33 0c 25 28 00 00 00 0f 85 83 00 00 00
[   70.482305] RSP: 0018:ffffa83b00053bf8 EFLAGS: 00010283
[   70.482720] RAX: 0000000000000010 RBX: 0003f2ae0000000c RCX: 0000000000000001
[   70.483204] RDX: 0000000000000000 RSI: ffffffff9872e181 RDI: 00000000ffffffff
[   70.483609] RBP: ffff8cbf03140900 R08: 0000000000000000 R09: 0000000000000001
[   70.484042] R10: 00000000697d8a5a R11: 0000000000000034 R12: 0000000000000001
[   70.484555] R13: ffff8cbf03140908 R14: 000000000000000c R15: 0000000000000fd8
[   70.485017] FS:  0000000000000000(0000) GS:ffff8cc0f5d80000(0000) knlGS:0000000000000000
[   70.485392] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   70.485784] CR2: 0000555bbe534880 CR3: 0000000113862006 CR4: 0000000000370ee0
[   70.486351] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   70.486983] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Comment 1 Su Yue 2022-02-18 15:30:38 UTC
The bug should be fixed by https://lore.kernel.org/linux-btrfs/20220121093335.1840306-1-l@damenly.su/T/#t .
The Link and dmesg in the commit message were wrongly pasted by me, even though the code prevents the crafted image from being mounted.
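To make the failure in the dump and the shape of the fix concrete, here is an added, stand-alone C model; it is not kernel code and not the referenced patch. It reproduces the arithmetic behind the "bad eb member start" warning (ptr 0xfd8, start 29396992, member offset 4108, size 4, so a field offset of 0x34 is implied) and contrasts two orders of operations: reaching the field accessor directly, as the 5.16-rc4 trace shows (the warning fires and the read still proceeds past the block), versus validating the item size first so the block is rejected before any accessor runs. The 4096-byte block size, the crafted item size of 40 and the 160-byte structure size are assumptions chosen for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a btrfs metadata block (extent buffer); not kernel code. */
struct eb_model {
    uint64_t start; /* logical address of the block, as printed in the warning */
    uint32_t len;   /* block size in bytes; 4096 assumed for this report */
};

/* One item header in a leaf: its payload occupies [offset, offset + size). */
struct item_model {
    uint32_t offset;
    uint32_t size;
};

/*
 * Model of the accessor bounds check behind the "bad eb member ..." warning.
 * ptr is the byte offset of the item payload inside the block, off the field
 * offset inside the structure, size the field width. Returns true when the
 * whole field lies inside the block; otherwise stores "start" or "end" in
 * *which, mirroring the wording of the kernel warning.
 */
static bool check_setget_bounds_model(const struct eb_model *eb, unsigned long ptr,
                                      unsigned long off, int size, const char **which)
{
    unsigned long member_offset = ptr + off;

    *which = NULL;
    if (member_offset + size > eb->len) {
        *which = member_offset > eb->len ? "start" : "end";
        return false;
    }
    return true;
}

/*
 * Tree-checker style validation of an item before any field accessor runs:
 * the payload must be at least as large as the structure that will be read
 * from it and must not extend past the block. This models the kind of check
 * the referenced fix adds; it is not the actual patch.
 */
static bool item_size_ok(const struct eb_model *eb, const struct item_model *it,
                         size_t expected_struct_size)
{
    if (it->size < expected_struct_size)
        return false;
    if ((uint64_t)it->offset + it->size > eb->len)
        return false;
    return true;
}

enum access_result {
    ACCESS_OK = 0,           /* item validated and field read is in bounds */
    REJECTED_BY_CHECKER = 1, /* item_size check fails: block refused, no read */
    OUT_OF_BOUNDS_READ = 2,  /* checker skipped, accessor reads past the block */
};

/*
 * validate_first == false reaches the accessor directly (the behaviour seen in
 * this report: the warning is printed and the read goes ahead). With
 * validate_first == true the undersized item is rejected before any accessor
 * touches it.
 */
static enum access_result model_read(const struct eb_model *eb, const struct item_model *it,
                                     size_t struct_size, unsigned long field_off,
                                     int field_size, bool validate_first)
{
    const char *which;

    if (validate_first && !item_size_ok(eb, it, struct_size))
        return REJECTED_BY_CHECKER;
    if (!check_setget_bounds_model(eb, it->offset, field_off, field_size, &which)) {
        printf("bad eb member %s: ptr 0x%x start %llu member offset %lu size %d\n",
               which, (unsigned)it->offset, (unsigned long long)eb->start,
               it->offset + field_off, field_size);
        return OUT_OF_BOUNDS_READ;
    }
    return ACCESS_OK;
}

int main(void)
{
    /* Values from the warning in this report: ptr 0xfd8, start 29396992,
     * member offset 4108 = 0xfd8 + 0x34, size 4. The item size (40) and the
     * 160-byte structure size are assumed for the demonstration. */
    struct eb_model eb = { .start = 29396992ULL, .len = 4096 };
    struct item_model crafted = { .offset = 0xfd8, .size = 40 };

    printf("accessor first: %d\n", model_read(&eb, &crafted, 160, 0x34, 4, false));
    printf("checker first:  %d\n", model_read(&eb, &crafted, 160, 0x34, 4, true));
    return 0;
}
```

Run as is, the first call prints the same "bad eb member start" line as the dump and returns 2; the second returns 1 without printing anything, which is the observable difference between a warning followed by a crash and a refused mount.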
