Bug 215717 - kernel BUG() at fs/inode.c:611 triggered when mounting and operating on a corrupted image
Status: NEW
Alias: None
Product: File System
Classification: Unclassified
Component: btrfs
Hardware: All Linux
Importance: P1 normal
Assignee: BTRFS virtual assignee
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-03-21 16:03 UTC by Wenqing Liu
Modified: 2022-03-29 18:32 UTC

See Also:
Kernel Version: 5.17, 5.17-rc8
Subsystem:
Regression: No
Bisected commit-id:


Attachments
poc and .config (186.81 KB, application/zip)
2022-03-21 16:03 UTC, Wenqing Liu

Description Wenqing Liu 2022-03-21 16:03:05 UTC
Created attachment 300594
poc and .config

- Overview 
kernel BUG() at fs/inode.c:611 triggered when mounting and operating on a corrupted btrfs image

- Reproduce 
Tested on kernels 5.17-rc8 and 5.17.

# mkdir test_crash
# cd test_crash 
# unzip tmp2.zip
# mkdir mnt
# ./single_test.sh btrfs 2


- Kernel dump

[  162.618578] loop0: detected capacity change from 0 to 262144
[  162.645922] BTRFS info (device loop0): disk space caching is enabled
[  162.645931] BTRFS info (device loop0): has skinny extents
[  162.861717] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[  162.861929] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[  162.862124] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[  162.862239] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[  162.867557] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[  162.867715] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[  162.867798] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[  162.867872] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[  162.867959] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[  162.868040] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[  162.868113] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[  162.870828] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[  162.870966] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[  162.871074] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[  162.871189] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[  162.871322] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[  162.873104] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[  162.873236] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[  162.873317] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[  162.873444] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[  162.873528] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[  162.876127] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[  162.876288] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[  162.887419] ------------[ cut here ]------------
[  162.887424] kernel BUG at fs/inode.c:611!
[  162.887470] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
[  162.887490] CPU: 3 PID: 1215 Comm: umount Not tainted 5.17.0 #1
[  162.887512] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[  162.887540] RIP: 0010:clear_inode+0x8e/0xe0
[  162.887559] Code: 48 8d 83 28 01 00 00 48 39 c2 75 5e 48 c7 83 98 00 00 00 60 00 00 00 48 83 05 85 2c 2f 02 01 5b 5d c3 48 83 05 2a 2c 2f 02 01 <0f> 0b 48 83 05 30 2c 2f 02 01 48 83 05 30 2c 2f 02 01 0f 0b 48 83
[  162.887619] RSP: 0018:ffffafd080bcbd28 EFLAGS: 00010002
[  162.887638] RAX: 0000000000000000 RBX: ffff9be406274cb8 RCX: 00000000801a0017
[  162.887663] RDX: 0000000000000001 RSI: 00000000801a0017 RDI: 0000000000000000
[  162.887687] RBP: ffff9be406274e38 R08: 0000000000000001 R09: 0000000000000001
[  162.887712] R10: fffffffe1be12700 R11: ffffffff9cd5ea80 R12: ffff9be406274ac0
[  162.887735] R13: ffff9be406274ac8 R14: ffff9be406274aec R15: ffff9be406273ec0
[  162.887760] FS:  00007f72cddfd080(0000) GS:ffff9be5f5d80000(0000) knlGS:0000000000000000
[  162.887787] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  162.887807] CR2: 000055878f4a3068 CR3: 0000000111270005 CR4: 0000000000370ee0
[  162.888367] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  162.888907] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  162.889428] Call Trace:
[  162.889973]  <TASK>
[  162.890438]  btrfs_evict_inode+0x415/0x770
[  162.890884]  ? init_wait_var_entry+0x50/0x50
[  162.891353]  evict+0x109/0x270
[  162.891771]  dispose_list+0x45/0x70
[  162.892174]  evict_inodes+0x1a6/0x210
[  162.892590]  generic_shutdown_super+0x63/0x1f0
[  162.893025]  kill_anon_super+0x16/0x40
[  162.893463]  btrfs_kill_super+0x1a/0x40
[  162.893895]  deactivate_locked_super+0x60/0xc0
[  162.894364]  deactivate_super+0x70/0xb0
[  162.894838]  cleanup_mnt+0x11a/0x200
[  162.895253]  __cleanup_mnt+0x16/0x20
[  162.895524]  task_work_run+0x67/0xa0
[  162.895799]  exit_to_user_mode_prepare+0x18c/0x1a0
[  162.896084]  syscall_exit_to_user_mode+0x26/0x40
[  162.896380]  do_syscall_64+0x46/0xb0
[  162.896687]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[  162.896993] RIP: 0033:0x7f72cd6bd657
[  162.897295] Code: 98 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 01 98 2c 00 f7 d8 64 89 01 48
[  162.897963] RSP: 002b:00007fff31865178 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
[  162.898328] RAX: 0000000000000000 RBX: 000055878f49b420 RCX: 00007f72cd6bd657
[  162.898684] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000055878f4a30b0
[  162.899046] RBP: 0000000000000000 R08: 000055878f4a3580 R09: 0000000000000005
[  162.899428] R10: 000000000000000b R11: 0000000000000246 R12: 000055878f4a30b0
[  162.899809] R13: 00007f72cdbdf8a4 R14: 000055878f49b600 R15: 0000000000000000
[  162.900190]  </TASK>
[  162.900592] Modules linked in: iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi input_leds joydev serio_raw xfs qemu_fw_cfg autofs4 raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear hid_generic usbhid hid qxl drm_ttm_helper ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel crypto_simd psmouse cryptd
[  162.902280] ---[ end trace 0000000000000000 ]---
[  162.902700] RIP: 0010:clear_inode+0x8e/0xe0
[  162.903131] Code: 48 8d 83 28 01 00 00 48 39 c2 75 5e 48 c7 83 98 00 00 00 60 00 00 00 48 83 05 85 2c 2f 02 01 5b 5d c3 48 83 05 2a 2c 2f 02 01 <0f> 0b 48 83 05 30 2c 2f 02 01 48 83 05 30 2c 2f 02 01 0f 0b 48 83
[  162.903957] RSP: 0018:ffffafd080bcbd28 EFLAGS: 00010002
[  162.904369] RAX: 0000000000000000 RBX: ffff9be406274cb8 RCX: 00000000801a0017
[  162.904811] RDX: 0000000000000001 RSI: 00000000801a0017 RDI: 0000000000000000
[  162.905248] RBP: ffff9be406274e38 R08: 0000000000000001 R09: 0000000000000001
[  162.905674] R10: fffffffe1be12700 R11: ffffffff9cd5ea80 R12: ffff9be406274ac0
[  162.906103] R13: ffff9be406274ac8 R14: ffff9be406274aec R15: ffff9be406273ec0
[  162.906527] FS:  00007f72cddfd080(0000) GS:ffff9be5f5d80000(0000) knlGS:0000000000000000
[  162.906956] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  162.907395] CR2: 000055878f4a3068 CR3: 0000000111270005 CR4: 0000000000370ee0
[  162.907835] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  162.908273] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  162.908699] note: umount[1215] exited with preempt_count 1
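As an added illustration that is not part of this report, the following Python parser pulls the fields a triage or log-monitoring script would want out of an oops like the one above: the BTRFS errors logged before the BUG, the BUG site, the faulting task, the kernel RIP symbol and the reliable call-trace frames. The sample input is a constructed, abbreviated copy of this dump.

```python
import re

# Constructed sample: an abbreviated excerpt of the oops in this report.
SAMPLE_DMESG = """\
[  162.861717] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[  162.861929] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[  162.887424] kernel BUG at fs/inode.c:611!
[  162.887490] CPU: 3 PID: 1215 Comm: umount Not tainted 5.17.0 #1
[  162.887540] RIP: 0010:clear_inode+0x8e/0xe0
[  162.889428] Call Trace:
[  162.889973]  <TASK>
[  162.890438]  btrfs_evict_inode+0x415/0x770
[  162.890884]  ? init_wait_var_entry+0x50/0x50
[  162.891353]  evict+0x109/0x270
[  162.892590]  generic_shutdown_super+0x63/0x1f0
[  162.896993] RIP: 0033:0x7f72cd6bd657
[  162.900190]  </TASK>
"""

TS = r"^\[\s*[\d.]+\]\s*"  # dmesg timestamp prefix
BTRFS_ERR = re.compile(TS + r"BTRFS error \(device \S+\): (.*)")
BUG_SITE = re.compile(TS + r"kernel BUG at ([^!]+)!")
TASK = re.compile(TS + r"CPU: \d+ PID: (\d+) Comm: (\S+)")
RIP = re.compile(TS + r"RIP: \d+:(\w+)\+")  # kernel symbol only; a user-mode RIP has no '+'
FRAME = re.compile(TS + r"(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+$")  # '? ' guess frames never match


def parse_oops(text):
    """Summarise the first kernel BUG in a dmesg excerpt as a dict."""
    out = {"btrfs_errors": [], "bug_site": None, "pid": None,
           "comm": None, "rip": None, "trace": []}
    in_trace = False
    for line in text.splitlines():
        if out["bug_site"] is None and (m := BTRFS_ERR.match(line)):
            out["btrfs_errors"].append(m.group(1))  # corruption warnings before the BUG
        elif m := BUG_SITE.match(line):
            out["bug_site"] = m.group(1)
        elif m := TASK.match(line):
            out["pid"], out["comm"] = int(m.group(1)), m.group(2)
        elif out["rip"] is None and (m := RIP.match(line)):
            out["rip"] = m.group(1)
        elif "<TASK>" in line:
            in_trace = True
        elif "</TASK>" in line:
            in_trace = False
        elif in_trace and (m := FRAME.match(line)):
            out["trace"].append(m.group(1))
    return out
```

Run against the full dump, the same function yields the same fields; the repeated register block after "end trace" and the user-mode RIP are ignored by design.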
Comment 1 The Linux kernel's regression tracker (Thorsten Leemhuis) 2022-03-29 12:50:31 UTC
Is this a regression or did this happen with earlier kernels (say 5.16) as well?
Comment 2 Wenqing Liu 2022-03-29 18:32:16 UTC
(In reply to The Linux kernel's regression tracker (Thorsten Leemhuis) from comment #1)
> Is this a regression or did this happen with earlier kernels (say 5.16) as
> well?
Other than 5.17, I tested on 5.16.8, 5.15.32, 5.10.99 and 5.4.171.
The bug is triggered on 5.16.8 and 5.15.32, but not on 5.10.99 or 5.4.171.
