Created attachment 300594
poc and .config

- Overview
kernel BUG() at fs/inode.c:611 triggered when mounting and operating on a corrupted btrfs image

- Reproduce
tested on kernel 5.17-rc8, 5.17
# mkdir test_crash
# cd test_crash
# unzip tmp2.zip
# mkdir mnt
# ./single_test.sh btrfs 2

- Kernel dump
[ 162.618578] loop0: detected capacity change from 0 to 262144
[ 162.645922] BTRFS info (device loop0): disk space caching is enabled
[ 162.645931] BTRFS info (device loop0): has skinny extents
[ 162.861717] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[ 162.861929] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[ 162.862124] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[ 162.862239] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[ 162.867557] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[ 162.867715] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[ 162.867798] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[ 162.867872] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[ 162.867959] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[ 162.868040] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[ 162.868113] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[ 162.870828] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[ 162.870966] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[ 162.871074] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[ 162.871189] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[ 162.871322] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[ 162.873104] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[ 162.873236] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[ 162.873317] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[ 162.873444] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[ 162.873528] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[ 162.876127] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[ 162.876288] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[ 162.887419] ------------[ cut here ]------------
[ 162.887424] kernel BUG at fs/inode.c:611!
[ 162.887470] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
[ 162.887490] CPU: 3 PID: 1215 Comm: umount Not tainted 5.17.0 #1
[ 162.887512] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[ 162.887540] RIP: 0010:clear_inode+0x8e/0xe0
[ 162.887559] Code: 48 8d 83 28 01 00 00 48 39 c2 75 5e 48 c7 83 98 00 00 00 60 00 00 00 48 83 05 85 2c 2f 02 01 5b 5d c3 48 83 05 2a 2c 2f 02 01 <0f> 0b 48 83 05 30 2c 2f 02 01 48 83 05 30 2c 2f 02 01 0f 0b 48 83
[ 162.887619] RSP: 0018:ffffafd080bcbd28 EFLAGS: 00010002
[ 162.887638] RAX: 0000000000000000 RBX: ffff9be406274cb8 RCX: 00000000801a0017
[ 162.887663] RDX: 0000000000000001 RSI: 00000000801a0017 RDI: 0000000000000000
[ 162.887687] RBP: ffff9be406274e38 R08: 0000000000000001 R09: 0000000000000001
[ 162.887712] R10: fffffffe1be12700 R11: ffffffff9cd5ea80 R12: ffff9be406274ac0
[ 162.887735] R13: ffff9be406274ac8 R14: ffff9be406274aec R15: ffff9be406273ec0
[ 162.887760] FS:  00007f72cddfd080(0000) GS:ffff9be5f5d80000(0000) knlGS:0000000000000000
[ 162.887787] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 162.887807] CR2: 000055878f4a3068 CR3: 0000000111270005 CR4: 0000000000370ee0
[ 162.888367] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 162.888907] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 162.889428] Call Trace:
[ 162.889973]  <TASK>
[ 162.890438]  btrfs_evict_inode+0x415/0x770
[ 162.890884]  ? init_wait_var_entry+0x50/0x50
[ 162.891353]  evict+0x109/0x270
[ 162.891771]  dispose_list+0x45/0x70
[ 162.892174]  evict_inodes+0x1a6/0x210
[ 162.892590]  generic_shutdown_super+0x63/0x1f0
[ 162.893025]  kill_anon_super+0x16/0x40
[ 162.893463]  btrfs_kill_super+0x1a/0x40
[ 162.893895]  deactivate_locked_super+0x60/0xc0
[ 162.894364]  deactivate_super+0x70/0xb0
[ 162.894838]  cleanup_mnt+0x11a/0x200
[ 162.895253]  __cleanup_mnt+0x16/0x20
[ 162.895524]  task_work_run+0x67/0xa0
[ 162.895799]  exit_to_user_mode_prepare+0x18c/0x1a0
[ 162.896084]  syscall_exit_to_user_mode+0x26/0x40
[ 162.896380]  do_syscall_64+0x46/0xb0
[ 162.896687]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 162.896993] RIP: 0033:0x7f72cd6bd657
[ 162.897295] Code: 98 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 01 98 2c 00 f7 d8 64 89 01 48
[ 162.897963] RSP: 002b:00007fff31865178 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
[ 162.898328] RAX: 0000000000000000 RBX: 000055878f49b420 RCX: 00007f72cd6bd657
[ 162.898684] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000055878f4a30b0
[ 162.899046] RBP: 0000000000000000 R08: 000055878f4a3580 R09: 0000000000000005
[ 162.899428] R10: 000000000000000b R11: 0000000000000246 R12: 000055878f4a30b0
[ 162.899809] R13: 00007f72cdbdf8a4 R14: 000055878f49b600 R15: 0000000000000000
[ 162.900190]  </TASK>
[ 162.900592] Modules linked in: iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi input_leds joydev serio_raw xfs qemu_fw_cfg autofs4 raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear hid_generic usbhid hid qxl drm_ttm_helper ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel crypto_simd psmouse cryptd
[ 162.902280] ---[ end trace 0000000000000000 ]---
[ 162.902700] RIP: 0010:clear_inode+0x8e/0xe0
[ 162.903131] Code: 48 8d 83 28 01 00 00 48 39 c2 75 5e 48 c7 83 98 00 00 00 60 00 00 00 48 83 05 85 2c 2f 02 01 5b 5d c3 48 83 05 2a 2c 2f 02 01 <0f> 0b 48 83 05 30 2c 2f 02 01 48 83 05 30 2c 2f 02 01 0f 0b 48 83
[ 162.903957] RSP: 0018:ffffafd080bcbd28 EFLAGS: 00010002
[ 162.904369] RAX: 0000000000000000 RBX: ffff9be406274cb8 RCX: 00000000801a0017
[ 162.904811] RDX: 0000000000000001 RSI: 00000000801a0017 RDI: 0000000000000000
[ 162.905248] RBP: ffff9be406274e38 R08: 0000000000000001 R09: 0000000000000001
[ 162.905674] R10: fffffffe1be12700 R11: ffffffff9cd5ea80 R12: ffff9be406274ac0
[ 162.906103] R13: ffff9be406274ac8 R14: ffff9be406274aec R15: ffff9be406273ec0
[ 162.906527] FS:  00007f72cddfd080(0000) GS:ffff9be5f5d80000(0000) knlGS:0000000000000000
[ 162.906956] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 162.907395] CR2: 000055878f4a3068 CR3: 0000000111270005 CR4: 0000000000370ee0
[ 162.907835] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 162.908273] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 162.908699] note: umount[1215] exited with preempt_count 1
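The report above gives the reproduction steps and the raw oops, but not the reporter's single_test.sh (it is only inside the attachment). The script below is an added example, not the reporter's code and not part of btrfs: it pulls the triage-relevant fields out of a dmesg capture (the BUG site, the kernel-mode RIP, the crashing task, the first btrfs frame in the call trace and the number of "bad extent!" messages that preceded the crash), and wraps a loop-mount/umount harness around that parser. The sample log embedded in it is copied from the dump above; the `ls -lR` used as the on-mount operation and the helper names are assumptions, since the page does not show what single_test.sh does. Because the umount task dies with preempt_count 1, the harness is only meant to be run as root inside a disposable VM, as the reporter did under QEMU.

```shell
#!/bin/sh
# Added triage helper for fuzzing-found filesystem crashes (assumed helper
# names; not the reporter's single_test.sh and not btrfs code).

# Sample dmesg excerpt, copied from the report above (abridged).
SAMPLE_DMESG=$(cat <<'EOF'
[ 162.861717] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[ 162.861929] BTRFS error (device loop0): bad extent! em: [0 0] passed [0 0]
[ 162.887419] ------------[ cut here ]------------
[ 162.887424] kernel BUG at fs/inode.c:611!
[ 162.887470] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
[ 162.887490] CPU: 3 PID: 1215 Comm: umount Not tainted 5.17.0 #1
[ 162.887540] RIP: 0010:clear_inode+0x8e/0xe0
[ 162.889428] Call Trace:
[ 162.889973]  <TASK>
[ 162.890438]  btrfs_evict_inode+0x415/0x770
[ 162.891353]  evict+0x109/0x270
[ 162.892174]  evict_inodes+0x1a6/0x210
[ 162.892590]  generic_shutdown_super+0x63/0x1f0
[ 162.893463]  btrfs_kill_super+0x1a/0x40
[ 162.896993] RIP: 0033:0x7f72cd6bd657
[ 162.908699] note: umount[1215] exited with preempt_count 1
EOF
)

# Write the sample to a temp file and print its path (for stand-alone runs and tests).
sample_dmesg_file() {
    f=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_DMESG" >"$f"
    printf '%s\n' "$f"
}

# "kernel BUG at fs/inode.c:611!" -> "fs/inode.c:611"
bug_site() { sed -n 's/.*kernel BUG at \([^!]*\)!.*/\1/p' "$1" | head -n 1; }

# Kernel-mode RIP only (CS 0010); the userspace "RIP: 0033:" line is skipped.
crash_rip() { sed -n 's/.*RIP: 0010:\([^ ]*\).*/\1/p' "$1" | head -n 1; }

# "CPU: 3 PID: 1215 Comm: umount Not tainted ..." -> "umount"
crashing_task() { sed -n 's/.*Comm: \([^ ]*\) .*/\1/p' "$1" | head -n 1; }

# First btrfs_* frame in file order, i.e. the innermost filesystem frame.
first_fs_frame() {
    grep -o 'btrfs_[A-Za-z0-9_]*+0x[0-9a-f]*/0x[0-9a-f]*' "$1" | head -n 1
}

# How many extent-map validation errors btrfs logged before the BUG.
bad_extent_count() { grep -c 'BTRFS error (device [^)]*): bad extent!' "$1" || true; }

# One-screen summary; returns 1 when the log holds no kernel BUG.
triage() {
    site=$(bug_site "$1")
    [ -n "$site" ] || { echo "no kernel BUG in $1"; return 1; }
    echo "BUG site:        $site"
    echo "RIP:             $(crash_rip "$1")"
    echo "task:            $(crashing_task "$1")"
    echo "first fs frame:  $(first_fs_frame "$1")"
    echo "bad extent msgs: $(bad_extent_count "$1")"
}

# Root-only harness: loop-mount IMG, touch it, unmount, then triage dmesg.
# Run this inside a throwaway VM; after the BUG the guest is not trustworthy.
# The operation performed on the mount (ls -lR) is a placeholder assumption.
repro_and_triage() {
    img=$1; mnt=${2:-./mnt}
    [ "$(id -u)" -eq 0 ] || { echo "run as root in a disposable VM" >&2; return 2; }
    mkdir -p "$mnt"
    dmesg -C
    dev=$(losetup --find --show "$img") || return 1
    if mount -t btrfs "$dev" "$mnt"; then
        ls -lR "$mnt" >/dev/null 2>&1 || true
        umount "$mnt" || true
    fi
    losetup -d "$dev" || true
    log=$(mktemp) || return 1
    dmesg >"$log"
    triage "$log"
}

# Usage: ./triage.sh demo            (parse the embedded sample)
#        ./triage.sh repro IMG [MNT] (root, in a VM)
case "${1:-}" in
    demo)  f=$(sample_dmesg_file); triage "$f"; rm -f "$f" ;;
    repro) shift; repro_and_triage "$@" ;;
esac
```

The parser deliberately keys on the `RIP: 0010:` line rather than the first `RIP:` it sees, so the userspace return address from the syscall exit frame does not get reported as the crash site; likewise `first_fs_frame` reads the trace top-down, which is why it yields btrfs_evict_inode rather than btrfs_kill_super.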
Is this a regression or did this happen with earlier kernels (say 5.16) as well?
(In reply to The Linux kernel's regression tracker (Thorsten Leemhuis) from comment #1)
> Is this a regression or did this happen with earlier kernels (say 5.16) as
> well?

Other than 5.17, I tested on 5.16.8, 5.15.32, 5.10.99 and 5.4.171.
The bug is triggered on 5.16.8 and 5.15.32, but not on 5.10.99 or 5.4.171.