Bug 215722 - general protection fault at fs/btrfs/tree-checker.c: check_dir_item() when mounting a corrupted image
Summary: general protection fault at fs/btrfs/tree-checker.c: check_dir_item() when mounting a corrupted image
Status: NEW
Alias: None
Product: File System
Classification: Unclassified
Component: btrfs
Hardware: All Linux
Importance: P1 normal
Assignee: BTRFS virtual assignee
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-03-22 03:52 UTC by Wenqing Liu
Modified: 2022-03-22 03:52 UTC
CC List: 1 user

See Also:
Kernel Version: 5.15.30
Subsystem:
Regression: No
Bisected commit-id:


Attachments
corrupted image and .config (167.61 KB, application/zip)
2022-03-22 03:52 UTC, Wenqing Liu

Description Wenqing Liu 2022-03-22 03:52:41 UTC
Created attachment 300598
corrupted image and .config

- Overview
general protection fault at fs/btrfs/tree-checker.c: check_dir_item() when mounting a corrupted image

- Reproduce
Tested on kernel 5.15.30

$ mkdir mnt
$ sudo mount tmp4.img mnt

- Kernel dump
[  121.577598] loop0: detected capacity change from 0 to 262144
[  121.594472] BTRFS: device fsid a62e00e8-e94e-4200-8217-12444de93c2e devid 1 transid 8 /dev/loop0 scanned by mount (1069)
[  121.595220] BTRFS info (device loop0): disk space caching is enabled
[  121.595222] BTRFS info (device loop0): has skinny extents
[  121.595585] BTRFS critical (device loop0): corrupt leaf: root=3 block=20975616 slot=0 devid=72027907223977985 invalid objectid: has=72027907223977985 expect=1
[  121.595628] BTRFS error (device loop0): block=20975616 read time tree block corruption detected
[  121.595912] BTRFS info (device loop0): read error corrected: ino 0 off 20975616 (dev /dev/loop0 sector 40968)
[  121.595952] BTRFS critical (device loop0): corrupt leaf: block=29421568 slot=4 extent bytenr=29364224 len=4096 invalid generation, have 7599824371187718 expect (0, 9]
[  121.595999] BTRFS error (device loop0): block=29421568 read time tree block corruption detected
[  121.596051] BTRFS info (device loop0): read error corrected: ino 0 off 29421568 (dev /dev/loop0 sector 73848)
[  121.596059] BTRFS critical (device loop0): corrupt leaf: root=4 block=29396992 slot=0, unexpected item end, have 3880 expect 3995
[  121.596082] BTRFS error (device loop0): block=29396992 read time tree block corruption detected
[  121.596288] BTRFS info (device loop0): read error corrected: ino 0 off 29396992 (dev /dev/loop0 sector 73800)
[  121.596312] BTRFS error (device loop0): parent transid verify failed on 29380608 wanted 4 found 2164195332
[  121.596344] BTRFS info (device loop0): read error corrected: ino 0 off 29380608 (dev /dev/loop0 sector 73768)
[  121.596670] BTRFS warning (device loop0): access to eb bytenr 29409280 len 4096 out of range start 7442 len 17
[  121.596673] BTRFS warning (device loop0): bad eb member start: ptr 0x1d12 start 29409280 member offset 7471 size 1
[  121.596693] general protection fault, probably for non-canonical address 0x8832200000d2f: 0000 [#1] SMP NOPTI
[  121.596716] CPU: 1 PID: 7 Comm: kworker/u8:0 Not tainted 5.15.30 #1
[  121.596730] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[  121.596746] Workqueue: btrfs-endio-meta btrfs_work_helper
[  121.596760] RIP: 0010:btrfs_get_8+0x5a/0x90
[  121.596770] Code: 8b 5c dc 70 48 2b 1d 95 44 12 01 4c 89 ee 4c 89 e7 b9 01 00 00 00 48 c1 fb 06 48 c1 e3 0c 48 03 1d 8b 44 12 01 e8 76 fe ff ff <0f> b6 04 2b 48 83 c4 08 5b 5d 41 5c 41 5d c3 48 89 de 48 c7 c7 c0
[  121.596803] RSP: 0018:ffffafa1c0043aa8 EFLAGS: 00010246
[  121.596813] RAX: 0000000000000000 RBX: 0008832200000000 RCX: 0000000000000027
[  121.596827] RDX: 0000000000000000 RSI: ffffa014f5c9c8d0 RDI: ffffa014f5c9c8d8
[  121.596841] RBP: 0000000000000d2f R08: 0000000000000000 R09: 0000000000000001
[  121.596854] R10: 0000000000000003 R11: 0000000000000034 R12: ffffa013024b9b00
[  121.596867] R13: 0000000000001d12 R14: 00000000fffff221 R15: ffffafa1c0043c8f
[  121.596881] FS:  0000000000000000(0000) GS:ffffa014f5c80000(0000) knlGS:0000000000000000
[  121.596897] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  121.596908] CR2: 000055ab382c1288 CR3: 0000000100c7e004 CR4: 0000000000370ee0
[  121.596925] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  121.596939] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  121.596953] Call Trace:
[  121.596961]  <TASK>
[  121.596967]  check_dir_item+0x100/0x3e0
[  121.596978]  ? crc32c_pcl_intel_update+0x92/0xa0
[  121.596990]  ? csum_tree_block+0x13c/0x180
[  121.597001]  ? current_time+0x42/0x80
[  121.597011]  ? update_load_avg+0x1cc/0x620
[  121.597023]  ? btrfs_get_32+0x77/0x160
[  121.597032]  ? check_inode_key+0x41/0x160
[  121.597041]  check_leaf+0xc64/0x1ad0
[  121.597050]  ? check_preempt_wakeup+0x1b6/0x330
[  121.597062]  validate_extent_buffer+0x244/0x310
[  121.597072]  btrfs_validate_metadata_buffer+0xf8/0x100
[  121.597083]  end_bio_extent_readpage+0x3af/0x860
[  121.597094]  ? update_load_avg+0x1cc/0x620
[  121.597104]  end_workqueue_fn+0x29/0x40
[  121.597113]  btrfs_work_helper+0x7d/0x2e0
[  121.597566]  ? __schedule+0x2b4/0x910
[  121.598020]  process_one_work+0x1ff/0x3d0
[  121.598455]  worker_thread+0x2d/0x3e0
[  121.598889]  ? process_one_work+0x3d0/0x3d0
[  121.599320]  kthread+0x118/0x140
[  121.599735]  ? set_kthread_struct+0x40/0x40
[  121.600197]  ret_from_fork+0x1f/0x30
[  121.600547]  </TASK>
[  121.600960] Modules linked in: iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi xfs joydev input_leds serio_raw qemu_fw_cfg autofs4 raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear qxl drm_ttm_helper ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel crypto_simd hid_generic usbhid psmouse hid cryptd
[  121.602502] ---[ end trace 6e609471ab2b813c ]---
[  121.603013] RIP: 0010:btrfs_get_8+0x5a/0x90
[  121.603555] Code: 8b 5c dc 70 48 2b 1d 95 44 12 01 4c 89 ee 4c 89 e7 b9 01 00 00 00 48 c1 fb 06 48 c1 e3 0c 48 03 1d 8b 44 12 01 e8 76 fe ff ff <0f> b6 04 2b 48 83 c4 08 5b 5d 41 5c 41 5d c3 48 89 de 48 c7 c7 c0
[  121.604771] RSP: 0018:ffffafa1c0043aa8 EFLAGS: 00010246
[  121.605151] RAX: 0000000000000000 RBX: 0008832200000000 RCX: 0000000000000027
[  121.605589] RDX: 0000000000000000 RSI: ffffa014f5c9c8d0 RDI: ffffa014f5c9c8d8
[  121.606161] RBP: 0000000000000d2f R08: 0000000000000000 R09: 0000000000000001
[  121.606666] R10: 0000000000000003 R11: 0000000000000034 R12: ffffa013024b9b00
[  121.607066] R13: 0000000000001d12 R14: 00000000fffff221 R15: ffffafa1c0043c8f
[  121.607621] FS:  0000000000000000(0000) GS:ffffa014f5c80000(0000) knlGS:0000000000000000
[  121.608191] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  121.608753] CR2: 000055ab382c1288 CR3: 0000000100c7e004 CR4: 0000000000370ee0
[  121.609397] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  121.610009] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
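The warnings just before the fault ("access to eb bytenr 29409280 len 4096 out of range start 7442 len 17" and "bad eb member start: ptr 0x1d12") come from the kernel's extent-buffer read helpers: a pointer derived from item metadata landed outside the 4096-byte block while check_dir_item() was still walking the leaf. To show the kind of bounds checking a leaf validator has to do before dereferencing such a pointer, here is an added Python model of it. It is not kernel code and not part of this report; the struct sizes (101-byte header, 25-byte item, 30-byte dir item, key type 84) are the btrfs on-disk layout, while the sample leaf and the two corruptions applied to it are constructed, with the corrupted item offset chosen so the derived pointer comes out as 0x1d12 (7442), the value in the log above.

```python
# Added example: userspace model of btrfs leaf bounds checking (not kernel code).
import struct
from dataclasses import dataclass

HEADER_SIZE = 101        # sizeof(struct btrfs_header)
NRITEMS_OFFSET = 96      # header.nritems (u32), followed by level (u8)
ITEM_SIZE = 25           # sizeof(struct btrfs_item): disk_key (17) + offset (u32) + size (u32)
DIR_ITEM_SIZE = 30       # sizeof(struct btrfs_dir_item): key (17) + transid (8) + data_len (2) + name_len (2) + type (1)
DIR_ITEM_KEY = 84        # BTRFS_DIR_ITEM_KEY


@dataclass
class Item:
    slot: int
    objectid: int
    ktype: int
    koffset: int
    offset: int          # data offset, relative to the end of the header
    size: int


def parse_items(leaf):
    """Read the btrfs_item array that follows the header."""
    nritems = struct.unpack_from("<I", leaf, NRITEMS_OFFSET)[0]
    items = []
    for slot in range(nritems):
        base = HEADER_SIZE + slot * ITEM_SIZE
        if base + ITEM_SIZE > len(leaf):
            raise ValueError(f"nritems={nritems} overruns the {len(leaf)}-byte block")
        objectid, ktype, koffset, off, size = struct.unpack_from("<QBQII", leaf, base)
        items.append(Item(slot, objectid, ktype, koffset, off, size))
    return items


def check_dir_item(leaf, it):
    """Walk the packed btrfs_dir_item entries of one item; each pointer is range-checked before it is read."""
    errors, cur = [], 0
    while cur < it.size:
        if cur + DIR_ITEM_SIZE > it.size:
            errors.append(f"slot={it.slot} dir item header at {cur} exceeds item size {it.size}")
            break
        ptr = HEADER_SIZE + it.offset + cur          # absolute position inside the block
        if ptr + DIR_ITEM_SIZE > len(leaf):          # the "out of range" condition from the log
            errors.append(f"slot={it.slot} dir item pointer {ptr} out of range for {len(leaf)}-byte block")
            break
        data_len, name_len, _dtype = struct.unpack_from("<HHB", leaf, ptr + 25)  # after key + transid
        entry_len = DIR_ITEM_SIZE + name_len + data_len
        if cur + entry_len > it.size:
            errors.append(f"slot={it.slot} name_len={name_len} data_len={data_len} exceeds item size {it.size}")
            break
        cur += entry_len
    return errors


def check_leaf(leaf):
    """Return a list of problems; an empty list means the leaf passed every check."""
    data_size = len(leaf) - HEADER_SIZE
    items = parse_items(leaf)
    errors, prev_end = [], data_size     # slot 0's data must end at the end of the block
    for it in items:
        item_end = it.offset + it.size   # Python ints: an oversized size field cannot wrap a u32
        slot_errors = []
        if item_end != prev_end:
            slot_errors.append(f"slot={it.slot} unexpected item end, have {item_end} expect {prev_end}")
        if item_end > data_size:
            slot_errors.append(f"slot={it.slot} item end {item_end} beyond leaf data size {data_size}")
        if it.offset < len(items) * ITEM_SIZE:
            slot_errors.append(f"slot={it.slot} item data overlaps the item array")
        if not slot_errors and it.ktype == DIR_ITEM_KEY:
            slot_errors = check_dir_item(leaf, it)   # only reached once the item itself is in bounds
        errors.extend(slot_errors)
        prev_end = it.offset
    return errors


def dir_item(name, location=(257, 1, 0), transid=7, dtype=1):
    """Encode one btrfs_dir_item carrying a name and no xattr data (data_len = 0)."""
    return struct.pack("<QBQQHHB", *location, transid, 0, len(name), dtype) + name


def build_leaf(nodesize, entries):
    """Pack (key, data) pairs like btrfs does: item array at the front, data growing down from the end."""
    leaf = bytearray(nodesize)
    struct.pack_into("<IB", leaf, NRITEMS_OFFSET, len(entries), 0)   # nritems, level 0 = leaf
    end = nodesize - HEADER_SIZE
    for slot, ((objectid, ktype, koffset), data) in enumerate(entries):
        off = end - len(data)
        leaf[HEADER_SIZE + off:HEADER_SIZE + off + len(data)] = data
        struct.pack_into("<QBQII", leaf, HEADER_SIZE + slot * ITEM_SIZE, objectid, ktype, koffset, off, len(data))
        end = off
    return bytes(leaf)


def demo(nodesize=4096):
    """Constructed sample: one sane DIR_ITEM leaf, then two separate corruptions of it."""
    good = build_leaf(nodesize, [((256, DIR_ITEM_KEY, 0x1234), dir_item(b"hello"))])
    # Corruption 1: item.offset pushed past the block, so the derived pointer is 101 + 7341 = 0x1d12.
    bad_offset = bytearray(good)
    struct.pack_into("<I", bad_offset, HEADER_SIZE + 17, 7341)       # offset field follows the 17-byte key
    # Corruption 2: name_len far larger than the 35-byte item that is supposed to contain the name.
    bad_namelen = bytearray(good)
    data_start = HEADER_SIZE + (nodesize - HEADER_SIZE - len(dir_item(b"hello")))
    struct.pack_into("<H", bad_namelen, data_start + 27, 4000)       # name_len sits after key + transid + data_len
    return {"good": check_leaf(good),
            "bad_offset": check_leaf(bytes(bad_offset)),
            "bad_namelen": check_leaf(bytes(bad_namelen))}


if __name__ == "__main__":
    for case, errs in demo().items():
        print(case, errs or "ok")
```

The first corruption is caught by the item-level checks in check_leaf, whose "unexpected item end, have ... expect ..." wording mirrors the corrupt-leaf line for block 29396992 in the log; the second passes those checks and is caught only when the dir entries are walked. The pointer guard inside check_dir_item is deliberately redundant with the item-level check: a validator that derives a pointer from untrusted metadata should verify it against the block size at the point of use, since the arithmetic that feeds it (here done in unbounded Python integers, in C in 32-bit fields) is exactly what a crafted image controls.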
