88611 – Divide error at bio_add_page+0x5e/0x70

Bug 88611 - Divide error at bio_add_page+0x5e/0x70

Summary: Divide error at bio_add_page+0x5e/0x70

Status:	NEW

Alias:	None

Product:	File System
Classification:	Unclassified
Component:	btrfs (show other bugs)
Hardware:	x86-64 Linux

Importance:	P1 normal
Assignee:	Josef Bacik

URL:
Keywords:

Depends on:
Blocks:

Reported:	2014-11-21 09:43 UTC by R.Nageswara Sastry
Modified:	2016-03-20 11:18 UTC (History)
CC List:	2 users (show)

See Also:
Kernel Version:	3.18.0-rc5
Subsystem:
Regression:	No
Bisected commit-id:

Attachments
fuzzed btrfs image (1.21 MB, application/x-bzip) 2015-03-05 06:43 UTC, Eryu Guan	Details
Add an attachment (proposed patch, testcase, etc.)

Description R.Nageswara Sastry 2014-11-21 09:43:22 UTC

While fuzzing btrfs with fsfuzzer the following kernel crash occured. Upon request mangled fs image will be provided.

[  259.913388] BTRFS: super block crcs don't match, older mkfs detected
[  259.913397] BTRFS info (device loop0): disk space caching is enabled
[  259.916892] divide error: 0000 [#1] SMP 
[  259.917027] Modules linked in: loop btrfs xor raid6_pq nf_conntrack_netbios_ns nf_conntrack_broadcast ip6t_REJECT nf_reject_ipv6 nf_conntrack_ipv6 nf_defrag_ipv6 nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack cfg80211 rfkill ebtable_nat ebtable_broute bridge stp llc ebtable_filter ebtables ip6table_mangle ip6table_security ip6table_raw ip6table_filter ip6_tables iptable_mangle iptable_security iptable_raw ppdev microcode serio_raw pcspkr parport_pc pvpanic i2c_piix4 parport floppy i2c_core nfsd auth_rpcgss nfs_acl lockd grace sunrpc virtio_blk virtio_pci virtio_ring virtio e1000 ata_generic pata_acpi
[  259.917027] CPU: 0 PID: 5710 Comm: mount Not tainted 3.18.0-rc5 #1
[  259.917027] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140709_153950- 04/01/2014
[  259.917027] task: ffff88003c84d340 ti: ffff88002d018000 task.ti: ffff88002d018000
[  259.917027] RIP: 0010:[<ffffffffa0332ea3>]  [<ffffffffa0332ea3>] __btrfs_map_block+0x143/0x1020 [btrfs]
[  259.917027] RSP: 0018:ffff88002d01b938  EFLAGS: 00010206
[  259.917027] RAX: 0000000000020000 RBX: 0000000000020000 RCX: 00000000000000a5
[  259.917027] RDX: 0000000000000000 RSI: 0000000000400000 RDI: 0000000000010000
[  259.917027] RBP: ffff88002d01ba18 R08: 0000000000000000 R09: 0000000000000001
[  259.917027] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000020000
[  259.917027] R13: ffff8800370b9e80 R14: 0000000000010000 R15: 0000000000000000
[  259.917027] FS:  00007f0be3a8f880(0000) GS:ffff88003fc00000(0000) knlGS:0000000000000000
[  259.917027] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[  259.917027] CR2: 00007fb232c77000 CR3: 000000002d162000 CR4: 00000000000006f0
[  259.917027] Stack:
[  259.917027]  0000000000001000 ffff88003bc4fe28 0000000000000000 ffff880031e12040
[  259.917027]  ffff88002d01b968 ffffffff8131459e ffff88002d01b9c8 ffffffffa032c9d2
[  259.917027]  ffff88002d01b9c8 ffff88003b40a000 0000000000000002 ffff88003b40af20
[  259.917027] Call Trace:
[  259.917027]  [<ffffffff8131459e>] ? bio_add_page+0x5e/0x70
[  259.917027]  [<ffffffffa032c9d2>] ? submit_extent_page.isra.34+0xe2/0x1d0 [btrfs]
[  259.917027]  [<ffffffffa032e8f0>] ? btrfs_create_repair_bio+0x110/0x110 [btrfs]
[  259.917027]  [<ffffffffa0338f97>] btrfs_map_bio+0x87/0x510 [btrfs]
[  259.917027]  [<ffffffff811c9845>] ? kmem_cache_alloc+0x35/0x1f0
[  259.917027]  [<ffffffffa0306b6a>] btree_submit_bio_hook+0x5a/0x100 [btrfs]
[  259.917027]  [<ffffffffa0328e38>] submit_one_bio+0x68/0xa0 [btrfs]
[  259.917027]  [<ffffffffa0330790>] read_extent_buffer_pages+0x250/0x310 [btrfs]
[  259.917027]  [<ffffffffa0304a40>] ? free_root_pointers+0x60/0x60 [btrfs]
[  259.917027]  [<ffffffffa0305c63>] btree_read_extent_buffer_pages.constprop.50+0xb3/0x120 [btrfs]
[  259.917027]  [<ffffffffa0306e10>] read_tree_block+0x40/0x70 [btrfs]
[  259.917027]  [<ffffffffa030b24c>] open_ctree+0x13fc/0x2110 [btrfs]
[  259.917027]  [<ffffffff8132ee52>] ? disk_name+0xa2/0xb0
[  259.917027]  [<ffffffffa02e25ce>] btrfs_mount+0x75e/0x8f0 [btrfs]
[  259.917027]  [<ffffffff811e92d9>] mount_fs+0x39/0x1b0
[  259.917027]  [<ffffffff811923e5>] ? __alloc_percpu+0x15/0x20
[  259.917027]  [<ffffffff812038b7>] vfs_kern_mount+0x67/0x110
[  259.917027]  [<ffffffff812065b4>] do_mount+0x204/0xad0
[  259.917027]  [<ffffffff812071bb>] SyS_mount+0x8b/0xe0
[  259.917027]  [<ffffffff816e6b69>] system_call_fastpath+0x12/0x17
[  259.917027] Code: ff 44 89 e0 48 81 c4 b8 00 00 00 5b 41 5c 41 5d 41 5e 41 5f 5d c3 45 89 c8 31 d2 41 29 c0 48 89 d8 4d 63 c0 4c 0f af c7 45 89 c2 <49> f7 f2 4c 0f af c0 f7 c1 f8 01 00 00 4c 89 45 90 0f 85 7e 06 
[  259.917027] RIP  [<ffffffffa0332ea3>] __btrfs_map_block+0x143/0x1020 [btrfs]
[  259.917027]  RSP <ffff88002d01b938>
[  259.961303] ---[ end trace 550378f70e506606 ]---

Comment 1 Eryu Guan 2015-03-05 06:42:32 UTC

I hit similar oops, the fuzzed btrfs image is attached.

[  309.200469] loop: module loaded
[  309.372689] BTRFS: device fsid 1c0ed5d6-550d-4010-b1b4-ce1828270713 devid 1 transid 4 /dev/loop0
[  309.384037] BTRFS: super block crcs don't match, older mkfs detected
[  309.385449] BTRFS info (device loop0): disk space caching is enabled
[  309.390429] divide error: 0000 [#1] SMP 
[  309.390791] Modules linked in: loop btrfs xor raid6_pq ppdev parport_pc i2c_piix4 parport virtio_balloon pcspkr i2c_core serio_raw xfs sd_mod ata_generic pata_acpi virtio_pci virtio virtio_ring floppy ata_piix libata 8139too 8139cp mii
[  309.391373] CPU: 2 PID: 1855 Comm: mount Not tainted 3.19.0 #15
[  309.391373] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2007
[  309.391373] task: ffff880035068d70 ti: ffff8800360f0000 task.ti: ffff8800360f0000
[  309.391373] RIP: 0010:[<ffffffffa03073a6>]  [<ffffffffa03073a6>] __btrfs_map_block+0x176/0x1180 [btrfs]
[  309.391373] RSP: 0018:ffff8800360f38f8  EFLAGS: 00010206
[  309.391373] RAX: 0000000000020000 RBX: 0000000000020000 RCX: 000000d9000000a9
[  309.391373] RDX: 0000000000000000 RSI: 00000000c1400000 RDI: ffffffff8f018100
[  309.391373] RBP: ffff8800360f39e8 R08: 0000000000000000 R09: 0000000000000001
[  309.391373] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000020000
[  309.391373] R13: ffff8802157e56c0 R14: 0000000000020000 R15: 000000008f018100
[  309.391373] FS:  00007fcf592eb880(0000) GS:ffff88021fd00000(0000) knlGS:0000000000000000
[  309.391373] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  309.391373] CR2: 00007f9e367fc034 CR3: 0000000035e6e000 CR4: 00000000000006e0
[  309.391373] Stack:
[  309.391373]  0000000000001000 ffff880212fc6a68 0000000000000000 ffff880211a98040
[  309.391373]  ffff8800360f3928 ffffffff812eb7be ffff8800360f3988 ffffffffa0300a82
[  309.391373]  ffff8800360f3a50 ffff880035e7f000 0000000000000000 ffff880035e7ff60
[  309.391373] Call Trace:
[  309.391373]  [<ffffffff812eb7be>] ? bio_add_page+0x5e/0x70
[  309.391373]  [<ffffffffa0300a82>] ? submit_extent_page.isra.34+0xe2/0x1d0 [btrfs]
[  309.406845]  [<ffffffffa0302a20>] ? btrfs_create_repair_bio+0x110/0x110 [btrfs]
[  309.406845]  [<ffffffffa030d8d6>] btrfs_map_bio+0x96/0x550 [btrfs]
[  309.406845]  [<ffffffff811d10b1>] ? kmem_cache_alloc+0x1a1/0x220
[  309.406845]  [<ffffffffa02d9fca>] btree_submit_bio_hook+0x5a/0x100 [btrfs]
[  309.406845]  [<ffffffffa02fcc38>] submit_one_bio+0x68/0xa0 [btrfs]
[  309.406845]  [<ffffffffa0304ab0>] read_extent_buffer_pages+0x270/0x330 [btrfs]
[  309.406845]  [<ffffffffa02d7120>] ? free_root_pointers+0x60/0x60 [btrfs]
[  309.406845]  [<ffffffffa02d8393>] btree_read_extent_buffer_pages.constprop.52+0xb3/0x120 [btrfs]
[  309.406845]  [<ffffffffa02da270>] read_tree_block+0x40/0x70 [btrfs]
[  309.406845]  [<ffffffffa02ddcdc>] open_ctree+0x143c/0x2140 [btrfs]
[  309.406845]  [<ffffffffa02b333e>] btrfs_mount+0x76e/0x900 [btrfs]
[  309.406845]  [<ffffffff81197604>] ? pcpu_alloc+0x364/0x680
[  309.406845]  [<ffffffff811f2e09>] mount_fs+0x39/0x1b0
[  309.406845]  [<ffffffff81197955>] ? __alloc_percpu+0x15/0x20
[  309.406845]  [<ffffffff8120ea0b>] vfs_kern_mount+0x6b/0x110
[  309.406845]  [<ffffffff812117fc>] do_mount+0x22c/0xb60
[  309.406845]  [<ffffffff811926e6>] ? memdup_user+0x46/0x80
[  309.406845]  [<ffffffff81212472>] SyS_mount+0xa2/0x110
[  309.406845]  [<ffffffff816b76e9>] system_call_fastpath+0x12/0x17
[  309.406845] Code: 23 10 00 00 48 81 c4 c8 00 00 00 5b 41 5c 41 5d 41 5e 41 5f 5d c3 45 89 c8 31 d2 41 29 c0 48 89 d8 4d 63 c0 4c 0f af c7 45 89 c2 <49> f7 f2 4c 0f af c0 f7 c1 f8 01 00 00 4c 89 85 70 ff ff ff 0f 
[  309.406845] RIP  [<ffffffffa03073a6>] __btrfs_map_block+0x176/0x1180 [btrfs]
[  309.406845]  RSP <ffff8800360f38f8>

Comment 2 Eryu Guan 2015-03-05 06:43:54 UTC

Created attachment 169141 [details]
fuzzed btrfs image

umcompress the image and mount it, kernel will oops, tested on 3.19 and 4.0-rc1 kernel

Note You need to log in before you can comment on or make changes to this bug.