URL: https://bugzilla.kernel.org/show_bug.cgi?id=156811
Lukas Lueg 2016-09-14 19:19:46 UTC

More news from the fuzzer. The attached image causes btrfsck to engage in
undefined behavior; using btrfs-progs v4.7-42-g56e9586. You need to compile
with UBSAN in order to reproduce.

The juicy parts:

qgroup-verify.c:333:15: runtime error: member access within null pointer of type 'struct ref'
    #0 0x88684f in find_parent_roots /home/lukas/dev/btrfsfuzz/src-ubsan/qgroup-verify.c:333:15
    #1 0x877a71 in account_all_refs /home/lukas/dev/btrfsfuzz/src-ubsan/qgroup-verify.c:525:11
    #2 0x87513b in qgroup_verify_all /home/lukas/dev/btrfsfuzz/src-ubsan/qgroup-verify.c:1372:8
    #3 0x536d3a in cmd_check /home/lukas/dev/btrfsfuzz/src-ubsan/cmds-check.c:11637:9
    #4 0x490560 in main /home/lukas/dev/btrfsfuzz/src-ubsan/btrfs.c:243:8
    #5 0x7f35b46ab730 in __libc_start_main (/lib64/libc.so.6+0x20730)
    #6 0x422188 in _start (/home/lukas/dev/btrfsfuzz/bin-ubsan/bin/btrfs+0x422188)


We don't strictly need UBSAN as the error can be spotted by naked eye in
find_parent_root(): The line "node = &ref->bytenr_node" gets a reference to a
member of a NULL pointer before the pointer is checked against being NULL on
the next line. It should be the other way around...

crc32c.c:75:19: runtime error: load of misaligned address 0x74200001cc9c for type 'unsigned long', which requires 8 byte alignment
0x74200001cc9c: note: pointer points here
  00 00 00 00 b7 0e 65 6c  64 61 40 4b a5 0d 0f ba  33 0c 75 27 00 00 02 00  00 00 00 00 01 00 00 00
              ^ 
    #0 0x907c52 in crc32c_intel /home/lukas/dev/btrfsfuzz/src-ubsan/crc32c.c:75:19
    #1 0x6f9845 in __csum_tree_block_size /home/lukas/dev/btrfsfuzz/src-ubsan/disk-io.c:139:8
    #2 0x6f96b8 in csum_tree_block_size /home/lukas/dev/btrfsfuzz/src-ubsan/disk-io.c:159:9
    #3 0x6fda28 in read_tree_block_fs_info /home/lukas/dev/btrfsfuzz/src-ubsan/disk-io.c:348:19
    #4 0x71669f in btrfs_setup_chunk_tree_and_device_map /home/lukas/dev/btrfsfuzz/src-ubsan/disk-io.c:1210:30
    #5 0x7187e4 in __open_ctree_fd /home/lukas/dev/btrfsfuzz/src-ubsan/disk-io.c:1322:8
    #6 0x717a6d in open_ctree_fs_info /home/lukas/dev/btrfsfuzz/src-ubsan/disk-io.c:1381:9
    #7 0x533791 in cmd_check /home/lukas/dev/btrfsfuzz/src-ubsan/cmds-check.c:11449:9
    #8 0x490560 in main /home/lukas/dev/btrfsfuzz/src-ubsan/btrfs.c:243:8
    #9 0x7f35b46ab730 in __libc_start_main (/lib64/libc.so.6+0x20730)
    #10 0x422188 in _start (/home/lukas/dev/btrfsfuzz/bin-ubsan/bin/btrfs+0x422188)

SUMMARY: MemorySanitizer: undefined-behavior crc32c.c:75:19 in 
checking extents
Chunk[256, 228, 0]: length(4194304), offset(0), type(2) is not found in block group
Chunk[256, 228, 0] stripe[1, 0] is not found in dev extent
Chunk[256, 228, 4194304]: length(1638400), offset(4194304), type(5) is not found in block group
Chunk[256, 228, 4194304] stripe[1, 4194304] is not found in dev extent
Chunk[256, 228, 5832704]: length(1638400), offset(5832704), type(5) is not found in block group
Chunk[256, 228, 5832704] stripe[1, 5832704] is not found in dev extent
ref mismatch on [131072 4096] extent item 0, found 1
Backref 131072 parent 3 root 3 not found in extent tree
backpointer mismatch on [131072 4096]
ref mismatch on [4194304 4096] extent item 0, found 1
Backref 4194304 parent 5 root 5 not found in extent tree
backpointer mismatch on [4194304 4096]
ref mismatch on [4198400 4096] extent item 0, found 1
Backref 4198400 parent 1 root 1 not found in extent tree
backpointer mismatch on [4198400 4096]
ref mismatch on [4231168 4096] extent item 0, found 1
Backref 4231168 parent 7 root 7 not found in extent tree
backpointer mismatch on [4231168 4096]
ref mismatch on [3472328296227680304 3472328296227680304] extent item 0, found 1
Backref 3472328296227680304 root 1 owner 2 offset 0 num_refs 0 not found in extent tree
Incorrect local backref count on 3472328296227680304 root 1 owner 2 offset 0 found 1 wanted 0 back 0x70c00000ed00
backpointer mismatch on [3472328296227680304 3472328296227680304]
Dev extent's total-byte(0) is not equal to byte-used(7471104) in dev[1, 216, 1]
Errors found in extent allocation tree or chunk allocation
checking free space cache
checking fs roots
checking csums
checking root refs
checking quota groups
qgroup-verify.c:333:15: runtime error: member access within null pointer of type 'struct ref'
    #0 0x88684f in find_parent_roots /home/lukas/dev/btrfsfuzz/src-ubsan/qgroup-verify.c:333:15
    #1 0x877a71 in account_all_refs /home/lukas/dev/btrfsfuzz/src-ubsan/qgroup-verify.c:525:11
    #2 0x87513b in qgroup_verify_all /home/lukas/dev/btrfsfuzz/src-ubsan/qgroup-verify.c:1372:8
    #3 0x536d3a in cmd_check /home/lukas/dev/btrfsfuzz/src-ubsan/cmds-check.c:11637:9
    #4 0x490560 in main /home/lukas/dev/btrfsfuzz/src-ubsan/btrfs.c:243:8
    #5 0x7f35b46ab730 in __libc_start_main (/lib64/libc.so.6+0x20730)
    #6 0x422188 in _start (/home/lukas/dev/btrfsfuzz/bin-ubsan/bin/btrfs+0x422188)

SUMMARY: MemorySanitizer: undefined-behavior qgroup-verify.c:333:15 in 
qgroup-verify.c:334: find_parent_roots: Assertion `ref == NULL` failed.
btrfs check(backtrace+0x51)[0x43f6d1]
btrfs check[0x883611]
btrfs check[0x880ce9]
btrfs check[0x8868b1]
btrfs check[0x877a72]
btrfs check(qgroup_verify_all+0x26c)[0x87513c]
btrfs check(cmd_check+0x457b)[0x536d3b]
btrfs check(main+0x6a1)[0x490561]
/lib64/libc.so.6(__libc_start_main+0xf1)[0x7f35b46ab731]
btrfs check(_start+0x29)[0x422189]
Checking filesystem on ubsan_logs/id:002289,src:001702+002037,op:splice,rep:4.img
UUID: b70e656c-6461-404b-a50d-0fba330c7527