[B/F/G][PATCH 0/7] btrfs: Fix kernel BUG at fs/btrfs/ctree.c:3233 / btrfs_set_item_key_safe()

Mauricio Faria de Oliveira mfo at canonical.com
Fri Oct 30 15:27:51 UTC 2020

BugLink: https://bugs.launchpad.net/bugs/1902254


 * Users of btrfs started hitting a kernel BUG() (below)
   after upgrade from 4.15.0-99.100 to 4.15.0-109.110,
   which has 55 btrfs changes.

     kernel BUG at /build/linux-eTBZpZ/linux-4.15.0/fs/btrfs/ctree.c:3233!
     Krnl PSW : 00000000be9cb874 00000000ef3786e8 (btrfs_set_item_key_safe+0x152/0x1c0 [btrfs])
     [...] Call Trace:
     [...] btrfs_set_item_key_safe+0x11c/0x1c0 [btrfs])
     [...] __btrfs_drop_extents+0xb5a/0xda8 [btrfs]
     [...] btrfs_log_changed_extents+0x35c/0xaf0 [btrfs]
     [...] btrfs_log_inode+0x9ee/0x1080 [btrfs]
     [...] btrfs_log_inode_parent+0x224/0xa10 [btrfs]
     [...] btrfs_log_dentry_safe+0x80/0xa8 [btrfs]
     [...] btrfs_sync_file+0x392/0x550 [btrfs]
     [...] do_fsync+0x5e/0x90
     [...] SyS_fdatasync+0x32/0x48
     [...] system_call+0xd8/0x2c8

     $ git log --oneline Ubuntu-4.15.0-99.100..Ubuntu-4.15.0-109.110 -- fs/btrfs/ | wc -l

 * The error happens at random moments, regardless of a
   particular activity/load. Workaround is to downgrade.


 * This BUG()/function is addressed in patch 4/4 [1] of series
   'btrfs: Enhanced runtime defence against fuzzed images' [2],
   after issues in the real world, not just crafted fs images:
   'one internal report has hit one BUG_ON() with real world fs'
     kernel BUG at fs/btrfs/ctree.c:3188!
     RIP: 0010:btrfs_set_item_key_safe+0x16c/0x180
 * The patch/set [3] is applied in v5.10-rc1 and Ubuntu Unstable:
   - d16c702fe4f2 btrfs: ctree: check key order before merging tree blocks
   - 07cce5cf3b48 btrfs: extent-tree: kill the BUG_ON() in insert_inline_extent_backref()
   - 1c2a07f598d5 btrfs: extent-tree: kill BUG_ON() in __btrfs_free_extent()
   - f98b6215d7d1 btrfs: extent_io: do extra check for extent buffer read write functions
[Test Case]

 * There is working synthetic reproducer for this issue,
   which is hard to reproduce as reported in commit [4]
   that introduces debugging for the issue.
 * Regression tests with xfstests and stress-ng shows
   no regressions between un/patched kernels.

[Other Info]

 * Trivial backports (only refreshing a few context lines)
   with 3 more dependency patches on Bionic and 1 on Focal.
   And Bionic needed one extra hunk to '#include' a header.
   Groovy all apply cleanly.

 * Build/tested on top of master-next btrfs patches at
   these commit IDs; still apply on top of the latest:
   - Bionic: commit 5252180a25fa ("bcache: reap from tail of c->btree_cache in bch_mca_scan()")
   - Focal:  commit 35981110f74d ("selftests: rtnetlink: load fou module for kci_test_encap_fou() test")
   - Groovy: commit 280f13e61a24 ("ALSA: hda: fix jack detection with Realtek codecs when in D3")

[1] https://lore.kernel.org/linux-btrfs/20200819063550.62832-5-wqu@suse.com/
[2] https://lore.kernel.org/linux-btrfs/20200819063550.62832-1-wqu@suse.com/
[3] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d16c702fe4f274bd77b47d3ab737eadcf24e0b93
[4] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7c15d41016dc886cc011e3854d855e219759ae68

Arnd Bergmann (1):
  btrfs: use BUG() instead of BUG_ON(1)

David Sterba (1):
  btrfs: drop unnecessary offset_in_page in extent buffer helpers

Johannes Thumshirn (1):
  btrfs: use offset_in_page instead of open-coding it

Qu Wenruo (4):
  btrfs: extent_io: do extra check for extent buffer read write
  btrfs: extent-tree: kill BUG_ON() in __btrfs_free_extent()
  btrfs: extent-tree: kill the BUG_ON() in
  btrfs: ctree: check key order before merging tree blocks

 fs/btrfs/backref.c         |   4 +-
 fs/btrfs/check-integrity.c |  12 +--
 fs/btrfs/compression.c     |   2 +-
 fs/btrfs/ctree.c           |  78 +++++++++++++++-
 fs/btrfs/extent-tree.c     | 177 ++++++++++++++++++++++++++++++++++---
 fs/btrfs/extent_io.c       | 151 ++++++++++++++++---------------
 fs/btrfs/file.c            |   6 +-
 fs/btrfs/inode.c           |   9 +-
 fs/btrfs/send.c            |   2 +-
 fs/btrfs/volumes.c         |   4 +-
 10 files changed, 332 insertions(+), 113 deletions(-)


More information about the kernel-team mailing list