Bionic: btrfs: kernel BUG at /build/linux-eTBZpZ/linux-4.15.0/fs/btrfs/ctree.c:3233!
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Ubuntu on IBM z Systems | Fix Released | Undecided | Unassigned | |
| linux (Ubuntu) | Fix Released | Medium | Mauricio Faria de Oliveira | |
| Bionic | Fix Released | High | Mauricio Faria de Oliveira | |
| Focal | Fix Released | Medium | Mauricio Faria de Oliveira | |
| Groovy | Fix Released | Medium | Mauricio Faria de Oliveira | |
Bug Description
[Impact]
* Users of btrfs started hitting a kernel BUG() (below) after upgrading from 4.15.0-99.100 to 4.15.0-109.110, which carries 55 btrfs changes.
kernel BUG at /build/
...
Krnl PSW : 00000000be9cb874 00000000ef3786e8 (btrfs_
...
[...] Call Trace:
[...] btrfs_set_
[...] __btrfs_
[...] btrfs_log_
[...] btrfs_log_
[...] btrfs_log_
[...] btrfs_log_
[...] btrfs_sync_
[...] do_fsync+0x5e/0x90
[...] SyS_fdatasync+
[...] system_
$ git log --oneline Ubuntu-
55
* The error happens at random moments, regardless of any particular activity or load. The workaround is to downgrade to the previous kernel.
[Fix]
* This BUG()/function is addressed by patch 4/4 [1] of the series 'btrfs: Enhanced runtime defence against fuzzed images' [2], which was motivated by hits in the real world, not only by crafted fs images: 'one internal report has hit one BUG_ON() with real world fs'
kernel BUG at fs/btrfs/
...
RIP: 0010:btrfs_
* The patch/set [3] is applied in v5.10-rc1 and Ubuntu Unstable:
- d16c702fe4f2 btrfs: ctree: check key order before merging tree blocks
- 07cce5cf3b48 btrfs: extent-tree: kill the BUG_ON() in insert_
- 1c2a07f598d5 btrfs: extent-tree: kill BUG_ON() in __btrfs_
- f98b6215d7d1 btrfs: extent_io: do extra check for extent buffer read write functions
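As an added illustration (not code from this report, nor the kernel's or the patch series' own code), the defensive pattern the commit 'check key order before merging tree blocks' stands for: verify the sibling blocks' key order up front and return an error, rather than letting a violated invariant reach a BUG_ON() deep in btrfs_set_item_key_safe(). The btrfs_key layout and its ordering (objectid, then type, then offset) are real btrfs definitions; the block model and the helper names are assumptions of this example.

```c
/* Added illustration (user-space model, not kernel or patch code): check that sibling
 * tree blocks are in key order BEFORE merging and report corruption as an error
 * instead of BUG_ON(). btrfs_key and its ordering are real; the rest is assumed. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

struct btrfs_key { uint64_t objectid; uint8_t type; uint64_t offset; };
#define BLOCK_MAX_ITEMS 8
struct block { struct btrfs_key keys[BLOCK_MAX_ITEMS]; size_t nritems; };

/* btrfs orders keys by objectid, then type, then offset. */
static int btrfs_comp_keys(const struct btrfs_key *a, const struct btrfs_key *b)
{
    if (a->objectid != b->objectid) return a->objectid < b->objectid ? -1 : 1;
    if (a->type != b->type) return a->type < b->type ? -1 : 1;
    return a->offset == b->offset ? 0 : (a->offset < b->offset ? -1 : 1);
}

/* The last key of left must sort strictly before the first key of right.
 * -EUCLEAN is btrfs's on-disk-corruption error: the caller aborts the
 * transaction and the filesystem goes read-only instead of the kernel dying. */
static int check_sibling_keys(const struct block *left, const struct block *right)
{
    if (left->nritems == 0 || right->nritems == 0) return 0;
    return btrfs_comp_keys(&left->keys[left->nritems - 1], &right->keys[0]) < 0
           ? 0 : -EUCLEAN;
}

/* Move the first n items of right into left, refusing if the order is broken. */
static int push_items_left(struct block *left, struct block *right, size_t n)
{
    int ret = check_sibling_keys(left, right);
    if (ret || n > right->nritems || left->nritems + n > BLOCK_MAX_ITEMS)
        return ret ? ret : -EINVAL;
    for (size_t i = 0; i < n; i++)
        left->keys[left->nritems++] = right->keys[i];
    for (size_t i = n; i < right->nritems; i++)
        right->keys[i - n] = right->keys[i];
    right->nritems -= n;
    return 0;
}

/* Constructed scenario: an ordered pair merges (0); a corrupted right block gets -EUCLEAN. */
static int demo(int corrupt)
{
    struct block left  = { { {256, 1, 0}, {256, 12, 256} }, 2 };
    struct block right = { { {257, 1, 0}, {258, 1, 0} }, 2 };
    if (corrupt) right.keys[0].objectid = 255;   /* 255 < 256: order violated */
    return push_items_left(&left, &right, 1);
}
```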
[Test Case]
* There is no working synthetic reproducer for this issue, which is hard to reproduce, as reported in commit [4], which introduces debugging for the issue.
* Regression tests with xfstests and stress-ng show no regressions between unpatched and patched kernels.
[Other Info]
* Trivial backports (only a few context lines refreshed), with 3 more dependency patches on Bionic and 1 on Focal; Bionic also needed one extra hunk to '#include' a header. On Groovy all patches apply cleanly.
[1] https://<email address hidden>/
[2] https://<email address hidden>/
[3] https:/
[4] https:/
tags: added: architecture-s39064 bugnameltc-188988 severity-high targetmilestone-inin2004
Changed in linux (Ubuntu Groovy): status: In Progress → Fix Committed
Changed in linux (Ubuntu Focal): status: In Progress → Fix Committed
Changed in linux (Ubuntu Bionic): status: In Progress → Fix Committed
Changed in ubuntu-z-systems: status: New → Fix Released
[224259.453356] ------------[ cut here ]------------
[224259.453360] kernel BUG at /build/linux-eTBZpZ/linux-4.15.0/fs/btrfs/ctree.c:3233!
[224259.453390] illegal operation: 0001 ilc:1 [#1] SMP
[224259.453392] Modules linked in: vhost_net xt_nat macvtap tap veth macvlan ipt_MASQUERADE nf_nat_masquerade_ipv4 nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo xt_addrtype iptable_nat nf_nat_ipv4 nf_nat br_netfilter bridge vhost_vsock vmw_vsock_virtio_transport_common vhost vsock algif_skcipher af_alg xt_tcpudp xt_multiport aufs bonding 8021q garp stp mrp llc overlay nf_conntrack_ipv6 nf_defrag_ipv6 nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack libcrc32c scsi_dh_rdac scsi_dh_emc scsi_dh_alua ip6table_filter ip6_tables qeth_l2 s390_trng qeth chsc_sch ccwgroup vfio_ccw eadm_sch iptable_filter sch_fq_codel zFPC_proc(OE) zFPC_diag(OE) vfio_ap vfio_mdev mdev vfio_iommu_type1 vfio ip_tables x_tables ghash_s390 prng aes_s390 des_s390 des_generic sha512_s390 sha256_s390 sha1_s390 sha_common
[224259.453415] crc32_vx_s390 btrfs xor zstd_compress raid6_pq dm_crypt virtio_blk dm_service_time dm_multipath zfcp scsi_transport_fc qdio dasd_eckd_mod dasd_mod zlib_deflate
[224259.453423] CPU: 6 PID: 57332 Comm: qemu-system-s39 Tainted: G OE 4.15.0-109-generic #110-Ubuntu
[224259.453423] Hardware name: IBM 3907 LR1 A00 (LPAR)
[224259.453425] Krnl PSW : 00000000be9cb874 00000000ef3786e8 (btrfs_set_item_key_safe+0x152/0x1c0 [btrfs])
[224259.453492]            R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 RI:0 EA:3
[224259.453493] Krnl GPRS: 0000000000000001 00000056bdc00000 0000000000000000 0000000cbf93795d
[224259.453493]            000003ff0000006c 0000000000631468 000000136a230000 0000000cbf937826
[224259.453494]            00000007ee281d88 0000000cbf93795d 00000007000000a1 00000013188a58c0
[224259.453495]            00000012eb889701 00000056bdb00000 000003ff801780a8 0000000cbf937780
[224259.453503] Krnl Code: 000003ff801780a2: c0e5fffff857    brasl   %r14,000003ff80177150
                           000003ff801780a8: ec22ff92007e    cij     %r2,0,2,000003ff80177fcc
                          #000003ff801780ae: a7f40001        brc     15,000003ff801780b0
                          >000003ff801780b2: ec2affff00d8    ahik    %r2,%r10,-1
                           000003ff801780b8: b9140022        lgfr    %r2,%r2
                           000003ff801780bc: eb120001000d    sllg    %r1,%r2,1
                           000003ff801780c2: b9080012        agr     %r1,%r2
                           000003ff801780c6: eb110003000d    sllg    %r1,%r1,3
[224259.453514] Call Trace:
[224259.453527] ([<000003ff8017807c>] btrfs_set_item_key_safe+0x11c/0x1c0 [btrfs])
[224259.453544]  [<000003ff801c3322>] __btrfs_drop_extents+0xb5a/0xda8 [btrfs]
[224259.453561]  [<000003ff801f98a4>] btrfs_log_changed_extents+0x35c/0xaf0 [btrfs]
[224259.453577]  [<000003ff801faa26>] btrfs_log_inode+0x9ee/0x1080 [btrfs]
[224259.453594]  [<000003ff801fb384>] btrfs_log_inode_parent+0x224/0xa10 [btrfs]
[224259.453611]  [<000003ff801fcea8>] btrfs_log_dentry_safe+0x80/0xa8 [btrfs]
[224259.453627]  [<000003ff801c5ea2>] btrfs_sync_file+0x392/0x550 [btrfs]
[224259.453634]  [<00000000003cce5e>] do_fsync+0x5e/0x90
[224259.453636]  [<00000000003cd15a>] SyS_fdatasync+0x32/0x48
[224259.453640]  [<00000000008fd314>] system_call+0xd8/0x2c8
[224259.453640] Last Breaking-Event-Address:
[224259.453652]  [<000003ff801780ae>] btrfs_set_item_key_safe+0x14e/0x1c0 [btrfs]
[224259.453653]
[224259.4536...