segfault in btrfs repair

[ralisi]

Hello everyone,

I compiled the tag v5.7 for a static binary and ran btrfs in repair mode. The filesystem is working fine with older kernels but was converted from ext4 ages ago and has issues with newer kernels.

Anyways, I am getting a segmentation fault with the following backtrace:

Program received signal SIGSEGV, Segmentation fault.
balance_level (level=1, path=0x33c7e430, root=, trans=) at ctree.c:930
930 root_sub_used(root, right->len);
(gdb) bt
#0 balance_level (level=1, path=0x33c7e430, root=, trans=) at ctree.c:930
#1 btrfs_search_slot (trans=trans@entry=0x63c50e40, root=root@entry=0x82bca0, key=key@entry=0x7fffffffd7c0, p=p@entry=0x33c7e430,
ins_len=ins_len@entry=-1, cow=cow@entry=1) at ctree.c:1320
#2 0x000000000045cfa8 in lookup_inline_extent_backref (trans=trans@entry=0x63c50e40, root=root@entry=0x82bca0, path=path@entry=0x33c7e430,
ref_ret=ref_ret@entry=0x7fffffffd958, bytenr=bytenr@entry=55829827584, num_bytes=num_bytes@entry=4096, parent=0, root_objectid=2, owner=0,
offset=0, insert=0) at extent-tree.c:885
#3 0x000000000045e8f1 in lookup_extent_backref (offset=0, owner=0, root_objectid=2, parent=0, num_bytes=4096, bytenr=55829827584,
ref_ret=0x7fffffffd958, path=0x33c7e430, root=0x82bca0, trans=0x63c50e40) at extent-tree.c:1085
#4 __free_extent (trans=trans@entry=0x63c50e40, bytenr=55829827584, num_bytes=, parent=0, root_objectid=2, owner_objectid=0,
owner_offset=, refs_to_drop=) at extent-tree.c:1938
#5 0x0000000000461937 in run_delayed_tree_ref (insert_reserved=, extent_op=0x0, node=0x328387f0, fs_info=0x82b830, trans=0x63c50e40)
at extent-tree.c:3758
#6 run_one_delayed_ref (insert_reserved=, extent_op=0x0, node=0x328387f0, fs_info=0x82b830, trans=0x63c50e40) at extent-tree.c:3778
#7 btrfs_run_delayed_refs (trans=trans@entry=0x63c50e40, nr=nr@entry=18446744073709551615) at extent-tree.c:3862
#8 0x000000000046d8bf in btrfs_commit_transaction (trans=trans@entry=0x63c50e40, root=root@entry=0x82bca0) at transaction.c:209
#9 0x0000000000425c3a in check_extent_refs (root=0x82bca0, root@entry=0xcc0500, extent_cache=extent_cache@entry=0x7fffffffded0) at check/main.c:8115
#10 0x000000000042dcdd in check_chunks_and_extents (fs_info=0x82b830) at check/main.c:8804
#11 do_check_chunks_and_extents (fs_info=0x82b830) at check/main.c:8860
#12 cmd_check (cmd=, argc=, argv=) at check/main.c:10353
#13 0x0000000000401493 in cmd_execute (argv=0x7fffffffe3f0, argc=3, cmd=0x811980 <cmd_struct_check>) at cmds/commands.h:125
#14 main (argc=3, argv=0x7fffffffe3f0) at btrfs.c:402

Just looking at the offending location, ctree.c:930 is insightful. right is being dereferenced but is was assigned NULL just five lines earlier. My guess is that blocksize was meant here, which contains a copy of the last value before the deletion of right.

Best regards

[L3P3]

I seem to have the same issue. My fs is broken and I cannot repair it! Very bad.
I use the lastest commit from this repository. btrfs-progs v5.11.1

(gdb) run check --repair /dev/sdc
Starting program: /usr/local/bin/btrfs check --repair /dev/sdc
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
enabling repair mode
WARNING:

	Do not use --repair unless you are advised to do so by a developer
	or an experienced user, and then only after having accepted that no
	fsck can successfully repair all types of filesystem corruption. Eg.
	some software or hardware bugs can fatally damage a volume.
	The operation will start in 10 seconds.
	Use Ctrl-C to stop it.
10 9 8 7 6 5 4 3 2 1
Starting repair.
Opening filesystem to check...
Checking filesystem on /dev/sdc
UUID: c47af666-5bdf-4757-a541-717ae53a9616
[1/7] checking root items
Fixed 0 roots.
[2/7] checking extents
ref mismatch on [725450752 16384] extent item 1, found 0
backref 725450752 root 7 not referenced back 0x555563745a60
incorrect global backref count on 725450752 found 1 wanted 0
backpointer mismatch on [725450752 16384]
owner ref check failed [725450752 16384]
repair deleting extent record: key [725450752,169,0]

Program received signal SIGSEGV, Segmentation fault.
balance_level (level=1, path=0x5555610b0670, root=0x5555556442b0, trans=0x55555d885c20) at kernel-shared/ctree.c:930
930				root_sub_used(root, right->len);
(gdb) bt
#0  balance_level (level=1, path=0x5555610b0670, root=0x5555556442b0, trans=0x55555d885c20) at kernel-shared/ctree.c:930
#1  btrfs_search_slot (trans=trans@entry=0x55555d885c20, root=root@entry=0x5555556442b0, key=key@entry=0x7fffffffdac0, p=p@entry=0x5555610b0670, ins_len=ins_len@entry=-1, cow=cow@entry=1) at kernel-shared/ctree.c:1320
#2  0x00005555555cba85 in lookup_inline_extent_backref (trans=trans@entry=0x55555d885c20, root=root@entry=0x5555556442b0, path=path@entry=0x5555610b0670, ref_ret=ref_ret@entry=0x7fffffffdc38, bytenr=bytenr@entry=30408704, 
    num_bytes=num_bytes@entry=16384, parent=0, root_objectid=2, owner=2, offset=0, insert=0) at kernel-shared/extent-tree.c:885
#3  0x00005555555cc69c in lookup_extent_backref (offset=0, owner=2, root_objectid=2, parent=0, num_bytes=16384, bytenr=30408704, ref_ret=0x7fffffffdc38, path=0x5555610b0670, root=0x5555556442b0, trans=0x55555d885c20)
    at kernel-shared/extent-tree.c:1085
#4  __free_extent (trans=trans@entry=0x55555d885c20, bytenr=30408704, num_bytes=16384, parent=0, root_objectid=root_objectid@entry=2, owner_objectid=2, owner_offset=0, refs_to_drop=1) at kernel-shared/extent-tree.c:1938
#5  0x00005555555d0d5e in run_delayed_tree_ref (insert_reserved=<optimized out>, extent_op=0x0, node=0x555555647140, fs_info=0x555555643e40, trans=0x55555d885c20) at kernel-shared/extent-tree.c:3758
#6  run_one_delayed_ref (insert_reserved=<optimized out>, extent_op=0x0, node=0x555555647140, fs_info=0x555555643e40, trans=0x55555d885c20) at kernel-shared/extent-tree.c:3778
#7  btrfs_run_delayed_refs (trans=trans@entry=0x55555d885c20, nr=nr@entry=18446744073709551615) at kernel-shared/extent-tree.c:3862
#8  0x00005555555dce54 in btrfs_commit_transaction (trans=trans@entry=0x55555d885c20, root=0x5555556442b0) at kernel-shared/transaction.c:172
#9  0x0000555555596ea0 in fixup_extent_refs (rec=0x555563745990, extent_cache=0x7fffffffdec0) at check/main.c:7689
#10 check_extent_refs (extent_cache=0x7fffffffdec0, root=0x5555566acb20) at check/main.c:8122
#11 check_chunks_and_extents () at check/main.c:8871
#12 do_check_chunks_and_extents () at check/main.c:8927
#13 0x000055555559ab0d in cmd_check (cmd=0x555555634f40 <cmd_struct_check>, argc=<optimized out>, argv=<optimized out>) at check/main.c:10586
#14 0x000055555556b1d5 in cmd_execute (argv=0x7fffffffe610, argc=3, cmd=0x555555634f40 <cmd_struct_check>) at cmds/commands.h:125
#15 main (argc=3, argv=0x7fffffffe610) at btrfs.c:405

[lorddoskias]

Should be fixed by https://lore.kernel.org/linux-btrfs/20210406135503.164590-1-nborisov@suse.com/T/#u

[L3P3]

Got an reply from Nikolay Borisov, thanks a lot!

Huhz, good point indeed. This should fix it:

diff --git a/kernel-shared/ctree.c b/kernel-shared/ctree.c
index 4cc3aebc1412..3a82286cc914 100644
--- a/kernel-shared/ctree.c
+++ b/kernel-shared/ctree.c
@@ -927,7 +927,7 @@ static int balance_level(struct btrfs_trans_handle
*trans,
                        if (wret)
                                ret = wret;

-                       root_sub_used(root, right->len);
+                       root_sub_used(root, blocksize);
                        wret = btrfs_free_extent(trans, root, bytenr,
                                                 blocksize, 0,
                                                 root->root_key.objectid,

[L3P3]

Oh, I thought I was supposed to create a pull request. I don't know if merging that one is right way to go now. 😉

[kdave]

Thanks for the report, and fix. The workflow is flexible, if the fix is known and tested it gets to the code in some way. Nikolay sent a proper patch so you don't need to send pull request. I'll add the fix to devel branch, targeting release 5.12 soonish.