--- /dev/null
+URL: https://bugzilla.kernel.org/show_bug.cgi?id=156731
+Lukas Lueg 2016-09-13 19:53:59 UTC
+
+More news from the fuzzer. The attached image causes btrfsck to
+buffer-overflow. Using btrfs-progs v4.7-42-g56e9586, compiled with ASAN
+(doesn't crash without)
+
+==17647==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000017980 at pc 0x00000052dde3 bp 0x7ffecc974fe0 sp 0x7ffecc974fd8
+READ of size 4 at 0x621000017980 thread T0
+ #0 0x52dde2 in btrfs_extent_data_ref_count /home/lukas/dev/btrfsfuzz/src-asan/./ctree.h:1582:1
+ #1 0x5329ae in run_next_block /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:6380:6
+ #2 0x52f584 in deal_root_from_list /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:8391:10
+ #3 0x520f81 in check_chunks_and_extents /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:8558:8
+ #4 0x51e5a9 in cmd_check /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:11493:9
+ #5 0x4f0ee1 in main /home/lukas/dev/btrfsfuzz/src-asan/btrfs.c:243:8
+ #6 0x7faced2c8730 in __libc_start_main (/lib64/libc.so.6+0x20730)
+ #7 0x421358 in _start (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x421358)
+
+cat crashing_images/id:000047,sig:11,src:000343+000051,op:splice,rep:4.log
+=================================================================
+==17647==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000017980 at pc 0x00000052dde3 bp 0x7ffecc974fe0 sp 0x7ffecc974fd8
+READ of size 4 at 0x621000017980 thread T0
+ #0 0x52dde2 in btrfs_extent_data_ref_count /home/lukas/dev/btrfsfuzz/src-asan/./ctree.h:1582:1
+ #1 0x5329ae in run_next_block /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:6380:6
+ #2 0x52f584 in deal_root_from_list /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:8391:10
+ #3 0x520f81 in check_chunks_and_extents /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:8558:8
+ #4 0x51e5a9 in cmd_check /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:11493:9
+ #5 0x4f0ee1 in main /home/lukas/dev/btrfsfuzz/src-asan/btrfs.c:243:8
+ #6 0x7faced2c8730 in __libc_start_main (/lib64/libc.so.6+0x20730)
+ #7 0x421358 in _start (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x421358)
+
+0x621000017980 is located 0 bytes to the right of 4224-byte region [0x621000016900,0x621000017980)
+allocated by thread T0 here:
+ #0 0x4bfca0 in calloc (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x4bfca0)
+ #1 0x5c16ca in __alloc_extent_buffer /home/lukas/dev/btrfsfuzz/src-asan/extent_io.c:542:7
+ #2 0x5c1b26 in alloc_extent_buffer /home/lukas/dev/btrfsfuzz/src-asan/extent_io.c:646:8
+ #3 0x58de0c in btrfs_find_create_tree_block /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:193:9
+ #4 0x58e880 in read_tree_block_fs_info /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:339:7
+ #5 0x5918a2 in read_tree_block /home/lukas/dev/btrfsfuzz/src-asan/./disk-io.h:112:9
+ #6 0x591712 in find_and_setup_root /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:647:15
+ #7 0x593243 in setup_root_or_create_block /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:966:8
+ #8 0x592850 in btrfs_setup_all_roots /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:1031:8
+ #9 0x5948fe in __open_ctree_fd /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:1341:8
+ #10 0x5942b5 in open_ctree_fs_info /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:1387:9
+ #11 0x51dff2 in cmd_check /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:11382:9
+ #12 0x4f0ee1 in main /home/lukas/dev/btrfsfuzz/src-asan/btrfs.c:243:8
+ #13 0x7faced2c8730 in __libc_start_main (/lib64/libc.so.6+0x20730)
+
+SUMMARY: AddressSanitizer: heap-buffer-overflow /home/lukas/dev/btrfsfuzz/src-asan/./ctree.h:1582:1 in btrfs_extent_data_ref_count
+Shadow bytes around the buggy address:
+ 0x0c427fffaee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x0c427fffaef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x0c427fffaf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x0c427fffaf10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x0c427fffaf20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+=>0x0c427fffaf30:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c427fffaf40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c427fffaf50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c427fffaf60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c427fffaf70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c427fffaf80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+Shadow byte legend (one shadow byte represents 8 application bytes):
+ Addressable: 00
+ Partially addressable: 01 02 03 04 05 06 07
+ Heap left redzone: fa
+ Heap right redzone: fb
+ Freed heap region: fd
+ Stack left redzone: f1
+ Stack mid redzone: f2
+ Stack right redzone: f3
+ Stack partial redzone: f4
+ Stack after return: f5
+ Stack use after scope: f8
+ Global redzone: f9
+ Global init order: f6
+ Poisoned by user: f7
+ Container overflow: fc
+ Array cookie: ac
+ Intra object redzone: bb
+ ASan internal: fe
+ Left alloca redzone: ca
+ Right alloca redzone: cb
+==17647==ABORTING
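Review bot: the 4-byte read in btrfs_extent_data_ref_count (ctree.h:1582, frame #0, reached from run_next_block at cmds-check.c:6380) lands exactly 0 bytes past the 4224-byte extent buffer that __alloc_extent_buffer (extent_io.c:542) calloc'd, straight into the fa redzone marked on the => shadow line, so the inline data-ref offset taken from the on-disk extent item points past the end of the leaf. A check that the ref's offset plus its size stays inside the item (or at least inside the leaf's data area) before the accessor is called would turn this into a reported corruption instead of an out-of-bounds read; the "doesn't crash without" ASAN remark in the description means a non-instrumented btrfsck silently consumes whatever happens to follow the buffer. Style: the ASan trace is pasted twice, once as the excerpt and again inside the cat'd .log; one copy is enough.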
--- /dev/null
+URL: https://bugzilla.kernel.org/show_bug.cgi?id=156741
+Lukas Lueg 2016-09-13 19:56:16 UTC
+
+More news from the fuzzer. The attached image causes btrfsck to
+buffer-overflow. Using btrfs-progs v4.7-42-g56e9586, compiled with ASAN
+(doesn't crash without).
+
+==23161==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000017980 at pc 0x0000005299d3 bp 0x7fff110ce980 sp 0x7fff110ce978
+READ of size 1 at 0x621000017980 thread T0
+ #0 0x5299d2 in btrfs_extent_inline_ref_type /home/lukas/dev/btrfsfuzz/src-asan/./ctree.h:1588:1
+ #1 0x540f54 in build_roots_info_cache /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:10965:10
+ #2 0x52163e in repair_root_items /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:11108:8
+ #3 0x51e5c3 in cmd_check /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:11497:8
+ #4 0x4f0ee1 in main /home/lukas/dev/btrfsfuzz/src-asan/btrfs.c:243:8
+ #5 0x7f067cc9f730 in __libc_start_main (/lib64/libc.so.6+0x20730)
+ #6 0x421358 in _start (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x421358)
+
+cat crashing_images/id:000073,sig:11,src:000504+000275,op:splice,rep:4.log
+parent transid verify failed on 1122304 wanted 3472328296227680304 found 1
+parent transid verify failed on 1122304 wanted 3472328296227680304 found 1
+Ignoring transid failure
+Chunk[256, 228, 0]: length(4194304), offset(0), type(2) is not found in block group
+Chunk[256, 228, 4194304]: length(1638400), offset(4194304), type(5) is not found in block group
+Chunk[256, 228, 5832704]: length(1638400), offset(5832704), type(5) is not found in block group
+ref mismatch on [131072 4096] extent item 0, found 1
+Backref 131072 parent 3 root 3 not found in extent tree
+backpointer mismatch on [131072 4096]
+ref mismatch on [1118208 4096] extent item 1, found 0
+Backref 1118208 root 1 not referenced back 0x60300000ee00
+Incorrect global backref count on 1118208 found 1 wanted 0
+backpointer mismatch on [1118208 4096]
+owner ref check failed [1118208 4096]
+ref mismatch on [1126400 4096] extent item 1, found 0
+Backref 1126400 root 3 not referenced back 0x60300000edd0
+Incorrect global backref count on 1126400 found 1 wanted 0
+backpointer mismatch on [1126400 4096]
+owner ref check failed [1126400 4096]
+ref mismatch on [1130496 4096] extent item 1, found 0
+Backref 1130496 root 4 not referenced back 0x60300000eda0
+Incorrect global backref count on 1130496 found 1 wanted 0
+backpointer mismatch on [1130496 4096]
+owner ref check failed [1130496 4096]
+ref mismatch on [1134592 4096] extent item 1, found 0
+Backref 1134592 root 5 not referenced back 0x60300000ed70
+Incorrect global backref count on 1134592 found 1 wanted 0
+backpointer mismatch on [1134592 4096]
+owner ref check failed [1134592 4096]
+ref mismatch on [1138688 4096] extent item 1, found 0
+Backref 1138688 root 7 not referenced back 0x60300000ed40
+Incorrect global backref count on 1138688 found 1 wanted 0
+backpointer mismatch on [1138688 4096]
+owner ref check failed [1138688 4096]
+ref mismatch on [4194304 4096] extent item 0, found 1
+Backref 4194304 parent 5 root 5 not found in extent tree
+backpointer mismatch on [4194304 4096]
+ref mismatch on [4198400 4096] extent item 0, found 1
+Backref 4198400 parent 1 root 1 not found in extent tree
+backpointer mismatch on [4198400 4096]
+ref mismatch on [4227072 4096] extent item 0, found 1
+Backref 4227072 parent 4 root 4 not found in extent tree
+backpointer mismatch on [4227072 4096]
+ref mismatch on [4231168 4096] extent item 0, found 1
+Backref 4231168 parent 7 root 7 not found in extent tree
+backpointer mismatch on [4231168 4096]
+ref mismatch on [3472328296227680304 3472328296227680304] extent item 0, found 1
+Backref 3472328296227680304 root 1 owner 6 offset 0 num_refs 0 not found in extent tree
+Incorrect local backref count on 3472328296227680304 root 1 owner 6 offset 0 found 1 wanted 0 back 0x60700000dca0
+backpointer mismatch on [3472328296227680304 3472328296227680304]
+=================================================================
+==23161==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000017980 at pc 0x0000005299d3 bp 0x7fff110ce980 sp 0x7fff110ce978
+READ of size 1 at 0x621000017980 thread T0
+ #0 0x5299d2 in btrfs_extent_inline_ref_type /home/lukas/dev/btrfsfuzz/src-asan/./ctree.h:1588:1
+ #1 0x540f54 in build_roots_info_cache /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:10965:10
+ #2 0x52163e in repair_root_items /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:11108:8
+ #3 0x51e5c3 in cmd_check /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:11497:8
+ #4 0x4f0ee1 in main /home/lukas/dev/btrfsfuzz/src-asan/btrfs.c:243:8
+ #5 0x7f067cc9f730 in __libc_start_main (/lib64/libc.so.6+0x20730)
+ #6 0x421358 in _start (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x421358)
+
+0x621000017980 is located 0 bytes to the right of 4224-byte region [0x621000016900,0x621000017980)
+allocated by thread T0 here:
+ #0 0x4bfca0 in calloc (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x4bfca0)
+ #1 0x5c16ca in __alloc_extent_buffer /home/lukas/dev/btrfsfuzz/src-asan/extent_io.c:542:7
+ #2 0x5c1b26 in alloc_extent_buffer /home/lukas/dev/btrfsfuzz/src-asan/extent_io.c:646:8
+ #3 0x58de0c in btrfs_find_create_tree_block /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:193:9
+ #4 0x58e880 in read_tree_block_fs_info /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:339:7
+ #5 0x5918a2 in read_tree_block /home/lukas/dev/btrfsfuzz/src-asan/./disk-io.h:112:9
+ #6 0x591712 in find_and_setup_root /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:647:15
+ #7 0x593243 in setup_root_or_create_block /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:966:8
+ #8 0x592850 in btrfs_setup_all_roots /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:1031:8
+ #9 0x5948fe in __open_ctree_fd /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:1341:8
+ #10 0x5942b5 in open_ctree_fs_info /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:1387:9
+ #11 0x51dff2 in cmd_check /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:11382:9
+ #12 0x4f0ee1 in main /home/lukas/dev/btrfsfuzz/src-asan/btrfs.c:243:8
+ #13 0x7f067cc9f730 in __libc_start_main (/lib64/libc.so.6+0x20730)
+
+SUMMARY: AddressSanitizer: heap-buffer-overflow /home/lukas/dev/btrfsfuzz/src-asan/./ctree.h:1588:1 in btrfs_extent_inline_ref_type
+Shadow bytes around the buggy address:
+ 0x0c427fffaee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x0c427fffaef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x0c427fffaf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x0c427fffaf10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x0c427fffaf20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+=>0x0c427fffaf30:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c427fffaf40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c427fffaf50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c427fffaf60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c427fffaf70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c427fffaf80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+Shadow byte legend (one shadow byte represents 8 application bytes):
+ Addressable: 00
+ Partially addressable: 01 02 03 04 05 06 07
+ Heap left redzone: fa
+ Heap right redzone: fb
+ Freed heap region: fd
+ Stack left redzone: f1
+ Stack mid redzone: f2
+ Stack right redzone: f3
+ Stack partial redzone: f4
+ Stack after return: f5
+ Stack use after scope: f8
+ Global redzone: f9
+ Global init order: f6
+ Poisoned by user: f7
+ Container overflow: fc
+ Array cookie: ac
+ Intra object redzone: bb
+ ASan internal: fe
+ Left alloca redzone: ca
+ Right alloca redzone: cb
+==23161==ABORTING
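Review bot: the 1-byte read in btrfs_extent_inline_ref_type (ctree.h:1588, frame #0, reached from build_roots_info_cache at cmds-check.c:10965) sits at 0 bytes past the same 4224-byte extent buffer, allocated through the same __alloc_extent_buffer path as in bug 156731, so both reports are the one missing bounds check on inline refs hit from two different callers; fixing it in one accessor and leaving the other would keep this report open. Worth noting for triage: the crash is reached through repair_root_items (cmds-check.c:11108) after the transid failure on 1122304 was explicitly ignored, and the bogus "wanted" value 3472328296227680304 reappears as an extent range in the ref mismatch lines, so the check is continuing into the root-item stage on metadata it already knows failed verification. Style: as in 156731 the ASan trace appears twice.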
--- /dev/null
+URL: https://bugzilla.kernel.org/show_bug.cgi?id=161811
+Lukas Lueg 2016-09-16 20:03:35 UTC
+
+More news from the fuzzer. The attached image causes a global-buffer-overflow
+in btrfsck; using btrfs-progs v4.7-42-g56e9586. You need to compile with ASAN
+in order to reproduce.
+
+The juicy parts:
+
+==16657==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000064726f at pc 0x00000054eadd bp 0x7ffec6d9b980 sp 0x7ffec6d9b978
+READ of size 1 at 0x00000064726f thread T0
+ #0 0x54eadc in imode_to_type /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:635:9
+ #1 0x54673a in maybe_free_inode_rec /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:932:13
+ #2 0x54a79a in add_inode_backref /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:1104:2
+ #3 0x54b6d2 in process_inode_ref /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:1549:3
+ #4 0x5489e4 in process_one_leaf /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:1810:10
+ #5 0x54522e in walk_down_tree /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:1958:10
+ #6 0x54372e in check_fs_root /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:3668:10
+ #7 0x5224ef in check_fs_roots /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:3809:10
+ #8 0x51e772 in cmd_check /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:11533:8
+ #9 0x4f0ee1 in main /home/lukas/dev/btrfsfuzz/src-asan/btrfs.c:243:8
+ #10 0x7f4a5c29f730 in __libc_start_main (/lib64/libc.so.6+0x20730)
+ #11 0x421358 in _start (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x421358)
+
+bad full backref, on [4198400]
+checking free space cache
+checking fs roots
+=================================================================
+==16657==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000064726f at pc 0x00000054eadd bp 0x7ffec6d9b980 sp 0x7ffec6d9b978
+READ of size 1 at 0x00000064726f thread T0
+ #0 0x54eadc in imode_to_type /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:635:9
+ #1 0x54673a in maybe_free_inode_rec /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:932:13
+ #2 0x54a79a in add_inode_backref /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:1104:2
+ #3 0x54b6d2 in process_inode_ref /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:1549:3
+ #4 0x5489e4 in process_one_leaf /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:1810:10
+ #5 0x54522e in walk_down_tree /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:1958:10
+ #6 0x54372e in check_fs_root /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:3668:10
+ #7 0x5224ef in check_fs_roots /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:3809:10
+ #8 0x51e772 in cmd_check /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:11533:8
+ #9 0x4f0ee1 in main /home/lukas/dev/btrfsfuzz/src-asan/btrfs.c:243:8
+ #10 0x7f4a5c29f730 in __libc_start_main (/lib64/libc.so.6+0x20730)
+ #11 0x421358 in _start (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x421358)
+
+0x00000064726f is located 49 bytes to the left of global variable '<string literal>' defined in 'cmds-check.c:3051:2' (0x6472a0) of size 17
+ '<string literal>' is ascii string 'check_inode_recs'
+0x00000064726f is located 0 bytes to the right of global variable 'btrfs_type_by_mode' defined in 'cmds-check.c:625:23' (0x647260) of size 15
+SUMMARY: AddressSanitizer: global-buffer-overflow /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:635:9 in imode_to_type
+Shadow bytes around the buggy address:
+ 0x0000800c0df0: f9 f9 f9 f9 00 00 05 f9 f9 f9 f9 f9 00 00 02 f9
+ 0x0000800c0e00: f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9 00 07 f9 f9
+ 0x0000800c0e10: f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9 00 00 00 01
+ 0x0000800c0e20: f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9 00 00 01 f9
+ 0x0000800c0e30: f9 f9 f9 f9 00 07 f9 f9 f9 f9 f9 f9 00 00 05 f9
+=>0x0000800c0e40: f9 f9 f9 f9 00 00 02 f9 f9 f9 f9 f9 00[07]f9 f9
+ 0x0000800c0e50: f9 f9 f9 f9 00 00 01 f9 f9 f9 f9 f9 00 00 00 07
+ 0x0000800c0e60: f9 f9 f9 f9 00 00 00 00 00 04 f9 f9 f9 f9 f9 f9
+ 0x0000800c0e70: 00 00 00 00 03 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
+ 0x0000800c0e80: 00 00 00 00 00 05 f9 f9 f9 f9 f9 f9 00 00 00 00
+ 0x0000800c0e90: 00 00 03 f9 f9 f9 f9 f9 00 00 06 f9 f9 f9 f9 f9
+Shadow byte legend (one shadow byte represents 8 application bytes):
+ Addressable: 00
+ Partially addressable: 01 02 03 04 05 06 07
+ Heap left redzone: fa
+ Heap right redzone: fb
+ Freed heap region: fd
+ Stack left redzone: f1
+ Stack mid redzone: f2
+ Stack right redzone: f3
+ Stack partial redzone: f4
+ Stack after return: f5
+ Stack use after scope: f8
+ Global redzone: f9
+ Global init order: f6
+ Poisoned by user: f7
+ Container overflow: fc
+ Array cookie: ac
+ Intra object redzone: bb
+ ASan internal: fe
+ Left alloca redzone: ca
+ Right alloca redzone: cb
+==16657==ABORTING
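Review bot: imode_to_type (cmds-check.c:635, frame #0) indexes btrfs_type_by_mode, the 15-byte table defined at cmds-check.c:625, exactly 0 bytes past its end, i.e. with index 15. The index is derived from the file-type bits of an inode mode read from the image, and the one bit pattern with all of those bits set matches no valid file type, so the function needs an explicit range check against the table size (returning an "unknown type" value that maybe_free_inode_rec at cmds-check.c:932 can report) rather than trusting the on-disk mode. The second ASan line (49 bytes before the 'check_inode_recs' string literal) shows that without ASAN the lookup just returns whatever byte the linker placed after the table and the check proceeds with a bogus type, which is why the description is right that the plain build does not crash here.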
--- /dev/null
+URL: https://bugzilla.kernel.org/show_bug.cgi?id=161821
+Lukas Lueg 2016-09-16 20:45:58 UTC
+
+More news from the fuzzer. The attached image causes a segmentation fault when
+running btrfsck over it; using btrfs-progs v4.7.2-55-g2b7c507
+
+The juicy parts:
+
+==29097==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000070 (pc 0x000000581939 bp 0x7fff1f168590 sp 0x7fff1f168590 T0)
+ #0 0x581938 in extent_buffer_get /home/lukas/dev/btrfsfuzz/src-asan/./extent_io.h:105:10
+ #1 0x583daf in btrfs_search_slot /home/lukas/dev/btrfsfuzz/src-asan/ctree.c:1118:2
+ #2 0x538652 in check_owner_ref /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:4043:8
+ #3 0x535ca5 in check_block /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:4433:10
+ #4 0x532464 in run_next_block /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:6292:8
+ #5 0x52f584 in deal_root_from_list /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:8391:10
+ #6 0x520f81 in check_chunks_and_extents /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:8558:8
+ #7 0x51e5a9 in cmd_check /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:11493:9
+ #8 0x4f0ee1 in main /home/lukas/dev/btrfsfuzz/src-asan/btrfs.c:243:8
+ #9 0x7f42d367b730 in __libc_start_main (/lib64/libc.so.6+0x20730)
+ #10 0x421358 in _start (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x421358)
+
+parent transid verify failed on 4198400 wanted 14 found 1114126
+parent transid verify failed on 4198400 wanted 14 found 1114126
+Ignoring transid failure
+ASAN:DEADLYSIGNAL
+=================================================================
+==29097==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000070 (pc 0x000000581939 bp 0x7fff1f168590 sp 0x7fff1f168590 T0)
+ #0 0x581938 in extent_buffer_get /home/lukas/dev/btrfsfuzz/src-asan/./extent_io.h:105:10
+ #1 0x583daf in btrfs_search_slot /home/lukas/dev/btrfsfuzz/src-asan/ctree.c:1118:2
+ #2 0x538652 in check_owner_ref /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:4043:8
+ #3 0x535ca5 in check_block /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:4433:10
+ #4 0x532464 in run_next_block /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:6292:8
+ #5 0x52f584 in deal_root_from_list /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:8391:10
+ #6 0x520f81 in check_chunks_and_extents /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:8558:8
+ #7 0x51e5a9 in cmd_check /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:11493:9
+ #8 0x4f0ee1 in main /home/lukas/dev/btrfsfuzz/src-asan/btrfs.c:243:8
+ #9 0x7f42d367b730 in __libc_start_main (/lib64/libc.so.6+0x20730)
+ #10 0x421358 in _start (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x421358)
+
+AddressSanitizer can not provide additional info.
+SUMMARY: AddressSanitizer: SEGV /home/lukas/dev/btrfsfuzz/src-asan/./extent_io.h:105:10 in extent_buffer_get
+==29097==ABORTING
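Review bot: the fault address 0x70 in extent_buffer_get (extent_io.h:105, frame #0) is a small constant offset from NULL, so btrfs_search_slot (ctree.c:1118) was handed a root whose node pointer is NULL via check_owner_ref at cmds-check.c:4043; this is a missing NULL check rather than a corrupted pointer, which is also why ASan "can not provide additional info". check_owner_ref should refuse to search a root whose tree block was never loaded, and the "Ignoring transid failure" on 4198400 printed just before the crash is the first place to look for a load that was abandoned without the caller noticing. Unlike the other reports in this series the description does not say ASAN is required, which is consistent with a NULL dereference that would segfault in a plain build as well.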
--- /dev/null
+URL: https://bugzilla.kernel.org/show_bug.cgi?id=167551
+Lukas Lueg 2016-09-17 18:32:31 UTC
+
+More news from the fuzzer. The attached image causes btrfsck to enter what
+seems to be an endless loop; using btrfs-progs v4.7.2-55-g2b7c507
+
+Starting program: /home/lukas/dev/btrfsfuzz/bin/bin/btrfsck hang000022.img
+Missing separate debuginfos, use: dnf debuginfo-install glibc-2.23.1-10.fc24.x86_64
+[Thread debugging using libthread_db enabled]
+Using host libthread_db library "/lib64/libthread_db.so.1".
+
+Program received signal SIGINT, Interrupt.
+0x00000000004576b7 in alloc_extent_buffer (tree=0x6b5420, bytenr=4198400, blocksize=4096) at extent_io.c:628
+628 {
+Missing separate debuginfos, use: dnf debuginfo-install libblkid-2.28.2-1.fc24.x86_64 libuuid-2.28.2-1.fc24.x86_64 lzo-2.08-8.fc24.x86_64 zlib-1.2.8-10.fc24.x86_64
+#0 0x00000000004576b7 in alloc_extent_buffer (tree=0x6b5420, bytenr=4198400, blocksize=4096) at extent_io.c:628
+#1 0x0000000000444be3 in read_tree_block_fs_info (fs_info=0x6b53a0, bytenr=4198400, blocksize=4096, parent_transid=14) at disk-io.c:339
+#2 0x0000000000440845 in btrfs_search_slot (trans=<optimized out>, root=<optimized out>, key=<optimized out>, p=<optimized out>,
+ ins_len=<optimized out>, cow=<optimized out>) at ctree.c:1175
+#3 0x000000000044bf8a in find_first_block_group (root=0x6b5850, path=0x6b41d0, key=0x7fffffffde78) at extent-tree.c:3142
+#4 0x000000000044bd3a in btrfs_read_block_groups (root=0x6b5850) at extent-tree.c:3240
+#5 0x00000000004464b3 in btrfs_setup_all_roots (fs_info=0x6b53a0, root_tree_bytenr=4202496, flags=<optimized out>) at disk-io.c:1077
+#6 0x0000000000446fc5 in __open_ctree_fd (fp=<optimized out>, path=<optimized out>, sb_bytenr=65536, root_tree_bytenr=<optimized out>,
+ chunk_root_bytenr=<optimized out>, flags=<optimized out>) at disk-io.c:1341
+#7 0x0000000000446d65 in open_ctree_fs_info (filename=0x7fffffffe4f5 "hang000022.img", sb_bytenr=0, root_tree_bytenr=0,
+ chunk_root_bytenr=0, flags=64) at disk-io.c:1387
+#8 0x000000000041bbe2 in cmd_check (argc=<optimized out>, argv=<optimized out>) at cmds-check.c:11382
+#9 0x000000000040a10d in main (argc=<optimized out>, argv=0x7fffffffe218) at btrfs.c:243
+quit
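Review bot: a single SIGINT sample is not enough to locate the loop; the backtrace only shows that at the moment of interruption btrfs_search_slot (ctree.c:1175) was asking read_tree_block_fs_info for bytenr=4198400 with parent_transid=14 on behalf of find_first_block_group (extent-tree.c:3142) during btrfs_read_block_groups, still inside open_ctree_fs_info. Two or three further samples, or a finish out of alloc_extent_buffer, would show whether the same block is re-read every iteration. That block and transid are exactly the ones that fail verification in bug 161821 ("parent transid verify failed on 4198400 wanted 14"), so the candidate is a retry in the search path that never gives up on a block whose transid check keeps failing; a bounded retry, or treating the verification failure as an error in btrfs_read_block_groups, would make the open fail instead of spin. The two "Missing separate debuginfos" lines are gdb noise and can be dropped from the report.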
--- /dev/null
+URL: https://bugzilla.kernel.org/show_bug.cgi?id=167781
+Lukas Lueg 2016-09-17 19:01:47 UTC
+
+More news from the fuzzer. The attached image causes btrfsck to overflow it's
+stack by what seems to be an infinite (or at least sufficiently deep) recursion
+in resolve_one_root(); using btrfs-progs v4.7-42-g56e9586.
+
+
+checking extents
+Chunk[256, 228, 0]: length(4194304), offset(0), type(2) is not found in block group
+Chunk[256, 228, 0] stripe[1, 0] is not found in dev extent
+Chunk[256, 228, 4194304]: length(1638400), offset(4194304), type(5) is not found in block group
+Chunk[256, 228, 4194304] stripe[1, 4194304] is not found in dev extent
+Chunk[256, 228, 5832704]: length(1638400), offset(5832704), type(5) is not found in block group
+Chunk[256, 228, 5832704] stripe[1, 5832704] is not found in dev extent
+ref mismatch on [131072 4096] extent item 0, found 1
+Backref 131072 parent 3 root 3 not found in extent tree
+backpointer mismatch on [131072 4096]
+bad extent [131072, 135168), type mismatch with chunk
+ref mismatch on [4194304 4096] extent item 0, found 1
+Backref 4194304 parent 5 root 5 not found in extent tree
+backpointer mismatch on [4194304 4096]
+ref mismatch on [4198400 4096] extent item 0, found 1
+Backref 4198400 parent 1 root 1 not found in extent tree
+backpointer mismatch on [4198400 4096]
+ref mismatch on [4231168 4096] extent item 0, found 1
+Backref 4231168 parent 7 root 7 not found in extent tree
+backpointer mismatch on [4231168 4096]
+ref mismatch on [3472328296227680304 3472328296227680304] extent item 0, found 1
+Backref 3472328296227680304 root 1 owner 2 offset 0 num_refs 0 not found in extent tree
+Incorrect local backref count on 3472328296227680304 root 1 owner 2 offset 0 found 1 wanted 0 back 0x60800000bd20
+backpointer mismatch on [3472328296227680304 3472328296227680304]
+Dev extent's total-byte(0) is not equal to byte-used(7471104) in dev[1, 216, 1]
+Errors found in extent allocation tree or chunk allocation
+checking free space cache
+checking fs roots
+checking csums
+checking root refs
+checking quota groups
+ASAN:DEADLYSIGNAL
+=================================================================
+==9638==ERROR: AddressSanitizer: stack-overflow on address 0x7ffc0e2d1ff8 (pc 0x0000005f2ed7 bp 0x7ffc0e2d2010 sp 0x7ffc0e2d2000 T0)
+ #0 0x5f2ed6 in find_ref_bytenr /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:253:46
+ #1 0x5f2cba in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:560:20
+ #2 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #3 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #4 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #5 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #6 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #7 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #8 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #9 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #10 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #11 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #12 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #13 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #14 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #15 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #16 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #17 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #18 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #19 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #20 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #21 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #22 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #23 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #24 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #25 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #26 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #27 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #28 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #29 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #30 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #31 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #32 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #33 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #34 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #35 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #36 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #37 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #38 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #39 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #40 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #41 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #42 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #43 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #44 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #45 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #46 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #47 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #48 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #49 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #50 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #51 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #52 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #53 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #54 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #55 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #56 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #57 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #58 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #59 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #60 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #61 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #62 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #63 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #64 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #65 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #66 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #67 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #68 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #69 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #70 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #71 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #72 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #73 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #74 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #75 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #76 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #77 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #78 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #79 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #80 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #81 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #82 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #83 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #84 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #85 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #86 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #87 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #88 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #89 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #90 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #91 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #92 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #93 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #94 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #95 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #96 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #97 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #98 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #99 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #100 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #101 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #102 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #103 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #104 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #105 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #106 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #107 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #108 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #109 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #110 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #111 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #112 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #113 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #114 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #115 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #116 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #117 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #118 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #119 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #120 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #121 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #122 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #123 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #124 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #125 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #126 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #127 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #128 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #129 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #130 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #131 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #132 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #133 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #134 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #135 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #136 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #137 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #138 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #139 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #140 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #141 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #142 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #143 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #144 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #145 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #146 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #147 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #148 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #149 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #150 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #151 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #152 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #153 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #154 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #155 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #156 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #157 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #158 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #159 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #160 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #161 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #162 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #163 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #164 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #165 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #166 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #167 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #168 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #169 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #170 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #171 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #172 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #173 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #174 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #175 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #176 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #177 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #178 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #179 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #180 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #181 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #182 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #183 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #184 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #185 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #186 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #187 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #188 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #189 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #190 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #191 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #192 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #193 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #194 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #195 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #196 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #197 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #198 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #199 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #200 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #201 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #202 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #203 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #204 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #205 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #206 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #207 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #208 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #209 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #210 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #211 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #212 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #213 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #214 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #215 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #216 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #217 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #218 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #219 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #220 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #221 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #222 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #223 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #224 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #225 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #226 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #227 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #228 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #229 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #230 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #231 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #232 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #233 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #234 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #235 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #236 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #237 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #238 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #239 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #240 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #241 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #242 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #243 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #244 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #245 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #246 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #247 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #248 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #249 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #250 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+ #251 0x5f2d1e in resolve_one_root /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:566:9
+
+SUMMARY: AddressSanitizer: stack-overflow /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:253:46 in find_ref_bytenr
+==9638==ABORTING
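Review bot: the identical frame `0x5f2d1e in resolve_one_root qgroup-verify.c:566:9` repeated from #58 through #251 shows resolve_one_root recursing into itself with no depth bound until the stack is exhausted (SUMMARY: stack-overflow at qgroup-verify.c:253:46 in find_ref_bytenr), so the fix belongs at the call site on line 566: cap the recursion depth or keep a visited set of backrefs and return an error instead of descending again, because a corrupted image can make the on-disk reference graph as deep, or as cyclic, as it likes and btrfsck must not trust it. For the report itself, the numbering stopping at #251 is most likely the sanitizer's frame cap rather than the real bottom of the stack, so the true depth is not recoverable here; the roughly 200 repeated lines would read better collapsed to one line with a repeat count, keeping the first distinct frames and the SUMMARY line.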
--- /dev/null
+URL: https://bugzilla.kernel.org/show_bug.cgi?id=167921
+Lukas Lueg 2016-09-17 19:16:19 UTC
+
+More news from the fuzzer. The attached image causes a call to abort() when
+running btrfsck over it; using btrfs-progs v4.7.2-55-g2b7c507
+
+Program received signal SIGABRT, Aborted.
+0x00007ffff6fae6f5 in raise () from /lib64/libc.so.6
+#0 0x00007ffff6fae6f5 in raise () from /lib64/libc.so.6
+#1 0x00007ffff6fb02fa in abort () from /lib64/libc.so.6
+#2 0x000000000042390b in run_next_block (root=<optimized out>, bits=<optimized out>, bits_nr=1024, last=<optimized out>,
+ pending=<optimized out>, seen=<optimized out>, reada=<optimized out>, nodes=<optimized out>, extent_cache=<optimized out>,
+ chunk_cache=<optimized out>, dev_cache=<optimized out>, block_group_cache=<optimized out>, dev_extent_cache=<optimized out>,
+ ri=<optimized out>) at cmds-check.c:6424
+#3 0x0000000000421d9b in deal_root_from_list (list=<optimized out>, root=<optimized out>, bits=<optimized out>, bits_nr=1024,
+ pending=<optimized out>, seen=<optimized out>, reada=<optimized out>, nodes=<optimized out>, extent_cache=<optimized out>,
+ chunk_cache=<optimized out>, dev_cache=<optimized out>, block_group_cache=<optimized out>, dev_extent_cache=<optimized out>)
+ at cmds-check.c:8391
+#4 0x000000000041d1d2 in check_chunks_and_extents (root=<optimized out>) at cmds-check.c:8567
+#5 0x000000000041bf0b in cmd_check (argc=<optimized out>, argv=<optimized out>) at cmds-check.c:11493
+#6 0x000000000040a10d in main (argc=<optimized out>, argv=0x7fffffffe218) at btrfs.c:243
+
+parent transid verify failed on 4194304 wanted 65305493131755520 found 14
+parent transid verify failed on 4194304 wanted 65305493131755520 found 14
+Ignoring transid failure
+Checking filesystem on crashing_images/id:000162,sig:06,src:000059+001444,op:splice,rep:2.img
+UUID: 056b0872-c0a7-4121-8ac9-2263ffbee306
+checking extents/bin/sh: line 3: 3091 Aborted LD_LIBRARY_PATH=/home/lukas/dev/btrfsfuzz/bin-asan/lib LD_PRELOAD=/home/lukas/dev/afl_git/libdislocator/libdislocator.so ASAN_OPTIONS=detect_leaks=0 /home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfsck crashing_images/id:000162,sig:06,src:000059+001444,op:splice,rep:2.img
+Starting program: /home/lukas/dev/btrfsfuzz/bin/bin/btrfsck crash000160.img
+Missing separate debuginfos, use: dnf debuginfo-install glibc-2.23.1-10.fc24.x86_64
+[Thread debugging using libthread_db enabled]
+Using host libthread_db library "/lib64/libthread_db.so.1".
+[Inferior 1 (process 21730) exited with code 0376]
+Missing separate debuginfos, use: dnf debuginfo-install libblkid-2.28.2-1.fc24.x86_64 libuuid-2.28.2-1.fc24.x86_64 lzo-2.08-8.fc24.x86_64 zlib-1.2.8-10.fc24.x86_64
+No stack.
+Starting program: /home/lukas/dev/btrfsfuzz/bin/bin/btrfsck crash000162.img
+[Thread debugging using libthread_db enabled]
+Using host libthread_db library "/lib64/libthread_db.so.1".
+
+Program received signal SIGABRT, Aborted.
+0x00007ffff6fae6f5 in raise () from /lib64/libc.so.6
+#0 0x00007ffff6fae6f5 in raise () from /lib64/libc.so.6
+#1 0x00007ffff6fb02fa in abort () from /lib64/libc.so.6
+#2 0x000000000042390b in run_next_block (root=<optimized out>, bits=<optimized out>, bits_nr=1024, last=<optimized out>,
+ pending=<optimized out>, seen=<optimized out>, reada=<optimized out>, nodes=<optimized out>, extent_cache=<optimized out>,
+ chunk_cache=<optimized out>, dev_cache=<optimized out>, block_group_cache=<optimized out>, dev_extent_cache=<optimized out>,
+ ri=<optimized out>) at cmds-check.c:6424
+#3 0x0000000000421d9b in deal_root_from_list (list=<optimized out>, root=<optimized out>, bits=<optimized out>, bits_nr=1024,
+ pending=<optimized out>, seen=<optimized out>, reada=<optimized out>, nodes=<optimized out>, extent_cache=<optimized out>,
+ chunk_cache=<optimized out>, dev_cache=<optimized out>, block_group_cache=<optimized out>, dev_extent_cache=<optimized out>)
+ at cmds-check.c:8391
+#4 0x000000000041d1d2 in check_chunks_and_extents (root=<optimized out>) at cmds-check.c:8567
+#5 0x000000000041bf0b in cmd_check (argc=<optimized out>, argv=<optimized out>) at cmds-check.c:11493
+#6 0x000000000040a10d in main (argc=<optimized out>, argv=0x7fffffffe218) at btrfs.c:243
+quit
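Review bot: abort() is reached directly from run_next_block at cmds-check.c:6424, so a malformed image trips an internal-invariant check rather than an error return; whichever check sits on line 6424 should fail the extent pass with an error and a message, since the "parent transid verify failed on 4194304 wanted 65305493131755520 found 14" lines just before it already establish that the metadata is inconsistent and btrfsck has chosen to continue. Every argument in the backtrace is `<optimized out>`, so the values that failed the check are not recoverable from this report; an -O0 build or the text of the assertion would pin them down. The gdb backtrace (frames #0 to #6) is pasted twice, and the gdb session for crash000160.img in between ("exited with code 0376", "No stack.") is a different image and adds nothing to this bug; one backtrace plus the console output is enough.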
--- /dev/null
+URL: https://bugzilla.kernel.org/show_bug.cgi?id=168301
+Lukas Lueg 2016-09-17 20:00:11 UTC
+
+More news from the fuzzer. The attached image causes a call to abort() when
+running btrfsck over it; using btrfs-progs v4.7.2-55-g2b7c507
+
+Program received signal SIGABRT, Aborted.
+0x00007ffff6fae6f5 in raise () from /lib64/libc.so.6
+#0 0x00007ffff6fae6f5 in raise () from /lib64/libc.so.6
+#1 0x00007ffff6fb02fa in abort () from /lib64/libc.so.6
+#2 0x0000000000424fc7 in add_data_backref (extent_cache=0x7fffffffdfe0, bytenr=18446744073709551615, parent=<optimized out>,
+ root=<optimized out>, owner=<optimized out>, offset=<optimized out>, num_refs=<optimized out>, found_ref=<optimized out>,
+ max_size=4096) at cmds-check.c:4856
+#3 0x00000000004234bd in run_next_block (root=<optimized out>, bits=<optimized out>, bits_nr=1024, last=<optimized out>,
+ pending=<optimized out>, seen=<optimized out>, reada=<optimized out>, nodes=<optimized out>, extent_cache=<optimized out>,
+ chunk_cache=<optimized out>, dev_cache=<optimized out>, block_group_cache=<optimized out>, dev_extent_cache=<optimized out>,
+ ri=<optimized out>) at cmds-check.c:6388
+#4 0x0000000000421d9b in deal_root_from_list (list=<optimized out>, root=<optimized out>, bits=<optimized out>, bits_nr=1024,
+ pending=<optimized out>, seen=<optimized out>, reada=<optimized out>, nodes=<optimized out>, extent_cache=<optimized out>,
+ chunk_cache=<optimized out>, dev_cache=<optimized out>, block_group_cache=<optimized out>, dev_extent_cache=<optimized out>)
+ at cmds-check.c:8391
+#5 0x000000000041d160 in check_chunks_and_extents (root=<optimized out>) at cmds-check.c:8558
+#6 0x000000000041bf0b in cmd_check (argc=<optimized out>, argv=<optimized out>) at cmds-check.c:11493
+#7 0x000000000040a10d in main (argc=<optimized out>, argv=0x7fffffffe218) at btrfs.c:243
+
+Checking filesystem on crashing_images/id:000170,sig:06,src:001268,op:havoc,rep:8.img
+UUID: 056b0872-c0a7-4121-8ac9-2263ffbee306
+checking extents/bin/sh: line 3: 4644 Aborted LD_LIBRARY_PATH=/home/lukas/dev/btrfsfuzz/bin-asan/lib LD_PRELOAD=/home/lukas/dev/afl_git/libdislocator/libdislocator.so ASAN_OPTIONS=detect_leaks=0 /home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfsck crashing_images/id:000170,sig:06,src:001268,op:havoc,rep:8.img
+Starting program: /home/lukas/dev/btrfsfuzz/bin/bin/btrfsck crash000170.img
+[Thread debugging using libthread_db enabled]
+Using host libthread_db library "/lib64/libthread_db.so.1".
+
+Program received signal SIGABRT, Aborted.
+0x00007ffff6fae6f5 in raise () from /lib64/libc.so.6
+#0 0x00007ffff6fae6f5 in raise () from /lib64/libc.so.6
+#1 0x00007ffff6fb02fa in abort () from /lib64/libc.so.6
+#2 0x0000000000424fc7 in add_data_backref (extent_cache=0x7fffffffdfe0, bytenr=18446744073709551615, parent=<optimized out>,
+ root=<optimized out>, owner=<optimized out>, offset=<optimized out>, num_refs=<optimized out>, found_ref=<optimized out>,
+ max_size=4096) at cmds-check.c:4856
+#3 0x00000000004234bd in run_next_block (root=<optimized out>, bits=<optimized out>, bits_nr=1024, last=<optimized out>,
+ pending=<optimized out>, seen=<optimized out>, reada=<optimized out>, nodes=<optimized out>, extent_cache=<optimized out>,
+ chunk_cache=<optimized out>, dev_cache=<optimized out>, block_group_cache=<optimized out>, dev_extent_cache=<optimized out>,
+ ri=<optimized out>) at cmds-check.c:6388
+#4 0x0000000000421d9b in deal_root_from_list (list=<optimized out>, root=<optimized out>, bits=<optimized out>, bits_nr=1024,
+ pending=<optimized out>, seen=<optimized out>, reada=<optimized out>, nodes=<optimized out>, extent_cache=<optimized out>,
+ chunk_cache=<optimized out>, dev_cache=<optimized out>, block_group_cache=<optimized out>, dev_extent_cache=<optimized out>)
+ at cmds-check.c:8391
+#5 0x000000000041d160 in check_chunks_and_extents (root=<optimized out>) at cmds-check.c:8558
+#6 0x000000000041bf0b in cmd_check (argc=<optimized out>, argv=<optimized out>) at cmds-check.c:11493
+#7 0x000000000040a10d in main (argc=<optimized out>, argv=0x7fffffffe218) at btrfs.c:243
+quit
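Review bot: frame #2, `add_data_backref (... bytenr=18446744073709551615 ...)`, shows a bytenr of 0xFFFFFFFFFFFFFFFF, i.e. (u64)-1, reaching add_data_backref from run_next_block at cmds-check.c:6388 and hitting the abort at cmds-check.c:4856; the extent key or backref offset should be range-checked against the filesystem size before add_data_backref is called, so that an out-of-range value is reported as corruption instead of calling abort(). The image carries the same UUID 056b0872-c0a7-4121-8ac9-2263ffbee306 as the one in 167921, so both descend from one seed image, but the abort sites differ (cmds-check.c:4856 here, 6424 there) and they should stay separate bugs with a cross-reference. As in 167921, the backtrace appears twice; once is enough.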
--- /dev/null
+URL: https://bugzilla.kernel.org/show_bug.cgi?id=169301
+Lukas Lueg 2016-09-18 09:07:55 UTC
+
+More news from the fuzzer. The attached image causes a heap-use-after-free
+when running btrfsck with ASAN over it; using btrfs-progs v4.7.2-56-ge8c2013
+
+==3439==ERROR: AddressSanitizer: heap-use-after-free on address 0x621000014170 at pc 0x0000005c05ae bp 0x7ffe84ef8d00 sp 0x7ffe84ef8cf8
+READ of size 4 at 0x621000014170 thread T0
+ #0 0x5c05ad in free_extent_buffer /home/slave/dev/btrfsfuzz/src-asan/extent_io.c:579:10
+ #1 0x59360c in btrfs_release_all_roots /home/slave/dev/btrfsfuzz/src-asan/disk-io.c:1096:3
+ #2 0x5961bb in close_ctree_fs_info /home/slave/dev/btrfsfuzz/src-asan/disk-io.c:1805:2
+ #3 0x5246e7 in close_ctree /home/slave/dev/btrfsfuzz/src-asan/./disk-io.h:155:9
+ #4 0x51e334 in cmd_check /home/slave/dev/btrfsfuzz/src-asan/cmds-check.c:11618:2
+ #5 0x4f0ee1 in main /home/slave/dev/btrfsfuzz/src-asan/btrfs.c:243:8
+ #6 0x7f792c60e730 in __libc_start_main (/lib64/libc.so.6+0x20730)
+ #7 0x421358 in _start (/home/slave/dev/btrfsfuzz/bin-asan/bin/btrfs+0x421358)
+
+Probably somewhat related to this: The image crash000255.img causes btrfsck to
+try to allocate around 3.5gb of memory in one chunk, sending ASAN into a death
+spiral. On systems with sufficient memory, the heap-use-after-free turns up.
+
+parent transid verify failed on 0 wanted 3472328296227680304 found 0
+parent transid verify failed on 0 wanted 3472328296227680304 found 0
+Ignoring transid failure
+Chunk[256, 228, 0]: length(4194304), offset(0), type(2) is not found in block group
+Chunk[256, 228, 0] stripe[1, 0] is not found in dev extent
+Chunk[256, 228, 4194304]: length(1638400), offset(4194304), type(5) is not found in block group
+Chunk[256, 228, 4194304] stripe[1, 4194304] is not found in dev extent
+Chunk[256, 228, 5832704]: length(1638400), offset(5832704), type(5) is not found in block group
+Chunk[256, 228, 5832704] stripe[1, 5832704] is not found in dev extent
+ref mismatch on [0 4096] extent item 0, found 1
+Backref 0 parent 0 root 0 not found in extent tree
+backpointer mismatch on [0 4096]
+bad extent [0, 4096), type mismatch with chunk
+ref mismatch on [131072 4096] extent item 0, found 1
+Backref 131072 parent 3 root 3 not found in extent tree
+backpointer mismatch on [131072 4096]
+ref mismatch on [4198400 4096] extent item 0, found 1
+Backref 4198400 parent 1 root 1 not found in extent tree
+backpointer mismatch on [4198400 4096]
+ref mismatch on [4231168 4096] extent item 0, found 1
+Backref 4231168 parent 7 root 7 not found in extent tree
+backpointer mismatch on [4231168 4096]
+ref mismatch on [3472328296227680304 3472328296227680304] extent item 0, found 1
+Backref 3472328296227680304 root 1 owner 2 offset 0 num_refs 0 not found in extent tree
+Incorrect local backref count on 3472328296227680304 root 1 owner 2 offset 0 found 1 wanted 0 back 0x60700000ddf0
+backpointer mismatch on [3472328296227680304 3472328296227680304]
+Dev extent's total-byte(0) is not equal to byte-used(7471104) in dev[1, 216, 1]
+checking free space cache
+checking fs roots
+root 5 root dir 3472328296227680304 not found
+checking csums
+checking root refs
+checking quota groups
+ERROR: while mapping refs: -5
+=================================================================
+==3439==ERROR: AddressSanitizer: heap-use-after-free on address 0x621000014170 at pc 0x0000005c05ae bp 0x7ffe84ef8d00 sp 0x7ffe84ef8cf8
+READ of size 4 at 0x621000014170 thread T0
+ #0 0x5c05ad in free_extent_buffer /home/slave/dev/btrfsfuzz/src-asan/extent_io.c:579:10
+ #1 0x59360c in btrfs_release_all_roots /home/slave/dev/btrfsfuzz/src-asan/disk-io.c:1096:3
+ #2 0x5961bb in close_ctree_fs_info /home/slave/dev/btrfsfuzz/src-asan/disk-io.c:1805:2
+ #3 0x5246e7 in close_ctree /home/slave/dev/btrfsfuzz/src-asan/./disk-io.h:155:9
+ #4 0x51e334 in cmd_check /home/slave/dev/btrfsfuzz/src-asan/cmds-check.c:11618:2
+ #5 0x4f0ee1 in main /home/slave/dev/btrfsfuzz/src-asan/btrfs.c:243:8
+ #6 0x7f792c60e730 in __libc_start_main (/lib64/libc.so.6+0x20730)
+ #7 0x421358 in _start (/home/slave/dev/btrfsfuzz/bin-asan/bin/btrfs+0x421358)
+
+0x621000014170 is located 112 bytes inside of 4224-byte region [0x621000014100,0x621000015180)
+freed by thread T0 here:
+ #0 0x4bf990 in __interceptor_cfree.localalias.1 (/home/slave/dev/btrfsfuzz/bin-asan/bin/btrfs+0x4bf990)
+ #1 0x5c0582 in free_extent_buffer /home/slave/dev/btrfsfuzz/src-asan/extent_io.c:591:3
+ #2 0x5c1b18 in alloc_extent_buffer /home/slave/dev/btrfsfuzz/src-asan/extent_io.c:644:4
+ #3 0x58de0c in btrfs_find_create_tree_block /home/slave/dev/btrfsfuzz/src-asan/disk-io.c:193:9
+ #4 0x58e880 in read_tree_block_fs_info /home/slave/dev/btrfsfuzz/src-asan/disk-io.c:339:7
+ #5 0x5f2d74 in read_tree_block /home/slave/dev/btrfsfuzz/src-asan/./disk-io.h:112:9
+ #6 0x5f2b52 in travel_tree /home/slave/dev/btrfsfuzz/src-asan/qgroup-verify.c:692:7
+ #7 0x5f299b in add_refs_for_implied /home/slave/dev/btrfsfuzz/src-asan/qgroup-verify.c:748:8
+ #8 0x5efd39 in map_implied_refs /home/slave/dev/btrfsfuzz/src-asan/qgroup-verify.c:766:9
+ #9 0x5eed89 in qgroup_verify_all /home/slave/dev/btrfsfuzz/src-asan/qgroup-verify.c:1366:8
+ #10 0x51ea14 in cmd_check /home/slave/dev/btrfsfuzz/src-asan/cmds-check.c:11571:9
+ #11 0x4f0ee1 in main /home/slave/dev/btrfsfuzz/src-asan/btrfs.c:243:8
+ #12 0x7f792c60e730 in __libc_start_main (/lib64/libc.so.6+0x20730)
+
+previously allocated by thread T0 here:
+ #0 0x4bfca0 in calloc (/home/slave/dev/btrfsfuzz/bin-asan/bin/btrfs+0x4bfca0)
+ #1 0x5c16ca in __alloc_extent_buffer /home/slave/dev/btrfsfuzz/src-asan/extent_io.c:542:7
+ #2 0x5c1b26 in alloc_extent_buffer /home/slave/dev/btrfsfuzz/src-asan/extent_io.c:646:8
+ #3 0x58de0c in btrfs_find_create_tree_block /home/slave/dev/btrfsfuzz/src-asan/disk-io.c:193:9
+ #4 0x58e880 in read_tree_block_fs_info /home/slave/dev/btrfsfuzz/src-asan/disk-io.c:339:7
+ #5 0x5918a2 in read_tree_block /home/slave/dev/btrfsfuzz/src-asan/./disk-io.h:112:9
+ #6 0x591712 in find_and_setup_root /home/slave/dev/btrfsfuzz/src-asan/disk-io.c:647:15
+ #7 0x593243 in setup_root_or_create_block /home/slave/dev/btrfsfuzz/src-asan/disk-io.c:966:8
+ #8 0x592a06 in btrfs_setup_all_roots /home/slave/dev/btrfsfuzz/src-asan/disk-io.c:1045:8
+ #9 0x5948fe in __open_ctree_fd /home/slave/dev/btrfsfuzz/src-asan/disk-io.c:1341:8
+ #10 0x5942b5 in open_ctree_fs_info /home/slave/dev/btrfsfuzz/src-asan/disk-io.c:1387:9
+ #11 0x51dff2 in cmd_check /home/slave/dev/btrfsfuzz/src-asan/cmds-check.c:11382:9
+ #12 0x4f0ee1 in main /home/slave/dev/btrfsfuzz/src-asan/btrfs.c:243:8
+ #13 0x7f792c60e730 in __libc_start_main (/lib64/libc.so.6+0x20730)
+
+SUMMARY: AddressSanitizer: heap-use-after-free /home/slave/dev/btrfsfuzz/src-asan/extent_io.c:579:10 in free_extent_buffer
+Shadow bytes around the buggy address:
+==3439==ABORTING
--- /dev/null
+URL: https://bugzilla.kernel.org/show_bug.cgi?id=169301
+Lukas Lueg 2016-09-18 09:07:55 UTC
+
+parent transid verify failed on 4231168 wanted 274877906948 found 4
+Ignoring transid failure
+parent transid verify failed on 4222976 wanted 3472328296227680304 found 4
+parent transid verify failed on 4222976 wanted 3472328296227680304 found 4
+Ignoring transid failure
+checking extents
+Chunk[256, 228, 0]: length(4194304), offset(0), type(2) is not found in block group
+Chunk[256, 228, 0] stripe[1, 0] is not found in dev extent
+Chunk[256, 228, 4194304]: length(1638400), offset(4194304), type(5) is not found in block group
+Chunk[256, 228, 4194304] stripe[1, 4194304] is not found in dev extent
+Chunk[256, 228, 5832704]: length(1638400), offset(5832704), type(5) is not found in block group
+Chunk[256, 228, 5832704] stripe[1, 5832704] is not found in dev extent
+ref mismatch on [131072 4096] extent item 0, found 1
+Backref 131072 parent 3 root 3 not found in extent tree
+backpointer mismatch on [131072 4096]
+ref mismatch on [4194304 4096] extent item 0, found 1
+Backref 4194304 parent 5 root 5 not found in extent tree
+backpointer mismatch on [4194304 4096]
+ref mismatch on [4198400 4096] extent item 0, found 1
+Backref 4198400 parent 1 root 1 not found in extent tree
+backpointer mismatch on [4198400 4096]
+ref mismatch on [4231168 4096] extent item 0, found 1
+Backref 4231168 parent 7 root 7 not found in extent tree
+backpointer mismatch on [4231168 4096]
+ref mismatch on [3472328296227680304 3472328296227680304] extent item 0, found 1
+Backref 3472328296227680304 root 1 owner 2 offset 0 num_refs 0 not found in extent tree
+Incorrect local backref count on 3472328296227680304 root 1 owner 2 offset 0 found 1 wanted 0 back 0x60800000bc20
+backpointer mismatch on [3472328296227680304 3472328296227680304]
+Dev extent's total-byte(0) is not equal to byte-used(7471104) in dev[1, 216, 1]
+Errors found in extent allocation tree or chunk allocation
+checking free space cache
+checking fs roots
+checking csums
+checking root refs
+checking quota groups
+==23294==ERROR: AddressSanitizer failed to allocate 0xe4ff4000 (3841933312) bytes of LargeMmapAllocator (error code: 12)
+==23294==Process memory map follows:
+==23294==End of process memory map.
+==23294==AddressSanitizer CHECK failed: /builddir/build/BUILD/compiler-rt-3.8.0.src/lib/sanitizer_common/sanitizer_common.cc:183 "((0 && "unable to mmap")) != (0)" (0x0, 0x0)
+ #0 0x4c90cd in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x4c90cd)
+ #1 0x4cfa73 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x4cfa73)
+ #2 0x4cfc61 in __sanitizer::ReportMmapFailureAndDie(unsigned long, char const*, char const*, int, bool) (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x4cfc61)
+ #3 0x4d8922 in __sanitizer::MmapOrDie(unsigned long, char const*, bool) (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x4d8922)
+ #4 0x42dbab in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x42dbab)
+ #5 0x4259fb in __asan::asan_calloc(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x4259fb)
+ #6 0x4bfd1a in calloc (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x4bfd1a)
+ #7 0x5c181a in __alloc_extent_buffer /home/lukas/dev/btrfsfuzz/src-asan/extent_io.c:542:7
+ #8 0x5c1c76 in alloc_extent_buffer /home/lukas/dev/btrfsfuzz/src-asan/extent_io.c:646:8
+ #9 0x58e01c in btrfs_find_create_tree_block /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:193:9
+ #10 0x58ea90 in read_tree_block_fs_info /home/lukas/dev/btrfsfuzz/src-asan/disk-io.c:339:7
+ #11 0x5f2f84 in read_tree_block /home/lukas/dev/btrfsfuzz/src-asan/./disk-io.h:112:9
+ #12 0x5f2d62 in travel_tree /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:692:7
+ #13 0x5f2bab in add_refs_for_implied /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:748:8
+ #14 0x5eff59 in map_implied_refs /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:766:9
+ #15 0x5eefa9 in qgroup_verify_all /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:1366:8
+ #16 0x51f08f in cmd_check /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:11637:9
+ #17 0x4f0f81 in main /home/lukas/dev/btrfsfuzz/src-asan/btrfs.c:243:8
+ #18 0x7f62fdcf0730 in __libc_start_main (/lib64/libc.so.6+0x20730)
+ #19 0x4213f8 in _start (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x4213f8)
+
+checking free space cache
+checking fs roots
+checking csums
+checking root refs
+checking quota groups
+ERROR: while mapping refs: -5
+checking extentsErrors found in extent allocation tree or chunk allocationfound 3472328296227696688 bytes used err is 0
+total csum bytes: 0
+total tree bytes: 16384
+total fs tree bytes: 4096
+total extent tree bytes: 0
+btree space waste bytes: 12674
+file data blocks allocated: 3472328296227680304
+ referenced 3472328296227680304
+extent_io.c:580: free_extent_buffer: Assertion `eb->refs < 0` failed.
+../btrfs[0x47a4a3]
+../btrfs[0x47a550]
+../btrfs(free_extent_buffer+0x6e)[0x47b73c]
+../btrfs(btrfs_release_all_roots+0x8c)[0x461cdf]
+../btrfs(close_ctree_fs_info+0x1f3)[0x46391a]
+../btrfs[0x424043]
+../btrfs(cmd_check+0xe1a)[0x43f352]
+../btrfs(main+0x12b)[0x40b581]
+/lib64/libc.so.6(__libc_start_main+0xf1)[0x7f970daf3291]
+../btrfs(_start+0x2a)[0x40afba]
--- /dev/null
+URL: https://bugzilla.kernel.org/show_bug.cgi?id=172811
+Lukas Lueg 2016-09-23 18:34:15 UTC
+
+More news from the fuzzer. The attached image causes a segmentation fault when
+running btrfsck over it; using btrfs-progs v4.7.2-55-g2b7c507.
+
+This may have the same cause as 156721; the call tree is different, though.
+
+The juicy parts:
+
+==19342==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000000e5 (pc 0x7f3b12e1df50 bp 0x7ffeb50b4260 sp 0x7ffeb50b39e8 T0)
+ #0 0x7f3b12e1df4f in __memmove_avx_unaligned (/lib64/libc.so.6+0x149f4f)
+ #1 0x4a982c in __asan_memcpy (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x4a982c)
+ #2 0x5c2d59 in read_extent_buffer /home/lukas/dev/btrfsfuzz/src-asan/extent_io.c:867:2
+ #3 0x52eaa6 in btrfs_node_key /home/lukas/dev/btrfsfuzz/src-asan/./ctree.h:1667:2
+ #4 0x5436c7 in check_fs_root /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:3661:3
+ #5 0x5224ef in check_fs_roots /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:3809:10
+ #6 0x51e772 in cmd_check /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:11533:8
+ #7 0x4f0ee1 in main /home/lukas/dev/btrfsfuzz/src-asan/btrfs.c:243:8
+ #8 0x7f3b12cf4730 in __libc_start_main (/lib64/libc.so.6+0x20730)
+ #9 0x421358 in _start (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x421358)
+
+parent transid verify failed on 4198400 wanted 65305493131755520 found 14
+parent transid verify failed on 4198400 wanted 65305493131755520 found 14
+Ignoring transid failure
+ERROR: add_tree_backref failed: File exists
+ERROR: add_tree_backref failed: File exists
+parent transid verify failed on 131072 wanted 36283884678912 found 4
+parent transid verify failed on 131072 wanted 36283884678912 found 4
+Ignoring transid failure
+ERROR: tree block bytenr 1280 is not aligned to sectorsize 4096
+checking free space cache
+checking fs roots
+root 5 root dir 41471 not found
+parent transid verify failed on 4198400 wanted 4 found 14
+Ignoring transid failure
+parent transid verify failed on 131072 wanted 36283884678912 found 4
+Ignoring transid failure
+ASAN:DEADLYSIGNAL
+=================================================================
+
+AddressSanitizer can not provide additional info.
+SUMMARY: AddressSanitizer: SEGV (/lib64/libc.so.6+0x149f4f) in __memmove_avx_unaligned
+==19342==ABORTING
--- /dev/null
+URL: https://bugzilla.kernel.org/show_bug.cgi?id=172861
+Lukas Lueg 2016-09-24 15:40:54 UTC
+
+More news from the fuzzer. The attached image causes a segmentation fault when
+running btrfsck over it; using btrfs-progs v4.7.2-55-g2b7c507.
+
+The juicy parts:
+
+==12279==ERROR: AddressSanitizer: SEGV on unknown address 0x6210010719f9 (pc 0x0000005f30bd bp 0x7ffcf39cc670 sp 0x7ffcf39cc670 T0)
+ #0 0x5f30bc in btrfs_file_extent_type /home/lukas/dev/btrfsfuzz/src-asan/./ctree.h:2083:1
+ #1 0x5f2f49 in add_refs_for_leaf_items /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:664:17
+ #2 0x5f2ba9 in travel_tree /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:704:9
+ #3 0x5f2c0a in travel_tree /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:719:9
+ #4 0x5f299b in add_refs_for_implied /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:748:8
+ #5 0x5efd39 in map_implied_refs /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:766:9
+ #6 0x5eed89 in qgroup_verify_all /home/lukas/dev/btrfsfuzz/src-asan/qgroup-verify.c:1366:8
+ #7 0x51ea14 in cmd_check /home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:11571:9
+ #8 0x4f0ee1 in main /home/lukas/dev/btrfsfuzz/src-asan/btrfs.c:243:8
+ #9 0x7f811e227730 in __libc_start_main (/lib64/libc.so.6+0x20730)
+ #10 0x421358 in _start (/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x421358)
+
+Extent back ref already exists for 0 parent 0 root 0
+Extent back ref already exists for 0 parent 0 root 0
+Extent back ref already exists for 0 parent 0 root 0
+Chunk[256, 228, 0]: length(4194304), offset(0), type(2) is not found in block group
+Chunk[256, 228, 0] stripe[1, 0] is not found in dev extent
+Chunk[256, 228, 4194304]: length(1638400), offset(4194304), type(5) is not found in block group
+Chunk[256, 228, 4194304] stripe[1, 4194304] is not found in dev extent
+Chunk[256, 228, 5832704]: length(1638400), offset(5832704), type(5) is not found in block group
+Chunk[256, 228, 5832704] stripe[1, 5832704] is not found in dev extent
+Chunk[256, 228, 7471104]: length(9306112), offset(7471104), type(5) is not found in block group
+Chunk[256, 228, 7471104] stripe[1, 7471104] is not found in dev extent
+ref mismatch on [0 4096] extent item 0, found 4
+Backref 0 parent 0 root 0 not found in extent tree
+Incorrect global backref count on 0 found 1 wanted 4
+backpointer mismatch on [0 4096]
+bad extent [0, 4096), type mismatch with chunk
+ref mismatch on [135168 4096] extent item 0, found 1
+Backref 135168 parent 3 root 3 not found in extent tree
+backpointer mismatch on [135168 4096]
+ref mismatch on [4202496 4096] extent item 0, found 1
+Backref 4202496 parent 1 root 1 not found in extent tree
+backpointer mismatch on [4202496 4096]
+Dev extent's total-byte(0) is not equal to byte-used(16777216) in dev[1, 216, 1]
+checking free space cache
+checking fs roots
+root 5 root dir 0 not found
+checking csums
+checking root refs
+checking quota groups
+ASAN:DEADLYSIGNAL
+=================================================================
+
+AddressSanitizer can not provide additional info.
+SUMMARY: AddressSanitizer: SEGV /home/lukas/dev/btrfsfuzz/src-asan/./ctree.h:2083:1 in btrfs_file_extent_type
+==12279==ABORTING