* [PATCH 1/3] btrfs-progs: check: orig: Don't panic out when unexpected root item is referring to one extent
@ 2018-07-05  7:45 Qu Wenruo
  2018-07-05  7:45 ` [PATCH 2/3] btrfs-progs: tests/fuzz: Add fuzzed test image for btrfs check BUG_ON Qu Wenruo
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Qu Wenruo @ 2018-07-05  7:45 UTC (permalink / raw)
  To: linux-btrfs

With a crafted image, an unexpected root item can refer to a certain extent, and
original mode uses BUG_ON() to handle such a case.

Fix it by gracefully returning an error.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=200403
Signed-off-by: Qu Wenruo <wqu@suse.com>
---
 check/main.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/check/main.c b/check/main.c
index 8db300abb825..6f1182106071 100644
--- a/check/main.c
+++ b/check/main.c
@@ -3724,7 +3724,12 @@ static int check_owner_ref(struct btrfs_root *root,
 		if (btrfs_header_owner(buf) == back->root)
 			return 0;
 	}
-	BUG_ON(rec->is_root);
+	/*
+	 * Some unexpected root item referring to this one, return 1 to
+	 * indicate owner not found
+	 */
+	if (rec->is_root)
+		return 1;
 
 	/* try to find the block by search corresponding fs tree */
 	key.objectid = btrfs_header_owner(buf);
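Review bot: the replacement `if (rec->is_root) return 1;` is silent, so when a crafted image has a root item referencing a block it does not own, the user only sees whatever the caller prints for a generic "owner not found" and nothing that identifies the offending root; emit a diagnostic here (for example through btrfs-progs' error() helper, naming `back->root` and the header owner of `buf`, both already in hand on the lines above) so this corruption is distinguishable from an ordinary missing owner. The comment should also say how the caller is expected to act on the returned 1, since the commit message describes it as an error while the comment calls it "owner not found".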
-- 
2.18.0



* [PATCH 2/3] btrfs-progs: tests/fuzz: Add fuzzed test image for btrfs check BUG_ON
  2018-07-05  7:45 [PATCH 1/3] btrfs-progs: check: orig: Don't panic out when unexpected root item is referring to one extent Qu Wenruo
@ 2018-07-05  7:45 ` Qu Wenruo
  2018-07-05  7:45 ` [PATCH 3/3] btrfs-progs: test/fuzz: Add image for BUG_ON() when opening the fs by btrfs check Qu Wenruo
  2018-07-16 16:15 ` [PATCH 1/3] btrfs-progs: check: orig: Don't panic out when unexpected root item is referring to one extent David Sterba
  2 siblings, 0 replies; 4+ messages in thread
From: Qu Wenruo @ 2018-07-05  7:45 UTC (permalink / raw)
  To: linux-btrfs

This fuzzed image will not only cause a kernel BUG_ON(), but also a btrfs
check BUG_ON() in original mode.

Checking filesystem on /home/adam/btrfs/crafted_images/runtime/0.img
UUID: 3381d111-94a3-4ac7-8f39-611bbbdab7e6
checking extents
check/main.c:3677: check_owner_ref: BUG_ON `rec->is_root` triggered, value 1
btrfs(+0x572c2)[0x562d65da72c2]
btrfs(+0x6098d)[0x562d65db098d]
btrfs(+0x60bb6)[0x562d65db0bb6]
btrfs(+0x6179b)[0x562d65db179b]
btrfs(cmd_check+0x1199)[0x562d65db5589]
btrfs(main+0x88)[0x562d65d62768]
/usr/lib/libc.so.6(__libc_start_main+0xeb)[0x7f4fcbb1b06b]
btrfs(_start+0x2a)[0x562d65d6288a]

Link: https://bugzilla.kernel.org/show_bug.cgi?id=200403
Signed-off-by: Qu Wenruo <wqu@suse.com>
---
 tests/fuzz-tests/images/bko-200403.raw.txt |  93 +++++++++++++++++++++
 tests/fuzz-tests/images/bko-200403.raw.xz  | Bin 0 -> 23252 bytes
 2 files changed, 93 insertions(+)
 create mode 100644 tests/fuzz-tests/images/bko-200403.raw.txt
 create mode 100644 tests/fuzz-tests/images/bko-200403.raw.xz

diff --git a/tests/fuzz-tests/images/bko-200403.raw.txt b/tests/fuzz-tests/images/bko-200403.raw.txt
new file mode 100644
index 000000000000..aae8ea4810bb
--- /dev/null
+++ b/tests/fuzz-tests/images/bko-200403.raw.txt
@@ -0,0 +1,93 @@
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=200403
+Wen Xu 2018-07-04 17:21:58 UTC
+
+Created attachment 277167 [details]
+The (compressed) crafted image which causes crash
+
+- Reproduce
+# mkdir mnt
+# mount -t btrfs 0.img mnt
+# gcc -o poc poc.c
+# ./poc ./mnt
+# umount mnt
+
+- Kernel message
+[  230.611533] BTRFS: device fsid 3381d111-94a3-4ac7-8f39-611bbbdab7e6 devid 1 transid 8 /dev/loop0
+[  230.632922] BTRFS info (device loop0): disk space caching is enabled
+[  230.632935] BTRFS info (device loop0): has skinny extents
+[  230.647496] BTRFS info (device loop0): creating UUID tree
+[  237.692643] ------------[ cut here ]------------
+[  237.692654] kernel BUG at fs/btrfs/volumes.c:1625!
+[  237.693822] invalid opcode: 0000 [#1] SMP KASAN PTI
+[  237.694867] CPU: 1 PID: 1387 Comm: umount Not tainted 4.18.0-rc1+ #8
+[  237.696177] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
+[  237.698177] RIP: 0010:btrfs_remove_chunk+0x37a/0xd60
+[  237.699209] Code: e0 48 39 85 28 ff ff ff 77 20 0f b6 85 27 ff ff ff 4d 89 6f 80 4c 89 f7 4d 89 67 89 41 88 47 88 e8 0b 01 f7 ff e9 f5 fe ff ff <0f> 0b 0f 85 5c 08 00 00 4d 8d 66 40 4c 89 f7 e8 42 f9 b6 ff 4c 89
+[  237.703034] RSP: 0018:ffff8801f0b0fad8 EFLAGS: 00010206
+[  237.704122] RAX: 0000000008000000 RBX: ffff8801ef4d7c38 RCX: 0000000000000000
+[  237.705572] RDX: ffffed003e161f30 RSI: 0000000000000e70 RDI: ffff8801f2a6ae70
+[  237.707035] RBP: ffff8801f0b0fc38 R08: ffff8801f0b0f9e0 R09: ffff8801f0b0fa20
+[  237.708485] R10: 0000000000000003 R11: ffffed003e161f7c R12: 0000000007400000
+[  237.709929] R13: 0000000000000001 R14: ffff8801f2bf0a50 R15: ffff8801f0b0fc10
+[  237.711391] FS:  00007f691b770840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
+[  237.713034] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[  237.714206] CR2: 0000000000cb0348 CR3: 00000001f26f8000 CR4: 00000000000006e0
+[  237.719741] Call Trace:
+[  237.720274]  ? btrfs_grow_device+0x240/0x240
+[  237.721193]  ? kasan_check_read+0x11/0x20
+[  237.722080]  ? mutex_lock+0x99/0xf0
+[  237.722854]  btrfs_delete_unused_bgs+0x4b6/0x5c0
+[  237.723836]  close_ctree+0x40a/0x460
+[  237.724586]  ? transaction_kthread+0x250/0x250
+[  237.725523]  ? dispose_list+0xa0/0xa0
+[  237.726303]  btrfs_put_super+0x25/0x30
+[  237.727110]  generic_shutdown_super+0xb9/0x1c0
+[  237.728032]  kill_anon_super+0x24/0x40
+[  237.728814]  btrfs_kill_super+0x31/0x220
+[  237.729630]  deactivate_locked_super+0x6f/0xa0
+[  237.730548]  deactivate_super+0x5e/0x80
+[  237.731352]  cleanup_mnt+0x61/0xa0
+[  237.732060]  __cleanup_mnt+0x12/0x20
+[  237.732835]  task_work_run+0xc8/0xf0
+[  237.733605]  exit_to_usermode_loop+0x125/0x130
+[  237.734530]  do_syscall_64+0x138/0x170
+[  237.735331]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[  237.736676] RIP: 0033:0x7f691b050487
+[  237.737457] Code: 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e1 c9 2b 00 f7 d8 64 89 01 48
+[  237.741327] RSP: 002b:00007ffdf3a06d98 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
+[  237.742889] RAX: 0000000000000000 RBX: 0000000000ca7030 RCX: 00007f691b050487
+[  237.744351] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000000cae1e0
+[  237.745814] RBP: 0000000000cae1e0 R08: 0000000000000000 R09: 0000000000000015
+[  237.747289] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007f691b55983c
+[  237.748750] R13: 0000000000000000 R14: 0000000000ca7210 R15: 00007ffdf3a07020
+[  237.750224] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too qxl drm_kms_helper crct10dif_pclmul syscopyarea sysfillrect sysimgblt fb_sys_fops ttm crc32_pclmul aesni_intel drm aes_x86_64 crypto_simd cryptd glue_helper 8139cp mii pata_acpi floppy
+[  237.760666] ---[ end trace 2e85051acb5f6dc1 ]---
+[  237.761718] RIP: 0010:btrfs_remove_chunk+0x37a/0xd60
+[  237.762827] Code: e0 48 39 85 28 ff ff ff 77 20 0f b6 85 27 ff ff ff 4d 89 6f 80 4c 89 f7 4d 89 67 89 41 88 47 88 e8 0b 01 f7 ff e9 f5 fe ff ff <0f> 0b 0f 85 5c 08 00 00 4d 8d 66 40 4c 89 f7 e8 42 f9 b6 ff 4c 89
+[  237.766977] RSP: 0018:ffff8801f0b0fad8 EFLAGS: 00010206
+[  237.768157] RAX: 0000000008000000 RBX: ffff8801ef4d7c38 RCX: 0000000000000000
+[  237.769672] RDX: ffffed003e161f30 RSI: 0000000000000e70 RDI: ffff8801f2a6ae70
+[  237.771147] RBP: ffff8801f0b0fc38 R08: ffff8801f0b0f9e0 R09: ffff8801f0b0fa20
+[  237.772650] R10: 0000000000000003 R11: ffffed003e161f7c R12: 0000000007400000
+[  237.774119] R13: 0000000000000001 R14: ffff8801f2bf0a50 R15: ffff8801f0b0fc10
+[  237.775598] FS:  00007f691b770840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000
+[  237.777297] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[  237.778496] CR2: 0000000000cb0348 CR3: 00000001f26f8000 CR4: 00000000000006e0
+
+
+===== Extra info for btrfs-progs ======
+It has one corrupted root item, (41 ROOT_ITEM 0) referring tree block
+29364224, which is also UUID tree root.
+It would cause original mode to hit BUG_ON().
+Checking filesystem on /home/adam/btrfs/crafted_images/runtime/0.img
+UUID: 3381d111-94a3-4ac7-8f39-611bbbdab7e6
+checking extents
+check/main.c:3677: check_owner_ref: BUG_ON `rec->is_root` triggered, value 1
+btrfs(+0x572c2)[0x562d65da72c2]
+btrfs(+0x6098d)[0x562d65db098d]
+btrfs(+0x60bb6)[0x562d65db0bb6]
+btrfs(+0x6179b)[0x562d65db179b]
+btrfs(cmd_check+0x1199)[0x562d65db5589]
+btrfs(main+0x88)[0x562d65d62768]
+/usr/lib/libc.so.6(__libc_start_main+0xeb)[0x7f4fcbb1b06b]
+btrfs(_start+0x2a)[0x562d65d6288a]
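Review bot: the Reproduce steps compile and run a `poc.c` that is neither attached nor described anywhere in this file (the attachment text only mentions the compressed image), so a reader cannot tell whether the kernel BUG_ON() needs the poc or just the mount and umount; either add the poc source or state what it does. The btrfs-progs backtrace at the end also needs the version or commit it came from: it cites `check/main.c:3677`, which already differs from the `-3724` hunk in patch 1, and the remaining frames are bare `btrfs(+0x...)` offsets that are only meaningful against that exact binary.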
diff --git a/tests/fuzz-tests/images/bko-200403.raw.xz b/tests/fuzz-tests/images/bko-200403.raw.xz
new file mode 100644
index 0000000000000000000000000000000000000000..569594570e6c26220e8cc1d2d6c71032cb4ff74b
GIT binary patch
literal 23252
zcmeHPcTiOMvL13ylCuPXWh4w)vV)R?<eZ}jgXA1UkSIgWNsyeg$bu|E2}4GZASg+Z
zAu2G$x%bxAt-4$9-KxcX-sh`#{yjByep7wAzy7+v{`G};fRPCZguOA-tcVF>!(ak|
zK;&aa2sGLayU!d1a=SpIi`&pjvdYvRx2&~aB=c+(KfycMSz`&G66lwd#!zbr8H|n9
z5GW>@3oTuZ=b+I2U`*HV9lPR-YE2C#cJ5yCQn52DOcRDaI<NLCb7Do18J_3+l*!^w
z`|o~8j)^}zKq_0cePRXY<zLdqcnSn#siII{!*!p+DwDVzJJO{-HziV2?0FkWs&0*L
z_e|Lh;emtLOr+{apZm+xqkFe8wUzXdkHysIX1U&cy*^g6UxtxN{xYud!Vq?Rv}mrg
zS}kwV8j7|jh+HBG@(9dQTAIYZE9&c4mF$mV<1@C*<;<CW@YO%6g1Pz(#lDw0(z%!t
z&WkAZiq(FAZ7^T2`s!s=iN^?*1S%y+LY4@G#PV3vgAo<G(77;_a4G8OlYw*QBlV?c
zX=NhrUnCbL(7KV{rq`fwBAZzzaL`Ge><gk(J}<9rWGAd~NBwG;P}7i+-HNxVB$k8G
zOpzs9-^rr<{u*wPd<f;4gEC(N9W1}0#d=ZIm8+Vb@~~Wse42yt$%>C!?y1_NSPu0!
z+LP}fVY-gn1k@zICE2L7=c=WCR7YOU)VWAX&U^U<4>TvPj}0|HS2LsE-jQ3{=ypwD
znqNff#d<yy<7T2_nwX_ayB}|59<k6GFKAR8H*xB0dHHec6b)i=Q@DiOO2^CgXC?n^
z+oq2+hDjQDPR<)18#v7IK-u$KG~_-i25_%#gA1HQG~uZs<2fl2n2_L|#ZTaGB6da`
z=3C#~q8Ubm<X+_VNm+831sdem5{XPCnhrP6AFg_^y=GS)#<~|6+S`o^fP=kLNwY0P
zg{s0FD%qLwQkV+$kD4@QlN0GhIgVX4AI8}YQ|5@{bUr7@5vo(XSKajvtFtv|`}B2v
zx&;>Y7|SS*H+*Xfbr|evIdZY^81bRA0;O2KlM9_B8R(N;#g2(0MU$tX-2IGEL?h@l
z9!0W>^Pr`(Y(aj5Zg}L^$B(-0`)=r>4wJ+nI3@KvZofU$P$Hg4qNuE~VtzT=z)fdn
z{AANX$Ea)5r`mXJ-4qA^<js7|`I!#bYlOx0I`rhdt_<oII|8Y&VP2Qz7OB1Fjq_LY
zhm++kiVM8&FJ8^}4l>pbQ+$z>eb-XMY3DE5{pC5E_5io&q*gE{7K8hyHKbi(4GE<R
zcbh7`R@c~T7ML@tI#6!p+8}Gg#7rAoExqw(Q;Bj`Di6{6l)VU=Zd!6Y>s$Dah@{Md
zzxh3h(hE;}nS|*RWT$M34?=}V_g2%}cqf8{jBh;47S7#8g!@XQN#00#k;DS`IlW)?
zHH_1RKP=elP()2P9469p8lgN@#wwfE%_yfU<fOJ#Nr*Gi1O~tA);C;C&CX3uk$3nD
zGaMk>Rmboz4ZERSPG4=syuYRv#)H@Gu-n8*^Yz=1O)!B__XuIfnIz_->L?3@wCcFo
z)F3aBOV6gyw3m(ANu?%%7M1?#P{AFPIG@$~Esw@E#Us7FXz!bX3qAMrlGrnFu`CB4
zN>OzSiD#BjW0ZU@Cg4R@qD{D}J&0+N%erpCIX^zkFXOO8@(f2#q-Dm2@FpE_dmqzx
z<7R4PUc9S&n@IL=zN6)ZMtnm7nj8ZRLVD_!U3Aq3K^O|!o<d;X`NHpXjJ{5O%Stj?
zH3w)S<$u^GuXwaJnOtK5`Y|RPBs)HYy+W<rPcK1|Am{<tr|iRp7RnOTxHRKsH{Irg
za}I~*oY9u0z`69;<arqfSap|OBZWzeMt7FCj*AOjZ&^O!kkQo1O_%(bBCp?KupiYz
z0V%Z0DUyhQKOe0tQNz=)B}G27G1Giu=v7&s8-2evw`?X}3y-Yl@wPUK=(uwn`-$(6
zwbM>c<N);zTt&0SiKE>7Eoa)(C5+*)oEK($rr+u?Jz+Yi4C3bq?6Sl6(aLe5q=-rW
z?T4fqv=?@cxQKg4oBr?4cP`R`&|juZ^N;S#WMN@Vv|yR*B+<Us$5?XpEiwGkpUAZP
zYdmA#?lQ}X;B09xZeBQ<SV!0PNzO^|LNOM#7lSW$W|&0><;j|p02s;wz1$GFCcck2
zHd4lo^@O1VW>Yb)=?JD(7s=H(hP*b;QlsDFiIu3mUlRfDR_=E`(1>(57{90?QP5kL
zk$%_UoOLbde7=#-xrcZT+;Iwh=5Tb_(vZ{P;Haz}3b$!S4*gJ+x}rz?PXgq39v#u-
zECodI6#(S-C<b8fPa`g1uq%cpU@*X7S7gV4!2pB(*!t_cJggIA8}#Zju+~GhS%#VB
z#W_=~SO)q8?K%WwvmimPAKVdo9bo@ZwpMZH9R2xD1I-j$2qflgeb;Gh76N-v7Pb?l
zS$Ge#dZQC-TmM18yIb)NMBQ&VV8o%{qS>D;42fEDxHBZ*XQh1Xw;1cloKazjvT2~j
zA&043x-oW?46074v4<}4#H?p;wZ{wJD2j6J{LG|9L9;^YkzIhYCvZG~z$8<>U6M1y
zqMXODRWK`yk_CCzs+Zy7%cVm5vPZ2k=8`fvykAm+R|4*^J9V?;T)%C?Ri|oFHrdbm
z1B%=$8u=%nkN;BI`|cbr156TNl2>TzT+!bFV)R`GTfoo;O^sSw3+g+RnNIL;H(FEU
zGJZHxK>1DMS!$9o2oUd!Vl+~w8((k;j=5BJFd*Z0dl8*;pJQt>_|W`Y+27Z(yW)TS
z1DI*%?v~&1rfDe`hTB90n`ql4d#RZ9xi%($DjXQa!`>-aDuE71%b9`T<C=9`JgM%i
zGT-0Hx^m-*yXHU_Kso^F0HphI{r)SW$M31(4L&t!S%9Is^}M&iTIhqy+JT2c$e3X8
z;&2Onzs!U296Yyfoo41T1$VO%3VPn{Wy(++gTboNnN^}n@9TWOa9|DcR)l1_^hHB`
z6vp3$E#ALLSZ6nEZOQJ@y9?>O)9?ARDHx>$RqMize3gz2!XQSO%Gp^^zi!z4a{Z=g
zj;0k&a(vk<q6EiKC?%cpi&`-MKAy1!w2Ov&pb#f&=RBX3MiR`|QdipNZxC+Pag4!8
z66euiO5P1QZN}TTD$w`Qh8Xjm8EHYZUYln+lcI*ipnaKS0lG6h-L0?mYM>OKL0R^!
zFBc^uhlJI<AX_Ht)#hH}lWt~IWCtzvoHbu7?g?cwCLi(EIJ%~tdMU5+*PerJ2L*qK
zEA2V-QNJMvuFSv~Mua(Dn^bu}60Wo<?P_ZD3mMIV@B2Ix0yZjyut71oha$W@&1gmP
zGOLJsV|g)RNEf5?AqVZPkJo(Looe(Z#lN|@%$NztAf)$>!b{I%&uy5HiE>s&b_Yh&
zeDhCAZ_OQoosO|FGpV>X2<<9@^NK%8M~95G4F(4?cK9%*Hon9L#nwxnx_&W^W&FBR
zYrbc7U00P2t|^(<DtM9a76g&g@fx|jjDEESGtX%jA{+@mEnBSb{IskLx)I=yAk2C0
zfw$G)-@WND_ld9HelLShLik0e8-16Se((f0z6D+9VgBZ{euU*x{UAzkR}lqGq!NT9
zSE5me^I=sR`c4g>X$%4^%`Bg(ROAy4r1Z&uZ2b1nl}Lhoq@&Re&ee6#ne>$Z7Rr(v
zs`u75uC6WM{)rN8-F9$Dd&dNRNsIiAEMl^Z=XUL>o%UjV^~bJB$7h_K(&_^qE96~o
z44MKjbh+FUv<OnezV58@)}|qR8R%2HZ1G>mp|`x~S$pM~+0zJg!B46hD{IBR#Nh=b
z-SJ-WyBvsb>6^q<8r)r9?VeoV&hDUdKzk6i?Nh#*J!9Ke{PjL=!s>f4gNMkMYNqz}
z-xNY+-)KmFI;5SRXPTnpcm9YUtjFQvAY-}A8BD@Snp+wF@FEwtcHE6Mm)%K{a&hKx
zxXHF2Q|&=i2t|4Ca~q@UyKmctiOGI*TOv@lYt3HQ5Ue61jHRf`JHB)pX_LhvX+_Ko
z^WX=c6Z6Jgb_mskuxx&aGJj%UlSO<tLj8CkNL*1R3(<7@lx-;iHx|^>(1R}l`Am6n
zTihGAZ-ZgepW-v=V|8cafv&&aC#U_Hk{1XhLo2-xt<~+3;EuFv(#q>~<^oHKd5Yn&
z?eUBZ2MWg+4n{`Vfrgi)r5FA0Z$I>^Uhm&<W@2;Si+3ZpDRcS^pNYjyI%*S=gP?Hj
z3|v(CLO0NA)FR}wgV*QPckP+++3N2fM8rgH<)>sH!s$<Ny1Kq{_z>hcxDFQiL%~%i
zO6gcKfnek@ZMtw^hX7JBsx@oqhJ;Ix63e<*NN&N)*%mcwhy2i{Fg%m<tml)u*)!Kw
zrJH{7DVw9UrqRx)Of>U5HV9uayL70OdGsKk_})}nQ3Y7!X=aX!;3G0(;nXxDWoI{1
z`Z&GK#k2HE5ouV#0~Rm)!(1)Gux#+kQ^R&a%a~lbug<pp8$t(J-X<ocR*nux-V7<Y
z^gywFA8jCvDQxMz$4={Jdx{*V1-tSuZ7qG9jlvPm+B|3bc#3ZfDaWDrEloJR?Ze0O
zTtd}sPXwvX8rJf`nJ@36ctg5JZm7tHHc+&L-lHW`kUm3{NyN#p3?9wBr4^EpME46C
zr%NV%+K8CcB_&X<CM=K3Nt42rP~XkeF6G)cI}{g^5nf{p@5`{r^42~nrqLG1Czldy
zl<2LMYr^ZK9l8aZ8dGJLx4qnuJ&Lf8+#)C+6yH+TBNbEC85xk>D<}E(bd#ct%6eFF
zmKxJ2`-MM8Ut0L+7H3rZMr4@mfj!mCI=`_h6$j0bpk~WEh_kKHP0o2r%TJeD6TOvG
z@Bv!k{b_xoNL19~^9OhFl%g$Z0_l4_u`xHck;#zsq(r|wlx0!ReuStRj|#IEX2TK#
zB5hOvlDy{4Yp(ZbQjzOJtFoef0of9F0^ZK`(Ba+5k_I#r&sf)&y(;pQjC5^AYx1|d
z=~<_$cc%`O9|-li3y8MK7i#((XbDw+{#3tQVnar8vBitOX`|#!8cMgR4}C)J*mKSE
z8teVA8~c>$tUjW5^_NPalOeBsaY0TC6V3b<_qJ<97bSBFgJ7|T8Ug`f<V<_3aDFRI
zW4{ScPpLpT*j*6953{Lxw8X}yd23F^T|8SnzCOa;)ItvvFJDJ9m?(w5sReh^ON6{9
zIyWX?u+ety!*mt2Y6xcQb+M)tUGkiGEDh&o(N@eRUm%ZfglZyXJyE%|GMFdC$tiP{
zzQNQ;|DnNJ%4cTD*<`}o(KQCmjQHdC{u4UzmD%&}dj1vj`yZ-<tBn#IZK$OIY#m_h
z09*gb*gBx00vhU{p8vXHz5rT<fWZJs@F$c60ni6P9{~LyH6;yzJ^=bZA?PPyID)pE
zjfG>W@3xZt#@9!b$n)z2VY^`sk!m5Q$GUo&wnZ;u+1tz$&VoUGr^>wF?DFhcQN4lu
zxyI%&h0;?K$#OlsuHW*edg$tmv~N;7_a|pIKDr(xHlLDlG)+C+Gc3~KEYuL<uIP@>
zf#FJND5Awu@c(ZhJ^qDE8_?;va;L)q(;l>yZ|h@4x^Y)VbXqZNVSMB^Za1ID%#B@G
z%m5ohSN~+M-|oCl&T7;H1-mFRYeE6<kp7G?SO#W@`-X#c${ML8dNew0FLZh08deRS
zNNfi6OV=Tyl4pB`u&=@^Qh{&Wxpx%|Q#G_9Yg#4FgNDNgDQIm!sdXm)@kSJ5khT>V
z9{Vg#CiH?`Zk}l?jgU(~T^!!uy&XR9L7sD4odxUJh}~k=a<nJ3b}@##F1UZ&#oA$a
zm;94n`FY1J?h8jTDwKYXxLGg#!P5Z<5AI4fkrfVPbp3_9qCD74WpUS~_|o<sZTzUG
z?#UQJ*?iX4L1n-01NE)iVIydQ*ISu9GKFtvIH3DIw-a=;FZh?YB%5wt>#?6xb;;7K
z5MmW|X@3*Az*~rnwxyM8@oR82m4V=7R`^yuQsv+4RlI9t{)o=f1OJoYlR{0n+ey6A
zdf`Lo@SjAk|4%m@|I6K_e`Muy6!RA#Hm@9;K)C>v3qZL5lneiQ74(Wl&R>v@{#zsm
zFbq&q043#*x3hte{IPup0K)(e13c_cZYKEYCsF`f@mIHjToDcasRrK!A-!sar*^_|
zG&3ju{jQNKzWsj@oPXHSXI5tXK)V8<`T*4js6IgT|I+5F|2x^_pJ@`<==3L-NdX4C
zqH_ZV0}S?K>sY|U01pE^>?fQ70+d`p$pw_$pGe6K6aNCj10g-axFm41|Gt_UG`cIb
k)P5)E4hW;71tTmhO#biBf~y$wsA#1GvHtM`Y-5wZ0aTx!T>t<8

literal 0
HcmV?d00001

-- 
2.18.0



* [PATCH 3/3] btrfs-progs: test/fuzz: Add image for BUG_ON() when opening the fs by btrfs check
  2018-07-05  7:45 [PATCH 1/3] btrfs-progs: check: orig: Don't panic out when unexpected root item is referring to one extent Qu Wenruo
  2018-07-05  7:45 ` [PATCH 2/3] btrfs-progs: tests/fuzz: Add fuzzed test image for btrfs check BUG_ON Qu Wenruo
@ 2018-07-05  7:45 ` Qu Wenruo
  2018-07-16 16:15 ` [PATCH 1/3] btrfs-progs: check: orig: Don't panic out when unexpected root item is referring to one extent David Sterba
  2 siblings, 0 replies; 4+ messages in thread
From: Qu Wenruo @ 2018-07-05  7:45 UTC (permalink / raw)
  To: linux-btrfs

Link: https://bugzilla.kernel.org/show_bug.cgi?id=199839
Signed-off-by: Qu Wenruo <wqu@suse.com>
---
 tests/fuzz-tests/images/bko-199839.raw.txt | 198 +++++++++++++++++++++
 tests/fuzz-tests/images/bko-199839.raw.xz  | Bin 0 -> 24400 bytes
 2 files changed, 198 insertions(+)
 create mode 100644 tests/fuzz-tests/images/bko-199839.raw.txt
 create mode 100644 tests/fuzz-tests/images/bko-199839.raw.xz

diff --git a/tests/fuzz-tests/images/bko-199839.raw.txt b/tests/fuzz-tests/images/bko-199839.raw.txt
new file mode 100644
index 000000000000..3e4b273d9ec7
--- /dev/null
+++ b/tests/fuzz-tests/images/bko-199839.raw.txt
@@ -0,0 +1,198 @@
+URL: https://bugzilla.kernel.org/show_bug.cgi?id=199839
+Wen Xu 2018-05-26 04:18:45 UTC
+
+Created attachment 276197 [details]
+The (compressed) crafted image which causes crash
+
+- Overview
+use-after-free in try_merge_free_space() when mounting a crafted btrfs image
+
+- Reproduce (4.17 KASAN build)
+# mkdir mnt
+# mount -t btrfs 8.img mnt
+
+- Kernel Message
+[  449.751861] BTRFS: device fsid 12b338de-a2e9-40fa-a4b0-90e53b7c5773 devid 1 transid 8 /dev/loop0
+[  449.757216] BTRFS info (device loop0): disk space caching is enabled
+[  449.757221] BTRFS info (device loop0): has skinny extents
+[  449.785096] BTRFS error (device loop0): bad tree block start 0 29396992
+[  449.788629] BTRFS info (device loop0): read error corrected: ino 0 off 29396992 (dev /dev/loop0 sector 73800)
+[  449.792965] BTRFS error (device loop0): bad fsid on block 29409280
+[  449.795193] BTRFS info (device loop0): read error corrected: ino 0 off 29409280 (dev /dev/loop0 sector 73824)
+[  449.795401] BTRFS info (device loop0): creating UUID tree
+[  449.883426] ==================================================================
+[  449.886228] BUG: KASAN: use-after-free in try_merge_free_space+0xc0/0x2e0
+[  449.888344] Read of size 8 at addr ffff8801ed10f030 by task mount/1291
+
+[  449.889947] CPU: 1 PID: 1291 Comm: mount Not tainted 4.17.0-rc5+ #6
+[  449.889951] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
+[  449.889953] Call Trace:
+[  449.889976]  dump_stack+0x7b/0xb5
+[  449.890274]  print_address_description+0x70/0x290
+[  449.890286]  kasan_report+0x291/0x390
+[  449.890296]  ? try_merge_free_space+0xc0/0x2e0
+[  449.890303]  __asan_load8+0x54/0x90
+[  449.890310]  try_merge_free_space+0xc0/0x2e0
+[  449.890318]  __btrfs_add_free_space+0x96/0x5e0
+[  449.890324]  ? kasan_check_write+0x14/0x20
+[  449.890331]  ? btrfs_get_block_group+0x1e/0x30
+[  449.890337]  ? block_group_cache_tree_search+0xef/0x150
+[  449.890343]  unpin_extent_range+0x376/0x670
+[  449.890350]  ? __exclude_logged_extent+0x160/0x160
+[  449.890358]  btrfs_finish_extent_commit+0x15b/0x490
+[  449.890371]  ? __find_get_block+0x106/0x400
+[  449.890378]  ? btrfs_prepare_extent_commit+0x1a0/0x1a0
+[  449.890384]  ? write_all_supers+0x714/0x1420
+[  449.890394]  btrfs_commit_transaction+0xaf4/0xfa0
+[  449.890402]  ? btrfs_apply_pending_changes+0xa0/0xa0
+[  449.890407]  ? start_transaction+0x153/0x640
+[  449.890414]  btrfs_create_uuid_tree+0x6a/0x170
+[  449.890419]  open_ctree+0x3b26/0x3ce9
+[  449.890429]  ? close_ctree+0x4a0/0x4a0
+[  449.890441]  ? bdi_register_va+0x44/0x50
+[  449.890451]  ? super_setup_bdi_name+0x11b/0x1a0
+[  449.890457]  ? kill_block_super+0x80/0x80
+[  449.890468]  ? snprintf+0x96/0xd0
+[  449.890479]  btrfs_mount_root+0xae6/0xc60
+[  449.890485]  ? btrfs_mount_root+0xae6/0xc60
+[  449.890491]  ? pcpu_block_update_hint_alloc+0x1f5/0x2a0
+[  449.890498]  ? btrfs_decode_error+0x40/0x40
+[  449.890510]  ? find_next_bit+0x57/0x90
+[  449.890517]  ? cpumask_next+0x1a/0x20
+[  449.890522]  ? pcpu_alloc+0x449/0x8c0
+[  449.890528]  ? pcpu_free_area+0x410/0x410
+[  449.890534]  ? memcg_kmem_put_cache+0x1b/0xa0
+[  449.890540]  ? memcpy+0x45/0x50
+[  449.890547]  mount_fs+0x60/0x1a0
+[  449.890553]  ? btrfs_decode_error+0x40/0x40
+[  449.890558]  ? mount_fs+0x60/0x1a0
+[  449.890565]  ? alloc_vfsmnt+0x309/0x360
+[  449.890570]  vfs_kern_mount+0x6b/0x1a0
+[  449.890576]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[  449.890583]  btrfs_mount+0x209/0xb71
+[  449.890589]  ? pcpu_block_update_hint_alloc+0x1f5/0x2a0
+[  449.890595]  ? btrfs_remount+0x8e0/0x8e0
+[  449.890601]  ? find_next_zero_bit+0x2c/0xa0
+[  449.890608]  ? find_next_bit+0x57/0x90
+[  449.890613]  ? cpumask_next+0x1a/0x20
+[  449.890617]  ? pcpu_alloc+0x449/0x8c0
+[  449.890624]  ? pcpu_free_area+0x410/0x410
+[  449.890629]  ? memcg_kmem_put_cache+0x1b/0xa0
+[  449.890634]  ? memcpy+0x45/0x50
+[  449.890641]  mount_fs+0x60/0x1a0
+[  449.890646]  ? btrfs_remount+0x8e0/0x8e0
+[  449.890652]  ? mount_fs+0x60/0x1a0
+[  449.890656]  ? alloc_vfsmnt+0x309/0x360
+[  449.890662]  vfs_kern_mount+0x6b/0x1a0
+[  449.890668]  do_mount+0x34a/0x18a0
+[  449.890673]  ? lockref_put_or_lock+0xcf/0x160
+[  449.890680]  ? copy_mount_string+0x20/0x20
+[  449.890685]  ? memcg_kmem_put_cache+0x1b/0xa0
+[  449.890691]  ? kasan_check_write+0x14/0x20
+[  449.890696]  ? _copy_from_user+0x6a/0x90
+[  449.890702]  ? memdup_user+0x42/0x60
+[  449.890708]  ksys_mount+0x83/0xd0
+[  449.890714]  __x64_sys_mount+0x67/0x80
+[  449.890723]  do_syscall_64+0x78/0x170
+[  449.890729]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[  449.890734] RIP: 0033:0x7fc36964fb9a
+[  449.890737] RSP: 002b:00007ffd268892f8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
+[  449.890744] RAX: ffffffffffffffda RBX: 0000000000e7f030 RCX: 00007fc36964fb9a
+[  449.890747] RDX: 0000000000e7f210 RSI: 0000000000e80f30 RDI: 0000000000e87ec0
+[  449.890750] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000014
+[  449.890753] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 0000000000e87ec0
+[  449.890756] R13: 0000000000e7f210 R14: 0000000000000000 R15: 0000000000000003
+
+[  449.891109] Allocated by task 1291:
+[  449.891832]  save_stack+0x46/0xd0
+[  449.891838]  kasan_kmalloc+0xad/0xe0
+[  449.891843]  kasan_slab_alloc+0x11/0x20
+[  449.891848]  kmem_cache_alloc+0xd1/0x1e0
+[  449.891854]  __btrfs_add_free_space+0x43/0x5e0
+[  449.891859]  add_new_free_space+0x22b/0x240
+[  449.891864]  btrfs_read_block_groups+0xae3/0xc60
+[  449.891868]  open_ctree+0x2cfc/0x3ce9
+[  449.891873]  btrfs_mount_root+0xae6/0xc60
+[  449.891878]  mount_fs+0x60/0x1a0
+[  449.891883]  vfs_kern_mount+0x6b/0x1a0
+[  449.891888]  btrfs_mount+0x209/0xb71
+[  449.891893]  mount_fs+0x60/0x1a0
+[  449.891897]  vfs_kern_mount+0x6b/0x1a0
+[  449.891902]  do_mount+0x34a/0x18a0
+[  449.891906]  ksys_mount+0x83/0xd0
+[  449.891911]  __x64_sys_mount+0x67/0x80
+[  449.891916]  do_syscall_64+0x78/0x170
+[  449.891921]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+[  449.892235] Freed by task 1291:
+[  449.892866]  save_stack+0x46/0xd0
+[  449.892872]  __kasan_slab_free+0x13c/0x1a0
+[  449.892877]  kasan_slab_free+0xe/0x10
+[  449.892882]  kmem_cache_free+0x89/0x1e0
+[  449.892888]  try_merge_free_space+0x274/0x2e0
+[  449.892894]  __btrfs_add_free_space+0x96/0x5e0
+[  449.892898]  unpin_extent_range+0x376/0x670
+[  449.892904]  btrfs_finish_extent_commit+0x15b/0x490
+[  449.892909]  btrfs_commit_transaction+0xaf4/0xfa0
+[  449.892913]  btrfs_create_uuid_tree+0x6a/0x170
+[  449.892917]  open_ctree+0x3b26/0x3ce9
+[  449.892922]  btrfs_mount_root+0xae6/0xc60
+[  449.892927]  mount_fs+0x60/0x1a0
+[  449.892932]  vfs_kern_mount+0x6b/0x1a0
+[  449.892937]  btrfs_mount+0x209/0xb71
+[  449.892942]  mount_fs+0x60/0x1a0
+[  449.892946]  vfs_kern_mount+0x6b/0x1a0
+[  449.892951]  do_mount+0x34a/0x18a0
+[  449.892955]  ksys_mount+0x83/0xd0
+[  449.892960]  __x64_sys_mount+0x67/0x80
+[  449.892965]  do_syscall_64+0x78/0x170
+[  449.892970]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+[  449.893286] The buggy address belongs to the object at ffff8801ed10f000
+                which belongs to the cache btrfs_free_space of size 72
+[  449.895793] The buggy address is located 48 bytes inside of
+                72-byte region [ffff8801ed10f000, ffff8801ed10f048)
+[  449.898035] The buggy address belongs to the page:
+[  449.898979] page:ffffea0007b443c0 count:1 mapcount:0 mapping:0000000000000000 index:0x0
+[  449.900562] flags: 0x2ffff0000000100(slab)
+[  449.901379] raw: 02ffff0000000100 0000000000000000 0000000000000000 0000000180270027
+[  449.902881] raw: dead000000000100 dead000000000200 ffff8801e0a676c0 0000000000000000
+[  449.904396] page dumped because: kasan: bad access detected
+
+[  449.905800] Memory state around the buggy address:
+[  449.906748]  ffff8801ed10ef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[  449.908165]  ffff8801ed10ef80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[  449.909577] >ffff8801ed10f000: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
+[  449.910969]                                      ^
+[  449.911933]  ffff8801ed10f080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[  449.913328]  ffff8801ed10f100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[  449.914720] ==================================================================
+[  449.916119] Disabling lock debugging due to kernel taint
+
+No kernel crash on plain kernel.
+
+- Reason
+https://elixir.bootlin.com/linux/v4.17-rc5/source/fs/btrfs/free-space-cache.c#L2161
+
+	if (left_info && !left_info->bitmap &&
+	    left_info->offset + left_info->bytes == offset) {
+		if (update_stat)
+			unlink_free_space(ctl, left_info);
+		else
+			__unlink_free_space(ctl, left_info);
+		info->offset = left_info->offset;
+		info->bytes += left_info->bytes;
+		kmem_cache_free(btrfs_free_space_cachep, left_info);
+		merged = true;
+	}
+
+	return merged;
+
+Regarding KASAN report, left_info is already freed but referenced (->bitmap). It is in fact freed just several lines after, namely kmem_cache_free(btrfs_free_space_cachep, left_info);
+
+Found by Wen Xu and Po-Ning Tseng from SSLab, Gatech.
+
+===== Extra info for btrfs-progs =====
+This image could cause btrfs-progs to BUG_ON() when opening the image.
+Fixed by "btrfs-progs: Don't BUG_ON() if we failed to load one device or one
+chunk".
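Review bot: the "Extra info for btrfs-progs" paragraph records neither where btrfs check hit BUG_ON() nor a backtrace, unlike bko-200403.raw.txt in patch 2, so the regression this image guards against cannot later be matched to the progs source; add the check output and the btrfs-progs version it came from, and put the fixing commit's id next to its subject "btrfs-progs: Don't BUG_ON() if we failed to load one device or one chunk". The "Reason" paragraph is also confusing as written: it says left_info is already freed when `left_info->bitmap` is read, but the only free it cites is the kmem_cache_free() a few lines later in the same if body; per the KASAN "Freed by task 1291" stack (try_merge_free_space+0x274 versus the read at +0xc0) that free ran in a previous call of try_merge_free_space(), which is the detail the explanation should spell out. Minor: this file opens with `URL:` while bko-200403.raw.txt uses `Link:`; pick one.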
diff --git a/tests/fuzz-tests/images/bko-199839.raw.xz b/tests/fuzz-tests/images/bko-199839.raw.xz
new file mode 100644
index 0000000000000000000000000000000000000000..c06d9540f708824e763b0e2cb0e66266326e31a6
GIT binary patch
literal 24400
zcmeHPWl$XIk{t*V+}$;}yF<_rAOs0+0YY&1z~B-H9xS-KWzayd!6gJ3+}%U4L1%B(
ztF3*zwYzoid+%;`_szfgH&gxfIo*Ax``ior>KOn4NZXLliiiL@1WEt^fIF@?0)sgr
z%Nqj#PWLcaK@&_#N}0%2)LgSUk!8Ce9QFEmlR9{k8!RS)pjsC&7#*#~U4S(gSiBL#
zfTy*pPYU*kUiX4FCI@2Lb}qZCSQ-^DzICir8GH1a+TB1;w?nV!Vw0t@*-$qnie$zU
z8a2m*fZNznut+PtJOR{>j$SV#?LpMf5Bxedz0I8(JNf*Z#Q8=q%rw^m$u#$I(2!^C
zZjJ2&j}vwh@|ilq08ZYmWj55Zkd1BjsbQMU*EQ{4lHO)HqvfR?9na(SoLIWJs!=_h
z2QuGkF*l(r%t&JUry;KuQoORfb#ub{%A|)fJaf4zUF&jJ?mqeJ_KOztu(q%>P)1h`
zerOaOrMLZ=ftLmvK-W02by5gm58*lGGgKe44*0mf=qC3x$|PL8fsxUJ{r%Y~&}_L9
z-97c{iGx~0MgbYr;|%#L#pBu(zK6NeYD{rMsh271Gr~zF?W`nQie-pBR)OwHC;fvh
zYOUm#0<NXl$#(r%HgB8HNEh6aTRPQIH^XLjI?fxF&QH5q&qwM9;yJZN?k(42+<)kQ
z$KaN2d`97S>g^b>M!c*brNabK9_YkYsc9oXGUWlecs(a{L=;1zsEE?RFIqBR(0Mdk
zNc5wY7%If%wiHzVxhk7m!(%ePRX2b+HuU2S$9W}=b0p&1hf8^rAp?5e^2=Rp77<OI
zKF56vDsi6(q?PiCSK`W`?hJt!i)7muIK4dgz#O_T(-_6qVDUP-2Q@C*oQIh^SL>0E
zeiNU9W0eaa_XWuhx?5i(Zhxqqpcipj6=pCrLw!7$nxdI=5J7hnOSak)cxj#*Lz5>>
zbfTqY)0DoVkxzktlf|csB)-q-lXxre<?I6+CUJ_Kn&UT(Hl}UyQej3i+in|~9=$=q
z{o~no3gc2YN%Nn$rGdy=*WhAoygd1QJ=a?ji#0sKrn$B?;OR&*>k*!4#!0g+m+tlD
zmz>oi!(ng$K6;EV7yo@n1H++Ws>pVyRvl}%$xX{sxfAV=Pu0dGm`SkN-r9U(TCfX6
zImn={p8{FXknbA=eEcj>3S6(}^tnMRsL{LdFpsCoa6K20Vt-%lZDcD;jQYl1H{=tN
z<4F75Zgf>DCyeVLgQ|6`?g^=pe)yjCOTCUg&r1ExEkoqT*ZuQVcegLu-AAbnY2~h$
zv?QUdmT2O@VK(~}kob?@b}rL$94S?6xp)F>7;X~O#akbWF$zmzQN$^`^IyKr;NjBk
zj0-yp3F@@!Wzt$!V+y7HprI{ah!7b~#aWwx_!Wb<02`_+t<>>0%(<7XJ-HSOsm&Pm
z4N1Y6`vuBCO}UjTM^yOiJxN8jBq<$(rZp=d6B+!p0`mgKN=V&lJK@YH!+yiMhyn>-
zI1c?;QHqPNyMDqx*s65k{4BR+f(!!<apFi>>zVV789BNSdom6Z7@Ps?*}u5>##J1y
zhOfDH-nhKy&LAabfdQ2-d46F~W7y9tt{8w(V(n^U$NMUO#O^&oA;OYs1=17_BnG`<
zuO*SR%yb4gAA*t9btq*cC|9)X*~-uUPO#myg)D9U85@K#$kJ_9S!wFAOeU)Ce3azu
zwv987<2@wB*}86op+o<!-K~(>K)GV30bS77SS{hf+wtRnA35knf)FoqQSGr)m$RA@
z=0pNsd6n5e;L#q|2q-agV7LhEfI~N}lKYNoe_ryOrdVD_=j;*&(?gcwu!)qk=m55a
zpHDol$U0Hd)Y9%}Yo_CIetXV8>qq^LO!{?St%)ODp92d)Oaw?H`a8(Xyvn5T%9^!7
zv#}a_j!8UZvtLlt;ru;4smdGo9`uE_xqU5JF0`sEu*LfwU>y7oiys*iO@Z{MQ1pWc
z4LjxZYAp>oNjgg|-kWfnbQYE>X@{`<ru9cYfs5_NorF;Mr69uVhdxm5V4PG-%rWk4
z8YLGVd-cG3kEkIGv<os8jP=Xxkwpr|Ff33Lb$rltvg`G{dZF@ZMOFZ@#4Gbrd)DTc
zAr_xHqyrkMiHPd7&Fq%Iiq}=$I_zs(ZJQSA<nC5;in}{#Ln<D@EPkw_ee3(OfG@XY
z+>Z>J@(r{zH@$+VvR#5@KE{<wDGzvz&*&n)_(5EraKDr$zfLIz>YlVhxAni?g5CK(
zM@ldXrd4#8^cBbv`(%)y>`GNtj;NL|mdBPUq^qw)hGI1pFZ4X`En8SYLw6Ok<OXF}
zo#Gkd8i;SZRU<fJ7>}`T<_k%2lBOC(T)T<3A2qVpGG9D>?C79#DQ!#CNW_$vh};hy
zfr}Sa%$+iTI1rhEj_6u@zLc(2fb#jbU&U&_E*JkAfsPwPzHlJ_fok*@Aj6sOcb9K?
z!2V#r0}mKHV1I5$4bL!mhW$@u7!IN_;Om1|7x1V96X8|js}u$Zuf|b=2S!J3YM&XS
zX3e?23RX2IdpaSAHlKNust5%fYs8(NtjphTTC(2(Ned!Q1MThotZN_|ery>0ren;l
zE1O<<7CIF~xz(d6yubDa*Ku0Gsb0ybs97)C^RevVuxG78^VU||k~Y7z{+Ut4jID%z
z<{JJ~G348ZAX!#kCdA~zdHfX`c~~sE3ki8~{KsR0XICZlcV0+HPsx=T4ja2&9y01z
z<^kuK7}8TTN!^u?ryq-5XtW<CVw4%EyRDQxHjQ)(fH?V%V{ZYoO4emTjnQvMzNezS
zCgH;9nkq4MJ(plkY?tLM=98d7I7rsm9();qO^?N7peTu3%tvm4z-cnfXO$w!#^}#@
z@v(PzIc0r=LjFhV94OhM;YiycJ*Ru{bPmR3qbOa26?iu6YLM$=DJgZp4ViUY(=$r_
zLJ2JDlS*c>_86<%VP+_WqP(BG2!vo!NWb%{2qC0%oS61KlOoiz_>;!*{~e91vqF?r
z8oYCbcdmb)@B}ZDe^Z$hLQn?G++6Q#brdRSN+O@9kEX85_P!7QG92JXDfoHa<=OEb
zy$j<?+%&JqKNDg7K>=>DoJ$!MPH=F7gA?3;_&?y+H6VYf2=W+YfVIm<Ztn&Y&HNeS
zWE>H_<i881UT!$o&5)$&YHr42q9xHr8}T~Kv#>MVMx^aj<ontuw=hI}XRpA?ot?5Q
zOy~h7=`}CNd)>3fm%-#*J>1W=h-lI4iXK^*O=lVQMIY?n53J9%uGyeTb63ACFWymb
zv{1r`1%z)F${DXTNm-VmqV=Z7VrfPTGkWK!j&S0P?kC=O=F}g~Fcj`s*fVw#;>aI$
zZDA(~4Wnrp=9{-_8siRp0}+vHa{{DAK_@Dt!pmag9VVnj<%^u4I}^Ii9|1e6#lsA?
z@2j|{UaH?tviJ>=wR|oT)(xYBU6R^NhPNclsBTmxw9W74+0s}?_89B!ZI2SV9}3}a
zC);}%?LA_s+Oa!oS1ZQDQ#}#Vqp6gaSa^9|AvXtfyU+J~f$fG}t*)~-Sg*Oogd$+K
z+Wv5`lvaDyKZJLh-TmbgbQ<P!-mraJw{fDY&)09zq?7wRvQ+pa;A&yJQ@E<gy37X@
zMj-4a5qr!c!EZ^_asJrR-zdCL^K;-2$QCbCi-?s3+w<qlMu9nEtkP_Gy-Lq$md)$}
z34L1;mgo{QZa$x)Rv%p;q3uABd^v6cqHQE}7>+oxiW>s690v4{AgQ096W-yQw(y+r
zj2<o_k3Qh%O~rf@Aiit5GFSv^TGo=V^Eu^1FlfO)ZNJ1<`bro32@H&TBa%j-h15(b
zwyt+)bfHk^(`I6Rfet{BXv{Yt-)Onf!fe&`USz4|+ndu%EI@TQlqI(}Q8aYb8D6(h
z6-9C#J7nv>4v6q@1aF5hp<QYqc5cRo<m&WUHPuL|(3{5dub8aoX%+cllGXZOldD3#
zpx1A4UnU?sQ+A#+I?|oGY%Q>CyyFdxoWIt~>Ct(j$^t$E7ZT#9&l5#4o6vFq{odQ`
zdI);T-{>9}tXUbS<xi-YIEyrtHWg$doa=ed_d&)(c=g+wz~spZvM)GNlB3xsNclsS
z{FFE1!q8(canxDN61z&tv1v;2U&kiXH>ELnd`Fxe&`7jbA>`g015W1G@6{Pn1;!zn
zG*I<uF9UQ=L$?tSR^0bR9}YYNd5UfPI*5Z&N7F<PL8<%uu-qd97ZWNOtkPGNo4j0(
zhYfQJZ@WVkq<P5_37(TbvRFEL(PdOp(f^_GNB!=6=n&``-J!TDSN1(1x4SM~uNs1w
zfgmmM{dOZm`@Ukw-v!xvu!uCmPgk!JHVX}Qjk#)T_qlIznpM;e8OEW7JRH@sqMBPr
zr*$^1bE^`}dcyWot8<}IZMSwHdftdLMgvC~J`SmLDnHF+Wrw*P?h@?!@rtCL-t?Kk
z&%MI>*2*Yb<@#%ze82z`9nrzK=LbRR-y8aBJsu8q#`P+|_A8fmD85=8C;~ewI0f$c
zA7Z%`3C>!FL&M^nvn>xNuPlS16!w;$Xl$d1>Q9m!>Yh^Th7PYek(Gd<dDo%=Q}L#&
zuL5{T4jHZd)fmQ~EYwpD1)nJbQhUIs5zGSCLj2Fhy~f-r0Rcl$(5n|4&jeMF@0mvo
z8x9M}5NrmRJH_&m$JH#$G?QlTXZ^2~z6lUKUY2U{`MD<KU;MV}wuszCxZ8o;tZX2s
z!&yQih)uqM5*cFhg&>-zFy?Ee+H`@Vt{}Vli#HO>Q76g4)kRinv|ydH9jIt&>3OcQ
ztT#mLVl)c<%zO`g&i?KKw(PhV#1M{y_{~>XosvA)kSVYY87VmNm^rc9oo<&rXUe9Y
zWz6nq`F_e&bOX<e|2T6a0OlRH&$PjRCOnBcYUAP~_QX9c?xo{rh2CnlzP8<i*GZ`Z
z2EI>qEJ3HVmq>_lz1Tj-b)(H^qOTgS;*TTUZ~~r_CA9`vjf*D$1g~CaYfme5iGg>8
zl6Diiz0VAgQv|N_%H9aMW8kZ#Ew~<!nqwPBnekC+&E&JCVt$zQGE$n}qB8{B2Uin-
z_{wQg6_4jyIF0)yW^%zTR+uD5`w(WQOuoU7vf+A*?t%AX_?WTxrPk9Bs>aKl)X98`
z{aTlsXU0Te&7YC3lAx*fl1g4N?&7ceQ91lfh)dnY9fvz$!toDBix!uMci*kQ$>wmN
zbcC+D)u&Fwh*!85%I{7HX4RN-gqOrdT97%H%e0?7U0&->$2M_kJp3AO=}^EUi(_B(
zW*0;KfL!fqq0oz`CyALgK~<^Wpjz`gIEBXvqbp8}a^KsQc&FK#B@j^&0XUHN$hg4D
z#HD>bEPQ0gk3fuG**LVWxpz#pL{=O{ble5HKR&q}oK6~VxdG;9Dp`+c4Ao{il>%ji
z%v^NM4DVXog1+OqD4dU8=eT(mI15itOqkb^=%O_#Q#byk?}+a%bK!$L=S@bWw0>nK
zHpEMe&)Kw}1goKak-Cl2+>-6wR6%LfVpJ9MfldvSu0~v`$;>zVB7u~Eq&7i(INO%o
zg=;U7U@pmfZ!(<168$=vakA>ihXD}urAg<Gz=v!8na}up2yEV8S#|d<q|O}cIn!Zw
zdW^7-{W7bfSrT(98b>HOiQ^x9x7~tS?fI+E6fLy-pVoOPV_m;~73cmMH+;c)BYh+=
zvY9nVZ%BTm7*OIMNE<e_`E_Q0Y<Vz2^CjBy+rHq6II?HrO5+AN^N~rx6JLvG({f$Z
zdR$kB5)W}DF)KxMxlqRQ+P}}y4_<z}Ok(ADk3JEm6tV&VlMO*BWE^fa>A#ClPE{X`
zkFq&BvY_`vSX-&_1@2<vf}cjiZr#6<&npO-1_8Sskzl%ixcj;*bew+RX<J{1u$et&
zcYfP)Sx(^7ko}k$_#yNQ=VDXvez}6ljh7GeJ<OZyO;$_}x?mP@ff<5Ox|kOKJKmqg
zz*V4Tm5(tUcJZl9j<P>njDQONgsb)AkK!ma5~i*rrf<F8R3Z}kAzg;hMkC7ypImz@
z8^6G*$Z5+@qj>xfXt%3{OQg;U9y#6l`M`w!h=ua>s!zl%AaLOwY2<MI$Z}{=P|)Y8
zL}tcSk8d?<9d@lj%*9W4`P=BDyU)uN8d%HQx^uA(FOR0*+d6;{_vLX(`kKFbg1HHs
z)?7}H*oY?PfOVBGzmFuJx@3^E#8te(&b=|XN90{}m^WJPUSxNOng<Y8Y214tnD10Q
zy4iI<x)O0`B%)}%->iwf65T>6G-wfwQDl5laaKsM&pgpMLz9}~bTH3V)-ZP4DsD8{
zeMt^+Ovs*132Z{Y(I0W|!IkoTK{W;bZ70iLJhB&oY`NGqLd!`62#RdKU{%HslNdm_
zT~VInYso!}=lBFVtqUt7qU4Pt=9{!rE018%VzNm?T6;N?k^IUn5miRYj1Sy!1M+eh
zTCLpM6-YSDtF;%%7CcfpyId}EP=Z;`X6iEZ3puUYo6VQvjRs={mISGNI?Z5P4SR=&
zWODIZXWPkf!lgZDLOj;UMBs<+i3uR?n|cj1OR@`%WE|t#Kko_z8*9x1d}4)9tni8T
zf7!$eUsr&yEBsmOnQ)c-Z&JzOkc2}L4#|JF=l!d7T{tA+kc2}L4#~ggR^?Z7*eN0d
z;Gl#fe1P)-BTywQkKK0b^%8QGWbq!m4YEC5pU=Cz!*ZB)zc;Wz;7omdFwx8IkOb#W
zSpG~QGzM2sHQGL?SOkdgy<Tjt?DK40fWb>3jLcDu{;<CO5ofESlBYA4@tLN^*h1-T
z*vAE2>sq@$YPQ9x>+r~oM&*Dc!Ytb-t{k7FidqHG^jWEtcE+W(HkE2wZu^Sjd&@Rz
zacW3~1BQa4Fy##|9DKVl9cs@4Xx?5M2l!wB>gde+@j}LVBuN(zyH4T`C5T0Qt)6rB
z<Z55!m|7{f=TX=ijV7zE(>y43`ymhKy@7T!_GgE$Y!}DHJzJ#<RnUHATsY@LT~jxR
zSh>HfE|+#?5B*8=w_F_kx>x+`-TZ&($<DuB$K0sHcHk<_A601{E)m552g6rO*Gwn)
z2`3pDexTf1DG^FRRE_VwW7O@NwNr{WK-Nx%%&DKzxOf`_uk+FBqs!i+dDVSBihptb
zPA(z{(^77-ItzfgS-$&I?)+^Enl(LEXG^otIXjamvp?}eU*b?b_ljmmuw~8q@gk_Q
z%HB}6my44YV#>>^r6d(0L(~(q+g>2bo2Rm|hFlEQQ{`L|hLU%e;wsv0o(o!kU5F7*
zF85ZBy|q7>I4~6_XrQ7lUy6^>7Tn<lc-PPz+fEP5NjZ^GMb~3b%Hu9+G*q=9?svC;
zX~9F9!A_M5I|W}Op-ysHUq$UT)tbUOB4h_*B?{+K#MveKgt-!v!XL{vBv7>AkC;np
z-CRIxgI9x1gGM4$Xx_O-d0Xyfa&!R?jkF22a=1d@8E9H0x~mxVI@Blb<PMCXA|2-}
z7s(ArN*n#N$)!Cs=E88m{ZYWduM2<wi7Z@$fom}T6AS(D2^l^i!zX0;g#3SbLWXk~
zoWtN82Inw1hyA16VE#>7`Y$bfex0E9ucHwM;Lu&f@GQHal*;K=H4@kUpHhnWJq}Dz
z>y`?*TmhFW;9FeqEv~=Mxb4@oKHQ(|cbe?|Yng-x3?8sQ$2S6=VQ`Hau2KId_NMSE
z`3L=A;Q@mO?9X)^hG!T&!~Q>K7*KQ+fC@Nt9dJ9em;exmK{BWFd8+{kr5y-BAW-Hv
Wul#J2m>+~B;yjOj`wT$RH~1H8_y~aj

literal 0
HcmV?d00001

-- 
2.18.0



* Re: [PATCH 1/3] btrfs-progs: check: orig: Don't panic out when unexpected root item is referring to one extent
  2018-07-05  7:45 [PATCH 1/3] btrfs-progs: check: orig: Don't panic out when unexpected root item is referring to one extent Qu Wenruo
  2018-07-05  7:45 ` [PATCH 2/3] btrfs-progs: tests/fuzz: Add fuzzed test image for btrfs check BUG_ON Qu Wenruo
  2018-07-05  7:45 ` [PATCH 3/3] btrfs-progs: test/fuzz: Add image for BUG_ON() when opening the fs by btrfs check Qu Wenruo
@ 2018-07-16 16:15 ` David Sterba
  2 siblings, 0 replies; 4+ messages in thread
From: David Sterba @ 2018-07-16 16:15 UTC (permalink / raw)
  To: Qu Wenruo; +Cc: linux-btrfs

On Thu, Jul 05, 2018 at 03:45:56PM +0800, Qu Wenruo wrote:
> With crafted image, expected root item can refer to certain extent, and
> original mode uses BUG_ON() to handle such case.
> 
> Fix it by gracefully return error.
> 
> Link: https://bugzilla.kernel.org/show_bug.cgi?id=200403
> Signed-off-by: Qu Wenruo <wqu@suse.com>

Please send cover letter for patchsets with more than one patch.
Patches 1-3 applied, thanks.
