Ubuntu
linux package

btrfs: Automatic balance returns -EUCLEAN and leads to forced readonly filesystem

Bug #1934709 reported by Matthew Ruffell
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Fix Released
Undecided
Unassigned
Bionic
Fix Released
Medium
Matthew Ruffell

Bug Description

BugLink: https://bugs.launchpad.net/bugs/1934709

[Impact]

During an automatic balance, users may encounter an error when writing the transaction log to disk, when the log tree is being parsed, which forces the filesystem to be remounted read-only and outputs the following kernel oops:

BTRFS: error (device dm-14) in balance_level:1962: errno=-117 unknown
BTRFS info (device dm-14): forced readonly
BTRFS: Transaction aborted (error -117)
WARNING: CPU: 7 PID: 10818 at /build/linux-99Rib2/linux-4.15.0/fs/btrfs/tree-log.c:2908 btrfs_sync_log+0xa28/0xbc0 [btrfs]
CPU: 7 PID: 10818 Comm: qemu-system-s39 Tainted: G OE 4.15.0-136-generic #140-Ubuntu
Hardware name: IBM 3907 LR1 A00 (LPAR)
Krnl PSW : 0000000076bc1d64 000000009cc65255 (btrfs_sync_log+0xa28/0xbc0 [btrfs])
           R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 RI:0 EA:3
Krnl GPRS: 007899a600000000 0000000000000006 0000000000000027 0000000000000007
           000003ff801fdd8c 000000000002394c 00000053650a7000 ffffffffffffff8b
           000000536b7f6000 00000053ffffff8b 00000053650a3800 0000005385935000
           000000532054de01 0000005385935290 000003ff801fdd8c 0000004eebb1fae0
Krnl Code: 000003ff801fdd80: c0200002a032 larl %r2,000003ff80251de4
           000003ff801fdd86: c0e5fffb2181 brasl %r14,000003ff80162088
          #000003ff801fdd8c: a7f40001 brc 15,000003ff801fdd8e
          >000003ff801fdd90: e3a0f0a80004 lg %r10,168(%r15)
           000003ff801fdd96: b9040057 lgr %r5,%r7
           000003ff801fdd9a: a7490b5c lghi %r4,2908
           000003ff801fdd9e: b904002a lgr %r2,%r10
           000003ff801fdda2: c0300002604f larl %r3,000003ff80249e40
Call Trace:
([<000003ff801fdd8c>] btrfs_sync_log+0xa24/0xbc0 [btrfs])
 [<000003ff801c74e2>] btrfs_sync_file+0x3e2/0x550 [btrfs]
 [<00000000003ce6ce>] do_fsync+0x5e/0x90
 [<00000000003ce9ca>] SyS_fdatasync+0x32/0x48
 [<00000000008ffe5c>] system_call+0xd8/0x2c8
Last Breaking-Event-Address:
 [<000003ff801fdd8c>] btrfs_sync_log+0xa24/0xbc0 [btrfs]
BTRFS: error (device dm-14) in btrfs_sync_log:2908: errno=-117 unknown
BTRFS error (device dm-14): pending csums is 269639680

This bug appears to be linked to bug 1933172, but is different and has a different root cause. Again, I believe that this is a regression introduced in the fixing of CVE-2019-19036, from 4.15.0-109-generic.

[Fix]

Analysis of the kernel oops is as follows:

The first thing we see is that BTRFS entered ERROR state with the reason:

in balance_level:1962: errno=-117 unknown

Now errno -117 is:

100 #define EUCLEAN 117 /* Structure needs cleaning */

btrfs treats -EUCLEAN as if corruption has happened. Let's see where this is returned from.

If we start at fs/btrfs/ctree.c in balance_level(), line 1962:

1917 static noinline int balance_level(struct btrfs_trans_handle *trans,
1918 struct btrfs_root *root,
1919 struct btrfs_path *path, int level)
1920 {
...
1958 /* promote the child to a root */
1959 child = read_node_slot(fs_info, mid, 0);
1960 if (IS_ERR(child)) {
1961 ret = PTR_ERR(child);
1962 btrfs_handle_fs_error(fs_info, ret, NULL);
1963 goto enospc;
1964 }
...
2136 }

We are in the middle of a balancing operation, and if you happen to be familiar with how b-tree data structures work, we are promoting a child node to a topmost root node.

The error most likely happens in read_node_slot(), with the lines after it printing that an error has happened.

1887 static noinline struct extent_buffer *
1888 read_node_slot(struct btrfs_fs_info *fs_info, struct extent_buffer *parent,
1889 int slot)
1890 {
...
1900 btrfs_node_key_to_cpu(parent, &first_key, slot);
1901 eb = read_tree_block(fs_info, btrfs_node_blockptr(parent, slot),
1902 btrfs_node_ptr_generation(parent, slot),
1903 level - 1, &first_key);
...
1910 }

There are two calls here which are relevant. btrfs_node_key_to_cpu() and read_tree_block().

Let's look at read_tree_block() in fs/btrfs/disk-io.c:

1147 struct extent_buffer *read_tree_block(struct btrfs_fs_info *fs_info, u64 bytenr,
1148 u64 parent_transid, int level,
1149 struct btrfs_key *first_key)
1150 {
1151 struct extent_buffer *buf = NULL;
1152 int ret;
1153
1154 buf = btrfs_find_create_tree_block(fs_info, bytenr);
1155 if (IS_ERR(buf))
1156 return buf;
1157
1158 ret = btree_read_extent_buffer_pages(fs_info, buf, parent_transid,
1159 level, first_key);
1160 if (ret) {
1161 free_extent_buffer_stale(buf);
1162 return ERR_PTR(ret);
1163 }
1164 return buf;
1165
1166 }

The interesting one here is btree_read_extent_buffer_pages():

498 static int btree_read_extent_buffer_pages(struct btrfs_fs_info *fs_info,
499 struct extent_buffer *eb,
500 u64 parent_transid, int level,
501 struct btrfs_key *first_key)
502 {
...
511 while (1) {
512 clear_bit(EXTENT_BUFFER_CORRUPT, &eb->bflags);
513 ret = read_extent_buffer_pages(io_tree, eb, WAIT_COMPLETE,
514 btree_get_extent, mirror_num);
515 if (!ret) {
516 if (verify_parent_transid(io_tree, eb,
517 parent_transid, 0))
518 ret = -EIO;
519 else if (verify_level_key(fs_info, eb, level,
520 first_key))
521 ret = -EUCLEAN;
522 else
523 break;
524 }
525
526 /*
527 * This buffer's crc is fine, but its contents are corrupted, so
528 * there is no reason to read the other copies, they won't be
529 * any less wrong.
530 */
531 if (test_bit(EXTENT_BUFFER_CORRUPT, &eb->bflags) ||
532 ret == -EUCLEAN)
533 break;
...

If read_extent_buffer_pages() returns zero, we call verify_level_key(), and if this returns non-zero, we return -EUCLEAN.

verify_level_key() can fail on three conditions.

 440 static int verify_level_key(struct btrfs_fs_info *fs_info,
 441 struct extent_buffer *eb, int level,
 442 struct btrfs_key *first_key)
 443 {
 448 found_level = btrfs_header_level(eb);
 449 if (found_level != level) {
...
 456 return -EIO;
 457 }
 458
 459 if (!first_key)
 460 return 0;
 461
 462 /* We have @first_key, so this @eb must have at least one item */
 463 if (btrfs_header_nritems(eb) == 0) {
 464 btrfs_err(fs_info,
 465 "invalid tree nritems, bytenr=%llu nritems=0 expect >0",
 466 eb->start);
 467 WARN_ON(IS_ENABLED(CONFIG_BTRFS_DEBUG));
 468 return -EUCLEAN;
 469 }
 470
 471 if (found_level)
 472 btrfs_node_key_to_cpu(eb, &found_key, 0);
 473 else
 474 btrfs_item_key_to_cpu(eb, &found_key, 0);
 475 ret = btrfs_comp_cpu_keys(first_key, &found_key);
...
 487 return ret;
 488 }

1) If the eb level doesn't match the provided level.
2) If the eb has 0 items.
3) If the found_key doesn't match the first_key.

With the information we currently have, we don't know what one caused the problem.

I looked to see when verify_level_key() was first introduced. It seems it arrived in 4.15.0-109-generic through the SRU of CVE-2019-19036, with the commit:

ubuntu-bionic 50ab1ff51db0c5eb77ffc6f15ef32f07764f86ff
Author: Qu Wenruo <email address hidden>
Date: Thu Mar 29 09:08:11 2018 +0800
Subject: btrfs: Validate child tree block's level and first key
Link: https://paste.ubuntu.com/p/DQjTkfNRDt/

If you look at this particular hunk:

https://paste.ubuntu.com/p/z4qXw2Jp9K/

We see lines 18 - 26 of the above pastebin are introduced here.

Looking at the original upstream commit:

commit 581c1760415c48cca9349b198bba52dd38750765
Author: Qu Wenruo <email address hidden>
Date: Thu Mar 29 09:08:11 2018 +0800
Subject: btrfs: Validate child tree block's level and first key
Link: https://github.com/torvalds/linux/commit/581c1760415c48cca9349b198bba52dd38750765

Particularly the same hunk:

https://paste.ubuntu.com/p/vW3Y9BvK4C/

There is a subtle difference, the second if statement is extended with the ret == -EUCLEAN check, and not implemented entirely.

Why is this?

I looked up when the if statement was first introduced, and it was a very old commit from v2.6.39-rc1:

https://paste.ubuntu.com/p/vPT36xXq66/

Particularly this hunk:

https://paste.ubuntu.com/p/2jmQRSmVfc/

Interesting. Why is a commit from 4.15-109-generic re-implement something that should have been there since 2.6.39?

I checked upstream, and found the if statement to be removed entirely.

That is when I came across:

commit f8397d69daef06d358430d3054662fb597e37c00
Author: Nikolay Borisov <email address hidden>
Date: Tue Nov 6 16:40:20 2018 +0200
Subject: btrfs: Always try all copies when reading extent buffers
Link: https://github.com/torvalds/linux/commit/f8397d69daef06d358430d3054662fb597e37c00

Which talks about balance operations failing out of the blue after a raid 1 disk was added back to the array. The commit removes the if statement, and moves the location of the clear EXTENT_BUFFER_CORRUPT inside the while loop.

I checked the Bionic 4.15 kernel, and I found that this commit was applied in 4.15.0-56-generic:

ubuntu-bionic 03e1b5c9a1c1704e109466b375d09a4721b65ec5
Author: Nikolay Borisov <email address hidden>
Date: Tue Nov 6 16:40:20 2018 +0200
Subject: btrfs: Always try all copies when reading extent buffers
Link: https://paste.ubuntu.com/p/TS2c5Mptr2/

It appears that the if statement was removed in 4.15.0-56-generic intentionally, and was brought back mistakenly in a backport of "btrfs: Validate child tree block's level and first key" 4.15.0-109-generic.

The root cause is likely some interaction between bug 1933172 and this bug, which leads to EXTENT_BUFFER_CORRUPT being set, or the incorrect first_key being set for the root node, which means we end up returning -EUCLEAN and aborting the transaction.

Unfortunately, this is the second bad backport of CVE-2019-19036.

The fix is to revert "btrfs: Validate child tree block's level and first key" and its dependency commit "btrfs: Detect unbalanced tree with empty leaf before crashing btree operations", and re-apply correct backports of these commits with that if statement removed, to keep the spirit of the already applied "btrfs: Always try all copies when reading extent buffers".

We will also add the below commits as they are fixup commits for
"btrfs: Validate child tree block's level and first key".

commit 5d41be6f702f19f72db816c17175caf9dbdcdfa6
Author: Qu Wenruo <email address hidden>
Date: Fri Apr 13 06:32:47 2018 +0800
Subject: btrfs: Only check first key for committed tree blocks
https://github.com/torvalds/linux/commit/5d41be6f702f19f72db816c17175caf9dbdcdfa6

commit 17515f1b764df36271f3166c714f5a78301fbaa7
Author: Qu Wenruo <email address hidden>
Date: Mon Apr 23 17:32:04 2018 +0800
Subject: btrfs: Fix wrong first_key parameter in replace_path
Link: https://github.com/torvalds/linux/commit/17515f1b764df36271f3166c714f5a78301fbaa7

[Testcase]

Unfortunately, the customer did not image the affected filesystem and has since restored a backup ontop of it.

I have been attempting to reproduce this issue for some time, but I have not experienced the same call trace. I ran into bug 1933172 while trying to reproduce this bug.

I have been trying to balance nearly full btrfs filesystems, and I have looped xfstests btrfs/124 for hours attempting to trigger "btrfs: Always try all copies when reading extent buffers" but I haven't experienced a crash yet.

I have a test kernel in the following ppa:

https://launchpad.net/~mruffell/+archive/ubuntu/sf311164-test-2

If you install it, balances still complete as expected.

I will keep attempting to reproduce the issue, and will update this section if I manage to create a testcase.

For regression testing, I have run xfstests btrfs/* on both 4.15.0-136-generic and the test kernel, and they both share the same results:

4.15.0-136-generic from -updates:

https://paste.ubuntu.com/p/4MpZ5YVMnv/

4.15.0-136-generic test kernel from above ppa:

https://paste.ubuntu.com/p/CsxzbCkJmJ/

[Where problems could occur]

If a regression were to occur, it would affect users of btrfs filesystems, and would likely show during a routine balance operation.

I believe affected users would have nearly full filesystems, and would also experience filesystem corruption from bug 1933172, which would then cause the issues from this bug when the transaction log is written to disk.

With all modifications to btrfs, there is a risk of data corruption and filesystem corruption for all btrfs users, since balances happen automatically and on a regular basis. If a regression does happen, users should remount their filesystems with the "nobalance" flag, backup their data, and attempt a repair if necessary.

[Other info]

A community member has hit this issue before, and has reported it upstream to linux-btrfs here, although they never received a reply.

https://www.spinics.net/lists/linux-btrfs/msg112261.html

I have written to Richard and asked if he has any additional information that might help reproduce, but I have yet to receive a reply.

If you read Richard's mailing list link, it mentions filesystem corruption with missing extents. This suggests this crash might be linked to bug 1933172, which I came across while trying to reproduce the issue in this bug.

See original description

CVE References

Matthew Ruffell (mruffell)
Changed in linux (Ubuntu):
status: New → Fix Released
Changed in linux (Ubuntu Bionic):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Matthew Ruffell (mruffell)
description: updated
Matthew Ruffell (mruffell)
description: updated
description: updated
Matthew Ruffell (mruffell)
description: updated
Kleber Sacilotto de Souza (kleber-souza)
Changed in linux (Ubuntu Bionic):
status: In Progress → Fix Committed
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-bionic
Revision history for this message
Matthew Ruffell (mruffell) wrote :

Performing verification for Bionic.

Firstly, I installed 4.15.0-151-generic from -updates, to get a baseline for all xfstests results.

I built and ran btrfs/* from xfstests, using the following local config:

export TEST_DEV=/dev/vdc
export TEST_DIR=/mnt/test
export SCRATCH_DEV_POOL="/dev/vdd /dev/vde /dev/vdf"
export SCRATCH_MNT=/mnt/scratch

The results are here:

https://paste.ubuntu.com/p/5TZTTHkvGs/

I then enabled -proposed and installed 4.15.0-152-generic, and executed the same testsuite.

The results are here:

https://paste.ubuntu.com/p/cpXBjP5bkF/

Doing a diff of the two, there are no differences, and they also match the output of 4.15.0-136-generic done earlier.

Now, I was a little concerned about btrfs/078 failing, so I decided to look into it some more.

btrfs/078 _check_btrfs_filesystem: filesystem on /dev/vdd is inconsistent
(see /home/ubuntu/xfstests/results//btrfs/078.full for details)

This test has failed with all Ubuntu kernels in the past, and is not new. If you run the testcase several times however, we see that sometimes it passes, and sometimes fails. If it fails, it almost always errors out at 399 seconds, which suggests a timeout? When it succeeds, it takes 430s.

4.15.0-151-generic:

https://paste.ubuntu.com/p/tPgyRHXtmb/

4.15.0-152-generic:

https://paste.ubuntu.com/p/P3xgJz5JnQ/

What the test does is fill the filesystem with files, and perform 100 read only snapshots, and then checks for consistency. The functionality doesn't appear to be related to balancing, and the tests seem to pass more on the kernel in -proposed then they did before, so I believe the kernel in -proposed is safe and unlikely to introduce any new regressions.

I am happy with the performance of the kernel in -proposed, testing various balances, and running the xfstest suite, that I will mark it as verified.

tags: added: bionic sts verification-done-bionic
removed: verification-needed-bionic
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (4.5 KiB)

This bug was fixed in the package linux - 4.15.0-154.161

---------------
linux (4.15.0-154.161) bionic; urgency=medium

  * bionic/linux: 4.15.0-154.161 -proposed tracker (LP: #1938411)

  * Potential reverts of 4.19.y stable changes in 18.04 (LP: #1938537)
    - SAUCE: Revert "locking/mutex: clear MUTEX_FLAGS if wait_list is empty due to
      signal"
    - SAUCE: Revert "drm/amd/amdgpu: fix refcount leak"

  * Packaging resync (LP: #1786013)
    - [Packaging] resync getabis
    - [Packaging] update helper scripts
    - update dkms package versions

  * btrfs: Automatic balance returns -EUCLEAN and leads to forced readonly
    filesystem (LP: #1934709) // CVE-2019-19036
    - btrfs: Validate child tree block's level and first key
    - btrfs: Detect unbalanced tree with empty leaf before crashing btree
      operations

  * btrfs: Automatic balance returns -EUCLEAN and leads to forced readonly
    filesystem (LP: #1934709)
    - Revert "btrfs: Detect unbalanced tree with empty leaf before crashing btree
      operations"
    - Revert "btrfs: Validate child tree block's level and first key"
    - btrfs: Only check first key for committed tree blocks
    - btrfs: Fix wrong first_key parameter in replace_path

  * Enable fib-onlink-tests.sh and msg_zerocopy.sh in kselftests/net on Bionic
    (LP: #1934759)
    - selftests: Add fib-onlink-tests.sh to TEST_PROGS
    - selftests: net: use TEST_PROGS_EXTENDED
    - selftests/net: enable msg_zerocopy test
    - SAUCE: selftests: Make fib-onlink-tests.sh executable

  * Kernel oops due to uninitialized list on kernfs (kernfs_kill_sb)
    (LP: #1934175)
    - kernfs: deal with kernfs_fill_super() failures
    - unfuck sysfs_mount()

  * large_dir in ext4 broken (LP: #1933074)
    - SAUCE: ext4: fix directory index node split corruption

  * btrfs: Attempting to balance a nearly full filesystem with relocated root
    nodes fails (LP: #1933172) // CVE-2019-19036
    - btrfs: reloc: fix reloc root leak and NULL pointer dereference

  * btrfs: Attempting to balance a nearly full filesystem with relocated root
    nodes fails (LP: #1933172)
    - Revert "btrfs: reloc: fix reloc root leak and NULL pointer dereference"

  * Pixel format change broken for Elgato Cam Link 4K (LP: #1932367)
    - (upstream) media: uvcvideo: Fix pixel format change for Elgato Cam Link 4K

  * Bionic update: upstream stable patchset 2021-06-23 (LP: #1933375)
    - net: usb: cdc_ncm: don't spew notifications
    - efi: Allow EFI_MEMORY_XP and EFI_MEMORY_RO both to be cleared
    - efi: cper: fix snprintf() use in cper_dimm_err_location()
    - vfio/pci: Fix error return code in vfio_ecap_init()
    - vfio/pci: zap_vma_ptes() needs MMU
    - vfio/platform: fix module_put call in error flow
    - ipvs: ignore IP_VS_SVC_F_HASHED flag when adding service
    - HID: pidff: fix error return code in hid_pidff_init()
    - HID: i2c-hid: fix format string mismatch
    - netfilter: nfnetlink_cthelper: hit EBUSY on updates if size mismatches
    - ieee802154: fix error return code in ieee802154_add_iface()
    - ieee802154: fix error return code in ieee802154_llsec_getparams()
    - Bluetooth: fix the erroneous flush_work() order
    - Blu...

Read more...

Changed in linux (Ubuntu Bionic):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.