[Bugme-new] [Bug 12480] New: btrfs: NULL deref, soft lockup on mounting a randomly corrupted (and checksums not fixed) fs

bugme-daemon at bugzilla.kernel.org
Sun Jan 18 12:22:04 PST 2009


http://bugzilla.kernel.org/show_bug.cgi?id=12480

           Summary: btrfs: NULL deref, soft lockup on mounting a randomly
                    corrupted (and checksums not fixed) fs
           Product: File System
           Version: 2.5
     KernelVersion: 2.6.29-rc2
          Platform: All
        OS/Version: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: Other
        AssignedTo: fs_other at kernel-bugs.osdl.org
        ReportedBy: sliedes at cc.hut.fi


Hardware Environment: qemu x86
Software Environment: minimal Debian sid/unstable
Problem Description:

On mounting an intentionally corrupted filesystem, I get the following oops.
Since I did not fix any checksums after corrupting the fs, I assume this is due
to some data that is not protected by a checksum.

Unfortunately the 256 MiB minimum filesystem size limit makes attaching a test
case a bit harder. Still, ask for it if you think you need one.

------------------------------------------------------------
device fsid 754307078c69d888-2aaaab2531fc0aa9 <6>devid 1 transid 15 /dev/hdb
btrfs: hdb checksum verify failed on 20971520 wanted 997053EF found 5F42117D
level 0
btrfs: hdb checksum verify failed on 20971520 wanted 997053EF found 5F42117D
level 0
btrfs: hdb checksum verify failed on 20971520 wanted 997053EF found B670A8AB
level 0
[a warn_slowpath() warning cut away]
btrfs bad mapping eb start 20971520 len 4096, wanted 2147487182 8
[a warn_slowpath() warning cut away]
BUG: unable to handle kernel NULL pointer dereference at (null)
IP: [<c0216e05>] kmap_atomic_prot+0x15/0xb1
*pde = 00000000
Oops: 0000 [#1] SMP DEBUG_PAGEALLOC
last sysfs file:

Pid: 997, comm: mount Tainted: G        W  (2.6.29-rc2 #2)
EIP: 0060:[<c0216e05>] EFLAGS: 00000282 CPU: 0
EIP is at kmap_atomic_prot+0x15/0xb1
EAX: c6ee5000 EBX: 00000000 ECX: 00000163 EDX: 00000004
ESI: 00000004 EDI: 00000000 EBP: 00000163 ESP: c6ee5cec
 DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
Process mount (pid: 997, ti=c6ee5000 task=c5d50000 task.ti=c6ee5000)
Stack:
 00000000 00001400 00000000 00080000 c04987bd 00000002 00000001 00000000
 c0498818 80000dce 00000008 c710db00 00000000 c726dc6c 00001000 80000dce
 00000000 c710db00 00000000 c04915d3 c6ee5d64 c6ee5d60 c6ee5d5c c6ee5d58
Call Trace:
 [<c04987bd>] map_private_extent_buffer+0x83/0x180
 [<c0498818>] map_private_extent_buffer+0xde/0x180
 [<c04915d3>] btrfs_chunk_length+0x4e/0xcf
 [<c04987bd>] map_private_extent_buffer+0x83/0x180
 [<c04a0d90>] read_one_chunk+0x28/0x311
 [<c048f570>] btrfs_item_offset+0xc0/0xc2
 [<c04a121e>] btrfs_read_chunk_tree+0x1a5/0x1b1
 [<c047dd8b>] open_ctree+0xad6/0xfd1
 [<c02b48f5>] disk_name+0x9c/0xa6
 [<c04d8414>] strlcpy+0x11/0x3d
 [<c04610d7>] btrfs_get_sb+0x2f5/0x3e7
 [<c02610c8>] kstrdup+0x24/0x40
 [<c0278c28>] vfs_kern_mount+0x37/0x88
 [<c0278cc0>] do_kern_mount+0x31/0xbc
 [<c028c4fd>] do_mount+0x39b/0x77d
 [<c028ac13>] copy_mount_options+0x2c/0x11b
 [<c028c967>] sys_mount+0x88/0xc1
 [<c02030be>] syscall_call+0x7/0xb
Code: 84 c8 c0 83 e2 fc 8d 04 09 01 c8 8d 04 81 8d 04 82 c3 0f 0b eb fe 55 57
56 53 89 c3 89 d6 89 cd 89 e0 25 00 f0 ff ff 83 40 14 01 <8b> 0b 89 c8 c1 e8 0d
25 00 18 00 00 05 80 4e 6e c0 2b 80 8c 07
EIP: [<c0216e05>] kmap_atomic_prot+0x15/0xb1 SS:ESP 0068:c6ee5cec
---[ end trace 13cdbae0c899649b ]---
note: mount[997] exited with preempt_count 1
BUG: scheduling while atomic: mount/997/0x10000001
INFO: lockdep is turned off.
Pid: 997, comm: mount Tainted: G      D W  2.6.29-rc2 #2
Call Trace:
 [<c05c78f9>] schedule+0x612/0xb0e
 [<c04dea6f>] debug_check_no_obj_freed+0x123/0x179
 [<c0268366>] remove_vma+0x52/0x66
 [<c02212b0>] __cond_resched+0x22/0x37
 [<c05c7efd>] _cond_resched+0x2b/0x37
 [<c02264d6>] put_files_struct+0x65/0xa6
 [<c0227d6b>] do_exit+0x116/0x788
 [<c0225308>] release_console_sem+0x17d/0x1bd
 [<c05c6fce>] printk+0x17/0x1b
 [<c0205ea5>] oops_begin+0x0/0x86
 [<c0213155>] do_page_fault+0x2dc/0x6b7
 [<c02060bc>] show_trace+0x18/0x1d
 [<c05c6eb6>] dump_stack+0x6d/0x72
 [<c05c6fce>] printk+0x17/0x1b
 [<c0224c9e>] warn_slowpath+0xa1/0xce
 [<c05c9e65>] _spin_lock_irqsave+0x3c/0x44
 [<c0225308>] release_console_sem+0x17d/0x1bd
 [<c0212e79>] do_page_fault+0x0/0x6b7
 [<c05ca20a>] error_code+0x72/0x78
 [<c0216e05>] kmap_atomic_prot+0x15/0xb1
 [<c04987bd>] map_private_extent_buffer+0x83/0x180
 [<c0498818>] map_private_extent_buffer+0xde/0x180
 [<c04915d3>] btrfs_chunk_length+0x4e/0xcf
 [<c04987bd>] map_private_extent_buffer+0x83/0x180
 [<c04a0d90>] read_one_chunk+0x28/0x311
 [<c048f570>] btrfs_item_offset+0xc0/0xc2
 [<c04a121e>] btrfs_read_chunk_tree+0x1a5/0x1b1
 [<c047dd8b>] open_ctree+0xad6/0xfd1
 [<c02b48f5>] disk_name+0x9c/0xa6
 [<c04d8414>] strlcpy+0x11/0x3d
 [<c04610d7>] btrfs_get_sb+0x2f5/0x3e7
 [<c02610c8>] kstrdup+0x24/0x40
 [<c0278c28>] vfs_kern_mount+0x37/0x88
 [<c0278cc0>] do_kern_mount+0x31/0xbc
 [<c028c4fd>] do_mount+0x39b/0x77d
 [<c028ac13>] copy_mount_options+0x2c/0x11b
 [<c028c967>] sys_mount+0x88/0xc1
 [<c02030be>] syscall_call+0x7/0xb
./runtest: line 31:   997 Segmentation fault      mount /dev/hdb /mnt -t btrfs
umount: /mnt: not mounted
***** zzuffing ***** seed 30000002
device fsid 754307078c69d888-2aaaab2531fc0aa9 <6>devid 1 transid 15 /dev/hdb
BUG: unable to handle kernel NULL pointer dereference at 0000015c
IP: [<c0460d5b>] btrfs_test_super+0x6/0x19
*pde = 00000000
Oops: 0000 [#2] SMP DEBUG_PAGEALLOC
last sysfs file:

Pid: 1016, comm: mount Tainted: G      D W  (2.6.29-rc2 #2)
EIP: 0060:[<c0460d5b>] EFLAGS: 00000287 CPU: 0
EIP is at btrfs_test_super+0x6/0x19
EAX: 00000000 EBX: c7ad2800 ECX: 00000000 EDX: c79faf80
ESI: 00000000 EDI: c06cd4d8 EBP: 00000000 ESP: c6ee5ea0
 DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
Process mount (pid: 1016, ti=c6ee5000 task=c7891340 task.ti=c6ee5000)
Stack:
 c02792be 22222222 c0278d4b c0460d55 c06cd4c0 c06cd4e0 c06cd4e8 c740c9c0
 00000000 00000000 00000000 c0460ebf c79faf80 c68a1000 c06cd4c0 c79d8d90
 00000010 00000009 c68a1000 000000d0 c68a1000 c02610c8 c7aacc00 00000000
Call Trace:
 [<c02792be>] sget+0x51/0x363
 [<c0278d4b>] set_anon_super+0x0/0xa2
 [<c0460d55>] btrfs_test_super+0x0/0x19
 [<c0460ebf>] btrfs_get_sb+0xdd/0x3e7
 [<c02610c8>] kstrdup+0x24/0x40
 [<c0278c28>] vfs_kern_mount+0x37/0x88
 [<c0278cc0>] do_kern_mount+0x31/0xbc
 [<c028c4fd>] do_mount+0x39b/0x77d
 [<c028ac13>] copy_mount_options+0x2c/0x11b
 [<c028c967>] sys_mount+0x88/0xc1
 [<c02030be>] syscall_call+0x7/0xb
Code: 44 24 04 82 d6 66 c0 c7 04 24 bc 09 46 c0 b9 c1 09 46 c0 e8 76 d7 e2 ff
83 c4 08 c3 90 90 90 90 c6 40 11 00 c3 8b 80 78 02 00 00 <8b> 80 5c 01 00 00 39
90 98 1f 00 00 0f 94 c0 0f b6 c0 c3 53 8b
EIP: [<c0460d5b>] btrfs_test_super+0x6/0x19 SS:ESP 0068:c6ee5ea0
---[ end trace 13cdbae0c899649c ]---
./runtest: line 31:  1016 Segmentation fault      mount /dev/hdb /mnt -t btrfs
umount: /mnt: not mounted
***** zzuffing ***** seed 30000003
BUG: soft lockup - CPU#0 stuck for 61s! [pdflush:103]

Pid: 103, comm: pdflush Tainted: G      D W  (2.6.29-rc2 #2)
EIP: 0060:[<c04ddfb9>] EFLAGS: 00000246 CPU: 0
EIP is at _raw_spin_lock+0xd7/0x12b
EAX: 00000000 EBX: c06c30a8 ECX: 00000000 EDX: 00003400
ESI: 12fc19d8 EDI: 00000000 EBP: 00000001 ESP: c7888f3c
 DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
CR0: 8005003b CR2: 08058480 CR3: 06849000 CR4: 00000690
DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
DR6: 00000000 DR7: 00000000
Call Trace:
 [<c02791c5>] ? sync_supers+0xc/0xb4
 [<c05c9da0>] ? _spin_lock+0x31/0x3c
 [<c02791c5>] ? sync_supers+0xc/0xb4
 [<c02595f3>] ? wb_kupdate+0x2b/0xe8
 [<c025a18b>] ? pdflush+0xe6/0x1a0
 [<c02595c8>] ? wb_kupdate+0x0/0xe8
 [<c025a0a5>] ? pdflush+0x0/0x1a0
 [<c023681e>] ? kthread+0x39/0x62
 [<c02367e5>] ? kthread+0x0/0x62
 [<c020384b>] ? kernel_thread_helper+0x7/0x1c
------------------------------------------------------------

