[Bug 887046] New: NULL pointer dereference in find_parent_nodes+0x360/0x1380 [btrfs]
https://bugzilla.novell.com/show_bug.cgi?id=887046
https://bugzilla.novell.com/show_bug.cgi?id=887046#c0

Summary: NULL pointer dereference in find_parent_nodes+0x360/0x1380 [btrfs]
Classification: openSUSE
Product: openSUSE Factory
Version: 13.2 Milestone 0
Platform: Other
OS/Version: Other
Status: NEW
Severity: Critical
Priority: P5 - None
Component: Kernel
AssignedTo: kernel-maintainers@forge.provo.novell.com
ReportedBy: coolo@suse.com
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---

https://openqa.opensuse.org/tests/11448/file/serial0.txt shows the current Factory broken. During installation it's pretty often crashing while "saving configuration". This is the screen it's dying in: https://openqa.opensuse.org/tests/11448/modules/livecdreboot/steps/3

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=887046
https://bugzilla.novell.com/show_bug.cgi?id=887046#c1

--- Comment #1 from Stephan Kulow <coolo@suse.com> 2014-07-13 17:07:54 CEST ---
https://openqa.opensuse.org/tests/11438/modules/livecdreboot/steps/1 is a very similar case, but crashes differently:

[ 436.905833] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 436.907585] IP: [<c03343c0>] page_address+0x10/0xd0
[ 436.908027] *pde = 00000000
[ 436.908027] Oops: 0000 [#1] SMP
[ 436.908027] Modules linked in: fuse btrfs dm_multipath dm_mod scsi_dh multipath raid10 raid456 async_raid6_recov async_memcpy async_pq raid6_pq async_xor xor async_tx raid1 raid0 md_mod parport_pc parport nls_utf8 isofs usb_storage iscsi_ibft iscsi_boot_sysfs arc4 ecb fan thermal nfs lockd fscache nls_iso8859_1 nls_cp437 sg st af_packet hid_generic usbhid sunrpc sr_mod cdrom ata_generic cirrus virtio_net syscopyarea sysfillrect sysimgblt ttm ata_piix virtio_blk uhci_hcd drm_kms_helper ehci_hcd ahci libahci drm usbcore processor thermal_sys libata pvpanic button floppy usb_common i2c_core hwmon virtio_pci virtio_ring virtio edd squashfs loop [last unloaded: ppa]
[ 436.908027] CPU: 0 PID: 4591 Comm: kworker/u2:4 Not tainted 3.15.2-1.gd43d97e-default #1
[ 436.908027] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[ 436.908027] Workqueue: btrfs-qgroup-rescan normal_work_helper [btrfs]
[ 436.908027] task: d605a110 ti: d607e000 task.ti: d607e000
[ 436.908027] EIP: 0060:[<c03343c0>] EFLAGS: 00010282 CPU: 0
[ 436.908027] EIP is at page_address+0x10/0xd0
[ 436.908027] EAX: 00000000 EBX: 00000009 ECX: 00000000 EDX: 00000000
[ 436.908027] ESI: 00000000 EDI: 00000009 EBP: d607fe08 ESP: d607fdf8
[ 436.908027] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
[ 436.908027] CR0: 8005003b CR2: 00000000 CR3: 1cf25000 CR4: 00000690
[ 436.908027] Stack:
[ 436.908027] decc95e0 00000009 00000005 00000009 d607fe34 f91f9333 00004009 00003ff8
[ 436.908027] c6378da0 00000000 00000000 d607fecf 00000058 0000028b e10a57d4 d607fee4
[ 436.908027] f9237a8b 00000011 00000000 00000020 00000020 d607feac f33ca988 f33ca940
[ 436.908027] Call Trace:
[ 436.908027] [<f91f9333>] read_extent_buffer+0xb3/0x110 [btrfs]
[ 436.908027] [<f9237a8b>] btrfs_qgroup_rescan_worker+0x2db/0x760 [btrfs]
[ 436.908027] [<f9206148>] normal_work_helper+0xc8/0x270 [btrfs]
[ 436.908027] [<c025e38b>] process_one_work+0x11b/0x390
https://bugzilla.novell.com/show_bug.cgi?id=887046
https://bugzilla.novell.com/show_bug.cgi?id=887046#c2

Stephan Kulow <coolo@suse.com> changed:

What     |Removed   |Added
----------------------------------------------------------------------------
Priority |P5 - None |P2 - High

--- Comment #2 from Stephan Kulow <coolo@suse.com> 2014-07-13 17:08:17 CEST ---
As this blocks Factory repo updates, I set it to P2.
https://bugzilla.novell.com/show_bug.cgi?id=887046
https://bugzilla.novell.com/show_bug.cgi?id=887046#c3

--- Comment #3 from Stephan Kulow <coolo@suse.com> 2014-07-14 14:42:05 CEST ---
This seems to only affect i586.
https://bugzilla.novell.com/show_bug.cgi?id=887046
https://bugzilla.novell.com/show_bug.cgi?id=887046#c4

--- Comment #4 from Stephan Kulow <coolo@suse.com> 2014-07-17 12:19:02 CEST ---
I created an ext4 test now, and it's not crashing at all. So it's really btrfs code, not something that just happens to end up in btrfs code.
https://bugzilla.novell.com/show_bug.cgi?id=887046
https://bugzilla.novell.com/show_bug.cgi?id=887046#c

Arvin Schnell <aschnell@suse.com> changed:

What       |Removed                                    |Added
----------------------------------------------------------------------------
AssignedTo |kernel-maintainers@forge.provo.novell.com  |mfasheh@suse.com
https://bugzilla.novell.com/show_bug.cgi?id=887046
https://bugzilla.novell.com/show_bug.cgi?id=887046#c10

--- Comment #10 from Stephan Kulow <coolo@suse.com> 2014-07-22 07:52:18 CEST ---
Arvin, please disable that feature.
https://bugzilla.novell.com/show_bug.cgi?id=887046
https://bugzilla.novell.com/show_bug.cgi?id=887046#c16

Takashi Iwai <tiwai@suse.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC   |        |tiwai@suse.com

--- Comment #16 from Takashi Iwai <tiwai@suse.com> 2014-07-25 12:30:53 UTC ---
I stumbled upon this bug and took a bit deeper look.

The issue has existed for a long time; 3.11.x already shows the very same problem when quota is enabled on btrfs. It gives an Oops sooner or later in the same code path (list_del() in the clean-up of the prefs_delayed list in find_parent_nodes()).

I quickly bisected and it resulted in the commit:
  ed8c4913da4951957bf8afc788522788881ff405
  Btrfs: make sure the backref walker catches all refs to our extent

Although I don't fully understand why this hits only the 32bit kernel, reverting this commit fixes the problem, up to 3.14.

However, 3.15 introduced yet another place triggering the very same problem. Again bisected, and hit the commit:
  4485386853454f184235c8a973b29fa7fa522eb1
  Btrfs: take into account total references when doing backref lookup

Reverting both commits above makes quota with the 3.15 kernel work on 32bit QEMU/KVM.

Investigating further...
https://bugzilla.novell.com/show_bug.cgi?id=887046
https://bugzilla.novell.com/show_bug.cgi?id=887046#c17

--- Comment #17 from Takashi Iwai <tiwai@suse.com> 2014-07-25 13:13:18 UTC ---
OK, I finally understood what went wrong. Indeed, this happens only on 32bit.

The function ulist_add_merge() takes a u64 pointer as old_aux. This replaces the content of the old_aux pointer with the old aux data. Meanwhile, the caller of this function passes a pointer to a pointer. Since the pointer is 32bit, writing a 64bit value corrupts the neighborhood. This leads to NULL in the adjacent list member, and hits the NULL dereference Oops in the end.

Why there are two hits: the first commit introduced a new call of ulist_add_merge(). With the second commit, it extends the search area and it casually triggers the other call of ulist_add_merge() in find_parent_nodes().

A test fix patch is attached below. In this patch, I introduced a new function, ulist_add_merge_ptr(), for keeping the compatibility of ulist_add_merge(). But, since backref.c is the only user of ulist_add_merge(), we may change ulist_add_merge() itself to take the pointer for aux, instead, too.
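The width mismatch described in comment #17, modelled in C as an added example (not code from the bug report or from the btrfs tree): a constructed frame with a 4-byte pointer slot and a 4-byte list member next to it, so the 8-byte store overwrites the neighbour even on a 64-bit host. struct caller_frame, LIST_SENTINEL, run_buggy and run_fixed are hypothetical names, and ulist_add_merge_u64 / ulist_add_merge_ptr only mimic the shape of the kernel functions, not their real logic.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed model of the i586 frame from comment #17: the caller's old_aux
 * slot is a 4-byte pointer and another 4-byte list pointer sits next to it.
 * uint32_t keeps the layout identical on 64-bit hosts. */
struct caller_frame {
    uint32_t old_aux;   /* pointer slot the caller passes as old_aux */
    uint32_t list_ptr;  /* neighbouring list member that gets clobbered */
};
#define LIST_SENTINEL 0xDEADBEEFu   /* stands in for a valid list pointer */

/* Shape of the original callee: it assumes old_aux points at a u64 and
 * stores 8 bytes there (memcpy models the store without aliasing UB). */
static void ulist_add_merge_u64(void *old_aux, uint64_t old_value)
{
    memcpy(old_aux, &old_value, sizeof old_value);
}

/* Shape of the fix (ulist_add_merge_ptr): own a real u64, let the callee
 * write that, then store only the pointer-sized part into the caller's slot. */
static void ulist_add_merge_ptr(uint32_t *old_aux_ptr, uint64_t old_value)
{
    uint64_t old64 = 0;
    ulist_add_merge_u64(&old64, old_value);
    *old_aux_ptr = (uint32_t)old64;
}
/* Buggy caller: hands a 4-byte slot to a callee that writes 8 bytes. */
struct caller_frame run_buggy(uint64_t old_value)
{
    struct caller_frame f = { 0, LIST_SENTINEL };
    ulist_add_merge_u64(&f.old_aux, old_value);  /* high half lands in list_ptr */
    return f;
}

/* Fixed caller: goes through the pointer-sized wrapper. */
struct caller_frame run_fixed(uint64_t old_value)
{
    struct caller_frame f = { 0, LIST_SENTINEL };
    ulist_add_merge_ptr(&f.old_aux, old_value);
    return f;
}

int main(void)
{
    struct caller_frame b = run_buggy(0x11223344u), g = run_fixed(0x11223344u);
    printf("buggy: old_aux=%08x list_ptr=%08x\n", b.old_aux, b.list_ptr);
    printf("fixed: old_aux=%08x list_ptr=%08x\n", g.old_aux, g.list_ptr);
    return 0;
}
```

On a little-endian host the zero high half of the widened pointer lands in list_ptr, which is exactly the NULL list member that list_del() later dereferences in the report.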
https://bugzilla.novell.com/show_bug.cgi?id=887046
https://bugzilla.novell.com/show_bug.cgi?id=887046#c18

--- Comment #18 from Takashi Iwai <tiwai@suse.com> 2014-07-25 13:15:59 UTC ---
Created an attachment (id=599933) --> (http://bugzilla.novell.com/attachment.cgi?id=599933)
Fix patch
https://bugzilla.novell.com/show_bug.cgi?id=887046
https://bugzilla.novell.com/show_bug.cgi?id=887046#c19

--- Comment #19 from Stephan Kulow <coolo@suse.com> 2014-07-25 15:30:29 CEST ---
You're my hero Takashi!
https://bugzilla.novell.com/show_bug.cgi?id=887046
https://bugzilla.novell.com/show_bug.cgi?id=887046#c20

--- Comment #20 from Takashi Iwai <tiwai@suse.com> 2014-07-28 08:57:31 UTC ---
I submitted the fix to the upstream now. Let's see...
https://bugzilla.novell.com/show_bug.cgi?id=887046
https://bugzilla.novell.com/show_bug.cgi?id=887046#c21

Takashi Iwai <tiwai@suse.com> changed:

What       |Removed  |Added
----------------------------------------------------------------------------
Status     |ASSIGNED |RESOLVED
Resolution |         |FIXED

--- Comment #21 from Takashi Iwai <tiwai@suse.com> 2014-08-21 15:57:36 UTC ---
The fix was accepted to the upstream finally. Now it's merged to openSUSE-13.1, stable, HEAD and SLE12 kernel git branches.
http://bugzilla.novell.com/show_bug.cgi?id=887046

Swamp Workflow Management <swamp@suse.de> changed:

What       |Removed |Added
----------------------------------------------------------------------------
Whiteboard |        |ibs:running:136:moderate
http://bugzilla.novell.com/show_bug.cgi?id=887046

Swamp Workflow Management <swamp@suse.de> changed:

What       |Removed                  |Added
----------------------------------------------------------------------------
Whiteboard |ibs:running:136:moderate |ibs:running:136:moderate ibs:running:136:moderate
http://bugzilla.novell.com/show_bug.cgi?id=887046

Swamp Workflow Management <swamp@suse.de> changed:

What       |Removed                                           |Added
----------------------------------------------------------------------------
Whiteboard |ibs:running:136:moderate ibs:running:136:moderate |ibs:running:136:moderate ibs:running:136:moderate ibs:running:136:moderate
http://bugzilla.novell.com/show_bug.cgi?id=887046

Swamp Workflow Management <swamp@suse.de> changed:

What       |Removed                  |Added
----------------------------------------------------------------------------
Whiteboard |ibs:running:136:moderate |ibs:running:136:important
http://bugzilla.novell.com/show_bug.cgi?id=887046

Swamp Workflow Management <swamp@suse.de> changed:

What       |Removed                   |Added
----------------------------------------------------------------------------
Whiteboard |ibs:running:136:important |ibs:running:136:important obs:running:3332:important
http://bugzilla.novell.com/show_bug.cgi?id=887046

--- Comment #22 from Swamp Workflow Management <swamp@suse.de> ---
openSUSE-SU-2014:1677-1: An update that solves 31 vulnerabilities and has 12 fixes is now available.

Category: security (important)
Bug References: 818966,835839,853040,856659,864375,865882,873790,875051,881008,882639,882804,883518,883724,883948,883949,884324,887046,887082,889173,890114,891689,892490,893429,896382,896385,896390,896391,896392,896689,897736,899785,900392,902346,902349,902351,904013,904700,905100,905744,907818,908163,909077,910251
CVE References: CVE-2013-2891,CVE-2013-2898,CVE-2014-0181,CVE-2014-0206,CVE-2014-1739,CVE-2014-3181,CVE-2014-3182,CVE-2014-3184,CVE-2014-3185,CVE-2014-3186,CVE-2014-3673,CVE-2014-3687,CVE-2014-3688,CVE-2014-4171,CVE-2014-4508,CVE-2014-4608,CVE-2014-4611,CVE-2014-4943,CVE-2014-5077,CVE-2014-5206,CVE-2014-5207,CVE-2014-5471,CVE-2014-5472,CVE-2014-6410,CVE-2014-7826,CVE-2014-7841,CVE-2014-7975,CVE-2014-8133,CVE-2014-8709,CVE-2014-9090,CVE-2014-9322
Sources used:
openSUSE 13.1 (src): cloop-2.639-11.16.1, crash-7.0.2-2.16.1, hdjmod-1.28-16.16.1, ipset-6.21.1-2.20.1, iscsitarget-1.4.20.3-13.16.1, kernel-docs-3.11.10-25.2, kernel-source-3.11.10-25.1, kernel-syms-3.11.10-25.1, ndiswrapper-1.58-16.1, pcfclock-0.44-258.16.1, vhba-kmp-20130607-2.17.1, virtualbox-4.2.18-2.21.1, xen-4.3.2_02-30.1, xtables-addons-2.3-2.16.1
http://bugzilla.novell.com/show_bug.cgi?id=887046

--- Comment #23 from Swamp Workflow Management <swamp@suse.de> ---
SUSE-SU-2015:0068-1: An update that solves 11 vulnerabilities and has 62 fixes is now available.

Category: security (important)
Bug References: 851603,853040,860441,862957,863526,870498,873228,874025,877622,879255,880767,880892,881085,883139,887046,887382,887418,889295,889297,891259,891619,892254,892612,892650,892860,893454,894057,894863,895221,895387,895468,895680,895983,896391,897101,897736,897770,897912,898234,898297,899192,899489,899551,899785,899787,899908,900126,901090,901774,901809,901925,902010,902016,902346,902893,902898,903279,903307,904013,904077,904115,904354,904871,905087,905100,905296,905758,905772,907818,908184,909077,910251,910697
CVE References: CVE-2013-6405,CVE-2014-3185,CVE-2014-3610,CVE-2014-3611,CVE-2014-3647,CVE-2014-3673,CVE-2014-7826,CVE-2014-7841,CVE-2014-8133,CVE-2014-9090,CVE-2014-9322
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src): kernel-docs-3.12.32-33.3, kernel-obs-build-3.12.32-33.1
SUSE Linux Enterprise Server 12 (src): kernel-source-3.12.32-33.1, kernel-syms-3.12.32-33.1
SUSE Linux Enterprise Desktop 12 (src): kernel-source-3.12.32-33.1, kernel-syms-3.12.32-33.1
http://bugzilla.novell.com/show_bug.cgi?id=887046

Swamp Workflow Management <swamp@suse.de> changed:

What       |Removed                                             |Added
----------------------------------------------------------------------------
Whiteboard |ibs:running:136:important obs:running:3332:important |obs:running:3332:important
http://bugzilla.novell.com/show_bug.cgi?id=887046

Swamp Workflow Management <swamp@suse.de> changed:

What       |Removed                   |Added
----------------------------------------------------------------------------
Whiteboard |obs:running:3332:important |